• US Department of Defense Just Beginning to Grapple with Scale of Vulnerabilities
    26 replies, posted
https://www.gao.gov/mobile/products/GAO-19-128

In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.

Some highlights:

The test reports indicated that test teams used nascent to moderate tools and techniques to disrupt or access and take control of weapon systems. For example, in some cases, simply scanning a system caused parts of the system to shut down. One test had to be stopped due to safety concerns after the test team scanned the system. This is a basic technique that most attackers would use and requires little knowledge or expertise.

Poor password management was a common problem in the test reports we reviewed. One test report indicated that the test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software.

Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls.

One test team emulated a denial of service attack by rebooting the system, ensuring the system could not carry out its mission for a short period of time. Operators reported that they did not suspect a cyber attack because unexplained crashes were normal for the system.

Another test report indicated that the intrusion detection system correctly identified test team activity, but did not improve users' awareness of test team activities because it was always "red." Warnings were so common that operators were desensitized to them.
That's... shockingly bad. I mean, I can understand this shit in the late '90s and early noughts, but we're supposed to have moved on from this. It's even more embarrassing that this is for national security and they've neglected the security part.
A friend of mine is a software analyst for Raytheon and was telling me about losing his security clearance because his password was something like PassworD2016!
No fucking wonder MOL and shit like that has us use 15 character passwords and change them every other time you try to log in because you forgot it.
CorrectHorseBatteryStaple > hunter2

Is the former flawed in some way such that the latter kind of password is preferred pretty much everywhere? Physical isolation is the best network security IMO. Software just isn't that secure.
The password thing is nuts, we're required at just a regular utility company to have 14 character passwords with symbols, capitals and numbers. It goes up to 18 for admins. But even worse, if these glaring security issues are representative of the wider USA weapon systems then it's incredibly likely that Russia, China and really just about anyone has all kinds of completely hidden access to all kinds of functions and data. And in typical American fashion everyone is just hands in pocket whistling going "nope, no issues here".

"yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic."
You can still break the former with dictionary attacks, i.e. brute forcing over word combinations.
It's a frightening idea that a lot of weapons and defenses could be turned off if someone actually did want to invade. Actually, wasn't that basically the plot of that Homefront game?
The password was definitely "Password".
did they hire bethesda to make this fucking thing
We had encrypted USB devices with confidential data at my office with the password "passwordpassword".
Nah, probably "guest"
Not DoD but I discovered my company's publicly available website (which runs the software we sell) hadn't deleted the default Admin account with the password "admin". They removed it when I pointed it out
As someone in the military it was more than likely "1qaz2wsx!QAZ@WSX".
"DOD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems. Potential adversaries have developed advanced cyber-espionage and cyber-attack capabilities that target DOD systems. Cybersecurity—the process of protecting information and information systems—can reduce the likelihood that attackers are able to access our systems and limit the damage if they do."

Basically this is the military-industrial complex's next big joke at our expense. Design an overpriced system, ignore any criticism of its shortcomings, deploy it and find out it's shit. All because the people in charge are going to make bank.
The problem with that XKCD comic is that the actual entropy values are quite a bit different from the random number/letter combinations, because you'd have to actually know the exact combination in order to actually determine the brute force method -- which you never will. The actual entropy of using the 'bad' password in the XKCD is much higher (and thus much harder for a computer to guess) than a 4-word dictionary-attackable password -- and the latter is also more susceptible to rainbow tables if enough people fall for it.
this was the plot of a Futurama episode
Ah, thankfully I only use that kinda password for an email I don't really care much about and my password database's password has a nonsense word in it. Rest of passwords are generated gibberish. Should change the email one just in case though.
What if it's a full sentence with proper punctuation?
Throwing money at an issue has never solved anything. The strongest and best equipment has come from pressure applied from various directions, be it financial or something more apparently like a war. The 600bn budget likely does more harm than good.
If sites didn't have arbitrary password length limits, I would assert that random paragraphs of novels be used as passwords. Pick your favorite paragraph of your favorite book, and away you go. Username: Gmod4ever Password: CallmeIshmael.Someyearsago—nevermindhowlongprecisely—havinglittleornomoneyinmypurse,andnothingparticulartointerestmeonshore,IthoughtIwouldsailaboutalittleandseethewaterypartoftheworld.ItisawayIhaveofdrivingoffthespleenandregulatingthecirculation.WheneverIfindmyselfgrowinggrimaboutthemouth;wheneveritisadamp,drizzlyNovemberinmysoul;wheneverIfindmyselfinvoluntarilypausingbeforecoffinwarehouses,andbringinguptherearofeveryfuneralImeet;andespeciallywhenevermyhyposgetsuchanupperhandofme,thatitrequiresastrongmoralprincipletopreventmefromdeliberatelysteppingintothestreet,andmethodicallyknockingpeople’shatsoff—then,IaccountithightimetogettoseaassoonasIcan.Thisismysubstituteforpistolandball.WithaphilosophicalflourishCatothrowshimselfuponhissword;Iquietlytaketotheship.Thereisnothingsurprisinginthis.Iftheybutknewit,almostallmenintheirdegree,sometimeorother,cherishverynearlythesamefeelingstowardstheoceanwithme. Good luck dictionary attacking that, hackers!!
This is some Pentagon Wars bullshit
This is some Ghost in the Shell shit.
Seriously I think it's hilarious that we have an over 700b/year budget and can't even do basic shit like proper security or spending properly
It's because that budget goes all towards paying contractors to build more tanks and aircraft that we really really don't need but because those things create jobs and economic opportunities for the places the manufacturing plants exist in, places like congressional districts, they still get massive funding from congress.
Don't use anything you like, it's possible a person with enough investment and knowledge on you will figure it out. If you really were going to use this method I would suggest using a paragraph from a book no one knows you've ever read (and thus one you don't own in any way or have ever rented from any public space). I would probably also use multiple paragraphs from many different parts of the book (and possibly splice them together randomly) so as to make it more difficult to copy and paste passages from it and get lucky that way.
You can up the ante by adding numbers in between so brute forcing is rendered useless. Like c1a2l3lm4e5.i6s7h8m9a1e2l, call me ishmael with 1234567 in between each letter.
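Several posts above argue about the same thing: whether a multi-word passphrase can be "dictionary attacked" over word combinations, how its entropy compares with a mangled single word, and whether interleaving digits into a known phrase defeats brute force. The following is an added example written for this page, not code from the thread or from the GAO report. It implements a small combinator-plus-rules dictionary attack against unsalted SHA-256 hashes and computes scheme entropies under the standard assumption that the attacker knows the scheme and only the random picks are secret. The 15-word list is constructed for the demo, and the digit-interleaving transform is one assumed formalization of the "numbers in between" idea (one digit after each letter, cycling 1..9), chosen so the rule is deterministic.

```python
import hashlib
import itertools
import math

# Constructed toy wordlist for the demo. A real attack uses lists of tens of
# thousands of words plus phrase lists (song lyrics, famous book openings).
WORDLIST = ["correct", "horse", "battery", "staple", "call", "me", "ishmael",
            "hunter", "password", "admin", "guest", "red", "blue", "green", "october"]


def entropy_bits(choices, picks):
    """Entropy of `picks` independent, uniformly random choices from `choices`
    options. Standard assumption (Kerckhoffs): the attacker knows the scheme,
    only the particular picks are secret."""
    return picks * math.log2(choices)


def interleave_digits(phrase, digits="123456789"):
    """The thread's 'put numbers in between' mangling, pinned down as a fixed
    rule (assumed for illustration): one digit after each letter, cycling
    through `digits`. Spaces and punctuation are left alone."""
    out, n = [], 0
    for ch in phrase:
        out.append(ch)
        if ch.isalpha():
            out.append(digits[n % len(digits)])
            n += 1
    return "".join(out)


def sha256_hex(s):
    # Unsalted fast hash, as in a leaked-database attack. A password store
    # should use a slow, salted KDF (bcrypt/scrypt/Argon2) instead.
    return hashlib.sha256(s.encode()).hexdigest()


def candidate_phrases(wordlist, max_words):
    """Every ordered combination of 1..max_words words, joined with "" and
    with a space: the combinator half of a dictionary attack."""
    for n in range(1, max_words + 1):
        for words in itertools.product(wordlist, repeat=n):
            for sep in ("", " "):
                yield sep.join(words)


def crack(target_hash, wordlist, max_words, rules):
    """Dictionary attack over word combinations. Each candidate phrase is run
    through every mangling rule. Returns (plaintext, guesses) or (None, guesses)."""
    guesses = 0
    for phrase in candidate_phrases(wordlist, max_words):
        for rule in rules:
            guesses += 1
            candidate = rule(phrase)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


# Rule set: try the bare phrase, then the digit-interleaved form.
RULES = [lambda p: p, interleave_digits]


def demo():
    """Crack three passwords built from the toy list and report the guess
    counts, alongside scheme entropies for realistic list sizes."""
    bare = "call me ishmael"
    results = {}
    for pw in ["correct horse battery staple", bare, interleave_digits(bare)]:
        results[pw] = crack(sha256_hex(pw), WORDLIST, 4, RULES)
    results["bits: 4 words from a 2048-word list"] = entropy_bits(2048, 4)
    results["bits: 4 words from a 7776-word Diceware list"] = entropy_bits(7776, 4)
    results["bits: 8 random printable ASCII chars"] = entropy_bits(95, 8)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k!s:45} -> {v}")
```

Two things fall out of running it. First, the digit-interleaved "call me ishmael" is recovered exactly one guess after the bare phrase, because once the mangling rule is in the attacker's rule set it costs one extra hash per candidate rather than adding search space; the secret is the phrase, not the decoration. Second, four words from a 2048-word list give 44 bits and from a 7776-word Diceware list about 51.7 bits, close to 8 fully random printable characters (about 52.6 bits), provided the words are chosen by dice or a CSPRNG rather than picked by a person; the toy 15-word list here gives only 4 × log2(15) ≈ 15.6 bits, which is why every hash cracks in under a second.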