[Infowarrior] - Inside NSA Red Team Secret Ops With Government's Top Hackers
Richard Forno
rforno at infowarrior.org
Tue Jul 1 12:33:49 UTC 2008

Inside NSA Red Team Secret Ops With Government's Top Hackers
By Glenn Derene
Published on: June 30, 2008
http://www.popularmechanics.com/technology/military_law/4270420.html?page=2A

When it comes to the U.S. government’s computer security, we in the
tech press have a habit of reporting only the bad news—for instance,
last year’s hacks into Oak Ridge and Los Alamos National Labs, a break-
in to an e-mail server used by Defense Secretary Robert Gates ... the
list goes on and on. Frankly that’s because the good news is usually a
bunch of nonevents: “Hackers deterred by diligent software patching at
the Army Corps of Engineers.” Not too exciting.

So, in the world of IT security, it must seem that the villains
outnumber the heroes—but there are some good-guy celebrities in the
world of cyber security. In my years of reporting on the subject, I’ve
often heard the National Security Agency’s red team referred to with a
sense of breathless awe by security pros. These guys are purported to
be just about the stealthiest, most skilled firewall-crackers in the
game. Recently, I called up the secretive government agency and asked
if it could offer up a top red teamer for an interview, and,
surprisingly, the answer came back, “Yes.”

What are red teams, you ask? They’re sort of like the special forces
units of the security industry—highly skilled teams that clients pay
to break into the clients’ own networks. These guys find the security
flaws so they can be patched before someone with more nefarious plans
sneaks in. The NSA has made plenty of news in the past few years for
warrantless wiretapping and massive data-mining enterprises of
questionable legality, but one of the agency’s primary functions is
the protection of the military’s secure computer networks, and that’s
where the red team comes in.

In exchange for the interview, I agreed not to publish my source’s
name. When I asked what I should call him, the best option I was
offered was: “An official within the National Security Agency’s
Vulnerability Analysis and Operations Group.” So I’m just going to
call him OWNSAVAOG for short. And I’ll try not to reveal any
identifying details about the man whom I interviewed, except to say
that his disciplined, military demeanor shares little in common with
the popular conception of the flippant geek-for-hire familiar to all
too many movie fans (Dr. McKittrick in WarGames) and code geeks (n00b
script-kiddie h4x0r in leetspeak).

So what exactly does the NSA’s red team actually do? They provide
“adversarial network services to the rest of the DOD,” says OWNSAVAOG.
That means that “customers” from the many branches of the Pentagon
invite OWNSAVAOG and his crew to act like our country’s shadowy
enemies (from the living-in-his-mother’s-basement code tinkerer to a
“well-funded hacker who has time and money to invest in the effort”),
attempting to slip in unannounced and gain unauthorized access.

These guys must conduct their work without doing damage to or
otherwise compromising the security of the networks they are tasked to
analyze—that means no denial-of-service attacks, malicious Trojans or
viruses. “The first rule,” says OWNSAVAOG, “is ‘do no harm.’” So the
majority of their work consists of probing their customers’ networks,
gaining user-level access and demonstrating just how compromised the
network can be. Sometimes, the red team will leave an innocuous file
on a secure part of a customer’s network as a calling card, as if to
say, “This is your friendly NSA red team. We danced past the comical
precautionary measures you call security hours ago. This file isn’t
doing anything, but if we were anywhere near as evil as the hackers
we’re simulating, it might just be deleting the very government
secrets you were supposed to be protecting. Have a nice day!”

I’d heard from one of the Department of Defense clients who had
previously worked with the NSA red team that OWNSAVAOG and his team
had a success rate of close to 100 percent. “We don’t keep statistics
on that,” OWNSAVAOG insisted when I pressed him on an internal
measuring stick. “We do get into most of the networks we target.
That’s because every network has some residual vulnerability. It is up
to us, given the time and the resources, to find the vulnerability
that allows us to access it.”

It may seem unsettling to you—it did at first to me—to think that the
digital locks protecting our government’s most sensitive information
are picked so constantly and seemingly with such ease. But I’ve been
assured that these guys are only making it look easy because they’re
the best, and that we all should take comfort, because they’re on our
side. The fact that they catch security flaws early means that,
hopefully, we can patch up the holes before the black hats get to them.

And like any good geek at a desk talking to a guy with a really cool
job, I wondered just where the NSA finds the members of its
superhacker squad. “The bulk is military personnel, civilian
government employees and a small cadre of contractors,” OWNSAVAOG
says. The military guys mainly conduct the ops (the actual breaking
and entering stuff), while the civilians and contractors mainly write
code to support their endeavors. For those of you looking for a gig in
the ultrasecret world of red teaming, this top hacker says the ideal
profile is someone with “technical skills, an adversarial mind-set,
perseverance and imagination.”

Speaking of high-level, top-secret security jobs, this much I now
know: The world’s most difficult IT department to work for is most
certainly lodged within the Pentagon. Network admins at the Defense
Department have to constantly fend off foreign governments, criminals
and wannabes trying to crack their security wall—and worry about a
bunch of ace hackers with the same DOD stamp on their paychecks.

Security is an all-important issue for the corporate world, too, but
in that environment there is an acceptable level of risk that can be
built into the business model. And while banks build in fraud as part
of the cost of doing business, there’s no such thing as an acceptable
loss when it comes to national security. I spoke about this topic
recently with Mark Morrison, chief information assurance officer of
the Defense Intelligence Agency.

“We meet with the financial community because there are a lot of
parallels between what the intelligence community needs to protect and
what the financial community needs,” Morrison said. “They,
surprisingly, have staggeringly high acceptance levels for how much
money they’re willing to lose. We can’t afford to have acceptable
loss. So our risk profiles tend to be different, but in the long run,
we end up accepting similar levels of risk because we have to be able
to provide actionable intelligence to the war fighter.”

OWNSAVAOG agrees that military networks should be held to higher
standards of security, but perfectly secure computers are perfectly
unusable. “There is a perfectly secure network,” he said. “It’s one
that’s shut off. We used to keep our information in safes. We knew
that those safes were good, but they were not impenetrable, and they
were rated on the number of hours it took for people to break into
them. This is a similar equation.”