Dailydave mailing list archives
RE: We got owned by the Chinese and didn't even get a "lessons learned"
From: "Ferguson, Justin (IARC)" <FergusonJ () nv doe gov>
Date: Wed, 24 May 2006 10:20:12 -0700
I'd be interested in hearing dialogue on detecting covert channels in things like HTTP/S, DNS, SMTP where all of the traffic is completely valid use of the application layer protocols that have been assigned a secondary definition at both ends.

Best Regards,
Justin Ferguson
Reverse Engineer
NNSA IARC
702.942.2539

"It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts." -- Sir Arthur Conan Doyle
-----Original Message-----
From: Dave Aitel [mailto:dave () immunityinc com]
Sent: Wednesday, May 24, 2006 9:14 AM
To: s.wilson () eris qinetiq com
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] We got owned by the Chinese and didn't even get a "lessons learned"

Steve Wilson wrote:
> </delurk>
> A large government organisation with no egress firewalling policy? No restrictive and monitored outbound proxies? What sort of a perimeter is that[1]?

It's most non-classified networks that allow http, https or dns access. You can tunnel effectively through any of them. You could even tunnel through SMTP if you were ballsy enough. Everyone's been doing this since 1992AD, and I assume that if anyone puts an anomaly detection application firewall in place on HTTP and HTTPS, there'll be some public research into covert channels. Maybe Joanna will release something to explain how egress filtering without an air gap is just amusing.

> > Protecting networks against worms is a valuable thing. But it's not security, and I think events like this are a wake up call to what the technology you've deployed actually can do.
>
> OK, I'm a pedant - so I can't let that slip by. If protecting networks against worms (or even deliberate targeted attacks) isn't security, what is it? ;-p

I guess the whole point is that nothing you can deploy right now actually protects you from targeted attacks. They just handle worms. Worms are essentially a bandwidth problem. :>

-dave
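Justin asks how to detect covert channels in traffic that is entirely protocol-valid, and Dave names DNS as one of the channels everyone tunnels through. A detector cannot reject individual queries on syntax, so it has to score the behaviour of a zone over time. The block below is an added example, not code from either poster or from the thread: it runs the usual DNS-tunnel heuristics (number of distinct names under one zone, subdomain length, character entropy of the subdomain part, and the share of data-carrying record types such as TXT and NULL) over a constructed query log. The log format, the exfil-test.org name, the thresholds, and the last-two-labels approximation of a registered domain are all assumptions made for the example.

```python
"""Score DNS query logs for tunnelling-like behaviour (added example)."""
import math
from collections import defaultdict

# Constructed sample log lines in a simple "client qname qtype" form.
# They are not from the original thread; exfil-test.org is a made-up name
# standing in for an attacker-controlled zone carrying hex-encoded data.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 cdn.example.net A
10.0.0.9 3d4f1a9c2b7e8f0a1b2c3d4e5f6a7b8c.t.exfil-test.org TXT
10.0.0.9 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d.t.exfil-test.org TXT
10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.exfil-test.org TXT
10.0.0.9 aabbccddeeff00112233445566778899.t.exfil-test.org TXT
10.0.0.9 ffeeddccbbaa99887766554433221100.t.exfil-test.org TXT
10.0.0.5 www.example.com A
10.0.0.7 static.example.net A
"""

# Record types that carry an arbitrary payload back to the client; tunnels
# lean on these far more than ordinary hosts do.
DATA_TYPES = ("TXT", "NULL")


def parse_log(text):
    """Return (client, qname, qtype) tuples; qnames lower-cased, trailing dot removed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines instead of failing
        client, qname, qtype = parts
        records.append((client, qname.lower().rstrip("."), qtype.upper()))
    return records


def registered_domain(qname):
    """Approximate the zone an attacker controls as the last two labels.
    Assumption: no public-suffix list, so 'foo.co.uk' collapses to 'co.uk'."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def domain_stats(records):
    """Aggregate, per registered domain, the features a tunnel tends to push up."""
    names = defaultdict(set)
    counts = defaultdict(int)
    data_queries = defaultdict(int)
    for _client, qname, qtype in records:
        dom = registered_domain(qname)
        counts[dom] += 1
        names[dom].add(qname)
        if qtype in DATA_TYPES:
            data_queries[dom] += 1
    stats = {}
    for dom, unique in names.items():
        subs = []
        for q in unique:
            sub = q[: -(len(dom) + 1)] if q != dom else ""
            subs.append(sub.replace(".", ""))  # measure the encoded part only
        stats[dom] = {
            "queries": counts[dom],
            "unique_names": len(unique),
            "mean_sub_len": sum(len(s) for s in subs) / len(subs),
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
            "txt_frac": data_queries[dom] / counts[dom],
        }
    return stats


def flag_tunnel_candidates(stats, min_unique=4, min_len=20, min_entropy=3.0, min_txt_frac=0.5):
    """Domains whose unique-name volume, subdomain length and entropy all look like
    encoded data, or whose record mix is dominated by payload-carrying types.
    Thresholds are assumptions; tune them against a baseline of your own resolver logs."""
    flagged = []
    for dom, s in stats.items():
        looks_encoded = (s["unique_names"] >= min_unique
                         and s["mean_sub_len"] >= min_len
                         and s["mean_entropy"] >= min_entropy)
        heavy_data_types = s["unique_names"] >= min_unique and s["txt_frac"] >= min_txt_frac
        if looks_encoded or heavy_data_types:
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    stats = domain_stats(parse_log(SAMPLE_LOG))
    for dom, s in sorted(stats.items()):
        print(f"{dom:20} q={s['queries']:3} uniq={s['unique_names']:3} "
              f"len={s['mean_sub_len']:5.1f} H={s['mean_entropy']:4.2f} data={s['txt_frac']:.2f}")
    print("candidates:", flag_tunnel_candidates(stats))
```

These scores are a triage signal, not a verdict: CDNs, anti-spam and anti-virus reputation lookups, and some telemetry services legitimately generate large numbers of long, high-entropy unique names under one zone, so the useful deployment is to baseline each zone's numbers over days and alert on zones that are both new and far above the baseline. A low-and-slow tunnel that keeps its query rate and label length modest will still sit under these thresholds, which is the limitation Justin's question points at.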
Current thread:
- RE: We got owned by the Chinese and didn't even get a "lessons learned" Ferguson, Justin (IARC) (May 24)