Date: Sun, 1 Apr 2012 23:03:53 +0530
From: Memory Vandal <memvandal@...il.com>
To: "J. Oquendo" <sil@...iltrated.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: STEP Security

This in draft?! Man, I've been using this protocol for ages. I've been calling it
unplug-and-safe (UPnS) and it's standard operating procedure (SOP) in my
workplace. Must try for everyone; solves any security issue in a sec.

MemoryVandal



On Sun, Apr 1, 2012 at 8:36 PM, J. Oquendo <sil@...iltrated.net> wrote:

> Interweb Re-Engineering Task Force                           J. Oquendo
> Request for Comments 4012012              E-Fensive Security Strategies
> Category: Informational
> Expires: 2020
>
>
>                           STEP by STEP Security
>
>
> Status of this Memo
>
>   This Internet-Draft is submitted in full nonconformance with
>   provisions of BCP 78 and BCP 79. This document may not be modified,
>   and derivative works of it may not be created, except to publish it
>   as an RFC and to translate it into languages other than English.
>   Internet-Drafts are working documents of the Internet Engineering
>   Task Force (IETF), its areas, and its working groups.   Note that
>   other groups may also distribute working documents as Internet-
>   Drafts.
>
>   Internet-Drafts are draft documents valid for a maximum of six
>   months and may be updated, replaced, or obsoleted by other documents
>   at any time.   It is inappropriate to use Internet-Drafts as
>   reference material or to cite them other than as "work in progress."
>
>   The list of current Internet-Drafts can be accessed at
>   http://www.ietf.org/ietf/1id-abstracts.txt
>
>   The list of Internet-Draft Shadow Directories can be accessed at
>   http://www.ietf.org/shadow.html
>
>   This Internet-Draft will expire on April 01, 2020.
>
> Copyright Notice
>
>   Copyright (c) 2012 IETF Trust and the persons identified as the
>   document authors. All rights reserved.
>
>   This document is subject to BCP 78 and the IETF Trust's Legal
>   Provisions Relating to IETF Documents
>   (http://trustee.ietf.org/license-info) in effect on the date of
>   publication of this document. Please review these documents
>   carefully, as they describe your rights and restrictions with
>   respect to this document. Code Components extracted from this
>   document must include Simplified BSD License text as described in
>
>
>
>
> Oquendo                  Expires Apr 01, 2020                  [Page 1]
>
>
> Internet-Draft          Security Step by STEP               RFC 4012012
>
>
>   Section 4.e of the Trust Legal Provisions and are provided without
>   warranty as described in the Simplified BSD License.
>
> Abstract
>
>   This framework describes a practical methodology for ensuring
>   security in otherwise insecure environments. The goal is to provide
>   a rapid response mechanism to defend against the advanced persistent
>   threats in the wild.
>
> Table of Contents
>
>
>   1.  Introduction..................................................2
>   2.  Conventions used in this document.............................4
>   3.  Threats Explained.............................................4
>       3.1. Possible Actors..........................................4
>   4.  STEP Explained................................................5
>   5.  STEP in Action................................................6
>   6.  Security Considerations.......................................7
>   7.  IANA Considerations...........................................7
>   8.  Conclusions...................................................8
>       8.1. Informative References...................................8
>   9.  Acknowledgments...............................................8
>   Appendix A.  Copyright............................................9
>
>
> 1. Introduction
>   In the network and computing industry, malicious actions,
>   applications and actors have become more pervasive. Response times
>   to anomalous events are burdening today's infrastructures and often
>   strain resources. As networks under attack are often saturated with
>   malicious traffic and advanced persistent threat actors engage in
>   downloading terabytes of data, resources to combat these threats
>   have diminished.
>
>   Additionally, the threats are no longer just anonymized actors
>   engaging in juvenile behavior, there are many instances of State
>   Actors, disgruntled employees, contractors, third party vendors and
>   criminal organizations. Each with separate agendas, each
>   consistently targeting devices on the Internet.
>
>   The intent behind this document is to define a methodology for rapid
>   response to these threats. In this document, security will be
>   achieved using a new methodology and protocol henceforth named
>   Scissor To Ethernet Protocol (STEP).
>
>
>
>   Initially designed as a last approach for security, STEP ensures
>   that no attacker can disaffect any of the Confidentiality,
>   Integrity, Availability of data as a whole.
>
>
>
>   Many variables are involved in security, but the STEP methodology
>   focuses on the following:
>
>
>   o FUD (Fear Uncertainty and Doubt)
>   o SCAM (Security Compliance and Management)
>   o APT (Another Possible Threat)
>
>
>
>   This methodology proposes STEP that SHOULD be performed at the onset
>   of a cyber attack before more terabytes of data are exfiltrated from
>   a network.
>
>   1. Industry Standard IP connection
>
>
>          +-----------+           +-----------+           +-----------+
>          |           |   IP      |           |   INGRESS |           |
>          |   Rogue   |------->   | Internet |    ------> | Target    |
>          |     A     |           |           |           |     B     |
>          |           |           |           |   EGRESS |            |
>          +-----------+           +-----------+   <------ +-----------+
>
>          Figure 1 Example session between a rogue attacker and target
>
>   Figure 1 illustrates the connection via the Internet from a rogue
>   attacker, towards a target. Irrespective of the attack used, IP
>   will ALWAYS be used as the attack vector.
>
> 2. Conventions used in this document
>
>
>   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
>   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
>   document are to be interpreted as described in RFC-2119 [RFC2119].
>
>   In this document, these words will appear with that interpretation
>   only when in ALL CAPS. Lower case uses of these words are not to be
>   interpreted as carrying RFC-2119 significance.
>
>
> 3. Threats Explained
>
>   A security threat is a theoretical happening that may not occur but
>   should be considered as part of a proper security architecture and
>   design. For example, the threat always exists that your systems
>   will become the target of a denial of service attack. A threat may
>   or may not have a method to mitigate the possibility of attack.
>
>   Vendors across the security spectrum offer FUD based solutions often
>   promoting SCAM based systems to mitigate against APT. While some of
>   the available solutions may minimize the potential for catastrophic
>   transfers of terabytes of data, these solutions SHOULD NOT be used
>   as an all-inclusive solution for security. Engineers MUST NOT rely
>   on FUD, or SCAMs against the APT.
>
> 3.1. Possible Actors
>
>   Both malicious attacks and unintended (non-malicious) attacks can
>   occur from anywhere in the world including local attacks inside of
>   the infrastructure. In the barest threat explanation above, the
>   threat that someone can commit a typographical error, causing a
>   disruption in service, is as severe as a Distributed Denial of
>   Service attack from the public Internet. Actors can never be easily
>   identified unless one is watching the Academy Awards on television.
>
> 4. STEP Explained
>
>     o S - Scissors
>
>   Scissors as defined by Wikipedia are "hand-operated cutting
>   instruments. They consist of a pair of metal blades pivoted so that
>   the sharpened edges slide against each other when the handles (bows)
>   opposite to the pivot are closed. Scissors are used for cutting
>   various thin materials, such as paper, cardboard, metal foil, thin
>   plastic, cloth, rope, and wire. Scissors can also be used to cut
>   hair and food. Scissors and shears are functionally equivalent, but
>   larger implements tend to be called shears." Scissors are a critical
>   component for STEP security and MUST be readily available 99.99999%
>   with redundant scissors within arm's reach.
>
>
>                           |          |
>                           X          X
>                          / \        O O
>
>                        (Opened)   (Closed)
>
>
>     o T - To
>
>   To: [preposition] (Used for expressing direction or motion or
>   direction toward something) in the direction of; toward: from north
>   to south.
>
>     o E - Ethernet
>
>   Ethernet via Wikipedia is described as a family of computer
>   networking technologies for local area networks (LANs) commercially
>   introduced in 1980. Standardized in IEEE 802.3, Ethernet has
>   largely replaced competing wired LAN technologies. For clarity in
>   our protocol, Ethernet is defined as the cabling between a device
>   and a network component such as a router or a switch.
>
>
>
>     o P - Protocol
>
>   A communications protocol is a system of digital message formats and
>   rules for exchanging those messages in or between computing systems
>   and in telecommunications. A protocol may have a formal
>   description.
>
>   Protocols may include signaling, authentication and error detection
>   and correction capabilities.
>
>   A protocol definition defines the syntax, semantics, and
>   synchronization of communication; the specified behavior is
>   typically independent of how it is to be implemented. A protocol
>   can therefore be implemented as hardware or software or both.
>
>   In STEP, Protocol is a rule an engineer MUST follow in order to
>   complete STEP. S MUST be in a closed state.
>
>
>
>           Actor ----->       |       Target (secured from the threat)
>                              X
>                             O O
>
>                          (Closed)
>
>
> 5. STEP in Action
>   The following illustrates a remote APT attack against a webserver
>   located in the demilitarized zone of an infrastructure. In the
>   example, an APT attacker is launching a SQLI, XSS and CSRF against a
>   target over the Internet.
>
>   The attacks are common and according to statistics, are the same
>   attacks used to leverage access against major Fortune 500 companies
>   in the past decade.
>
>         +-------+            +-----+      +-----+         +--------+
>         |       |  SQLi      |     |      +     + INGRESS |        |
>         |  APT  | ------->   | ISP | ---> + ISP + ------> | Target |
>         |       | XSS/CSRF   |  A  |      +  B  +         |  www   |
>         |       |            |     |      +     +         |        |
>         +-------+            +-----+      +-----+         +--------+
>
>     o Figure 5.1 Attacker launching attacks
>         +-------+            +-----+      +-----+         +--------+
>         |       |  TCP       |     |      +     + Reverse |        |
>         |  APT  | <------    | ISP | <--- + ISP + <------ | Target |
>         |       |            |  A  |      +  B  +  Shell  |  www   |
>         |       |            |     |      +     +         |        |
>         +-------+            +-----+      +-----+         +--------+
>
>     o Figure 5.2 Attacker executing a reverse shell
>
>   In the illustration, an attacker is almost certainly attempting to
>   obtain a reverse shell. This enables an attacker to access a device
>   as if one were physically present at the device itself.
>   Using STEP we can mitigate and deny this attack from various points:
>
>
>          +-------+           +-----+      +-----+         +--------+
>          |       | SQLi      |     |      +     +    |    |        |
>          |  APT  | ------->  | ISP | ---> + ISP + -->|    | Target |
>          |       | XSS/CSRF  |  A  |      +  B  +    x    |  www   |
>          |       |           |     |      +     +   o o   |        |
>          +-------+           +-----+      +-----+         +--------+
>
>     o Figure 5.3 Ingress STEP
>
>          +-------+           +-----+       +-----+        +--------+
>          |       | Attack    |     |   |   +     +        |        |
>          |  APT  | ------>   | ISP | ->|   + ISP +        | Target |
>          |       |           |  A  |   x   +  B  +        |  www   |
>          |       |           |     |  o o  +     +        |        |
>          +-------+           +-----+       +-----+        +--------+
>
>     o Figure 5.4 Provider based STEP
>
>
>   Both instances of STEP successfully demonstrate the power of the
>   STEP protocol. In no case, can an attacker successfully launch any
>   attack against a target as the security posture has now been
>   hardened.
>
> 6. Security Considerations
>
>   Cutting any Ethernet cable could potentially lead to shock and
>   degradation of IP services on your network. Please ensure there are
>   additional Ethernet cables for redundancy. Otherwise there is
>   nothing to consider.
>
>
> 7. IANA Considerations
>
>   There are no alternative considerations. STEP is the ultimate in
>   security.
>
> 8. Conclusions
>
>   STEP defends against APT while minimizing your exposure to SCAMs and
>   FUD.
>
> 8.1. Informative References
>
>   [1]    http://www.amazon.com/b?ie=UTF8&node=689392011
>   [2]    http://ha.ckers.org/xss.html
>   [3]    http://en.wikipedia.org/wiki/Advanced_persistent_threat
>   [4]    http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt
>
>
> 9. Acknowledgments
>   Sofia Vergara
>   Kenji, Saki and Coco
>
>
> Appendix A. Copyright
>
>
>
>   Copyright (c) 2012 IETF Trust and the persons identified as authors
>   of the code. All rights reserved.
>
>   Redistribution and use in source and binary forms, with or without
>   modification, are permitted provided that the following conditions
>   are met:
>
>   o   Redistributions of source code must retain the above copyright
>       notice, this list of conditions and the following disclaimer.
>
>   o   Redistributions in binary form must reproduce the above copyright
>       notice, this list of conditions and the following disclaimer in
>       the documentation and/or other materials provided with the
>       distribution.
>   o   Neither the name of Internet Society, IETF or IETF Trust, nor the
>       names of specific contributors, may be used to endorse or promote
>       products derived from this software without specific prior
>       written permission.
>
>   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
>   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
>   FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
>   COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
>   INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
>   BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
>   LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
>   CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
>   LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
>   ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
>   POSSIBILITY OF SUCH DAMAGE.
>
>
> Author's Addresses
>
>   Jesus Oquendo
>   E-Fensive Security Strategies
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>