Iran's Hacking of US Navy 'Extensive,' Repairs Took $10M and 4 Months 147
cold fjord sends news that Iran's breach of a computer network belonging to the U.S. Navy was more serious than originally thought. According to a Wall Street Journal report (paywalled, but summarized at The Verge), it took the Navy four months to secure its network after the breach, and the repair cost was approximately $10 million. From the article:
"The hackers targeted the Navy Marine Corps Intranet, the unclassified network used by the Department of the Navy to host websites, store nonsensitive information and handle voice, video and data communications. The network has 800,000 users at 2,500 locations, according to the Navy. ... The intrusion into the Navy's system was the most recent in a series of Iranian cyberoffensives that have taken U.S. military and intelligence officials by surprise. In early 2012, top intelligence officials held the view that Iran wanted to execute a cyberattack but had little capability. Not long after, Iranian hackers began a series of major "denial-of-service" attacks on a growing number of U.S. bank websites, and they launched a virus on a Saudi oil company that immobilized 30,000 computers. ... Defense officials were surprised at the skills of the Iranian hackers. Previously, their tactics had been far cruder, usually involving so-called denial of service attacks that disrupt network operations but usually don't involve a penetration of network security."
Re:Maybe they learned (Score:3, Informative)
Far more likely the US congress running around all the time threatening to kill millions of Iranians to keep Israeli campaign donors happy has motivated a lot of high order Iranian thinkers to work together to thumb their noses at the US dogs of war.
Real reason why the failure, US computer security services were far too busy attacking everyone else, purposefully leaving holes in the system and in some super crazily deranged false flag attack creating new ones for others to exploit which is OK so long as they can also exploit them (seriously WTF). Want security in the US then completely separate cybersecuirty defence from offence and remind defensive system that they should consider offensive systems as the enemy and if they catch them operating within domestic territory they should be arrested and prosecuted.
Until then expect to routinely fail on the defensive side because it is harder and there is more opportunity for promotion impacting failure (success is the expected norm, failure is punished). On the attack side of course failure is completely ignored (failure is the norm, success in rewarded). Not to forget that success on the attack side requires your targets to fail. I'm sure anyone with half a brain can see the problem this creates, well, perhaps not your typical US politician or military type. Hint, you create a system where attack is promoted and those within the system prefer the attack side because that's where the promotions are and defence is where the losers end up because success for them is never rewarded but failure is a guaranteed career killer (which is why you separate them). Attack will also hide information from defence to protect it so they can use it, whilst demanding all information from defence in order to create new attacks and weakening defence.
Re:False flag? (Score:5, Informative)
The Marine Corp's budget is $29B per year. An extra $10M would be an increase of 0.03%. The Department of Defense budget, minus the money spent on individual military branches, is $190B. $10M is 0.005% of that.
Poor practices already have massive consequences (Score:2, Informative)
It's not just the military or Iran. We choose to twittle our thumbs and write it off as a rarity. Most companies don't even realize the drastic damage its doing. When your competition in China has all your secrets and make identical clones of your products for a fraction of the price how do you expect to stay in business. Iran's impact is probably insignificant in the scheme of things. It's industrial espionage and 'theft' of proprietary information that's the major problem. Iran's just an exemplary example at the moment, but in reality most of these attacks are just swept under the carpet until the system breaks down utterly and completely. All the while you wonder why American companies are selling out there core businesses. There is nothing left the competition doesn't already have.
The only answer to this problem is defaulting to hardened systems, moving away from auto-on for stupid default setting (macros, javascript, etc), etc.
But your company uses Microsoft Windows? ohh never mind. Keep doing what your doing. I'm sure you'll survive given nobody ever went wrong with that!
The US Navy has lots of windows boxen (Score:5, Informative)
I know this because a client I once consulted for, sold 400,000 licenses for their Windows product to the Navy.
Windows isn't so bad if it's properly locked down, but it's not really possible to do that unless all of your application are Windows Logo-compliant, for example they don't store end-user documents in the Program Files folder. I expect the military has a lot of homebrew software they absolutely need to use, that prevents Program Files from being locked down.
Also everyone who actually administrates a windows box, has to actually know how to lock it down.