not great timing.
Wow after the Equifax hack and now the SEC hack probably not the best time to go before your peers accused of computer misuse. Don't drop the soap Mittesh. Probably should have pled down.
An IT contractor is facing a possible decade behind bars in America for planting a ticking "destructive" time bomb in US military systems. After a three-day trial this week, Mittesh Das, 48, of Atlanta, Georgia, was found guilty by a jury in North Carolina of knowingly transmitting malicious code with the intent of causing …
Isn't Fort Bragg home of Special Operations Command?
The United States SOC is headquartered at MacDill Air Force Base in Florida.
https://en.wikipedia.org/wiki/United_States_Special_Operations_Command
Fort Bragg is the HQ for the US Army SOC, a different unit.
https://en.wikipedia.org/wiki/United_States_Army_Special_Operations_Command
Still, messing with military in any way is a guaranteed FAIL.
Step one: accept that logic bombing is unprofitable and you're going to get caught, then choose a target where the penalty for getting caught doesn't possibly include a bullet to the back of the head, cut brake lines, or waking up in a secret underground facility that very few folks know exists.
TFIFY
Well I wouldn't make it obviously "fail" at anything for a start. Off the top of my head and given that this is a payroll system, I would introduce small but cumulatively significant errors into the payroll tax calculations. Once there is a significant discrepancy to work with, anonymously tip off the IRS (motto: "No dollar left behind.") and watch the resulting cage fight from a safe distance.
US military pay entitlements and gross-to-net calculations have been done centrally (for both active duty and reserve personnel) for nearly 40 years. Local payroll systems have been used to print earnings statements and issue checks (although for years payments have been by direct pay to bank with few exceptions if any). Locally operated, but mostly centrally maintained systems also may process data used to determine service member entitlements. For reserve personnel not on active duty, that would include data entry and validation for monthly weekend exercises, for example, and the locally operated software used would be the place to insert errors.
Reservists are attentive to their pay and not hesitant to raise issues, including with their congressional representative, if it is incorrect or late. Representatives (or their staffs, which amounts to the same thing) are similarly attentive to service member complaints, and so are agencies deemed accountable, which in DoD are held to a ten day turnaround on "congressionals."
Disguised as notepad.exe
So if somebody would open the boobytrapped notepad.exe, it'll do two things :
- check for administrative privileges, if not, start up the real notepad.exe
- if administrative privileges exist, then it'll copy the logic bomb somewhere into the system, delete the trojanized notepad.exe and start the real notepad.exe up, with nobody the wiser - until the logic bomb activates itself.
After all admins need to use notepad.exe sometime. Or ipconfig. Or any other windows app for that matter sometime.
But I will never, ever do it, too risky.
Not so hard in some languages. ({} + []) === ([] + {}) .... not in JS it doesn't, and if you can use PHP then the scope for "accidentally on purpose" logic and calculation bear traps is so huge there are entire websites dedicated to the resulting WTF'ery. As for a "detonator", the MM/DD/YYYY vs. DD/MM/YYYY (or ISO) date format discrepancy is almost purpose built for the task.
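As an added illustration of the two review traps the comment above names (this is example code written for this page, not something posted in the thread), the block below shows what JavaScript's loose coercion actually does with the `({} + [])` comparison and the `==` cases a reviewer should flag, and pairs it with a strict date parser that only accepts ISO 8601 `YYYY-MM-DD` and refuses slash-separated dates, since `03/04/2017` reads as two different days depending on locale. The function names and the sample dates are my own choices.

```javascript
// Added example, not from the original thread: JavaScript coercion surprises a
// reviewer should recognise, plus a strict date parser that refuses the
// MM/DD/YYYY vs DD/MM/YYYY ambiguity instead of guessing.

// In expression position both operands coerce to strings, so the two sides
// compare equal: each side evaluates to "[object Object]".
function coercionIsEqual() {
  return ({} + []) === ([] + {});
}

// Loose-equality results that look wrong at a glance; flag `==` in review and
// insist on `===` with explicit type checks.
function looseEqualitySurprises() {
  return {
    emptyArrayEqualsFalse: [] == false,        // true: [] -> "" -> 0, false -> 0
    zeroEqualsEmptyString: 0 == "",            // true
    nullEqualsUndefined: null == undefined,    // true
    nanEqualsItself: NaN == NaN,               // false
    strictEmptyArrayEqualsFalse: [] === false, // false: strict comparison keeps types
  };
}

// Strict parser: accepts ISO 8601 calendar dates only (YYYY-MM-DD) and
// round-trips through Date.UTC so impossible dates such as 2017-02-30 are
// rejected rather than silently rolled into March.
function parseDateStrict(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s);
  if (!m) return { ok: false, reason: "not ISO 8601 (YYYY-MM-DD)" };
  const [y, mo, d] = m.slice(1).map(Number);
  const dt = new Date(Date.UTC(y, mo - 1, d));
  if (dt.getUTCFullYear() !== y || dt.getUTCMonth() !== mo - 1 || dt.getUTCDate() !== d) {
    return { ok: false, reason: "impossible calendar date" };
  }
  return { ok: true, date: dt };
}

// Shows why slash dates are rejected: the same string has a US (MM/DD) and a
// European (DD/MM) reading, and both can be valid calendar dates.
function slashDateReadings(s) {
  const m = /^(\d{1,2})\/(\d{1,2})\/(\d{4})$/.exec(s);
  if (!m) return null;
  const [a, b, y] = m.slice(1).map(Number);
  const iso = (mo, d) =>
    mo >= 1 && mo <= 12 && d >= 1 && d <= 31
      ? new Date(Date.UTC(y, mo - 1, d)).toISOString().slice(0, 10)
      : null;
  const us = iso(a, b); // read as MM/DD/YYYY
  const eu = iso(b, a); // read as DD/MM/YYYY
  return { us, eu, ambiguous: us !== null && eu !== null && us !== eu };
}
```

The defensive takeaway is the usual one: accept dates in exactly one unambiguous format at the system boundary, and treat any `==` in financial arithmetic as a review finding rather than a style nit.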
What about hiding it in gcc / msbuild.exe so it injects the payload (ie the Ken Thompson Hack)
Having been an Army Reservist (and Active Duty before that), this must have been the payroll system for Civilians that work at Army Reserve centers for the Army itself and maybe Unit Administrators when they're not called back to duty and militarized under Title 10 orders.
And given most UAs are retired First Sergeants and Sergeants Major, what a stupid target to fuck with. I would not want every UA in the country hot after your ass for making them miss a paycheck. At the same time, these people can likely handle missing a paycheck whereas a Private up to Specialist/Corporal really can't unless they're living in the barracks and most of their pay is disposable income.
Military pay for the actual servicemembers in an Army Reserve or Regular Army unit is (mis)handled by the Defense Financial and Accounting Service, which is an even dumber target to fuck with. The easiest way to wind up in prison if you have anything to do with the Department of Defense is to mess with Uncle Sam's money. They've even tossed the first commander of SEAL Team Six/DEVGRU into prison for misappropriating funds.
That being said, I'm amazed that the Clowns in Disguise (CID for the uninitiated, they're usually pretty inept) figured it out, and it didn't take the 902d Counterintelligence and NSA/CSS to do it, unless it did and the CID's just getting the public credit for it. Which could be the case.
"And given most UAs are retired First Sergeants and Sergeants Major, what a stupid target to fuck with. I would not want every UA in the country hot after your ass for making them miss a paycheck."
Because these guys are going to come hunting the perpetrator down, Rambo style, right?
I do enjoy these, "the army are the last people you want to fuck with", warnings.
Either you're from the UK or you're NOT a native of North Carolina,
or the Virginias, Texas Alabama, Georgia, Florida, etc!
YOU pull a stunt like that down here and ABSOLUTELY NO IFS
AND OR BUTS ABOUT IT you are gonna get a DEFINITE beat down
and MULTIPLE 9mm, .357 or .45 slugs in your gut!
EVERYONE carries guns down here!
And YOU MESS with their paychecks
and you are soooo much dead meat!
Americans don't give a R*((*&*(&* A*(&*(& what the bobbies think!
You mess with a family member's living and you are as good as -D-E-A-D-!!!
Literally EVERY SINGLE DAY (sometimes 3 times a day!) in EVERY ONE
of those states I listed above someone ends up shot dead or beat down
reeeeeaaaal good for messing with a person's livelihood!
In these states especially (and in Fort Bragg in particular!) the
local yokels ABSOLUTELY WILL BE ON THE HUNT for said hacker
and that hacker WILL BE SHOT ...AFTER... he gets a good beat down!
He is sooooooo lucky the MP's (Military Police) and/or Feds (FBI) got to him first!
I can very much assure you he would NOT be alive had he been caught by the locals!
There's a heck of a lot of America that simply DOES NOT PUT UP WITH IDIOTS like this!
They get -S-H-O-T- -D-E-A-D- --- In America we REALLY DO Shoot First and Ask Questions Later !!!!
... amounting to a total labor cost to the US Army of approximately $2.6 million.
Let's say it took them a month to wipe and reload all systems the guy has ever touched. It should not have taken this long, but let's err on the generous side. At $130K p.a., this is 240 people doing the work, which seems like a slight overkill for a few dozen systems likely affected.
Of course, it could have also been a couple of pals of the base commander's son, who took a bargain-basement fixed-price contract to do the work ...
You are clearly thinking as a right minded techie not a government contractor.
You would clearly need to procure new hardware and storage to perform your re-install on.
There are probably fees to retrieve the backups, especially if they are historic.
You need a few people to do the code review, but don't forget the account manager, project managers and "expenses".
Add a bit of a fudge factor for the internal costs associated with writing letters and administering evidence gathering for a prosecution, and it does not sound so hard to justify (regardless of any resemblance to reality).
Also you're forgetting the military markup - anything for the military costs at least 3x what it does on civvie street. Hell, sometimes it's even for good reasons, but I suspect this may be a case of "we're used to paying over the odds - shut up and take our (government) money!!"
I'm sitting here wondering how a middle-aged man becomes so petty as to wilfully try to damage an ex-client's system. I mean, I'm no stranger to losing my exquisite cool over client stupidity, but I wouldn't even consider this. Especially if they've just changed suppliers at the end of a contract run.
@ defiler -- You answered your own question:
"I'm sitting here wondering how a middle-aged man becomes so petty as to wilfully try to damage an ex-client's system.
"...you're forgetting the military markup - anything for the military costs at least 3x what it does on civvie street."
Losing lots of easy money can make people do stupid things.
You also haven't taken into account the fact they wouldn't have known what/how many things were affected; I imagine this triggered a deep look into and at *everything with a plug on it*.
They will have been obliged, quite rightly, to check every switch, router, server, PC, SAN, etc.
New hardware will have been purchased, work will have been round the clock, so overtime/high rates. Suppliers to gov entities also always charge through the nose. After all the hoops they jumped through to get contracts, they tend to gouge to recover costs.
Then every single bit of software will have been checked out. The list goes on. It's the military, I doubt they just ran MBAM.exe on everything and called it a day.
What you have here is what we used to call a 'logistics sink'. That's when an incident occurs which allows a military unit to write off stuff that has gone missing/been misappropriated, been broken, or just needs replacing.
As a result a one-minute contact with the enemy can consume a truly amazing amount of equipment. I'd imagine this logic bomb presented the IT folks with a similar opportunity.
Actually, the cost isn't bad at all. It appears you don't have a lot of InfoSec experience.
There is a lot more than just looking at code and restoring data involved in the costs.
Don't forget about the investigation (including talking to people-- suspects/witnesses), forensics, network security experts, not to mention corrective actions, etc. There is also looking through all other systems this individual had access to, then going through all of them with a fine tooth comb.
I can go on, but I'm sure you're starting to get the picture... there's a lot more than meets the eye.
I am not one of the downvoters, and I had a long yet witty response typed when either ElReg or CloudFlare decided crapping themselves would be a good thing to do.
Long story short, 700 000 bucks claimed against McKinnon, a slightly lost kid on the other side of the ocean trying a default remote desktop password and not disturbing anything, vs 2.6 mil claimed against an IT professional with physical access to "critical" systems and causing actual damage... the 2.6 mil claim doesn't seem the most overstated of the 2, to me.
... that's ludicrously cheap for a forensics consultant to come in and do a post-mortem.
the last incident I was involved with, the one guy ran double that hourly rate easy. In-house staff did the bulk of the leg work, both raw discovery and remediation.
anon for obvious reasons.
1 - Timing; it's waaaaay too soon, as has been pointed out. Too obvious.
2 - Instead of a logic bomb, he should have got all the spare cents from each payroll run's transactions etc and rolled them into a separate account. No one would EVER notice (unless he stupidly buys a Ferrari or somesuch) /Profit
I mean delaying the payroll is bound to get someone to notice soon. Far better to just add an extra dollar onto everyone's pay-packet that month. Then an extra two dollars the next month... And keep going. No-one is going to complain, and the wages bill next audit looks like the investment in the new contract was more costly than anyone anticipated.
"Have you read 'The Times' this morning Holmes? That Das fellow in America seems to be getting his comeuppance for this army payroll thing eh?"
"On the contrary Watson - the man is completely innocent, and a grave miscarriage of justice is afoot. Call a cab - we must get to the American Embassy immediately!"
"Nonsense Holmes - look at this paragraph and just see the damage he has done!"
<Prosecutors described Das's program as "progressively destructive," adding: "The damage had to be corrected through removal of the malicious code, restoration of all information and features, and a thorough review of the entire system to locate any further malicious code,>
"Damage has indeed been done Watson - but not by Das - for observe, - the crime took place on THE SECOND TUESDAY OF THE MONTH!"
um, reasonable doubt anyone....?
people who don't work in IT don't seem to get it, but it is extremely easy to frame people for these things....I mean really, if you were going to do something like this would you really use your own ID? or somebody else's...? and when you have access to the back end of systems you've effectively got access to everybody's ID....I find it very difficult to believe that somebody who is competent enough to do that job in the first place would do that in a way where it was trackable back to him....I suspect the same on that Litvinenko assassination as well, but morons blindly following the evidence.....there is no easier way to frame people. in the physical world you would need to plant a cigarette butt, DNA, fingerprints or something....much more difficult!
even when you don't have that kind of access it's still very easy to plant something like, say, kiddy porn or whatever on your manager's PC.....tell his manager you saw him looking at kiddy porn on his computer, manager checks....he's fired and you get a promotion....how many times do you think that has happened?