Dailydave mailing list archives

Re: We got owned by the Chinese and didn't even get a "lessons learned"


From: "val smith" <mvalsmith () gmail com>
Date: Wed, 24 May 2006 10:40:33 -0600

I've dealt with this problem extensively on networks that have 1000s of
users, various IDS, firewalls, automated patching systems, configuration
management, well defined policies, etc. In short, decently managed
enterprise environments.

They constantly get owned and it's usually via the user. Many people on this
list know how to get past IDS, firewalls, etc. and so do the bad guys.
Looking at the politics, cost/benefits analysis, training, etc. what I have
seen is that you pretty much can't avoid being seriously hacked if you are
one of these high profile places.

So what's the answer then? Well one flaw I've seen in these types of networks
is the lack of data segregation. They often have their accounting in the
same network as their research info as their web intranet as their
development environment. So what happens is that when one machine gets
penetrated, everything falls.

The places I have seen do it right (albeit painful) are those that have
severe segregation of information functions. For example one place has a
network with no connection to the internet. Then they have internet stations
behind locked doors that you can sign up to use for internet research /
communications on a time share style basis. Another place went so far as to
have an internet "building" where there were basically tons of terminals
with inet access. So you did your real work on a closed network and went to
a different building to surf the web. There were non-network methods for
transferring data from one to the other which were slow but functional.

Now this would make a lot of our jobs super inefficient but depending on your
profile and risks maybe this is a partial answer for these types of
organizations.

V.

On 5/24/06, Joanna Rutkowska <joanna () invisiblethings org> wrote:

Nicolas RUFF wrote:
>> So, I'm quite curious what kind of (mature) products we have today to
>> detect advanced malware on Windows/x86-32 platform? Only please do not
>> mention hidden files, registry and process detectors (and not even try
>> thinking about signature detectors)... Anybody? (this is not a
>> rhetorical question, I really am curious!)
>
> Well, this is an interesting question indeed.
> From the sample we got, there are 2 things to notice:
>
> - The eggdrop part won't run if you do not have administrative rights on
> your computer (because it is trying to create a "c:\~.exe" file).
>
Oh, come on! And what if the malware exploits some kernel bug (we all
have seen several such bugs last year, haven't we)? Obviously running as
an unprivileged user will not help in this case (although it's a very good
idea indeed).

> - It won't run either if you have no "c:" drive on your computer (same
> reason).
>
Again, this doesn't solve the problem of more advanced malware (see e.g.
my black hat federal presentation).

> From my experience, those 2 security features may block more than 99.9%
> of "DownloadToFile" viruses. So we are safe ... for now !
>

But we're not talking about blocking 'DownloadToFile viruses', we're
talking about protecting sensitive (government, corporate) networks
against sophisticated targeted attacks...

What we really need (IMO) is a good *detection* to complement our
protection (NX/DEP, ASLR, Patch Guard on x64, etc), which is quite
advanced, but as life shows, still not 100% proof.

joanna.
