Simulated Hack To Test US Government Response 73
superapecommando writes "Security industry analysts and lawmakers will get an unprecedented chance next week to evaluate how the government might respond to a hack attack on critical infrastructure targets.
The Bipartisan Policy Center, a Washington-based non-profit established in 2007 by several lawmakers, will host a simulated nation-wide cyber-attack next Tuesday for a group of former administration and national security officials, who will be playing the roles of Cabinet members."
Use it as cover! (Score:3, Interesting)
So when a real hack happens at the same time, we don't react?
Re:Use it as cover! (Score:5, Insightful)
not only that, but knowing a hack is coming is not exactly realistic.
I'm sure the results will say "we're well prepared for a hack" even though reality proves otherwise.
Re: (Score:3, Insightful)
not only that, but knowing a hack is coming is not exactly realistic.
Indeed. They should launch the simulation without warning on Sunday or Monday and see how prepared they really are. ;)
Re:Use it as cover! (Score:4, Insightful)
From reading TFA I'm fairly sure no pen-testing will be involved.
By the look of it it's going to be a beurocratic drill rather than a technical one.
No actuall hacking, just a load of suits in a room being given fictional reports of the progress of the "cyber attack" against them.
They pretend to know anything at all about it, they make fictional descisions and then some consultants go over it all afterwards with them and try to guess which chocies wouldn't have been good ones had it been a real situation.
Re: (Score:1)
Sounds about right. I picture a guy running into a room of suits yelling "The internet is DOWN!!" and everyone panics.
Re:Use it as cover! (Score:4, Funny)
Which one? [penny-arcade.com]
Re: (Score:2)
Re: (Score:1)
When you don't know what to do put a bunch of people in a aroom that might be responsible, come up with a scenario, and ask the question, "Who does what?"
Re: (Score:2)
7:30 AM on a Sunday would be a good time. It should be followed, after a few hours, by a statement from the crackers that they're considering an attack. Keep with tradition here.
Neither the attack nor the response is realistic (Score:2, Insightful)
Re: (Score:1, Insightful)
Re: (Score:1)
Re:Use it as cover! (Score:5, Interesting)
yes and no.
I did a simulated data disaster at Comcast a decade ago. but I informed only one important key person that I was going to cause a very real data loss event in the billing system. I would back thing up myself, but the backups that IT were running I would silently fail for a WEEK before the event.
at the event horizon I deleted the SQL database, the SQL team yawned and went to restore the database.... Oh crap nothing to restore but week old backups....
They shit themselves and we let them panick for a good hour before we walked in and asked...
What do you mean? you check your backups of critical data daily dont you? how about vertifying the validity of those backups? when was the last time you did a test restore on a backup server to make sure it was right?
I knew they were not backing it up or testing, I used that to my advantage to scare the hell out of them in hopes of getting what I have been telling them for a year through their skulls.
It also proved my point to the IT director that his "teams" were NOT ready for this.
I'll bet you $1000.00 they STILL dont test the backups, and rarely check to see if they are running.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Nope I DISABLED their backup by changing what it backed up. they NEVER CHECKED IT. which is the problem.
If you dont audit your backup systems regularly then you fail. If it's critical data like Accounting, then it's audited WEEKLY or even more frequent. In Fact it's a Sarbanes Oxley requirement, they were putting down that they were checking, (Even looking at the backup size would have tipped them off) when they were not.
I would have failed if they were doing their job. They were not and that is what I w
Re: (Score:2)
I agree, also the fact is, they would have to duplicate exactly the variables included in the study that would HAVE been from the cabinet ministers websites, compared to what they set up on their own to mimic.
Sometimes being behind NSA run firewalls, mkaes a difference compared to godaddy hosting that they might use to host the supposed mimic websites
Takes one to know one. (Score:1)
Pot, kettle, black. You're an insulting jerk.
Simulated? (Score:5, Interesting)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
For something like firefighting, you have past experience (both from the organizers, and from others) to tell you how to do a drill and what it should focus on. But for this, there's no past experience...
Writing out a strategy to react to an unprecedented event is better than having no plan at all.
Re: (Score:1, Flamebait)
Re: (Score:3, Insightful)
That's kind of an extreme position, don't you think?
Just because an unannounced drill is useful, doesn't mean announced drills aren't useful. For one thing, you *can't* do realistic drills of some scenarios. Some reactions to emergencies kill people. Clog the roads with emergency vehicles and panicking people and rush most of your EMTs and ambulances to the "disaster" site and people who need to ride in an ambulance for real suffer. Shutdown the airport for a few hours and somebody might not get his hear
Re: (Score:2)
Re: (Score:2)
It sounds like your view is more nuanced than it first appeared.
I still say that planned exercises (perhaps we should not call them "drills") are valuable. My experience is that most people aren't very imaginative. They can't see what would be obvious to them in a walk through when they are trying to plan ahead.
For years I sold a software package that was used in the public health field. I used to go to conferences and give training sessions and lectures, I know these were highly rated, because I read th
It's a war game, not a drill (Score:2)
They are war gaming this.
Re: (Score:2)
There's two sorts of drills, both useful.
A scheduled drill is a teaching tool. For example, the recent fire drill where we were all shepherded out the proper door and to the designated rally point. That develops specific knowledge in the participants. The drillers won't learn much.
An unscheduled drill is more like a test. It won't teach the participants much, except in the post-mortem, but it will show you how well they react to the fire alarm or whatever.
Re: (Score:2)
Hope you don't have plans next Tuesday... (Score:1)
I'm sure this will go well. If you have any government work that you need to do, make sure it's in before next Tuesday! Or maybe you should wait until afterwards in case they lose everything somehow.
Re: (Score:1)
Re: (Score:2)
"Sorry mister IRS man, my tax got hax'd!"
how will they know? (Score:4, Informative)
Have they been notified? And how is it a simulation if they are or how will they know how to respond or detect it even?
If I imagine this to happen here, to a global bank, this has been a real scenario:
"How did they get those data?"
"Appearantly all our clients have been leaked"
"Oh shits, heads gonna roll! Call serverteam!!"
*Perform security audit, fire 3rd party solution creators, creating a hole through carelessness.*
Now, if you would do a "large scale test", it will in my experience go like this:
:
"Agents complain of slow access, what is up?"
"It's lunchbreak, people are surfing, let them know we're checking it out."
"Agents are still complaining, we have some error logs coming in from website users."
"Ok, lets contact servermaintenance, request a logfile."
"Server maintenance here, we're swamped with requests, I can send it to you tomorrow or the day after soonest."
"We need a stat on the server, things are slow"
"CPU is looking ok, memory is reasonable. Must be some configuration on your side, wait for the logs. Tmorrow."
"Oh, nvm it cleared up. Guess we got a pusblished article in the papers drawing in more folks. Applause for sales. Close the ticket."
Simulation of the results follows (Score:3, Insightful)
Re: (Score:3, Insightful)
I predict that the results will be along the lines that there are some short comings in the responses but overall the results were good enough for most things. Those that conducted the test will be more then happy to assist the targeted agencies shoring up their weak points and improving training for exorbitant prices.
Did you even RTFS?
They've invited a bunch of "former administration and national security officials" to pretend to be Cabinet members at a simulation they've setup at a hotel.
This is a private company inviting private citizens to do some techno-LARPing.
Re: (Score:2)
Sounds like an excellent idea for foreign espionage. Set up a private shell company, then invite a bunch of former officials who know exactly how the real systems work, to get together in a hotel you've bugged and start pretending they're responding to a cyber attack of some sort.
Official1: "Call the NSA Task force Orange, tell them to begin operation Stork."
ForeignAgent: (making notes) Operation Stork.... NSA... means X..."
This will be a nice change from the status quo, (Score:3, Funny)
Re: (Score:2)
Paranoia (Score:2)
Duck and cover! (Score:2)
A Simulated Fire Sale... (Score:1)
Re: (Score:2)
Those phones are made in China right?
what's this button do
I guess I'll have to register in South Carolina now...
Re: (Score:1)
The Office (Score:2)
Observe 4Chan (Score:1)
How it all works. (Score:1)
Re: (Score:2)
Chinese Sub (Score:5, Interesting)
Does anyone remember this event happening?
http://www.dailymail.co.uk/news/article-492804/The-uninvited-guest-Chinese-sub-pops-middle-U-S-Navy-exercise-leaving-military-chiefs-red-faced.html [dailymail.co.uk]
Yes, that really happened in real life. It also happened in Tom Clancy's book "Executive Orders". Let me summarize the headline for you real quick, The uninvited guest: Chinese sub pops up in middle of U.S. Navy exercise, leaving military chiefs red-faced
...So who's to say something similar won't happen this time, except in cyberspace? Imagine, in the middle of a simulated hack, the Chinese government actually hacks our systems during a military exercise. Knowing what we know now, it's not improbable.
Re: (Score:1)
Re: (Score:2)
They really do call it that... it's the naval arm of the People's Liberation Army, so I guess it makes some sense, but as you noted, it certainly is awkward.
Re: (Score:1)
Re:Chinese Sub (Score:4, Insightful)
Except that article is all fluff and lacking any type of intelligence.
Those were regularly scheduled exercises which take place annually in the exact same spot every year. The FACT is, no one in the military was embarrassed. Period. Only the idiot reporters, who improperly frame it as an embarrassment, have been embarrassed.
This is reality. The Chinese, wishing to cause a publicity stunt, hoping that idiots, which are frequently referred to as reporters, will pick up on a stunt are report on it because one, they are idiots, and two, won't actually check fact their story. And so, the Chinese decide to quietly sit in the middle of nowhere waiting for the US military to come along; as they've done every year preceding for who knows how many years. Sure enough, just like every year before, the US Navy comes cruising along in the exact same area. The Chinese pop up and start cruising toward the highest value target available; a US aircraft carrier. Next, idiot reporter states the military is embarrassed because he's too stupid to realize they are not.
The simple truth is, unless they are able to break US military cryptography, which I very seriously doubt, or if they are planning on a preemptive strike whereby China disappears from the face of the Earth, this is in no way, shape, or form, representative of any type of military action possible by the Chinese.
The Chinese do not pose any credible threat to the US Navy in open waters. None. Not one bit. They do, however, pose a threat in regional, shallow waters, which is why the Navy is pushing so hard to improve their sonar capabilities in that environment.
To summarize, the only people embarrassed by the Chinese are idiot reporters and ignorant masses who believe it speaks to China's Naval capabilities. In reality, it was a completely non-news event and reports and people who ignorantly repeat such stories are nothing but sock puppets for the Chinese propaganda machine; which the US Military is now trying to play to obtain yet additional funding.
Re: (Score:1, Troll)
Man the millitary types just crawl out of the woodwork when you post anything negative about them. The point was that they were actively scrimming and the Chinese sub managed to bypass their sensors.
Re: (Score:3, Informative)
sub managed to bypass their sensors.
That's actually easy to do and the expected result for a stationary object resting near or on the bottom. Things that don't don't move and don't make noise are really hard to find. This is especially true where multiple thermoclines exist. Of course, that's also why its not the least bit embarrassing for the US Navy because for it to have any real meaning, the Chinese would have to know where the US Navy would be before hand, during a state of war.
The picture is even more bleak for trying to locate modern d
The ancient DoS attacks: are they really prepared? (Score:2, Insightful)
Who needs a complicated hack when you can use thermite on key interconnections?
2) Lure an insider
Ancient methods that the CIA is still using to gather foreign "intelligence" from their euphemistically called "Agents" (in their respective countries these Agents would be called traitors).
Who can stop a trusted and authorized user with the right privileges from opening ports from behind the enemy lines (aka. firewalls)... when the "bad guys" get him the proper incentive or coersion?
3) C
In the meantime... (Score:2, Funny)
Better summary at The Atlantic (Score:2)
Right here [theatlantic.com]. Although I expect ot see lots of posts here rated "5", which completely miss the difference between a drill and a war game.
wait, we've seen this before (Score:2)
presumably the response will be to invade an innocent and unrelated country. maybe belgium.
Scripted Simulation (Score:1)
The simulation is occurring in a hotel. It is being simulated to test the response of officials. Not to test the response of security professionals. There is a production company who is providing scripts to security professionals. So I am sure the officials will be asking the security professionals for updates or detailed information, which will be scripted. It is like a table read for a television show, (ie Saturday Night Live), where everyone sits around a table and reads the scripts, without actuall
Calling BS (Score:1)