sarehu
Apr 20, 2007

(call/cc call/cc)

ExcessBLarg! posted:

Prime numbers exist above 10,000, so the claim that 9533 is the largest prime is pretty laughable. As for why, I'm not a Mathematician so I won't explain it in a rigorous way, but intuitively there's nothing particularly special about "10,000" to think that there aren't prime numbers larger than that.
Um. The problem is, you can't just be greater than 10,000. You also have to be greater than 9,999, 9,898, and 9,876. That makes the barrier a bit thicker.


RISCy Business
Jun 17, 2015

bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork
Fun Shoe
related to the recent dell stuff, i was just linked this: http://rol.im/dell/

arbitrary service tag disclosure via dell's "tribbles" software.

RISCy Business
Jun 17, 2015

also, seems that a new POS malware that is extremely sophisticated is making the rounds: https://thestack.com/security/2015/11/24/modpos-retail-malware-is-not-the-work-of-script-kiddies/

quote:

‘ModPOS is highly modular and can be configured to target specific systems with components such as uploader/downloader, keylogger, POS RAM scraper and custom plugins for credential theft and other specialized functions like network reconnaissance. We believe other capabilities could also be leveraged. The modules are packed kernel drivers that use multiple methods of obfuscation and encryption to evade even the most sophisticated security controls.’

:stare:

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

deep impact on vhs posted:

also, seems that a new POS malware that is extremely sophisticated is making the rounds: https://thestack.com/security/2015/11/24/modpos-retail-malware-is-not-the-work-of-script-kiddies/


:stare:

Not particularly special in terms of its capabilities, but it has been floating about for a while it appears. Here's some links to look at:

https://www.virustotal.com/en/ip-address/130.0.237.22/information/
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121211-5404-99&tabid=2

I can't share the report directly as it's tied to my work account, but I can share excerpts:

quote:

iSIGHT Partners has been tracking a sophisticated malware framework with individual modules that are difficult to detect and are typically packed kernel drivers, suggesting the malware author’s sophistication level is high.

One module of this framework has been observed capturing credit card track data out of memory and associating itself to a point-of-sale (POS) environment. This indicates possible targeting of any sector that uses POS systems, including retail, food services, hospitality and health care.

It should be noted that it has probably been picked up in the wild by an AV vendor well before this report came out (as per my previous links) but iSIGHT is the first team to figure out what is going on here.

quote:

This driver contains the actual POS scraper code that collects credit card track data from memory. We believe the malware authors target specific POS software processes; however, in one sample we observed the malware injecting code into credit.exe and hooking the “__vbaStrCopy” function. Stolen credit card data is AES-256 encrypted and stored in the Windows Installer directory using random characters for the filename and a “.bin” filename extension, such as C:\WINDOWS\Installer\{GUID}_<random_characters>.bin.

A “.dat” file may also be created in this same directory. Encrypted status logs are stored in Temp using a .temp filename extension. A .bin file may also be created in this same directory.

Lain Iwakura fucked around with this message at 00:23 on Nov 25, 2015
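An added example, not from the thread or from the iSIGHT report: a small hunt script for the two artifacts the excerpt names. It scans a memory buffer for Luhn-valid track 1/track 2 records (what the scraper is looking for, and what a responder greps a process dump for) and flags files under the Installer directory matching the {GUID}_<random>.bin/.dat pattern. The memory buffer, the directory listing and the GUID are constructed; the regexes and the "baseline first" advice are the editor's assumptions, not the report's.

```python
"""
Hunt for the two ModPOS artifacts named in the iSIGHT excerpt above:
track data scraped from process memory, and the encrypted drop files
under the Windows Installer directory. All input here is constructed;
nothing is read from a live host.
"""
import re

# Magnetic-stripe track layouts (ISO/IEC 7813): track 1 is
# %B<PAN>^<NAME>^<YYMM>..., track 2 is ;<PAN>=<YYMM><service code>...
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})")
TRACK2_RE = re.compile(rb"(?<!\d)(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})")

# Drop-file pattern from the excerpt: C:\WINDOWS\Installer\{GUID}_<random>.bin,
# sometimes with a .dat sibling. Legitimate MSI caching uses {GUID}
# subdirectories and hex-named .msi/.msp files, so a {GUID}_xxx.bin sitting
# directly in the Installer directory is worth a look (assumption: baseline
# against a known-good host before alerting on it).
DROPFILE_RE = re.compile(
    r"^[a-z]:\\windows\\installer\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}_[^\\]+\.(?:bin|dat)$",
    re.IGNORECASE,
)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit; drops most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only BIN and last four so the hunt output is not itself cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes):
    """Return Luhn-valid track 1/2 hits in a memory buffer, ordered by offset."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if luhn_ok(pan):
                hits.append({"offset": m.start(), "track": track,
                             "pan": mask(pan), "exp": m.group("exp").decode()})
    return sorted(hits, key=lambda h: h["offset"])


def suspicious_installer_files(paths):
    """Return paths matching the {GUID}_<random>.bin/.dat drop-file pattern."""
    return [p for p in paths if DROPFILE_RE.match(p)]


# Constructed sample: a slice of process memory with one track 1 record, one
# track 2 record (both on the 4111... test PAN) and a Luhn-invalid digit run
# that a naive regex would report.
SAMPLE_MEMORY = (
    b"\x00\x00credit.exe\x00"
    b"%B4111111111111111^DOE/JOHN^2512101100000000?"
    b"\x00\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00 1234567890123456=2512101 \x00"
)

# Constructed directory listing (GUID and random suffix are made up).
SAMPLE_LISTING = [
    r"C:\WINDOWS\Installer\1a2b3c.msi",
    r"C:\WINDOWS\Installer\{E3F9B6A1-6B2D-4C6A-9F1E-0C2D3E4F5A6B}\ARPPRODUCTICON.exe",
    r"C:\WINDOWS\Installer\{E3F9B6A1-6B2D-4C6A-9F1E-0C2D3E4F5A6B}_kq7x2m.bin",
    r"C:\WINDOWS\Installer\{E3F9B6A1-6B2D-4C6A-9F1E-0C2D3E4F5A6B}_kq7x2m.dat",
]

if __name__ == "__main__":
    for h in find_track_data(SAMPLE_MEMORY):
        print(f"track {h['track']} at +{h['offset']}: {h['pan']} exp {h['exp']}")
    for p in suspicious_installer_files(SAMPLE_LISTING):
        print("drop file candidate:", p)
```

Run it over a dump of the POS process rather than the whole box, expect hits from anything that caches test cards, and baseline the Installer directory on a clean image before turning the drop-file pattern into an alert.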

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

OSI bean dip posted:

Not particularly special in terms of its capabilities, but it has been floating about for a while it appears. Here's some links to look at:

https://www.virustotal.com/en/ip-address/130.0.237.22/information/
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121211-5404-99&tabid=2

I can't share the report directly as it's tied to my work account, but I can share excerpts:


It should be noted that it has probably been picked up in the wild by an AV vendor well before this report came out (as per my previous links) but iSIGHT is the first team to figure out what is going on here.

This is precisely why our credit data does not hit our internal systems at retail locations, it (somewhat) traverses the same network, segmented via VLAN to the router and goes straight out to the credit processor. We USED to handle credit reconciliation, but decided to get out of the extreme PCI hell (and legal liability) and pay a 3rd party to assume the risk. basically you swipe a card on the verifone, it's segmented on say VLAN 3 which nothing else lives on, and that heads from switch to router and off to credit processor, our hands are (mostly) wiped clean of all those shenanigans.

M_Gargantua
Oct 16, 2006

STOMP'N ON INTO THE POWERLINES

Exciting Lemon
I was wondering something about the practical side of security for disk encryption. If I don't have FDE equipped drives is it more secure to use software based encryption on the whole drive and have encrypted containers on it or to have multiple logical volumes encrypted with different passwords.

My use is very mundane. Mostly I want to have my music on the same drive as everything else, but have everything on the drive encrypted. I want to get back to using encryption as a common part of my habits. So should I have the mundane items on a separate logical volume or is bundling it all together equally secure? Probably going to go with Veracrypt unless there's something glaring that I haven't turned up?

RISCy Business
Jun 17, 2015

i honestly don't know, that's kind of a weird setup since i'm used to people either encrypting everything or nothing.

is this going to be for linux or something else?

RISCy Business
Jun 17, 2015

ok, i misread your post, sorry

i think you're overthinking this- you're better off using dm-crypt if you're on linux; as for windows/mac, i really don't know since i haven't really used encryption on either (don't own any macs and my gaming pc doesn't need to be encrypted)

Antillie
Mar 14, 2015

I don't see much reason to bother splitting data up between multiple encrypted volumes if each of them is going to use the same encryption and have a password of equal complexity. I guess having multiple volumes would force an attacker to try and break each one individually but breaking just one should be essentially impossible anyway. And if some flaw in VeraCrypt/TrueCrypt allows an attacker to break one volume easily they would be able to break multiple volumes the same way anyway.

For me the question would be whether or not to have a separate or even an unencrypted volume for the OS. If I have an unencrypted volume for the OS then I can boot the machine and use it for basic things like web surfing and email without needing to mount the encrypted data volume. This allows other people to use the PC without needing to know a password and it keeps your encrypted data safe and unmounted when you are not using it. The downside of course is that you, and other people, can use the PC without needing a password and poke around on the OS drive all they like and look for stuff that you might have accidentally saved there and forgotten to move to the encrypted volume.

If you encrypt the entire drive, OS and all, then you would need to enter the password for the encryption every time the machine boots up. This is nice for keeping people from using your PC but it could get annoying if you ever have to reboot frequently for any reason. It also means that your data is mounted and accessible at all times when the machine is running. This is convenient but also reduces the security of your data as VeraCrypt/TrueCrypt are intended to secure data at rest when the volume is not mounted.

I think the best of both worlds would probably be to have the OS on one volume and your data on another volume with both volumes encrypted with very different passwords. That way you can give out the OS volume password to people who you want to allow to use the PC and it keeps random people from poking around on the OS drive without the password. And your data is still safely unmounted when you are not using it but simply checking your email or whatever.

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib
How common is DNS-based command and control / data exfiltration at this point? Does it only show up in APT-level attacks or has it started to filter down to more off-the-shelf type malware?

Lain Iwakura
Aug 5, 2004


wyoak posted:

How common is DNS-based command and control / data exfiltration at this point? Does it only show up in APT-level attacks or has it started to filter down to more off-the-shelf type malware?

Here's a question for you: what is an APT and why do you use that term?

wyoak
Feb 14, 2005


OSI bean dip posted:

Here's a question for you: what is an APT and why do you use that term?
It's a bad acronym, but I mean high level attacks that are aimed specifically at a certain target.

Actually just ignore that part completely, how common is communication over DNS these days?

wyoak fucked around with this message at 20:38 on Nov 25, 2015

Pile Of Garbage
May 28, 2007



Not very, assuming you're referring to "tunnelling" via udp/53 for the purpose of exfil/C&C. It's extremely easy to spot and there are far better methods available.

sarehu
Apr 20, 2007


M_Gargantua posted:

I was wondering something about the practical side of security for disk encryption. If I don't have FDE equipped drives is it more secure to use software based encryption on the whole drive and have encrypted containers on it or to have multiple logical volumes encrypted with different passwords.

Encrypt the whole thing, enter your password at boot. Do bitlocker with the whole drive, or whole of C: or whatever, or VeraCrypt, or do the Linux version where you install it with one (1) encrypted LVM. Your swap partition should be encrypted, your "OS" stuff should be encrypted, all under the same thing, because what if it writes data there, like some log file or Tmp file?

The whole purpose of this is if somebody steals your laptop from your car, or breaks into your house and steals your computer. Nobody's gonna cold-boot your stuff, you aren't going to get held up at gunpoint and be thankful your "important" stuff is on a different VM that was locked at the moment. (If that were a realistic concern, you should be using a completely separate computer.)
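An added check to go with the advice above, not code from the thread: it walks `lsblk --json` output and reports any mounted filesystem or swap that is not beneath a dm-crypt device, treating /boot as the only tolerated exception (an assumption; change ALLOWED_PLAIN if you keep /boot encrypted as well). The sample tree is constructed to look like a LUKS-then-LVM install with an unencrypted second disk; BitLocker and VeraCrypt on Windows are outside what lsblk can see.

```python
"""
Check that everything the OS mounts (and swap) sits on a dm-crypt device,
with /boot as the only tolerated exception. Parses `lsblk --json` output;
the sample below is constructed to look like a LUKS-then-LVM install plus
an unencrypted second disk.
"""
import json
import subprocess

ALLOWED_PLAIN = ("/boot", "/boot/efi")   # assumption: bootloader pieces stay unencrypted


def unencrypted_mounts(tree, allowed=ALLOWED_PLAIN):
    """Return [(device, mountpoint)] for mounted filesystems and swap with no 'crypt' ancestor."""
    findings = []

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        mp = node.get("mountpoint")
        if mp and not under_crypt and mp not in allowed:
            findings.append((node["name"], mp))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in tree["blockdevices"]:
        walk(dev, False)
    return findings


def live_lsblk():
    """Run lsblk on the current host (Linux only)."""
    out = subprocess.run(["lsblk", "--json", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed lsblk --json output: sda2 -> LUKS -> LVM (root, swap, home),
# /boot left plain on sda1, and an unencrypted data disk sdb. lsblk reports
# swap as mountpoint "[SWAP]".
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"},
        {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}
      ]}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/data"}
  ]}
]}
""")

if __name__ == "__main__":
    import sys
    tree = live_lsblk() if "--live" in sys.argv else SAMPLE_LSBLK
    for dev, mp in unencrypted_mounts(tree):
        print(f"{mp} on {dev} is not on a dm-crypt device")
```

Run it with `--live` on the machine after install; the thing it catches in practice is a swap partition or a second data disk that the installer left plain, which is the "what if it writes data there" case above.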

dougdrums
Feb 25, 2005
CLIENT REQUESTED ELECTRONIC FUNDING RECEIPT (FUNDS NOW)

Mr Chips posted:

Can you explain the mathematics for the first bit for everyone else who's interested in understanding why?

This is Euclid's theorem. (In this case, Wikipedia probably has a simpler explanation, next to scanning a textbook.)

Also, small primes can be easily guessed, which is supposed to be the hard part about RSA.

M_Gargantua posted:

I was wondering something about the practical side of security for disk encryption. If I don't have FDE equipped drives is it more secure to use software based encryption on the whole drive and have encrypted containers on it or to have multiple logical volumes encrypted with different passwords.

My use is very mundane. Mostly I want to have my music on the same drive as everything else, but have everything on the drive encrypted. I want to get back to using encryption as a common part of my habits. So should I have the mundane items on a separate logical volume or is bundling it all together equally secure? Probably going to go with Veracrypt unless there's something glaring that I haven't turned up?

I don't think there's any reason not to just encrypt everything. I'm not sure what the windows equivalent is, but I've used the single group LVM/LUKS approach sarehu mentioned without any issues, and without doubting it. You only need one key, too. I also wouldn't trust the OS to not write something telling with multiple volumes mounted. Also it's easy to make sure that my swap partition/file is encrypted.

This is what I'm talking about : LVM on LUKS. You just leave the boot partition unencrypted. I think there's a way to finagle GRUB into using an encrypted kernel image and initramfs too, but I never tried.

dougdrums fucked around with this message at 16:15 on Nov 28, 2015
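Both points in the post above, worked in Python as an added example (not code from the thread): Euclid's construction, which from any finite list of primes produces a number whose smallest prime factor is outside the list, and the RSA side of it, where a modulus built from the thread's 9533 and a large prime falls to trial division at once and the private exponent follows. The prime list and the toy key are the editor's choices.

```python
"""
Euclid's theorem and why a guessable prime in an RSA modulus is fatal.
The toy key below is constructed for the example; real keys use two
primes of ~1024 bits or more.
"""
from math import isqrt, prod


def smallest_prime_factor(n: int) -> int:
    """Trial division; returns n itself when n is prime."""
    if n % 2 == 0:
        return 2
    d = 3
    while d <= isqrt(n):
        if n % d == 0:
            return d
        d += 2
    return n


def euclid_witness(primes):
    """Euclid: N = p1*...*pk + 1 leaves remainder 1 on division by every pi,
    so N's smallest prime factor is a prime not in the list."""
    n = prod(primes) + 1
    p = smallest_prime_factor(n)
    assert all(n % q == 1 for q in primes) and p not in primes
    return n, p


def small_factor(n: int, bound: int):
    """Return a prime factor of n below `bound`, or None. This is all an attacker
    needs against a modulus built with a guessable small prime."""
    if n % 2 == 0:
        return 2
    for d in range(3, bound, 2):
        if n % d == 0:
            return d
    return None


def recover_private_key(n: int, e: int, bound: int = 1_000_000):
    """Factor n via its small prime, then derive d exactly as the key owner did."""
    p = small_factor(n, bound)
    if p is None:
        return None
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


# Toy key (constructed): the thread's "largest prime" 9533 times the Mersenne
# prime 2**61 - 1, with the usual public exponent.
P_SMALL = 9533
Q_BIG = 2**61 - 1
N = P_SMALL * Q_BIG
E = 65537

if __name__ == "__main__":
    print(euclid_witness([2, 3, 5, 7, 11, 13]))        # (30031, 59)
    d = recover_private_key(N, E)
    m = 42
    print(pow(pow(m, E, N), d, N) == m)                 # True: we now hold the private key
```

The Euclid step is the whole proof: 30031 is not divisible by 2, 3, 5, 7, 11 or 13, so whatever divides it is a new prime (59, and 30031 = 59 x 509). The RSA step is why key generation draws primes uniformly from a huge range rather than anything an attacker could enumerate.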

RISCy Business
Jun 17, 2015

http://malwarefor.me/2015-12-01-angler-ek-sending-cryptowall/

angler ek + cryptowall info with pcaps and samples

pr0zac
Jan 18, 2004

~*lukecagefan69*~


Pillbug

Inspector_666 posted:

It seems like when people get to brute force passwords these days it's because they were able to get the hashes via a compromised account and download the table, rather than somebody hammering a webserver or something.

It's still annoyingly common unfortunately. Apple iCloud celebrity nudes thing was because they didn't have rate limiting on the webserver for instance.
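An added example of the control that post says was missing, not code from the thread or from Apple: a sliding-window throttle on failed logins, keyed by account and by source address, exercised by two constructed attacker runs (one account, many passwords; one password, many accounts). The limits and the window length are assumptions.

```python
"""
Server-side cap on failed logins per account and per source address.
Sliding window of failure timestamps, no permanent lockout (a permanent
lockout hands an attacker a denial of service against any account).
Constructed example; the numbers are assumptions, not any vendor's settings.
"""
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, per_account=5, per_ip=50, window=900.0):
        self.per_account = per_account      # failed tries per account per window
        self.per_ip = per_ip                # failed tries per source IP per window
        self.window = window                # seconds
        self._acct = defaultdict(deque)
        self._ip = defaultdict(deque)

    def _prune(self, dq, now):
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def allowed(self, account, ip, now):
        """Return (ok, reason). Call this before checking the password."""
        self._prune(self._acct[account], now)
        self._prune(self._ip[ip], now)
        if len(self._acct[account]) >= self.per_account:
            return False, "account"
        if len(self._ip[ip]) >= self.per_ip:
            return False, "ip"
        return True, "ok"

    def record_failure(self, account, ip, now):
        """Count only failures; successes must not be able to lock an account."""
        self._acct[account].append(now)
        self._ip[ip].append(now)


def simulate_guessing(throttle, account="alice", ip="198.51.100.7", guesses=8):
    """Vertical brute force: many passwords, one account. Returns the per-try outcome."""
    outcomes = []
    for i in range(guesses):
        ok, why = throttle.allowed(account, ip, now=float(i))
        outcomes.append(why)
        if ok:
            throttle.record_failure(account, ip, now=float(i))   # every guess is wrong
    return outcomes


def simulate_spray(throttle, ip="203.0.113.9", accounts=60):
    """Horizontal spray: one password, many accounts. Returns the index of the first blocked try."""
    for i in range(accounts):
        ok, _ = throttle.allowed(f"user{i}", ip, now=float(i))
        if not ok:
            return i
        throttle.record_failure(f"user{i}", ip, now=float(i))
    return None


if __name__ == "__main__":
    print(simulate_guessing(LoginThrottle()))   # ['ok'] x5 then 'account' x3
    print(simulate_spray(LoginThrottle()))      # 50
```

The per-IP cap alone is useless against a distributed attacker, which is why the per-account cap is there; keep the window short enough that a real user caught behind someone else's guessing is not out for long. None of this helps once the hash table has left the building, which is the other case in the quoted post.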

RISCy Business
Jun 17, 2015

facebook refuses to pay out bug bounty based on arbitrary, unwritten rules: http://exfiltrated.com/research-Instagram-RCE.php

Wiggly Wayne DDS
Sep 11, 2010



deep impact on vhs posted:

facebook refuses to pay out bug bounty based on arbitrary, unwritten rules: http://exfiltrated.com/research-Instagram-RCE.php
have you been near a bug bounty in your life? the man went well beyond scope and is lucky he isn't in jail

Lain Iwakura
Aug 5, 2004


deep impact on vhs posted:

facebook refuses to pay out bug bounty based on arbitrary, unwritten rules: http://exfiltrated.com/research-Instagram-RCE.php

Uh. Did you read the article? He did get paid.

KS
Jun 10, 2003
Outrageous Lumpwad
https://www.facebook.com/notes/alex-stamos/bug-bounty-ethics/10153799951452929

Response from Facebook CSO.

RISCy Business
Jun 17, 2015


Wiggly Wayne DDS posted:

have you been near a bug bounty in your life? the man went well beyond scope and is lucky he isn't in jail

considering he didn't touch any user data, only confirmed he was able to pivot to a bucket containing user data, i'd say he was fairly safely within scope

now, if he had downloaded, altered, accessed or otherwise gotten at user data instead of just the bucket it was hosted on, then i'd agree with you, but it's pretty clear that he didn't

also, the timeline didn't load for me initially so i was unaware that he got paid, but i'd still say that what he found is deserving of a fair bit more than what he got

Wiggly Wayne DDS
Sep 11, 2010



deep impact on vhs posted:

considering he didn't touch any user data, only confirmed he was able to pivot to a bucket containing user data, i'd say he was fairly safely within scope

now, if he had downloaded, altered, accessed or otherwise gotten at user data instead of just the bucket it was hosted on, then i'd agree with you, but it's pretty clear that he didn't

also, the timeline didn't load for me initially so i was unaware that he got paid, but i'd still say that what he found is deserving of a fair bit more than what he got
a bug bounty is a test of the perimeter, you are not allowed to go past that (or use materials you've gained from past compromises on third-party services i.e. AWS)

he kept a copy of undisclosed sensitive material for over a month after notifying them of the initial bug, then worked off of that to try and pull more payments

you'd be pushing the limits on a pentest by doing this, nevermind a bug bounty

RISCy Business
Jun 17, 2015

http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554

also it turns out juniper hosed up and their netscreen vpn can potentially be MITM'd, at least that's what i'm gleaning from what i've seen so far

Wiggly Wayne DDS
Sep 11, 2010



deep impact on vhs posted:

http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554

also it turns out juniper hosed up and their netscreen vpn can potentially be MITM'd, at least that's what i'm gleaning from what i've seen so far
intentionally planted source code causing a security compromise for admin access and vpn decryption. you can also glean that their largest customer is SWIFT, and the attackers are very likely to be outside the scope of possible defenses given the resources this must have taken. i wouldn't call it them loving up, if anything good on them for finding a backdoor and disclosing that to their customers rather than talking around the issue

Ham Sandwiches
Jul 7, 2000

OSI bean dip posted:

Here's a question for you: what is an APT and why do you use that term?

You can substitute the word "targeted attack" for APT when you see the term if you want to:

(A) get the gist of what the person is saying
(B) not make a giant production over the stupid "WHAT IS AN APT REALLY?" argument

Lain Iwakura
Aug 5, 2004


Rakthar posted:

You can substitute the word "targeted attack" for APT when you see the term if you want to:

(A) get the gist of what the person is saying
(B) not make a giant production over the stupid "WHAT IS AN APT REALLY?" argument

Yeah. No. You're not answering the question correctly. How did you come to this conclusion that those two answers are acceptable?

Ham Sandwiches
Jul 7, 2000

OSI bean dip posted:

Yeah. No. You're not answering the question correctly. How did you come to this conclusion that those two answers are acceptable?

I seem to be able to understand that guy's question, and you seem to be struggling. Is there a reason for this?

Wiggly Wayne DDS
Sep 11, 2010



Rakthar posted:

I seem to be able to understand that guy's question, and you seem to be struggling. Is there a reason for this?
You're not willing to try and understand a concept, so are taking shortcuts to avoid the tough questions?

Lain Iwakura
Aug 5, 2004


Rakthar posted:

I seem to be able to understand that guy's question, and you seem to be struggling. Is there a reason for this?

No. You do not understand the guy's question nor did you answer mine. Again, answer my question: how did you come to the conclusion that APT stands for what you have described to me? Do you know the origins of "APT" for that matter?

Ham Sandwiches
Jul 7, 2000

Wiggly Wayne DDS posted:

You're not willing to try and understand a concept, so are taking shortcuts to avoid the tough questions?

So by being able to parse a fairly simple question, I am taking shortcuts to avoid asking tough questions? Uhh, what?

Like, if a guy comes into the infosec thread and asks a simple question about dns malware, such as whether using DNS callbacks for C2 communications is prevalent among commodity malware these days or whether it's generally the hallmark of targeted attacks, seems straightforward. Or can you guys not parse that simple of a question?

[edit]Really, my credentials on APT for a freaking acronym holy hell.

Ham Sandwiches
Jul 7, 2000

OSI bean dip posted:

No. You do not understand the guy's question nor did you answer mine. Again, answer my question: how did you come to the conclusion that APT stands for what you have described to me? Do you know the origins of "APT" for that matter?

Hello, using my expert knowledge, I have reconstructed this guy's impossible to parse query as:

"Is malware using DNS callbacks for C2 communication generally limited to malware that would be used in targeted attacks, or would also be found in commodity malware such as crimeware, ransomware, etc"

Wiggly Wayne DDS
Sep 11, 2010



Rakthar posted:

So by being able to parse a fairly simple question, I am taking shortcuts to avoid asking tough questions? Uhh, what?
This is called a shortcut:

Rakthar posted:

You can substitute the word "targeted attack" for APT when you see the term if you want to:

(A) get the gist of what the person is saying
(B) not make a giant production over the stupid "WHAT IS AN APT REALLY?" argument
You're substituting a phrase for an entirely different one, while avoiding talking about what the original phrase means, or explaining why your substitution was appropriate and accurate.

Rakthar posted:

Like, if a guy comes into the infosec thread and asks a simple question about dns malware, such as whether using DNS callbacks for C2 communications is prevalent among commodity malware these days or whether it's generally the hallmark of targeted attacks, seems straightforward. Or can you guys not parse that simple of a question?

[edit]Really, my credentials on APT for a freaking acronym holy hell.
You opted into answering the question, don't be surprised if you get replies back. No one asked you for credentials, and you are entirely missing the point of the original question.

Ham Sandwiches
Jul 7, 2000

Wiggly Wayne DDS posted:

This is called a shortcut:

You're substituting a phrase for an entirely different one, while avoiding talking about what the original phrase means, or explaining why your substitution was appropriate and accurate.

Are you familiar with the term 'paraphrase'

quote:

You opted into answering the question, don't be surprised if you get replies back. No one asked you for credentials, and you are entirely missing the point of the original question.

I don't know what the gently caress you're saying to me in this exchange, and I have a feeling you don't either. A guy asked a pretty simple question and got told to gently caress off by someone who was too dumb to understand what he was asking. I pointed out that the question was simple and straightforward, then paraphrased the question when pressed. That's about it. Hopefully we are now on the same page and can return to the exciting topic of infosec and malware discussion.

Would either of you august gentlemen care to weigh on whether you think DNS based C2 communications are typically used in more targeted attacks as opposed to say malware that uses HTTPS based callbacks? What about malware that uses google blogs and fake webpages for C2? Or are we still ignoring that guy's question as if it can't possibly be answered?

Lain Iwakura
Aug 5, 2004


Rakthar posted:

Would either of you august gentlemen care to weigh on whether you think DNS based C2 communications are typically used in more targeted attacks as opposed to say malware that uses HTTPS based callbacks? What about malware that uses google blogs and fake webpages for C2? Or are we still ignoring that guy's question as if it can't possibly be answered?

Okay. First of all, stop talking as if you're getting hurt by my asking questions about your inability to understand that "APT" doesn't mean "targeted attack". If you had any clue about what you were talking about, you'd understand that "APT" was a term created by Mandiant to describe a group that was a "state actor", not a "targeted attack" or some other nonsense that you picked up from some marketing brochure at a lovely vendor event. I am not trying to malign your ego here by making you state your credentials as if you had any reading comprehension skills, you'd have noticed I did not once ask that. All I asked is if you understood what "APT" means and just like a lot of people out there, you do not.

Only one vendor is allowed to use "APT" and that is Mandiant/FireEye, as they use it to describe what they suspect as state actor groups. The term is misused just as much as "0-day". So unless you are describing a state actor, an "APT" is not a loving targeted attack.

Now to answer your question: what the gently caress are you trying to get at? Targeted attacks will use any means to get out with whatever level of obfuscation. Any malware author engaging in a targeted attack will have scoped out your network enough to determine whether or not they need to communicate over DNS, HTTP, or the hell of it, UUCP. If I am going to target your organization, I sure as gently caress am going to use whatever means to get out.

This seems like an un-researched question really because if you had any clue about "targeted attacks", you'd not be asking how they'd engage in them.

Wiggly Wayne DDS
Sep 11, 2010



Rakthar posted:

Are you familiar with the term 'paraphrase'


I don't know what the gently caress you're saying to me in this exchange, and I have a feeling you don't either. A guy asked a pretty simple question and got told to gently caress off by someone who was too dumb to understand what he was asking. I pointed out that the question was simple and straightforward, then paraphrased the question when pressed. That's about it. Hopefully we are now on the same page and can return to the exciting topic of infosec and malware discussion.

Would either of you august gentlemen care to weigh on whether you think DNS based C2 communications are typically used in more targeted attacks as opposed to say malware that uses HTTPS based callbacks? What about malware that uses google blogs and fake webpages for C2? Or are we still ignoring that guy's question as if it can't possibly be answered?
Their question was already answered:

wyoak posted:

It's a bad acronym, but I mean high level attacks that are aimed specifically at a certain target.

Actually just ignore that part completely, how common is communication over DNS these days?

cheese-cube posted:

Not very, assuming you're referring to "tunnelling" via udp/53 for the purpose of exfil/C&C. It's extremely easy to spot and there are far better methods available.

Ham Sandwiches
Jul 7, 2000

OSI bean dip posted:

Okay. First of all, stop talking as if you're getting hurt by my asking questions about your inability to understand that "APT" doesn't mean "targeted attack". If you had any clue about what you were talking about, you'd understand that "APT" was a term created by Mandiant to describe a group that was a "state actor", not a "targeted attack" or some other nonsense that you picked up from some marketing brochure at a lovely vendor event. I am not trying to malign your ego here by making you state your credentials as if you had any reading comprehension skills, you'd have noticed I did not once ask that. All I asked is if you understood what "APT" means and just like a lot of people out there, you do not.

Only one vendor is allowed to use "APT" and that is Mandiant/FireEye, as they use it to describe what they suspect as state actor groups. The term is misused just as much as "0-day". So unless you are describing a state actor, an "APT" is not a loving targeted attack.

Now to answer your question: what the gently caress are you trying to get at? Targeted attacks will use any means to get out with whatever level of obfuscation. Any malware author engaging in a targeted attack will have scoped out your network enough to determine whether or not they need to communicate over DNS, HTTP, or the hell of it, UUCP. If I am going to target your organization, I sure as gently caress am going to use whatever means to get out.

This seems like an un-researched question really because if you had any clue about "targeted attacks", you'd not be asking how they'd engage in them.
So doesn't that seem like a really useless definition of APT? "The proper, empirical definition of APT is that this one company made up a specific term for state actors but you can only use it in their original, intended way." It was coined in a specific way, but it gets used generally.

When people use the term APT colloquially, they mean "An attack where a guy or organization is targeting me." Does that mean a guy in a Chinese military center doing dumps of your dc / exchange server or does it mean a Russian crimeware guy trying to put POS malware on some system, it doesn't matter. It means that a guy is spending effort and assigning an operator to accomplish a task.

And yes, in general, I do feel there is a correlation between the evasion techniques being used and whether an attack is targeted or not. "Good enough" is the motto for obfuscation and, in general, obfuscation techniques are not used where they will add unnecessary complexity or where they threaten to burn a technique through common usage that is not worth coming up with countermeasures for.

You should not expect to see any DNS based C2 communication with things like cryptolocker. If you are seeing DNS based C2 communication, you probably aren't dealing with cryptolocker.

This answer:

quote:

cheese-cube posted:

Not very, assuming you're referring to "tunnelling" via udp/53 for the purpose of exfil/C&C. It's extremely easy to spot and there are far better methods available.

So I think this answer is worth clarifying. Using UDP 53 for large data transfers is basically unheard of, yes. However, using DNS queries to both send and receive commands to compromised hosts is quite common and effective, simply because there are so many DNS queries to hide in and most DNS servers do not (did not) log queries due to performance and disk issues.

Here's a writeup on DNS based C2:
https://zeltser.com/c2-dns-tunneling/
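
Added example, not part of the thread or of the Zeltser writeup: a small detector for the pattern the post describes, assuming you do have DNS query logging turned on (the point made above is that many resolvers did not). It profiles each registered domain by how many distinct subdomains are queried under it and how random-looking those subdomain labels are, which is the shape command-carrying DNS queries tend to leave, and it also reports the share of TXT/NULL lookups as a secondary signal. The log format, the sample lines and the domain names are constructed for the example; extracting the registered domain as "the last two labels" is a simplification (a real deployment would use the Public Suffix List).

```python
"""Heuristic spotter for DNS-based C2 in resolver query logs (added example)."""
import math
from collections import defaultdict

# Constructed sample query log, one query per line: "<client> <qtype> <qname>".
# Domains and client addresses are placeholders made up for this example.
SAMPLE_LOG = [
    "10.0.0.5 A www.example.com",
    "10.0.0.5 A mail.example.com",
    "10.0.0.7 TXT 9f3a1c77e2b04d.cmd.evil-example.net",
    "10.0.0.7 TXT a81bd0e5f94c22.cmd.evil-example.net",
    "10.0.0.7 TXT 5c0e7b19d3af61.cmd.evil-example.net",
    "10.0.0.7 TXT 3d92fa6c0b17e8.cmd.evil-example.net",
    "10.0.0.5 A cdn.example.com",
    "10.0.0.9 AAAA static.example.org",
    "10.0.0.9 A example.org",
    "garbage line",
]

# Record types whose answers carry free-form payloads; a high share of them
# under one domain is a supporting signal, not proof on its own.
PAYLOAD_TYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain_labels, registered_domain).

    Simplification (assumption of this example): the registered domain is
    taken to be the last two labels, so "a.b.example.com." -> (["a", "b"], "example.com").
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return [], labels[0]
    return labels[:-2], ".".join(labels[-2:])


def parse_line(line: str):
    """Parse one constructed log line; returns (client, qtype, qname) or None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    return parts[0], parts[1].upper(), parts[2]


def profile_domains(lines):
    """Aggregate per registered domain: distinct subdomains, label entropies, payload-type share."""
    stats = defaultdict(lambda: {"subdomains": set(), "entropies": [], "payload_queries": 0, "queries": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crash on a noisy log
        _client, qtype, qname = parsed
        sub_labels, registered = split_qname(qname)
        st = stats[registered]
        st["queries"] += 1
        if qtype in PAYLOAD_TYPES:
            st["payload_queries"] += 1
        if not sub_labels:
            continue  # bare apex lookup: no subdomain label to score
        st["subdomains"].add(".".join(sub_labels))
        # Entropy of the subdomain characters only; the registered domain is
        # constant and would dilute the measurement.
        st["entropies"].append(shannon_entropy("".join(sub_labels)))
    return stats


def flag_suspicious(lines, min_unique=4, min_entropy=3.0):
    """Domains with many distinct, high-entropy subdomains, sorted for stable output.

    Thresholds are starting points for tuning against your own baseline; CDNs and
    some cloud services legitimately produce many random-looking labels.
    """
    flagged = []
    for registered, st in profile_domains(lines).items():
        if len(st["subdomains"]) < min_unique or not st["entropies"]:
            continue
        mean_entropy = sum(st["entropies"]) / len(st["entropies"])
        if mean_entropy >= min_entropy:
            flagged.append(registered)
    return sorted(flagged)


if __name__ == "__main__":
    for registered, st in sorted(profile_domains(SAMPLE_LOG).items()):
        mean = sum(st["entropies"]) / len(st["entropies"]) if st["entropies"] else 0.0
        share = st["payload_queries"] / st["queries"]
        print(f"{registered:20} subdomains={len(st['subdomains']):2} "
              f"mean_entropy={mean:.2f} payload_share={share:.2f}")
    print("flagged:", flag_suspicious(SAMPLE_LOG))
```

Run against the constructed log, only evil-example.net is flagged: four distinct hex-looking labels with a mean entropy near 3.8 bits per character, all carried in TXT queries, while the example.com names are few and low-entropy. The same heuristic is exactly what legitimate anti-tracking or CDN traffic can trip, so in practice the threshold is set from a baseline of your own resolver's logs.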

Wiggly Wayne DDS
Sep 11, 2010



Rakthar posted:

So doesn't that seem like a really useless definition of APT? "The proper, empirical definition of APT is that this one company made up a specific term for state actors but you can only use it in their original, intended way." It was coined in a specific way, but it gets used generally.

When people use the term APT colloquially, they mean "an attack where a guy or organization is targeting me." Whether that means a guy in a Chinese military center doing dumps of your DC / Exchange server or a Russian crimeware guy trying to put POS malware on some system, it doesn't matter. It means that a guy is spending effort and assigning an operator to accomplish a task.

And yes, in general, I do feel there is a correlation between the evasion techniques being used and whether an attack is targeted or not. "Good enough" is the motto for obfuscation and, in general, obfuscation techniques are not used where they will add unnecessary complexity or where they threaten to burn a technique through common usage that is not worth coming up with countermeasures for.

You should not expect to see any DNS based C2 communication with things like cryptolocker. If you are seeing DNS based C2 communication, you probably aren't dealing with cryptolocker.

This answer:


So I think this answer is worth clarifying. Using UDP 53 for large data transfers is basically unheard of, yes. However, using DNS queries to both send and receive commands to compromised hosts is quite common and effective, simply because there are so many DNS queries to hide in and most DNS servers do not (did not) log queries due to performance and disk issues.

Here's a writeup on DNS based C2:
https://zeltser.com/c2-dns-tunneling/
If you're going to clarify something, have the decency to tell someone you have no experience or knowledge on the subject. Your post is a mix of the obvious, the misguided, and the ignorant, and attempting to give a point-by-point breakdown is a waste of everyone's time. As a starter though, the evasion technique part goes without saying, then you suddenly limited the class of malware using DNS tunneling to ransomware, and finish it off by clarifying how a port being used for large data transfers is "unheard of", then immediately contradict yourself.

Wiggly Wayne DDS fucked around with this message at 03:21 on Dec 18, 2015

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Rakthar posted:

So doesn't that seem like a really useless definition of APT? "The proper, empirical definition of APT is that this one company made up a specific term for state actors but you can only use it in their original, intended way." It was coined in a specific way, but it gets used generally.

When people use the term APT colloquially, they mean "an attack where a guy or organization is targeting me." Whether that means a guy in a Chinese military center doing dumps of your DC / Exchange server or a Russian crimeware guy trying to put POS malware on some system, it doesn't matter. It means that a guy is spending effort and assigning an operator to accomplish a task.

No. I am giving you the definition based on the organization that actually created the term "APT" (which, if you are unsure, and so far I believe you are, stands for "Advanced Persistent Threat"). You're giving the definition of APT based on how you've been marketed to. I am not sure why you're trying to refute this unless you're in marketing for an anti-virus firm or some company that claims to be "next-generation" [insert poo poo box here].

When people (like you and many others) throw the term "APT" around, they mean that "they have no clue what they're talking about but have bought into the hot new buzzword to try and push their poo poo products". When someone says that they offer "APT protection", they're just offering protection from threats. No specific product is going to protect you from a targeted attack because, as the statement reads, it's a targeted attack, meaning that you've been scoped out, researched, and they've crafted their attack specifically at you and nobody else. This is the sort of thing that a vendor will have a hard time defending against, because whatever protections you have in place could become meaningless when the aggressor has taken that poo poo into account.

Throwing around "APT" generally means you have no clue and probably shouldn't be talking as some sort of expert in here. Unless you work for FireEye/Mandiant, you have no loving business using that term.

quote:

And yes, in general, I do feel there is a correlation between the evasion techniques being used and whether an attack is targeted or not. "Good enough" is the motto for obfuscation and, in general, obfuscation techniques are not used where they will add unnecessary complexity or where they threaten to burn a technique through common usage that is not worth coming up with countermeasures for.

You have no clue how a targeted attack works.

quote:

You should not expect to see any DNS based C2 communication with things like cryptolocker. If you are seeing DNS based C2 communication, you probably aren't dealing with cryptolocker.

Why are we talking about this in relation to CryptoLocker? By the way, why are you bringing up malware from 2013 in relation to a targeted attack? Or are you going on unrelated tangents in some feeble attempt to demonstrate knowledge in something?

quote:

So I think this answer is worth clarifying. Using UDP 53 for large data transfers is basically unheard of, yes. However, using DNS queries to both send and receive commands to compromised hosts is quite common and effective, simply because there's so many DNS queries to hide in and most DNS servers do not (did not) log queries due to performance and disk issues.

OK. Great. Why are you going on about this in relation to targeted attacks?


Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?

OSI bean dip posted:

Unless you work for FireEye/Mandiant, you have no loving business using that term.
If no-one ITT works for them, can we stop talking about it?
