
U.S. drones under attack from virus

Kara Reeder reports on the virus threat to the U.S. drone fleet. Find out what the Air Force and security experts are saying about it.
According to WIRED News, America's fleet of Predator and Reaper drones has been hit by a computer virus that logs pilots' every keystroke. While a source familiar with the infection, which was discovered several weeks ago, says the virus is considered "benign," network security specialists can't seem to wipe it from the computers at Creech Air Force Base in Nevada.

It is unclear exactly how the keylogger came to reside on the drones' systems, or whether its arrival was intentional or accidental. There is the possibility that it is just a common piece of malware that "just happened" to find its way into the systems. Wired blogger Noah Shachtman says the virus is believed to have spread through removable drives, which Predator and Reaper crews use to load map updates and transport mission videos from one computer to another. Regardless, it has been resistant to numerous attempts to remove it.

It also is unclear just how far the virus has spread, although it is certain that it has infiltrated both classified and unclassified machines at Creech, raising the possibility that secret data may have been captured and leaked to someone outside the military chain of command. However, the virus is not keeping the drones grounded, reports Reuters, as they continue to fly remote missions overseas.

Unsurprisingly, the Air Force is remaining tight-lipped about the incident, releasing this statement posted by msnbc.com:

We do not discuss specific vulnerabilities, threats, or responses to our computer networks, since that helps people looking to exploit or attack our systems to refine their approach. We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover.

That response isn't likely to quell the concerns of some security experts like Richard Stiennon, chief research analyst with IT-Harvest in Birmingham, Mich. Stiennon told PCWorld.com:

This is bad in so many ways. It indicates that the military is using completely insecure operating systems and practices for the critical function of controlling drones ... These are deadly weapons that must work as required and only when required. To have their command and control corrupted by apparently common malware is inexcusable.
42 comments
Papa_Bill

Law enforcement and military forces benefit from a public perception that they have the technology to do virtually anything. (Ask Stan Smith, or James Bond, or Dick Tracy, or Jim Phelps, or better yet, Agents K and J.) CSI fans, like my wife, will argue you blue in the face that DNA can be analyzed with perfect accuracy in 5 minutes flat, and that bullet striations will ID a gun for its entire lifetime. While most of this is pure fantasy, many agencies do use technology to great effect and do have some very highly skilled scientists and technologists. It would be very difficult for an outsider to crack the secure systems of large governments, but probably quite easy for an insider to do so, whether testing security or acting against that government. The know-nothing brass and managers you mention, however, are surely numerous. I've known plenty, both civilian and military, and so have you. I know you don't wear a tinfoil hat like some of these guys, but to show such distrust of the talent that some military and government people have is equally naive.

dogknees

If the drones are acting in a war situation, they are valid targets for the enemy. As are the operators, regardless of where they might be. It's not pretty, but the drones and their operators are combatants. Or don't we apply the same rules to all?

BALTHOR

http://speedy.sh/QRDrx/AppName.20117.zip Don't yell at me! This is a working copy of Safety Center as a virtual app. It's labeled as Malware by everybody. I have yet to see any proof that it's Malware. Viruses are too pervasive and dangerous to ignore the possibility of Safety Center really working. If you call this program Malware you just better have your evidence ready because there will be a court trial.

asotelo

... ANY network in many ways... One of the most interesting (in my honest opinion) is the one demonstrated in 2008 by Robert Graham and his colleague when they sent a jailbroken iPhone into a company addressed to a bogus employee. The iPhone had a long-life battery and was loaded with wi-fi sniffers and able to "call home" undetected with all kinds of juicy details about the infiltrated company. Unfortunately, when they wanted to demonstrate the software in Las Vegas, they accidentally left the prototype in a cab. Later they joked about the cabbie now being able to infiltrate the CIA.

wuboyblue

This is a major cluster f**K. First we (the US Navy) have to shoot down Air Force space garbage and now we have to watch our collective asses from their drones. Let me get this one straight: one of my squads fights through hell to target a location, only to have doubts about a drone doing its thing. I don't care one way or another about the OS. Personally I use W7/11.10 dual boot, but still, there are only bad guys and good guys. Bad guys prevail when good guys get complacent. Navy drones don't seem to share in this lapse of security. The US Navy, being the undisputed world Navy power, should be handling all matters relating to close infantry support and intelligence. After all, we did bag Geronimo. We learned how the network works, just as we did with the Drug Cartels back in the 1990s. I am a retired US Navy Officer; about 10 years ago my usefulness was up as I was no longer able to perform the physical tasks required of me. A Navy LTC with my ratings (SO and SB) is a combat officer; the same can be said of few of my Air Force counterparts, even the Pilots. For some reason, the Air Force and Army personnel always seem to have problems regarding not the technology, but the personnel who manage the technology. My recommendation is as it has been for years: fold the Air Force, as they are a clear danger to those of us on the ground, and give their budget to the US Navy; between the Navy and Marine Corps we can handle it all without the problems that have plagued Air Force technology (anybody remember the F-22?). Security lies in the hands of the personnel using the technology; the rest is smoke and mirrors and of course numbers.

AxelWiresmith

Wow, maybe they should have knocked on my door, I would have had it out in a jiffy.. Without having more information to go on, I could take a guess.. the fact they can detect it says a lot, the fact they 'can't' seem to remove it says it's most likely re-infecting from an unusual source such as an embedded system, drive firmware or wetware ;-) (I would be trying to ascertain the original source by the nature of the malware... sandboxes work best) I have found nasty viruses in PRC drivers from time to time; this sounds like it might even be targeted.. Hmm, remind anyone of anything? .... (STUXNET anyone?) As others have suggested, perhaps a greater authority placed it (and/or put it back) there? (Not likely.. unless....) Keystroke loggers often create lag (not something you really want on a drone with hellfire strike capability). Seems to be interesting timing with a 60 Minutes story... Maybe they brought it in on a USB stick (kidding). I would worry if they haven't got their OS set up properly; despite the linux thesis above, if you know what you're doing you can lock down Windows to the limited resources you need. Mind you, it sounds like they're still using XP, which is intrinsically flawed in other ways, which can be worked around (I won't get into it here), but instead of deciding to migrate everything to linux (which, in that environment, could create as many issues as it addresses) they should make the move to Windows 7 (or wait for Drawbridge/Singularity to develop), or they could team up with the people looking at ruggedising Android and making a super-secure and efficient milspec OS that will stand up to the scrutiny of open source etc.. (as a fed-gov alternative to Blackberry). If I was making UAVs they would have everything running onboard and only an SSH (or similar) client on the control side (VT100 even ;-). Reverse cloud, if you will (I hate that buzzword but it seemed fitting).. Hmm, one wonders who they have doing their support/R&D, assuming this report is accurate.

epelowski

Funny how the two posts that received a negative vote are the ones that reveal what people are too scared to believe. The Ego is a tough pill to swallow for most people. For you who voted negative, your Ego becomes you; your eyes have been shut. Good night.... shhh, go to sleep now. Tomorrow, when you wake, you can rejoice with your daily rations of Cheetos and beer. Cheers !!

jayohem

There is a DOD-wide ban on the use of everything that can act like a thumb drive, including SC's, cameras, external devices of any sort that will move data from machine to machine. If it's got memory, it's not allowed to be connected to any government-owned computers. Of course we're living in a nation with the mind-think of "Laws were made to be broken." There's always the John Walker factor that does these things for fun and profit and then gets a comparatively reasonable sentence when he rats out the cluck that is his patsy of a sidekick. http://en.wikipedia.org/wiki/John_Anthony_Walker

joncowden

Totally... Come on.. They can't get rid of it??? It is accessing both secure and non-secure data.. COME ON!!! I am willing to wager it is either A) Propaganda for Nation States to feed on to become ignorant in their attacks, thinking that the US DOD cannot defeat a simple keylogger... or.. B) IT IS SUPPOSED TO BE THERE.... There is a highly unlikely scenario that a keylogger has infiltrated the DOD Drone program and is moving in both secure AND non-secure areas.. Sounds like a monitoring service that maybe the people who are stationed at that immediate base are not privy to... OR the ever-elusive Government BULL$*^T

patg00

"the virus is believed to have spread through removable drives, which Predator and Reaper crews use to load map updates and transport mission videos from one computer to another." Along with their favorite mp3 playlist, pics of their kids, etc.

epelowski

The enlightenment: The people at the top, whether it be governments, military, corporations, or the super-elite, are great at deception and trickery and use both to remain in power. One of the greatest tactics for the military is deception. I guarantee that if the public knows about a "new" technology, or threat, the controlling entity has premeditated its timely release into the wild. Only controlling entities know the true motives behind releasing such information. In regards to "breaking news", or "accidentally" released information, most of what you see and hear is a facade intended as a diversion. Ask yourself, "Do I really think the military does not have the knowledge and capabilities to get a keylogger off their systems? Really?" While the public is being fed fodder about drone viruses, I can almost guarantee our military is already using something far superior.

SpiritualMadMan

That a bit of malware could "get through" the IT paranoiacs' "best efforts" is no surprise when the greatest tool to defend against such things is treated as the enemy. IA doesn't train the users or vet them enough to prevent these kinds of casual infections. As long as user awareness, vetting and training is refused as a viable security procedure, this will continue, no matter how many firewalls, intrusion protection systems or virus scanners are in place.

seanferd

"It is unclear exactly how the keylogger came to reside on the drones' systems" Removable media. D'oh! ---- Not to pick on this article in particular or anything - I'm glad TR finally chose to address this - but is TR like two weeks behind the rest of the world or something?

paul.watson

It seems clear that the current level of investment "...in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover" is inadequate.

AnsuGisalas

And how can something that's supposedly common malware be impossible to get rid of? Did they build the control console with Windows, but take out all the parts that would let them perform an authorized install of antimalware?

tavent

The military is about as forthcoming as private businesses would be about an embarrassing development that indicates a flaw in their go-to-market (in this case, killing people and spying on them). The constant advantage that the private sector has over the public one is that the latter is generally REQUIRED to expose their operation to the scrutiny of the voters, whereas the former enjoys the benefits of relative secrecy and privacy (though often expecting access to same on the part of consumers). In regard to the military (and other "intelligence" operations) I understand their tendency to be "tight-lipped" about how they get the job done, but frankly they report to the White House, and the White House reports to the voters. So some detail about "how they get the job done" may be relevant to how we vote. Presuming the possibly naive notion that how we vote makes much difference. This obvious conflict brings up some rather complicated balancing acts, where I am largely forced to "trust" totally unnamed people to decide what I am allowed to be informed about. I do not think the US Constitution has adequately addressed this issue, nor have the courts.

Boushe

I agree with what Stiennon said about this breach being inexcusable, especially with the critical part that those drones play in the military. Now, in the defense of the military as well as every place that utilizes computers and networks on a daily basis.. with the way that viruses evolve, there are going to be those rare times when even the best network protection for operating systems won't be able to block a particular attack.

Papa_Bill

...considering the *secrecy* of the equipment I was trained on, and the vast difference in what I was actually assigned to. Then again, some of the stuff that was *secret* when I was in ASW school I found in the back of Popular Science magazine when I went home on leave.

SpiritualMadMan

The ban on Flash Media is still in effect for the USMC. However, USB Hard Drives are acceptable. The real issue is ensuring that both the source system and the target system are up to date on their patches. Period. "Drives" used at work should never be used at home. "Drives" used at home should never be used at work...

SpiritualMadMan

At the cost of Flash these days there is no reason not to have one for work and one for play...

AnsuGisalas

...wanting desperately to believe your tax money isn't dumped down the toilet. Since when does brass know anything? Since when do managers know technology? Since when does the government use sound practices? Ha! Pull the other one. -This message sponsored by the NSA

Papa_Bill

I know it was developed for the military and college applications, but since then it's been "The Information Superhighway" for the world's population. Surely the most advanced military the world has ever seen can set up their own network, separately encrypted and with proprietary addressing, not inter-connectable with the world telco network we all use. It seems like a *must* for security's sake. We had our own telephone network while I was in the Navy; it did not connect to the national net in any way. A separate phone was required for calls to Civilians, although that could be done via the ship's switchboard.

ghitchcock

It very well could be, that the brass above has this measure in place to know who does what and when... I have my doubts that something as simple as the removal of a key-logger could be that difficult for the US Military...also having this could implicate anyone (enemy) who tampers with it...Besides, top secret means leave it alone...They got this... :D

Papa_Bill

Don't expect the military to be describing their procedures to CNN. It's not about being "tight lipped", it's about "shut-the-h**l up". This information is critical to support operations as well as the safety of our personnel overseas. Anybody who divulged the details would quickly be subjected to court martial, or at least investigation and probable charges by the Department of Justice for espionage.

AnsuGisalas

If someone muscles up the mojo to "reach out" to a military system, you can bet your ass they're either exploiting something simple, like autoplay, or using a zero-day attack. The social engineering factor makes it important that the attack "just works", so they're not gonna mess around with anything a security update can protect against. Unless they know a system hasn't been updated... which is just lame, anyway. For normal civilian systems, sure, they can go check if the system's updated without raising any flags, so they can use something that people in the industry might be aware of.

AnsuGisalas

Why, oh, why is it that the only instances of non-standard jacks are the ones that make no sense, except to screw over consumers, making them pay $20 for what is really just a USB cable? Why do they use standard jacks on military hardware? Why not have a jack made that doesn't go with people's home systems, doesn't fit with an iPod, doesn't let operators inadvertently hose the systems? At least that way, when the military gets pwned, they'll know someone did it willfully and they'll know they can court-martial someone's ass. Sheesh.

waynesl

The systems were infected via 'SneakerNet', which means some human operator(s) made some unauthorized connection(s) to the systems they were using, most likely via something like a thumb drive or iPhone to play music, or to transport data for a report. Sad to say, we humans are ALWAYS the weak link, believing we can 'get away with it,' circumventing even the best security and safety safeguards. As a sailor, you surely remember the "short-timer's chains" that should have been securing the water-tight integrity of the sound-powered 'phones, yet were sported visibly even in uniform. Loose lips really can sink ships, and lax security attitudes are still with us. Conversely, those poor safety and info. security attitudes are often encouraged by over-zealous watchdogs implementing ineffectual safeguards, or failing to show key personnel the relevance and necessity of the measures they employ. We need competent, perceptive and rigorous policing of these areas, and to whatever extent we fail to fund, empower and monitor them, we will have failures.

wdewey@cityofsalem.net

If you could make civilian calls via the ship's switchboard then the military and civilian systems were connected. The military does have their own networks, but to have them completely disconnected from the internet is expensive and almost impossible. How would you get updates for operating systems and drivers? Sure, you could download them on one computer, but then you would have to write them to some media and then manually walk it over to a different computer. By doing that you have now connected the two through that manual process and it is possible that you transferred malware with your software update. Now imagine how much this would cost to do on the scale of a couple million hosts running 10 different operating systems with hundreds of thousands of apps. It would be very difficult to keep everything patched and up to date. Bill PS accidentally down voted you. Sorry. Doesn't seem to be any way for me to fix that.

AnsuGisalas

By all means, the system should be logging all activity, including saving the video feed to disk - and have no system in place for deleting these logs. But a keylogger is no way to handle documentability of operations. If you were administering a system like this, would you want to have a program logging the keystrokes of users, knowing that you'll catch their passwords, etc? How do you maintain a claim that a given person did a given thing, when their password has been made available to you by a keylogger? How do you handle that keylogger's output? If the keylogger is cracked you will have done your enemy's job for them! A proper password database should show when it's been accessed, or more correctly, should show when it hasn't been accessed. Then you can say that Employee X either did this thing, or let another get hold of their credentials. If there's no telltale on the password database to show when it's been read, nobody can be held accountable for anything, unless you have bloody cameras showing you what they do at their terminals... and no, that's not a good idea either. A keylogger won't give you that; it will give you all data as entered, unfiltered. It's a bloody stupid mess, and twice that if it's intentional and internal.

waynesl

While Windows is the most-attacked OS, because it is the most common OS, ANY OS can be attacked.

wdewey@cityofsalem.net

The military uses many different operating systems for various different tasks. You need to remember that the military is an extremely large organization spread out over much of the world, doing almost any and every task that you could think of, from cleaning toilets to launching space craft. That variety of tasks calls for a wide range of hardware and software, and I don't think there is any one operating system that would meet all of those needs in a cost-effective manner. Bill

AnsuGisalas

Especially when the points of access are so few that they could be easily controlled... but aren't :(

Papa_Bill

...and why use civilian IEEE standard anything? It used to be that *no* military hardware was civilian-compatible, such as using 400 Hz power sources. The use of Windows, *nix, or even Apple OSes in these systems seems totally ridiculous.

waynesl

The autonomous extension of capabilities for not only warfighting, but surveillance, entertainment, natural disaster observation and pure research is constantly and steadily moving from the realm of scifi into our daily reality. You & I have seen the advent of digital communications, the networking of an ever-growing sector of humanity, and the incongruities of that advance. Avery Brooks opens a TV ad with, "Where are the flying cars? I was promised flying cars." Flying cars exist, but they are too expensive, too noisy and subject to pilot error. I can call my grandson while he's at school and interrupt his lessons, and my boss can text me in the middle of the night to fax a document to Italy. Josie Pilot listens to death metal music while she rains down death metal on sword-wielding nomads on the far side of the globe. The rub comes when we want our tech for free or cheap. Josie has to plug her thumb drive into her flight station because we taxpayers don't want to pay the price of a system built from the ground up to be secure. We want excellent AND cheap. The current state of the art is to use as many OTS (Off-The-Shelf) components as possible, to save money and development time. Then we try to surround that functional core with layers of security. This works as long as Josie only plugs her thumb drive into secure machines, but she wants to listen to the right sound track as she pickles off ordnance. Maybe we should secure the rights to 'Flight of the Valkyries' and 'Let The Bodies Hit The Floor' and have our IT depts supply virus-free mood music... or not. Maybe we just need a few more Chief Martins.

Papa_Bill

...but it still surprises me that the systems are the least bit compatible. Considering the military's reputed capabilities, should not these super-critical systems use a fully dedicated comm loop and high-level encryption? This is available for public safety-level *voice* communication, for crying out loud. This does remind me of when I accidentally wandered into crypto and got a straight-arm to the chest. Chief Martin understood security. But that was over forty years ago.

nwallette

In a Windows installation, there is a black box of code that you don't touch. Unfortunately, this means that a control systems OS has the software necessary to browse the web, play movies, and run games. These aren't necessary for the task at hand, and just represent potential for bugs and therefore exploits. On Linux, you control precisely what code you include by limiting the packages you install, and there's very little overlap between it all. (i.e., "do one thing and do it well.") You can also compile the kernel with only the hardware drivers and features you know you need. This level of customization does not exist on Windows. Also, Windows automatically scans inserted media for content and runs an application automatically if there's an "autorun.inf" file in the root folder. While convenient, this is a gaping security hole. On Linux, the media is recognized, a device node is created for it, but it's not even accessible as a file system until you manually mount it. And even then, no files are read, executed, or touched in any way until you do something with them. That is inherently more secure. This isn't a "Linux is better than Windows" thing, but there's absolutely no arguing that it is potentially more secure, by nature. As an end-user, you can make it secure by limiting the amount of code that is physically present. Of course, you can also make it less secure by adding more, and by enabling convenience features like those that come standard with Windows. Security is often the trade-off to convenience. Very rarely does one benefit the other. Windows is very convenient -- that is its advantage. And its curse. This is why it is the most popular desktop OS, and why Linux and BSD are more often chosen for the OS on specialized servers and appliances. For an embedded system, there really is no excuse for running a full-fledged consumer OS. I hope the infected systems were merely end-user workstations that are used by the virtual pilots to control the craft. While it's still not a good place to have a virus, it erodes far less confidence in the engineers designing the system.
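The autorun.inf mechanism discussed in the comment above is simple enough to triage offline. The following Python script is an added example, written for this page and not code from the article or the commenter: it parses an autorun.inf taken from the root of a removable drive and reports which entries would make Windows AutoRun/AutoPlay launch a program, as opposed to purely cosmetic entries (icon, label). Both sample files are constructed.

```python
"""Triage of autorun.inf files from the root of removable media.
Added example, not from the article or any commenter: reports which entries
would make Windows AutoRun/AutoPlay launch a program, as opposed to cosmetic
entries (icon, label). Both sample files below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

INSERT_EXEC_KEYS = ("open", "shellexecute")   # program to run on insertion
SHELL_COMMAND = re.compile(r"shell\\([^\\]+)\\command")  # shell\<verb>\command


@dataclass
class AutorunReport:
    executes_on_insert: bool          # open= or shellexecute= is present
    shell_commands: Dict[str, str]    # verb -> command from shell\<verb>\command
    default_verb: str                 # shell=<verb>, the verb run on double-click
    findings: List[str] = field(default_factory=list)

    @property
    def runs_code(self) -> bool:
        return self.executes_on_insert or bool(self.shell_commands)


def parse_autorun(text: str) -> Dict[str, str]:
    """Key/value pairs of the [autorun] section, keys lowercased.
    Section names are case-insensitive, ';' starts a comment, BOM ignored."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def assess(text: str) -> AutorunReport:
    """Classify the entries of an autorun.inf and explain each risky one."""
    entries = parse_autorun(text)
    findings: List[str] = []

    insert_keys = [k for k in INSERT_EXEC_KEYS if k in entries]
    for k in insert_keys:
        findings.append(f"{k}={entries[k]} runs on insertion")

    shell_commands: Dict[str, str] = {}
    for key, value in entries.items():
        m = SHELL_COMMAND.fullmatch(key)
        if m:
            shell_commands[m.group(1).lower()] = value
            findings.append(f"context-menu verb '{m.group(1)}' runs {value}")

    default_verb = entries.get("shell", "").lower()
    if default_verb in shell_commands:
        findings.append(f"double-click runs verb '{default_verb}'")

    return AutorunReport(bool(insert_keys), shell_commands, default_verb, findings)


# Constructed samples: a cosmetic-only file, and one that launches a program.
BENIGN_INF = """[AutoRun]
icon=drive.ico
label=Mission Maps
"""

SUSPICIOUS_INF = r"""; constructed sample, not a real infection
[autorun]
open=setup.exe
shellexecute=setup.exe
shell=open
shell\open=&Open
shell\open\command=setup.exe
icon=setup.exe,0
"""
```

Calling `assess(SUSPICIOUS_INF).findings` lists the four execution paths in the second sample, while the first sample yields no findings; the same parser can be pointed at any autorun.inf pulled from a quarantined drive.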

bboyd

If the attack was aimed at BIOS chips and loaded before the boot loader for any OS it could be resident and "impossible" to remove as it could grab hooks before the OS kernel. Hardware hooks do not need to be OS dependent.