LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-04-2021, 04:30 AM   #61
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,345

Rep: Reputation: Disabled

Quote:
Originally Posted by sundialsvcs View Post
The UDP protocol is a lower-level layer in that stack, providing base services which higher levels (including "bidirectional sequence-guaranteed 'sockets'") build from.
Here's a fairly decent breakdown of the TCP/IP layered model.

As you can see, TCP and UDP are part of the "Transport Layer", and both are built on top of the "Internet Layer".

So no, UDP is not a lower layer in the stack upon which other transport protocols are built.
 
Old 06-04-2021, 06:24 AM   #62
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,400

Original Poster
Rep: Reputation: 2336
This left me wondering things about the HSE hack:

Let's say you have your backup server on a different network, which is apparently industry standard, and let's presume a network connection to maximise throughput.
  • I can imagine backing up boxes on network 1 to disks on network 2, but how do you back up the servers?
  • How do you prevent attacks on the backup server, presuming your system has been compromised? So, network 1 is in the hands of hackers; how is network 2 protected?
  • Imagine worst case: network 2 has started backing up network 1 when the hacker strikes …
 
Old 06-04-2021, 07:20 AM   #63
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,707

Rep: Reputation: 2720
Quote:
Originally Posted by business_kid View Post
This left me wondering things about the HSE hack:

Let's say you have your backup server on a different network, which is apparently industry standard, and let's presume a network connection to maximise throughput.
  • I can imagine backing up boxes on network 1 to disks on network 2, but how do you back up the servers?
  • How do you prevent attacks on the backup server, presuming your system has been compromised? So, network 1 is in the hands of hackers; how is network 2 protected?
  • Imagine worst case: network 2 has started backing up network 1 when the hacker strikes …
Example from one client I once managed.
1. The backup and control networks are local non-routed networks that can ONLY be addressed locally. In other words, an attack must come FROM one of the secured servers. There is no direct access to or from the internet. Only control access is allowed on the control network, only backup/restore traffic is allowed on the backup network.
2. The data secured servers are on a local non-routed network with only tight control to the internet and NO access FROM the internet. Access to the server production and test networks will be either indirect (more about that in a moment) or via a doubly secured VPN between the server network and client sites allowing only the client software access.
3. The web servers that allow internet access are on a controlled local non-routed network with one secure gateway allowing tightly controlled access to the web server via filtering and address translation. Another gateway allows only tightly controlled access between the web server and its specific service on the specific internal server. These are virtual machines in containers (I did prefer OpenVZ containers at the time. All of those Docker-based attacks just fizzled! ;-)). These can be destroyed and recreated with a few moments' notice, and contain no client data: they are only a portal with unique Java applications running under Tomcat in a non-standard installation.
4. The backup server only opens connections on demand or on schedule and is not addressable otherwise (except at the local console access, natch). Backups are performed at night. Each day the backup server is itself backed up to removable storage which is moved offsite in a generational pattern.
5. Windows servers exist, and are on their own secured network apart from all others, and considered a constant vulnerability. They have their own backup server.

All non-client access to servers containing data is over the control network, which is only accessible by the SA, Security, and Networking staff. All client access is using an in-house client that encrypts all traffic and connects only to the server application on the server.

Is it possible to break that security? Sure! Without inside information and detail? Well, that might be tricky! In the time it would take one might hope that the multiple layers of intrusion detection would wake up the operator on-call and trigger appropriate manual or automated blocking or lockdown events.

One would also hope that some security ignorant VP of IT would not complain about all of the security being confusing and inconvenient and insist upon adding ways to bypass all of it, but this IS the real world! (sigh)
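The post above describes backing the backup server up to removable storage that is rotated offsite "in a generational pattern", which is the usual answer to the earlier question of what happens when the attacker strikes while a backup is running: the poisoned generation is only one of several. The example below is added here and is not the poster's tooling; it implements the common grandfather-father-son retention rule (keep the newest daily, weekly and monthly generations) and compares it with a naive "keep the last seven days" policy on a constructed timeline in which every snapshot taken on or after an assumed compromise date contains encrypted data. The dates, the retention counts and the single-daily-snapshot cadence are all assumptions for illustration.

```python
from __future__ import annotations
from datetime import date, timedelta

# Added example, not code from the original thread. Retention counts are
# assumptions chosen for illustration.
def gfs_retention(snapshots: list[date], keep_daily: int = 7,
                  keep_weekly: int = 4, keep_monthly: int = 12) -> set[date]:
    """Grandfather-father-son retention: return the snapshot dates to keep.

    Keeps the newest `keep_daily` snapshots, plus the newest snapshot in each
    of the most recent `keep_weekly` ISO weeks and `keep_monthly` months.
    """
    dates = sorted(set(snapshots), reverse=True)  # newest first
    keep: set[date] = set(dates[:keep_daily])
    for bucket_of, limit in (
        (lambda d: tuple(d.isocalendar()[:2]), keep_weekly),   # (ISO year, ISO week)
        (lambda d: (d.year, d.month), keep_monthly),            # (year, month)
    ):
        seen: list = []
        for d in dates:
            bucket = bucket_of(d)
            if bucket in seen:
                continue  # the newest snapshot of this bucket is already kept
            seen.append(bucket)
            if len(seen) > limit:
                break
            keep.add(d)
    return keep


def simulate(first: date, compromise: date, today: date) -> dict:
    """One snapshot per day from `first` to `today` inclusive.

    Every snapshot dated on or after `compromise` is assumed to have picked up
    encrypted files, so only snapshots strictly before it are usable for a
    restore. Returns, as ISO date strings, which clean generations survive.
    """
    snapshots = [first + timedelta(days=i) for i in range((today - first).days + 1)]
    kept = gfs_retention(snapshots)
    gfs_clean = sorted(d.isoformat() for d in kept if d < compromise)
    # The policy the question worries about: a single rolling window with no
    # older generations. Once the window has rolled past the compromise date,
    # every copy on hand is poisoned.
    naive_kept = snapshots[-7:]
    naive_clean = [d for d in naive_kept if d < compromise]
    return {"gfs_kept": len(kept), "gfs_clean": gfs_clean,
            "naive_clean": len(naive_clean)}


def retention_demo() -> dict:
    """Constructed scenario: backups since 1 Jan, compromise on a Friday,
    noticed a week later. The dates are illustrative assumptions."""
    return simulate(date(2021, 1, 1), date(2021, 5, 14), date(2021, 5, 21))


if __name__ == "__main__":
    result = retention_demo()
    print("rolling-window copies still clean:", result["naive_clean"])
    print("generational copies still clean:  ", result["gfs_clean"])
```

A week after the compromise the rolling window holds nothing but encrypted copies, while the generational scheme still has the last clean weekly and monthly copies to restore from. The offsite, removable part of the poster's setup matters just as much: retention logic on a server the attacker can reach can simply be deleted along with the data.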
 
Old 06-04-2021, 02:30 PM   #64
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,400

Original Poster
Rep: Reputation: 2336
"Whoever's on call?" ROTFL

This HSE hack was on a Friday night - the beginning of the weekend, a time when anyone with money is drinking and chasing partners of their particular choice of sex. Any loser who did get a graveyard shift was probably studying for exams or binging on Netflix.
 
Old 06-07-2021, 09:43 AM   #65
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,400

Original Poster
Rep: Reputation: 2336
Right, things have gone quiet here. The incompetents doing the HSE restore/replace job have stopped with the updates, and are just plodding away. The Health System has adjusted fairly simply to the fact that they have no IT Systems up and running, just like they would adapt to any other disaster. People are writing on paper instead of tapping on keyboards.

We can let this very educational thread lapse, or add the latest ransomware hack of a big corporation. It was interesting to see someone on trial for contributing code to the Trickbot site, apparently with its own GitHub address? https://yro.slashdot.org/story/21/06...ansomware-gang

There will probably be an auction of 'tainted' hardware at some future point with all the HSE kit up there because it's no longer trusted. With linux on it, there should be bargains there. Apparently it isn't unusual for IT managers to call for this. Frankly, I don't see how the hardware makes the remotest bit of difference.
 
Old 06-07-2021, 07:59 PM   #66
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,707

Rep: Reputation: 2720
I have been, in my profession, on the receiving end of two such attacks that were partly successful, and one attempted. In no instance did any criminal make a dime. My backups were good and I was able to scrub the storage and find the last version of every file/folder prior to the encryption and restore everything.

We lost about an hour of work the first time because the user became suspicious FAST and pulled the plug on his workstation. The AV protection never even twigged. He was MY choice for employee of the week!

The second instance was more sneaky, the user did not notice for a significant time, and again TWO AV packages (we thought we had learned something the first time. HAH!) totally ignored the threat. This one progressed over the network to one server, and at that point MY alerts blew up. I had it locked down within seconds, but it had done enough damage that it took hours to get everything functional, and some historical data took three full days to restore.

There were some significant differences between the two kinds of ransomware, but some interesting parallels in the activity. I built triggers for that behavior and the next attempt was simply stopped and that workstation isolated faster than a human could have reacted. The workstation was cleaned, reloaded, and back online the next morning. No one except that single user and the manager had to know.

I was quite happy with that success, but quite critical of the AV packages the VP of IT had chosen as the corporate standard. I also made noise about a client workstation standard that would have prevented these attacks earlier, and would prevent attacks like this in the future, and pointed out what that would cost and how it would save many times the cost of that three-day restore. So, the next year there was an IT department RIF and I was gone.

Aside from explaining my celebration of the anniversary of that day, the point is that a good Network and System Administrator can learn from his own and others' previous experience and prevent such loss. Even if they cannot prevent it, if their job has been well done they can recover quickly and without a change of hardware. There must be MANY balls not just dropped, but dropped into a hole with a frag grenade and disintegrated violently, for a professional network to be so compromised that they have to pay the criminals.

Only non-professional networks or networks run by politicians would ever be THAT bad.
 
Old 06-08-2021, 03:45 AM   #67
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,400

Original Poster
Rep: Reputation: 2336
Yes, the HSE can apparently be that bad. You reckon 'only politicians or non-professionals'? I would suggest you think about civil servants. Groucho Marx said that
Quote:
Originally Posted by Groucho Marx
Military Intelligence is a contradiction in terms
Civil Servants are similar. There were series in the UK called "Yes Minister" & "Yes Prime Minister." Many of the funnier clips are on YouTube, and they nicely make fun of civil service vs politician tensions. Efficiency is nowhere.

This bit got me thinking
Quote:
Originally Posted by wpeckham
The second instance was more sneaky, the user did not notice for a significant time, and again TWO AV packages (we thought we had learned something the first time. HAH!) totally ignored the threat. This one progressed over the network to one server, and at that point MY alerts blew up. I had it locked down within seconds, but it had done enough damage that it took hours to get everything functional, and some historical data took three full days to restore.
What were your alerts?
 
Old 06-08-2021, 06:37 AM   #68
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,707

Rep: Reputation: 2720
Quote:
Originally Posted by business_kid View Post
What were your alerts?
I was monitoring certain files that should never change (and a few others that should change only when our custom packages were updated) using something not unlike tripwire. I was also using a few other things, but it was the TRIP that gave me the first alert. I was also monitoring files with a certain extension because the encryption seemed to always start with files with those names. I had configured the trip to alert me via email and SMS.

BTW: both attacks came in through Windows workstations via Outlook. The first only progressed over drive mounts FROM that workstation and was stopped before any other transfer mechanism was engaged. The second attempted to progress over drive mounts and email (our Linux based email server AV filtered it out, but I would not count on that working again).

In both cases it impacted development space only, as the production space was isolated from incoming email and allowed no drive mounts. That helps, but I would never count on that degree of isolation alone.
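The alerting described above (hash-check files that must never change, watch a set of document extensions the encryptor touches first, page the operator when something moves) is essentially a file-integrity monitor. The block below is an added example of that logic in Python and is not the poster's tripwire setup or any real product's code; the directory layout, the protected path `etc/app.conf`, the watched and "ransomware-style" extension lists and the simulated encryptor are all constructed for the demonstration. It baselines a tree, then runs a second sweep and grades what changed, escalating when many watched documents are rewritten in one pass or a file with an extension that should never exist on the share appears.

```python
from __future__ import annotations
import hashlib
import os
import tempfile
from pathlib import Path

# Added example, not the poster's tooling. Both extension sets are assumptions
# for the demonstration; in practice they come from what hit your own share.
WATCHED_EXTENSIONS = {".docx", ".xlsx", ".pdf"}          # first to be encrypted
SUSPICIOUS_EXTENSIONS = {".locked", ".crypt", ".encrypted"}  # should never appear


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large documents do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(root: Path, baseline: dict[str, str],
            never_change: set[str]) -> dict[str, list[str]]:
    """Re-scan root and classify differences from the stored baseline.

    never_change: relative paths (binaries, configs) that must not change at all.
    Returns findings grouped by severity; the caller decides how to page on them.
    """
    current = build_baseline(root)
    findings: dict[str, list[str]] = {"critical": [], "warning": [], "info": []}
    for rel, digest in current.items():
        ext = Path(rel).suffix.lower()
        old = baseline.get(rel)
        if old is None:
            if ext in SUSPICIOUS_EXTENSIONS:
                findings["critical"].append(f"new file with ransomware-style extension: {rel}")
            else:
                findings["info"].append(f"new file: {rel}")
        elif old != digest:
            if rel in never_change:
                findings["critical"].append(f"protected file modified: {rel}")
            elif ext in WATCHED_EXTENSIONS:
                findings["warning"].append(f"watched document modified: {rel}")
            else:
                findings["info"].append(f"modified: {rel}")
    for rel in baseline:
        if rel not in current:
            sev = "critical" if rel in never_change else "warning"
            findings[sev].append(f"missing: {rel}")
    return findings


def encryption_in_progress(findings: dict[str, list[str]], threshold: int = 3) -> bool:
    """Heuristic: a burst of rewritten watched documents between two sweeps, or any
    ransomware-style file name, is treated as encryption under way."""
    rewritten = sum(1 for f in findings["warning"] if f.startswith("watched document modified"))
    return rewritten >= threshold or any("ransomware-style" in f for f in findings["critical"])


def fim_demo() -> dict:
    """Constructed scenario: baseline a small share, then simulate an encryptor."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        for i in range(4):
            (root / f"report{i}.docx").write_bytes(b"quarterly report " + str(i).encode())
        baseline = build_baseline(root)
        protected = {os.path.join("etc", "app.conf")}

        # Simulated attacker: documents overwritten with ciphertext-like bytes,
        # a ransom note dropped, and a config edited to open a listener.
        for i in range(4):
            (root / f"report{i}.docx").write_bytes(os.urandom(32))
        (root / "README.locked").write_text("pay up\n")
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")

        findings = compare(root, baseline, protected)
        return {"findings": findings, "alert": encryption_in_progress(findings)}


if __name__ == "__main__":
    result = fim_demo()
    for severity, items in result["findings"].items():
        for item in items:
            print(f"[{severity}] {item}")
    print("page the on-call:", result["alert"])
```

Two things the poster's setup gets right that this toy cannot show on its own: the baseline must live somewhere the workstation cannot write (otherwise the encryptor simply rewrites it), and the alert channel (email and SMS in the post) must not depend on the host being scanned.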
 
Old 06-08-2021, 08:07 AM   #69
igadoter
Senior Member
 
Registered: Sep 2006
Location: wroclaw, poland
Distribution: many, primary Slackware
Posts: 2,717
Blog Entries: 1

Rep: Reputation: 625
It is easy to resolve these security issues - but no one wants to do that - behind it are the incomes of big companies. Improved security means lower income - that is a simple equation. Besides, 5 million dollars for a company or government is not much compared to the losses due to introducing strict security - intranet network, dedicated hardware, etc. Those who decide don't want this: behind them usually stands a huge tech-company lobby.
 
Old 06-14-2021, 10:09 AM   #70
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,400

Original Poster
Rep: Reputation: 2336
As we went presuming Darkside originally when in fact it was Wizard, this news about the ransom paid by the owners of the Colonial Pipeline will gladden some hearts:
https://news.slashdot.org/story/21/0...able-than-cash

It appears bitcoin is not only traceable, but recoverable.

I can't help but develop a newfound respect for the FBI's IT department, and their open-minded superiors who obviously can give them the rope to run with this sort of project. There's what looks like an impenetrable wall in front of them, and they are given the time and budget to do it. Here is some other stuff. https://www.youtube.com/watch?v=XtLF-8Tj9vM

Last edited by business_kid; 06-14-2021 at 10:23 AM.
 
Old 06-28-2021, 07:54 AM   #71
Trihexagonal
Member
 
Registered: Jul 2017
Posts: 362
Blog Entries: 1

Rep: Reputation: 334
Quote:
7. Use MAC (Media Access Control) authentication whenever possible.
Quote:
Originally Posted by Ser Olmy View Post
No, "MAC" in this context does not refer to Media Access Control-addresses, it's an acronym for "mandatory access control", a form of access control that unfortunately isn't supported on the Windows platform.

No person in the information security field would ever make a mistake like that. I hope no-one reads that article and starts creating firewall rules tying access to MAC addresses (which incidentally is a different concept called "RBAC", rule-based access control).
My Netgear router uses a table with the Media Access Control addresses of machines that are allowed Internet Access.

If I spoof my Ether MAC on my FreeBSD box while I'm online and that MAC address isn't already in the table of allowed MAC Addresses I lose Internet connection as soon as I refresh the page:

Spoof Your Ethernet MAC Address Using FreeBSD

I don't allow myself remote access so I haven't looked into making a table of allowed MAC addresses, especially as I wrote a tutorial on how to spoof them.
 