Fwd: Re: NYT covers China cyberthreat

jjanusze at wd-tek.com
Wed Feb 27 16:29:51 UTC 2013


Defense in Depth has been paid lipservice for too long, and now we are
witnessing the outcome.

> ---------- Original Message ----------
> From: Adele Thompson <paigeadele at gmail.com>
> To: Kyle Creyts <kyle.creyts at gmail.com>
> Cc: Derek Noggle <dnoggle at gmail.com>, nanog at nanog.org
> Date: February 27, 2013 at 1:24 AM
> Subject: Re: NYT covers China cyberthreat
>
> On Tue, Feb 26, 2013 at 8:39 AM, Kyle Creyts <kyle.creyts at gmail.com> wrote:
>
> > I think it is safe to say that finding a foothold inside of the United
> > States from which to perform/proxy an attack is not the hardest thing
> > in the world. I don't understand why everyone expects that major
> > corporations and diligent operators blocking certain countries'
> > prefixes will help. That being said, you make a solid point to which
> > people should absolutely listen: applying an understanding of your
> > business-needs-network-traffic baseline to your firewall rules and
> > heuristic network detections (in a more precise fashion than just "IPs
> > from country $x") is a SOLID tactic that yields huge security
> > benefits. Nobody who cares about security should really be able to
> > argue with it (plenty of those who care don't will hate it, though),
> > and makes life _awful_ for any attackers.
> >
> > On Tue, Feb 26, 2013 at 3:43 AM, Rich Kulawiec <rsk at gsp.org> wrote:
> > > On Thu, Feb 21, 2013 at 11:47:44AM -0600, Naslund, Steve wrote:
> > >
> > > [a number of very good points ]
> > >
> > > Geoblocking, like passive OS fingerprinting (another technique that
> > > reduces attack surface as measured along one axis but can be defeated
> > > by a reasonably clueful attacker), doesn't really solve problems, per se.
> > > If you have a web app that's vulnerable to SQL injection attacks, then
> > > it's still just as hackable -- all the attacker has to do is try from
> > > somewhere else, from something else.
> > >
> > > But...
> > >
> > > 1. It raises the bar. And it cuts down on the noise, which is one of the
> > > security meta-problems we face: our logs capture so much cruft, so many
> > > instances of attacks and abuse and mistakes and misconfigurations and
> > > malfunctions, that we struggle to understand what they're trying to tell
> > > us. That problem is so bad that there's an entire subindustry built
> > > around the task of trying to reduce what's in the logs to something
> > > that a human brain can process in finite time. Mountains of time
> > > and wads of cash have been spent on the thorny problems that arise
> > > when we try to figure out what to pay attention to and what to ignore...
> > > and we still screw it up. Often.
> > >
> > > So even if the *only* effect of doing so is to shrink the size of
> > > the logs: that's a win. (And used judiciously, it can be a HUGE win,
> > > as in "several orders of magnitude".) So if your security guy is
> > > as busy as you say...maybe this would be a good idea.
> > >
> > > And let me note in passing that by raising the bar, it ensures that
> > > you're faced with a somewhat higher class of attacker. It's one
> > > thing to be hacked by a competent, diligent adversary who wields
> > > their tools with rapier-like precision; it's another to be owned
> > > by a script kiddie who has no idea what they're doing and doesn't
> > > even read the language your assets are using. That's just embarrassing.
> > >
> > > 2. Outbound blocks work too, y'know. Does anybody in your marketing
> > > department need to reach Elbonia? If not, then why are you allowing
> > > packets from that group's desktops to go there? Because either
> > > (a) it's someone doing something they shouldn't or (b) it's something
> > > doing something it shouldn't, as in a bot trying to phone home or a data
> > > exfiltration attack or something else unpleasant. So if there's
> > > no business need for that group to exchange packets with Elbonia
> > > or any of 82 other countries, why *aren't* you blocking that?
> > >
> > > 3. Yes, this can turn into a moderate-sized matrix of inbound and
> > > outbound rules. That's why make(1) and similar tools are your friends,
> > > because they'll let you manage this without needing to resort to scotch
> > > by 9:30 AM. And yes, sometimes things will break (because something's
> > > changed) -- but the brokenness is the best kind of brokenness: obvious,
> > > deterministic, repeatable, fixable.
> > >
> > > It's not hard. But it does require that you actually know what your
> > > own systems are doing and why.
> > >
> > > 4. "We were hacked from China" is wearing awfully damn thin as the
> > > feeble whining excuse of people who should have bidirectionally
> > > firewalled out China from their corporate infrastructure (note: not necessarily
> > > their public-facing servers) years ago. And "our data was exfiltrated
> > > to Elbonia" is getting thin as an excuse too: if you do not have an
> > > organizational need to allow outbound network traffic to Elbonia, then
> > > why the hell are you letting so much as a single packet go there?
> > >
> > > Like I said: at least make them work for it. A little. Instead of
> > > doing profoundly idiotic things like the NYTimes (e.g., "infrastructure
> > > reachable from the planet", "using M$ software", "actually believing that
> > > anti-virus software will work despite a quarter-century of uninterrupted
> > > failure", etc.). That's not making them work for it: that's inviting
> > > them in, rolling out the red carpet, and handing them celebratory
> > > champagne.
> > >
> > > ---rsk
> > >
> >
> >
> >
> > --
> > Kyle Creyts
> >
> > Information Assurance Professional
> > BSidesDetroit Organizer
> >
> >
>
> I've been doing some thinking about the internet tonight and came across
> this e-mail by which I am intrigued. Currently we suffer from DDoS downtime
> on Rackspace (granted it's a very small amount of time, it's a hit to our
> only single point of failure, which I am currently trying to solve by
> obtaining a /24 and an anycast address as a means of mitigation and
> providing a highly available HTTP cluster of load balancers). I can't help
> but wonder if the cost (both in IPv4 resources and cash) outweighs the
> worth of an environment that is sanctioned from the globe. While cloud
> hosting has proven to be a scalable solution for our needs, we currently
> are only serving US-based organizations as far as I know. Even so, the
> desire to grow beyond that isn't far-fetched when adding networks that are
> still segregated from access outside of a country becomes more available
> (kinda like VLANs.)
>


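The thread's practical advice (derive bidirectional country blocks from a per-group business-need matrix, and use the same matrix to cut log noise) as an added example that is not part of the original thread. The prefixes are RFC 5737 documentation ranges standing in for a real GeoIP/RIR feed, the nftables table and chain names are assumptions, and the flow records are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample feed: country -> prefixes. Real deployments pull this
# from a GeoIP or RIR delegation file; these are RFC 5737 documentation ranges.
COUNTRY_PREFIXES = {
    "US": ["192.0.2.0/24"],
    "DE": ["198.51.100.0/24"],
    "ELBONIA": ["203.0.113.0/24"],
}

# Business-need matrix per desktop group: countries it legitimately exchanges
# packets with, in each direction. Anything not listed is default-deny.
POLICY = {
    "marketing": {"inbound": {"US"}, "outbound": {"US", "DE"}},
    "engineering": {"inbound": {"US"}, "outbound": {"US"}},
}

def country_of(ip):
    """Map an address to a country via the prefix feed; 'UNKNOWN' if unlisted."""
    addr = ipaddress.ip_address(ip)
    for country, prefixes in COUNTRY_PREFIXES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return country
    return "UNKNOWN"

def nft_rules(group):
    """Emit nftables drop rules for every country the group has no need for,
    in both directions. Table 'geo' and per-group chains are assumed names."""
    rules = []
    for direction, chain, field in (("inbound", "input", "saddr"),
                                    ("outbound", "output", "daddr")):
        for country, prefixes in sorted(COUNTRY_PREFIXES.items()):
            if country in POLICY[group][direction]:
                continue
            for p in prefixes:
                rules.append(f'add rule inet geo {chain}_{group} ip {field} {p} '
                             f'counter log prefix "geo-{group}-{direction}-{country} " drop')
    return rules

def review_flows(group, flows):
    """Classify (direction, remote_ip) records against the matrix.
    Returns (allowed_count, Counter of blocked flows keyed by (direction, country));
    only the blocked ones need a human's attention."""
    allowed, blocked = 0, Counter()
    for direction, remote in flows:
        country = country_of(remote)
        if country in POLICY[group][direction]:
            allowed += 1
        else:
            blocked[(direction, country)] += 1
    return allowed, blocked

SAMPLE_FLOWS = [  # constructed flow records for the marketing group
    ("outbound", "192.0.2.10"),     # US web service: expected
    ("outbound", "198.51.100.5"),   # DE partner: expected
    ("outbound", "203.0.113.77"),   # Elbonia: no business need, possible phone-home
    ("outbound", "203.0.113.78"),
    ("inbound", "203.0.113.1"),     # unsolicited inbound from Elbonia
]
```

Running `nft_rules("marketing")` yields three drop rules (inbound DE and Elbonia, outbound Elbonia), and `review_flows("marketing", SAMPLE_FLOWS)` leaves only the three Elbonia flows for review.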