1. 2

    …so an “eclipse attack” is essentially a distributed MITM attack, I take it?

    1. 1

      It can be that, but more generally it is any situation in which a victim node in a network is prevented (eclipsed) from seeing information from the rest of the network.

    1. 7

      Next question: How many responses are clients actually willing to look at?

      Coincidentally, the limit on OpenBSD until very recently was 16. More than that, and the resolver would return “none” instead. That was a regression, since the previous limit had been 35 for a long time, and so it was restored. And the failure mode was changed from returning an error to truncating. But if you were hoping to assign 42 aliases to a host and have a single query round robin between all of them, you’re still out of luck.

      1. 4

        My tests using nslookup on ubuntu gave me all 4095 IP addresses. I also tested an application that used standard DNS libraries and found it got all 4095 queries, but it caused the app to hang for half a minute as it wasn’t prepared to handle so many responses. I bet someone, somewhere, hardcoded a buffer size to the max IPs returned in 512 byte UDP packet. =)

        BIND interestingly would rotate the IP addresses sent if you assigned more than max addresses to a domainname. The first query would be 1..4095 addresses, the next query would be 3..4098 and so on (I didn’t write down the exact numbers in my notes so actual values may vary slightly). Give bind a zone file with 16,000 IP addresses mapped to the same domainname and see what happens.

        1. 6

          Made me try it.

          First attempt with nslookup worked, but returned truncated results because my local unbound cache doesn’t permit TCP connections. That was by accident, but I doubt I’m alone, so it’s probably not a good idea to publish records that don’t fit in UDP packets for anything serious.

          Changing resolvers to the BIND server, nslookup returned everything. traceroute printed a warning about many addresses, but ping didn’t like it at all.

          ping: unknown host: many

          That’s the error I alluded to earlier. Now I have to go see why traceroute and ping are different. I would have assumed they’d be about the same.

          1. 4

            ping: unknown host: many

            This is both hilariously evocative and totally useless if you don’t already know what’s going on. =)

            1. 4

              I think I’ve found my new favorite way to prevent people from pinging my hosts!

      1. 3

        Also, and particularly damning, we’ve gotten to the point where SSDs are just soldered onto boards in our laptops, which means we simply can’t replace them with known firmware virus free versions…

        1. 1

          Firmware storage should be removable, replaceable, auditable. Changes to hardware firmware should require physical user interaction (push this button) and should be permanently logged and viewable (a small eink display showing the number of all firmware updates, dates and hashes of the update).

          1. 2

            Yes, that should be the case (it’s not), but any and all of that could still be a ruse. And, how do you train people to understand that, and understand that any tampering (e.g. an extraneous wire, extraneous chip) means something’s up?

            Keep in mind that there’s a good portion of the population who doesn’t give a shit about the NSA spying, and that an even greater percentage of the population doesn’t equate the day to day privacy invasion of using the WWW without a condom (adblock, HTTPS everywhere, NoScript, etc) is an even bigger problem than the NSA.

            Why is it a bigger problem? What if the NSA just orders the collection of all of your data instead of tapping fiber optic lines? Do you even know which of the data collection companies has all of your data? Would the news of such an event say to you, “Oh shit! My data is now in the hands of the NSA!” No. Those data agencies are even more secretive and fishy than the NSA is! (OK, I’m exaggerating a little bit of course)

        1. 4

          The scariest one on this list is the postal one, and I’m not sure how it could be stopped. You could go to a store and buy a machine, but who is to say that it is not already backdoored?

          We need free firmware, and the ability to make anonymous purchases. But even then, we’re not necessarily safe…

          1. 3

            But even then, we’re not necessarily safe…

            Yeah, the whole thing devolves into “trusting trust” pretty fast. Hard disk controllers have multiple ARM cores now, cellphones have dedicated OSes to run the radios - the attack surface just keeps getting bigger and bigger. The foundations are getting so complex it’s impossible to audit what’s below.

            Heck, who’s to say that seemingly unused Cortex-M3 isn’t waiting for the NSA’s magic word today…

            1. 1

              The foundations are getting so complex it’s impossible to audit what’s below

              It is going to be really hard, but this is why we need to start securing, monitoring and auditing the network inside systems as well as the networks between systems. Passive sensors could detect and alarm on firmware changes. Run IDS and ACLs on the PCI bus. Set up honeypot systems and look for unusual interdevice chatter or RF signals. I vouch for none of these approaches but I’d love to test them; the security world is going to be a crazy ride for the next 20 years.

            2. 1

              And it is not limited to nation state actors. A hacker with hardware skills wants to break into a banking network; all she needs to do is get a job as a FedEx driver and she could put firmware or hardware backdoors in the servers/switches/routers she delivers. I’ve had pallets of servers delivered in which a loader put a forklift through the pallet and some 1U23s.

              1. 2

                … you hope :|

            1. 6

              How many of the global “threat intelligence” companies are highlighting TTPs actually in use by apex predators (instead of merely spotting low hanging fruit)?

              I’ve been thinking about this a lot lately; so many of the NSA attacks used mechanisms that were not within typical threat models. For instance IRATEMONK^0, which compromises the firmware on your hard drive to replace the MBR on bootup to ensure their implant persists. One wonders: if these sorts of attacks were not caught when the NSA did them, have other actors used these methods as well and we are just unaware?

              Is there a feedback loop at work here whereby basic attackers use simple tactics, those tactics get the attack discovered, the discovery gets attention which becomes written in articles which future simple attackers read? An amplifying street light effect?

              If someone had a 0-day for cheap home routers^1 and used it to perform passive interception against businesses of interest, would this ever be discovered? Or an RF side channel^2 which allows someone to make money off the stock market?

              How do you get VC to fix security problems that you have no evidence anyone is exploiting? Anti-virus software isn’t going to sell prior to the first computer virus.

              1. 7

                Attackers use basic attacks because they often have a success ratio that justifies their use. If you send a binary to 100 people at a random company, and ask them to run it up-front, you can probably expect somebody to do so. No electronic vulnerability involved.

                I’m not sure people care about the quality of their tech until it gets in the way of them doing something. To be honest, that’s how I treat a pretty large proportion of the things I use. The things I do will cause me to run into more problems with technology than a non-tech worker would, but the same mechanism is at play. In terms of infrastructure quality, manufacturers often only make more secure things when they are being broken so frequently that they face a threat to their business unless they fix it. This was starting to seem like the case for Windows, and Microsoft stepped up their security game a bit in response.

                It’s interesting that so many of these attacks target layers that are much more expensive to fix. A lot of them exploit problems with protocols and basic characteristics of electronics rather than a software memory corruption. There’s not an easy answer for a lot of these. I go on rants all the time about how I hope Rust will make the world safer by preventing vulnerabilities that stem from software-triggered memory corruption, but we still have to trust hardware and standard protocols, and that trust is being actively exploited.

                I’m curious how many people are using honeypots that they use to lure the NSA into attacking to harvest some free (minus a bit of reverse engineering) exploits and tools. I wonder if we’ll see groups doing this and then just going crazy with them on the open internet at some point. It would really be destructive, but it may also lead to manufacturers producing slightly safer things afterward.

                1. 2

                  Attackers use basic attacks because they often have a success ratio that justifies their use.

                  There are two qualities at work here, visibility of an attack and cost to execute. Attacks which are highly visible and easy to execute are likely to be well known and enter the standard malware tool box, becoming mainstream. What about attacks which are invisible and easy to execute? If an attacker discovers such a method it is unlikely to become common knowledge for some time. Tools will not be built to catch it because “no one exploits it”. Even if it started to spread among attackers, if it is hard to measure, it might not become something that CSOs worry about. Known Knowns and Known Unknowns drive markets.

                  Rust will make the world safer by preventing vulnerabilities that stem from software-triggered memory corruption, but we still have to trust hardware and standard protocols, and that trust is being actively exploited.

                  One result from the Snowden revelations that I expect to see is security companies selling fixes for these vulnerabilities. I’m waiting for PCI-bus firewalls and IDSes.

                  I’m curious how many people are using honeypots that they use to lure the NSA into attacking to harvest some free (minus a bit of reverse engineering) exploits and tools. I wonder if we’ll see groups doing this and then just going crazy with them on the open internet at some point.

                  0-days and novel tools are so dangerous. Captured tools provide cover, which enables nations to strike back with reduced fear of attribution. Consider if Iran had discovered Stuxnet, changed the payload slightly so it just caused all ICS’ to malfunction and released it into the oil refining systems of Saudi Arabia. The physical damage would be slight but the diplomatic effects would be far greater.

                  If Saudi Arabia blamed Iran without evidence, Iran could rightly point out that the code is covered in US/Israeli intelligence fingerprints. If Iran got caught they could accurately claim that the US struck first. The US would figure out what happened, but would they be willing to go public and expose themselves to claims of responsibility? It certainly would make the decision to use Stuxnet look irresponsible, the US foolish, and Iran powerful; who in the US government wants to own that? From Iran’s perspective this is all win, since the US would be far less likely to target them in the future (the “once burned, twice shy” theory of international relations might not be true in all cases, but I could see the argument being made). Some people believe that the Saudi Aramco attack was in revenge for Stuxnet, so Iran has shown the political will to strike back^0.