this post was submitted on 26 Aug 2024
56 points (100.0% liked)

Cybersecurity

5618 readers
155 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 1 year ago
MODERATORS
kid@sh.itjust.works
Lanky_Pomegranate530@midwest.social
56
After cybersecurity lab wouldn’t use AV software, US accuses Georgia Tech of fraud (arstechnica.com)
submitted 2 months ago by neme@lemm.ee to c/cybersecurity@sh.itjust.works
15 comments fedilink hide all child comments
top 15 comments
sorted by: hot top controversial new old
[–] esc27@lemmy.world 17 points 2 months ago (1 children)

It has been a few years, but I was once asked to implement 800-171. The document was aggressively vague and really the sort of thing that requires hiring a consultant to setup and probably at least one FTE to maintain. Thankfully our project was abandoned before I had to start looking for other employment just get away from the damn thing.

So I emphasize with Georgia Tech for not perfectly implementing the rules to the governments confusing standards.

However, the researchers refusal to run anti-virus even when required by the contract was just stupid. "Academic freedom" doesn't mean anything when your grants are revoked or you get sued for millions over a breach. That said, they should have been able to work out some sort of "compensating control" to use instead of anti-virus and get that approved by the government.

[–] harrys_balzac@lemmy.dbzer0.com 9 points 2 months ago* (last edited 2 months ago) (1 children)

I think you meant "empathize," not "emphasize."

I agree, though - running without any sort of AV is just arrogant and foolish.

[–] flying_sheep@lemmy.ml 15 points 2 months ago* (last edited 2 months ago) (2 children)

No, that's not the take-away.

Going without AV as a computer-savvy person is perfectly reasonable, as AV companies can't be trusted, and AVs are notorious for having deep seated privileges and bad security themselves – therefore increasing your attack surface.

The take-away is that if you're deciding for an institution that's contractually obligated to do a thing, you should do it.

[–] jet@hackertalks.com 8 points 2 months ago (2 children)

I think it's important to be clear about the difference between antivirus, and an in resident black box agent.

An antivirus that you run on static files, is perfectly fine in any environment. t's controllable it's known you know the inputs you know the outputs. You know what you're exposing to it. Even if the antivirus itself is a black box, you spin up a VM with the files you want to scan, you get the output of the scan, you destroy the virtual machine. So you don't leak anything

An agent that stays with privileged access to the machine, is basically a root kit, and they're often black boxes. So a black box root kit is a huge security risk, especially if that black box needs to phone home to a service outside of your network. That's just crazy. That's more than an antivirus, that is I don't even know the right word, but it's a lot.

[–] flying_sheep@lemmy.ml 6 points 2 months ago* (last edited 2 months ago)

Very true. I doubt the researcher in question would object to use a virus scanner like you described.

Every consumer antivirus software works like the black box rootkit you described, AFAIK.

[–] stringere@sh.itjust.works 2 points 2 months ago

That’s more than an antivirus, that is I don’t even know the right word, but it’s a lot.

I think SIEM is what you're looking for: Security Information and Event Monitoring

[–] Ajen@sh.itjust.works 2 points 2 months ago

Depending on how the contract was written, running a clamav scan periodically may have been sufficient.

[–] jet@hackertalks.com 12 points 2 months ago (2 children)

I think the security researcher has a valid point.

In a secure environment you don't want random things running in memory, sending samples to third parties.

Would a static virus scanner run periodically on the volume itself been sufficient? If yes, then the researcher was being unreasonable.

[–] corsicanguppy@lemmy.ca 10 points 2 months ago* (last edited 2 months ago) (1 children)

The last time I saw this, we debated hard around this fixation on running third-party admin-level agents on boxes. Especially since our side was running non-windows, we maintained that our setup adequately mitigated any issues. They were adamant, and the contractors they brought in were boneheads, and we were not friends.

But. The brass said capitulate. Our terms:

  • they acknowledge they're asking for unknown 'black box' third-party software into hosts to run with admin-level access. They hammered at that one hard but it's not wrong.
  • they acknowledge that it poses an avoidable risk and it's done entirely at their express and direct request.
  • they furnish a bond in an amount to cover the rebuild of the related hosts because it's a risk.
  • with their link to the rest of the world, these hosts are declared non-sovereign, and no P-I can be near them.
  • the hosts live in a ring-fence to protect the rest of the organization from their non-sovereign selves
  • they furnish a team and a member standing-by like a regular stand-by team to respond to alerts related to potentially-spotted viruses on the hosts - even if not immediately considered a risk to the hosts.
  • they sign indemnity agreements stating this was all their decision, that we had consulted them about increased costs and reduced effectiveness, and risk, and they understood and accepted it.

They signed readily.

I think that was it. This isn't my plan, since I'm just not that smart, but the guy who itemized the terms was really good.

So we got machines, ring-fenced them, locked them away and got the scanner agent set up. Every day or so we'd have our stby wake their guys up - and they were bargain contractors so, no standby pay - and they'd get to go over an analysis of the suspected virus, decide it was nothing - suspected no risk, but inconclusive (no one says 100% in security) - and go back to bed.

This went on for weeks; even after the machines were deemed unusable for the project. You see, it was a system that handled registrations ... for something; names, numbers, times; P-I. And they couldn't handle P-I because they were non-sovereign and we couldn't violate our data sovereignty requirements.

But we had to set it up. Someone paid good money for that hardware; which, because it had to be ring-fenced, couldn't be part of our standard private-cloud (on prem) setup. Wow, but that budget went out the window.

After only a few weeks of this comedy they begged for a meeting. "Kill the agents," they said. But why? We paid for them and it's in the plan. You agreed to support the agents for the life of the project!". Okay, we laid it on thick.

They said please no; they'd go with our plan. "our plan? We like your plan. You want to do this other thing, we're gonna need indemnity for the risks in the plan you call ours that you rejected but now you want to do." And they could really only agree.

Agents removed. Boxes rebuilt - on their dime because of the "inconclusive" above and the "bond" clause - as we can't be sure what went on those boxes. We fulfilled the VM requirements from our genpop, and added the new boxes in as common hardware as the hardware was EOSL and the maker wanted to support it but never see it again. They took a penalty because what we called their bumbling ran them over the delivery timeline, but at least it was done. Project complete, brass pats themselves on the back, cheapo contractors stung and tired. Kinda less our friends at that point..

And we got new hardware, which the CFO said was never gonna happen. Like a half-mil he signed-off on, and that went into genpop as mentioned. And every time they went to hire a cheap whore, we got to remind them of how this one ran over so poorly, and they get to explain themselves to the top brass. That was a gift that kept on giving, even if THEY reminded us how much the contractors didn't earn via delivery penalties and how much they had to pay back on that "bond" clause, which was just labour we needed to spend anyway on fixing a delivery process.

And we laughed like the end of a Bellisarius serial right before the freeze-frame.

[–] jet@hackertalks.com 3 points 2 months ago (1 children)

That's a real roller coaster ride of a journey. Thanks for sharing it. Glad you got some bonus hardware out of it.

[–] corsicanguppy@lemmy.ca 2 points 2 months ago

I'd like to say it was all masterfully done plan, but I'm sure it was 90% CYA and luck.

Still, yeah, hardware budget was non-zero, and when FIN is pulling the strings, that's always nice. ;-)

[–] flying_sheep@lemmy.ml 4 points 2 months ago

Totally reasonable to not do a dumb thing if you have no contractual obligation to do the dumb thing.

Sadly they had that obligation, so they have to weigh the cost of doing the dumb thing with the cost of breaching contract.

[–] Saik0Shinigami@lemmy.saik0.com 7 points 2 months ago (1 children)

But this "overall" plan was basically fictional—it was a model, and apparently not an accurate one. Georgia Tech doesn't have a unified IT setup; it has hundreds of different IT setups, including a different one at most research labs.

Yes... this is actually common. Your typical state school is actually made up of many different colleges working in tandem with each other. The nursing "school" is different than the law "school" at your university. Often even holding completely different names internally.

[–] stoly@lemmy.world 1 points 2 months ago

Yep. Only private schools have things centralized. Public universities are a libertarian bastion.

[–] technocrit@lemmy.dbzer0.com 5 points 2 months ago* (last edited 2 months ago)

The imperial economy is approximately 95% people grifting off the fundamentally corrupt military state. It will never be fixed because it's a major point of its existence. These GT people are just dust in the wind relatively.