Report will admit Taliban hackers launched U.S. Patriot missile

Last October, you may recall the U.S. Army confirmed a Patriot missile "accidentally" launched from its battery and exploded on a farm in Qatar.  The board of investigators will officially release their report on Thursday — and I'll give you a disturbing hint about its contents.  Hint: the report won't call it an accident.

Those of us in military cyberspace operations knew immediately there was something bizarre about the incident.  "Those things are not supposed to accidentally discharge," said Pentagon spokesman Bryan Whitman. "It was not supposed to happen."  The forthcoming official report will prove Mr. Whitman correct.

[Image: CCTV image of Taliban hacker launching a Patriot missile that hit a farm in Qatar, Oct 16 2007]

The Army's official report will blame this misfired Patriot missile on an Al Qaeda-trained hacker cell working directly for the Taliban.  I was "read into" the team that helped analyze the cyber attack for two big reasons: first, I'm a certified "OpenSSH security A+" instructor, and second, I hold a top secret security clearance.

The photo above comes from a CCTV videotape that was declassified one week ahead of the official report.  The pending report will reveal that investigators pored over three different videotapes (two of them remain classified) before concluding no Soldier was logged into the computer that controlled the Patriot battery in question.

Analysis of the Patriot's "Debian Black Box Daemon" (DBBD) revealed that someone else logged in from an IP address that traced back to an Internet café in the Musa Qala district of Afghanistan's Helmand province.  This person issued a total of 38 commands (two of them mistyped) during a session that lasted one hour, three minutes, eight seconds.  Twenty-nine seconds after launching the missile, he typed "exit 91".  Yet in his haste to flee, the attacker disconnected his session before hitting the "Enter" key.

Army soldiers are trained to type "exit 91" if they encounter a problem with the software.  It's a signal to the computer to reboot, which in turn would have erased some of the hacker's footprints.    Because the attacker failed to hit "Enter" first, he left both his online session and the last command hanging in limbo.  Investigators were able to direct military intelligence officials to the café in Musa Qala, where they discovered evidence that an Al Qaeda-trained Taliban hacker cell had been using it as a safe house for nearly a year.  The café has since been shut down.

The Army's forthcoming report will expose five "systemic defense failures" that allowed this cyber attack to take place:

  1. High-ranking U.S. Army officials chose to uplink each Patriot battery directly to their command center in Qatar.  Each uplink flowed over a leased commercial line with a direct link to the Internet.
  2. Patriot battery computers run the "Debian" operating system and use the "OpenSSH" protocol to establish secure connections with the command center.  But the combination of these two products created a then-unknown "zero day" exploit that allowed a hacker to open an SSH connection to the missile battery computer as an authenticated user.
  3. The Army only tracked logins to Patriot missile batteries after the fact, not in real-time.
  4. The crucial "FIRE [immediate]" launch command did not require a "TPI" (two person integrity) authentication code.
  5. The Patriot computer did not terminate the OpenSSH session when it failed to receive TPI authentication for a critical "COORD [lat,lon,asl] [detonate]" command that directed the missile to strike -- you guessed it! -- the Patriot missile command center in Qatar.

If any one of these "systemic defense failures" had not occurred, then the Taliban hackers would have failed in their effort to fire a U.S. Patriot missile from the safety of their safe house.
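Failures 3, 4 and 5 above describe controls that were missing rather than an attack technique, so here is an added, hypothetical example of what those controls look like in code: a console gate that screens logins against a source allowlist in real time, demands two-person integrity (two distinct approvers, each producing a code bound to the exact command) before a critical command executes, and terminates the session outright when TPI is absent instead of leaving it hanging. This is illustrative code written for this page, not anything from the Army's report or the Patriot system; the network ranges, approver names, keys and command verbs are constructed.

```python
"""Added, hypothetical example: a fail-closed command gate for a remote
console. It illustrates three controls the article says were missing:
real-time login screening, two-person integrity (TPI) for critical
commands, and terminating the session when TPI is not supplied.
Nothing here is the Patriot system's software; all values are made up."""
import hmac
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Constructed policy: source networks allowed to open a console session
# (e.g. the command centre's own leased line) and the command verbs that
# must carry two approvals before they execute.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]
CRITICAL_COMMANDS = {"FIRE", "COORD"}

# Constructed approver secrets; a real deployment would keep these in
# hardware tokens, never in source or on the console host.
APPROVER_KEYS = {
    "alice": b"constructed-key-alice",
    "bob": b"constructed-key-bob",
}


def approval_code(approver: str, command: str) -> str:
    """HMAC of the exact command line under the approver's key, so a code
    authorises one specific command and cannot be replayed for another."""
    return hmac.new(APPROVER_KEYS[approver], command.encode(), hashlib.sha256).hexdigest()


@dataclass
class Session:
    source_ip: str
    user: str
    alive: bool = True
    log: list = field(default_factory=list)


def open_session(source_ip: str, user: str) -> Session:
    """Real-time login screening: refuse the session at login time if the
    source address is outside the allowlist, rather than recording it for
    after-the-fact review."""
    addr = ipaddress.ip_address(source_ip)
    s = Session(source_ip, user)
    if not any(addr in net for net in ALLOWED_SOURCES):
        s.alive = False
        s.log.append(f"DENY login user={user} src={source_ip} reason=source-not-allowlisted")
    else:
        s.log.append(f"ACCEPT login user={user} src={source_ip}")
    return s


def run_command(session: Session, command: str, approvals: dict) -> bool:
    """Execute `command` only if the session is alive and, for critical
    verbs, two distinct approvers supplied valid codes for this exact
    command. A critical command without valid TPI closes the session."""
    if not session.alive:
        session.log.append(f"DROP cmd={command!r} reason=session-closed")
        return False
    verb = command.split(maxsplit=1)[0] if command.strip() else ""
    if verb not in CRITICAL_COMMANDS:
        session.log.append(f"EXEC cmd={command!r}")
        return True
    valid = {a for a, code in approvals.items()
             if a in APPROVER_KEYS
             and hmac.compare_digest(code, approval_code(a, command))}
    if len(valid) >= 2:
        session.log.append(f"EXEC cmd={command!r} tpi={sorted(valid)}")
        return True
    # Fail closed: no dangling session waiting for a second code.
    session.alive = False
    session.log.append(f"TERMINATE cmd={command!r} reason=tpi-missing valid={sorted(valid)}")
    return False


def demo() -> dict:
    """Walk through the three controls with constructed inputs."""
    outside = open_session("203.0.113.7", "operator")   # not on the allowlist
    inside = open_session("10.20.1.5", "operator")
    status_ok = run_command(inside, "STATUS", {})
    cmd = "FIRE [immediate]"
    one_approver = run_command(inside, cmd, {"alice": approval_code("alice", cmd)})
    fresh = open_session("10.20.1.5", "operator")
    two_approvers = run_command(fresh, cmd, {"alice": approval_code("alice", cmd),
                                             "bob": approval_code("bob", cmd)})
    return {"outside_alive": outside.alive, "status_ok": status_ok,
            "one_approver": one_approver, "inside_alive_after": inside.alive,
            "two_approvers": two_approvers}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The design point worth noticing is that the approval code is bound to the full command string: a code collected for one `COORD` line cannot be reused to authorise a different coordinate, and one approver's code presented twice under two names counts as a single approval.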

The Army's forthcoming report won't say it ... but it's frightening to think that Taliban hackers knew about the Debian-OpenSSH attack vector before Debian researcher Luciano Bello alerted the NSA to its existence.  What else do the Taliban know that we haven't got a clue about?

Comments

  • 8/14/2008 3:29 PM Kenn wrote:
    My comments follow...Analysis of the Patriot's "Debian Black Box Daemon" (DBBD) revealed that someone else logged in from an IP address that traced back to an Internet café in the Musa Qala district of Afghanistan's Helmand province. This person issued a total of 38 commands (two of them mistyped) during a session that lasted one hour, three minutes, eight seconds. Twenty-nine seconds after launching the missile, he typed "exit 91". Yet in his haste to flee, the attacker disconnected his session before hitting the "Enter" key.

    Army soldiers are trained to type "exit 91" if they encounter a problem with the software. It's a signal to the computer to reboot, which in turn would have erased some of the hacker's footprints. Because the attacker failed to hit "Enter" first, he left both his online session and the last command hanging in limbo. Investigators were able to direct military intelligence officials to the café in Musa Qala, where they discovered evidence that an Al Qaeda-trained Taliban hacker cell had been using it as a safe house for nearly a year. The café has since been shut down.

    Why print this and give them additional intel? Even if "they" know, now anybody else that reads the site or monitors it for tid-bits of intel can benefit from it. In my view, this is similar to the published report that the US military was able to track Bin Laden to Bora Bora by his cell phone tx. Thank you US press - poof! No more cell phone calls.
  • 1/29/2009 5:21 PM Alissa V. Knight wrote:
    John,

    Fantastic article. You continue to remain our source for open-source intel like this. Question, I can't find this Army report anywhere and am citing it. Was it never released or is it classified?

    Thanks,
    Alissa V. Knight
    C2I Counter Intelligence
    Special Operations
    1. 1/29/2009 5:58 PM Arq wrote:

      The SIGINT details are X1, but, the rest of the document should only be collateral. I think it would be easy to sanitize. The executive summary wasn't even FOUO, that is why I didn't feel bad writing about it. Semper Gumby!

      -John

      --I'm editing this comment to add something.  The summary is in Part I of the investigative board's report.  Part I is always public.  Part II of the report is the one that is mostly collateral.  But I would think you already knew that!

      1. 1/29/2009 6:09 PM Alissa V. Knight wrote:
        John,

        Can you email me? My email address is alissa.knight [at] cewar.org

        Thanks!
        Alissa Knight
  • 1/29/2009 6:59 PM Alissa V. Knight wrote:
    John,

    Yep. Thank you. Question, can you send me the Investigative Board's Report (whatever is public)? I've checked both the News Release and also the Reports site for the Army and I can't find it.

    Thanks for all your help.

    Alissa
  • 4/6/2009 2:46 PM seth alton wrote:
    Leave it up to higher command to fuck something like this up. If they were going to use a commercial line, why didn't they use a T1 encryption device? WTF are these people thinking?