5 August 1999.
Anonymous 3 writes JYA that the immediately following message is mistaken: there has been an increase in DoD password protection measures, as stated by the initial message of this file, due to a fairly recent computer security incident. A portion of a confidential DoD document was provided as substantiation, with a request not to publish it. More on this topic would be welcome. Send to jy@jya.com.
3 August 1999. TT Anonymous 2.
There is NO "new" password policy. In May, the Office of the Assistant Secretary of Defense sent a memo reminding folks about the *old* password policy and warning folks that the IG will be checking to see if people were following the policy. <http://www.c3i.osd.mil/org/cio/y2k/policy/Y2K_DoD_ISSP.pdf> [423k]
OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE
6000 DEFENSE PENTAGON
WASHINGTON, DC 20301-6000
COMMAND, CONTROL,
COMMUNICATIONS, AND
INTELLIGENCE
May 5, 1999
MEMORANDUM FOR SECRETARIES OF THE MILITARY DEPARTMENTS
CHAIRMAN OF THE JOINT CHIEFS OF STAFF
UNDER SECRETARIES OF DEFENSE
DIRECTOR, DEFENSE RESEARCH AND ENGINEERING
ASSISTANT SECRETARIES OF DEFENSE
GENERAL COUNSEL OF THE DEPARTMENT OF DEFENSE
INSPECTOR GENERAL OF THE DEPARTMENT OF DEFENSE
DIRECTOR, OPERATIONAL TEST AND EVALUATION
ASSISTANTS TO THE SECRETARY OF DEFENSE
DIRECTOR, ADMINISTRATION AND MANAGEMENT
DIRECTORS OF DEFENSE AGENCIES
SUBJECT: Year 2000 (Y2K) and the Importance of Adherence to
Department of Defense (DoD) Information System Security
Policy
The Department of Defense Year 2000 Management Plan,
Appendix B, alerts "system owners and users for the potential of
creating increased vulnerabilities within, and the resulting
Information Warfare threat to the Defense Information
Infrastructure and DoD operational readiness throughout Y2K
testing, evaluation, and renovation processes." Administrative
Instruction 26 (AI 26), Chapter 11, Section 5.1.1.,
"Identification and Authentication," prescribes security measures
to provide protection from many Y2K related computer threats. As
the Year 2000 approaches, it is important that all personnel
using DoD systems comply with the guidance in AI 26, Chapter 11,
particularly Section 5.1.1., (see attachment). I have asked the
DoD Inspector General's office to begin to check for the
adherence to AI 26 as part of their ongoing Y2K audits.
My point of contact for any additional information is
Mr. Walter Benesch at (703)602-0983, Ext. 129, e-mail:
benesch@osd.pentagon.mil.
Arthur L. Money
Senior Civilian Official
Attachment
ADMINISTRATIVE INSTRUCTION 26, CHAPTER 11
SECTION 5.1.1
(The complete AI 26 can be downloaded from:
http://web7.whs.osd.mil/html3/ai-26.htm)
5.1.1. Identification and Authentication
The OSD Component system I&A policies and procedures are
as follows:
+ A user is always required to enter a password during the login
before that user is allowed to access the systems.
+ Passwords are at least eight characters long and must consist
of both alpha and numeric characters.
+ Passwords are validated each time a user accesses the system.
+ Passwords are not displayed at any terminal or printer.
+ Passwords are changed at least every 90 days.
+ Electronically stored passwords are encrypted.
+ The number of consecutive authentication failures allowed to
any system user is limited to five. A user's inability to
successfully access the desktop system within the established
limits automatically deactivates the user's access to the desktop
system for a minimum of 20 minutes and creates an audit trail
record.
+ The systems should maintain password history for 1 year on
Unclassified and Classified systems for each user.
+ Users memorize their passwords.
+ Under normal circumstances, users do not disclose their
personal passwords to anyone. Disclosing one's personal
classified system password to anyone without a valid clearance
and need-to-know constitutes a security violation.
+ A password that has been shared with another user must be
changed as soon as possible.
+ If a user believes that his/her password has been compromised,
the user must immediately notify the SA and/or ISSO.
+ SAs should share Unclassified system access passwords only
when necessary. When possible, Unclassified system access
passwords should also be written down, sealed in a Standard Form
700 (SF-700) or plain envelope, and protected in a manner similar
to the classified system passwords.
+ SAs will make their classified system passwords available to
other SAs only during an emergency. This effort will be
accomplished by storing a copy of the password in a secure
container authorized for storage of information of the
classification level of the password. The password(s) must be
written down and sealed in an SF-700 or plain envelope.
+ All factory set, default, or standard user IDs and passwords
are removed or changed.
+ Passwords are changed when compromised, possibly compromised,
forgotten, or when they appear on an audit document.
+ Passwords are disabled if a user no longer requires access to
the system, including departures, deaths, or loss of security
clearance.
+ Passwords are classified and controlled at the highest level
of the information accessed or the classification level of the
system.
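The technical rules in Section 5.1.1 (eight-character alphanumeric passwords, five consecutive failures followed by a 20-minute deactivation with an audit record, a 90-day maximum age, a one-year history, and no cleartext storage) are concrete enough to model as code. The following is an added example written for this page, not part of the Cryptome page, the OSD memo or AI 26; the user name, password, timestamps and the choice of a salted PBKDF2 hash to stand in for the memo's "encrypted" storage are constructed assumptions.

```python
"""Model of the AI 26 Section 5.1.1 I&A rules (added example, not the
document's own code). Constants name the rule each value comes from."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8                      # "at least eight characters long"
MAX_FAILURES = 5                    # consecutive failures "limited to five"
LOCKOUT = timedelta(minutes=20)     # deactivated "for a minimum of 20 minutes"
MAX_AGE = timedelta(days=90)        # "changed at least every 90 days"
HISTORY_AGE = timedelta(days=365)   # "password history for 1 year"


def check_composition(password: str) -> list[str]:
    """Return the composition rules a candidate password violates (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than eight characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Assumption: a salted PBKDF2-SHA256 digest is used so that the stored
    # value is never the cleartext password ("electronically stored
    # passwords are encrypted").
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user: str
    salt: bytes = b""
    digest: bytes = b""
    changed_at: datetime = datetime.min
    history: list = field(default_factory=list)   # (when, salt, digest)
    failures: int = 0
    locked_until: datetime = datetime.min
    audit: list = field(default_factory=list)
    enabled: bool = True

    def set_password(self, new: str, now: datetime) -> None:
        problems = check_composition(new)
        if problems:
            raise ValueError("; ".join(problems))
        # History rule: refuse any password used within the past year.
        for when, salt, digest in self.history:
            if now - when <= HISTORY_AGE and hmac.compare_digest(_hash(new, salt), digest):
                raise ValueError("password reused within one year")
        self.salt = os.urandom(16)
        self.digest = _hash(new, self.salt)
        self.changed_at = now
        self.history.append((now, self.salt, self.digest))
        self.failures = 0

    def expired(self, now: datetime) -> bool:
        """True once the 90-day maximum age has passed."""
        return now - self.changed_at > MAX_AGE

    def authenticate(self, attempt: str, now: datetime) -> bool:
        """Validate the password on every access; lock out after five failures."""
        if not self.enabled or now < self.locked_until:
            self.audit.append(f"{now.isoformat()} {self.user} login refused (disabled or locked)")
            return False
        if hmac.compare_digest(_hash(attempt, self.salt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        self.audit.append(f"{now.isoformat()} {self.user} authentication failure {self.failures}")
        if self.failures >= MAX_FAILURES:
            # Deactivate for 20 minutes and create the audit trail record.
            self.locked_until = now + LOCKOUT
            self.failures = 0
            self.audit.append(f"{now.isoformat()} {self.user} deactivated until {self.locked_until.isoformat()}")
        return False


def demo() -> dict:
    """Constructed scenario exercising each rule; returns the observed outcomes."""
    t0 = datetime(1999, 8, 2, 9, 0)            # constructed timestamp
    acct = Account("jdoe")                     # constructed user name
    acct.set_password("pentagon99", t0)        # constructed password
    out = {"good_login": acct.authenticate("pentagon99", t0)}
    for i in range(MAX_FAILURES):              # five consecutive bad attempts
        acct.authenticate("wrong-guess", t0 + timedelta(seconds=i))
    out["locked_after_five"] = acct.locked_until > t0
    out["refused_while_locked"] = acct.authenticate("pentagon99", t0 + timedelta(minutes=10))
    out["accepted_after_lockout"] = acct.authenticate("pentagon99", t0 + timedelta(minutes=30))
    out["expired_after_90_days"] = acct.expired(t0 + timedelta(days=91))
    try:
        acct.set_password("pentagon99", t0 + timedelta(days=30))
        out["reuse_rejected"] = False
    except ValueError:
        out["reuse_rejected"] = True
    out["audit_records"] = len(acct.audit)
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the lockout refuses even the correct password until the 20 minutes have elapsed, and that the history check compares against each stored salted digest rather than against cleartext, so the one-year history can be kept without retaining old passwords in a readable form.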
[HTML by JYA]
2 August 1999. Thanks to Anonymous 1, PGN/WS.
From: "Stewart, William C (Bill), BNSVC" <billstewart@att.com>
To: cypherpunks@cyberpass.net
Subject: FW: DoD password management -- from Risks Digest
Date: Mon, 2 Aug 1999 16:32:07 -0500

----------

Date: Wed, 21 Jul 1999 22:29:29 -0400
From: [Identity withheld by request]
Subject: DoD password management

[This message is from a Department of the Army civilian who has had Military active duty (53) system administration duties. His or her identity is withheld for obvious reasons. PGN]

I am an employee (15+ years) in the Department of Defense. In the last few days I have received the most ludicrous requirement yet. It applies to every part of DoD. It requires us to change every password on every system and then power down and power up the system. I have been told this was signed off by the Secretary of Defense upon urging by his Joint Task Force for computer security. For Army systems, this came in the form of a majordomo message.

Last night I found out that it was the aftermath of an incident. Prior to this knowledge, a lot of us thought that this was just an exercise. When the initial message came in, MACOMS (Major Army Command, typically 4 stars), RCERTS, and other institutions were called to see if this was a hoax. It turns out it wasn't. They actually want us to complete this requirement in less than 4 weeks.

Initially, we weren't told the reason for the requirement -- just to get it done. Shortly thereafter, we received another report that tells us (1) not to use the word "password" when directing our users to do this, (2) to use verbiage to our users explaining the need for the password change that is untrue, (3) to have the users change their passwords themselves rather than have the system force them to do it. On (2), I don't think they intentionally wanted us to lie; just obscure the reasons.

I first take issue that they have us (Sys Admin/Net Admin) mislead our installation users (another risk). Along with every IT (govt. employee, contract, military) person whom I have talked to at my installation, I think this requirement is overkill. In addition to using a lot of resources, it causes us to question the credibility of the people who are making these decisions. This in itself is a major risk.

Other thoughts:

1. Some people and sysadmins have about (3-7) passwords for various systems. If they have to change all their passwords they are likely to recycle the same passwords on different systems.

2. I have spoken with my counterparts at different Army installations. For the most part they want to define the problem away (i.e., NT domain account is not computer account -- it is a resource account).

DoD is starting to take computer security seriously. However, they are using sledgehammers to stamp out flies. By doing this they make us (sys admins/net admins) question their capabilities. There are several issues here: (1) military vs civilian, (2) overreliance on FUD contractors, and (3) honesty between levels of commands.

[Signed] A concerned but disillusioned DoD employee

[There are certainly some pockets of enlightenment within DoD, but there are also some incredible examples of ostrich mentality, with heads in the sand. By the way, changing passwords does not help if sniffers are already in place. The deeper problem, familiar to RISKS readers, is the pervasive use of fixed passwords in the first place. PGN]