Sunday, 25 September 2011

Air gaps never exist.

In the nature of getting myself into trouble, I have decided to write a little personal anecdote. As anybody who has read my posts and more will quickly determine, I am outspoken and at times far from diplomatic, but those are never the things that have got me into the most trouble.
It is usually the silly things that I should have shut up about, if I really cared for my career more than for security, that are the bane of my life.
I do not usually wear a watch, but in this tale, I had one on. It was an interesting watch: it had a Bluetooth mobile and a 512MB USB hard drive but looked just like a normal everyday watch.
A ways back, I was contracting through a company I owned with CSC and DFAT. Fun stuff such as “Advice on Information Technology Security”. That much is public information, and that is about as far as it needs to be said and as far as I will say, as it is not at all important here.
Well, on to the story. I was working in a data centre and comms centre in Forrest, one of the fun places that have the blue cables in gas-filled tubes and loads of copper throughout so as to create a Faraday cage to DSD TEMPEST specs.
I did the normal stuff and wasted the normal long amount of time getting in through the man-trap and having the scanner go off many times as they are too sensitive. Side note, I have several chunks of metal in me that are now “me” due to the collections of broken bones I have accrued in the years I have walked this earth.
I did the pat-down and wondered just how friendly the guard was getting. They took my phone, issued me with a laptop to work on (as I could not take my own in) and gave me the general spiel of how and what for the location I was working in that week. Basic things that I knew already, like “if the person has more tinsel than a Christmas tree, do not bother him, just agree”.
Well, the watch was left on and I forgot it. Completely by accident, but it was on all day as I was left alone in a data centre hosting A*** data for a number of 4 letter agencies. Here in Oz we have 4 letter agency names to demonstrate that we are good.
I did a full day playing with a number of Unix and VMS systems (real Unix and not Linux) and finished up. I did the pat-down, left and was in a meeting room outside the secure area doing a debrief on what we had configured etc. when I was dumb enough to pipe up and say…
“Oh, I forgot to say my watch has a hard drive in it…”
Shite, fan… I need not say too much.
I was still in my 20’s at this point, young and stupid (stupider than now even). I managed to spend a couple hours with a few people who did not seem really happy. I personally think it was too much starch in their laundry.
If I had been smart, I would have shut up at that point and it would have passed. But being a 20-something at the time, after being told that I could not take a drive into this facility and that if I had left with it and not been stopped (so much for saying I had it) it would have been a felony, I was dumb enough to say, “What is the big deal? I can just send and receive data over the Net.”
The response was normal…
“Don’t be daft, kid, we are air gapped. Nothing goes in or out.”
Now, if you ever want to see a Brigadier go funny colours just say what I did…
“How do you think I got the firmware updates? We just made an SSH tunnel over TCP 53 and proxied HTTP to the Sun website.”
Then there was a gap as this was explained in detail, all the time the colours on the faces were amazing.
Not naming names here and nor will I even when plied with drink, but basically, some of the CSC guys I worked with also did the Telstra tower and worked in TS and general systems. They needed to manage these and the budget only allowed them to do so much.
So, they had opened outbound TCP 53 from any host on the firewall. All the auditors missed this: it was simply DNS, and so nothing was ever noted in a single report.
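The rule that let this through was a port-number rule, not a protocol rule, which is exactly why the audits never saw it. The following is an added example (not code from the original post, and not anything CSC or DFAT ran) of the check a reviewer or sensor could apply to outbound TCP 53 flows: parse the first message as DNS-over-TCP (2-byte length prefix, 12-byte header, then a question) and flag anything that does not parse, such as an SSH banner or an HTTP proxy request. The sample flows, hostnames and addresses are constructed for the example.

```python
import struct

# DNS opcodes that a real resolver or server would send:
# QUERY(0), IQUERY(1), STATUS(2), NOTIFY(4), UPDATE(5)
VALID_OPCODES = {0, 1, 2, 4, 5}
# DNS classes: IN, CH, HS, NONE, ANY
VALID_QCLASSES = {1, 3, 4, 254, 255}


def build_dns_message(name: str, flags: int = 0x0100, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS-over-TCP message: 2-byte length prefix, header, one question.
    Default flags 0x0100 = a standard query with recursion desired; qtype 1 = A."""
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def looks_like_dns_over_tcp(payload: bytes) -> bool:
    """True if the first message in a TCP stream parses as a well-formed DNS message.
    Assumes the capture contains at least the complete first message."""
    if len(payload) < 2 + 12 + 1 + 4:  # prefix + header + root name + qtype/qclass
        return False
    (msg_len,) = struct.unpack("!H", payload[:2])
    if msg_len < 12 + 5:
        return False
    msg = payload[2:2 + msg_len]
    _qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    z_bit = (flags >> 6) & 1  # reserved bit, must be zero in real traffic
    if opcode not in VALID_OPCODES or z_bit or qdcount == 0:
        return False
    # Walk the first question name: uncompressed labels of at most 63 bytes, then a zero byte.
    pos = 12
    while True:
        if pos >= len(msg):
            return False  # name runs past the message
        label_len = msg[pos]
        if label_len == 0:
            pos += 1
            break
        if label_len & 0xC0 or label_len > 63:
            return False  # compression pointer or oversize label where a plain name is expected
        pos += 1 + label_len
    if pos + 4 > len(msg):
        return False
    _qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return qclass in VALID_QCLASSES


def classify_port53_payload(payload: bytes) -> str:
    """Label the first bytes of a TCP/53 stream: real DNS, or something riding the port."""
    if looks_like_dns_over_tcp(payload):
        return "dns"
    if payload.startswith(b"SSH-"):  # SSH version banner (RFC 4253) is the first thing an SSH client sends
        return "ssh-on-53"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"CONNECT", b"HEAD", b"PUT"):
        return "http-on-53"
    return "non-dns-on-53"


def audit_flows(flows):
    """Return (src, dst, verdict) for every TCP/53 flow whose payload is not DNS."""
    return [(src, dst, v) for src, dst, payload in flows
            if (v := classify_port53_payload(payload)) != "dns"]


# Constructed sample flows: (source host, destination host, first payload bytes on TCP/53).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.53", build_dns_message("example.com")),               # legitimate lookup
    ("10.0.0.7", "198.51.100.9", b"SSH-2.0-OpenSSH_5.3\r\n"),                    # SSH tunnel on 53
    ("10.0.0.9", "198.51.100.9", b"CONNECT example.com:80 HTTP/1.1\r\n\r\n"),   # HTTP proxying on 53
]

if __name__ == "__main__":
    for src, dst, verdict in audit_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:53  {verdict}")
```

The point of the check is that "port 53" and "DNS" are different claims: a firewall rule proves only the first, and the second needs either payload inspection like the above or a rule that allows TCP/UDP 53 only from the internal resolvers, not from any host.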
So, now that I have said as much as I could to make this clear, and though in some ways I have said too much and can expect to end up berated yet again, I will say: there are no air gapped systems.

  • Air gaps do not work.
  • Data diodes do not work.
  • If you are placing your trust in this, you are already done.
Even in TS cleared, Faraday controlled bases with no links, there are links. I have seen so many kludges connecting SIPRNet and NIPRNet networks in the US it is not funny, and they have links to us here in Oz as well.
So, the things we do to try and ruin our careers.
Then, at least unlike Stephen Northcutt, I never managed to take down a battle ship.