"Red Team" Exercise

Scenario: The Department of Homeland Security has hired a team of engineers and policy professionals to 1) test cyber-security vulnerabilities in the US economy, and 2) recommend appropriate policy responses (if any). The team must conduct its investigation and write a 3-7 page report summarizing its findings and recommendations by Monday October 24. You are a member of the team.

Phase 0: Teams will consist of 5-6 members and must contain a balanced mix of CS and social science students. Students who would like to work on the same team should notify the Teaching Assistant, Jeff Bigham, on or before Wednesday October 5. Students who do not indicate a preference by this date will be assigned 1) to existing under-strength teams, 2) to new teams, as necessary, by Friday October 7.

Phase 1: Beginning on Friday October 7, each team's engineering members will probe a target computer at UCSD (see http://www.cse.ucsd.edu/users/voelker/cse291/redteam.html for further information) to search for flaws. Preliminary briefings on possible attack scenarios can be found at Aleph One, http://www.shmoo.com/phrack/Phrack49/p49-14 ("Smashing The Stack For Fun And Profit," Phrack 49 7(49), 2000), and THC http://thc.org/papers/OVERFLOW.TXT ("STACK OVERFLOW EXPLOiTS ON LiNUX/BSDOS/FREEBSD/SUNOS/SOLARiS/HP-UX," 1996).

Team members should treat each attack as a controlled experiment, recording such variables as time-to-break-in, techniques attempted, success rate, hypothetical defenses, and the feasibility of automating successful attacks. Each engineering member is encouraged to mount his/her own attack separately in order to gain maximum experience with the target.

Phase 2: Teams will prepare a 3-7 page document summarizing their attack(s) and any ramifications for policy. The report should contain, at a minimum:

Reports will be judged on quality of evidence, reasoning, and presentation. The cybersecurity flaws you find may be significant or they may be minimal; your report should present the evidence fairly and impartially. A good public policy analyst should guard against preconceptions. You can and should change your beliefs as new evidence comes in.

Mechanics: Each team member should take primary responsibility for one or more sections of the report and his/her name should appear above those sections. However, you should not hand in a "staple job." Instead, each member should participate in, and provide detailed edits to, the entire report. Strong group performances can and will be reflected in individual grades.

Team reports are due on Monday October 24.