Category Archives for "Security"

New BlueBorne Vulnerability to Bluetooth Devices – What happened and what to do about it

Billions of Bluetooth-enabled devices may be exposed to a new remote attack called “BlueBorne”, even without user interaction or pairing. Affected systems include Windows, iOS (older than iOS 10), the Linux kernel, and Android. What should you do about it?

Bluetooth is ubiquitous, commonly connecting accessories like headsets and keyboards, but is also used throughout the brave new Internet of Things (IoT) world. An attacker exploiting these BlueBorne vulnerabilities can mount a man-in-the-middle attack, or even take control of a device without the user even noticing it.

The vulnerabilities were discovered by a security company called Armis earlier this year. Researchers reached out to the companies responsible for the vulnerable implementations, which led to the coordinated disclosure (and patches) on September 12. (You can read more about our views on responsible disclosure and collaborative security in Olaf Kolkman’s blog post here.)

This case once again highlights how crucial it is that software update mechanisms are available to fix vulnerabilities, update configuration settings, and add new functionality to devices. There are challenges, both technological and economic, in having update capabilities ubiquitously deployed, as discussed in the recently published Report from the Internet of Things Software Update (IoTSU) Workshop 2016.

Vulnerabilities Continue reading

Making the World Better by Breaking Things

Ben Sadeghipour, Technical Account Manager, HackerOne, and Katie Moussouris, Founder & CEO, Luta Security

Moderator: John Graham-Cumming, CTO, Cloudflare

Photo by Cloudflare Staff

JGC: We’re going to talk about hacking

Katie Moussouris helps people learn how to work around security vulnerabilities.

Ben Sadeghipour is a technical account manager at HackerOne, and a hacker at night.

JGC: Ben, you say you’re a hacker by night. Tell us about this.

BS: It depends who you ask: if they encourage it; or, we do it for a good reason. “Ethical hacker” - we do it for a good reason. Hacking can be illegal if you’re hacking without permission; but that’s not what we do.

JGC: You stay up all night?

BS: I lock myself in the basement.

JGC: Tell us about your company.

KM: I was invited to brief the Pentagon when I worked at Microsoft; the Pentagon was interested in the implementation of this idea in a large corporation like Microsoft.
“Hacking the Pentagon”: the adoption of bug bounties has been slow. We were interested in working with a very large company like Microsoft. There was interest in implementing ideas from the private sector at the Pentagon. I helped the internal team at Continue reading

The View from Washington: The State of Cybersecurity

Avril Haines, Former Deputy National Security Advisor, Obama Administration

Moderator: Doug Kramer, General Counsel, Cloudflare

Photo by Cloudflare Staff

Avril began her career on the National Security Council, and went on to become the first female deputy at the CIA.

DK: How will cyber play a role in military operations?

AH: We look at it from the perspective of “asymmetric threats”; state actors (those who have high-value assets that they can hold at risk with no threat to them). The US is more technologically advanced and relies on cyber more and more; we are as a consequence more vulnerable to cyber threats. Asymmetric threats thus hold at risk those things that are most important to us.

In the cyber realm we can’t quite define what constitutes a use of force, and saying so can be used against us. So this is an area that is crucial to continue working in; in many respects the US has the most to lose from using a framework that doesn’t work.

“The private sector is utterly critical in creating a framework that is going to work.”

We want to have widely-accepted norms and rules so that we can ask other countries Continue reading

Will Ransomware Die?

Ransomware has been one of the more prevalent security topics for the past few years. Some probably think this form of digital destruction is here for the long haul. While this may be an accurate prediction, I can imagine a turn of events that would end this form of attack. To be clear, my theory is not that enterprise networks will plug every possible entry point. My prediction is that the ransomware business model COULD cease to be viable.

Let me expand on my position. For a business model to work, it has to have a monetization strategy. For ransomware, that strategy includes the victim sending money (typically bitcoin) to the attacker—trusting that they will be given the keys to decrypt their files. In this model, the victim has to trust their attacker [to do the right thing]. In and of itself, that seems to be an oxymoron and a plea in desperation.

So if these types of attacks fail to produce recovery options and gain widespread coverage, this trust is further eroded. To some degree this has already happened with Nyetya.

TALOS – New Ransomware Variant “Nyetya” Compromises Systems Worldwide


Without analyzing the key generation or key storage components, Talos believes Continue reading

Secure Multi-Tenancy at Scale with Docker Enterprise Edition

With the latest release of Docker Enterprise Edition (EE), enterprise organizations are able to extend the benefits of containers across their entire application portfolio. Docker EE enables rapid modernization of traditional Windows and Linux applications as well as Linux applications running on IBM Z mainframes. By addressing all of these applications, Docker EE provides the opportunity to standardize around a common packaging format for greater portability, agility, and with an additional layer of security, resulting in more teams bringing their workloads into Docker EE.

The key to operating this diverse environment is to have a way to secure and isolate the applications and the multiple teams who build, ship, and deploy them. This release of Docker Enterprise Edition makes it possible for organizations to modernize traditional applications of every variety and to do so in a secure manner that aligns to complex organizational needs.

Building a Secure Software Supply Chain for Windows Applications


Windows applications make up about half of all enterprise applications. Docker has been working closely with Microsoft to ensure that the same security benefits that are available to Linux containers are also available to Windows Server containers. When Windows containers are managed with Docker EE, organizations Continue reading

Ensuring Good with VMware AppDefense

co-author Geoff Wilmington

Traditional data center endpoint security products focus on detecting and responding to known bad behavior. There are hundreds of millions of disparate malware attacks, with over a million getting added every day. In addition, there is the threat of zero-day attacks exploiting previously unknown vulnerabilities. It becomes a never-ending race to “chase bad” without ever staying ahead of the threat landscape. What if we took an opposite approach to security? What if, instead of “chasing bad” we started by “ensuring good”?

VMware AppDefense is a new security product focused on helping customers build a compute least privilege security model for data center endpoints and provide automated threat detection, response, and remediation to security events. AppDefense is focused on “ensuring good” versus “chasing bad” on data center endpoints. When we focus our attention on what a workload is supposed to be doing, our lens for seeing malicious activity is much more focused and as a result, we narrow the exploitable attack surface of the workload down to what we know about.


Changing The Way We Secure Compute

AppDefense applies the concept of “ensuring good” by using three main techniques:

Capture

AppDefense starts by capturing Continue reading

DNS over TLS: experience from the Go6lab

After the experiment with DPRIVE at IETF99, we thought we’d try to implement it in the Go6lab and see how this actually works in day-to-day reality.

The first step was to take a look at https://dnsprivacy.org/wiki/ as we had a feeling this might be the best source for information around this topic. There’s a ton of info about DNS over TLS, but what we were really looking for was simple instructions on how to setup a recursive DNS server to serve DNS responses over TLS (port 853), as well as how to setup a local client on our device that could talk to the server and accept local DNS queries over TLS, thereby protecting our DNS communications over the Internet.

We decided that running a TLS proxy was not the way to do it, so we used a CentOS 7 VPS with Unbound installed. After some time and with extensive help from Willem Toorop from NLnet Labs (thanks Willem!!!) we managed to navigate the setup process for server and client.

Firstly, we installed the default Unbound from the CentOS7 default yum repositories, which turned out not to be a very good idea, as this version is 1.4.20 Continue reading

State of MAC address randomization

tldr: I went to DragonCon, a conference of 85,000 people, to sniff WiFi packets and test how many phones now use MAC address randomization. Almost all iPhones nowadays do, but it seems only a third of Android phones do.

Ten years ago at BlackHat, we presented the "data seepage" problem, how the broadcasts from your devices allow you to be tracked. Among the things we highlighted was how WiFi probes looking to connect to access-points expose the unique hardware address burned into the phone, the MAC address. This hardware address is unique to your phone, shared by no other device in the world. Evildoers, such as the NSA or GRU, could install passive listening devices in airports and train-stations around the world in order to track your movements. This could be done with $25 devices sprinkled around a few thousand places -- within the budget of not only a police state, but also the average hacker.

In 2014, with the release of iOS 8, Apple addressed this problem by randomizing the MAC address. Every time you restart your phone, it picks a new, random, hardware address for connecting to WiFi. This causes a few problems: every time you restart Continue reading

SIDH in Go for quantum-resistant TLS 1.3

The Quantum Threat

Most of today's cryptography is designed to be secure against an adversary with enormous amounts of computational power. This means estimating how much work certain computations (such as factoring a number, or finding a discrete logarithm) require, and choosing cryptographic parameters based on our best estimate of how much work would be required to break the system.

If it were possible to build a large-scale quantum computer, many of the problems whose difficulty we rely on for security would no longer be difficult to solve. While it remains unknown whether large-scale quantum computers are possible (see this article for a good overview), it's a sufficient risk that there's wide interest in developing quantum-resistant (or post-quantum) cryptography: cryptography that works on ordinary computers we have today, but which is secure against a possible quantum computer.

At Cloudflare, our biggest use of cryptography is TLS, which we use both for serving our customers' websites (all Cloudflare sites get free HTTPS), as well as for internal inter-datacenter communication on our backend.

In the TLS context, we want to create a secure connection between a client and a server. There are basically three cryptographic problems here:

  1. Authenticity: the server Continue reading

New Study: Understanding MANRS’ Potential for Enterprises and Service Providers

Mutually Agreed Norms for Routing Security, or MANRS, was founded with the ambitious goal of improving the security and reliability of the global Internet routing system, based on collaboration among participants and shared responsibility for Internet infrastructure. These are undoubtedly essential pillars supporting the Internet’s tremendous growth and success, but we must better articulate the incentives of contributing to global security and resilience to grow MANRS participation and reach our goals.

To do so, we engaged 451 Research to understand the attitudes and perceptions of Internet service providers and the broader enterprise community around MANRS and how it relates to their organizations. The results of the study are documented in the report: https://www.routingmanifesto.org/resources/research/.

The study results demonstrate considerable unrealized potential for MANRS, showing that enterprises are interested in security and their interest should be a strong incentive for more service providers to participate. Market education could be particularly effective in overcoming the operational inertia that many providers face.

The key points from the study are:

  • While MANRS itself is not well known by enterprises, its attributes are highly valued.
  • Enterprises have high expectations for MANRS efforts.
  • Enterprise perceptions of MANRS can translate into increased revenue for service Continue reading