Overclockers Australia Forums

Old 12th October 2017, 5:22 PM   #26866
itsmydamnation

Quote:
Originally Posted by elvis View Post
Appears to be working well. Not much in the news of late of high profile public sector fuck ups. #qldhealthfail #censusfail #absfail #atofail #youwannaseemyspyplanecadfiles
Not to be that guy, but aren't #censusfail #absfail the same thing?

Also aircraft design files aren't classified very high or cared about.

The stuff they actually care about (war fighting) is on networks that don't have links to the internet / one-way data diodes.
Old 12th October 2017, 5:24 PM   #26867
millsy_c

Based on phone calls I received vetting a mate of mine who was doing aircraft maintenance for the military, I would assume they're classified at around the Secret level or higher.
Old 12th October 2017, 5:26 PM   #26868
Daemon

Quote:
Originally Posted by GumbyNoTalent View Post
Of course not, because surfing the web is downloaded traffic, not uploaded traffic, whereas the 30GB was uploaded somewhere else. I hope this helps you understand the two differences in classification of traffic.
Let me know, however, how you determine the difference when there are constant websocket streams to hundreds of servers across a 50-user network; how would you differentiate a drip-fed exfil to a distributed system?

What system would you use to detect the anomaly?

Again, only the most immature hacker will be simply chugging the data out at full speed, and those sorts are rarities. Even the halfway clever ones are going to limit the bandwidth to stay under the noise floor, and they know non-HTTP-based ports are generally blocked. It's so trivial to stream data over an HTTP connection which looks exactly like other traffic, and the programs to do so are easily available.

Quote:
Originally Posted by GumbyNoTalent View Post
EDIT: I understand your viewpoint, let's put it into perspective.

I have worked in places where you weren't allowed to do the following;
I used to design and get the places you probably worked in to those standards, including SCIFs. I understand security very well and hence I know exactly why classified systems have an air gap in place.

It doesn't mean a thing however when it comes to a standard business network, other than financial and commercial embarrassment.

You're not going to detect exfil done correctly, it's as simple as that. If they've already gained access to your network then it's a case of game over. I have worked on and had to analyse the root cause for hundreds of compromised systems where the company / government entity wasn't aware. Even when they've had someone employed in ITSM / CSO roles, and UTM, SIEM etc. all deployed, it's still not enough. It's the equivalent of trying to catch a bullet after someone's shot at you; to think you can do anything effective is just fanciful.

Quote:
Originally Posted by millsy_c View Post
Based on phone calls I received vetting a mate of mine who was doing aircraft maintenance for the military, I would assume they're classified at around the Secret level or higher.
Commercial data only, not classified data.
Old 12th October 2017, 5:30 PM   #26869
millsy_c

That is of course where having a good threat model kicks in, and designing controls appropriately. If you assume data can be exfiltrated undetected, and adversaries will be using 0days to pivot, you go from there. It's all layers. Any sufficiently advanced adversary is going to be almost impossible to detect; look at Kaspersky with their infection. Almost entirely resident in memory, relied on kernel 0days for infecting systems, bugger-all comms.

Once the Mossad is on the table all bets are off, and with the ever-increasing amount of automation happening the attack surface will continue to increase.

Though as evidenced in the USA, people walking out with data seem to continue to be the bigger threats.
Old 12th October 2017, 5:57 PM   #26870
Luke212

Quote:
Originally Posted by Daemon View Post
I'm currently processing large amounts of network data with about 5 different tools at present, including systems which use Holt-Winters, machine learning etc. for anomaly detection. Nothing works well enough yet because traffic patterns on a low level will never conform to a predictable pattern. Think about mapping user traffic: on a large scale it's trivial to see patterns (i.e. busy 8am onwards, drops off at 5pm) but if you had to write an algorithm to map out 100% of user behaviours per 5 minutes it's impossible.
You're pretty much describing how random walk works in financial markets. So if your ML can detect events in your data you probably should get outta IT and work for a hedge fund.
Old 12th October 2017, 6:08 PM   #26871
PabloEscobar

Quote:
Originally Posted by millsy_c View Post
To be honest it's all a bit of a moot point really, the amount of confidential stuff that staff leak accidentally or by uploading to stuff like VirusTotal etc. is probably a way bigger risk!
*Cough* Or Kaspersky to the KGB *Cough*

Quote:
Originally Posted by millsy_c View Post
I was impressed at one org I worked with, which captured every DNS request generated globally on their workstations and analysed them looking for data exfiltration over DNS. A truly gigantic amount of data to sift through, and overall probably pretty limited value.
How many false positives were generated... One of our endpoints used DNS for its signature lookups... Your DNS request checking system would have probably generated a fucktonne of alerts for it.

Quote:
Originally Posted by GumbyNoTalent View Post
3) Send any information outside of the internal network.
What was in place as far as DLP goes for this?

Right now, I'm sending the text of this post "outside the internal network". Could you post to forums?

Could you make GET requests to HTTPS sites? Or did it simply have no internet connection?


Quote:
Originally Posted by millsy_c View Post
Once the Mossad is on the table all bets are off, and with the ever increasing amount of automation happening the attack surface will continue to increase.
NotPetya demonstrated that getting caught in the crossfire of state actors performing cyberwarfare IS going to happen. You don't need to be a target of Russia to find yourself up against high-level state-sponsored cybersex.
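The kind of DNS exfiltration check the two posts above argue about, as an added example (not code from the thread or from the org mentioned): it scores DNS query logs per client and zone for many distinct, long, high-entropy leftmost labels, and shows how an allowlist of known DNS-based lookup services, like the endpoint signature lookups mentioned above, keeps them from flooding the result with alerts. The domain names, client IPs and log format are constructed; a real deployment would use the Public Suffix List to find the registrable zone.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample data (not from the thread): one "<client> <qname>" per line.
# 10.0.0.5 browses normally; 10.0.0.7 runs an endpoint agent that looks up file
# hashes as DNS labels (legitimate but noisy); 10.0.0.9 trickles hex-encoded
# chunks out through an attacker-controlled zone.
def _hexlabel(seed: str) -> str:
    return hashlib.sha256(seed.encode()).hexdigest()[:32]

SAMPLE_LOG = (
    ["10.0.0.5 www.example.com", "10.0.0.5 mail.example.com",
     "10.0.0.5 cdn.example.net", "10.0.0.5 www.example.org"]
    + [f"10.0.0.7 {_hexlabel(f'hash{i}')}.sigs.example-av.test" for i in range(12)]
    + [f"10.0.0.9 {_hexlabel(f'chunk{i}')}.exfil-example.test" for i in range(12)]
)

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores far above real words."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in freq.values())

def zone(qname: str) -> str:
    """Approximate registrable domain (last two labels). A real tool would use
    the Public Suffix List so that e.g. example.com.au is handled correctly."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def detect(lines, allowlist=frozenset(), min_unique=8, min_len=20, min_entropy=3.0):
    """Flag (client, zone) pairs whose leftmost labels look like encoded data:
    many distinct, long, high-entropy labels under one zone. Zones on the
    allowlist (known DNS-based lookup services) are skipped to cut false positives."""
    stats = defaultdict(lambda: {"labels": set(), "len": 0, "ent": 0.0, "n": 0})
    for line in lines:
        client, qname = line.split()
        z = zone(qname)
        if z in allowlist:
            continue
        label = qname.split(".")[0]
        s = stats[(client, z)]
        s["labels"].add(label)
        s["len"] += len(label)
        s["ent"] += shannon_entropy(label)
        s["n"] += 1
    flagged = []
    for key, s in stats.items():
        if (len(s["labels"]) >= min_unique
                and s["len"] / s["n"] >= min_len
                and s["ent"] / s["n"] >= min_entropy):
            flagged.append(key)
    return sorted(flagged)
```

Without the allowlist the hash-lookup agent on 10.0.0.7 is flagged alongside the real exfil; with `example-av.test` allowlisted only the exfil zone remains.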
Old 12th October 2017, 7:50 PM   #26872
EvilGenius

................................

Old 12th October 2017, 8:04 PM   #26873
itsmydamnation

Quote:
Originally Posted by millsy_c View Post
Based on phone calls I received vetting a mate of mine who was doing aircraft maintenance for the military, I would assume they're classified at around the Secret level or higher.
Nope, not really. Remember a platform is a bunch of really highly protected black-box devices connected together; the manuals for the bit that connects everything together aren't that important.

You then have the black boxes, the strategic and tactical information. Defence likely doesn't have access to many of the black boxes' internal details, and the other types of information are classified at the level required (tactical ~S, strategic ~TS).

Airside can be funny because it's unclass, S and TS all at the same time.
Old 12th October 2017, 8:07 PM   #26874
elvis

Quote:
Originally Posted by itsmydamnation View Post
Also aircraft design files aren't classified very high or cared about.

The stuff they actually care about(war fighting) is on networks that dont have links to the internet/ one way data diodes.
So.... we don't care about 30GB of data walking out the door from a company that does work for the military? Like, we're just so numb to this shit now, that it rates as "meh"?

Sign of the times, I guess.
Old 12th October 2017, 8:15 PM   #26875
connico

Quote:
Originally Posted by elvis View Post
So.... we don't care about 30GB of data walking out the door from a company that does work for the military? Like, we're just so numb to this shit now, that it rates as "meh"?

Sign of the times, I guess.
admin / admin

that's the sign of the times...

we just recently encouraged a very large banking corporate to change the way their passwords work, move towards a more Google type of pass system if you know what I mean... was rejected all around by the board members... as it was too complicated... maybe I shouldn't have shown what a typical one-use key password looked like...
Old 12th October 2017, 8:22 PM   #26876
itsmydamnation

Quote:
Originally Posted by elvis View Post
So.... we don't care about 30GB of data walking out the door from a company that does work for the military? Like, we're just so numb to this shit now, that it rates as "meh"?

Sign of the times, I guess.
It's not a sign of the times, it has always been this way. That's the entire point of ACSI 33/ISM etc. It's about figuring out what is really worth protecting and putting in controls to actually protect it (the best controls are physical). From a Government point of view the data loss that really actually matters to them is intelligence and strategic planning. From there it's a slippery downward slope. Yeah, losing every member of the public's private details would be embarrassing, but compared to the day before that event, the threat profile to the country hasn't really changed.
Old 12th October 2017, 10:09 PM   #26877
Daemon

Quote:
Originally Posted by itsmydamnation View Post
It's not a sign of the times, it has always been this way. That's the entire point of ACSI 33/ISM etc. It's about figuring out what is really worth protecting and putting in controls to actually protect it (the best controls are physical). From a Government point of view the data loss that really actually matters to them is intelligence and strategic planning. From there it's a slippery downward slope. Yeah, losing every member of the public's private details would be embarrassing, but compared to the day before that event, the threat profile to the country hasn't really changed.
This. You can virtually ignore the fact that it's a Defence-related company, that's just what makes it sexy for the news channels. It's embarrassing, yes, and you should expect that they know more about security than other businesses... but it's not the case. From a commercial viability and reputation perspective these sorts of companies should take basic security of their unclassified systems far more seriously, but they don't because that's always been the norm for smaller businesses.

Medical and financial companies are just as bad; I've seen passwords in both sorts of organisations as weak as "Password1". I really didn't think people used anything that simple until I had to investigate breaches... and the reality would horrify people like elvis.

Oh, and govt organisations: I know of at least two with a system which had admin / admin with zero firewall / DMZ. It's normally the excuse of "it was just to set it up" and 2 years later they forgot. It's why having a strong security ethos within a company takes real dedication; users are there at every step to place barriers in front of you.

I'm all for welcoming our AI overlords to control all things IT, just wish they'd hurry up!
Old 13th October 2017, 7:39 AM   #26878
elvis

Quote:
Originally Posted by itsmydamnation View Post
It's not a sign of the times, it has always been this way. That's the entire point of ACSI 33/ISM etc. It's about figuring out what is really worth protecting and putting in controls to actually protect it (the best controls are physical). From a Government point of view the data loss that really actually matters to them is intelligence and strategic planning. From there it's a slippery downward slope. Yeah, losing every member of the public's private details would be embarrassing, but compared to the day before that event, the threat profile to the country hasn't really changed.
While your response is highly clinical, my comments were more aligned with basic give-a-shit and personal integrity.

The fact that shit gets hacked at the rate it does because absolute basic 101-style suggestions are not followed is alarming.

Although the fact that so many people are not alarmed (some borderline catatonic) is where my "sign of the times" comment comes from. I've worked for some pretty fucking banal businesses in my time, but I sure as shit didn't have unpatched servers and admin/admin type crap going on there.

The attitude from higher in the chain is even more concerning. Turnbull wants a national identification database. People said "what about the security of that database?". Turnbull replies:

"You can't allow the risk of hacking to prevent you from doing everything you can to keep Australians safe."

http://www.smh.com.au/federal-politi...03-gytshq.html

Top answer, boss. Zero fucks given from our PM. That's just super.

This whole industry is fucked from top to bottom.

Old 13th October 2017, 7:42 AM   #26879
Doc-of-FC

Quote:
Originally Posted by Daemon View Post
I'm all for welcoming our AI overlords to control all things IT, just wish they'd hurry up!
black box, otherwise users will bias the engine to ensure pwd == username
Old 13th October 2017, 7:44 AM   #26880
power

Quote:
Originally Posted by elvis View Post
"You can't allow the risk of hacking to prevent you from doing everything you can to keep Australians safe."
surely he understands what he just said, surely.