Re: firewall-wizards Digest, Vol 64, Issue 3 phishing

[Dave Piscitello <dave () corecom com>]

I suspect that a composite of what Stephen, Kyle and I constructed
yields a reasonable analog for the current and sad state of affairs.

On Sat, Apr 13, 2013 at 3:01 AM, Kyle Creyts <kyle.creyts () gmail com> wrote:
> For one, the ship's hull is supposed to have "leaks" because water is
> supposed to flow through the hull, this is how this particularly strange
> ship operates and provides the passengers with essentials to do their
> duties.
>
> Otherwise we'd keep it out of the water. (ha ha, air gap)
>
> However, as security folk, we're rather concerned about things that are
> toxic to the passengers coming in with the water...
>
> Unfortunately, to most of the systems we use to filter hull intake and
> output, protecting the passengers and their belongings, the toxic materials
> tend to look a lot like water.
>
> Most of these filters don't even know what the toxins are today. They're
> mostly throwback technology from a time before toxins, which only had to
> know the difference between water, seaweed, and sand. They know what water
> typically looks like, and they'll keep out the seaweed and sand, but we've
> told them that we want to let water in.
>
> Some newer systems are a bit better about filtering out the toxins, but they
> frequently cost quite a bit, and most ships continue to run without them in
> place.
>
> Of course most of the passengers can't distinguish either.
>
> In spite of people running around and announcing the dangers of toxins,
> nobody really seems to know how to teach the passengers to identify them,
> and most of the passengers are in too big of a hurry to care; drinking one
> glass of water with toxins in it probably won't kill them. Besides, many of
> them have filters on the faucets. Even if most of the faucet filters can
> only catch toxins they've seen before...
>
> Some passengers even bring toxins with them onto the ship.
>
> As others have mentioned, this whole process is only one of many
> responsibilities of those responsible for it, if they are even still with
> the ship. There are only so many engineers on the boat, they usually have to
> be trained to maintain this process or clean up toxins, and they have a lot
> of other systems to care for.
>
>
>
> On Fri, Apr 12, 2013 at 1:33 AM, Dave Piscitello <dave () corecom com> wrote:
> > Stephen,
> >
> > I think your premise - that we are comfortable with this architecture
> > - is wrong, at least for this choir.
> >
> > Your analog also only looks at one dimension of the problem space.
> >
> > - the ship hull is compromised
> > - the pumps are working because someone thought to enable this
> > automation, and he's now serving on another ship
> > - much of the crew are not competent to deal with the crisis, and
> > don't have the time to fully assess the damage because they are
> > distracted by requests to solve far less critical issues so that other
> > of the ship's services remain in operation for the passengers
> > - the passengers pay no attention to the warnings, alarms, and have no
> > clue as to how to abandon ship
> >
> > I suspect that few on this list are comfortable with this scene. The
> > pump is there for many because it's keeping the ship afloat while we
> > patch and re-think how to prevent future hull breaches. Part of
> > re-thinking is coming up with better monitoring (of hull integrity)
> > and AWS; part is raising competencies among crew, and part is raising
> > security awareness among passengers. All of these require the
> > captain's approval and the captain has to empower the officers.
> >
> > On Thu, Apr 11, 2013 at 8:46 PM, Stephen P. Berry <spb () meshuggeneh net>
> > wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > >
> > > John Michealson writes:
> > >
> > > > Check Point's gateway based AV went cloud based last fall. It has over
> > > > 6M
> > > > signatures. They also have AntiBot, which has hundreds of millions of IP
> > > > and hosts classified. They are reclassifying 50k sites/hosts a day with
> > > > their ThreatCloud, and ThreatEmulation is in EA. Their Application
> > > > Control
> > > > has 4900 apps defined locally and 300K in the cloud. Combined with
> > > > education these are very effective tools.
> > >
> > > Perhaps I just have a bad attitude, but I'm imagining a ship with a
> > > great jagged hole below the water line and a very high output bilge
> > > pump that's almost but not quite keeping up with the flooding.  The ship
> > > doesn't sink -immediately-, and hey that is a pretty impressive pump.
> > > But
> > > I'm not sure that I'd say that the pump is a very effective tool,
> > > because
> > > the task I'm actually concerned with isn't---or, I would argue shouldn't
> > > be---pumping water out, which the pump does quite well, but rather with
> > > keeping the ship seaworthy by keeping the water from getting in in the
> > > first place, and the pump doesn't do that at all.
> > >
> > > I'm not trying to badmouth Checkpoint here.  I'm sure their product is
> > > wonderful for what it is.  But I find it distressing how comfortable
> > > we've become with living with network architectures that are perpetually
> > > in a state of failure.  That are designed failed.  You speak in glowing
> > > words
> > > of the monumental efforts expended by Checkpoint.  But while I can
> > > admire
> > > all that hard work, when I see as system that -needs- this sort of
> > > heroic
> > > effort -on an ongoing basis- just to continue functioning, I see a
> > > system
> > > that is fundamentally broken.
> > >
> > >
> > >
> > > - -spb
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.4.10 (GNU/Linux)
> > >
> > > iQEVAwUBUWcEsR+T8Ptkg9h9AQI4swf/SAXPVaI8DXdOZ7OaUpcBUe6t2Y6ZQCGX
> > > 9VB0F2/3pyTWWdcVNUcDMVAiasgF1Pc/uHEhGFbFJNB13ubiUDsvQmjwJMkhN5fk
> > > GRT1eJLQrwSjAhzpwnQxTnQQQxwGBlaCb9Lo3db/PMZcxwFaYjzWncthZ6tX9YW5
> > > IOD1Th0fvOEEJvtl+imqYanWUC2HXFJPP+F2f8eswOv2EI80C38EnTd/+Bn6vRcW
> > > PkCKJO3RCwRjdDACIlS/bx4aMrt36M/bbGgF+mRtn3NNNHqeGkMQV490b8pvRlxM
> > > DfeH/RAdUdOMQ7PVRCJAEKreI268ywabltzOya5MPBhY3RjRgJeBJQ==
> > > =JaqR
> > > -----END PGP SIGNATURE-----
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards () listserv icsalabs com
> > > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () listserv icsalabs com
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
>
>
> --
> Kyle Creyts
>
> Information Assurance Professional
> BSidesDetroit Organizer
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards