Thursday, September 07, 2006

Further Discussion of Chinese Cyber Threat

As a follow-up to this post, I found this forum transcript to be a mildly informative overview of the Chinese cyber threat. This question is really troubling, if true:

Joe in Groton, CT: I am an administrator of a DoD network. Why haven't I heard anything from up above about what types of attacks they are using, and whether or not Sysadmins need to take any extra steps to secure our networks? As a matter of fact, I haven't even heard anything from the DoD that there was a compromise at all. There was not even a post at the infosec web site about any compromise. If it wasn't for the SANS newsletter, I wouldn't have even found the GCN website. I feel that we need to share information within our community so we can all be more proactive in protecting our networks and our data. I get the impression that without this cohesion, we are sitting ducks.

That is sad. DoD is being owned and the people in one of the best positions to resist, and potentially detect and respond, are not aware of what's happening!

3 comments:

LonerVamp said...

Big Bureaucracy...

Likewise, the opposite is sad. What if this all didn't really happen as we infer and is just leverage? Argh!

Anonymous said...

Just a comment aimed at Joe in CT and others that are in DoD that claim "non-awareness" - since he is a sysadmin on a DoD Network, he should have at least a SECRET clearance*. That being said, getting access to SIPRNET might require going to another building or organization if he doesn't have his own SIPRNET connectivity. This stuff has been going on awhile and reported in the press. So is Joe taking care of his network and patching his boxes, looking at his logs, implemented the IA/CND software that has been purchased by DISA for the DoD Enterprise (eEye Retina, Hercules, etc)?

Bottom line: It isn't hard to do a search on Intellink on Titan Rain once the hit the press, I mean was he under a "rock" last year at this time? Maybe he should be asking his G2/J2/x2 for a cyber intel threat brief, maybe he's part of a civilian DoD Agency that doesn't have an intel section - use the briefs available on SIPRNET that are produced by the Services CERT/CIRT/NOSC/etc. Common on, there is even a Wikipedia entry for Titan Rain. Again a little initative to stay informed shows that he cares about his network. This type of lack of interest on the part of sysadmins is probably why this problem is there in the first place. `Nuff said!

* OK, he could be a foreign national sysadmin working for DoD in an overseas location, but he's in CONUS so it's 99% bet that he is a US citizen with a background investigation and clearance.

Anonymous said...

I worked on the investigation for Titan Rain (hell, I'm one of the guys who figured it out), notice that I have made my self anonymous for that reason.

How 'they' broke in, is still classified. The exact details. I know how how they did it, because I was one of the ones that found it, but I was read off of that program when i left DoD, the secret dies with me.

However, I agree with the previous anonymous posting, go to your servicing CERT site (I know ACERT used to have a good sipr site), and read their slides. If you don't keep up with your Intel on at least a weekly basis, you won't know how they are coming at you