Feb 03 2008

What’s wrong with this picture?

You call this “information assurance”? I can’t wait to see “information superiority”

The U.S. Air Force seems far too eager to pitch its new “cyberspace” mission. Case in point: their brand-new Air Force Cyberspace Command (AFCYBER) published a classified publicity photo on their website in July 2007.

Classified publicity photo available on USAF website

This classified photo made its debut on USAF’s website in July 2007. They published a redacted version in their official magazine but no one bothered to pull the classified version from their website. The classified photo has since appeared in two different military associations’ magazines.

Someone wisely redacted this photo when it appeared in Airman magazine … yet no one bothered to remove it from USAF’s website. Now, both the Air Force Association and the Armed Forces Communications & Electronics Association have printed the original classified publicity photo in their January 2008 journals.

You could still view the original classified publicity photo at USAF’s website when I published this column. But hey, if you’re a cyber-terrorist, go here so you don’t leave any fingerprints on a U.S. military web server.

“Classified publicity photo.” Hmph. Do you realize how stupid it sounds?

Yes yes yes, I parodied this very photo last year — but I used a reduced version too small for intelligence gathering. For the record: I did not publish the full unretouched snapshot in AFCEA’s international arms magazine. But if they can do it, then I might as well join in on the fun. I posted the original classified publicity photo as no-opsec.jpg purely for your amusement.

(“no-opsec,” get it?)

AFCYBER submitted two similar captions for this classified publicity photo. The more informative caption reads:

Capt. Jason Simmons and Staff Sgt. Clinton Tips update anti-virus software for Air Force units to assist in the prevention of cyberspace hackers July 12 at Barksdale Air Force Base, La. The Air Force is setting up the Air Force Cyberspace Command soon and these Airmen will be the operators on the ground floor. (U.S. Air Force photo/Tech. Sgt. Cecilio Ricardo)

Everyone tries to put their best foot forward in a publicity photo, but this one is bad on multiple levels. I’m stunned by what it reveals to enemies of the United States.

Let’s begin with the monitor behind the forehead of the man on the right with his face lit up for dramatic effect. It identifies “SIPRNET,” the military’s classified Internet, with a bold red background. Low and to the left of the monitor we can see a small KVM with both a green sticker and a red sticker on it. We see a KVM at each workstation, and the stickers in the left foreground offer enough focus so we can infer “Unclassified” on the green sticker and “Secret” on the red sticker.

If you served in the military after 1988 or purchased a USB flash drive at an Afghan bazaar, then you know the stickers identify classified objects as proscribed in Title 32 USC §2003.

Count ‘em, folks: five monitors are on SIPRNET in this photo. The rest are on NIPRNET (aka the Internet). Two SIPRNET screens are password-locked but the other three reveal sensitive data to enemies of the United States.

Two green lights on the KVMs tell us each workstation has two computers; the yellow light above & to the right of a green dot tells us which machine currently has the monitor. But this is odd: we can plainly see two monitors at each workstation. The KVMs look too small to support dual monitors — and we don’t see KVMs stacked on top of each other — so we can deduce AFCYBER connects NIPRNET & SIPRNET machines to each other via one of the monitors.

That’s a major no-no, isn’t it? I don’t think the NSA will let you connect a SIPRNET machine to a NIPRNET machine like that!

(Since Americans read English from left-to-right, you can bet AFCYBER hooks the left monitor to the KVM and connects classified & unclassified computers via the right monitor. Regardless, though, I doubt the NSA likes it when AFCYBER does this.)

Memo to AFCYBER/CV: ask the NSA for advice on dual-monitor KVMs for your ops floor. Seriously. You need them.

If that’s still a no-no, then AFCYBER’s lax security would explain why they didn’t bother to switch all of the monitors to NIPRNET during this photo-op. Lax security would also explain why Capt Simmons himself let a photo-op take place in a non-sanitized room.

Okay, now look at the screen fourth from the left in the foreground. A red background peeks out from the very top of the screen, telling us it’s on SIPRNET. It clearly says “DMS-CRL Status” on the screen. Google for it and you’ll find DMS stands for “Defense Message System,” one of the Pentagon’s mission critical command & control systems. “CRL” stands for “Certificate Revocation List.”

This is an amazing thing to see on a classified screen, folks! We must assume AFCYBER’s ops floor wouldn’t monitor revoked DMS certificates unless they had a reason to monitor them. And that reason is almost certainly classified.

Okay, now look at the screen second from the left in the background. We can see a red background peeking out from the top of that screen. It must be on SIPRNET and it’s visiting a website. We can see AFCYBER uses Internet Explorer — and it’s not even IE7! We can deduce the ops floor uses either IE6 or (shudder) IE5.x. That’s very useful information to any nation-state that would do battle against AFCYBER!

If I had to venture a guess, I’d speculate Chinese intelligence officers phished their way into the NIPRNET and usurped a valid DMS certificate. “Ouch.”

The conventional line of thinking says “this is a great way to eavesdrop on DoD’s mission critical command & control systems.”

But the non-conventional thinkers will say “this is a great way to corrupt DoD’s faith in its own command & control systems.”

Mind you, USAF routinely denies my “Freedom of Information Act” (FOIA) requests for “security” reasons when I ask about the scope of network technology used in the Iraq war(s). As bizarre as it sounds, the Air Intelligence Agency won’t even confirm if they use Microsoft operating systems! Yet it’s all right there in a classified publicity photo on USAF’s website.

If you look at the second screen from the left in the foreground, you’ll see it sports a red desktop background. It looks like the word SECRET is centered on a line of its own at the very top of the screen, in a slightly darker red than the rest of the desktop background. In other words, it’s a security banner for the Microsoft Word document in the window near the top of the screen.

Ah, but what version of Microsoft Word? Any nation-state that would do battle against AFCYBER will want to know this so they can exploit the correct vulnerabilities. Here we can also see Microsoft Outlook in a window — and it looks like version 2003 or 2007.

In the left foreground under a KVM, you’ll notice two identical devices with “CLEARCUBE” written on them. Looking around, you see every workstation has two ClearCubes. So I did the obvious thing: I went to ClearCube.com.

Guess what? They offer a multimedia presentation on how the Army & Air Force use ClearCube products. What a bonanza of knowledge!

If you want to launch, say, an “ADVEIS” attack, then you’ll need as much homogeneity as possible to bring down the entire United States Air Force. And a ClearCube appeals to those who crave homogeneity. If AFCYBER’s top security officials confuse “email security” with “email infrastructure security” (as I suspect they do), then this photo confirms an enemy can exploit AFCYBER’s homogeneity.

We can see AFCYBER places SIPRNET & NIPRNET ClearCubes directly on top of each other. That’s another major no-no, isn’t it? I’m pretty sure the NSA demands a foot or two of distance between them.

The big screens in the far background reveal these essential elements of friendly information:

  • Which major commands fall under which regions of AFCYBER’s Integrated Network Operations Security Center (INOSC). Noticeably missing from the list is Air Force Space Command.
  • Lt McGhee is a crew commander.
  • TSgt Webb (what a name!) and TSgt Selke take care of things like:
    • “IWS” (probably communicating with on-duty personnel at Information Warfare Squadrons);
    • “MSL” (probably entering reportable events in a Master Station Log);
    • “NOTAMS” (probably distributing or perhaps even drafting Notices to Airmen);
    • “TCNOs” (probably monitoring compliance with or perhaps even drafting Time Compliance Network Orders; for example, a public web page at the Air Force Communications Agency says “if a computer violates TCNO compliance, the software script kicks in and administratively removes the computer from the network…”).
  • TSgt Robinson, SSgt Stoll, and SrA Wagoner stand watch over the USAF networks in Iraq & Afghanistan.
  • SSgt Schloemer, SrA Miles, and SrA Henry stand watch over the Air National Guard’s many different networks.

Talk about a social engineering bonanza! You could “phish” all day long at AFCYBER with this kind of knowledge.

Thanks to the big screens in the far background, we know that on 12 July 2007 at 12:52pm ET, both Air Combat Command and Air Force Pacific Command were green on NIPRNET & SIPRNET; and that Air Force Space Command was blue on NIPRNET. It also appears Air Education & Training Command was green on NIPRNET at the time, too.

Shall I whip out another “FOIA rejection letter” for you? The Air Intelligence Agency refuses to release any details about the operational status of collective Air Force networks. They classify this information SECRET, yet America’s enemies can openly acquire it from a classified publicity photo on USAF’s website.

The photo shows two ordinary headphones without boom mikes. It’s useful to know the folks on the ops floor listen to music to relieve monotony. In Hollywood movies, it’s always the bored guard who fails to keep an eye on the security cameras…

Memo to Capt Simmons: since you’re so big on antivirus software, you should watch this video and read this column when you get a chance. It’ll open your eyes…

(Heh heh. Do you remember the classic scene in the 1986 movie “Iron Eagle” when our teenage hero pops in his favorite cassette while flying across the ocean in a stolen USAF fighter jet to save his POW father? Nowadays our teenage airmen pop in their favorite rap CDs while they fly & fight in cyberspace!)

Now look at the telephone in the lower center of the photo. It has a yellow card underneath it and we can just barely make out the words “bomb threat.” The phone above it in the background appears to have a similar card underneath it. It’s nice to know AFCYBER takes logic-bomb threats as seriously as it takes physical bomb threats in the heart of Louisiana.

Both men in the foreground left their Air Force ID cards in plain sight. Actually, that’s no big deal — but it’s just one more thing that should not appear in this photo.

This photo is bad on so many different levels that it forces us to ask a philosophical question. “Why should we trust AFCYBER to protect America’s electrons?” These guys can’t even stage a simple photo-op without violating national security!

Here’s some food for thought. The journal for the Armed Forces Communications & Electronics Association also recently published a photo of the Navy’s Network Warfare Command ops floor. The folks on that ops floor took OPSEC seriously before the paparazzi walked in.

“C’mon Rob, you served a tour in the Air Force in the 1980s. Don’t you want your alma mater to protect America’s cyberspace?” Sure — but I won’t let a granfalloon stand in the way of the mission. “Go Navy” if you want competent cyberspace protection.

I’m half-tempted to park my RV near Barksdale AFB for a few days. You know: just for the fun of it. Heaven only knows what I might find if I sniff for wireless networks around the AFCYBER headquarters building…