Slashdot Mirror


DOD Kicks Up Cybersecurity Efforts

codingOgre writes "The US Army will try to secure an entire computer network against a team led by the NSA. They are cadets at West Point competing against military academies and other schools in a four-day Cyber Defense Exercise this week. I would have to think that this would be a lot of fun! I would like to see what the NSA and friends could throw at my network, although one would think they wouldn't reveal all their cards...like the backdoor into any Windows box :)" In a related story, jkinney3 writes: "The feds are wising up to the needs for a verifiable, secure code base for all of the DOD stuff, according to Government Computing News. A proposed solution 'would create a single executive organization responsible for software integrity and information assurance.' Joe Jarzombek, deputy director for software assurance in DOD's Information Assurance Directorate, said 'DOD possesses so many millions of lines of code in countless thousands of packages, that it would take years of effort and millions of dollars just to identify what was developed where.' I'm envisioning a lot of Bugzilla installations."

28 of 178 comments

  1. The US Army's Secret Plan? by Anonymous Coward · · Score: 5, Funny

    They'll be unplugging the network. NSA probably has a work-around, though.

  2. Just remember... by abh · · Score: 5, Funny

    Username is joshua, and you don't need to enter a password.

  3. Easy... by JimDabell · · Score: 4, Funny

    Nowhere in the article does it say that the computers have to be on.

  4. hacker wargames by quelrods · · Score: 4, Interesting

    It sounds like a CTF match, except via the government. I somehow doubt they'd publish packet dumps and such of the event, but that'd be even more interesting. Kudos to the NSA/DOD for trying to ensure some of our vital infrastructure is secured from attack.

    --
    :(){ :|:&};:
    1. Re:hacker wargames by agentZ · · Score: 4, Informative

      Not quite. The Army cadets are not allowed to attack the NSA or the other military academies. It's strictly a defensive exercise.

  5. Also, it doesn't say which OS by GillBates0 · · Score: 5, Interesting

    Will the network have UNIX or Windows based OS's? I would think the better idea is to use a mixture of OS/platforms to simulate a real-world network, but it should've been mentioned.

    It would also be interesting to see which OS allows the "red team" to infiltrate the network.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
    1. Re:Also, it doesn't say which OS by dknight · · Score: 5, Informative

      For the most part, the army uses Windows boxes... Mostly Win2k and Windows XP. At least, they do in the command I work at.

      I am aware that there ARE various UNIX boxes scattered around, but Windows makes up the vast majority, for reasons that continue to elude me.

      -Damen

    2. Re:Also, it doesn't say which OS by OECD · · Score: 4, Informative

      Will the network have UNIX or Windows based OS's?

      Read the fine article--the Army team, at least, uses Linux

      Pretty amazing the /. story didn't trumpet that fact.

      --
      One man's -1 Flamebait is another man's +5 Funny.
    3. Re:Also, it doesn't say which OS by JimDabell · · Score: 4, Interesting

      Read the fine article--the Army team, at least, uses Linux

      I wonder if they'll be using the NSA's Linux against the NSA?

    4. Re:Also, it doesn't say which OS by agentZ · · Score: 5, Interesting

      I'm involved at the Navy side of this exercise.

      The requirements specify using Exchange, but otherwise we're free to use whatever operating systems we want. Obviously I can't say what we're using for operational security reasons, but let's just say that it's a heterogeneous environment.

  6. Uh oh... by adun · · Score: 4, Funny

    I'm sure we all remember the LAST time some snotty smart punks hacked into a military computer!

    "Hello Professor Falken. Would you like to play a game?"

    *shudder*

  7. Shocking by thebra · · Score: 5, Interesting

    Army lost last year not because of a successful outside attack but from a self-inflicted wound in which an authorized network user accidentally knocked out service for several hours, costing precious points that helped Air Force prevail.
    Isn't this how most corporate networks are taken down? BTW, I can't access the intranet.

    1. Re:Shocking by ssuppe · · Score: 5, Informative

      Army lost last year not because of a successful outside attack but from a self-inflicted wound in which an authorized network user accidentally knocked out service for several hours, costing precious points that helped Air Force prevail.

      Well, that's not exactly what happened. I was a member of the Air Force Academy's team. I don't want to give too much away because you never know who will be reading this, but the Air Force's Team didn't have a SINGLE break-in during the entire exercise. Even when we were ordered to take down our firewalls on the last day, all of our machines were so locked down (even the requisite Windows Boxen) that there were no compromises. The Red Team wasn't even able to perform a 100% successful DOS attack.

      The exercise was basically run like this. Every team was given more or less the same hardware/# of machines to use to defend their network. You were allowed to use any operating system you felt was necessary, although a certain number of Windows machines had to be on the network. Each team had to provide a variety of services, including local account, local mail for members of the red team, web servers, database services, mail, DNS and FTP. SFTP was not allowed, so you had to be creative in your security.

      Services were measured by downtime - a service could go down for a specific amount of time before points were taken away. The points were on a subjective scale based on amount of downtime, how you remedied it, etc.

      It should ALSO be noted that this is an exercise that resides purely in Academia - it's an exercise between a bunch of different service academies, which is NOT the same thing as the operational United States military.

      All in all, it was an EXTREMELY exciting exercise, lots of attacks were thwarted, many cans of Mountain Dew were imbibed. We laughed a little, cried a little, heck we even learned a little.

  8. I hope not by go3 · · Score: 5, Funny

    They'll probably just install Norton Internet Security.

  9. And for the winner... by 53cur!ty · · Score: 4, Funny

    A lovely 5 year stay in Leavenworth!

    What do we have for the runner-ups John?

    Where the fun is

  10. haha by Anonymous Coward · · Score: 5, Interesting

    We get random NetBIOS traffic from the DoD all the time... looks like something is not locked down over there. Either that or they are scanning other government agencies for open Windows computers. hmmmm.

  11. Meanwhile... by Otter · · Score: 5, Funny

    ...the former head of the Los Angeles LUG protests this by, uh, ...

    Hmmm, I guess he's run out of cheap ways to get attention. Maybe he could quit the AAA or the Subway Sub Club, or something like that.

  12. Reveal all methods? by KaDOOGAN · · Score: 5, Funny

    As the post states, I don't think NSA will reveal all methods.

    DOD: could you sec-test our network?
    NSA: sure.

    NSA: we've found these holes
    DOD: fixed
    DOD: hey, now even you guys can't get in!
    NSA: Doh!

    --
    No electrons were harmed sending this message. Wait, ... maybe a few.
  13. Art of War by WoodenRobot · · Score: 5, Funny

    Cyber warfare, a subset of classic information war that goes back as far as ancient Chinese military strategist Sun Tzu, has pushed its way into U.S. military curricula as the Internet has become pervasive.

    Sun Tzu say "try asking them for their passwords, maybe offering a bar of chocolate in return."

    --
    ---
    "I did nothing. I did absolutely nothing and it was everything that I thought it could be."
  14. After the exercise by ch-chuck · · Score: 5, Funny

    A sergeant is pacing in front of a line of soldiers at attention, bellowing, "I've never seen such a sloppy outfit! Dictionary passwords on the root filesystem - open NetBIOS ports on the security gateway!!"

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  15. Hopefully, the NSA does not have by thisissilly · · Score: 4, Funny
  16. Useless exercises by eyeball · · Score: 5, Insightful

    Unfortunately exercises like this show how our conventional approach to warfare (cyber- or human-) is doomed in the world of increasing unconventional war tactics.

    With a network or a piece of land, actively defending against a known enemy in a known timeframe is fairly easy. You know the rules for engagement, you can easily account for all the possible outcomes.

    Putting processes in place to defend against undeterminable attackers in an indefinite timeframe approaches the impossible. In a network, all it takes for hostile code to infiltrate is one human error (i.e.: a race condition when a firewall ACL changes). Same with terrorism: all it takes is a few people with flight training and box-cutters to do some serious damage. There are no rules of engagement.

    Put another way, conventional warfare (again, cyber- or human-) is like a chess tournament. Predictable rules. For the unconventional, imagine someone winning a chess tournament by pulling out a gun and shooting the opposing player.

    --

    _______
    2B1ASK1
  17. Windows Boxes... by bfg9000 · · Score: 4, Funny

    ... I personally find that Windows boxes are the hardest to crack, because every time I'm about to get in, the damn thing crashes and the victim reboots and I lose all my work. And then when I finally manage to get on the system, it crashes again, usually when I'm halfway done stealing his copy of Massive Zoomers and the Ladies Who Love 'Em 4. Arrrghghghghhhh!

    It's just not worth it, the patented Windows BlueScreen Security System[tm] is foolproof. I'll take the easier road and stick to hacking OpenBSD boxes.

    --

    I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."

  18. Re:Hackers vs. Crackers by NineNine · · Score: 4, Funny

    Then stop beating a dead horse. It's not gonna happen, any more than my active campaign to call "automobiles", "eggplants". For some reason, people just aren't interested in changing the meaning of words they use already. Don't ask me why...

    Anyway, I'm off to go get my eggplant registered.

  19. This is not new. by BeProf · · Score: 5, Interesting

    This has been going on each year for almost 10 years now. Each of the "official" military academies compete, and the best team wins the NSA Information Assurance Directorate Trophy. In the past Army, Navy, and Air Force have all done quite well, while Coast Guard has not.

    Contrary to popular belief, the NSA Red Team isn't allowed to use any of the NSA arsenal of dirty tricks. They are only allowed to use software that is freely available off the internet (NMAP, snort, etc.) running on commodity hardware. They can't do anything that violates Federal Law, (other than the intrusion attempts themselves), but social engineering is ok.

    Also, break-ins are not an automatic loss, per se. Nor is prevention of break-in an automatic win. The goal of the Red Team is DoS. For every minute a service remains down, the Red Team scores points. The cadet teams win points based on how quickly they detect and respond to the attacks. All judging is done by an NSA White Team.

    I'll see if I can find some more info and post it here.

    --
    You are attempting to read sigs. Cancel or Allow?
  20. Re:So this is what our tax dollars go to... by rjune · · Score: 5, Insightful

    If I had moderator points, you would be at -1 right now instead of 0.

    This is the best way to learn security, by applying the "book learned" concepts to the real world. In fact, this is exactly what we did for the final project in the Computer Security course that I took as part of my MS in Computing program at Marquette.

    It also reinforced a very important concept -- people are the weakest link. We got the other group to send us passwords by faking an email in the instructor's name!

  21. NSA's Secret Plan by MisterSquid · · Score: 4, Funny

    Army slob 1: OK, everything locked down?

    Army slob2: Services off, filtering on. Nothin's gettin' in here.

    NSA hack: [Taps on keyboard. Clicks "Send."]

    Army slob 1: Hey, check it out. I just got an email with nude pix of Natalie Portman and HOT GRITS!

    Army slob 2: Score!

    Army slob 1: [Clicks "Open Email"]

    NSA 1: Army 0

    --
    blog
  22. This isn't really that new... by bingbong · · Score: 4, Informative


    This really isn't all that new. The U.S. Naval Postgraduate School has been sending their Infosec students to play Capture the Flag at Defcon for the last couple years as well as this year's Interz0ne conference. In fact, there was only one team (Anomaly - and they won ironically) that didn't have government personnel or contractors on their team.

    Also, Immunix, a DARPA funded hardened Linux version, has also been put under fire during CTF for the last couple years. (Their team placed a solid second both times).

    The Feds have learned over the last couple years that they are behind the ball in terms of normal unclassified security training for their personnel. These conferences have been really good at giving them some real world training that they normally don't get.

    It's nice to see my tax dollars being put to a good use for a change. Plus it makes the "Spot the Fed" game MUCH easier.

    --
    "Omnis tuus capsa sunt inesse nos"