5 August 1999.

Anonymous 3 writes JYA that the immediately following message is mistaken: there has been an increase in DoD password protection measures, as stated by the initial message of this file, due to a fairly recent computer security incident. A portion of a confidential DoD document was provided for substantiation, with a request not to publish it. More on this topic would be welcome. Send to jy@jya.com.

3 August 1999. TT Anonymous 2.

There is NO "new" password policy.  In May, the Office of the
Assistant Secretary of Defense sent a memo reminding folks
about the *old* password policy and warning folks that the IG will
be checking to see if people were following the policy.

<http://www.c3i.osd.mil/org/cio/y2k/policy/Y2K_DoD_ISSP.pdf> [423k]

OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE
6000 DEFENSE PENTAGON
WASHINGTON, DC 20301-6000

COMMAND, CONTROL,
COMMUNICATIONS, AND
INTELLIGENCE

                             May 5, 1999

MEMORANDUM FOR  SECRETARIES OF THE MILITARY DEPARTMENTS
                CHAIRMAN OF THE JOINT CHIEFS OF STAFF
                UNDER SECRETARIES OF DEFENSE
                DIRECTOR, DEFENSE RESEARCH AND ENGINEERING
                ASSISTANT SECRETARIES OF DEFENSE
                GENERAL COUNSEL OF THE DEPARTMENT OF DEFENSE
                INSPECTOR GENERAL OF THE DEPARTMENT OF DEFENSE
                DIRECTOR, OPERATIONAL TEST AND EVALUATION
                ASSISTANTS TO THE SECRETARY OF DEFENSE
                DIRECTOR, ADMINISTRATION AND MANAGEMENT
                DIRECTORS OF DEFENSE AGENCIES

SUBJECT:   Year 2000 (Y2K) and the Importance of Adherence to
           Department of Defense (DoD) Information System Security
           Policy


     The Department of Defense Year 2000 Management Plan,
Appendix B, alerts "system owners and users for the potential of
creating increased vulnerabilities within, and the resulting
Information Warfare threat to the Defense Information
Infrastructure and DoD operational readiness throughout Y2K
testing, evaluation, and renovation processes." Administrative
Instruction 26 (AI 26), Chapter 11, Section 5.1.1.,
"Identification and Authentication," prescribes security measures
to provide protection from many Y2K related computer threats. As
the Year 2000 approaches, it is important that all personnel
using DoD systems comply with the guidance in AI 26, Chapter 11,
particularly Section 5.1.1., (see attachment). I have asked the
DoD Inspector General's office to begin to check for the
adherence to AI 26 as part of their ongoing Y2K audits.

     My point of contact for any additional information is
Mr. Walter Benesch at (703)602-0983, Ext. 129, e-mail:
benesch@osd.pentagon.mil.

                        Arthur L. Money
                        Senior Civilian Official

Attachment


ADMINISTRATIVE INSTRUCTION 26, CHAPTER 11 SECTION 5.1.1

(The complete AI 26 can be downloaded from: http://web7.whs.osd.mil/html3/ai-26.htm)

5.1.1. Identification and Authentication

The OSD Component system I&A policies and procedures are as follows:

+ A user is always required to enter a password during the login before that user is allowed to access the systems.
+ Passwords are at least eight characters long and must consist of both alpha and numeric characters.
+ Passwords are validated each time a user accesses the system.
+ Passwords are not displayed at any terminal or printer.
+ Passwords are changed at least every 90 days.
+ Electronically stored passwords are encrypted.
+ The number of consecutive authentication failures allowed to any system user is limited to five. A user's inability to successfully access the desktop system within the established limits automatically deactivates the user's access to the desktop system for a minimum of 20 minutes and creates an audit trail record.
+ The systems should maintain password history for 1 year on Unclassified and Classified systems for each user.
+ Users memorize their passwords.
+ Under normal circumstances, users do not disclose their personal passwords to anyone. Disclosing one's personal classified system password to anyone without a valid clearance and need-to-know constitutes a security violation.
+ A password that has been shared with another user must be changed as soon as possible.
+ If a user believes that his/her password has been compromised, the user must immediately notify the SA and/or ISSO.
+ SAs should share Unclassified system access passwords only when necessary. When possible, Unclassified system access passwords should also be written down, sealed in a Standard Form 700 (SF-700) or plain envelope, and protected in a manner similar to the classified system passwords.
+ SAs will make their classified system passwords available to other SAs only during an emergency. This effort will be accomplished by storing a copy of the password in a secure container authorized for storage of information of the classification level of the password. The password(s) must be written down and sealed in an SF-700 or plain envelope.
+ All factory set, default, or standard user IDs and passwords are removed or changed.
+ Passwords are changed when compromised, possibly compromised, forgotten, or when they appear on an audit document.
+ Passwords are disabled if a user no longer requires access to the system, including departures, deaths, or loss of security clearance.
+ Passwords are classified and controlled at the highest level of the information accessed or the classification level of the system.

[HTML by JYA]
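The mechanical parts of Section 5.1.1 (at least eight characters with both letters and digits, a 90-day maximum age, five consecutive failures followed by a 20-minute lockout and an audit trail record, and a one-year password history) can be enforced in a few dozen lines. The code below is an added illustration written for this page, not code from DoD or from AI 26; it stores a salted PBKDF2 hash where the instruction says only "encrypted", and the `Account` class, the caller-supplied clock and the audit tuple format are assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

# Limits taken from AI 26, Chapter 11, Section 5.1.1 as quoted above.
MIN_LEN, MAX_AGE, MAX_FAIL = 8, 90 * 86400, 5
LOCKOUT, HISTORY = 20 * 60, 365 * 86400          # seconds
def meets_policy(pw: str) -> bool:
    """At least eight characters, with both alpha and numeric characters."""
    return (len(pw) >= MIN_LEN and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))
def _derive(pw: str, salt: bytes) -> bytes:
    # Stored form is a salted PBKDF2 hash (assumption; AI 26 only says "encrypted").
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

@dataclass
class Account:                                     # hypothetical account record
    user: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""
    set_at: float = 0.0
    history: list = field(default_factory=list)   # (hash, retired_at)
    failures: int = 0
    locked_until: float = 0.0
    audit: list = field(default_factory=list)     # (time, user, event)
    def set_password(self, pw: str, now: float) -> str:
        if not meets_policy(pw):
            return "rejected: must be >=8 chars with letters and digits"
        h = _derive(pw, self.salt)
        recent = [old for old, t in self.history if now - t < HISTORY]
        if h == self.current or h in recent:
            return "rejected: reused within password history (1 year)"
        if self.current:
            self.history.append((self.current, now))
        self.current, self.set_at, self.failures = h, now, 0
        self.audit.append((now, self.user, "password changed"))
        return "ok"
    def authenticate(self, pw: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"                        # still inside 20-minute lockout
        if hmac.compare_digest(_derive(pw, self.salt), self.current):
            self.failures = 0
            return "expired" if now - self.set_at > MAX_AGE else "ok"
        self.failures += 1
        if self.failures >= MAX_FAIL:              # fifth consecutive failure
            self.locked_until, self.failures = now + LOCKOUT, 0
            self.audit.append((now, self.user, "lockout after 5 failures"))
            return "locked"
        return "denied"
```

Timestamps are passed in as seconds so the 90-day and one-year rules can be exercised without waiting; a real system would read the clock itself.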

2 August 1999. Thanks to Anonymous 1, PGN/WS.


From: "Stewart, William C (Bill), BNSVC" <billstewart@att.com>
To: cypherpunks@cyberpass.net
Subject: FW: DoD password management -- from Risks Digest
Date: Mon, 2 Aug 1999 16:32:07 -0500 

----------

Date: Wed, 21 Jul 1999 22:29:29 -0400
From: [Identity withheld by request]
Subject: DoD password management

   [This message is from Department of the Army civilian who has had Military
   active duty (53) system administration duties.  His or her identity is
   withheld for obvious reasons.  PGN]

I am an employee (15 + years) in the Department of Defense.  In the last few
days I have received the most ludicrous requirement yet.  It applies to
every part of DoD.  It requires us to change every password on every system
and then power down and power up the system.  I have been told this was
signed off by the Secretary of Defense upon urging by his Joint Task Force
for computer security.  For Army systems, this came in the form of a
majordomo message.  Last night I found out that it is the aftermath of an
incident.  Prior to this knowledge, a lot of us thought that this was just
an exercise.

When the initial message came in, MACOMS (Major Army Command typically 4
stars), RCERTS, and other institutions were called to see if this was a
hoax.  It turns out it wasn't.  They actually want us to complete this
requirement in less than 4 weeks.  Initially, we weren't told the reason for
the requirement -- just to get it done.

Shortly thereafter, we received another report that tells us (1) not to use
the word "password" when directing our users to do this, (2) to use verbiage
to our users explaining the need for the password change that is untrue, (3)
to have the users change their passwords themselves rather than have the
system force them to do it.  On (2), I don't think they intentionally wanted
us to lie; just obscure the reasons.  I first take issue that they have us
(Sys Admin/Net Admin) mislead our installation users (another risk).  Along
with every IT (govt. employee, contract, military) person whom I have talked
to at my installation, I think this requirement is overkill.  In addition to
using a lot of resources, it causes us to question the credibility of the
people who are making these decisions.  This in itself is a major risk.

Other thoughts:

1. Some people and sysadmins have about (3-7) passwords for various
   systems.  If they have to change all their passwords they are likely to
   recycle the same passwords, on different systems.  

2. I have spoken with my counterparts at different Army installations.  For
   the most part they want to define the problem away (i.e., NT domain
   account is not computer account -- it is a resource account).

DoD is starting to take computer security seriously.  However, they are
using sledgehammers to stamp out flies.  By doing this they make us (sys
admins/net admins) question their capabilities.

There are several issues here. (1) military vs civilian, (2) overreliance on
FUD contractors, and (3) honesty between levels of commands.

[Signed] A concerned but disillusioned DoD employee

   [There are certainly some pockets of enlightenment within DoD,
   but there are also some incredible examples of ostrich mentality,
   with heads in the sand.  By the way, changing passwords does not
   help if sniffers are already in place.  The deeper problem, familiar
   to RISKS readers, is the pervasive use of fixed passwords in the 
   first place.  PGN]