Information Security News mailing list archives

Re: The War in All its Online Glory


From: InfoSec News <isn () c4i org>
Date: Tue, 4 Jun 2002 03:56:04 -0500 (CDT)

Forwarded from: H C <keydet89 () yahoo com>
Cc: bob () globaldevelopment org, jericho () attrition org

> This doesn't give me any sort of confidence. The fact that these
> machines are connected to any public network is disturbing.

Who said the machines were connected to a public network?  The quote
says "unidentified" machines, which could mean anything from
misconfigured systems on the private network, to other machines on the
network that are outside the scope of the exercise.

Of course, the quote *was* from a LtCol...it's probably very likely
that he hasn't even memorized the right buzzwords yet, so we have no
idea what the *real* issue is...

Does anyone know if the military is still doing the field grade
lobotomy the old way, or if they're going through the nose now
(doesn't leave the telltale scar)??  I had heard rumors that they had
a medication taken orally now...  ;-)

> I understand the desire for access to information, but given how
> critical and sensitive these systems are, it seems that there would
> be some real need for a physical gap in the network.

I agree.  However, I've worked with the US Army before (they were the
customer) and their support infrastructure, and to be quite honest, no
amount of security awareness training is going to work in that
environment.  I've seen senior-level execs get the briefing and sign
the sheet saying that they understand that they're not to send or
launch executables via email, blah, blah, blah...and then they do just
that b/c they think it's funny.

Of course, you've then got the whole issue of how the Army
operates...those officers quoted in the article may not be in their
positions in 6 months or a year.  Rotations are critical for
advancement and promotion...and regardless of what anyone wants to
believe, very little institutional knowledge survives.

> Throwing up additional firewalls seems like a joke of a response.

Exactly.

> It isn't about how many devices you have protecting your resources,
> it's about how they are configured and monitored.

We should get that on a t-shirt.
 
> Even if someone isn't intent on a classic break-in, how would a DoS
> attack affect their capability to reach the information they need?
> How about a few hundred script kiddy style attacks and the diversion
> of resources that could cause?

We'd need to know more about the setup.  Unfortunately, when officers
leave such positions, or the enlisted guys don't re-enlist, they very
often get jobs w/ the contractor for the project, and sign NDAs
there....



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

