Details of Cyber Storm War Games Released
I Don't Believe in Imaginary Property writes "Apparently, the participants in the U.S. 'Cyber Storm' war games are familiar with the Kobayashi Maru, because some of them tried to cheat by hacking the games themselves. They also prepare for some very interesting scenarios. Among other things, the organizers are worried about having too many people on the 'No Fly' list show up at an airport, finding 'mystery liquids' in the subway, and having bloggers reveal the classified location of railcars with hazardous materials. The Department of Homeland Security has already analyzed the results of the games, and plans to hold 'Cyber Storm 2' in March."
Defcon: Everybody Dies by Introversion you mean? :D Which reminds me of another game by the same group that does not simulate what happens as a result of cyber attacks but allows you to play as the attacker: Uplink. It's also a very entertaining game though not entirely realistic.
Weaksauce as they say...
Have any details on how these "games" are actually run? I'm interested in how they simulate everything...is it just a mock control room with a game server hooked up to everything instead of the real world, or do they actually use real world utilities and networks to do this? I read the article but it was more newspaper-speak than technical details.
Obligatory blog plug: http://www.caseybanner.ca/
Does anyone else feel like a huge nerd for knowing what the Kobayashi Maru is?
...there are spies, profiteers, and anarchists that would do things like that. So I guess it was a successful experiment to see what just might happen.
Eviscerate the Proletariat!
Seems to me that the two cases would have equal consequences and equal risk levels, and that no other individual could possibly modify those values significantly, reducing the security through obscurity to someone's job security through obscurity. Tell me, why should I care about this person's job more than I care about any potential risk to my wellbeing?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
People find mystery liquids on the subway all the time. It's called "urine".
I find it interesting that they call hacking the game itself "cheating."
Reminds me of when I was in college and us CS people used to get together and play a computerized version of capture the flag. The premise of the game was simple enough -- players were divided into 4 teams of 2-3 people each, and each team got a machine that came pre-loaded with an older unpatched version of Linux that had well known and published security vulnerabilities (something like Red Hat 7.3). Each machine had 4 services running on it -- typically SSH, Bind, Apache, and telnet (yeah...*sigh*). Each of those services came configured to return a certain string (the so-called flag) when queried by a master scoring server that ran a fairly simple Python script. The script ran once every minute and then displayed up to date team scores on a video projector. The rules of the game stated that we could not patch the machine or use IPtables to lock down the machine. Anything else was fair game. The machines and the scoring server were all networked together on a small private network, and each team was given one additional network drop to do with as they pleased.
Anyway, one night we got together to play CTF and there were only enough people for 3 teams of two. Since that doesn't make for such an interesting game, one of our professors who was just supposed to be observing decided to join in and be on his own team. As soon as the game started, everyone went to work furiously trying to defend their boxen and then the real fun -- the attacking -- began.
We were all quite surprised when the first round of results came in and our professor hadn't had anyone hijack his machine. He also evidently hadn't attacked anyone else. The night went on and each of the student teams went back and forth, attacking and defending, but our professor stayed the same -- he neither had anyone successfully compromise his box, nor successfully compromised anyone else's.
The last few minutes of the game saw my team dead last, our professor in third place, and two other teams above us. 5 seconds from the end, our professor's score suddenly increased to an ungodly high (and according to the rules unattainable) score, with the rest of our scores getting set to zero. As the clock ticked down and the game came to an end, we were befuddled as to what happened.
Suddenly it dawned on us -- our professor had spent the entire time hacking the scoring server (which was supposed to have been an up to date, secure Linux install) and replacing the Python scoring script with one of his own, all to his advantage. At some point during the game, he had actually replaced the running script with his own, without any of us ever noticing. We were all in awe and amazement at his creativity -- the idea to do such a thing had not even occurred to any of us. We learned several valuable lessons that night, one of which was that the mind of a creative attacker may not be confined solely within the nice little security box that you place it in. That, and never mess with your professors!
echo $SIG
I love how the Feds find uncensored and uncontrolled free press a "threat".
Reading that article really opens eyes as to the real inside of our government. The founding fathers have got to be spinning at 30-40 thousand RPM in their graves by now.
Do not look at laser with remaining good eye.
Why does this sound like the plot to WarGames 2?
http://en.wikipedia.org/wiki/WarGames_2:_The_Dead_Code
The movie has a system that sounds a lot like the one talked about here.
So, to summarize your post:
WTF?
You obviously missed the whole point, which was really to work on the cooperation and communication. They weren't testing specific countermeasures, but stressing the people and the organizations involved to see what happens. Even if it weren't, being more prepared or knowledgeable about some threats is better than being knowledgeable about no threats.
JOIN US FOR PONG!
As does everyone who drives on the NJ Turnpike. Do I win?
What about China's reaction to unforeseen disaster? Currently they are suffering a huge week-long blizzard that has stranded millions of people who were travelling home for Chinese New Year. At one station alone there were several hundred thousand people waiting several days for the trains to restart.
People stuck in a blizzard is nothing new in China; what I found interesting was that the government has made a rare official apology to the people for being unprepared for the magnitude of this particular storm. Politicians are turning up at train stations and addressing the massive crowds with bullhorns, apologising profusely while explaining that the trains can't run until the power lines are back up and the tracks are cleared.
Some people were complaining, but the majority were spontaneously applauding and cheering the guy with the bullhorn.
BTW: I realise that the news from China is tainted with propaganda and a politician with a bullhorn won't get the trains back any faster. However, since they have a million troops working on the clean up, have hailed 6 electrical workers who died trying to restore power as national heroes, plus the aforementioned apology for something they could not realistically prevent, I think the applause is not entirely hollow.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
I haven't seen anything but their say-so that the cut was an accident. It could have been deliberate to slow down Middle Eastern stock market transactions, to try and avert a meltdown... just sayin'... or something else. Could be a lot of things. I don't know, but so far I ain't buying the story as advertised. It might be true, but it smells bad. We have one report that says ships got "ordered" to go anchor in an unusual place... this is a clear WTF? episode then. Why they do that? Plausible deniability excuse, some "ship's anchor" did it?
Whenever there is a HUGE screwup, judging by past historical references and parallels with big business or governments, it pays to reject the first official "explanation".
The Cyber Storm war game is not about penetration testing. It's about response coordination. The US government has plenty of people who network in the security community and keep up on exploits etc. They have SNORT and SHADOW and who knows what other IDS systems all over the net watching for new exploit code.
The key element of these war games is to test response capabilities. Testing existing exploits would be pointless. An exploit could come out tomorrow that allows someone to control every Cisco router on the planet. Would that cause problems? You bet. At that point entities which have a tested and rehearsed security response plan will fare better than those who don't. Also organizations which have handled security incidents before will also fare better.
Charles Wyble System Engineer
The point of wargames is to prepare for possible situations, and train people how to react to them. If you fail to anticipate a situation, you have a weakness that can be exploited. I agree in general, but not with this particular cheat.
Michael Chertoff, in Wired: "They point out where your expectations of your capabilities may be overstated," Homeland Security Secretary Michael Chertoff told the AP. "They may reveal to you things you haven't thought about. It's a good way of testing that you're going to do the job the way you think you were. It's the difference between doing drills and doing a scrimmage." I don't see the article saying that particular computer vulnerability was previously unknown. In fact, requesting that everybody not target the server suggests that the particular exploit is a known weakness, thus use of it is redundant to the organizers & lazy on the part of the cheaters, not insightful & informative & funny, & all-around, it's definitely not worthy of the prize. Of course, somebody among the organizers probably thought of that, and somebody else really should have listened more attentively.
Wired: Perplexed organizers sent everyone an urgent e-mail marked "IMPORTANT!" instructing them not to probe or attack the game's control computers.
"Any time you get a group of (information technology) experts together, there's always a desire, 'Let's show them what we can do,'" said George Foresman, a former senior Homeland Security official. "Whether its intent was embarrassment or a prank, we had to temper the enthusiasm of the players."
The exercise was a big deal for all concerned.
The $3 million, invitation-only war game simulated what the U.S. describes as plausible attacks over five days in February 2006 against the technology industry, transportation lines and energy utilities by anti-globalization hackers. The government is organizing a multimillion-dollar "Cyber Storm 2," to take place in early March. They offered $3 million to the winner, left playing by the rules to "the honor system," and the organizers were "perplexed" that somebody cheated? That is stupid! They'll need to make it an "invitation, to use our-crippled-terminals-only war game" next time, and simulate the whole thing on an isolated LAN, if they want that kind of controlled simulation. Or, they can just repeat the same mistake, I guess, and hope it works better this time.
All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..