RE: [Dailydave] We got owned by the Chinese and didn't even get a"lessons learned"
From: Chris (info delsec.net)
Date: Wed May 24 2006 - 16:40:19 CDT
Air gap isn't the best word for this description. It should be considered
more of a complete physical gap, where no media from one touches the
other. But I think this topic is running wayyy off course.
Dave, can you explain why blocking worm propagation isn't security?
Chris
----------------------------------------
Chris
Key ID: 7E8DE44E
info delsec.net
www.delsec.net
----------------------------------------
> -------- Original Message --------
> Subject: Re: [Dailydave] We got owned by the Chinese and didn't even
> get a"lessons learned"
> From: "Halvar Flake" <halvar gmx.de>
> Date: Wed, May 24, 2006 2:20 pm
> To: "Etaoin Shrdlu" <shrdlu deaddrop.org>,
> <dailydave lists.immunitysec.com>
>
> Hey all,
>
> > Sure, most of the gov and mil internet facing networks are a lot more lax
> > than they should be, but the classified stuff (even the stuff classified
> > at a mere Confidential level) is not there. Not. Look up things like
> > siprnet.
>
> So correct me if I am wrong, but would a better way to ferret stuff out of
> classified networks go like this:
> 1) Payload infects other DOC files on the HD and converts them to exploit as
> well
> 2) Payload does text-search for certain keywords, encrypts the text of the
> documents it found and adds the encrypted blobs to existing word files (up
> to a certain size)
>
> While you'd only have limited control about the time and place when data
> will leak out again, anytime they pass a DOC file through the airgap you
> have a chance of getting something useful.
>
> All this very much depends on getting a clean resume on the exploit. Does
> anyone know if the attackers had that?
>
> Cheers,
> Halvar