5 August 1999.
Anonymous 3 writes JYA that the immediately following message is mistaken: there has been an increase in DoD password protection measures, as stated in the initial message of this file, due to a fairly recent computer security incident. A portion of a confidential DoD document was provided for substantiation, with a request to not publish it. More on this topic would be welcome. Send to jy@jya.com.
3 August 1999. TT Anonymous 2.
There is NO "new" password policy. In May, the Office of the Assistant Secretary of Defense sent a memo reminding folks about the *old* password policy and warning folks that the IG will be checking to see if people were following the policy. <http://www.c3i.osd.mil/org/cio/y2k/policy/Y2K_DoD_ISSP.pdf> [423k]
OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE
6000 DEFENSE PENTAGON
WASHINGTON, DC 20301-6000
COMMAND, CONTROL, COMMUNICATIONS, AND INTELLIGENCE

May 5, 1999

MEMORANDUM FOR SECRETARIES OF THE MILITARY DEPARTMENTS
               CHAIRMAN OF THE JOINT CHIEFS OF STAFF
               UNDER SECRETARIES OF DEFENSE
               DIRECTOR, DEFENSE RESEARCH AND ENGINEERING
               ASSISTANT SECRETARIES OF DEFENSE
               GENERAL COUNSEL OF THE DEPARTMENT OF DEFENSE
               INSPECTOR GENERAL OF THE DEPARTMENT OF DEFENSE
               DIRECTOR, OPERATIONAL TEST AND EVALUATION
               ASSISTANTS TO THE SECRETARY OF DEFENSE
               DIRECTOR, ADMINISTRATION AND MANAGEMENT
               DIRECTORS OF DEFENSE AGENCIES

SUBJECT: Year 2000 (Y2K) and the Importance of Adherence to Department of Defense (DoD) Information System Security Policy

The Department of Defense Year 2000 Management Plan, Appendix B, alerts "system owners and users for the potential of creating increased vulnerabilities within, and the resulting Information Warfare threat to the Defense Information Infrastructure and DoD operational readiness throughout Y2K testing, evaluation, and renovation processes." Administrative Instruction 26 (AI 26), Chapter 11, Section 5.1.1., "Identification and Authentication," prescribes security measures to provide protection from many Y2K related computer threats.

As the Year 2000 approaches, it is important that all personnel using DoD systems comply with the guidance in AI 26, Chapter 11, particularly Section 5.1.1. (see attachment). I have asked the DoD Inspector General's office to begin to check for adherence to AI 26 as part of their ongoing Y2K audits.

My point of contact for any additional information is Mr. Walter Benesch at (703) 602-0983, Ext. 129, e-mail: benesch@osd.pentagon.mil.

Arthur L. Money
Senior Civilian Official

Attachment
ADMINISTRATIVE INSTRUCTION 26, CHAPTER 11, SECTION 5.1.1

(The complete AI 26 can be downloaded from: http://web7.whs.osd.mil/html3/ai-26.htm)

5.1.1. Identification and Authentication

The OSD Component system I&A policies and procedures are as follows:

+ A user is always required to enter a password during the login before that user is allowed to access the systems.
+ Passwords are at least eight characters long and must consist of both alpha and numeric characters.
+ Passwords are validated each time a user accesses the system.
+ Passwords are not displayed at any terminal or printer.
+ Passwords are changed at least every 90 days.
+ Electronically stored passwords are encrypted.
+ The number of consecutive authentication failures allowed to any system user is limited to five. A user's inability to successfully access the desktop system within the established limits automatically deactivates the user's access to the desktop system for a minimum of 20 minutes and creates an audit trail record.
+ The systems should maintain password history for 1 year on Unclassified and Classified systems for each user.
+ Users memorize their passwords.
+ Under normal circumstances, users do not disclose their personal passwords to anyone. Disclosing one's personal classified system password to anyone without a valid clearance and need-to-know constitutes a security violation.
+ A password that has been shared with another user must be changed as soon as possible.
+ If a user believes that his/her password has been compromised, the user must immediately notify the SA and/or ISSO.
+ SAs should share Unclassified system access passwords only when necessary. When possible, Unclassified system access passwords should also be written down, sealed in a Standard Form 700 (SF-700) or plain envelope, and protected in a manner similar to the classified system passwords.
+ SAs will make their classified system passwords available to other SAs only during an emergency. This effort will be accomplished by storing a copy of the password in a secure container authorized for storage of information of the classification level of the password. The password(s) must be written down and sealed in an SF-700 or plain envelope.
+ All factory set, default, or standard user IDs and passwords are removed or changed.
+ Passwords are changed when compromised, possibly compromised, forgotten, or when they appear on an audit document.
+ Passwords are disabled if a user no longer requires access to the system, including departures, deaths, or loss of security clearance.
+ Passwords are classified and controlled at the highest level of the information accessed or the classification level of the system.

[HTML by JYA]
2 August 1999. Thanks to Anonymous 1, PGN/WS.
From: "Stewart, William C (Bill), BNSVC" <billstewart@att.com>
To: cypherpunks@cyberpass.net
Subject: FW: DoD password management -- from Risks Digest
Date: Mon, 2 Aug 1999 16:32:07 -0500

----------

Date: Wed, 21 Jul 1999 22:29:29 -0400
From: [Identity withheld by request]
Subject: DoD password management

[This message is from a Department of the Army civilian who has had Military active duty (53) system administration duties. His or her identity is withheld for obvious reasons. PGN]

I am an employee (15+ years) in the Department of Defense. In the last few days I have received the most ludicrous requirement yet. It applies to every part of DoD. It requires us to change every password on every system and then power down and power up the system. I have been told this was signed off by the Secretary of Defense upon urging by his Joint Task Force for computer security. For Army systems, this came in the form of a majordomo message.

Last night I found out that it was the aftermath of an incident. Prior to this knowledge, a lot of us thought that this was just an exercise. When the initial message came in, MACOMS (Major Army Command, typically 4 stars), RCERTS, and other institutions were called to see if this was a hoax. It turns out it wasn't. They actually want us to complete this requirement in less than 4 weeks.

Initially, we weren't told the reason for the requirement -- just to get it done. Shortly thereafter, we received another report that tells us (1) not to use the word "password" when directing our users to do this, (2) to use verbiage to our users explaining the need for the password change that is untrue, (3) to have the users change their passwords themselves rather than have the system force them to do it. On (2), I don't think they intentionally wanted us to lie; just obscure the reasons.

I first take issue that they have us (Sys Admin/Net Admin) mislead our installation users (another risk). Along with every IT (govt. employee, contract, military) person whom I have talked to at my installation, I think this requirement is overkill. In addition to using a lot of resources, it causes us to question the credibility of the people who are making these decisions. This in itself is a major risk.

Other thoughts:

1. Some people and sysadmins have about (3-7) passwords for various systems. If they have to change all their passwords they are likely to recycle the same passwords on different systems.

2. I have spoken with my counterparts at different Army installations. For the most part they want to define the problem away (i.e., NT domain account is not computer account -- it is a resource account).

DoD is starting to take computer security seriously. However, they are using sledgehammers to stamp out flies. By doing this they make us (sys admins/net admins) question their capabilities. There are several issues here: (1) military vs civilian, (2) overreliance on FUD contractors, and (3) honesty between levels of commands.

[Signed] A concerned but disillusioned DoD employee

[There are certainly some pockets of enlightenment within DoD, but there are also some incredible examples of ostrich mentality, with heads in the sand. By the way, changing passwords does not help if sniffers are already in place. The deeper problem, familiar to RISKS readers, is the pervasive use of fixed passwords in the first place. PGN]