Mapping The CIA Nonclassified Network
jeffy124 writes "A security firm Matta Security in London has mapped the CIA non-classified network. Using only legal and open sources, the company mapped topology of machines and even found networks otherwise closed to the public. The company never port scanned or probed the network directly. Among items they found were emails and phone numbers of sys admins and other employees. Amazingly, they did all this in two days."
It's DMZ data I'm sure... (Score:2, Interesting)
Score One for the Silent Majority (Score:1, Interesting)
Re:Portscanning? (Score:5, Interesting)
One of my users decided to ping a DOD (department of defense) computer ... he pinged it, and a few days later we got an email from them asking us
A: if we have been compromised
B: if we hadn't, please don't do it again.
The letter was very courteous, and explained they understand that pinging in itself is not illegal or even unusual; the real point was to inform us that we may have been compromised (prolly a good idea).
A buddy of mine who works for the air force claims if you ping an air-force server, armed FBI agents will appear at your door quickly ... Obviously I am unwilling to test this :)
Meme... (Score:2, Interesting)
Taking the numbers from the diagram in the article, whois says:
Hewlett-Packard Company (NETBLK-HP19)
3000 Hanover Street
Palo Alto, CA 94304
US
Netname: HP19
Netblock: 192.81.0.0 - 192.81.255.255
Maintainer: HP
Hmm, the CIA has 162.45.*.* assigned to them, I guess they aren't using it.
I hope the MiBs don't come knocking on my door now.
Anyone else notice the Lotus Domino Server (Score:5, Interesting)
Why you may ask?
Because Lotus Notes and Lotus Domino are the only mail product that gives email administrators zero access to information within mail files. Each Notes database has an access control list, and you can specify who's on it. The mail server can have "depositor" access, which means it can only place information inside the database. The database can also be encrypted so that only the server can read it -- meaning someone has to steal a copy of the database itself off of the file system in order to have a chance at decryption.
Re:Portscanning? (Score:4, Interesting)
Don't recall ever hearing from anyone about it. I even tried to send an explanation of the port-scan, but the published email I had bounced.
Re:So what? (Score:3, Interesting)
A small team of men managed to literally roll an airplane out the back gate of an Air Force base, primarily using social engineering tactics. This team, hired by the military, found that military security wasn't all that it was cracked up to be.
If people only hire intelligent software engineers, no one will be able to social engineer anything.
How does *that* follow? Many social engineering attacks get the user to hand over username and password, and if you can't check IP (think mobile users) then you've just lost. At best you can contain it to that user's files, but that still may be a severe security leak.
Re:Web Logs (Score:2, Interesting)
"You've got a mail bomb"
Re:So what? (Score:2, Interesting)
Re:Anyone else notice the Lotus Domino Server (Score:3, Interesting)
You *can* disable this, however, by setting up password recovery within Domino, which I recommend that ALL Domino admins do. Then it requires anywhere from 2 to (I think) 4 different IDs to enter a recovery password, which will then recover the user's password.
Domino/Notes also is interesting in that your password is never sent over the wire, encrypted or otherwise. Your machine gets a copy of about a 2K $user.id file, which contains your authentication certificate to the Domino server. Your password identifies to your certificate that "I am Davitt J Potter/CIA/GOV/US." The Notes client then sends the certificate info to Domino, which then checks to make sure that certificate was generated by the Domino server, and is still a valid certificate. (Domino servers can set certificate expirations, so even if your password is valid, your certificate may be expired.)
I found Domino to be a really nice enterprise-level email solution; I only wonder why it isn't used more.
Re:Portscanning? (Score:3, Interesting)
Then, the site being mirrored was one that we'd developed for the air force, so I assume that they must've figured it was ok or maybe realized that it's bad form to monopolize most of our T1 for several minutes at a time and not felt like pushing the issue...
I'm pretty sure that individual bases, or however they're grouped, are each allowed some leeway in their security implementations, so they probably don't all track connection information down to each individual ping...
Significance? (Score:3, Interesting)
What's next? I would think that if you were not able to map the CIA's unclassified public network, then they must have some sort of major DNS problem.
There is absolutely no significance to this news story other than that organizations who maintain a publicly accessible web site with such services as e-mail and a web site must have a logical network structure to deliver said services. The CIA is no exception.
it's not that hard. (Score:2, Interesting)
Who's Socially Engineering Whom? (Score:2, Interesting)
The CIA's actual network defenses never even came into play. Because of the CIA's reputation, the security firm didn't dare portscan, or test the numbers, names, and addresses they got.
Obviously the CIA are the ones who really employed social engineering in this case.
Re:Portscanning? (Score:3, Interesting)
>tell you first hand that even pinging will get you a
>letter from the agency you pinged.
I can assure you that this is NOT the case for us outside the US. I've been known to use www.af.mil as a test of connectivity / UDP / ICMP, and I've not seen a letter, an email or indeed any MIB.
Never re-route CIA packets... (Score:4, Interesting)
Before his company got attached to the net, they were using an address of '11.*' for their internal computers, which included a number of Sun workstations -- some doing double duty as routers. For those of you who don't know, RFC 1918 officially designates 3 network ranges for this sort of work -- 192.168.*, 10.* and 172.16.0/12. 11.0 obviously doesn't fit in that range.
When they got their network attached to the 'net, they had to do a good deal of work to renumber all of their computers to have 'proper' IP addresses (either in their assigned block, or in an RFC1918 non-routing block).
Within an hour of connecting their box to the 'net, they got a rather brusque call from an intelligence agency official demanding to know why they were stealing his packets. They had to disconnect from the network and root around their network until they found (and removed) the errant subnet stub. It turns out that they had managed to miss one SUN with a second ethernet card that was no longer attached to an active subnet (but still routing to the stub subnet). This was back at a time when any SUN with two ethernet cards routed by default, and every machine ran routed(8) as a matter of course (much easier than having to do manual routing all the time!). It turns out that the route to the stub network had leaked out to the larger internet and poisoned the routing for a huge pool of machines.
When I teach networking, I use it as an example of why you should always use the proper non-routing addresses for internal networks.
(I just did a whois, and 11.0/8 is actually owned by the Defence Intelligence Agency, not the CIA. Not like there's a big difference for us civvies.)
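The story above is the classic case for auditing an internal address plan before anything is connected: every interface address and every route on an internal box should fall either in a space the organization actually holds or in one of the RFC 1918 blocks the poster lists, and anything else (11.0.0.0/8 here) is a candidate for leaking onto someone else's network. The following is an added example, not code from the original post or from any product mentioned on the page; the address and route samples are constructed for illustration, and the "assigned block" is the 203.0.113.0/24 documentation range standing in for whatever space a real organization holds.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# The three RFC 1918 private ranges, as named in the post above.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: interface addresses found on internal hosts.
SAMPLE_ADDRESSES = [
    "10.20.30.40",    # private
    "172.31.0.9",     # private (top of 172.16/12)
    "172.32.0.1",     # a common mistake: just outside 172.16/12
    "192.168.5.5",    # private
    "11.0.0.5",       # the post's problem: somebody else's public space
    "203.0.113.7",    # in the organization's (assumed) assigned block
]

# Constructed sample: static routes / stub subnets found in routing tables.
SAMPLE_ROUTES = ["10.0.0.0/8", "11.0.0.0/24", "203.0.113.0/25", "172.20.0.0/16"]

# Assumed: the block the organization has actually been allocated.
ASSIGNED_BLOCKS = ["203.0.113.0/24"]


def is_rfc1918(addr: str) -> bool:
    """True if a single IPv4 address lies in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify_address(addr: str, assigned: Iterable[ipaddress.IPv4Network]) -> str:
    """Label one address: 'rfc1918', 'assigned', or 'leak-risk'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if any(ip in net for net in assigned):
        return "assigned"
    return "leak-risk"


def classify_route(prefix: str, assigned: Iterable[ipaddress.IPv4Network]) -> str:
    """Label one route prefix by whether it is wholly inside a safe block.

    A prefix that only partially overlaps a private or assigned block is
    still a leak risk, because part of it covers someone else's space.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    safe = lambda blocks: any(
        net.version == b.version and net.subnet_of(b) for b in blocks
    )
    if safe(RFC1918):
        return "rfc1918"
    if safe(assigned):
        return "assigned"
    return "leak-risk"


def audit(addresses: Iterable[str], routes: Iterable[str],
          assigned_blocks: Iterable[str]) -> Dict[str, str]:
    """Audit addresses and routes; returns {item: verdict} for every input."""
    assigned = [ipaddress.ip_network(b) for b in assigned_blocks]
    report: Dict[str, str] = {}
    for a in addresses:
        report[a] = classify_address(a, assigned)
    for r in routes:
        report[r] = classify_route(r, assigned)
    return report


def leak_risks(report: Dict[str, str]) -> List[str]:
    """The items an operator should fix before connecting to the Internet."""
    return sorted(k for k, v in report.items() if v == "leak-risk")


def run_sample() -> Dict[str, str]:
    return audit(SAMPLE_ADDRESSES, SAMPLE_ROUTES, ASSIGNED_BLOCKS)


if __name__ == "__main__":
    rep = run_sample()
    for item, verdict in rep.items():
        print(f"{item:18} {verdict}")
    print("fix before connecting:", leak_risks(rep))
```

The route check deliberately requires the whole prefix to sit inside a private or assigned block rather than just its first address, which is how a forgotten stub subnet on a second interface shows up even when the host's own address looks fine.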