US Army reduces tech vulnerabilities

[Xisiqomelir]

Forbes

Thinking Different
Apples For The Army
Andy Greenberg , 12.21.07, 6:00 AM ET

Given Apple's marketing toward the young and the trendy, you wouldn't expect the U.S. Army to be much of a customer. Lieutenant Colonel C.J. Wallington is hoping hackers won't expect it either.

Wallington, a division chief in the Army's office of enterprise information systems, says the military is quietly working to integrate Macintosh computers into its systems to make them harder to hack. That's because fewer attacks have been designed to infiltrate Mac computers, and adding more Macs to the military's computer mix makes it tougher to destabilize a group of military computers with a single attack, Wallington says.

This past year was a particularly tough one for military cybersecurity. Cyberspies infiltrated a Pentagon computer system in June and stole unknown quantities of e-mail data, according to a September report by the Financial Times. Later in September, industry sources told Forbes.com that major military contractors, including Boeing, Lockheed Martin, Northrop Grumman and Raytheon had also been hacked.

The Army's push to use Macs to help protect its computing corps got its start in August 2005, when General Steve Boutelle, the Army's chief information officer, gave a speech calling for more diversity in the Army's computer vendors. He argued the approach would both increase competition among military contractors and strengthen its IT defenses.

Apple computers still satisfy only a tiny portion of the military's voracious demand for computers. By Wallington's estimate, around 20,000 of the Army's 700,000 or so desktops and servers are Apple-made. He estimates that about a thousand Macs enter the Army's ranks during each of its bi-annual hardware buying periods.

Military procurement has long been driven by cost and availability of additional software--two measures where Macintosh computers have typically come up short against Windows-based PCs. Then there have been subtle but important barriers: For instance, Macintosh computers have long been incompatible with a security keycard-reading system known as Common Access Cards system, or CAC, which is heavily used by the military.

The Army's Apple program, created after Boutelle's 2005 address, is working to change that. As early as February 2008, the Army is planning to introduce software, developed by Arlington, Texas-based Thursby Software, that will also enable Mac desktops and laptops to use CAC systems--a change that should make it easier to get Macs into the service.

Though Apple machines are still pricier than their Windows counterparts, the added security they offer might be worth the cost, says Wallington. He points out that Apple's X Serve servers, which are gradually becoming more commonplace in Army data centers, are proving their mettle. "Those are some of the most attacked computers there are. But the attacks used against them are designed for Windows-based machines, so they shrug them off," he says.

Apple, which declined to comment, has long argued its hardware is less hackable than comparable PCs. Jonathan Broskey, a former Apple employee who now heads the Army's Apple program, argues that the Unix core at the center of the Mac OS operating system makes it easier to lock down a Mac than a Windows platform.

And Apple's smaller market share has long meant that it didn't attract cybercriminals hoping to wreck the most havoc possible. "If you look at the numbers, you see that malicious software for Macs is very limited," he says. "We used to sell Apples by saying they don't get viruses."

Of course, cyberspooks may be honing their Mac-attacking skills, too. An end-of-year report by Finnish software security company F-Secure highlights the growing number of hackers targeting Apple systems with malicious software, some of which could allow cybercriminals to steal security passwords. In the past two years, until this October, F-Secure found only a small handful of malicious programs targeting Macs. In the past two months, the company has found more than a hundred specimens of Mac-targeted malicious code.

Charlie Miller, a software researcher with Independent Security Evaluators, worries that the Army's diversification plan isn't enough to thwart the bad guys. He sees a two-platform system as a "weakest link" scenario, in which a determined cyber-intruder will seek out the more vulnerable of the two targets. "In the story of the three little pigs, did diversifying their defenses help? Not for the pig in the straw house," he says.

The marketing pitch that Apples are inherently more secure than PCs is also largely a myth, contends Miller, who gained notoriety for remotely hacking the iPhone last August. He points to data gathered by software security firm Secunia, which showed that Apple had to patch nearly five times as many security flaws in its software over the past year as Microsoft had to patch in Windows. Apple's Quicktime player alone, he says, was patched 34 times. "I love my Macs, but in terms of security, they're behind the curve, compared to Windows," Miller warns.

But the Army's Jonathan Broskey stands by his claims of Apple's security: He says the high number of patches to Apple software is a good sign--evidence of the large community of developers actively working to tighten Unix programs and eliminate bugs. Nonetheless, like any responsible IT department, he says the Army's Apple program will closely monitor security updates to Mac-specific programs. "The Army's no different from any corporation," he says.

Still, relative to corporate cybersecurity, Lieutenant Colonel Wallington points out, the stakes are much higher. A leaked deployment order, for instance, might reveal the path of a supply truck and the points where it could be sabotaged, he says.

"This is information that affects the lives of soldiers and the civilians we're trying protect," Broskey adds. "It has to be safeguarded."

[Solauren]

Given the money the army has, converting to all Macintosh shouldn't be a problem.

However, that may actually encourage hackers to target Macintosh systems.

I personally think the Army would be further ahead buying up a software firm and saying 'okay, make us our own custom operating system to these specifications.'

Keep the operating system classified, and that would reduce hacker problems dramatically.

'Course, that would oh, make sense

[phongn]

Writing an entirely new custom OS probably would make the system less secure, not more.

[Durandal]

However, that may actually encourage hackers to target Macintosh systems.

It probably will. But frankly, we've been hearing all this noise about how Mac OS X is going to be the next Windows XP for years now. And it hasn't happened. With things like Seat Belt in Leopard, exploits' ability to harm the system will be severely diminished. There are vulnerabilities in Mac OS X, but no one seems to have really bothered exploiting them, despite growing marketshare, mindshare and the supposed "smug attitude" of Mac users about security.

I personally think the Army would be further ahead buying up a software firm and saying 'okay, make us our own custom operating system to these specifications.'

Just buying up a software company and telling them to write an operating system isn't exactly easy. And the final product will almost certainly be riddled with security holes, since code scrutiny will be limited to those with security clearances. It's a security-by-obscurity design, and it doesn't work. The entire technique of fuzzing was probably developed largely in part to work against this security model.

Keep the operating system classified, and that would reduce hacker problems dramatically.

'Course, that would oh, make sense

Not terribly, no.

[Zablorg]

Lieutenant Colonel C.J. Wallington is hoping hackers won't expect it either.

Well Wallington, you just kind of blew that hope by announcing you're using them!

[Darth Ruinus]

Lieutenant Colonel C.J. Wallington is hoping hackers won't expect it either.

Well Wallington, you just kind of blew that hope by announcing you're using them!

Or...

... its a trick!

[Durandal]

It's a trap!

[Spyder]

Yep, someone's going to feel very clever when they telnet in and get greeted with a TRS-DOS prompt.

[Rogue 9]

Okay, so now hackers have an actual reason to start hacking Macs. Yay?

[Spyder]

Okay, so now hackers have an actual reason to start hacking Macs. Yay?

That'll be interesting to see actually. I've always been curious to see how Macs would perform if hackers were given a reason to launch an attack.

[Zablorg]

Mac fans say that no one really hacks macs because of their 1337 security. Can anyone confirm this?

[Mr Bean]

Of course there's the problem that attempting to hack DOJ will be prosecuted as a terrorist act rather than simply industrial espionage or electronic breaking and entering.

That of course does not stop a dozen people a day attempting to hack the FBI's server. (At least that's one Web guru told me at the Pentagon once)

[Rogue 9]

People attempt to hack the DoD every day, or at least they used to. I don't know whether that's changed since the government started considering it a terrorist act (when was this, by the by?), but it wouldn't surprise me much if it didn't.

[Mr Bean]

People attempt to hack the DoD every day, or at least they used to. I don't know whether that's changed since the government started considering it a terrorist act (when was this, by the by?), but it wouldn't surprise me much if it didn't.

Since Patriot Act Part I, any attack on US government facilities can be considered terrorism if the DoJ decides to prosecute it as such.

[Netko]

Mac fans say that no one really hacks macs because of their 1337 security. Can anyone confirm this?

Not really, no. As the article notes (in a surprisingly balanced fashion), Macs (and Linux in a desktop role - however, its server proliferation makes it a bigger target) have an added security advantage of being a minor market share OS, which discourages general hacks (would you target the OS with 90% market share, and more importantly a 90% chance of finding it again when the virus attempts to spread itself or the one with 5%?) and targeted hacks have the problem of less knowledge (familiarity) on the part of the hackers. On the other hand, as noted about last year's patching numbers, do to being the main target Windows got hardened a lot in the last couple of years (since XP SP2 when security became paramount), while, do to being such a smaller target, OS X developers could be slack about security, comparatively (hence the need to plug so many holes). The general feel over on Ars among the knowledgeable posters seems to be that OS X is probably better security-wise then pure XP but less then or on par with XPSP2 (with Vista being even somewhat more secure), or that at least is my impression.

[ThatGuyFromThatPlace]

Given the money the army has, converting to all Macintosh shouldn't be a problem.

However, that may actually encourage hackers to target Macintosh systems.

I personally think the Army would be further ahead buying up a software firm and saying 'okay, make us our own custom operating system to these specifications.'

Keep the operating system classified, and that would reduce hacker problems dramatically.

'Course, that would oh, make sense

Why buy a software firm simply to develope a more secure, custom OS whent he open source community already provides a number of highly customizable and secure OSes for free, then the pentagon could spend it's money on more hookers for the generals AND have a versatile, secure OS.
But I guess Pentagon is allergic to spending its money wisely and has decided to buy overpriced, overspecced, not incredibly versatile computers instead (I guess this will be good for the quality of powerpoint presentation in the Pentagon at least)

[Lonestar]

Not terribly, no.

The operations side is classified. In fact, it's physically segregrated from the internet.

Not much that would be damaging is to be had on nIPR.

Uhhh...except social security numbers.