Cloudflare is adding Drupal WAF Rule to Mitigate Critical Drupal Exploit
Drupal has recently announced an update to fix a critical remote code execution exploit (SA-CORE-2018-002/CVE-2018-7600). In response we have just pushed out a rule to block requests matching these exploit conditions for our Web Application Firewall (WAF). You can find this rule in the Cloudflare ruleset in your dashboard under the Drupal category with the rule ID of D0003.
Drupal Advisory: https://www.drupal.org/sa-core-2018-002
Cloudflare is adding Drupal WAF Rule to Mitigate Critical Drupal Exploit
Drupal has recently announced an update to fix a critical remote code execution exploit (SA-CORE-2018-002/CVE-2018-7600). This patch is to disallow forms and form fields from starting with the “#” character which results in remote code execution.
We have also in accordance, just pushed out a rule to block requests matching these exploit conditions for our Web Application Firewall (WAF). You can find this rule in the Cloudflare ruleset in your dashboard under the Drupal category with the rule ID of D0003.
Drupal Advisory: https://www.drupal.org/sa-core-2018-002
VMware Buys Second Security Startup, E8 Security
The virtualization giant will add E8 Security’s user and entity behavior analytics technology to its digital workspace platform.
McAfee Drops New SOCs, Netskope Takes CASB Beyond Cloud Apps
McAfee opened new security operations centers in Plano, Texas, and Cork, Ireland. Also today Netskope expanded its cloud security platform to include web access.
Kubernetes 1.10 Release Hits Storage, Security, and Networking
The latest release continues the string of recent updates that while important are becoming more "boring" by design as the platform gains further maturity.
A Solution to Compression Oracles on the Web
This is a guest post by Blake Loring, a PhD student at Royal Holloway, University of London. Blake worked at Cloudflare as an intern in the summer of 2017.
Compression is often considered an essential tool when reducing the bandwidth usage of internet services. The impact that the use of such compression schemes can have on security, however, has often been overlooked. The recently detailed CRIME, BREACH, TIME and HEIST attacks on TLS have shown that if an attacker can make requests on behalf of a user then secret information can be extracted from encrypted messages using only the length of the response. Deciding whether an element of a web-page should be secret often depends on the content of the page, however there are some common elements of web-pages which should always remain secret such as Cross-Site Request Forgery (CSRF) tokens. Such tokens are used to ensure that malicious webpages cannot forge requests from a user by enforcing that any request must contain a secret token included in a previous response.
I worked at Cloudflare last summer to investigate possible solutions to this problem. The result is a project called cf-nocompress. The Continue reading
London & Barcelona developers, we want to meet you this week
Are you based in London or Barcelona? Drop by the Cloudflare London office to meet Kenton Varda, lead architect of Cloudflare Workers, front end developers Marta Bondyra and David Sancho from Typeform, or drop by the Typeform office in Barcelona to hear from Jason Harmon, Typeform’s Chief Platform Officer. My Developer Relations teammates and I are visiting these cities over the next two weeks. We’d love to meet you and invite you to the three events we’re hosting.
Our first stop is the Cloudflare London office. Developers from our Cloudflare Apps partner, Typeform, are leading a talk on Tuesday, March 27th. The lead architect of Cloudflare Workers, Kenton Varda, is going to lead a follow-up talk about edge computing on Wednesday, March 28th.
Event #1: Building for a tech audience: Great dev lessons for adventurous makers
Tuesday, March 27th: 18:00-20:00
Location: Cloudflare London - 25 Lavington St, Second floor | SE1 0NZ London
Creating software from scratch, although fun, can be time consuming and expensive. Marta and David, both developers at Typeform, will tell you why their teams built tools to make the lives of developers a little easier and what they learned along the way.
How NSX Is Tapping into the Human Element Behind Network Virtualization
Virtualization can be a tricky concept for some people to wrap their heads around. Trying to explain the functionalities and benefits of technology like VMware NSX can quickly devolve into techno-babble. With that said, we’re trying to take another approach—a more human approach. Below are three customer stories that emphasize a human-interest element behind network virtualization and showcase the power of technologies like NSX to better human lives.
NSX Powers a ‘Classroom in the Cloud’ for Illinois Students
When the technology leaders of Bloomington’s public schools started looking for a way to make advanced, enterprise-level computing and Internet services affordable to students, they went the co-op route and turned to IlliniCloud. IlliniCloud has proven to be a game-changer for a public education system in crisis. The co-op is transforming the technology infrastructures of not just Bloomington’s public school district, but every school district in Illinois with an affordable and efficient model that results in major cost savings for schools, along with upgrades in technology and aging infrastructures.
VMware is the backbone of IlliniCloud and a natural fit, according to Jason Radford, CTO of IlliniCloud: “VMware believed in the IlliniCloud. They gave us the tools that were Continue reading
Should Bug Bounty Programs Pay Hackers Millions to Find Bugs?
Netflix it the latest company taking its bug bounty payouts public with Bugcrowd. But there’s more to fixing security vulnerabilities than simply doling out cash.
Introducing Certificate Transparency and Nimbus
Certificate Transparency (CT) is an ambitious project to help improve security online by bringing accountability to the system that protects HTTPS. Cloudflare is announcing support for this project by introducing two new public-good services:
- Nimbus: A free and open certificate transparency log
- Merkle Town: A dashboard for exploring the certificate transparency ecosystem
In this blog post we’ll explain what Certificate Transparency is and how it will become a critical tool for ensuring user safety online. It’s important for website operators and certificate authorities to learn about CT as soon as possible, because participating in CT becomes mandatory in Chrome for all certificates issued after April 2018. We’ll also explain how Nimbus works and how CT uses a structure called a Merkle tree to scale to the point of supporting all trusted certificates on the Internet. For more about Merkle Town, read the [follow up post] by my colleague Patrick Donahue.
Trust and Accountability
Everything we do online requires a baseline level of trust. When you use a browser to visit your bank’s website or your favorite social media site, you expect that the server on the other side of the connection is operated by the organization indicated in Continue reading
Symantec Security Report: Cryptojacking Attacks Increased 8,500% in 2017
Cryptojacking exploded last year, according to Symantec’s latest annual security threat landscape report. It found detections of cryptocurrency coin miners grew by a whopping 8,500 percent in 2017.
Google Cloud Security Blitz Attacks Email Phishing, Improves Visibility
Google unleashed more than 20 cloud security updates including better visibility across cloud services and potential threats and beefed up security against email phishing attacks.
Microsoft and OCP Friends Push Open Hardware Security Standard
Microsoft is working with Intel, Facebook, and Google to implement Project Cerberus security architecture. It plans to contribute the open hardware security specs to OCP.
IETF 101, Day 4: The Brass Tacks about DNS and Routing
This week is IETF 101 in London, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. And Thursday is probably the busiest day for us, covering the whole range of our interests.
ROLL has its first of two sessions starting at 09.30 GMT/UTC; continuing on Friday morning. There are several drafts being discussed dealing with the issues of routing over resource constrained networks where limited updates are possible.
NOTE: If you are unable to attend IETF 101 in person, there are multiple ways to participate remotely.
There’s a choice between a couple of working groups after lunch, starting at 13.30 GMT/UTC.
DOH was chartered to create a single RFC, so clearly the draft DNS queries over HTTPS is going to be the primary focus of discussion. However, there will also be updates on the practical implementation work, and a discussion about possible future work if there is a decision to re-charter the group.
6LO runs in parallel and has a fairly busy agenda with Registration Extensions for 6LoWPAN Neighbor Discovery, and Address Protected Neighbor Discovery for Low-power and Lossy Networks having received feedback from the IESG. Continue reading
Security for Public Clouds (AWS) with vRealize Network Insight
Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises, or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture, and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available, helps organizations make the ideal hosting decisions to meet their business needs.
vRealize Network Insight (vRNI) Supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules, and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you’ll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.
Let’s review a simple Amazon Web Services (AWS) VPC setup to articulate the value vRealize Network Insight can offer from a Day 1 Day 2 perspective.
- We have an on-premise instance of vRealize Network Insight managing AWS.
- Continue reading
CA Veracode Validates Application Security, DevOps Processes
Eighty-four percent of software buyers include security requirements in new vendor contracts.
Side Channel Attacks in the Wild: The Smart Home
Side channel attacks are not something most network engineers are familiar with; I provided a brief introduction to the concept over at The Network Collective in this Short Take. If you aren’t familiar with the concept, it might be worth watching that video (a little over 4 minutes) before reading this post.
Side channel attacks are more common, and more dangerous, than many engineers understand. In this post, I’ll take a look at a 2017 research paper that builds and exploits a side channel attack against several smart home devices to see how such a side channel attack plays out. They begin their test with a series of devices, including a children’s sleep monitor, a pair of security cameras, a pair of smart power plugs, and a voice based home assistant.
The attack itself takes place in two steps. The first is to correlate individual traffic flows with a particular device (where a traffic flow is a 5 tuple. The researchers did this in three different ways. First, they observed the MAC address of each device talking on the network, comparing the first three octets of this address to a list of known manufacturers. Most home device manufacturers use a Continue reading
The 3 Commandments of Cloud Security
Addressing key guidelines to keep your AWS cloud secure.
IETF 101, Day 2: A bit of Rosie Lee (Mobility)
This week is IETF 101 in London, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. After a hectic Monday there’s less dashing around needed today, although there’s a few things to highlight, even if you’ll have to choose between them as they’re unfortunately all scheduled at the same time.
NOTE: If you are unable to attend IETF 101 in person, there are multiple ways to participate remotely.
DNSOP starts its first of two sessions at 15.50 GMT/UTC (it continues on Thursday. Several of the drafts under discussion relate to the Root KSK Rollover and how to better automate and monitor key rollovers.
At the same time, DOTS is also meeting and has a bit of a mixed agenda with four drafts up for discussion, implementation reports, and feedback on the Hackathon.
There are two drafts covering the Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel and Data Channel specifications, one that establishes an architecture for establishing and maintaining signalling within and between domains, with the last one presenting use cases describing the interactions expected between DOTS components and messaging exchanges.
Alternatively, DMM has a very busy agenda with no Continue reading