Slashdot Mirror
DOD Kicks Up Cybersecurity Efforts
codingOgre writes "The US Army will try to secure an entire computer network against a team led by the NSA. They are cadets at West Point competing against military academies and other schools in a four-day Cyber Defense Exercise this week. I would have to think that this would be a lot of fun! I would like to see what the NSA and friends could throw at my network, although one would think they wouldn't reveal all their cards...like the backdoor into any Windows box :)" In a related story, jkinney3 writes: "The feds are wising up to the needs for a verifiable, secure code base for all of the DOD stuff, according to Government Computing News. A proposed solution 'would create a single executive organization responsible for software integrity and information assurance.' Joe Jarzombek, deputy director for software assurance in DOD's Information Assurance Directorate, said 'DOD possesses so many millions of lines of code in countless thousands of packages, that it would take years of effort and millions of dollars just to identify what was developed where.' I'm envisioning a lot of Bugzilla installations."
Is this why all those US bank notes say "IN DOD WE TRUST" on them?
They'll be unplugging the network. NSA probably has a work-around, though.
Username is joshua, and you don't need to enter a password.
Nowhere in the article does it say that the computers have to be on.
If anyone has enough money to be able to afford Macs, it's the government/military. :-)
The NSA will never break into those.
It sounds like a CTF match, except via the government. I somehow doubt they'd publish packet dumps and such of the event, but that'd be even more interesting. Kudos to the nsa/dod for trying to ensure some of our vital infrastructure is secured from attack.
:(){
While we would like to thank you for participating in our security test, we can not further report on this event due to National Security, and we humbly request that all key loggers, camera phones and recording devices remain in the safe hands of our NSA coat-check-girls (for fine tuning).
The dangers of knowledge trigger emotional distress in human beings.
I hope this is a path the military will continue to follow. Security is vital when you come to rely heavily on intelligence. Lets just hope the dont stop here and take this as a serious effort.
It would also be interesting to see which OS allows the "red team" to infiltrate the network.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
I'm sure we all remember the LAST time some snotty smart punks hacked into a military computer!
"Hello Professor Falken. Would you like to play a game?"
*shudder*
Army lost last year not because of a successful outside attack but from a self-inflicted wound in which an authorized network user accidentally knocked out service for several hours, costing precious points that helped Air Force prevail.
Isn't this how most corporate networks are taken down? BTW, I can't access the intranet.
They'll probably just install Norton Internet Security.
What do we have for the runner-ups John?
Where the fun is
We get random netbios traffic from the DoD all the time... looks like something is not locked down over there. Either that or they are scanning other government agencies for open windows computers. hmmmm.
Hmmm, I guess he's run out of cheap ways to get attention. Maybe he could quit the AAA or the Subway Sub Club, or something like that.
What I'm listening to now on Pandora...
Compromised information systems are a real danger. Especially in the military where good vs. bad information can mean the difference between bombing an enemy position, or the Chinese embassy.
As the post states, I don't think NSA will reveal all methods.
DOD: could you sec-test our network?
NSA: sure.
NSA: we've found these holes
DOD: fixed
DOD: hey, now even you guys can't get in!
NSA: Doh!
No electrons were harmed sending this message. Wait,
Cyber warfare, a subset of classic information war that goes back as far as ancient Chinese military strategist Sun Tzu, has pushed its way into U.S. military curricula as the Internet has become pervasive.
Sun Tzu say "try asking them for their passwords, maybe offering a bar of chocolate in return."
---
"I did nothing. I did absolutely nothing and it was everything that I thought it could be."
Hey, does anyone recall the NSAKey symbol that leaked on a debug version of a DLL in NT 4? (Was that GINA.DLL?) I wonder if it's still in there in later versions...
Those who can, do. Those who can't, consult.
It is good to see the issue of computer security intelligently approached.
It is much better to harness the natural competitiveness and curiosity of your geeks than to suppress it by any means possible and depend on security by obscurity.
"He is no fool who gives what he cannot keep in order to gain what he cannot lose."
...but I'm sure the NSA will try to hijack the EM transmissions at the endpoints. Of course, the military is quite aware of that, but your average computer installation probably wouldn't be safe simply by disconnecting the network...
Kjella
Live today, because you never know what tomorrow brings
A sargent is pacing in front of a line of soldiers at attention, bellowing, "I've never seen such a sloppy outfit! Dictionary passwords on the root filesystem - open NetBIOS ports on the security gateway!!"
try { do() || do_not(); } catch (JediException err) { yoda(err); }
...any chocolate bars.
Unfortunately exercises like this show how our conventional approach to warfare (cyber- or human-) is doomed in the world of increasing unconventional war tactics.
With a network or a piece of land, actively defending against a known enemy in a known timeframe is fairly easy. You know the rules for engagement, you can easily account for all the possible outcomes.
Putting processes in place to defend against undeterminable attackers in an indefinite timeframe approaches the impossible. In a network, all it takes for hostile code to infiltrate is one human error (i.e.: a race condition when a firewall ACL changes). Same with terrorism: all it takes is a few people with flight training and box-cutters to do some serious damage. There are no rules of engagement.
Put another way, conventional warfare (again, cyber- or human-) is like a chess tournament. Predictable rules. For the unconventional, imagine someone winning a chess tournament by pulling out a gun and shooting the opposing player.
_______
2B1ASK1
Actually, I don't think it will be much fun at all, simply because I don't think there is any chance either side will reveal any cards. No doubt there will be some already published exploits and/or configuration gaffes that will be used. But I doubt anything new will come out of this.
more like a misquoted franklin
That fight needed to to be fought 7 years ago. It's too late now.
I think the title hackers is appropriate unless the NSA is reverse engineering to determine the super secret l33t registration code to unlock the full features of the cadets system.
AFAIK, hackers analyze systems for holes and find innovative ways to exploit them.
(and then theres the skr1pt k1dd13s in a class of their own)
Moral of the story: if your gonna freak out about naming conventions, make sure you're right first.
... I personally find that Windows boxes are the hardest to crack, because every time I'm about to get in, the damn thing crashes and the victim reboots and I lose all my work. And then when I finally manage to get on the system, it crashes again, usually when I'm halfway done stealing his copy of Massive Zoomers and the Ladies Who Love 'Em 4. Arrrghghghghhhh!
It's just not worth it, the patented Windows BlueScreen Security System[tm] is foolproof. I'll take the easier road and stick to hacking OpenBSD boxes.
I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."
Here is how you win:
...at the US Army cyber HQ...
NSA phone rings...
NSA-Person: "hello?"
Caller: "This is the deputy secretary for Condoleezza Rice. We are having a problem viewing the 'cyber war game' and are sending someone over right away."
NSA-Person: "umm, that isn't possible sir..."
Caller: "Listen son, This comes right from the top. Do you want to find yourself cleaning the latrines in the chinese resturaunt down the street?"
NSA-Person: "well, umm, no but.."
Caller: "No buts! We are sending our personal network specialist over to fix the problem. You will let him do his work or you will answer to me!" hangs up the phone
US Army Guy: "Well boys, were in..."
~SpermanHerman
Then stop beating a dead horse. It's not gonna happen, any more than my active campaign to call "automobiles", "eggplants". For some reason, people just aren't interested in changing the meaning of words they use already. Don't ask me why...
Anyway, I'm off to go get my eggplant registered.
Does anyone happen to know if social engineering is allowed, or is this just a technical attack?
I would wager than any social engineering would a) be more likely to succeed, and b) be also more likely to occur in the real world. But it's less quantifiable too.
--
$tar -xvf
This has been going on each year for almost 10 years now. Each of the "official" military academies compete, and the best team wins the NSA Information Assurance Directorate Trophy. In the past Army, Navy, and Air Force have all done quite well, while Coast Guard has not.
Contrary to popular belief, the NSA Red Team isn't allowed to use any of the NSA arsenal of dirty tricks. They are only allowed to use software that is freely available off the internet (NMAP, snort, etc.) running on commodity hardware. They can't do anything that violates Federal Law, (other than the intrusion attempts themselves), but social engineering is ok.
Also, break-ins are not an automatic loss, per se. Nor is prevention of break-in an automatic win. The goal of the Red Team is DoS. For every minute a service remains down, the Red Team scores points. The cadet teams win points based on how quickly they detect and respond to the attacks. All judging is done by an NSA White Team.
I'll see if I can find some more info and post it here.
You are attempting to read sigs. Cancel or Allow?
If I had moderator points, you would be at -1 right now instead of 0.
This is the best way to learn security, by applying the "book learned" concepts to the real world. In fact, this is exactly what we did for the final project in the Computer Security course that I took as part of my MS in Computing program at Marquette.
It also reinforced a very important concept -- people are the weakest link. We got the other group to send us passwords by faking an email in the instructor's name!
No... we won't. The NSA never hands out results of their findings (well maybe they will to Congress in a Special Hearing considering recent events).
Army slob 1: OK, everything locked down?
Army slob2: Services off, filtering on. Nothin's gettin' in here.
NSA hack: [Taps on keyboard. Clicks "Send."]
Army slob 1: Hey, check it out. I just got an email with nude pix of Natalie Portman and HOT GRITS!
Army slob 2: Score!
Army slob 1: [Clicks "Open Email"]
NSA 1: Army 0
blog
This really isn't all that new. The U.S. Naval Postgraduate School has been
sending their Infosec students to play Capture the Flag at Defcon for the last couple years as well as
this year's Interz0ne conference. In
fact, there was only one team (Anomaly - and they won ironically) that didn't
have government personnel or contractors on their team.
Also, Immunix, a DARPA funded hardened Linux version has also
been put under fire during CTF for the last couple year. (Their team placed a
solid second both times).
The Feds have learned over the last couple years that they
are behind the ball in terms of normal unclassified security training for their
personnel. These conferences have been really good at given them some real
world training that they normally don't get.
It's nice to see my tax dollars being put to a good use for
a change. Plus it makes the "Spot
the Fed" game MUCH easier.
"Omnis tuus capsa sunt inesse nos"