--- Valdis.Kletnieks@vt.edu wrote:
The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place....
------------------------------------------------
This all seems to be noobie stuff. There's nothing technically cool to see here. All they do is spear phishing and, once the link is clicked, put in a backdoor that uses commonly available tools. As I suspected earlier it's M$ against M$ only.
The downside is nontechnical folks in positions of power often have sensitive data on their computers, only know M$ and don't have the knowledge not to click on that "bank" email.
Technically, it was 74 pages of yawn. Don't waste your time unless you're interested in how they found out where the attack was originating from and how they tied it to the .cn gov't.
scott
Net net - what we have here is, so far, relatively low tech exploits with a huge element of brute force, and the only innovation being in the delivery mechanism - very well crafted spear phishes.
They don't particularly need to hide in a location where they're literally bulletproof (considering how many crimes have the death penalty in China, said penalty being enforced by a bullet to the head and your family billed for the bullet, if I remember correctly).
Now there's a light shone on it all, despite the official denial, you'll simply see this office building shift to an even more anonymous business park halfway across the country (or maybe inside an army base that people just can't wander into and photograph), and the exploits will simply start to cover their traces better.
Sure they'll evolve - let them. The point here is that they're going to evolve anyway if we let them operate with impunity from a location where they're bulletproof.
--srs
On Thursday, February 21, 2013, Scott Weeks wrote:
-- --srs (iPad)
I can't help but wonder what would happen if US Corporations simply blocked all inbound Chinese traffic. Sure it would hurt their business, but imagine what the Chinese people would do in response. It seems like China takes very little seriously until it goes mainstream. This is happening right now with their political system, they are attempting (publicly) to rid themselves of bad apples. I think this applies to the majority of the Internet-dependent countries, people are ready to jump out of a window if Facebook or Twitter is down. Imagine the revolt after every major US based provider stopped taking their calls, and data. I understand the implications, but I think this may be the only real way to spank them (I know the financial ramifications..)
From my Android phone on T-Mobile. The first nationwide 4G network.
-------- Original message -------- From: Suresh Ramasubramanian <ops.lists@gmail.com> Date: 02/20/2013 5:22 PM (GMT-08:00) To: surfer@mauigateway.com Cc: nanog@nanog.org Subject: Re: NYT covers China cyberthreat
On Thu, Feb 21, 2013 at 01:34:13AM +0000, Warren Bailey wrote:
I can't help but wonder what would happen if US Corporations simply blocked all inbound Chinese traffic. Sure it would hurt their business, but imagine what the Chinese people would do in response.
Would it hurt their business? Really? Well, if they're eBay, probably. If they're Joe's Fill Dirt and Croissants in Omaha, then probably not, because nobody, NOBODY in China is ever actually going to purchase a truckload of dirt or a tasty croissant from Joe. So would it actually matter if they couldn't get to Joe's web site or Joe's mail server or especially Joe's VPN server? Probably not. Nobody in Peru, Egypt, or Romania is likely to be buying from Joe any time soon either.
This is why I've been using geoblocking at the network and host levels for over a decade, and it works. But it does require that you make an effort to study and understand your own traffic patterns as well as your organizational requirements. [1]
I use it on a country-by-country basis (thank you ipdeny.com) and on a service-by-service basis: a particular host might allow http from anywhere, but ssh only from the country it's in. I also deny selected networks access to selected services, e.g., Amazon's cloud doesn't get access to port 25 because of the non-stop spam and Amazon's refusal to do anything about it. Anything on the Spamhaus DROP or EDROP lists (thank you Spamhaus) is not part of my view of the Internet. And so on.
Combined, all this achieves lossless compression of abusive traffic. This is not a security fix, per se; any services that are vulnerable are still vulnerable. But it does cut down on the attack surface as measured along one axis, which in turn reduces the scope of some problems and renders them more tractable to other approaches.
An even better approach, when appropriate, is to block everything and then only enable access selectively. This is a particularly good idea when defending things like ssh. Do you *really* need to allow incoming ssh from the entire planet? Or could "the US, Canada, the UK and Germany" suffice? If so, then why aren't you enforcing that?
Do you really think it's a good idea to give someone with a 15-million member global botnet 3 or 5 or 10 brute-force attempts *per bot* before fail2ban or similar kicks in? I don't. I think 0 attempts per most bots is a much better idea. Let 'em eat packet drops while they try to figure out which subset of bots can even *reach* your ssh server.
Which brings me to the NYTimes, and the alleged hacking by the Chinese. Why, given that the NYTimes apparently handed wads of cash over to various consulting firms, did none of those firms get the NYTimes to make a first-order attempt at solving this problem? Why in the world was anything in their corporate infrastructure accessible from the 2410 networks and 143,067,136 IP addresses in China? Who signed off on THAT?
(Yes, yes, I *know* that the NYTimes has staff there, some permanently and some transiently. A one-off solution crafted for this use case would suffice. I've done it. It's not hard. And I doubt that it would need to work for more than, what, a few dozen of the NYTimes' 7500 employees? Clone and customize for Rio, Paris, Moscow, and other locations. This isn't hard either. Oh, and lock it out of everything that a field reporter/editor/photographer doesn't need, e.g., there is absolutely no way someone coming in through one of those should be able to reach the subscriber database.)
Two more notes: first, blocking inbound traffic is usually not enough. Blocks should almost always be bidirectional. [2] This is especially important for things like the DROP/EDROP lists, because then spam payloads, phishes, malware, etc. won't be able to phone home quite so readily, and while your users will still be able to click on links that lead to bad things...they won't get there.
Second, this may sound complex. It's not. I handle my needs with make, rsync, a little shell, a little perl, and other similar tools, but clearly you could do the same thing with any system configuration management setup. And with proper logging, it's not hard to discover the mistakes and edge cases, to apply suitable fixes and temporary point exceptions, and so on.
---rsk
[1] 'Now, your typical IT executive, when I discuss this concept with him or her, will stand up and say something like, "That sounds great, but our enterprise network is really complicated. Knowing about all the different apps that we rely on would be impossible! What you're saying sounds reasonable until you think about it and realize how absurd it is!" To which I respond, "How can you call yourself a 'Chief Technology Officer' if you have no idea what your technology is doing?" A CTO isn't going to know detail about every application on the network, but if you haven't got a vague idea what's going on it's impossible to do capacity planning, disaster planning, security planning, or virtually any of the things in a CTO's charter.' --- Marcus Ranum
[2] "We were so concerned with getting out that we never stopped to consider what we might be letting in, until it was too late." Let's see who recognizes that one. ;-)
I can't help but wonder what would happen if US Corporations simply blocked all inbound Chinese traffic. Sure it would hurt their business, but imagine what the Chinese people would do in response
First thing is the Chinese government would rejoice since they don't want their citizens on our networks (except the ones they recruit for cyber warfare, they can get other address ranges for those guys). Second thing is someone will make a ton of money bouncing Chinese traffic through somewhere else (and someone will create a SPAMHAUS like service to detect that, and so on, and so on, and so on). Third thing is all the companies that do business in and around China would be screaming because tons of them use VPNs that are sourced from Chinese IP address space. Some people even like to travel and access things back home, you know weird stuff, like email, news, music, videos.
One of the biggest problems with geoblocking is that often the addresses do not reveal the true source of the traffic. If you block everything from China, you miss attacks sourced from China that are bouncing through bot networks with hosts worldwide. Remember Tor, it is built to defeat just that sort of security by obscuring source locations. Corporations also often have egress points to the Internet in countries other than the one the user is in. If you block everything from China, then you are locking out any of your own personnel that travel internationally or any of your customers that travel. Who here has not surfed the web from a hotel room on business?
Anyone with malicious intent has a zillion ways to bypass that sort of security. Obscuring your source address is child's play. The management of the geoblocking will not be worth the minimal protection it provides. Trying to locate someone by address is a complete PITA in my opinion. If you go to Europe you will often get sent to the wrong Google sites because they attempt to locate you instead of just letting you put in the correct URL (if you are in the UK, it is not that hard to include .co.uk in your URL). I have been in the UK and gotten Google Germany and Google Spain for no apparent reason (except that carriers in Europe have addresses from all over the place because of mergers, alliances, and all sort of other arrangements).
Blocking networks by service will also be a management nightmare since addresses often change and new blocks get assigned and companies offer different services. Who manages all of that and who is going to tell you when something changes (the answer is nobody, you will know when stuff breaks)? If my network security guy had enough time to keep track of all of Amazon's address space and what services they are offering this week and all the services they host in their datacenters, I would fire him for having that much time on his hands. Can you keep track of all the stuff coming from Akamai and where all their servers are at on a continuing basis? Cloud services will make blocking by service nearly impossible since the network can reconfigure at any time. I would love to see this implementation in a large corporate or government network. What a huge game of whack-a-mole that is. Seems to me that the time would be much better spent tuning up firewalls and securing hosts properly.
I think geoblocking gives you nothing but a false sense of security. I also believe that if you see an attack coming from China in particular it is because they WANT you to know it is coming from China. I would think any state sponsor conducting a very serious attack would conceal themselves better than that. I also believe that a lot of attacks that look like they are coming from China are actually coming from elsewhere. Think about this, if I am a hacker in the US, attacking a US victim, it would be a big advantage to look like I was coming from China because it almost guarantees no attempt to prosecute or track me down since everyone in this business knows that if it comes out of China you can't do anything about it. I would not be surprised to find out China is letting their capabilities be known just to remind everyone of what the implications of messing with them are. Remember Doctor Strangelove, "what good is a doomsday bomb if you don't tell anyone about it ?!?!?"
Steven Naslund
-----Original Message----- From: Rich Kulawiec [mailto:rsk@gsp.org] Sent: Thursday, February 21, 2013 10:00 AM To: nanog@nanog.org Subject: Re: NYT covers China cyberthreat
On Thu, Feb 21, 2013 at 11:47:44AM -0600, Naslund, Steve wrote:
[a number of very good points]
Geoblocking, like passive OS fingerprinting (another technique that reduces attack surface as measured along one axis but can be defeated by a reasonably clueful attacker), doesn't really solve problems, per se. If you have a web app that's vulnerable to SQL injection attacks, then it's still just as hackable -- all the attacker has to do is try from somewhere else, from something else.
But...
1. It raises the bar. And it cuts down on the noise, which is one of the security meta-problems we face: our logs capture so much cruft, so many instances of attacks and abuse and mistakes and misconfigurations and malfunctions, that we struggle to understand what they're trying to tell us. That problem is so bad that there's an entire subindustry built around the task of trying to reduce what's in the logs to something that a human brain can process in finite time. Mountains of time and wads of cash have been spent on the thorny problems that arise when we try to figure out what to pay attention to and what to ignore... and we still screw it up. Often.
So even if the *only* effect of doing so is to shrink the size of the logs: that's a win. (And used judiciously, it can be a HUGE win, as in "several orders of magnitude".) So if your security guy is as busy as you say...maybe this would be a good idea.
And let me note in passing that by raising the bar, it ensures that you're faced with a somewhat higher class of attacker. It's one thing to be hacked by a competent, diligent adversary who wields their tools with rapier-like precision; it's another to be owned by a script kiddie who has no idea what they're doing and doesn't even read the language your assets are using. That's just embarrassing.
2. Outbound blocks work too, y'know. Does anybody in your marketing department need to reach Elbonia? If not, then why are you allowing packets from that group's desktops to go there? Because either (a) it's someone doing something they shouldn't or (b) it's something doing something it shouldn't, as in a bot trying to phone home or a data exfiltration attack or something else unpleasant. So if there's no business need for that group to exchange packets with Elbonia or any of 82 other countries, why *aren't* you blocking that?
3. Yes, this can turn into a moderate-sized matrix of inbound and outbound rules. That's why make(1) and similar tools are your friends, because they'll let you manage this without needing to resort to scotch by 9:30 AM. And yes, sometimes things will break (because something's changed) -- but the brokenness is the best kind of brokenness: obvious, deterministic, repeatable, fixable.
It's not hard. But it does require that you actually know what your own systems are doing and why.
4. "We were hacked from China" is wearing awfully damn thin as the feeble whining excuse of people who should have bidirectionally firewalled out China from their corporate infrastructure (note: not necessarily their public-facing servers) years ago. And "our data was exfiltrated to Elbonia" is getting thin as an excuse too: if you do not have an organizational need to allow outbound network traffic to Elbonia, then why the hell are you letting so much as a single packet go there?
Like I said: at least make them work for it. A little. Instead of doing profoundly idiotic things like the NYTimes (e.g., "infrastructure reachable from the planet", "using M$ software", "actually believing that anti-virus software will work despite a quarter-century of uninterrupted failure", etc.). That's not making them work for it: that's inviting them in, rolling out the red carpet, and handing them celebratory champagne.
---rsk
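As an added example (not code from the thread, from rsk, or from any listed tool), the scheme rsk describes in his two messages above, country-by-country zone files, service-by-service allowlists with "block everything, then enable selectively", a DROP-style denylist enforced in both directions, compiled by a small shell script of the kind you would drive from make. The zone file names, the RFC 5737/6598 prefixes standing in for real ipdeny.com country zones, the denylist contents, the service policy and the nftables table name are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread: compile country zone files plus a
# DROP-style denylist into an nftables ruleset, service by service, with the
# denylist enforced in both directions. All names and prefixes are constructed.
set -eu

# Write constructed zone files into DIR. The prefixes are RFC 5737/6598
# documentation and shared-address ranges standing in for real ipdeny.com
# country zones; they are assigned to no country.
make_sample_zones() {
    dir=$1
    printf '%s\n' 192.0.2.0/24 198.51.100.0/25   > "$dir/us.zone"
    printf '%s\n' 198.51.100.128/25              > "$dir/ca.zone"
    printf '%s\n' 203.0.113.0/26                 > "$dir/gb.zone"
    printf '%s\n' 203.0.113.64/26                > "$dir/de.zone"
    # Stand-in for the Spamhaus DROP/EDROP feed (constructed, not the real list).
    printf '%s\n' 203.0.113.128/25 100.64.0.0/10 > "$dir/drop.list"
}

# Per-service policy (constructed): service, TCP port, zones allowed in
# ("any" = no geo restriction). A restricted service drops everything not
# listed: block everything, then enable selectively.
POLICY='ssh 22 us ca gb de
http 80 any
smtp 25 any'

# Emit one nftables interval set named NAME from FILE (one CIDR per line).
emit_set() {
    name=$1; file=$2
    printf '    set %s {\n        type ipv4_addr\n        flags interval\n' "$name"
    printf '        elements = { %s }\n    }\n' "$(paste -s -d , "$file" | sed 's/,/, /g')"
}

# Print the complete ruleset for the zone files in DIR to stdout.
gen_rules() {
    dir=$1
    echo 'table inet geo {'
    for f in "$dir"/*.zone; do
        emit_set "zone_$(basename "$f" .zone)" "$f"
    done
    emit_set denylist "$dir/drop.list"
    echo '    chain input {'
    echo '        type filter hook input priority 0; policy accept;'
    echo '        ct state established,related accept'
    echo '        ip saddr @denylist drop'
    printf '%s\n' "$POLICY" | while read -r svc port zones; do
        if [ "$zones" = any ]; then continue; fi
        for cc in $zones; do
            echo "        tcp dport $port ip saddr @zone_$cc accept comment \"$svc from $cc\""
        done
        echo "        tcp dport $port drop comment \"$svc from everywhere else\""
    done
    echo '    }'
    echo '    chain output {'
    echo '        type filter hook output priority 0; policy accept;'
    # Bidirectional: nothing inside may phone home to a denylisted network either.
    echo '        ip daddr @denylist drop'
    echo '    }'
    echo '}'
}

# Stand-alone run: build the sample zones in a scratch directory and print the
# ruleset. Syntax-check the output with `nft -c -f` before `nft -f` loads it.
ZONES=$(mktemp -d)
trap 'rm -rf "$ZONES"' EXIT
make_sample_zones "$ZONES"
gen_rules "$ZONES"
```

Regenerating the ruleset from fresh zone files is the whole update procedure, which is what makes a make(1) target a natural driver; a missing or renamed zone file fails loudly at generation time rather than silently opening a hole.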
I think it is safe to say that finding a foothold inside of the United States from which to perform/proxy an attack is not the hardest thing in the world. I don't understand why everyone expects that major corporations and diligent operators blocking certain countries' prefixes will help. That being said, you make a solid point to which people should absolutely listen: applying an understanding of your business-needs-network-traffic baseline to your firewall rules and heuristic network detections (in a more precise fashion than just "IPs from country $x") is a SOLID tactic that yields huge security benefits. Nobody who cares about security should really be able to argue with it (plenty of those who don't care will hate it, though), and it makes life _awful_ for any attackers.
On Tue, Feb 26, 2013 at 3:43 AM, Rich Kulawiec <rsk@gsp.org> wrote:
-- Kyle Creyts Information Assurance Professional BSidesDetroit Organizer
On Tue, Feb 26, 2013 at 8:39 AM, Kyle Creyts <kyle.creyts@gmail.com> wrote:
I think it is safe to say that finding a foothold inside of the United States from which to perform/proxy an attack is not the hardest thing in the world. I don't understand why everyone expects that major corporations and diligent operators blocking certain countries' prefixes will help. That being said, you make a solid point to which people should absolutely listen: applying an understanding of your business-needs-network-traffic baseline to your firewall rules and heuristic network detections (in a more precise fashion than just "IPs from country $x") is a SOLID tactic that yields huge security benefits. Nobody who cares about security should really be able to argue with it (plenty of those who care don't will hate it, though), and makes life _awful_ for any attackers.
On Tue, Feb 26, 2013 at 3:43 AM, Rich Kulawiec <rsk@gsp.org> wrote:
On Thu, Feb 21, 2013 at 11:47:44AM -0600, Naslund, Steve wrote:
[a number of very good points ]
Geoblocking, like passive OS fingerprinting (another technique that reduces attack surface as measured along one axis but can be defeated by a reasonably clueful attacker), doesn't really solve problems, per se. If you have a web app that's vulnerable to SQL injection attacks, then it's still just as hackable -- all the attacker has to do is try from somewhere else, from something else.
But...
1. It raises the bar. And it cuts down on the noise, which is one of the security meta-problems we face: our logs capture so much cruft, so many instances of attacks and abuse and mistakes and misconfigurations and malfunctions, that we struggle to understand what they're trying to tell us. That problem is so bad that there's an entire subindustry built around the task of trying to reduce what's in the logs to something that a human brain can process in finite time. Mountains of time and wads of cash have been spent on the thorny problems that arise when we try to figure out what to pay attention to and what to ignore... and we still screw it up. Often.
So even if the *only* effect of doing so is to shrink the size of the logs: that's a win. (And used judiciously, it can be a HUGE win, as in "several orders of magnitude".) So if your security guy is as busy as you say...maybe this would be a good idea.
And let me note in passing that by raising the bar, it ensures that you're faced with a somewhat higher class of attacker. It's one thing to be hacked by a competent, diligent adversary who wields their tools with rapier-like precision; it's another to be owned by a script kiddie who has no idea what they're doing and doesn't even read the language your assets are using. That's just embarassing.
2. Outbound blocks work too, y'know. Does anybody in your marketing department need to reach Elbonia? If not, then why are you allowing packets from that group's desktops to go there? Because either (a) it's someone doing something they shouldn't or (b) it's something doing something it shouldn't, as in a bot trying to phone home or a data exfiltration attack or something else unpleasant. So if there's no business need for that group to exchange packets with Elbonia or any of 82 other countries, why *aren't* you blocking that?
3. Yes, this can turn into a moderate-sized matrix of inbound and outbound rules. That's why make(1) and similar tools are your friends, because they'll let you manage this without needing to resort to scotch by 9:30 AM. And yes, sometimes things will break (because something's changed) -- but the brokenness is the best kind of brokenness: obvious, deterministic, repeatable, fixable.
It's not hard. But it does require that you actually know what your own systems are doing and why.
4. "We were hacked from China" is wearing awfully damn thin as the feeble whining excuse of people who should have bidirectionally firewalled out China from their corporate infrastructure (note: not necessarily their public-facing servers) years ago. And "our data was exfiltrated to Elbonia" is getting thin as an excuse too: if you do not have an organizational need to allow outbound network traffic to Elbonia, then why the hell are you letting so much as a single packet go there?
Like I said: at least make them work for it. A little. Instead of doing profoundly idiotic things like the NYTimes (e.g., "infrastructure reachable from the planet", "using M$ software", "actually believing that anti-virus software will work despite a quarter-century of uninterrupted failure", etc.). That's not making them work for it: that's inviting them in, rolling out the red carpet, and handing them celebratory champagne.
---rsk
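One way to treat the inbound/outbound country matrix from points 2 and 3 as something generated rather than hand-edited, written here as an added example (it is not code from the post or from the list). It keeps the policy in one table, answers "would this flow be permitted?" from that table, renders it as an nftables ruleset, and counts how many constructed flows the edge would drop before they ever reach an analyst, which is point 1's log-volume argument made concrete. Everything in it is constructed: the GeoIP prefixes are RFC 5737 documentation ranges standing in for a real feed, "EL" is the post's fictional Elbonia, the group names and subnets are made up, and it assumes a forwarding firewall whose Internet-facing interface is named `wan`.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed GeoIP table (country code -> prefixes). RFC 5737 documentation
# ranges, not real allocations; a deployment would load a maintained feed.
# "EL" stands for the post's fictional Elbonia.
GEOIP_PREFIXES: Dict[str, List[str]] = {
    "US": ["198.51.100.0/24"],
    "DE": ["203.0.113.0/25"],
    "EL": ["203.0.113.128/25"],
}

# Constructed policy matrix: internal group -> its subnet and the countries
# its desktops have a business need to reach. Anything not listed is denied.
POLICY: Dict[str, Dict] = {
    "marketing":   {"subnet": "10.10.0.0/24", "outbound_allow": {"US"}},
    "engineering": {"subnet": "10.20.0.0/24", "outbound_allow": {"US", "DE"}},
}

CORPORATE_RANGE = "10.0.0.0/8"      # internal infrastructure: geoblocked both ways
PUBLIC_RANGE = "192.0.2.0/24"       # public-facing servers: left reachable (constructed)
INBOUND_ALLOW: Set[str] = {"US"}    # countries allowed to initiate to the corporate range

_GEO = [(cc, ipaddress.ip_network(p)) for cc, ps in GEOIP_PREFIXES.items() for p in ps]


def country_of(ip: str) -> Optional[str]:
    """First match suffices because the constructed prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    return next((cc for cc, net in _GEO if addr in net), None)


def group_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((g for g, spec in POLICY.items()
                 if addr in ipaddress.ip_network(spec["subnet"])), None)


def outbound_permitted(src_ip: str, dst_ip: str) -> bool:
    """Default deny: an unknown source group or an unmapped destination both fail closed."""
    grp, cc = group_of(src_ip), country_of(dst_ip)
    return grp is not None and cc is not None and cc in POLICY[grp]["outbound_allow"]


def inbound_permitted(src_ip: str, dst_ip: str) -> bool:
    """Public-facing servers are exempt; the corporate range accepts only listed countries."""
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(PUBLIC_RANGE):
        return True
    cc = country_of(src_ip)
    return cc is not None and cc in INBOUND_ALLOW


def compile_nft() -> str:
    """Render the matrix as an nftables table; regenerate and reload whenever it changes."""
    out = ["table inet geo {"]
    for cc, prefixes in sorted(GEOIP_PREFIXES.items()):
        out.append(f"  set cc_{cc} {{ type ipv4_addr; flags interval; "
                   f"elements = {{ {', '.join(prefixes)} }} }}")
    out += ["  chain forward {",
            "    type filter hook forward priority 0; policy drop;",
            "    ct state established,related accept",
            f'    iifname "wan" ip daddr {PUBLIC_RANGE} accept comment "public-facing, out of scope"']
    for cc in sorted(INBOUND_ALLOW):
        out.append(f'    iifname "wan" ip daddr {CORPORATE_RANGE} ip saddr @cc_{cc} accept '
                   f'comment "inbound {cc} -> corporate"')
    for grp, spec in POLICY.items():
        for cc in sorted(spec["outbound_allow"]):
            out.append(f'    oifname "wan" ip saddr {spec["subnet"]} ip daddr @cc_{cc} accept '
                       f'comment "{grp} -> {cc}"')
    # One terse log line per dropped flow is all that reaches the log pipeline.
    out += ['    log prefix "geo-drop " drop', "  }", "}"]
    return "\n".join(out)


def triage(flows: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Split observed flows into what the edge drops versus what still reaches the analyst."""
    counts = {"geo_dropped": 0, "reaches_analyst": 0}
    for src, dst in flows:
        allowed = (outbound_permitted(src, dst) if group_of(src) is not None
                   else inbound_permitted(src, dst))
        counts["reaches_analyst" if allowed else "geo_dropped"] += 1
    return counts


if __name__ == "__main__":
    print(compile_nft())
    # Constructed flows: two are dropped at the edge, two reach the analyst.
    sample = [("10.10.0.5", "203.0.113.200"),   # marketing -> Elbonia: no business need
              ("10.20.0.5", "203.0.113.10"),    # engineering -> DE: allowed
              ("203.0.113.200", "10.10.0.5"),   # Elbonia -> corporate desktop: dropped
              ("203.0.113.200", "192.0.2.10")]  # Elbonia -> public web server: passed
    print(triage(sample))
```

The point of keeping `POLICY` as data is the one the post makes: when a group acquires a business need for a new country, the change is one line in the matrix plus a regenerate-and-reload, and when something breaks the breakage is deterministic and visible in the single `geo-drop` log line rather than buried in everything else.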
-- Kyle Creyts
Information Assurance Professional BSidesDetroit Organizer
I've been doing some thinking about the internet tonight and came across this e-mail, by which I am intrigued. Currently we suffer from DDoS downtime on Rackspace (granted it's a very small amount of time, it's a hit to our only single point of failure, which I am currently trying to solve by obtaining a /24 and an anycast address as a means of mitigation and providing a highly available HTTP cluster of load balancers). I can't help but wonder if the cost (both in IPv4 resources and cash) outweighs the worth of an environment that is sanctioned from the globe. While cloud hosting has proven to be a scalable solution for our needs, we currently are only serving US-based organizations as far as I know. Even so, the desire to grow beyond that isn't far-fetched when adding networks that are still segregated from access outside of a country becomes more available (kinda like VLANs). Germany, Russia, and Spain.
"IN vain is the net spread in the sight of any bird," especially if the bird be as keen-eyed as Prince Bismarck. The Carlist attempts to irritate Germany into intervention — whether by firing on her gunboats, or, as report says, attempting to take prisoners the German and Austrian representatives to Madrid in the course of their railway journey, or by any other means — have been, and will be, failures. Prince Bismarck knows as well as anybody that nothing would give so effectual a spur to the Carlist cause as a German intervention against it, and we may therefore well believe his organ when it tells us that nothing so wild as the project of landing German troops in Spain was ever contemplated by him. Prince Bismarck was wise enough, even during the war with France, when the German power was already in possession, and was on the spot, to avoid anything like taking a part between the different political factions into which France was divided. Is it reasonable to suppose that, after keeping so carefully out of the net with which his feet were almost in contact in France, he would allow himself to be entangled in it in Spain? The real danger on the Franco-Spanish frontier is not of a German intervention in Spain, but of jealousies growing up between Germany and France so keen as to render a renewal of the war all but inevitable. No doubt that would suit Prince Bismarck's book much better than a barren intervention in Spain. No doubt his agents are not particularly delicate in their modes of insisting that France shall cut off all supplies from the Carlist forces, and in indirectly reminding Frenchmen of the difference between their position now, when they are kept to their international duties towards Spain by the watchful eye of Germany, and their position four years ago, when they made the mere suggestion of a German candidate for the throne of Spain a ground of affront, and ultimately a cause of war. We do not suppose that Prince Bismarck wishes for another big war, and all the new odium it would bring on the victor, but if it must come, no doubt he would like it to come soon.
It was a good notion of his to pose as the protector of the regency of Marshal Serrano in Spain, and so win an ally south of the Pyrenees, as well as south of the Alps. But in spite of his no doubt sincere wish to see Ultramontanism defeated in the defeat of Don Carlos, it is pretty certain that his Spanish policy is studied much more with a view to crippling France, than with a view to crippling Rome. There is indeed something encouraging in the clear evidence afforded, both by Prince Bismarck's and by Prince Gortschakoff's policy in regard to Spain — though these policies are different — that even the least teachable of the great European Powers have learned the lesson that interventions for the purpose of settling the internal disputes of any great nation are the silliest of mistakes. Germany has recognised, and has probably persuaded various other great Powers to recognise, the Government of Madrid, while Russia declines to recognise it; but even Russia carefully explains that her reason for holding back is not any wish to strengthen the hopes of the Carlist insurrection, but rather an even greater delicacy than that shown by the other Powers for the free choice of the Spanish nation, and a reluctance therefore to enter into formal relations with a Government which, since General Pavia's coup d'état, has had no sanction from the will of the people. No doubt one may fairly smile at the reason given, when it comes from the Minister of Russia. No doubt it is quite natural to suspect that other motives mingle with the refusal — the dislike to follow implicitly German lead — the uneasiness lest the example of Spain should be eventually pleaded for Republican institutions; but even though it be so, the fact remains that Russia offers an almost pedantically constitutional reason for refusing to acknowledge as yet the Government of Marshal Serrano, and wishes to be understood as setting an example of even greater delicacy and greater deference to the wishes of the Spanish nation than either Great Britain or France.
No doubt Russia has pushed the doctrine to an extreme, if she has allowed her deference to the wishes of the Spanish people to prevent her from recognising a Government the continuance of which she would think a great safeguard to the peace of Europe. In point of fact, Russia, in all probability, holds no such opinion. The Greek Church is too well established and too popular in Russia to make it a matter of any account to her whether the new Government of Spain be Ultramontane or otherwise, while it can never be a matter of absolute indifference to the Czar of Russia whether another European people throws off the monarchy or not. If Don Carlos were to succeed, at least the Republican current of events would be reversed for a time. But whether the success of Marshal Serrano will mean a Republican or a Throne for Spain is a matter extremely doubtful. On the other hand, to neither Germany, nor England, nor Italy can it fail to be a matter of some interest whether or not a new stimulus or a new check is to be applied to Ultramontane zeal. And as regards France, the Government of Marshal MacMahon has a very difficult problem to solve. Doubtless the Extreme Right, and with the Extreme Right the whole Sacerdotal party, would prefer to see Don Carlos succeed, since such a success would be a new ground of hope for Henri V. and the white flag. But then Marshal MacMahon has been obliged to quarrel with the Extreme Right, who make light of his Septennate, and affect to treat him as a mere locum tenens for the coming king. Hence it is essential for him to secure a certain amount of moderate Liberal support, and the regency of Marshal Serrano is so very homogeneous a kind of power to his own — namely, a mere excuse for delay — that he can hardly fail to feel a certain sympathy with its position.
Add to this the extreme desirability of conceding to Germany all that can be conceded while the fears of quarrel and the occasions of quarrel are still so numerous, and we do not doubt that a very wise decision has been taken, even in the interest of the Government itself, in recognising the de facto Government of Madrid. On the whole, we regard it as a very satisfactory evidence of the progress made in mastering elementary Constitutional ideas, even by the most despotic Powers, that all the great Powers alike repudiate intervention in Spain, and use even their fair privilege of giving a sort of moral support to that one of the rival Governments which they think best calculated to maintain the peace of Europe, with great reserve and moderation. The day of Holy Alliances to mould the internal institutions of refractory countries is now, at last, probably past, and with these, the day of some of the most mischievous European combinations which the world has ever seen. — Spectator.
It is learned that the arrest of Count Von Arnim was effected without the knowledge of the Emperor. The missing documents have been given to the Ultramontanes by Deputy Windthorst.
::This all seems to be noobie stuff. There's nothing technically cool ::to see here You mean the report or the activity? You seem "upset" that they are using M$ only (target and source). They steal data!!! From whom to steal? From a guru that spends a minimum of 8 hours a day in front of *nix? Why put so much effort into stealing information from that guy, when there are thousands of people out there with vulnerable and easy-to-break M$? They aren't looking to do something cool, but just regular, plain old thief stuff. Targeting M$ users is easy, involves fewer resources and it's "business" profitable. You need to look at this action from a business perspective. IMO, why spend hours to break something (like *nix systems) that you don't even know if it contains valuable information? This is more like sniffing around to find something useful and not targeting an exact system. Somebody here mentioned that this unit is not their top unit. I'm sure that it's not. Maybe it was meant to be found. Cheers, Calin ---- On Thu, 21 Feb 2013 01:29:48 +0100 Scott Weeks wrote ----
participants (8): Adele Thompson; calin.chiorean; Kyle Creyts; Naslund, Steve; Rich Kulawiec; Scott Weeks; Suresh Ramasubramanian; Warren Bailey