AKO Email Exploit

Corporate espionage is increasing in the cyber world.  Although there are methods to deter and detect the transfer of protected information like classified documents and personal identification information (PII), by the time Information Assurance Officers catch on to the behavior the damage is already done.

People can understand the transfer of trade secrets in big companies but not big government.  A United States Soldier is currently under investigation for harvesting and soliciting potentially harmful information about thousands of military members deployed down range in Iraq.  This information could put family members in danger or jeopardize operations and degrade mission efforts.  The ripple effect from the release of this information has a reach strong enough to cause another war by proxy alone.

Forensic investigators can break down the motive, but nobody can be sure.  Many of these “hot shots” steal email addresses and network topologies for cash.  It’s not really a surprise: many military members have their needs met financially, but they are always treading water just to keep them met.  An opportunist like the Soldier was likely frustrated with leadership, wanted fame, or wanted to test the system to see how far he could go.

Other motives go deeper than fame or testing the waters.  There are thousands of foreigners that claim US Citizenship for a more stable life in the military or even joining the service to access classified information to transfer to their home country.  These individuals aren’t spending time with a mailing list; these individuals are aiming for larger, more valuable information that can cripple the United States government.

Department of Defense employees, including active duty military, are issued a common access card (CAC).  The credit-card-sized CAC has a small embedded microchip that holds all of the individual’s information relevant to their computer network accounts.  The card is inserted into a USB CAC reader, and the computer prompts the member for a password or PIN.  The CAC allows the member to connect to DoD computer systems and networks using public and private encryption keys.

Another essential piece of information programmed into the member’s CAC is an email address.  This email address is also required to utilize computer systems.  The email stored on the chip is virtually published into a global access list (GAL) so that other domain users can look up the individual for communication purposes.  Everyone using the network can look in Microsoft Outlook’s contact listing and harvest thousands of email addresses by exporting the list to a private contact list.

There is a huge pile of information published on the DoD domain, and eventually someone will take advantage of the access they have to this information and use it for personal gain.  The Army Soldier that boosted 70,000 email addresses for personal gain is a prime example of how easy it is for anyone to capitalize on this information.

CACs are secured with high-level encryption, but once the information on the card is published on an enterprise network, everyone else with access can capture it.  Information Assurance Officers can monitor traffic and bandwidth usage to track a particular computer.  In the case of the Soldier, there is an event stored on that computer or device that can prove his machine was sending high volumes of traffic over the wire.
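The monitoring described above, as an added example that is not part of the original article: a small detector that reads constructed address-book access log lines (the log format, account names, hosts and entry counts are all hypothetical) and flags any account whose total of returned directory entries is far out of line with everyone else, which is what a bulk GAL export looks like from the Information Assurance side.

```python
import re
from collections import Counter

# Constructed sample log (hypothetical format): timestamp, account,
# client host, action, number of directory entries returned.
SAMPLE_LOG = """\
2010-03-01T08:02:11 user.alpha ws-1021 GAL_LOOKUP 1
2010-03-01T08:05:43 user.bravo ws-1044 GAL_LOOKUP 3
2010-03-01T08:06:10 user.alpha ws-1021 GAL_LOOKUP 1
2010-03-01T08:10:02 user.charlie ws-1099 GAL_EXPORT 25000
2010-03-01T08:11:30 user.charlie ws-1099 GAL_EXPORT 25000
2010-03-01T08:12:55 user.charlie ws-1099 GAL_EXPORT 20000
2010-03-01T08:15:00 user.delta ws-1102 GAL_LOOKUP 2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<account>\S+) (?P<host>\S+) (?P<action>\S+) (?P<count>\d+)$"
)

def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["count"] = int(d["count"])
        events.append(d)
    return events

def entries_per_account(events):
    """Total directory entries returned to each account."""
    totals = Counter()
    for e in events:
        totals[e["account"]] += e["count"]
    return totals

def flag_bulk_harvest(events, max_entries=5000, factor=50):
    """Flag accounts over an absolute ceiling or `factor` times the median
    of all accounts, and report which hosts they used."""
    totals = entries_per_account(events)
    if not totals:
        return {}
    ordered = sorted(totals.values())
    median = ordered[len(ordered) // 2]
    flagged = {}
    for acct, n in totals.items():
        if n > max_entries or n > factor * median:
            hosts = sorted({e["host"] for e in events if e["account"] == acct})
            flagged[acct] = {"entries": n, "hosts": hosts}
    return flagged
```

Thresholds are placeholders; in practice they would be tuned against the normal lookup volume of the enterprise and tied back to the host so the event can be correlated with the traffic records mentioned above.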