[161158] in North American Network Operators' Group
Fwd: Re: NYT covers China cyberthreat
daemon@ATHENA.MIT.EDU (jjanusze@wd-tek.com)
Wed Feb 27 11:30:09 2013
Date: Wed, 27 Feb 2013 11:29:51 -0500 (EST)
From: "jjanusze@wd-tek.com" <jjanusze@wd-tek.com>
To: nanog@nanog.org
Reply-To: "jjanusze@wd-tek.com" <jjanusze@wd-tek.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Defense in Depth has been paid lip service for too long, and now we are
witnessing the outcome.
> ---------- Original Message ----------
> From: Adele Thompson <paigeadele@gmail.com>
> To: Kyle Creyts <kyle.creyts@gmail.com>
> Cc: Derek Noggle <dnoggle@gmail.com>, nanog@nanog.org
> Date: February 27, 2013 at 1:24 AM
> Subject: Re: NYT covers China cyberthreat
>
> On Tue, Feb 26, 2013 at 8:39 AM, Kyle Creyts <kyle.creyts@gmail.com> wrote:
>
> > I think it is safe to say that finding a foothold inside of the United
> > States from which to perform/proxy an attack is not the hardest thing
> > in the world. I don't understand why everyone expects that major
> > corporations and diligent operators blocking certain countries'
> > prefixes will help. That being said, you make a solid point to which
> > people should absolutely listen: applying an understanding of your
> > business-needs-network-traffic baseline to your firewall rules and
> > heuristic network detections (in a more precise fashion than just "IPs
> > from country $x") is a SOLID tactic that yields huge security
> > benefits. Nobody who cares about security should really be able to
> > argue with it (plenty of those who care don't will hate it, though),
> > and makes life _awful_ for any attackers.
> >
> > On Tue, Feb 26, 2013 at 3:43 AM, Rich Kulawiec <rsk@gsp.org> wrote:
> > > On Thu, Feb 21, 2013 at 11:47:44AM -0600, Naslund, Steve wrote:
> > >
> > > [a number of very good points ]
> > >
> > > Geoblocking, like passive OS fingerprinting (another technique that
> > > reduces attack surface as measured along one axis but can be defeated
> > > by a reasonably clueful attacker), doesn't really solve problems, per se.
> > > If you have a web app that's vulnerable to SQL injection attacks, then
> > > it's still just as hackable -- all the attacker has to do is try from
> > > somewhere else, from something else.
> > >
> > > But...
> > >
> > > 1. It raises the bar. And it cuts down on the noise, which is one of the
> > > security meta-problems we face: our logs capture so much cruft, so many
> > > instances of attacks and abuse and mistakes and misconfigurations and
> > > malfunctions, that we struggle to understand what they're trying to tell
> > > us. That problem is so bad that there's an entire subindustry built
> > > around the task of trying to reduce what's in the logs to something
> > > that a human brain can process in finite time. Mountains of time
> > > and wads of cash have been spent on the thorny problems that arise
> > > when we try to figure out what to pay attention to and what to ignore...
> > > and we still screw it up. Often.
> > >
> > > So even if the *only* effect of doing so is to shrink the size of
> > > the logs: that's a win. (And used judiciously, it can be a HUGE win,
> > > as in "several orders of magnitude".) So if your security guy is
> > > as busy as you say...maybe this would be a good idea.
> > >
> > > And let me note in passing that by raising the bar, it ensures that
> > > you're faced with a somewhat higher class of attacker. It's one
> > > thing to be hacked by a competent, diligent adversary who wields
> > > their tools with rapier-like precision; it's another to be owned
> > > by a script kiddie who has no idea what they're doing and doesn't
> > > even read the language your assets are using. That's just embarrassing.
> > >
> > > 2. Outbound blocks work too, y'know. Does anybody in your marketing
> > > department need to reach Elbonia? If not, then why are you allowing
> > > packets from that group's desktops to go there? Because either
> > > (a) it's someone doing something they shouldn't or (b) it's something doing
> > > something it shouldn't, as in a bot trying to phone home or a data
> > > exfiltration attack or something else unpleasant. So if there's
> > > no business need for that group to exchange packets with Elbonia
> > > or any of 82 other countries, why *aren't* you blocking that?
> > >
> > > 3. Yes, this can turn into a moderate-sized matrix of inbound and
> > > outbound rules. That's why make(1) and similar tools are your friends,
> > > because they'll let you manage this without needing to resort to scotch
> > > by 9:30 AM. And yes, sometimes things will break (because something's
> > > changed) -- but the brokenness is the best kind of brokenness: obvious,
> > > deterministic, repeatable, fixable.
> > >
> > > It's not hard. But it does require that you actually know what your
> > > own systems are doing and why.
> > >
> > > 4. "We were hacked from China" is wearing awfully damn thin as the
> > > feeble whining excuse of people who should have bidirectionally firewalled
> > > out China from their corporate infrastructure (note: not necessarily
> > > their public-facing servers) years ago. And "our data was exfiltrated
> > > to Elbonia" is getting thin as an excuse too: if you do not have an
> > > organizational need to allow outbound network traffic to Elbonia, then
> > > why the hell are you letting so much as a single packet go there?
> > >
> > > Like I said: at least make them work for it. A little. Instead of
> > > doing profoundly idiotic things like the NYTimes (e.g., "infrastructure
> > > reachable from the planet", "using M$ software", "actually believing that
> > > anti-virus software will work despite a quarter-century of uninterrupted
> > > failure", etc.). That's not making them work for it: that's inviting
> > > them in, rolling out the red carpet, and handing them celebratory
> > > champagne.
> > >
> > > ---rsk
> > >
> >
> >
> >
> > --
> > Kyle Creyts
> >
> > Information Assurance Professional
> > BSidesDetroit Organizer
> >
> >
>
> I've been doing some thinking about the internet tonight and came across
> this e-mail by which I am intrigued. Currently we suffer from DDoS downtime
> on Rackspace (granted it's a very small amount of time); it's a hit to our
> only single point of failure, which I am currently trying to solve by
> obtaining a /24 and an anycast address as a means of mitigation and
> providing a highly available HTTP cluster of load balancers. I can't help
> but wonder if the cost (both in ipv4 resources and cash) outweighs the
> worth of an environment that is sanctioned from the globe. While cloud
> hosting has proven to be a scalable solution for our needs, we currently
> are only serving US-based organizations as far as I know. Even so, the
> desire to grow beyond that isn't far-fetched when adding networks that are
> still segregated from access outside of a country becomes more available
> (kinda like vlans.)
>
> Germany, Russia, and Spain.
> >
> > "IN vain is the net spread in the sight of any bird," especially if the
> > bird be as keen-eyed as Prince Bismarck. The Carlist attempts to
> > irritate Germany into intervention—whether by firing on her gunboats,
> > or, as report says, attempting to take prisoners the German and Austrian
> > representatives to Madrid in the course of their railway journey, or by
> > any other means—have been, and will be, failures. Prince Bismarck knows
> > as well as anybody that nothing would give so effectual a spur to the
> > Carlist cause as a German intervention against it, and we may therefore
> > well believe his organ when it tells us that nothing so wild as the
> > project of landing German troops in Spain was ever contemplated
> > by him. Prince Bismarck was wise enough, even during the war with France,
> > when the German power was already in possession, and was on the spot, to
> > avoid anything like taking a part between the different political
> > factions into which France was divided. Is it reasonable to suppose that,
> > after keeping so carefully out of the net with which his feet were almost
> > in contact in France, he would allow himself to be entangled in it in
> > Spain? The real danger on the Franco-Spanish frontier is not of a German
> > intervention in Spain, but of jealousies growing up between Germany and
> > France so keen as to render a renewal of the war all but inevitable. No
> > doubt that would suit Prince Bismarck's book much better than a barren
> > intervention in Spain. No doubt his agents are not particularly delicate
> > in their modes of insisting that France shall cut off all supplies from
> > the Carlist forces, and in indirectly reminding Frenchmen of the
> > difference between their position now, when they are kept to their
> > international duties towards Spain by the watchful eye of Germany, and
> > their position four years ago, when they made the mere suggestion of a
> > German candidate for the throne of Spain a ground of affront, and
> > ultimately a cause of war. We do not suppose that Prince Bismarck wishes
> > for another big war, and all the new odium it would bring on the victor,
> > but if it must come, no doubt he would like it to come soon. It was a
> > good notion of his to pose as the protector of the regency of Marshal
> > Serrano in Spain, and so win an ally south of the Pyrenees, as well as
> > south of the Alps. But in spite of his no doubt sincere wish to see
> > Ultramontanism defeated in the defeat of Don Carlos, it is pretty certain
> > that his Spanish policy is studied much more with a view to crippling
> > France, than with a view to crippling Rome. There is indeed something
> > encouraging in the clear evidence afforded, both by Prince Bismarck's
> > and by Prince Gortschakoff's policy in regard to Spain—though these
> > policies are different—that even the least teachable of the great
> > European Powers have learned the lesson that interventions for the
> > purpose of settling the internal disputes of any great nation are the
> > silliest of mistakes. Germany has recognised, and has probably persuaded
> > various other great Powers to recognise, the Government of Madrid, while
> > Russia declines to recognise it; but even Russia carefully explains that
> > her reason for holding back is not any wish to strengthen the hopes of
> > the Carlist insurrection, but rather on even greater delicacy than that
> > shown by the other Powers for the free choice of the Spanish nation, and
> > a reluctance therefore to enter into formal relations with a Government
> > which, since General Pavia's coup d'état, has had no sanction from the
> > will of the people. No doubt one may fairly smile at the reason given,
> > when it comes from the Minister of Russia. No doubt it is quite natural
> > to suspect that other motives mingle with the refusal—the dislike to
> > follow implicitly German lead—the uneasiness lest the example of Spain
> > should be eventually pleaded for Republican institutions; but even though
> > it be so, the fact remains that Russia offers an almost pedantically
> > constitutional reason for refusing to acknowledge as yet the Government
> > of Marshal Serrano, and wishes to be understood as setting an example of
> > even greater delicacy and greater deference to the wishes of the Spanish
> > nation than either Great Britain
> > or France. No doubt Russia has pushed the doctrine to an extreme, if she
> > has allowed her deference to the wishes of the Spanish people to prevent
> > her from recognising a Government the continuance of which she would
> > think a great safeguard to the peace of Europe. In point of fact, Russia,
> > in all probability, holds no such opinion. The Greek Church is too well
> > established and too popular in Russia to make it a matter of any account
> > to her whether the new Government of Spain be Ultramontane or otherwise,
> > while it can never be a matter of absolute indifference to the Czar of
> > Russia whether another European people throws off the monarchy or not.
> > If Don Carlos were to succeed, at least the Republican current of events
> > would be reversed for a time. But whether the success of Marshal Serrano
> > will mean a Republic or a Throne for Spain is a matter extremely
> > doubtful. On the other hand, to neither Germany, nor England, nor Italy
> > can it fail to be a matter of some interest whether or not a new stimulus
> > or a new check is to be applied to Ultramontane zeal. And as regards
> > France, the Government of Marshal MacMahon has a very difficult problem
> > to solve. Doubtless the Extreme Right, and with the Extreme Right the
> > whole Sacerdotal party, would prefer to see Don Carlos succeed, since
> > such a success would be a new ground of hope for Henri V. and the white
> > flag. But then Marshal MacMahon has been obliged to quarrel with the
> > Extreme Right, who make light of his Septennate, and affect to treat him
> > as a mere locum tenens for the coming king. Hence it is essential
> > for him to secure a certain amount of moderate Liberal support, and the
> > regency of Marshal Serrano is so very homogeneous a kind of power to his
> > own—namely, a mere excuse for delay—that he can hardly fail to feel a
> > certain sympathy with its position. Add to this the extreme desirability
> > of conceding to Germany all that can be conceded while the fears of
> > quarrel and the occasions of quarrel are still so numerous, and we do not
> > doubt that a very wise decision has been taken, even in the interest of
> > the Government itself, in recognising the de facto Government of Madrid.
> > On the whole, we regard it as a very satisfactory evidence of the
> > progress made in mastering elementary Constitutional ideas, even by the
> > most despotic Powers, that all the great Powers alike repudiate
> > intervention in Spain, and use even their fair privilege of giving a sort
> > of moral support to that one of the rival Governments which they think
> > best calculated to maintain the peace of Europe, with great reserve and
> > moderation. The day of Holy Alliances to mould the internal institutions
> > of refractory countries is now, at last, probably past, and with these,
> > the day of some of the most mischievous European combinations which the
> > world has ever seen.—Spectator.
> >
> > It is learned that the arrest of Count Von Arnim was effected without the
> > knowledge of the Emperor. The missing documents have been given to the
> > Ultramontanes by Deputy Windthorst.
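The bidirectional, business-need-driven geo-rule matrix Rich Kulawiec describes above, worked as an added example that is not from the thread: a per-group baseline of needed countries, a default-deny check, rule generation for that matrix, and a count of how much of a flow log survives it (the "shrink the logs" effect). The prefix-to-country table, group names and flow records are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for a GeoIP prefix table (RFC 5737 documentation ranges).
PREFIX_COUNTRY = {
    "192.0.2.0/24": "US",
    "198.51.100.0/24": "DE",
    "203.0.113.0/24": "XX",  # "Elbonia": a country nobody here needs to reach
}

# Business-need baseline per group: countries it must reach / that may reach it.
POLICY = {
    "marketing": {"outbound": {"US"}, "inbound": set()},
    "sales-eu": {"outbound": {"US", "DE"}, "inbound": {"DE"}},
}

# Constructed flow log: (group, direction, remote IP).
SAMPLE_FLOWS = [
    ("marketing", "outbound", "192.0.2.10"),    # normal US traffic
    ("marketing", "outbound", "203.0.113.9"),   # looks like a bot phoning home
    ("marketing", "inbound", "192.0.2.44"),     # desktops serve nothing inbound
    ("sales-eu", "inbound", "198.51.100.7"),    # expected partner traffic
    ("sales-eu", "inbound", "203.0.113.5"),     # Elbonia again
]

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, cc in PREFIX_COUNTRY.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"  # unmapped address: never on an allow-list, so denied

def permitted(group, direction, remote_ip):
    """Default-deny: a flow passes only if the remote country is on the baseline."""
    return country_of(remote_ip) in POLICY[group][direction]

def rules_for(group):
    """Render one group's row of the matrix as allow lines plus a final deny."""
    lines = []
    for direction in ("outbound", "inbound"):
        for cc in sorted(POLICY[group][direction]):
            for prefix, pcc in PREFIX_COUNTRY.items():
                if pcc == cc:
                    lines.append(f"allow {direction} {group} {prefix}  # {cc}")
    lines.append(f"deny any {group} any  # not on the business-need baseline")
    return lines

def triage(flows):
    verdicts = Counter("allowed" if permitted(*f) else "dropped" for f in flows)
    return dict(verdicts)
```

Feeding the rendered lines through make(1) or a similar generator, as the post suggests, keeps the matrix reproducible when a group's business needs change.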