Archive

Category Archives for "Security"

Secure coding practices in Java: challenges and vulnerabilities

Secure coding practices in Java: challenges and vulnerabilities Meng et al., ICSE’18

TL;DR : don’t trust everything you read on Stack Overflow.

Meng et al. conduct a study of Stack Overflow posts relating to secure coding practices in Java to find out the hot topics, what people struggle with, and whether or not the accepted answers are actually following security best practices.

We conducted an empirical study on Stack Overflow posts, aiming to understand developer’s concerns on Java secure coding, their programming obstacles, and insecure coding practices. We observed a wide adoption of the authentication and authorization features provided by Spring Security — a third-party framework designed to secure enterprise applications…

Well, how could I resist reading that! (Some readers may know that I was for many years the CTO of SpringSource). Spring Security does come in for some flak in this paper for the high volume of questions that are asked relating to it. There’s no calibration though for underlying popularity. One of the reasons there are a lot of questions, I posit, is that there are an awful lot of users of Spring Security. Spring Boot applications will use Spring Security, and Spring Boot has been growing Continue reading

NIC.BR and the Internet Society Work Together to Increase Routing Security in Brazil

This week on Tuesday, 26 June, the Internet Society and NIC.BR signed a Memorandum of Understanding (MoU) to work together to increase routing security in Brazil, including the MANRS initiative. Mutually Agreed Norms for Routing Security is a global initiative that provides crucial fixes to reduce the most common routing threats.

We are excited to strengthen our efforts to work together with NIC.br, and in fact this MoU only formalizes an existing long-term relationship between the two organizations. Our goal is to help increase the number of Brazilian Internet Service Providers and Internet Exchange Points joining efforts for a more secure and resilient Internet.

Not a single day goes by without dozens of incidents affecting the Internet’s routing system. Route hijacking, route leaks, IP address spoofing, and other harmful activities can lead to Denial of Service (DoS) attacks, traffic inspection and surveillance, lost revenue, reputational damage, and more. As one of the biggest countries with high access rates, Brazil is also facing these incidents on a daily basis.

NIC.BR is responsible for the coordination and integration of all Internet service initiatives in Brazil, including long-standing activities related to Internet security. They are also responsible for many projects that Continue reading

At IETF 102: The Global Commission on the Stability of Cyberspace – Cyber diplomacy meets InfoSec and Technology

On Tuesday, 17 July, during IETF 102 in Montreal, the Global Commission on the Stability of Cyberspace (GCSC) will host a lunch panel on “Cyber Diplomacy Meets InfoSec and Technology.” During this session, the Commission wants to inform and engage with the IETF community on its work so far and the work that is in the pipeline.

The Global Commission on the Stability of Cyberspace is developing norms and policy initiatives that intend to counter the risk to the overall security and stability of cyberspace due to rise of offensive cyber-activities, and especially those by states.

Session Abstract

In this global environment we see conflict between states takes new forms, and cyber-activities are playing a leading role. There is an increasing risk of undermining the peaceful use of cyberspace and a growing for need norms and policies to enhance international security and stability.

The Global Commission on the Stability of Cyberspace, with commissioners from diverse backgrounds, sets out to develop proposals for norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace.

During this lunch panel we want to engage with the IETF community to discuss the norms the commission Continue reading

If We Care About the Internet, We Have to Be Willing to Do Our Part

Whether it’s playing dungeons and dragons over voice chat with my college friends hundreds of miles away, reading the latest movie reviews for summer blockbusters I’ll watch once they come out on video, or simply paying electrical bills, the Internet has become an important part of my life.

Yet, while I have come to rely on the Internet, I don’t always do what is best for it.

I don’t always patch my connected devices or applications, leaving them vulnerable to compromise and use in a botnet. I don’t look for security when buying an app or a device, let alone look at the privacy policies.

While I know I am hurting the overall security of the Internet, I find myself thinking, “I’m just one person, how much damage could I do?”

Unfortunately, according to one recent survey, there are a lot of people who act just like me. 

The results from the 2018 CIGI-Ipsos Global Survey on Internet Security and Trust* suggest that many users fail to make security a priority as they shop for Internet of Things (IoT) devices. (IoT refers to “scenarios where network connectivity and computing capability extends to objects, sensors and everyday items not normally considered computers, allowing these devices to generate, exchange and consume data with minimal human Continue reading

SMB version detection in masscan

My Internet-scale port scanner, masscan, supports "banner checking", grabbing basic information from a service after it connects to a port. It's less comprehensive than nmap's version and scripting checks, but it's better than just recording which ports are open.

I recently extended this banner checking to include SMB. It's a complicated protocol so requires a lot more work than just grabbing text banners like you see on FTP. Implementing this, I've found that nmap and smbclient often fail to get version information. They seem focused on getting the information from a standard location in SMBv1 packets, which gives a text string indicating version. There's another place you get get it, from the NTLMSSP pluggable authentication chunks, which gives version numbers in the form of major version, minor version. and build number. Sometimes the SMBv1 information is missing, either because newer Windows version disable SMBv1 by default (supporting only SMBv2) or because they've disabled null/anonymous sessions. They still give NTLMSSP version info, though.


For example, running masscan in my local bar, I get the following result:

Banner on port 445/tcp on 10.1.10.200: [smb] SMBv1  time=2018-06-24 22:18:13 TZ=+240  domain=SHIPBARBO version=6.1.7601 ntlm-ver=15 domain=SHIPBARBO name=SHIPBARBO domain-dns=SHIPBARBO Continue reading

Routing Security & IPv6 at NANOG 73 in Denver

We’ll be at NANOG 73 in Denver, CO, USA this week talking about routing security, MANRS, and IPv6.

The North American Network Operators Group (NANOG) is the professional association for Internet engineering, architecture and operations. Its core focus is on continuous improvement of the data transmission technologies, practices, and facilities that make the Internet function. NANOG meetings are among the largest in the region, bringing together top technologists on a wide range of topics.

Routing Security

On Tuesday, 26 June, at 1:30PM, Andrei Robachevsky will give a talk called, “Routing Is At Risk. Let’s Secure It Together.”

From the session abstract:

“Stolen cryptocurrency, hijacked traffic blocking access to whole countries, derailing vital Web resources for thousands of people. Routing used to fly under the radar. As long as incidents weren’t too bad, no one asked too many questions, and routing security never made it to the top of the to-do list. But these days, routing incidents are regularly making the news, executives are getting nervous, and engineers are under pressure to make sure their network isn’t next. The problem is, you cannot secure your own network entirely by yourself. But you can help secure the global routing system Continue reading

Watch Live On Monday, 25 June – DNSSEC Workshop at ICANN 62 in Panama

With the DNSSEC Root Key Rollover coming up on October 11, how prepared are we as an industry? What kind of data can we collect in preparation? What is the cost benefit (or not) of implementing DANE? What can we learn from an existing rollover of a cryptographic algorithm?

All those questions and more will be discussed at the DNSSEC Workshop at the ICANN 62 meeting in Panama City, Panama, on Monday, June 25, 2018. The session will begin at 9:00 and conclude at 12:15 EST (UTC-5). [Note: this is one hour different than current US Eastern Daylight Time – Panama does not change to daylight savings time – and so this will begin at 10:00 EDT (UTC-4).]

The agenda includes:

  • DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts
  • Panel: DNSSEC Activities and Post Key Signing Key Rollover Preparation
  • DANE: Status, Cost Benefits, Impact from KSK Rollover
  • An Algorithm Rollover  (case study from CZ.NIC)
  • Panel: KSK Rollover Data Collection and Analysis
  • DNSSEC – How Can I Help?
  • The Great DNSSEC/DNS Quiz

It should be an outstanding session!  For those onsite, the workshop will be in Salon 4, the ccNSO room.

Announcing NDSS 2019 & the Call for Papers

It may seem far away, but it’s time to begin planning for the 26th Network and Distributed System Security Symposium. NDSS 2019 will once again be held in sunny San Diego at the lovely Catamaran Spa and Resort from 24-27 February 2019.

This annual security symposium is a premiere venue for fostering information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

NDSS 2019 will have a new General Chair, Dr. Trent Jaeger of Pennsylvania State University. In addition, the Program Committee for NDSS 2019 is being chaired by Dr. Alina Opera of Northeastern University and Dr. Dongyan Xu of Purdue University. Additional positions will be announced in the coming weeks.

Most importantly for all you researchers out there, the NDSS 2019 Call for Papers has been released. As in years past, the focus of the symposium will be the many aspects of security and privacy including the security of emerging Continue reading

Automated localization for unreproducible builds

Automated localization for unreproducible builds Ren et al., ICSE’18

Reproducible builds are an important component of integrity in the software supply chain. Attacks against package repositories and build environments may compromise binaries and produce packages with backdoors (see this report for a recent prominent example of compromised packages on DockerHub). If the same source files always lead to the same binary packages, then an infected binary can be much more easily detected. Unfortunately, reproducible builds have not traditionally been the norm. Non-determinism creeping into build processes means that rebuilding an application from the exact same source, even within a secure build environment, can often lead to a different binary.

Due to the significant benefits, many open-source software repositories have initiated their validation processes. These repositories include GNU/Linux distributions such as Debian and Guix, as well as software systems like Bitcoin.

If you have a non-reproducible build, finding out why can be non-trivial. It takes time and a lot of effort to hunt down and eradicate the causes. For example, Debian unstable for AMD64 still had 2,342 packages with non-reproducible builds as of August 2017. (The number today as I’m writing this is 2,826). You can see a stubbornly persistent Continue reading

IoT Security is the Heart of the Matter

The Internet Society is raising awareness around the issues and challenges with Internet of Things (IoT) devices, and the OTA IoT Trust Framework is promoting best practices in protection of user security and privacy. The importance of this was brought home with the keynote talk at the recent TNC18 Conference, which was given by Marie Moe (SINTEF) who related her experiences with her network-connected heart pacemaker.

Marie is a security researcher (who also formerly worked for NorCERT, the Norwegian National Cybersecurity Centre) who has an implanted pacemaker to monitor and control her heart, and has used the opportunity to investigate the firmware and security issues that have had detrimental and potentially fatal consequences. Quite aside from uncovering misconfigurations that required tweaking (e.g. the maximum heartbeat setting turned out to be set too low for a younger person), and an adverse event that required a firmware upgrade, she was even more concerned to discover that little consideration had gone into the authentication and access aspects that might allow an attacker to take control of the device.

These devices allow their recipients to lead normal lives, and of course being network-connectable has many practical advantages in terms of monitoring and Continue reading

1 86 87 88 89 90 177