Archive

Category Archives for "Security"

A Secure Supply Chain for Kubernetes

The beta release of the Docker Enterprise Edition (Docker EE) container platform last month integrates Kubernetes orchestration, running alongside Swarm, to provide a single container platform that supports both legacy and new applications running on-premises or in the cloud. For organizations that are exploring Kubernetes or deploying it in production, Docker EE offers integrated security for the entire lifecycle of a containerized application, providing an additional layer of security before the workload is deployed by Kubernetes and continuing to secure the application while it is running.

Mike Coleman previously discussed access controls for Kubernetes. This week we’ll begin discussing how Docker EE secures the Kubernetes supply chain.

What is a Software Supply Chain?

When you purchase something from a retail store, there is an entire supply chain that gets the product from raw materials to the manufacturer to you. Similarly, there is a software supply chain that takes an application from code on a developer’s laptop to production.

Every company’s software supply chain may be slightly different; some outsource software development, some have adopted Continuous Integration and Continuous Delivery processes, and some deploy production applications across multiple clouds, some on-premises. Regardless of what the software supply chain consists of, Continue reading

Memcrashed – Major amplification attacks from UDP port 11211

Memcrashed - Major amplification attacks from UDP port 11211

Memcrashed - Major amplification attacks from UDP port 11211CC BY-SA 2.0 image by David Trawin

Over last couple of days we've seen a big increase in an obscure amplification attack vector - using the memcached protocol, coming from UDP port 11211.

In the past, we have talked a lot about amplification attacks happening on the internet. Our most recent two blog posts on this subject were:

The general idea behind all amplification attacks is the same. An IP-spoofing capable attacker sends forged requests to a vulnerable UDP server. The UDP server, not knowing the request is forged, politely prepares the response. The problem happens when thousands of responses are delivered to an unsuspecting target host, overwhelming its resources - most typically the network itself.

Memcrashed - Major amplification attacks from UDP port 11211

Amplification attacks are effective, because often the response packets are much larger than the request packets. A carefully prepared technique allows an attacker with limited IP spoofing capacity (such as 1Gbps) to launch very large attacks (reaching 100s Gbps) "amplifying" the attacker's bandwidth.

Memcrashed

Obscure amplification attacks happen all the time. We often see "chargen" or "call Continue reading

Using Cloudflare Workers to identify pwned passwords

Using Cloudflare Workers to identify pwned passwords

Last week Troy Hunt launched his Pwned Password v2 service which has an API handled and cached by Cloudflare using a clever anonymity scheme.

The following simple code can check if a password exists in Troy's database without sending the password to Troy. The details of how it works are found in the blog post above.

use strict;
use warnings;

use LWP::Simple qw/$ua get/;
$ua->agent('Cloudflare Test/0.1');
use Digest::SHA1 qw/sha1_hex/;

uc(sha1_hex($ARGV[0]))=~/^(.{5})(.+)/;
print get("https://api.pwnedpasswords.com/range/$1")=~/$2/?'Pwned':'Ok', "\n";

It's just as easy to implement the same check in other languages, such as JavaScript, which made me realize that I could incorporate the check into a Cloudflare Worker. With a little help from people who know JavaScript far better than me, I wrote the following Worker:

addEventListener('fetch', event => {
  event.respondWith(fetchAndCheckPassword(event.request))
})

async function fetchAndCheckPassword(req) {
  if (req.method == "POST") {
    try {
      const post = await req.formData()
      const pwd = post.get('password')
      const enc = new TextEncoder("utf-8").encode(pwd)

      let hash = await crypto.subtle.digest("SHA-1", enc)
      let hashStr = hex(hash).toUpperCase()
  
      const prefix = hashStr.substring(0, 5)
      const suffix = hashStr.substring(5)

      const pwndpwds = await fetch('https://api.pwnedpasswords.com/range/' + prefix)
      const t =  Continue reading

Improving Routing Security: Introducing Six New MANRS Tutorials

Routing outages or attacks – such as hijacking, leaks, and spoofing – can lead to stolen data, lost revenue, reputational damage and more, all on a global scale. Routing security is therefore vital to the future and stability of the Internet, and the Mutually Agreed Norms for Routing Security (MANRS) initiative implements crucial fixes. Today, we are pleased to announce a series of six new MANRS tutorials that will help network operators improve both the Internet’s routing security and their own network’s operational efficiency.

These tutorials are intended for network administrators, network engineers, and others with a working knowledge of routing and security who are looking for steps to improve their network’s routing security and to join the growing list of MANRS participants.

About the Tutorials

Module 1: Introduction to MANRS

What is MANRS, and why should you join? MANRS is a global initiative to implement crucial fixes needed to eliminate the most common routing threats. In this module you will learn about vulnerabilities of the Internet routing system and how four simple steps, called MANRS Actions, can help dramatically improve Internet security and reliability.

Module 2: IRRs, RPKI, and PeeringDB

This module helps you understand the databases and repositories Continue reading

What’s Your #TechConfession?

 

 

Think back to the first moment you fell in love with technology. Was it love at first deployment? What about developing code to trick your school’s bell system into letting your class out early? If you love all things technology, or you’re a technologist, then you should definitely put #TechConfessions, the podcast and YouTube playlist, on your radar.

#TechConfessions is a weekly podcast and web series that uncovers the deep, dark tech secrets of some of high tech’s finest minds. The series looks to expose the inner thoughts and forgotten stories of tech professionals. Hear from top tech pros as they divulge the early beginnings of their tech careers and proclaim their favorite software-defined moments. Get insights into what makes these tech leaders tick, and discover their long-burning passion for all things tech.

Director of Influence Marketing at VMware, Amy Lewis, one of the hosts of #TechConfessions, gives a voice to the professionals witnessing industry changes. Going from a hardware to a software state of mind happens differently for everyone. As the host of #TechConfessions, Amy digs deep to get the real backstory behind each individual’s transition into the world of software.

 

So far, season one Continue reading

Creating a single pane of glass for your multi-cloud Kubernetes workloads with Cloudflare

Creating a single pane of glass for your multi-cloud Kubernetes workloads with Cloudflare

(This is a crosspost of a blog post originally published on Google Cloud blog)

One of the great things about container technology is that it delivers the same experience and functionality across different platforms. This frees you as a developer from having to rewrite or update your application to deploy it on a new cloud provider—or lets you run it across multiple cloud providers. With a containerized application running on multiple clouds, you can avoid lock-in, run your application on the cloud for which it’s best suited, and lower your overall costs.

If you’re using Kubernetes, you probably manage traffic to clusters and services across multiple nodes using internal load-balancing services, which is the most common and practical approach. But if you’re running an application on multiple clouds, it can be hard to distribute traffic intelligently among them. In this blog post, we show you how to use Cloudflare Load Balancer in conjunction with Kubernetes so you can start to achieve the benefits of a multi-cloud configuration.

To continue reading follow the Google Cloud blog here or if you are ready to get started we created a guide on how to deploy an application using Kubernetes on GCP and AWS Continue reading

The Cost of Cybercrime

Most people paying attention would expect that the cost of cybercrime has gone up in recent years. But a new report has put a number on it: Worldwide cybercrime costs an estimated $600 billion USD a year.

That’s up from $500 billion USD in 2014, the last time security vendor McAfee and think tank the Center for Strategic and International Studies released a similar study. The new estimate amounts to 0.8 percent of global GDP, up from 0.7 percent in 2014.

“Cybercrime is relentless, undiminished, and unlikely to stop,” writes report author James Lewis, senior vice president at CSIS. “It is just too easy and too rewarding, and the chances of being caught and punished are perceived as being too low.”

Lewis points to poorly-protected IoT devices as a particular problem. Insecure IoT devices “provide new, easy approaches to steal personal information or gain access to valuable data or networks,” he writes. They also power botnets that can create massive denial-of-service attacks.

Among the other reasons for the growth in the cost of cybercrime:

  • Cybercriminals are embracing new attack technologies.
  • Many new Internet users come from countries with weak cybersecurity.
  • Online crime is becoming easier through cybercrime-as-a-service Continue reading

Future Thinking: Niel Harper on Cyber Threats

In 2017, the Internet Society unveiled the 2017 Global Internet Report: Paths to Our Digital Future. The interactive report identifies the drivers affecting tomorrow’s Internet and their impact on Media & Society, Digital Divides, and Personal Rights & Freedoms. In February 2018, we interviewed two stakeholders – Cyrating, a cybersecurity ratings agency, and Niel Harper, Senior Manager, Next Generation Leaders at the Internet Society – to hear their different perspectives on the forces shaping the Internet.

Niel Harper is a Young Global Leader at the World Economic Forum. He has more than 20 years of experience in the areas of telecoms management, cybersecurity, IT governance and strategy, ICT policy research and advisory services, and program management. (You can read Cyrating’s interview here).

The Internet Society: Experts predict an increase of frequency and impact of cyberattacks. What form are they likely to take in the future?

Niel Harper: In the foreseeable future, attackers are likely to fall under three categories: organized criminals seeking to profit from malicious online activities, online protesters (also known as hacktivists), and governments who target their own citizens or target other governments, whether for cyberespionage or cyberwarfare.

Criminals will continue to become more organized, selling Continue reading

Future Thinking: Cyrating on Cyber Threats

In 2017, the Internet Society unveiled the 2017 Global Internet Report: Paths to Our Digital Future. The interactive report identifies the drivers affecting tomorrow’s Internet and their impact on Media & Society, Digital Divides, and Personal Rights & Freedoms. In February 2018, we interviewed two stakeholders – Cyrating, a cybersecurity ratings agency, and Niel Harper, Senior Manager, Next Generation Leaders at the Internet Society – to hear their different perspectives on the forces shaping the Internet’s future.

Cyrating is the first cybersecurity ratings agency anchored in Europe, and helps forward-thinking organizations maximize their cybersecurity performance and investments. It identifies potential for improvement, benchmarks it against industry best practices, and provides standardized cybersecurity metrics. We spoke to François Gratiolet, one of Cyrating’s founders, about the future of a secure and trusted Internet.

(You can read Niel Harper’s interview here).

The Internet Society: Experts predict an increase of frequency and impact of cyberattacks. What form are they likely to take in the next three to five years?

François Gratiolet: We believe cyberattacks will intensify in the next three to five years; targeting both Internet users and the Internet’s underlying infrastructure. User attacks will move from phishing to social media, with Continue reading

Validating Leaked Passwords with k-Anonymity

Validating Leaked Passwords with k-Anonymity

Validating Leaked Passwords with k-Anonymity

Today, v2 of Pwned Passwords was released as part of the Have I Been Pwned service offered by Troy Hunt. Containing over half a billion real world leaked passwords, this database provides a vital tool for correcting the course of how the industry combats modern threats against password security.

I have written about how we need to rethink password security and Pwned Passwords v2 in the following post: How Developers Got Password Security So Wrong. Instead, in this post I want to discuss one of the technical contributions Cloudflare has made towards protecting user information when using this tool.

Cloudflare continues to support Pwned Passwords by providing CDN and security functionality such that the data can easily be made available for download in raw form to organisations to protect their customers. Further; as part of the second iteration of this project, I have also worked with Troy on designing and implementing API endpoints that support anonymised range queries to function as an additional layer of security for those consuming the API, that is visible to the client.

This contribution allows for Pwned Passwords clients to use range queries to search for breached passwords, without having to disclose a complete unsalted Continue reading

How Developers got Password Security so Wrong

How Developers got Password Security so Wrong

How Developers got Password Security so Wrong

Both in our real lives, and online, there are times where we need to authenticate ourselves - where we need to confirm we are who we say we are. This can be done using three things:

  • Something you know
  • Something you have
  • Something you are

Passwords are an example of something you know; they were introduced in 1961 for computer authentication for a time-share computer in MIT. Shortly afterwards, a PhD researcher breached this system (by being able to simply download a list of unencrypted passwords) and used the time allocated to others on the computer.

As time has gone on; developers have continued to store passwords insecurely, and users have continued to set them weakly. Despite this, no viable alternative has been created for password security. To date, no system has been created that retains all the benefits that passwords offer as researchers have rarely considered real world constraints[1]. For example; when using fingerprints for authentication, engineers often forget that there is a sizable percentage of the population that do not have usable fingerprints or hardware upgrade costs.

Cracking Passwords

In the 1970s, people started thinking about how to better store passwords and cryptographic hashing started to Continue reading

1 104 105 106 107 108 182