NSA Takes On West Point In Security Exercise 140
Wired is running a story about a recent security exercise in which the NSA attacked networks set up by various US military academies. The Army's network scored the highest, put together using Linux and FreeBSD by cadets at West Point. Quoting:
"Even with a solid network design and passable software choices, there was an element of intuitiveness required to defend against the NSA, especially once it became clear the agency was using minor, and perhaps somewhat obvious, attacks to screen for sneakier, more serious ones. 'One of the challenges was when they see a scan, deciding if this is it, or if it's a cover,' says [instructor Eric] Dean. Spotting 'cover' attacks meant thinking like the NSA -- something Dean says the cadets did quite well. 'I was surprised at their creativity.' Legal limitations were a surprising obstacle to a realistic exercise. Ideally, the teams would be allowed to attack other schools' networks while also defending their own. But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network."
More details, anybody? (Score:5, Interesting)
Why does this require "custom tools" with automatic monitoring? Really, I doubt the students know the details of asymmetric security theory / Ph.D. level mathematics, and were monitoring something like (if I get a port scan from IP x.x.x.x then tell "router guys" to block IP x.x.x.x).
It seems to me that this should be something that essentially should be done automatically, and with a very well-configured system would not cause that much of a problem.
Also, the article was written for somebody who doesn't understand computers to go "whoa." "Kernel-level rootkit"? How the hell did this "unwelcome executable file" get on the box to begin with, and why was it executing in kernelspace? I assume they were required to start with a compromised system, otherwise this is something that major corporations do all day (general traffic monitoring) and is actually kind of not exciting.
I wish that Wired and magazines would write at a technical level and describe accurately what is going on - IMHO more information is always better!
What's with the fearmongering? (Score:1, Interesting)
Um, isn't the NSA part of the DoD? So they would not need anything special to take down a network as they are all under the same organization. Or, likewise, they would have consent which would allow them to attack the network. I really do not see the need for such a fear-mongering statement at the end of this summary.
Re:More details, anybody? (Score:2, Interesting)
As for your blocking method, we're talking about the NSA. They could easily scan with one IP and then blast you with another IP.
He did tell me his team lost, though.
Re:Sysinternals? Windows? (Score:2, Interesting)
Been There, Done That (Score:5, Interesting)
I invited NSA to run their red team against a classified intelligence network I ran back in the '90s. That's back when nearly every security tool was of your own creation. I was running SunOS 4.1.3, so at least I had a little help from OS security options.
They had to come on-site to break us and they identified only one finding for which we didn't already have fix planned or in work. We considered that a raging success!
The most embarrasing moment was when they broke the System Security Officer's password with an expanded dictionary attack. I got to kid her about that for months! "How's your password today?" "Strong, dammit!"
Register the Trainees (Score:5, Interesting)
Leaving aside the separate and important issue of Congressional and other oversight to ensure the military crackers operate always under proper law and in the formal national interest, what happens to these people when they leave government service? We'll have created dangerous people whose careers are dedicated to acts that are illegal, and threaten national (and private) security if they are used in attacks outside the proper military context. Sure they're like any other armed soldier, whose many other developed skills are valuable in many contexts not violence. But the fact is that many retired soldiers do find their skills and interests best fit a police or private security career, and even as paramilitary mercenaries - some of which private armies are emerging as serious threats to world stability in its balance of power. Military crackers are different, though: there is little or no role in non-military police, and virtually no legal role in private employ cracking anything.
We are creating an army of high-end crackers who will find themselves leaving the military, and available for hire by the legions of private employers whose use of them to crack systems is mostly illegal, or even acts of war.
We should consider how to track these people and their later activities. Working to secure and to test secure systems with permission of their owners is a valuable asset to keeping us all safe, whether as national service or in private employment. But leaving lots of them floating around loose practically guarantees that at least some of them will find jobs illegally cracking systems without the owners' permission, to do crimes, or perhaps even working for foreign militaries running attacks without coordination with proper US foreign policy, perhaps against our allies, perhaps against us, perhaps even just destabilizing some balance worked out among our enemies.
We are creating many serious potential threats, as part of our programme to reduce and eliminate threats. Part of that programme should be minimizing the increased threat we're creating with them. There's got to be a way to help these people continue their careers with the most freedom, which will overall increase security (and their personal benefit) that doesn't let some few people turn against their training (and likely oaths to "be good").
Re:Academy academics (Score:3, Interesting)
Let me guess - did an Air Force recruiter tell you that?
Re:Academy academics (Score:5, Interesting)
I'm not saying the Army is any more intelligent than any other branch. We have some really dumb people. The Army trains so that the dumbest kid on the block can do the job perfectly, every time.
Re:Register the Trainees (Score:3, Interesting)
Just registering "our" crackers' DNA isn't going to do anything to ensure they don't blow back on us. I'm talking about tracking these people's careers, probably combined with a referral program to help them get jobs assisting legitimate employers. Like I said, people with physical violence skills have lots more legitimate options in more fully mature private security and police industries than there are for legitimate crackers. The renta/cop job market is much larger than the high-caliber criminal job market, but the market for "white hats" is not nearly as much bigger than the market for "black hats". Blowback is a proven problem for the NSA, and Binladen is neither an isolated or vanishingly rare example. We should keep these dangerous people in the system, even if just for easily finding them for investigation later, as part of the balance we use to mitigate the risks we create, not just the ones that come knocking from the outside.
BTW, white hat hackers [wikipedia.org] are the "good guys", securing systems, even when they're cracking them to test the security. "Black hats" are bad guys, whether or not they are actively cracking a system, or perhaps just securing a "bad" system.