Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Wednesday October 10 2018, @04:37PM   Printer-friendly
from the who's-aiming-that-thing,-anyhow? dept.

Submitted via IRC for chromas

Pentagon's new next-gen weapons systems are laughably easy to hack | ZDNet

New computerized weapons systems currently under development by the US Department of Defense (DOD) can be easily hacked, according to a new report published today.

The report was put together by the US Government Accountability Office (GAO), an agency that provides auditing, evaluation, and investigative services for Congress.

Congress ordered the GAO report in preparation to approve DOD funding of over $1.66 trillion, so the Pentagon could expand its weapons portfolio with new toys in the coming years.

But according to the new report, GAO testers "playing the role of adversary" found a slew of vulnerabilities of all sort of types affecting these new weapons systems.

"Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications," GAO officials said.

The report detailed some of the most eye-catching hacks GAO testers performed during their analysis.

In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.

Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system.

In one case, the test team took control of the operators' terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded.

Another test team reported that they caused a pop-up message to appear on users' terminals instructing them to insert two quarters to continue operating.

Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.

The report claims the DOD documented many of these "mission-critical cyber vulnerabilities," but Pentagon officials who met with GAO testers claimed their systems were secure, and "discounted some test results as unrealistic."


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Interesting) by VLM on Wednesday October 10 2018, @11:12PM (5 children)

    by VLM (445) Subscriber Badge on Wednesday October 10 2018, @11:12PM (#747194)

    satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders.

    They aren't running a online bank. Or I hope they were not talking about finance POGs.

    For a good laugh ask a mil vet where they kept the humvee keys. (There is no such thing...)

    There are stories going back to WWII (probably earlier?) of soldiers dying because vehicles were locked up and the only guy with the key got vaporized or medevac'd.

    The way the military handles it is you can't steal a SR-71 because the armed guards would shoot you and for cheaper things like humvees our reserve unit had bizarre after market steering wheel locks and stuff like that. Also if someone stole a piece of shit humvee we'd just follow the oil leak and blow them away. Those cool high tech transmissions sure leaked oil real well.

    The military has "cheap" labor for guard duty and unlike the civvy world "well the computers were down or my password needed resetting" is not an acceptable excuse for a unit to get blown away.

    The database system I admined in the Army (a long time ago, between the gulf wars) had minimal protection from insiders, but to become an insider you'd have to kill the infantry platoon guarding the site, then kill everyone in the van including me and the chief and the LT, then hope things worked afterward, and when you're done you gain info thats frankly not terribly useful without the onsite operators (who are dead, as previously mentioned). So a post it note with the password on it is actually good security in that no enemy hands could get within hundreds of feet of the keyboard unless we're all dead, but a sniper or mortar crew could pick off the CWO-3 from a mile away and then we're all locked out which could tactically be very bad indeed under war time conditions, so post it notes make sense.

    (note this system was not networked to the outside world at all, our "WAN" was couriers with floppy disks and/or tapes...)

    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 2) by legont on Thursday October 11 2018, @01:33AM (3 children)

    by legont (4179) on Thursday October 11 2018, @01:33AM (#747238)

    So, what if a military guy of relatively low rank gets pissed off with liberals and decides to nuke NY? Is is feasible?

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    • (Score: 0) by Anonymous Coward on Thursday October 11 2018, @03:48AM (2 children)

      by Anonymous Coward on Thursday October 11 2018, @03:48AM (#747278)

      IIRC, launching a nuke generally requires two people operating controls on opposite sides of the room at the same time.

      • (Score: 0) by Anonymous Coward on Thursday October 11 2018, @09:02AM (1 child)

        by Anonymous Coward on Thursday October 11 2018, @09:02AM (#747347)

        Yeah, until someone wires a car battery so they don't have to? Or so they have all 0000000 for launch codes, just so they don't forget? Right?

        We are fucking lucky we are still alive.

        • (Score: 2) by VLM on Thursday October 11 2018, @02:55PM

          by VLM (445) Subscriber Badge on Thursday October 11 2018, @02:55PM (#747442)

          This kind of thing comes up a lot in world building military sci fi type discussions and there's a lot of unclassified info.

          Its very unlikely to work in practice.

          In the sense that in theory after a zombie apocalypse I or someone similar to me could break into a nuclear power plant and turn it up and generate power, yes. In practice, it would take a team of people roughly the size of the former staffers to realistically pull it off, lacking the experience they won't do as well of a job as the former staffers, and when you're talking those numbers its a successful invasion scenario, not a lone wolf. Also the rest of the world is either not going to help or actively interfere making it even more difficult.

          To some extent if the military thought they could get away with a SF sized team running the weapon system, thats all they would staff, so ... given the name "crew served weapon" anything as complicated as a M2 or worse is mostly lone-wolf-proof.

          A good analogy is in theory paper and dice role playing games are boring because a player could roll an infinite streak of natural 20s on a D20 devolving the whole game to boredom. In practice its not a serious concern.

  • (Score: 2) by HiThere on Thursday October 11 2018, @05:42AM

    by HiThere (866) Subscriber Badge on Thursday October 11 2018, @05:42AM (#747297) Journal

    I suspect you don't think like one of the people who *do* break into systems. That is couldn't be done in the ways you guarded against isn't real evidence that it couldn't be done. Social engineering, much less unexpected bugs, has repeatedly demonstrated that systems presumed secure aren't. So I'm more willing to believe the GAO than apologists for expensive new weapons systems.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.