Dailydave: RE: We got owned by the Chinese and didn't even get a"lessons learned"

[Chris <info () delsec net>]

Air gap isnt the best word for this description. It should be considered
more of a complete physical gap. Where no media from one touches the
other. But I think this topic is running wayyy of course.

Dave, can you explain why blocking worm propgation isn't security?

Chris

----------------------------------------
Chris 
Key ID: 7E8DE44E 
info () delsec net
www.delsec.net
----------------------------------------



> -------- Original Message --------
> Subject: Re: [Dailydave] We got owned by the Chinese and didn't even
> get a"lessons learned"
> From: "Halvar Flake" <halvar () gmx de>
> Date: Wed, May 24, 2006 2:20 pm
> To: "Etaoin Shrdlu" <shrdlu () deaddrop org>,
> <dailydave () lists immunitysec com>
>
> Hey all,
>
> > Sure, most of the gov and mil internet facing networks are a lot more lax 
> > than they should be, but the classified stuff (even the stuff classified 
> > at a mere Confidential level) is not there. Not. Look up things like 
> > siprnet.
> So correct me if I am wrong, but would a better way to ferret stuff out of 
> classified
> networks go like this:
> 1) Payload infects other DOC files on the HD and converts them to exploit as 
> well
> 2) Payload does text-search for certain keywords, encrypts the text of the 
> documents
>     it found and adds the encrypted blobs to existing word files (up to a 
> certain size)
>
> While you'd only have limited control about the time and place when data 
> will leak out
> again, anytime they pass a DOC file through the airgap you have a chance of 
> getting
> something useful.
>
> All this very much depends on getting a clean resume on the exploit. Does 
> anyone
> know if the attackers had that ?
>
> Cheers,
> Halvar