IF THERE’S ONE thing you’d hope would be supported by the world’s most sophisticated cybersecurity, it’d be ballistic missiles. Losing your CV and some photos due to malware is one thing. Losing an entire city is something else entirely.
Unfortunately, the USA’s ballistic missile system is irresponsibly insecure, according to a damning new report from the Department of Defence Inspector General. The paper found a total lack of encryption, no antivirus, no multifactor authentication and unpatched vulnerabilities dating back to 1990. We’ll bet there’s at least one instance of ‘password123’ in the system, too.
The report was compiled in April this year, so hopefully the information – in parts heavily redacted – is now out of date. Even if it is, it’s worrying that security went unchecked for quite so long. The department spot-checked five random locations where the Missile Defence Agency (MDA) had placed ballistic missiles designed to intercept nukes heading for the mainland, protecting the United States.
Theoretically, multi-factor authentication is required for new MDA employees, but the investigators found that this rule was being ignored at three of the five sites. The report highlights one user who had been there for seven years accessing Ballistic Missile Defence Systems without the required common access card.
While the systems are password protected, a clever spear phishing campaign could be all that’s required to access the missiles. Yikes.
That’s worrying, but not quite as worrying as the unpatched vulnerabilities the report highlights. IT administrators at three of the five locations – possibly the same ones – had failed to keep computers up to date, with vulnerabilities highlighted dating back to 1990. We’ve all been guilty of pressing ‘update later’, but generally not for 28 years running.
These basic security flaws are bad enough, but get even worse when considering the weaknesses at the sites themselves. Not only were security cameras found to leave huge swathes of bases uncovered, but server racks at two of the locations were unlocked and easily accessible. In one of these, the rack was unlocked right next to a sign saying that the server door must be locked at all times.
The auditors reported that they weren’t challenged when entering the facilities without proper ID, and also noted that sensors often listed doors as closed when they clearly weren’t.
Combine all that with a lack of encryption at three locations, and no intrusion detection system, and it’s a small wonder all the missiles haven’t already been fired. Sleep well, reader. µ
Source: Inquirer