Comments on Jeremiah Grossman: Web-based systems vs. Advanced Persistent Threat

Anonymous, 2010-01-15 16:40:

"The fact that the U.S. government is moving their system in this direction really concerns me."

Sure, if the government is moving towards using standard consumer "gmail" it's concerning. On the other hand, if they are using an air-gapped Google-hosted Gmail instance that is only available via encrypted VPN sessions originating from approved government networks, with appropriate encryption for "data at rest", I'd tend to be less concerned.

@Jim - There are any number of simple ways to attack Google or any other company from anywhere in the world and appear to come from wherever you would like (even if you went to the extreme of blocking all of the China net-blocks, as some have suggested on the mailing lists).

Requiring the use of proxies or tunnels doesn't protect you from what we are calling "APTs" (although it might provide some small risk reduction against spammers, malware, script kiddies and the like, at the cost of annoying 1/6 of the world's population).

I suspect that this attack merely provides Google with a convenient excuse to do what they wanted to do anyway.

Jim Manico, 2010-01-14 12:44:

Fair enough, Jeremiah. But I do think one of the main reasons that Google is considering pulling out of China is because they cannot cost-effectively defend against this adversary.

Jeremiah Grossman, 2010-01-14 06:49:

@Russell, thank you. Re: "what responsibility should Google and the other web service business have in disclosing their threat models"

For myself, this appears to be a market opportunity that providers may capitalize on. This opens the door to differentiate based upon security. If threat models are important to a customer, they can ask for them, and might even get them.

@Jim, if properly motivated to do so, I believe we have the ability to reasonably fend off APTs. Is the security investment worth it for free web-based services? Eh... not so much.

Jim Manico, 2010-01-13 21:09:

Jeremiah,

Good post. Now, keep in mind - this isn't just any ol' APT, this is most likely the Chinese government (CAPT). We are talking nearly unlimited resources and offense-based talent. When facing this kind of adversary, there does not seem to be any way to win (defend) with today's current state of defensive technologies.

Russell Thomas (http://newschoolsecurity.com/author/russell/), 2010-01-13 12:58:

Great post, J. I'm also reminded of Brian Snow's 2005 paper "We Need Assurance" (http://www.acsac.org/2005/papers/Snow.pdf). He gave a very compelling explanation of the difference between an opportunistic attacker who trolls for the weakest link and the targeted, determined attacker.

As I usually do, I'm thinking about this problem from the perspective of risk management. Shifting to "web-based systems" (web service providers) only makes risk management more important, but also harder. If all your IT services are in-house, then you can focus on the possible threat agents who might go after your business. But if you are using web-based services, then you have to think through all the threat agents who might have something to gain by attacking each of your web service providers. Thus, a small business that uses Google Docs, Gmail, etc. now has to *actively* consider the nation-state threat agents that might attack Google, as in this case (or, more precisely, both state and non-state APTs).

Spinning this around, what responsibility should Google and the other web service businesses have in disclosing their threat models, to allow their customers to do rational risk analysis? It may be that the only way this will happen is either via regulatory mandate or some sort of risk pooling or shared liability for both the web service provider and its customers.

Jeremiah Grossman, 2010-01-13 12:10:

@Jack, thanks. To me, the "sophisticated" and cool stuff is what will be used against us in the future, when all the easy stuff of today is exhausted. That's a primary reason why I track it via the Top Ten Web Hacking list effort. I like to be a little ahead of the curve. :)

Jack Mannino, 2010-01-13 11:36:

Good post. The ideas you presented, as well as Richard's, echo a lot of the things I've tried to drive home to various groups. The timing couldn't be better, actually, as I'm giving a talk next month raising a lot of the same issues.

The scariest part that I think many fail to realize is that the "sophisticated" and cool stuff isn't always required. If one application in an SSO environment allows you to reset a user's password through a poorly implemented "Forgot Password" function, it's pretty much game over if your sole motivation is harvesting sensitive data.