Posted by michael on Thursday April 22,
@11:35AM from the wargames
dept. codingOgre writes "The US Army will try to secure
an entire computer network against a team led by the NSA. They
are cadets at West Point competing against military academies and
other schools in a four-day Cyber Defense Exercise this week. I
would have to think that this would be a lot of fun! I would like to
see what the NSA and friends could throw at my network, although one
would think they wouldn't reveal all their cards...like the backdoor
into any Windows box:)" In a related story,
jkinney3 writes: "The feds are wising up to the need for a
verifiable, secure code base for all of the DOD stuff, according to
Government
Computing News. A proposed solution 'would create a single
executive organization responsible for software integrity and
information assurance.' Joe Jarzombek, deputy director for software
assurance in DOD’s Information Assurance Directorate, said 'DOD
possesses so many millions of lines of code in countless thousands
of packages, that it would take years of effort and millions of
dollars just to identify what was developed where.' I'm envisioning
a lot of Bugzilla
installations."
It's funny but unfortunately true. My father
does this for a living, and part of his job is
dealing with ijits who send classified reports to
their Hotmail accounts so they can work on them at
home. (If you knew the ranks of some of the guys who
do that, you'd be building a bomb shelter right
now.)
Will the network have UNIX- or Windows-based OSes?
I would think the better idea is to use a mixture of
OS/platforms to simulate a real-world network, but it
should've been mentioned.
It would also be interesting to see which OS allows
the "red team" to infiltrate the network.
The requirements specify using
Exchange, but otherwise we're free to use whatever
operating systems we want. Obviously I can't say
what we're using for operational security reasons,
but let's just say that it's a heterogeneous
environment.
It sounds like a CTF match, except via the
government. I somehow doubt they'd publish packet dumps
and such of the event, but that'd be even more
interesting. Kudos to the NSA/DoD for trying to ensure
some of our vital infrastructure is secured from attack.
While we would like to thank you for participating
in our security test, we cannot further report on this
event due to National Security, and we humbly request
that all key loggers, camera phones and recording
devices remain in the safe hands of our NSA
coat-check-girls (for fine tuning).
Army lost last year not because of a successful
outside attack but from a self-inflicted wound in which
an authorized network user accidentally knocked out
service for several hours, costing precious points that
helped Air Force prevail. Isn't this how most
corporate networks are taken down? BTW, I can't access
the intranet.
Army lost last year not because of a successful
outside attack but from a self-inflicted wound in
which an authorized network user accidentally knocked
out service for several hours, costing precious points
that helped Air Force prevail.
Well, that's not exactly what happened. I
was a member of the Air Force Academy's team. I don't
want to give too much away because you never know who
will be reading this, but the Air Force's team didn't
have a SINGLE break-in during the entire exercise.
Even when we were ordered to take down our firewalls
on the last day, all of our machines were so locked down
(even the requisite Windows boxen) that there were no
compromises. The Red Team wasn't even able to perform
a 100% successful DoS attack.
The exercise was basically run like this. Every
team was given more or less the same hardware/number of
machines to use to defend their network. You were
allowed to use any operating system you felt was
necessary, although a certain number of Windows
machines had to be on the network. Each team had to
provide a variety of services, including local
account, local mail for members of the red team, web
servers, database services, mail, DNS and FTP. SFTP
was not allowed, so you had to be creative in your
security.
Services were measured by downtime - a service
could go down for a specific amount of time before
points were taken away. The points were on a
subjective scale based on amount of downtime, how you
remedied it, etc.
It should ALSO be noted that this is an exercise
that resides purely in Academia - it's an exercise
between a bunch of different service academies, which
is NOT the same thing as the operational United States
military.
All in all, it was an EXTREMELY exciting exercise,
lots of attacks were thwarted, many cans of Mountain
Dew were imbibed. We laughed a little, cried a little,
heck we even learned a little.
haha (Score:5, Interesting) by Anonymous Coward on Thursday April 22, @11:46AM (#8939460)
We get random NetBIOS traffic from the DoD all the
time... looks like something is not locked down over
there. Either that or they are scanning other government
agencies for open Windows computers. hmmmm.
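The complaint above (stray NetBIOS traffic from a government netblock) is the kind of thing a gateway log can confirm or refute. What follows is an added example, not code from the thread or from any of the organisations mentioned: it reads constructed, netfilter-style log lines and reports any external source that probed NetBIOS/SMB ports (137, 138, 139, 445) on several distinct internal hosts, which separates a sweep from a single stray datagram. The log format, addresses and the three-host threshold are assumptions.

```python
"""Flag external sources sweeping NetBIOS/SMB ports across internal hosts.

Added example (not from the original thread). The log lines, addresses and
thresholds are constructed for illustration.
"""
import re
from collections import defaultdict

# NetBIOS name (137), datagram (138) and session (139) service, plus direct SMB (445).
NETBIOS_PORTS = {137, 138, 139, 445}

# Constructed sample lines in the style of a netfilter LOG target.
# 198.51.100.7 sweeps four hosts; 203.0.113.9 sends one stray datagram;
# 203.0.113.5 is ordinary web traffic and must not be reported.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=137 DPT=137
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=4455 DPT=445
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=4456 DPT=139
kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dpt) or None when the line is not a netfilter hit."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])


def netbios_scanners(log_text, min_targets=3):
    """Map each source to the sorted internal hosts it probed on NetBIOS/SMB ports.

    Only sources that touched at least `min_targets` distinct hosts are kept,
    so a single misdirected name query is not reported as a scan.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, _proto, dpt = rec
        if dpt in NETBIOS_PORTS:
            targets[src].add(dst)
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, hosts in netbios_scanners(SAMPLE_LOG).items():
        print(f"{src} probed NetBIOS/SMB on {len(hosts)} hosts: {', '.join(hosts)}")
```

Port 445 is direct-hosted SMB rather than NetBIOS proper, but it is included because a host enumerating Windows shares will usually try both; raise `min_targets` on a busy perimeter to keep the report to genuine sweeps.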
NSA: we've found these holes
DOD: fixed
DOD: hey, now even you guys can't get in!
NSA: riiiiiiiiight...
DOD: there's more?
NSA: *whistles innocently*
DOD: could others have discovered the same exploits?
NSA: theoretically, that is, if there were any
DOD: so theoretically, if they nuke us with our own nukes, it's your fault
NSA: ....*whoops*
Cyber warfare, a subset of classic information
war that goes back as far as ancient Chinese military
strategist Sun Tzu, has pushed its way into U.S.
military curricula as the Internet has become
pervasive.
It is good to see the issue of computer security
intelligently approached.
It is much better to
harness the natural competitiveness and curiosity of
your geeks than to suppress it by any means possible and
depend on security by obscurity.
A sergeant is pacing in front of a line of soldiers
at attention, bellowing, "I've never seen such a sloppy
outfit! Dictionary passwords on the root filesystem -
open NetBIOS ports on the security
gateway!!"
Unfortunately, exercises like this show how our
conventional approach to warfare (cyber- or human-) is
doomed in a world of increasingly unconventional war
tactics.
With a network or a piece of land,
actively defending against a known enemy in a known
timeframe is fairly easy. You know the rules for
engagement, you can easily account for all the possible
outcomes.
Putting processes in place to defend
against undeterminable attackers in an indefinite
timeframe approaches the impossible. In a network, all
it takes for hostile code to infiltrate is one human
error (e.g., a race condition when a firewall ACL
changes). Same with terrorism: all it takes is a few
people with flight training and box-cutters to do some
serious damage. There are no rules of
engagement.
Put another way, conventional warfare
(again, cyber- or human-) is like a chess tournament.
Predictable rules. For the unconventional, imagine
someone winning a chess tournament by pulling out a gun
and shooting the opposing player.
So what do you do? Give up because it is too
hard?
You act like conventional warfare is
always straightforward. Everyone just lines up and
fights a certain way between certain hours. Deception,
misdirection, and the element of surprise have always
been major factors in warfare. Nothing has changed.
Warriors have always had to adjust to new techniques
and technologies.
I agree with you that it is
impossible to account for all possibilities. I’m sure
that the first guy to be shot with a firearm was
pretty surprised as his suit of armor was pierced by
the bullet. The test of a warrior is how quickly you
can adapt. Once you see your people fall with holes in
the armor, you better be able to come up with a new
strategy for protecting yourself. These types of games
can help to tune those skills.
These types of
war games are a good way to assess preparedness, test
your defenses, and learn from mistakes. You have to
practice and constantly test yourself to become and
stay good.
Besides, who says that you just
have to sit around on the defensive. The rules didn't
change, we just didn't realize that there was a war on
before 9/11. You can also go after the attackers and
make sure that they have little time to plan because
they are doing everything they can just to stay
alive.
I would have to think that this would be a lot of
fun! I would like to see what the NSA and friends could
throw at my network, although one would think they
wouldn't reveal all their cards...
Actually, I don't think it will be much fun at all,
simply because I don't think there is any chance
either side will reveal any cards. No
doubt there will be some already published exploits
and/or configuration gaffes that will be used. But I
doubt anything new will come out of this.
... I personally find that Windows boxes are the
hardest to crack, because every time I'm about to get
in, the damn thing crashes and the victim reboots and I
lose all my work. And then when I finally manage to get
on the system, it crashes again, usually when I'm
halfway done stealing his copy of Massive Zoomers and
the Ladies Who Love 'Em 4.
Arrrghghghghhhh!
It's just not worth it, the
patented Windows BlueScreen Security System[tm]
is foolproof. I'll take the easier road and stick to
hacking OpenBSD boxes.
Does anyone happen to know if social engineering is
allowed, or is this just a technical attack?
I
would wager that any social engineering would a) be more
likely to succeed, and b) also be more likely to occur
in the real world. But it's less quantifiable too.
This has been going on each year for almost 10 years
now. Each of the "official" military academies compete,
and the best team wins the NSA Information Assurance
Directorate Trophy. In the past Army, Navy, and Air
Force have all done quite well, while Coast Guard has
not.
Contrary to popular belief, the NSA Red Team
isn't allowed to use any of the NSA arsenal of dirty
tricks. They are only allowed to use software that is
freely available off the internet (NMAP, snort, etc.)
running on commodity hardware. They can't do anything
that violates Federal Law, (other than the intrusion
attempts themselves), but social engineering is
OK.
Also, break-ins are not an automatic loss,
per se. Nor is prevention of break-in an automatic win.
The goal of the Red Team is DoS. For every minute a
service remains down, the Red Team scores points. The
cadet teams win points based on how quickly they detect
and respond to the attacks. All judging is done by an
NSA White Team.
I'll see if I can find some more
info and post it here.
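Two comments above describe the scoring from opposite sides: the Air Force Academy team member says a service could be down for a certain time before points were taken away, and the comment just above says the Red Team scores for every minute a service stays down. The block below is an added example, not code from the thread or from the exercise's actual scoring system: it turns a constructed probe log into outage intervals and scores them both ways. The one-minute probe interval, the two-minute grace period and the one-point-per-minute rates are assumptions, as is the handling of an outage still open when the log ends.

```python
"""Score service downtime from a periodic probe log.

Added example (not from the original thread). The probe log, the grace period,
the probe interval and the point rates are assumptions.
"""
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=1)          # assumed: one probe per minute
GRACE = timedelta(minutes=2)             # assumed: downtime tolerated per outage

# Constructed probe log: "timestamp service up|down".
# dns is down for four probes, web for one, ftp is still down when the log ends.
PROBE_LOG = """\
2004-04-22T10:00:00 dns up
2004-04-22T10:01:00 dns up
2004-04-22T10:02:00 dns down
2004-04-22T10:03:00 dns down
2004-04-22T10:04:00 dns down
2004-04-22T10:05:00 dns down
2004-04-22T10:06:00 dns up
2004-04-22T10:00:00 web up
2004-04-22T10:01:00 web down
2004-04-22T10:02:00 web up
2004-04-22T10:03:00 web up
2004-04-22T10:00:00 ftp up
2004-04-22T10:01:00 ftp down
2004-04-22T10:02:00 ftp down
"""


def parse_probes(text):
    """Return {service: [(timestamp, is_up), ...]} sorted by time."""
    probes = {}
    for line in text.splitlines():
        ts, svc, status = line.split()
        probes.setdefault(svc, []).append((datetime.fromisoformat(ts), status == "up"))
    for seq in probes.values():
        seq.sort()
    return probes


def outages(probes, interval=INTERVAL):
    """Return {service: [(start, end), ...]} for each run of failed probes.

    An outage runs from the first failed probe to the probe that saw recovery.
    One still open at the end of the log is closed one interval after its last probe,
    so it is charged for the time actually observed rather than dropped.
    """
    result = {}
    for svc, seq in probes.items():
        runs, start, last = [], None, None
        for ts, up in seq:
            if not up and start is None:
                start = ts
            elif up and start is not None:
                runs.append((start, ts))
                start = None
            last = ts
        if start is not None:
            runs.append((start, last + interval))
        result[svc] = runs
    return result


def outage_minutes(runs_by_svc):
    """Whole minutes of downtime per outage, e.g. {'dns': [4], 'web': [1], 'ftp': [2]}."""
    return {svc: [int((end - start).total_seconds() // 60) for start, end in runs]
            for svc, runs in runs_by_svc.items()}


def blue_penalty(runs_by_svc, grace=GRACE, points_per_minute=1):
    """Points taken from the defending team: only downtime beyond the grace period counts."""
    total = 0
    for runs in runs_by_svc.values():
        for start, end in runs:
            over = (end - start) - grace
            if over > timedelta(0):
                total += points_per_minute * int(over.total_seconds() // 60)
    return total


def red_points(runs_by_svc, points_per_minute=1):
    """Points scored by the attacking team: every minute of downtime counts."""
    return points_per_minute * sum(sum(mins) for mins in outage_minutes(runs_by_svc).values())


if __name__ == "__main__":
    runs = outages(parse_probes(PROBE_LOG))
    print("downtime (min):", outage_minutes(runs))
    print("blue penalty:", blue_penalty(runs), "red points:", red_points(runs))
```

The asymmetry is deliberate: the defenders' grace period rewards fast detection and recovery, while the attackers are paid for every minute, so a short outage caught quickly costs the defenders nothing yet still puts a point or two on the Red Team's side.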
This really isn’t all that new. The U.S. Naval Postgraduate
School [navy.mil] has been sending their Infosec
students to play Capture the
Flag [ghettohackers.net] at Defcon [defcon.org]
for the last couple years as well as this year’s Interz0ne
[interz0ne.com] conference. In fact, there was only
one team (Anomaly – and they won ironically) that
didn’t have government personnel or contractors on
their team.
Also, Immunix
[immunix.com], a DARPA [darpa.mil]
funded hardened Linux
version [immunix.com], has been put under
fire during CTF for the last couple of years. (Their team
placed a solid second both times.)
The Feds have learned over the last couple of years that
they are behind the ball in terms of normal
unclassified security training for their personnel.
These conferences have been really good at giving them
some real world training that they normally don't
get.
It’s nice to see my tax dollars being put to a good
use for a change. Plus it makes the “Spot
[defcon.org] the Fed” game MUCH
easier.
Then stop beating a dead horse. It's not gonna
happen, any more than my active campaign to call
"automobiles", "eggplants". For some reason, people just
aren't interested in changing the meaning of words they
use already. Don't ask me why...
If I had moderator points, you would be at -1 right
now instead of 0.
This is the best way to learn
security, by applying the "book learned" concepts to the
real world. In fact, this is exactly what we did for the
final project in the Computer Security course that I
took as part of my MS in Computing program at
Marquette.
It also reinforced a very important
concept -- people are the weakest link. We got the other
group to send us passwords by faking an email in the
instructor's name!
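The trick in the comment above, a message faked in the instructor's name, leaves traces in the headers even when the visible From: line looks right. The block below is an added example, not code from the thread or from the course described: it parses two constructed messages and reports the usual signs of a forged sender, a Return-Path or Reply-To domain that differs from the From: domain and a failed SPF verdict in Authentication-Results. The domains, addresses and messages are invented for illustration, and the checks are heuristics rather than a substitute for a proper DMARC evaluation.

```python
"""Spot common signs that the visible From: header of a message was forged.

Added example (not from the original thread). The two messages, their domains
and the heuristics are constructed for illustration.
"""
from email import message_from_bytes
from email.utils import parseaddr

# Constructed: From: claims the instructor's domain, but the envelope sender,
# the Reply-To and the SPF result all point at a different host.
FORGED = b"""\
Return-Path: <prankster@mailhost.example.net>
Received: from mailhost.example.net (mailhost.example.net [203.0.113.20])
Authentication-Results: mx.university.example; spf=fail smtp.mailfrom=mailhost.example.net
From: "Prof. Instructor" <instructor@university.example>
Reply-To: grades-helpdesk@mailhost.example.net
To: students@university.example
Subject: Please send me your project passwords

Send your group's passwords so I can verify your work.
"""

# Constructed: a genuine message from the same sender.
LEGIT = b"""\
Return-Path: <instructor@university.example>
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=university.example
From: "Prof. Instructor" <instructor@university.example>
To: students@university.example
Subject: Project deadline

The deadline is Friday.
"""


def domain_of(addr):
    """Lower-cased domain part of an address header, or '' when absent."""
    _name, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def spoof_indicators(raw):
    """Return a list of human-readable findings; an empty list means nothing looked off."""
    msg = message_from_bytes(raw)
    from_dom = domain_of(msg["From"])
    findings = []

    # The envelope sender (Return-Path) is what SPF is evaluated against; a
    # mismatch with the visible From: is the classic phishing fingerprint.
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # Replies routed to a third party are how the forger collects the answers.
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Trust this header only when it was added by your own receiving MTA.
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("SPF check failed for the envelope sender")

    return findings


if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("legit", LEGIT)):
        print(label, spoof_indicators(raw) or ["no indicators"])
```

None of these signals proves forgery on its own (mailing lists and forwarders legitimately change Return-Path and Reply-To), which is why the function returns the list of findings rather than a verdict and leaves the decision to the reader or to a downstream rule.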