An IT Flaw Has Let Unauthorized Users Exploit Army PCs for Years


Earlier this week, Buzzfeed reported that a computer security flaw has left Army computers vulnerable for at least two years; today, the Army confirmed to Buzzfeed that this was, in fact, the case. And that they have no plans to do anything to fix it.


While the specifics of the flaw haven't yet been disclosed—for obvious reasons—what it does is alarming. Anyone with access to a shared Army computer can assume the identity of any other Army personnel. That means getting their security clearances. That's bad. According to Buzzfeed:

In order to log into a shared Army computer you need to insert your personal Common Access Code military ID. Each card contains a chip that has the individual soldier’s permissions and security details, and which helps the military track your activity. Once you remove the card, you are fully logged out. But the hack overrides that system during the shut down period.

Repeated attempts by some soldiers to bring the matter to light through normal channels went unheeded; they were told, instead, to keep their mouths shut. It was only after the Buzzfeed report came to light that the Army acknowledged there was a problem at all. And that it has no intention of making it better.

That's right. Instead of patching the flaw, the military is going to impress the importance of personal responsibility on its troops. If everyone makes sure they're fully logged off, the thinking goes, the problem will take care of itself. As anyone who's ever spent any amount of time around computer systems will tell you, it will not.

It's an especially large problem given the sort of information that's at stake. Nearly any soldier with knowledge of the hack—of whom there were reportedly a large number before, which one can imagine is much larger by now—could use it to gain access to the highest clearance levels we have. If that's not an important national security threat, I'm not sure what is.

The full report on Buzzfeed is well worth a read. It's also a not-so-gentle reminder that some of our most important vulnerabilities can't be stopped with Kevlar or missile defense. Especially if we don't try to patch them at all. [Buzzfeed]


Photo credit: Getty Images

DISCUSSION

AlexDeLarge

Some years ago, I was assigned to perform a software installation at an Army location placed close to Albany, NY.

Being Mexican, I had to pass a lot of security in order to get into the IT department, always with a huge badge that said "Foreign National" around my neck.

On my checklist there was a simple question: "Do I have permissions and clearance to modify the base's Active Directory?" THEY SAID YES (fortunately for me, I had a signed checklist), so I proceeded to install said software.

SHIT, less than a minute after that, the phones started ringing like crazy, my computer blocked, and a lot of people entered the room asking for an explanation.

I think they sympathized with me after they saw my face. I was easily identifiable, the guy with the fucking ridiculous big badge. For the first 10 minutes I was freaked; my cool returned when I remembered and showed the signed checklist.

After that day, for the next two weeks I was working at the base, I had to be accompanied by an MP at all times.

Installation and setup went great after the event, which happened on the very first morning of the assignment. The IT manager, a Major if I remember, was very kind; he gifted me a nice book about the history of the place. Even though it was a hard read, I read it and sent some comments about it in reciprocity.