
Nearly every U.S. arms program found vulnerable to cyber attacks


Kirk W


Not surprising; the government isn't willing to pay for the skilled folks needed to write secure programs, pay for the tools to catch what they miss, and pay for penetration testing to catch what the tools miss. Paying for the skilled folks needed to test and install updates is another area where nobody wants to play.

 

About as bad on the civilian side: so many critical infrastructure systems are out there with no security, default passwords or easily guessed ones, and the only reason we haven't had a disaster is that nobody wanted to cause one. Given the number of stateless (and hard to retaliate against) bad folks out there, hoping nobody decides to turn off power to the east coast in retaliation for something we did is a frail hope.

 

Like so many consumer companies today, the government and infrastructure companies are exercising the ostrich method of security, not realizing that burying your head in the sand leaves your behind sticking up in the air just waiting to get booted.

First rule of computer consulting:

Sell a customer a Linux computer and you'll eat for a day.

Sell a customer a Windows computer and you'll eat for a lifetime.


Yep,

While it sounds like the same problems consumers have, this one's totally different. Regardless of the reason one does not have the time or bandwidth, it is too late after the loss to patch a system in a timely manner.

 

Excerpt:

 

"The findings were included in an annual report by DoD’s Office of the Director for Operational Test and Evaluation and released Jan. 29. The office assessed 33 DoD programs in fiscal 2012 and 2013. Half of the 400 security vulnerabilities were identified as category one, meaning they could allow “debilitating compromise” to DoD systems.

 

As of November 2012, CANES had 29 category one vulnerabilities and 172 less severe vulnerabilities, the report found. It isn’t clear how many of those issues have been resolved, but the report’s most recent recommendations suggest the Navy mitigate outstanding cyber vulnerabilities prior to initial operational test and evaluation.

CANES will replace legacy networks on ships, submarines and shore sites.

 

“The majority of system vulnerabilities discovered in operational testing over the last two years could and probably should have been identified and resolved prior to these tests,” Director Michael Gilmore said of the 400 vulnerabilities.

 

“There is general agreement that systems must be assessed for cybersecurity earlier in a system’s development,” Gilmore said in the report, adding that his office is collaborating with the under secretary of defense for acquisition, technology and logistics to revise cybersecurity policy to address the shortfall.

 

Among the category one vulnerabilities, the most common were out-of-date or unpatched software, configurations that included known code vulnerabilities, and the use of default passwords in fielded systems, the report noted.

 

Eighty-nine percent of the 400 vulnerabilities could have been found in developmental testing, versus the remainder that required an operational test to uncover."

 

That last line from the article above, which I highlighted in red, is the crux, as this mostly refers to CANES, a Navy program that was contracted out to Lockheed in 2011 to avoid security issues. The article quoted above is here: http://www.defensenews.com/article/20140204/C4ISRNET07/302040033/DoD-report-identifies-hundreds-security-vulnerabilities

 

Actually, the full report, a 50 MB PDF file, is available in the blue link in the article above for anyone who wants to download it and read it for themselves.

 

So what is CANES?

CANES, a custom-designed system for the Navy, is not Windows or Linux based AFAIK. Northrop Grumman won the contract but (cue Gomer Pyle voice) Surprise, Surprise, Surprise! A multi-vendor contract was let so Lockheed could dip into the funding.

 

Excerpt:

 

"The US Navy’s Consolidated Afloat Networks and Enterprise Services (CANES) program is designed to streamline and update shipboard networks to improve interoperability across the fleet. It will replace 5 shipboard legacy network programs to provide the common computing environment on board for command, control, intelligence and logistics. The primary goal of the CANES program is to build a secure shipboard network required for naval and joint operations, which is much easier when you consolidate and reduce the number of shipboard networks. That consolidation can also lower costs and maintenance requirements and reduce training needs, if good choices are made. The intent is to build it as an Infrastructure and Platform as a Service (IaaS / PaaS) and field it on a rolling 4-year hardware baseline and a 2-year software baseline.

 

In 2010, the US Navy awarded 2 contracts, with a potential value of $1.7 billion, for the design and development of the CANES common computing environment. Northrop Grumman and Lockheed Martin are competing, and a single prime contractor was expected to be picked in 2011. It took until early 2012, but Northrop Grumman won. By 2014, however, a multi-year, multi-vendor contract was in place…"

 

That article is here: http://www.defenseindustrydaily.com/US-Navy-to-Lean-on-CANES-to-Integrate-Shipboard-Networks-06221/

 

I doubt we have heard the last of that SNAFU.

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire
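The three most common category-one findings the report names (unpatched software, configurations with known weaknesses, default passwords in fielded systems) are exactly the kind of thing a developmental-test inventory check can flag before operational test. What follows is an added example and not code from the DOT&E report, the CANES program, or any poster in this thread; the host records, the default-credential list, the minimum patched versions and the "known bad" settings are all constructed assumptions for illustration, and passwords are compared as unsalted SHA-256 hashes purely to keep the example self-contained.

```python
"""Audit a fielded-system inventory for the three most common category-one
finding classes: unpatched software, known-weak configuration, and default
passwords. Added example; every table and host record below is constructed."""
from dataclasses import dataclass
import hashlib


def sha256_hex(text):
    """Unsalted SHA-256 hex digest (simplification for the example only)."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed: vendor default credentials an auditor would check for.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "toor"),
    ("cisco", "cisco"),
}
# Inventory stores account hashes, so precompute the hashes of the defaults.
DEFAULT_CREDENTIAL_HASHES = {(u, sha256_hex(p)) for u, p in DEFAULT_CREDENTIALS}

# Constructed: lowest version of each package that carries the relevant fix.
MIN_PATCHED_VERSION = {
    "openssh": (7, 4),
    "apache-httpd": (2, 4, 41),
}

# Constructed: (service, key, value) triples that are known-weak settings.
KNOWN_BAD_SETTINGS = {
    ("sshd", "PermitRootLogin", "yes"),
    ("sshd", "PasswordAuthentication", "yes"),
    ("httpd", "ServerTokens", "Full"),
}


@dataclass
class Host:
    name: str
    software: dict   # package -> version string, e.g. "7.2p1"
    config: dict     # (service, key) -> value
    accounts: list   # list of (username, sha256_hex(password))


def parse_version(text):
    """'7.2p1' -> (7, 2): keep leading numeric components, stop at a suffix."""
    parts = []
    for chunk in text.split("."):
        digits = ""
        for ch in chunk:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def audit_host(host):
    """Return (category, detail) findings for one host, in a fixed order."""
    findings = []
    for pkg, ver in host.software.items():
        minimum = MIN_PATCHED_VERSION.get(pkg)
        if minimum and parse_version(ver) < minimum:
            wanted = ".".join(map(str, minimum))
            findings.append(("unpatched", f"{pkg} {ver} < {wanted}"))
    for (service, key), value in host.config.items():
        if (service, key, value) in KNOWN_BAD_SETTINGS:
            findings.append(("weak-config", f"{service}: {key}={value}"))
    for user, pw_hash in host.accounts:
        if (user, pw_hash) in DEFAULT_CREDENTIAL_HASHES:
            findings.append(("default-password", f"account {user}"))
    return findings


def audit_inventory(hosts):
    return {h.name: audit_host(h) for h in hosts}


def severity_summary(report):
    """Count findings per category across the whole inventory."""
    counts = {}
    for findings in report.values():
        for category, _ in findings:
            counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample inventory (hypothetical hostnames and settings).
SAMPLE_INVENTORY = [
    Host("ship-fileserver-01",
         software={"openssh": "7.2p1", "apache-httpd": "2.4.41"},
         config={("sshd", "PermitRootLogin"): "yes"},
         accounts=[("admin", sha256_hex("admin")),
                   ("ops", sha256_hex("N0t-a-default!"))]),
    Host("ship-router-02",
         software={"openssh": "8.4p1"},
         config={("sshd", "PermitRootLogin"): "no"},
         accounts=[("cisco", sha256_hex("cisco"))]),
    Host("shore-web-03",
         software={"apache-httpd": "2.4.38"},
         config={("httpd", "ServerTokens"): "Prod"},
         accounts=[("webadmin", sha256_hex("Strong-unique-passphrase"))]),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for host, findings in report.items():
        print(host, findings or "clean")
    print(severity_summary(report))
```

Run as-is it prints one line per host and a per-category count; in a real program the inventory would come from a credentialed scan or configuration-management export, and the patched-version and known-bad tables from the program's own vulnerability tracking rather than hard-coded literals.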


While some things can be blamed on the operating system having a newly discovered bug, so many are stupid programmer errors that will be committed regardless of the OS, language or development environment. Skilled developers who know the hardware, OS, language and tools are the first line of defense... Absent that, you get your own article here someday.

 

Sad programming situations: DailyWTF, mostly interesting to programmers who want to be reassured that things are worse in some other shop. If you visit the comments, you'll get a good dose of snark and some insight into just what is wrong with the examples in the article. This one greatly resembles the next-to-last government contract I worked on; sometimes the only way to improve things is with a copier and a freshly printed resume.


Yep that 11% is covered in the articles as well. I so agree.
