Fwd: Re: NYT covers China cyberthreat
Defense in Depth has been paid lip service for too long, and now we are witnessing the outcome.

-- Original Message --
From: Adele Thompson paigead...@gmail.com
To: Kyle Creyts kyle.cre...@gmail.com
Cc: Derek Noggle dnog...@gmail.com, nanog@nanog.org
Date: February 27, 2013 at 1:24 AM
Subject: Re: NYT covers China cyberthreat

On Tue, Feb 26, 2013 at 8:39 AM, Kyle Creyts kyle.cre...@gmail.com wrote:
> I think it is safe to say that finding a foothold inside of the United States from which to perform/proxy an attack is not the hardest thing in the world. I don't understand why everyone expects that major corporations and diligent operators blocking certain countries' prefixes will help.
> [...]
>
> On Tue, Feb 26, 2013 at 3:43 AM, Rich Kulawiec r...@gsp.org wrote:
> > Geoblocking, like passive OS fingerprinting (another technique that reduces attack surface as measured along one axis but can be defeated by a reasonably clueful attacker), doesn't really solve problems, per se. If you have a web app that's vulnerable to SQL injection attacks, then it's still just as hackable -- all the attacker has to do is try from somewhere else, from something else. But...
> > [...]
Re: NYT covers China cyberthreat
On Thu, Feb 21, 2013 at 11:47:44AM -0600, Naslund, Steve wrote:
> [a number of very good points]

Geoblocking, like passive OS fingerprinting (another technique that reduces attack surface as measured along one axis but can be defeated by a reasonably clueful attacker), doesn't really solve problems, per se. If you have a web app that's vulnerable to SQL injection attacks, then it's still just as hackable -- all the attacker has to do is try from somewhere else, from something else. But...

1. It raises the bar. And it cuts down on the noise, which is one of the security meta-problems we face: our logs capture so much cruft, so many instances of attacks and abuse and mistakes and misconfigurations and malfunctions, that we struggle to understand what they're trying to tell us. That problem is so bad that there's an entire subindustry built around the task of trying to reduce what's in the logs to something that a human brain can process in finite time. Mountains of time and wads of cash have been spent on the thorny problems that arise when we try to figure out what to pay attention to and what to ignore... and we still screw it up. Often. So even if the *only* effect of doing so is to shrink the size of the logs: that's a win. (And used judiciously, it can be a HUGE win, as in several orders of magnitude.) So if your security guy is as busy as you say... maybe this would be a good idea.

And let me note in passing that by raising the bar, it ensures that you're faced with a somewhat higher class of attacker. It's one thing to be hacked by a competent, diligent adversary who wields their tools with rapier-like precision; it's another to be owned by a script kiddie who has no idea what they're doing and doesn't even read the language your assets are using. That's just embarrassing.

2. Outbound blocks work too, y'know. Does anybody in your marketing department need to reach Elbonia? If not, then why are you allowing packets from that group's desktops to go there? Because either (a) it's someone doing something they shouldn't or (b) it's something doing something it shouldn't, as in a bot trying to phone home or a data exfiltration attack or something else unpleasant. So if there's no business need for that group to exchange packets with Elbonia or any of 82 other countries, why *aren't* you blocking that?

3. Yes, this can turn into a moderate-sized matrix of inbound and outbound rules. That's why make(1) and similar tools are your friends, because they'll let you manage this without needing to resort to scotch by 9:30 AM. And yes, sometimes things will break (because something's changed) -- but the brokenness is the best kind of brokenness: obvious, deterministic, repeatable, fixable. It's not hard. But it does require that you actually know what your own systems are doing and why.

4. "We were hacked from China" is wearing awfully damn thin as the feeble whining excuse of people who should have bidirectionally firewalled out China from their corporate infrastructure (note: not necessarily their public-facing servers) years ago. And "our data was exfiltrated to Elbonia" is getting thin as an excuse too: if you do not have an organizational need to allow outbound network traffic to Elbonia, then why the hell are you letting so much as a single packet go there?

Like I said: at least make them work for it. A little. Instead of doing profoundly idiotic things like the NYTimes (e.g., infrastructure reachable from the planet, using M$ software, actually believing that anti-virus software will work despite a quarter-century of uninterrupted failure, etc.). That's not making them work for it: that's inviting them in, rolling out the red carpet, and handing them celebratory champagne.

---rsk
Re: NYT covers China cyberthreat
I think it is safe to say that finding a foothold inside of the United States from which to perform/proxy an attack is not the hardest thing in the world. I don't understand why everyone expects that major corporations and diligent operators blocking certain countries' prefixes will help.

That being said, you make a solid point to which people should absolutely listen: applying an understanding of your business-needs-network-traffic baseline to your firewall rules and heuristic network detections (in a more precise fashion than just IPs from country $x) is a SOLID tactic that yields huge security benefits. Nobody who cares about security should really be able to argue with it (plenty of those who care don't will hate it, though), and makes life _awful_ for any attackers.

On Tue, Feb 26, 2013 at 3:43 AM, Rich Kulawiec r...@gsp.org wrote:
> On Thu, Feb 21, 2013 at 11:47:44AM -0600, Naslund, Steve wrote:
> > [a number of very good points]
>
> Geoblocking, like passive OS fingerprinting (another technique that reduces attack surface as measured along one axis but can be defeated by a reasonably clueful attacker), doesn't really solve problems, per se. If you have a web app that's vulnerable to SQL injection attacks, then it's still just as hackable -- all the attacker has to do is try from somewhere else, from something else. But...
>
> 1. It raises the bar. [...]
>
> ---rsk

-- 
Kyle Creyts
Information Assurance Professional
BSidesDetroit Organizer
Re: NYT covers China cyberthreat
On Tue, Feb 26, 2013 at 8:39 AM, Kyle Creyts kyle.cre...@gmail.com wrote:
> I think it is safe to say that finding a foothold inside of the United States from which to perform/proxy an attack is not the hardest thing in the world. I don't understand why everyone expects that major corporations and diligent operators blocking certain countries' prefixes will help.
> [...]
>
> On Tue, Feb 26, 2013 at 3:43 AM, Rich Kulawiec r...@gsp.org wrote:
> > Geoblocking, like passive OS fingerprinting (another technique that reduces attack surface as measured along one axis but can be defeated by a reasonably clueful attacker), doesn't really solve problems, per se. If you have a web app that's vulnerable to SQL injection attacks, then it's still just as hackable -- all the attacker has to do is try from somewhere else, from something else. But...
> > [...]
> >
> > ---rsk
>
> -- 
> Kyle Creyts
> Information Assurance Professional
> BSidesDetroit Organizer

I've been doing some thinking about the internet tonight and came across
Re: NYT covers China cyberthreat
On 21 February 2013 21:58, Jack Bates jba...@brightok.net wrote:
> ...
> The A-team doesn't get caught and detailed. The purpose of the other teams is to detect easy targets, handle easy jobs, and create lots of noise for the A-team to hide in. Hacking has always had a lot in common with magic. Misdirection is a useful tool.
>
> Jack

Or there's only a B-team, and the China government is as corrupted and infective as the USA one.

-- 
ℱin del ℳensaje.
Re: NYT covers China cyberthreat
- Original Message -
From: valdis.kletni...@vt.edu
To: Suresh Ramasubramanian ops.li...@gmail.com
Cc: nanog@nanog.org
Sent: Thursday, February 21, 2013 5:54 PM
Subject: Re: NYT covers China cyberthreat

And since it's Wacky Friday somewhere:

http://arstechnica.com/security/2013/02/how-anonymous-accidentally-helped-expose-two-chinese-hackers/
Re: NYT covers China cyberthreat
::This all seems to be noobie stuff. There's nothing technically cool
::to see here

You mean the report or the activity?

You seem upset that they are using M$ only (target and source). They steal data!!! From whom to steal? From a guru that spends a minimum of 8 hours a day in front of *nix? Why put so much effort into stealing information from that guy, when there are thousands of people out there with vulnerable and easy-to-break M$? They aren't looking to do something cool, but just regular, plain old thief stuff. Targeting M$ users is easy, involves fewer resources and it's business profitable. You need to look at this action from a business perspective. IMO, why spend hours breaking something (like *nix systems) that you don't even know contains valuable information? This is more like sniffing around to find something useful and not targeting an exact system.

Somebody here mentioned that this unit is not their top unit. I'm sure that it's not. Maybe it was meant to be found.

Cheers,
Calin

On Thu, 21 Feb 2013 01:29:48 +0100 Scott Weeks wrote:
> --- valdis.kletni...@vt.edu wrote:
> > The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place
>
> This all seems to be noobie stuff. There's nothing technically cool to see here. All they do is spear phishing and, once the link is clicked, put in a backdoor that uses commonly available tools. As I suspected earlier it's M$ against M$ only. The downside is nontechnical folks in positions of power often have sensitive data on their computers, only know M$ and don't have the knowledge to not click on that bank email.
>
> Technically, it was 74 pages of yawn. Don't waste your time unless you're interested in how they found out where the attack was originating from and how they tied it to the .cn gov't.
>
> scott
Re: NYT covers China cyberthreat
The focus on platform here is ridiculous; can someone explain how the platform of attacker or target is extremely relevant? Since when did people fail to see that we have plenty of inter-platform tools and services, and plenty of tools for either platform built with the express purpose of interaction with the other? Just because you learned to code/operate on/for/with/from a *nix doesn't mean that teams of Chinese coders can't make a tool that gets the job done on/for/with/from a Windows box. Many people write much software of diverse purpose and use for many platforms. Platform is, as far as I can tell, moot in this discussion. Feel free to enlighten me.

Consider the US's indignation over the targeting of civilian or corporate intellectual property and the shifting of reality from preconceived expectation. I have had it explained to me as a purely ideological difference between the US and China. Simply put: just because we might find it immoral for state-sponsored espionage to feed stolen IP into the private sector doesn't mean that China will feel the same; to some, it is perceived as nationalistic, another way the government helps to strengthen the nation.

For another example of this, an acquaintance once told me about the process of getting internationally standardized technologies approved for deployment in China; the process that was described to me involved giving China the standards-based spec that had been drafted and approved, being told that for deployment, they would have to improve upon it in a laundry list of ways to bring it some 5-10 years ahead of the spec, and THEN it would be allowed to be deployed.

Whenever you have enough new players, or the game goes on long enough, the rules end up changing.

On Thu, Feb 21, 2013 at 12:28 AM, calin.chiorean calin.chior...@secdisk.net wrote:
> ::This all seems to be noobie stuff. There's nothing technically cool
> ::to see here
>
> You mean the report or the activity?
>
> You seem upset that they are using M$ only (target and source). They steal data!!! From whom to steal?
> [...]
>
> Cheers,
> Calin
>
> On Thu, 21 Feb 2013 01:29:48 +0100 Scott Weeks wrote:
> > [...]

-- 
Kyle Creyts
Information Assurance Professional
BSidesDetroit Organizer
Re: NYT covers China cyberthreat
On 21-Feb-13 04:25, Kyle Creyts wrote:
> For another example of this, an acquaintance once told me about the process of getting internationally standardized technologies approved for deployment in China; the process that was described to me involved giving China the standards-based spec that had been drafted and approved, being told that for deployment, they would have to improve upon it in a laundry list of ways to bring it some 5-10 years ahead of the spec, and THEN it would be allowed to be deployed.

My recent experience doing exactly this at $EMPLOYER doesn't match this story at all. The main problem, as with several other second world countries, is that the standards you must comply with are only in the local language and you must make your submission in the local language as well. However, if you have a local technical presence, you can often get software approval (or a formal notice of exemption--even for products that contain dangerous features like encryption) in a matter of days or even hours. If you don't, it can drag on for months. Hardware testing can be even worse because it must be performed in their labs and can cost tens of thousands of dollars, but at least that doesn't have to be repeated each time you publish a new version of code.

In contrast, first world countries generally publish their standards in, and accept submissions in, English. They also tend not to care about software features, just hardware. The standards tend to be shared across countries (e.g. EU/EFTA and US/Canada), or at least they accept test results from third-party labs that can test for all such countries at the same time. As a result, many vendors simply don't bother going past that group--or do it so infrequently that they don't gain the institutional knowledge of how to navigate the approval processes in the other group successfully and with minimal effort/cost.

S

-- 
Stephen Sprunk      "God does not play dice."  --Albert Einstein
CCIE #3723          "God is an inveterate gambler, and He throws the
K5SSS                dice at every possible opportunity."  --Stephen Hawking
Re: NYT covers China cyberthreat
Scott Weeks wrote:
> Be sure to read the source: intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Anybody happen to notice that the report sounds awfully like the scenario laid out in Tom Clancy's latest book, Threat Vector?

-- 
"In theory, there is no difference between theory and practice. In practice, there is." -- Yogi Berra
Re: NYT covers China cyberthreat
On Thu, Feb 21, 2013 at 01:34:13AM +0000, Warren Bailey wrote:
> I can't help but wonder what would happen if US Corporations simply blocked all inbound Chinese traffic. Sure it would hurt their business, but imagine what the Chinese people would do in response.

Would it hurt their business? Really?

Well, if they're eBay, probably. If they're Joe's Fill Dirt and Croissants in Omaha, then probably not, because nobody, NOBODY in China is ever actually going to purchase a truckload of dirt or a tasty croissant from Joe. So would it actually matter if they couldn't get to Joe's web site or Joe's mail server or especially Joe's VPN server? Probably not. Nobody in Peru, Egypt, or Romania is likely to be buying from Joe any time soon either.

This is why I've been using geoblocking at the network and host levels for over a decade, and it works. But it does require that you make an effort to study and understand your own traffic patterns as well as your organizational requirements. [1]

I use it on a country-by-country basis (thank you ipdeny.com) and on a service-by-service basis: a particular host might allow http from anywhere, but ssh only from the country it's in. I also deny selected networks access to selected services, e.g., Amazon's cloud doesn't get access to port 25 because of the non-stop spam and Amazon's refusal to do anything about it. Anything on the Spamhaus DROP or EDROP lists (thank you Spamhaus) is not part of my view of the Internet. And so on. Combined, all this achieves lossless compression of abusive traffic.

This is not a security fix, per se; any services that are vulnerable are still vulnerable. But it does cut down on the attack surface as measured along one axis, which in turn reduces the scope of some problems and renders them more tractable to other approaches.

An even better approach, when appropriate, is to block everything and then only enable access selectively. This is a particularly good idea when defending things like ssh. Do you *really* need to allow incoming ssh from the entire planet? Or could the US, Canada, the UK and Germany suffice? If so, then why aren't you enforcing that? Do you really think it's a good idea to give someone with a 15-million member global botnet 3 or 5 or 10 brute-force attempts *per bot* before fail2ban or similar kicks in? I don't. I think 0 attempts per most bots is a much better idea. Let 'em eat packet drops while they try to figure out which subset of bots can even *reach* your ssh server.

Which brings me to the NYTimes, and the alleged hacking by the Chinese. Why, given that the NYTimes apparently handed wads of cash over to various consulting firms, did none of those firms get the NYTimes to make a first-order attempt at solving this problem? Why in the world was anything in their corporate infrastructure accessible from the 2410 networks and 143,067,136 IP addresses in China? Who signed off on THAT?

(Yes, yes, I *know* that the NYTimes has staff there, some permanently and some transiently. A one-off solution crafted for this use case would suffice. I've done it. It's not hard. And I doubt that it would need to work for more than, what, a few dozen of the NYTimes' 7500 employees? Clone and customize for Rio, Paris, Moscow, and other locations. This isn't hard either. Oh, and lock it out of everything that a field reporter/editor/photographer doesn't need, e.g., there is absolutely no way someone coming in through one of those should be able to reach the subscriber database.)

Two more notes: first, blocking inbound traffic is usually not enough. Blocks should almost always be bidirectional. [2] This is especially important for things like the DROP/EDROP lists, because then spam payloads, phishes, malware, etc. won't be able to phone home quite so readily, and while your users will still be able to click on links that lead to bad things... they won't get there.

Second, this may sound complex. It's not. I handle my needs with make, rsync, a little shell, a little perl, and other similar tools, but clearly you could do the same thing with any system configuration management setup. And with proper logging, it's not hard to discover the mistakes and edge cases, to apply suitable fixes and temporary point exceptions, and so on.

---rsk

[1] 'Now, your typical IT executive, when I discuss this concept with him or her, will stand up and say something like, "That sounds great, but our enterprise network is really complicated. Knowing about all the different apps that we rely on would be impossible! What you're saying sounds reasonable until you think about it and realize how absurd it is!" To which I respond, "How can you call yourself a 'Chief Technology Officer' if you have no idea what your technology is doing?" A CTO isn't going to know detail about every application on the network, but if you haven't got a vague idea what's going on it's impossible to do capacity planning, disaster planning, security planning,
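The rule matrix Rich describes here and in his earlier numbered points (country allow-sets per service, a DROP list that is dead in both directions, a per-service network deny like the cloud-to-port-25 one, outbound rules per desktop group, default deny otherwise), written out as an added Python example: this is not code from the thread nor Rich's own make/rsync setup, and every CIDR, country code, group name and service set in it is a constructed stand-in. The policy is evaluated directly for a single packet and also rendered as nftables rule text, the kind of generated artifact a make target would rebuild whenever a country list changes.

```python
"""Service-by-service, country-by-country geoblocking policy as data, with a
default-deny decision oracle and an nftables rendering of the same policy.
Added example; all CIDRs, groups and sets are constructed (ipdeny.com and the
Spamhaus DROP/EDROP lists are where the real ones come from)."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network


def nets(cidrs: Iterable[str]) -> List[Net]:
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed "country" allocations (documentation/test ranges, NOT real).
COUNTRY: Dict[str, List[Net]] = {
    "US": nets(["192.0.2.0/24", "198.51.100.0/24"]),
    "DE": nets(["203.0.113.0/24"]),
    "XE": nets(["100.64.0.0/16"]),  # "Elbonia": nobody has a need to go there
}
# Constructed DROP-style list: dead in both directions, whatever the service.
DROP: List[Net] = nets(["100.64.77.0/24"])
# Constructed cloud-provider range that is denied for SMTP only.
CLOUD_NO_SMTP: List[Net] = nets(["198.51.100.128/25"])
# Where each desktop group lives, so outbound rules can be rendered per group.
GROUP_NETS: Dict[str, Net] = {
    "marketing": ipaddress.ip_network("10.10.0.0/24"),
    "ops": ipaddress.ip_network("10.20.0.0/24"),
}
# Inbound: service -> (proto, port, allowed countries or None for "anywhere",
# networks denied for this service regardless of country).
INBOUND: Dict[str, Tuple[str, int, Optional[Set[str]], List[Net]]] = {
    "http": ("tcp", 80, None, []),
    "ssh": ("tcp", 22, {"US", "DE"}, []),
    "smtp": ("tcp", 25, None, CLOUD_NO_SMTP),
}
# Outbound: desktop group -> countries it has a business need to reach.
OUTBOUND: Dict[str, Set[str]] = {
    "marketing": {"US", "DE"},
    "ops": {"US", "DE", "XE"},
}


def in_list(ip: str, ranges: Iterable[Net]) -> bool:
    return any(ipaddress.ip_address(ip) in n for n in ranges)


def country_of(ip: str) -> Optional[str]:
    """Map an address to a country code, or None if no list claims it."""
    for cc, ranges in COUNTRY.items():
        if in_list(ip, ranges):
            return cc
    return None


def decide_inbound(src_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Verdict for one inbound packet.  Order matters: DROP list first, then
    the per-service deny list, then the country allow set, then default deny."""
    if in_list(src_ip, DROP):
        return "drop", "source on DROP list"
    for name, (p, port, allowed, denied) in INBOUND.items():
        if (p, port) != (proto, dport):
            continue
        if in_list(src_ip, denied):
            return "drop", f"{name}: source in per-service deny list"
        cc = country_of(src_ip)
        if allowed is None or cc in allowed:
            return "accept", f"{name}: allowed from {cc or 'unmapped'}"
        return "drop", f"{name}: {cc or 'unmapped'} not in allow set"
    return "drop", "no service exposed on that port"


def decide_outbound(group: str, dst_ip: str) -> Tuple[str, str]:
    """Verdict for one outbound packet from a desktop group: bidirectional
    DROP first, then the group's business-need country set, then default deny."""
    if in_list(dst_ip, DROP):
        return "drop", "destination on DROP list"
    cc = country_of(dst_ip)
    if cc in OUTBOUND.get(group, set()):
        return "accept", f"{group} may reach {cc}"
    return "drop", f"{group} has no business need for {cc or 'unmapped'}"


def compile_nft() -> List[str]:
    """Render the same policy as nftables rule lines, the artifact a make(1)
    target would regenerate whenever a country list or the matrix changes."""
    drop = ", ".join(map(str, DROP))
    rules = [f"ip saddr {{ {drop} }} drop", f"ip daddr {{ {drop} }} drop"]
    for name, (p, port, allowed, denied) in INBOUND.items():
        for n in denied:  # per-service deny sits above the service's accept
            rules.append(f'ip saddr {n} {p} dport {port} drop comment "{name} deny"')
        if allowed is None:
            rules.append(f'{p} dport {port} accept comment "{name} any"')
        for cc in sorted(allowed or ()):
            cidrs = ", ".join(map(str, COUNTRY[cc]))
            rules.append(f'ip saddr {{ {cidrs} }} {p} dport {port} accept comment "{name} {cc}"')
    for group, dests in OUTBOUND.items():
        cidrs = ", ".join(str(n) for cc in sorted(dests) for n in COUNTRY[cc])
        rules.append(f'ip saddr {GROUP_NETS[group]} ip daddr {{ {cidrs} }} accept comment "{group} out"')
    rules.append("drop")  # default deny closes the chain
    return rules
```

An address that no country list claims is treated as "unmapped" and only gets through services that are open to anywhere, which is the default-deny stance Rich argues for.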
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
On 2/21/2013 12:03 AM, Scott Weeks wrote: I would sure be interested in hearing about hands-on operational experiences with encryptors. Recent experiences have left me with a sour taste in my mouth. blech! scott Agreed. I've generally skipped the line side and stuck with L3 side encryption for the same reason. Jack
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
On Thu, Feb 21, 2013 at 11:23 AM, Jack Bates jba...@brightok.net wrote: On 2/21/2013 12:03 AM, Scott Weeks wrote: I would sure be interested in hearing about hands-on operational experiences with encryptors. Recent experiences have left me with a sour taste in my mouth. blech! scott Agreed. I've generally skipped the line side and stuck with L3 side encryption for the same reason. and... some (most?) line-side encryptors light the line up full speed between the encryptors... if they are also attempting to suppress traffic analysis... so that can be costly if you don't own the whole pipe :)
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
Not to mention, the KG units are dot government only.. For obvious reasons. From my Android phone on T-Mobile. The first nationwide 4G network. Original message From: Christopher Morrow morrowc.li...@gmail.com Date: 02/21/2013 8:37 AM (GMT-08:00) To: Jack Bates jba...@brightok.net Cc: nanog@nanog.org Subject: Re: Network security on multiple levels (was Re: NYT covers China cyberthreat) On Thu, Feb 21, 2013 at 11:23 AM, Jack Bates jba...@brightok.net wrote: On 2/21/2013 12:03 AM, Scott Weeks wrote: I would sure be interested in hearing about hands-on operational experiences with encryptors. Recent experiences have left me with a sour taste in my mouth. blech! scott Agreed. I've generally skipped the line side and stuck with L3 side encryption for the same reason. and... some (most?) line-side encryptors light the line up full speed between the encryptors... if they are also attempting to suppress traffic analysis... so that can be costly if you don't own the whole pipe :)
RE: NYT covers China cyberthreat
I can't help but wonder what would happen if US Corporations simply blocked all inbound Chinese traffic. Sure it would hurt their business, but imagine what the Chinese people would do in response First thing is the Chinese government would rejoice since they don't want their citizens on our networks (except the ones they recruit for cyber warfare; they can get other address ranges for those guys). Second thing is someone will make a ton of money bouncing Chinese traffic through somewhere else (and someone will create a SPAMHAUS-like service to detect that, and so on, and so on, and so on). Third thing is all the companies that do business in and around China would be screaming because tons of them use VPNs that are sourced from Chinese IP address space. Some people even like to travel and access things back home, you know, weird stuff, like email, news, music, videos. One of the biggest problems with geoblocking is that often the addresses do not reveal the true source of the traffic. If you block everything from China, you miss attacks sourced from China that are bouncing through bot networks with hosts worldwide. Remember Tor; it is built to defeat just that sort of security by obscuring source locations. Corporations also often have egress points to the Internet in countries other than the one the user is in. If you block everything from China, then you are locking out any of your own personnel that travel internationally or any of your customers that travel. Who here has not surfed the web from a hotel room on business? Anyone with malicious intent has a zillion ways to bypass that sort of security. Obscuring your source address is child's play. The management of the geoblocking will not be worth the minimal protection it provides. Trying to locate someone by address is a complete PITA in my opinion.
If you go to Europe you will often get sent to the wrong Google sites because they attempt to locate you instead of just letting you put in the correct URL (if you are in the UK, it is not that hard to include .co.uk in your URL). I have been in the UK and gotten Google Germany and Google Spain for no apparent reason (except that carriers in Europe have addresses from all over the place because of mergers, alliances, and all sorts of other arrangements). Blocking networks by service will also be a management nightmare since addresses often change and new blocks get assigned and companies offer different services. Who manages all of that and who is going to tell you when something changes (the answer is nobody; you will know when stuff breaks)? If my network security guy had enough time to keep track of all of Amazon's address space and what services they are offering this week and all the services they host in their datacenters, I would fire him for having that much time on his hands. Can you keep track of all the stuff coming from Akamai and where all their servers are on a continuing basis? Cloud services will make blocking by service nearly impossible since the network can reconfigure at any time. I would love to see this implementation in a large corporate or government network. What a huge game of whack-a-mole that is. Seems to me that the time would be much better spent tuning up firewalls and securing hosts properly. I think geoblocking gives you nothing but a false sense of security. I also believe that if you see an attack coming from China in particular it is because they WANT you to know it is coming from China. I would think any state sponsor conducting a very serious attack would conceal themselves better than that. I also believe that a lot of attacks that look like they are coming from China are actually coming from elsewhere.
Think about this: if I am a hacker in the US, attacking a US victim, it would be a big advantage to look like I was coming from China because it almost guarantees no attempt to prosecute or track me down, since everyone in this business knows that if it comes out of China you can't do anything about it. I would not be surprised to find out China is letting their capabilities be known just to remind everyone of what the implications of messing with them are. Remember Doctor Strangelove: what good is a doomsday bomb if you don't tell anyone about it?!?!? Steven Naslund -Original Message- From: Rich Kulawiec [mailto:r...@gsp.org] Sent: Thursday, February 21, 2013 10:00 AM To: nanog@nanog.org Subject: Re: NYT covers China cyberthreat On Thu, Feb 21, 2013 at 01:34:13AM +, Warren Bailey wrote: I can't help but wonder what would happen if US Corporations simply blocked all inbound Chinese traffic. Sure it would hurt their business, but imagine what the Chinese people would do in response. Would it hurt their business? Really? Well, if they're eBay, probably. If they're Joe's Fill Dirt and Croissants in Omaha, then probably not, because nobody, NOBODY in China is ever actually going to purchase a truckload
Re: NYT covers China cyberthreat
--- calin.chior...@secdisk.net wrote: From: calin.chiorean calin.chior...@secdisk.net :: This all seems to be noobie stuff. There's nothing technically cool :: to see here You mean the report or the activity? The activity. You seem upset that they are using M$ only (target and source). I'm not upset. I'm pointing out what Steven Bellovin said in just a few words: This strongly suggests that it's not their A-team... This is a technical mailing list where cutting edge stuff is discussed. The compromise was not using cutting edge stuff and, so, is a big yawn for this list. The report was mainly for reporters. That's why they had the omg sound bite bullet points at the top. It's also why they had to explain several low level things in detail. snip Maybe it was meant to be found. That is a definite possibility. scott
Re: NYT covers China cyberthreat
Scott Weeks wrote: --- calin.chior...@secdisk.net wrote: You seem upset that they are using M$ only (target and source). I'm not upset. I'm pointing out what Steven Bellovin said in just a few words: This strongly suggests that it's not their A-team... This is a technical mailing list where cutting edge stuff is discussed. The compromise was not using cutting edge stuff and, so, is a big yawn for this list. Not to be pedantic, but I thought the list was about network operations - and as much (or more) about practice than about cutting edge stuff. (Well, maybe a little pedantic.) From an operational point of view, unless I'm an exceptionally high-value target, I'm more likely to be threatened by the B-team (or C-team) than the A-team (recognizing, of course, that what the A-team is doing today is what the script kiddies will be doing tomorrow). Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
Re: NYT covers China cyberthreat
--- kyle.cre...@gmail.com wrote: From: Kyle Creyts kyle.cre...@gmail.com The focus on platform here is ridiculous; can someone explain how platform of attacker or target is extremely relevant? Since when did -- It implies their skillset. Here's something I just saw that says it better than I can... http://www.forbes.com/sites/andygreenberg/2013/02/21/the-shanghai-army-unit-that-hacked-115-u-s-targets-likely-wasnt-even-chinas-a-team/2/ scott
Re: NYT covers China cyberthreat
On Feb 20, 2013, at 9:07 PM, Steven Bellovin s...@cs.columbia.edu wrote: On Feb 20, 2013, at 1:33 PM, valdis.kletni...@vt.edu wrote: On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said: boys and girls, all the cyber-capable countries are cyber-culpable. you can bet that they are all snooping and attacking each other, the united states no less than the rest. news at eleven. The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place This strongly suggests that it's not their A-team, for whatever value of their you prefer. (My favorite mistake was some of them updating their Facebook pages when their work took them outside the Great Firewall.) They just don't show much in the way of good operational security. Mandiant apparently feels the same way: http://www.forbes.com/sites/andygreenberg/2013/02/21/the-shanghai-army-unit-that-hacked-115-u-s-targets-likely-wasnt-even-chinas-a-team/ --Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: NYT covers China cyberthreat
On 2/21/2013 12:17 PM, Scott Weeks wrote: I'm not upset. I'm pointing out what Steven Bellovin said in just a few words: This strongly suggests that it's not their A-team... The A-team doesn't get caught and detailed. The purpose of the other teams is to detect easy targets, handle easy jobs, and create lots of noise for the A-team to hide in. Hacking has always had a lot in common with magic. Misdirection is a useful tool. Jack
Re: NYT covers China cyberthreat
And so their bush league by itself was responsible for all the penetrations that Mandiant says they did? Which shows that they don't have to be particularly smart, just a bit smarter than their average spear phish or other attack's victim. On Friday, February 22, 2013, Jack Bates wrote: On 2/21/2013 12:17 PM, Scott Weeks wrote: I'm not upset. I'm pointing out what Steven Bellovin said in just a few words: This strongly suggests that it's not their A-team... The A-team doesn't get caught and detailed. The purpose of the other teams is to detect easy targets, handle easy jobs, and create lots of noise for the A-team to hide in. Hacking has always had a lot in common with magic. Misdirection is a useful tool. Jack -- --srs (iPad)
Re: NYT covers China cyberthreat
On Thu, Feb 21, 2013 at 3:58 PM, Jack Bates jba...@brightok.net wrote: The A-team doesn't get caught and detailed no, the A-team has B.A. Baracus... he pities the fool who gets caught and detailed... the last thing B.A. detailed was his black van.
Re: NYT covers China cyberthreat
On Fri, 22 Feb 2013 06:11:21 +0530, Suresh Ramasubramanian said: And so their bush league by itself was responsible for all the penetrations that Mandiant says they did? Which shows that they don't have to be particularly smart, just a bit smarter than their average spear phish or other attack's victim. As I said - that's the scary part. :)
Re: NYT covers China cyberthreat
Be sure to read the source: intelreport.mandiant.com/Mandiant_APT1_Report.pdf I'm only part way through, but I find it hard to believe that only micro$loth computers are used as the attack OS. Maybe I haven't gotten far enough through the report to find the part where they use the *nix boxes? scott
Re: NYT covers China cyberthreat
--- calin.chior...@secdisk.net wrote: From: calin.chiorean calin.chior...@secdisk.net snipped :: when all tools are available for Windows OS, you just have to compile them. snipped out the rest - They're not all available for m$. scott On Wed, 20 Feb 2013 09:02:35 +0100 Scott Weeks wrote Be sure to read the source: intelreport.mandiant.com/Mandiant_APT1_Report.pdf I'm only part way through, but I find it hard to believe that only micro$loth computers are used as the attack OS. Maybe I haven't gotten far enough through the report to find the part where they use the *nix boxes?
Re: NYT covers China cyberthreat
They are when you have a college full of programmers. From my Android phone on T-Mobile. The first nationwide 4G network. Original message From: Scott Weeks sur...@mauigateway.com Date: 02/20/2013 12:23 AM (GMT-08:00) To: nanog@nanog.org Subject: Re: NYT covers China cyberthreat --- calin.chior...@secdisk.net wrote: From: calin.chiorean calin.chior...@secdisk.net snipped :: when all tools are available for Windows OS, you just have to compile them. snipped out the rest - They're not all available for m$. scott On Wed, 20 Feb 2013 09:02:35 +0100 Scott Weeks wrote Be sure to read the source: intelreport.mandiant.com/Mandiant_APT1_Report.pdf I'm only part way through, but I find it hard to believe that only micro$loth computers are used as the attack OS. Maybe I haven't gotten far enough through the report to find the part where they use the *nix boxes?
Re: NYT covers China cyberthreat
I'm only part way through, but I find it hard to believe that only micro$loth computers are used as the attack OS. Maybe I --- calin.chior...@secdisk.net wrote: From: calin.chiorean calin.chior...@secdisk.net snipped :: when all tools are available for Windows OS, you just have to compile them. snipped out the rest - From: Scott Weeks sur...@mauigateway.com ::: They're not all available for m$. --- wbai...@satelliteintelligencegroup.com wrote: From: Warren Bailey wbai...@satelliteintelligencegroup.com They are when you have a college full of programmers. -- Please elaborate. I didn't follow that. scott
Re: NYT covers China cyberthreat
They don't have 20 brains, they have a country full. I was in Beijing last year; it was eye-opening to see the state of affairs there. From my Android phone on T-Mobile. The first nationwide 4G network. Original message From: calin.chiorean calin.chior...@secdisk.net Date: 02/20/2013 12:36 AM (GMT-08:00) To: Warren Bailey wbai...@satelliteintelligencegroup.com Cc: sur...@mauigateway.com,nanog@nanog.org Subject: Re: NYT covers China cyberthreat IMO, if we stick to the document and they are organized in military style, then a person who collects information should focus only on that particular phase. That person is an operator; he or she should not be kept busy remembering long CLI commands. The scope is to deliver ASAP. No matter how much I like the CLI and putting my fingers into text mode, I have to admit that point and click in Windows is an easier and faster method to achieve the task I did mention. As Warren mentioned, if you have 20 brains it's easy to put those people to porting a tool from *nix to another platform and have the other 500 operators run it in Windows. It's just a matter of good sense and business effectiveness :) Maybe I misinterpret the information, but this is how I see things. Cheers, Calin On Wed, 20 Feb 2013 09:24:10 +0100 Warren Bailey wbai...@satelliteintelligencegroup.com wrote They are when you have a college full of programmers. From my Android phone on T-Mobile. The first nationwide 4G network. Original message From: Scott Weeks sur...@mauigateway.com Date: 02/20/2013 12:23 AM (GMT-08:00) To: nanog@nanog.org Subject: Re: NYT covers China cyberthreat --- calin.chior...@secdisk.net wrote: From: calin.chiorean calin.chior...@secdisk.net snipped :: when all tools are available for Windows OS, you just have to compile them. snipped out the rest - They're not all available for m$.
scott On Wed, 20 Feb 2013 09:02:35 +0100 Scott Weeks wrote Be sure to read the source: intelreport.mandiant.com/Mandiant_APT1_Report.pdf I'm only part way through, but I find it hard to believe that only micro$loth computers are used as the attack OS. Maybe I haven't gotten far enough through the report to find the part where they use the *nix boxes?
Re: NYT covers China cyberthreat
Part of the entire 'chinese l337 hxx0r spy' 1st complex is apparently the local equivalent of a community college, where the passing-out assignment is probably something on the lines of 'get me a dump of the dalai lama's email'. --srs (htc one x) On 20-Feb-2013 2:08 PM, Scott Weeks sur...@mauigateway.com wrote: I'm only part way through, but I find it hard to believe that only micro$loth computers are used as the attack OS. Maybe I --- calin.chior...@secdisk.net wrote: From: calin.chiorean calin.chior...@secdisk.net snipped :: when all tools are available for Windows OS, you just have to compile them. snipped out the rest - From: Scott Weeks sur...@mauigateway.com ::: They're not all available for m$. --- wbai...@satelliteintelligencegroup.com wrote: From: Warren Bailey wbai...@satelliteintelligencegroup.com They are when you have a college full of programmers. -- Please elaborate. I didn't follow that. scott
Re: NYT covers China cyberthreat
--- calin.chior...@secdisk.net wrote: From: calin.chiorean calin.chior...@secdisk.net IMO, if we stick to the document and they are organized in military style, then a person who collects information should focus only on that particular phase. That person is an operator; he or she should not be kept busy remembering long CLI commands. The scope is to deliver ASAP. - What's that randy says? ;-) I can only hope you're right, but my point was to bring suspicion to the report itself for (possibly; I'm only on page 19) saying that m$ is the only attacking OS. -- No matter how much I like the CLI and putting my fingers into text mode, I have to admit that point and click in Windows is an easier and faster method to achieve the task I did mention. As Warren mentioned, --- bzt. Wrong answer. Please study more. Next! scott
Re: NYT covers China cyberthreat
--- calin.chior...@secdisk.net wrote: From: calin.chiorean calin.chior...@secdisk.net It was just an example :-) to point out the scale of developers vs operators. You'd be surprised at how much better brains are than brawn on these things... ;-) scott
Re: NYT covers China cyberthreat
Part of the entire 'chinese l337 hxx0r spy' 1st complex is apparently the local equivalent of a community college, where the passing out assignment is probably something on the lines of 'get me a dump of the dalai lama's email'. american education is behind in many things. this is but one. randy
Re: NYT covers China cyberthreat
Have you been to The Great Wall? That statement does not apply in the PRC. From my Android phone on T-Mobile. The first nationwide 4G network. Original message From: Scott Weeks sur...@mauigateway.com Date: 02/20/2013 12:54 AM (GMT-08:00) To: nanog@nanog.org Subject: Re: NYT covers China cyberthreat --- calin.chior...@secdisk.net wrote: From: calin.chiorean calin.chior...@secdisk.net It was just an example :-) to point out the scale of developers vs operators. You'd be surprised at how much better brains are than brawn on these things... ;-) scott
Re: NYT covers China cyberthreat
--- calin.chior...@secdisk.net wrote: From: calin.chiorean calin.chior...@secdisk.net It was just an example :-) to point out the scale of developers vs operators. :: You'd be surprised at how much better brains are than brawn :: on these things... ;-) --- wbai...@satelliteintelligencegroup.com wrote: Have you been to The Great Wall? That statement does not apply in the PRC. It would be interesting, I suppose, to see what can massively parallel better. brains or brawn :) That's what I'm saying. If this is done by m$ toolage only, as the report seems to say, on page 4, for example: 817 of the 832 (98%) IP addresses logging into APT1 controlled systems using Remote Desktop resolved back to China. Then they have missed the more interesting part of the puzzle, I believe. scott ps. If you gottem both, well that's a whole other thingie.
Re: NYT covers China cyberthreat
Don't be lulled into complacency by a private network: all it takes is one thumb-drive or rogue AP and you have a back door. Private networks reduce but do not eliminate attackable surface. David Barak Sent from a mobile device, please forgive autocorrection. On Feb 20, 2013, at 2:04 AM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote: An Internet kill switch is a nightmare. We can't even figure out how to run a relay radio system for national emergencies.. Now we are going to assume the people who were owned can somehow shut off communications? We as Americans have plenty of things we have done halfass.. I hope an Internet kill switch doesn't end up being one of them. Build your own private networks, you can't get rooted if someone can't knock. Simple as that. From my Android phone on T-Mobile. The first nationwide 4G network. Original message From: Zaid Ali Kahn z...@zaidali.com Date: 02/19/2013 10:44 PM (GMT-08:00) To: Kyle Creyts kyle.cre...@gmail.com Cc: nanog@nanog.org Subject: Re: NYT covers China cyberthreat We have done our part to China as well along with other countries in state sponsored hacking. This is more of news amusement rather than news worthy. Question here should be how much of this is another effort to get a kill switch type bill back. Zaid On Feb 19, 2013, at 10:10 PM, Kyle Creyts kyle.cre...@gmail.com wrote: quite a bit of coverage lately from the media. http://online.wsj.com/article/SB10001424127887323764804578313101135258708.html http://www.bbc.co.uk/news/world-asia-pacific-21505803 http://www.npr.org/2013/02/19/172373133/report-links-cyber-attacks-on-u-s-to-chinas-military http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked On Mon, Feb 18, 2013 at 7:23 PM, Jay Ashworth j...@baylink.com wrote: http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. 
-- Kyle Creyts Information Assurance Professional BSidesDetroit Organizer
Re: NYT covers China cyberthreat
If I didn't miss any part of the report, no *nix is mentioned. I'm a *nix fan, but why should they (when I say they, I mean an attacker, not necessarily the one in this document) complicate their life, when all tools are available for Windows OS; you just have to compile them. Cheers, Calin On Wed, 20 Feb 2013 09:02:35 +0100 Scott Weeks wrote Be sure to read the source: intelreport.mandiant.com/Mandiant_APT1_Report.pdf I'm only part way through, but I find it hard to believe that only micro$loth computers are used as the attack OS. Maybe I haven't gotten far enough through the report to find the part where they use the *nix boxes? scott
Re: NYT covers China cyberthreat
IMO, if we stick to the document and they are organized in military style, then a person who collects information should focus only on that particular phase. That person is an operator; he or she should not be kept busy remembering long CLI commands. The scope is to deliver ASAP. No matter how much I like the CLI and putting my fingers into text mode, I have to admit that point and click in Windows is an easier and faster method to achieve the task I did mention. As Warren mentioned, if you have 20 brains it's easy to put those people to porting a tool from *nix to another platform and have the other 500 operators run it in Windows. It's just a matter of good sense and business effectiveness :) Maybe I misinterpret the information, but this is how I see things. Cheers, Calin On Wed, 20 Feb 2013 09:24:10 +0100 Warren Bailey wbai...@satelliteintelligencegroup.com wrote They are when you have a college full of programmers. From my Android phone on T-Mobile. The first nationwide 4G network. Original message From: Scott Weeks sur...@mauigateway.com Date: 02/20/2013 12:23 AM (GMT-08:00) To: nanog@nanog.org Subject: Re: NYT covers China cyberthreat --- calin.chior...@secdisk.net wrote: From: calin.chiorean calin.chior...@secdisk.net snipped :: when all tools are available for Windows OS, you just have to compile them. snipped out the rest - They're not all available for m$. scott On Wed, 20 Feb 2013 09:02:35 +0100 Scott Weeks wrote Be sure to read the source: intelreport.mandiant.com/Mandiant_APT1_Report.pdf I'm only part way through, but I find it hard to believe that only micro$loth computers are used as the attack OS. Maybe I haven't gotten far enough through the report to find the part where they use the *nix boxes?
Re: NYT covers China cyberthreat
::: They don't have 20 brains, they have a country full It was just an example :-) to point out the scale of developers vs operators. Calin On Wed, 20 Feb 2013 09:39:24 +0100 Warren Bailey wbai...@satelliteintelligencegroup.com wrote They don't have 20 brains, they have a country full. I was in Beijing last year; it was eye-opening to see the state of affairs there. From my Android phone on T-Mobile. The first nationwide 4G network. Original message From: calin.chiorean calin.chior...@secdisk.net Date: 02/20/2013 12:36 AM (GMT-08:00) To: Warren Bailey wbai...@satelliteintelligencegroup.com Cc: sur...@mauigateway.com,nanog@nanog.org Subject: Re: NYT covers China cyberthreat IMO, if we stick to the document and they are organized in military style, then a person who collects information should focus only on that particular phase. That person is an operator; he or she should not be kept busy remembering long CLI commands. The scope is to deliver ASAP. No matter how much I like the CLI and putting my fingers into text mode, I have to admit that point and click in Windows is an easier and faster method to achieve the task I did mention. As Warren mentioned, if you have 20 brains it's easy to put those people to porting a tool from *nix to another platform and have the other 500 operators run it in Windows. It's just a matter of good sense and business effectiveness :) Maybe I misinterpret the information, but this is how I see things. Cheers, Calin On Wed, 20 Feb 2013 09:24:10 +0100 Warren Bailey wbai...@satelliteintelligencegroup.com wrote They are when you have a college full of programmers. From my Android phone on T-Mobile. The first nationwide 4G network. Original message From: Scott Weeks sur...@mauigateway.com Date: 02/20/2013 12:23 AM (GMT-08:00) To: nanog@nanog.org Subject: Re: NYT covers China cyberthreat --- calin.chior...@secdisk.net wrote: From: calin.chiorean calin.chior...@secdisk.net snipped :: when all tools are available for Windows OS, you just have to compile them.
snipped out the rest - They're not all available for m$. scott On Wed, 20 Feb 2013 09:02:35 +0100 Scott Weeks wrote Be sure to read the source: intelreport.mandiant.com/Mandiant_APT1_Report.pdf I'm only part way through, but I find it hard to believe that only micro$loth computers are used as the attack OS. Maybe I haven't gotten far enough through the report to find the part where they use the *nix boxes?
Re: NYT covers China cyberthreat
This is an improvement over some Russian spies, who had their passwords written down on a piece of paper. http://www.networkworld.com/news/2010/063010-russian-spy-ring.html?hpg1=bn One of the technical issues the ring faced was described by one suspect in a message to Moscow reporting on a meeting between two spies A and M: Meeting with M went as planned … A passed to M laptop, two flash drives, and $9K in cash. From what M described, the problem with his equipment is due to his laptop hanging/freezing before completion of the normal program run. Windows XP crappiness, slowing down Russian spies :D My password at home is don't be the low hanging fruit. Every time that I read in the news that the USA is funding this or that cracking group I get a bit angry. That's a world where it is best to not put money. More like direct Interpol to stop mafias profiting from it, to remove money from it. The last thing we want is a cyber arms race. But if you don't want one, don't start one. -- -- End of Message.
Network security on multiple levels (was Re: NYT covers China cyberthreat)
- Original Message - From: Warren Bailey wbai...@satelliteintelligencegroup.com We as Americans have plenty of things we have done halfass.. I hope an Internet kill switch doesn't end up being one of them. Build your own private networks, you can't get rooted if someone can't knock. Simple as that. Well, Warren, I once had a discussion with someone about whether dedicated DS-1s to tie your SCADA network together were secure enough, and they asked me: Does it run through a DACS? Where can you program the DACS from? Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
Re: NYT covers China cyberthreat
- Original Message - From: Randy Bush ra...@psg.com Part of the entire 'chinese l337 hxx0r spy' 1st complex is apparently the local equivalent of a community college, where the passing out assignment is probably something on the lines of 'get me a dump of the dalai lama's email'. american education is behind in many things. this is but one. So true, Randy. But I think the underlying point here was more when you do these things on the scale that nation-states do them, the result is different in type, not merely in degree. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
If you are doing DS0 splitting on the DACS, you'll see that on the other end (it's not like channelized CAS DS1s or PRIs are difficult to look at now), assuming you have access to that. If the DACS is an issue, buy the DACS and lock it up. I was on a .mil project that used old school Coastcom DI III Mux with RLB cards and FXO/FXS cards; that DACS carried some pretty top notch traffic and the microwave network (licensed .gov band) brought it right back to the base that project was owned by. Security is expensive, because you cannot leverage a service provider model effectively around it. You can explain the billion dollars you spent on your global network of CRS-1's, but CRS-1's for a single application usually are difficult to swallow. I'm not saying that it isn't done EVER, I'm just saying there are ways to keep your 1998 Red Hat box from rpc.statd exploitation - unplug aforementioned boxen from the interwebs. If you created a LAN at your house, disabled all types of insertable media, and had a decent lock on your front door, it would be pretty difficult to own that network. Sure, there are spy types who argue EMI emissions from cable etc., but they solved that issue with their tin foil hats. We broadcast extremely sensitive information (financial, medical, etc.) to probably 75% of the world's population all day long; if you walk outside of your house today my signal will be broadcasting down upon sunny St. Petersburg, Florida. Satellite Communications are widely used, the signal is propagated (from GSO generally) over a relatively wide area and no one knows better. And for those of you who say.. I CAN LOOK AT A SPEC AN TO FIND THE SIGNAL, MEASURE AND DEMODULATE! Take a look at spread spectrum TDMA operation - my signal to noise on my returns is often -4dB to -6dB c/n0 and spread at a factor of 4 to 8. They are expensive, but as far as the planet is concerned they are AWGN.
I guess it's my argument that if you do a good enough job blending a signal into the noise, you are much more likely to maintain secrecy. On 2/20/13 9:13 AM, Jay Ashworth j...@baylink.com wrote: - Original Message - From: Warren Bailey wbai...@satelliteintelligencegroup.com We as Americans have plenty of things we have done halfass.. I hope an Internet kill switch doesn't end up being one of them. Build your own private networks, you can't get rooted if someone can't knock. Simple as that. Well, Warren, I once had a discussion with someone about whether dedicated DS-1 to tie your SCADA network together were secure enough and they asked me: Does it run through a DACS? Where can you program the DACS from? Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
On Wed, Feb 20, 2013 at 9:13 AM, Jay Ashworth j...@baylink.com wrote:
> - Original Message -
> From: Warren Bailey wbai...@satelliteintelligencegroup.com
>
>> We as Americans have plenty of things we have done halfass.. I hope an Internet kill switch doesn't end up being one of them. Build your own private networks, you can't get rooted if someone can't knock. Simple as that.
>
> Well, Warren, I once had a discussion with someone about whether dedicated DS-1 to tie your SCADA network together were secure enough and they asked me:
>
> Does it run through a DACS?
> Where can you program the DACS from?

Did you open that PDF regarding DACS security?

http://money.cnn.com/2013/02/20/news/economy/hacking-infrastructure/index.html

CB

> Cheers,
> -- jra
RE: Network security on multiple levels (was Re: NYT covers China cyberthreat)
From: Warren Bailey [mailto:wbai...@satelliteintelligencegroup.com]

> If you are doing DS0 splitting on the DACS, you'll see that on the other end (it's not like channelized CAS ds1's or PRI's are difficult to look at now) assuming you have access to that. If the DACS is an issue, buy the DACS and lock it up. I was on a .mil project that used old school Coastcom DI III Mux with RLB cards and FXO/FXS cards, that DACS carried some pretty top notch traffic and the microwave network (licensed .gov band) brought it right back to the base that project was owned by.
>
> Security is expensive, because you cannot leverage a service provider model effectively around it. You can explain the billion dollars you spent on your global network of CRS-1's, but CRS-1's for a single application usually are difficult to swallow. I'm not saying that it isn't done EVER, I'm just saying there are ways to avoid your 1998 red hat box from rpc.statd exploitation - unplug aforementioned boxen from inter webs.

Our connections to various .mil and others are private ds1's with full on end to end crypto over them. You can potentially kill our connections, but you're not snooping them or injecting traffic into them.

Jamie
About private networks (Was Re: NYT covers China cyberthreat)
(Well, I'm sure that there are a few hundred papers on this subject)

I have a few ideas but it involves:

. Dark Fiber;
. All devices at FIPS 140 level;
. Tonnes of resin;
. Wire mesh;
. Fiber DB monitoring;
. Cable Shield monitoring;
. Single Encryption Key injection for the FIPS 140 devices;
. Central Provisioning;
. Kill switch for suspected segments;
. add your own crazy ideas etc;
. add more of your own crazy ideas.

And a private fab because it would not be a good idea to sub-contract that to, let's say... some Chinese outfit =D

TLDR: Feasible, hella costly.

PS: http://spybusters.blogspot.ca/2010/11/fiber-optics-easier-to-wiretap-than.html

Enjoy this week end of the world news.

- Alain Hebert  aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
I did not approach the inline encryption units on purpose. Obviously anything that leaves .mil land not riding something blessed by DISA is going to have something like a KG on both ends. Generally Satellite systems use TRANSEC, though in our line of work it's an extremely expensive add-on to an otherwise decent security implementation.

I'm not saying it can NEVER be owned, I'm just saying that 90% of the l33t hax0rs who are going to look to own something are doing so because it is somehow exposed to public infrastructure. If I were to put up an SCPC (single channel per carrier, synonymous to point to point circuits) circuit between point A and B, the persons looking to intercept my traffic would need to know quite a bit of information about my signals.. Origination Point, Destination Point, Modulation, Symbol Rates, Center Frequencies, PN codes, TRANSEC keys, IP layout, etc.

You won't hear me talk about how something is absolutely and completely secure, but you will hear me preach from the rooftops the application of technology that many people believe is outdated and abandoned. There is a reason media providers and MSO's still use Satellite to downlink video signals. The military is still heavily invested in this type of technology because you are able to completely bypass traditionally used infrastructure, and Utility companies are jumping on the band wagon as well. I know of several SCADA (massive power companies) networks that ride satellite completely for this reason. You can justify the cost and latency with the security of owning a network that is completely removed from the usual infrastructure.

On 2/20/13 10:05 AM, Jamie Bowden ja...@photon.com wrote:
> From: Warren Bailey [mailto:wbai...@satelliteintelligencegroup.com]
>
>> If you are doing DS0 splitting on the DACS, you'll see that on the other end (it's not like channelized CAS ds1's or PRI's are difficult to look at now) assuming you have access to that. If the DACS is an issue, buy the DACS and lock it up.
>>
>> I was on a .mil project that used old school Coastcom DI III Mux with RLB cards and FXO/FXS cards, that DACS carried some pretty top notch traffic and the microwave network (licensed .gov band) brought it right back to the base that project was owned by. Security is expensive, because you cannot leverage a service provider model effectively around it. You can explain the billion dollars you spent on your global network of CRS-1's, but CRS-1's for a single application usually are difficult to swallow. I'm not saying that it isn't done EVER, I'm just saying there are ways to avoid your 1998 red hat box from rpc.statd exploitation - unplug aforementioned boxen from inter webs.
>
> Our connections to various .mil and others are private ds1's with full on end to end crypto over them. You can potentially kill our connections, but you're not snooping them or injecting traffic into them.
>
> Jamie
Re: NYT covers China cyberthreat
On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said:
> boys and girls, all the cyber-capable countries are cyber-culpable. you can bet that they are all snooping and attacking each other, the united states no less than the rest. news at eleven.

The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
On Wed, 20 Feb 2013, Jay Ashworth wrote:
> Well, Warren, I once had a discussion with someone about whether dedicated DS-1 to tie your SCADA network together were secure enough and they asked me:
>
> Does it run through a DACS?
> Where can you program the DACS from?

See thread: nanog impossible circuit

Even your leased lines can have packets copied off or injected into them, apparently so easily it can be done by accident.

-- 
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
Many DACS have provision for monitoring circuits and feeding the data off to a third circuit in an undetectable manner.

The DACS question wasn't about DACS owned by the people using the circuit, it was about DACS inside the circuit provider. When you buy a DS1 that goes through more than one CO in between two points, you're virtually guaranteed that it goes through one or more of {DS-3 Mux, Fiber Mux, DACS, etc.}. All of these are under the control of the circuit provider and not you.

Owen

On Feb 20, 2013, at 09:47 , Warren Bailey wbai...@satelliteintelligencegroup.com wrote:
> If you are doing DS0 splitting on the DACS, you'll see that on the other end (it's not like channelized CAS ds1's or PRI's are difficult to look at now) assuming you have access to that. If the DACS is an issue, buy the DACS and lock it up. I was on a .mil project that used old school Coastcom DI III Mux with RLB cards and FXO/FXS cards, that DACS carried some pretty top notch traffic and the microwave network (licensed .gov band) brought it right back to the base that project was owned by.
>
> Security is expensive, because you cannot leverage a service provider model effectively around it. You can explain the billion dollars you spent on your global network of CRS-1's, but CRS-1's for a single application usually are difficult to swallow. I'm not saying that it isn't done EVER, I'm just saying there are ways to avoid your 1998 red hat box from rpc.statd exploitation - unplug aforementioned boxen from inter webs.
>
> If you created a LAN at your house, disabled all types of insertable media, and had a decent lock on your front door, it would be pretty difficult to own that network. Sure there are spy types that argue EMI emission from cable etc, but they solved that issue with their tin foil hats.
>
> We broadcast extremely sensitive information (financial, medical, etc) to probably 75% of the world's population all day long; if you walk outside of your house today my signal will be broadcasting down upon sunny St. Petersburg, Florida. Satellite Communications are widely used, the signal is propagated (from GSO generally) over a relatively wide area and no one knows the better. And for those of you who say.. I CAN LOOK AT A SPEC AN TO FIND THE SIGNAL, MEASURE AND DEMODULATE! Take a look at spread spectrum TDMA operation - my signal to noise on my returns is often -4dB to -6dB c/n0 and spread at a factor of 4 to 8. They are expensive, but as far as the planet is concerned they are awgn.
>
> I guess it's my argument that if you do a good enough job blending a signal into the noise, you are much more likely to maintain secrecy.
>
> On 2/20/13 9:13 AM, Jay Ashworth j...@baylink.com wrote:
>> - Original Message -
>> From: Warren Bailey wbai...@satelliteintelligencegroup.com
>>
>>> We as Americans have plenty of things we have done halfass.. I hope an Internet kill switch doesn't end up being one of them. Build your own private networks, you can't get rooted if someone can't knock. Simple as that.
>>
>> Well, Warren, I once had a discussion with someone about whether dedicated DS-1 to tie your SCADA network together were secure enough and they asked me:
>>
>> Does it run through a DACS?
>> Where can you program the DACS from?
>>
>> Cheers,
>> -- jra
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
- Original Message -
From: Owen DeLong o...@delong.com

> Many DACS have provision for monitoring circuits and feeding the data off to a third circuit in an undetectable manner.
>
> The DACS question wasn't about DACS owned by the people using the circuit, it was about DACS inside the circuit provider. When you buy a DS1 that goes through more than one CO in between two points, you're virtually guaranteed that it goes through one or more of {DS-3 Mux, Fiber Mux, DACS, etc.}. All of these are under the control of the circuit provider and not you.

Correct, and they expand the attack surface in ways that even many network engineers may not consider unless prompted.

Cheers,
-- jra
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
Isn't this a strong argument to deploy and operate a network independent of the traditional switch circuit provider space?

On 2/20/13 11:22 AM, Jay Ashworth j...@baylink.com wrote:
> - Original Message -
> From: Owen DeLong o...@delong.com
>
>> Many DACS have provision for monitoring circuits and feeding the data off to a third circuit in an undetectable manner.
>>
>> The DACS question wasn't about DACS owned by the people using the circuit, it was about DACS inside the circuit provider. When you buy a DS1 that goes through more than one CO in between two points, you're virtually guaranteed that it goes through one or more of {DS-3 Mux, Fiber Mux, DACS, etc.}. All of these are under the control of the circuit provider and not you.
>
> Correct, and they expand the attack surface in ways that even many network engineers may not consider unless prompted.
>
> Cheers,
> -- jra
Re: NYT covers China cyberthreat
--- valdis.kletni...@vt.edu wrote:
> On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said:
>> boys and girls, all the cyber-capable countries are cyber-culpable. you can bet that they are all snooping and attacking each other, the united states no less than the rest. news at eleven.
>
> The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place

Maybe. The report says the following, but it doesn't make clear (I'm only on page 31, so I don't know if they do later in the report) if this is a small botnet, or individuals manning the 937 C&C servers:

»» APT1 controls thousands of systems in support of their computer intrusion activities.
»» In the last two years we have observed APT1 establish a minimum of 937 Command and Control (C2) servers hosted on 849 distinct IP addresses in 13 countries. The majority of these 849 unique IP addresses were registered to organizations in China (709), followed by the U.S. (109).
»» In the last three years we have observed APT1 use fully qualified domain names (FQDNs) resolving to 988 unique IP addresses.
»» Over a two-year period (January 2011 to January 2013) we confirmed 1,905 instances of APT1 actors logging into their attack infrastructure from 832 different IP addresses with Remote Desktop, a tool that provides a remote user with an interactive graphical interface to a system.
»» In the last several years we have confirmed 2,551 FQDNs attributed to APT1.
»» We observed 767 separate instances in which APT1 intruders used the "HUC Packet Transmit Tool" or HTRAN to communicate between 614 distinct routable IP addresses and their victims' systems using their attack infrastructure.

scott
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
If you have that option, I suppose that would be one way to solve it. I, rather, see it as a reason to:

1. Cryptographically secure links that may be carrying private data.
2. Rotate cryptographic keys (relatively) often on such links.

YMMV, but I think encryption is a lot cheaper than building a telco. Especially over long distances.

Owen

On Feb 20, 2013, at 11:33 , Warren Bailey wbai...@satelliteintelligencegroup.com wrote:
> Isn't this a strong argument to deploy and operate a network independent of the traditional switch circuit provider space?
>
> On 2/20/13 11:22 AM, Jay Ashworth j...@baylink.com wrote:
>> - Original Message -
>> From: Owen DeLong o...@delong.com
>>
>>> Many DACS have provision for monitoring circuits and feeding the data off to a third circuit in an undetectable manner.
>>>
>>> The DACS question wasn't about DACS owned by the people using the circuit, it was about DACS inside the circuit provider. When you buy a DS1 that goes through more than one CO in between two points, you're virtually guaranteed that it goes through one or more of {DS-3 Mux, Fiber Mux, DACS, etc.}. All of these are under the control of the circuit provider and not you.
>>
>> Correct, and they expand the attack surface in ways that even many network engineers may not consider unless prompted.
>>
>> Cheers,
>> -- jra
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
--- On Wed, 2/20/13, Jay Ashworth j...@baylink.com wrote:
> - Original Message -
> From: Owen DeLong o...@delong.com
>
>> The DACS question wasn't about DACS owned by the people using the circuit, it was about DACS inside the circuit provider. When you buy a DS1 that goes through more than one CO in between two points, you're virtually guaranteed that it goes through one or more of {DS-3 Mux, Fiber Mux, DACS, etc.}. All of these are under the control of the circuit provider and not you.
>
> Correct, and they expand the attack surface in ways that even many network engineers may not consider unless prompted.

This is precisely the value of encryption on point to point links, preferably at the link layer rather than at the IP layer. When coupled with decent end-to-end application-layer encryption on top of that, the value proposition for sniffing traffic from the network drops a whole lot.

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
On 2/20/2013 1:05 PM, Jon Lewis wrote:
> See thread: nanog impossible circuit
>
> Even your leased lines can have packets copied off or injected into them, apparently so easily it can be done by accident.

This is especially true with pseudo-wire and mpls. Most of my equipment can filter-based mirror to alternative mpls circuits where I can drop packets into my analyzers. If I misconfigure, those packets could easily find themselves back on public networks.

Jack
Re: NYT covers China cyberthreat
--- valdis.kletni...@vt.edu wrote:
> The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place

This all seems to be noobie stuff. There's nothing technically cool to see here. All they do is spear phishing and, once the link is clicked, put in a backdoor that uses commonly available tools. As I suspected earlier it's M$ against M$ only. The downside is nontechnical folks in positions of power often have sensitive data on their computers, only know M$ and don't have the knowledge not to click on that bank email.

Technically, it was 74 pages of yawn. Don't waste your time unless you're interested in how they found out where the attack was originating from and how they tied it to the .cn gov't.

scott
Re: NYT covers China cyberthreat
Net net - what we have here is, so far, relatively low tech exploits with a huge element of brute force, and the only innovation being in the delivery mechanism - very well crafted spear phishes.

They don't particularly need to hide in a location where they're literally bulletproof (considering how many crimes have the death penalty in china, said penalty being enforced by a bullet to the head and your family billed for the bullet, if I remember correctly).

Now there's a light shone on it all, despite the official denial, you'll simply see this office building shift to an even more anonymous business park halfway across the country (or maybe inside an army base that people just can't wander into and photograph), and the exploits will simply start to cover their traces better.

Sure they'll evolve - let them. The point here is that they're going to evolve anyway if we let them operate with impunity from a location where they're bulletproof.

--srs

On Thursday, February 21, 2013, Scott Weeks wrote:
> --- valdis.kletni...@vt.edu wrote:
>> The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place
>
> This all seems to be noobie stuff. There's nothing technically cool to see here. All they do is spear phishing and, once the link is clicked, put in a backdoor that uses commonly available tools. As I suspected earlier it's M$ against M$ only. The downside is nontechnical folks in positions of power often have sensitive data on their computers, only know M$ and don't have the knowledge not to click on that bank email.
>
> Technically, it was 74 pages of yawn. Don't waste your time unless you're interested in how they found out where the attack was originating from and how they tied it to the .cn gov't.
>
> scott

-- 
--srs (iPad)
Re: NYT covers China cyberthreat
I can't help but wonder what would happen if US Corporations simply blocked all inbound Chinese traffic. Sure it would hurt their business, but imagine what the Chinese people would do in response. It seems like China takes very little seriously until it goes mainstream. This is happening right now with their political system, they are attempting (publicly) to rid themselves of bad apples. I think this applies to the majority of the Internet dependent countries, people are ready to jump out of a window if facebook or Twitter is down. Imagine the revolt after every major US based provider stopped taking their calls, and data. I understand the implications, but I think this may be the only real way to spank them (I know the financial ramifications..)

From my Android phone on T-Mobile. The first nationwide 4G network.

-------- Original message --------
From: Suresh Ramasubramanian ops.li...@gmail.com
Date: 02/20/2013 5:22 PM (GMT-08:00)
To: sur...@mauigateway.com
Cc: nanog@nanog.org
Subject: Re: NYT covers China cyberthreat

> Net net - what we have here is, so far, relatively low tech exploits with a huge element of brute force, and the only innovation being in the delivery mechanism - very well crafted spear phishes.
>
> They don't particularly need to hide in a location where they're literally bulletproof (considering how many crimes have the death penalty in china, said penalty being enforced by a bullet to the head and your family billed for the bullet, if I remember correctly).
>
> Now there's a light shone on it all, despite the official denial, you'll simply see this office building shift to an even more anonymous business park halfway across the country (or maybe inside an army base that people just can't wander into and photograph), and the exploits will simply start to cover their traces better.
>
> Sure they'll evolve - let them. The point here is that they're going to evolve anyway if we let them operate with impunity from a location where they're bulletproof.
>
> --srs
>
> On Thursday, February 21, 2013, Scott Weeks wrote:
>> --- valdis.kletni...@vt.edu wrote:
>>> The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place
>>
>> This all seems to be noobie stuff. There's nothing technically cool to see here. All they do is spear phishing and, once the link is clicked, put in a backdoor that uses commonly available tools. As I suspected earlier it's M$ against M$ only. The downside is nontechnical folks in positions of power often have sensitive data on their computers, only know M$ and don't have the knowledge not to click on that bank email.
>>
>> Technically, it was 74 pages of yawn. Don't waste your time unless you're interested in how they found out where the attack was originating from and how they tied it to the .cn gov't.
>>
>> scott
>
> -- 
> --srs (iPad)
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
On Feb 20, 2013, at 3:20 PM, Jack Bates jba...@brightok.net wrote:
> On 2/20/2013 1:05 PM, Jon Lewis wrote:
>> See thread: nanog impossible circuit
>>
>> Even your leased lines can have packets copied off or injected into them, apparently so easily it can be done by accident.
>
> This is especially true with pseudo-wire and mpls. Most of my equipment can filter-based mirror to alternative mpls circuits where I can drop packets into my analyzers. If I misconfigure, those packets could easily find themselves back on public networks.

An amazing percentage of private lines are pseudowires, and neither you nor your telco salesdroid can know or tell; even the real circuits are routed through DACS, ATM switches, and the like. This is what link encryptors are all about; use them.

(Way back when, we had a policy of using link encryptors on all overseas circuits -- there was a high enough probability of underwater fiber cuts, perhaps by fishing trawlers or fishing trawlers, that our circuits might suddenly end up on a satellite link. And we were only worrying about commercial-grade security.)

--Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: NYT covers China cyberthreat
Failure to understand reality is not reality's fault.

On February 20, 2013 at 09:10 calin.chior...@secdisk.net (calin.chiorean) wrote:
> If I didn't miss any part of the report, no *nix is mentioned. I'm a *nix fan, but why they (when I say they, I mean an attacker, not necessary the one in this document) should complicate their life, when all tools are available for windows os, you just have to compile them.
>
> Cheers,
> Calin
>
> On Wed, 20 Feb 2013 09:02:35 +0100 Scott Weeks wrote
>> Be sure to read the source: intelreport.mandiant.com/Mandiant_APT1_Report.pdf
>>
>> I'm only part way through, but I find it hard to believe that only micro$loth computers are used as the attack OS. Maybe I haven't gotten far enough through report to find the part where they use the *nix boxes?
>>
>> scott

-- 
-Barry Shein
The World  |  b...@theworld.com  |  http://www.TheWorld.com
Purveyors to the Trade  |  Voice: 800-THE-WRLD  |  Dial-Up: US, PR, Canada
Software Tool & Die  |  Public Access Internet  |  SINCE 1989  *oo*
Re: NYT covers China cyberthreat
On Feb 20, 2013, at 1:33 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said:
>> boys and girls, all the cyber-capable countries are cyber-culpable. you can bet that they are all snooping and attacking each other, the united states no less than the rest. news at eleven.
>
> The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place

This strongly suggests that it's not their A-team, for whatever value of "their" you prefer. (My favorite mistake was some of them updating their Facebook pages when their work took them outside the Great Firewall.) They just don't show much in the way of good operational security.

Aside: A few years ago, a non-US friend of mine mentioned a conversation he'd had with a cyber guy from his own country's military. According to this guy, about 130 countries had active military cyberwarfare units. I don't suppose that the likes of Ruritania has one, but I think it's a safe assumption that more or less every first and second world country, and not a few third world ones are in the list.

The claim here is not that China is engaging in cyberespionage. That would go under the heading of "I'm shocked, shocked to find that there's spying going on here." Rather, the issue that's being raised is the target: commercial firms, rather than the usual military and government secrets. That is what the US is saying goes beyond the usual rules of the game. In fact, the US has blamed not just China but also Russia, France, and Israel (see http://www.israelnationalnews.com/News/News.aspx/165108 -- and note that that's an Israeli news site) for such activities. France was notorious for that in the 1990s; there were many press reports of bugged first class seats on Air France, for example.

The term for what's going on is "cyberexploitation", as opposed to "cyberwar". The US has never come out against it in principle, though it never likes it when aimed at the US. (Every other nation feels the same way about its companies and networks, of course.) For a good analysis of the legal aspects, see http://www.lawfareblog.com/2011/08/what-is-the-government%E2%80%99s-strategy-for-the-cyber-exploitation-threat/

--Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: NYT covers China cyberthreat
Very true. The objection is more that the exploits are aimed at civilian rather than (or, more accurately, as well as) military / government / beltway targets.

Which makes the alleged chinese strategy rather more like financing jihadis to suicide bomb and shoot up hotels and train stations, rather than any sort of disciplined warfare or espionage.

--srs (htc one x)

On 21-Feb-2013 7:40 AM, Steven Bellovin s...@cs.columbia.edu wrote:
> On Feb 20, 2013, at 1:33 PM, valdis.kletni...@vt.edu wrote:
>> On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said:
>>> boys and girls, all the cyber-capable countries are cyber-culpable. you can bet that they are all snooping and attacking each other, the united states no less than the rest. news at eleven.
>>
>> The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place
>
> This strongly suggests that it's not their A-team, for whatever value of "their" you prefer. (My favorite mistake was some of them updating their Facebook pages when their work took them outside the Great Firewall.) They just don't show much in the way of good operational security.
>
> Aside: A few years ago, a non-US friend of mine mentioned a conversation he'd had with a cyber guy from his own country's military. According to this guy, about 130 countries had active military cyberwarfare units. I don't suppose that the likes of Ruritania has one, but I think it's a safe assumption that more or less every first and second world country, and not a few third world ones are in the list.
>
> The claim here is not that China is engaging in cyberespionage. That would go under the heading of "I'm shocked, shocked to find that there's spying going on here." Rather, the issue that's being raised is the target: commercial firms, rather than the usual military and government secrets. That is what the US is saying goes beyond the usual rules of the game. In fact, the US has blamed not just China but also Russia, France, and Israel (see http://www.israelnationalnews.com/News/News.aspx/165108 -- and note that that's an Israeli news site) for such activities. France was notorious for that in the 1990s; there were many press reports of bugged first class seats on Air France, for example.
>
> The term for what's going on is "cyberexploitation", as opposed to "cyberwar". The US has never come out against it in principle, though it never likes it when aimed at the US. (Every other nation feels the same way about its companies and networks, of course.) For a good analysis of the legal aspects, see http://www.lawfareblog.com/2011/08/what-is-the-government%E2%80%99s-strategy-for-the-cyber-exploitation-threat/
>
> --Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)
--- s...@cs.columbia.edu wrote:
From: Steven Bellovin s...@cs.columbia.edu

> An amazing percentage of private lines are pseudowires, and neither you nor your telco salesdroid can know or tell; even the real circuits are routed through DACS, ATM switches, and the like. This is what link encryptors are all about; use them.
-----------------------------------

I would sure be interested in hearing about hands-on operational experiences with encryptors. Recent experiences have left me with a sour taste in my mouth. blech!

scott
Re: NYT covers China cyberthreat
When you really look at human behavior the thing that remains the same is core motives. The competition makes sense in that it is human nature to aggresse for resources. We are challenged in the fact that we 'want' to belong among the other five. This will never change but. What is really a travesty here is that most of us have been saying hey this is critical and can now shift to I told you so… in that if you did what we said to do 1 … 5 …. 10 … years ago .. you would have mitigated this risk.. Basically, genetically we have not changed, so what behavior would suggest that (even with the introduction of faster calculators).. why would we change? Just means we would do X faster …….

This is my first comment to the list.. please flame me privately to save the list :) *** or publicly who think I should really be spanked!!! ***

Regards,
Richard

On Feb 20, 2013, at 7:27 PM, Suresh Ramasubramanian ops.li...@gmail.com wrote:

> Very true. The objection is more that the exploits are aimed at civilian rather than (or, more accurately, as well as) military / government / beltway targets. Which makes the alleged Chinese strategy rather more like financing jehadis to suicide bomb and shoot up hotels and train stations, rather than any sort of disciplined warfare or espionage.
>
> --srs (htc one x)
>
> On 21-Feb-2013 7:40 AM, Steven Bellovin s...@cs.columbia.edu wrote:
>
>> On Feb 20, 2013, at 1:33 PM, valdis.kletni...@vt.edu wrote:
>>
>>> On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said:
>>>
>>>> boys and girls, all the cyber-capable countries are cyber-culpable. you can bet that they are all snooping and attacking each other, the united states no less than the rest. news at eleven.
>>>
>>> The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place
>>
>> This strongly suggests that it's not their A-team, for whatever value of "their" you prefer. (My favorite mistake was some of them updating their Facebook pages when their work took them outside the Great Firewall.) They just don't show much in the way of good operational security.
>>
>> Aside: A few years ago, a non-US friend of mine mentioned a conversation he'd had with a cyber guy from his own country's military. According to this guy, about 130 countries had active military cyberwarfare units. I don't suppose that the likes of Ruritania has one, but I think it's a safe assumption that more or less every first and second world country, and not a few third world ones, are in the list.
>>
>> The claim here is not that China is engaging in cyberespionage. That would go under the heading of "I'm shocked, shocked to find that there's spying going on here." Rather, the issue that's being raised is the target: commercial firms, rather than the usual military and government secrets. That is what the US is saying goes beyond the usual rules of the game.
>>
>> In fact, the US has blamed not just China but also Russia, France, and Israel (see http://www.israelnationalnews.com/News/News.aspx/165108 -- and note that that's an Israeli news site) for such activities. France was notorious for that in the 1990s; there were many press reports of bugged first class seats on Air France, for example.
>>
>> The term for what's going on is "cyberexploitation", as opposed to "cyberwar". The US has never come out against it in principle, though it never likes it when aimed at the US. (Every other nation feels the same way about its companies and networks, of course.)
>>
>> For a good analysis of the legal aspects, see http://www.lawfareblog.com/2011/08/what-is-the-government%E2%80%99s-strategy-for-the-cyber-exploitation-threat/
>>
>> --Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: NYT covers China cyberthreat
The only spanking that has been going on nanog lately is Jay using his email to keep us up to date on current news. I am going to call it a night, and look for a SCUD fired from Florida in the morning. ;)

On 2/20/13 11:29 PM, Richard Porter rich...@pedantictheory.com wrote:

> When you really look at human behavior the thing that remains the same is core motives. The competition makes sense in that it is human nature to aggresse for resources. We are challenged in the fact that we 'want' to belong among the other five. This will never change but. What is really a travesty here is that most of us have been saying hey this is critical and can now shift to I told you so… in that if you did what we said to do 1 … 5 …. 10 … years ago .. you would have mitigated this risk.. Basically, genetically we have not changed, so what behavior would suggest that (even with the introduction of faster calculators).. why would we change? Just means we would do X faster …….
>
> This is my first comment to the list.. please flame me privately to save the list :) *** or publicly who think I should really be spanked!!! ***
>
> Regards,
> Richard
>
> On Feb 20, 2013, at 7:27 PM, Suresh Ramasubramanian ops.li...@gmail.com wrote:
>
>> Very true. The objection is more that the exploits are aimed at civilian rather than (or, more accurately, as well as) military / government / beltway targets. Which makes the alleged Chinese strategy rather more like financing jehadis to suicide bomb and shoot up hotels and train stations, rather than any sort of disciplined warfare or espionage.
>>
>> --srs (htc one x)
>>
>> On 21-Feb-2013 7:40 AM, Steven Bellovin s...@cs.columbia.edu wrote:
>>
>>> On Feb 20, 2013, at 1:33 PM, valdis.kletni...@vt.edu wrote:
>>>
>>>> On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said:
>>>>
>>>>> boys and girls, all the cyber-capable countries are cyber-culpable. you can bet that they are all snooping and attacking each other, the united states no less than the rest. news at eleven.
>>>>
>>>> The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place
>>>
>>> This strongly suggests that it's not their A-team, for whatever value of "their" you prefer. (My favorite mistake was some of them updating their Facebook pages when their work took them outside the Great Firewall.) They just don't show much in the way of good operational security.
>>>
>>> Aside: A few years ago, a non-US friend of mine mentioned a conversation he'd had with a cyber guy from his own country's military. According to this guy, about 130 countries had active military cyberwarfare units. I don't suppose that the likes of Ruritania has one, but I think it's a safe assumption that more or less every first and second world country, and not a few third world ones, are in the list.
>>>
>>> The claim here is not that China is engaging in cyberespionage. That would go under the heading of "I'm shocked, shocked to find that there's spying going on here." Rather, the issue that's being raised is the target: commercial firms, rather than the usual military and government secrets. That is what the US is saying goes beyond the usual rules of the game.
>>>
>>> In fact, the US has blamed not just China but also Russia, France, and Israel (see http://www.israelnationalnews.com/News/News.aspx/165108 -- and note that that's an Israeli news site) for such activities. France was notorious for that in the 1990s; there were many press reports of bugged first class seats on Air France, for example.
>>>
>>> The term for what's going on is "cyberexploitation", as opposed to "cyberwar". The US has never come out against it in principle, though it never likes it when aimed at the US. (Every other nation feels the same way about its companies and networks, of course.)
>>>
>>> For a good analysis of the legal aspects, see http://www.lawfareblog.com/2011/08/what-is-the-government%E2%80%99s-strategy-for-the-cyber-exploitation-threat/
>>>
>>> --Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: NYT covers China cyberthreat
On Thursday, February 21, 2013, Warren Bailey wrote:

> The only spanking that has been going on nanog lately is Jay using his email to keep us up to date on current news. I am going to call it a night, and look for a SCUD fired from Florida in the morning. ;)

Nanog setting their list server up to mandate that envelope from matches header from should take care of this .. I see the envelope being whatever, nob...@server.example.com type stuff more often than not, in all these forwarded articles that are supposed to be coming from Jay's account.

--srs

--
--srs (iPad)
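The envelope-from versus header-from check proposed above, as an added example that is not part of the original thread and not any list server's own code: it reads the envelope sender the receiving MTA records in Return-Path, compares it with the From: header, and rejects a post when the two disagree or either is missing. The sample messages and addresses are constructed placeholders.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (placeholder addresses, not real list traffic).
# The first is an ordinary post; the second mimics a forwarded article whose
# envelope sender is a generic relay mailbox while From: claims a subscriber.
GOOD_MSG = """Return-Path: <subscriber@example.com>
From: A Subscriber <subscriber@example.com>
To: list@example.org
Subject: Re: NYT covers China cyberthreat

Here is the article link.
"""

FORWARDED_MSG = """Return-Path: <nobody@server.example.com>
From: A Subscriber <subscriber@example.com>
To: list@example.org
Subject: Fwd: NYT covers China cyberthreat

Forwarded article body.
"""

# Envelope sender never recorded at all: no Return-Path line.
NO_ENVELOPE_MSG = """From: A Subscriber <subscriber@example.com>
To: list@example.org
Subject: test

body
"""


def envelope_matches_header(raw: str) -> bool:
    """True when the envelope sender (which the receiving MTA records in
    Return-Path) is the same mailbox as the RFC 5322 From: address.
    The comparison is case-insensitive on the whole address; a real list
    server might compare only the domain part (assumption, not policy)."""
    msg = email.message_from_string(raw)
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    _, header = parseaddr(msg.get("From", ""))
    if not envelope or not header:
        # Either value missing: treat as a mismatch, never as a pass.
        return False
    return envelope.lower() == header.lower()


def list_server_decision(raw: str) -> str:
    """Policy from the thread: accept only when envelope and header agree."""
    return "accept" if envelope_matches_header(raw) else "reject"
```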
Re: NYT covers China cyberthreat
quite a bit of coverage lately from the media.

http://online.wsj.com/article/SB10001424127887323764804578313101135258708.html
http://www.bbc.co.uk/news/world-asia-pacific-21505803
http://www.npr.org/2013/02/19/172373133/report-links-cyber-attacks-on-u-s-to-chinas-military
http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked

On Mon, Feb 18, 2013 at 7:23 PM, Jay Ashworth j...@baylink.com wrote:

> http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all
>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.

--
Kyle Creyts
Information Assurance Professional
BSidesDetroit Organizer
Re: NYT covers China cyberthreat
boys and girls, all the cyber-capable countries are cyber-culpable. you can bet that they are all snooping and attacking each other, the united states no less than the rest. news at eleven.

randy
Re: NYT covers China cyberthreat
We have done our part to China as well along with other countries in state sponsored hacking. This is more of news amusement rather than news worthy. Question here should be how much of this is another effort to get a kill switch type bill back.

Zaid

On Feb 19, 2013, at 10:10 PM, Kyle Creyts kyle.cre...@gmail.com wrote:

> quite a bit of coverage lately from the media.
>
> http://online.wsj.com/article/SB10001424127887323764804578313101135258708.html
> http://www.bbc.co.uk/news/world-asia-pacific-21505803
> http://www.npr.org/2013/02/19/172373133/report-links-cyber-attacks-on-u-s-to-chinas-military
> http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked
>
> On Mon, Feb 18, 2013 at 7:23 PM, Jay Ashworth j...@baylink.com wrote:
>
>> http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all
>>
>> --
>> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
> --
> Kyle Creyts
> Information Assurance Professional
> BSidesDetroit Organizer
Re: NYT covers China cyberthreat
An Internet kill switch is a nightmare. We can't even figure out how to run a relay radio system for national emergencies.. Now we are going to assume the people who were owned can somehow shut off communications? We as Americans have plenty of things we have done halfass.. I hope an Internet kill switch doesn't end up being one of them. Build your own private networks, you can't get rooted if someone can't knock. Simple as that.

From my Android phone on T-Mobile. The first nationwide 4G network.

Original message
From: Zaid Ali Kahn z...@zaidali.com
Date: 02/19/2013 10:44 PM (GMT-08:00)
To: Kyle Creyts kyle.cre...@gmail.com
Cc: nanog@nanog.org
Subject: Re: NYT covers China cyberthreat

> We have done our part to China as well along with other countries in state sponsored hacking. This is more of news amusement rather than news worthy. Question here should be how much of this is another effort to get a kill switch type bill back.
>
> Zaid
>
> On Feb 19, 2013, at 10:10 PM, Kyle Creyts kyle.cre...@gmail.com wrote:
>
>> quite a bit of coverage lately from the media.
>>
>> http://online.wsj.com/article/SB10001424127887323764804578313101135258708.html
>> http://www.bbc.co.uk/news/world-asia-pacific-21505803
>> http://www.npr.org/2013/02/19/172373133/report-links-cyber-attacks-on-u-s-to-chinas-military
>> http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked
>>
>> On Mon, Feb 18, 2013 at 7:23 PM, Jay Ashworth j...@baylink.com wrote:
>>
>>> http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all
>>>
>>> --
>>> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>>
>> --
>> Kyle Creyts
>> Information Assurance Professional
>> BSidesDetroit Organizer