[ISN] NSA Attacks West Point! Relax, It's a Cyberwar Game

From: InfoSec News (alerts@private)
Date: Mon May 12 2008 - 01:23:52 PDT


By David Axe 

Five hours into their assault on West Point, the hackers got serious.

The SQL [structured query language] inserts that came earlier were just 
pablum intended to lull the Army cadets into a false sense of security. 
But then the bad guys unleashed a stealthy kernel-level rootkit that 
burrowed into one workstation, started scraping data and "calling home."

It was a highly sophisticated attack, but this time the bad guys were 
really good guys in wolves' clothing.

For four days in late April, the National Security Agency -- the 
nation's most secretive repository of spooks, snoops and electronic 
eavesdroppers -- directed coordinated assaults on custom-built networks 
at seven of the nation's military academies, including West Point, the 
Army university 50 miles north of New York City.

It was all part of the seventh annual Cyber Defense Exercise, a training 
event for future military IT specialists. The exercise offered a rare 
window into the NSA's toolkit for infiltrating, corrupting or destroying 
computer networks.

The 34 Army cadets comprising the West Point IT team operated in a 
different kind of battlefield, but their combat skills and instincts 
need to be every bit as sharp. Like George Washington said: "There is 
nothing so likely to produce peace as to be well prepared to meet the 

The SQL injections, targeting their Fedora Core 8 Web server, were a 
piece of cake for these IT combatants. Each injection tried to smuggle 
malicious code inside the seemingly harmless language used by the 
network's MySQL software. The cadets handily defended with open source 
Apache web server modules, plus some manual tweaking of the SQL database 
to "avoid any surprises," in the words of Lt. Col. Joe Adams, a West 
Point instructor who helped coach the team.
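The injection defense the article describes, shown as an added example that is not the article's or West Point's code: a login query built by string concatenation beside its parameterized form, plus a small pattern screen of the kind a web-server input filter performs. The demo table, column names and the sqlite3 in-memory database standing in for MySQL are assumptions made for the example.

```python
import re
import sqlite3

# Constructed stand-in for the exercise's MySQL back end (assumption: a
# users table with name/password columns; nothing here comes from the article).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("cadet1", "s3cret"), ("admin", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Defect the article's "SQL inserts" exploit: user input is pasted into
    # the SQL text, so quotes and keywords in the input are parsed as SQL.
    sql = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Hardened form: placeholders pass the input as bound data, so the
    # database never interprets it as part of the statement.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


# Toy request screen in the spirit of an Apache input-filtering module
# (assumption: a simplified pattern list, not any real module's rule set).
_SUSPICIOUS = [
    re.compile(r"'\s*(or|and)\s+", re.IGNORECASE),  # quote followed by boolean glue
    re.compile(r"(--|/\*|;)"),                      # comment or statement terminators
    re.compile(r"\bunion\s+select\b", re.IGNORECASE),
]


def looks_like_injection(value: str) -> bool:
    """Return True when a form field carries SQL syntax a plain value would not."""
    return any(p.search(value) for p in _SUSPICIOUS)


def demo() -> dict:
    conn = make_db()
    # Constructed sample input: a password field carrying SQL rather than a secret.
    tampered = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "cadet1", "s3cret"),
        "legit_parameterized": login_parameterized(conn, "cadet1", "s3cret"),
        "tampered_vulnerable": login_vulnerable(conn, "nobody", tampered),
        "tampered_parameterized": login_parameterized(conn, "nobody", tampered),
        "screen_flags_tampered": looks_like_injection(tampered),
        "screen_flags_legit": looks_like_injection("s3cret"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The pattern screen is a first line of defense only; the parameterized query is the fix that holds regardless of how the input is encoded, which is why the article's "manual tweaking of the SQL database" matters more than any filter in front of it.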

But the kernel-level rootkit was much more dangerous. This stealthy 
operating-system hijacker can open unseen "back doors" into even highly 
protected networks. When they detected the rootkit's "calls home" the 
cadets launched Sysinternals' security software to find the hijacker, 
then they manually scoured the workstation to find the unwelcome 
executable file.
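The detection step the article turns on, a compromised workstation betraying itself by "calling home," as an added example that is not the cadets' tooling: a small beacon finder that reads an outbound-connection log, groups connections by source and external destination, and flags pairs whose inter-connection intervals are too regular to be human traffic. The log format (seconds, source, destination), the internal address prefix and the sample lines are all constructed for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound-connection log: "<seconds since start> <src> <dst>".
# One workstation checks in with an outside host on a near-fixed period;
# the other host's traffic is irregular. Assumption: this is not real data.
CONSTRUCTED_LOG = """\
0 10.0.0.5 10.0.0.2
12 10.0.0.5 198.51.100.7
30 10.0.0.9 10.0.0.2
35 10.0.0.9 10.0.0.2
71 10.0.0.5 198.51.100.7
133 10.0.0.5 198.51.100.7
140 10.0.0.9 10.0.0.3
192 10.0.0.5 198.51.100.7
253 10.0.0.5 198.51.100.7
300 10.0.0.9 10.0.0.2
310 10.0.0.9 10.0.0.2
"""


def parse_log(text: str) -> list[tuple[float, str, str]]:
    """Turn log lines into (timestamp, src, dst) tuples, skipping blanks."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, dst = parts
        rows.append((float(ts), src, dst))
    return rows


def find_beacons(text: str, internal_prefix: str = "10.0.0.",
                 min_hits: int = 4, max_jitter: float = 0.2) -> list[dict]:
    """Flag (src, dst) pairs whose connection intervals are nearly constant.

    max_jitter is the allowed ratio of interval standard deviation to mean
    interval; a scripted "call home" sits near zero, interactive traffic well above.
    Only destinations outside internal_prefix are considered (assumption).
    """
    by_pair: dict[tuple[str, str], list[float]] = defaultdict(list)
    for ts, src, dst in parse_log(text):
        if dst.startswith(internal_prefix):
            continue
        by_pair[(src, dst)].append(ts)

    flagged = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        period = mean(intervals)
        jitter = pstdev(intervals) / period if period > 0 else float("inf")
        if jitter <= max_jitter:
            flagged.append({"src": src, "dst": dst, "hits": len(times),
                            "period": period, "jitter": jitter})
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(CONSTRUCTED_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['hits']} connections, "
              f"period ~{hit['period']:.1f}s, jitter {hit['jitter']:.3f}")
```

A flagged pair gives the on-shift monitor exactly the two things the article says the team acted on: the external address to hand to the "router guys" and the internal workstation that then has to be scoured by hand for the implant, since the network view alone does not name the file.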

Then they terminated it. With extreme prejudice.

"This was probably the most challenging part of the exercise, since it 
required them to use some advanced techniques to find the rootkit," 
Adams says. And rooting it out helped boost the West Point team to the 
top of the pile when, in the aftermath of the exercise, the referees 
rated all the universities' network defenses.

For the second year in a row, the Army placed first over the Navy, Air 
Force, Coast Guard and others, winning geek bragging rights and the 
privilege of holding onto a gaudy, 60-pound brass trophy festooned with 
bald eagles and American flags. Adams credits the team's thorough 
preparation and their excellent teamwork despite the round-the-clock 

At the network control room on the second floor of West Point's 
200-year-old engineering building (which once was an indoor horse corral 
and still smells like it in some remote corners, according to one 
instructor), the IT team set up cots and, just for the hell of it, 
camouflaged netting. They worked in shifts, with one team member always 
monitoring incoming and outgoing traffic. He or she would alert other 
cadets -- "router guys" -- to block any suspicious addresses. Meanwhile, 
off-shift cadets would make food and coffee runs to keep everyone fueled 
up and alert. Together, the team was "faster than anyone else," Adams 

But the way the cadets designed their network was a big factor in their 
victory, too. The NSA dictated some terms: All networks had to be 
capable of e-mail, chat and other services and had to be up and running 
at all times despite any attacks or defensive measures. Beyond that, the 
teams were free to come up with their own designs.

West Point's took three weeks to build. The cadets settled on a fairly 
standard Linux and FreeBSD-based network with advanced routing 
techniques for steering incoming traffic in directions of the IT team's 

The choices in software tools for responding to any attack really boiled 
down to "automatic" versus "custom," says Eric Dean, a civilian 
programmer and instructor. He adds that while automatic tools that do 
most of their own work are certainly easier, custom tools that allow 
more manual tweaking are more effective. "I expect one of the 'lessons 
learned' will be the use of custom tools instead of automatics."

Even with a solid network design and passable software choices, there 
was an element of intuitiveness required to defend against the NSA, 
especially once it became clear the agency was using minor, and perhaps 
somewhat obvious, attacks to screen for sneakier, more serious ones.

"One of the challenges was when they see a scan, deciding if this is it, 
or if it's a cover," says Dean. Spotting "cover" attacks meant thinking 
like the NSA -- something Dean says the cadets did quite well. "I was 
surprised at their creativity."

Legal limitations were a surprising obstacle to a realistic exercise. 
Ideally, the teams would be allowed to attack other schools' networks 
while also defending their own. But only the NSA, with its arsenal of 
waivers, loopholes, special authorizations (and heaven knows what else) 
is allowed to take down a U.S. network.

And despite the relative sophistication of the NSA's assaults, the 
agency told Wired.com that it had tailored its attacks to be just "a 
little too hard for the strongest undergraduate team to deal with, so 
that we could distinguish the strongest teams from the weaker ones."

In other words, grasshopper, nice work -- but the NSA is capable of much 
craftier network take-downs.


This archive was generated by hypermail 2.1.3 : Mon May 12 2008 - 01:34:37 PDT