FEOS
Bellicose Yankee Air Pirate
+1,182|6713|'Murka

AussieReaper wrote:

FEOS wrote:

"Terabytes of data" is irrelevant. Which data was taken? Can that data be used to glean classified information about the F-35? Possibly, but simply saying "terabytes of data were exfiltrated" and then act like that in and of itself is some measure of effectiveness is simply wrong. If they exfiltrated terabytes of LockMart corporate administrivia, it doesn't amount to jackshit.
"Terabytes of data is not irrelevant"? What a stupid comment to make. That hackers could break into a system and download such a large amount of data whether it is critical or not is still an unwarranted loss of data and for terabytes to be taken is a very clear indication that the data was taken over a long period of time and not a simple breach.

Such a hack went undetected for so long, it is incredibly embarrassing that so much data was taken without authorisation.
You're right. It's totally a stupid thing to say. I'm sure I have nothing to base that on.

Oh...except that it's my fucking job to understand the operational impact of these types of things. That my office did the post-mortem on the events to determine the possible operational impact of these very events.

Probably have no idea what I'm talking about.

Too many people use "terabytes" of data as some sort of a metric. But when you're determining if the breach has operational or security impacts, you have to look at the nature of the data taken...the amount is truly irrelevant. If all they're getting is admin crap like supply lists or open-source performance data, it's irrelevant. If there was classified data or sensitive data that when compiled gives insight into classified information, that's a different story.

From a network security perspective, it's significant. From an operational perspective...not so much.

And you're making an assumption that it went on without people knowing. Believe it or not, there are people who understand more about this stuff than you do.

Diesel_dyk wrote:

After milliseconds upon milliseconds on the internet I came up with the solution. Unplug!?
You're right. Then the network is fairly unusable for the purpose it was put into use. You can completely, 100% secure a network by not connecting it...but that sort of defeats the purpose, does it not? You must balance risk with benefit.

Diesel_dyk wrote:

Now, why in world is sensitive data like this being stored on a network with access to the outside.... that's just stupid.
It wasn't. Unclassified data is stored on unclassified systems which are normally connected to the internet. Classified data is stored on classified networks/systems...which aren't connected to the internet.

The WSJ is being hyperbolic, to say the least.
“Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid.”
― Albert Einstein

Doing the popular thing is not always right. Doing the right thing is not always popular
Bradt3hleader
Care [ ] - Don't care [x]
+121|6238

Cybargs wrote:

ghettoperson wrote:

Is there nothing we can do against these Chinese hackers? I mean, I know they're supposedly civilians, but can we not nuke China anyway?
EMP their whole country lulz.
TBH that has a worse effect than a nuke itself! I think if any military action should ensue then this is surely the best option. Because then they have no way to communicate or retaliate. Even if they have huge bunkers to protect from nukes, it is pointless if you can't communicate even with all those fancy tanks and planes.

Not to mention their cheap rip-off copies of AK47s. Type 95 FTW
AussieReaper
( ͡° ͜ʖ ͡°)
+5,761|6455|what

FEOS wrote:

AussieReaper wrote:

FEOS wrote:

"Terabytes of data" is irrelevant. Which data was taken? Can that data be used to glean classified information about the F-35? Possibly, but simply saying "terabytes of data were exfiltrated" and then act like that in and of itself is some measure of effectiveness is simply wrong. If they exfiltrated terabytes of LockMart corporate administrivia, it doesn't amount to jackshit.
"Terabytes of data is not irrelevant"? What a stupid comment to make. That hackers could break into a system and download such a large amount of data whether it is critical or not is still an unwarranted loss of data and for terabytes to be taken is a very clear indication that the data was taken over a long period of time and not a simple breach.

Such a hack went undetected for so long, it is incredibly embarrassing that so much data was taken without authorisation.
You're right. It's totally a stupid thing to say. I'm sure I have nothing to base that on.

Oh...except that it's my fucking job to understand the operational impact of these types of things. That my office did the post-mortem on the events to determine the possible operational impact of these very events.

Probably have no idea what I'm talking about.

Too many people use "terabytes" of data as some sort of a metric. But when you're determining if the breach has operational or security impacts, you have to look at the nature of the data taken...the amount is truly irrelevant. If all they're getting is admin crap like supply lists or open-source performance data, it's irrelevant. If there was classified data or sensitive data that when compiled gives insight into classified information, that's a different story.

From a network security perspective, it's significant. From an operational perspective...not so much.

And you're making an assumption that it went on without people knowing. Believe it or not, there are people who understand more about this stuff than you do.
Oh I'm sorry I only have an Information Technology degree from University to base my knowledge on.

"From a network security perspective, it's significant."

That's funny, because it is a network security perspective I was basing this breach on. Since it was classified and restricted systems that were breached. You did notice that, didn't you?

No security system is going to use OSS or basic vendor supplied security when dealing with information of this nature. That should be obvious to you also.
https://i.imgur.com/maVpUMN.png
FEOS
Bellicose Yankee Air Pirate
+1,182|6713|'Murka

AussieReaper wrote:

Oh I'm sorry I only have an Information Technology degree from University to base my knowledge on.
I bet mommy's proud.

AussieReaper wrote:

"From a network security perspective, it's significant."

That's funny, because it is a network security perspective I was basing this breach on. Since it was classified and restricted systems that were breached. You did notice that, didn't you?
It wasn't classified systems. It was pseudo-restricted systems...which are still connected to the internet and thus don't contain classified information unless someone erroneously puts it on there. Which didn't happen in this case.

Again, network security is one thing. Operational impact of the incident is something else entirely. Since you have an IT degree, you should know that the impact of the breach (ie, what was taken) is far more critical than the fact the breach occurred. When setting up a network, you base your risk management on the assumption that the network will be compromised and set up an IA strategy accordingly.

AussieReaper wrote:

No security system is going to use OSS or basic vendor supplied security when dealing with information of this nature. That should be obvious to you also.
The only thing that's obvious is that you think an IT degree somehow makes you an authority on this particular situation.

It doesn't.
“Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid.”
― Albert Einstein

Doing the popular thing is not always right. Doing the right thing is not always popular
rdx-fx
...
+955|6893

AussieReaper wrote:

No security system is going to use OSS or basic vendor supplied security when dealing with information of this nature. That should be obvious to you also.
You'd be surprised what's used where sometimes.

How about NSA guidelines on securing RHEL 5, aka SELinux.

I worked on army systems that were ...  well, I needed a fairly high clearance (TS/SCI FYI, YMMV etc etc).  One was based on HP-UX, another was based on a bare bones SCO kernel.  Both of them were under 512KB in total system code size (KB, not MB). Both of them probably shared code that AT&T had left "open" to Berkeley (BSD anyone?).

And, those systems have been obsolete and gone for many years. 
My TI-89 (Texas Instruments $100 handheld calculator) can completely replace one of them, with a few hours of coding.
The other system was so crash-prone, that I did often replace its functionality with a TI-34 ($20 calculator from 1989(?)), pencil, paper, compass, and ingenuity.
Yet.. I've read and reread the above paragraphs to make damn sure I've been sufficiently vague about them.
In est, Aussie, cut FEOS some slack.  He currently works in that area (military, with security & OPSEC concerns), and has to keep himself a few miles away from crossing the magical OPSEC line.  Give him the benefit of the doubt that he may know a thing or two in that field, even when he may not feel like putting his toes on that OPSEC line just to prove his bona fides to the internet at large.

AussieReaper wrote:

Oh I'm sorry I only have an Information Technology degree from University to base my knowledge on.
Not so politely, a university degree in IT means precisely fuckall about practical experience.  A degree means only that "yes, I know the basics, I know the lingo, and I am ready to be trained in how to be a useful professional in this particular field".  Impress me with "I've been doing this professionally for 20 years" or something like that.  FEOS has probably been in his career for 10-20 years, in addition to having a university degree, in addition to having a metric assload of mandatory security training, etc, etc.

When it comes to network security issues, I'd take FEOS's mere whisper - over any amount of documentation you could write up in a 200 page  senior design project thesis.
Flecco
iPod is broken.
+1,048|6967|NT, like Mick Dundee

Tbh FEOS is from the Pentagon. He knows his shit. He might be an officer but let's not hold that against him anybody.
Whoa... Can't believe these forums are still kicking.
Beduin
Compensation of Reactive Power in the grid
+510|6052|شمال
https://i228.photobucket.com/albums/ee37/Middleeaster/Generals_Hacker.jpg

Nobody will notice their money is missing!
الشعب يريد اسقاط النظام
...show me the schematic
Flecco
iPod is broken.
+1,048|6967|NT, like Mick Dundee

Beduin wrote:

http://i228.photobucket.com/albums/ee37 … Hacker.jpg

Nobody will notice their money is missing!
I want another C&C: Generals. Missed out last time.
Whoa... Can't believe these forums are still kicking.
