Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

NSA Takes On West Point In Security Exercise

Soulskill posted more than 6 years ago | from the with-friends-like-these dept.

The Military 140

Wired is running a story about a recent security exercise in which the NSA attacked networks set up by various US military academies. The Army's network scored the highest, put together using Linux and FreeBSD by cadets at West Point. Quoting: "Even with a solid network design and passable software choices, there was an element of intuitiveness required to defend against the NSA, especially once it became clear the agency was using minor, and perhaps somewhat obvious, attacks to screen for sneakier, more serious ones. 'One of the challenges was when they see a scan, deciding if this is it, or if it's a cover,' says [instructor Eric] Dean. Spotting 'cover' attacks meant thinking like the NSA -- something Dean says the cadets did quite well. 'I was surprised at their creativity.' Legal limitations were a surprising obstacle to a realistic exercise. Ideally, the teams would be allowed to attack other schools' networks while also defending their own. But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network."

cancel ×

140 comments

More details, anybody? (5, Interesting)

neapolitan (1100101) | more than 6 years ago | (#23368462)

Man, I love reading about stuff like this, but this article has some serious vagueness that really leaves unanswered questions. Perhaps a true security-fluent slashdotter can offer some insight if they are familiar with this particular game:

Why does this require "custom tools" with automatic monitoring? Really, I doubt the students know the details of asymmetric security theory / Ph.D. level mathematics, and were monitoring something like (if I get a port scan from IP x.x.x.x then tell "router guys" to block IP x.x.x.x).

It seems to me that this should be something that essentially should be done automatically, and with a very well-configured system would not cause that much of a problem.

Also, the article was written for somebody who doesn't understand computers to go "whoa." "Kernel-level rootkit"? How the hell did this "unwelcome executable file" get on the box to begin with, and why was it executing in kernelspace? I assume they were required to start with a compromised system, otherwise this is something that major corporations do all day (general traffic monitoring) and is actually kind of not exciting.

I wish that Wired and magazines would write at a technical level and describe accurately what is going on - IMHO more information is always better!

Re:More details, anybody? (0)

Anonymous Coward | more than 6 years ago | (#23368576)

"Man, I love reading about stuff like this, but this article has some serious vagueness that really leaves unanswered questions. Perhaps a true security-fluent slashdotter can offer some insight if they are familiar with this particular game:" - by neapolitan (1100101) * on Sunday May 11, @09:01AM (#23368462)
I'll agree with you, 110%, that MANY 'security report' type articles are rather "vague" & I THINK they do that, on purpose - that purpose? TO NOT GIVE OTHERS "TOO MANY IDEAS" (via details), so they don't go & execute the 'better attacks' themselves, or worse, come up with 'variations' that their defensive technique (vs. said 'better attacks') do NOT work against... just a thought.

APKm

I was in the exercise... (5, Informative)

Anonymous Coward | more than 6 years ago | (#23368838)

I was actually part of the exercise, and I would agree that the article is very vague. The main purpose of the exercise was to help cadets learn best security practices of building a network. There were required services we had to run, such as exchange, a web server, DNS, active directory, and a jabber messaging server. The rootkit they speak of was on the box because the other part of the exercise was trying to secure untrusted computers. They riddled two Windows VMs and one Linux VM with as much stuff as they could, and the told us to secure them. Naturally we missed some things, which allowed the callback to go out.

As for the 'custom tools', I have no idea what they are talking about. We used native Windows logging and a few open source programs to pull logs to a log server, but that was about it for extra programs. I would agree that the article was written for the non-technical person, but those are the kinda of questions they were asking us when the reporter was here.

Curious (1)

WillRobinson (159226) | more than 6 years ago | (#23369332)

Biggest question is, did they allow you to use your own tools, or did they just let you use divining rods.

Sort of ignorant on their part, that they would expect you to keep security on one of the most critical networks in the world and not have proper tools.

Example: image the drive, make it read only, no execute and use tools like rkhunter, and many other programs to see what is running on the system under test.

To me, having a compromised machine on a military network would get it a instant pulled plug, and a backup brought into play, with major lockdowns on network communication. Considering you can let the genie out of the bottle and not put it back in, in a very short time.

Re:Curious (4, Informative)

Pinb4ll (1287468) | more than 6 years ago | (#23369384)

The tools we used were Nagios for service verification on an external computer (just to make sure we saw what the scorers saw, so we didn't lose points due to their slow network) and one box running Snort through a one way cable. We weren't allowed to let Snort block things, but it let us know who was doing what, allowing us to send up a request to the graders to block the IP. As for checking the untrusted boxes, we were able to run whatever we wanted on them. The root kit that we missed we simply didn't find in the mess of everything else.

Rules? (0)

Anonymous Coward | more than 6 years ago | (#23369546)

I'm curious why the rules didn't allow snort to block things. Was there a specific reason given?


Along the same lines, were there other tools not allowed or "crippled" (meaning not able to use some particular (or some range) or functionality?


I think this is a pretty interesting question. Remember the movie Russia House? The main part of the plot was the discussion over how dangerous lists of questions were--they indicated what you didn't know and what you were focusing on. Generally, I believe the same applies to rules in a game.

Re:Rules? (3, Informative)

Pinb4ll (1287468) | more than 6 years ago | (#23370042)

It all came down to the scenario. Built into the game was a notional 'cost' for different network items, making certain items prohibitively expensive. It mainly came down to the semantics of the rules, but the costs were going to be looked at for next year. The overall effect was eliminating the use of some best practices simply because of cost.

Re:I was in the exercise... (5, Informative)

Anonymous Coward | more than 6 years ago | (#23371786)

I was also in the exercise... from the NSA side ;) (I have to post anonymously). I agree that the article IS very lean on details (as it should be), and geared toward a somewhat nontechnical audience. I have a different perspective from what the cadets at the USMA saw, as I experienced it from the opposition side.

The network directive given out to the academies had stipulation they had to follow, and a scenario that reflected real world situations (the cadets were setting up a network that included VMs of computers they HAD to include in their network). The network directive also had costs associated with anything the cadets wanted to do. So if they wanted to park a cadet at a Snort terminal for the duration of the exercise, that had a cost associated with it, as did setting up VLANS, using IPSEC, other IDS sensors, firewalls, host/service monitors, etc. Each academy had to submit their network structure for review and approval prior to STARTEX. The scenario reflects real world situations that would come up in most operations that involve other allied nations.

The NSA was strictly there to attack the networks and document any exploits they succeeded with. I can't go into details as to what our Rules of Engagement were, but suffice to say that we met with success with every school that was actually scored (the two graduate schools that participated were not scored).

The whole goal of the exercise is to prepare the cadets for SECURING a network against information security threats. It is a DEFENSIVELY ORIENTED exercise. The cadets don't do any hacking (and I honestly think that unless a gifted or experienced cadet was at an academy with the skills to do a network penetration, they would not meet with much success).

Re:I was in the exercise... (0)

Anonymous Coward | more than 6 years ago | (#23372934)

Heck it's just good to know that slashdot is frequented by the NSA! No more of those posts about the evil RIAA! :) Thanks again for the insight.

Re:More details, anybody? (2, Interesting)

Anonymous Coward | more than 6 years ago | (#23368872)

Actually, I have a friend (and I'm posting anon for his sake) that was a part of the games from the naval side. He is a very sharp person that is near completing his CompSci Masters. We we friends in CompSci undergrad and he joined the Navy and now has a high security clearance. I wish I could've grilled him a little more on what all goes on for these war games but I had something else important going on at the time he was telling me about them. Plus I'm a little used to getting vague descriptions of things due to his not being able to reveal details to me. He did ask me a few things (and I'm going to be vague here) that made me think he was doing some hard core stuff.

As for your blocking method, we're talking about the NSA. They could easily scan with one IP and then blast you with another IP.

He did tell me his team lost, though.

Re:More details, anybody? (0)

Anonymous Coward | more than 6 years ago | (#23369182)

Yo mama, Navy wings are brass, Army wings are gold!

Re:More details, anybody? (3, Insightful)

milsoRgen (1016505) | more than 6 years ago | (#23369382)

but this article has some serious vagueness that really leaves unanswered questions.
Just like every other Wired article ever written.

Re:More details, anybody? (1)

joeboomer628 (869162) | more than 6 years ago | (#23369534)

Despite what Stephen King says, there are numerous highly intelligent individuals attending the US service academies that can not only read, they can do math also.

Re:More details, anybody? (0)

Anonymous Coward | more than 6 years ago | (#23370216)

The requirement for 'custom tools' was due to a new set of rules in the exercise this year. Because many of the schools did so well last year, the NSA red cell put a cap on what kinds of software and hardware could be used. This was to try and force us to think outside the box and apply the knowledge we got in our other IT and CS classes to the exercise.

As for the kernel-level root kit, you hit the nail on the head.

Re:More details, anybody? (1)

gad_zuki! (70830) | more than 6 years ago | (#23370444)

Wired is written for non-technical people. I dont think its ever pretended to be anything but the 'people magazine' of technology, hence its popularity.

Fantastic (0, Flamebait)

finalnight (709885) | more than 6 years ago | (#23368480)

Its good to see that the newest generation of servicemen actually has intelligence and creativity in the technical fields.

Re:Fantastic (5, Insightful)

Keebler71 (520908) | more than 6 years ago | (#23368592)

Are you implying that previous generations do not have intelligence and creativity? Who do you think is teaching these cadets and running the exercise?

Re:Fantastic (4, Funny)

maxume (22995) | more than 6 years ago | (#23368652)

Dumbledore?

Re:Fantastic (0, Offtopic)

tgatliff (311583) | more than 6 years ago | (#23368710)

The USMA academy is some of the best of the best. Meaning, these guys have to be appointed by two state senators to even apply... That is why the kids that go there are the top 2% of the nation. Also, did I also mention that many of the the US best leaders came from West Point? :)

In addition, I have several systems that run at the USMA, and know their admin personally. They have a pretty good network setup simply because they never have the money they need so they are forced to implement the best solution rather than the most expensive solution.

Re:Fantastic (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23369196)

"kids that go there are the top 2% of the nation. Also, did I also mention that many of the the US best leaders came from West Point"

Oh please, they all say that - the USNA, USAFA, even the USCGA. Not to mention that MIT, Stanford, Carnegie Melon, et al contend that they get the best of the best. I have worked with managers and engineers that graduated from various military academies; other than an inflated sense of patriotism and an intolerance for dissent, these people are no different from any other college.

As a former Marine, I have had to contend with more than one arrogant "ring knocker".

The military officer is the last of the elitist blue-bloods left in American society. The military NCO is the last of the true patriots that somehow just find a way to get it done.

Re:Fantastic (3, Insightful)

earthforce_1 (454968) | more than 6 years ago | (#23369494)

The USMA academy is some of the best of the best. Meaning, these guys have to be appointed by two state senators to even apply...
Meaning they have to be politically well connected.

Re:Fantastic (2, Funny)

LurkerXD (996914) | more than 6 years ago | (#23369928)

The USMA academy is some of the best of the best. Meaning, these guys have to be appointed by two state senators to even apply... That is why the kids that go there are the top 2% of the nation.
I don't know...my sister makes me wonder about what the hell our tax dollars are financing...

You have to understand (2, Funny)

WillRobinson (159226) | more than 6 years ago | (#23368532)

Purchasing Open Source Tools that could automatically thwart these types of attacks is to expensive. They cost at least as much as a toilet seat, and we know from the news, that they have not been purchasing any toilet seats.

Re:You have to understand (1)

TubeSteak (669689) | more than 6 years ago | (#23369256)

Purchasing Open Source Tools that could automatically thwart these types of attacks is to expensive. They cost at least as much as a toilet seat, and we know from the news, that they have not been purchasing any toilet seats.
Right, Purchasing is another department.
We send all our orders through the Requisitions Dept.
/In triplicate.

Re:You have to understand (3, Insightful)

Stickney (715486) | more than 6 years ago | (#23372420)

The cost of free software is, of course, nothing... but the notional costs, built into the exercise through a restrictive budgeting system, of deploying those tools, along with training people to use them, put them outside our notional budget for the exercise.

Rootkit is payload... (1)

argent (18001) | more than 6 years ago | (#23368548)

Rootkits are payload, normally, something deposited by an attacker using an exploit to get in. THe author of the article doesn't seem to appreciate the difference between the holes used to get into the network and the secondary attacks launched from there. It's not even clear from the article whether the Army ever found out how the rootkit was delivered.

Re:Rootkit is payload... (1)

ozmanjusri (601766) | more than 6 years ago | (#23368626)

It's not even clear from the article whether the Army ever found out how the rootkit was delivered.

TFA says they used Sysinternals RootkitRevealer to find it, which means it was a Windows exploit. The NSA guys probably just waved the rootkit in the general direction of kernel32...

Re:Rootkit is payload... (1)

RiotingPacifist (1228016) | more than 6 years ago | (#23368664)

AM i reading a different TFA, i cant find any mention of that and i got the impression they were using a Linux & BSD based system?

Re:Rootkit is payload... (2, Informative)

ozmanjusri (601766) | more than 6 years ago | (#23368782)

i cant find any mention of that and i got the impression they were using a Linux & BSD based system?

But the kernel-level rootkit was much more dangerous. This stealthy operating-system hijacker can open unseen "back doors" into even highly protected networks. When they detected the rootkit's "calls home" the cadets launched Sysinternal's security software to find the hijacker, then they manually scoured the workstation to find the unwelcome executable file.
Since the article says the West Point team was running Linux/BSD, and specifically mentions that the cadets were running a "Fedora Core 8 Web server", I'm guessing the Windows system was being run by one of the other teams.

Frankly, I was underwhelmed by the whole story. It was pretty clear the journo doesn't have a clue what was going on. Wired should be able to do better than that.

Re:Rootkit is payload... (1)

LilGuy (150110) | more than 6 years ago | (#23369180)

That is probably part of the requirements the NSA put on the agreement to allow the story to run.

Re:Rootkit is payload... (4, Informative)

Stickney (715486) | more than 6 years ago | (#23372268)

"Fedora Core 8 Web server", I'm guessing the Windows system was being run by one of the other teams.
Yes, we ran a Fedora 8 LAMP server, but we were also required to run a Windows domain controller, an exchange server, and a Windows DNS server, along with two XP user workstations. The rest of our network, to including logging, traffic monitoring, and XMPP services, ran on FreeBSD (our choice). You're right though; not many of the reporters grasped much of what was going on.

Re:Rootkit is payload... (1)

EQ (28372) | more than 6 years ago | (#23369480)

Actually the rootkits mentioned did not "get int". They were preloaded along with tons of other security messes and misconfigurations on machines that the cadets were then challenged to secure on their network.

The point of that part of the exercise being how good you are at detecting threats from the inside (far more common due to users introducing viruses and trojans from web sites they stupidly vision, hijacked browsers, programs loaded from thumb drives, CDs burned at home, etc.

What's with the fearmongering? (1, Interesting)

pikakilla (775788) | more than 6 years ago | (#23368552)

But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network

Um, isn't the NSA part of the DoD? So they would not need anything special to take down a network as they are all under the same organization. Or, likewise, they would have consent which would allow them to attack the network. I really do not see the need for such a fear-mongering statement at the end of this summary.

Re:What's with the fearmongering? (2, Informative)

gbutler69 (910166) | more than 6 years ago | (#23368666)

No, the NSA IS NOT part of the DOD. DOD is Department of Defense. There are 3 to 4 branches, depending on how you count: Army, Navy(Marines), Air Force. Yes, technically "The Marines" are part of the Navy.

Re:What's with the fearmongering? (4, Informative)

SoapBox17 (1020345) | more than 6 years ago | (#23368786)

According to wikipedia [wikipedia.org] , "The National Security Agency/Central Security Service (NSA/CSS) is a cryptologic intelligence agency of the United States government, administered under the U.S. Department of Defense. " and "The Department includes the Army, Navy, Air Force, Marine Corps, as well as non-combat agencies such as the National Security Agency and the Defense Intelligence Agency."

Under Secretary of Defense for Intelligence
* Defense Intelligence Agency
* Defense Security Service
* Counterintelligence Field Activity
* National Geospatial-Intelligence Agency
* National Reconnaissance Office
* National Security Agency


Re:What's with the fearmongering? (1)

flydpnkrtn (114575) | more than 6 years ago | (#23369172)

According to wikipedia [wikipedia.org]
I know this is a bit citation Nazi-ish, but please don't cite Wikipedia directly. Any random yahoo could have thrown that up 5 minutes ago... hell you could have made that edit 5 minutes ago!

That entire intro paragraph doesn't have one citation other than a passing reference to Title 10 USC

Just sayin'...I'd like to read the part of the USC that sets up the NSA but honestly that's a big law document to parse

Re:What's with the fearmongering? (1)

CrimsonAvenger (580665) | more than 6 years ago | (#23369202)

Just sayin'...I'd like to read the part of the USC that sets up the NSA but honestly that's a big law document to parse

No Such Agency? Whatever gave you the idea that enough information about NSA was put into the USC to make a big law document?

Re:What's with the fearmongering? (1)

flydpnkrtn (114575) | more than 6 years ago | (#23370496)

Lol well I was just expecting a one-liner in something like "10 USC Section 5 Subsection 4 Paragraph 3" or whatever :P

Re:What's with the fearmongering? (1)

falcon5768 (629591) | more than 6 years ago | (#23368798)

Only 3, Marines are part of the Navy and have absolutely no independent say at the DOD, they dont even have a department

Re:What's with the fearmongering? (1)

zippthorne (748122) | more than 6 years ago | (#23369012)

they dont even have a department
Neither do the Army and Navy. I know what you're getting at, but all of the branches fall under the Department of Defense. And although the Marines are a part of the Navy, they still get a seat on the Joint Chiefs of Staff [wikipedia.org] .

Re:What's with the fearmongering? (1)

RockoTDF (1042780) | more than 6 years ago | (#23369158)

Yes they do, the Departments of the Army, Navy, and Air Force all exist with their respective secretaries under the DoD.

Re:What's with the fearmongering? (1)

falcon5768 (629591) | more than 6 years ago | (#23368814)

oh forgot to add, your wrong BTW in another fact. the NSA IS a agency of the DOD.

Re:What's with the fearmongering? (0, Troll)

maxume (22995) | more than 6 years ago | (#23368834)

The NSA is a tool for use by the Secretary of Defense:

http://www.archives.gov/federal-register/codification/executive-order/12333.html#1.12 [archives.gov]

About half of the people that work for the NSA are military.

Re:What's with the fearmongering? (1)

maxume (22995) | more than 6 years ago | (#23369600)

O.k., poor wording, but read that link, there is an executive order directing the Secretary of Defense to utilize the NSA to gather intelligence.

Re:What's with the fearmongering? (1)

sammy baby (14909) | more than 6 years ago | (#23368670)

You're making the assumption that one branch of the armed services (say, the Navy) is permitted by regulation to try to infiltrate another one. The NSA's mission is specifically to provide SIGINT and to protect government against foreign SIGINT - including military systems.

Re:What's with the fearmongering? (1, Funny)

Anonymous Coward | more than 6 years ago | (#23368802)

The NSA's mission is specifically to provide SIGINT

You mean those PhD mathematicians sit around all day hitting Control-C's?

Re:What's with the fearmongering? (1)

sammy baby (14909) | more than 6 years ago | (#23369234)

The NSA's mission is specifically to provide SIGINT

You mean those PhD mathematicians sit around all day hitting Control-C's?
Well, let's be fair. They probably have a bash script that does it pretty efficiently.

Given the supercomputing clusters they no doubt have at their disposal, they could be generating a lot of SIGINT that way.

Absolutely NOT (-1)

Anonymous Coward | more than 6 years ago | (#23368762)

the NSA, like the CIA, are outside of the DOD. They typically work together, and many of the CIA agents are ex-dod. In fact, most of the NSA were never military, though that may change as time goes on.

Re:Absolutely NOT (0)

Anonymous Coward | more than 6 years ago | (#23369212)

the NSA, like the CIA, are outside of the DOD. They typically work together, and many of the CIA agents are ex-dod. In fact, most of the NSA were never military, though that may change as time goes on.
What? You're wildly incorrect, as evidenced here [wikipedia.org] and quoted here [slashdot.org] .

True, I'm sure there are many civilian employees at the NSA, just like there are many civilian employees on any Army base. For example, the folks who work at the cafeteria in most Army bases I've been to are usually not enlisted. I imagine that the same is true for most of the NSA's mathematicians; I don't know a lot of mathematicians who would be interested in going through Basic Training ;) That doesn't make the NSA any less of a military organization, though -- they still take their orders from the Secretary of Defense, just like the Army and the Navy and the Air Force.

In contrast, the CIA is a separate, standalone agency. They take their orders from the President, and Congress, or something like that. Things get a little more muddy when you consider that the FBI, CIA, NSA, and all those other agencies are all coordinated by the Director of National Intelligence, but that's more or less the way things work (I think :).

Re:What's with the fearmongering? (0)

Anonymous Coward | more than 6 years ago | (#23369034)

I would think that an MOU/MOA between the parties would solve the "legal" issues mentioned.

Re:What's with the fearmongering? (1)

mi (197448) | more than 6 years ago | (#23369532)

The real enemy would be attacking/scanning/jamming from many directions — using hired and/or own botnet(s) and other already cracked-into computers belonging to other schools, governments, individuals, corporations, and other organizations.

The participants in the exercise weren't allowed to do that, except, maybe, for NSA and their near-universal root-access...

Re:What's with the fearmongering? (0)

Anonymous Coward | more than 6 years ago | (#23369698)

Actually, that statement comes verbatim from the article. The context is also in the summary, so there should be no confusion. The military academies are not allowed to attack each other, even though they are all part of the DoD, they have each other's permission, and so on. But the NSA is allowed to attack those systems. The article attributes this to an "arsenal of waivers, loopholes..." the NSA supposedly has. If you have better information, please post it here.

speemborkle deregulus (1)

quonsar (61695) | more than 6 years ago | (#23368556)

But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network."

yah, right. 14 year old serbo-croatian kids do that every day.

Gay Nigger Goatse (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23368572)

Gay Nigger Goatse [twofo.co.uk]

Sysinternals? Windows? (1)

FranTaylor (164577) | more than 6 years ago | (#23368586)

Isn't that a Windows thing? There is no other mention of Windows in the article.

Re:Sysinternals? Windows? (2, Interesting)

Dreadneck (982170) | more than 6 years ago | (#23368876)

Yes, SysInternals was sucked up by the collective...err...Microsoft. From reading the article it is fairly obvious that the only serious security challenge came from a Windows box compromised by a rootkit. It seems the LAMP server they were running (I assume it was LAMP - they mentioned Fedora 8, MySQL and Apache... I assume it also had PHP, Perl and Python) easily handled the SQL injection attacks. I wonder if having a windows box in your network was part of the requirements insisted upon by the NSA when the cadets set up their network? NSA-Key, anyone?

Re:Sysinternals? Windows? (1)

0racle (667029) | more than 6 years ago | (#23369018)

[blockquote] NSA-Key[/blockquote] Oh shut up.

Re:Sysinternals? Windows? (1)

0racle (667029) | more than 6 years ago | (#23369036)

Oh great, now I look like an idiot.

Re:Sysinternals? Windows? (1)

Dreadneck (982170) | more than 6 years ago | (#23370342)

Yeah, and you can't make proper use of HTML either. :)

Re:Sysinternals? Windows? (1)

Stickney (715486) | more than 6 years ago | (#23372174)

As the cadet in charge of security for the Linux/FreeBSD boxes on the network, I can say that yes, it was LAMP on a Fedora 8 box; the NSA gave us 5 Windows virtual machines and 2 running Fedora 6. Because of the rules of the exercise, basically a very restrictive budget, we were able to build a Fedora repo and update the two linux machines to Fedora 8, but not enable firewalls or antivirus on any but a select few. Two of the Windows machines and the non-LAMP Fedora box were meant to simulate user workstations; these contained the rootkits.

Re:Sysinternals? Windows? (1)

Dreadneck (982170) | more than 6 years ago | (#23372466)

Thanks for the info! Out of curiosity, were the machines with the rootkits compromised prior to the beginning of the exercise or during the course of the exercise? It would be interesting to know just what level of handicap you guys were forced to work with.

Re:Sysinternals? Windows? (1)

Stickney (715486) | more than 6 years ago | (#23372492)

As mentioned a few other places, we were given several machines (5 Windows, 2 Fedora 6) which we had to put on our network. Based on the budgeting rules, we scrapped one Windows box (a Windows 2000 XMPP server) and replaced it with a FreeBSD box. That server and three "user workstation" machines (1 Fedora, 2 Windows XP) were absolutely riddled with rootkits and other malware. We removed as much as we could find beforehand, but missed one rootkit in one of the Windows machines.

Re:Sysinternals? Windows? (1)

Dreadneck (982170) | more than 6 years ago | (#23372742)

It seems you guys did a pretty good job given how badly the NSA kneecapped you from the start. It would be interesting to know what the rules and goals of the exercise were. It almost seems as if the NSA wanted to test your ability to respond to an attack on a compromised network moreso that your ability to prevent it being compromised in the first place.

Re:Sysinternals? Windows? (0)

Anonymous Coward | more than 6 years ago | (#23368956)

The cadets were probably using some Windows machines to monitor their Linux servers/routers? A hacker would obviously aim for the machines which administrators are using to type in passwords to access more secure systems. An attack vector such as ARP poisoning is something that is often overlooked (they're too busy blocking IPs and ports) and would ensure quick and easy access to the Windows administration consoles. If I was attacking the network of the cadets, I'd keep them busy blocking ports and IPs on their IDS/routing equipment while thinking outside their box to attack their own administration workstations.

The photo and article seemed to indicate to me that they were remotely monitoring and configuring their network over the same network that could be compromised. I am hoping that these cadets are being taught concepts such as what an air gap [wikipedia.org] is. I also hope they're being taught that running monitoring applications such as Wireshark (Ethereal) often introduce new exploits into an otherwise secure network.

The best hackers are the ones who are creative in their attack and defense. The defending team could have counter-attacked the attackers. Changing the focus of the attackers back onto their own attacking network rather than the target network is a great defense. Setting up honeypots (designed to be attacked) and then allowing the attackers to steal files that are riddled with file format bugs is another idea.

Re:Sysinternals? Windows? (2, Informative)

AHuxley (892839) | more than 6 years ago | (#23369044)

Read up on the "Millenium Challenge '02" war games.
Opposing Force Commander, Gen. Paul van Ripen won.
He was not invited back :-)
Cadets do not learn, they just get to press the "refloat" icon.
http://www.nytimes.com/2008/01/12/washington/12navy.html?ex=1357794000&en=a4dbb42d5ad2a700&ei=5088&partner=rssnyt&emc=rss [nytimes.com]
"The sheer numbers involved overloaded their ability, both mentally and electronically, to handle the attack,.. "

Re:Sysinternals? Windows? (1)

Stickney (715486) | more than 6 years ago | (#23372210)

Ummm.... cadets = Army or Air Force.

Refloat = Navy.

You mean "midshipmen".

And yes, as a matter of fact, the US Naval Academy participated, and they got destroyed.

Re:Sysinternals? Windows? (1)

AHuxley (892839) | more than 6 years ago | (#23372712)

You have generation wintendo fresh from the streets and shopping malls of the USA.
They are trained up a bit more on 'windows'.
Why waste years, when they be interacting with a
Tablet PC like gui on the front line?
If they get McCained they can talk about moving
icons around a screen and then the sky lights up.

Ballmer Cock Suck Fiasco NSA.exe (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23368602)

Enjoy your Windows XP/Vista updates,

Can you see inside, the code?

Do you know what you're really downloading?

No, you don't!

Enjoy your Windows Genuine NSAdvantage .exe

this reminds me of... (1)

jflo (1151079) | more than 6 years ago | (#23368668)

This reminds of when LT Regenald Barkly started teaching at Star Fleet academy.... his stutter left many questions unanswered... but the bright side of this is that he was able to help the Voyager crew make proper communications with the Alpha quadrant.... ok this isnt really a joke, its fact.

West Point Club (1, Informative)

Dak RIT (556128) | more than 6 years ago | (#23368698)

This isn't really an official extension of West Point, but rather a club at West Point known as SIGSAC.

The club's members every year get a chance to visit the NSA and see some rather interesting stuff, and so has a rather good relationship with the NSA in general.

The club itself operates out of West Point but has a network connection that isn't attached to West Point's network. It has actually participated in contests in the past as well with other schools/groups, so unless something's changed in the past couple years, that part of the summary is incorrect. If I had to wager a guess I'd say the focus of the group is just being directed purely at defensive measures, rather than actual attacks.

Re:West Point Club (0)

Anonymous Coward | more than 6 years ago | (#23368792)

Just remember that while a good solution of defense in depth is a start, in some situations the best defense might just be a strong offense.

Re:West Point Club (5, Informative)

Pinbll (1287458) | more than 6 years ago | (#23368970)

Although SIGSAC was involved, this was done for the Information Assurance class that is taught by the CS department there. This was the culminating exercise. The course teaches security practices, and gives cadets a look into why it is important to program securely.

Re:West Point Club (1)

failedlogic (627314) | more than 6 years ago | (#23372402)

I at least have a general understanding of the purpose of West Point. But I'm wondering: if you have a college graduate in a certain field, do they need to go to West Point afterwards or write a "West Point equivalency test"? or does the DoD formally recognize the degree? Its purely out of curiosity for me. I'm a Canadian anyhow so I likely wouldn't qualify for any jobs in the DoD anyways.

Pentagon hacker Gary McKinnon could do it... (1)

AHuxley (892839) | more than 6 years ago | (#23368906)

With MS pw's and a perl script.
http://arstechnica.com/news.ars/post/20060712-7249.html [arstechnica.com]

Re:Pentagon hacker Gary McKinnon could do it... (0)

Anonymous Coward | more than 6 years ago | (#23369032)

MacGuyver could do it with a paperclip, a rubber band and a post-it note.

The Army's network scored the highest (1)

crack_vial (572312) | more than 6 years ago | (#23368930)

Nice job guys! I have seen a lot of air force cyber talk, but not much coming out of the Army. Good work.

ENDEX (2, Informative)

sciop101 (583286) | more than 6 years ago | (#23369094)

Every agency/party involved in the exercise will publish an ENDEX (End of Exercise) report.

IF Asked AND IF Unclassified, the agency/party MAY provide a copy of the ENDEX.

Contact the Acadamies, NSA, even the Departments of Defense, Army, Air Force, Navy.

ENDEX's have event logs, referee notes, exercise build and teardown plans....

There is no cleaning a rootkit (3, Insightful)

symbolset (646467) | more than 6 years ago | (#23369346)

When you detect malware installed on your system, wipe and reinstall. Always! There is no "cleaning".

Probably wasn't possible given the parameters of the test, but they tried to clean a rootkit and got the predictable result.

Re:There is no cleaning a rootkit (1)

dw604 (900995) | more than 6 years ago | (#23369958)

How hard can it be to secure a system -for real-? They could have done it with the right tools. Spybot S&D has a nice resident malware scanner and system settings change monitor. Combine that with an in and outgoing firewall program and a few other tools (alert with parent process id every time a file is written?) and you should be able to trace every last bit of a trojan.

Re:There is no cleaning a rootkit (1)

Pinb4ll (1287468) | more than 6 years ago | (#23370102)

It all comes down to the rules of the exercise: those items weren't allowed to be installed during the actual exercise time, so they had to be removed after the prep was done.

Re:There is no cleaning a rootkit (0)

Anonymous Coward | more than 6 years ago | (#23372416)

True, wiping the box is the 'best practice' for dealing with malware, especially rootkits. Speaking as someone who battled the rootkit for 8 hours on the second day, it wasn't quite that easy. We were not allowed to just wipe the system.

The attacks were spawned under the explorer.exe process; we changed the Windows shell to notepad.exe and changed the permissions on the executable to "deny all" and ran what we called "notepad OS" for the rest of the exercise. We were still able to perform any needed functions on the computer between the task manager's "run" functionality and the ability to right click on anything within the "open" dialog box and choose "run." So while we couldn't officially clean the machine, we were able to prevent it from calling back to the NSA.

Go Army (2, Funny)

Hasai (131313) | more than 6 years ago | (#23369514)

Those West Pointers usually make pretty good officers. Or, at least they do after a few SFCs drag the new looie behind the barracks and beat all the West Point hogwash out of them.
];)

Been There, Done That (4, Interesting)

FurtiveGlancer (1274746) | more than 6 years ago | (#23369578)

I invited NSA to run their red team against a classified intelligence network I ran back in the '90s. That's back when nearly every security tool was of your own creation. I was running SunOS 4.1.3, so at least I had a little help from OS security options.

They had to come on-site to break us and they identified only one finding for which we didn't already have fix planned or in work. We considered that a raging success!

The most embarrasing moment was when they broke the System Security Officer's password with an expanded dictionary attack. I got to kid her about that for months! "How's your password today?" "Strong, dammit!"

Register the Trainees (5, Interesting)

Doc Ruby (173196) | more than 6 years ago | (#23369932)

So the US government is creating a generation of black hat security experts: pros who define the cutting edge of hostile attacks on infosystems. That's all right and proper as part of the US military, the necessary maintenance of infiltration and coercive force that is required to operate as a last resort of public policy produced under the Constitution, like any military power.

Leaving aside the separate and important issue of Congressional and other oversight to ensure the military crackers operate always under proper law and in the formal national interest, what happens to these people when they leave government service? We'll have created dangerous people whose careers are dedicated to acts that are illegal, and threaten national (and private) security if they are used in attacks outside the proper military context. Sure they're like any other armed soldier, whose many other developed skills are valuable in many contexts not violence. But the fact is that many retired soldiers do find their skills and interests best fit a police or private security career, and even as paramilitary mercenaries - some of which private armies are emerging as serious threats to world stability in its balance of power. Military crackers are different, though: there is little or no role in non-military police, and virtually no legal role in private employ cracking anything.

We are creating an army of high-end crackers who will find themselves leaving the military, and available for hire by the legions of private employers whose use of them to crack systems is mostly illegal, or even acts of war.

We should consider how to track these people and their later activities. Working to secure and to test secure systems with permission of their owners is a valuable asset to keeping us all safe, whether as national service or in private employment. But leaving lots of them floating around loose practically guarantees that at least some of them will find jobs illegally cracking systems without the owners' permission, to do crimes, or perhaps even working for foreign militaries running attacks without coordination with proper US foreign policy, perhaps against our allies, perhaps against us, perhaps even just destabilizing some balance worked out among our enemies.

We are creating many serious potential threats, as part of our programme to reduce and eliminate threats. Part of that programme should be minimizing the increased threat we're creating with them. There's got to be a way to help these people continue their careers with the most freedom, which will overall increase security (and their personal benefit) that doesn't let some few people turn against their training (and likely oaths to "be good").

Which trainees? (3, Insightful)

Pinb4ll (1287468) | more than 6 years ago | (#23370078)

Exactly which trainees do you plan on registering, the students or the red team? I think you are missing the overall point of the exercise. There was no offensive side to the students networks, only setting up the services and try to protect them. The red team - those that the NSA already employs - were the only ones attempting to break in. The academies' jobs were to simply keep them out. I can see your point about keeping track of those who have been part of the NSA, but I would be willing to bet that is already taken care of.

Re:Which trainees? (-1, Flamebait)

Doc Ruby (173196) | more than 6 years ago | (#23370340)

I'm talking about the NSA attackers.

And I'd live to hear why you're willing to bet that the NSA is doing anything like what I described. The evidence we have of how the NSA, CIA, Pentagon and other military/intel agencies operate speaks directly to the contrary: creating new weapons and dangerous people for a legitimate programme, then letting them spread around to threaten us when the immediate mission (and its budget) is through.

Re:Register the Trainees (1)

not_hylas( ) (703994) | more than 6 years ago | (#23370962)

At this writing Parent is deemed "Flamebait" - curious, that, I find the concerns quite valid, they do keep tabs on Spy assets. They DO shoot horses, don't they? :-)
Being naive is not an excuse.
For those of you scoring at home (and those of you alone) it's accustom to giving every man/woman an AK-47 to take home in a land of mercenaries.
Loose cannons (canons too), indeed.

The Army's got chops. I'm just glad that after 10 years, or so, they've finally joined the fray.

This is starting to get interesting.

Re:Register the Trainees (0)

Anonymous Coward | more than 6 years ago | (#23371832)

You are mistaken in what you think the service academies are teaching. They are not teaching "black hat" security expert techniques. They are not teaching OFFENSIVE Information Security. The curricula are strictly DEFENSIVE in nature. They aren't being taught to "crack" anything. They are being taught best practices on how to defend against such information security attacks. So why the hell should they be tracked? A person who takes the Certified Ethical Hacker course has more exposure to hacking tools than the cadets do.

Re:Register the Trainees (2, Insightful)

johnny cashed (590023) | more than 6 years ago | (#23372718)

FUD.

The military has been graduating experts in the "black arts"* since the inception of organized militaries. Guys who know basic hand to hand combat, firearms skills. Advanced soldiers learn even more technical and lethal combat skills. I'm not saying that every soldier is a killing machine, but that is what they train for. Black hat network uber hacker on the "outside" a real threat? As veterans, aren't they already sort of registered? They've got their DNA on file. What more do you want from those who have served? Constant loyalty tests?

Good network security shouldn't be through obscurity, so even the "black hats" should know as much as the "white hats".

*I using the term "black arts" hear to refer to all those things which are generally forbidden except when in a war zone, killing, breaking things, etc. I won't bore you with a list. Granted, the killing is supposed to be reserved for combatants.

Re:Register the Trainees (1)

spinkham (56603) | more than 6 years ago | (#23373136)

Honestly, these types of skills get you good jobs at large companies or the ability to work for yourself and earn a comfortable living.
Any skilled hacker who is also good at understanding the needs of business and has good communications skill will not be without good ethical job prospects for the foreseeable future.

Re:Register the Trainees (1)

Doc Ruby (173196) | more than 6 years ago | (#23373260)

Yes, I noted that. But crime pays. The economy, already pretty stagnant or bad, is going rapidly down the toilet. Jobs illegally cracking systems will decrease slower, perhaps even rise as their bosses get comparatively more stable and profitable compared to the failing legal economy. But even in good times, there are plenty of bad guys with money to buy "evil henchmen" who can outbid the good guys with ethical jobs.

The point is that we're sending lots of potential threats out there. The programme whose value is minimizing those threats should at least be tracking those new threats it creates, to help ensure they don't turn against that original mission that created them.

As just one example, I'll note that Binladen's Qaeda was created by the NSA/CIA/Pentagon to "do bad things for a good reason", and that blew back seriously enough to outbalance practically all the good it ever did us. We need to at least keep account of what we're creating before it becomes extremely expensive to do so retroactively, searching for some virtual cave out on the Internet somewhere.

Heaven forbidden (5, Funny)

RealGrouchy (943109) | more than 6 years ago | (#23370244)

But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else)...
No, Heaven doesn't have the security clearance to access that information.

- RG>

Academy academics (1)

identity0 (77976) | more than 6 years ago | (#23370322)

Anyone here know how good the CS/IT/EE curriculum in the military academies are? And do those members usually end up deployed where their expertise is useful?

I've heard the Air Force is the leading branch for network stuff, so I'm surprised the Army did well.

Re:Academy academics (2, Interesting)

Keebler71 (520908) | more than 6 years ago | (#23371456)

I've heard the Air Force is the leading branch for network stuff

Let me guess - did an Air Force recruiter tell you that?

Re:Academy academics (1, Informative)

Anonymous Coward | more than 6 years ago | (#23371740)

I've heard the Air Force is the leading branch for network stuff, so I'm surprised the Army did well.
Heh. In the exercise this year, the Air Force team actually had the worst performance of all. The Coast Guard Academy and the Merchant Marine Academy both put in better performances.

Re:Academy academics (0)

Anonymous Coward | more than 6 years ago | (#23371952)

West Point has won 5 years in a row at this time. The Department of Electrical Engineering and Computer Science is responsible for the event at the Military Academy. http://www.eecs.usma.edu

Re:Academy academics (5, Interesting)

Daniel Wood (531906) | more than 6 years ago | (#23372082)

The truth of the matter is that the Army generally has the least amount of fuckups when it comes to communications. This is because the Army curriculum is VERY methodical and almost reads like a checklist (in fact, we often use checklists and cut-sheets).

I'm not saying the Army is any more intelligent than any other branch. We have some really dumb people. The Army trains so that the dumbest kid on the block can do the job perfectly, every time.

But -- (1)

WillRobinson (159226) | more than 6 years ago | (#23372690)

But the commercial tools, with the yearly support, and sending the men all off to be trained, Priceless

Sorry above is a bit of a rant.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...