Air gaps never exist (2011)

gse-compliance.blogspot.com

43 points by cba9 10 years ago · 52 comments

tlrobinson 10 years ago

Doesn't "air gapped" imply physical separation? Putting a firewall, even if it's totally locked down, between two networks does not make it "air gapped".

jimrandomh 10 years ago

> "How do you think I got the firmware updates? We just made an SSH tunnel over TCP 53 and proxied HTTP to the Sun website."

Sounds like the real problem was they didn't have a better mechanism for getting things like that in. If a security system stops people from doing their jobs, they'll poke a hole in it unless you provide a better option.

  • AnimalMuppet 10 years ago

    > Sounds like the real problem was they didn't have a better mechanism for getting things like that in.

    Any mechanism for getting things like that in is a break in the air gap, by definition. (Well, by a strict definition.) But at least a better mechanism would be managed by security policy, not by underlings' need to get their job done. (That is, the security policy would have to take into account the need for updates as well as the potential security implications of importing new executable code from outside.)

elchief 10 years ago

Pedantically, not a "gap" if there's a network cable going to another network...

  • jis 10 years ago

    Years ago I was told by a colleague that he was required to set up an administrative system that was NOT connected to the network, but also had to be able to send and receive e-mail.

    The inherent contradiction was lost on the people giving the orders. So...

    • Nadya 10 years ago

      Well, he was an expert... wasn't he?

      https://www.youtube.com/watch?v=BKorP55Aqvg

      (Draw seven perpendicular red lines)

      • msm23 10 years ago

        Never thought I'd see it, but here's the solution to the expert problem:

        https://www.youtube.com/watch?v=B7MIJP90biM

        Credit to D. Scott Williamson, Expert

      • jib 10 years ago

        That sketch annoys me. Sure, marketing/sales/PM/design guys are idiots, whatever.

        Here are 11 things "I can't do it" can mean:

        I don't have time

        I don't want to

        I don't have anyone who knows how to

        I want someone else to do it

        I don't want to maintain it once built

        I want to work on this other thing

        Doing it would take away job security for me

        I think it is beneath me

        You're not going to use it anyway

        I don't think it is worth doing

        I think it is too expensive

        I think it would be easyish to fill out another 10 reasons for what "can't" really means that are more common than "it is flat out impossible regardless of budget/resources".

        • Nadya 10 years ago

          >I think it would be easyish to fill out another 10 reasons for what "can't" really means that are more common than "it is flat out impossible regardless of budget/resources".

          Yes. But the skit isn't about that.

          I often get impossible tasks from managers. Luckily when I tell them why they actually listen and aren't purposefully obtuse like the team from the skit. But the obtuse manner of the meeting is part of the comedy. Sometimes the management/sales/marketing team just doesn't get it.

          The most common request?

          "Please enhance this 92x92 .jpg logo x5-x10 its current size without lowering the quality of the logo."

          My most common pushback?

          "Sure. Get with their designer and get me the original file, be it .psd or .ai so that I can work with a larger resolution copy of the image. If they don't have the original file for their logo, you are asking for one of two things: 1) Recreate their logo or 2) The impossible. If (1) my answer is no. If (2) my answer is with modern technology, I can't."

          I've also been asked to uncrop photos. Not as in "restore a backup from before we saved over it with a cropped version" but literally uncrop a photo.

          I don't necessarily blame these people or get angry with them. I blame CSI and other investigative shows where they "enhance" a blurry photo to 4k crystal-clear resolution and read the reflection off of a button of a guy's jeans to read the licence plate of his car. They've been told this shit is possible by TV shows that use just-enough real tech to make the fake tech seem real to people outside of the loop.

          • kbenson 10 years ago

            The crazy thing is that the fake tech is also often actually real, but real in the sense that there's a recent academic paper where in certain specific conditions they were able to do what is being asked by using lots of math, domain knowledge, and custom programming, at a total cost of hundreds of thousands to millions of dollars when it's all done.

            Does that help you in any way in a commercial setting? No, unless you are Google or Apple or the like and it's not a simple request but the basis of a new business division.

            • Nadya 10 years ago

              Are you talking about the paper where they replicate keys from the roof of a building across the street when the keys were on the floor some several hundred feet away from a photograph? :)

              • kbenson 10 years ago

                Not specifically, more just the occasional paper you see posted where they've found a way to recover missing data from surrounding context. I.e. something like reverse engineering redaction boxes from JPEGs by reversing a non-lossless algorithm twice, once to get the lossy image in raw form with redaction boxes, and at that point again to determine what was likely under those boxes from the surrounding lossy compression as it existed before.

          • andreyf 10 years ago

            > I don't necessarily blame these people or get angry with them. I blame CSI and other investigative shows where they "enhance" a blurry photo to 4k crystal-clear resolution and read the reflection off of a button of a guys' jeans to read the licence plate of his car.

            I wouldn't get angry with them, but I would certainly blame them for thinking something is possible which a small child should be able to tell is not. I would advise you avoid working with people who believe computers are literally magic, as your life will be much better.

            • Nadya 10 years ago

              >I wouldn't get angry with them, but I would certainly blame them for thinking something is possible which a small child should be able to tell is not.

              Your domain experience is showing. ;) A small child doubtfully knows what pixels are, how computers represent data, how an image is actually displayed, and why you can make them smaller with minimal (meaningful) data loss but you cannot make them larger.

              That part confuses lots of people. From children to adults to my grandparents.

              Also photo restoration is black magic to some people - and a joy to my heart when I get the opportunity to restore a photo for someone.

              • andreyf 10 years ago

                Nah. I'm pretty sure I could have figured out that zooming in makes things fuzzy, just like if you hold it close to your face it doesn't add any detail to a photo, at age 7 or so.

                Photo restoration is more art than magic, assuming you're more or less drawing in the missing pieces.

        • vacri 10 years ago

          Half of those are perfectly valid responses. "I don't have time" or "I don't know anyone who knows how" or "it is too expensive" - these aren't the passive-aggressive responses that you're implying.

          • kbenson 10 years ago

            Those aren't the responses, otherwise it would be fine, you would be accurately communicating the actual problem. Instead, those are the underlying reason for just saying "I can't do it" instead of being forthcoming.

      • cpdean 10 years ago

        +1, parenthetical

    • tetraodonpuffer 10 years ago

      If the requirement is just email, seems like it would be quite feasible to set something up so that the MTA on the administrative system tunnels the email to the MTA of something network-connected in a non-tcp/ip kind of way (PTP microwave/laser link, printer-carrier pigeon-scanner combo, ...) that just passes the message over while remaining air-gapped

      • sophacles 10 years ago

        Oh neat... so I just have to own the system by sending a bad attachment (containing the malware), and having exfiltration happen via mail attachments. Got it.

        • bcoates 10 years ago

          I've seen actual near-airgapped systems that communicate by fax as risk reduction. Email-to-fax gateways rendered attachments and such in the DMZ, then dialed into the secure side, the theory being that owning a T1 fax card over the PSTN is much harder than sending a malicious email.

    • pwg 10 years ago

      UUCP delivered email (and Usenet and file transfers) for a very long time before full time network connections became the norm.

      https://en.wikipedia.org/wiki/UUCP

      So, it is possible to send/receive email without an always on network connection.

      • jrochkind1 10 years ago

        Heck, you could even do it with a never-on network connection, if someone wants to periodically ferry the ingoing/outgoing email over on a drive.

        That probably isn't what the requirements makers had in mind though.

        • mikeash 10 years ago

          I can see it now. You spend a month implementing a fancy, modern store-and-forward system that ticks all the boxes and provides an excellent blend of security and functionality. Then you get called into the big shot's office because he wants emails to go through in under ten seconds.

alkonaut 10 years ago

I thought "air gap" meant a machine or network that is physically separated (these days also without any radio connection) from other machines.

How can those not exist?

  • cba9OP 10 years ago

    Perhaps you should read the submission. The larger point here is that even if you set up a network in the first place which is genuinely airgapped, as time passes and systems evolve there will be constant pressure from within and without to re-establish a network connection somewhere in order to make everyone's lives easier and eventually, whether deliberate or inadvertent, a connection will be made (and of course, we know that the NSA has a variety of infiltration and exfiltration methods to get across air gaps, such as dropping flash drives and waiting for an insider to be foolish enough to bring it inside).

    Believing that an air gap exists or will continue to exist indefinitely is hence setting yourself up for some unpleasant surprises in the future, and encourages weak security designs where the network/system is crunchy on the outside and all delicious and soft and gooey on the inside. (Which is more secure, to have your local WiFi set up with WPA or whatever and have employees telnet into servers, or just go Google-style and have fully encrypted end to end links without requiring any belief in security of the links?)

    • vonmoltke 10 years ago

      > Perhaps you should read the submission. The larger point here is that even if you set up a network in the first place which is genuinely airgapped, as time passes and systems evolve there will be constant pressure from within and without to re-establish a network connection somewhere in order to make everyone's lives easier and eventually, whether deliberate or inadvertent, a connection will be made (and of course, we know that the NSA has a variety of infiltration and exfiltration methods to get across air gaps, such as dropping flash drives and waiting for an insider to be foolish enough to bring it inside).

      The article is not well written, and I personally had to parse it several times to figure out what he was trying to say. I'm still not even sure if this is the correct interpretation.

      > Believing that an air gap exists or will continue to exist indefinitely is hence setting yourself up for some unpleasant surprises in the future, and encourages weak security designs where the network/system is crunchy on the outside and all delicious and soft and gooey on the inside. (Which is more secure, to have your local WiFi set up with WPA or whatever and have employees telnet into servers, or just go Google-style and have fully encrypted end to end links without requiring any belief in security of the links?)

      That depends on your physical security. A facility like the one he described should have had regular security audits to verify that no hard lines were placed where they should not be. All hard lines and ports should have been marked with identifying information. Nobody should have been able to keep a line open for any significant period of time unless these processes broke down.

      • cba9OP 10 years ago

        > The article is not well written, and I personally had to parse it several times to figure out what he was trying to say. I'm still not even sure if this is the correct interpretation.

        I thought it was perfectly clear. He was telling a funny story about how systems and technologies evolve, giving two examples of that (latter, the watch, former, the system's airgap springing a leak), and furnishing an object lesson in the need for regular thorough audits to ensure that systems and controls thereof are still in place and still working the way that the owners think it's working.

        > A facility like the one he described should have had regular security audits to verify that no hard lines were placed where they should not be.

        Exactly. In fact, I believe at the time he wrote this blog post, OP was an active auditor for BDO. In some of his other posts, he analyzes observations he made while auditing a variety of companies/organizations; unsurprisingly standards across the board are very poor. He would be the first to say that this sort of thing is what an audit should prevent and why audits are needed (although I'm not sure I agree with his venom against pentesting; which I see analogous to fuzzing).

    • specialist 10 years ago

      > as time passes and systems evolve there will be constant pressure from within and without to re-establish a network connection somewhere

      Thank you.

      Proponents of electronic voting and tabulation (e.g. central count of physical ballots) enthuse about security, air-gapping, data diodes, etc.

      Alas, it's turtles all the way down. Dig deep enough and you'll expose the fiction.

      Then you're in the trap of explaining technology to policy makers, testifying against trained bureaucrats supported by an army of vendor sales minions defending their cheddar.

      You can't win.

      It's nutty making.

    • alkonaut 10 years ago

      I tried parsing it several times but from what I understood, they established an Internet connection out from the air gapped network, without coming into the facility with a big reel of network cable. So it seemed the network wasn't physically disconnected after all?

      An air gapped computer is pretty easy to create -- just disable the radios and don't connect any network cables to it.

      A network would be much harder but the key has to be that there are no other non-air gapped machines in the same facility. If someone wants to bridge the gap it should be obvious by the cable coming in the door and running all the way up to the machine.

      Obviously the kind of air-gapped networks I'm talking about are computers never involved in any internet business at all, the kind that operate power plants (or centrifuges...).

genericresponse 10 years ago

That's why you commit to multiple layers and types of defensive and recovery measures. Intelligence, preparation, prevention, prevention, prevention, monitoring, adaptation, more monitoring, effective response, well planned recovery.

  • kbenson 10 years ago

    I'm pretty sure you missed another 2-3 prevention layers. Shit's pretty dire after you're past that layer.

_wldu 10 years ago

Air gaps can also be bridged by using radio or sound waves. There could be a bunch of non-networked computers in a secure lab all talking to each other. This assumes trojaned hardware and/or operating system software in the systems that can send and receive data and commands.

Finally, technology such as Morse Code is still useful in these scenarios. Dits and dahs. Zeros and ones. That's all you need to be able to send and recv data.

http://www.jocm.us/index.php?m=content&c=index&a=show&catid=...

http://www.wired.com/wp-content/uploads/2014/11/air-hopper-m...

hackuser 10 years ago

> the blue cables in gas filled tubes

Cat5/6 cables? Why would they be in gas-filled tubes?

wallaceowen21 10 years ago

Back in the early days of Ethernet there were fiber to AUI widgets, that used 2 multimode fibers, one for TX, one for RX. We used these on classified systems with only RX connected - we could send data in to these systems over UDP, and it was truly a one-way path.
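As an added example (not part of the comment above or of any product): a minimal framing for a receive-only link of the kind described, where the inside host can never ACK, so the receiver must verify each datagram on its own, detect gaps locally and wait for the sender's blind repeat. The frame layout, names and transfer ids are constructed for this illustration.

```python
import hashlib
import struct
from typing import Dict, List, Optional

# Constructed frame layout: 4-byte magic, u32 transfer id, u32 sequence number,
# u32 chunk count, 32-byte SHA-256 of the payload, then the payload itself.
# Each frame is meant to travel as one UDP datagram over the one-way fibre.
MAGIC = b"DIOD"
HDR = struct.Struct("!4sIII32s")


def frame_chunks(data: bytes, transfer_id: int, chunk_size: int = 1024) -> List[bytes]:
    """Split `data` into self-describing frames the sender repeats blindly."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    return [
        HDR.pack(MAGIC, transfer_id, seq, len(chunks), hashlib.sha256(c).digest()) + c
        for seq, c in enumerate(chunks)
    ]


class OneWayReceiver:
    """Collects frames for one transfer on the receive-only side."""

    def __init__(self, transfer_id: int) -> None:
        self.transfer_id = transfer_id
        self.total: Optional[int] = None       # unknown until the first good frame
        self.chunks: Dict[int, bytes] = {}

    def accept(self, frame: bytes) -> bool:
        """Validate one datagram; return False for anything that must be dropped."""
        if len(frame) < HDR.size:
            return False
        magic, tid, seq, total, digest = HDR.unpack_from(frame)
        payload = frame[HDR.size:]
        if magic != MAGIC or tid != self.transfer_id or seq >= total:
            return False
        if hashlib.sha256(payload).digest() != digest:   # corrupted in transit
            return False
        if self.total is None:
            self.total = total
        elif total != self.total:                        # inconsistent sender
            return False
        self.chunks[seq] = payload   # duplicates from repeats simply overwrite
        return True

    def missing(self) -> List[int]:
        """Sequence numbers still outstanding; empty until the count is known."""
        if self.total is None:
            return []
        return [s for s in range(self.total) if s not in self.chunks]

    def assemble(self) -> Optional[bytes]:
        """Return the full payload only once every chunk has arrived intact."""
        if self.total is None or self.missing():
            return None
        return b"".join(self.chunks[s] for s in range(self.total))
```

Because the link carries no return traffic, the sender learns nothing from the receiver; the usual practice is to repeat the whole frame set on a schedule and let the receiver fill its gaps from later passes.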

munin 10 years ago

> I have seem so many kludges connecting SIPPER and NIPPER networks

I don't know how much I trust someone who can't even get the acronym for SIPR and NIPR right (https://en.wikipedia.org/wiki/SIPRNet https://en.wikipedia.org/wiki/NIPRNet)

  • andreyf 10 years ago

    from the link: "SIPRNet and NIPRNet are referred to colloquially as sipper-net and nipper-net (or simply sipper and nipper), respectively"

    • munin 10 years ago

      when you pronounce them, sure, but why capitalize them like an acronym, but mis-spell the acronym?
