[ISN] Secret of Cyber Defence Exercise 2004

From: InfoSec News (isn@private)
Date: Wed Jul 28 2004 - 23:51:23 PDT


By Doug Mohney
28 July 2004

A WEEK before the 2004 Cyber Defense Exercise (CDX) kicked off in
April, the National Security Agency abruptly asked the participating
military service academies to close off the event to the public and the
media for "operational concerns." What did "operational concerns"
mean? NSA's public affairs office failed to respond via e-mail. Of
course, NSA had problems sending e-mail to my primary e-mail account
in the first place, so I'm not sure if the response went into a
top-secret black hole or I was just ignored.

Each academy ultimately made its own call, with Army's West Point
and the little-heralded United States Merchant Marine Academy (USMMA)
choosing to keep their doors open. Perhaps unsurprisingly, USMMA and
West Point placed first and second in the CDX contest. The NSA's request
was an about-face for an event that had been open and widely promoted
by West Point over the last two years. Since the exercise was designed
to be unclassified from the ground up, "Red Team" attackers from the
NSA and the Air Force's 92nd Aggressor Squadron were only permitted to
use publicly known security exploits and not any classified "Zero-Day"

CDX is designed to be a defense exercise, the most realistic scenario
a military IT officer is going to face in the real world. Each
participating team is tasked with setting up and operating a core set
of services, keeping them operational in the face of Red Team attacks.
The underdog winners at USMMA set up and operated a combination of
Windows 2000, XP, and Linux Mandrake machines to resist the best
unclassified attacks the U.S. cyberwarfare establishment could dish
out. After all, the Red Team - or people just like them - were the
folks that wrought havoc on Saddam Hussein's networks, monitoring
communications and pulling such tricks as sending e-mail to senior
Iraq military commanders asking them to surrender. Maybe sanctions had
kept Saddam's people from getting the latest Microsoft security
patches, but nobody's saying.

USMMA's team used Windows 2000 Advanced Server with service pack 4 to
run Active Directory, primary domain controller, e-mail (Exchange
Server 2000 w/ SP3), mail relay, LRA (Local Registration Authority
used to issue DoD public key encryption certificates), and web
services with IIS 5.0. Workstations ran Windows 2000 Professional with
SP1. A video conferencing station used Windows XP because the web
camera being used was more stable under that OS. Finally, the heavy
network lifting was done with Linux Mandrake 10.0, including the
primary firewall and router, backup firewall, external DNS, and IDS.
Needless to say, all the latest security patches were loaded and

However, USMMA Midshipman Allen Hsiao admits they tweaked things a
little within the rules of the guidelines. Workstations were locked
down to the point where end-users could only run Outlook, Internet
Explorer, and NotePad, with options further tightened down in each of
the programs. End users could not save files to any storage medium
except for a floppy disk or a USB drive. "In a normal, real world
network, end users normally require much more functionality from their
workstation," said Hsiao.


This archive was generated by hypermail 2.1.3 : Thu Jul 29 2004 - 00:26:09 PDT