DOD Kicks Up Cybersecurity Efforts
codingOgre writes "The US Army will try to secure an entire computer network against a team led by the NSA. They are cadets at West Point competing against military academies and other schools in a four-day Cyber Defense Exercise this week. I would have to think that this would be a lot of fun! I would like to see what the NSA and friends could throw at my network, although one would think they wouldn't reveal all their cards...like the backdoor into any Windows box :)" In a related story, jkinney3 writes: "The feds are wising up to the need for a verifiable, secure code base for all of the DOD stuff, according to Government Computing News. A proposed solution 'would create a single executive organization responsible for software integrity and information assurance.' Joe Jarzombek, deputy director for software assurance in DOD's Information Assurance Directorate, said 'DOD possesses so many millions of lines of code in countless thousands of packages, that it would take years of effort and millions of dollars just to identify what was developed where.' I'm envisioning a lot of Bugzilla installations."
Is this why all those US bank notes say "IN DOD WE TRUST" on them?
They'll be unplugging the network. NSA probably has a work-around, though.
Username is joshua, and you don't need to enter a password.
Nowhere in the article does it say that the computers have to be on.
If anyone has enough money to be able to afford Macs, it's the government/military. :-)
The NSA will never break into those.
It sounds like a CTF match, except via the government. I somehow doubt they'd publish packet dumps and such of the event, but that'd be even more interesting. Kudos to the NSA/DoD for trying to ensure some of our vital infrastructure is secured from attack.
:(){
While we would like to thank you for participating in our security test, we can not further report on this event due to National Security, and we humbly request that all key loggers, camera phones and recording devices remain in the safe hands of our NSA coat-check-girls (for fine tuning).
The dangers of knowledge trigger emotional distress in human beings.
I hope this is a path the military will continue to follow. Security is vital when you come to rely heavily on intelligence. Let's just hope they don't stop here and take this as a serious effort.
It would also be interesting to see which OS allows the "red team" to infiltrate the network.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
I'm sure we all remember the LAST time some snotty smart punks hacked into a military computer!
"Hello Professor Falken. Would you like to play a game?"
*shudder*
Firewall it with OpenBSD, use pf's packet cleansing option. Ta-Da!
Army lost last year not because of a successful outside attack but from a self-inflicted wound in which an authorized network user accidentally knocked out service for several hours, costing precious points that helped Air Force prevail.
Isn't this how most corporate networks are taken down? BTW, I can't access the intranet.
They'll probably just install Norton Internet Security.
What do we have for the runners-up, John?
Where the fun is
We get random NetBIOS traffic from the DoD all the time... looks like something is not locked down over there. Either that or they are scanning other government agencies for open Windows computers. Hmmmm.
Ahh yes I do love these challenges.
The great thing is although the NSA can probably get into most things, we can still slow them down. And there's always self-destructing media and files... Swallowable hard disks! Logic bombs!
Hmmm, I guess he's run out of cheap ways to get attention. Maybe he could quit the AAA or the Subway Sub Club, or something like that.
What I'm listening to now on Pandora...
Compromised information systems are a real danger. Especially in the military where good vs. bad information can mean the difference between bombing an enemy position, or the Chinese embassy.
As the post states, I don't think NSA will reveal all methods.
DOD: could you sec-test our network?
NSA: sure.
NSA: we've found these holes
DOD: fixed
DOD: hey, now even you guys can't get in!
NSA: Doh!
No electrons were harmed sending this message. Wait,
Cyber warfare, a subset of classic information war that goes back as far as ancient Chinese military strategist Sun Tzu, has pushed its way into U.S. military curricula as the Internet has become pervasive.
Sun Tzu say "try asking them for their passwords, maybe offering a bar of chocolate in return."
---
"I did nothing. I did absolutely nothing and it was everything that I thought it could be."
Now that they've got a disgruntled former employee, the CyberSecurity corps of Homeland Security will turn their eyes on all unpatriotic Americans who can get TV time. And the rest of us will drown in emailed PIF viruses.
--
make install -not war
The US Army will try to secure an entire computer network against a team led by the NSAh a- ha-ha-ha-ha... eeeeeh ... -ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-ha!!!
Ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-hoho-ha-ha-ha-
Hey, does anyone recall the NSAKey symbol that leaked on a debug version of a DLL in NT 4? (Was that GINA.DLL?) I wonder if it's still in there in later versions...
Those who can, do. Those who can't, consult.
... and nobody that teh **AA doesn't want running systems ...
Wow. I didn't realize the GNAA was that powerful.
It is good to see the issue of computer security intelligently approached.
It is much better to harness the natural competitiveness and curiosity of your geeks than to suppress it by any means possible and depend on security by obscurity.
"He is no fool who gives what he cannot keep in order to gain what he cannot lose."
...but I'm sure the NSA will try to hijack the EM transmissions at the endpoints. Of course, the military is quite aware of that, but your average computer installation probably wouldn't be safe simply by disconnecting the network...
Kjella
Live today, because you never know what tomorrow brings
A sergeant is pacing in front of a line of soldiers at attention, bellowing, "I've never seen such a sloppy outfit! Dictionary passwords on the root filesystem - open NetBIOS ports on the security gateway!!"
try { do() || do_not(); } catch (JediException err) { yoda(err); }
that is based on the simple premise of limiting the impact that any attack can possibly have instead of trying to do the impossible and prevent all attacks. So, how do they do it? Simple really. In fact, it's so simple that it may even be accidental. Their systems are so diverse, numerous, both antiquated and modern at the same time, that even they don't know what they have. Much of the time, there are several completely separate systems based on different technologies from different decades that can be chosen at will by a commander to do any particular task. And even if the systems are up and using some common basis for attack such as MS Windows, the chances of any given system being available on a network at any point in time are probably less than 50/50 because their networks SUCK. So, the attack would have great difficulty spreading before detection. Once detected, they tend to just shut down all of the links. So, as long as they don't get stupid and standardize, fix and catalog everything, any concentrated attack can only have limited effects.
Hmmm. But it looks like that may be just what they are thinking about doing... :o)
...any chocolate bars.
post a link to the webserver on /. that ought to be a good stress test.
Unfortunately exercises like this show how our conventional approach to warfare (cyber- or human-) is doomed in the world of increasing unconventional war tactics.
With a network or a piece of land, actively defending against a known enemy in a known timeframe is fairly easy. You know the rules for engagement, you can easily account for all the possible outcomes.
Putting processes in place to defend against undeterminable attackers in an indefinite timeframe approaches the impossible. In a network, all it takes for hostile code to infiltrate is one human error (i.e.: a race condition when a firewall ACL changes). Same with terrorism: all it takes is a few people with flight training and box-cutters to do some serious damage. There are no rules of engagement.
Put another way, conventional warfare (again, cyber- or human-) is like a chess tournament. Predictable rules. For the unconventional, imagine someone winning a chess tournament by pulling out a gun and shooting the opposing player.
_______
2B1ASK1
Actually, I don't think it will be much fun at all, simply because I don't think there is any chance either side will reveal any cards. No doubt there will be some already published exploits and/or configuration gaffes that will be used. But I doubt anything new will come out of this.
I would propose the Army build a virtual sandbox in which to run applications safely. In the sandbox, external requests go through a "mother-may-I" query in which a real user, or a centralized database, is queried as to the permissibility of (deleting the file "some file x") etc. Once the application has run for a period of time under scrutiny, the repetitious requests can be quashed, and only new requests for external data raise flags. Managing a list of valid external requests should be much more practical than line-by-line audits for buffer overrun opportunities on a billion lines of code.
my 2c
AIK
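The scheme the comment above sketches, as an added example (not code from the post, and not any real sandbox's API): a request mediator that refers every external request to an approver while the application is under scrutiny, records what was approved, and afterwards grants the already-seen requests silently while escalating only novel ones. The request format, the names, and the sample workload (including the TEST-NET-3 address) are assumptions made for this illustration.

```python
"""Added example of a "mother-may-I" request mediator with a learning window.

Every external request (open, delete, connect, ...) is a (operation, target)
pair routed through Mediator.request. While learning, each unseen request is
referred to the approver (a human prompt or a central policy database in a
real system); approved pairs are recorded in a profile. After freeze(), a
request that matches the profile is granted without a query (the repetitious
requests are "quashed"), and only requests the profile has never seen are
escalated before being referred. All names here are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Request = Tuple[str, str]            # (operation, target), e.g. ("delete", "/tmp/x")
Approver = Callable[[Request], bool]  # True = permit, False = deny


@dataclass
class Mediator:
    approver: Approver
    learning: bool = True                                  # True while under scrutiny
    profile: Set[Request] = field(default_factory=set)     # approved (op, target) pairs
    escalations: List[Request] = field(default_factory=list)  # novel requests after freeze
    denials: List[Request] = field(default_factory=list)

    def request(self, operation: str, target: str) -> bool:
        """Return True if the application may perform the request."""
        req: Request = (operation, target)
        if req in self.profile:
            return True                 # known-good: no query to the approver
        if not self.learning:
            self.escalations.append(req)  # the flag the scheme exists to raise
        allowed = self.approver(req)
        if allowed:
            self.profile.add(req)
        else:
            self.denials.append(req)
        return allowed

    def freeze(self) -> None:
        """End the learning window; from now on only novel requests escalate."""
        self.learning = False


def run_demo() -> Dict[str, object]:
    """Drive the mediator through a constructed workload and report what happened."""
    # Constructed policy standing in for the central database / human approver.
    permitted = {("read", "/etc/hosts"), ("connect", "db.internal:5432"),
                 ("write", "/var/app/cache")}
    queries: List[Request] = []

    def approver(req: Request) -> bool:
        queries.append(req)
        return req in permitted

    m = Mediator(approver)
    # Learning window: the application's normal behaviour, observed a few times.
    for _ in range(3):
        m.request("read", "/etc/hosts")
        m.request("connect", "db.internal:5432")
        m.request("write", "/var/app/cache")
    m.freeze()
    # Production: the same behaviour plus two things the application never did.
    steady = [m.request("read", "/etc/hosts") for _ in range(100)]
    exfil = m.request("connect", "203.0.113.9:4444")   # constructed, TEST-NET-3
    wipe = m.request("delete", "/var/app/cache")
    return {
        "profile_size": len(m.profile),
        "approver_queries": len(queries),      # 3 while learning, 2 novel afterwards
        "steady_state_allowed": all(steady),
        "escalations": list(m.escalations),
        "exfil_allowed": exfil,
        "wipe_allowed": wipe,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the numbers make: 109 requests in production cost zero approver queries, because the profile absorbs the repetition, while the two requests outside the profile are both escalated and both refused. Whether an approved novel request should be added to the profile permanently, as it is here, is a policy choice; a stricter deployment would keep the profile frozen and treat every escalation as an incident.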
I wonder how far modded up this troll will go.
First, there's paranoid rambling, including government mandated software backdoors, +1.
Second, there's the one-two buzzword combo (DMCA, Palladium), +1.
Third, a pitiful lament about how it's all falling apart for us, +1.
Fourth, there's a misquoted Jefferson. +1
Fifth, more paranoid ramblings about the **AAs. +1
Finally, we have a 'teh' and some poor grammar.
This one deserves a +5, Informative by my estimates. Slashdot moderation being the fool-show it is.
Wait. It was only for military? Uh...Nope, wasn't me. Hold on a sec'. Someone's at the door. DD0002111873A627F87DDE13B{}}|{|{00000000[NO CARRIER]
But why is the rum gone?
That's GNU-cracking you insensitive clod!
bau bau chicka chicka mau mau
more like a misquoted franklin
That fight needed to to be fought 7 years ago. It's too late now.
I thought you said "Not to beat" ...
KARMA TAG! You're it.
I think the title hackers is appropriate unless the NSA is reverse engineering to determine the super secret l33t registration code to unlock the full features of the cadets' system.
AFAIK, hackers analyze systems for holes and find innovative ways to exploit them.
(and then there's the skr1pt k1dd13s in a class of their own)
Moral of the story: if you're gonna freak out about naming conventions, make sure you're right first.
... I personally find that Windows boxes are the hardest to crack, because every time I'm about to get in, the damn thing crashes and the victim reboots and I lose all my work. And then when I finally manage to get on the system, it crashes again, usually when I'm halfway done stealing his copy of Massive Zoomers and the Ladies Who Love 'Em 4. Arrrghghghghhhh!
It's just not worth it, the patented Windows BlueScreen Security System[tm] is foolproof. I'll take the easier road and stick to hacking OpenBSD boxes.
I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."
"I would like to see what the NSA and friends could throw at my network" One could suppose the poster has skills in security, and is somewhat proud about it. yet ...
"into any Windows box :)"
Here is how you win:
...at the US Army cyber HQ...
NSA phone rings...
NSA-Person: "hello?"
Caller: "This is the deputy secretary for Condoleezza Rice. We are having a problem viewing the 'cyber war game' and are sending someone over right away."
NSA-Person: "umm, that isn't possible sir..."
Caller: "Listen son, this comes right from the top. Do you want to find yourself cleaning the latrines in the Chinese restaurant down the street?"
NSA-Person: "well, umm, no but.."
Caller: "No buts! We are sending our personal network specialist over to fix the problem. You will let him do his work or you will answer to me!" [hangs up the phone]
US Army Guy: "Well boys, we're in..."
~SpermanHerman
What is that, any operating system that is NMCI compliant?
The Navy, as I understand it, is heading for a complete monoculture network. Worse yet, that monoculture is brought to you by the folks from Redmond. You can expect a few more ships towed into port.
Then stop beating a dead horse. It's not gonna happen, any more than my active campaign to call "automobiles", "eggplants". For some reason, people just aren't interested in changing the meaning of words they use already. Don't ask me why...
Anyway, I'm off to go get my eggplant registered.
My money is on using social engineering techniques to determine everything possible before launching an attack.
Even the attack itself would be more successful if it were tripped by an insider doing something stupid (clicking on an Outlook attachment with some local context softcore pr0n hint).
Given the current software environment, it's the people that leak like sieves.
"Provided by the management for your protection."
... all the Army has to do is call in an airstrike on the NSA team: "All systems secure, SIR!!"
A C-130 gunship will halt a DOS attack PDQ.
Does anyone happen to know if social engineering is allowed, or is this just a technical attack?
I would wager that any social engineering would a) be more likely to succeed, and b) also be more likely to occur in the real world. But it's less quantifiable too.
--
$tar -xvf
In related news, the stock prices of Alcoa and Reynolds skyrocketed by over 30 points each as the American public finally came to the realization that the military DOES know how to monitor all networks in real time and IS actively watching the populace using exploits that they DON'T tell anyone else about.
+++ATHZ 99:5:80
This has been going on each year for almost 10 years now. Each of the "official" military academies compete, and the best team wins the NSA Information Assurance Directorate Trophy. In the past Army, Navy, and Air Force have all done quite well, while Coast Guard has not.
Contrary to popular belief, the NSA Red Team isn't allowed to use any of the NSA arsenal of dirty tricks. They are only allowed to use software that is freely available off the internet (Nmap, Snort, etc.) running on commodity hardware. They can't do anything that violates Federal Law (other than the intrusion attempts themselves), but social engineering is ok.
Also, break-ins are not an automatic loss, per se. Nor is prevention of break-in an automatic win. The goal of the Red Team is DoS. For every minute a service remains down, the Red Team scores points. The cadet teams win points based on how quickly they detect and respond to the attacks. All judging is done by an NSA White Team.
I'll see if I can find some more info and post it here.
You are attempting to read sigs. Cancel or Allow?
If I had moderator points, you would be at -1 right now instead of 0.
This is the best way to learn security, by applying the "book learned" concepts to the real world. In fact, this is exactly what we did for the final project in the Computer Security course that I took as part of my MS in Computing program at Marquette.
It also reinforced a very important concept -- people are the weakest link. We got the other group to send us passwords by faking an email in the instructor's name!
You can find out the info at their webpage and get some more detailed information in the publications, especially the ones by Ragsdale and Schepens: http://www.itoc.usma.edu/CDX/wpia.htm
I have attended two talks by LTC Dan Ragsdale and had the opportunity to meet with him to discuss the development of similar cyber defense exercises at UMBC CISA (http://cisa.umbc.edu/). According to him, the exercises use both Linux and Windows operating systems, and teams are required to provide certain services (ftp, dns, etc.). They get points for having these services up and running and lose points for any downtime. New to the exercise this year is an orange team (Naval Postgraduate School) allowing social engineering attacks. All attacks are carried out over a VPN, and as to the nature of the NSA red team's attacks... that is unknown, even to the exercise coordinators. So there could be exploits being tested here without anyone else's knowledge.
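The scoring rules described in the two comments above (the red team scores for every minute a service stays down; the defenders score for services that are up and for how quickly they detect and respond) are straightforward to mechanise, and a white-team style scorer is also exactly the downtime-and-time-to-detect bookkeeping a blue team keeps for itself. The block below is an added example, not the exercise's own scoring engine: the probe and incident log layouts, the point values (one point per service-minute either way, a detection bonus that decays one point per minute of delay) and the sample data are all constructed for the illustration.

```python
"""Added example: a minimal white-team scorer for the CDX-style rules above.

PROBE_LOG records, once per minute, whether each required service answered a
check ("minute service up|down"). INCIDENT_LOG records the minute at which the
defenders reported a service down. Neither format is the exercise's own; both
are constructed here.
"""
from collections import defaultdict
from typing import DefaultDict, Dict, List, Tuple

PROBE_LOG = """\
0 dns up
0 ftp up
0 web up
1 dns up
1 ftp down
1 web up
2 dns up
2 ftp down
2 web up
3 dns down
3 ftp down
3 web up
4 dns down
4 ftp up
4 web down
5 dns up
5 ftp up
5 web down
"""

INCIDENT_LOG = """\
2 ftp
3 ftp
4 dns
"""

DETECT_BONUS = 5  # assumed: points for reporting an outage the minute it starts


def parse_probes(text: str) -> Dict[str, List[Tuple[int, bool]]]:
    """Return {service: [(minute, is_up), ...]} sorted by minute."""
    probes: DefaultDict[str, List[Tuple[int, bool]]] = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            minute, service, status = line.split()
            probes[service].append((int(minute), status == "up"))
    for samples in probes.values():
        samples.sort()
    return dict(probes)


def outages(samples: List[Tuple[int, bool]]) -> List[Tuple[int, int]]:
    """Collapse consecutive down samples into [start, end) minute intervals."""
    result: List[Tuple[int, int]] = []
    start = None
    for minute, up in samples:
        if not up and start is None:
            start = minute
        elif up and start is not None:
            result.append((start, minute))
            start = None
    if start is not None:                      # still down at end of log
        result.append((start, samples[-1][0] + 1))
    return result


def score(probe_text: str, incident_text: str) -> Dict[str, object]:
    """Compute red/blue points, per-service downtime and any undetected outages."""
    probes = parse_probes(probe_text)
    reports: DefaultDict[str, List[int]] = defaultdict(list)
    for line in incident_text.splitlines():
        if line.strip():
            minute, service = line.split()
            reports[service].append(int(minute))

    downtime: Dict[str, int] = {}
    detection_credit = 0
    undetected: List[Tuple[str, int, int]] = []
    for service, samples in probes.items():
        downtime[service] = sum(1 for _, up in samples if not up)
        for start, end in outages(samples):
            # Only reports made while the outage was in progress count as detection.
            hits = [m for m in reports[service] if start <= m < end]
            if hits:
                detection_credit += max(0, DETECT_BONUS - (min(hits) - start))
            else:
                undetected.append((service, start, end))
    up_minutes = sum(len(s) for s in probes.values()) - sum(downtime.values())
    return {
        "downtime": downtime,
        "red_points": sum(downtime.values()),           # one per service-minute down
        "blue_points": up_minutes + detection_credit,   # up minutes plus detection speed
        "undetected": undetected,
    }


if __name__ == "__main__":
    for key, value in score(PROBE_LOG, INCIDENT_LOG).items():
        print(f"{key}: {value}")
```

On the constructed data the web outage at the end of the log is never reported, so it earns the defenders nothing beyond the up minutes before it; that "undetected" list is the item a blue team would actually want from such a scorer, since an outage nobody noticed is worse than one that cost points.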
Just put a link to the computer in the /. head story and then be ready to test against a _real_ DDoS attack :)
The ex-President of LALUG will then protest against using any of the lessons learned to make any Open Source systems more secure.
...beat the Navy -- what are they thinking, taking on the NSA?
At least they got home field advantage...
Following this guy's example, I am not going to use security on my network because the DOD does.
No... we won't. The NSA never hands out results of their findings (well maybe they will to Congress in a Special Hearing considering recent events).
OH gimme a break. Go back to 1981, you guy with shoulder-length gray hair and a bald spot, with your T-shirt involving some sort of C64 humor. A hacker has been a bad guy since 1994, since I got my first computer, and that was 10 YEARS AGO! No one 'hacks' their own motherboard with a soldering iron anymore. Retire! It's over, buddy! You handed over the reins to us youngins who travel nowhere without roller blades and our hair the color of Flintstone vitamins, and we're hackers, yo...
---------
No matter how thin you slice it, it's still baloney.
The thing that worries me about any government computer security activity is that many managers who will have the final say have no practical experience beyond MS Word and a bit of COBOL as an undergrad. I once worked in a SCIF where the regs spoke of "zeroing core memory". Magnetic media was not allowed out once inside, yet we had an internet connection and dozens of Macs running System 7 file sharing.
"Love is a familiar; Love is a devil: there is no evil angel but Love." --William Shakespeare ('Love's Labors Lost')
Yes, you are beating a dead horse.
A Very Dead horse.
They call him Elmers now.
You are making a mess.
1. Netcraft confirms: In Soviet Russia all your base welcomes a Beowulf cluster of CowboyNeal overlords. 2. ? 3. Profit!!1!
Most of you guys are just guessing here. My company does pen testing for the DoD and NASA and they are full of holes (big enough to drive a Humvee through). Back in 2001, they had serious BIND issues, SMTP proxy alias issues, blank passwords on POP3, etc. etc.... Now, these are all fixed, but think about all of the vulns that have been created since then. They don't have the internal expertise to secure themselves; most of the internal staff are high school dropouts who didn't want to be in the infantry. Why do you think they use 3rd party vendors for most of their InfoSec work? If terrorists even get a slight clue, we are in for a world of pain.....
"...A proposed solution 'would create a single executive organization responsible for software integrity and information assurance.'..."
-Press Conference-
"Ladies and Gentlemen: I am proud to announce our new cyber security czar, Mr. William Gates..."
Laugh! Damn you!
"Army lost last year not because of a successful outside attack but from a self-inflicted wound in which an authorized network user accidentally knocked out service for several hours, costing precious points that helped Air Force prevail."
So, as you can see, turning the computers off is actually counter productive.
Also, this is pretty cool:
"The rules this year are designed to make the competition simulate more of a 24-hour operation, despite the reality that "Taps" still sounds at 2330 (11:30 p.m.) and cadets are required to be in bed with lights out by then. Overnight, the enemy can prey upon any network vulnerabilities with impunity."
Jason Lotito
Army slob 1: OK, everything locked down?
Army slob 2: Services off, filtering on. Nothin's gettin' in here.
NSA hack: [Taps on keyboard. Clicks "Send."]
Army slob 1: Hey, check it out. I just got an email with nude pix of Natalie Portman and HOT GRITS!
Army slob 2: Score!
Army slob 1: [Clicks "Open Email"]
NSA 1: Army 0
blog
I'm wondering if social engineering would include taking one of the students hostage when he leaves the NOC for a pee and threatening his life with a car battery, a set of jumper cables, and some titanium nipple clips.
It seems that if I were a real enemy after real information, it might be a lot easier to take down a camo-clad cyber geek than the 14 levels of electronic protection and pervasive paranoia of social engineering that must be present in these situations...
Or is titanium not that good a conductor?
I have a plan. Using mainly spoons, we'll tunnel our way out of the city...
This really isn't all that new. The U.S. Naval Postgraduate School has been sending their Infosec students to play Capture the Flag at Defcon for the last couple of years, as well as this year's Interz0ne conference. In fact, there was only one team (Anomaly, and they won, ironically) that didn't have government personnel or contractors on their team.
Also, Immunix, a DARPA-funded hardened Linux version, has also been put under fire during CTF for the last couple of years. (Their team placed a solid second both times.)
The Feds have learned over the last couple of years that they are behind the ball in terms of normal unclassified security training for their personnel. These conferences have been really good at giving them some real-world training that they normally don't get.
It's nice to see my tax dollars being put to a good use for a change. Plus it makes the "Spot the Fed" game MUCH easier.
"Omnis tuus capsa sunt inesse nos"
potential riches to rags, one step removed as my girlfriend tells it.
Long time ago, her dad (very well off lawyer) at Christmas offered all the kids a challenge.
On the spot, he asked all of them whose picture was on the 10 very large bill; whoever guessed right, they got it!
He held it up, his hand over the face, she says they could all see the zeros hanging out and about shit.
NONE of them guessed correct.
Dad puts the bill away back in his pocket.
I guess that was his lesson to the kids on "know your stuff" in the business/economic world.
An associate of mine says the Army has a way to remotely lock and freeze any Windows box trying to hack their systems. Then they can take control of the box remotely to determine the owner. Any truth to this claim?
Namaste
as the rules of engagement seem to preclude social engineering in this case. It's a fixed timeframe of maybe a few days at most. The defenders are all "teams" at the various military academies, all of whom probably never leave the staging area except to eat or sleep until the game is over. And the attacker is required to use an anonymous location in Maryland as their base of operations. Even if travel outside this BoO is allowed for the attackers, agents would have to hop on planes immediately, engineer their way into the academy and get at the teams, then try to glean some information from them or the surrounding location that they didn't already know.
Social engineering would be more suitable for a more open-ended game that didn't have so many constraints, or one that focused on secret keeping and the like rather than on network defense.
I competed against the West Point team in the ACM computer programming competition. My team sat next to them and I was far from impressed... didn't see any code, but they were clearly missing some HUGE concepts from what I heard from their discussions. And these are supposedly the academics of the US Army.
NSA's got this one in the bag.
"There are no such things as mutual fantasies. Yours bore us and ours offend you."
- Bill Maher
Does this mean that the NSA "Red Team" will go on to compete in the Defcon Root-Fu competition this year?
Will we end up with virtual reporters on the Alexis Park cable talking about "Red Team" getting beat by "Team Green (0x00FF00)" and "WMD"? (that I would love to see!)
Come to Defcon XII and find out!
I don't really see why not: most of the team members will probably be in attendance already, and according to some of the earlier posts, they are not allowed to use any classified tricks anyway.
If you want more information, take a look at West Point's Cyber Defense Exercise webpage...
http://www.itoc.usma.edu/cdx/
They also have a number of publications here...
http://www.itoc.usma.edu/cdx/publication.htm
~rumint
www.rumint.com
There's been no fatherly welfare I am aware of; his philosophy as related to me was that while they were at home they got free room and board but did chores, no maid action or anything like that; hit 18 it was adios, go make something of yourself. She's a retired stewardess, two years of college before she went flying, college paid for via athletic scholarship, nationally ranked swimmer. Her sisters are married and each runs a small business they started; one of her brothers is an architect, and the other I forget, but just some normal job in IT, but I honestly don't remember what it is. Her dad is a hoot; he was a B-24 pilot in WW2 and still flies his own plane, a Cessna 210 I believe. He's just always been a lawyer since he got out of the war, mostly criminal cases, and always thrifty, saved his nickels. Cheap but not mean; he DID offer the 10 grand bill if they knew who was on it. (Sam Chase, BTW.) He does goofy stuff all the time; I've heard dozens of these sorts of stories. And, if there was any family welfare, I sure don't see it. We do caretaking now, make an absurdly small salary for hot nasty outdoor labor, and get a three-room cabin of around 600 square feet. Not exactly the lap of luxury around here. Combined we make less a day than what most people here make per hour. My new whizzbang surfin' machine is a 1996 IBM at 200 MHz. She owns a 1980 Jeep that needs a new cylinder head and rings and a carb, and I have a 1975 van with well over 300 thou on it. If there's tons of cash or platinum cards kickin' around here, I'd sure like to go on a spree, like, buy some parts I need and maybe go eat in a restaurant someplace that had actual china plates on a table.
"Eligible Receiver" was a classic cyber wargame that took place a few years ago. The memory still gives nightmares to folks in the Pentagon.
There have only been a handful of public statements on the results of Eligible Receiver, and they indicate that the attacks reached classified systems.
The red team (the attackers from NSA) developed their attacks by cruising the Internet and collecting the most recent attack tools and discussions of attack techniques. They didn't use anything top secret, nor did they need government endorsed back doors. The red team was so successful that very few details have ever been released.
I have no doubt a red team can do as well today as they did back then, even if they start from scratch again. The main advantage the red team might have over a real cyberterrorist is a bit of insider knowledge about the networks under attack.