Simulated Hack To Test US Government Response

superapecommando writes "Security industry analysts and lawmakers will get an unprecedented chance next week to evaluate how the government might respond to a hack attack on critical infrastructure targets. The Bipartisan Policy Center, a Washington-based non-profit established in 2007 by several lawmakers, will host a simulated nation-wide cyber-attack next Tuesday for a group of former administration and national security officials, who will be playing the roles of Cabinet members."

Use it as cover!

So when a real hack happens at the same time, we don't react?

Re:Use it as cover!

[poetmatt]

not only that, but knowing a hack is coming is not exactly realistic.

I'm sure the results will say "we're well prepared for a hack" even though reality proves otherwise.

Re:Use it as cover!

[interactive_civilian]

not only that, but knowing a hack is coming is not exactly realistic.

Indeed. They should launch the simulation without warning on Sunday or Monday and see how prepared they really are. ;)

Re:Use it as cover!

[HungryHobo]

From reading TFA I'm fairly sure no pen-testing will be involved.
By the look of it it's going to be a beurocratic drill rather than a technical one.
No actuall hacking, just a load of suits in a room being given fictional reports of the progress of the "cyber attack" against them.
They pretend to know anything at all about it, they make fictional descisions and then some consultants go over it all afterwards with them and try to guess which chocies wouldn't have been good ones had it been a real situation.

Re:Use it as cover!

[srpape]

Sounds about right. I picture a guy running into a room of suits yelling "The internet is DOWN!!" and everyone panics.

Re:Use it as cover!

[Lumpy]

yes and no.

I did a simulated data disaster at Comcast a decade ago. but I informed only one important key person that I was going to cause a very real data loss event in the billing system. I would back thing up myself, but the backups that IT were running I would silently fail for a WEEK before the event.

at the event horizon I deleted the SQL database, the SQL team yawned and went to restore the database.... Oh crap nothing to restore but week old backups....

They shit themselves and we let them panick for a good hour before we walked in and asked...

What do you mean? you check your backups of critical data daily dont you? how about vertifying the validity of those backups? when was the last time you did a test restore on a backup server to make sure it was right?

I knew they were not backing it up or testing, I used that to my advantage to scare the hell out of them in hopes of getting what I have been telling them for a year through their skulls.

It also proved my point to the IT director that his "teams" were NOT ready for this.

I'll bet you $1000.00 they STILL dont test the backups, and rarely check to see if they are running.

Re:Use it as cover!

[SeekerDarksteel]

"The internet is DOWN!!"

Which one?

Re:Use it as cover!

I guess two days later the US will want to start bombing China, even though "evidence" points to Texas, and a few weeks later anyone who thinks that's dodgy will be arrested under new Patriotism (tm) laws.
As the Fearless Iranians From hell sang back in the eighties: "The new definition of patriotism is follow blindly without question"

Re:Use it as cover!

[david_thornley]

7:30 AM on a Sunday would be a good time. It should be followed, after a few hours, by a statement from the crackers that they're considering an attack. Keep with tradition here.

Re:Use it as cover!

[hesaigo999ca]

I agree, also the fact is, they would have to duplicate exactly the variables included in the study that would HAVE been from the cabinet ministers websites, compared to what they set up on their own to mimic.
Sometimes being behind NSA run firewalls, mkaes a difference compared to godaddy hosting that they might use to host the supposed mimic websites

Re:Use it as cover!

[sh00z]

Thanks, Dwight

Re:Use it as cover!

[jandoedel]

The IT Crowd - This is the internet http://www.youtube.com/watch?v=iRmxXp62O8g

Re:Use it as cover!

[Finite9]

wow. cool test! Working as an Oracle DBA managing thousands of instances, I know that even if our level 0 backups exist, all it takes is one missing archive log backup to freak us all out if we have to do a restore. We log all backups and monitor all backup logs for errors, and create incident reports automatically if we get an error. I think we have a pretty good system, but it's never going to be fool proof. One thing we don't currently do is validate the backups on the VTL. Even if the team you tested had processes in place for full monitoring of all backups and handled errors in a timely fashion, nothing is going to help them if someone maliciously deletes the backups from tape.

In effect, you weren't testing their ability to perform their job and complete a database restore: you were simply pointing out the fact that they did not have a process in place to validate backups on VTL, which does not really test them as a team. If they had that process, then your evil plan would have failed :)

Taking backups, monitoring logs, and responding to backup failures is a *time consuming* job, even with the best of systems. There comes a point where it is not cost effective to account for every conceivable failure. I'm not saying that validating backups is pointless to implement, but I suspect it is even more time consuming than checking backup logs.
Also, performing restore tests is not feasable nor cost effective when managing many databases. Sure, we do restores of production systems every now and again, and every several months, we might just do a test to freshen us up a bit, but then it's with a test database in-house, not a copy of a production DB from backups. We just use these times to test our restore procedures. To actively test restore procedures on a production DB to see if the backups are ok is only every done if a customer requests it (aka: we get paid to do the test)

Re:Use it as cover!

[Lumpy]

Nope I DISABLED their backup by changing what it backed up. they NEVER CHECKED IT. which is the problem.

If you dont audit your backup systems regularly then you fail. If it's critical data like Accounting, then it's audited WEEKLY or even more frequent. In Fact it's a Sarbanes Oxley requirement, they were putting down that they were checking, (Even looking at the backup size would have tipped them off) when they were not.

I would have failed if they were doing their job. They were not and that is what I was trying to highlight.

Re:Use it as cover!

[brasscount]

Sounds like a policy brainstorm to me.

When you don't know what to do put a bunch of people in a aroom that might be responsible, come up with a scenario, and ask the question, "Who does what?"

Simulated?

[ircmaxell]

A "Simulated" attack? So basically people wandering around pretending that power just went out? I understand that holding fire drills is good and all, but why not try lighting a controlled fire and seeing how everyone reacts? And never announce a drill. Otherwise, it's simply not real enough to give you useful information about the response...

Re:Simulated?

[Idiomatick]

Everyone runs planned drills and they are important. Perhaps after running regular planned drills for a little bit it would be useful to run some unwarned ones. As it I'm pretty sure they simply aren't prepared to handle one without warning very well.

Re:Simulated?

[ircmaxell]

Yes, during training, you run "planned drills"... Something exercise a specific skill or scenario. But a planned drill does nothing but test that specific skill. Unplanned drills test the entire system... Basically, a planed drill teaches people how to react. An unplanned drill shows how "prepared" you are, and where you need to focus training. Without the baseline provided by an unplanned drill, how do you know how to focus the planned ones? For something like firefighting, you have past experience (both from the organizers, and from others) to tell you how to do a drill and what it should focus on. But for this, there's no past experience...

Re:Simulated?

[clone53421]

For something like firefighting, you have past experience (both from the organizers, and from others) to tell you how to do a drill and what it should focus on. But for this, there's no past experience...

Writing out a strategy to react to an unprecedented event is better than having no plan at all.

Re:Simulated?

[solafide]

So this is why the government felt it necessary to fly planes into various gov't offices: they were creating controlled, limited-scope emergencies to test their ability to remain functional. Clearly the president was warned beforehand, but not many other people, and clearly it's really helped us shape up our response to such an attack. </sarcasm>

Re:Simulated?

[hey!]

That's kind of an extreme position, don't you think?

Just because an unannounced drill is useful, doesn't mean announced drills aren't useful. For one thing, you *can't* do realistic drills of some scenarios. Some reactions to emergencies kill people. Clog the roads with emergency vehicles and panicking people and rush most of your EMTs and ambulances to the "disaster" site and people who need to ride in an ambulance for real suffer. Shutdown the airport for a few hours and somebody might not get his heart transplant.

People and groups learn by being stretched, and of course an unannounced drill stretches people, but sometimes when people are very poorly prepared they don't learn anything from abject failure. If *nothing* works, then you get a useless emotional reaction. If you give people a chance to prepare, you can get them to think about the general parameters of what an effective response would be.

Not everything in a drill people know is coming has to be expected. So you got your workers out there, and then you say, "OK everyone, the UHF radios have stopped working," or "You can't get any blood plasma from Mount Sinai because they're full up with casualties," or "Guess what, this isn't a chemical spill, it's radioactive."

The thing about disasters is that they disrupt normal systems. That's the definition of a disaster. It takes a while to get people trained up to the point where you can throw anything at them and it will be a learning experience.

Re:Simulated?

Last place I worked; the fire drills were scheduled months ahead of time. Everyone in the building got several e-mails detailing when it would occur, which route to take, where to meet, and who to report to. Then supervisors would come around personally and ensure that each employee was aware of the drill, and all the accompanying info. Simulations indeed.
,
Admittedly it does make sense from a business perspective. We had millions of dollars worth of molecular biology experiments running there, and interrupting them (left too long at the wrong temperature etc...) could have proved costly, (at a minimum compromised the data we were gathering). Still, I'm convinced that such a drill serves to satisfy regulations only and provides very little real information about emergency preparedness.

Re:Simulated?

[ircmaxell]

I'm not saying not to tell people that it's a drill. I'm saying not to tell them beforehand. If you tell them beforehand, they get to "study" and mentally prepare for what (they think) is going to happen. While this is good for appearances, it's not good for determining real preparedness. You tell them that it's a drill when the drill actually starts. This is what we used to do at the fire department where I was a member. Every so often (around twice per year, or so), we would get dispatched to an unannounced drill. When the dispatch went out, it started with "This is only a drill, this is only a drill", and ended with "this is only a drill, this is only a drill". That way, you know it's a drill, but don't get to prepare yourself for what's going on any different than if you were responding to an actual emergency.

I think that your point about not learning anything from abject failure is narrow. Sure, the people involved probably won't learn anything, but the people administering the drill will learn a whole lot. They will learn that when unit x fails, it takes down units a, b and c... Then, they can prepare planned drills to address those issues. Once every failure in the first unannounced drill is addressed with training and planned drills, you hold another unplanned drill. And the cycle goes on ad infinum... Learning from each event, and adjusting the response accordingly.

Sure, some events are not "drillable" first hand, but all are simulatable (At least "sections" are). You don't need to shut down the entire airport to do a disaster drill. But you can simulate one by holding several "smaller" drills that each shut down a tiny portion of the airport or at least simulate shutting down a portion (instead of shutting down the control tower, you'd use a mock tower with real employees)...

Re:Simulated?

[hey!]

It sounds like your view is more nuanced than it first appeared.

I still say that planned exercises (perhaps we should not call them "drills") are valuable. My experience is that most people aren't very imaginative. They can't see what would be obvious to them in a walk through when they are trying to plan ahead.

For years I sold a software package that was used in the public health field. I used to go to conferences and give training sessions and lectures, I know these were highly rated, because I read the evals. I also know that people who hadn't used the software before gained almost no benefit from the lectures, because I'd visit them later and *see*. On the other hand, I could take somebody through the exact same material at their desk, and come back a year later and they'd be rocking an rolling.

Why?

Because people make *connections* when they are in the environment where they are doing to actually do something. Most people don't seem to have the imagination to connect things they know on a intellectual level to actions they might need to take. Even somebody who's god at it can learn things he wouldn't have noticed. If they'd walked through the Apollo 13 scenario in advanced, somebody would have realized the CO2 filters from the LEM ought to be compatible with the Command Module too.

Now as far as abject failure is concerned, I don't want to be doctrinaire and say nobody ever learns anything from them. But my experience of human defensiveness tells me that you're more likely to get people digging in their heels than pulling in the same direction. The most useful kind of result is a generally positive one with clear areas for improvement. Then you keep raising the bar.

There's a time and a place for the surprise drill. But there's no use learning from simple failures that could be trained out of existence first.

Re:Simulated?

[david_thornley]

There's two sorts of drills, both useful.

A scheduled drill is a teaching tool. For example, the recent fire drill where we were all shepherded out the proper door and to the designated rally point. That develops specific knowledge in the participants. The drillers won't learn much.

An unscheduled drill is more like a test. It won't teach the participants much, except in the post-mortem, but it will show you how well they react to the fire alarm or whatever.

Re:Simulated?

[Mishotaki]

controlled fire? bad idea... use a big smoke machine that you got in while everyone was out on weekend and start it in the first hour of monday morning... see how people react to a shitload of smoke coming out of a room instead

Result

Send everyone to a simulated jail.

Hope you don't have plans next Tuesday...

[N3tRunner]

I'm sure this will go well. If you have any government work that you need to do, make sure it's in before next Tuesday! Or maybe you should wait until afterwards in case they lose everything somehow.

Re:Hope you don't have plans next Tuesday...

[hittjw]

Don't know why they need a simulated attack, ever script kiddy is banging on their equipment anyway. Maybe they will have a serious plan for handling it rather than what I've seen with speculation and lax best practices. At least they are trying.

Re:Hope you don't have plans next Tuesday...

[MachDelta]

"Sorry mister IRS man, my tax got hax'd!"

how will they know?

Security industry analysts and lawmakers will get an unprecedented chance next week to evaluate how the government might respond to a hack attack on critical infrastructure targets

Have they been notified? And how is it a simulation if they are or how will they know how to respond or detect it even?

If I imagine this to happen here, to a global bank, this has been a real scenario:

"How did they get those data?"
"Appearantly all our clients have been leaked"
"Oh shits, heads gonna roll! Call serverteam!!"
*Perform security audit, fire 3rd party solution creators, creating a hole through carelessness.*

Now, if you would do a "large scale test", it will in my experience go like this:
:
"Agents complain of slow access, what is up?"
"It's lunchbreak, people are surfing, let them know we're checking it out."
"Agents are still complaining, we have some error logs coming in from website users."
"Ok, lets contact servermaintenance, request a logfile."
"Server maintenance here, we're swamped with requests, I can send it to you tomorrow or the day after soonest."
"We need a stat on the server, things are slow"
"CPU is looking ok, memory is reasonable. Must be some configuration on your side, wait for the logs. Tmorrow."
"Oh, nvm it cleared up. Guess we got a pusblished article in the papers drawing in more folks. Applause for sales. Close the ticket."

Simulation of the results follows

[0racle]

I predict that the results will be along the lines that there are some short comings in the responses but overall the results were good enough for most things. Those that conducted the test will be more then happy to assist the targeted agencies shoring up their weak points and improving training for exorbitant prices.

Re:Simulation of the results follows

[TubeSteak]

I predict that the results will be along the lines that there are some short comings in the responses but overall the results were good enough for most things. Those that conducted the test will be more then happy to assist the targeted agencies shoring up their weak points and improving training for exorbitant prices.

Did you even RTFS?
They've invited a bunch of "former administration and national security officials" to pretend to be Cabinet members at a simulation they've setup at a hotel.

This is a private company inviting private citizens to do some techno-LARPing.

Re:Simulation of the results follows

[AMuse]

Sounds like an excellent idea for foreign espionage. Set up a private shell company, then invite a bunch of former officials who know exactly how the real systems work, to get together in a hotel you've bugged and start pretending they're responding to a cyber attack of some sort.

Official1: "Call the NSA Task force Orange, tell them to begin operation Stork."
ForeignAgent: (making notes) Operation Stork.... NSA... means X..."

This will be a nice change from the status quo,

[Minwee]

...where "Political Hacks Interfere With US Government Response".

Re:This will be a nice change from the status quo,

[bsDaemon]

And here I squandered all my mod points on dumb crap... I wish I had saved some.

Paranoia

[handy_vandal]

What a perfect cover story for launching a real cyber attack. Let the paranoia begin!

Duck and cover!

[gparent]

The only appropriate response.

If my paranoid conspiracy theories are correct,

then the "attack" will be successful, and the "response" will be successful or eventually successful. I'll elaborate after the event is completed.

A Simulated Fire Sale...

[spammeister]

Bruce Willis is not impressed! (or) There's an app for that!

Re:A Simulated Fire Sale...

[datapharmer]

I'm going with B) there's and app for that.

Those phones are made in China right?


what's this button do ::breaks internet::

I guess I'll have to register in South Carolina now...

Re:A Simulated Fire Sale...

[spammeister]

Well that didn't go exactly as planned :(

Crime and Punishment

... a Washington-based non-profit established in 2007 by several lawmakers...

(Bold emphasis is mine, of course). Is crime such an important part of American culture that they need professional "lawmakers" to constantly think up new laws to enforce?

The Office

[LtGordon]

Reminds me of episode where Dwight teaches the office self-defense by attacking himself. It's kind of hard to successfully attack yourself without the element of surprise!

Observe 4Chan

[taliesinangelus]

Shouldn't they learn all they need to know from observing 4Chan and Verizon?

Neither the attack nor the response is realistic

[BhaKi]

I'm sure the "attack" will be successful enough to give credibility to all the recent hacking-related stories. And the "response" will be successful enough to justify future funding for "Cyber Control Force", "Strategic CyberWar command", etc.

Me, me! Please can I play?

Ooo, ooo, me, me, can I please play one of the former Presidents? When they come to notify me of the attack
I'll look lost, then I'll read a children's book and look lost for another 30 minutes without doing anything
before acknowledging reality and while being dragged away by my aides I'll mumble:
"Cyber attack? I... I cybered last night with a woman by the nickname DoubleDDaisy... She kept complaining
about my typos and about how slow my typing is... And she now attacked someone because of that or..? Did you
offer her money? I have some hooker money in my socks, let me take off my shoes and we'll have this sorted
out in a minute..."

How it all works.

[KevinH456]

in america, you pen test the government in soviet russia, government pen tests you

Re:How it all works.

[gparent]

In Soviet Russia, the government penetrates you.

simulated hacks...

Glancing at the title, I thought maybe they were moving beyond outsourcing and were now beginning to test virtualizing government employees.

You're an idiot.

So when a real hack happens at the same time, we don't react?

You're not a genius, dude. You don't actually think of shit nobody else considered.

Case in point, no computers participating in this simulated attack would have any confidential information, because the testers would be a vulnerability. This is essentially a drill, allowing people to learn what decisions to take in case of a serious attack. If somebody else takes this time to hack real systems, believe me, nobody is going to think it's part of the drill.

Chinese Sub

[Hadlock]

Does anyone remember this event happening?
 
  http://www.dailymail.co.uk/news/article-492804/The-uninvited-guest-Chinese-sub-pops-middle-U-S-Navy-exercise-leaving-military-chiefs-red-faced.html
 
Yes, that really happened in real life. It also happened in Tom Clancy's book "Executive Orders". Let me summarize the headline for you real quick, The uninvited guest: Chinese sub pops up in middle of U.S. Navy exercise, leaving military chiefs red-faced
 

When the U.S. Navy deploys a battle fleet on exercises, it takes the security of its aircraft carriers very seriously indeed.
At least a dozen warships provide a physical guard while the technical wizardry of the world's only military superpower offers an invisible shield to detect and deter any intruders.
That is the theory. Or, rather, was the theory. Uninvited guest: A Chinese Song Class submarine, like the one that sufaced by the U.S.S. Kitty Hawk
American military chiefs have been left dumbstruck by an undetected Chinese submarine popping up at the heart of a recent Pacific exercise and close to the vast U.S.S. Kitty Hawk - a 1,000ft supercarrier with 4,500 personnel on board.
By the time it surfaced the 160ft Song Class diesel-electric attack submarine is understood to have sailed within viable range for launching torpedoes or missiles at the carrier.
According to senior Nato officials the incident caused consternation in the U.S. Navy.
The Americans had no idea China's fast-growing submarine fleet had reached such a level of sophistication, or that it posed such a threat.
One Nato figure said the effect was "as big a shock as the Russians launching Sputnik" - a reference to the Soviet Union's first orbiting satellite in 1957 which marked the start of the space age.
The incident, which took place in the ocean between southern Japan and Taiwan, is a major embarrassment for the Pentagon. Battle stations: The Kitty Hawk carries 4,500 personnel
The lone Chinese vessel slipped past at least a dozen other American warships which were supposed to protect the carrier from hostile aircraft or submarines.
And the rest of the costly defensive screen, which usually includes at least two U.S. submarines, was also apparently unable to detect it.
According to the Nato source, the encounter has forced a serious re-think of American and Nato naval strategy as commanders reconsider the level of threat from potentially hostile Chinese submarines.
It also led to tense diplomatic exchanges, with shaken American diplomats demanding to know why the submarine was "shadowing" the U.S. fleet while Beijing pleaded ignorance and dismissed the affair as coincidence.
Analysts believe Beijing was sending a message to America and the West demonstrating its rapidly-growing military capability to threaten foreign powers which try to interfere in its "backyard".
The People's Liberation Army Navy's submarine fleet includes at least two nuclear-missile launching vessels.
Its 13 Song Class submarines are extremely quiet and difficult to detect when running on electric motors.
Commodore Stephen Saunders, editor of Jane's Fighting Ships, and a former Royal Navy anti-submarine specialist, said the U.S. had paid relatively little attention to this form of warfare since the end of the Cold War.
He said: "It was certainly a wake-up call for the Americans.
"It would tie in with what we see the Chinese trying to do, which appears to be to deter the Americans from interfering or operating in their backyard, particularly in relation to Taiwan."
In January China carried a successful missile test, shooting down a satellite in orbit for the first time.

...So who's to say something similar won't happen this time, except in cyberspace? Imagine, in the middle of a simulated hack, the Chinese government actually hacks our systems during a military exercise. Knowing what we know now, it's not improbable.

Re:Chinese Sub

[Ltap]

Wouldn't that be "People's Liberation Navy"? "People's Liberation Army Navy" just sounds awkward...

Re:Chinese Sub

[Zak3056]

Wouldn't that be "People's Liberation Navy"? "People's Liberation Army Navy" just sounds awkward...

They really do call it that... it's the naval arm of the People's Liberation Army, so I guess it makes some sense, but as you noted, it certainly is awkward.

Re:Chinese Sub

[GooberToo]

Except that article is all fluff and lacking any type of intelligence.

Those were regularly scheduled exercises which take place annually in the exact same spot every year. The FACT is, no one in the military was embarrassed. Period. Only the idiot reporters, who improperly frame it as an embarrassment, have been embarrassed.

This is reality. The Chinese, wishing to cause a publicity stunt, hoping that idiots, which are frequently referred to as reporters, will pick up on a stunt are report on it because one, they are idiots, and two, won't actually check fact their story. And so, the Chinese decide to quietly sit in the middle of nowhere waiting for the US military to come along; as they've done every year preceding for who knows how many years. Sure enough, just like every year before, the US Navy comes cruising along in the exact same area. The Chinese pop up and start cruising toward the highest value target available; a US aircraft carrier. Next, idiot reporter states the military is embarrassed because he's too stupid to realize they are not.

The simple truth is, unless they are able to break US military cryptography, which I very seriously doubt, or if they are planning on a preemptive strike whereby China disappears from the face of the Earth, this is in no way, shape, or form, representative of any type of military action possible by the Chinese.

The Chinese do not pose any credible threat to the US Navy in open waters. None. Not one bit. They do, however, pose a threat in regional, shallow waters, which is why the Navy is pushing so hard to improve their sonar capabilities in that environment.

To summarize, the only people embarrassed by the Chinese are idiot reporters and ignorant masses who believe it speaks to China's Naval capabilities. In reality, it was a completely non-news event and reports and people who ignorantly repeat such stories are nothing but sock puppets for the Chinese propaganda machine; which the US Military is now trying to play to obtain yet additional funding.

Re:Chinese Sub

[Hadlock]

Man the millitary types just crawl out of the woodwork when you post anything negative about them. The point was that they were actively scrimming and the Chinese sub managed to bypass their sensors.

Re:Chinese Sub

[GooberToo]

sub managed to bypass their sensors.

That's actually easy to do and the expected result for a stationary object resting near or on the bottom. Things that don't don't move and don't make noise are really hard to find. This is especially true where multiple thermoclines exist. Of course, that's also why its not the least bit embarrassing for the US Navy because for it to have any real meaning, the Chinese would have to know where the US Navy would be before hand, during a state of war.

The picture is even more bleak for trying to locate modern diesel subs when operating in their own backyard. These days diesel subs are extremely quiet. And this is exactly why the Navy has been working hard to increase its sonar capabilities. Congress has been pushing back on funding and environmental concerns but as I originally said, I'm sure the Navy will use this to help bolster their position.

Re:Chinese Sub

[Ltap]

Maybe it sounds better in Chinese.

The ancient DoS attacks: are they really prepared?

[garompeta]

1) Plant a bomb
Who needs a complicated hack when you can use thermite on key interconnections?

2) Lure an insider
Ancient methods that the CIA is still using to gather foreign "intelligence" from their euphemistically called "Agents" (in their respective countries these Agents would be called traitors).
Who can stop a trusted and authorized user with the right privileges from opening ports from behind the enemy lines (aka. firewalls)... when the "bad guys" get him the proper incentive or coersion?

3) Creative Social Engineering
Are they also be implementing policies to ensure that people are not plugging randomly dispersed usb drives with malware? The guy who delivers the mail, the fedex guy, the cleaning personnel, the cable guy, the Verizon guy. Those are valid strategies for everyday black hat hacking.

Now, that is a realistic scenario. Are they really prepared for that?
If I was planning a full-scale attack to the US infrastructures, the old methods would be the first choices.

I can imagine the following happening:

"Sir, when are they gonna start attacking us? We aren't getting any suspicious traffic"
"Ahem, you already have been hacked, training is over".

In the meantime...

[noddyxoi]

Goldman Sachs and JPM prepare a Short Selling attack in America.

It's a war game, not a drill

[wiredog]

They are war gaming this.

Better summary at The Atlantic

[wiredog]

Right here. Although I expect ot see lots of posts here rated "5", which completely miss the difference between a drill and a war game.

Bogus Simulation: If The Simulation Is Realistic

the government hacks would specify a URL and INVITE hacks.

Good luck with your submitted botnet.

Yours In St. Petersburg,
K. Trout

Re:Chinese Submarines at walmart

yes cause we all know the chinese are launching a submarine attack on americans via walmart

MOD PARENT DOWN

This is an OFF-TOPIC COMMENT.

Re:Neither the attack nor the response is realisti

[aaptel]

Shall we play a game?

wait, we've seen this before

[SkunkPussy]

presumably the response will be to invade an innocent and unrelated country. maybe belgium.

Scripted Simulation

[unsupported]

The simulation is occurring in a hotel. It is being simulated to test the response of officials. Not to test the response of security professionals. There is a production company who is providing scripts to security professionals. So I am sure the officials will be asking the security professionals for updates or detailed information, which will be scripted. It is like a table read for a television show, (ie Saturday Night Live), where everyone sits around a table and reads the scripts, without actually being on a stage, with make-up, lights, and cameras.

Takes one to know one.

[tqk]

So when a real hack happens at the same time, we don't react?

You're not a genius, dude. You don't actually think of shit nobody else considered.

Pot, kettle, black. You're an insulting jerk.

Case in point, no computers participating in this simulated attack would have any confidential information, because the testers would be a vulnerability. This is essentially a drill, allowing people to learn what decisions to take in case of a serious attack. If somebody else takes this time to hack real systems, believe me, nobody is going to think it's part of the drill.

Chyaa, right. You have full and complete confidence in the abilities and inclinations of everyone involved in this exercise? Really? Really?!? You're a neophyte, DOOD!

I've a lot of respect for the competent people out there, but how often are knowlegable, competent people put in charge of things like this, especially when a government and civil servants are in charge? And how often does the left hand know or care what the right hand's doing?

Has the history of Enron, EDS, and Wall Street so far escaped your attention? How?

Lose the attitude. It makes you look dumb.

Re:Neither the attack nor the response is realisti

[BhaKi]

Love to. How about Global Hacker War?

Where do I sign up?

It will probably be a honey pot. Eitherway Cult of the Dead Cow or pulltheplug have already r00ted the target in 60 seconds. Not that I have anything to do with CDC or know anyone that does such matters and locks out lazy sys admins. Get your proxy servers ready and chain them ladies and gentleman. Nmap at the ready insecure.org http://www.sec-tools.org/ or maybe check http://www.packetstormsecurity.org/ (Evolve or Die) *chuckle*

hooray

they do this every fucking year. it keeps contractors and subcontractors employed (think GenDyn, Lockheed, IBM, MS, etc) and making payroll.

Calling BS

[MrTripps]

The whole thing is pretty stupid. It doesn't say there is a specific weakness in security, but rather assumes some hypothetical attack that is immediately successful and is able to bypass any and all security measures. It is like running a bank vault security check using the chick from X-Men who can walk through walls as your test intruder. The take away is that a handful of random political people who don't manage IT infrastructure don't know anything about managing IT infrastructure. That won't stop the sensationalist headlines though. Some might suspect that is the whole idea. These days "bipartisan" doesn't mean what it used to mean.