Mapping The CIA Nonclassified Network

jeffy124 writes "A security firm, Matta Security in London, has mapped the CIA non-classified network. Using only legal and open sources, the company mapped the topology of machines and even found networks otherwise closed to the public. The company never port scanned or probed the network directly. Among the items they found were emails and phone numbers of sysadmins and other employees. Amazingly, they did all this in two days."
  • by bergeron76 ( 176351 ) on Wednesday March 13, 2002 @07:40PM (#3160049) Homepage
    I would tend to think that the sites they mapped were in areas considered "DMZ" or De-Militarized Zone. It's basic systems administration... I think these Brits aren't giving our spooks enough credit.
  • by guamman ( 527778 ) on Wednesday March 13, 2002 @07:45PM (#3160074)
    Personally, I think this is great. Anytime a private corporation can extract any kind of information on the government and their organizations, it makes the government that much more accessible to the average citizen. The fact that it's entirely legal is even better. It's quite refreshing to hear about a legal and tolerated computer activity compared to all the "bad news" that gets reported on all the time.
  • Re:Portscanning? (Score:5, Interesting)

    by Monkelectric ( 546685 ) on Wednesday March 13, 2002 @07:57PM (#3160128)
    I'm a sysadmin for a major university, and I can tell you first hand that even pinging will get you a letter from the agency you pinged.

    One of my users decided to ping a DOD (Department of Defense) computer ... he pinged it, and a few days later we got an email from them asking us A: if we had been compromised, B: if we hadn't, please don't do it again. The letter was very courteous, and explained they understand that pinging in itself is not illegal or not even unusual; the real point was to inform us that we may have been compromised (prolly a good idea). A buddy of mine who works for the Air Force claims if you ping an Air Force server, armed FBI agents will appear at your door quickly ... Obviously I am unwilling to test this :)

  • Meme... (Score:2, Interesting)

    by netsharc ( 195805 ) on Wednesday March 13, 2002 @08:00PM (#3160151)
    A few weeks ago I was in an IRC room when someone asked what sort of results people were getting for "traceroute (some IP I've forgotten)". whois said it was the CIA's IP range, and the traceroute never reached that IP.
    Taking the numbers from the diagram in the article, whois says:

    Hewlett-Packard Company (NETBLK-HP19)
    3000 Hanover Street
    Palo Alto, CA 94304
    US

    Netname: HP19
    Netblock: 192.81.0.0 - 192.81.255.255
    Maintainer: HP
    Hmm, the CIA has 162.45.*.* assigned to them, I guess they aren't using it.
    I hope the MiBs don't come knocking on my door now.
  • by Anonymous Coward on Wednesday March 13, 2002 @08:10PM (#3160190)
    version 5.0.6a

    Why you may ask?

    Because Lotus Notes and Lotus Domino are the only mail product that gives email administrators zero access to information within mail files. Each Notes database has an access control list, and you can specify who's on it. The mail server can have "depositor" access, which means it can only place information inside the database. The database can also be encrypted so that only the server can read it -- meaning someone has to steal a copy of the database itself off of the file system in order to have a chance at decryption.
  • Re:Portscanning? (Score:4, Interesting)

    by technos ( 73414 ) on Wednesday March 13, 2002 @09:31PM (#3160543) Homepage Journal
    Apparently they've become more paranoid.. I remember portscanning .mil subnets as recently as 97-98, though that was from a badly implemented net sampling tool and not through malice. (Line read scan(n_ipb,n_ipc,n_ipa,n_ipd), should have been alphabetic order.) For years and years, I used to set the system clock on my CMOS-battery impaired DOS box from the clock on an Air Force server I found manually trolling hosts. Didn't respond to ping, but telnet got me the time..

    Don't recall ever hearing from anyone about it. I even tried to send an explanation of the port-scan, but the published email I had bounced.
  • Re:So what? (Score:3, Interesting)

    by dvdeug ( 5033 ) on Wednesday March 13, 2002 @09:37PM (#3160557)
    Of all organisations that might be vulnerable to social engineering, I am least worried about the military.

    A small team of men managed to literally roll an airplane out the back gate of an Air Force base, primarily using social engineering tactics. This team, hired by the military, found that military security wasn't all that it was cracked up to be.

    > if people only hire intelligent software engineers, no one will be able to social engineer anything.

    How does *that* follow? Many social engineering attacks get the user to hand over username and password, and if you can't check IP (think mobile users) then you've just lost. At best you can contain it to that user's files, but that still may be a severe security leak.
  • Re:Web Logs (Score:2, Interesting)

    by Kalak ( 260968 ) on Wednesday March 13, 2002 @11:00PM (#3160756) Homepage Journal
    The CIA doesn't have the whole 198.81.xxx.xxx class. 198.81.23.39 is an AOL proxy server, and I sincerely hope the CIA isn't using AOL.

    "You've got a mail bomb"
  • Re:So what? (Score:2, Interesting)

    by Darth_Burrito ( 227272 ) on Thursday March 14, 2002 @12:29AM (#3161010)
    One of the companies I used to work for gave us SecurID keychains with 7 or 8 digit numbers on them that changed every 60 seconds. Whenever we logged in to our company account, we had to supply the code in addition to our username and password. A very popular scam was to email people a message with a link to a fake login page. Sometimes they would fake an internal memo: E.g. New company policy regarding X, log in here and read it. Your order for $120 sunglasses has been processed, to view your order login here. A virus is propagating through the company network, login here to download the patch, etc. Some of these messages would be very convincing. Often the only way to tell them apart from real company mail was to examine the link's URL, which was usually obfuscated. I'm sure many people, especially new hires, periodically fell for this stuff. What I'm trying to say is, social engineering can be very effective. It only takes a couple of uninformed folks to make a mistake, and when you are more or less constantly under attack, a few slip-ups are bound to happen.
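The post above says the one reliable tell was the link's URL not matching what the message showed. The following is an added example (not from the thread) of checking an HTML message for exactly that: visible text that names one host while the href points at another, a userinfo trick before the real host, or a raw IP literal. The message and hostnames are constructed.

```python
"""Spot deceptive links in an HTML e-mail: visible text pointing at the
company, href pointing elsewhere. Added example; the message is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, also for bare 'www.example.com' style text."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()


def link_findings(href, text):
    """Reasons a link looks deceptive; an empty list means nothing was found."""
    parts, host, reasons = urlsplit(href), host_of(href), []
    if parts.username is not None:              # http://trusted.host@other.host/
        reasons.append("userinfo before host")
    if host.replace(".", "").isdigit():         # https://203.0.113.5/login
        reasons.append("raw IP literal")
    looks_like_address = " " not in text and "." in text.strip(".")
    if looks_like_address and host_of(text) != host:
        reasons.append(f"text shows {host_of(text)} but href goes to {host}")
    return reasons


def scan_message(html):
    """Return {href: findings} for every suspicious link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return {h: r for h, t in collector.links if (r := link_findings(h, t))}


# Constructed sample: a fake "company policy" memo with one honest and two deceptive links.
SAMPLE = """<p>New company policy: <a href="https://intranet.example-corp.com/policy">read it</a>.
Log in at <a href="http://intranet.example-corp.com@203.0.113.5/login">intranet.example-corp.com</a>
or <a href="https://203.0.113.5/patch">https://update.example-corp.com</a>.</p>"""
```

Running `scan_message(SAMPLE)` reports only the two deceptive links; the honest "read it" link produces no findings.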
  • by DavittJPotter ( 160113 ) on Thursday March 14, 2002 @12:37AM (#3161054) Homepage Journal
    Except: as an administrator, if you *really* want to read someone's mail, you can re-register and re-certify that person, thereby generating a new ID file, which will match the entry in the .nsf's ACL. You then Switch ID to that user, and open their database. The ACL reads Davitt J Potter/CIA/GOV/US, and... well, you're in. Why do I know this? :) Users forget passwords, and this is how we recovered passwords. Granted, this is not the most secure implementation, but it is the default for a Domino installation.

    You *can* disable this, however, by setting up password recovery within Domino, which I recommend that ALL Domino admins do. Then it requires anywhere from 2 to (I think) 4 different IDs to enter a recovery password, which will then recover the user's password.

    Domino/Notes also is interesting in that your password is never sent over the wire, encrypted or otherwise. Your machine gets a copy of about a 2K $user.id file, which contains your authentication certificate to the Domino server. Your password identifies to your certificate that "I am Davitt J Potter/CIA/GOV/US." The Notes client then sends the certificate info to Domino, which then checks to make sure that certificate was generated by the Domino server, and is still a valid certificate. (Domino servers can set certificate expirations, so even if your password is valid, your certificate may be expired.)

    I found Domino to be a really nice enterprise level email solution; I only wonder why it isn't used more?
  • Re:Portscanning? (Score:3, Interesting)

    by cloudmaster ( 10662 ) on Thursday March 14, 2002 @02:33AM (#3161373) Homepage Journal
    I ran a quick "nmap -O" on a few Air Force servers just a few weeks ago, because they were mirroring one of our web sites very aggressively (many requests per second) and I wanted to get some information on exactly what the machine was that was pulling stuff down that hard. I've yet to be visited by anyone, in person or via email.

    Then, the site being mirrored was one that we'd developed for the air force, so I assume that they must've figured it was ok or maybe realized that it's bad form to monopolize most of our T1 for several minutes at a time and not felt like pushing the issue... :)

    I'm pretty sure that individual bases or however they're grouped are each allowed some leeway in their security implementations, so they probably don't all track connection information down to each individual ping...
  • Significance? (Score:3, Interesting)

    by hyrdra ( 260687 ) on Thursday March 14, 2002 @02:36AM (#3161379) Homepage Journal
    I have a feeling this made news just because of its affiliation with the CIA -- the all-powerful super secret spy agency of the US government. I sure wish I could generate news stories by doing recursive whois reports and DNS queries.

    What's next? I would think that if you were not able to map the CIA's unclassified public network then they must have some sort of major DNS problem.

    There is absolutely no significance to this news story other than that organizations who maintain a publicly accessible web site with such services as e-mail and a web site must have a logical network structure to deliver said services. The CIA is no exception.
  • it's not that hard. (Score:2, Interesting)

    by hoyosa ( 541689 ) on Thursday March 14, 2002 @02:44AM (#3161404)
    $ host -v -a -l cia.gov I think that about covers it.
  • by Anonymous Coward on Thursday March 14, 2002 @04:01AM (#3161516)

    The CIA's actual network defenses never even came into play. Because of the CIA's reputation, the security firm didn't dare portscan, or test the numbers, names, and addresses they got.

    Obviously the CIA are the ones who really employed social engineering in this case.
  • Re:Portscanning? (Score:3, Interesting)

    by Cally ( 10873 ) on Thursday March 14, 2002 @07:48AM (#3161821) Homepage
    > I'm a sysadmin for a major university, and I can tell you first hand that even pinging will get you a letter from the agency you pinged.

    I can assure you that this is NOT the case for us outside the US. I've been known to use www.af.mil as a test of connectivity / UDP / ICMP, and I've not seen a letter, an email or indeed any MIB.
  • by darkonc ( 47285 ) on Thursday March 14, 2002 @12:40PM (#3162812) Homepage Journal
    A friend of mine once described a run-in that his company had with 'the CIA' a number of years ago.

    Before his company got attached to the net, they were using an address of '11.*' for their internal computers, which included a number of Sun workstations -- some doing double duty as routers. For those of you who don't know, RFC 1918 officially designates 3 network ranges for this sort of work -- 192.168.*, 10.* and 172.16.0/12. 11.0 obviously doesn't fit in that range.

    When they got their network attached to the 'net, they had to do a good deal of work to renumber all of their computers to have 'proper' IP addresses (either in their assigned block, or in an RFC1918 non-routing block).

    Within an hour of connecting their box to the 'net, they got a rather brusque call from an intelligence agency official demanding to know why they were stealing his packets. They had to disconnect from the network and root around their network until they found (and removed) the errant subnet stub. It turns out that they had managed to miss one SUN with a second ethernet card that was no longer attached to an active subnet (but still routing to the stub subnet). This was back at a time when any SUN with two ethernet cards routed by default, and every machine ran routed(8) as a matter of course (much easier than having to do manual routing all the time!). It turns out that the route to the stub network had leaked out to the larger internet and poisoned the routing for a huge pool of machines.

    When I teach networking, I use it as an example of why you should always use the proper non-routing addresses for internal networks.

    (I just did a whois, and 11.0/8 is actually owned by the Defence Intelligence Agency, not the CIA. Not like there's a big difference for us civvies.)
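The lesson of the post above, that internal networks must use RFC 1918 space so a leaked route cannot hijack someone else's addresses, can be turned into a routine audit. The following is an added example (not from the thread) that parses a constructed netstat -rn style routing table and flags every route that is neither the default, inside the site's own assigned block, nor inside an RFC 1918 range; the interface names, the assigned block 203.0.113.0/24 and the route lines are constructed.

```python
"""Audit a host's routing table for internal networks outside RFC 1918, the
mistake the post describes. Added example; route table and assigned block are constructed."""
import ipaddress

# The three blocks RFC 1918 reserves for private internets.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True only if the whole network lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(net, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def parse_routes(text):
    """Parse netstat -rn style lines (Destination Gateway Genmask Flags Iface)."""
    routes = []
    for line in text.strip().splitlines()[1:]:          # skip the header row
        dest, gateway, mask, flags, iface = line.split()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gateway, iface))
    return routes


def squatted_routes(text, assigned):
    """Routes to networks that are neither RFC 1918 nor inside the site's own
    assigned public block. Such a route claims someone else's address space;
    if it leaks to the Internet, that owner's traffic is pulled in."""
    assigned = ipaddress.ip_network(assigned)
    findings = []
    for net, gateway, iface in parse_routes(text):
        if net.prefixlen == 0 or net.subnet_of(assigned) or is_rfc1918(net):
            continue                                   # default route, own block, or private
        findings.append((str(net), iface))
    return findings


# Constructed table: one proper private LAN on le1 and a forgotten 11.0.0.0/8 stub
# still routed via a second interface, as in the post.
ROUTES = """Destination     Gateway         Genmask         Flags Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    le0
203.0.113.0     0.0.0.0         255.255.255.0   U     le0
10.20.0.0       0.0.0.0         255.255.0.0     U     le1
11.0.0.0        0.0.0.0         255.0.0.0       U     le2
"""

if __name__ == "__main__":
    for net, iface in squatted_routes(ROUTES, "203.0.113.0/24"):
        print(f"{net} on {iface} is not RFC 1918 and not ours: it collides with public space")
```

Note that 172.32.0.0/16 fails the check even though it "looks private": the RFC 1918 block 172.16.0.0/12 ends at 172.31.255.255.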
