Slashdot Mirror


NSA Wages Cyberwar Against US Armed Forces Teams

Hugh Pickens writes "A team of Army cadets spent four days at West Point last week struggling around the clock to keep a computer network operating while hackers from the National Security Agency tried to infiltrate it with methods that an enemy might use. The NSA made the cadets' task more difficult by planting viruses on some of the equipment, just as real-world hackers have done on millions of computers around the world. The competition was a final exam for computer science and information technology majors, who competed against teams from the Navy, Air Force, Coast Guard and Merchant Marine as well as the Naval Postgraduate Academy and the Air Force Institute of Technology. Ideally, the teams would be allowed to attack other schools' networks while also defending their own, but only the NSA, with its arsenal of waivers, loopholes, and special authorizations, is allowed to take down a US network. NSA tailored its attacks to be just 'a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones.' The winning West Point team used Linux, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems."

24 of 219 comments

  1. Linux by sleekware · · Score: 5, Insightful

    Anyone surprised by the OS choice of the winner? It was going to be either that or BSD.

    1. Re:Linux by Bellegante · · Score: 5, Informative
    2. Re:Linux by Burkin · · Score: 5, Funny

      Whoosh!

    3. Re:Linux by gravesb · · Score: 4, Interesting

      I participated in this as a Cadet in 2001. We used a variety of operating systems, including Windows 2000, Solaris, Linux, and Mac OS9. Even back then, the Linux server and desktop client had by far the greatest uptime. Well, except for me, as I was attempting to rebuild the Windows server after they had taken it down, yet again.

      --
      http://bgcommonsense.blogspot.com
    4. Re:Linux by Anonymous Coward · · Score: 5, Informative

      I was involved in the exercise. We used FreeBSD and Fedora Core 10 as our base server platforms. We'd used FreeBSD last year, so we were confident that it would give us a solid base to work from.

      According to the exercise directive, we had to run several Windows workstations. We used Windows 2008 as the Active Directory and Domain Controller. We didn't go so far as to try the "read only" mode, but W2k8 seemed solid enough for the duration of the exercise. Wasn't easy to get set up and locked down, however.

    5. Re:Linux by MoonBuggy · · Score: 4, Interesting

      Although you jest, I'm actually surprised at how confident and competent the NSA seem here. Maybe it's just an (unfair?) association I've built up that government organisation = technically incompetent, and I know they employ a lot of very smart people, but it surprises me that they were so far ahead of the teams that they could pick exactly what level of difficulty to set their attacks at.

      Looking at some of the work that's presented at conventions, the brilliantly paranoid security systems that the likes of OpenBSD have, and some of the distinctly embarrassing news stories about the latest government network being hacked by some guy in a basement, I guess I was just expecting the NSA to get more of a run for their money than "Yeah, we pitched it so they couldn't quite win. No problem really."

      I'd be interested to see how a team harvested from the basements of MIT or Caltech would stack up in a challenge like this, actually.

    6. Re:Linux by ArcherB · · Score: 4, Insightful

      Great security comes by keeping yourself off the grid of would-be attackers. Even the most secure systems can be tapped if somebody wants to badly enough and knows where to find it.

      For a Soldier/Marine/Sailor/Airman, the ability to communicate is just as important as the ability to shoot. The greatest marksman in the world is worthless when he is cut off from his unit and surrounded by enemies that are in constant contact with each other.

      So to unplug the network cable from these machines kinda makes them worthless.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    7. Re:Linux by EEDAm · · Score: 4, Insightful

      You were surprised how confident and competent the NSA seems here? Honestly that got me scratching my head hugely. Not because I have some god-given insight into the strength of the NSA but simply because this was an *under-grad* evaluation where they pitched the task as slightly too hard for the best under-grad team. Nuff respect to under-grads who study hard, but being an under-grad is just part of the journey and you have so much more you can develop when you finish that phase of your life. You really think it's surprising the NSA (or for that matter any corporation / organisation / entity) is fairly or in fact let's make that *hugely* more advanced than the undergrads entering it? For every genius entrepreneur who comes out of college with a hot idea, there's a million who are just beginning their development. The world would be f$cked if we stopped at that point...

    8. Re:Linux by Tom · · Score: 5, Informative

      I'd be interested to see how a team harvested from the basements of MIT or Caltech would stack up in a challenge like this, actually.

      Get their asses handed to them, essentially.

      We all laugh about the military and the secret services, but we forget what an impressive amount of things they do that we do not hear about. Sure, you learn about that double-agent fuckup in the middle east and think "how could anyone be that stupid?" - but you never learn about the other 20 agents that never get caught or uncovered.

      MIT is an impressive university, and they can floor Vegas with card counting. But the NSA is the largest employer of mathematicians in the world, and is still several years ahead of the world-wide scientific community in some areas of math research, especially cryptography.

      They have their share of fuckups, like every organisation of that size. Wouldn't underestimate them, though.

      --
      Assorted stuff I do sometimes: Lemuria.org
  2. NCCDC by Anonymous Coward · · Score: 5, Informative

    Looks a lot like the National Collegiate Cyber Defense Competition. Any college student team can participate in that one, however, and the NSA or Secret Service have participated in past events iirc.

    The competition is a lot of fun, 64 teams last year.

    1. Re:NCCDC by Atlantis-Rising · · Score: 5, Insightful

      The fact that the NSA was willing to participate at all strongly suggests to me that the NSA was just playing games, and was not in fact utilizing anywhere near their full capabilities in this exercise. Which says something pretty impressive about the NSA.

      --
      "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
    2. Re:NCCDC by c_forq · · Score: 4, Funny

      You really think the NSA bothers to ask?

      --
      Computers allow humans to make mistakes at the fastest speeds known, with the possible exception of tequila and handguns
    3. Re:NCCDC by Jah-Wren Ryel · · Score: 4, Informative

      You really think that if the NSA went to Microsoft and asked for source code, that Microsoft would say no?

      Hell, MS even said yes when China asked.

      Open-source just levels the playing field for the rest of us.

      --
      When information is power, privacy is freedom.
  3. Kobayashi Maru? by HaeMaker · · Score: 5, Insightful

    NSA tailored its attacks to be just 'a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones.'

    Nobody wins, but let's see how long you hold out.

    1. Re:Kobayashi Maru? by Johnny Mnemonic · · Score: 4, Insightful

      Also, note that the NSA isn't saying that they used the full force of their power and creativity. This is probably for several reasons:

      -it's not worthwhile to simply crater all of the teams. You want to see who's the best graduates and the most receptive to a couple of years of schooling, even if they need 25 years worth of real world experience to stand up to a real world exercise.

      -You don't want to reveal your whole strategy just for a graduation exam.

      -Even if you do reveal your whole strategy, you don't want your opposition to know that you did.

      I would be tempted to use something pretty rare, and mask the id strings--I would think that it would take so long to understand what OS I was really using to serve, and to research and characterize its failures, that I would win. Like use BeOS and make it look like OS X as much as possible.

      --
      $tar -xvf .sig.tar
  4. OpenBSD? by wandazulu · · Score: 4, Insightful

    When it comes to stories like this, or the one about the Dalai Lama's computers being compromised, etc., I'm always surprised that no one considers using OpenBSD as their operating system; it's the only one that I know of that is specifically, purposely built, for security. Because it's Unix, it can still run pretty much everything (though you want to use the OpenBSD version because it's been reviewed for security holes, etc.).

    Seriously, if I wanted to keep my battle plans, aircraft designs, etc. out of the hands of the "enemy", I'd lock them up in an OpenBSD server, preferably on some less-common architecture like the Alpha, so that anyone trying to hack my system would have an enormously hard time.

    Yes I understand this doesn't take into consideration social networking. So I'd take a page from the elevated privilege playbook and say that in my organization, no one trusts the person below him/her so as secrets can never flow downhill. Going back to the operating system, this would presumably be handled by ACLs.

    Of course, no system is immune from the booze-n-hookers style of temptation, but that's someone else's job; I'm just here to install and configure software. :)

    1. Re:OpenBSD? by commodoresloat · · Score: 5, Funny

      Yes I understand this doesn't take into consideration social networking.

      Exactly. OpenBSD lacks the kind of application client support for Facebook and Twitter that the NSA has come to expect.

  5. Re:Modern day Kobayashi Maru... by jdgeorge · · Score: 4, Funny

    This appears like a modern day Kobayashi Maru exercise. And instead of it being designed and executed by a single Vulcan whom we all know, it was done by the best and brightest of our 'No Such Agency'. I say congratulations to both parties, the NSA and the winning West Point Team.

    Man, do I ever long for the good old days of the Victorian era Kobayashi Maru.

  6. Re:Linux CNET URL to TFA by davidsyes · · Score: 5, Informative

    Cadets trade trenches for firewalls
    http://news.cnet.com/2100-7350_3-6249633.html

    (if you don't have or want a subscription to the NYT...)

    This part probably is getting lots of attention here in /.:

    Cadet Brian McCord, part of the team that installed the operating system, said he was chosen because his senior project was deeply reliant on Linux. The West Point team used this open-source operating system, freely available on the Internet, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems.

    But this part probably says it all:

    "'It seems weird for the Army with its large contracts to be using Linux, but it's very cheap and very customizable,' McCord said. It is also much easier to secure because 'you can tweak it for everything you need' and there are not as many known ways to attack it, he said."

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  7. Re:Not as many? by Anonymous Coward · · Score: 4, Insightful

    More than do the same with Windows

  8. Re:Not as many? by blitzkrieg3 · · Score: 5, Informative

    There are plenty of ways to hack all OSs. Maybe a generic underhardened Windows install has more known ways...but how would one even quantify what is known and not known.

    When getting attacked by the NSA, I'd prefer to use something that they developed to stem such an attack. And I don't want to hear, "well they developed it, so they probably have a backdoor." The many eyes argument definitely applies, since patches from the NSA would undoubtedly come under much more scrutiny. Especially since this has yet to be proven for other operating systems.

    Anyway, the winning team was using Fedora 8, which has SELinux on by default.

  9. Re:Not as many? by Unordained · · Score: 4, Informative

    And regardless, can you trust the build based on that source code? ACM Classic: Reflections on Trusting Trust (about the need for a bootstrap compiler, and the concern that this compiler might be infiltrated.)

  10. Nothing new here by ronmon · · Score: 4, Informative

    I was in the AF from 1977-1981 and worked directly for the NSA when they still had some scruples. In fact, my last posting was at Fort Meade after several years in the far east.

    As a '202xxA' (Radio Communications Analyst), that focused on foreign military communications, I could have been reassigned at any time as a 202xxB (Radio Communications Security Specialist) with no retraining. The B job just meant we were testing our own weaknesses instead of exploiting those of our opponents. It is important to look inward, find your flaws, and fix them. Kind of like debugging open source code, huh?

    That's what they were doing. Good job.

  11. Re:Not as many? by socceroos · · Score: 4, Insightful

    You're talking about bad drivers like it's the OS's fault.

    The trade-offs of having drivers in userspace outweigh the positives.