The Mysteries of SIPRNet
by The Ruiner
As a Canadian hacker, it's always heart-warming to see texts written by fellow H/P'ers from up here in the north country (a sarcastic label in my case, since I live in the most southern part of Canada).
So in that spirit, I decided to write this article about an experience I had exploring the security features of and getting busted for a hack on the U.S. Defense Department's "Secret Internet Protocol Routing Network" (SIPRNet).
The SIPRNet, back in the good ol' days of 1994-1995, was still quite "under construction," so to speak, and not exactly living up to its namesake as a secured means of connecting some of the U.S. military's more "top secret" and sensitive computer systems to the "rest of the world" (now there is irony!).
Through some investigation (and more or less with a stroke of "luck"), I came to find myself in contact with a man from a Californian Naval base who was employed on a team that was responsible for the installation of some new SIPRNet routers and mainframes there.
Through him, I was able to obtain information regarding the security status of the fledgling network including some blanket mainframe system specs and the status of the net's main security feature at that time, which was an interesting dual-firewall construction.
The SIPRNet, at its core, consisted of DEC Alpha-type mainframes (running at 400 MHz) which were used as the primary network servers. Running a UNIX-style variant, they hadn't many security features beyond the standard *NIX network bullshit, as the DoD hadn't quite gotten around to actually securing the systems with all of that hardcore military tracking software/equipment that so-called "secured networks" are infamous for.
Instead, the network was protected by not much more than a unique DES-encrypted firewall architecture. For the sake of explanation, this firewall can be simply represented as a two-dimensional object, one side colored RED, the other colored BLACK. The BLACK side of the firewall functions as any other, in that it only accepts connections from a very exclusive set of network systems (although at the time, holes within this side of the wall were quite common).
The RED side, however, serves to DES encrypt/decrypt incoming and outgoing packets. Thus it stands to reason that any successful attempt to gain access to the network would require finding a break (be it a loophole, backdoor, bureaucratic screw-up, whatever) in the RED side of the wall; otherwise one would still be required to deal with the problem of encrypted network packets (thus making any connection useless to the mere mortal).
The RED/BLACK sides of this object are, of course, part of the same system. The BLACK side hands off any valid attempt at access to the RED side, which deals with the secondary security measures (i.e., encryption/decryption, although regarding the nature of which I had obtained little information).
In turn, if access is made through the RED side, the BLACK side will recognize the attempt as valid.
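To make the two-sided model concrete from a defender's point of view, here is an added illustration of the BLACK/RED gateway as the article describes it. This is not code from the article or from any DoD system, and it assumes a stand-in for DES: a SHA-256 keystream in counter mode plus an HMAC-SHA256 tag (DES is not in Python's standard library). The allowlist, key, nonce and packets are constructed sample values. The point it shows is the one made above: a hole in the BLACK side alone yields nothing readable, because a packet that was not wrapped with the RED-side key fails verification and decrypts to nothing.

```python
"""Model of the RED/BLACK gateway the article describes.

Added illustration, not code from the article or from any DoD system.
Assumptions: DES is stood in for by a SHA-256 keystream (counter mode)
plus an HMAC-SHA256 tag; allowlist, key, nonce and packets are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed: the "exclusive set" of sources the BLACK side admits, and the
# secret that only RED-side peers hold.
BLACK_ALLOWLIST = {"10.0.0.5", "10.0.0.9"}
RED_KEY = b"constructed-demo-key-not-a-real-secret"
NONCE_LEN, TAG_LEN = 12, 32

ACCEPT, DROP_BLACK, REJECT_RED = "ACCEPT", "DROP_BLACK", "REJECT_RED"


@dataclass
class Packet:
    src: str
    payload: bytes  # as seen on the wire: nonce || ciphertext || tag


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keyed PRF in counter mode; stands in for the DES layer."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def red_wrap(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """RED side, outbound: encrypt and authenticate a packet body."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def red_unwrap(key: bytes, blob: bytes):
    """RED side, inbound: verify the tag first, then decrypt.

    Returns None when the blob is not a valid RED packet under this key,
    i.e. wrong key, no wrapping at all, or a tampered ciphertext.
    """
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def black_side_admits(pkt: Packet, allowlist=BLACK_ALLOWLIST) -> bool:
    """BLACK side: plain source filtering against the exclusive set."""
    return pkt.src in allowlist


def gateway(pkt: Packet, key: bytes = RED_KEY, allowlist=BLACK_ALLOWLIST):
    """Run a packet through both sides; returns (decision, plaintext or None)."""
    if not black_side_admits(pkt, allowlist):
        return DROP_BLACK, None
    plaintext = red_unwrap(key, pkt.payload)
    if plaintext is None:
        return REJECT_RED, None
    return ACCEPT, plaintext


if __name__ == "__main__":
    nonce = b"\x00" * NONCE_LEN          # constructed; a real peer would use a fresh nonce
    good = red_wrap(RED_KEY, nonce, b"status request")
    print(gateway(Packet("10.0.0.5", good)))          # ACCEPT, b'status request'
    print(gateway(Packet("192.0.2.1", good)))         # DROP_BLACK: source not admitted
    print(gateway(Packet("10.0.0.5", b"status request")))  # REJECT_RED: never RED-wrapped
    print(red_unwrap(b"guess", good))                 # None: no key, only ciphertext
```

Note the ordering on the inbound path: the tag is checked before anything is decrypted, so a packet that passed the BLACK filter but was not produced by a RED-side peer is discarded without the gateway acting on its contents.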
A few fellow comrades and I decided to make an attempt at verifying the validity of this information (and perhaps obtaining some more technical explanations of the system along the way). Thanks to an IP address range provided by the wonders of social engineering, it became entirely possible to gain access to the network using not much more than some homemade IP scanning software and the exploitation of common UNIX backdoors. A clever hacker with the inclination could have, therefore, laid a backdoor for future access to the network after the system's security was completed (although I seriously doubt that the military would let any backdoor go undetected, the possibility nevertheless remains).
Go figure, but United States Naval Intelligence (out of California), the FBI, and the Royal Canadian Mounted Police (RCMP) - your friendly Canadian federal police agency - didn't think the theories (nor the "alleged" successful attempts at system access) were very funny. It could be interesting to note, however, that the knock at the door didn't come until a whole year later (after I had discovered that several U.S. hackers were also questioned about their knowledge regarding the SIPRNet).
At any rate, thanks to living outside of the U.S., the Secret Service wasn't able to use its smash-into-your-house-and-seize-everything-you-own approach to justice. Rather, a couple of well-dressed FBI agents, a shadowy RCMP detective, a man from Naval Intelligence and a "computer guy" from Washington decided to ask permission to search my computer. (Why not? The look on the "computer guy's" face was priceless after he realized that I owned a Macintosh.) At any rate, after a very friendly chat about how I could have been arrested for some conspiratory seditious treason bullshit if I lived in the United States, they kindly asked me never to discuss the incident and left (I've never heard from them again).
I'd figure that now, about three or four years later, the SIPRNet's security features would have been completed, or at least improved to a substantial degree. Therefore, attempting to unlawfully access this system by the aforementioned means alone would not be advisable, if it is still possible at all (especially given the resources of the military to track you down). Nonetheless, the firewall scheme described in this article was probably brought out of service after the SIPRNet was put into full operation through the use of "closed-circuit" DISN dial-ups.
In the past, the SIPRNet was accessible through the "public" MILNET, as the delicate process of network construction required it. Such was the nature of the firewall protecting the few connected network systems.
Nowadays, however, access to the SIPRNet is accomplished through DISN remote access dial-in services. These services are provided by Cisco 2511 Terminal Servers, which require client systems to possess specialized hardware called "Communication Service Cards" (CS cards) before valid access can be granted. These cards provide a means of communication by connecting with the DISN router layer.
These cards contain a unique internal "Access Code" (AC), which the Communications Servers use to determine the validity of system access. They come in two varieties: one for named individuals, the other for specific (though necessarily small) groups of individuals. Despite the differing classifications, both types of CS cards are only valid for usage by one person at any one time. The ever-mysterious UID is home to a user-specific DDN NIC handle which identifies both the user and their location. This location definition is accomplished through the use of unique "ORGIDs" (Origin Identifications), which is how the military tracks the geographic and network locations of its systems.
Individual cards are registered and distributed by "Local Access Authorities" (LAAs) to specific client users, while group cards are issued by the same LAA but in the name of an "Organizational Card Custodian" (OCC). This individual is responsible for the administration and proper use of any cards within his group. An OCC is entitled to some 25 cards per year and, as such, "organizational" CS cards are reserved, whenever possible, for temporary and emergency use, as they do not retain the same security level that the individual card versions do.
DISN access authorities (where card, NIC, and access registrations are accepted and enforced) include "Service/Agency Authorities," "Regional Access Authorities" and "Local Access Authorities," each of which has responsibilities within its region of influence. Such responsibilities often extend to blanket control over "regional" policies, as well as over what network activities are prohibited or endorsed.
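The card rules in the preceding paragraphs (named-holder cards versus custodian-issued group cards, one user per card at a time, and the custodian's annual allotment) are the kind of thing a terminal server's authorization step has to enforce. The following is an added model of those checks; it is not code from the article, from DISN, or from Cisco. It assumes the rules can be expressed as plain lookups against a registry that stands in for the LAA's records; the NIC handles, ORGIDs and access codes are constructed placeholders, and the "full"/"reduced" trust labels are a constructed way of expressing the article's remark that organizational cards carry a lower security level. The 25-cards-per-year figure is the one the article gives.

```python
"""Model of the CS-card access rules described above.

Added illustration, not code from the article, DISN, or Cisco. Assumptions:
the rules are encoded as plain Python checks; NIC handles, ORGIDs, access
codes and the "full"/"reduced" trust labels are constructed placeholders.
The 25-cards-per-year quota is the figure the article gives.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

INDIVIDUAL, ORGANIZATIONAL = "individual", "organizational"
OCC_ANNUAL_QUOTA = 25  # per the article: cards an OCC may be issued per year


@dataclass
class CSCard:
    access_code: str                   # the card's internal AC
    kind: str                          # INDIVIDUAL or ORGANIZATIONAL
    holder: str                        # NIC handle of the named user, or of the OCC
    orgid: str                         # location the card is registered against
    issued_by: str                     # the Local Access Authority that registered it
    active_user: Optional[str] = None  # whoever currently holds a session on it


class AccessRegistry:
    """Stands in for the LAA records a terminal server would consult."""

    def __init__(self) -> None:
        self.cards: Dict[str, CSCard] = {}
        self.occ_issued: Dict[Tuple[str, int], int] = {}

    def issue(self, card: CSCard, year: int) -> bool:
        """Register a card; refuses a group card once the OCC's annual allotment is used up."""
        if card.kind == ORGANIZATIONAL:
            key = (card.holder, year)
            if self.occ_issued.get(key, 0) >= OCC_ANNUAL_QUOTA:
                return False
            self.occ_issued[key] = self.occ_issued.get(key, 0) + 1
        self.cards[card.access_code] = card
        return True

    def connect(self, access_code: str, user: str) -> Tuple[str, Optional[str]]:
        """Terminal-server decision: (status, trust label or None)."""
        card = self.cards.get(access_code)
        if card is None:
            return "REJECT_UNKNOWN_CARD", None
        if card.kind == INDIVIDUAL and user != card.holder:
            return "REJECT_NOT_NAMED_HOLDER", None   # individual cards bind to one handle
        if card.active_user not in (None, user):
            return "REJECT_CARD_IN_USE", None        # one person at a time, either kind
        card.active_user = user
        return "ACCEPT", "full" if card.kind == INDIVIDUAL else "reduced"

    def disconnect(self, access_code: str) -> None:
        """Release the card so another permitted user may take it up."""
        card = self.cards.get(access_code)
        if card is not None:
            card.active_user = None


if __name__ == "__main__":
    reg = AccessRegistry()
    reg.issue(CSCard("AC-0001", INDIVIDUAL, "JD123", "ORG-X", "LAA-1"), 1998)
    reg.issue(CSCard("AC-G001", ORGANIZATIONAL, "OCC-1", "ORG-X", "LAA-1"), 1998)
    print(reg.connect("AC-0001", "JD123"))   # ('ACCEPT', 'full')
    print(reg.connect("AC-0001", "XY999"))   # ('REJECT_NOT_NAMED_HOLDER', None)
    print(reg.connect("AC-G001", "AB1"))     # ('ACCEPT', 'reduced')
    print(reg.connect("AC-G001", "CD2"))     # ('REJECT_CARD_IN_USE', None)
```

The two decisions a defender cares about are visible in `connect`: a group card is shared across a custodian's group but never concurrently, and it never yields the same trust level as a card bound to a named holder, which is why the article describes the organizational variety as a fallback for temporary and emergency use.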
Although I am at a loss for any more current information regarding the security status of the routing network, the DDN does administer a NIC page regarding the SIPRNet at nic.ddn.mil/siprnet, and there is a DoD operated Support Center which can be contacted toll-free at 800-582-2567 or direct at 703-821-6260.
Vive le Canada and Happy Hacking!