Dailydave mailing list archives
Re: Hacker opsec case study
From: "matthew wollenweber" <mwollenweber () gmail com>
Date: Thu, 19 Apr 2007 11:10:10 -0400
As an infosec contractor "working for the government in the Baltimore/Washington Metro" I often see a lot of crazy things. Often intrusion sets are defined and detected like they are in the corporate world: by a signature rule-set and IP location (address range). Usually the rule-set is created after the attacker does something obvious like pulling down gigs of data in one night to an unfriendly state. To me this implies that they expect to get noticed. I have seldom (almost never) seen an attack discovered where the technology was something I'd consider doing, such as:

1. Non-public implant with HTTP call backs to a dynamic DNS server
2. Call backs are slow and initially occur a while after exploitation
3. You don't use encryption (it's generally easy to detect)
4. Traffic is to/from "safe" IPs -- let's say if you were a local power company, well then traffic to Russia is unexpected but traffic to a local small business is generally "safe".
5. You don't do something stupid (your version of Windows is non-US, you scan from your IP, etc.)

To me those are basic steps when performing a covert pen-test (modified to be legal and compliant with the rules of engagement). I can't imagine that a nation state would do any less. There's at least the first clear mistake of calling back to Asia, and Congressmen are quoted as: "These are experienced, sophisticated people who are trying to exploit our vulnerabilities and gain access to our information," Thompson said. And a second is implied by "tripwires severed Internet connections in the region after a limited amount of data was detected being stolen" (I've seldom seen a "tripwire" that wasn't tuned to sever connections until something blatantly bad was occurring).
So things are bad when one Word 0-day gives you prolonged access to US govt assets, but it's even worse when the attacker was doing some dumb things and the people in charge think the attack was extremely sophisticated and beyond the skill and resource level of a 20-something computer science student.

On 4/19/07, Dave Aitel <dave () immunityinc com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://news.yahoo.com/s/ap/20070419/ap_on_hi_te/hackers_state_department

This is a great article from the perspective of "How long in the State dept. does one Word 0day buy you." It's like a hacker opsec case study.

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGJwA5tehAhL0gheoRAvbmAJ9YSgtu9fBKuJqoCkbrBWSeEbtIngCdEn/R
YL/rw3zpGJS5FCY3h2/zW4A=
=ydkC
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
--
Matthew Wollenweber
mwollenweber () gmail com
skytel: 800-206-3041 | 2063041 () skytel com

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
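The post's point is that rule-sets keyed on signatures and "unfriendly" IP ranges miss slow, unencrypted callbacks to a "safe" destination. The following is an added example, not code from the post or from the Dailydave list: a small beacon-periodicity check over a constructed proxy log (all addresses, hostnames and timestamps are made up for illustration). It ignores destination reputation entirely and instead flags any (source, destination, host) flow whose inter-request gaps are nearly constant, which is what a low-and-slow implant callback looks like regardless of where it goes. The `max_cv` and `min_events` thresholds are assumed tuning values, not figures from the post.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (example data, no real hosts or addresses):
# "<iso timestamp> <src ip> <dst ip> <host header> <status>"
# 10.1.1.5 calls a "safe"-looking small-business host once an hour;
# 10.1.1.7 is ordinary bursty browsing; 10.1.1.9 has too few events to judge.
SAMPLE_LOG = """\
2007-04-19T09:00:00 10.1.1.7 203.0.113.10 news.example.test 200
2007-04-19T09:00:00 10.1.1.5 198.51.100.20 shop.local-smallbiz.test 200
2007-04-19T09:00:05 10.1.1.7 203.0.113.10 news.example.test 200
2007-04-19T09:01:40 10.1.1.7 203.0.113.10 news.example.test 200
2007-04-19T09:30:00 10.1.1.7 203.0.113.10 news.example.test 200
2007-04-19T10:00:03 10.1.1.5 198.51.100.20 shop.local-smallbiz.test 200
2007-04-19T10:15:00 10.1.1.9 192.0.2.50 mail.example.test 200
2007-04-19T11:00:01 10.1.1.5 198.51.100.20 shop.local-smallbiz.test 200
2007-04-19T11:59:58 10.1.1.5 198.51.100.20 shop.local-smallbiz.test 200
2007-04-19T12:15:00 10.1.1.7 203.0.113.10 news.example.test 200
2007-04-19T13:00:02 10.1.1.5 198.51.100.20 shop.local-smallbiz.test 200
2007-04-19T13:40:00 10.1.1.9 192.0.2.50 mail.example.test 200
"""


def parse_log(text):
    """Yield (timestamp, src, dst, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def find_beacons(text, min_events=4, max_cv=0.05):
    """Flag flows whose inter-request gaps are nearly constant.

    Destination reputation is deliberately not consulted: a slow callback
    to a "safe" address still shows up through its timing regularity.
    max_cv and min_events are assumed thresholds for this example.
    """
    flows = defaultdict(list)
    for ts, src, dst, host in parse_log(text):
        flows[(src, dst, host)].append(ts)

    hits = []
    for (src, dst, host), stamps in flows.items():
        if len(stamps) < min_events:
            continue  # too few observations to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        # Coefficient of variation: 0 means perfectly regular spacing.
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "host": host,
                         "events": len(stamps), "mean_interval": avg, "cv": cv})
    return hits


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_LOG):
        print(f"{h['src']} -> {h['host']} ({h['dst']}): {h['events']} requests "
              f"every ~{h['mean_interval']:.0f}s, cv={h['cv']:.4f}")
```

On the constructed log only the hourly flow from 10.1.1.5 is reported; the bursty browsing host has a coefficient of variation above 1 and the two-event flow is skipped. In practice the thresholds need tuning against legitimate periodic traffic (update checks, monitoring agents), which is where an allow-list of known scheduled jobs, rather than an IP-reputation list, belongs.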