And I love that quote, because it suggests the existence of another - very slow, but very high throughput network, human to human, embedded device to embedded device. You could even go without centralized infrastructure there.
Just the organisms formed by the devices (a line of home routers is a "street", a group of devices meeting every morning is a "bus" etc.) and the routing address is basically an "interaction" with data-organism map route-finding. No ISP involved anywhere. But your info still gets to the airport, hops on a cellphone and gets to the goal.
> And I love that quote, because it suggests the existence of another - very slow, but very high throughput network, human to human, embedded device to embedded device
This is the network that operation Olympic Games used to get Stuxnet into the Natanz facility. Contractor laptops are a major part of that network.
For the old SunRay thin clients one could disable the USB ports by policy (and enable for certain users, iirc). That was an important feature there, as one intended application was as public kiosk systems, e.g. in a library.
The same is possible in Windows 10 and 11, but the users will revolt, if a sysadmin were to enforce such (the same users who insist on using Windows instead of a more secure system).
But isn’t part of security realizing that there is no 100% solution? It’s all about probability. Air gapping cuts down on the number of interactions with the network at large. Lots of packet drops that will never reach it, easy to make sure the number of ports available to interact with it? I worked at places with 25 year old DOS running in a VM running multi-million dollar machines and they had never been infected with anything, probably because they are air gapped and who can “touch” them is quite limited to trained personnel only.
> But isn’t part of security realizing that there is no 100% solution? ... Air gapping cuts down on the number of interactions with the network at large.
My point is that, practically speaking, most companies don't have the discipline to actually keep an air gap up, long-term. You inevitably need to get data in and out of the air-gapped systems.
The "air gapped" networks I've seen end up not actually being air gaps. Real air gaps are inconvenient, so eventually somebody installs a dual-homed host or plugs the entire segment into a "dedicated interface" on a firewall. Even without that, contractors plug-in random laptops and new machines, initially connected to the Internet to load drivers / software, get plugged-in to replace old machines. The "air gap" ends up being a ship of Theseus.
I had a Customer who had DOS machines connected to old FANUC controllers. They loaded G-code off floppy diskettes. Eventually those broke and they started loading G-code over RS-232. The PCs didn't have Ethernet cards-- their serial ports were connected to Lantronix device servers. It wasn't ever really an air gap. It was a series of different degrees of "connectivity" to the outside world.
Reminds me of the time I was looking after a SECURE system: One of the tasks was the daily update of the antivirus. So I would grab the blessed stick, insert it into the Internet-PC, and using FTP would download the latest antivirus update. Then I'd walk over to the SECURE system, insert the stick, and run the exe from the stick. There, system SECURED for today!
You forgot that you need to use read-only media to transfer data from Internet-connected system to air gapped system, such as CD-ROM, or destroy writeable media after use in an air-gapped system.
If the purpose of the attack is to bring something into the network, to e.g. destroy something (Stuxnet), or blink an LED that faces a window, then RO media will be pretty useless, and will probably cause a false sense of security.
The professionals who defined this update protocol have access to classified information I'm sure that allows them to assess risks us readers of public blog posts are not privy to! So we shouldn't judge on the morsels of public information what must have been an elaborate evaluation of best practices only accessible to the echelon of administrators in the government branch where I was doing my duty.
Seriously though, I learned a lot there. If I wanted friends to have access to such a system, this is the plausibly deniable access route I'd set up for them.
That makes complete sense if your threat model is preventing data from leaving a secure network, assuming the USB drive stayed in the secure network or was destroyed after entering it.
I didn't expand on that but actually that system was part of a global network; entirely separate from the Internet. There was MS Outlook installed on the terminal nodes. One can see how somebody could become nervous about not having AV on the nodes and come up with a "protection" scheme like the one I described.
The weak-point is the shared USB device that copies from one machine to another which seems to defeat the whole purpose of being air-gapped - you could have printed-and-OCR'd data three decades ago so the air-gapped machine is never reading anything from outside at all, these days a video stream and AI could probably automate that?
> But what if I need to send data two-ways?
Some systems cannot operate one-way, so they require a two-way solution. For these use cases, Owl has a unique bidirectional data diode solution – ReCon – that operates on two parallel one-way paths. Get all the security advantages of data diodes with the flexibility of a two-way solution.
…but…what? Why are we doing the blinking-light song and dance at all then?
If you're already using a data transfer mechanism that the human can't verify every character going over the line, why use infrared? What does that give over a USB cable or, gasp, an internet connection?
I can definitely imagine use cases where a network is air gapped internally for security but bidirectional transfer still takes place. The point is that humans are supposed to be in control of exactly what is transferred, in both directions (not feasible with a network connection, to my knowledge).
Yes, humans are in control, but in the case of Windows the humans that control the default behavior of the system when an USB device is connected are not the ones that are using it. Frankly, I wonder why implement an air gap if Windows is being used. Even in the case of Linux a hardened configuration should be used.
I created such a system (though to transfer Bitcoin Transactions/Signatures from an airgapped system). The problem is that if you have a lot of bi-directional traffic, you'd want to automate the process of scanning/storing the information. Suddenly, you just have a slow USB device.
What you want is to minimize your data to less than 1Kb so that it can be manually transmitted.
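One way to do the manual transfer the two comments above describe, as an added example (not code from either commenter or from any project in the thread): a payload under 1 KB is rendered as spaced base32 groups with a CRC-32 trailer, the operator on the air-gapped side types it in, and the decoder says whether the transcription matches. The group size, the 1 KB cut-off and the 0/1 repair rule are this example's own assumptions.

```python
import base64
import re
import zlib

GROUP = 5       # characters per typed group; an assumption, pick what operators like
LIMIT = 1024    # the "less than 1Kb" rule from the post, taken as bytes
# RFC 4648 base32 never uses the digits 0 and 1, so a typed 0 or 1 is almost
# certainly a mis-read O or I; repairing them before decoding costs nothing.
_CONFUSABLES = str.maketrans({"0": "O", "1": "I"})


def encode_for_transcription(payload: bytes, limit: int = LIMIT) -> str:
    """Render a small payload as spaced base32 groups with a CRC-32 trailer.

    Anything over `limit` is refused: the whole point is that a human can
    read every character that crosses the gap.
    """
    if len(payload) > limit:
        raise ValueError(f"payload is {len(payload)} bytes, limit is {limit}")
    crc = zlib.crc32(payload).to_bytes(4, "big")
    text = base64.b32encode(payload + crc).decode("ascii").rstrip("=")
    return " ".join(text[i:i + GROUP] for i in range(0, len(text), GROUP))


def decode_transcription(typed: str) -> bytes:
    """Reverse encode_for_transcription on what the operator actually typed.

    Whitespace and case are ignored and 0/1 are repaired; a CRC mismatch
    raises so the operator re-checks the sheet instead of trusting bad data.
    """
    cleaned = re.sub(r"\s+", "", typed).upper().translate(_CONFUSABLES)
    padded = cleaned + "=" * (-len(cleaned) % 8)   # restore the stripped '='
    raw = base64.b32decode(padded)
    if len(raw) < 4:
        raise ValueError("too short to carry a CRC trailer")
    body, crc = raw[:-4], raw[-4:]
    if zlib.crc32(body).to_bytes(4, "big") != crc:
        raise ValueError("CRC mismatch: re-check the transcription")
    return body


if __name__ == "__main__":
    # Constructed sample payload standing in for e.g. a signed transaction.
    sample = b"txid=0123abcd;sig=deadbeefcafef00d"
    sheet = encode_for_transcription(sample)
    print(sheet)
    # A sloppy transcription (lower case, O typed as 0) still decodes.
    assert decode_transcription(sheet.replace("O", "0").lower()) == sample
```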
Wouldn't it be easier to just have every port blocked except for a very simple application which has no privileges and just writes ASCII to some file? Such an application would be very easy to audit
You're on the right track in the sense that a key characteristic for a successful air gap is diligent human review of all the information that flows in and out.
Surely some government has come up with physically-unidirectional data transmission mechanisms for getting data onto airgapped networks. There has to be something more sophisticated than single-use CD-ROMs, even if it's just a blinking LED on one end and a photosensor on the other end.
> There has to be something more sophisticated than single-use CD-ROMs
But why, when DVD-Rs handle most use cases at a cost of < $0.25 each, are reliable and ubiquitous, the hardware is likely already there (unless you are using Apple - caveat emptor) and they close the threat vector posed by read/write USB devices?
Sometimes the simplest solution is the best solution.
I have heard (on HN) of... 100 MBit ethernet with the transmit wires cut. Probably in the context of in-flight infotainment: plane data to infotainment yes, infotainment anything to plane control anything no. If it's stupid but it works...
Yeah they exist. Data diodes or data guards. They operate at currently available line speeds and there are 100s of thousands in operation. Data diodes are favored by OT companies. For government, data guards, as they tend to have more robust inspection.
> The weak-point is the shared USB device that copies from one machine to another which seems to defeat the whole purpose of being air-gapped...
Yup. I was going to post that TFA and the people at these embassies apparently have a very different definition of what people consider an air-gapped system.
Pushing the nonsense a bit further you could imagine they'd recreate Ethernet, but air-gapped, using some hardware only allowing one packet in at a time, but both ways:
"Look ma, at this point in time it's not talking to that other machine, so it's air-gapped. Now it got one packet, but it's only a packet in, so it's air-gapped! Now it's sending only a packet out, so it's air-gapped!".
> TFA and the people at these embassies apparently have a very different definition of what people consider an air-gapped system.
And Wikipedia? Which says:
> To move data between the outside world and the air-gapped system, it is necessary to write data to a physical medium such as a thumbdrive, and physically move it between computers.
Lol. Even if it's with the QR code, it will not be safe. If you can read a bit, you can read a file. Security is a moat, and the hacker is a catapult. Any sufficiently complex system, any metric of security will be incomplete or ignoring that Turing complete and uncomputable. Security is about intelligence in all layers of the stack, from the electron to the application and even the front door. A USB exploit attacks a driver or the OS. A QR code attacks the application. There are other ways to exploit besides breaking and entering. Sometimes it's about influence. In the age of AI, the entire internet and all knowledge could be shifted to reframe a single organization to make an exploit possible. Pandora's box is wide open. It's pouring out. Even a machine on the internet can be secure, but an air gap is only the transport layer. It's a false sense of security. You need to be worried about the full stack because that's the only way to be safe, to never be safe, the eternal guard and gaze. The vigilance. Security in layers. Security in depth.
Super old… my first experience with a “virus” was an Amiga boot sector attack from 1986!
At the time the Morris worm had inspired some folks to see if they could spread binaries by infecting every disk inserted. That’s all it did… spread. I think the virus lives off an interrupt generated by disk insertions.
Fortunately it was harmless (except for a few extra crashes) and I had my original OS disks that could be booted from to clean up the disks.
Just in case anyone isn't aware of this history - the "Morris worm" being referred to here is named after Robert Morris who wrote it. He's also one of the co-founders of YC, which built HN.
Why would you go through all the hassle of setting up an air-gapped system, only to stop at enforcing strict code signing for any executable delivered via USB?
Just the fact that one can insert a USB drive into the air-gapped system amazes me. I remember my days as a contractor at NATO and nothing could be plugged into those machines!
I guess the problem is that most air-gapped guides and practices out there mostly focus on sucking the "air" out of computers: internet, networking, bluetooth, etc from the get-go ("remove the network card before starting!"). But even air-gapped systems need some sort of input/output, so a keyboard, mouse/trackpad, displays and monitors will be connected to it - all pretty much vectors for an attack; a base sw will be installed (making possible supply-chain attacks); largely USB drives and even local networking may be present.
As a general rule, I'd say anything that executes code in a processor can be breached to execute malicious code somehow. Signing executables helps, but it's just another hoop to jump over. In fact I thought the threat in OP was about a USB firmware issue, but alas, it was just an executable disguised with a folder icon some user probably clicked on.
To make things worse, critical hardware (trains, power plants...) vendors' fondness for Windows is notorious. Just try to find *nix-compatible infrastructure hardware controllers at, say, a supplier like ABB who (among many other things) makes hydroelectric power-plant turbines and controllers: https://library.abb.com/r?dkg=dkg_software - spoiler, everything is Windows-centric, there's plenty of non-signed .EXEs for download at their website. This is true in many other critical industries. So common it's scary these things could be compromised and the flood gates, literally, opened wide.
Air gaps are easily enforced and require absolutely zero technical knowledge.
You just need a PC and then have a CD delivered through a trusted source – embassies should already have a way of ensuring physical integrity of their mail.
The technical knowledge needed for code signing, especially now with trusted hardware modules, is orders of magnitude more complicated than that.
Not just knowledge: code signing is going to be a lot of whack-a-mole work dealing with every tool you use. I’d expect that to cost more than you expect and get political blowback from whoever needs tools which get broken.
Employees (unknowingly(?)) using infected USB drives caused security problems.
Well imagine that.
As several others pointed out, the USB ports on the secure server should all be fully disabled.
In addition I would suggest leaving one rewired, seemingly available USB port that will cause a giant alarm to blare if someone inserted anything into it.
Further, all information being somehow fed into the secure machines should be based on simple text-based files with no binary components, to be read by a bastion host with a drive and driver that will only read those specific files that it is able to parse successfully and write it out to the destination target, which I would suggest be an optical WORM device that can then be used to feed the air-gapped system.
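The bastion-host gate this comment describes, and the earlier "an application with no privileges that just writes ASCII to some file" suggestion, as an added example (not code from either commenter): the drop is judged by its content rather than its name, normalised, and only then written out toward the gapped side. The size cap, the UTF-8 requirement and the choice of Unicode categories to refuse are this example's own assumptions.

```python
import unicodedata
from dataclasses import dataclass
from pathlib import Path

MAX_BYTES = 64 * 1024      # assumption: a text drop should be small
ALLOWED_CONTROL = {"\t"}   # newline is handled by splitting; CR is normalised away


@dataclass
class Verdict:
    accepted: bool
    reason: str
    text: str = ""         # normalised text, only filled in when accepted


def inspect_text_drop(data: bytes) -> Verdict:
    """Decide whether `data` is plain text that may go toward the gapped side.

    The content is judged, never the filename: an executable renamed to
    notes.txt still carries NUL and other control bytes and is rejected.
    """
    if len(data) > MAX_BYTES:
        return Verdict(False, f"too large ({len(data)} bytes > {MAX_BYTES})")
    if b"\x00" in data:
        return Verdict(False, "contains NUL bytes (binary content)")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return Verdict(False, f"not valid UTF-8 at offset {exc.start}")
    # Drop a BOM and unify line endings so the far-side copy is canonical.
    text = text.lstrip("\ufeff").replace("\r\n", "\n").replace("\r", "\n")
    for lineno, line in enumerate(text.split("\n"), 1):
        for ch in line:
            if ch in ALLOWED_CONTROL:
                continue
            # Cc = control, Cf = format (zero-width and bidi override marks),
            # Co = private use, Cn = unassigned: none belong in a text drop.
            cat = unicodedata.category(ch)
            if cat.startswith("C"):
                return Verdict(False, f"line {lineno}: disallowed U+{ord(ch):04X} ({cat})")
    return Verdict(True, "plain text", text)


def gate_file(src: Path, dst_dir: Path) -> Verdict:
    """Write a fresh, normalised copy of `src` into `dst_dir` if it passes.

    The destination is produced from the decoded text, never by copying the
    drop's bytes, so nothing the inspection did not see reaches the target.
    """
    verdict = inspect_text_drop(src.read_bytes())
    if verdict.accepted:
        out = dst_dir / (src.stem + ".txt")   # the extension is ours, not the drop's
        out.write_text(verdict.text, encoding="utf-8", newline="\n")
    return verdict
```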
> As was the case in the Kaspersky report, we can’t attribute GoldenJackal’s activities to any specific nation-state. There is, however, one clue that might point towards the origin of the attacks: in the GoldenHowl malware, the C&C protocol is referred to as transport_http, which is an expression typically used by Turla (see our ComRat v4 report) and MoustachedBouncer. This may indicate that the developers of GoldenHowl are Russian speakers.
This is quite a stretch. So we have nothing so far.
As soon as the article started describing malware being installed upon insertion of a USB thumb drive, I had to Ctrl-F for "Windows", and indeed, of course that's the OS these machines are running.
I'd be really curious to hear of stories like this where the attacked OS is something a little less predictable/common.
As a Linux user, I'll defend Microsoft here and say that I'd rather suspect it's a sign of Windows' prevalence than Windows' (un)safety. Around the Snowden leaks I had a different opinion but nowadays I feel like those calling the shots at Microsoft realised it's no longer an optional component or that security is merely a marketing story.
Speaking of Snowden, and since we're at the State actor level, both Windows and Intel CPUs (and maybe also Ryzen CPUs) have to be assumed to be backdoored by the NSA.
Whether that is a threat worth dealing with for the concerned embassies is another question of course.
"At best, an air gap is a high-latency connection" -Ed Skoudis - DerbyCon 3.0
https://en.wikipedia.org/wiki/Delay-tolerant_networking
Norton, trust no other!
Unfortunately I wasn't prepared to broach the subject in a way that didn't have me say "you'd be safer without the AV". So I got nowhere.
Here is a random vendor with nice pictures: https://owlcyberdefense.com/learn-about-data-diodes/
I don't know if people class something connected using a data diode as airgapped or not.
Yeah. But no.
Source: https://en.m.wikipedia.org/wiki/Air_gap_(networking)#Use_in_...
Moving a USB key between two Windows machines sounds as bad of an idea as it can get for air-gapped data exchange.
https://en.wikipedia.org/wiki/2008_malware_infection_of_the_...
What is your priority?
(1) Ensuring Actual Security
(2) Following the Official Security Theater Script
In most government orgs, idealists who care about #1 don't last very long.
I dunno, if a company has for more than two decades (2002: https://www.cnet.com/tech/tech-industry/gates-security-is-to...) said that security is the top priority, and they keep re-iterating that every now and then (2024: https://blogs.microsoft.com/blog/2024/05/03/prioritizing-sec...), yet they still don't actually seem to act like it, I'm pretty sure they still see it as an optional component/marketing story.