NYT covers China cyberthreat

Adele Thompson paigeadele at gmail.com
Wed Feb 27 06:24:25 UTC 2013


On Tue, Feb 26, 2013 at 8:39 AM, Kyle Creyts <kyle.creyts at gmail.com> wrote:

> I think it is safe to say that finding a foothold inside of the United
> States from which to perform/proxy an attack is not the hardest thing
> in the world. I don't understand why everyone expects that major
> corporations and diligent operators blocking certain countries'
> prefixes will help. That being said, you make a solid point to which
> people should absolutely listen: applying an understanding of your
> business-needs-network-traffic baseline to your firewall rules and
> heuristic network detections (in a more precise fashion than just "IPs
> from country $x") is a SOLID tactic that yields huge security
> benefits. Nobody who cares about security should really be able to
> argue with it (plenty of those who don't care will hate it, though),
> and it makes life _awful_ for any attackers.
>
> On Tue, Feb 26, 2013 at 3:43 AM, Rich Kulawiec <rsk at gsp.org> wrote:
> > On Thu, Feb 21, 2013 at 11:47:44AM -0600, Naslund, Steve wrote:
> >
> > [a number of very good points ]
> >
> > Geoblocking, like passive OS fingerprinting (another technique that
> > reduces attack surface as measured along one axis but can be defeated
> > by a reasonably clueful attacker), doesn't really solve problems, per se.
> > If you have a web app that's vulnerable to SQL injection attacks, then
> > it's still just as hackable -- all the attacker has to do is try from
> > somewhere else, from something else.
> >
> > But...
> >
> > 1. It raises the bar.  And it cuts down on the noise, which is one of the
> > security meta-problems we face: our logs capture so much cruft, so many
> > instances of attacks and abuse and mistakes and misconfigurations and
> > malfunctions, that we struggle to understand what they're trying to tell
> > us.  That problem is so bad that there's an entire subindustry built
> > around the task of trying to reduce what's in the logs to something
> > that a human brain can process in finite time.  Mountains of time
> > and wads of cash have been spent on the thorny problems that arise
> > when we try to figure out what to pay attention to and what to ignore...
> > and we still screw it up.  Often.
> >
> > So even if the *only* effect of doing so is to shrink the size of
> > the logs: that's a win.  (And used judiciously, it can be a HUGE win,
> > as in "several orders of magnitude".)  So if your security guy is
> > as busy as you say...maybe this would be a good idea.
> >
> > And let me note in passing that by raising the bar, it ensures that
> > you're faced with a somewhat higher class of attacker.  It's one
> > thing to be hacked by a competent, diligent adversary who wields
> > their tools with rapier-like precision; it's another to be owned
> > by a script kiddie who has no idea what they're doing and doesn't
> > even read the language your assets are using.  That's just embarrassing.
> >
> > 2. Outbound blocks work too, y'know.  Does anybody in your marketing
> > department need to reach Elbonia?  If not, then why are you allowing
> > packets from that group's desktops to go there?  Because either
> > (a) it's someone doing something they shouldn't or (b) it's something doing
> > something it shouldn't, as in a bot trying to phone home or a data
> > exfiltration attack or something else unpleasant.  So if there's
> > no business need for that group to exchange packets with Elbonia
> > or any of 82 other countries, why *aren't* you blocking that?
> >
> > 3. Yes, this can turn into a moderate-sized matrix of inbound and
> > outbound rules.  That's why make(1) and similar tools are your friends,
> > because they'll let you manage this without needing to resort to scotch
> > by 9:30 AM.  And yes, sometimes things will break (because something's
> > changed) -- but the brokenness is the best kind of brokenness: obvious,
> > deterministic, repeatable, fixable.
> >
> > It's not hard.  But it does require that you actually know what your
> > own systems are doing and why.
> >
> > 4. "We were hacked from China" is wearing awfully damn thin as the
> > feeble whining excuse of people who should have bidirectionally firewalled
> > out China from their corporate infrastructure (note: not necessarily
> > their public-facing servers) years ago.  And "our data was exfiltrated
> > to Elbonia" is getting thin as an excuse too: if you do not have an
> > organizational need to allow outbound network traffic to Elbonia, then
> > why the hell are you letting so much as a single packet go there?
> >
> > Like I said: at least make them work for it.  A little.  Instead of
> > doing profoundly idiotic things like the NYTimes (e.g., "infrastructure
> > reachable from the planet", "using M$ software", "actually believing that
> > anti-virus software will work despite a quarter-century of uninterrupted
> > failure", etc.).  That's not making them work for it: that's inviting
> > them in, rolling out the red carpet, and handing them celebratory champagne.
> >
> > ---rsk
> >
>
>
>
> --
> Kyle Creyts
>
> Information Assurance Professional
> BSidesDetroit Organizer
>
>

I've been doing some thinking about the internet tonight and came across
this e-mail, by which I am intrigued. Currently we suffer from DDoS downtime
on Rackspace (granted, it's a very small amount of time); it's a hit to our
only single point of failure, which I am currently trying to solve by
obtaining a /24 and an anycast address as a means of mitigation and
providing a highly available HTTP cluster of load balancers. I can't help
but wonder if the cost (both in IPv4 resources and cash) outweighs the
worth of an environment that is sanctioned from the globe. While cloud
hosting has proven to be a scalable solution for our needs, we currently
are only serving US-based organizations, as far as I know. Even so, the
desire to grow beyond that isn't far-fetched when adding networks that are
still segregated from access outside of a country becomes more available
(kinda like VLANs).
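Rich's point 3 above (an inbound/outbound country matrix kept manageable with make(1)-style tooling) is easiest to see in code. What follows is an added example, not code from this thread or from any of its participants: a POSIX shell generator that turns a small business-need table into an nftables ruleset, so the policy lives in a few text tables under version control and the rules are regenerated deterministically and diffed before loading. The group names, subnets, country codes (including "EL" for Elbonia) and prefixes are all constructed; RFC 5737 documentation ranges stand in for geo-IP data.

```shell
#!/bin/sh
# Added example (not from the thread): generate an nftables ruleset from a small
# "business need" matrix so the bidirectional country rules stay reviewable.
# Everything below (groups, subnets, country codes, prefixes) is constructed;
# RFC 5737 documentation ranges stand in for real geo-IP data.

# Internal desktop groups and their subnets (constructed).
GROUPS_TSV='marketing	10.10.0.0/24
engineering	10.20.0.0/24
finance	10.30.0.0/24'

# Business-need matrix: group <tab> country code (constructed). A group not
# listed with a country gets that country blocked in both directions; "-" is a
# placeholder meaning "no external business need at all".
NEEDS_TSV='marketing	DE
engineering	DE
engineering	JP
finance	-'

# Country code <tab> prefix (constructed). "EL" is Elbonia, to keep the joke.
PREFIXES_TSV='DE	198.51.100.0/24
DE	203.0.113.0/25
JP	192.0.2.0/24
EL	203.0.113.128/25'

TAB="$(printf '\t')"

# Distinct country codes present in the prefix table, sorted for stable output
# (stable output is what makes the generated ruleset diffable).
countries() {
  printf '%s\n' "$PREFIXES_TSV" | cut -f1 | sort -u
}

# Does the matrix grant group $1 a business need for country $2? (exit status)
has_need() {
  printf '%s\n' "$NEEDS_TSV" |
    awk -F'\t' -v g="$1" -v c="$2" '$1 == g && $2 == c { f = 1 } END { exit !f }'
}

# One nftables interval set per country, e.g. "set geo_DE { ... }".
gen_sets() {
  for c in $(countries); do
    elems=$(printf '%s\n' "$PREFIXES_TSV" |
      awk -F'\t' -v c="$c" '$1 == c { printf "%s%s", (n++ ? ", " : ""), $2 }')
    printf '  set geo_%s { type ipv4_addr; flags interval; elements = { %s } }\n' "$c" "$elems"
  done
}

# Two drop rules (outbound and inbound) for every group/country pair with no
# business need. "counter" makes each rule report how often it fired, which is
# the cheap way to see how much noise a block is keeping out of the logs.
gen_block_rules() {
  printf '%s\n' "$GROUPS_TSV" | while IFS="$TAB" read -r grp net; do
    for c in $(countries); do
      if has_need "$grp" "$c"; then
        continue
      fi
      printf '    ip saddr %s ip daddr @geo_%s counter drop comment "%s: no need for %s"\n' \
        "$net" "$c" "$grp" "$c"
      printf '    ip saddr @geo_%s ip daddr %s counter drop comment "%s: no need for %s"\n' \
        "$c" "$net" "$grp" "$c"
    done
  done
}

# Complete ruleset, suitable for "nft -c -f" (syntax check) and then "nft -f".
gen_ruleset() {
  printf 'table inet geopolicy {\n'
  gen_sets
  printf '  chain forward {\n    type filter hook forward priority 0; policy accept;\n'
  gen_block_rules
  printf '  }\n}\n'
}

gen_ruleset
```

The make(1) part is then a one-line target (a rules file that depends on the three tables and is rebuilt by this script), and `nft -c -f` on the result gives the "obvious, deterministic, repeatable" failure mode Rich describes when a table edit produces something the kernel will not load. The per-rule counters also put a number on point 1: read them after a week and you know how many packets never reached the logs.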




More information about the NANOG mailing list