Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Takes On West Point In Security Exercise

Posted by Soulskill on from the with-friends-like-these dept.

Wired is running a story about a recent security exercise in which the NSA attacked networks set up by various US military academies. The Army's network scored the highest, put together using Linux and FreeBSD by cadets at West Point. Quoting: "Even with a solid network design and passable software choices, there was an element of intuitiveness required to defend against the NSA, especially once it became clear the agency was using minor, and perhaps somewhat obvious, attacks to screen for sneakier, more serious ones. 'One of the challenges was when they see a scan, deciding if this is it, or if it's a cover,' says [instructor Eric] Dean. Spotting 'cover' attacks meant thinking like the NSA -- something Dean says the cadets did quite well. 'I was surprised at their creativity.' Legal limitations were a surprising obstacle to a realistic exercise. Ideally, the teams would be allowed to attack other schools' networks while also defending their own. But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network."

8 of 140 comments (clear)

  1. More details, anybody? by neapolitan · · Score: 5, Interesting

    Man, I love reading about stuff like this, but this article has some serious vagueness that really leaves unanswered questions. Perhaps a true security-fluent slashdotter can offer some insight if they are familiar with this particular game:

    Why does this require "custom tools" with automatic monitoring? Really, I doubt the students know the details of asymmetric security theory / Ph.D. level mathematics, and were monitoring something like (if I get a port scan from IP x.x.x.x then tell "router guys" to block IP x.x.x.x).

    It seems to me that this should be something that essentially should be done automatically, and with a very well-configured system would not cause that much of a problem.

    Also, the article was written for somebody who doesn't understand computers to go "whoa." "Kernel-level rootkit"? How the hell did this "unwelcome executable file" get on the box to begin with, and why was it executing in kernelspace? I assume they were required to start with a compromised system, otherwise this is something that major corporations do all day (general traffic monitoring) and is actually kind of not exciting.

    I wish that Wired and magazines would write at a technical level and describe accurately what is going on - IMHO more information is always better!

    --
    Slashdotter, ID #101. UIDs are in binary, right?
  2. Re:Fantastic by Keebler71 · · Score: 5, Insightful

    Are you implying that previous generations do not have intelligence and creativity? Who do you think is teaching these cadets and running the exercise?

    --
    "It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
  3. I was in the exercise... by Anonymous Coward · · Score: 5, Informative

    I was actually part of the exercise, and I would agree that the article is very vague. The main purpose of the exercise was to help cadets learn best security practices of building a network. There were required services we had to run, such as exchange, a web server, DNS, active directory, and a jabber messaging server. The rootkit they speak of was on the box because the other part of the exercise was trying to secure untrusted computers. They riddled two Windows VMs and one Linux VM with as much stuff as they could, and the told us to secure them. Naturally we missed some things, which allowed the callback to go out.

    As for the 'custom tools', I have no idea what they are talking about. We used native Windows logging and a few open source programs to pull logs to a log server, but that was about it for extra programs. I would agree that the article was written for the non-technical person, but those are the kinda of questions they were asking us when the reporter was here.

    1. Re:I was in the exercise... by Anonymous Coward · · Score: 5, Informative

      I was also in the exercise... from the NSA side ;) (I have to post anonymously). I agree that the article IS very lean on details (as it should be), and geared toward a somewhat nontechnical audience. I have a different perspective from what the cadets at the USMA saw, as I experienced it from the opposition side.

      The network directive given out to the academies had stipulation they had to follow, and a scenario that reflected real world situations (the cadets were setting up a network that included VMs of computers they HAD to include in their network). The network directive also had costs associated with anything the cadets wanted to do. So if they wanted to park a cadet at a Snort terminal for the duration of the exercise, that had a cost associated with it, as did setting up VLANS, using IPSEC, other IDS sensors, firewalls, host/service monitors, etc. Each academy had to submit their network structure for review and approval prior to STARTEX. The scenario reflects real world situations that would come up in most operations that involve other allied nations.

      The NSA was strictly there to attack the networks and document any exploits they succeeded with. I can't go into details as to what our Rules of Engagement were, but suffice to say that we met with success with every school that was actually scored (the two graduate schools that participated were not scored).

      The whole goal of the exercise is to prepare the cadets for SECURING a network against information security threats. It is a DEFENSIVELY ORIENTED exercise. The cadets don't do any hacking (and I honestly think that unless a gifted or experienced cadet was at an academy with the skills to do a network penetration, they would not meet with much success).

  4. Re:West Point Club by Pinbll · · Score: 5, Informative

    Although SIGSAC was involved, this was done for the Information Assurance class that is taught by the CS department there. This was the culminating exercise. The course teaches security practices, and gives cadets a look into why it is important to program securely.

  5. Register the Trainees by Doc+Ruby · · Score: 5, Interesting

    So the US government is creating a generation of black hat security experts: pros who define the cutting edge of hostile attacks on infosystems. That's all right and proper as part of the US military, the necessary maintenance of infiltration and coercive force that is required to operate as a last resort of public policy produced under the Constitution, like any military power.

    Leaving aside the separate and important issue of Congressional and other oversight to ensure the military crackers operate always under proper law and in the formal national interest, what happens to these people when they leave government service? We'll have created dangerous people whose careers are dedicated to acts that are illegal, and threaten national (and private) security if they are used in attacks outside the proper military context. Sure they're like any other armed soldier, whose many other developed skills are valuable in many contexts not violence. But the fact is that many retired soldiers do find their skills and interests best fit a police or private security career, and even as paramilitary mercenaries - some of which private armies are emerging as serious threats to world stability in its balance of power. Military crackers are different, though: there is little or no role in non-military police, and virtually no legal role in private employ cracking anything.

    We are creating an army of high-end crackers who will find themselves leaving the military, and available for hire by the legions of private employers whose use of them to crack systems is mostly illegal, or even acts of war.

    We should consider how to track these people and their later activities. Working to secure and to test secure systems with permission of their owners is a valuable asset to keeping us all safe, whether as national service or in private employment. But leaving lots of them floating around loose practically guarantees that at least some of them will find jobs illegally cracking systems without the owners' permission, to do crimes, or perhaps even working for foreign militaries running attacks without coordination with proper US foreign policy, perhaps against our allies, perhaps against us, perhaps even just destabilizing some balance worked out among our enemies.

    We are creating many serious potential threats, as part of our programme to reduce and eliminate threats. Part of that programme should be minimizing the increased threat we're creating with them. There's got to be a way to help these people continue their careers with the most freedom, which will overall increase security (and their personal benefit) that doesn't let some few people turn against their training (and likely oaths to "be good").

    --

    --
    make install -not war

  6. Heaven forbidden by RealGrouchy · · Score: 5, Funny

    But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else)... No, Heaven doesn't have the security clearance to access that information.

    - RG>
    --
    Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
  7. Re:Academy academics by Daniel+Wood · · Score: 5, Interesting

    The truth of the matter is that the Army generally has the least amount of fuckups when it comes to communications. This is because the Army curriculum is VERY methodical and almost reads like a checklist (in fact, we often use checklists and cut-sheets).

    I'm not saying the Army is any more intelligent than any other branch. We have some really dumb people. The Army trains so that the dumbest kid on the block can do the job perfectly, every time.