Tag Archives: Pentagon

F-35: flying on phased out fuel or programmed by a videogame freak?

Soon after publishing the article about the “F-35 from the Cockpit” I received some emails and comments about an interesting thing readers had noticed in one of the webinar slides used to show the Joint Strike Fighter glass cockpit’s symbology.

As the following image seems to suggest, the most advanced 5th generation combat plane, integrating the best stealth technologies, full sensor fusion and a futuristic X-ray-like capable helmet, flies on JP-4 fuel, a dangerous kind of propellant, quick to ignite and explode, that was largely used from 1951 to 1996, when it was phased out and replaced by the safer, kerosene-based, JP-8.

Image: Lockheed Martin (highlight mine)

As explained in the website of Air BP (“the specialised aviation division of BP, providing fuels, lubricants & services to our customers in over 50 countries worldwide”):

although JP-8 has replaced JP-4 in most every case, the potential need for JP-4 under emergency situations necessitates maintaining this grade in specifications MIL-DTL-5624 and Defence Standard 91-88.

However, unless JP-4 was/is used for testing purposes, it is quite strange that, while some combat planes are beginning to perform test flights on eco-friendly biofuel or synthetic fuel, the F-35 is flying on a type of jet propellant presumed to be phased out or used only in emergency situations.

Unless the F-35’s glass cockpit symbology, so “user friendly” that it recalls some early flight simulator games, was not only designed for a “videogame freak”, as test pilots said during the webinar, but also by someone who used to play arcade games with some simulation elements (such as F/A-18 Interceptor or F-19 Stealth Fighter) in the ’90s, when JP-4 was still in use :)

F-35B Finally on track?

Defense Secretary Leon E. Panetta visited NAS Patuxent River on Jan. 20 and announced the STOVL (Short Take Off Vertical Landing) version of the F-35 Joint Strike Fighter has been taken off probation.

“We need to make sure we are on the cutting edge” said Panetta when describing the Pentagon’s next generation war fighting technology which is to include the F-35 program.

The sigh of relief must have been palpable in the offices of Lockheed Martin after several dark years in which it looked, in all probability, as if the STOVL (Short take off vertical landing) version was going to be scrapped, as technical issue after technical issue, along with massive cost overruns, put the variant at risk. The F-35B is a monumentally complex aircraft because its remit is to be stealthy while operating from the deck of a ship or from rough airstrips. Panetta himself stated that the F-35 was “absolutely vital to maintaining our air superiority,” but cautioned that it was important “to get this right.”

After hearing Panetta’s announcement Gen. James F. Amos, the Marine Corps commandant, made a statement: “I welcome the secretary of defense’s announcement removing the F-35B Lightning II from ‘probation’ and granting it full status commensurate with the other two variants of the Joint Strike Fighter,” General Amos said. “I continue to be encouraged by the strong and steady progress that the F-35B team has made over the past year.”

With the survival of the STOVL variant, the USMC can keep to its plan to equip its LHA (Landing Helicopter Assault) and LHD (Landing Helicopter Dock) ships with a fixed-wing aircraft to support a MEU (Marine Expeditionary Unit) in a regional crisis. Moreover, the F-35B is also expected to replace the service’s F/A-18s, so that the Marines can cover the full spectrum of modern warfare scenarios with their own resources.

Other program partners may have welcomed the news that the F-35B was lifted from probation. Among them is the Italian Navy, which needs the STOVL variant for the Cavour aircraft carrier. According to the original plan, 20 are supposed to be delivered to the Marina Militare as Harrier replacements, whereas the Italian Air Force was interested in some B models to replace the AMX light bomber.

However, the initial plan will have to be revised as a consequence of the Defense budget review that the new Monti technocratic cabinet is about to launch. Even if some political forces are urging the new Defense Minister Di Paola to quit the program and give up the planned 131 examples, a cut is the more plausible hypothesis.

Although the final outcome of the Defense budget review is unpredictable, a likely scenario sees the Italian Air Force receiving about 80 F-35s (A and B variants) and the Navy 20 F-35B STOVL (Short Take Off Vertical Landing) combat planes.

Anyway, it now looks like Lockheed Martin has finally turned a corner with this very challenging project. As The Aviationist reported the other day, following the Lockheed Martin F-35 webinar, the arrestor hook issue suffered by the ‘C’ variant was a minor problem that has been fixed, and LM is awaiting the opportunity to test the new design.

Historically the F-35 isn’t alone in having teething problems: the S-3 Viking springs to mind, with its ejector seat issues for the rear cabin aircrew, and it went on to a long and distinguished Naval career. The F-35 Lightning II will follow in its footsteps.

Written with The Aviationist’s Editor David Cenciotti

Lockheed's SecurID Breach Also Threatens Online Banking

The same type of attack used recently to get around security measures at Lockheed Martin, and possibly other defense contractors as well, could also be used to hack international banking services, security experts say.

That’s because both the defense and banking industries rely heavily on RSA’s SecurID tokens, 40 million of which are in use around the world.

Small businesses and private users use SecurID tokens to access online banking services, while large corporations use them to authenticate employees who need to remotely or locally access internal networks and resources.

SecurID devices are small, tamper-resistant tokens that generate numeric codes every 30 or 60 seconds. The complex cryptographic algorithm combines three inputs: the token’s serial number, the internal seed (a secret key hard-coded in the token) and absolute computer time (which counts seconds from January 1, 1970 and never repeats).

The same computation is performed by the authentication server, which compares its code with the one provided by the user. If they correspond, the user is granted access.

The seemingly random sequences of numbers generated by SecurID tokens are technically called OTPs (One Time Passwords) — they can be used only once and expire even if never used.

An OTP can’t be modified, changed or altered, and a SecurID token can’t be fixed, opened or reprogrammed. If it’s compromised, a SecurID token must be replaced.

These tokens can also exist as software applications installed on a PC or a smartphone to perform the same function.

Theoretically, the physical possession of the token, PC or smartphone ensures the security of the authentication mechanism. The only circumstance under which an attacker could clone the token (and it would take some time) would be if seeds and token serial numbers had been stolen.

Unfortunately, that’s exactly what seems to have happened.

“On March 17, 2011, RSA, the security division of EMC Corporation, one of the most important players in the IT security market, publicly announced that information that could be used to reduce the effectiveness of their SecurID authentication implementation was compromised,” explained Paolo Passeri, an ICT (Information and Communication Technology) Security expert based in Rome, Italy.

Passeri was among the first to understand that the RSA security breach could be used to attack EMC Security Division’s corporate clients using SecurID tokens.

Two months later, Lockheed Martin, one of the world’s largest suppliers of military hardware to the U.S. and other countries, announced it had suffered a network intrusion. Lockheed Martin disabled all remote access to its internal networks and said it would replace every one of its RSA SecurID tokens – and that RSA would pay the replacement costs.

“Since the information stolen from RSA, alone, could not be used to successfully clone the tokens, in order to perpetrate the attacks, the hackers must have used keylogger malware and phishing campaigns to get the missing pieces of the puzzle (usernames and PINs — personal identification numbers),” Passeri surmised.

In fact, RSA has not publicly disclosed what was taken from its servers in March (it will tell only existing clients who sign a non-disclosure agreement), and Lockheed Martin has not said if or how its attackers had usernames or passwords.

But the problems for defense contractors may have just begun.

….

[Read the rest of my article on Tech News Daily]

RSA Security breach explained: why US defense programs could be compromised

As almost everybody knows by now, on Mar. 17, 2011, RSA (the Security Division of EMC Corporation and one of the most important IT Security vendors in the world) publicly announced that some information that could be used to reduce the effectiveness of one of their two-factor authentication implementations was compromised. In other words: their database mapping SecurID token serial numbers to the token “seeds” was stolen.

What are we talking about?

To make it simple, SecurID devices are small tamper-resistant tokens (resembling calculators) which generate a numeric code at fixed intervals (usually 30 or 60 seconds before the displayed code is replaced by the next one). Even if they are usually pieces of hardware, they also exist as a software application that can be installed on a PC or smartphone to perform the same function. The random sequences of numbers generated by SecurID tokens are authentication codes, technically called OTPs (One Time Passwords). The term One-Time means that they can be used for a single authentication process and that they expire even if they are never used. Such tokens provide an OTP that can be used for both network and application/web authentication. Many people use them to access their home banking, while companies use them to authenticate employees that need to (remotely or locally) access the internal network and resources.

Image: Wikipedia

These tokens generate the 6- or 8-digit OTP using an AES (Advanced Encryption Standard) algorithm to hash the token serial number, the internal seed and the Current Time (BTW: the server makes the same computation performed by the token device and generates an OTP that is compared to the one provided by the user).

Paolo Passeri studied the subject and, in an interesting blog post dated Apr. 10, provided some more information about the inputs that are used to generate the OTP:

  • a 128-bit token-specific true-random seed,
  • a 64-bit standard ISO representation of Current Time (yr/mo/day/hour/min/second),
  • a 32-bit token-specific salt (the serial number of the token), and
  • another 32 bits of padding, which can be adapted for new functions or additional defensive layers in the future.

Since the AES-Hash operation is performed on 128-bit blocks, the latter two inputs are not a specific security feature: they are needed to pad the standard Current Time representation to fulfil the “rule” of 128-bit multiples.

As you can understand, both the seed and the serial number are unique for each token and, theoretically, the physical possession of the device ensures the security of the authentication mechanism. The only circumstance under which an attacker would be able to clone the token (and generate authentication codes on behalf of the legitimate user) would be if seeds and token serial numbers had been stolen. That’s exactly what happened: an Advanced Persistent Threat (APT) was able (by injecting malware and exploiting other vulnerabilities) to steal the database mapping seeds to serial numbers.

Even if the SecurID generates new strings of digits on a 30-60 second basis, some implementations require the user to enter the OTP along with a PIN (Personal Identification Number), a fixed code like the one used at ATMs. Even if the PIN represents an additional security layer that, for sure, was not stored in the RSA DB, such short codes are easier to hack and can be retrieved using malware, keyloggers and many other methods.

One last thing: the OTP can’t be modified/changed/altered, and the SecurID token, being tamper-proof, can’t be fixed, opened or reprogrammed. Therefore, if compromised, the SecurID must be replaced.
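The token/server exchange described in the two posts above (seed, serial number and time combined into a code, the server repeating the computation, one-time use, and the PIN as a separate layer), as an added toy example that is not RSA’s code nor the author’s: it uses HMAC-SHA256 keyed with the seed as a stand-in for the AES-based function the post names, 60-second intervals over Unix time instead of the ISO date field, and constructed seed, serial, user and PIN values. It illustrates why the serial-to-seed mapping is the critical secret, why a stolen seed database alone does not pass the PIN check, and why an accepted code cannot be replayed.

```python
import hmac
import hashlib
import struct

# Constructed toy "seed database": token serial number -> 128-bit seed.
# This mapping is the asset the post says was stolen from RSA.
SEED_DB = {0x0001A2B3: bytes.fromhex("00112233445566778899aabbccddeeff")}
# Constructed user directory: username -> (token serial, PIN). The PIN is
# held by the authentication server, not in the token vendor's seed DB.
PIN_DB = {"alice": (0x0001A2B3, "4821")}

STEP = 60    # seconds per code (the post mentions 30 or 60)
DIGITS = 6   # 6-digit display, as the post describes

def build_block(t: int, serial: int) -> bytes:
    """128-bit input block laid out as in the post: 64-bit time field,
    32-bit serial number (the "salt"), 32 bits of zero padding.
    Assumption: the time field is the Unix interval number, not ISO date."""
    return struct.pack(">QII", t // STEP, serial, 0)

def generate_otp(seed: bytes, serial: int, t: int) -> str:
    """Token-side computation. Stand-in: HMAC-SHA256 keyed with the seed
    instead of the AES-based function the post refers to."""
    digest = hmac.new(seed, build_block(t, serial), hashlib.sha256).digest()
    value = int.from_bytes(digest[:8], "big") % (10 ** DIGITS)
    return f"{value:0{DIGITS}d}"

class AuthServer:
    """Server side: repeats the token computation and enforces PIN and
    one-time use. window = how many intervals of clock drift to tolerate."""

    def __init__(self, seed_db, pin_db, window: int = 1):
        self.seed_db = seed_db
        self.pin_db = pin_db
        self.window = window
        self.used = set()   # (serial, interval) pairs already accepted

    def verify(self, user: str, pin: str, otp: str, now: int) -> bool:
        if user not in self.pin_db:
            return False
        serial, expected_pin = self.pin_db[user]
        # PIN is checked first: a cloned code without the PIN fails here.
        if not hmac.compare_digest(pin, expected_pin):
            return False
        seed = self.seed_db[serial]
        for k in range(-self.window, self.window + 1):
            t = now + k * STEP
            interval = t // STEP
            if (serial, interval) in self.used:
                continue   # this code was already consumed: no replay
            if hmac.compare_digest(generate_otp(seed, serial, t), otp):
                self.used.add((serial, interval))
                return True
        return False
```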

Targeting defense contractors

As analysts predicted, the RSA hack was not simply intended to discredit the EMC Security division. The actual targets were the corporate clients which use the SecurID token for user authentication and, among them, defense contractors.

Indeed, the first defense contractor known to have suffered a security violation was Lockheed Martin, which on May 22 disabled all remote access to its internal network (“at least for a week”) and planned the replacement of all its RSA SecurID tokens after detecting an intrusion in the internal network. Needless to say, Lockheed is one of the world’s largest defense contractors, “an American global aerospace, defense, security and advanced technology company” supplying hi-tech military hardware to the US and worldwide militaries (F-16, C-130, F-22, F-35 to name but a few interesting Lockheed “products”).

On May 31 Wired reported that another defense contractor, L-3, was targeted using the stolen SecurID data, although it is not clear whether the intrusion succeeded.

Both attacks show a certain interest in the data managed by military contractors, which manufacture some of the most sophisticated and sensitive US (and foreign) military equipment: weapon systems currently used in Iraq, Afghanistan and Libya. However, as Paolo Passeri commented:

I wonder if military contractors are the only targets or if they have been the only ones capable to detect the attempts because of their strict security protocols and policies.

Certainly, defense contractors’ networks contain much classified data about current and future US projects. However, such data is usually secured in closed networks that are not interconnected with corporate LANs, or that require additional authentication procedures. I already explained, when I commented on the hack into the F-35 Lightning II JSF (Joint Strike Fighter) project, that network intrusions or data leakage do not always imply a significant loss. It all depends on the information that is actually stolen.

Image: Lockheed Martin

For sure, Advanced Persistent Threats, as well as the RSA SecurID weakness, are something that defense contractors and Government agencies, facing a huge and growing Cyber risk, must be able to deal with. First of all, companies should follow the example of Raytheon (another Defense Contractor), which declared it took immediate company-wide action, as soon as the RSA incident was made public, to prevent a widespread disruption of its network. But to enhance the effectiveness of their security countermeasures, I think that, sooner or later, all corporates/agencies will have to consider using more costly biometric devices (usually seen in movies like Star Trek, Minority Report, X-Men, Planet of the Apes and a few others) that perform user authentication by means of voice analysis, face recognition, iris scan, keystroke dynamics identification, etc.

About the hack into the F-35 Lightning II JSF (Joint Strike Fighter) project

In the last couple of days, I was asked by many friends and colleagues about the recent Wall Street Journal news that top secret details about the Lockheed F-35 JSF (Joint Strike Fighter) were stolen by hackers that were able to gain access to the Pentagon network.

According to the reports, the information leakage involved thousands of confidential files that were compromised over the past two years. The data related to the electronic systems and avionics of the JSF. Some sources claimed Terabytes (!) of data were stolen: design and performance statistics of the fighter, as well as the system used by the aircraft to conduct self-diagnostics during flight. The intruders were able to compromise the data by gaining access to the computers of Pentagon contractors in charge of designing and building the aircraft.

These were the facts, reported more or less the same way by many newspapers, agencies and web magazines.

“How was that possible?” is the first thing that came to my mind.

If those files were so sensitive, they had to be protected by applying a series of countermeasures aimed at preventing the Integrity, Confidentiality and Availability of information (i.e. data) from being compromised. These three attributes¹ are the basis of Information Security. By evaluating the impact that the loss of any of those attributes would have for a particular type of asset (meaning information in the broadest sense = data, documents, personal computers, hardware, software, oral communication, people, company’s reputation, etc.) you can understand which assets require particular countermeasures and which others are less critical and require “loose” security measures.

For example, it is obvious that the file containing the office numbers of all the employees is less important than the file containing the detailed description of the weaknesses of the passive and active countermeasures of the F-22. So, you shouldn’t worry about the security of the group telephone and address book, but you should invest a lot (in terms of security devices, training, policies and procedures of course) to protect the survey about the weaknesses of the F-22 self-protection suite.

The entire process that goes from the evaluation of the Risk (Risk Analysis) to the ways to manage the Risk (Risk Treatment) is named Risk Management. You can’t say whether an asset is secure or not if you don’t relate the value of the asset (from the organisation’s perspective) to its peculiar threats.

Since Risk Management is paramount to directing the investments in Information Security, organisations all around the world perform Risk Assessment and consequent Risk Treatment continuously. Risk Management enables an organisation to manage the Risk’s lifecycle; after applying the countermeasures, an organisation is called to test their effectiveness and to fill the gap between the expected security level and the actual one (in accordance with the Plan Do Check Act, or Deming Cycle, paradigm).

Let’s get back to the presumed JSF hack.

For sure, someone who was not authorized was able to gain access to a particular file: a Confidentiality breach.

Even if I have no idea how the Pentagon network is protected, I’m sure there are plenty of Firewalls, Authentication Servers, Intrusion Prevention Systems, Document Rights Management and many other technical and procedural countermeasures to protect the sensitive information. If the stolen files were so critical, it is hard to believe they were so simply available on contractors’ computers.

So, there are three possibilities:

  1. the data was not secured because it was not deemed to be critical;
  2. since the risk can’t be avoided but just reduced (you can’t ever be 100% secure), there was a series of breaches that enabled the information to be leaked despite the data being protected in a (most probably) heavily defended network architecture;
  3. the Pentagon has no basic idea of how to deal with Information Security.

I pick the first, since the second one is simply unlikely (but still possible) and I believe the third is just impossible for a nation where Network-Centric Warfare was pioneered. The second option remains possible, but the more critical the information was, the lower the chances that a security breach could remain undetected for 2 years (enabling the leakage of TB of data…).

¹ Let’s quickly explain the meaning of the attributes:
Confidentiality: Assurance that information is shared only among authorised persons. Breaches of Confidentiality can occur when data is disclosed in any way (for example, viewing the content of a document, eavesdropping on a conference call, accessing private records, and so on).
Integrity: Assurance that the information is authentic and complete. Therefore, this attribute refers to the need to keep the data as it is, without any change. Information must be trusted.
Availability: Assurance that the data is available when needed. Loss of availability occurs if a network failure prevents an authorized user from gaining access to a file stored on a server.
