Forwarded from: William Knowles <wkat_private>

http://www.washingtonpost.com/ac2/wp-dyn/A21871-2003Apr23

By Brian Krebs
washingtonpost.com Staff Writer
Wednesday, April 23, 2003

In a basement lab littered with computers, monitors and chalkboard diagrams, 14 Naval Academy midshipmen are buzzing about the latest hacker assault on the computer network they created.

Hackers have penetrated their network and erased a database. But lead technician James Shey, stifling a yawn, says this attack is no big deal -- his team saved a backup copy.

Shey has slept a total of five hours out of the last 36. He and the other future Navy officers have been standing cybersecurity watch as part of the third annual Cyber Defense Exercise. The midshipmen, along with teams from the nation's four other service academies, are defending home-grown computer networks from attack by specialists from the National Security Agency, the United States's ultra-secretive surveillance and spy agency.

The war in Iraq drove home the fact that the U.S. military is heavily dependent on sophisticated electronic communications and information technology. As the Pentagon deploys even more advanced systems, planners are acutely aware that a hacker could kill more U.S. soldiers with bits and bytes than with bombs or bullets.

A porous military network deployed on the battlefield, for example, could allow the enemy to inject misleading information about the location of allied and enemy forces, leading to friendly fire casualties or an enemy ambush, said U.S. Army Lt. Col. Daniel Ragsdale, assistant professor of computer science at the U.S. Military Academy at West Point, and co-founder of the exercise.

"We are so highly dependent on information technology that if we don't do the hard work we're doing here, that could soon become a real Achilles heel for us," Ragsdale said. "A network compromise in the battlefield means we could be fed bad information, which could easily cost lives."

Thus the cyber defense program was born to challenge the notion that cyberattacks are an annoying but non-lethal threat to U.S. forces.

Begun at West Point in the late 1990s, the training program took off in 2000 when the NSA sent computer scientist Wayne Schepens to the academy. Schepens offered the services of the NSA's own computer security experts, who regularly probe the Defense Department's networks for security holes.

The program is specifically a product of the service academies and the NSA, and is not part of any Pentagon computer security or cyber-warfare effort. The exercises are, however, "a microcosm of what's going on in our military overall today," said John Arquilla, associate professor at the Naval Postgraduate School.

"Our military relies on advanced communications and technology to know where the enemy is, and the destruction or disruption of that flow of information can cripple them," he said. "The information technologies that make us so strong are also our biggest weaknesses."

This year's exercise took place on closed "virtual private networks," rather than on the Internet. Teams of eight to several dozen students -- mostly computer science majors -- defended their systems against the NSA hackers from Monday morning to Thursday afternoon. The teams were based at their respective military academies, while the "hackers" operated from NSA headquarters at Fort Meade, Md.

West Point and the Air Force Academy competed in the first exercise in 2001. The Naval and Coast Guard academies joined last year, and the Merchant Marine Academy joined this year.

As with golf, the winner is the team with the least number of points. Earning points is bad, because it means the enemy was able to bring down part of the network or corrupt its contents.

"What you have here is an exercise in battlefield conditions, where teams were assessed points for any sustained damage to their systems, with each point considered equal to a loss of life," said Bradford Willke of the government-funded CERT Coordinating Center at Pittsburgh's Carnegie Mellon University, which provided the referees for this year's exercise.

Technological Curveballs

Computer security experts know that the battle against hackers never ends. To shake things up this year, the NSA changed the ground rules, adding new twists like insider threats and "injection attacks," where, for example, teams are asked to shut down the machine running their database and e-mail servers and find other ways to provide those services within a given amount of time.

Such tactics force even the most well prepared teams to improvise and innovate under unforeseen, high-pressure situations, said Midshipman 1st Class Jessie Grove, the leader of the Naval Academy team.

"Our network went from this big beautiful, complex, super-secure system to something we were fixing on the fly and hoping we could just make work," she said.

On Wednesday, the NSA told the teams to disable their firewalls for several hours at a time. The request came after a period of relatively little activity from the hackers, which led Midshipman Trevor Baumgartner to boast that the Navy group's defense technologies had stymied the NSA hackers.

"I thought we were going to be fixing things left and right nonstop, but [it] seems like they just got tired of trying to hit us," Baumgartner said.

Thomas Hendricks, a visiting NSA professor at the Naval Academy, chuckled at the notion that the NSA team used the firewall exercise as a last resort. The loss of the firewall, he said, exposed an unsecured administrative account on the Navy's network, allowing the NSA to wreak havoc.

"They were taught -- though I'm not sure how much they listened -- to protect as many layers of the network as possible," Hendricks said. "This part of the exercise was designed to see how many layers of protection they had in place."

Some in the Navy group also suspected that the hackers tried to use social engineering to gain access to privileged information. That is, instead of relying on their knowledge of computers, they tried to con their way in.

Midshipman Jason Kolligs said he got a telephone call Thursday morning from someone claiming to be a "white cell" member at the Coast Guard team. The caller asked him to send an e-mail to test their message server, but Kolligs and his teammates refused after agreeing that something about the call didn't seem quite right.

"I just told the guy on the other end of the phone that our mail server was down, too," said Kolligs.

Tomorrow's Online Defenders

This year's winning team won't be announced until later this week, but Willke said that all of the teams exceeded expectations.

"From the folks at [CERT], I was told that the team that finishes last this year would have won the competition hands down last year," he said.

The Coast Guard and Merchant Marine academies are the presumptive underdogs because they do not have information security or computer science study programs. The Coast Guard team members are electrical engineering majors, and the majority of the Merchant Marine students are majoring in subjects like maritime business and marine transportation.

Shashi Shah, the Merchant Marine Academy team's director, said he has been "blown away" by the dedication of his 13-man team, which prepared for the exercise by attending four days of weekend classes on information assurance -- on top of their course load. They also set up metal cots in the school's computer room to have at least one midshipman manning the battle stations at any time, Shah said.

"I must say I am touched by dedication and devotion of midshipmen who took part in this exercise, and I know each one of them has learned far more than they expected," he said.

Many of the program's participants said that they think the training will help them once they are serving on active duty.

Erik Sarson, 22, West Point senior cadet from Latrobe, Pa., said he is going into the armored branch, "but I'll be an important asset no matter where they place me because the Army is becoming more digitized every day."

After the exercise ended, a handful of midshipmen from the Navy team gathered around an Xbox video game console to compete in the first-person futuristic combat game "Halo." Baumgartner and others said they felt confident they had kept their attackers at bay.

But outside the war room, Hendricks sounded a note of caution, saying the team may not have spotted all of the NSA's attacks.

"A lot of these schools got a false sense of success last year and left the exercise thinking they had beat the red team. But it was pretty bad because the red teams were hardly trying," he said. "This year, I think most of the schools may have gotten beat up quite a bit."

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*