Yet Another “Lady Gaga” Exposure Forces DOD to Wipe Drone Control Computers

On Friday, Wired broke the news that the DOD suffered yet another breach because they continue to leave computers exposed to outside storage systems. (h/t WO) In this case, the Ground Control Stations they use to control drones got infected with a keylogger virus.

But time and time again, the so-called “air gaps” between classified and public networks have been bridged, largely through the use of discs and removable drives. In late 2008, for example, the drives helped introduce the agent.btz worm to hundreds of thousands of Defense Department computers. The Pentagon is still disinfecting machines, three years later.

Use of the drives is now severely restricted throughout the military. But the base at Creech was one of the exceptions, until the virus hit. Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another. The virus is believed to have spread through these removable drives. Drone units at other Air Force bases worldwide have now been ordered to stop their use.

After a virus was introduced into computers in Iraq three years ago via thumb drive, DOD claimed it had prohibited the use of any removable media with their computers. But then Bradley Manning allegedly removed hundreds of thousands of classified cables from SIPRNet using a Lady Gaga CD. Rather than making all computers inaccessible to removable media at that point, DOD left 12% of their computers vulnerable, deploying a buddy-system to prevent people from taking files inappropriately; but human buddy systems don’t necessarily prevent the transmission of viruses.

The good news is that the Host-Based Security System implemented in response to Wikileaks discovered the virus–two weeks ago.

But here’s the other interesting wrinkle. To get rid of these viruses, techs have resorted to wiping the hard drives of the targeting computers.

In the meantime, technicians at Creech are trying to get the virus off the GCS machines. It has not been easy. At first, they followed removal instructions posted on the website of the Kaspersky security firm. “But the virus kept coming back,” a source familiar with the infection says. Eventually, the technicians had to use a software tool called BCWipe to completely erase the GCS’ internal hard drives. “That meant rebuilding them from scratch” — a time-consuming effort.

Given what little we know about the Anwar al-Awlaki assassination (which, as Wired points out, happened after these computers were known to be infected), this should not affect the computers that ten days ago killed two US citizens with no due process. The Newsweek story describing the CIA’s targeting process says that targeting is done in VA, not NV, where the virus hit.

But particularly given the questions about Samir Khan’s death, consider if that weren’t the case. That would mean a key piece of evidence about whether or not the US knowingly executed an American engaging in speech might be completely eliminated, wiped clean to fix a predictable virus.

That’s not the only risk, of course. We’ve talked before about how long it’ll take for Iran or Mexican drug cartels to hack our armed drones. If this virus were passed via deliberate hack, rather than sloppiness, then we might be one step closer to that eventuality.

All because DOD continues to refuse to take simple steps to secure their computers.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

  1. MadDog says:

    The Newsweek article that EW links to has this paragraph in it:

    “…Some counterterrorism experts say that President Obama and his advisers favor a more aggressive approach because it seems more practical—that administration officials prefer to eliminate terrorism suspects rather than detain them. “Since the U.S. political and legal situation has made aggressive interrogation a questionable activity anyway, there is less reason to seek to capture rather than kill,” wrote American University’s Kenneth Anderson, author of an essay on the subject that was read widely by Obama White House officials. “And if one intends to kill, the incentive is to do so from a standoff position because it removes potentially messy questions of surrender…”

    (My Bold)

    I’ve previously downloaded Anderson’s “essay” from the Social Science Research Network (SSRN), and for the edification of other commenters who wish a deeper understanding of what forms the drone targeting decision-making thinking of the National Security types in the White House and elsewhere in the Intelligence Community, here’s a link to where you can download that Kenneth Anderson “essay”:

    Targeted Killing in U.S. Counterterrorism Strategy and Law

  2. MadDog says:

    @MadDog: And since it seems that there can be no more than two links per comment, I’m continuing my document linking in additional comments.

    Some additional Kenneth Anderson essays available for download on this topic:

    1) His most recent piece: Targeted Killing and Drone Warfare: How We Came to Debate Whether There is a ‘Legal Geography of War’

    2) His and others’ testimony to Congress on the topic: ‘Drones II’ – Kenneth Anderson Testimony Submitted to U.S. House of Representatives Committee on Oversight and Government Reform, Subcommittee on National Security and Foreign Affairs, Second Hearing on Drone Warfare, April 28, 2010

  3. allan says:

    “That would mean a key piece of evidence about whether or not the US knowingly executed an American engaging in speech might be completely eliminated…”

    It should be remembered that the Lackawanna Five (or Buffalo Six, depending on who you ask) lost their only chance at exculpatory testimony when Kamal Derwish was Hellfired.

  4. scribe says:

    Heh. Kaspersky’s a Russian and his company is based in Russia. F’g hilarious, the US going to the Russians to get instructions on how to wipe out a computer virus.

  5. MadDog says:

    …Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another…

    A question that arises from the description of the process “to load map updates and transport mission videos from one computer to another” on GCS machines, as the Wired article describes it, is just how these tasks get accomplished now.

    The task itself hasn’t gone away, so how do the Air Force and the CIA do it now? If they no longer use removable drives, and they still perform the task, there aren’t many options left to accomplish it.

    One is that the GCS machines are connected via some type of network like SIPRNet (or its Top Secret equivalent) “to load map updates and transport mission videos from one computer to another”.

    In which case, the use of some network like SIPRNet may reduce the potential virus threat, but leave the GCS machine data still vulnerable to the previously known SIPRNet flaws of access and control.

    One of the truisms (and oxymorons) about computer security is that the only method to completely ensure computer security is to prevent any access to the computer.

  6. scribe says:

    @MadDog:

    The task itself hasn’t gone away, so how do the Air Force and the CIA do it now?

    Punch cards.

    Decks and decks of punch cards.

  7. MadDog says:

    @scribe: LOL! Back in the day when punch cards were de rigueur (yes, I am one of those with hands-on familiarity), there was nothing funnier than watching some poor techie schlep (yes, I was also one of those) drop an entire tray of punch cards on the floor.

    The term “time-sharing” was also in vogue and had a real meaning. It meant that computing time was precious and rationed to the nth degree.

    Many a night I’ve spent waiting for my time in the queue for access to the computer. Let’s say that was from 2:00 AM until 2:10 AM.

    If one dropped that entire tray of punch cards on the floor, one had totally screwed the pooch.

    Been there, done that! *g*

  8. scribe says:

    @MadDog: Back in the day, some of my college courses required use of the card reader and a deck of punch cards. There was always a joke running around among us students about screwing over this classmate or that, by shuffling their deck of cards. No one ever did, but we all adopted one flavor or another of easing our worries, usually by magic marker on the edge of the deck so one could see at a glance if it had been shuffled.

  9. orionATL says:

    “…In the meantime, technicians at Creech are trying to get the virus off the GCS machines. It has not been easy. At first, they followed removal instructions posted on the website of the Kaspersky security firm. “But the virus kept coming back,” a source familiar with the infection says. Eventually, the technicians had to use a software tool called BCWipe to completely erase the GCS’ internal hard drives. “That meant rebuilding them from scratch” — a time-consuming effort…”

    1) dod employees have so little training, and/or so little expert help as back-up, that they have to go to a commercial anti-virus website for help?

    2) our multi-$100 billion per year uses a commercial virus blocker?

    no wonder the chinese military computer academy can steal anything they want from the u.s. dept of dunce.

    by the way, the info released that is contained in this article is possibly more damaging to u.s. national security than anything manning copied and forwarded.

    we now know

    – that dod has no team of specialists to help out its it folk

    and

    – that dod does not have a competent a-v program for some of its computers

    and

    – that dod may be using a commercial a-v product to protect us – kind of like a condom with microscopic holes.

  10. P J Evans says:

    @scribe:
    I always favored a lengthwise diagonal stripe, usually in red. I also tried to make sure there were numbers on the cards. Playing 52-pickup with a program isn’t that much fun. (I was also happy when punchcards went out. I do remember using mark-sense cards for a job in 1984.)

  11. jerryy says:

    Keystroke loggers give you more than user names and passwords; the record also tells you how the technology is being controlled, which means you can reverse engineer it to get to how the hardware works, which is often better knowledge than a low-level password that only controls one item.

  12. chetnolian says:

    I wonder if the continuing use of removable drives at Creech has anything to do with the British RAF Predator crews based there. I assume it would be difficult to allow the RAF crews access to SIPRNet, as US security has always regarded any US private soldier as inherently more secure than some Limey officer.

  13. emptywheel says:

    @chetnolian: It may. There were two reasons cited for why they did that: to share intell with partners, and for weapons platforms that required it.

    Both could apply here.

  14. The Raven says:

    It sounds like they are using Windows for their drone controller software, which is a major security error. It also sounds like their software engineers didn’t even take the elementary precaution of disabling auto-run from inserted CDs and thumb drives.

    Larry, Moe, and Curly do computer security.

  15. Carl Weetabix says:

    Ironically generally the way you get these sorts of viruses/malware in the first place is by going to questionable sites – porn, illegal download, etc.

    Doesn’t exactly reflect well in general.

  16. P J Evans says:

    @The Raven:
    Worse security than the utility I work at. We don’t have USB ports enabled, and the CD drive on my computer, at least, is non-functional. (Yes, it is occasionally extremely inconvenient for work purposes. They have to work around it for software installation.)

  17. rugger9 says:

    However, it also conveniently prevents any scrutiny over the Awlaki / Samir Khan hit. Golly, the data just got wiped. Kind of like how Rove “lost” his blackberry so the emails were no longer available.

    Hmmmmmm………

  18. emptywheel says:

    @rugger9: Yeah, that’s sort of why I put it in the post. I THINK the targeting on Awlaki was done a lot closer to the WH than in NV. If so, it probably wasn’t wiped.

    • bmaz says:

      Interesting point, and I think that is quite possible on the actual targeting end. I wonder how much information moves between the facilities to the actual pilot team? For instance, would live feeds etc. go to Nevada?

  19. Acharn says:

    @scribe: I think you were joking there, but…

    I think it was at least twenty years ago when I read the lamentation that important parts of the history of computer development were going to be lost because of changes in technology. In other words there were vital documents and documentation and narrative that could no longer be read because the machines they were stored on couldn’t be read by modern machines. For example, at one time there were computers that used a ten-bit byte. For some reason that design was rejected in favor of powers of two, but there were some important machines built that way. IBM used to design their machines with interfaces that could only be connected to using their patented plugs. There was bubble memory, and memory systems using dollops of mercury. And file formats that were not universally used in the days before standards.

    But I would expect any organization as resistant to change as the military to still have card readers.
