From the monthly archives: "February 2010"

In this article Google is reportedly asking for assistance from the NSA. From my limited knowledge of the NSA, this sounds like the right thing to do. I have done plenty of work under non-disclosure agreements (NDAs). Given the people that work at the NSA, I don’t see a problem with Google working with them. The people at the NSA are very bright (on par with the talent Google has in-house, perhaps even brighter).

Sources familiar with the new initiative said the focus is not figuring out who was behind the recent cyberattacks — doing so is a nearly impossible task after the fact — but building a better defense of Google’s networks, or what its technicians call “information assurance.”

I have two words for Google, “air gap”, at the most basic level. If packets cannot enter or leave the computer/network, then at least the system is secure from over-the-wire attacks, ignoring physical attacks. After all, the DoD operates SIPRNet, and except for a few cases of people bringing a virus onto SIPRNet it is secure. Of course that is just one small part of a complete “information assurance” program, but a good foundation is required.

Unlike SIPRNet, which may have multiple organizations connected and thus opens up potential security challenges, Google could have a less difficult time. Google has one entity, itself. If the reports about employees assisting the attackers are true, in a way the air gap is even more important. On the other hand, if one or more employees wanted to collaborate and get information from a secure network to the open Internet, it would not be impossible. If this network is secured properly, then it would be extremely difficult to accomplish, if not impossible. With no CDs or USB devices, physical inspections upon entering/leaving the rooms, and armed guards, getting information off the network either electronically or in hard copy would be difficult.

I’m reading this story, and I quote:

Last year, for example, an unidentified defense contractor discovered 100 compromised systems on its network, and found that the intruders had been inside since at least 2007.

Hopefully now they’ve come to realize that monitoring your network (traffic patterns, rates, etc.) is very important too. In the past I know I’ve looked at a graph of traffic, say email messages over a 24-hour period, and when compared to previous data it seemed very high. Because of the change in trend data that I was able to see visually, I investigated further and found that there was indeed a problem.

Many entities don’t discover a breach until someone from law enforcement tells them. By then, it’s too late.

In 2008, Mandiant investigated a breach at a law firm that was representing a client in a lawsuit related to China. The attackers were in the firm’s network for a year before the firm learned from law enforcement that it had been hacked. By then, the intruders had harvested thousands of e-mails and attachments from mail servers. They also had access to every other server, desktop workstation and laptop on the firm’s network.

That is sad; the tools exist so that companies can detect and stop this type of thing in-house. If you have something that is very important to your organization, then put an air gap between it and the rest of your network. In other words, don’t connect it to your network; isolate it completely. While that makes it more difficult to use, what is the loss to your organization if the information leaves your company?

Stolen e-mail messages and documents are collected and stored on a staging server inside the company’s network before being encrypted with custom algorithms and compressed into an .rar file. The files are then siphoned out in small random bursts generally via normal protocols with spoofed headers to disguise the activity. In the case of the Google hack, the attackers used an SSL port but a custom protocol.

All applications should be forced to use a proxy; otherwise the applications should not be allowed to enter or leave your network. A while ago, while taking the SANS Hacker Techniques and Incident Handling class, I learned about a tool that lets you craft ping packets. While that is not amazing, what I did not know at the time was that ping packets (ICMP echo/reply) can contain a payload, i.e. data. In other words, if I had the motivation I could write a script that could take the data I want to smuggle out of a network and get it out all via ping. It would take a while, but it would work. Egress filtering is a must. The first rule of a firewall should be deny all. Only open up what is absolutely required, and only to a limited set of devices. APT requires defense in depth and more. :)

In the back of my mind are the recent attacks against Google and others by the Chinese government. I keep asking myself how I would set up and defend against such attacks, and more importantly mitigate them. The end goal of this exercise for me is to limit Internet access to devices that have authenticated to the gateway/proxy. Thus when the user logs out of their workstation for the day and goes home, their computer is now cut off from the Internet.
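One way to express both the deny-all egress filtering argued for above and this goal on an OpenBSD gateway, as an added sketch rather than the author’s own configuration: a default-deny pf.conf in which only the gateway’s own web proxy may reach the Internet, plus an authpf.rules file that opens that proxy to a workstation only while its user holds an ssh session to the gateway (authpf tears the rules down when the session ends). Interface names, the LAN prefix and the proxy port are assumptions; the proxy and resolver are assumed to run on the gateway itself, and how the authpf ssh login is authenticated is left to the user’s login class.

```pf
# /etc/pf.conf on the gateway (added example, assumed interface names/addresses)
ext_if = "em0"               # Internet-facing interface (assumed)
int_if = "em1"               # workstation LAN interface (assumed)
lan    = "192.168.10.0/24"   # constructed example LAN prefix
proxy_port = "3128"          # web proxy listening on the gateway (assumed)

set skip on lo

# Rule one: deny everything, and log it, so any attempt to leave the
# network without going through the proxy shows up in pflog.
block log all

# Rules for authenticated users are loaded into this anchor by authpf(8)
# when they ssh to the gateway and removed when the ssh session closes.
anchor "authpf/*"

# Before authenticating, a workstation may only use the gateway's resolver
# and ssh to the gateway. No direct Internet access and no outbound ICMP,
# so ping-payload smuggling is blocked by the default deny above.
pass in on $int_if proto { tcp udp } from $lan to ($int_if) port domain
pass in on $int_if proto tcp from $lan to ($int_if) port ssh

# Only the gateway's own proxy and resolver talk to the Internet, and only
# on the ports they need. Nothing is forwarded, so IP forwarding can stay off.
pass out on $ext_if proto tcp from ($ext_if) to any port { www https }
pass out on $ext_if proto { tcp udp } from ($ext_if) to any port domain
```

```pf
# /etc/authpf/authpf.rules (added example): loaded per user into the anchor.
# authpf sets $user_ip to the address of the workstation that logged in.
int_if = "em1"               # must match pf.conf (assumed)
proxy_port = "3128"          # must match pf.conf (assumed)

# While the ssh session is up, this workstation may reach the proxy.
pass in quick on $int_if proto tcp from $user_ip to ($int_if) port $proxy_port
```

The user’s login shell must be /usr/sbin/authpf for the anchor rules to be loaded, and the ssh session has to stay open for as long as the workstation should have access.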

I’ve thought about using key-based authentication. The trick is, if the system has a keyboard logger installed, then both the keys and the passphrase protecting the keys can be stolen. Harder than most, but not foolproof.

I’m thinking of a case where the user’s computer is compromised by someone external to the company. At this point my intent is to limit the ability of the computer to access the Internet. If the computer cannot talk with the Internet, then the person who compromised the system cannot get data out of the company network.

At this point the solution in my head was to use authpf, ssh, and s/key. I would prefer that users not have a local password. Instead they can only use s/key to log in. I also would prefer that users don’t have to type user:skey@host and instead just user@host and have s/key forced upon them. I created a new login class, a new user, and had s/key as the authentication method for the class. I assigned the user to the class. Then I ‘su – user’ and tried skeyinit, but the “user” then gets prompted for their password. Because their login class requires s/key, the password being requested is an s/key password. A catch-22. :(

If you’re reading this and have a suggestion or idea on how I might work around this or otherwise accomplish my goal, please leave a comment.