A Real World Security Story

If you think Security on Computers connected to the Internet is pretty easy, you’d be wrong. If you think that Computer security is EASY in any location, you might be surprised to learn there are indeed situations where computer security is so easy to do, even a Cave Man could do it. But, I digress…

A few years ago, before I retired to cruise my Sailboat around the East Coast and Chesapeake Bay, Cape Fear River and Atlantic Ocean, I did a short (eighteen year) stint as a Systems and Network Security Engineer. I did both software and hardware engineering for the Missile Defense Agency in Colorado Springs, CO at a place known as Schriever AFB, where we housed MDA and several other high profile military agencies and groups. NORAD folks visited us often, as did NATO forces for various things.

My job was to design the internal security systems protecting the MDA against physical intrusion, against internal thieves who might steal classified data or devices, to protect our human assets inside (us) and to ensure that we had an accounting of personnel in and out of the building at any given time.

During my time there, we relied heavily on Lawrence Livermore Labs in California, as the provider of the main systems we utilized in our designs.

Without going into great details of the Security System proper, suffice it to say it was hardened against radiation, EMP, operated inside a secure perimeter of several layers of defense, including the Air Force base fence, military Security forces as the first line of defense, then another set of gates, only accessible by those within the 1 mile by 1 mile compound, through “portals” which consisted of a SEPARATE, UNCONNECTED security system which was controlled by the USAF SF.

Our internal systems were maintained, installed, operated by a very select set of personnel, who had rather high security clearances, my own being one of the highest on the base (along with my other colleagues, of which there were few - three others).

Our system was run on an operating system not dissimilar to Linux, called VMS (a rather OLD operating system to say the least). I used it in another life and job, at the White House in the 1980s.

Here’s the kicker. Our entire Security System was run on an OS that wasn’t owned by Microsoft, but somehow someone, somewhere decided we needed to incorporate “Windows” machines in the system… which we did eventually, though not really helpful, they were clean and you actually could point and click on things, and eventually LLNL designed software to make it “neat” for our security operations center and the guards who ran the consoles watching over alarms in the building. And alarms we had, several THOUSAND points - a point being, say a door, or a Remote Access Panel (all of them were alarmed to prevent tampering).

One day, the US Government in its “infinite wisdom” sent to us a group of “Security Professionals” (routinely forgetting that we too were “security professionals” with very high clearances and pretty much all of, and more than, the other guys’ certifications).

And thus the Security Story begins

A knock on the door; six personnel with cartloads of equipment and computers showed on the camera. I opened the door and said politely,
“May I help you?”

“Yes, Sir, we are with the Government’s Red Team, and we’re here to test your security,” said the older man.

“Why, great. Welcome to (Group name, I won’t mention here) and I would tell you to start there in the hallway. Please let me know when you gain access to our computers,” and closed the door in his face.

Great consternation could be seen on the camera with significant arm waving, and some yelling could be heard (we were not a SCIF* so we could hear them in the hallway). After fifteen minutes my other two co-workers and I walked out past the people who were frantically making phone calls on the hall phones, apparently attempting to drum up some kind of support. We did have work to do, after all, and could not wait around for a bunch of government hackers to figure out how to hack into a system they couldn’t gain access to in the first place.

Our systems were completely separated from our normal systems networks in the building. Security was performed physically, preventing interlopers from accessing computer terminals in random places in the building. We had terminals, the Security Operations Center had terminals and the front desk had terminals. No one else could access them.

When we returned an hour later, the “gentleman” was practically apoplectic, yelling at me about his job and me losing mine, and so forth.

“Sir, when you calm down a bit, I’ll explain. I don’t answer to government employees. I am a contractor. I have a security Clearance, and I have no idea who you are, or think you are, telling me you need access to classified and Sensitive systems. I don’t have any orders from anyone to let you or anyone else in. We are a closed Security System with access in only a few places. You are going to have to come back when you have proper authorization…”

“I will have the Director himself fire you…”

“Be my guest, have a nice day, I have paperwork to finish, and we’re closing up shortly. Have a good afternoon…” And I went inside.

The next morning, I had placed a dumb terminal in the hallway with a cable attached to our system. If you have a login and password you might be able to get to the main server and talk to it, but there was little someone without knowledge of the system could do, or information they could gain, without accessing the main system. Essentially, they needed to be “Root” (as in root on Linux, the highest account level).

When they showed up they started beating on the door. So, I answered and explained if they could gain access to the system from the hallway, I’d be happy to give them a tour. This is when things got heated.

To calm them down, I invited them in and we went into our computer room and seated everyone at a conference table. I wasn’t really “in charge” per se but since I was leading this charge against these people, I led the meeting.

“Here’s your problem. You want access to our servers so you can load software and ‘vulnerabilities’, right?”

“Yes.”

“If you can’t access the servers, or the work stations and load software, then you can’t test the vulnerabilities, right?”

“Right”

“If you can’t access the main systems, you can’t do ANY testing, and therefore can not find vulnerabilities right?”

“Correct…”

“Therefore, if you can’t access the system in ANY WAY, then you can’t break anything, you can’t get into anything, you can’t load a rootkit, you can’t test for software leaks, and you simply can not break the system, right?”

“Right… see we need…”

“You NEED me to ALLOW you access to my computer so you can break our security system. Which I promise you, you will do, IF we allowed you to throw random software on the systems, to do your nasty attacks. Which we’re not going to let you. I will make you a wager, that if we allowed you to do this, your software would lag our system down and BREAK it, taking down the entire security system in minutes…”

“So you say the system IS vulnerable?”

“Sure, if you could get into it. If we LET you access it. If you can’t access it, you can’t break it. There is a REASON it is not on the standard net in these buildings, nor accessible to anyone else.”

“We can’t monitor anything on the system!” he persisted.

“Because… it is… a SECURITY SYSTEM. If you could do that it wouldn’t be secure would it?”

The light dawned on them. They could not access our system and they couldn’t monitor our system. They couldn’t test it, they couldn’t break it, and worse they were upset because we wouldn’t ALLOW them to break it.

“I guess not…”

They left.

On Wednesday, we received orders from the Director of the MDA himself: we were to assist and cooperate with these “government hackers” to the best of our ability.

We did. We gave them access to our systems. True to my bet with them, they broke the system within a few minutes, and the entire security system went down.

I explained to them that ANY HACKER worth their salt, who had physical access to ANY machine could hack into pretty much anything.

They went to lunch while we repaired our systems. We removed their bugs, and viruses from the windows machines and while they were out, I hacked into their three laptops and changed all their account passwords, their user names, and deleted most of their spyware from their machines used to “break into windows machines”.

When they returned, we had our system back online. Their machines were locked out, and only I had the information to get back in. I personally handed it over to an officer from the USAF Security Forces and told him that he could give the envelope to them once they were outside our secure compound, and they needed to be escorted out.

I continued to work for MDA for another 7 or 8 years, and we never again had a “security breach” while I worked there.

The moral is - ANY HACKER with PHYSICAL access to a machine and all the time in the world can break in. The government has some good hackers.

The government isn’t always the smartest cookie in the cookie jar.

If you are truly, absolutely intent on keeping your data secure, ENCRYPT IT, KEEP OFF THE INTERNET, DON’T LET ANYONE PHYSICALLY ACCESS YOUR DATA.

You will be 100% secure in your data and knowledge that your data is secure.

In the real world we need to go “online” so there are many other precautions we can take - those things vary based on the machines, the access to the Internet and what you need to do. And each of those things you will discover as you learn more and more about breaking the ties from Big Tech, getting away from Microsoft, Apple and Google.

For now, your start is to look at Linux, look at your needs, and look at limiting how much data YOU put OUT THERE, and how to prevent THEM from GETTING IN HERE.

Good luck and Fair Winds!!!

@Pirate_Fletcher (American Patriot)

*SCIF – Special Compartmented Information Facility, a very secure, sound proof, electromagnetic proof room in which Top Secret discussions may take place. MDA has dozens of them in their facilities, and they are used by personnel to have classified discussions about “classified things”.

10 Likes

Thanks for that great story!

Most of my life has been spent in the “physical realm”.

It’s been a hard 30 years - I have fought with ‘engineers’ to remember a simple 4 digit code! When I mentioned early on in that career that there was almost a 1 in ten chance that a random entry could work (due to over 1000 users) they laughed at me.

Policy soon followed, and the ‘6 digit’ code was immediately complained about, bringing about ‘access tags’. Ahh, modern equipment…

Just getting folks to turn around to be sure the door was ‘latched’ on leaving!
Oh the stories that could flow!

2 Likes
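The reply above makes a quick estimate: 1000 users each holding a 4 digit code on one keypad leaves roughly a 1 in 10 chance that a single random entry opens the door. The following is an added example, not code from the thread or from either poster, that works that estimate through and extends it to the 6 digit policy the reply mentions. It assumes every user holds one code of fixed length, that the keypad does not lock out after failed attempts (a lockout or per-attempt delay is what really closes this gap), and that guesses are independent; the `distinct` switch separates the case where an administrator hands out unique codes from the case where codes are chosen at random and may collide. All names in the block are the example's own.

```python
"""Chance that a random keypad guess matches some user's code.

Added example for the keypad discussion; not part of the original thread.
Assumptions (not from the page): one fixed-length numeric code per user,
no lockout or rate limiting, independent guesses.
"""
from math import ceil, log


def code_space(digits: int) -> int:
    """Number of possible codes on a numeric keypad of the given length."""
    return 10 ** digits


def distinct_codes_expected(users: int, digits: int) -> float:
    """Expected number of distinct codes in use when each of `users` codes is
    drawn uniformly at random. Colliding codes share one slot in the keyspace,
    so duplicates reduce the attacker's hit rate slightly."""
    space = code_space(digits)
    return space * (1 - (1 - 1 / space) ** users)


def hit_probability(users: int, digits: int, distinct: bool = True) -> float:
    """Probability that one random guess matches at least one valid code.

    distinct=True  : administrator assigned unique codes (upper bound).
    distinct=False : codes chosen at random, collisions allowed.
    """
    space = code_space(digits)
    if distinct:
        return min(users, space) / space
    return distinct_codes_expected(users, digits) / space


def guesses_for_confidence(users: int, digits: int, confidence: float = 0.5) -> int:
    """Smallest number k of independent random guesses such that the attacker
    has at least `confidence` probability of one hit: 1 - (1 - p)^k >= confidence.
    Guesses are modelled with replacement, which slightly overestimates k."""
    p = hit_probability(users, digits)
    if p >= 1.0:
        return 1
    return ceil(log(1 - confidence) / log(1 - p))


def policy_table(users: int, lengths=(4, 5, 6, 8)) -> dict:
    """Compare keypad code lengths for a given population: per-guess hit
    probability and guesses needed for a 50% chance of getting in."""
    return {
        d: {
            "hit_per_guess": hit_probability(users, d),
            "guesses_for_50pct": guesses_for_confidence(users, d, 0.5),
        }
        for d in lengths
    }


if __name__ == "__main__":
    # Constructed scenario matching the reply: just over 1000 users on one keypad.
    for digits, row in policy_table(1000).items():
        print(f"{digits} digits: p(hit)={row['hit_per_guess']:.4f}, "
              f"guesses for 50% = {row['guesses_for_50pct']}")
```

With 1000 unique 4 digit codes the per-guess hit rate is exactly 0.1 and seven random tries already give better than even odds; moving to 6 digits drops the rate to 0.001 and pushes the same odds out to about 693 tries, which is still only worth something if the reader also locks out or slows down after a handful of failures. The `distinct=False` path shows that random assignment does not rescue a short code: collisions shave the rate to about 0.095, not to something safe.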