OK, so there is a U.S. Navy SEAL undergoing court martial (military criminal trial) for murder of a wounded prisoner in combat. The Navy Times newspaper kept reporting on leaked documents sealed by the court during the trial. The judge was not happy, and ordered a stop to the leaks. They kept happening.
The lead prosecutor approved a cyberattack on an editor of the paper and on the defense lawyers. The attack involved sending e-mails to the Navy Times editor and to defense lawyers with embedded malware that put remote monitoring software (spyware) on the recipients' computers. The software infected not only target computers, but also any other to which the targeted recipients forwarded the e-mails.
One of the defense lawyers is an Air Force officer. The Air Force discovered the malware insertion and is now investigating an attack on Air Force networks by the Navy. Read the latest report on the story in
Why the Air Force is investigating a cyber attack from the Navy
Now, on to the questions:
Tech Question: Since the Air Force uses standard procedures to detect attachments and malware in all e-mails, how did the Navy's malware package make it through to the computers and network?
Legal Question: If the Navy sent out this spyware without a court order, how many laws may have been broken, and will anyone pay any consequences?
Ethics Question: Did any cyberwarriors in the Navy violate general professional ethics or specifically the CISSP Code of Ethics by participating in this spyware attack?
Ethics - depends on whether they are ISC2 members or associates; if so, yes, the first two canons. Clearly the second is violated, but it would be hard to see how the first isn't seriously undermined by their actions.
Legal - clearly wiretapping-type offences, but this is also hacking of a government organisation, which is pretty serious. It would be treated as a breach of the CMA and also as a national security matter, and could be covered under counter-terrorism legislation in a UK context. Pretty sure serving officers in the forces aren't immune from prosecution.
Technical - it depends on what the standard procedural and technical controls are, so you'd start from the obvious. Allowing S/MIME, not stripping off all attachments, not blocking 'dangerous' file types, not looking for spoofed attachment types, and allowing in encrypted or password-protected payloads would all be risks. They could have used Metasploit to mutate their payload to avoid detection. And then you have the potential for hyperlinks and magic pixels in the messages that could download content from external web sites. Then you have the published vulnerabilities which may be unpatched, and zero-day exploits that could potentially be used.
This is so wrong on all accounts, but to answer your questions, from my point of view:
Technical: depending on the systems employed by the Air Force, they may or may not use threat emulation, and this is what is required to catch anything mildly sophisticated. Oftentimes, signed messages are allowed through uninspected to preserve their integrity, assuming a certain degree of trust. Most commercial solutions have a preset depth of scanning and set of file types, and limit the size of the data scanned to something like the first 4 GB, with the subsequent action being "Allow".
Knowing these limitations, or taking a good guess at which vendor's solution(s) are employed by the adversary, can aid in bypassing their security measures.
Legal: I am no expert, but it does seem that a number of laws were violated. Furthermore, even with a court order in place, adversarial actions between military branches are bound to have very long-reaching repercussions. In the absence of such an order, it certainly sounds like criminal activity.
Ethical: From the point of view of those actually implementing the hack, it may very well be OK. Before you feed me to the dogs, let me explain my take on it. It's a military operation. Those that execute the action are not always, if ever, aware of the larger picture and are provided only with the need-to-know data on which to act. Should soldiers pause to think, ask questions and weigh their morality, we'd be living in a Utopian society and no shots would be fired by any member of any military. Alas, this is not so.
Those that have issued this order are most definitely in violation of the Code of Ethics.
Vladimir Yakovlev, CISSP
higher.intelligence@gmail.com
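The two technical replies above list the same gateway gaps from opposite sides: spoofed attachment types, encrypted or password-protected payloads the scanner cannot open, remote images and tracking pixels in the body, and a scan-size budget whose overflow action is "Allow". The toy inspector below is an added example, not code from either poster or from any real gateway product. It builds a constructed phishing-style message with each of those features and shows a scanner that checks content type by magic bytes rather than filename, flags encrypted ZIP members, extracts remote references from the HTML body, and fails closed (rather than "Allow") on an attachment that exceeds its budget. The magic-number table, the extension table and the 4096-byte budget are stand-ins chosen for the example.

```python
"""Toy mail-gateway inspector for the bypass classes the two replies list.

Added example; not code from the thread or from any vendor. The message,
attachments, type tables and size budget are all constructed here.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumed, deliberately small tables; a real gateway carries far more signatures.
MAGIC = {b"MZ": "application/x-dosexec", b"%PDF": "application/pdf",
         b"PK\x03\x04": "application/zip"}
BY_EXT = {".pdf": "application/pdf", ".zip": "application/zip",
          ".exe": "application/x-dosexec"}
DANGEROUS = {"application/x-dosexec"}
SCAN_LIMIT = 4096  # stand-in for a vendor's scan-depth budget (the reply says ~4 GB)


def sniff(data: bytes) -> str:
    """Type from content, not from the attacker-chosen filename."""
    return next((m for sig, m in MAGIC.items() if data.startswith(sig)),
                "application/octet-stream")


def declared_type(name: str) -> str:
    """Type the filename claims; '' when the extension is unknown to us."""
    dot = name.rfind(".")
    return BY_EXT.get(name[dot:].lower(), "") if dot >= 0 else ""


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of a member's general-purpose flag marks an encrypted member."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(i.flag_bits & 0x1 for i in zf.infolist())


class RemoteRefs(HTMLParser):
    """Collects remote images (1x1 ones reported as tracking pixels) and links."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and str(a.get("src")).startswith("http"):
            tiny = (a.get("width"), a.get("height")) == ("1", "1")
            self.refs.append(("tracking_pixel" if tiny else "remote_image", a["src"]))
        elif tag == "a" and str(a.get("href")).startswith("http"):
            self.refs.append(("link", a["href"]))


def inspect(raw: bytes, fail_open: bool = False) -> list:
    """Return findings; fail_open=True mimics a gateway whose over-budget action is 'Allow'."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() != "attachment":
            if part.get_content_type() == "text/html":
                p = RemoteRefs()
                p.feed(part.get_content())
                findings += [f"body: {kind} -> {url}" for kind, url in p.refs]
            continue
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True)
        if len(data) > SCAN_LIMIT:
            if not fail_open:  # fail closed: whatever we cannot scan does not pass
                findings.append(f"{name}: {len(data)} bytes exceeds scan budget, blocked")
            continue
        sniffed, declared = sniff(data), declared_type(name)
        if declared and sniffed != "application/octet-stream" and declared != sniffed:
            findings.append(f"{name}: declared {declared} but content is {sniffed}")
        if sniffed in DANGEROUS:
            findings.append(f"{name}: dangerous type {sniffed}")
        if sniffed == "application/zip" and zip_is_encrypted(data):
            findings.append(f"{name}: encrypted archive, cannot be scanned")
    return findings


def make_encrypted_zip() -> bytes:
    """Stored member, then the encryption flag set by hand (zipfile cannot write encrypted zips)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x03\x04") + 6] |= 1  # local file header: flags at offset 6
    data[data.find(b"PK\x01\x02") + 8] |= 1  # central directory entry: flags at offset 8
    return bytes(data)


def build_sample() -> bytes:
    """Constructed message carrying every feature the replies warn about."""
    msg = EmailMessage()
    msg["From"] = "clerk@example.test"
    msg["To"] = "editor@example.test"
    msg["Subject"] = "Sealed filing (see attached)"
    msg.set_content(
        '<html><body><p>Document attached.</p>'
        '<img src="http://tracker.example.test/p.gif" width="1" height="1">'
        '<a href="http://files.example.test/dl">Mirror</a></body></html>',
        subtype="html")
    msg.add_attachment(b"MZ" + b"\x90" * 200, maintype="application", subtype="pdf",
                       filename="report.pdf")  # PE bytes behind a .pdf name
    msg.add_attachment(make_encrypted_zip(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"\x00" * (SCAN_LIMIT + 1), maintype="application",
                       subtype="octet-stream", filename="big.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in inspect(build_sample()):
        print(line)
```

Run it as-is to see all four gaps reported; call `inspect(build_sample(), fail_open=True)` to see the oversized `big.bin` vanish from the findings, which is exactly the vendor-default behaviour the second reply describes.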