[Infowarrior] - Apples For The Army

Richard Forno rforno at infowarrior.org
Fri Dec 21 21:49:33 UTC 2007


Apples For The Army
Andy Greenberg , 12.21.07, 6:00 AM ET
http://www.forbes.com/2007/12/20/apple-army-hackers-tech-security-cx_ag_1221
army_print.html

Given Apple's marketing toward the young and the trendy, you wouldn't expect
the U.S. Army to be much of a customer. Lieutenant Colonel C.J. Wallington
is hoping hackers won't expect it either.

Wallington, a division chief in the Army's office of enterprise information
systems, says the military is quietly working to integrate Macintosh
computers into its systems to make them harder to hack. That's because fewer
attacks have been designed to infiltrate Mac computers, and adding more Macs
to the military's computer mix makes it tougher to destabilize a group of
military computers with a single attack, Wallington says.

This past year was a particularly tough one for military cybersecurity.
Cyberspies infiltrated a Pentagon computer system in June and stole unknown
quantities of e-mail data, according to a September report by the Financial
Times. Later in September, industry sources told Forbes.com that major
military contractors, including Boeing, Lockheed Martin, Northrop Grumman
and Raytheon had also been hacked.

The Army's push to use Macs to help protect its computing corps got its
start in August 2005, when General Steve Boutelle, the Army's chief
information officer, gave a speech calling for more diversity in the Army's
computer vendors. He argued the approach would both increase competition
among military contractors and strengthen its IT defenses.

Apple computers still satisfy only a tiny portion of the military's
voracious demand for computers. By Wallington's estimate, around 20,000 of
the Army's 700,000 or so desktops and servers are Apple-made. He estimates
that about a thousand Macs enter the Army's ranks during each of its
bi-annual hardware buying periods.

Military procurement has long been driven by cost and availability of
additional software--two measures where Macintosh computers have typically
come up short against Windows-based PCs. Then there have been subtle but
important barriers: For instance, Macintosh computers have long been
incompatible with a security keycard-reading system known as Common Access
Cards system, or CAC, which is heavily used by the military.

The Army's Apple program, created after Boutelle's 2005 address, is working
to change that. As early as February 2008, the Army is planning to introduce
software, developed by Arlington, Texas-based Thursby Software, that will
also enable Mac desktops and laptops to use CAC systems--a change that
should make it easier to get Macs into the service.

Though Apple machines are still pricier than their Windows counterparts, the
added security they offer might be worth the cost, says Wallington. He
points out that Apple's X Serve servers, which are gradually becoming more
commonplace in Army data centers, are proving their mettle. "Those are some
of the most attacked computers there are. But the attacks used against them
are designed for Windows-based machines, so they shrug them off," he says.

Apple, which declined to comment, has long argued its hardware is less
hackable than comparable PCs. Jonathan Broskey, a former Apple employee who
now heads the Army's Apple program, argues that the Unix core at the center
of the Mac OS operating system makes it easier to lock down a Mac than a
Windows platform.

And Apple's smaller market share has long meant that it didn't attract
cybercriminals hoping to wreck the most havoc possible. "If you look at the
numbers, you see that malicious software for Macs is very limited," he says.
"We used to sell Apples by saying they don't get viruses."

Of course, cyberspooks may be honing their Mac-attacking skills, too. An
end-of-year report by Finnish software security company F-Secure highlights
the growing number of hackers targeting Apple systems with malicious
software, some of which could allow cybercriminals to steal security
passwords. In the past two years, until this October, F-Secure found only a
small handful of malicious programs targeting Macs. In the past two months,
the company has found more than a hundred specimens of Mac-targeted
malicious code.

Charlie Miller, a software researcher with Independent Security Evaluators,
worries that the Army's diversification plan isn't enough to thwart the bad
guys. He sees a two-platform system as a "weakest link" scenario, in which a
determined cyber-intruder will seek out the more vulnerable of the two
targets. "In the story of the three little pigs, did diversifying their
defenses help? Not for the pig in the straw house," he says.

The marketing pitch that Apples are inherently more secure than PCs is also
largely a myth, contends Miller, who gained notoriety for remotely hacking
the iPhone last August. He points to data gathered by software security firm
Secunia, which showed that Apple had to patch nearly five times as many
security flaws in its software over the past year as Microsoft had to patch
in Windows. Apple's Quicktime player alone, he says, was patched 34 times.
"I love my Macs, but in terms of security, they're behind the curve,
compared to Windows," Miller warns.

But the Army's Jonathan Broskey stands by his claims of Apple's security: He
says the high number of patches to Apple software is a good sign--evidence
of the large community of developers actively working to tighten Unix
programs and eliminate bugs. Nonetheless, like any responsible IT
department, he says the Army's Apple program will closely monitor security
updates to Mac-specific programs. "The Army's no different from any
corporation," he says.

Still, relative to corporate cybersecurity, Lieutenant Colonel Wallington
points out, the stakes are much higher. A leaked deployment order, for
instance, might reveal the path of a supply truck and the points where it
could be sabotaged, he says.

"This is information that affects the lives of soldiers and the civilians
we're trying protect," Broskey adds. "It has to be safeguarded."




More information about the Infowarrior mailing list