1/12/2012 02:00 PM

Air Force Drone Controllers Embrace Linux, But Why?

U.S. Air Force switched drones' ground control operating system after a credential-grabbing malware outbreak. Security expert thinks it's more than coincidence.

Did a Windows virus outbreak in systems related to military drones cause the Air Force to switch its control systems from Windows to Linux?

"Last year, U.S. military drone control systems were infected with Windows USB worms. They seem to be moving the control systems to Linux now," said Mikko Hypponen, chief research officer at F-Secure, via Twitter.

As evidence of the apparent shift, he posted pictures of a drone control system from 2009 (the image was originally published by the Air Force), which appears to sport a Windows graphical user interface. (A cropped version of the image also appeared in Air Force Times in 2009.) For comparison, Hypponen then posted an unclassified slide from a 2010 briefing that details Linux as being part of a 2011 upgrade and refit for drone control systems, and which sports a different graphical user interface.


Would the operating system switch provide an immediate drone control system security boost? "If I would need to select between Windows XP and a Linux based system while building a military system, I wouldn't doubt a second which one I would take," Hypponen told the Register.

While the timing of the apparent shift from Windows to Linux may be coincidental, it comes in the wake of a malware outbreak involving drone control systems last year. In October 2011, the Air Force acknowledged that malware had been detected on portable hard drives in use at Creech Air Force Base in Nevada. The majority of the country's unmanned military drones are remotely flown from the base, and used for missions in Afghanistan and other war zones. But the Air Force said that the malware, discovered in September 2011, hadn't "affected Remotely Piloted Aircraft (RPA) operations"; it had affected only ground control systems, which are responsible for drones' weapons and surveillance capabilities.

"The ground system is separate from the flight control system Air Force pilots use to fly the aircraft remotely; the ability of the RPA pilots to safely fly these aircraft remained secure throughout the incident," according to a statement released by the Air Force.

The Air Force also downplayed the malware's threat, saying it wasn't a keylogger--as first reported by Wired, which broke the drone malware story--but rather a credential stealer, which is typically designed to capture logon credentials for Webmail, FTP sites, and online games.

"The malware was detected on a stand-alone mission support network using a Windows-based operating system," read the Air Force statement. "It is not designed to transmit data or video, nor is it designed to corrupt data, files, or programs on the infected computer. Our tools and processes detect this type of malware as soon as it appears on the system, preventing further reach."

Arguably, however, any intelligence gleaned by a credential stealer might be useful for someone who wanted to compromise a drone, as Iran recently did with a U.S. Sentinel drone, reportedly by jamming its remote-control channel, then feeding it fake GPS coordinates and making it believe it was landing at an American base.

But the Air Force said that the infected computers were part of a ground control system used to support unmanned aircraft operations, and that the malware never infected the aircraft's flight control systems. Furthermore, those flight control systems are supposed to be protected by an air gap, and never connected to the Internet. But the presence of malware on portable drives--"approved for transferring information between systems," as the Air Force put it--indicates an obvious potential infection vector, should those drives ever be plugged into flight control systems.

According to Defense News, the portable drives had been used to load map updates and to transfer surveillance videos between computers. After the malware outbreak, however, the use of such drives was banned.
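As an added illustration, not part of the article and not the Air Force's own procedure, the PowerShell script below shows how a Windows administrator would audit, and optionally enforce, a ban on removable drives of the kind described above. It reads the "Removable Storage Access: deny all" policy key and the state of the USBSTOR driver service, lists any removable volumes currently mounted, and only writes the deny settings when run with the assumed `-Enforce` switch. It assumes administrative rights on a Windows Vista or later host (the policy key does not exist on XP, although disabling the USBSTOR service does work there); the function names are mine.

```powershell
# Added example: audit and optionally enforce a removable-drive ban on a
# Windows host. Not from the article; key paths are the standard Windows
# policy and service locations, the function names and -Enforce switch
# are assumptions of this example.
[CmdletBinding()]
param(
    [switch]$Enforce   # without this switch the script only reports
)

# Key written by the Group Policy setting "All Removable Storage classes:
# Deny all access" (Computer Configuration > Administrative Templates >
# System > Removable Storage Access). Deny_All = 1 blocks every class.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# USB mass-storage driver service. Start = 3 (manual) loads it on demand;
# Start = 4 disables it so a newly inserted drive never mounts.
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableStoragePosture {
    $denyAll  = (Get-ItemProperty -Path $policyKey  -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $usbStart = (Get-ItemProperty -Path $usbstorKey -Name 'Start'    -ErrorAction SilentlyContinue).Start

    # DriveType 2 in Win32_LogicalDisk is "Removable Disk".
    $mounted = @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
                 ForEach-Object DeviceID) -join ','

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        PolicyDenyAll    = if ($null -eq $denyAll)  { 'not set' }     else { $denyAll }
        UsbStorStart     = if ($null -eq $usbStart) { 'not present' } else { $usbStart }
        RemovableVolumes = if ($mounted) { $mounted } else { 'none' }
        # Either control on its own prevents a removable disk from being used.
        Compliant        = ($denyAll -eq 1) -or ($usbStart -eq 4)
    }
}

function Set-RemovableStorageDenied {
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
    # Belt and braces: also disable the driver, which takes effect for
    # devices inserted after this point without waiting for a policy refresh.
    Set-ItemProperty -Path $usbstorKey -Name 'Start' -Value 4
}

$before = Get-RemovableStoragePosture
$before | Format-List

if ($Enforce -and -not $before.Compliant) {
    Set-RemovableStorageDenied
    Write-Verbose 'Removable storage denied; re-checking posture.'
    Get-RemovableStoragePosture | Format-List
}
```

Run without arguments the script is a read-only check that can be collected from many hosts and compared; `Compliant` is false whenever neither control is in place, and `RemovableVolumes` shows drives that were already mounted before the ban (the policy denies new access but does not eject them). Setting the policy through a domain GPO rather than the local key is the same registry value delivered centrally.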

Comments
RSL (User Rank: Apprentice), 1/17/2012 | 4:31:44 PM
re: Air Force Drone Controllers Embrace Linux, But Why?
You seem to miss the point: a PROCESS FLAW caused this problem, not Windows. Fact: Every OS has vulnerabilities. Your enterprise is only as secure as the way you manage it. Please present a good reason as to why USB drives could freely operate on military computers; please indicate where Windows was the issue. If you allow USB drives, then ANY OS, or enterprise, can be infected, correct?

Are you going to blame Windows for the recent event where an untold amount of info left military facilities and into WikiLeaks? Are you going to blame Windows for the drone that is in Iranian hands, after it was learned that they took advantage of a flaw that existed for YEARS?

The bulk of modern day threats are no longer being directed at the OS.

Your answer that "Windows is not secure" is a typical, lightweight reply. Soon to arrive, Windows 8 has been regarded as so secure that hackers will now resort to breaching on board devices, like video cards, because the OS has been so hardened. What military information breach has occurred due to Windows itself?

The knee jerk reaction is all too often to blame Windows, when Windows itself is secure and has an entire arena of security tools, and central management features that leave any other OS in the dust. Stay focused on the issues: process flaws.
Henry Hertz Hobbit (User Rank: Apprentice), 1/14/2012 | 2:44:02 AM
re: Air Force Drone Controllers Embrace Linux, But Why?
I also brought facts, not rants, and they won't post them. My answer was too long. The long and short of it is that Windows is not secure. Maybe Windows could have been more secure if Microsoft had just waited for IBM to put ownership and file usage permissions into the HPFS (High Performance File System) that became the NTFS. Over the past six years of producing filters for HostsFile.org and SecureMecca.com I have looked at over 6,000 Windows binary malware. I have had less than a dozen cross-platform infections, all of them using JavaScript that affected Linux. Two of the JavaScript infections were toolbars, one distributed by Mozilla. My only dissatisfaction with Linux is too much change just for the sake of change. Why, oh why did Ubuntu abandon the gnome-shell GUI? It works great for me. Kudos to the Air Force for their courageous decision.
Henry Hertz Hobbit (User Rank: Apprentice), 1/14/2012 | 2:28:38 AM
re: Air Force Drone Controllers Embrace Linux, But Why?
Well, OldUberGoober, I beat you by quite a bit going back into the 70s. The reason the Robert Tappan Morris exploit worked was because sendmail was running with root (admin) privileges and they ignored his pleas to guard against buffer over-run. Don't tell me what it was like - I was a sysadmin all the way through the episode and learned to really dislike sendmail. Like Microsoft Windows, sendmail was secure enough until you pushed against it. Postfix written by Wietse Venema is much better and runs most of the time with lower privileges. Thanks IBM for supporting the Postfix development. But sendmail was patched and I know people that have been using sendmail the past 15+ years with no problems (other than that awful configuration file). If Microsoft had just waited for IBM to put ownership and usage permissions into the HPFS (High Performance File System) that became the NTFS we would not be in the mess we are in today. In the almost six years of doing research into producing filters for SecureMecca.com and HostsFile.org I had less than a dozen malware that worked with Linux - actually they were cross platform since they were all JavaScript and two of them were browser toolbars that spy on you. During that same time period I have looked at well over 6,000 Windows binary malware. Recently I discovered a PAC (proxy auto config) file that is also cross platform at PhishTank. Here is the scan of it at Jotti:
http://preview.tinyurl.com/7hm...
PhishTank people classified it as NOT a phish. It is one of two new style phish. It beats me why a Taiwan web-site was (they finally removed it but took a long time to do it) distributing a PAC file with various Brazilian bank pretenders. Fortunately, I was able to persuade the Minnesota town's ISP the PAC file redirected you to for the Brazilian banks to take protections against it by having the people where the PAC phisher information went to, to have the person clean it off their Microsoft Windows PC. If it had been in Chicago, New York or some other place like that instead of a small Minnesota town with some people that have good sense, nothing would have been done. If you go into my public folder on securemecca.com you can see what it looks like. It is the file called PAC-Phish.txt. All I changed was the IP address to localhost to protect the innocent. I have also received I don't know how many new phish of a type recently that will work on any platform. Again, PhishTank people don't know what to do with them since they are not a URL. They are an attached file. Neither do the AV companies, and here is the Jotti AV scan to prove it (this is on-going right now and I am using Jotti because Comcast seems to be blocking my access to VirusTotal.com):
http://preview.tinyurl.com/7tm...
It is good to see that CP-Secure has joined Sophos in understanding what it is. But again, it looks like PHISH in the Thunderbird email client program. What does it look like in Outlook Express, Outlook, and web-mail? It looks like the real deal. But like prying you off of Windows, getting you to use Thunderbird instead of Outlook (you can also use Claws Mail on Windows if you want an Outlook-like client that doesn't execute JavaScript and get OpenPGP encryption to boot - all free) is just as difficult as it was for RSA. We all know where that went, don't we?
Kudos to the Air Force for their courageous decision!
RSL (User Rank: Apprentice), 1/13/2012 | 5:16:36 PM
re: Air Force Drone Controllers Embrace Linux, But Why?
Let's stay in focus here - the crux of this matter is that the systems were compromised by a PROCESS FLAW, not a specific OS. USB drives were allowed to be randomly mounted ...on military systems? Really? This is a well known high risk practice - like running email attachments from an unknown sender. If USB drives are absolutely needed, then a disconnected kiosk machine should be used to scan any drive before use. Remember USB drives can be used to STEAL info from these systems too; I cannot believe they were allowed.

Your enterprise is only as secure as your practices allow.

The Windows OS is not the issue here, it is inherently secure, and has many tools to enhance that. They were running XP, Windows 7 has been out for quite a while, and is way more secure ...and they still hadn't upgraded? Via Group Policies, Windows can natively disallow USB drive use, which would have avoided this episode. Native Linux cannot be centrally managed.

I bring you facts, not rants. These are basic and simple solutions, built into Windows, available to all enterprises, can other OSes do that?
UberGoober (User Rank: Apprentice), 1/13/2012 | 3:18:56 PM
re: Air Force Drone Controllers Embrace Linux, But Why?
Charles, perhaps you should have a beer with Robert Tappan Morris before you get too convinced that Unix/Linux is ultimately secure. My Unix experience goes back to the early '80s, but I don't romanticize it. There are indeed fewer threats to Unix-derived systems than Windows, but a big part of that is related to the fact that the target base is about 100 times bigger, and bad guys go where the money is. NO system is unhackable, and while I agree that a properly configured Linux system is generally safer than an equivalent current Windows machine (XP, the object of the quote in the article is of course not current), the delta has shrunk significantly over the years, and the real key to either system is that 'properly configured' caveat.
Charles Norrie (User Rank: Apprentice), 1/13/2012 | 5:44:24 AM
re: Air Force Drone Controllers Embrace Linux, But Why?
Well that just about does it for Windows. It ends for once and for all the debate about which system is safer. Sound it from the rooftops and make Gates, Ballmer and co swallow their words. Microsoft is and was from the start crapware. The military has spoken.