[AusNOG] The Ransomware to come

Mark Smith markzzzsmith at gmail.com
Wed May 17 22:13:41 EST 2017


You keep avoiding the specific question of how all your ideas are going to
prevent attacks such as wannacry.

According to this, the wannacry attack vector is a 32 bit integer being
subtracted from a 16 bit integer, which is simple enough to do
unintentionally with C.

https://www.google.com.au/amp/s/www.theregister.co.uk/AMP/2017/05/16/microsoft_stockpiling_flaws_too/

How is your "missing" security plane going to audit host OS and application
code for these coding errors?

As a side note, what you're describing sounds like IP security options
(RFC1108) and a multi-level secure OS, which are both old and tested ideas.

Regards,
Mark.
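An added illustration, not part of Mark's message or anything else in this thread, of the bug class Mark refers to: a length computed in a 32-bit integer that lands in a 16-bit field. The names, the record layout and the sample lengths are all constructed for the example. The unchecked version shows two ways C discards information silently (unsigned wrap on the subtraction and truncation on the narrowing store); the checked version refuses both cases, and the last function shows how far a copy driven by the wide value would run past a buffer sized from the narrow field.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed example: a record header carrying lengths in 16-bit fields,
 * as many wire formats do. Not from any real protocol. */
struct record_header {
    uint16_t total_len;
    uint16_t payload_len;
};

/* Unchecked: arithmetic in 32 bits, stored into 16 bits.
 * - if header_len > total_len the unsigned subtraction wraps around;
 * - the store into a uint16_t keeps only the low 16 bits.
 * Neither produces an error at run time, and the narrowing store is not
 * diagnosed by default (gcc/clang need -Wconversion to warn about it). */
uint16_t unchecked_payload_len(uint32_t total_len, uint32_t header_len)
{
    uint32_t payload = total_len - header_len; /* 10 - 20 wraps to 0xFFFFFFF6 */
    uint16_t field = payload;                  /* 0x10005 truncates to 0x0005 */
    return field;
}

/* Checked: reject the wrap and the overflow of the 16-bit field explicitly,
 * and make the one remaining conversion an intentional cast. */
bool checked_payload_len(uint32_t total_len, uint32_t header_len, uint16_t *out)
{
    if (header_len > total_len)
        return false;                 /* subtraction would wrap */
    uint32_t payload = total_len - header_len;
    if (payload > UINT16_MAX)
        return false;                 /* does not fit the 16-bit field */
    *out = (uint16_t)payload;
    return true;
}

/* Model the consequence: a consumer allocates from the narrow field but copies
 * the wide value. Returns how many bytes would land outside the allocation
 * (0 means the two agree and the copy is in bounds). */
uint32_t overflow_bytes(uint32_t total_len, uint32_t header_len)
{
    uint16_t allocated = unchecked_payload_len(total_len, header_len);
    uint32_t copied = total_len - header_len;
    return copied > allocated ? copied - allocated : 0;
}

int main(void)
{
    uint16_t len;
    printf("unchecked(0x10005, 0)  = %u\n", unchecked_payload_len(0x10005u, 0u));
    printf("unchecked(10, 20)      = %u\n", unchecked_payload_len(10u, 20u));
    printf("checked(0x10005, 0)    = %s\n", checked_payload_len(0x10005u, 0u, &len) ? "ok" : "rejected");
    printf("checked(100, 20)       = %s, len=%u\n", checked_payload_len(100u, 20u, &len) ? "ok" : "rejected", len);
    printf("overflow_bytes(0x10005, 0) = %u\n", overflow_bytes(0x10005u, 0u));
    return 0;
}
```

Compiling the unchecked function with `-Wconversion` (gcc or clang) is the cheapest audit for this class of error: it flags the implicit `uint32_t` to `uint16_t` store, whereas the explicit cast in the checked version is accepted because the range check precedes it.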

On 17 May 2017 9:45 pm, "Paul Wilkins" <paulwilkins369 at gmail.com> wrote:

> Mark,
> That's a good question and I'm glad you asked.
>
> Once you have a security plane for your data, you can assign profiles
> according to the data's provenance. Integrate this with your OS security
> plane, including as an input to your virus scanner, with a view ultimately
> to preventing control plane actions (like encrypting all your data) that
> emanate from untrusted or untrustworthy sources from ever being allowed
> write access outside of the mail spool.
>
> The basic problem being, the OS treats a control plane action on a socket
> the same, regardless of whether you're logged in from iLo, or coming remote from
> Ukraine. Firewalls are essentially creating an artificial security plane,
> but it's a bandaid, and requires you architect your network to channel all
> your traffic through a chokepoint. If a socket's security profile was part
> of the API, the profile would follow control actions up the stack, and
> you'd get end to end security.
>
> Kind regards
>
> Paul Wilkins
>
> On 17 May 2017 at 11:12, Mark Newton <newton at atdot.dotat.org> wrote:
>
>> On May 14, 2017, at 3:34 PM, Paul Wilkins <paulwilkins369 at gmail.com>
>> wrote:
>> > My feeling is we could see Cisco invent a means of allocating SGT tags
>> by BGP community extended to 64 bits, and some integration of 802.1x to
>> deliver Trustsec to the desktop. The problem being, this implies separate
>> routing tables for different security profiles, being necessarily the case,
>> which is not something IPv6 could be made to support.
>>
>> How, precisely, would that make any difference to the ransomware attack
>> that sparked your creation of this thread?
>>
>>   - mark
>>
>>
>>
>>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>