RE: We got owned by the Chinese and didn't even get a "lessons learned"

["Ferguson, Justin (IARC)" <FergusonJ () nv doe gov>]

I'd be interested in hearing dialogue on detecting covert channels in things
like HTTP/S, DNS, SMTP where all of the traffic is completely valid use of
the application layer protocols that have been assigned secondary definition
to both ends.

Best Regards,

Justin Ferguson
Reverse Engineer
NNSA IARC
702.942.2539

"It is a capital mistake to theorize before one has data. Insensibly one
begins to twist facts to suit theories, instead of theories to suit facts."
-- Sir Arthur Conan Doyle

> -----Original Message-----
> From: Dave Aitel [mailto:dave () immunityinc com] 
> Sent: Wednesday, May 24, 2006 9:14 AM
> To: s.wilson () eris qinetiq com
> Cc: dailydave () lists immunitysec com
> Subject: Re: [Dailydave] We got owned by the Chinese and 
> didn't even get a "lessons learned"
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Steve Wilson wrote:
> > </delurk>
> >
> > A large government organisation with no egress firewalling 
> policy? No
> > restrictive and monitored outbound proxies? What sort of a 
> perimeter is 
> > that[1]? 
>
> It's most non-classified networks that allow http, https or 
> dns access.
> You can tunnel effectively through any of them. You could even tunnel
> through SMTP if you were ballsy enough. Everyone's been doing 
> this since
> 1992AD, and I assume that if anyone puts an anomaly detection
> application firewall in place on HTTP and HTTPS, there'll be 
> some public
> research into covert channels. Maybe Joanna will release something to
> explain how egress filtering without an air gap is just amusing.
>
> > > Protecting networks against worms is a valuable thing. But it's not
> > > security, and I think events like this are a wake up call 
> to what the
> > > technology you've deployed actually can do.
> >
> > OK, I'm a pedant - so I can't let that slip by. If 
> protecting networks against 
> > worms (or even deliberate targetted attacks) isn 't 
> security, what is it? ;-p
> >
>
> I guess the whole point is that nothing you can deploy right now
> actually protects you from targeted attacks. They just handle worms.
> Worms are essentially a bandwidth problem. :>
>
> - -dave
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (MingW32)
>
> iD8DBQFEdIYrtehAhL0gheoRAtTkAJ963whzKiAbA43msVuMIwinDwrfJwCghDF/
> /epXbG9QGtFhqwxy5teHbMY=
> =QBFF
> -----END PGP SIGNATURE-----