Please run windows update now

valdis.kletnieks at vt.edu
Tue May 16 06:06:30 UTC 2017


On Mon, 15 May 2017 16:19:37 -0700, "Aaron C. de Bruyn via NANOG" said:

> Combine that with fail2ban.  When one user has more than 60 writes in
> 60 seconds *or* a write contains a well-known cryptolocker name (i.e.
> *DECRYPT_INSTRUCT*)

Oddly enough, we've seen *lots* of spammers that are *totally* able to
auto-tune their spew rate to whatever you set the knob to.  Set it to 3,293,
and it will quickly adjust to 3,250 or so.  Knock the knob down to 67, it will
tune down to 65. There's no reason to expect that the same methods won't
be used again.

If it's an entire network of vulnerable systems, it's perfectly reasonable for
malware to pick one system (the one with the least number of likely-valuable
files) as a sacrificial goat and burn it down, just to see where you've set the
knobs, and then fly under the radar for the rest of the network.

If malware waits till 5:01PM Friday or whenever it detects the user has left
for the weekend, and does a careful search of file extensions for files most
likely to be valuable enough to make the victim pay the ransom, and does them
at 3 per minute, how bad is the situation Monday morning?

So you restrict file change rate to 1 per hour or something draconian when the
user isn't at the keyboard.

What is the likely amount of time the malware can get away with doing 3 files a
minute in the background while the user *is* using the system, before they hit
an encrypted file and realize there's a problem (hint - avoid files modified in
the last few days and target more static files)?

What is the likely amount of time you can restrict the user to 2 files per
minute before they come looking for you with an ax?

Remember - the first rule of designing security is that if you haven't already
thought through the first several iterations of blatantly obvious ways to work
around your proposal, and dealt with them, it's guaranteed that the bad guys
will do so for you.

Remember this as well - the entire reason why Snowden walked away with so many
files was because the NSA was not using all the available security features
*because it put too much of a crimp in legitimate analyst activity*.  It's also
why almost nobody outside military and spook systems actually deploys MLS/MCS
security.

Given that we've been at this for well over 4 decades now, and we *still* can't
actually do it right, you should be *very* suspicious of any proposal that says
"Just count the number of opens, tie it to fail2ban, handwave yadda yadda
handwave *SECURE*".
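The following is an added example, not code from the NANOG thread or from either poster. It implements the write-rate rule as quoted above (more than 60 writes per user in 60 seconds, or a filename matching *DECRYPT_INSTRUCT*) and then plays the two evasions the reply describes against it: a sacrificial host that bursts writes until the rule fires, which reveals the knob setting, and a fleet that runs just under that setting, plus the slow 3-per-minute weekend run and the "skip recently modified files" target selection. It goes a little beyond the text by carrying the whole-network scenario through to numbers. The event layout (integer millisecond timestamps, user, path), the host and file names, the 63-hour weekend and the list of "valuable" extensions are all constructed for the example.

```python
"""Added example (not from the NANOG thread): a per-user write-rate detector
of the kind proposed in the quoted message, fed constructed file-write events,
and a simulated adversary that probes the threshold on one sacrificial host
and then keeps every other host just under it. Timestamps are integer ms."""
from collections import deque
from fnmatch import fnmatchcase

WINDOW_MS = 60_000                                 # "60 seconds"
MAX_WRITES = 60                                    # "more than 60 writes" trips the rule
RANSOM_NAME_PATTERNS = ("*DECRYPT_INSTRUCT*",)     # pattern from the quoted proposal
VALUABLE_EXT = (".docx", ".xlsx", ".pdf", ".psd", ".sqlite")   # assumed list


class WriteRateDetector:
    """Sliding-window count of writes per user plus a filename blocklist."""

    def __init__(self, window_ms=WINDOW_MS, max_writes=MAX_WRITES,
                 patterns=RANSOM_NAME_PATTERNS):
        self.window_ms = window_ms
        self.max_writes = max_writes
        self.patterns = patterns
        self.recent = {}      # user -> deque of write timestamps inside the window
        self.alerts = []      # (timestamp_ms, user, reason)

    def observe(self, ts_ms, user, path):
        """Record one write; return the alert reason, or None if it passes."""
        q = self.recent.setdefault(user, deque())
        q.append(ts_ms)
        while q and q[0] <= ts_ms - self.window_ms:   # keep only (ts-60s, ts]
            q.popleft()
        name = path.rsplit("/", 1)[-1]
        if len(q) > self.max_writes:
            reason = f"rate: {len(q)} writes in {self.window_ms // 1000}s"
        elif any(fnmatchcase(name, p) for p in self.patterns):
            reason = f"name: {name}"
        else:
            return None
        self.alerts.append((ts_ms, user, reason))
        return reason


def probe_threshold(detector, user, max_burst=10_000):
    """Sacrificial-goat step: on one host, burst N writes within N ms for
    N = 1, 2, 3, ... with two quiet minutes between bursts so each one starts
    a clean window. Returns the first N that trips the rate rule (knob + 1)."""
    for n in range(1, max_burst + 1):
        base = n * 2 * WINDOW_MS
        for j in range(n):
            if detector.observe(base + j, user, f"/tmp/probe_{n}_{j}") is not None:
                return n
    return None


def run_steady(detector, user, per_minute, minutes, start_ms=0):
    """Encrypt files at a fixed rate; returns (writes made, alerts raised)."""
    interval = 60_000 // per_minute
    total = per_minute * minutes
    hits = 0
    for i in range(total):
        path = f"/home/{user}/docs/q4_report_{i}.xlsx"     # never the ransom-note name
        if detector.observe(start_ms + i * interval, user, path) is not None:
            hits += 1
    return total, hits


def pick_targets(files, now_s, min_age_days=3):
    """The 'avoid files modified in the last few days' hint: only valuable
    file types the user has not touched recently. files: [(path, mtime_s)]."""
    cutoff = now_s - min_age_days * 86_400
    return [p for p, mtime in files
            if mtime < cutoff and p.endswith(VALUABLE_EXT)]


def slow_weekend(per_minute=3, hours=63):
    """One host, 3 files a minute from Friday evening to Monday morning."""
    return run_steady(WriteRateDetector(), "alice", per_minute, minutes=hours * 60)


def fleet_demo(n_hosts=50, margin=2):
    """Whole-network scenario: burn host0 to learn the knob, then run the
    other hosts a couple of writes per minute under it for an hour."""
    det = WriteRateDetector()
    trip = probe_threshold(det, "host0")       # 61 with the default settings
    rate = trip - 1 - margin                   # 58/min: tuned just under the knob
    files = 0
    for h in range(1, n_hosts):
        writes, _ = run_steady(det, f"host{h}", rate, minutes=60)
        files += writes
    fleet_alerts = [a for a in det.alerts if a[1] != "host0"]
    return {"tripping_burst": trip, "tuned_rate": rate,
            "files_per_hour": files, "alerts_on_fleet": len(fleet_alerts)}


if __name__ == "__main__":
    print("weekend at 3/min (files, alerts):", slow_weekend())
    print("fleet after probing:", fleet_demo())
```

With the defaults the probe fires on the 61st write of a burst, the fleet then runs 49 hosts at 58 writes a minute for an hour without a single alert, and the lone weekend host gets through more than eleven thousand files at 3 a minute. Lowering the knob only moves the point the probe finds; it does not change the shape of the result.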
