Dailydave mailing list archives
RE: We got owned by the Chinese and didn't even get a "lessons learned"
From: Chris <info () delsec net>
Date: Wed, 24 May 2006 14:40:19 -0700
Air gap isn't the best word for this description. It should be considered more of a complete physical gap, where no media from one touches the other. But I think this topic is running wayyy off course.

Dave, can you explain why blocking worm propagation isn't security?

Chris

----------------------------------------
Chris
Key ID: 7E8DE44E
info () delsec net
www.delsec.net
----------------------------------------
-------- Original Message --------
Subject: Re: [Dailydave] We got owned by the Chinese and didn't even get a "lessons learned"
From: "Halvar Flake" <halvar () gmx de>
Date: Wed, May 24, 2006 2:20 pm
To: "Etaoin Shrdlu" <shrdlu () deaddrop org>, <dailydave () lists immunitysec com>

Hey all,

Sure, most of the gov and mil internet facing networks are a lot more lax than they should be, but the classified stuff (even the stuff classified at a mere Confidential level) is not there. Not. Look up things like siprnet.

So correct me if I am wrong, but would a better way to ferret stuff out of classified networks go like this:

1) Payload infects other DOC files on the HD and converts them to exploit as well
2) Payload does text-search for certain keywords, encrypts the text of the documents it found and adds the encrypted blobs to existing word files (up to a certain size)

While you'd only have limited control about the time and place when data will leak out again, anytime they pass a DOC file through the airgap you have a chance of getting something useful.

All this very much depends on getting a clean resume on the exploit. Does anyone know if the attackers had that?

Cheers,
Halvar