Dailydave mailing list archives
Re: We got owned by the Chinese and didn't even get a "lessons learned"
From: "val smith" <mvalsmith () gmail com>
Date: Wed, 24 May 2006 10:40:33 -0600
Ive dealt with this problem extensively on networks that have 1000's of users, various IDS, firewalls, automated patching systems, configuration management, well defined policies, etc. In short, decently managed enterprise environments. They constantly get owned and its usually via the user. Many people on this list know how to get past IDS, firewalls, etc. and so do the bad guys. Looking at the politics, cost/benefits analysis, training, etc. what I have seen is that you pretty much can't avoid being seriously hacked if you are one of these high profile places. So whats the answer then? Well one flaw ive seen in these types of networks is the lack of data segregation. They often have their accounting in the same network as their research info as their web intranet as their development environment. So what happens is that when one machine gets penetrated, everything falls. The places I have seen do it right (albeit painful) are those that have severe segregation of information functions. For example one place has a network with no connection to the internet. Then they have internet stations behind locked doors that you can sign up to use for internet research / communications on a time share style basis. Another place went so far as to have an internet "building" where there were basically tons of terminals with inet access. So you did your real work on a closed network and went to a different building to surf the web. There were non-network methods for transfering data from one to the other which were slow but functional. Now this would make alot of our jobs super inefficient but depending on your profile and risks maybe this is a partial answer for these types of organizations. V. On 5/24/06, Joanna Rutkowska <joanna () invisiblethings org> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Nicolas RUFF wrote: >> So, I'm quite curious what kind of (mature) products we have today to >> detect advanced malware on Windows/x86-32 platform? Only please do not >> mention hidden files, registry and process detectors (and not even try >> thinking about signature detectors)... Anybody? (this is not a >> rhetorical question, I really am curious!) > > Well, this is an interesting question indeed. > From the sample we got, there are 2 things to notice : > > - The eggdrop part won't run if you do not have administrative rights on > your computer (because it is trying to create a "c:\~.exe" file). > Oh, come on! And what if the malware exploits some kernel bug (we all have seen several such bugs last year, haven't we)? Obviously running as privilege user will not help in this case (although it's a very good idea indeed). > - It won't run either if you have no "c:" drive on your computer (same > reason). > Again, this doesn't solve the problem of more advanced malware (see e.g. my black hat federal presentation). > From my experience, those 2 security features may block more than 99.9% > of "DownloadToFile" viruses. So we are safe ... for now ! > But we're not talking about blocking 'DownloadToFile viruses', we're talking about protecting sensitive (government, corporate) networks against sophisticated targeted attacks... What we really need (IMO) is a good *detection* to complement our protection (NX/DEP, ASLR, Patch Guard on x64, etc), which is quite advanced, but as life shows, still not 100% proof. joanna. -----BEGIN PGP SIGNATURE----- iD8DBQFEdIO1ORdkotfEW84RAjZlAKCN4IHqgj6d9h4Lb0UmIoObdWL4VQCgzN3N 1vNSRNMpdF7yU5AEXQ0GMOM= =5Gg7 -----END PGP SIGNATURE-----
Current thread:
- We got owned by the Chinese and didn't even get a "lessons learned" Dave Aitel (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Joanna Rutkowska (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Nicolas RUFF (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Joanna Rutkowska (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" val smith (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Nicolas RUFF (May 25)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" mark (May 25)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Nicolas RUFF (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Joanna Rutkowska (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Martin Johns (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Etaoin Shrdlu (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Andrew Simmons (May 24)
- Re: We got owned by the Chinese and didn't even get a"lessons learned" Halvar Flake (May 24)
- Re: We got owned by the Chinese and didn't even get a"lessons learned" Etaoin Shrdlu (May 24)