Archive

Category Archives for "Security"

Technology Short Take #79

Welcome to Technology Short Take #79! There’s lots of interesting links for you this time around.

Networking

  • I was sure I had mentioned Skydive before, but apparently not (a grep of all my blog posts found nothing), so let me rectify that first. Skydive is (in the project’s own words) an “open source real-time network topology and protocols analyzer.” The project’s GitHub repository is here, and documentation for Skydive is here.
  • OK, now that I’ve mentioned Skydive, I can talk about this article that provides an example of functional SDN testing with Terraform and Skydive. Terraform is used to turn up OpenStack infrastructure, and Skydive (via connections into Neutron and OpenContrail, in this example) is used to validate SDN functionality.
  • Tony Sangha took PowerNSX (a set of PowerShell cmdlets for interacting with NSX) and created a tool to help document the NSX Distributed Firewall configuration. This tool exports the DFW configuration and then converts it into Excel format, and is available on GitHub. (What’s that? You haven’t heard of PowerNSX before? See here.)

Servers/Hardware

Nothing this time around. Should I keep this section, or ditch it? Feel free to give me your feedback on Twitter.

Security

Latest Packet Pushers Podcast Offers a New Perspective on Networking

What’s more likely to spawn change and innovation in networking? A highly-concentrated team working on a small project, or a multi-disciplinary team working on a massive project? Multiple small teams working on 100’s of projects around the globe, or one big massive team banking on a single idea? These questions and more are posed by Bruce Davie, the recently appointed CTO for Asia Pacific and Japan at VMware, and a long time contributor, collaborator, and friend of the Packet Pushers (Greg Ferro and Ethan Banks).

In a brand new Packet Pushers podcast, Bruce, Greg and Ethan take you along for an in-depth look at various networking approaches, and the changes in store for networking as a whole Hear how networking will continue to evolve: namely, how distributed application architectures and other factors are driving big-time industry shifts. Every topic is fair game, and these networking stalwarts aren’t afraid of challenging status quo thought processes to uncover new theories. So, prepare yourself for a lively discussion and debate that transcends the present, and heads straight into the future of networking.

Take a listen!

For those who haven’t already hurried to plug in, here’s a preview of a couple topic areas Continue reading

Into the Gray Zone: Considering Active Defense

Most engineers focus on purely technical mechanisms for defending against various kinds of cyber attacks, including “the old magic bullet,” the firewall. The game of cannons and walls is over, however, and the cannons have won; those who depend on walls are in for a shocking future. What is the proper response, then? What defenses are there The reality is that just like in physical warfare, the defenses will take some time to develop and articulate.

One very promising line of thinking is that of active defense. While the concept is often attributed to some recent action, active defense has been one form of warfare for many centuries; there are instances of what might be called active defense outlined in the Bible and in Greek histories. But it is only recently, in light of the many wars around Israel, that defense in depth has taken on its modern shape in active defense. What about active defense is so interesting from a network security perspective? It is primarily this: in active defense, the defender seeks to tire an attacker out by remaining mobile, misdirecting the attacker, and using every opportunity to learn about the attacker’s techniques, aims, and resources to reflect Continue reading

Some moon math

So "Brianna Wu" (famous for gamergate) is trending, and because I love punishment, I clicked on it to see why. Apparently she tweeted that Elon Musk's plan to go to the moon is bad, because once there he can drop rocks on the Earth with the power of 100s of nuclear bombs. People are mocking her for the stupidity of this.

But the math checks out.


First of all, she probably got the idea from Heinlein's book The Moon is a Harsh Mistress where the rebel moon colonists do just that. I doubt she did her own math, and relied upon Heinlein to do it for her. But let's do the math ourselves.

Let's say that we want to stand at the height of the moon and drop a rock. How big a rock do we need to equal the energy of an atomic bomb. To make things simple, let's assume the size of bombs we want is that of the one dropped on Hiroshima.

As we know from high school physics, the energy of a dropped object (ignoring air) is:

energy = mass * gravity * height

Solving for mass, the equation is:

mass = energy/(gravity * height)

So Continue reading

Some notes on space heaters (GPU rigs)

So I carried my GPU rig up to my bedroom to act as a space heater. I thought I'd write some notes on it.

This is a "GPU rig", containing five graphics cards. Graphics cards have highly parallel processors (GPUs) with roughly 10 times the performance of a CPU -- but only for highly parallel problems.

Two such problems are password cracking [*] and cryptocurrency mining.


Password cracking is something cybersecurity professionals regularly need to do. When doing a pentest, or assessment, we'll get lists of passwords we need to crack. Having a desktop computer with a couple of graphics cards is a useful thing to have.

There are three popular cryptocurrencies: Bitcoin, Ethereum, and ZCash. Everyone is using ASICs for Bitcoin, so you can't mine them on a GPU any more, but GPUs are still useful for Ethereum and ZCash.

The trick to building a rig with lots of GPU is to get a PCIe 1x extender, so that you can mount the card far away from the motherboard for better cooling. They cost around $10 each. You then need to buy a motherboard with lots of PCIe slots. One with lots of 1x slots will do Continue reading

Securing Electronic Healthcare Records: The New Frontier

We didn’t find any medical sutures or gauze at HIMSS last week, but there sure was a lot of talk about the future of healthcare IT security. The status of electronic health record (EHR) security as a hot topic is clear, too: patient information is increasingly being moved to electronic form in order for healthcare organizations to increase clinician efficiency and remain compliant, but as we’ve seen in other industries, electronic information is difficult to keep safe. EHR data contains our medical identities, complete with medical histories, address histories, extended family names and histories, and more, making it a prime target for bad actors attempting to steal personal information.

What is the current threat landscape for this EHR data? A recent Accenture survey found approximately 26 percent of Americans have been impacted by a healthcare data breach. To combat the rise in healthcare cyber attacks, health providers are looking to IT for infrastructure and application support that prioritizes data security while continuing to maximize clinician workflow efficiency and drive better patient outcomes.

That’s where VMware NSX comes in. NSX empowers healthcare organizations to secure the infrastructure that EHR systems and other critical care applications live on. This ensures the healthcare Continue reading

A quick note about iconoclasm

I'm an iconoclast [*]. Whenever things become holy, whereby any disagreement is treated as heresy, then I disagree. There are two reasonable sides to every argument. When you vilify one of the sides in the argument, then I step into defend them -- not that they are right, but that they are reasonable.

This makes many upset, because once a cause has become Holy, anybody disagreeing with orthodoxy (like me) is then, by definition, a horrible person. I get things like the image to the right.

(Please don't harass/contact this person -- she believes what many do, and singling her out would be mean).

For the record, I'm rabidly feminist, anti-racist, pro-LGBT, pro-civil-rights. It's just that while I care a lot, I'm not Orthodox. I likely disagree with you about the details. When you vilify those who disagree with you, I will defend them.

...which is the best troll, ever. Admitting somebody is wrong, but defending them as reasonable, seems to upset people more than just arguing the other side is right.

Border Digital Safety for Journalists

The CPJ, the "Committee to Protect Journalists", offers some horrible advice [*] on Digital Security, especially when crossing the border.

The most important piece of advice I can give you is this: if somebody's life depends upon it, then no simple piece of advice, no infographic, is going to help you. You have to learn about cybersecurity enough to make intelligent decisions for yourself. You have to make difficult tradeoffs yourself. Anybody giving you simple advice or infographics is a charlatan.

So I thought I'd discuss what's wrong with the following infographic:


I. Passwords, managers, and two-factor

The biggest issue is don't reuse passwords across different accounts. If you do, when hackers breach one of your accounts, they breach all of them. I use a simple password for all the accounts I don't care about, then complex unique passwords for all my important accounts. I have to write them down on a piece of paper I've got hidden at home, because sometimes I forget them.

Password managers certainly help you have multiple strong passwords across many accounts. On the other hand, it puts all your eggs in one basket, and the police can grab them from the company.

Continue reading

Skillz: editing a web page

So one of the skillz you ought to have in cybersec is messing with web-pages client-side using Chrome's Developer Tools. Web-servers give you a bunch of HTML and JavaScript code which, once it reaches your browser, is yours to change and play with. You can do a lot with web-sites that they don't intend by changing that code.

Let me give you an example. It's only an example -- touching briefly on steps to give you an impression what's going on. It's not a ground up explanation of everything, which you may find off-putting. Click on the images to expand them so you can see fully what's going on.


Today is the American holiday called "Presidents Day". It's actually not a federal holiday, but a holiday in all 50 states. Originally it was just Washington's birthday (February 22), but some states choose to honor other presidents as well, hence "Presidents Day".

Thus of us who donated to Donald Trump's campaign (note: I donated to all candidates campaigns back in 2015) received an email today suggesting that to honor Presidents Day, we should "sign a card" for Trump. It's a gross dis-honoring of the Presidents the day is supposed to commemorate, Continue reading

Reaction; Do we really need a new Internet?

The other day several of us were gathered in a conference room on the 17th floor of the LinkedIn building in San Francisco, looking out of the windows as we discussed some various technical matters. All around us, there were new buildings under construction, with that tall towering crane anchored to the building in several places. We wondered how that crane was built, and considered how precise the building process seemed to be to the complete mess building a network seems to be.

And then, this week, I ran across a couple of articles arguing that we need a new Internet. For instance—

What we really have today is a Prototype Internet. It has shown us what is possible when we have a cheap and ubiquitous digital infrastructure. Everyone who uses it has had joyous moments when they have spoken to family far away, found a hot new lover, discovered their perfect house, or booked a wonderful holiday somewhere exotic. For this, we should be grateful and have no regrets. Yet we have not only learned about the possibilities, but also about the problems. The Prototype Internet is not fit for purpose for the safety-critical and socially sensitive types of Continue reading

You don’t need printer security

So there's this tweet:



What it's probably refering to is this:


This is an obviously bad idea.

Well, not so "obvious", so some people have ask me to clarify the situation. After all, without "security", couldn't a printer just be added to a botnet of IoT devices?

The answer is this:
Fixing insecurity is almost always better than adding a layer of security.
Adding security is notoriously problematic, for three reasons

  1. Hackers are active attackers. When presented with a barrier in front of an insecurity, they'll often find ways around that barrier. It's a common problem with "web application firewalls", for example.
  2. The security software itself can become a source of vulnerabilities hackers can attack, which has happened frequently in anti-virus and intrusion prevention systems.
  3. Security features are usually snake-oil, sounding great on paper, with with no details, and no independent evaluation, provided to the public.

It's the last one that's most important. HP markets features, but there's no guarantee they work. In particular, similar features in Continue reading

Technology Short Take #78

Welcome to Technology Short Take #78! Here’s another collection of links and articles from around the Internet discussing various data center-focused technologies.

Networking

Servers/Hardware

Nothing this time around, sorry!

Security

1 126 127 128 129 130 178