[ISN] Exercise puts cadets on the cyber-defensive

From: InfoSec News (alerts@private)
Date: Sun May 06 2007 - 23:08:35 PDT


http://www.marinecorpstimes.com/news/2007/05/military_academies_cyberdefense_070504w/

By Kelly Kennedy 
Staff writer
May 4, 2007

WEST POINT, N.Y.  Last year, huddled in a camouflaged classroom, senior 
cadets at the U.S. Military Academy here carefully checked each computer 
for bugs.

They secured possible entries to make sure hackers couldnt bust into 
their online network.

They tested and retested to make sure all the parts and pieces worked 
well together.

And then they forgot to change the default password on one of the 
routers.

It only took two minutes before their exchange server was owned, said 
Army Capt. Joseph Salazar, who was sent from the National Security 
Agency to monitor West Points team for the annual Cyber Defense 
Exercise.

As a result, the Air Force Academy kicked West Points virtual tail.

This year, the Black Knights swore, theyd strike back.

Seven years ago, cadets at West Point began working with the NSA to 
create an exercise that would simulate conditions if the military were 
required to set up an Internet system in a foreign country just as 
cyber-soldiers have done in Iraq. The NSA acts as the opposing force, 
known as the red cell, and spends a week trying to take down virtual 
networks set up by each of the military academies for the event.

Each academy team starts with 50,000 points, then loses points any time 
its system is down, any unencrypted e-mails are sent out or any missteps 
are made in following directions about setting up the network. They can 
also earn points by completing tasks the NSA sends out during the week. 
The academy with the most points at the end of a week of attacks wins.

The cadets dont do any hacking themselves its all defense. And they dont 
attack or work with the other academies. Instead, NSA gives them a 
scenario this year, it was to dig into a war-torn developing nation 
called Meridia.

To set up the network which must include e-mail accounts, chat rooms and 
a database they must use some of their own equipment, as well as some 
sketchy Meridian equipment.

They try to make it relevant something well see in our Army career if we 
choose this path, said Robert Singley, a cadet serving as deputy 
commander for West Points team. As much as this is a competition, its a 
learning experience.

This year, things seemed quieter as cadets hovered around computers 
looking for warning signs of problems. Its a marked difference from last 
year, Salazar said. The tone and tempo is a lot calmer.

But that calm forced an electric hyperawareness.

This hurts my head, said Phil Supple, cradling his temples as he gazed 
at a computer screen.

Whats that? asked Tyler Hallmark, who hadnt left the room since noon the 
day before. Oh wait. Its not an attack its just a recon.

In the early stages of the exercise, the NSA sent out hit after hit to 
find out what system each computer used, whether the cadets had found 
the glitches hidden in the Meridian gear and whether there were any 
holes big enough to welcome worms, viruses or bugs.

Salazar chuckled in a corner as he looked out over the scene.

Its early, so [the NSA] is looking for holes to exploit, he said. 
Whenever they find vulnerability, they get to ring a bell.

Last year, more than bells rang when the Air Force Academys Web site 
suddenly announced, We love Red Cell!

And then the West Point cadets became traitors to their team when Go 
Navy, Beat Army, appeared on their site. The Red Cell happens to include 
a crew of Navy guys.

The red cell is very, very good, Salazar said. There will be 
vulnerabilities its near impossible to get them all.

In a sign of how seriously this exercise is taken these days, 25 West 
Point cadets missed classes for the week to spend every second defending 
their network.

I really take pride in this, Singley said. I really want to win. I 
really love doing this.

They sat blurry-eyed and stiff-necked and it was only Monday. But for 
the previous two weeks, the cadets were busy Googling for systems 
information, cracking textbooks they hadnt seen since they were plebes, 
and writing days and days of code.

Jeffrey Cox spent the night prior to the games trying to fix a computer 
that had suddenly stopped working at 9:30 p.m.

I created three virtual systems to try to rebuild it, Cox said. I 
finally had it up 10 minutes before the game began and then the first 
computer started working again.

This is fun?

This is a blast, Cox said. We pretty much spend all our time learning 
something new.

Back in Meridia, a cluster of cadets watched as a screen showing the Air 
Force Academys system went red.

If its a lot of red, theyre in a hurt box, Cox said. Were all green 
right now. Navy was down for a few minutes. All the way down. Air Force 
just came back up.

For two hours, the cadets watched. Nothing. Nothing. More nothing.

Weve been kind of on edge, Cox said. I think wed like a little 
excitement just to know whats going on. We would like a few hits.

And then: Hey! Somebody in forensics come look at this!

But it was just another unnerving false alarm.

Salazar said the games provide the students with training and the NSA 
with potential future employees. Several students will perform 
internships on the red team.

The game prepares them for what theyll be doing in the real world, 
Salazar said.

In the end, West Point retained their cool and even got a little cocky. 
They taunted the Red Team with a false document describing a Web server 
as Linux, then watched as the Red Team tried to attack a Linux system.

Much to their surprise, it was actually a Windows server, said Maj. 
Damon Becknel, a West Point computer science professor. We went the 
entire exercise this year without a compromise from the Red Team.

Each of the other academies had break-ins, including yet another 
announcement on the Air Force Academy Web site: Red Team owns U.

West Point won the event with 53,615 points, while the Coast Guard 
Academy came in second with 52,105. Air Force placed third with 50,350 
points; Navy was fourth with 49,750 points, and the Marines placed fifth 
with 49,315 points.

The Air Force Institute, which participates in the exercise but does not 
officially compete, had 52,549 points.

Its different every year, Salazar said. This year, West Points using 
their chain of command and staying calm. Ill probably come back next 
year and things will be different again.


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org



This archive was generated by hypermail 2.1.3 : Sun May 06 2007 - 23:23:22 PDT