Morning Canary – Pentagon Data Hack

Canary. Photo by 4028mdk09.

The Associated Press reported Friday, according to an unnamed source, that the “Pentagon has said there has been a cyber breach of Defense Department travel records that compromised the personal information and credit card data of U.S. military and civilian personnel,” adding that “no classified information was compromised.”

According to a U.S. official familiar with the matter, the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues. The breach could have happened some months ago but was only recently discovered.

Associated Press; Oct 12 2018

The hack was reported Oct 4 to leaders by “a department cyber team,” and Pentagon spokesman Lt. Col. Joseph Buccino said the breach was through a “single commercial vendor,” but would not name the vendor “due to security reasons.”

However, adding to the news of the data hack, Gizmodo reports that “it’s been a hell of a week for the Pentagon, which can’t seem to keep itself out of headlines recently.” While the AP reports that the US Government Accountability Office’s (GAO) report, published Oct 9, said “the Pentagon has worked to ensure its networks are secure, but only recently began to focus more on its weapons systems security,” Gizmodo says the GAO report shows that it was not until just recently that the Department of Defense “prioritized the safeguarding of its weapon cybersecurity,” adding that “Defense officials the GAO met with were dismissive of findings.”

WIRED reported Oct 10 that the GAO’s report was conducted in response to a request from the Senate Armed Services Committee “ahead of a planned $1.66 trillion in spending by the Defense Department to develop its current weapons systems.” It was subtitled, “DOD Just Beginning to Grapple with Scale of Vulnerabilities.”

The GAO report says that one tester was able to guess an admin password on a weapons system in nine seconds. Other weapons used commercial or open source software but administrators failed to change the default passwords. Yet another tester managed to partially shut down a weapons system by merely scanning it—a technique so basic, the GAO says, it “requires little knowledge or expertise.”

Testers were sometimes able to take full control of these weapons. “In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing,” the report states.

The DOD also had a hard time detecting when testers were probing the weapons. In one case, testers were in the weapons system for weeks, according to the GAO, but the administrators never found them. This, despite the testers being intentionally “noisy.” In other cases, the report states that automated systems did detect the testers, but that the humans responsible for monitoring those systems didn’t understand what the intrusion technology was trying to tell them.

WIRED; Oct 10 2018

Former White House Cybersecurity Adviser R. David Edelman said, “In the private sector, this is the sort of report that would put the CEO on death watch.”

“It’s important to be clear,” WIRED writes, “that when the DOD dismisses these results, they are dismissing the testing from their own department. The GAO didn’t conduct any tests itself; rather, it audited the assessments of Defense Department testing teams.”

On A Side Note (Opinion)

I recommend reading the Gizmodo and WIRED reports.

We’re in the best of hands. /

Meanwhile, as Pentagon DOD officials dismiss not only the GAO’s report findings, but their own, TNB readers are reminded about the following stories:

Bolton Pushes to Eliminate White House Cybersecurity Coordinator – May 10 2018

Top White House Cybersecurity Position Eliminated – May 15 2018

Foreign Hackers Targeted Personal Gmail Accounts of Senate and Staff – September 21 2018

Yes. We’re in the best of hands. ///
