<div>As an infosec contractor "working for the government in the Baltimore/Washington Metro" I often see a lot of crazy things. Often intrusion sets are defined and detected like they are in the corporate world: by a signature rule-set and IP location (address range). Usually the rule-set is created after the attacker does something obvious like pulling down gigs of data in one night to an unfriendly state. To me this implies that they expect to get noticed.
</div>
<div> </div>
<div>I have seldom (almost never) seen an attack discovered where the technology was something I'd consider doing such as:</div>
<div>1. Non-public implant with http call backs to a dynamic dns server</div>
<div>2. Call backs are slow and initially occur a while after exploitation</div>
<div>3. You don't use encryption (it's generally easy to detect)</div>
<div>4. Traffic is to/from "safe" IPs -- let's say if you were a local power company, then traffic to Russia is unexpected but traffic to a local small business is generally "safe". </div>
<div>5. You don't do something stupid (your version of Windows is non-US, you scan from your IP, etc.). </div>
<div> </div>
<div>To me those are basic steps when performing a covert pen-test (modified to be legal and compliant with the rules of engagement). I can't imagine that a nation state would do any less. <br> </div>
<div>There's at least the first clear mistake of calling back to Asia, and Congressmen are quoted as <em>"These are experienced, sophisticated people who are trying to exploit our vulnerabilities and gain access to our information," Thompson said.
</em>And a second is implied by <em>tripwires severed Internet connections in the region after a limited amount of data was detected being stolen</em> (I've seldom seen a "tripwire" that wasn't tuned to sever connections only once something blatantly bad was occurring).
</div>
<div> </div>
<div>So things are bad when one Word 0-day gives you prolonged access to US govt assets, but it's even worse when the attacker was doing some dumb things and the people in charge think the attack was extremely sophisticated and beyond the skill and resource level of a 20-something computer science student.
</div>
<div><br> </div>
<div><span class="gmail_quote">On 4/19/07, <b class="gmail_sendername">Dave Aitel</b> <<a href="mailto:dave@immunityinc.com">dave@immunityinc.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br><a href="http://news.yahoo.com/s/ap/20070419/ap_on_hi_te/hackers_state_department">
http://news.yahoo.com/s/ap/20070419/ap_on_hi_te/hackers_state_department</a><br><br>This is a great article from the perspective of "How long in the State<br>dept. does one Word 0day buy you."<br><br>It's like a hacker opsec case study.
<br><br>- -dave<br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v1.4.6 (GNU/Linux)<br><br>iD8DBQFGJwA5tehAhL0gheoRAvbmAJ9YSgtu9fBKuJqoCkbrBWSeEbtIngCdEn/R<br>YL/rw3zpGJS5FCY3h2/zW4A=<br>=ydkC<br>-----END PGP SIGNATURE-----
<br><br>_______________________________________________<br>Dailydave mailing list<br><a href="mailto:Dailydave@lists.immunitysec.com">Dailydave@lists.immunitysec.com</a><br><a href="http://lists.immunitysec.com/mailman/listinfo/dailydave">
http://lists.immunitysec.com/mailman/listinfo/dailydave</a><br></blockquote></div><br><br clear="all"><br>-- <br>Matthew Wollenweber<br><a href="mailto:mwollenweber@gmail.com">mwollenweber@gmail.com</a><br>skytel: 800-206-3041 |
<a href="mailto:2063041@skytel.com">2063041@skytel.com</a>
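The post above argues that volume- and geography-based tripwires only catch attackers who do something blatant, and that a careful implant would instead beacon slowly, over plain HTTP, to an innocuous-looking dynamic-DNS host. The following is an added example (not part of the thread, and not the poster's code) of the complementary detection signal a defender can look for: regularity. It parses constructed proxy log lines, measures the gaps between a client's requests to each host, and flags hosts whose gaps are long, numerous and nearly constant, weighting hosts under a constructed dynamic-DNS suffix list. The log format, suffixes, thresholds and hostnames are all assumptions made for the example.

```python
"""Low-and-slow HTTP call-back detector (added example, not from the thread).

Looks for periodic requests from one client to one host: a low
coefficient of variation (pstdev / mean) across long inter-request gaps
is the opposite of the bursty, bulky traffic that volume rules catch.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed suffix list; a real deployment would use a maintained one.
DYNDNS_SUFFIXES = (".dyndns.example", ".no-ip.example")

# Constructed proxy log lines: "<ISO time> <client> <method> <host> <bytes>".
# The hourly host77 requests are the planted beacon; the rest is browsing noise.
SAMPLE_LOG = """\
2007-04-19T01:00:03 10.1.1.5 GET updates.vendor.example 512
2007-04-19T01:00:09 10.1.1.5 GET news.example 18322
2007-04-19T02:00:01 10.1.1.5 GET host77.dyndns.example 301
2007-04-19T03:00:04 10.1.1.5 GET host77.dyndns.example 299
2007-04-19T03:12:40 10.1.1.5 GET news.example 20110
2007-04-19T04:00:02 10.1.1.5 GET host77.dyndns.example 305
2007-04-19T05:00:00 10.1.1.5 GET host77.dyndns.example 298
2007-04-19T05:31:19 10.1.1.5 GET mail.example 4400
2007-04-19T06:00:03 10.1.1.5 GET host77.dyndns.example 302
2007-04-19T09:47:55 10.1.1.9 GET news.example 17600
2007-04-19T09:48:02 10.1.1.9 GET news.example 9020
2007-04-19T13:02:11 10.1.1.9 GET news.example 30111
"""


def parse_log(text):
    """Group request timestamps by (client, host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _size = line.split()
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events


def is_dyndns(host):
    """True if the host sits under one of the (constructed) dynamic-DNS suffixes."""
    return host.lower().endswith(DYNDNS_SUFFIXES)


def beacon_score(timestamps, min_gaps=3, min_interval=600):
    """Return (mean_gap_seconds, coefficient_of_variation) for a series of
    request times, or None when the series is too short or too fast to be
    a slow beacon.  Gaps are taken between consecutive sorted timestamps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < min_gaps:
        return None
    m = mean(gaps)
    if m < min_interval:
        return None
    return m, pstdev(gaps) / m


def find_beacons(text, max_cv=0.05):
    """Return the (client, host) pairs whose request spacing is regular enough
    to look like a scheduled call-back, dynamic-DNS hosts first."""
    hits = []
    for (client, host), stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score is None:
            continue
        mean_gap, cv = score
        if cv <= max_cv:
            hits.append({
                "client": client,
                "host": host,
                "mean_gap_s": round(mean_gap),
                "cv": round(cv, 4),
                "dyndns": is_dyndns(host),
            })
    return sorted(hits, key=lambda h: (not h["dyndns"], h["cv"]))


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The thresholds are the interesting knobs: `min_interval` excludes ordinary page loads, `min_gaps` demands enough samples to make the variance meaningful, and `max_cv` sets how much jitter an implant can add before it stops looking periodic. Against the constructed log, only the hourly host77.dyndns.example requests from 10.1.1.5 clear all three; the news and mail hosts are either too irregular or too sparse.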