Dailydave mailing list archives

Re: Hacker opsec case study


From: "matthew wollenweber" <mwollenweber () gmail com>
Date: Thu, 19 Apr 2007 11:10:10 -0400

As an infosec contractor "working for the government in the
Baltimore/Washington Metro" I often see a lot of crazy things. Often
intrusion sets are defined and detected like they are in the corporate
world: by a signature rule-set and IP location (address range). Usually the
rule-set is created after the attacker does something obvious like pulling
down gigs of data in one night to an unfriendly state. To me this implies
that they expect to get noticed.

I have seldom (almost never) seen an attack discovered where the technology
was something I'd consider doing such as:
1. Non-public implant with HTTP call backs to a dynamic DNS server
2. Call backs are slow and initially occur a while after exploitation
3. You don't use encryption (it's generally easy to detect)
4. Traffic is to/from "safe" IPs -- let's say if you were a local power
company, well then traffic to Russia is unexpected but traffic to a local
small business is generally "safe".
5. You don't do something stupid (your version of Windows is non-US, you
scan from your IP, etc.).

To me those are basic steps when performing a covert pen-test (modified to
be legal and compliant with the rules of engagement). I can't imagine that a
nation state would do any less.

There's at least the first clear mistake of calling back to Asia and
Congressmen are quoted as *"These are experienced, sophisticated people
who are trying to exploit our vulnerabilities and gain access to our
information," Thompson said.* And a second is implied by *tripwires severed
Internet connections in the region after a limited amount of data was
detected being stolen* (I've seldom seen a "tripwire" that wasn't tuned to
sever connections until something blatantly bad was occurring).

So things are bad when one Word 0-day gives you prolonged access to US govt
assets, but it's even worse when the attacker was doing some dumb things and
the people in charge think the attack was extremely sophisticated and beyond
the skill and resource level of a 20-something computer science student.


On 4/19/07, Dave Aitel <dave () immunityinc com> wrote:

http://news.yahoo.com/s/ap/20070419/ap_on_hi_te/hackers_state_department

This is a great article from the perspective of "How long in the State
dept. does one Word 0day buy you."

It's like a hacker opsec case study.

- -dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
--
Matthew Wollenweber
mwollenweber () gmail com
skytel: 800-206-3041 | 2063041 () skytel com