Brazilian Army Gets Hacked After Allegations of Cheating In Security Cyber-Games
An anonymous reader writes: Anonymous hackers breached the servers of the Brazilian Army, and later leaked the personal details of around 7,000 officers. The incident seems to stem from CTF games where security teams try to hack each other. Apparently the Brazilian Army team used forbidden tactics to win its games, and the hackers responded by doxxing some of their officers.
A snippet: According to the hackers' statement, the Brazilian Army team used a forbidden technique to win their CTF matches in a local CTF tournament. The technique they used is WiFi deauth, a simplistic attack that jams WiFi traffic, incapacitating the other team. The hackers also seemed upset at the fact that the Brazilian army was bragging about their accomplishments, being particularly angry at the usage of the word "elite."
"forbidden tactics" ? (Score:2)
If you are constrained by 'rules' of how you can operate and what tools you can use, you are deluded and have already lost. The 'exercise' is simply a dog and pony show.
Re:"forbidden tactics" ? (Score:5, Informative)
> No, you use whatever you can. An actual enemy would.
No. An actual enemy would not jam your WiFi because they would not be on your local network. That rule existed in the game because it was an attack that would not be available in an actual conflict.
Re: (Score:3)
You want realistic games? Nothing is off limits.
Re: "forbidden tactics" ? (Score:2, Funny)
So just kill your opponents and you win the game. The other countries would probably not want to participate in games after that...
Re: (Score:2)
So you could say that their enemies 'got waxed?'
Re:"forbidden tactics" ? (Score:5, Insightful)
> Really? A small drone flying around, saturating/jamming your WiFi freq.
Except they didn't use a drone. They used a stationary jammer inside the facility, which is not realistic. They were also jamming WiFi, but a real military comm center would have cabled connections. WiFi was only being used because it was easier to run the game that way.
> You want realistic games? Nothing is off limits.
Then everyone would bring a shotgun to a chess tournament. Games are designed to test and exercise specific capabilities. There are always compromises that make them different from a real war, and rules to prevent participants from exploiting those compromises to "win" in unrealistic ways that would not work in a real conflict. Cheating to win doesn't make you better. It just corrupts the process, and then the game is no longer an effective tool for improvement. So in a real war, you lose.
Re: (Score:1)
Of course they can. But why bother if that's not what they are attempting to test?
Re: (Score:2)
> You want realistic games? Nothing is off limits.
> Then everyone would bring a shotgun to a chess tournament.
now that's my kind of chess tournament!
Re: (Score:2)
We are not talking about a chess game here. It was a game of cyber-warfare and there are no rules in a game like this. The only possible rule would be try not to kill anybody but other than that anything goes. In the real world a drone could be used to take down the Wi-Fi or someone could infiltrate the facility and place a device inside the facility. I am sure the Iranians thought their nuclear centrifuges were safe from outside interference until someone infiltrated one of their most secure facilities in
Re: "forbidden tactics" ? (Score:1)
I used to organize that kind of tournament and we had basically three contest-specific rules: teams are forbidden to go to the other teams' area, keep your malicious traffic inside (no hacking on the real internet) and don't hack our infrastructure (the score keeping machine, the firewall/gateway to the net, the free wifi, the jukebox). We also had a code of conduct with evident rules like no fighting, no vandalism, no stealing etc.
Re: (Score:3)
But you just said there are no rules. In the real world once I knew where you were I could bomb you and/or the computer hosting your link. Therefore I should be able to walk over to you in the tournament and shoot you in the head. Your poor opsec is your problem, not mine.
You're not saying that there's no rules, you're saying that you'll only o
Re: (Score:2)
> You want realistic games?
CTF is not realistic. It's lots of fun, but plenty of "realism" has been cut so you can test skills in realtime. It can take several months to find a zero-day exploit in real life, but in a CTF contest, you might find several of them in a single day.
Re: (Score:2)
> No. An actual enemy would not jam your WiFi because they would not be on your local network
Except when they've rootkitted a laptop near you, or used an antenna or a locally planted repeater to access your network from slightly offsite, or planted a wifi gateway inside your network. This is the difficulty of setting up defenses based on what you think an "actual enemy" would do, rather than based on what real attackers do. Real attackers use the cheaper, simpler attack methods because they work, but they a
Re: (Score:3)
> Except when they've rootkitted a laptop near you, or used an antenna
Defending against these attacks is not the responsibility of the participants in this exercise, and is not the point of these games. The defense against these attacks includes physical security, and better background checks. Those are not skills that are important in a penetration specialist, nor could they be realistically tested in this game scenario. To find a rootkitted laptop, you would walk around disabling wifi on each laptop until you found the offender. Do you think this exercise could work if
Re: (Score:2)
> Defending against these attacks is not the responsibility of the participants in this exercise,
I agree. The rules test certain types of defined attack vectors. But the concept that "No. An actual enemy would not jam your WiFi because they would not be on your local network" is not a well founded one, and it's what I meant to object to. Many attackers can, and will, gain access to your local network. Many successful or partially successful attackers can, and will brag about or exchange details on exact
Re: (Score:2)
Or their heads. I doubt the fine upstanding South American military chaps would ever do anything like that though.
Re: (Score:2)
> Except when they've rootkitted a laptop near you
Now why in hell's name, after you have successfully rooted a laptop in the enemy's defense services, would you go and do a stupid thing like that? You might as well pop up a dialog that says, "HEY THIS MACHINE IS PROBABLY COMPROMISED LOOK HERE". No thank you, if I was an attacker I'd rather keep my compromised box to help me ensure persistence rather than sacrifice it on what will be at most a minor disruption of a small number of people for a few moments.
Re: (Score:2)
An intelligent actual enemy would not jam your wifi after rooting one of your laptops, but rather use that laptop to forward information to them that you believed them ignorant of. And then, of course, if you detect it you feed in false, but believable information. And then...
Re: (Score:1)
CTFs have two rules: control the system, and keep the system online. Maximizing up-time is the entire point of a CTF.
The army couldn't beat the hackers so they jammed the connection with a wireless DoS. That defeats the purpose of the exercise. They might as well have turned off the computers.
Turning around and claiming victory after essentially admitting defeat was a lamer move. I'm not surprised bragging about their "elite" response triggered retribution.
Re: (Score:1)
No it doesn't, it ensures the legitimacy of the exercise. Uptime matters. If hackers deprive you of up-time: they've already won. That's why Anonymous is always using DDoS attacks: there are a lot of them and it is a cheap/easy victory.
Taking down your network and calling it a "victory" is like using scorched earth tactics against your own capital and calling your retreat a victory.
The "up-time" stipulation shouldn't even need to be said, but it deters retards from pulling the plug and knocking over the ches
Forbidden (Score:1)
They went full cyber [twimg.com]. Never go full cyber.
Ah the Kobayashi Maru technique (Score:2)
All's fair in love and war.
Isn't that the whole point? (Score:1)
If you're doing cyber-security hacking, the _whole point_ is cheating.
Kobayashi Maru (Score:2)
So they pulled a Kobayashi Maru and Slashdotters are upset? I did not expect that.