DOD Kicks Up Cybersecurity Efforts
codingOgre writes "The US Army will try to secure an entire computer network against a team led by the NSA. They are cadets at West Point competing against military academies and other schools in a four-day Cyber Defense Exercise this week. I would have to think that this would be a lot of fun! I would like to see what the NSA and friends could throw at my network, although one would think they wouldn't reveal all their cards...like the backdoor into any Windows box :)" In a related story, jkinney3 writes: "The feds are wising up to the needs for a verifiable, secure code base for all of the DOD stuff, according to Government Computing News. A proposed solution 'would create a single executive organization responsible for software integrity and information assurance.' Joe Jarzombek, deputy director for software assurance in DOD's Information Assurance Directorate, said 'DOD possesses so many millions of lines of code in countless thousands of packages, that it would take years of effort and millions of dollars just to identify what was developed where.' I'm envisioning a lot of Bugzilla installations."
I feel safer already. (Score:3, Funny)
The US Army's Secret Plan? (Score:5, Funny)
You may consider that funny... (Score:3, Insightful)
Kjella
Re:You may consider that funny... (Score:1, Insightful)
I mean I'm sure they are competent. But I bet they use mostly public tools and methods.
Security research is a pretty accessible field and there are many security researchers both public and underground. The chance that a small group of NSA people have discovered some super elite technique of hacking while the rest of the entire world is in the dark seems slim to me.
Re:You may consider that funny... (Score:3, Insightful)
Why hack it when you can walk in the front door using the password you picked up from a video above the keyboard?
They actually tried that the year before... (Score:2)
NSA's Secret Plan (Score:5, Funny)
Army slob 1: OK, everything locked down?
Army slob2: Services off, filtering on. Nothin's gettin' in here.
NSA hack: [Taps on keyboard. Clicks "Send."]
Army slob 1: Hey, check it out. I just got an email with nude pix of Natalie Portman and HOT GRITS!
Army slob 2: Score!
Army slob 1: [Clicks "Open Email"]
NSA 1: Army 0
Re:NSA's Secret Plan (Score:4, Interesting)
Just remember... (Score:5, Funny)
Re:Just remember... (Score:2, Insightful)
Re:Just remember... (Score:2)
Re:Just remember... (Score:2)
Easy... (Score:5, Funny)
Nowhere in the article does it say that the computers have to be on.
Also, it doesn't say which OS (Score:5, Interesting)
It would also be interesting to see which OS allows the "red team" to infiltrate the network.
Re:Also, it doesn't say which OS (Score:5, Informative)
I am aware that there ARE various UNIX boxes scattered around, but Windows makes up the vast majority, for reasons that continue to elude me.
-Damen
Re:Also, it doesn't say which OS (Score:2)
Re:Also, it doesn't say which OS (Score:2)
Re:Also, it doesn't say which OS (Score:3, Funny)
Unix boxes are superior to Windows boxes because they're more waterproof
Re:Also, it doesn't say which OS (Score:2)
Re:Also, it doesn't say which OS (Score:5, Informative)
Will the network have UNIX or Windows based OS's?
Read the fine article--the Army team, at least, uses Linux
Pretty amazing the /. story didn't trumpet that fact.
Re:Also, it doesn't say which OS (Score:5, Interesting)
I wonder if they'll be using the NSA's Linux [nsa.gov] against the NSA?
Re:Also, it doesn't say which OS (Score:2)
There are various projects that are attempting to integrate this work. The only really mainstream distro (ie, not a variant of some other distribution like "hardened Gentoo" (or whatever it's called) is) that has SELinux in it is Fedora Core 2, at least that I'm
Re:Also, it doesn't say which OS (Score:2)
Nah, the editors probably didn't even read it.
Re:Also, it doesn't say which OS (Score:5, Interesting)
The requirements specify using Exchange, but otherwise we're free to use whatever operating systems we want. Obviously I can't say what we're using for operational security reasons, but let's just say that it's a heterogeneous environment.
Re:Also, it doesn't say which OS (Score:2)
NMCI (Score:2)
The Navy as I understand it is heading for a completely monoculture network. Worse yet that monoculture is brought to you by the folks from Redmond. You can expect a few more ships towed into port.
Re:NMCI (Score:2)
You know? At this point, I dunno who is the worst...MS or EDS. NMCI feels like the anti-christ to a dba or developer here...ick!! I can't wash off the dirt...help...help...
Re:Also, it doesn't say which OS (Score:2)
Actually... (Score:2)
So, as you can see, turning the computers off is actually counterproductive.
Also, this is pretty cool:
"The rules this year are designed to make the competition simulate more of a 24-hour operation, despite the reality that "Taps" still sounds at 2330 (11:30 p.m.) and c
Where's the challenge? (Score:2, Funny)
The NSA will never break into those.
Re:Where's the challenge? (Score:1)
# hostname stevejobsg5.corp.apple.com
hacker wargames (Score:4, Interesting)
Re:hacker wargames (Score:5, Informative)
Re:hacker wargames (Score:3, Offtopic)
It's more realistic that way. Wouldn't it be considered an act of war if our Army started attacking other nations' computer systems? There's a whole different set of rules in place when you start using your military to inflict damage upon your enemies.
The point being that the military would probably have to wait until the onset of hostilities before they could start screwing ar
Re:hacker wargames (Score:2)
Find out here [slashdot.org].
Re:hacker wargames (Score:2)
National Security (Score:4, Funny)
Bugzilla? (Score:1)
Sounds good to me (Score:3, Insightful)
Re:Sounds good to me (Score:1, Informative)
Ultimately, the Red Teams are worth about 30 days of organizational leadership attention (depending on the visibility of the exercise), resulting in near-term actionable items that get little if any funding to help secure success. It's the ADHD nature of the entire DoD-- leadership change
Uh oh... (Score:4, Funny)
"Hello Professor Falken. Would you like to play a game?"
*shudder*
duh (Score:1, Insightful)
Shocking (Score:5, Interesting)
Isn't this how most corporate networks are taken down? BTW, I can't access the intranet.
Re:Shocking (Score:5, Informative)
Well, that's not exactly what happened. I was a member of the Air Force Academy's team. I don't want to give too much away because you never know who will be reading this, but the Air Force's Team didn't have a SINGLE break-in during the entire exercise. Even when we were ordered to take down our firewalls on the last day, all of our machines were so locked down (even the requisite Windows Boxen) that there were no compromises. The Red Team wasn't even able to perform a 100% successful DOS attack
The exercise was basically run like this. Every team was given more or less the same hardware/# of machines to use to defend their network. You were allowed to use any operating system you felt was necessary, although a certain number of Windows machines had to be on the network. Each team had to provide a variety of services, including local account, local mail for members of the red team, web servers, database services, mail, DNS and FTP. SFTP was not allowed, so you had to be creative in your security.
Services were measured by downtime - a service could go down for a specific amount of time before points were taken away. The points were on a subjective scale based on amount of downtime, how you remedied it, etc.
It should ALSO be noted that this is an exercise that resides purely in Academia - it's an exercise between a bunch of different service academies, which is NOT the same thing as the operational United States military
All in all, it was an EXTREMELY exciting exercise, lots of attacks were thwarted, many cans of Mountain Dew were imbibed. We laughed a little, cried a little, heck we even learned a little.
I hope not (Score:5, Funny)
Re:I hope not (Score:1)
Re:I hope not (Score:2, Funny)
And for the winner... (Score:4, Funny)
What do we have for the runner-ups John?
Where the fun is [technicalknow-how.com]
Re:And for the winner... (Score:4, Funny)
haha (Score:5, Interesting)
Meanwhile... (Score:5, Funny)
Hmmm, I guess he's run out of cheap ways to get attention. Maybe he could quit the AAA or the Subway Sub Club, or something like that.
Re:Meanwhile... (Score:1, Offtopic)
Hey! Why are you trying to drag poor Jared [cnn.com] into this? What did he do to offend you?
Reveal all methods? (Score:5, Funny)
DOD: could you sec-test our network?
NSA: sure.
NSA: we've found these holes
DOD: fixed
DOD: hey, now even you guys can't get in!
NSA: Doh!
Re:Reveal all methods? (Score:4, Funny)
NSA: sure.
NSA: we've found these holes
DOD: fixed
DOD: hey, now even you guys can't get in!
NSA: riiiiiiiiight...
DOD: there's more?
NSA: *whistles innocently*
DOD: could others have discovered the same exploits?
NSA: theoretically, that is, if there were any
DOD: so theoretically, if they nuke us with our own nukes, it's your fault
NSA:
Kjella
Re:Reveal all methods? (Score:2)
Art of War (Score:5, Funny)
Sun Tzu say "try asking them for their passwords, maybe offering a bar of chocolate in return. [slashdot.org]"
Cyber Rattling (Score:2, Interesting)
Re:Cyber Rattling (Score:2)
Re:Cyber Rattling (Score:2)
Say, citizen
Get'im, boys!
Re:Cyber Rattling (Score:2)
These "Flamebait" and "Troll" mods generally look to me less like rightwing suppression than like "Whatever Generation" wimpouts. Kids today - no nerve. Anything that looks like confrontation is bad. Breeding a nation of deniers overlaps the rightwing agenda of a scared, servile populace armed to the teeth and targeting strawmen. But, as I learned f
The US Army will try to secure [...] (Score:1, Funny)
Ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-hoho-ha-ha-ha-
NSAKey (Score:3, Interesting)
Kudos (Score:4, Insightful)
It is much better to harness the natural competitiveness and curiosity of your geeks than to suppress it by any means possible and depend on security by obscurity.
After the exercise (Score:5, Funny)
Re:After the exercise (Score:2)
The DOD actually has very effective security (Score:2)
that is based on the simple premise of limiting the impact that any attack can possibly have instead of trying to do the impossible and prevent all attacks. So, how do they do it? Simple really. In fact, it's so simple that it may even be accidental. Their systems are so diverse, numerous, both antiquated and modern at the same time, that even they don't know what they have. Much of the time, there are several completely separate systems based on different technologies from different decades that can be cho
Hopefully, the NSA does not have (Score:5, Funny)
The first thing they should do is... (Score:1, Interesting)
Useless exercises (Score:5, Insightful)
With a network or a piece of land, actively defending against a known enemy in a known timeframe is fairly easy. You know the rules for engagement, you can easily account for all the possible outcomes.
Putting processes in place to defend against undeterminable attackers in an indefinite timeframe approaches the impossible. In a network, all it takes for hostile code to infiltrate is one human error (i.e.: a race condition when a firewall ACL changes). Same with terrorism: all it takes is a few people with flight training and box-cutters to do some serious damage. There are no rules of engagement.
Put another way, conventional warfare (again, cyber- or human-) is like a chess tournament. Predictable rules. For the unconventional, imagine someone winning a chess tournament by pulling out a gun and shooting the opposing player.
Re:Useless exercises (Score:2)
Re:Useless exercises (Score:4, Insightful)
You act like conventional warfare is always straightforward. Everyone just lines up and fights a certain way between certain hours. Deception, misdirection, and the element of surprise have always been major factors in warfare. Nothing has changed. Warriors have always had to adjust to new techniques and technologies.
I agree with you that it is impossible to account for all possibilities. I'm sure that the first guy to be shot with a firearm was pretty surprised as his suit of armor was pierced by the bullet. The test of a warrior is how quickly you can adapt. Once you see your people fall with holes in the armor, you better be able to come up with a new strategy for protecting yourself. These types of games can help to tune those skills.
These types of war games are a good way to assess preparedness, test your defenses, and learn from mistakes. You have to practice and constantly test yourself to become and stay good.
Besides, who says that you just have to sit around on the defensive? The rules didn't change, we just didn't realize that there was a war on before 9/11. You can also go after the attackers and make sure that they have little time to plan because they are doing everything they can just to stay alive.
Revealing cards? (Score:4, Informative)
Actually, I don't think it will be much fun at all, simply because I don't think there is any chance either side will reveal any cards. No doubt there will be some already published exploits and/or configuration gaffes that will be used. But I doubt anything new will come out of this.
Virtual Sandbox (Score:2)
Re:Virtual Sandbox (Score:2)
Didn't know it existed.
As the Army - I would scale Systrace up a notch by
1. creating a ghosted install in which every binary other than the original verified binaries are run in systrace by mandate (This is where running Linux to host a virtual and (systraced) windows has a place) and
2. create a central repository to reduce the redundancies in verifying system call profiles.
Such that any system connected would raise a request to the central monitoring agency before being run and/or included i
I win! I got in! (Score:2)
Windows Boxes... (Score:5, Funny)
It's just not worth it, the patented Windows BlueScreen Security System[tm] is foolproof. I'll take the easier road and stick to hacking OpenBSD boxes.
poster is inconsistent (Score:1)
Social Engineering (Score:2, Funny)
NSA phone rings...
NSA-Person: "hello?"
Caller: "This is the deputy secretary for Condoleezza Rice. We are having a problem viewing the 'cyber war game' and are sending someone over right away."
NSA-Person: "umm, that isn't possible sir..."
Caller: "Listen son, This comes right from the top. Do you want to find yourself cleaning the latrines in the Chinese restaurant down the street?"
NSA-Person: "well, umm, no but.."
Caller: "No buts! We are sending our personal network specialist o
Weakest Link (Score:2)
My money is on using social engineering techniques to determine everything possible before launching an attack.
Even the attack itself would be more successful if it were tripped by an insider doing something stupid (clicking on an Outlook attachment with some local context softcore pr0n hint).
Given the current software environment, it's the people that leak like sieves.
To win... (Score:1, Funny)
A C-130 gunship will halt a DOS attack PDQ.
Social or just technical? (Score:4, Insightful)
I would wager that any social engineering would a) be more likely to succeed, and b) be also more likely to occur in the real world. But it's less quantifiable too.
This is not new. (Score:5, Interesting)
Contrary to popular belief, the NSA Red Team isn't allowed to use any of the NSA arsenal of dirty tricks. They are only allowed to use software that is freely available off the internet (NMAP, snort, etc.) running on commodity hardware. They can't do anything that violates Federal Law, (other than the intrusion attempts themselves), but social engineering is ok.
Also, break-ins are not an automatic loss, per se. Nor is prevention of break-in an automatic win. The goal of the Red Team is DoS. For every minute a service remains down, the Red Team scores points. The cadet teams win points based on how quickly they detect and respond to the attacks. All judging is done by an NSA White Team.
I'll see if I can find some more info and post it here.
Re:This is not new. (Score:2)
Hmmm, can they link the service to slashdot?
Protest (Score:2)
Punch cards, anyone? (Score:2)
This isn't really that new... (Score:4, Informative)
This really isn't all that new. The U.S. Naval Postgraduate School [navy.mil] has been sending their Infosec students to play Capture the Flag [ghettohackers.net] at Defcon [defcon.org] for the last couple years as well as this year's Interz0ne [interz0ne.com] conference. In fact, there was only one team (Anomaly - and they won ironically) that didn't have government personnel or contractors on their team.
Also, Immunix [immunix.com], a DARPA [darpa.mil] funded hardened Linux version [immunix.com] has also been put under fire during CTF for the last couple years. (Their team placed a solid second both times).
The Feds have learned over the last couple years that they are behind the ball in terms of normal unclassified security training for their personnel. These conferences have been really good at giving them some real world training that they normally don't get.
It's nice to see my tax dollars being put to a good use for a change. Plus it makes the "Spot [defcon.org] the Fed" game MUCH easier.
Re:Best Method to secure network (Score:1)
The great thing is although the NSA can probably
get into most things, we can still slow them down.
And there's always self-destructing media and files..
Swallowable hard disks!,
logic bombs!!..
Re:So this is what our tax dollars go to... (Score:2, Insightful)
Re:So this is what our tax dollars go to... (Score:5, Insightful)
This is the best way to learn security, by applying the "book learned" concepts to the real world. In fact, this is exactly what we did for the final project in the Computer Security course that I took as part of my MS in Computing program at Marquette.
It also reinforced a very important concept -- people are the weakest link. We got the other group to send us passwords by faking an email in the instructor's name!
Re:A single gov't entity responsible for infosec? (Score:1)
Re:A single gov't entity responsible for infosec? (Score:1, Funny)
Wow. I didn't realize the GNAA was that powerful.
Re:A single gov't entity responsible for infosec? (Score:1, Informative)
First, there's paranoid rambling, including government mandated software backdoors, +1.
Second, there's the one-two buzzword combo (DMCA, Palladium), +1.
Third, a pitiful lament about how it's all falling apart for us, +1.
Fourth, there's a misquoted Jefferson. +1
Fifth, more paranoid ramblings about the **AAs. +1
Finally, we have a 'teh' and some poor grammar.
This one deserves a +5, Informative by my estimates. Slashdot moderation being the fool-show it is
Re:A single gov't entity responsible for infosec? (Score:3)
Re:Hackers vs. Crackers (Score:1, Funny)
Re:Hackers vs. Crackers (Score:3, Insightful)
Re:Hackers vs. Crackers (Score:2)
Re:Hackers vs. Crackers (Score:2, Informative)
AFAIK, hackers analyze systems for holes and find innovative ways to exploit them.
(and then there's the skr1pt k1dd13s in a class of their own)
Moral of the story: if you're gonna freak out about naming conventions, make sure you're right first.
Re:Hackers vs. Crackers (Score:5, Funny)
Anyway, I'm off to go get my eggplant registered.
Re:My prediction: A Chocolate Bar (Score:3, Insightful)
No... we won't. The NSA never hands out results of their findings (well maybe they will to Congress in a Special Hearing considering recent events).
Re:Federal Law vs. Soldier Training (Score:2)