January 13, 2012

Chinese Hack Defense Smart Cards

In the eternal struggle of measure/counter-measure, it seems the U.S. government is one step behind again:
Hackers in China have found a way to infiltrate supposedly secure smart cards used by U.S. government employees, according to security company AlienVault.
Government agencies use smart cards as an extra layer of security on top of passwords, according to the New York Times. Since passwords have been easy enough to hack, the smart cards were supposed to provide a final line of defense, at least until the new strain of Sykipot popped up.
I use a common access card (CAC) for part-time work as a defense contractor and for access to unclassified defense networks, email and military installations. They also have tons of personal data on them.

Now the Chinese have tons of personal data on us.

Next month Army Knowledge Online (AKO), a collaboration website I'm required to use for work, will require smart card log-in. I don't like AKO because its interface with various browsers seems sluggish, and its design and functionality dated. Like all government enterprises, it doesn't work well with others.

I'll also have to buy a smart card reader for my Macbook.

A few days ago I spent half a day trying to take on-line training in internet security from another Army website. Problem was the training required that you log-in with a CAC.

Since I don't have a smart card reader on my Mac, I fired up an old Dell with a smart card reader. After about an hour of downloading Norton security and windows updates, I got down to business.

Downloading the DoD certificates was a breeze, but getting the software that allowed the handshaking between the operating system and the smart card hardware required... you guessed it, a CAC log-in to AKO. For some reason, the old Dell was not able to log into AKO just with a password.

I then did a search for the download and found a copy on the AFRICOM website. After downloading and attempting to run the program, I got error messages galore; a massive failure.

I went back to the Mac and was able to log into AKO with just a password and downloaded the app on a thumb drive and transferred that to the Dell. After running the program, the smart card icon appeared in my applications bar, recognized the DoD certificates and worked fabulously.

After my adventures in tech-land, taking the on-line information awareness training was a snap. I completed the courses, took the tests and emailed my certificates to the security drones in Korea who live for such things.

As an aside, it was taking inordinately long to email those certificate on AKO; since when I forwarded the attached certs to the recipient, there was no send button anywhere. I finally attached the certs to my google email. That, too worked fabulously.

Come to think about it, I don't remember reading anything at all on the Chinese during my info awareness training.