Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: firewall-wizards Digest, Vol 64, Issue 3 phishing
From: Dave Piscitello <dave () corecom com>
Date: Sat, 13 Apr 2013 11:30:32 +0200

I suspect that a composite of what Stephen, Kyle and I constructed
yields a reasonable analog for the current and sad state of affairs.

On Sat, Apr 13, 2013 at 3:01 AM, Kyle Creyts <kyle.creyts () gmail com> wrote:
For one, the ship's hull is supposed to have "leaks" because water is
supposed to flow through the hull, this is how this particularly strange
ship operates and provides the passengers with essentials to do their

Otherwise we'd keep it out of the water. (ha ha, air gap)

However, as security folk, we're rather concerned about things that are
toxic to the passengers coming in with the water...

Unfortunately, to most of the systems we use to filter hull intake and
output, protecting the passengers and their belongings, the toxic materials
tend to look a lot like water.

Most of these filters don't even know what the toxins are today. They're
mostly throwback technology from a time before toxins, which only had to
know the difference between water, seaweed, and sand. They know what water
typically looks like, and they'll keep out the seaweed and sand, but we've
told them that we want to let water in.

Some newer systems are a bit better about filtering out the toxins, but they
frequently cost quite a bit, and most ships continue to run without them in

Of course most of the passengers can't distinguish either.

In spite of people running around and announcing the dangers of toxins,
nobody really seems to know how to teach the passengers to identify them,
and most of the passengers are in too big of a hurry to care; drinking one
glass of water with toxins in it probably won't kill them. Besides, many of
them have filters on the faucets. Even if most of the faucet filters can
only catch toxins they've seen before...

Some passengers even bring toxins with them onto the ship.

As others have mentioned, this whole process is only one of many
responsibilities of those responsible for it, if they are even still with
the ship. There are only so many engineers on the boat, they usually have to
be trained to maintain this process or clean up toxins, and they have a lot
of other systems to care for.

On Fri, Apr 12, 2013 at 1:33 AM, Dave Piscitello <dave () corecom com> wrote:


I think your premise - that we are comfortable with this architecture
- is wrong, at least for this choir.

Your analog also only looks at one dimension of the problem space.

- the ship hull is compromised
- the pumps are working because someone thought to enable this
automation, and he's now serving on another ship
- much of the crew are not competent to deal with the crisis, and
don't have the time to fully assess the damage because they are
distracted by requests to solve far less critical issues so that other
of the ship's services remain in operation for the passengers
- the passengers pay no attention to the warnings, alarms, and have no
clue as to how to abandon ship

I suspect that few on this list are comfortable with this scene. The
pump is there for many because it's keeping the ship afloat while we
patch and re-think how to prevent future hull breaches. Part of
re-thinking is coming up with better monitoring (of hull integrity)
and AWS; part is raising competencies among crew, and part is raising
security awareness among passengers. All of these require the
captain's approval and the captain has to empower the officers.

On Thu, Apr 11, 2013 at 8:46 PM, Stephen P. Berry <spb () meshuggeneh net>
Hash: SHA1

John Michealson writes:

Check Point's gateway based AV went cloud based last fall. It has over
signatures. They also have AntiBot, which has hundreds of millions of IP
and hosts classified. They are reclassifying 50k sites/hosts a day with
their ThreatCloud, and ThreatEmulation is in EA. Their Application
has 4900 apps defined locally and 300K in the cloud. Combined with
education these are very effective tools.

Perhaps I just have a bad attitude, but I'm imagining a ship with a
great jagged hole below the water line and a very high output bilge
pump that's almost but not quite keeping up with the flooding.  The ship
doesn't sink -immediately-, and hey that is a pretty impressive pump.
I'm not sure that I'd say that the pump is a very effective tool,
the task I'm actually concerned with isn't---or, I would argue shouldn't
be---pumping water out, which the pump does quite well, but rather with
keeping the ship seaworthy by keeping the water from getting in in the
first place, and the pump doesn't do that at all.

I'm not trying to badmouth Checkpoint here.  I'm sure their product is
wonderful for what it is.  But I find it distressing how comfortable
we've become with living with network architectures that are perpetually
in a state of failure.  That are designed failed.  You speak in glowing
of the monumental efforts expended by Checkpoint.  But while I can
all that hard work, when I see as system that -needs- this sort of
effort -on an ongoing basis- just to continue functioning, I see a
that is fundamentally broken.

- -spb

Version: GnuPG v1.4.10 (GNU/Linux)

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]