NSA Takes On West Point In Security Exercise
Wired is running a story about a recent security exercise in which the NSA attacked networks set up by various US military academies. The Army's network scored the highest, put together using Linux and FreeBSD by cadets at West Point. Quoting:
"Even with a solid network design and passable software choices, there was an element of intuitiveness required to defend against the NSA, especially once it became clear the agency was using minor, and perhaps somewhat obvious, attacks to screen for sneakier, more serious ones. 'One of the challenges was when they see a scan, deciding if this is it, or if it's a cover,' says [instructor Eric] Dean. Spotting 'cover' attacks meant thinking like the NSA -- something Dean says the cadets did quite well. 'I was surprised at their creativity.' Legal limitations were a surprising obstacle to a realistic exercise. Ideally, the teams would be allowed to attack other schools' networks while also defending their own. But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network."
Man, I love reading about stuff like this, but this article has some serious vagueness that really leaves unanswered questions. Perhaps a true security-fluent slashdotter can offer some insight if they are familiar with this particular game:
Why does this require "custom tools" with automatic monitoring? Really, I doubt the students know the details of asymmetric security theory / Ph.D. level mathematics, and were monitoring something like (if I get a port scan from IP x.x.x.x then tell "router guys" to block IP x.x.x.x).
It seems to me that this should be something that essentially should be done automatically, and with a very well-configured system would not cause that much of a problem.
Also, the article was written for somebody who doesn't understand computers to go "whoa." "Kernel-level rootkit"? How the hell did this "unwelcome executable file" get on the box to begin with, and why was it executing in kernelspace? I assume they were required to start with a compromised system, otherwise this is something that major corporations do all day (general traffic monitoring) and is actually kind of not exciting.
I wish that Wired and magazines would write at a technical level and describe accurately what is going on - IMHO more information is always better!
Slashdotter, ID #101. UIDs are in binary, right?
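The poster above describes the defensive rule he imagines the cadets were running ("if I get a port scan from IP x.x.x.x then tell the router guys to block it"), and the Wired quote raises the harder follow-up: once a scan is flagged, is it the real attack or a cover for a quieter one? The following is an added example, not code from the post, the article or the exercise. It assumes a constructed firewall-style log (one line per inbound connection attempt, fields `SRC`, `DST`, `DPT`) and flags a source as a scanner when it touches many distinct ports on one host inside a short window; a second pass then lists the sources that did not scan but did touch the ports of the services the cadets were required to run (LDAP for Active Directory, XMPP for Jabber), which is the "is this scan a cover?" question reduced to something a log server can answer.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the exercise). Timestamps are ISO-8601,
# the key=value fields mimic a netfilter-style connection log.
SAMPLE_LOG = """\
2009-04-20T10:00:01 SRC=198.51.100.7 DST=10.0.0.10 DPT=21
2009-04-20T10:00:01 SRC=198.51.100.7 DST=10.0.0.10 DPT=22
2009-04-20T10:00:02 SRC=198.51.100.7 DST=10.0.0.10 DPT=23
2009-04-20T10:00:02 SRC=198.51.100.7 DST=10.0.0.10 DPT=25
2009-04-20T10:00:03 SRC=198.51.100.7 DST=10.0.0.10 DPT=53
2009-04-20T10:00:03 SRC=198.51.100.7 DST=10.0.0.10 DPT=80
2009-04-20T10:00:04 SRC=198.51.100.7 DST=10.0.0.10 DPT=110
2009-04-20T10:00:04 SRC=198.51.100.7 DST=10.0.0.10 DPT=143
2009-04-20T10:00:05 SRC=203.0.113.9 DST=10.0.0.11 DPT=5222
2009-04-20T10:00:06 SRC=192.0.2.44 DST=10.0.0.10 DPT=80
2009-04-20T10:01:30 SRC=203.0.113.9 DST=10.0.0.12 DPT=389
2009-04-20T10:30:00 SRC=198.51.100.7 DST=10.0.0.10 DPT=443
"""

# Assumed log line shape; adjust the pattern for a real device.
LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)$")

# Ports of the services the cadets said they had to run (AD/LDAP and Jabber/XMPP).
SENSITIVE_PORTS = {389, 5222}


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dpt": int(m["dpt"]),
        })
    return events


def detect_scanners(events, window=timedelta(seconds=60), min_ports=6):
    """Return {src: first_seen} for sources that hit >= min_ports distinct
    ports on a single host within `window` (a sliding window per src/dst pair)."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    scanners = {}
    for (src, _dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dpt"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                scanners.setdefault(src, evs[start]["ts"])
                break
    return scanners


def quiet_sources(events, scanners, sensitive_ports=SENSITIVE_PORTS):
    """Sources that never tripped the scan rule but touched sensitive ports.
    These are the connections a loud scan could be covering for."""
    hits = defaultdict(set)
    for e in events:
        if e["src"] not in scanners and e["dpt"] in sensitive_ports:
            hits[e["src"]].add((e["dst"], e["dpt"]))
    return {src: sorted(pairs) for src, pairs in hits.items()}


def block_list(scanners):
    """The list that would go to the 'router guys': scanner IPs, sorted."""
    return sorted(scanners)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    scanners = detect_scanners(evs)
    print("block:", block_list(scanners))
    print("quiet sources on sensitive ports:", quiet_sources(evs, scanners))
```

The threshold and window are deliberately parameters: a low `min_ports` catches slow scans but also flags a busy legitimate client, and the second pass is only useful if the sensitive-port list actually matches the services you are obliged to expose.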
Purchasing Open Source Tools that could automatically thwart these types of attacks is too expensive. They cost at least as much as a toilet seat, and we know from the news that they have not been purchasing any toilet seats.
Rootkits are payload, normally, something deposited by an attacker using an exploit to get in. The author of the article doesn't seem to appreciate the difference between the holes used to get into the network and the secondary attacks launched from there. It's not even clear from the article whether the Army ever found out how the rootkit was delivered.
But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network
Um, isn't the NSA part of the DoD? So they would not need anything special to take down a network as they are all under the same organization. Or, likewise, they would have consent which would allow them to attack the network. I really do not see the need for such a fear-mongering statement at the end of this summary.
But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network."
yah, right. 14 year old serbo-croatian kids do that every day.
Sacred cows make the best burgers.
Isn't that a Windows thing? There is no other mention of Windows in the article.
Are you implying that previous generations do not have intelligence and creativity? Who do you think is teaching these cadets and running the exercise?
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
Dumbledore?
Nerd rage is the funniest rage.
This reminds me of when LT Reginald Barclay started teaching at Starfleet Academy.... his stutter left many questions unanswered... but the bright side of this is that he was able to help the Voyager crew make proper communications with the Alpha quadrant.... ok this isn't really a joke, it's fact.
WWPD - What Would Picard Do?
This isn't really an official extension of West Point, but rather a club at West Point known as SIGSAC.
The club's members every year get a chance to visit the NSA and see some rather interesting stuff, and so has a rather good relationship with the NSA in general.
The club itself operates out of West Point but has a network connection that isn't attached to West Point's network. It has actually participated in contests in the past as well with other schools/groups, so unless something's changed in the past couple years, that part of the summary is incorrect. If I had to wager a guess I'd say the focus of the group is just being directed purely at defensive measures, rather than actual attacks.
The USMA academy is some of the best of the best. Meaning, these guys have to be appointed by two state senators to even apply... That is why the kids that go there are the top 2% of the nation. Also, did I also mention that many of the US's best leaders came from West Point? :)
In addition, I have several systems that run at the USMA, and know their admin personally. They have a pretty good network setup simply because they never have the money they need so they are forced to implement the best solution rather than the most expensive solution.
I was actually part of the exercise, and I would agree that the article is very vague. The main purpose of the exercise was to help cadets learn best security practices of building a network. There were required services we had to run, such as Exchange, a web server, DNS, Active Directory, and a Jabber messaging server. The rootkit they speak of was on the box because the other part of the exercise was trying to secure untrusted computers. They riddled two Windows VMs and one Linux VM with as much stuff as they could, and then told us to secure them. Naturally we missed some things, which allowed the callback to go out.
As for the 'custom tools', I have no idea what they are talking about. We used native Windows logging and a few open source programs to pull logs to a log server, but that was about it for extra programs. I would agree that the article was written for the non-technical person, but those are the kinds of questions they were asking us when the reporter was here.
With MS pw's and a perl script.
http://arstechnica.com/news.ars/post/20060712-7249.html
Domestic spying is now "Benign Information Gathering"
Nice job guys! I have seen a lot of air force cyber talk, but not much coming out of the Army. Good work.
IF Asked AND IF Unclassified, the agency/party MAY provide a copy of the ENDEX.
Contact the Academies, NSA, even the Departments of Defense, Army, Air Force, Navy.
ENDEXs have event logs, referee notes, exercise build and teardown plans....
The only thing new in this world is the history that you don't know.[Harry Truman]
"kids that go there are the top 2% of the nation. Also, did I also mention that many of the the US best leaders came from West Point"
Oh please, they all say that - the USNA, USAFA, even the USCGA. Not to mention that MIT, Stanford, Carnegie Mellon, et al contend that they get the best of the best. I have worked with managers and engineers that graduated from various military academies; other than an inflated sense of patriotism and an intolerance for dissent, these people are no different from any other college.
As a former Marine, I have had to contend with more than one arrogant "ring knocker".
The military officer is the last of the elitist blue-bloods left in American society. The military NCO is the last of the true patriots that somehow just find a way to get it done.
True, I'm sure there are many civilian employees at the NSA, just like there are many civilian employees on any Army base. For example, the folks who work at the cafeteria in most Army bases I've been to are usually not enlisted. I imagine that the same is true for most of the NSA's mathematicians; I don't know a lot of mathematicians who would be interested in going through Basic Training.
In contrast, the CIA is a separate, standalone agency. They take their orders from the President, and Congress, or something like that. Things get a little more muddy when you consider that the FBI, CIA, NSA, and all those other agencies are all coordinated by the Director of National Intelligence, but that's more or less the way things work (I think
Biggest question is, did they allow you to use your own tools, or did they just let you use divining rods.
Sort of ignorant on their part, that they would expect you to keep security on one of the most critical networks in the world and not have proper tools.
Example: image the drive, make it read only, no execute and use tools like rkhunter, and many other programs to see what is running on the system under test.
To me, having a compromised machine on a military network would get it an instant pulled plug, and a backup brought into play, with major lockdowns on network communication. Considering you can let the genie out of the bottle and not put it back in, in a very short time.
When you detect malware installed on your system, wipe and reinstall. Always! There is no "cleaning".
Probably wasn't possible given the parameters of the test, but they tried to clean a rootkit and got the predictable result.
Help stamp out iliturcy.
My rights don't need management.
Those West Pointers usually make pretty good officers. Or, at least they do after a few SFCs drag the new looie behind the barracks and beat all the West Point hogwash out of them.
];)
Regards;
I'm curious why the rules didn't allow snort to block things. Was there a specific reason given?
Along the same lines, were there other tools not allowed or "crippled" (meaning not able to use some particular (or some range) of functionality)?
I think this is a pretty interesting question. Remember the movie Russia House? The main part of the plot was the discussion over how dangerous lists of questions were--they indicated what you didn't know and what you were focusing on. Generally, I believe the same applies to rules in a game.
I invited NSA to run their red team against a classified intelligence network I ran back in the '90s. That's back when nearly every security tool was of your own creation. I was running SunOS 4.1.3, so at least I had a little help from OS security options.
They had to come on-site to break us and they identified only one finding for which we didn't already have fix planned or in work. We considered that a raging success!
The most embarrassing moment was when they broke the System Security Officer's password with an expanded dictionary attack. I got to kid her about that for months! "How's your password today?" "Strong, dammit!"
Invenio via vel creo
So the US government is creating a generation of black hat security experts: pros who define the cutting edge of hostile attacks on infosystems. That's all right and proper as part of the US military, the necessary maintenance of infiltration and coercive force that is required to operate as a last resort of public policy produced under the Constitution, like any military power.
Leaving aside the separate and important issue of Congressional and other oversight to ensure the military crackers operate always under proper law and in the formal national interest, what happens to these people when they leave government service? We'll have created dangerous people whose careers are dedicated to acts that are illegal, and threaten national (and private) security if they are used in attacks outside the proper military context. Sure they're like any other armed soldier, whose many other developed skills are valuable in many contexts not violence. But the fact is that many retired soldiers do find their skills and interests best fit a police or private security career, and even as paramilitary mercenaries - some of which private armies are emerging as serious threats to world stability in its balance of power. Military crackers are different, though: there is little or no role in non-military police, and virtually no legal role in private employ cracking anything.
We are creating an army of high-end crackers who will find themselves leaving the military, and available for hire by the legions of private employers whose use of them to crack systems is mostly illegal, or even acts of war.
We should consider how to track these people and their later activities. Working to secure and to test secure systems with permission of their owners is a valuable asset to keeping us all safe, whether as national service or in private employment. But leaving lots of them floating around loose practically guarantees that at least some of them will find jobs illegally cracking systems without the owners' permission, to do crimes, or perhaps even working for foreign militaries running attacks without coordination with proper US foreign policy, perhaps against our allies, perhaps against us, perhaps even just destabilizing some balance worked out among our enemies.
We are creating many serious potential threats, as part of our programme to reduce and eliminate threats. Part of that programme should be minimizing the increased threat we're creating with them. There's got to be a way to help these people continue their careers with the most freedom, which will overall increase security (and their personal benefit) that doesn't let some few people turn against their training (and likely oaths to "be good").
--
make install -not war
Exactly which trainees do you plan on registering, the students or the red team? I think you are missing the overall point of the exercise. There was no offensive side to the students' networks, only setting up the services and trying to protect them. The red team - those that the NSA already employs - were the only ones attempting to break in. The academies' jobs were to simply keep them out. I can see your point about keeping track of those who have been part of the NSA, but I would be willing to bet that is already taken care of.
- RG>
Hey pal, this isn't a pleasant forest, so don't waste my time with pleasantries!
Anyone here know how good the CS/IT/EE curriculum in the military academies is? And do those members usually end up deployed where their expertise is useful?
I've heard the Air Force is the leading branch for network stuff, so I'm surprised the Army did well.
But the commercial tools, with the yearly support, and sending the men all off to be trained, Priceless
Sorry above is a bit of a rant.
I interviewed at NSA headquarters in Maryland, and I'm told by NSA engineers that such procedures are fairly common for ensuring the protection of United States networks from foreign adversaries. They do this sort of thing all the time; this was perhaps the first instance that was publicly known.
By the way, the NSA facilities are unbelievably frightening. Just thought you all ought to know.
- Hi... I'll be seeking a nomination from you in 3 years, here is what I have done to earn it.
- Hi... I'll be seeking a nomination from you in 2 years, here is what I have done to earn it.
- Hi... I'll be seeking a nomination from you in 1 year, here is what I have done to earn it.
- Hi... I am seeking a nomination from you and here is what I have done to earn it.
Worked for me...
Also, the whole nomination process is pretty misunderstood. It is just a nomination - you still have to get an appointment (read: accepted). Each representative can pass on 10 names for each vacancy (and each rep can have five constituents at each academy at any one time). If you think about it, there are 435 representatives, 50 senators and a handful of presidential and vp nominations or about 500 nomination "sources". Since each class usually has around 1000 students (at each academy) that means that on average each nominating source only has 2 of their vacancies filled so on average they can forward 30 names to each academy each year.
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
Mod parent up "informative" only because there isn't "primary source" as an option. :)
The NSA: Granted, they are all powerful and perhaps evil, but at least they're on OUR SIDE. I don't like wars or conflict (I think they are outdated methods of resource allocation), but if shit hits the fan, we've got people that can and will defend us.
I think that is good.
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
Which is it? Legal limitations or NSA not affected because of 'arsenal of waivers...'? I hate summaries like this with such an overt bias against anything the NSA does. Either they were legally limited, or they had a bunch of waivers...which is it? The sad thing is that this could have been a much more effective exercise without the unnecessary complexity introduced by the 1984-inspired Kooks amongst us.
...
Also, the whole nomination process is pretty misunderstood. It is just a nomination - you still have to get an appointment (read: accepted).
So what you're saying is that you didn't actually accomplish anything of note? And that your anecdote is spectacularly useless?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
As a former Marine, I have had to contend with more than one arrogant "ring knocker".
... it sure is funny when 2000 soldiers lose half their C2.
Many of the most arrogant assholes I ever ran into in Baghdad were Marines. I especially liked how they destroyed two battalions' network links by carelessly tearing down marked cabling. Their S3 later laughed it off like it was funny.
But wait, there's more. I seriously considered West Point, and talked to some folks about applying and getting an appointment. I was a finalist for the NMS at the time, so our reps basically told me "Don't worry about it, if I have to borrow a nomination and pay it back for the next ten years, you'll get one." So, they can even horse-trade them like picks at the drafts!
no.... you still have to get a nomination - my point was that it isn't as difficult as many perceive. Getting the appointment is the real challenge.
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
You don't know what you're talking about. I am a military academy graduate and I had absolutely zero political ties.