APCO North Central Conference Table Top Exercise Program Guide (EPG)
Scenario: SCHOOL
Revision 1.3 – 15 April 2009
CONFIDENTIAL

Authors:
James P. Cavanagh, cyber exercises, jim@cyberexercises.com
Tom Thienel, cyber exercises, tomt@cyberexercises.com

Instructions to reviewers/editors: add your name, agency or organizational affiliation and email at the end of the Contributors list and, with TRACK CHANGES on, make your edits. When you are finished, send the final version to jim@911tips.org with "TTX: Public" in the subject line.

Contributors:

Table of Contents
Cyber Table Top Exercises ... 1
School Shooting with Hostages Cyber Table Top ... 1
Objectives ... 2
Purpose ... 2
Exercise Agenda ... 2
Scenario ... 3
Scenario Anatomy ... 5
Detection/Prevention/Response Planning ... 10
Detection/Prevention/Response Role Play ... 10
Appendix A: Prep/Reading List
Appendix B: After Action Activities
Appendix C: Materials Checklist
Glossary

Cyber Table Top Exercises

On Sunday, April 26th, 2009 at 0900 in La Crosse, Wisconsin, three cyber table top exercises will be staged as a pre-conference exercise of the Association of Public-Safety Communications Officials' (APCO) North Central Conference. Like many table top exercises, these exercises will deal with an active shooter incident on campus with hostages, emergency response to an unprecedented natural disaster, and terrorist disruption of a public gathering. Unlike most table top exercises, however, these exercises will focus on the cyber aspects of the three scenarios. The objective of these exercises is to transfer knowledge about key aspects of the underlying technologies, how they are exploited and disrupted, and how the risks can be mitigated.

The overall program will be moderated and facilitated by Wisconsin Emergency Management's Terrorism Exercise Training Coordinator and La Crosse County's Emergency Management Coordinator, with each of the three individual exercises being conducted by Knowledge Transfer Agents (KTAs): practitioners with technology and cybersecurity credentials in their respective scenarios. Additional knowledge transfer will be performed through cross-disciplinary participation from schools, cities, counties, hospitals and other interested and impacted parties, whose participation is being actively solicited.

In order to get the most impact from the program, each registered participant will have an opportunity to review and edit the Exercise Planning Guide (EPG) prior to the exercise, and their inputs will be noted through end notes in the guide with their name, agency or company affiliation and email address.
School Shooting with Hostages Cyber Table Top

Two students attack their senior class, holding the Student Council officers as hostages and using campus video systems to track the actions of law enforcement and to broadcast their demands over the Internet. This scenario, or some variation on the theme, is all too common: the perpetrators of this horrible crime feel as though they are being discriminated against and feel compelled to use force to make their grievances known. In this scenario the two students ran for Student Council office and lost; they blame the new Student Council officers for their shame and take them hostage after a shooting rampage. Using technical skills learned while helping maintain the school network and running their own home networks, they commandeer the campus video system, giving them an eye on the actions of law enforcement, and use the Internet as a platform for their complaints. This exercise will delve into IP-based video technology and the Internet and how they can be used by both law enforcement and bad actors. Wireless measures and countermeasures will also be described, as well as other related technologies.

Non-Classified / HLS and Law Enforcement Use Authorized Page 1
APCO North Central Conference TTX: Public Gathering Scenario

Objectives
1. Offer opportunities for subject-matter experts to provide information regarding current and emerging technologies and the associated challenges (intentional or otherwise) to the effective use of those technologies.
2. Prepare and conduct three facilitated table-top exercises designed to explore various means that perpetrators could use to disrupt public safety communications. The exercises will be offered in a rotated schedule so that every workshop attendee may participate in all three exercises, or select those that offer topics specific to their needs and interests.
3. Provide exercise review presentations to the full workshop to allow participants to share thoughts and ideas regarding potential responses to the cyber-terrorism attacks as well as overall exercise design and conduct feedback.

Purpose
Pre-conference attendees from the thirteen states represented in the APCO North Central Region will be offered an opportunity to examine and share concerns and insights regarding the intentional criminal exploitation of new and emerging technologies in the public safety communications profession. A tabletop exercise will serve as the core component of a workshop facilitated by subject-matter experts and will feature multiple scenarios in a break-out session format to allow for exposure to diverse concerns and potential solutions to common issues.

Exercise Agenda
This exercise will be divided into four phases: Scenario, Scenario Anatomy, Detection/Prevention/Response Planning and Detection/Prevention/Response Role Plays. The Scenario phase will last less than ten minutes and will describe the unfolding scenario from the viewpoint of law enforcement. The Scenario Anatomy phase will last just over 20 minutes and will describe the scenario from "the inside", from the viewpoint of the perpetrators. One of the unique aspects of this table top exercise is the big difference between the law enforcement view and the actual facts of what is occurring. In the third phase participants will be divided into two groups: school and law enforcement. The school group will have thirty minutes to develop a plan to address detection and prevention, while the law enforcement group will have thirty minutes to develop a plan for response to this event. Thirty minutes may seem like a short time, but it is thirty minutes longer than law enforcement will have to create a plan in an actual, live event.
The fourth phase, Detection/Prevention/Response Role Plays, will be an opportunity for a representative of each of the two groups, school and law enforcement, to spend fifteen minutes each explaining their plans to an omniscient third party, KTA Tom Thienel, and for him to explain why the plan might work or why it might not.

Scenario

In Phase I, Scenario, we will view this scenario from the viewpoint of law enforcement. Realistically, this is the only information that law enforcement will have at their disposal during an actual event, and the response phase should come immediately after this phase, allowing table top exercise participants to make the mistakes they might make with the limited, and misleading, information and to learn from those mistakes. However, in keeping with the knowledge transfer objectives of these table top exercises, TTX participants will be privy to both the law enforcement and insider views before being required to develop responses.

This scenario occurs in the medium-sized middle-American city of La Salle. La Salle has a centralized police force operating from a single police station which is co-located with 911 and the jail. The La Salle Police Patrol Division provides 24-hour police protection and services to the citizens of La Salle. The Patrol Division is divided into three shifts: Day Shift, Afternoon Shift, and Night Shift. Each shift is staffed by a lieutenant, two sergeants, and eight or nine patrol officers. The Patrol Division patrols to the corporate limits of La Salle and works closely with the La Salle University Department of Public Safety, the La Salle County Sheriff's Department, and the State Police.
TIME / EVENT (law enforcement view)

-14 days: School janitor notices strange markings in chalk on the floors. He does not feel it is gang related, erases the markings and makes no report.
-1 hr 15 min (0800): Day Shift begins at La Salle PD. One Lieutenant and two Sergeants on duty at PD. Eight cars on patrol with one officer each. Normal heavy city rush hour traffic hinders operations and decreases mobility for patrol vehicles, slowing average response time to 11 to 14 minutes.
-8 min (0907): La Salle 911 receives a call reporting an armed robbery at a store in the northern part of the city.
-7 min (0908): La Salle 911 receives a call reporting that a known child molester has taken control of a school bus in the southern part of the city and is holding all the girls, ages 6-10, hostage on the bus.
-6 min (0909): La Salle 911 receives a call reporting a breaking and entering at a house in the western part of the city.
-5 min (0910): La Salle 911 receives a call reporting domestic violence involving an armed perpetrator and children in the eastern part of the city.
-4 min (0911): La Salle 911 receives a call from Paula Dane, the principal of Central High School, reporting shooting in the school. The 911 telecommunicator is a neighbor of Ms. Dane and does not recognize the caller's voice. The 911 telecommunicator tells Ms. Dane to lock her office door and to stay put until help can arrive.
-1 min (0914): The 911 telecommunicator calls Ms. Dane back [1] and reaches her in her office. Ms. Dane claims to have made no such 911 call. During the call from 911 to the Principal, loud sounds, very much like gunfire, are heard in the background.
0 min (0915): Ms. Dane verifies that shots have been fired and that one classroom has been barricaded. [2]

[1] 911 telecommunicator consoles display the call-back number associated with the emergency calls they are receiving so they may call back if a call is disconnected. In this case the 911 telecommunicator used this feature to verify the legitimacy of the call.
[2] The shooters have taken advantage of the normal confusion associated with the movement of students at the class change from first to second period that occurs at 0915.

+5 sec: Twitter tweets are sent out from this moment every several minutes, updating anyone who is signed up as a friend on the attack as it unfolds, step by step.
+4 min: Breaking and entering cannot be verified by responding officer(s).
+4 min: Cell phone calls from students in the school, while shots are being fired, begin to go out to parents, friends and media and continue through the siege.
+5 min: Store robbery cannot be verified by responding officer(s).
+6 min: Fox News Special Report shows two armed students and hostages inside a classroom at Central High School.
+7 min: Report of domestic violence cannot be verified by responding officer(s).
+9 min: Report of child molester holding students hostage cannot be verified by responding officer(s).
+14 min: Fox interview with the two armed students via Skype with video and full audio. First student, identified as "Dylan", claims that if their demands are not met or if they are approached by law enforcement they will begin executing hostages. Second student, identified as "Eric", says they might just start shooting hostages anyway.
+18 min: From the Fox interview school officials identify shooter "Dylan" as Dave Varden and "Eric" as Larry Croft. Parents are contacted and communications is established via cell phone.
+21 min: Varden and Croft tell Fox News that law enforcement is moving into position and that if they do not retreat there will be "consequences".
+22 min: Varden and Fox show video feeds of law enforcement positions from the school video surveillance system.
+27 min: Varden and Croft demand that Oklahoma bomber Timothy McVeigh be released to their custody and that a small aircraft and pilot be made available to them on the school's running track. They further demand that McVeigh co-conspirator Terry Nichols be put on a diet of whole foods and be given something for his hemorrhoids. On advice of the school psychiatrist, Varden and Croft are not told that Timothy McVeigh was put to death by lethal injection in 2001. Hostage negotiators agree to have a plane with McVeigh available within six hours. Varden and Croft give them thirty minutes.
+33 min: Local NEWS 8 truck arrives, deploys satellite uplink and begins coverage.
+35 min: Varden and Croft each make statements on Fox News that the reason for their actions is that they were treated unfairly in their recent run for Student Council, which they lost, and that their actions are on behalf of "all mistreated and abused students everywhere who are too weak to act for themselves". They reveal that they are holding the entire newly elected Student Council hostage. They show Fox News the Student Council cowering in a group in the corner via the Skype connection and send a cell phone photo to the hostage negotiator.
+37 min: No airplane, no McVeigh. The first execution takes place: the class secretary. Fox News is told that the murder will be posted to YouTube, which it is within minutes. Varden and Croft give five more minutes for their demands to be met.
+1 hr 3 min: Law enforcement blocks Internet access from the classroom. [3] The Skype connection to Fox is lost. The video surveillance feed to the classroom computers is lost.
+1 hr 7 min: Croft boots up a notebook computer and warns the hostage negotiator that law enforcement should stand down: they are getting too close.
+1 hr 8 min: Demands are not met. The second execution takes place: the class treasurer. Video is posted on YouTube.
+1 hr 9 min: Demands are repeated. Five minutes are given until the next execution. Video is posted on YouTube.
+1 hr 14 min: Demands are not met. The third execution takes place: the class vice president. The video footage is posted to YouTube but is taken down immediately.
+1 hr 15 min: Demands are not met. Five minutes are given until the next, and last, execution.
+1 hr 17 min: Law enforcement storms the classroom, killing both Varden and Croft. All of the Student Council members are found alive, duct-taped but safe, in the classroom.

[3] Law enforcement, with the assistance of the school LAN administrator, can disable wired access if the school has smart hubs or switches that allow remote control of Internet access, and can also disable wireless access points remotely. Note that this cuts only the school's own network: as the Scenario Anatomy shows, it does nothing about cell phones or third-party wireless access points within range of the classroom.

Scenario Anatomy

The second phase, the Scenario Anatomy, will reveal what law enforcement did not know about this scenario, including the real story behind the shooting, hostage taking and use of technology by the two high school students, as well as a third party to the crimes: an accomplice.

TIME / EVENT (insider view)

-42 days: A new student, Milosc Sobchak, enrolls in school. He has transferred from Riverside High in Riverside, California. His father works for a Wireless Internet Service Provider (WISP). On his first day of school he wears an "I Love Timothy McVeigh" T-shirt. [4]
-38 days: Sobchak, an outsider, quickly falls in with Dave Varden and Larry Croft, two average students who are not connected with any clique in particular. The three boys are above average in intelligence and socially maladjusted. They have read extensively on terrorist topics as well as the domestic terrorism of Timothy McVeigh and Terry Nichols. They decide to stage an elaborate fake school shooting and hostage taking as their own, personal, junior prank. They also decide to demand that Timothy McVeigh, who was put to death by lethal injection in 2001, be turned over to them as "an inside joke between us and the cops". Planning begins.
-35 days: The plan is formulated and underway. Varden and Croft officially commit as candidates for President and Vice President of Student Council, with Sobchak as their campaign manager, on a "We Shall Overcome" platform complete with new lyrics to the spiritual that became emblematic of the US civil rights movement.
-26 days: Sobchak drives to a distant city where he attempts to purchase semi-automatic weapons at a swap meet. He is detained briefly by security guards and then evicted from the meet.
-19 days: Sobchak and Croft successfully break the WEP [5] encryption [6] securing Varden's home wireless LAN and access his files. Varden is ecstatic and the decision is made to take a test run at the school.
-15 days: Croft and Sobchak go "warchalking" [7] in the school. They identify the location of the school's Wireless Access Points (WAPs) and mark the locations with chalk in a manner consistent with instructions found on the Internet so they can easily return later.

[4] Customized "I Love so-and-so" (Hitler, Nixon?) T-shirts (http://www.loveyoushirts.com/Name.aspx?id=1&imgText=Timothy&imgText2=McVeigh and others) are readily available on the Internet, as are T-shirts quoting McVeigh.
[5] WEP is Wired Equivalent Privacy, an older and less secure method of securing wireless communications.
[6] Many web sites provide the software tools to crack WEP. An example of such a web site is www.netstumbler.org and the chopchop WEP cracker software that can be downloaded from that site free of charge.

-14 days: School janitor notices strange markings in chalk on the floors. He does not feel it is gang related, erases the markings and makes no report.
-13 days: Croft and Sobchak return to the school wireless access points they located earlier and determine that, rather than the older WEP encryption algorithm, the school is using the more difficult WPA2 [8], which is, with the tools at their disposal, uncrackable.
-11 days: Sobchak, who at age 17 has both A+ and Network+ certifications, gets a job as a student administrator on the Central High Local Area Network (LAN). Sobchak was able to self-study the A+ and Network+ materials with help from his father and to take the tests online. In his new role he is able to obtain the WPA2 security keys for school wireless access. [9]
-9 days: Student Council elections are held and Varden and Croft, predictably, lose.
-8 days: Sobchak tests connections to several news agencies and news networks' "newsmaker" lines. He finds the Fox network easiest to access because they use Skype (www.skype.com), which allows direct audio and video communications with the added benefit that the conversation is encrypted.
-7 days: Sobchak, Varden and Croft enlist the new Student Council officers, as well as a few other students, to help film a class video project. Everyone is sworn to secrecy as they film realistic scenes of the last moments of the lives of the hostages. The screen goes blank just before each gunshot is heard. The last sound is the body falling lifelessly to the ground.
-6 days: In his role as student LAN administrator, Sobchak installs X11 wireless surveillance cameras that are independent of the school video surveillance system.
-5 days: Croft completes a term paper for a fellow student on the tragedies of William Shakespeare in return for access to the starter pistols and ammunition used by the school track team.
-4 days: Sobchak establishes a Twitter identity and gets schoolmates to sign up to receive "Tweets", short messages about his current activities. He promises them that this will let them be in on "something really big" and drops hints about a popular local band. Through the fabric of the social network, the people to whom the brief "tweet" messages will go number in the thousands.
-4 hours: Sobchak, Croft and Varden have slept overnight at Sobchak's home, in what will become their operations center for the upcoming hoax at the school. Sobchak will remain in the command center and provide remote tactical support via the Internet and cell phone.
-1 hr 15 min (0800): Day Shift begins at La Salle PD. One Lieutenant and two Sergeants on duty at PD. Eight cars on patrol with one officer each. Normal heavy city rush hour traffic hinders operations and decreases mobility for patrol vehicles, slowing average response time to 11 to 14 minutes.
-9 min: Using software widely available on the Internet [10] or commercially available services [11], Sobchak places fictitious 9-1-1 calls with spoofed caller ID. The process is referred to as swatting or PSAP bombing.
-8 min (0907): La Salle 911 receives a call reporting an armed robbery at a store in the northern part of the city.

[7] Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi wireless network. Inspired by hobo symbols, the warchalking marks were conceived by a group of friends in June 2002 and publicized by Matt Jones, who designed the set of icons and produced a downloadable document containing them. Within days of Jones publishing a blog entry about warchalking, articles appeared in dozens of publications and stories appeared on several major television news programs around the world.
[8] WPA is Wi-Fi Protected Access. WPA2 is the fuller implementation, covering the full IEEE 802.11i standard. While susceptible to sophisticated cracking methods, it is substantially more secure than Wired Equivalent Privacy (WEP).
[9] Within the security area this would be considered "social engineering", which is, basically, obtaining information, passwords, keys or other useful tools through non-technical means by exploiting humans and social relationships.
[10] For example, http://www.gadgettrail.com/2005/01/06/do-it-yourself-caller-id-spoofing/
[11] For example, the Itellas service (http://www.itellas.com/?gclid=CKaEgLOR7JkCFR4hnAod73IOSQ) and Spoof 1-2-3 (http://www.spoof123.com/) not only allow a caller to change the caller ID but also allow the caller to change their voice using sophisticated audio processing software. Spoof123 also works internationally.

-7 min (0908): La Salle 911 receives a call reporting that a known child molester has taken control of a school bus in the southern part of the city and is holding all the girls, ages 6-10, hostage on the bus.
-6 min (0909): La Salle 911 receives a call reporting a breaking and entering at a house in the western part of the city.
-5 min (0910): La Salle 911 receives a call reporting domestic violence involving an armed perpetrator and children in the eastern part of the city.
-4 min (0911): La Salle 911 receives a call from Paula Dane, the principal of Central High School, reporting shooting in the school. The 911 telecommunicator is a neighbor of Ms. Dane and does not recognize the caller's voice. The 911 telecommunicator tells Ms. Dane to lock her office door and to stay put until help can arrive.
-1 min (0914): The 911 telecommunicator calls Ms. Dane back and reaches her in her office. Ms. Dane claims to have made no such 911 call. During the call from 911 to the Principal, loud sounds, very much like gunfire, are heard in the background.
0 min (0915): Ms. Dane verifies that shots have been fired (unbeknownst to Dane, fired from the starting guns obtained from the school track team) and that one classroom has been barricaded.
+5 sec: Twitter tweets are sent out from this moment every several minutes, updating anyone who is signed up as a friend on the attack as it unfolds, step by step.
+4 min: Breaking and entering cannot be verified by responding officer(s).
+4 min: Cell phone calls from students in the school, while shots are being fired, begin to go out to parents, friends and media and continue through the siege.
+5 min: Store robbery cannot be verified by responding officer(s).
+5 1/2 min: Croft attaches a USB device to a classroom computer and with a few keystrokes is able to send video out, through the school's security firewall, to Fox, showing conditions in the classroom. This is set up with a phone call to the Fox hotline number which appears frequently on the screen for news leads. Croft also accesses the school's internal video surveillance system and makes the video feeds available on several classroom computers.
+6 min: Fox News Special Report shows two armed students and hostages inside a classroom at Central High School.
+7 min: Report of domestic violence cannot be verified by responding officer(s).
+9 min: Report of child molester holding students hostage cannot be verified by responding officer(s).
+12 min: Fox interview with the two armed students via Skype with video and full audio. First student, identified as "Dylan", claims that if their demands are not met or if they are approached by law enforcement they will begin executing hostages. Second student, identified as "Eric", says they might just start shooting hostages anyway.
+14 min: From the Fox interview school officials identify shooter "Dylan" as Dave Varden and "Eric" as Larry Croft. Parents are contacted and communications is established via cell phone.
+18 min: Varden loads a desktop sharing application to allow the video feeds to be sent to Fox for broadcast. [12]
+20 min: Varden and Croft tell Fox News that law enforcement is moving into position and that if they do not retreat there will be "consequences".
+21 min: Varden and Fox show video feeds of law enforcement positions from the school video surveillance system.

Note: Skype is software that allows free audio and video calls between Skype users and calls for a fee to parties on the traditional phone network. Most news agencies have active Skype connections for use by remote correspondents as well as viewers with hot news tips.
[12] There are numerous software programs and services for sharing desktops, applications, etc., from remote control programs such as Timbuktu (www.timbuktu.com) to GoToMyPC (www.gotomypc.com) and trial versions of GoToWebinar (www.gotowebinar.com).

+22 min: Varden and Croft demand that Oklahoma bomber Timothy McVeigh be released to their custody and that a small aircraft and pilot be made available to them on the school's running track. They further demand that McVeigh co-conspirator Terry Nichols be put on a diet of whole foods and be given something for his hemorrhoids. On advice of the school psychiatrist, Varden and Croft are not told that Timothy McVeigh was put to death by lethal injection in 2001. Hostage negotiators agree to have a plane with McVeigh available within six hours. Varden and Croft give them thirty minutes.
+27 min: Local NEWS 8 truck arrives, deploys satellite uplink and begins coverage. No one in law enforcement realizes (and the NEWS 8 people may or may not care) that the news truck is equipped with a wireless access point (WAP) which, in this case, is open and not secured.
+33 min: Varden and Croft each make statements on Fox News that the reason for their actions is that they were treated unfairly in their recent run for Student Council, which they lost, and that their actions are on behalf of all mistreated students who are too weak to act for themselves. They reveal that they are holding the entire newly elected Student Council hostage. They show Fox News the Student Council cowering in a group in the corner via the Skype connection and send a cell phone photo to the hostage negotiator.
+35 min: No airplane, no McVeigh. The first execution takes place: the class secretary. Fox News is told that the murder will be posted to YouTube, which it is within minutes. Varden and Croft give five more minutes for their demands to be met.
+37 min: Law enforcement is unaware that the video footage was produced previously and that it is being posted on the popular video site YouTube (www.youtube.com) by Sobchak, who is remote from the events as they unfold. Twitter Tweets continue to reach shocked and appalled recipients, some of whom have already called news outlets, which have picked up the story and are running the Tweets live as well as the Fox coverage.
+1 hr 3 min: Law enforcement blocks Internet access from the classroom. The Skype connection to Fox is lost. The video surveillance feed to the classroom computers is lost.
+1 hr 5 min: Croft boots up a notebook computer and warns the hostage negotiator that law enforcement should stand down: they are getting too close. At this point Croft is accessing the X11 video feed, the one that is independent of the school video surveillance, on a computer that is more mobile than the classroom desktop from which they already had access.
+1 hr 6 min: After a brief interruption the Skype connection flutters back to life and the connection to Fox is re-established. On the computer running Skype, Croft scans for available Wireless Access Points and is able to re-establish communications via the NEWS 8 truck and its satellite uplink.
+1 hr 8 min: Demands are not met. The second execution takes place: the class treasurer. Video is posted on YouTube. Police are perplexed that videos are posted to YouTube and Twitter Tweets are still being generated even though Internet access from the classroom has been disabled. They are unaware that Sobchak is operating from a remote location and is in contact via cell phone.
+1 hr 9 min: Demands are repeated. Five minutes are given until the next execution. Video is posted on YouTube.
+1 hr 14 min: Demands are not met. The third execution takes place: the class vice president. The video footage is posted to YouTube but is taken down immediately.
+1 hr 15 min: Demands are not met. Five minutes are given until the next, and last, execution.
+1 hr 17 min: Law enforcement storms the classroom, killing both Varden and Croft. All of the Student Council members are found alive, duct-taped but safe, in the classroom.

Detection/Prevention/Response Planning

In the third phase the facilitator will guide participants through the process of discovering countermeasures and additions to routines that could, at minimum, detect and identify the risks and, at best, counteract and defuse them. Participants are divided into two groups: the school group has thirty minutes to develop a detection and prevention plan, and the law enforcement group has thirty minutes to develop a response plan.

Detection/Prevention/Response Role Play

In the fourth phase a representative of each group, school and law enforcement, spends fifteen minutes presenting the group's plan to KTA Tom Thienel, who then explains why the plan might work or why it might not.

Appendix A: Prep/Reading List

The following web sites and reading are highly recommended in order for the exercise participant to get the most from this exercise.

Warchalking and Other Wireless Worries, by Mike Small
http://www.net-security.org/article.php?id=444

What is WEP (Wired Equivalent Privacy)?
http://www.tech-faq.com/wep-wired-equivalent-privacy.shtml

Crack WEP with BackTrack 3
http://www.youtube.com/watch?v=oHq-cKoYcr8

What is WPA (Wi-Fi Protected Access)?
http://www.tech-faq.com/wpa-wi-fi-protected-access.shtml

The Real History of Caller ID Spoofing
http://www.calleridspoofing.info/

SWATTING
http://74.125.47.132/search?q=cache:vufHW_h2h0QJ:en.wikipedia.org/wiki/Swatting+swatting&cd=1&hl=en&ct=clnk&gl=us

Man accused of hacking into 911
http://www.ocregister.com/news/home-emami-county-1894171-ellis-system

Another ‘SWATTER’ gets prison sentence
http://startelegram.typepad.com/crime_time/swatting/index.html

Voice Scrambler Products – both hardware and software
http://www.google.com/search?hl=en&q=voice+scrambler

Caller ID Spoofing, ANI Spoofing – VOIP Security
http://www.metacafe.com/watch/849275/caller_id_spoofing_ani_spoofing_voip_security/

911 service not prepared for new generation of pranksters, by David Chartier
http://arstechnica.com/telecom/news/2009/02/911-service-not-prepared-for-new-generation-of-pranksters.ars

Ringleaders in “Swatting/Spoofing” Conspiracy Sentenced
http://www.usdoj.gov/criminal/cybercrime/rosoffSent.htm

Appendix B: After Action Activities

The following activities are recommended to reinforce and add depth and perspective to the knowledge gained in this exercise.

1. Establish two or more Twitter accounts and send several sample Tweets. Consider the good and bad aspects of this and how it might be used by law enforcement and law breakers. Law enforcement, by the way, is already using Twitter for emergency notification.
2. Install Caller ID faking software and, in coordination with your PSAP, test the system.
3. Use Caller ID faking services and test in coordination with your PSAP.
4. Establish two Skype accounts and do video conferences.
5.
In coordination with your LAN administrator install a rogue wireless access point on your LAN, test connections to it and remove it from your system.

Appendix C: Materials Checklist

o Large format monitor to connect to facilitator’s computer.

Glossary

Social Engineering
Social engineering is obtaining passwords, keys, system or physical access or other useful information through nontechnical means by exploiting human and social relationships. It can often be far more expedient and lower in cost and risk than technical means that might be employed to gain the same results.

Warchalking
Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi wireless network. Inspired by hobo symbols, the warchalking marks were conceived by a group of friends in June 2002 and publicized by Matt Jones, who designed the set of icons and produced a downloadable document containing them. Within days of Jones publishing a blog entry about warchalking, articles appeared in dozens of publications and stories appeared on several major television news programs around the world.

WEP
Wired (or wireline) Equivalent Privacy (WEP) is an older, but commonly used, algorithm to secure IEEE 802.11 wireless networks. Wireless networks broadcast messages using radio and are thus more susceptible to eavesdropping than wired networks. When introduced in 1997 WEP was intended to provide confidentiality comparable to that of a traditional wired network. Beginning in 2001, several serious weaknesses were identified by cryptanalysts, with the result that today a WEP connection can be cracked with readily available software within minutes.

WPA
Wi-Fi Protected Access (WPA and WPA2) is a certification program created by the Wi-Fi Alliance to indicate compliance with the security protocol created by the Wi-Fi Alliance to secure wireless computer networks. This protocol was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP). The protocol implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. Specifically, the Temporal Key Integrity Protocol (TKIP) was brought into WPA. TKIP could be implemented on pre-WPA wireless network interface cards that began shipping as far back as 1999 through firmware upgrades. Because the changes required fewer modifications on the client than on the wireless access point, most pre-2003 APs could not be upgraded to support WPA with TKIP. Researchers have since discovered a flaw in TKIP that relied on older weaknesses to retrieve the keystream from short packets to use for re-injection and spoofing. The later WPA2 certification mark indicates compliance with an advanced protocol that implements the full standard. This advanced protocol will not work with some older network cards. Products that have successfully completed testing by the Wi-Fi Alliance for compliance with the protocol can bear the WPA certification mark.
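The detection side of Appendix B activity 5 and of the WEP/WPA glossary entries, as an added example that is not part of the original guide: a Python script that classifies each access point seen in a wireless scan as open, WEP, WPA (TKIP era) or WPA2 and flags any BSSID the LAN administrator did not deploy. It assumes the layout of Linux `iw dev wlan0 scan` output; the sample scan, BSSIDs, SSIDs and inventory are constructed placeholders.

```python
import re

# Constructed sample of Linux `iw dev wlan0 scan` output (placeholder BSSIDs/SSIDs, not a real capture).
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
    capability: ESS (0x0401)
    SSID: SchoolGuest
BSS 02:00:00:00:00:02(on wlan0)
    capability: ESS Privacy (0x0411)
    SSID: SchoolAdmin
BSS 02:00:00:00:00:03(on wlan0)
    capability: ESS Privacy (0x0411)
    SSID: SchoolLab
    WPA:  * Version: 1
BSS 02:00:00:00:00:04(on wlan0)
    capability: ESS Privacy (0x0411)
    SSID: linksys
    RSN:  * Version: 1
"""
# Access points the LAN administrator actually deployed (constructed inventory).
AUTHORIZED_BSSIDS = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"}

def parse_scan(text):
    """Return one dict per BSS with its bssid, ssid and inferred security mode."""
    networks = []
    for block in re.split(r"^(?=BSS )", text, flags=re.M):
        m = re.match(r"BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", block)
        if not m:
            continue                      # leading empty chunk produced by the split
        ssid = re.search(r"^\s*SSID: (.*)$", block, re.M)
        # RSN element -> WPA2; vendor WPA element only -> TKIP-era WPA;
        # Privacy capability bit with neither element -> WEP; otherwise open.
        has = lambda tag: re.search(r"^\s*" + tag, block, re.M) is not None
        security = ("WPA2" if has("RSN:") else "WPA" if has("WPA:")
                    else "WEP" if "Privacy" in block else "OPEN")
        networks.append({"bssid": m.group(1), "security": security,
                         "ssid": ssid.group(1) if ssid else ""})
    return networks

def audit(networks, authorized):
    """Flag APs missing from the inventory and APs using open, WEP or TKIP-era WPA."""
    findings = []
    for n in networks:
        if n["bssid"] not in authorized:
            findings.append((n["bssid"], "rogue: not in inventory"))
        if n["security"] in ("OPEN", "WEP"):
            findings.append((n["bssid"], "weak: " + n["security"]))
        elif n["security"] == "WPA":
            findings.append((n["bssid"], "legacy: WPA/TKIP, upgrade to WPA2"))
    return findings
```

Running `audit(parse_scan(SAMPLE_SCAN), AUTHORIZED_BSSIDS)` on the sample reports the open guest network, the WEP admin network, the TKIP-era lab network and the unknown "linksys" AP as a rogue.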