Category Archives for "Security"

Technology Short Take #80

Welcome to Technology Short Take #80! This post is a week late (I try to publish these every other Friday), so my apologies for the delay. However, hopefully I’ve managed to gather together some articles with useful information for you. Enjoy!

Networking

  • Biruk Mekonnen has an introductory article on using Netmiko for network automation. It’s short and light on details, but it does provide an example snippet of Python code to illustrate what can be done with Netmiko.
  • Gabriele Gerbino has a nice write-up about Cisco’s efforts with APIs; his article includes a brief description of YANG data models and a comparison of working with network devices via SSH or via API.
  • Giuliano Bertello shares why it’s important to RTFM; or, how he fixed an issue with a Cross-vCenter NSX 6.2 installation caused by duplicate NSX Manager UUIDs.
  • Andrius Benokraitis provides a preview of some of the networking features coming soon in Ansible 2.3. From my perspective, Ansible has jumped out in front in the race among tools for network automation; I’m seeing more coverage and more interest in using Ansible for network automation.
  • Need to locate duplicate MAC addresses in your environment, possibly caused by cloning Continue reading

Video: Software Secures the World

Martin Casado doesn’t have a proper job since he left VMware. This gives him time to think deeply about the future of IT security as part of his role wasting investors’ money at A16Z, and to consider where the next advances or futures will be. This video makes a lot of sense to me.

Once upon a time, we thought of security measures as being built like a wall around a medieval city. Then, as threats grew in complexity, we began to think of it more like securing a city or nation-state. Finally, security grew alike to aerial warfare — mobile, quick, wide-ranging. Each of these new modes for thinking about security represented a major misalignment between the security threats that had evolved and our strategies/tactics for dealing with them.
Now we are once again at another such major misalignment — thanks largely to the cloud and new complexity — requiring both a shift in how we think about and respond to threats. But we also have security “overload” given the vast size of our systems and scale of notifications.
How do security threats develop? How should CEOs and CSOs think of planning for them? What role will AI and Continue reading

ARP, ARP Inspection, ARP Types and Deployment Considerations

Layer 2 security – ARP and ARP Inspection. Introduction. This article is the second of our layer 2 attacks identification and mitigation techniques series, which will be a part of a bigger series discussing Security Infrastructure. Dynamic ARP Inspection relies on the DHCP snooping technology explained in the previous article. It’s strongly recommended to […]

The post ARP, ARP Inspection, ARP Types and Deployment Considerations appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

Pranksters gonna prank

So Alfa Bank (the bank whose DNS traffic links it to trump-email.com) is back in the news with this press release about how, in the last month, hackers have spoofed traffic trying to make it look like there's a tie with Trump. In other words, Alfa claims these packets are trying to frame them for a tie with Trump now, and thus (by extension) it must've been a frame last October.

There is no conspiracy here: it's just merry pranksters doing pranks (as this CNN article quotes me).

Indeed, among the people pranking has been me (not the pranks mentioned by Alfa, but different pranks). I ran a scan sending packets from an IP address to almost everyone on the Internet, and set the reverse lookup to "mail1.trumpemail.com".

Sadly, my ISP doesn't allow me to put hyphens in the name, so it's not "trump-email.com" as it should be in order to prank well.

Geeks gonna geek and pranksters gonna prank. I can imagine all sorts of other fun pranks somebody might do in order to stir the pot. Since the original news reports of the AlfaBank/trump-email.com connection last year, we have to assume any further data Continue reading

F5 BIG-IP Plugin with Firefox 52 workaround

It’s not news anymore that Mozilla is stopping support for NPAPI (Netscape Plugin API). With the release of Firefox 52, I believe that only the Flash plugin is enabled by default.

I’ll skip the discussion about NPAPI plugins and Mozilla’s decision to stop the support; however, the reality is that for me it has a strong impact in certain areas. One of these areas is the F5 BIG-IP, specifically the APM and the ability to launch applications (like RDP) from the Webtop interface.

I’m relying heavily on an F5 BIG-IP VE machine to connect to my home lab when I’m remote. The Webtop functionality gives me the possibility to use only a browser to connect to my applications at home, keeping me away from any F5 client installation on the machine that I use. Usually this machine is my MacBook or PC, and the F5 client installation should not be a big thing; however, I like the clientless option.

The F5 Webtop functionality is possible due to an NPAPI plugin called “F5 Network Host Plugin” which usually installs in the browser when you access the F5 APM. So yes, you still need to install something, but this browser plugin is Continue reading

Layer 2 security – DHCP Details, DHCP Snooping

Layer 2 security – DHCP Details, DHCP Snooping. Introduction. This article is the first of a series explaining layer 2 attacks identification and mitigation techniques, which will be a part of a bigger series discussing Security Infrastructure. We will be discussing the most common attacks and how to mitigate them; but more important, […]

The post Layer 2 security – DHCP Details, DHCP Snooping appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

Assert() in the hands of bad coders

Using assert() creates better code, as programmers double-check assumptions. But only if used correctly. Unfortunately, bad programmers tend to use them badly, making code worse than if no asserts were used at all. They are a nuanced concept that most programmers don't really understand.

We saw this recently with the crash of "Bitcoin Unlimited", a version of Bitcoin that allows more transactions. They used an assert() to check the validity of input, and when they received bad input, most of the nodes in the network crashed.

The Bitcoin code is full of bad uses of assert. The following examples are all from the file main.cpp.


Example #1: this line of code:

    if (nPos >= coins->vout.size() || coins->vout[nPos].IsNull())
        assert(false);

This use of assert is silly. The code should look like this:

    assert(nPos < coins->vout.size());
    assert(!coins->vout[nPos].IsNull());

This is the least of their problems. It's understandable that Continue reading

Video: “…You can either be a farmer, or join a politically motivated global hacking collective” – YouTube

Funny and insightful. Maybe.

Jake Davis, former Anonymous and LulzSec hacker, shares his hacker journey while exploring just what makes hackers tick…

“…You can either be a farmer, or join a politically motivated global hacking collective” – YouTube : https://www.youtube.com/watch?v=E0h_pNv1a98&app=desktop

The post Video: “…You can either be a farmer, or join a politically motivated global hacking collective” – YouTube appeared first on EtherealMind.

Some confusing language in the 0day debate

As revealed in last week's CIA #Vault7 leaks, the CIA has some 0days. This has ignited the debate about whether organizations like the CIA should be disclosing these 0days so that vendors can fix them, rather than "stockpiling" them. There seems to be some confusion about language.

Stockpile

The word "stockpile" has multiple connotations, as shown below:

This distorts the debate. Using the word "stockpile" strongly implies "reserve for use" at some time in the future. This prejudices the debate. If the 0day is sitting on a shelf somewhere not being used, then it apparently has little value for offense, and thus should be disclosed/patched for defense.

The truth is that the government does not buy 0days to sit on the shelf. With few exceptions, it buys 0days because it plans to use them in an offensive operation. This was described in that recent RAND report:

It's the sellers who might keep 0days on the shelf, because the buyers have no immediate need. It's not the government buyers who are stockpiling.

Words like "stockpiling", "amassing", or "hoarding" also bring the connotation that the number is too big. Words like "hoarding" bring the connotation that the government is doing something Continue reading

FBI: what to look for in the Trump/AlfaBank connection

As CNN reports, the FBI seems to be looking into that connection between Trump and Alfa Bank. Here are some things to look for.

First, get your own copy of the logs from root name servers. I don't trust the source of the original logs. I suspect they've been edited in order to show a relationship with Alfa Bank. You've got lots of sources both inside government and in private industry that can provide a copy of these logs without a warrant. (Which sucks, you should need a warrant, but that's the current state of affairs).

Second, look at the server in question. It's probably located at 140 Akron Road, Ephrata, PA. What you are looking for are the logs of anything sent from the server during that time, specifically any e-mails.

Third, talk to Cendyn, and ask them what that server was used for during that time. Their current statement is that it was used by the Metron meeting software. In other words, they say that after they stopped using it to send marketing emails, they started using it for their meeting product. They seem a little confused, so it'd be nice to pin them down. Specifically, get Continue reading

ESG Lab Review: VMware NSX

“If your organization is interested in improving the agility, security, and economic efficiency of your networks, ESG Lab recommends taking a close look at VMware NSX.”

ESG Lab recently reached out to the VMware technical product marketing team about the network virtualization and security platform, VMware NSX. The team at ESG had set a goal of examining the NSX platform to better understand how network administrators in organizations from SMBs to large enterprises leveraged NSX and used tools to aid in the operational aspects of network virtualization. Modern software tools bring many benefits: better visibility, ease of troubleshooting, and OpEx savings from faster time to resolution for mission-critical workloads. ESG wanted to evaluate and consider existing tools as well as newer tools in the VMware portfolio to substantiate these potential benefits.

Application architectures are drastically changing, and enterprise networking and IT teams are seeing a shift in requirements based on emerging cloud-based architectures. Modern business agility drives the network to support new architectures and newer consumption models, and the network is at the center of any IT infrastructure. ESG proposes that network security is top of mind for every organization’s Continue reading

Some notes on the RAND 0day report

The RAND Corporation has a research report on the 0day market [*]. It's pretty good. They've got the pricing about right ($1 million for full chain iPhone exploit, but closer to $100k for others). They've got the stats about right (5% chance somebody else will discover an exploit). Yet, they've got some problems, namely phrasing the debate as activists want, rather than a neutral view of the debate.

The report frequently uses the word "stockpile". This is a biased term used by activists. According to the dictionary, it means:
a large accumulated stock of goods or materials, especially one held in reserve for use at a time of shortage or other emergency.
Activists paint the picture that the government (NSA, CIA, DoD, FBI) buys 0day to hold in reserve in case they later need them. If that's the case, then it seems reasonable that it's better to disclose/patch the vuln than let it grow moldy in a cyberwarehouse somewhere.

But that's not how things work. The government buys vulns it has immediate use for (primarily). Almost all vulns it buys are used within 6 months. Most vulns in its "stockpile" have been used in the previous year. These Continue reading

A note about “false flag” operations

There's nothing in the CIA #Vault7 leaks that calls into question strong attribution, like Russia being responsible for the DNC hacks. On the other hand, it does call into question weak attribution, like North Korea being responsible for the Sony hacks.

There are really two types of attribution. Strong attribution is a preponderance of evidence that would convince an unbiased, skeptical expert. Weak attribution is flimsy evidence that confirms what people are predisposed to believe.

The DNC hacks have strong evidence pointing to Russia. Not only does all the malware check out, but so do other, harder-to-"false-flag" bits, like active command-and-control servers. A serious operator could still false-flag this in theory, if only by bribing people in Russia, but nothing in the CIA dump hints at this.

The Sony hacks have weak evidence pointing to North Korea. One of the items was the use of the RawDisk driver, used both in malware attributed to North Korea and the Sony attacks. This was described as "flimsy" at the time [*]. The CIA dump [*] demonstrates that indeed it's flimsy -- as apparently CIA malware also uses the RawDisk code.

In the coming days, biased partisans are going Continue reading