NSA Wages Cyberwar Against US Armed Forces Teams
Hugh Pickens writes "A team of Army cadets spent four days at West Point last week struggling around the clock to keep a computer network operating while hackers from the National Security Agency tried to infiltrate it with methods that an enemy might use. The NSA made the cadets' task more difficult by planting viruses on some of the equipment, just as real-world hackers have done on millions of computers around the world. The competition was a final exam for computer science and information technology majors, who competed against teams from the Navy, Air Force, Coast Guard and Merchant Marine as well as the Naval Postgraduate Academy and the Air Force Institute of Technology. Ideally, the teams would be allowed to attack other schools' networks while also defending their own, but only the NSA, with its arsenal of waivers, loopholes, and special authorizations, is allowed to take down a US network. NSA tailored its attacks to be just 'a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones.' The winning West Point team used Linux, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems."
Not as many? (Score:3, Interesting)
"It is also much easier to secure because "you can tweak it for everything you need" and there are not as many known ways to attack it, he said."
I'm not sure I agree with this. There are plenty of ways to hack all OSs. Maybe a generic underhardened Windows install has more known ways...but how would one even quantify what is known and not known. Public is one thing, but given that Linux is open source and even compiled code can be broken down there are likely many known ways to hack products that are not public yet.
I'd be more interested in the perimeter defenses they used. Like what kind of IDS/IPS did they use? Were they using email firewalls to prevent floods of emails or just blocking? I think you also have to harden your servers, but I'd rather have something protecting my email server and have more layers to dig through...and to alert you.
Re:Not as many? (Score:3, Interesting)
With Windows, you have to just trust Microsoft. With Linux or BSD, you don't have to trust anyone.
It is even more of an issue for a non-US military. If you have the source code, you can vet it and make sure no one has planted back doors that the US Govt has insisted on.
With Windows, you have to trust Microsoft when they tell you there are no backdoors. If you were the Chinese, would you believe them?
Re:Not as many? (Score:4, Interesting)
How many people actually vet the Linux source code, or would recognize various weaknesses and backdoors if they were staring at them?
Re:OpenBSD? (Score:3, Interesting)
Yep. That or OpenVMS if you have Alpha or Itanium hardware. OpenVMS was banned from some of those hack-or-be-hacked competitions, because no one could ever get into them. :)
Re:Yay NSA? (Score:3, Interesting)
I don't think the classified portion of the Executive Order that created them has been released. For all we know it contains a classified pardon.
Re:NCCDC (Score:3, Interesting)
You really think that if the NSA went to Microsoft and asked for source code, that Microsoft would say no?
Re:NCCDC (Score:4, Interesting)
I've seen too many examples of the NSA having insider information to believe that. We get told to change some obscure registry setting or files and then a month later MS quietly announces an update that fixes the problem. For example, we had to go into the registry and gut the autorun function entirely instead of just using the GPO. At the time I thought it was a f'd up mandate, but alas 6 weeks later MS admits that disabling autorun via the normal policy did not disable it in certain situations. Think the NSA knew ahead of time?
Or how about their partnership with Symantec? Where the detections for some zero-day exploits are present in the Symantec definitions files long before the zero-day exploit shows up in the wild?
No, NSA isn't ahead of the game at all....
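An audit a defender could run on a host after reading that comment, checking whether AutoRun is disabled by policy alone or also neutralised at the registry level. This is an added example, not code from the thread; the registry paths and the 0xFF "all drive types" mask are the documented Windows locations, and the verdict labels are this script's own assumptions.

```powershell
# Added example: report the state of AutoRun hardening on the local host.
# Two independent controls are checked:
#   1. the Explorer policy value NoDriveTypeAutoRun (a bitmask of drive types;
#      0xFF disables AutoRun for every type), which the comment above says
#      did not fully take effect on unpatched systems;
#   2. the IniFileMapping override that points every Autorun.inf lookup at a
#      registry key that does not exist, so the file is ignored regardless.
# Verdict strings are this script's assumption, not Microsoft terminology.

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$iniMapPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutoRunPolicy {
    # Return the first NoDriveTypeAutoRun value found (machine policy wins).
    foreach ($p in $policyPaths) {
        $item = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Path = $p; Value = [int]$item.NoDriveTypeAutoRun }
        }
    }
    return $null
}

function Test-AutorunInfOverride {
    # True when the default value of the mapping key redirects Autorun.inf
    # parsing to a non-existent location ("@SYS:DoesNotExist").
    $entry = Get-ItemProperty -Path $iniMapPath -ErrorAction SilentlyContinue
    return ($null -ne $entry) -and ($entry.'(default)' -eq '@SYS:DoesNotExist')
}

$policy     = Get-AutoRunPolicy
$policyOk   = ($null -ne $policy) -and (($policy.Value -band 0xFF) -eq 0xFF)
$overrideOk = Test-AutorunInfOverride

$verdict = if ($policyOk -and $overrideOk) { 'hardened: policy and registry override both present' }
           elseif ($policyOk)              { 'policy only: relies on the patched AutoRun behaviour' }
           elseif ($overrideOk)            { 'override only: Autorun.inf ignored, policy not set' }
           else                            { 'AutoRun active: no control found' }

[pscustomobject]@{
    PolicyPath         = if ($policy) { $policy.Path } else { '<not set>' }
    NoDriveTypeAutoRun = if ($policy) { '0x{0:X2}' -f $policy.Value } else { '<not set>' }
    PolicyDisablesAll  = $policyOk
    AutorunInfIgnored  = $overrideOk
    Verdict            = $verdict
} | Format-List
```

Run it in an elevated session if the HKLM policy key is protected by ACLs on your build; otherwise the machine-level value is silently skipped and only the per-user key is reported.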
Re:Linux (Score:3, Interesting)
As a CGA cadet back in the day, I would've LOVED to have done this. Alas, this was in the early 90's before this competition became reality.
Alas, the Coast Guard has since completely eliminated the academy's CS major altogether (instead replacing it with some bullshit Op Analysis degree). Talk about being told your services aren't wanted anymore!
But screw 'em and their horrible decision; I make more than an admiral now, anyway.
Re:You're looking at it backwards... (Score:3, Interesting)
CC EAL 4+ is the highest level one can attain without designing for CC from the ground up.
SELinux presents much tougher security than is commonly available on commercial systems.
There are hardened variants of others (Solaris, for instance), but none of the vanilla, commonly available OS variants come close to SELinux.
What this really shows (Score:4, Interesting)
It is time to put the NSA back in charge of this.
Re:Linux (Score:4, Interesting)
I'm actually surprised at how confident and competent the NSA seem here.
No offense to West Point and the other military academies, but I'd like to see NSA take on the top team from MIT, Cal Tech, etc and see how they fare before putting total confidence in the NSA.
Re:NCCDC (Score:3, Interesting)
Certainly with closed software, it's easier to lean on the company to get a backdoor inserted without anyone noticing. You still can't rule this out with open source.
You think the NSA hasn't been trying to weasel a backdoor into Firefox? I'm willing to bet the NSA (or another foreign intelligence agency) has done their own review of the code, and they are saving a few exploitable bugs for future use.
Sorry open source fans. The cold hard reality is that once open source code is written and accepted into a project, nobody actually looks at it again unless it has a functional bug, they want to add a feature, or someone exploits the code. It's a myth that software, either closed or open source, gets any kind of periodic review out of good practice.
Re:OpenBSD? (Score:3, Interesting)
Actually, we had a similar - but much less involved - exercise in one of my senior classes at Purdue University back in 2002. I *did* use OpenBSD. I'm pretty sure the instructor didn't even understand that was an operating system.... but it was an easy A, because pf is a great little firewall.
Re:OpenBSD? (Score:3, Interesting)
The NSA decided, many years ago, that hardening Linux would be the better route, and they released SELinux to the world.
You can read up their reasoning, history, etc. on nsa.gov/selinux, at least you could last time I checked. Otherwise, ask Google.