USAF Cyber Command and Thoughts on Conficker

Gods, where to start.

Anything important is on a SCADA network. Little critical infrastructure is on Internet accessible networks. The most critical stuff is only monitored by SCADA networks but cannot be given commands over SCADA. Yes, SCADA networks need to be updated to keep in line with advances made in network defense that internet facing networks almost always have.

The NSA and DISA publish good white papers and specifications for securing OS’s, network devices, some applications, etc. They also cooperate with private sector manufacturers and software publishers to promote Information Assurance concepts and resources. They have a good reputation, remain strictly neutral, and usually only advise. DISA is responsible for the overwhelming amount of US military networks, and a surprising number of general government networks. DISA handles the bulk of the hands on information security on defense and national security networks. A lot of server stuff too. NSA does some stuff, but not as much hands on stuff as you’d think. Probably for the best.

I’m not convinced that the USAF’s Cyber Command is little more than a money sink. What can they do that the NSA or DISA is not doing? I suspect their primary mission will be to suck up funds and maybe protect a very small number of networks. On the plus side, maybe they will make some improvements on embedded networks specific to the USAF. That’d be nice. But not critical to the security of the US infrastructure, as they run more or less only internal networks. They turn over more and more of those networks to DISA each year.

While there is a lot of improvement needed in the information security field, it’s not catastrophically bad. Consumers need better security. That’s the biggest threat at the moment: millions of ordinary desktops and laptops. Infrastructure- and corporate-wise, infosec is getting better. Govt always needs to get better, but is good enough by and large. The only advice I can give that crosses private and public sector is: more applicable user training. Not the boring CYA legal-ese crap, but short, good information. Put your written passwords in your wallet, don’t share them, shred papers you don’t need, if in doubt ask IT, don’t click on stuff you think is off, if something sounds odd ask your security department, etc etc.

IT and IT Security departments need to expand beyond technical issues and also regularly interface with the users. Yes, I bloody well know how problematic this can be. But most users don’t want to work around standard procedures, they just want to do their job in a way that isn’t too painstaking. IT personnel should try to make their user solutions as streamlined as possible.

Some folks in the Obama administration and Congress kicked around the idea of a national computer security agency to ‘own’ all the networks and make them safe.

A centralized body governing network security is such a bad idea I’m not sure I can make a proper analogy. “You might as well shoot yourself in the head to save time” would be the closest I can come to explaining how bad of an idea it is. Any hypercentralized NSOC (Network Security Operations Center) with legal powers to control every network in the US would be the worst security threat I can imagine. If you find a way into such a NSOC, you can take down everything. As it stands now, if somehow you could take down… say a specific hospital, that didn’t mean you could automatically also take down a nuclear power plant, a jet liner or a Mom’n’Pop small business network. Decentralization means you have a wide variety of different environments. The more diverse and decentralized you make the entire US IT infrastructure, the less likely any one attack vector can do damage to a bunch of different networks using the same trick.

If you wanted to do the same thing in a somewhat secure manner, which is a bad idea, give the central telecoms a right to blacklist IP traffic without legal repercussion and the ability to void their obligation to completing contracts at their leisure but still get paid anyways. The idea is major telecommunication companies could cut off clients that are infected or attacking other networks. Also, legally make the client liable for the costs of the downtime so that the telecommunication company does not have a financial incentive to ignore the attacks. Sounds like a bad idea? It is. But it’s much more secure than the hypercentralized NSOC idea.

Some folks commented that Conficker was a really nasty worm and the media played it up like it was Ragnarök. Also, IT folks were running scared.

Really? Must be a different part of the IT community than I regularly communicate with. Oh sure, we’re all very concerned with users installing malware. Any one worm? Not so much. If you patch your systems regularly, have a good AV solution and hopefully a half decent firewall, there isn’t a worm made yet that the IT community is overly concerned about. Never confuse secondary effects (the rush to patch an exploit, or dealing with an upsurge in spam traffic) with the worm or malware itself.

Hell, I was amazed at how much the media was playing up Conficker. The people who designed Conficker were either really stupid, or didn’t care. If you upgrade to nmap 4.85BETA7 and run the command ” nmap -PN -d -p 445 --script=smb-check-vulns --script-args=safe=1 “, you can determine whether the host is infected or not. (The last argument being the target IP, and obviously removing the quotes.) Why? On an infected host, NetpwPathCanonicalize() gives a nonstandard answer to queries. So you ask the worm if it has infected a host, and it accurately says “Yes, I did.”
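As an added example (not code from the original post), here is a small Python helper that builds the nmap command line quoted above and triages Nmap’s normal output to list which hosts the smb-check-vulns script flagged. The function names are hypothetical, the "Conficker: Likely INFECTED" / "Likely CLEAN" verdict text and output layout are assumed from Nmap’s script output of that era, and the sample scan output is constructed.

```python
import re
import subprocess
from typing import Dict, List


def conficker_scan_args(targets: List[str]) -> List[str]:
    """Argument list for the Conficker check from the post (proper -- flags)."""
    return ["nmap", "-PN", "-d", "-p", "445",
            "--script=smb-check-vulns", "--script-args=safe=1", *targets]


# Output layout assumed from Nmap 4.x/5.x normal output (both host-line styles).
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) ([^\s:]+)")
CONF_RE = re.compile(r"^\|[\s|_]*Conficker:\s*(.+?)\s*$")


def parse_conficker_results(nmap_output: str) -> Dict[str, str]:
    """Map each scanned host to the script's Conficker verdict.

    Hosts with no verdict line (445 closed, script did not run) are reported
    as 'NO RESULT' so that they are not silently mistaken for clean hosts.
    """
    results: Dict[str, str] = {}
    host = None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = "NO RESULT"
            continue
        m = CONF_RE.match(line)
        if m and host:
            results[host] = m.group(1)
    return results


def infected_hosts(nmap_output: str) -> List[str]:
    """Hosts whose verdict contains INFECTED, sorted for a stable report."""
    return sorted(h for h, v in parse_conficker_results(nmap_output).items()
                  if "INFECTED" in v.upper())


def run_scan(targets: List[str]) -> Dict[str, str]:
    """Run the real scan (requires nmap on PATH) and parse its output."""
    proc = subprocess.run(conficker_scan_args(targets), capture_output=True,
                          text=True, check=False)
    return parse_conficker_results(proc.stdout)


# Constructed sample output for three hosts (not a real scan).
SAMPLE_OUTPUT = """\
Interesting ports on 192.0.2.10:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  |  MS08-067: NOT RUN
|_ |_ Conficker: Likely INFECTED

Interesting ports on 192.0.2.11:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  |  MS08-067: NOT RUN
|_ |_ Conficker: Likely CLEAN

Interesting ports on 192.0.2.12:
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
"""
```

Run the scan from a machine that is allowed to touch port 445 on the hosts in question, and treat "NO RESULT" entries as hosts that still need checking.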

I’ll grant you, worms are becoming more sophisticated. Storm was designed by someone with a glancing knowledge of secure programming. Not a professional level, of course. Almost, but not quite, respectable. Conficker is worrisome not because it was well written or well designed, but rather because it exploited a nasty hole in all relevant versions of Windows (see MS08-067), a hole that gives system level access with no authentication over a network. That’s as bad as a security hole gets. If you’re patched, no problem. If you’re running an AV, somewhat no problem.

Instead of saying “ZOMG! Killer worm! All the geeks are in a panic and predict end of the world”, the media should say “Yo, a routine worm is making it around the internet exploiting a hole patched on Oct 8th, 2008. If you haven’t patched your desktop in SIX MONTHS, please do so. Go to for details on how to do so.”

As we all know, rational dissemination of information ain’t the media’s strong point.

Disclosure: I formerly worked for the US Army and DISA.



Just saw Quarantine with some friends… Quick overview? Movie was actually half decent, but the characters are dumb as a box of bricks.

This entire rant is basically a spoiler, but it really doesn’t matter too much.

It was shot handheld, which I normally hate. It’s no longer clever. Cloverfield vastly overdid it, making plenty of people nauseous. I could try to be clever, and claim it was a tossup between the characters themselves or the shaky camera that made people want to puke. But anyways, back to this movie. The camera work was just bumpy enough to remind you it was handheld, but not every five seconds nor in an excessive manner. Pretty well done, actually. As I can recall, there was no background music. It’s a subtle thing, but I think it helped set the viewer on edge if you heard various backgrounds sounds rather than creepy music.

The movie starts off with a reporter (Jennifer Carpenter) following LA fire fighters around for a night. Pretty plausible, and the intro gets you using and liking the main characters. One could say the intro was slow, but it worked quite well for character background without being too obvious.

The firefighters get a call, and the crew goes to an apartment building. The building has an interesting layout, and looks like it was rather nice when it was built in the ’50s but has gone downhill since. Firefighters knock down the door to see a very pale old lady with blood all over her and drooling quite profusely. Ah, zombie, alien parasite or evil disease. My bet’s on zombie!

Well, after biting a couple folks, and getting shot twice, she’s down. Not a zombie. Dang it. I had $1 riding on zombie. The officer put one round in the shoulder, and the second center of mass. If evil looking, shuffling, biting, pale, blood laden, drooling hag ripped a chunk of my partner’s neck out, I’d personally be putting at least one round through the brain. Just to be sure.

Up till this point, all was more or less tactically sound. But after your partner has his neck ripped out by evil looking hag, everything starts going downhill.

At this point, everyone seems to still possess some degree of intelligence, because they more or less unanimously say “**** this, I’m out of here!” Wise and prudent. Unless of course, the US Army is in the middle of sealing you in and politely asking you to remain inside for a bit. When half a dozen M4s are aimed at you by soldiers in MOPP gear, suddenly evil zombie looking hags seem preferable. No gloves, shame on them, someone’s training NCO forgot a class on FM 3-3!

WTF Moment 1 : Ok, there’s a dead cop on the lobby floor. Is ANYONE going to grab his 92 series Beretta and spare mags? No? Sigh…

WTF Moment 2 : Let’s grab everyone in the building and throw them into the lobby with two bodies. Another extremely obviously sick and drooling lady found? Let’s bring her on down as well! That’s the ticket. Because having someone’s neck ripped out isn’t blatant enough.

A handy vet acting as a doc pronounces it to likely be some kind of rabies. Ok, somewhat plausible. More plausible than zombies, so sure. Why not.

Two “CDC” guys come in. One with an M4, the other with an M9 in a thigh holster. Obviously not CDC, most likely USAMRIID but maybe they want to keep a low profile. Alleged CDC guys start doing their investigation, and get eaten. Talk about realism, they depict US government competency absolutely perfectly. Everyone runs away. Which would be normally a good idea, except:

WTF Moment 3 : They secure their only doctor, an M4 and an M9 in a room with infected. But, alas, their brilliant containment neglects the glass windows on the room.

Ok, if you were secured in a building with rabies infected Californians surrounded by a fair chunk of the US Army, would you run away from a single infected half dead dude with tons of broken bones, or beat the dude to death with ANYTHING within arms reach in order to secure weapons and a medical guy?

So all of the lights are out… They do make use of the light on the camera for illumination. WHY THE HELL AREN’T THEY MAKING TORCHES OR LOOKING FOR FLASHLIGHTS? Fire hazard or not, if I’m locked in a building with more rabid drooling Californians than an Al Gore rally, I’m NOT going to go running around in the dark, unarmed.

Now everyone starts dying in very short order. It’s hard to keep track, but soon enough everyone is turned except one firefighter and the reporters. The firefighter is the only person in the entire film who bothers using an improvised weapon, a sledgehammer. So they start running around the building. Then the firefighter dies. Then the camera light dies. Intelligently, the camera guy switches it to night vision mode. Then tries to hide from an infected.

WTF Moment 4 : If you can see and the other guy can’t, uh… Attack? Maybe? No?

Ok, both die. The end.

In fairness, most of the WTF’s happen in a relatively smooth fashion that is unfortunately very believable. No one stops to think at any point. People don’t adjust to their environment. No one really does any planning whatsoever. No one actually looks at their terrain and makes judgments based on it. No one bothers to kill anyone obviously infected before they turn. No one shows more survival instinct than a drunken lemming on quaaludes.

The film’s worth renting. Probably not worth buying. It’s entertaining in a “let’s watch stupid people die” kind of way. It’s a decent reminder that sometimes it’s worth taking a second to think things over.

If I was in such a situation? The second you get the fact that it’s some kind of virus transmitted through biting or whatnot: Don’t group everyone together, kill all of the pets, tell people to lock themselves in their apartments, tell everyone to get some kind of improvised weapon, and have whoever is armed patrol the common areas to shoot anything infected.

I’d really like to see a horror movie some day where the characters have a degree of common sense. Dog Soldiers is the only one I can recall. The rest? Idiots banging on Darwin’s door screaming “Let me in!”
