Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)
At 6:34 PM + 5/20/07, John Levine wrote:

>> I've heard nothing formal, but my strong understanding is a lot of US government machines, at least if we're talking workstations on non-classified nets, are in fact 0wn3d at this point.
>
> Well, here's an anecdote: at last year's CEAS conference, Rob Thomas of Team Cymru gave the keynote on the underground economy, with a most horrifying set of both live demos and selected snapshots of the online bazaars where online warez are traded, everything from zombie farms to spamware to stolen credit cards. One of the more amusing was a guy who offered a zombie in some part of the government that you'd hope would be moderately secure, NASA or someplace like that, at a higher than normal price. The immediate response was ridicule, bots on government nets are a dime a dozen, and aren't worth any more than any other bot.

Oh, goodie. I get to use the same source to show the opposite. At Rob's talk at the AOTA summit, he talked about someone offering some botted machines in a particular US government subnet at a normal price and someone quickly over-bid by a suspiciously high amount. The assumption is that it was for the possible data on those machines.

--Paul Hoffman, Director
--VPN Consortium

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)
A while ago, I did a rough calculation that made me state that 15-30% of all machines are no longer under the sole control of their owner. In the intervening months, I got some hate mail on this, but in those same intervening months Vint Cerf said 40%, Microsoft said 2/3rds, and IDC said 3/4ths. Whatever it is, it is 0.

And, of course, definitions matter. I don't think that 0wned is a binary variable any more; there are degrees of 0wned-ness with a wide range between the optimist ("I replaced the only program that was trojaned") to the pessimist ("Any compromise of any sub-component makes the entire edifice untrustable").

--dan
Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)
Ivan Krstić wrote:

> I think it's anything but surprising. There's only so much you can do to significantly improve systems security if you're unwilling to break backwards compatibility -- many of the fundamental premises of desktop security are fatally flawed, chief among them the idea that all programs execute with the full privileges of the executing user.

part of this is that many of the basic platforms providing internet connectivity evolved from disconnected/unconnected desk/table top environment ... with lots of applications assuming that they had full free access to all resources. attempting to leverage the same platforms for connectivity to the extreme hostility and anarchy of the internet creates diametrically opposing requirements.

one countermeasure from the 60s is to use a dynamically created (padded cell) virtual machine for internet connectivity ... with limited scope and accesses. then when the session completes ... the environment is collapsed and everything is discarded. while the native system operation may have little or no defenses against the hostile internet ... the padded cell virtual machine environment is used to bound the scope of any penetration ... somewhat analogous to air gapping.

recent post:
http://www.garlic.com/~lynn/2007k.html#48

somewhat older reference:
http://www.nsa.gov/selinux/list-archive/0409/8362.cfm
Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)
> I've heard nothing formal, but my strong understanding is a lot of US government machines, at least if we're talking workstations on non-classified nets, are in fact 0wn3d at this point.

Well, here's an anecdote: at last year's CEAS conference, Rob Thomas of Team Cymru gave the keynote on the underground economy, with a most horrifying set of both live demos and selected snapshots of the online bazaars where online warez are traded, everything from zombie farms to spamware to stolen credit cards. One of the more amusing was a guy who offered a zombie in some part of the government that you'd hope would be moderately secure, NASA or someplace like that, at a higher than normal price. The immediate response was ridicule, bots on government nets are a dime a dozen, and aren't worth any more than any other bot.

R's,
John
Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)
On Sat, May 19, 2007 at 05:01:03PM -0400, Perry E. Metzger wrote:
|
| Trei, Peter [EMAIL PROTECTED] writes:
| 1. Do you have any particular evidence that any significant
| number of US .gov machines are bots? They may well be, just
| I haven't heard this.
|
| I've heard nothing formal, but my strong understanding is a lot of US
| government machines, at least if we're talking workstations on
| non-classified nets, are in fact 0wn3d at this point.

This should http://blog.support-intelligence.com/2007/04/doa-week-14-2007.html claims to measure bot activity. Now, it may be that US .gov hosts are worth more, and so don't get used in random DOS attacks, but I think this is some of the more interesting evidence out there.

I've asked some questions about it in http://www.emergentchaos.com/archives/2007/04/month_of_owned_corporatio.html

Speaking for me only,
Adam
Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)
Perry E. Metzger wrote:

> What is interesting to me is that, even though things have nearly gotten as bad as they could possibly get, we still have seen very little real effort made to improve systems security (at least in comparison with what is necessary to make a big dent).

I think it's anything but surprising. There's only so much you can do to significantly improve systems security if you're unwilling to break backwards compatibility -- many of the fundamental premises of desktop security are fatally flawed, chief among them the idea that all programs execute with the full privileges of the executing user.

One Laptop per Child is breaking application backwards compatibility for a number of reasons, one of which is security. As a result, I'm earnestly hoping that our systems security platform, Bitfrost[0], will be an improvement on the scale you're talking about. But time will tell.

(Sidenote: I'm giving a keynote at AusCERT tomorrow about exactly this, titled 'Everything you know about desktop security is wrong, or: How I Learned to Stop Worrying and Love the Virtual Machine'. Any list members who are at the conference should mail me if they want to play with an OLPC laptop and commiserate about desktop security over beer.)

[0] Summary at http://wiki.laptop.org/go/Bitfrost with full spec at http://wiki.laptop.org/go/OLPC_Bitfrost

--
Ivan Krstić [EMAIL PROTECTED] | GPG: 0x147C722D