NSA Wages Cyberwar Against US Armed Forces Teams 219

Hugh Pickens writes "A team of Army cadets spent four days at West Point last week struggling around the clock to keep a computer network operating while hackers from the National Security Agency tried to infiltrate it with methods that an enemy might use. The NSA made the cadets' task more difficult by planting viruses on some of the equipment, just as real-world hackers have done on millions of computers around the world. The competition was a final exam for computer science and information technology majors, who competed against teams from the Navy, Air Force, Coast Guard and Merchant Marine as well as the Naval Postgraduate Academy and the Air Force Institute of Technology. Ideally, the teams would be allowed to attack other schools' networks while also defending their own but only the NSA, with its arsenal of waivers, loopholes, and special authorizations is allowed to take down a US network. NSA tailored its attacks to be just 'a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones.' The winning West Point team used Linux, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems."
  • NCCDC (Score:5, Informative)

    by Anonymous Coward on Monday May 11, 2009 @05:25PM (#27913455)

    Looks a lot like the National Collegiate Cyber Defense Competition [nationalccdc.org]. Any college student team can participate in that one, however, and the NSA or Secret Service have participated in past events iirc.

    The competition is a lot of fun; there were 64 teams last year.

  • Re:Linux (Score:2, Informative)

    by sleekware ( 1109351 ) * on Monday May 11, 2009 @05:30PM (#27913525)
    I see this was marked as a trolling comment, but I meant it with respect to the ability to really harden the security (and the great security that usually comes with a Linux or BSD package by default).
  • by alchemist68 ( 550641 ) on Monday May 11, 2009 @05:38PM (#27913661)
    This appears like a modern day Kobayashi Maru exercise. And instead of it being designed and executed by a single Vulcan whom we all know, it was done by the best and brightest of our 'No Such Agency'. I say congratulations to both parties, the NSA and the winning West Point Team.
  • Re:Not as many? (Score:3, Informative)

    by ross.w ( 87751 ) <rwonderley.gmail@com> on Monday May 11, 2009 @05:47PM (#27913797) Journal

    I never said they don't. They do, and that's bad. But that doesn't change the point that the ability to inspect and audit all your code for vulnerabilities is an attractive feature to any Government not wanting to trust a proprietary vendor beholden to a foreign power. China was just an example. The same would be true of France or Germany.

  • Re:Linux (Score:5, Informative)

    by Bellegante ( 1519683 ) on Monday May 11, 2009 @05:55PM (#27913943)
  • by davidsyes ( 765062 ) on Monday May 11, 2009 @05:55PM (#27913947) Homepage Journal

    Cadets trade trenches for firewalls
    http://news.cnet.com/2100-7350_3-6249633.html [cnet.com]

    (if you don't have or want a subscription to the NYT...)

    This part probably is getting lots of attention here in /.:

    Cadet Brian McCord, part of the team that installed the operating system, said he was chosen because his senior project was deeply reliant on Linux. The West Point team used this open-source operating system, freely available on the Internet, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems.

    But this part probably says it all:

    "'It seems weird for the Army with its large contracts to be using Linux, but it's very cheap and very customizable,' McCord said. It is also much easier to secure because 'you can tweak it for everything you need' and there are not as many known ways to attack it, he said."

  • by Frequency Domain ( 601421 ) on Monday May 11, 2009 @06:01PM (#27914039)
    There is no "Naval Postgraduate Academy," it's the "Naval Postgraduate School [nps.edu]". If the authors of the article couldn't be bothered to take 15 seconds to confirm that with Google, it makes me wonder what else is incorrect in their writeup.
  • Re:Not as many? (Score:5, Informative)

    by blitzkrieg3 ( 995849 ) on Monday May 11, 2009 @06:04PM (#27914093)

    There are plenty of ways to hack all OSs. Maybe a generic under-hardened Windows install has more known ways... but how would one even quantify what is known and not known?

    When getting attacked by the NSA, I'd prefer to use something that they developed [nsa.gov] to stem such an attack. And I don't want to hear, "well, they developed it, so they probably have a backdoor." The many-eyes argument definitely applies, since patches from the NSA would undoubtedly come under much more scrutiny. Especially since this has yet to be proven for other operating systems [wikipedia.org].

    Anyway, the winning team was using Fedora 8, which has SELinux on by default.

  • Re:Not as many? (Score:5, Informative)

    by Unordained ( 262962 ) <unordained_slashdotNOSPAM@csmaster.org> on Monday May 11, 2009 @06:05PM (#27914125)

    And regardless, can you trust the build based on that source code? ACM Classic: Reflections on Trusting Trust [boun.edu.tr] (about the need for a bootstrap compiler, and the concern that this compiler might be infiltrated.)

  • Re:Kobayashi Maru? (Score:4, Informative)

    by timeOday ( 582209 ) on Monday May 11, 2009 @06:18PM (#27914323)
    This is called "ceiling effect" and "floor effect." (cite [wikipedia.org]).
  • by malevolentjelly ( 1057140 ) on Monday May 11, 2009 @06:38PM (#27914639) Journal

    Unless they had it disabled, the Red Hat systems they used would have had SELinux enabled by default, so if their Linux systems really were a sieve then that doesn't speak too highly of SELinux and the NSA.

    SELinux merely brings linux up to par with other popular commercial systems in security, not beyond them. It brings Linux to the level where it may receive a government EAL 4+ certification, which certifies that the system is safe from casual or inadvertent attacks. These systems do not reflect the level of security necessary to defend government networks.

  • Re:Kobayashi Maru? (Score:3, Informative)

    by PitaBred ( 632671 ) <slashdot&pitabred,dyndns,org> on Monday May 11, 2009 @06:47PM (#27914761) Homepage
    Who fell last, basically. If it wasn't hard enough, multiple teams would have finished and you couldn't have distinguished between them.
  • Nothing new here (Score:5, Informative)

    by ronmon ( 95471 ) on Monday May 11, 2009 @06:50PM (#27914795)

    I was in the AF from 1977-1981 and worked directly for the NSA when they still had some scruples. In fact, my last posting was at Fort Meade after several years in the Far East.

    As a '202xxA' (Radio Communications Analyst), which focused on foreign military communications, I could have been reassigned at any time as a 202xxB (Radio Communications Security Specialist) with no retraining. The B job just meant we were testing our own weaknesses instead of exploiting those of our opponents. It is important to look inward, find your flaws, and fix them. Kind of like debugging open source code, huh?

    That's what they were doing. Good job.

  • Re:Linux (Score:5, Informative)

    by Anonymous Coward on Monday May 11, 2009 @06:54PM (#27914857)

    I was involved in the exercise. We used FreeBSD and Fedora Core 10 as our base server platforms. We'd used FreeBSD last year, so we were confident that it would give us a solid base to work from.

    According to the exercise directive, we had to run several Windows workstations. We used Windows 2008 as the Active Directory and Domain Controller. We didn't go so far as to try the "read only" mode, but W2k8 seemed solid enough for the duration of the exercise. It wasn't easy to get set up and locked down, however.

  • Re:OpenBSD? (Score:3, Informative)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday May 11, 2009 @06:57PM (#27914909) Homepage Journal

    I'm always surprised that no one considers using OpenBSD as their operating system; it's the only one that I know of that is specifically, purposely built, for security.

    What? OpenBSD was forked from NetBSD; it's not specifically built for security. It's specifically forked from NetBSD, and since then the focus has been on security. Arguably the approach is no more or less valid than using a security layer like SELinux. The two have certain parallels: getting some software to run on OpenBSD is a bitch, and getting SELinux configured and useful is a bitch :)

  • Re:NCCDC (Score:5, Informative)

    by Jah-Wren Ryel ( 80510 ) on Monday May 11, 2009 @07:05PM (#27915029)

    You really think that if the NSA went to Microsoft and asked for source code, that Microsoft would say no?

    Hell, MS even said yes when China asked. [cnet.com]

    Open-source just levels the playing field for the rest of us.

  • Re:OpenBSD? (Score:4, Informative)

    by wandazulu ( 265281 ) on Monday May 11, 2009 @10:04PM (#27916753)

    I mentioned this in another post, but the point of using an Alpha, or a MIPS, or Itanium, or whatever, is not meant to be a cure-all; it's meant to present yet another barrier to entry. Since malware typically relies on being pre-compiled, your x86-based exploit isn't going to work. Somehow you find out I'm running OpenBSD on an Itanium. Okay, you have that information, but I've still made your job harder: now you have to go out and get an Itanium to build your malware on before you try to hack my box, because you can't assume I'll have a compiler on it (and I would never have a compiler on it).

    Using an OS like OpenBSD and a different chip architecture will not guarantee a hack-proof box, but it's going to make it that much harder; if you're just looking for a box to turn into a zombie, it won't be worth it. If you're a foreign government trying to get at my battle plans, the booze-n-hookers method is likely going to be easier and faster.

  • Re:Not as many? (Score:3, Informative)

    by TED Vinson ( 576153 ) on Monday May 11, 2009 @10:44PM (#27917067)

    I'd be more interested in the perimeter defenses they used. Like what kind of IDS/IPS did they use?

    The rules require the teams to construct the network within the constraints of a notional budget. This forces the teams to make choices about what infrastructure and security measures to deploy. They cannot have everything they might want; this is a taste of the risk-benefit decisions managers and admins have to make. It is also intended to make it feasible for the Red Team to penetrate a well-watched network, having only a minimal user-base, in only four days.

    IPS and other automated response systems are prohibited in the CDX.

    For IDS the West Point team used Snort on BSD, with a custom-blended set of rules from VRT and Emerging Threats.

    The budget decisions did not support deploying a dedicated firewall device. Firewalling had to be done using Cisco ACLs; however, some creative use of NAT and VLANs helped to make the Red Team's job a bit harder.

  • Re:Not as many? (Score:3, Informative)

    by Anonymous Coward on Monday May 11, 2009 @10:55PM (#27917169)

    Unless it is a driver for something really important to system stability, it should not take down the whole OS.

    Your complaint is against the PC platform, not the OS. It is impossible to operate PCI hardware without trusting it and the corresponding driver stack. This is due to the way DMA and interrupts work. This may change some day with the "I/O virtualization" features of late, but given the track record of other PC virtualization not being secure, I would not hold my breath.

  • Re:Linux (Score:5, Informative)

    by Tom ( 822 ) on Tuesday May 12, 2009 @05:57AM (#27919457) Homepage Journal

    I'd be interested to see how a team harvested from the basements of MIT or Caltech would stack up in a challenge like this, actually.

    Get their asses handed to them, essentially.

    We all laugh about the military and the secret services, but we forget what an impressive amount of things they do that we do not hear about. Sure, you learn about that double-agent fuckup in the middle east and think "how could anyone be that stupid?" - but you never learn about the other 20 agents that never get caught or uncovered.

    MIT is an impressive university, and they can floor Vegas with card counting. But the NSA is the largest employer of mathematicians in the world, and is still several years ahead of the world-wide scientific community in some areas of math research, especially cryptography.

    They have their share of fuckups, like every organisation of that size. Wouldn't underestimate them, though.
