PcTek9
Well-Known Member
- Reaction score
- 87
- Location
- Mobile, AL
I am from the United States, a medium sized country in the Americas. I was thinking recently about an interesting situation which occurred at my countries military headquarters.
To be as simple as possible, lots of people work at this building called the pentagon. They go in and out, and may even be searched randomly. Because the pentagon needs to share information, but at the same time keep it secure, they have a network of computers inside their building.
This network like most typical computer networks has servers and clients. It is a huge spiderweb of my country's most secret data. From foreign intelligence and surveillance to current operations, secret systems of defense and offense, plans for extremely advanced weapons, and much more.
The pentagon is the walmart of intelligence and operations and technological innovations in warfare managment and design.
So because of the information contained there, it is a premier target for foreign governments who wish to know what we know.
So in the pentagon, in our network, we have computers that link to the servers where the data is located. But the system fails a little bit here... Each pc has usb ports which can be used to attach mobile external devices. To move the data from the pentagon to other locations.
To me that represents a massive failure of information security of data protection needs at this level of infrastructure. I feel special hardware should have been purchased with zero usb ports. Devices for each client should be thought out exhaustively, For example if you know you need a scanner on that workstation, why not have a company design a workstation scanner, then you need no peripherals. Silly? Maybe, maybe not...
Consider thousands of people moving in and out of the building... Any of them could possess a covert usb device which delivers a trojan which upon it's implementation could open up the entire country's secret intelligence. Some of those people probably do have such devices and probably are spies. We already know this exact scenario happened once in the past few years.
So... why not have super extra secure mega top secret information on computers that do not allow the data to be exported. I'm not just saying disable usb ports in a security policy... Because they are still there... and someone eventually at some point, will renable them and repeat the entire scenario. Do not plug a leaking dam with bubble gum. Rebuild the dam.
So. If we look at the model very objectively. I mean very objectively. You have servers that share data to clients, and clients that have physical orifices from which data may be removed. Yes you can disable usb ports in the bios or in security policies, but there is ALWAYS a way for some smart innovative person to turn such things back on, it is simply a matter of time/energy.
Personal computers have tons of connectors... for sharing information. They are the computer hardware equivalents to a seive for holding water. Ludicrous, ridiculous. Other interested people only need to get their attack right 1 time. Why make it easy. In my mind i see a diagram where squares are servers, and circles are clients - and then i see each client having 10 or more little holes which are potential data leaking portals. I'm not talking about exotic tempest shielding. I'm talkin about sharing information over secured networks, not through usb sticks, cd's, floppies, and memory cards. I can take a screwdriver alone in my office, open a computer reset the bios (by hook or by crook) and suddenly i have access to the computers hardware abilities, so now I can sit there for a few minutes and turn on all the usb ports, all the flash memory ports, etc. You are right of course security policies could prevent all this... Sure they could... But people are ALWAYS finding this or that exploit to get right past the software protection. Then it's just a matter of using a portable device to carry the data through security to the outside world. Take the orifices away. Make it more difficult.
The attacks that have been used against my country show a tremendous technical knowledge behind the curtain. But how hard is it for the people that design your systems to find ways around the system security they created. Design it in house, in my country, by my people. One of the funniest things that struck me oddly - I have to tell you this - I was once contacted about a job at nasa. Unfortunately they found out about a bankruptcy filing and the offer was rescinded (like most college grads i had a ton of credit card debt, and student loans.) Their concern was that since i had no money, and since i needed money, that i might sell information from the job to foreign governments. So being without money made me a national security risk. About this same time, I was talking to a friend of mine in irc on the internet. I learned he was in the country of Iran, and through time I learned that his job was finding exploits in microsoft software. But not for Microsoft, but instead for a subsidiary, of a subcontractor, of a subcontractor of the pentagon. I suppose that most of you know that my country has not been on a particularly friendly side with Iran in quite some time. At any rate, it struck me particularly funny that Iranians landed a computer security contract from a subcontractor acting as an intermediary for the pentagon, particularly in light of my own experience where my government was concerned about me. LOL. So inadvertently the pentagon was financing through various subcontractors our enemy to do their security research. LOL. To appreciate the full irony of the situation you might recall that Iran was in the middle of chaotic oppressive government control and rioting in the streets. Anyway, I was momentarily overcome with a bout of shock, awe, laughter, confusion, and disapointment. I tend to see things quite a bit differently from most people - at least that is what other people tell me. But in my mind I see the networking model that is typical of most computer networks and I realize you simply can't have someone standing at each terminal making sure an employee isnt taking the case apart with a screwdriver or unplugging an ethernet cable from a network card and sticking a device with interception capabilities in between the computer and the network or other peripherals. But you could design it where they couldn't. Then your only concern would be network topology and isolation.
To be as simple as possible, lots of people work at this building called the pentagon. They go in and out, and may even be searched randomly. Because the pentagon needs to share information, but at the same time keep it secure, they have a network of computers inside their building.
This network like most typical computer networks has servers and clients. It is a huge spiderweb of my country's most secret data. From foreign intelligence and surveillance to current operations, secret systems of defense and offense, plans for extremely advanced weapons, and much more.
The pentagon is the walmart of intelligence and operations and technological innovations in warfare managment and design.
So because of the information contained there, it is a premier target for foreign governments who wish to know what we know.
So in the pentagon, in our network, we have computers that link to the servers where the data is located. But the system fails a little bit here... Each pc has usb ports which can be used to attach mobile external devices. To move the data from the pentagon to other locations.
To me that represents a massive failure of information security of data protection needs at this level of infrastructure. I feel special hardware should have been purchased with zero usb ports. Devices for each client should be thought out exhaustively, For example if you know you need a scanner on that workstation, why not have a company design a workstation scanner, then you need no peripherals. Silly? Maybe, maybe not...
Consider thousands of people moving in and out of the building... Any of them could possess a covert usb device which delivers a trojan which upon it's implementation could open up the entire country's secret intelligence. Some of those people probably do have such devices and probably are spies. We already know this exact scenario happened once in the past few years.
So... why not have super extra secure mega top secret information on computers that do not allow the data to be exported. I'm not just saying disable usb ports in a security policy... Because they are still there... and someone eventually at some point, will renable them and repeat the entire scenario. Do not plug a leaking dam with bubble gum. Rebuild the dam.
So. If we look at the model very objectively. I mean very objectively. You have servers that share data to clients, and clients that have physical orifices from which data may be removed. Yes you can disable usb ports in the bios or in security policies, but there is ALWAYS a way for some smart innovative person to turn such things back on, it is simply a matter of time/energy.
Personal computers have tons of connectors... for sharing information. They are the computer hardware equivalents to a seive for holding water. Ludicrous, ridiculous. Other interested people only need to get their attack right 1 time. Why make it easy. In my mind i see a diagram where squares are servers, and circles are clients - and then i see each client having 10 or more little holes which are potential data leaking portals. I'm not talking about exotic tempest shielding. I'm talkin about sharing information over secured networks, not through usb sticks, cd's, floppies, and memory cards. I can take a screwdriver alone in my office, open a computer reset the bios (by hook or by crook) and suddenly i have access to the computers hardware abilities, so now I can sit there for a few minutes and turn on all the usb ports, all the flash memory ports, etc. You are right of course security policies could prevent all this... Sure they could... But people are ALWAYS finding this or that exploit to get right past the software protection. Then it's just a matter of using a portable device to carry the data through security to the outside world. Take the orifices away. Make it more difficult.
The attacks that have been used against my country show a tremendous technical knowledge behind the curtain. But how hard is it for the people that design your systems to find ways around the system security they created. Design it in house, in my country, by my people. One of the funniest things that struck me oddly - I have to tell you this - I was once contacted about a job at nasa. Unfortunately they found out about a bankruptcy filing and the offer was rescinded (like most college grads i had a ton of credit card debt, and student loans.) Their concern was that since i had no money, and since i needed money, that i might sell information from the job to foreign governments. So being without money made me a national security risk. About this same time, I was talking to a friend of mine in irc on the internet. I learned he was in the country of Iran, and through time I learned that his job was finding exploits in microsoft software. But not for Microsoft, but instead for a subsidiary, of a subcontractor, of a subcontractor of the pentagon. I suppose that most of you know that my country has not been on a particularly friendly side with Iran in quite some time. At any rate, it struck me particularly funny that Iranians landed a computer security contract from a subcontractor acting as an intermediary for the pentagon, particularly in light of my own experience where my government was concerned about me. LOL. So inadvertently the pentagon was financing through various subcontractors our enemy to do their security research. LOL. To appreciate the full irony of the situation you might recall that Iran was in the middle of chaotic oppressive government control and rioting in the streets. Anyway, I was momentarily overcome with a bout of shock, awe, laughter, confusion, and disapointment. I tend to see things quite a bit differently from most people - at least that is what other people tell me. But in my mind I see the networking model that is typical of most computer networks and I realize you simply can't have someone standing at each terminal making sure an employee isnt taking the case apart with a screwdriver or unplugging an ethernet cable from a network card and sticking a device with interception capabilities in between the computer and the network or other peripherals. But you could design it where they couldn't. Then your only concern would be network topology and isolation.
Last edited:
