Army Denies Hacking Incident

The U.S. Army is denying that its systems were compromised by a recently discovered buffer overflow vulnerability in a component of Microsoft Windows 2000 used to manage the Web Distributed Authoring and Versioning protocol.

However, Pentagon sources acknowledged that an investigation into the compromise of a "military server" is now under way.

"To the best of our knowledge, an Army system was not attacked," said Col. Ted Dmuchowski, director of information assurance at the Army's Network Technology Enterprise Command. "According to our records, the military sites that were attacked did not belong to the Army."

Even so, "we do consider operating and defending the Army's computer networks to be no different than managing and defending the physical battlefield," Dmuchowski said. "We are aware of the vulnerability in the IIS 5.0 server software, and we have taken measures to push the appropriate patch down to all Army networks."

Server Shuffle

An Army source on Tuesday notified Russ Cooper, surgeon general at TruSecure, of the attack. However, Cooper said today that he misunderstood the Army source's explanation and now agrees that the Army wasn't the victim of a hacking incident.

"If the Army says that no Army server was compromised, that's fine," said Cooper. "But a military server was compromised." He declined to comment on which server had been infiltrated.

However, Pentagon sources said the Air Force Computer Emergency Response Team has been investigating a possibly related incident. The Air Force CERT and the Pentagon's Joint Task Force for Computer Network Defense couldn't be reached immediately for comment.

According to the Army source, administrators responsible for the undisclosed military system noticed that the exploit was conducting network mapping and outputting data on the terminal services port, Port 3389, to an unspecified region over and over again. Cooper said using Port 3389 was likely an attempt by the attacker to stay below the Army's security radar, since it is normally used for encrypted traffic that sniffers wouldn't try to decipher.

Microsoft Issues Patch

As for Microsoft's comments that it was fully aware of the vulnerability when Cooper contacted the company, Cooper said he stands by his original assertion that the executives at Microsoft whom he normally deals with--and who should have known about the vulnerability--were unaware of it.

"The people I spoke to were individuals who I would have expected to know about this issue," said Cooper. "When I spoke to them [on March 12], they didn't know what I was talking about."

Within hours, however, Microsoft confirmed that it had been working on developing a patch.