Archive

Category Archives for "Security"

Notes about the FTC action against D-Link

Today, the FTC filed a lawsuit[*] against D-Link for security problems, such as backdoor passwords. I thought I'd write up some notes.

The suit is not "product liability", but "unfair and deceptive" business practices for promising "security". In addition, they interpret "security" different from the cybersecurity community.

This needs to be stressed because right now in our industry, there is a big discussion of product liability, insisting that everything attached to the Internet needs to be secured. People will therefore assume the FTC action is based on "liability".

Instead, all six counts are based upon the fact that D-Link offers its products for securing networks, and claims they are secure. Because they have backdoor passwords, clear-text passwords, command-injection bugs, and public private-keys, the FTC feels the claims of security to be untrue.

The key point I'm trying to make is that D-Link can resolve the suit (in theory) by simply removing all claims of "security". Sure, it can claim it supports stateful-inspection firewalls and WPA2, but not things like "WPA2 security". (Sure, the FTC may come back with a new lawsuit -- but it would solve the points raised in this one).

On the other hand, while "deception" Continue reading

Profs: you should use JavaScript to teach Computer Science

Universities struggle with the canonical programming language they should teach students for Computer Science. Ideally, as they take computer science classes, all the homework assignments and examples will be in the same language. Today, that language is usually Java or Python. It should be JavaScript.

The reason for this is simple: whatever language you learn, you will also have to learn JavaScript, because it's the lingua franca of web browsers.

Python is a fundamentally broken language. Version 3 is incompatible with version 2, but after a decade, version 2 is still more popular. It's still unforgivably slow: other languages use JITs as a matter of course to get near native speed, while Python is still nearly always interpreted. Python isn't used in the real world, it's far down the list of languages programmers will use professionally. Python is primarily a middlware language, with neither apps nor services written in it.

Java is a fine language, but there's a problem with it: it's fundamentally controlled by a single company, Oracle, who is an evil company. Consumer versions of Java come with viruses. They sue those who try to come up with competing versions of Java. It's not an "open" system necessary Continue reading

The Back Door Feature Problem

In Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy, the authors ran an experiment that tested for open ports in IPv4 and IPv6 across a wide swath of the network. What they discovered was interesting—

IPv6 is more open than IPv4. A given IPv6 port is nearly always more open than the same port is in IPv4. In particular, routers are twice as reachable over IPv6 for SSH, Telnet, SNMP, and BGP. While openness on IPv6 is not as severe for servers, we still find thousands of hosts open that are only open over IPv6.

This result really, on reflection, should not be all that surprising. There are probably thousands of networks in the world with “unintentional” deployments of IPv6. The vendor has shipped new products with IPv6 enabled by default, because one large customer has demanded it. Customers who have not even thought about deploying IPv6, however, end up with an unprotected attack surface.

The obvious solution to this problem is—deploy IPv6 intentionally, including security, and these problems will likely go away.

But the obvious solution, as obvious as it might be, is only one step in the right direction. Instead of just Continue reading

Dear Obama, From Infosec

Dear President Obama:

We are more than willing to believe Russia was responsible for the hacked emails/records that influenced our election. We believe Russian hackers were involved. Even if these hackers weren't under the direct command of Putin, we know he could put a stop to such hacking if he chose. It's like harassment of journalists and diplomats. Putin encourages a culture of thuggery that attacks opposition, without his personal direction, but with his tacit approval.

Your lame attempts to convince us of what we already agree with has irretrievably damaged your message.

Instead of communicating with the America people, you worked through your typical system of propaganda, such as stories in the New York Times quoting unnamed "senior government officials". We don't want "unnamed" officials -- we want named officials (namely you) who we can pin down and question. When you work through this system of official leaks, we believe you have something to hide, that the evidence won't stand on its own.

We still don't believe the CIA's conclusions because we don't know, precisely, what those conclusions are. Are they derived purely from companies like FireEye and CloudStrike based on digital forensics? Or do you have spies in Continue reading

Hot Off The Press: NSX Light Board Videos

At the start of 2016 we began a series of VMware NSX light board videos. The goal has been to highlight the use cases and capabilities driving the adoption of network virtualization today. Through the use of a light board, these NSX  experts quickly sketch out the technology and business drivers around network virtualization with NSX.

At the end of this year, the team published 20 additional light board videos across these NSX topics: Security and IT Automation as well as Features and Capabilities and OpenStack. And for 2017, more coming soon!

Here are the recently published videos:

New Features and Capabilities videos
New Security videos
New IT Automation videos

Your absurd story doesn’t make me a Snowden apologist

Defending truth in the Snowden Affair doesn't make one an "apologist", for either side. There plenty of ardent supporters on either side that need to be debunked. The latest (anti-Snowden) example is the HPSCI committee report on Snowden [*], and stories like this one in the Wall Street Journal [*]. Pointing out the obvious holes doesn't make us "apologists".

As Edward Epstein documents in the WSJ story, one of the lies Snowden told was telling his employer (Booz-Allen) that he was being treated for epilepsy when in fact he was fleeing to Hong Kong in order to give documents to Greenwald and Poitras.

Well, of course he did. If you are going to leak a bunch of documents to the press, you can't do that without a bunch of lies to your employer. That's the very definition of this sort of "whistleblowing". Snowden has been quite open to the public about the lies he told his employer, including this one.

Rather than evidence that there's something wrong with Continue reading

Some notes on IoCs

Obama "sanctioned" Russia today for those DNC/election hacks, kicking out 35 diplomats, closing diplomatic compounds, seizing assets of named individuals/groups. They also published "IoCs" of those attacks, fingerprints/signatures that point back to the attackers, like virus patterns, file hashes, and IP addresses.

These IoCs are of low quality. They are published as a political tool, to prove they have evidence pointing to Russia. They have limited utility to defenders, or those publicly analyzing attacks.

Consider the Yara rule included in US-CERT's "GRIZZLY STEPPE" announcement:


What is this? What does this mean? What do I do with this information?

It's a YARA rule. YARA is a tool ostensibly for malware researchers, to quickly classify files. It's not really an anti-virus product designed to prevent or detect an intrusion/infection, but to analyze an intrusion/infection afterward -- such as attributing the attack. Signatures like this will identify a well-known file found on infected/hacked systems.

What this YARA rule detects is, as the name suggests, the "PAS TOOL WEB KIT", a web shell tool that's popular among Russia/Ukraine hackers. If you google "PAS TOOL PHP WEB KIT", the second result points to the tool in question. You can download a copy here Continue reading

Technology Short Take #75

Welcome to Technology Short Take #75, the final Technology Short Take for 2016. Fortunately, it’s not the final Technology Short Take ever, as I’ll be back in 2017 with more content. Until then, here’s some data center-related articles and links for your enjoyment.

Networking

  • Ajay Chenampara has some observations about running Ansible at scale against network devices.
  • Andrey Khomyakov shares some information on automating the setup of whitebox switches running Cumulus Linux in part 2 of this series on learning network automation.
  • Russell Bryant has shared the results of some testing comparing ML2+OVS and OVN as backends for OpenStack networking. As Russell indicates in his post, some additional analysis is needed to truly understand what’s happening, but early looks at the results of his tests show performance improvements in OVN versus ML2+OVS when it comes to total time required to boot a VM.
  • Ivan Pepelnjak shares a Python script that creates Ansible inventory from Vagrant’s SSH configuration. Handy.

Servers/Hardware

Nothing this time around!

Security

IoT saves lives but infosec wants to change that

The cybersecurity industry mocks/criticizes IoT. That's because they are evil and wrong. IoT saves lives. This was demonstrated a couple weeks ago when a terrorist attempted to drive a truck through a Christmas market in German. The truck has an Internet-connected braking system. When it detected the collision, it deployed the brakes, bringing the truck to a stop. Injuries and deaths were a 10th of the similar Nice truck attack earlier in the year.

All the trucks shipped by Scania in the last five years have had mobile phone connectivity to the Internet. Scania pulls back telemetry from trucks, for the purposes of improving drivers, but also to help improve the computerized features of the trucks. They put everything under the microscope, such as how to improve air conditioning to make the trucks more environmentally friendly.

Among their features is the "Autonomous Emergency Braking" system. This is the system that saved lives in Germany.

You can read up on these features on their website, or in their annual report [*].


My point is this: the cybersecurity industry is a bunch of police-state fetishists that want to stop innovation, to solve the "security" problem first before allowing innovation Continue reading

“From Putin with Love” – a novel by the New York Times

In recent weeks, the New York Times has written many stories on Russia's hacking of the Trump election. This front page piece [*] alone takes up 9,000 words. Combined, the NYTimes coverage on this topic exceeds the length of a novel. Yet, for all this text, the number of verifiable facts also equals that of a novel, namely zero. There's no evidence this was anything other than an undirected, Anonymous-style op based on a phishing campaign.


The question that drives us

It's not that Russia isn't involved, it's that the exact nature of their involvement is complicated. Just because the hackers live in Russia doesn't automatically mean their attacks are directed by the government.

It's like the recent Islamic terrorist attacks in Europe and America. Despite ISIS claiming credit, and the perpetrators crediting ISIS, we are loathe to actually blame the attacks directly on ISIS. Overwhelmingly, it's individuals who finance and plan their attacks, with no ISIS organizational involvement other than inspiration.

The same goes for Russian hacks. The Russian hacker community is complicated. There are lots of actors with various affiliations with the government. They are almost always nationalistic, almost always pro-Putin. There are many individuals and Continue reading
1 130 131 132 133 134 178