NSA Wages Cyberwar Against US Armed Forces Teams

Hugh Pickens writes "A team of Army cadets spent four days at West Point last week struggling around the clock to keep a computer network operating while hackers from the National Security Agency tried to infiltrate it with methods that an enemy might use. The NSA made the cadets' task more difficult by planting viruses on some of the equipment, just as real-world hackers have done on millions of computers around the world. The competition was a final exam for computer science and information technology majors, who competed against teams from the Navy, Air Force, Coast Guard and Merchant Marine as well as the Naval Postgraduate Academy and the Air Force Institute of Technology. Ideally, the teams would be allowed to attack other schools' networks while also defending their own but only the NSA, with its arsenal of waivers, loopholes, and special authorizations is allowed to take down a US network. NSA tailored its attacks to be just 'a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones.' The winning West Point team used Linux, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems."

Linux

[sleekware]

Anyone surprised by the OS choice of the winner? It was going to be either that or BSD.

Re:Linux

[ouimetch]

Great security comes by keeping yourself off the grid of would be attackers. Even the most secure systems can be tapped if somebody wants to bad enough and knows where to find it.

Re:Linux

[socceroos]

That, my friend, is a dangerously shallow explanation of security.

Re:Linux

No whoosh involved when a comment that stale, pointless, and banal is not seen as humorous.

I think it was making fun of the traditional arguments about why Linux has fewer security risks. I.e. That Linux is "underrepresented" or benefits from security through obscurity. The post, though not funny to you, is funny to those who see through this disingenuous argument.

Re:Linux

[rtb61]

This still makes the assessment grossly unfair. They others teams forced to run windows were effectively discriminated against and stuck in a no win situation, especially as the NSA created a more secure OS SELinux, so obviously there secure OS of choice and effectively checked for any known hacks they could implement.

Of course for real security you need to involve the CIA, rather than hacking the software, you hack the admins, free love, hard currency etc. and, you get direct access and the hardware of your choice installed, good luck trying to secure software on insecure hardware ;D.

Re:Linux

[ArcherB]

Great security comes by keeping yourself off the grid of would be attackers. Even the most secure systems can be tapped if somebody wants to bad enough and knows where to find it.

For a Soldier/Marine/Sailor/Airman, the ability to communicate is just as important as the ability to shoot. The greatest marksman in the world is worthless when he is cut off from his unit and surrounded by enemies that are in constant contact with each other.

So to unplug the network cable from these machines kinda makes them worthless.

Re:Linux

[EEDAm]

You were surprised how confident and competent the NSA seems here? Honestly that got me scratching my head hugely. Not because I have some god given insight into the strength of the NSA but simply because this was an *under-grad* evaluation where they pitched the task as slightly too hard for the best under-grad team. Nuff respect to under-grads who study hard, but being an under-grad is just part of the journey and you have so much more you can develop when you finish that phase of your life. You really think it's surprising the NSA (or for that any fact any corporation / organisation / entity) is fairly or in fact let's make that *hugely* more advanced than the undergrads entering it? For every genius entrepreneur who comes out of college with a hot idea, there's a million who are just beginning their development. The world would be f$cked if we stoppped at that point...

Re:Linux

[Daniel+Dvorkin]

If the other teams were "forced to run Windows" (which it doesn't say anywhere in the story) then it would have been because of service policy ... in which case hopefully the Army's relatively favorable attitude Linux will get the other services' attention.

Re:Linux

[Software+Geek]

The competence of the NSA or the cadets has nothing to do with it. At the moment, the attacker simply has a huge advantage over the defender, no matter who the attacker and defender are. The defender must deploy a host of applications whose primary development goal was time to market, and security is still somewhere near the bottom of the todo list. The defender must rely on the discipline of end users with no interest or understanding of network security. The attacker can download all kinds of prepackaged exploits from the internet. The attacker only needs for a handful of those exploits to succeed. The defender can not afford to lose even once.
Government networks get hacked because they are defending. I would venture to guess that the NSA can hack into Chinese and Russian government networks just as easily as they can hack into ours.

Re:NCCDC

[nametaken]

How bad-ass must one be to withstand concerted hack attempts by the NSA? I'd think that would look really, really impressive on a resume. Especially for someone applying for a .gov job!

Kobayashi Maru?

[HaeMaker]

NSA tailored its attacks to be just 'a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones.'

Nobody wins, but lets see how long you hold out.

Re:Kobayashi Maru?

[Johnny+Mnemonic]

Also, note that the NSA isn't saying that they used the full force of their power and creativity. This is probably for several reasons:

-it's not worthwhile to simply crater all of the teams. You want to see who's the best graduates and the most receptive to a couple of years of schooling, even if they need 25 years worth of real world experience to stand up to a real world exercise.

-You don't want to reveal your whole strategy just for a graduation exam.

-Even if you do reveal your whole strategy, you don't want your opposition to know that you did.

I would be tempted to use something pretty rare, and mask the id strings--I would think that it would take so long to understand what OS I was really using to serve, and to research and characterize it's failures, that I would win. Like use BeOS and make it look like OS X as much as possible.

Re:Not as many?

[Burkin]

The programmers that contribute to OS projects are pretty adamant about good code, something Microsoft will learn one day.

And yet in practice this statement doesn't hold up because there is plenty of shit code floating around in open source projects.

Re:NCCDC

[Atlantis-Rising]

The fact that the NSA was willing to participate at all strongly suggests to me that the NSA was just playing games, and was not in fact utilizing anywhere near their full capabilities in this exercise. Which says something pretty impressive about the NSA.

OpenBSD?

[wandazulu]

When it comes to stories like this, or the one about the Dali Lama's computers being compromised, etc., I'm always surprised that no one considers using OpenBSD as their operating system; it's the only one that I know of that is specifically, purposely built, for security. Because it's Unix, it can still run pretty much everything (though you want to use the OpenBSD version because it's been reviewed for security holes, etc.).

Seriously, if I wanted to keep my battle plans, aircraft designs, etc. out of the hands of the "enemy", I'd lock them up in an OpenBSD server, preferably on some less-common architecture like the Alpha, so that anyone trying to hack my system would have an enormously hard time.

Yes I understand this doesn't take into consideration social networking. So I'd take a page from the elevated privilege playbook and say that in my organization, no one trusts the person below him/her so as secrets can never flow downhill. Going back to the operating system, this would presumably be handled by ACLs.

Of course, no system is immune from the booze-n-hookers style of temptation, but that's someone else's job; I'm just here to install and configure software. :)

Re:OpenBSD?

[RiotingPacifist]

I keep hearing that BSD is sooo much safer than linux, but isn't it all about the userspace, which is pretty much the same? For there to be much of a difference between linux & BSD you'd have to get to the point where you can make nasty system calls first, which provided your using SELINUX/apparmour/bsd equivalent is pretty hard.

I also fail to see how using a less thoroughly tested platform like alpha is better than using an x86 processor (specifically an x86 that has all the security enhancements)?

Despite my bias being that you are wrong, i am open to suggestions about how BSD is more secure and using alpha is a good idea?

Re:OpenBSD?

[drinkypoo]

I do not think that word [built] means what you think it means. OpenBSD is a fork of netbsd with a heavy code audit process and an even slower release schedule. I've run it myself (though not in a while) and even bought a CD and tee shirt and have a pretty clear idea of the OpenBSD situation. In fact, if you dug through my posting history you could probably even find me defending TdR's attitude. I am glad that they have such a focus on security, but it's not like they built it from the ground up with security in mind. Rather, their goal is to have the most secure Unix implementation. It's clear that it is possible to construct a more secure operating system than OpenBSD; it's not clear that you could have it be POSIX compliant.

Re:Not as many?

More than do the same with Windows

Secure Linux for the win

[WillAffleckUW]

That said, the assumption that the NSA are up to the off-the-reservation methods that true Black Hats would use may not be a correct assumption.

What we anticipate and plan for frequently is not what is used against us by someone who truly is our enemy.

You're looking at it backwards...

[malevolentjelly]

They weren't testing the operating systems, they were testing the cadets. A linux system is a sieve for the NSA-- I think this simply demonstrates that the team using the Linux boxes knew their system better than the teams on Windows or Solaris respectively. It's clear that a group of passionate linux admins can maintain an acceptably secure system at this level of expertise.

However, actually infiltrating the systems would have proven nothing. I guarantee the *level of difficulty* the NSA used in order to properly test the undergrads is beneath what the Chinese government would use if trying to infiltrate a U.S. site.

The reality is that none of these three systems are acceptably secure for government networks one their... if you're relying on just the Unix security model or Windows security model, you're basically wide opened to a dedicated and well-funded attack. It's situations like these where you need to keep your systems well behind a decent level of virtualization like secure separation kernels with more than competent internal security policies. The operating system like Windows, Linux, or Solaris, is really just the "interface" to the system for the users, so to speak.

Re:You're looking at it backwards...

[mikek2]

They weren't testing the operating systems, they were testing the cadets.

Agreed 100%. While supposedly the country's best & brightest, Cadets truly aren't more than horny 21 year-olds (I was a cadet... trust me I know! ;).

Yes, the NSA could've SMASHED them in minutes. But the bigger concept here is to get the cadets to wrap their brains around the idea of a Pearl Harbor on the US' IT infrastructure & how to protect against it.

Assuming this exercise started this year (it didn't... just saying), we'll start to benefit in ~5 yrs, as these horn-dogs assume senior roles.

Re:Not as many?

[socceroos]

You're talking about bad drivers like its the OS's fault.

The trade-offs of having drivers in userspace outweigh the positives.

Re:NCCDC

[Artemis3]

Did you forget "KEY" "NSAKEY" found when someone let windows slip with debug symbols and variable names on? This is the reason you don't trust black boxes known as proprietary software.

Re:Not as many?

[mokus000]

I don't think fault is relevant. The consequence of bad code in drivers that can trash the kernel is that the OS, which is all but useless without drivers, has bad code actively executing in kernel space on some deployed systems.

Obviously, a choice had to be made about how to provide drivers. I personally have no problem with the one that was made, and I suspect many security-conscious linux users would rather not accept the efficiency trade-offs for user-space drivers. The current situation does mean, though, that if you want to analyze or talk about the security of Linux you can't just dismiss drivers as "not part of the OS" - at least not the ones you're running on any systems you care about.