<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<a
href="http://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire">http://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire</a><br>
<br>
So I don't usually link to random blogs from the big boys, but this
article is worth a read. On Twitter Ben Nagy asked what an
integrated team looks like - and though Symantec didn't really DELVE
into the details, probably because they'll monetize them somehow,
this is what it probably looks like. Because agility as a component
of an attack team isn't gotten by throwing money at the problem.
It's a matter of organizing your attack flow in the right way. It
comes down to where people sit in physical space, half the time. <br>
<br>
Obviously the numbers in the infographic should all be multiplied by
10.<br>
<br>
And then you look at these teams' successes - and one of them,
obviously, is RSA. RSA is getting hit from both sides. At this point
its marketing message is "We got <a
href="http://allthingsd.com/20120227/seven-questions-for-rsa-security-head-art-coviello/">hacked
by the Chinese</a>, and our main product had a USG backdoor
in it":<br>
<br>
<a
href="http://www.theguardian.com/world/2013/sep/21/rsa-emc-warning-encryption-system-nsa">http://www.theguardian.com/world/2013/sep/21/rsa-emc-warning-encryption-system-nsa</a><br>
<br>
Backdoors go two ways:<br>
<ol>
<li>Make your product have security vulnerabilities that only you
know about, or can QA exploits for, or have the ability to touch
(cf. SCADA). I call this "Backdoority through obscurity".</li>
<li>Make backdoors that are provably built in such a way that only
you can exploit them. The Dual EC DRBG
backdoor is a classic example. The <a
href="http://www.networkworld.com/news/2012/060412-microsoft-flame-259828.html">Flame
Certificate</a> attack is another one. This should be
true even for remote access trojans - <a
href="http://www.immunityinc.com/products-hydrogen.shtml">Hydrogen</a>
was built so that without the private key, it wouldn't even
respond to the init packet. I would be surprised if the Naid
trojan system is any different. Pro is pro.<br>
</li>
</ol>
BSAFE being backdoored (and you have to be insane to believe <a
href="http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html">RSA's
weak defense</a> of choosing that PRNG as their default) means
almost every device (from VPNs to SSL Accelerators to crypto-enabled
trading applications) on the Internet was backdoored, because
everyone big uses the BSAFE library to do their crypto. <br>
<br>
When this program went dark it was like a toilet flushing <i>trillions</i>
of dollars right into the sewage system (not to mention RSA and NIST
being collateral damage). The silver lining here for most people on
this list is that targeted access was always the future once the
Internet happened, and that future is now. <br>
<br>
-dave<br>
<br>
</body>
</html>