Title : Australian Restricted Defense Networks and FISSO
Author : the Finn
                             ==Phrack Inc.==

               Volume 0x0c, Issue 0x41, Phile #0x09 of 0x0f

|=---------------------------------------------------------------------=|
|=--------=[ Australian Restricted Defense Networks and FISSO ]=-------=|
|=---------------------------------------------------------------------=|
|=-----------------------------[ The Finn ]----------------------------=|
|=-----------------------=[ TheFinn@phrack.org ]=----------------------=|
|=---------------------------------------------------------------------=|


--[ Contents

1. Introduction 
2. Wardialling and You 
3. Origins of FISSO 
4. Australian DoD and FISSO 
5. An Introduction to the EPL and CCRA 
6. The EPL and CCRA in depth 
7. Other standards
8. Secrets
9. Conclusion 
10. Annex


--[ 1. Introduction

This document introduces and explains a new secret network maintained
by the Australian DoD. As far as I know, this network is similar in
its usage to the American DoD's SIPRNET: it is used in conjunction
with specially designed software to improve communication in the
procedures and implementation of command and control systems,
intelligence and logistics.

Please keep in mind that much of it will be based on my own past
experience, observations and guesswork. Due to the volatile nature of the
information I will keep it "barely legal" while trying to introduce some
of the concepts behind the way the various DoDs are now interconnecting
and thus maintaining the same network security philosophy across the
world.

I thought this document was a good idea because finding this information
out required weeks of reading and knowing where to look for these things
on the web. You would also have to read the kind of document that first
specifies how it is going to use verbs, then explains how it is going to
use nouns... etc...

You really don't want to go there ;)


--[ 2. Wardialling and You

After wardialling a lot of numbers I found some really interesting dialups
belonging (obviously) to the DoD which were part of the network belonging
to the Australian Navy.

You don't really see a lot on wardialling anymore as there are so many
ISPs people can connect to for VPN connectivity to anywhere in the world;
however the military still considers modems a good way to communicate
as they can control the access point themselves and log everything.

I personally use THCSCAN on Windows to wardial with, as it works well
for me in Australia as well as other places. (I say it works well in
Australia because over the years many wardiallers have come out with
VERY stringent rules about the numbers to be dialled which only conform
to US area-code and dialling standards - very annoying -_-). I always
have it on my laptops - go nowhere without it ;). THC have had to remove
many of their great tools from their website recently because of the
changes in German law regarding internet security tools, but thanks to
the guys from packetstorm it is still available there.

The other good wardialler I love to use on Linux is iwar. [8]
This is a really nice wardialler; it lets you use as many modems as you
can fit in the box. It can also log all the data to a MySQL database -
which I am a fan of. They are working on SIP/IAX2 functionality which
will allow dialout through a SIP gateway and wardialling of the PSTN on
the other side using a software modem - it works, but with some small
difficulties at the moment. It's still a work in progress. Pretty
sophisticated stuff, really nice.

It is possibly useful to note here that even a commercial provider like
Free World Dialup will allow you to dial US, UK and NL toll-free numbers
over SIP for free. There are others which will also give you local calls
for free (in countries where they are free); with a little research you
can find them.

Anyhow, unfortunately in Australia it costs you $0.22 per local call. So
this kind of info is expensive to get - even if you're dialling on a Sunday
morning at 2am (which is what I did) - unless you like sitting outside
people's homes beiging - I'm getting too old and fat for that anyhow ;)

But for you young skinny folk - wardialling still works well, people should
be doing it - especially in countries where local calls are free!!

When I first saw these pop up, I was pretty happy. I'd not been at the
front door of anything like this in a while, and I knew it would keep
me interested for a bit. You have to keep in mind, the Department of
Defence is stupid and worthy of your respect - both. They are like
most other large animals: they are slow to move, but if they hit you,
you'll get squished like a bug (I have been there before).

However it's amazing how much of an understanding you can get about such
a large target by doing a little research.

I first found these dialups back in 2004. I noted them all down, and
kept a copy very safe. A couple of years later I rechecked them to make
sure they were still valid - no other reason.

I did notice a slight change - in the banner.

Here's the original banner back in 2004:

**************************************************************************
* CONNECT 57600                                                          *
*                                                                        *
* The unauthorised access, use or modification of this computer system   *
* or the data contained therein or in transit to/from, is prohibited     *
* by Part VIA of the Commonwealth Crimes Act and other Federal and State *
* laws.                                                                  *
* This system is subject to regular audit.                               *
* ----------------------------------------------------------             *
* For access problems please log a job through the DRN Customer Support  *
* Centre. Either phone 133272 or e-mail to                               *
* 'outage.notifications@defence.gov.au'.                                 *
*                                                                        *
* ****************                                                       *
*                                                                        *
*                                                                        *
* User Access Verification                                               *
*                                                                        *
* Username:                                                              *
* NO CARRIER                                                             *
**************************************************************************

Here's the banner in 2006:

**************************************************************************
* CONNECT 36000 CCCC                                                     *
*   The unauthorised access, use or modification of this computer system *
*        or the data contained therein or in transit to/from,            *
*      is prohibited by Part VIA of the Commonwealth Crimes Act          *
*              and other Federal and State laws.                         *
*                                                                        *
*            This system is subject to regular audit.                    *
*----------------------------------------------------------------------- *
* For access problems please log a job through the FISSO Support Centre. *
* Either phone 02 9359 6000 or e-mail to 'fleet.help@defence.gov.au'.    *
*                                                                        *
* *****************                                                      *
*                                                                        *
*                                                                        *
* User Access Verification                                               *
*                                                                        *
* Username:                                                              *
* NO CARRIER                                                             *
**************************************************************************

(The part I starred out was the actual dialup location and line number 
which are a code for maintenance purposes for the terminal server I guess.)

As you can imagine I was kinda interested in why it changed from a DRN
(Defense Restricted Network) to FISSO and what FISSO was.

I checked around the web, and then started reading all the pdf's that
the military in Australia declassify and make available to the public.


--[ 3. Origins of FISSO

Currently the RAN (Royal Australian Navy) has expanded the DRN (Defence
Restricted Network) to allow for more robust communications protocols
(still an IP Network) and Services. Thus FISSO (Fleet Information Systems
Support Organisation) is born out of the old Navy driven DRN Support Group.

At some point between the two banners above, the DRN was expanded to
include the other armed service branches, Army and Air Force.

They are now implementing the networking technology overseas with
collaboration efforts in the UK and USA. This will allow far better
communications between the various armed services of the west and thus
provide better cohesion. This is where the CCRA comes in.

It is also interesting to mention here one project which has been in the
press for years - ECHELON. The UKUSA Agreement, dating from just after WW2,
has allowed vast amounts of intelligence to be shared among the member
nations as well as projects like ECHELON to be enacted. These new criteria
for security measures internationally are a new brick in the wall for
these intelligence communities.

Keep in mind - when you see this kind of press for things like ECHELON, 
that is one thing, but most of the intelligence agencies will not share 
high level intel with ANYONE, not even allies. What they will usually 
share are things that used to come under the term "domestic terrorism" - 
which after 9/11 is a relative term with the Homeland Security Department 
being formed.

Unfortunately or fortunately - depending how you look at it, as a result,
the list itself shows clearly which evaluated products are in use on
such networks - which is at least of interest to us.

One of the fundamental problems with making rules is the existence of
anomalous circumstances - exceptions - which most of us are aware of ;)

Creating criteria and then an implementation procedure for security
devices takes a long time. It is also expensive for the company doing
the implementation, as they must pay for the DSD staff's time to do
criteria evaluations for their specific implementation of their product.

These rules are followed stringently at the time of a particular
installation.

The amount of bureaucracy found in the DSD is mind-blowing. Thus their
ability to move quickly on any given specific flaw in security is AT TIMES
small. They do however keep internal security mailing lists and patches,
and often have direct contact not just with vendors of products but also
with the original architects. Most of this won't relate to CCRA listed
products however - more on all of this in the next section.

You will even in places find tricks implemented in a DSD controlled network
that you will find nowhere else in the world - you have been warned.


--[ 4. Australian DoD and FISSO

FISSO themselves are a rehash of the old DRN Support Group who
maintained the old Defense Restricted Networks for the DoD. FISSO is
the new project the Navy is (still) running for the DoD. Keep in mind,
the Navy has historically been in charge of many signals projects before
other branches of the armed services have been invited to join or use
them - the same I believe is true of the US Navy. (Must be all that Morse
code.)

The FISSO Network is a support network for DoD personnel to communicate
with each other around the world over low-level communications media,
which is to say laptops or other small computer systems with modems, in
order to help officers and other officials communicate across the globe
in a secure manner for departmental purposes.

The FISSO Network Support Group has had several contract workers in the
DoD to create a network with many quite amazing and intricate network
systems. The officers are able to communicate with voice over ip, digital
video, whiteboards, conference rooms, text chat and other ways [6].
They can exchange files and communicate over the parts of the network
that have been secured by the DSD and the old DRN Group.

Aspect Computing currently hold the contract with the DoD for the FISSO
Core Contract and FISSO In-House Contract Payment. Given the amounts in
the reports I've read, I'd suggest they're probably just contracting
either software or hardware or both to the Navy (my best guess), who would
likely only trust DoD or DSD staff to maintain the support centre itself.
(It might contract out some positions to suitably DoD security cleared
contractors - likely top-secret or better would be required.)

At present Aspect Computing is being paid approximately $2 million
a year for support to FISSO. This would probably be a 3rd tier
support network, to be used after both the FISSO Support and KAZ could
not fix a particular issue.

KAZ Technology Services (acquired by Telstra in 2004) is also a contractor
who provides Command and Support Systems for Officers and Logistical
Support Systems Integration. That is to say, these guys provide all
the really nice and interesting comms software that the officers and
support/logistical personnel use for decision making and chain of command
order verification. (Think of them as the Australian version of SAIC.)
They won a 5 year $200 million contract back in 2005 to provide desktop
computing to the RAN (Royal Australian Navy). KAZ had maintained a
relationship with the DoD since its inception in 1988 and is being offered
2 year contract extensions up until 2015.

KAZ staff go through rigorous security checks in order to be cleared
to work on the FISSO network, and they have in the past been helicoptered
out to sea in order to complete work in required timeframes.

From a KAZ document regarding their FISSO solution:
"Behind these capabilities, KAZ high security architecture integrates
Lotus Notes R5, Domino, SameTime (including server to server federated
architecture), LAN/WANs, MS Windows NT Servers, MS Windows Terminal
Servers, Citrix Metaframe XPe 1.0, Ultra Thin Clients, HP-UX and
Hummingbird Exceed.

The architecture also draws on TCP/IP, ISDN and modems to connect
the Fleet to services across Defence intranets, with the addition
of cryptographic black boxes outside each of the on-board servers to
maintain military level security.

KAZ also integrated SameTime technology to extend the Navy's collaborative
capabilities to a Coalition Wide Area Network (COWAN), involving
naval systems belonging to Allies such as the United States and United
Kingdom." [6]

You'll notice KAZ's mention of a Coalition Wide Area Network, an acronym
for which I can find no other reference. It might be either a marketing
insertion or something that alludes to more restricted documentation.
Either way you have to assume KAZ knows more about it than us, and I find
it interesting that such a beast is mentioned here.

IBM also provide hardware and software to do with logistical support
for the various arms of the DoD. [4]

Sun Microsystems are providing hardware and software for security-based
firewalls and other security devices (RFID and biometric authentication
device drivers and such). [4]

Lotus Notes and Domino are still widely in use to this day - which at
first I wasn't sure of, but I was in discussion with a friend and he
pointed out the KAZ website. I'd suggest the Navy would be loath to
update their systems as often as normal corporates would.

<axe> Lotus-Domino 5.0.9
<axe> i'm surprised that still exists
<thefinn> those docs are old
<thefinn> probably doesn't exist now
<thefinn> but might still
<thefinn> u never know, their beaurecracy is amazing sometimes
<thefinn> i actually worked with a prime 9950 at one company
<thefinn> didn't even run the newer version of cobol
<thefinn> ...
<thefinn> took up half a room
<thefinn> was sitting next to all the AT&T servers
<thefinn> funny stuff
<axe> http://www.kaz-group.com/subscribe
<axe> yeah, just to keep some legacy code running
<thefinn> yeah
<axe> <!-- Lotus-Domino (Release 5.0.9a - January 7, 2002 on Windows 
           NT/Intel) -->
<thefinn> wow
<thefinn> there ya go
<thefinn> dude im gonna add that in the article
<axe> how may i own thee, let us count the ways..
<thefinn> haha


--[ 5. An Introduction to the EPL and CCRA

Let's introduce the criteria themselves. At the moment the DSD have two
different sets of criteria, the ITSEC system and the CCRA, for evaluating
products for secure use on military and government networks.

The DSD (Defence Signals Directorate) is the main body behind secure
communications for the Australian Government; ostensibly they take the
same role as the NSA does in the US. The EPL (Evaluated Products List)
is the list the DSD creates and maintains denoting all products put
forward by vendors for assessment by the DSD for use in high level,
high security government networks and systems. There are a number of
criteria in the DSD against which products are assessed.

The CCRA (Common Criteria Recognition Arrangement) is an agreement by
NATO nations in the west to rate equipment by a shared standard as well
as share past evaluated products at a common rating so that they might
interconnect their military and government networks to better control
your sorry ass. ;)

To allow those poor corporates who have spent lots and lots of dollars
on getting their products evaluated time to re-evaluate them under
the new international system, the CCRA (as a body) are going to allow
member countries who have used the ITSEC (Information Technology Security
Criteria) system (including the USA, UK and Australia) to use ITSEC rated
products as CCRA rated products for the time being.

This basically means the EPLs for all these countries are now turning
into the CCRA. They are amalgamating 50 years of "defense" protocols
and political maneuvering to be able to dominate more freely. After
all it wouldn't be nice to have UK troops in some little out of the way
village while the US Navy are ordering cruise missiles to destroy it from
1000 kilometers away - the speedy communications methods and stringent
protocols (military protocols) enabled by a communications network like
this would allow for these kinds of scenarios to be less of a concern
and have a million other benefits.

Along with the E1-E6 (ITSEC) and EAL1-EAL7 (CCRA), there is a network 
designation relating to the secrecy and security needs for the network,
as follows: UNCLASSIFIED, IN-CONFIDENCE, RESTRICTED, PROTECTED, National
Security/HIGHLY PROTECTED.

The document specifies the required security device for interconnecting
the different networks, which I will include here:

*************************************************************************
* SRC NETWORK    * AND DST NETWORK IS     *  THEN YOUR GATEWAY REQUIRES *
*************************************************************************
* UNCLASSIFIED   * - public domain.       *  a traffic flow filter.     *
*                * - UNCLASSIFIED.        *                             *
*                * - IN-CONFIDENCE.       *                             *
*                * - PROTECTED.           *                             *
*                * - HIGHLY PROTECTED or  *                             *
*                *   National Security.   *                             *
*************************************************************************
* IN-CONFIDENCE  * - public domain.       *  an EAL2 Firewall.          *
*                * - UNCLASSIFIED.        *                             *
*************************************************************************
*                * - IN-CONFIDENCE.       *  a traffic flow filter.     *
*                * - PROTECTED.           *                             *
*                * - HIGHLY PROTECTED or  *                             *
*                *   National Security.   *                             *
*************************************************************************
* RESTRICTED     * - public domain.       *  an EAL2 Firewall.          *
*                * - UNCLASSIFIED.        *                             *
*                * - IN-CONFIDENCE.       *                             *
*************************************************************************
*                * - PROTECTED.           *  a traffic flow filter.     *
*                * - HIGHLY PROTECTED.    *                             *
*                *   National Security.   *                             *
*************************************************************************
* PROTECTED      * - public domain.       *  an EAL4 Firewall.          *
*                * - UNCLASSIFIED.        *                             *
*************************************************************************
*                * - IN-CONFIDENCE.       *  an EAL3 Firewall.          *
*                * - RESTRICTED.          *                             *
*************************************************************************
*                * - PROTECTED.           *  an EAL2 Firewall.          *
*************************************************************************
*                * - HIGHLY PROTECTED or  *  an EAL1 Firewall.          *
*                *   National Security.   *                             *
*************************************************************************

Can you see the interesting parts with regard to our dialups?

Two things I notice right away. If anything HIGHLY PROTECTED or National
Security rated is connected to the network we have dialups for, there's
only a packet filter in between me and it - if the old DRN network rating
(a RESTRICTED network) hasn't changed.

Also, behind that terminal server, I can probably expect to find myself
facing a nice EAL2 rated firewall. As I would assume the PSTN Network is
considered "Public Domain". It may even require some kind of secure-ID
type authentication - a one time pad or smartcard.

This would be a theoretical login session given the types of equipment
listed on the EPL and what they are used for.

The network topology could easily include remote identification servers.
The terminal server itself can initiate PPP with a client and pass you
through to the Cisco VPN 3000 Concentrator (EAL2); you authenticate there
via key and it directs you to where you're trying to go. When you get
there you have a Sun Firewall-1 (EAL4+) asking for your SecurID one time
PAD or similar product. Once you do that, you can check your email,
download your porn, whatever.

Also the other interesting thing to note - EAL1 rated firewalls are only
going to be found on PROTECTED, HIGHLY PROTECTED or National Security
networks and only where they interconnect with others of the same security
rating. If you find one of those firewalls - you know the importance
of the networks you're on.
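
One way to turn the interconnection table above into something an auditor
can actually check, as an added example that is not part of the original
article: the rows are transcribed as a rule set, gateway assurance levels
are ranked so a higher EAL satisfies a lower requirement, and a constructed
list of interconnects (my own sample, not a real topology) is checked for
links whose gateway falls short of what the table demands. Pairs the table
does not list (for example RESTRICTED to RESTRICTED) are reported as
having no rule rather than silently passing.

```python
"""Audit gateway assurance against the DSD interconnection table."""
from dataclasses import dataclass
from typing import Optional

# Network classifications as the table names them. "HIGHLY PROTECTED" and
# "National Security" share one row, so both use the same label here.
PUBLIC = "public domain"
UNCLASSIFIED = "UNCLASSIFIED"
IN_CONFIDENCE = "IN-CONFIDENCE"
RESTRICTED = "RESTRICTED"
PROTECTED = "PROTECTED"
HIGHLY_PROTECTED = "HIGHLY PROTECTED"  # also covers National Security

FILTER = "traffic flow filter"
EAL1, EAL2, EAL3, EAL4 = "EAL1", "EAL2", "EAL3", "EAL4"

# Required gateway per (source network, destination network), transcribed
# row by row from the table. Pairs the table omits have no entry.
RULES = {
    UNCLASSIFIED: {PUBLIC: FILTER, UNCLASSIFIED: FILTER, IN_CONFIDENCE: FILTER,
                   PROTECTED: FILTER, HIGHLY_PROTECTED: FILTER},
    IN_CONFIDENCE: {PUBLIC: EAL2, UNCLASSIFIED: EAL2, IN_CONFIDENCE: FILTER,
                    PROTECTED: FILTER, HIGHLY_PROTECTED: FILTER},
    RESTRICTED: {PUBLIC: EAL2, UNCLASSIFIED: EAL2, IN_CONFIDENCE: EAL2,
                 PROTECTED: FILTER, HIGHLY_PROTECTED: FILTER},
    PROTECTED: {PUBLIC: EAL4, UNCLASSIFIED: EAL4, IN_CONFIDENCE: EAL3,
                RESTRICTED: EAL3, PROTECTED: EAL2, HIGHLY_PROTECTED: EAL1},
}

# Assurance ranking: a firewall evaluated at a higher EAL satisfies any
# lower requirement; a plain packet filter satisfies only the filter rows.
# "EAL4+" is the Australian EPL designation for products rated above 4.
RANK = {FILTER: 0, EAL1: 1, EAL2: 2, EAL3: 3, EAL4: 4, "EAL4+": 5}


@dataclass
class Link:
    src: str       # classification of the network the traffic leaves
    dst: str       # classification of the network it enters
    gateway: str   # assurance of the deployed gateway, a RANK key


def required_gateway(src: str, dst: str) -> Optional[str]:
    """Minimum gateway the table lists for this pair, or None if unlisted."""
    return RULES.get(src, {}).get(dst)


def satisfies(deployed: str, required: str) -> bool:
    """True if the deployed gateway meets or exceeds the required level."""
    if deployed not in RANK:
        raise ValueError(f"unknown gateway assurance: {deployed!r}")
    return RANK[deployed] >= RANK[required]


def audit(links):
    """Return (link, status, required) per link; status is ok/short/no-rule."""
    findings = []
    for link in links:
        req = required_gateway(link.src, link.dst)
        if req is None:
            findings.append((link, "no-rule", None))
        elif satisfies(link.gateway, req):
            findings.append((link, "ok", req))
        else:
            findings.append((link, "short", req))
    return findings


def shortfalls(links):
    """Only the links whose gateway is weaker than the table requires."""
    return [(lk.src, lk.dst, lk.gateway, req)
            for lk, status, req in audit(links) if status == "short"]


# Constructed sample topology for the demonstration (not a real deployment).
SAMPLE = [
    Link(RESTRICTED, PUBLIC, EAL2),          # dial-in edge: meets the table
    Link(PROTECTED, PUBLIC, EAL2),           # too weak: table demands EAL4
    Link(PROTECTED, UNCLASSIFIED, "EAL4+"),  # exceeds the requirement
    Link(UNCLASSIFIED, HIGHLY_PROTECTED, FILTER),
    Link(RESTRICTED, RESTRICTED, EAL2),      # pair the table does not list
]

if __name__ == "__main__":
    for link, status, req in audit(SAMPLE):
        print(f"{link.src:>16} -> {link.dst:<16} {link.gateway:<19} "
              f"{status} (table requires: {req or 'no listed rule'})")
```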

Now down to the exact security designations for the products:

EAL1 - Functionally Tested. Provides analysis of the security functions,
using a functional and interface specification of the TOE (target of
evaluation), to understand the security behaviour. The analysis is
supported by independent testing of the security functions.

EAL2 - Structurally Tested. Analysis of the security functions using a
functional and interface specification and the high level design of the
subsystems of the TOE. Independent testing of the security functions,
evidence of developer "black box" testing, and evidence of a development
search for obvious vulnerabilities.

EAL3 - Methodically Tested and Checked. The analysis is supported
by "grey box" testing, selective independent confirmation of the
developer test results, and evidence of a developer search for obvious
vulnerabilities. Development environment controls and TOE configuration
management are also required.

EAL4 - Methodically Designed, Tested and Reviewed. Analysis is supported
by the low-level design of the modules of the TOE, and a subset of the
implementation. Testing is supported by an independent search for obvious
vulnerabilities. Development controls are supported by a life-cycle model,
identification of tools, and automated configuration management.

EAL5 - Semiformally Designed and Tested. Analysis includes all of
the implementation. Assurance is supplemented by a formal model and a
semiformal presentation of the functional specification and high level
design, and a semiformal demonstration of correspondence. The search
for vulnerabilities must ensure relative resistance to penetration
attack. Covert channel analysis and modular design are also required.

EAL6 - Semiformally Verified Design and Tested. Analysis is supported by
a modular and layered approach to design, and a structured presentation
of the implementation. The independent search for vulnerabilities must
ensure high resistance to penetration attack. The search for covert
channels must be systematic.  Development environment and configuration
management controls are further strengthened.

EAL7 - Formally Verified Design and Tested. The formal model is
supplemented by a formal presentation of the functional specification
and high level design showing correspondence. Evidence of developer
"white box" testing and complete independent confirmation of developer
test results are required. Complexity of the design must be minimised.

Note: Only assurance levels 1-4 are incorporated in the CCRA currently,
and ratings of products which fit criteria above level 4 in Australia,
are designated 4+ on the EPL.

Here I'll give a few examples of ratings from random categories.
(The EPL is split up into various network devices and then the larger
part of network security products.)

Biometric Products
EAL2  - Iridian Technologies KnoWho Authentication Server and Private ID

Miscellaneous Devices
E1    - NEC S2 (Mobile Satellite Terminal)
EAL1  - Cisco VoIP Telephony Solution

Network Security Devices
EAL1  - Secure Session VPN v4.1.1
EAL2  - SurfControl Email filter for SMTP
EAL4  - Clearswift Bastion II Firewall
EAL4+ - Cisco Secure PIX Firewall V7.0(6)

Operating Systems
E3    - AIX V4.3
EAL4+ - Sun Trusted Solaris 8/04
EAL4+ - Windows 2000 Professional, Server and Advanced Server 
        with SP3 and Q326886 Hotfix *cough*bullshit*cough*


There are also smartcard products, PC security products, encryption
products, and many other categories. More in-depth information can be
found on the website itself regarding each product.


--[ 6. The EPL and CCRA in depth

During 1998 The United Kingdom, France, Germany, The United States and
Canada put in place the CCRA. Australia joined in 1999. It should be noted
here also that under the member countries list (with contact details)
under the DSD website, Japan, South Korea, Netherlands and Norway have
also joined the CCRA recently.

This Criteria is for use between the countries in any kinds of shared
network arrangements - this process is called "Mutual Recognition". The
philosophy behind this is that overseas products rated by the DSD, NSA
and various other organisations can be used in other member countries
without being re-evaluated as the criteria is the same. Although it may
be noted that (at least in Australia) the DSD does provide exceptions for
any kind of cryptographic equipment which it may need to give particular
evaluation to.

(I wonder if this is a security concern or more to do with compatibility).

Also available is the ACSI33 Network Security Manual - Public Domain
Copy [1] - this is much like the old DoD Orange Book in the US.
This manual defines many of the Australian DoD network security standards
and criteria prerequisites for many of the applicants for DSD/DoD approval
for the Evaluated Products List (EPL).

If you check the EPL itself, you'll find criteria certification reports
and security target papers, defining how the product was certified,
possible weaknesses in the product, how the product should be used in
the DoD and all the contact details any given DoD department should need
to buy such a product or get information on it.

You have the shopping list for exploits, contact information for social
engineering, a detailed outline of what to worry about once you'd attacked
a DoD network point and how to hide yourself from IDS - you have the list
of what IDS are used, and can download the IDS signature recognition
files and run those through something like IDA Pro disassembler. Then
modify your code/payload to no longer alert the IDS software, use of
polymorphic payload would be a good technique to use for this once you
know the triggering pattern.

Since the old days of hacking into .mil's on the old milnet (the cold-war
IP network of the USA, which was used both for research and development)
in the early 90's, lots of things have happened. Lots of busts and a lot of
talk of securing the governments of the western world. And they are not
the only ones. Since the early 90's we've seen a huge amount of discussion
on changes to computer related laws worldwide in relation to this particular
agenda in places like Russia, China and North Korea.

There is more than enough information in these documents to set up
an elaborate network attack, when the various military organisations
will be more reliant than ever on these networks for command and
control, logistics and communications.

More interesting is the fact that the UK EPL and the US EPL also
list the same products with the same rating - even though some of them have
been independently assessed (haha), further pushing the point that these
networks are now at least slightly interoperable, or at least becoming so
over time.

The scary part is that it's connected to the largest military
body in the world: the US DoD, who have run SIPRNET for many years, since
they rebuilt the early milnet after the cold war. For the network there
to be able to at least speak to the Australian network, restricted by the
guidelines of Mutual Recognition as set down by the new standards in the
CCRA, it must of course adhere to the same standards, and this can be
recognised by the EAL designation on the Australian and UK EPLs.

Theory: the latest exploits - or even old ones - could still work to this
day against many of these systems because of the way the EPL is
implemented. Companies must pay to get onto the EPL; it can cost upward of
$1,000,000 AUD to get a product certified to a useful level. From the
vendor's point of view, the more they pay the better their market share,
because the higher the EPL rating they aim for - more time in evaluation,
and more cost to be evaluated - the fewer competitors are willing to pay
for the same evaluation.

This directly impacts sales, because the more secure a network is rated
internally by the DSD, the less choice any given department has in the
products to secure it. Pretty much, the DSD/NSA etc. will give you a
licence to print money - as long as you pay THEM first.

Here's one recent example of the whole deal going wrong which has come out
in the press as I wrote this article [7]. I find it interesting that even 
the most educated security consultants aren't really that aware of the way
the intelligence community is functioning when it comes to the CCRA/EPL
equipment. Their mention of "Pentest expresses doubts about whether the
certification of the firewall according to Common Criteria EAL4+ is 
merited on the basis of the flaws it unearthed." amuses me. Fact is, once
a particular IMPLEMENTATION of a product is evaluated, it doesn't change.
It won't be "regularly patched" or even "regularly evaluated"; any change
whatsoever to the evaluated implementation makes it non-standard and no
longer covered by the criteria it was originally evaluated against - that
is the point of evaluation, as far as the DSD/NSA are concerned. (The CCRA
does have an assurance continuity process for re-assessing minor changes,
but the certificate still applies only to the exact version and
configuration that was evaluated; a patched build is not the certified
build until it has been through that process.)

You are almost back at the old NASA adage from when the space race was on,
when they would joke that the Russians had their best minds and parts going
into their project while the US spacecraft was 10,000 moving parts, all
built by the lowest bidder and run by a group of people chosen for their
ability to kiss ass.

This is the basic problem with bureaucracy in the western military.
Bureaucrats are always trying to justify their existence; they do so by
telling everyone what they are doing, and the companies involved want to
say "hey, look what we did for the DoD".

On with our look at the pretty secure network: without actually breaking
in, we can't know whether you can get into the American network from the
Australian side, or any other side; however, the previous designations
regarding PROTECTED networks connecting to National Security Networks
suggest that we might be able to fairly easily. I suggest that no matter
what the CCRA tells countries to do, their own internal DSD, NSA and DoD
computer departments will require some heavy security between coalition
members. But this is only an assumption on my part; I wouldn't put it
past the various department heads to cut costs here - it happens.

I find it amusing that in none of the above departments or EPL's does
NSA SELinux get a mention ;) (Probably just someone's pet project).

One assumption you'd have to make is that the network won't be fast outside
the country you're in. Ground-based satellite transponders are bound to be
slow, ship-based ones even slower. Network coverage of combat areas is
going to be pretty nasty for data - especially if you are on a dial-up
line. But they are there. Recent satellite scans show a large number of S-
and X-band non-commercial satellite beacons (which indicate working
transponders in space) and data/analog signals which are encrypted, as no
in-band scans return any valid output at all (you can see the bandwidth is
being used, however).

I don't have a lot of information about the SIPR network, not being in the
U.S. (hopefully it will not be long before someone writes another article
on it).

But from the DISA website:

SIPRNet: The Secret IP Router Network (SIPRNet) is DoD's largest
interoperable command and control data network, supporting the Global
Command and Control System (GCCS), the Defense Message System (DMS),
collaborative planning and numerous other classified warfighter
applications. (Note: I suggest warfighter applications means training
programs).

Direct connection data rates range from 56 kbps to 155Mbps. Remote
dial-up services are available up to 19.2kbps.

The data rates there are interesting: they imply dial-up as well as ATM
links (155 Mbps is an OC-3 rate). Faster links are possibly available now,
as that page hasn't been updated since the mid-90's.


--[ 7. Other Standards

The only other standards I've found worthy of note for this particular
paper are the encryption standards, which the acsi33 document [1] also
covers fully: 3DES and AES for symmetric encryption, RSA, DH and ECDH for
asymmetric key exchange, and RSA, DSA and ECDSA for digital signatures.
Encryption is not my strong point, however it should be noted that the CCRA
members defer to NIST with regard to most of their encryption standards.

Fact is, I am quoting almost directly from the acsi33 document here; the
only encrypted VPNs I ever set up for the companies I worked for were
Cisco IOS 3DES ones.


--[ 8. Secrets

At the end of the cold war, there were probably a few hundred thousand
computers hooked up to the internet. Almost every country on earth had
SOMETHING hooked up. The R&D departments of universities in Australia were
where I got my internet access from and developed contacts in the hacker
scene of the time. At that time China and the USSR were both large threats
to western dominance, however I find it interesting to note that all of the
member countries of both of these power blocs were internet connected at
the time the cold war was in full force.

The US DoD or DARPA has still never actually disclosed any given project to
do with engineering or humanities that the internet actually facilitates 
apart from communication.

One has to wonder about the significance of the storm worm and other such
virii, and their ability to act as an autonomous strike - not against the
military, but as a regional strike against economic infrastructure.

The standing assumption about any biological, nuclear or widespread
terrorist attack is that economic infrastructure would dissolve before
military infrastructure.

After having written this article, I'm not entirely sure that is a valid 
assumption...



--[ 9. Conclusion

Much as I would like to write more about the networks of other nations
(Japan and France would be nice to find out about), I don't really have
the time to wardial or research so many networks in so many countries.
That will have to come at a later date from other writers. But keep in
mind: the USA spends the most in the world on industrial-military and
mainstream military projects, so purely on the odds of breaking in and not
being discovered they are probably your least favourable target. As the
network now seems to be interconnected with other NATO nations, one of the
nations spending less on it might give better outcomes.

The standards are the same across the board anyhow, most of this 
information will still be good as long as you are in, or looking at a 
network in one of these member nations.

I think many people in the various military departments across the world
who are member organisations for this particular network should be quite
embarrassed by this information being so easy to get. Security through
obscurity is another oldschool technique which seems to have gone the way
of the steam train - even among those who should be most concerned with
obscuring and securing their data.

Any hacker who has been around for any decent length of time can tell you
there is a way around any system - if you added the extra advantage of
having many men who are ready and willing to come to your country and
"kick the door down" to procure some of this information, the people
responsible for this should be concerned. If we can glean all of this
from the "public domain" security level, imagine just having some access
to documentation from the IN-CONFIDENCE network computer.

In my own experience working for the Australian DSD through contractors,
I found many times that their network data security was very dependent
upon one or two applications bought from outside organisations - poorly
implemented, with only very rudimentary security precautions taken. Even
the fact that I worked there - with a previous criminal record for gaining
access to commonwealth systems, inserting data in commonwealth systems,
and defrauding the credit card system - was a security breach.

One of the first computers I ever broke into was done via a COBOL packet
snarfer. I re-wrote all of the screens for all of the computers the terminal
servers would connect to. Then, from an account I had looked over someone's
shoulder to get, I ran the snarfer and it would look as if I had logged
out. I hadn't; in fact the program was running and looked like the login
screen. When you typed in your username/password pair, it gave the usual
"Password Authorisation Failure" or other error message (depending on where
you were logging in) and logged it to a file in another account - one whose
directory permissions had been opened so other accounts could write to it.
The program then logged itself out, giving the user the normal login
screen. Completely unseen by them; they merely thought they had typed the
wrong password.

8 years later I was working for this particular contractor to the DSD, and
found myself sitting in Air Force bases, Navy Logistics Centres, as well
as many high-end government and corporate computer security departments.
Physical security was not an issue - even though, if proper background
checks had been done on me, I would not have been allowed to be there.

In the past few months I've seen various talk in the press about botnets,
attack vectors from unknown sources and the dreaded "black hat" hackers.
The latest laugh I had was the stats from Google saying that more Unix
boxes had been compromised than Windows boxes, and the reporter couldn't
understand why Unix was considered more secure than Windows. They didn't,
and don't to this day, understand WHY *nix and open source are more secure
- I am not going to educate people here.

Creating an air of "hype" or complacency in any security environment is
completely unconstructive; use of "known factors" through friends and
other associates is likewise unconstructive.

The reasons for this are simple and are defined indeed by one of the latest
press releases from the whitehouse.






"On the last day, we won't be lost because of a lack of strength or a lack 
of equipment. We'll be lost because of a lack of trust."


--[ 10. Annex

Acronyms: 
---------

[i]    RAN - Royal Australian Navy 
[ii]   FISSO - Fleet Information System Support Organisation.  
[iii]  DSD - Defence Signals Directorate.  
[iv]   DoD - Department of Defence.  
[v]    DRN - Defence Restricted Network.  
[vi]   NSA - National Security Agency (USA).  
[vii]  SIPRN / SIPRNet - Secret IP Router Network (US DoD).

Resources: 
-----------

[1] http://www.dsd.gov.au/library/infosec/acsi33.html 
[2] http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=151
[3] http://www.defence.gov.au/dmo/id/cic_contracts/Values2001-2002.pdf
[4] http://www.yaffa.com.au/defence/pdf/05/top40-20-2004.pdf
[5] http://www.disa.mil/main/prodsol/data.html 
[6] http://www.kaz-group.com/files/casestudies/cs_ran.pdf
[7] http://www.theregister.co.uk/2007/10/03/check_point_pentest/
[8] http://www.softwink.com/iwar/
[9] http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=thefinn&type=archives&%5Bsearch%5D.x=0&%5Bsearch%5D.y=0

© Copyleft 1985-2021, Phrack Magazine.