
The Adventures of AV and the Leaky Sandbox [pdf] - GordonS
https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox.pdf
======
pmorici
This is really talking about environments with very restrictive firewalls.

------
chris_wot
Hmmm... Kaspersky's response is quite concerning!

------
ech
that is not what an air gap is. if at any time there is an exchange of data
between the air gapped hosts/network and a non air gapped one, there is no air
gap anymore. and yes, that includes an analyst taking a sample to an internet-
connected host.

side channel exfiltration techniques like "fansmitter"[1] and
"diskfiltration"[2] or the well known TEMPEST attacks are more interesting
challenges in air gapped designs than relying on a very basic security
boundary violation. (and solved in very much the same way, by having the
secure terminals be as dumb as bricks as possible, with extremely limited
known inputs and outputs, preventing the insertion of unclassified electronics
in the secure zone through policy, and enforcing it through physical searches,
RF hardening the zone with a faraday cage, absence of windows, etc... the
"Technical Specifications for Construction and Management of Sensitive
Compartmented Information Facilities"[3] is a great resource for those
interested in such designs)

incidentally, there are awfully few true air gapped networks (which are not
ICSes and/or assorted single purpose hosts/networks whose absence of network
connectivity is not a primary design feature) in the wild. they're
operationally heavy precisely because of their nature, and outside of very
specific situations, their security is not perceived as cost efficient by
management, for good reasons.

[1] https://arxiv.org/abs/1606.05915
[2] https://arxiv.org/abs/1608.03431
[3] https://fas.org/irp/dni/icd/ics-705-ts.pdf

~~~
vinceguidry
The paper never once uses the term "air gap." It's only in the headline as
submitted to HN.

~~~
dang
Ok, we'll revert the title to the original. (Submitted title was "Air-gapped
data exfiltration via cloud AV sandboxes".)

Submitters: please read the HN guidelines, which ask you to use the original
title, unless it is misleading or linkbait.

~~~
GordonS
My bad, it was titled like that on Twitter, but I should have checked the
title in the PDF.

------
wepple
Misleading title, there's no real discussion of how you get to the cloud over
an air gap.

~~~
Crontab
Agreed. A mod should retitle this submission.

------
lelandgaunt
To call this "Air-gapped" would be a misnomer.

------
nickpsecurity
Title Suggestion:

Leaking Data through Firewalls using Cloud AV.

Or original:

The Adventures of AV and the Leaky Sandbox

Mine is more descriptive.

------
hamandcheese
What does AV mean in this context? It isn't defined in the slides.

~~~
phonon
Anti-virus