Defense in Depth has been paid lip service for too long, and now we are witnessing the outcome.
> ---------- Original Message ----------
> From: Adele Thompson <paigead...@gmail.com>
> To: Kyle Creyts <kyle.cre...@gmail.com>
> Cc: Derek Noggle <dnog...@gmail.com>, nanog@nanog.org
> Date: February 27, 2013 at 1:24 AM
> Subject: Re: NYT covers China cyberthreat
>
> On Tue, Feb 26, 2013 at 8:39 AM, Kyle Creyts <kyle.cre...@gmail.com> wrote:
>
> > I think it is safe to say that finding a foothold inside of the United States from which to perform/proxy an attack is not the hardest thing in the world. I don't understand why everyone expects that major corporations and diligent operators blocking certain countries' prefixes will help. That being said, you make a solid point to which people should absolutely listen: applying an understanding of your business-needs-network-traffic baseline to your firewall rules and heuristic network detections (in a more precise fashion than just "IPs from country $x") is a SOLID tactic that yields huge security benefits. Nobody who cares about security should really be able to argue with it (plenty of those who care don't will hate it, though), and makes life _awful_ for any attackers.
> >
> > On Tue, Feb 26, 2013 at 3:43 AM, Rich Kulawiec <r...@gsp.org> wrote:
> >
> > > On Thu, Feb 21, 2013 at 11:47:44AM -0600, Naslund, Steve wrote:
> > >
> > > [a number of very good points ]
> > >
> > > Geoblocking, like passive OS fingerprinting (another technique that reduces attack surface as measured along one axis but can be defeated by a reasonably clueful attacker), doesn't really solve problems, per se. If you have a web app that's vulnerable to SQL injection attacks, then it's still just as hackable -- all the attacker has to do is try from somewhere else, from something else.
> > >
> > > But...
> > >
> > > 1. It raises the bar. And it cuts down on the noise, which is one of the security meta-problems we face: our logs capture so much cruft, so many instances of attacks and abuse and mistakes and misconfigurations and malfunctions, that we struggle to understand what they're trying to tell us. That problem is so bad that there's an entire subindustry built around the task of trying to reduce what's in the logs to something that a human brain can process in finite time. Mountains of time and wads of cash have been spent on the thorny problems that arise when we try to figure out what to pay attention to and what to ignore... and we still screw it up. Often.
> > >
> > > So even if the *only* effect of doing so is to shrink the size of the logs: that's a win. (And used judiciously, it can be a HUGE win, as in "several orders of magnitude".) So if your security guy is as busy as you say...maybe this would be a good idea.
> > >
> > > And let me note in passing that by raising the bar, it ensures that you're faced with a somewhat higher class of attacker. It's one thing to be hacked by a competent, diligent adversary who wields their tools with rapier-like precision; it's another to be owned by a script kiddie who has no idea what they're doing and doesn't even read the language your assets are using. That's just embarrassing.
> > >
> > > 2. Outbound blocks work too, y'know. Does anybody in your marketing department need to reach Elbonia? If not, then why are you allowing packets from that group's desktops to go there? Because either (a) it's someone doing something they shouldn't or (b) it's something doing something it shouldn't, as in a bot trying to phone home or a data exfiltration attack or something else unpleasant. So if there's no business need for that group to exchange packets with Elbonia or any of 82 other countries, why *aren't* you blocking that?
> > >
> > > 3. Yes, this can turn into a moderate-sized matrix of inbound and outbound rules. That's why make(1) and similar tools are your friends, because they'll let you manage this without needing to resort to scotch by 9:30 AM. And yes, sometimes things will break (because something's changed) -- but the brokenness is the best kind of brokenness: obvious, deterministic, repeatable, fixable.
> > >
> > > It's not hard. But it does require that you actually know what your own systems are doing and why.
> > >
> > > 4. "We were hacked from China" is wearing awfully damn thin as the feeble whining excuse of people who should have bidirectionally firewalled out China from their corporate infrastructure (note: not necessarily their public-facing servers) years ago. And "our data was exfiltrated to Elbonia" is getting thin as an excuse too: if you do not have an organizational need to allow outbound network traffic to Elbonia, then why the hell are you letting so much as a single packet go there?
> > >
> > > Like I said: at least make them work for it. A little. Instead of doing profoundly idiotic things like the NYTimes (e.g., "infrastructure reachable from the planet", "using M$ software", "actually believing that anti-virus software will work despite a quarter-century of uninterrupted failure", etc.). That's not making them work for it: that's inviting them in, rolling out the red carpet, and handing them celebratory champagne.
> > >
> > > ---rsk
> >
> > --
> > Kyle Creyts
> >
> > Information Assurance Professional
> > BSidesDetroit Organizer
>
> I've been doing some thinking about the internet tonight and came across this e-mail by which I am intrigued. Currently we suffer from DDoS downtime on Rackspace (granted it's a very small amount of time, it's a hit to our only single point of failure for which I am currently trying to solve by obtaining a /24 and an anycast address as a means of mitigation and providing a highly available HTTP cluster of load balancers. I can't help but wonder if the cost (both in ipv4 resources and cash) outweighs the worth of an environment that is sanctioned from the globe. While cloud hosting has proven to be a scalable solution for our needs, we currently are only serving US-based organizations as far as I know. Even so, the desire to grow beyond that isn't far fetched when adding networks that are still segregated from access outside of a country becomes more available (kinda like vlans.)
>
> > Germany, Russia, and Spain.
> >
> > "IN vain is the net spread in the sight of any bird," especially if the bird be as keen-eyed as Prince Bismarck. The Carlist attempts to irritate Germany into intervention—whether by firing on her gunboats, or, as report says, attempting to take prisoners the German and Austrian representatives to Madrid in the course of their railway journey, or by any other means—have been, and will be, failures. Prince Bismarck knows as well as anybody that nothing would give so effectual a spur to the Carlist cause as a German intervention against it, and we may therefore well believe his organ when it tells us that nothing so wild as the project of landing German troops in Spain was ever contemplated by him. Prince Bismarck was wise enough, even during the war with France, when the German power was already in possession, and was on the spot, to avoid anything like taking a part between the different political factions into which France was divided. Is it reasonable to suppose that, after keeping so carefully out of the net with which his feet were almost in contact in France, he would allow himself to be entangled in it in Spain? The real danger on the Franco-Spanish frontier is not of a German intervention in Spain, but of jealousies growing up between Germany and France so keen as to render a renewal of the war all but inevitable. No doubt that would suit Prince Bismarck's book much better than a barren intervention in Spain. No doubt his agents are not particularly delicate in their modes of insisting that France shall cut off all supplies from the Carlist forces, and in indirectly reminding Frenchmen of the difference between their position now, when they are kept to their international duties towards Spain by the watchful eye of Germany, and their position four years ago, when they made the mere suggestion of a German candidate for the throne of Spain a ground of affront, and ultimately a cause of war. We do not suppose that Prince Bismarck wishes for another big war, and all the new odium it would bring on the victor, but if it must come, no doubt he would like it to come soon. It was a good notion of his to pose as the protector of the regency of Marshal Serrano in Spain, and so win an ally south of the Pyrenees, as well as south of the Alps. But in spite of his no doubt sincere wish to see Ultramontanism defeated in the defeat of Don Carlos, it is pretty certain that his Spanish policy is studied much more with a view to crippling France, than with a view to crippling Rome.
> >
> > There is indeed something encouraging in the clear evidence afforded, both by Prince Bismarck's and by Prince Gortschakoff's policy in regard to Spain—though these policies are different—that even the least teachable of the great European Powers have learned the lesson that interventions for the purpose of settling the internal disputes of any great nation are the silliest of mistakes. Germany has recognised, and has probably persuaded various other great Powers to recognise, the Government of Madrid, while Russia declines to recognise it; but even Russia carefully explains that her reason for holding back is not any wish to strengthen the hopes of the Carlist insurrection, but rather on even greater delicacy than that shown by the other Powers for the free choice of the Spanish nation, and a reluctance therefore to enter into formal relations with a Government which, since General Pavía's coup d'état, has had no sanction from the will of the people. No doubt one may fairly smile at the reason given, when it comes from the Minister of Russia. No doubt it is quite natural to suspect that other motives mingle with the refusal—the dislike to follow implicitly German lead—the uneasiness lest the example of Spain should be eventually pleaded for Republican institutions; but even though it be so, the fact remains that Russia offers an almost pedantically constitutional reason for refusing to acknowledge as yet the Government of Marshal Serrano, and wishes to be understood as setting an example of even greater delicacy and greater deference to the wishes of the Spanish nation than either Great Britain or France. No doubt Russia has pushed the doctrine to an extreme, if she has allowed her deference to the wishes of the Spanish people to prevent her from recognising a Government the continuance of which she would think a great safeguard to the peace of Europe. In point of fact, Russia, in all probability, holds no such opinion. The Greek Church is too well established and too popular in Russia to make it a matter of any account to her whether the new Government of Spain be Ultramontane or otherwise, while it can never be a matter of absolute indifference to the Czar of Russia whether another European people throws off the monarchy or not. If Don Carlos were to succeed, at least the Republican current of events would be reversed for a time. But whether the success of Marshal Serrano will mean a Republican or a Throne for Spain is a matter extremely doubtful. On the other hand, to neither Germany, nor England, nor Italy can it fail to be a matter of some interest whether or not a new stimulus or a new check is to be applied to Ultramontane zeal. And as regards France, the Government of Marshal MacMahon has a very difficult problem to solve. Doubtless the Extreme Right, and with the Extreme Right the whole Sacerdotal party, would prefer to see Don Carlos succeed, since such a success would be a new ground of hope for Henri V. and the white flag. But then Marshal MacMahon has been obliged to quarrel with the Extreme Right, who make light of his Septennate, and affect to treat him as a mere locum tenens for the coming king. Hence it is essential for him to secure a certain amount of moderate Liberal support, and the regency of Marshal Serrano is so very homogeneous a kind of power to his own—namely, a mere excuse for delay—that he can hardly fail to feel a certain sympathy with its position. Add to this the extreme desirability of conceding to Germany all that can be conceded while the fears of quarrel and the occasions of quarrel are still so numerous, and we do not doubt that a very wise decision has been taken, even in the interest of the Government itself, in recognising the de facto Government of Madrid. On the whole, we regard it as a very satisfactory evidence of the progress made in mastering elementary Constitutional ideas, even by the most despotic Powers, that all the great Powers alike repudiate intervention in Spain, and use even their fair privilege of giving a sort of moral support to that one of the rival Governments which they think best calculated to maintain the peace of Europe, with great reserve and moderation. The day of Holy Alliances to mould the internal institutions of refractory countries is now, at last, probably past, and with these, the day of some of the most mischievous European combinations which the world has ever seen.— Spectator.
> >
> > It is learned that the arrest of Count Von Arnim was effected without the knowledge of the Emperor. The missing documents have been given to the Ultramontanes by Deputy Windthorst.