That Cyber Thread


17D_guy

So, Rudy Giuliani is going to be Cyber Advisor to our new Czar President.  

Oh look, he runs a security consulting company.

There's no way they'd leave a test page open to show config worked.

Or tons of open ports that are easy to enumerate, crack and/or run Russian in.

:banghead:

Edited by 17D_guy

Maybe I've been silent too long, and maybe I'm TDY under the influence, but why do people keep saying "Russians" like that means State Actor? Am I the only one who listens to Bruce Schneier? Heck, you can "hippie out" and watch the new Cyberwar show on the Viceland app and get a better idea. Russia allows hackers of all kinds to do cyber work with impunity as long as targets don't coincide with Russia State bodies. This isn't new. In fact you can hire one for as little as $5 on Fiverr.com.

This is known in the Network Security realm as the Westphalian Fallacy. Just because someone operates from a location doesn't make them State Actors of the location they live in. In fact, of all the factors of Air Force attack vectors...attribution is our biggest hold-up, and in this case there is no clear way to assign blame. This is classic "Meet the Parents" logic...no, the Russians did not attack the DNC...an [indefinite article] Russian did...for profit. Even if it was THE Russians...we have about as much evidence as a fart in the elevator with 20 people in it. That report is complete subjectiveness. There was not a single first-hand report of Putin or Russia doing anything, except being. Trust me...I'm not a Russian sympathizer, but we've got to do something more than point fingers to appear right...and no, Wikileaks isn't the answer. That's like pointing at the wind after you fart thinking it's a viable excuse to those around you.

Even still, a canary isn't enough to avoid the attack: look at OPM. OPM was warned 1.5 years in advance by Mandrake Consulting, with actual instructions on how to avoid attack from the Chinese Decentralized Unit. The appendix had step by step instructions...a monkey could have avoided it, with a football in one hand. Not having a cyber entity in charge is a non-issue...there is taking responsibility to be done at a unit level. If I ran a mom-pop website and it was hacked because I failed to do a simple update...I'd be out the job or worse. This is an organization under Federal Review....Congressional IG...DoD-CIO...IC review. We have an internal problem. The Hillary Server should have been a conversation starter but it was wrong time/wrong place.

On another note...DISA is not the solution. You can't spell disappointment without DISA. I've been on both sides of this argument in my OPS/Cyber background. DISA is a combat support agency, but they don't step to the challenge. They force services like the AF to be C&A masters when they should be more advantageous or brave and offer solutions that DoD-CIO can outright approve. But being on the OPS side of the AF I know this is requiring an AO to accept Risk, which is like asking a person to play Russian Roulette (partly a pun) with their career. Any respectable leader in a Commercial Entity, even ones involving HIPAA, FERPA, FISMA, or Sarbanes-Oxley would have bitten the bullet...the AF would still have their hands in the pockets. Cyber...OPS or Support...is an Oxymoron or a Fallacy. If you want an argument against DISA look at EFBs...DMUC doesn't provide a single service except an extremely on-time bill for $7.54 per device per month. They employ fewer people to manage it than an average FLIP management shop in an OSS. They offer no more than a proxy to call Mobile Iron when it's not working. PureBred is the new Certificate Issuance for Mobile Devices conduit...it's 2 years behind...briefed 27 times per year despite its status...and is still currently not ready. When it is allowed, they plan to phase in customers who aren't contributors to DMUC last, i.e. the majority of the AF that isn't AMC. It sounds like a midnight QVC gone wrong.

But what do I know...


On 1/12/2017 at 6:32 PM, 17D_guy said:

Also, it's extremely common for F5 devices to report ports open, in order to funnel the aggressor to logging or detection. In fact, it's standard practice for most covert Combat Support agencies. It's a concept called "crustacean security," where you intentionally don't make your shell so hard that people come at you with a hammer instead of checking the basic strengths that seem covert (while secretly, you observe and log).

Also, he's an executive, not a hacker...Pointing your finger at a 72 year old regarding Cyber Security practices is about as mature as laughing at him because he can't dunk or play WoW. 

Cyber Security 101...An Open Port is not equal to a vulnerability if you're aware of it.

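The "open port that funnels the probe to logging" idea from the post above, as an added defensive example that is not from the thread or from any F5 product: a small Python decoy-port listener that accepts connections on ports no real service uses, never answers, records who connected and what they sent, and summarizes per-source activity so a sweep across several decoys stands out. The `DecoyListener` class, the `probe` client helper, the loopback addresses and the sweep threshold are all assumptions made for this demo; port 0 means "let the OS pick a free port".

```python
import socket
import threading
import time
from collections import namedtuple

# One logged connection attempt: when, who, which decoy port, hex of the first bytes sent.
ProbeEvent = namedtuple("ProbeEvent", "ts src_ip src_port dst_port banner")


class DecoyListener:
    """Accept connections on ports with no real service, log each probe, then drop it."""

    def __init__(self, ports, bind_addr="127.0.0.1", read_timeout=0.5, sweep_threshold=3):
        self.ports = list(ports)          # port 0 = let the OS pick a free ephemeral port
        self.bind_addr, self.read_timeout, self.sweep_threshold = bind_addr, read_timeout, sweep_threshold
        self.events, self._socks, self._threads = [], [], []
        self._lock, self._stop = threading.Lock(), threading.Event()

    def start(self):
        """Bind every decoy and serve it on its own thread; returns the bound port numbers."""
        for port in self.ports:
            lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            lsock.bind((self.bind_addr, port))
            lsock.listen(16)
            lsock.settimeout(0.2)         # lets the accept loop notice stop()
            self._socks.append(lsock)
            self._threads.append(threading.Thread(target=self._serve, args=(lsock,), daemon=True))
            self._threads[-1].start()
        return [s.getsockname()[1] for s in self._socks]

    def _serve(self, lsock):
        decoy_port = lsock.getsockname()[1]
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = lsock.accept()
            except socket.timeout:
                continue
            except OSError:               # listening socket closed by stop()
                break
            with conn:
                conn.settimeout(self.read_timeout)
                try:
                    data = conn.recv(64)  # keep what the probe sent, if anything; never answer
                except (socket.timeout, OSError):
                    data = b""
            with self._lock:
                self.events.append(ProbeEvent(time.time(), src_ip, src_port, decoy_port, data.hex()))

    def wait_for(self, count, timeout=5.0):
        """Poll until at least `count` probes are logged; False on timeout."""
        deadline = time.monotonic() + timeout
        while len(self.events) < count:
            if time.monotonic() > deadline:
                return False
            time.sleep(0.05)
        return True

    def stop(self):
        self._stop.set()
        for s in self._socks:
            s.close()

    def summary(self):
        """Per source IP: probe count, decoy ports touched, sweep flag at >= sweep_threshold decoys."""
        per_src = {}
        with self._lock:
            for ev in self.events:
                e = per_src.setdefault(ev.src_ip, {"probes": 0, "ports": set()})
                e["probes"] += 1
                e["ports"].add(ev.dst_port)
        return {ip: {"probes": e["probes"], "ports": sorted(e["ports"]),
                     "sweep": len(e["ports"]) >= self.sweep_threshold}
                for ip, e in per_src.items()}


def probe(port, payload=b"", host="127.0.0.1"):
    """Constructed client for the demo: connect to a decoy, send some bytes, close."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        if payload:
            c.sendall(payload)
    return True
```

In practice the events would be shipped to the SIEM; a source that has touched three or more decoys in a short window is a low-false-positive scan alert, because legitimate clients have no reason to connect there.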

  • 2 weeks later...

So,

  This seems like a well balanced article on something that's going on in Russia.  Of course, we can't know what's really occurring; we can only speculate.  But it is interesting 2 of the arrested have come from the FSB.

http://talkingpointsmemo.com/edblog/wow-it-gets-bigger

  Of course the secret trials should help put everything to bed.

 

another one - http://www.usatoday.com/story/news/2017/01/26/report-arrested-russian-intel-officer-allegedly-spied-us/97094696/

Edited by 17D_guy
to fast clicky

Another note that I had mentioned before: CGOs are starting to get pinged for the reasons they're leaving. Not exit surveys, but emails from former CCs.

Word on the street is CGO retention is abysmal, particularly in our Ops Sq's.  Since I'm not in one of the anointed Sq's and can't get my hands on retention numbers (wouldn't post those anyway) I've no way to confirm.  I do have bros that are Ops and not too many are super happy with what their AF future looks like.  This includes the patch-wearers and CNODP grads.

I've provided feedback about how soon our CGO's are taken off technical/skilled work, lack of "cyber-pay," lack of recognition pertinent to the type of ops (a la Air Medals), the split between what 24 AF is doing, and the rest of the big AF.

One idea floated to me by a Col was to not give CGOs certifications (GIAC, CISSP, etc.) since they're worth so much on the outside and allow us to realize our dollar value. I like the dude who suggested this, so I'm going to assume legit panic/worry and not a character flaw. He got a dig more at the numbers this past week, so we'll see what happens.

Also of note are the number of Lt Col and Col retirements over the past 5 years.  I generally hate the trope of "best and brightest" leave, but there's so much more freedom, money and ability to make a difference and lead on the outside--both commercially and politically, that I'm kinda concerned.  

 

While this improves my chances of making rank, because we have to wait so long to promote and I've had no Ops stink, the reality of me getting promoted is getting drastically reduced. Which I think my Big AF bros are also seeing, and just bouncing. Plus the easy-to-find certification dollars.


10 hours ago, 17D_guy said:

One idea floated to me by a Col was to not give CGOs certifications (GIAC, CISSP, etc.) since they're worth so much on the outside and allow us to realize our dollar value. I like the dude who suggested this, so I'm going to assume legit panic/worry and not a character flaw. He got a dig more at the numbers this past week, so we'll see what happens.

I ended up only getting the unit to pay for some of my certs before I punched, the rest I paid for myself.


21 hours ago, 17D_guy said:


One idea floated to me by a Col was to not give CGOs certifications (GIAC, CISSP, etc.) since they're worth so much on the outside and allow us to realize our dollar value. I like the dude who suggested this, so I'm going to assume legit panic/worry and not a character flaw. He got a dig more at the numbers this past week, so we'll see what happens.

Also of note are the number of Lt Col and Col retirements over the past 5 years.  I generally hate the trope of "best and brightest" leave, but there's so much more freedom, money and ability to make a difference and lead on the outside--both commercially and politically, that I'm kinda concerned.  

 

At that stage, why do we even need officers in the career field familiar with computers at all?  If the solution to retention is hire people who can't get jobs on the outside, then your model is broken.


https://www.thecyberwire.com/events/afaasc2016/technical-workflorce-development-the-cyber-challenge.html

"Officer personnel: 88% of the positions are currently filled. The biggest challenge is to retain them when their active duty commitment is up at the four-to-five year point in a junior officer's career. Retention is currently running at about 75%, and the Air Force needs around 90%. She said retention is currently under study—the Air Force doesn't yet fully understand why.

Enlisted personnel: 66% of cyber specialty positions are currently filled. Retention here is generally solid, and there's a good bit of cross-training with communications fields.

Civilian personnel: Here, the Air Force suffers from a Government-wide problem: "We lack a common definition of what a cyber position is." Grosso estimates the Air Force has about a 10% occupancy rate, "but we don't really know because of kabuki around what's a cyber job." In building the civilian workforce, she would like to have some of the authorities other agencies have that make it easier and faster to hire qualified people."

 

For O's they need 90% retention to maintain ops... AHAHAHAHAHAHAHAHAHA.  

Of note, no one I know has been asked about retention in an official way.  It's all been bro network.

And on the E side to get to an Ops position you have to cross-train, and you used to have to be at least SrA. So... that makes sense and doesn't speak to morale or anything like that.

Civilians...who cares?


52 minutes ago, 17D_guy said:

https://www.thecyberwire.com/events/afaasc2016/technical-workflorce-development-the-cyber-challenge.html

"Officer personnel: 88% of the positions are currently filled. The biggest challenge is to retain them when their active duty commitment is up at the four-to-five year point in a junior officer's career. Retention is currently running at about 75%, and the Air Force needs around 90%. She said retention is currently under study—the Air Force doesn't yet fully understand why.


I have a few guesses.  I don't know how much fucking studying it takes to just ask the guys in the field why they are bailing at the 4-6 year point.


It's impressive how important physical controls are, and how even when presented with clear evidence of their necessity our gov't still won't do the right thing - 

https://www.emptywheel.net/2017/02/08/how-hal-martin-stole-75-of-nsas-hacking-tools-nsa-failed-to-implement-required-security-fixes-for-three-years-after-snowden/


Well,

  Obama was pushed to fire ADM Rogers and he's received much criticism for issues within that org. Overall, it's the same issue we're facing and our forefathers faced with air. Old people that don't want to change and realize the capabilities this new domain brings.

  Army's NETCOM just offered a bunch of gray-hairs VSP style packages to get them to retire and are hiring like mad.  Don't know if we need to do the same thing.

  Also, direct commission of IT/Cyber Pros isn't the worst idea. But they're not going to be able to do ANYTHING until the juggernaut that is AFLCMC, DISA and other "centers of innovation" are brought to heel.


  • 1 month later...

All right,

  Been awhile since I've posted on here.  Since then there's been a few happenings in this new domain.  One of course is the CIA drop from the Wikileaks.  I won't share anything on it here unless requested since it's been so prominent in the news.

  Another is the Tallinn Manual 2 which covers international law and cyber.  If you like legal nerd stuff and cyber nerd stuff it's probably right up your alley.  Note that we have had AF law-dogs provide commentary on this.  No free sources that I could find without looking super hard.

  Rand Corp has also been putting out good info recently on cyber stuff. Here's an e-book I just got and am "looking forward to."

  I'll also add that the C2 of the domain is rapidly changing and your local Comm Sq's are probably super pissed off.  I don't want to get into it too much on here, but ask for your patience while we follow the direction of our awesome Viper driver boss to figure this nonsense out.  For some reason it's taken a pilot after so many "space operations" officers to finally articulate to leadership just how bad a shape we're in, and actually have them understand.  I believe much of this is cultural (i.e. space views 5 years as not a long time vs you flyboys) and with the right person in charge and advocating we'll get a lot done.  Very interesting the new CSAF email about MDC2 dropped on Friday to dovetail with our efforts.

  Also, if you're in a A3 staff position and work on force apportionment I could use a PM...I've got tons of questions.


On 3/11/2017 at 11:28 AM, 17D_guy said:

  I'll also add that the C2 of the domain is rapidly changing and your local Comm Sq's are probably super pissed off. 

How recently? What details can you provide, if any?


I got an email in response to a ticket from an A1C asking me to justify why our NIPR computers should work by providing how many people use them, how often they deploy, how many pilots/officers we have, and what our squadron's mission is.

Pretty sure it was probably a Russian hacker.

So we've got that going for us.


15 hours ago, SurelySerious said:

I got an email in response to a ticket from an A1C asking me to justify why our NIPR computers should work by providing how many people use them, how often they deploy, how many pilots/officers we have, and what our squadron's mission is.

Pretty sure it was probably a Russian hacker.

So we've got that going for us.

Forward it to your Sq/CC and follow it up with a face-to-face so that he/she can ask the CS/CC "WTF"?


On 3/13/2017 at 10:51 PM, Tonka said:

How recently? What details can you provide, if any?

We are pissed off. Basically AFSPC added a new layer in between your base comm squadrons and the 24 AF units that have the majority of actual control over the network. So we're not allowed to call the squadrons that do all the network sh-t that affects our base anymore. We have to go through our MAJCOM - thing is, they didn't tell the MAJCOMs about this, they just up and did this sh-t on 1 February. Most MAJCOMs have a reporting cell to provide network SA and mission impact to the A3 & CC, but they are not resourced to control/coordinate...well, AFSPC has decided they'll have to do it anyway.


On 3/13/2017 at 11:06 PM, SurelySerious said:

I got an email in response to a ticket from an A1C asking me to justify why our NIPR computers should work by providing how many people use them, how often they deploy, how many pilots/officers we have, and what our squadron's mission is.

Pretty sure it was probably a Russian hacker.

So we've got that going for us.

 

17 hours ago, Champ Kind said:

Forward it to your Sq/CC and follow it up with a face-to-face so that he/she can ask the CS/CC "WTF"?

Maybe not the best way to do so, but I think I see where the kid was going here.  With the new C2 construct we have to fight for what limited resources we can get to fix issues, and it appears this squadron might be trying to prioritize based on mission.  If he uses this data to gain a higher priority for your ticket (vs. the personnelist who has a ticket because facebook is slow), you may get your sh-t fixed faster.  Probably could have been better staffed/advertised in your wing though.

Of course they should probably know most of this stuff already... In our sq we have a standing rule that units directly involved in our wing's core missions get priority; however, at this point very few of our major issues/tickets can be handled in house. We have a good pic internally of what missions are out there and the impact of these tickets to provide when we have to push them up, but sometimes we try to get a better picture so we can fight to have 24 AF actually fix our sh-t instead of letting it sit in a black hole.

Again - just trying to give the kid the benefit of the doubt...looks like they may have the right idea, but an approach that needs work.  Or he could be an idiot (or worse have idiot leadership), but there may be another side to the story.  A call to the Sq/CC or DO should fix easily.

ZB

Edited by zach braff

8 minutes ago, panchbarnes said:

No strat for you LT... :bash:


Gigabytes of sensitive Air Force documents reportedly discovered by security firm

"The security firm MacKeeper came across an Air Force lieutenant’s misconfigured backup hard drive."

 

As usual the AFTimes has terrible journalism.

 

It was a Lt Col's drive. Probably will pick up O-6, get SDE, and pin it all on a lieutenant though.

http://www.zdnet.com/article/leaked-us-military-files-exposed/

 


3 hours ago, zach braff said:

 

Maybe not the best way to do so, but I think I see where the kid was going here.  With the new C2 construct we have to fight for what limited resources we can get to fix issues, and it appears this squadron might be trying to prioritize based on mission.  If he uses this data to gain a higher priority for your ticket (vs. the personnelist who has a ticket because facebook is slow), you may get your sh-t fixed faster.  Probably could have been better staffed/advertised in your wing though.

Of course they should probably know most of this stuff already... In our sq we have a standing rule that units directly involved in our wing's core missions get priority; however, at this point very few of our major issues/tickets can be handled in house. We have a good pic internally of what missions are out there and the impact of these tickets to provide when we have to push them up, but sometimes we try to get a better picture so we can fight to have 24 AF actually fix our sh-t instead of letting it sit in a black hole.

Again - just trying to give the kid the benefit of the doubt...looks like they may have the right idea, but an approach that needs work.  Or he could be an idiot (or worse have idiot leadership), but there may be another side to the story.  A call to the Sq/CC or DO should fix easily.

ZB

What about asking for priority/need date when the ticket is filed (if the system supports this)?


12 hours ago, zach braff said:

 

Many good words...

ZB

ZB's right all around.  Again, the communication from the "former" communication guys just sucked.  Shockingly the decision was made by a bunch of Cols that this was our way ahead, you deal with it.  Our 1-star and 2-star are working hard to address that issue and have pushed out a ton more info at the MAJCOM A6 level and up.  

Guess what rank most A6's are... yep.  Seems like there's this magic rank where shit just goes sideways.  I don't know why that is.  Ideally they'd be sharing that information down.  Do other AFSC's have info hoarders the way we do?

The new C2 construct is tough, but it's literally the only way we can do business moving forward. The manning issues have hit everyone, including our cyber operators/maintainers. So, we need MAJCOMs to tell us what no-kidding they need fixed so we can decide if we're going to fix email/internet or some mission system. It's no different than when I was at a base and got a call that some Maj couldn't get on the ShareDrive for some naming party slides or fixing the scheduling office's Capt's workstations with a blizzard rolling in. Of course an exec's inability to get his GO's alt-token working still seems to float to the top....

On top of this we're trying to develop processes for everything you real domain operators have that works in cyber.  Except we have the fight of needing to help out customers in addition to needing to do operations...for now.

Anyone on the new Microsoft office email?  How's that working out?


8 hours ago, magnetfreezer said:

What about asking for priority/need date when the ticket is filed (if the system supports this)?

It does, but only to a certain level then you gotta start rolling in rank to get it higher and higher.


  • 3 weeks later...

Well...this happened - 

 

My Fellow Warrior-Airmen;

At the past CORONA gathering the CSAF directed the merger of 24th and 25th Air Force into a single NAF under Air Combat Command (ACC). ACC is the OPR for integration planning with AFSPC, 24AF and 25AF as OCRs. We are tasked to deliver a decision brief for implementation to the SECAF at CORONA TOP at the end of June. This is the extent of the formal and official guidance I've received to date.

Way Ahead: GEN's Raymond and Holmes are meeting next week at the Space Symposium in Colorado Springs to discuss our way-ahead and provide both staffs with planning guidance. We (24 AF) will be intimately involved and I will be personally involved in this strategic endeavor for our Air Force. I fully expect the two NAF staffs to have leading roles on the planning given our deep operational expertise. We do not know any more specifics at this time.

 I developed a detailed enterprise-level perspective on optimizing Air Force Cyber Domain Operations over the past 6+ months which has been briefed to Gen Raymond, Gen Holmes, ADM Rogers and the VCSAF. It outlines the core strategic challenges of our AF cyber domain which we must resolve moving forward. As many of you know, I was vocal that an ill-conceived and hasty thrust to simply mash our two NAF's together is not an acceptable course of action. I briefed options similar to the Navy Task Force and Army OPCON models for their consideration also. BTW, my first pitch was for a Cyber Ops MAJCOM...go big or go home I suppose.

 I campaigned to ensure whatever decision was made that it must:

1. Generate Unity of Command and Unity of Effort for Cyberspace Operations

2. Increase support to our Air Component Commanders

3. Elevate Air Force Cyberspace Domain Operations from a 3rd echelon Command/2-star posture, to a Component Command on-par with USN/USARMY.

4. Normalize our force O/T/E functions and Joint Force Presentation to USCYBERCOM

5. Improve Intelligence Support to Cyberspace Operations

6. Not break the G-ISR enterprise or impede CMF build/Operations

 

 We will look at the merger holistically based upon these and other desired end-states, then integrate and aggregate the necessary capabilities and authorities across our two NAFs to generate the most effective organization possible...an "Information Dominance NAF" for our Air Force....it's something bigger than 24th and 25th combined in my opinion. Don't get fixated on structure, design, etc....form will follow function once designed and approved.

 I believe we have lost a battle, but ultimately won the War for Air Force Cyber Ops. The opportunities presented are significant and powerful. Now is the time to focus on multi-domain, multi-functional integration (Cyber Ops, All-source Intel, EW, IO) to deliver decisive full-spectrum global information dominance capabilities and effects for our Service, the Joint Force and our great Nation.

 The decision to move the new NAF into ACC was based primarily on the Air Force's desire to grow our Service's role and posture for Space Operations within DoD, adding further strain on AFSPC's already insufficient Cyber Ops staff capacity.

 I intend to host a series of Town Hall events once we have formal guidance and the planning teams have commenced their efforts.

 So, that's all we know right now. I am certain the RUMOR MILL is off the charts and generating a lot of unnecessary anxiety and uncertainty already. I need all our leaders at every echelon to help belay concerns, squash speculation and help us maintain focus on our demanding "BOSDEE" lines of effort. We must do this in-stride and ensure our missions go on without fail, the CMF is built and trained as planned, and that we take care of the personal and professional needs of our Airmen and Civilians 24/7...you forever remain our most precious resource and I know this will only add to whatever anxiety you have. As soon as I know more, and have decisive information I will let you know.

 These are exciting times and I am honored to share them with such audacious and innovative leaders...I am absolutely certain you will make our Air Force proud in this new enterprise endeavor.

Lead on!

V/R

Wedge

CHRIS P. WEGGEMAN

Major General, USAF

Commander, 24 AF (AFCYBER)
