Mapping The CIA Nonclassified Network 248

jeffy124 writes "A security firm, Matta Security in London, has mapped the CIA non-classified network. Using only legal and open sources, the company mapped topology of machines and even found networks otherwise closed to the public. The company never port scanned or probed the network directly. Among items they found were emails and phone numbers of sys admins and other employees. Amazingly, they did all this in two days."
This discussion has been archived. No new comments can be posted.

  • Portscanning? (Score:5, Insightful)

    by LWolenczak ( 10527 ) <julia@evilcow.org> on Wednesday March 13, 2002 @07:38PM (#3160036) Homepage Journal
    Last I checked, Portscanning was legal?
  • by fiber_halo ( 307531 ) <fiber_halo@yaDEBIANhoo.com minus distro> on Wednesday March 13, 2002 @07:43PM (#3160060)
    I wouldn't say that they mapped the CIA's network. Sure, they found some machine names that route mail. Big deal. I'll bet more than half of the slashdotters here could have gotten the same (or more) information. I don't see how knowing what machines route mail poses any security threat. Anyone outside the network could just look at their mail headers and see what internal machines were used to forward the mail.

    If someone can get classified information from CIA via social engineering, I'd say someone needs to be retrained. These guys should be on the lookout for that at all times.
  • Big deal! (Score:5, Insightful)

    by shyster ( 245228 ) <.brackett. .at. .ufl.edu.> on Wednesday March 13, 2002 @07:46PM (#3160080) Homepage
    Big deal! So they managed to map their public space and their mail servers on the inside. All of this is pretty easy to find out and is hardly supposed to be a secret.

    As for the email addresses and sysadmin names, I really don't think that's a big deal.

    "Simply knowing the names and e-mail addresses that Matta turned up would be enough for some social engineers to get the rest of the information necessary to mount an attack,"

    Guess we better stop posting our email addresses and names! And, god forbid, get rid of your business cards! And don't forget your whois information!!!!

    If that's really an avenue to social engineering, then we're all in trouble.

  • Re:So what? (Score:5, Insightful)

    by kafka93 ( 243640 ) on Wednesday March 13, 2002 @07:57PM (#3160133)
    Social engineering is probably *the most* dangerous form of attack, as well as the most often overlooked from a defensive standpoint. Although the webmaster may not directly have details of Russian agents, to use your example, he may have access to information that might compromise the security of the entire system. From my admittedly limited experience, the military and other "important" organisations are often little better prepared for attacks than the average web startup: even where great care and attention has been given to firewalls and the like, there will still exist employees who will disclose information, and there is still always the capacity for human error.

    Besides, addressing this kind of issue "when someone breaks in" is too late. And it's important that the civilian be aware of and take an interest in problems in its government, police force, legal system, etc.
  • Re:sendmail 8.8.8? (Score:2, Insightful)

    by EricKrout.com ( 559698 ) on Wednesday March 13, 2002 @08:22PM (#3160229) Homepage
    Well, they're using Solaris 2.5.1, which initially came with SMI-8.6.

    They have upgraded since that original version, however.

    The latest Sendmail version for Solaris 2.5.1 was 8.8.8 plus a Sun patch, so hopefully they got rid of any and all potential problems [insecure.org].

    MONOLINUX :: Imagine There's No Windows. It's Easy If You Try. [monolinux.com]
  • by global_diffusion ( 540737 ) on Wednesday March 13, 2002 @08:51PM (#3160383) Homepage
    Here's another funny thing:

    Among items they found were emails and phone numbers of sys admins and other employees

    This sounds really stupid of the CIA at first glance, but if you think about it, the sys-admins were probably "email the webmaster!" links and the 'other employees' were probably officials that displayed their office numbers so the public could contact them. What a joke.
  • Re:So what? (Score:5, Insightful)

    by monkeydo ( 173558 ) on Wednesday March 13, 2002 @10:07PM (#3160622) Homepage
    First, anyone who answers the phone at the CIA is trained not to tell you anything. For that matter, they don't know anything. Everything is compartmentalized, computer systems, intelligence, even people. Social engineering on the scale you mention usually doesn't happen in the wild. Social engineering as a hacker technique is popular because of the low risk exposure. If you are a team hired by the AF to try and steal a plane you have zero risk no matter what you try, so you'll do some things no one would do in real life.

    Second, do you really think the CIA uses username/password authentication for *anything*? Think smartcards, one time key generators, palm scanners, etc. I guarantee there isn't a single secure system you can get into without at least a token and a passphrase. The most secure systems require multiple authentications. Hello, we are talking about the largest *intelligence* agency in the world.

  • Re:Hah. (Score:3, Insightful)

    by CokeBear ( 16811 ) on Wednesday March 13, 2002 @10:46PM (#3160716) Journal
    That's not the point!

    The point is, that anyone in the USA should be allowed to discuss the merits of any social/political system. For a long time, that discussion was cut off, and people who held a particular viewpoint (however absurd it might seem to us rational people) were fired from their jobs, spied on, and even imprisoned.

  • Re:Portscanning? (Score:4, Insightful)

    by CodeMonky ( 10675 ) on Wednesday March 13, 2002 @10:51PM (#3160729) Homepage
    You are welcome to be completely ignorant of other countries' laws if you plan on never leaving the US. However if you are gonna ever travel abroad you may wish to keep track of what is and isn't legal elsewhere when it comes to computers. It would be a shame for you to portscan a computer while on a trip to China and be put to death.
  • Hackers tools (Score:3, Insightful)

    by The Monster ( 227884 ) on Wednesday March 13, 2002 @10:52PM (#3160730) Homepage
    Who needs portscans? The article says:
    "The fact that this information was gathered through a search on Google.com, which is hardly considered by most people to be a hacker's tool, is especially interesting,"
    Absolutely true, if you think about it. Google is most definitely a hacker's tool, but not a tool for doing what most people consider to be 'hacking', nor for that matter do most people consider Google itself.
  • by tweek ( 18111 ) on Wednesday March 13, 2002 @11:06PM (#3160766) Homepage Journal
    The least they could do is have the outbound mailserver strip the internal mail headers from the message before sending it out. It's easy to do with postfix and that's what we do. Why give out any more information than needed? I noticed that they were able to get what CIDR block they use for internal IPs from the mailserver.

    Jesus I don't run a covert espionage agency and I at least do that at our company. Hell I even proxy requests to private servers from an apache server in the DMZ.

    Isn't this just basic network security?
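
The header stripping described in the comment above, as an added example that is not part of the original post or of any mail server's own code: it lists the RFC 1918 addresses and source hostnames that `Received` headers expose to an outside recipient, then removes those hops the way an outbound relay filter would. The sample message and every hostname and address in it are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
# Constructed sample: every hostname and address below is made up for this example.
SAMPLE = """\
Received: from relay.example.org (relay.example.org [203.0.113.25])
\tby mx.recipient.example (Postfix) with ESMTP id 4F1A2; Wed, 13 Mar 2002 19:40:02 +0000
Received: from mailhub1.corp.example.org (unknown [192.168.5.10])
\tby relay.example.org (Postfix) with ESMTP id 9C3D7; Wed, 13 Mar 2002 19:40:00 +0000
Received: from ws-042.corp.example.org (ws-042.corp.example.org [10.20.30.42])
\tby mailhub1.corp.example.org (8.8.8/8.8.8) with SMTP id TAA01234; Wed, 13 Mar 2002 19:39:58 +0000
From: admin@example.org
Subject: constructed test message

body
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed address literal
FROM_RE = re.compile(r"^\s*from\s+([A-Za-z0-9.-]+)")    # host the hop was received from

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. "999.1.1.1" matched the loose regex
        return False
    return any(addr in net for net in RFC1918)

def exposes_internal_hop(value):
    return any(is_internal(ip) for ip in IP_RE.findall(value))

def leaked_topology(raw):
    """Internal addresses and source hostnames an outside recipient can read."""
    ips, hosts = set(), set()
    for value in message_from_string(raw).get_all("Received", []):
        if exposes_internal_hop(value):
            ips.update(ip for ip in IP_RE.findall(value) if is_internal(ip))
            hosts.update(FROM_RE.findall(value))
    return sorted(ips), sorted(hosts)

def strip_internal_received(raw):
    """Return the message with Received headers for RFC 1918 hops removed."""
    msg = message_from_string(raw)
    kept = [(k, v) for k, v in msg.items()
            if not (k.lower() == "received" and exposes_internal_hop(v))]
    for name in msg.keys():     # keys() is a copy; del removes every occurrence
        del msg[name]
    for name, value in kept:
        msg[name] = value
    return msg.as_string()
```

Running `leaked_topology` on mail you have sent to an outside mailbox shows what your relay currently gives away; after filtering it should return two empty lists.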
  • by paiute ( 550198 ) on Wednesday March 13, 2002 @11:37PM (#3160837)
    Social engineering is by far the most cost-effective way to run an intelligence agency. I'll let you spend billions on fancy software and hardware. I'll spend a grand on a hooker to wink at one of your sysadmins - and I've got all the access I want.
  • New ? (Score:1, Insightful)

    by Anonymous Coward on Thursday March 14, 2002 @12:31AM (#3161019)
    Sooo.... What's new? Did someone expect public information not to be really public when it comes to the CIA? Secret stuff is probably already run from sources that can't be easily found.
  • by Happy go Lucky ( 127957 ) on Thursday March 14, 2002 @01:44AM (#3161265)
    Social engineering is by far the most cost-effective way to run an intelligence agency. I'll let you spend billions on fancy software and hardware. I'll spend a grand on a hooker to wink at one of your sysadmins - and I've got all the access I want.

    A few years ago, Archer-Daniels Midland actually did try to hire a few hookers to get some market information from a competitor. The plan got scrapped when nobody could keep a straight face at the thought of some lady of the evening moaning "f--- me! F--- me! Harder! What's your method for removing impurities from lysine? Oh, god, harder!"

    But I agree with paiute. It's people who have information, and getting information means getting it from people. Sending them hookers who then blackmail them is one option - a US Marine assigned to our embassy in Moscow fell for that back in the 80's.

    And a lot of people will talk just because. Rajid at the 7-11 (not flamebait - that's really his name), a half-dozen homeless guys, and a handful of "undocumented workers" who are just as happy that the gringo cop speaks Spanish and doesn't know INS' phone number like to talk about what goes on in one particular neighborhood, and that includes talking to cops who want to buy coffee at 3AM (mainly me) and as a result I know pretty much everything that happens within two blocks of that 7-11.

    It's all about people, and knowing how to listen to them. If the CIA had the good sense to hire street cops, semi-experienced newspaper reporters, multilingual cabdrivers, and a very few really good clinical psychologists to send overseas, they'd be able to tell us what kind of lube Osama bin Laden uses when he has relations with his goats, whether Jiang Zemin really is a pedophile or if that's just office gossip, if there's another reason why Vladimir Putin is cranky this week, and where the communist guerillas in Colombia buy their cigarettes. The really REALLY good information-gatherers know that they need to talk to people instead of wasting money on techno-toys.

  • Port scanning (Score:3, Insightful)

    by lightspawn ( 155347 ) on Thursday March 14, 2002 @03:57AM (#3161509) Homepage
    (Is there a site/whatever where people with ideas suggest what software is missing and people with time may choose to implement them?)

    What I want is a kernel module to defeat port scanning. Whenever a remote tries to connect to a port that isn't bound, the module kicks in, accepts the connections, and doesn't do anything, or echoes the incoming data, or sends random data, or behaves like a web/ftp/etc server, or a combination of the above.

    If most computers used this, wouldn't port scanning become impractical?

    Would there be any harm in it?

  • by bob_dinosaur ( 544930 ) on Thursday March 14, 2002 @08:15AM (#3161859)
    I found Domino to be a really nice enterprise level email solution; I only wonder why it isn't used more?
    Have you ever tried to use the client? That's why.

    Version 5.0 of the client still can't handle Daylight Savings Time! If it crashes (and it does) you've got to manually kill the process nlhdeamon.exe to restart. You do not want your helpdesk handing out instructions like that...
