Wow! Way to pull out the 3-year-old report featuring Capitol Hill theater!
Of course, I would be more comfortable if they would explicitly state that TSA, a part of DHS, was precluded from having any (cyber) authorities.
Start with ICS-CERT (Industrial Control Systems - Cyber Emergency Response Team). Note: While they use the "us-cert.gov" domain, they are NOT a part of US-CERT.
Specifically, take a look at their "Recommended Practices" section: http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html
Actually, reading the report tells me that the problems were almost certainly Windows desktop systems lacking a cohesive patch management solution.
Also, if you read further the IG even states that as of the time this report was published all the problems were already remediated, including acquisition and deployment of a "software management" solution.
Further, the IG claims that NCSD is not following FISMA. NCSD is not a legally recognized entity (agency) under statute, so that means *DHS* is the responsible party for FISMA reporting.
FINALLY, US-CERT != the troubled network. US-CERT uses that network, but has no control over the operations of that network. Both the IG and Wired go out of their way to NOT make the distinction on that.
Do you snore or have other signs of sleep apnea? I am a heavy sleeper, but when my apnea was left untreated my sleep behavior was exactly like you described above.
Search for "2210", "1550", or similar "interdisciplinary" cyber jobs within DHS NPPD:
JobID=86515922 JobTitle=INTERDISCIPLINARY+(CYBER)
JobID=86667657 JobTitle=INTERDISCIPLINARY+(CYBER)
JobID=86642799 JobTitle=INTERDISCIPLINARY+(CYBER)
1) The code function does NOTHING with any data returned by the server.
2) This version of pushdo is using SSLv3 to phone home (HTTP over SSL) to its C2 (Command & Control).
3) When looking purely at netflow records or using tcpdump/wireshark, you will see 30+ SSL connections taking place at once. Only 1-2 of those connections are to the C2.
3.5) Many admins don't set up matching PTR records in DNS, so you won't easily be able to map back the IPs to the "common"/well-known hostnames.
4)
5) profit!
The idea is to make it HARD, not impossible, to identify the C2 systems. Note well that the C2s might never connect back to the botnet client systems. Instead another tier of slightly more disposable hosts is likely to perform that function.
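The hunting step the comment above is getting at (a burst of 30+ TLS connections from one host, most of them decoys, one or two to the C2, and PTR records too spotty to help on their own), shown as an added example that is not part of the original comment or of any Pushdo analysis. Everything in it is constructed: the flow record fields, all IP addresses, the reverse-DNS table, and the window and threshold values. The point it makes beyond the comment is that a missing PTR only weakly separates the C2 from the decoys, while "no other host on the network has ever contacted this destination" does separate it.

```python
"""Added example (not from the original comment): picking the likely C2 out of a
burst of TLS connections using only flow records.

Assumed/constructed: the Flow fields, every IP address, the PTR table, the
window and threshold values. Real netflow would come from a collector.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # start time, seconds
    src: str        # client address
    dst: str        # server address
    dport: int      # server port
    bytes_out: int
    bytes_in: int


# Constructed reverse-DNS table: most decoy destinations have a PTR name,
# a handful do not (as the comment notes, that is common), the C2 has none.
PTR = {f"203.0.113.{i}": f"cdn{i}.example.net" for i in range(1, 25)}
C2 = "198.51.100.7"  # hypothetical C2 address


def build_sample():
    """Constructed flows: five clean workstations browsing the same well-known
    destinations over the day, plus one infected host that opens all of them
    and the C2 within two seconds."""
    common = [f"203.0.113.{i}" for i in range(1, 31)]
    flows = []
    for h in range(10, 15):
        for j, d in enumerate(common):
            flows.append(Flow(3600 + h * 50 + j, f"10.0.0.{h}", d, 443, 900, 40_000))
    for j, d in enumerate(common + [C2]):
        flows.append(Flow(100.0 + j * 0.05, "10.0.0.5", d, 443, 600, 1_200))
    return flows


def find_bursts(flows, window=2.0, min_dsts=30, port=443):
    """Return {src: set(dst)} for each client that contacted at least
    min_dsts distinct servers on `port` inside any `window`-second span."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == port:
            by_src[f.src].append(f)
    bursts = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        best, j = set(), 0
        for i, f in enumerate(fl):
            while fl[j].ts < f.ts - window:   # slide the window's left edge
                j += 1
            dsts = {g.dst for g in fl[j:i + 1]}
            if len(dsts) >= min_dsts and len(dsts) > len(best):
                best = dsts
        if best:
            bursts[src] = best
    return bursts


def rank_candidates(src, burst_dsts, flows, ptr=PTR):
    """Score each destination in a burst. A missing PTR is weak evidence on its
    own; a destination no other host on the network ever contacts is the
    stronger signal. Returns [(score, dst, reasons)] best first."""
    others = defaultdict(set)
    for f in flows:
        if f.src != src:
            others[f.dst].add(f.src)
    scored = []
    for d in burst_dsts:
        score, reasons = 0, []
        if d not in ptr:
            score, reasons = score + 1, reasons + ["no PTR record"]
        if not others.get(d):
            score, reasons = score + 2, reasons + ["no other host contacts it"]
        scored.append((score, d, reasons))
    scored.sort(key=lambda t: (-t[0], t[1]))
    return scored


if __name__ == "__main__":
    flows = build_sample()
    for src, dsts in find_bursts(flows).items():
        print(f"{src}: {len(dsts)} distinct TLS destinations in one window")
        for score, dst, reasons in rank_candidates(src, dsts, flows)[:5]:
            print(f"  {score}  {dst:16} {', '.join(reasons) or 'looks like a decoy'}")
```

On the constructed sample the six decoys without PTR names all score 1, the C2 alone scores 3. On real data the "others" set would be built from the whole fleet's flow history, and a destination first seen from exactly one host at the moment of a burst is the thing to pull a full capture on.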