NYT covers China cyberthreat

http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all

quite a bit of coverage lately from the media.

http://online.wsj.com/article/SB10001424127887323764804578313101135258708.html
http://www.bbc.co.uk/news/world-asia-pacific-21505803
http://www.npr.org/2013/02/19/172373133/report-links-cyber-attacks-on-u-s-to-chinas-military
http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked

boys and girls, all the cyber-capable countries are cyber-culpable. you
can bet that they are all snooping and attacking each other, the united
states no less than the rest. news at eleven.

randy

We have done our part to China as well, along with other countries, in state-sponsored "hacking". This is more news amusement than newsworthy. The question here should be how much of this is another effort to get a "kill switch" type bill back.

Zaid

An Internet kill switch is a nightmare. We can't even figure out how to run a relay radio system for national emergencies. Now we are going to assume the people who were owned can somehow shut off communications?

We as Americans have plenty of things we have done half-assed. I hope an Internet kill switch doesn't end up being one of them. Build your own private networks; you can't get rooted if someone can't knock. Simple as that.

Don't be lulled into complacency by a private network: all it takes is one thumb-drive or rogue AP and you have a back door. Private networks reduce but do not eliminate attackable surface.

David Barak

This is an improvement over some Russian spies who have their passwords
written down on a piece of paper.

http://www.networkworld.com/news/2010/063010-russian-spy-ring.html?hpg1=bn

<<One of the technical issues the ring faced was described by one suspect
in a message to Moscow reporting on a meeting between two spies "A" and
"M": "Meeting with M went as planned … A passed to M laptop, two flash
drives, and $9K in cash. From what M described, the problem with his
equipment is due to his laptop "hanging"/"freezing" before completion of
the normal program run." >>

Windows XP crappiness, slowing down Russian spies :smiley:

My password at home is "don't be the low hanging fruit".

Every time I read in the news that the USA is funding this or that
cracking group I get a bit angry. That's a world where it is best not to put
money. Better to direct Interpol to stop mafias profiting from it, to
remove money from it. The last thing we want is a "cyber arms race". But
if you don't want one, don't start one.

Well, Warren, I once had a discussion with someone about whether dedicated
DS-1 to tie your SCADA network together were "secure enough" and they asked
me:

"Does it run through a DACS? Where can you program the DACS from?"

Cheers,
-- jra

If you are doing DS0 splitting on the DACS, you'll see that on the other
end (it's not like channelized CAS DS1's or PRI's are difficult to look at
now), assuming you have access to that. If the DACS is an issue, buy the
DACS and lock it up. I was on a .mil project that used old school Coastcom
DI III Mux with RLB cards and FXO/FXS cards; that DACS carried some pretty
top notch traffic and the microwave network (licensed .gov band) brought
it right back to the base that project was owned by. Security is
expensive, because you cannot leverage a service provider model
effectively around it. You can explain the billion dollars you spent on
your global network of CRS-1's, but CRS-1's for a single application
usually are difficult to swallow. I'm not saying that it isn't done EVER,
I'm just saying there are ways to keep your 1998 Red Hat box from
rpc.statd exploitation - unplug aforementioned boxen from the inter webs.

If you created a LAN at your house, disabled all types of insertable
media, and had a decent lock on your front door, it would be pretty
difficult to own that network. Sure, there are spy types that argue EMI
emission from cable etc., but they solved that issue with their tin foil
hats. We broadcast extremely sensitive information (financial, medical,
etc.) to probably 75% of the world's population all day long; if you walk
outside of your house today my signal will be broadcasting down upon sunny
St. Petersburg, Florida. Satellite communications are widely used, the
signal is propagated (from GSO generally) over a relatively wide area and
no one is the wiser. And for those of you who say.. I CAN LOOK AT A
SPEC AN TO FIND THE SIGNAL, MEASURE AND DEMODULATE! Take a look at spread
spectrum TDMA operation - my signal to noise on my returns is often -4 dB
to -6 dB C/N0 and spread at a factor of 4 to 8. They are expensive, but as
far as the planet is concerned they are AWGN. I guess it's my argument
that if you do a good enough job blending a signal into the noise, you are
much more likely to maintain secrecy.

From: "Warren Bailey" <wbailey@satelliteintelligencegroup.com>

We as Americans have plenty of things we have done half-assed. I hope an
Internet kill switch doesn't end up being one of them. Build your own
private networks; you can't get rooted if someone can't knock. Simple
as that.

Well, Warren, I once had a discussion with someone about whether dedicated
DS-1 to tie your SCADA network together were "secure enough" and they asked
me:

"Does it run through a DACS? Where can you program the DACS from?"

Did you open that PDF regarding DACS security?

Hackers take aim at key U.S. infrastructure

CB

From: Warren Bailey [mailto:wbailey@satelliteintelligencegroup.com]

If you are doing DS0 splitting on the DACS, you'll see that on the other
end (it's not like channelized CAS DS1's or PRI's are difficult to look at
now), assuming you have access to that. If the DACS is an issue, buy the
DACS and lock it up. I was on a .mil project that used old school Coastcom
DI III Mux with RLB cards and FXO/FXS cards; that DACS carried some pretty
top notch traffic and the microwave network (licensed .gov band) brought
it right back to the base that project was owned by. Security is
expensive, because you cannot leverage a service provider model
effectively around it. You can explain the billion dollars you spent on
your global network of CRS-1's, but CRS-1's for a single application
usually are difficult to swallow. I'm not saying that it isn't done EVER,
I'm just saying there are ways to keep your 1998 Red Hat box from
rpc.statd exploitation - unplug aforementioned boxen from the inter webs.

Our connections to various .mil and others are private DS1's with full-on end-to-end crypto over them. You can potentially kill our connections, but you're not snooping them or injecting traffic into them.

Jamie

I did not approach the inline encryption units on purpose. Obviously
anything that leaves .mil land not riding something blessed by DISA is
going to have something like a KG on both ends. Generally satellite
systems use TRANSEC, though in our line of work it's an extremely
expensive add-on to an otherwise decent security implementation. I'm not
saying it can NEVER be owned, I'm just saying that 90% of the l33t hax0rs
who are going to look to own something are doing so because it is somehow
exposed to public infrastructure. If I were to put up an SCPC (single
channel per carrier, synonymous with point-to-point circuits) circuit
between point A and B, the persons looking to intercept my traffic would
need to know quite a bit of information about my signals.. origination
point, destination point, modulation, symbol rates, center frequencies, PN
codes, TRANSEC keys, IP layout, etc.

You won't hear me talk about how something is absolutely and completely
secure, but you will hear me preach from the rooftops the application of
technology that many people believe is outdated and abandoned. There is a
reason media providers and MSO's still use satellite to downlink video
signals. The military is still heavily invested in this type of technology
because you are able to completely bypass traditionally used
infrastructure, and utility companies are jumping on the bandwagon as
well. I know of several SCADA (massive power companies) networks that ride
satellite completely for this reason. You can justify the cost and latency
with the security of owning a network that is completely removed from the
usual infrastructure.

The scary part is that so many things got hacked by a bunch of people
who made the totally noob mistake of launching all their attacks from
the same place....

See thread: nanog impossible circuit

Even your leased lines can have packets copied off or injected into them, apparently so easily it can be done by accident.

Many DACS have provision for "monitoring" circuits and feeding the data
off to a third circuit in an undetectable manner.

The DACS question wasn't about DACS owned by the people using the
circuit, it was about DACS inside the circuit provider. When you buy a
DS1 that goes through more than one CO in between two points, you're
virtually guaranteed that it goes through one or more of {DS-3 Mux,
Fiber Mux, DACS, etc.}. All of these are under the control of the circuit
provider and not you.

Owen

Correct, and they expand the attack surface in ways that even many
network engineers may not consider unless prompted.

Cheers,
-- jra

Isn't this a strong argument to deploy and operate a network independent
of the traditional switched circuit provider space?

If you have that option, I suppose that would be one way to solve it.

I, rather, see it as a reason to:
  1. Cryptographically secure links that may be carrying private data.
  2. Rotate cryptographic keys (relatively) often on such links.

YMMV, but I think encryption is a lot cheaper than building a telco. Especially
over long distances.

Owen

This is precisely the value of encryption on point to point links, preferably at the link layer rather than at the IP layer. When coupled with decent end-to-end application-layer encryption on top of that, the value proposition for sniffing traffic from the network drops a whole lot.

David Barak
Need Geek Rock? Try The Franchise:
http://www.listentothefranchise.com
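Owen's two-point recommendation (cryptographically secure the links, rotate the keys often) and David Barak's point about link-layer encryption can be made concrete against the threat the thread describes: a DACS or mux inside the provider's network copying frames off a leased circuit, or injecting frames into it. The following is an added illustration, not code from this thread or from any of the posters: a minimal authenticated link framing in Python's standard library, with per-epoch link keys derived from a shared master secret via HMAC-SHA256, an HMAC-SHA256 keystream in counter mode for confidentiality, and a truncated HMAC tag plus sequence number so that modified, injected or replayed frames are dropped. The master key, the epoch/sequence header layout and the payloads are constructed sample values; a real link encryptor would use a vetted AEAD such as AES-GCM or the KG-style units the posters mention. The point here is only to show what authentication and key rotation buy you: a monitoring tap sees ciphertext, an injected frame fails the tag check, a copied frame fails the sequence check, and a key captured from an old epoch cannot forge frames once the link has rotated.

```python
import hmac
import hashlib
import struct

# Constructed sample master secret shared by both ends of the link (not a real key).
MASTER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

HEADER_LEN = 16   # 8-byte epoch counter + 8-byte sequence number
TAG_LEN = 16      # truncated HMAC-SHA256 authentication tag


def derive_epoch_key(master_key: bytes, epoch: int) -> bytes:
    """Per-epoch link key: bumping the epoch counter yields an unrelated key."""
    return hmac.new(master_key, b"link-epoch" + struct.pack(">Q", epoch),
                    hashlib.sha256).digest()


def _keystream(key: bytes, header: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode; the (epoch, seq) header is the nonce."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + header + struct.pack(">I", block),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def _tag(key: bytes, header: bytes, ciphertext: bytes) -> bytes:
    """Tag covers header and ciphertext so neither can be altered in transit."""
    return hmac.new(key, b"mac" + header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]


def seal_frame_with_key(epoch_key: bytes, epoch: int, seq: int, payload: bytes) -> bytes:
    """Build frame = header || ciphertext || tag from an already-derived epoch key."""
    header = struct.pack(">QQ", epoch, seq)
    stream = _keystream(epoch_key, header, len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, stream))
    return header + ciphertext + _tag(epoch_key, header, ciphertext)


def seal_frame(master_key: bytes, epoch: int, seq: int, payload: bytes) -> bytes:
    """Sending side: derive the current epoch key and seal one frame."""
    return seal_frame_with_key(derive_epoch_key(master_key, epoch), epoch, seq, payload)


class LinkReceiver:
    """Receiving side: verifies the tag, enforces epoch monotonicity, rejects replays."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.current_epoch = 0
        self.last_seq = {}   # epoch -> highest sequence number accepted so far

    def open_frame(self, frame: bytes):
        """Return the decrypted payload, or None if the frame must be dropped."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None
        header = frame[:HEADER_LEN]
        ciphertext = frame[HEADER_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        epoch, seq = struct.unpack(">QQ", header)
        key = derive_epoch_key(self.master_key, epoch)
        # Authenticate first: frames injected or modified on the circuit stop here.
        if not hmac.compare_digest(tag, _tag(key, header, ciphertext)):
            return None
        # Key rotation: once the link has moved to a newer epoch, older epochs are dead.
        if epoch < self.current_epoch:
            return None
        self.current_epoch = epoch
        # Replay protection: a frame copied off the line and re-injected carries a stale seq.
        if seq <= self.last_seq.get(epoch, -1):
            return None
        self.last_seq[epoch] = seq
        stream = _keystream(key, header, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    rx = LinkReceiver(MASTER_KEY)
    good = seal_frame(MASTER_KEY, 0, 1, b"status poll")
    print("legit frame       :", rx.open_frame(good))
    print("replayed frame    :", rx.open_frame(good))
    tampered = bytearray(good)
    tampered[HEADER_LEN] ^= 0x01          # flip one ciphertext bit
    print("modified frame    :", rx.open_frame(bytes(tampered)))
    stale_key = derive_epoch_key(MASTER_KEY, 0)
    print("forged w/ old key :", rx.open_frame(seal_frame_with_key(stale_key, 1, 1, b"forged")))
    print("epoch 1 frame     :", rx.open_frame(seal_frame(MASTER_KEY, 1, 1, b"ack")))
    print("epoch 0 after rotation:", rx.open_frame(seal_frame(MASTER_KEY, 0, 2, b"late")))
```

The epoch counter is what makes rotation cheap: both ends derive the new key from the shared secret, so no key material crosses the circuit, and the receiver simply refuses anything tagged with an epoch it has already left behind. Application-layer encryption on top of this, as David Barak suggests, means a compromise of the link key still exposes only ciphertext.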

This is especially true with pseudo-wire and MPLS. Most of my equipment can do filter-based mirroring to alternative MPLS circuits where I can drop packets into my analyzers. If I misconfigure, those packets could easily find themselves back on public networks.

Jack