Greg Cohoon (drmellow) wrote,

Schneier on Security: Contractor Injects Malicious Software into Critical Military Computers

Wow. Not much more to say, Bruce pretty much covered it:

U.S. Government Contractor Injects Malicious Software into Critical Military Computers

This is just a frightening story. Basically, a contractor with a top secret security clearance was able to inject malicious code and sabotage computers used to track Navy submarines.

Yeah, it was annoying to find and fix the problem, but hang on. How is it possible for a single disgruntled idiot to damage a multi-billion-dollar weapons system? Why aren't there any security systems in place to prevent this? I'll bet anything that there was absolutely no control or review over who put what code in where. I'll bet that if this guy had been just a little bit cleverer, he could have done a whole lot more damage without ever getting caught.

One of the ways to deal with the problem of trusted individuals is by making sure they're trustworthy. The clearance process is supposed to handle that. But given the enormous damage that a single person can do here, it makes a lot of sense to add a second security mechanism: limiting the degree to which each individual must be trusted. A decent system of code reviews, or change auditing, would go a long way to reduce the risk of this sort of thing.

I'll also bet you anything that Microsoft has more security around its critical code than the U.S. military does.


Tags: security