Archive

Category Archives for "Security"

FBI: what to look for in the Trump/AlfaBank connection

As CNN reports, the FBI seems to be looking into that connection between Trump and Alfa Bank. Here are some things to look for.

First, get your own copy of the logs from root name servers. I don't trust the source of the original logs. I suspect they've been edited in order to show a relationship with Alfa Bank. You've got lots of sources both inside government and in private industry that can provide a copy of these logs without a warrant. (Which sucks, you should need a warrant, but that's the current state of affairs).

Second, look at the server in question. It's probably located at 140 Akron Road, Ephrata, PA. What you are looking for are the logs of anything sent from the server during that time, specifically any e-mails.

Third, talk to Cendyn, and ask them what that server was used for during that time. Their current statement is that it was used by the Metron meeting software. In other words, they say that after they stopped using it to send marketing emails, they started using it for their meeting product. They seem a little confused, so it'd be nice to pin them down. Specifically, get Continue reading

ESG Lab Review: VMware NSX

“If your organization is interested in improving the agility, security, and economic efficiency of your networks, ESG Lab recommends taking a close look at VMware NSX.”

ESG Lab recently reached out to the VMware technical product marketing team about the network virtualization and security platform, VMware NSX.  The team at ESG had set a goal of examining the NSX platform to better understand how network administrators in organizations from SMBs to large enterprises leveraged NSX and used tools to aid in the operational aspects of network virtualization.  Many benefits come with modern software tools on better visibility, ease of troubleshooting, and OpEx-related savings related to faster time to resolution for mission critical workloads. ESG wanted to evaluate and consider existing tools as well as newer tools in the VMware portfolio to substantiate these potential benefits.

Application architectures are drastically changing and enterprise networking and IT teams are seeing a shift in the requirements, based on emerging cloud-based architectures.  Since modern business agility drives the network to support new architectures and newer consumption models, and the network is at the center of any IT infrastructure. ESG proposes that network security is top of mind for every organization’s Continue reading

Some notes on the RAND 0day report

The RAND Corporation has a research report on the 0day market [ * ]. It's pretty good. They've got the pricing about right ($1 million for full chain iPhone exploit, but closer to $100k for others). They've got the stats about right (5% chance somebody else will discover an exploit). Yet, they've got some problems, namely phrasing the debate as activists want, rather than a neutral view of the debate.

The report frequently uses the word "stockpile". This is a biased term used by activists. According to the dictionary, it means:
a large accumulated stock of goods or materials, especially one held in reserve for use at a time of shortage or other emergency.
Activists paint the picture that the government (NSA, CIA, DoD, FBI) buys 0day to hold in reserve in case they later need them. If that's the case, then it seems reasonable that it's better to disclose/patch the vuln then let it grow moldy in a cyberwarehouse somewhere.

But that's not how things work. The government buys vulns it has immediate use for (primarily). Almost all vulns it buys are used within 6 months. Most vulns in its "stockpile" have been used in the previous year. These Continue reading

A note about “false flag” operations

There's nothing in the CIA #Vault7 leaks that calls into question strong attribution, like Russia being responsible for the DNC hacks. On the other hand, it does call into question weak attribution, like North Korea being responsible for the Sony hacks.

There are really two types of attribution. Strong attribution is a preponderance of evidence that would convince an unbiased, skeptical expert. Weak attribution is flimsy evidence that confirms what people are predisposed to believe.


The DNS hacks have strong evidence pointing to Russia. Not only does all the malware check out, but also other, harder to "false flag" bits, like active command-and-control servers. A serious operator could still false-flag this in theory, if only by bribing people in Russia, but nothing in the CIA dump hints at this.

The Sony hacks have weak evidence pointing to North Korea. One of the items was the use of the RawDisk driver, used both in malware attributed to North Korea and the Sony attacks. This was described as "flimsy" at the time [*]. The CIA dump [*] demonstrates that indeed it's flimsy -- as apparently CIA malware also uses the RawDisk code.

In the coming days, biased partisans are going Continue reading

Cisco equipment Comprehsively Pwned by US Government

Tough day for Cisco. A large number of Cisco software releases and devices were comprehensively pwned by US Gov spy agencies. This isn’t surprising, thats what they are supposed to do but now the details have been published on WikiLeaks.

This LinkedIn blog post outlines some of what has been found.

When I took a quick look at Wikileaks data, the range of possibilities is substantial but require access to the device itself. The Cisco post has details on the range of exploits in their response published today: http://blogs.cisco.com/security/the-wikileaks-vault-7-leak-what-we-know-so-far which says its too early to frame a response. I agree.

Some thoughts:

  1. Waiting to hear if other vendors are impacted, not known at this time but it seems likely.
  2. Now that these vulnerabilities have been published, your networks are at risk.
  3. There isn’t much that Cisco can do yet.
  4. Cisco as a dominant vendor is a target because one exploit can be widely applied to more targets and because targets are likely to have Cisco assets.
  5. The published vulnerabilities are for older equipment but more recent documentation will be released in the next few weeks. It could get worse if newer equipment is also vulnerable.
  6. While it seems Continue reading

Only lobbyist and politicians matter, not techies

The NSA/CIA will only buy an 0day if they can use it. They can't use it if they disclose the bug.

I point this out, yet again, because of this WaPo article [*] built on the premise that the NSA/CIA spend millions of dollars on 0day they don't use, while unilaterally disarming tiself. Since that premise is false, the entire article is false. It's the sort of article you get when all you interview are Washington D.C. lobbyists and Washington D.C. politicians -- and no outside experts.


It quotes former cyberczar (under Obama) Michael Daniel explaining that the "default assumption" is to disclose 0days that the NSA/CIA get. This is a Sean Spicer style lie. He's paid to say this, but it's not true. The NSA/CIA only buy 0day if they can use it. They won't buy 0day if the default assumption is that they will disclose it. QED: the default assumption of such 0day is they won't disclose them.

The story quotes Ben Wizner of the ACLU saying that we should patch 0days instead of using them. Patching isn't an option. If we aren't using them, then we aren't buying them, and hence, there are Continue reading

Some comments on the Wikileaks CIA/#vault7 leak

I thought I'd write up some notes about the Wikileaks CIA "#vault7" leak. This post will be updated frequently over the next 24 hours.


The CIA didn't remotely hack a TV. The docs are clear that they can update the software running on the TV using a USB drive. There's no evidence of them doing so remotely over the Internet. If you aren't afraid of the CIA breaking in an installing a listening device, then you should't be afraid of the CIA installing listening software.


The CIA didn't defeat Signal/WhattsApp encryption. The CIA has some exploits for Android/iPhone. If they can get on your phone, then of course they can record audio and screenshots. Technically, this bypasses/defeats encryption -- but such phrases used by Wikileaks arehighly misleading, since nothing related to Signal/WhatsApp is happening. What's happening is the CIA is bypassing/defeating the phone. Sometimes. If they've got an exploit for it, or can trick you into installing their software.


There's no overlap or turf war with the NSA. The NSA does "signals intelligence", so they hack radios and remotely across the Internet. The CIA does "humans intelligence", so they hack locally, with a human. The sort of thing they do Continue reading

Journalists: How hacking details matter

When I write my definitive guide for journalists covering hacking, I'm going to point out how easy it is for journalists to misunderstand the details of a story -- especially when they change the details to fit the story they want to tell.


For example, there is the notorious "CIA hacked Senate computers" scandal. In fact, the computers in question were owned by the CIA, located in a CIA facility, and managed/operated by CIA employees. You can't "hack" computers you own. Yes, the CIA overstepped the bounds of an informal agreement with the Senate committee overseeing them, but in no way did anything remotely like "hacking" occur.

This detail matter. If the CIA had truly hacked the Senate committee, that would be a constitutional crisis. A small misstep breaking an informal agreement is not.


A more recent example is this story, which mentions that AlfaBank-Trump connection, claiming the server was in Trump Tower [*]:
What about the computer server at Trump Tower?
Several news media outlets have reported that investigators last year were puzzled by data transmissions between a computer server at Trump Tower and a computer server associated with a Russian bank. Although Mr. Trump on Twitter Continue reading

Technology Short Take #79

Welcome to Technology Short Take #79! There’s lots of interesting links for you this time around.

Networking

  • I was sure I had mentioned Skydive before, but apparently not (a grep of all my blog posts found nothing), so let me rectify that first. Skydive is (in the project’s own words) an “open source real-time network topology and protocols analyzer.” The project’s GitHub repository is here, and documentation for Skydive is here.
  • OK, now that I’ve mentioned Skydive, I can talk about this article that provides an example of functional SDN testing with Terraform and Skydive. Terraform is used to turn up OpenStack infrastructure, and Skydive (via connections into Neutron and OpenContrail, in this example) is used to validate SDN functionality.
  • Tony Sangha took PowerNSX (a set of PowerShell cmdlets for interacting with NSX) and created a tool to help document the NSX Distributed Firewall configuration. This tool exports the DFW configuration and then converts it into Excel format, and is available on GitHub. (What’s that? You haven’t heard of PowerNSX before? See here.)

Servers/Hardware

Nothing this time around. Should I keep this section, or ditch it? Feel free to give me your feedback on Twitter.

Security

Latest Packet Pushers Podcast Offers a New Perspective on Networking

What’s more likely to spawn change and innovation in networking? A highly-concentrated team working on a small project, or a multi-disciplinary team working on a massive project? Multiple small teams working on 100’s of projects around the globe, or one big massive team banking on a single idea? These questions and more are posed by Bruce Davie, the recently appointed CTO for Asia Pacific and Japan at VMware, and a long time contributor, collaborator, and friend of the Packet Pushers (Greg Ferro and Ethan Banks).

In a brand new Packet Pushers podcast, Bruce, Greg and Ethan take you along for an in-depth look at various networking approaches, and the changes in store for networking as a whole Hear how networking will continue to evolve: namely, how distributed application architectures and other factors are driving big-time industry shifts. Every topic is fair game, and these networking stalwarts aren’t afraid of challenging status quo thought processes to uncover new theories. So, prepare yourself for a lively discussion and debate that transcends the present, and heads straight into the future of networking.

Take a listen!

For those who haven’t already hurried to plug in, here’s a preview of a couple topic areas Continue reading

Into the Gray Zone: Considering Active Defense

Most engineers focus on purely technical mechanisms for defending against various kinds of cyber attacks, including “the old magic bullet,” the firewall. The game of cannons and walls is over, however, and the cannons have won; those who depend on walls are in for a shocking future. What is the proper response, then? What defenses are there The reality is that just like in physical warfare, the defenses will take some time to develop and articulate.

One very promising line of thinking is that of active defense. While the concept is often attributed to some recent action, active defense has been one form of warfare for many centuries; there are instances of what might be called active defense outlined in the Bible and in Greek histories. But it is only recently, in light of the many wars around Israel, that defense in depth has taken on its modern shape in active defense. What about active defense is so interesting from a network security perspective? It is primarily this: in active defense, the defender seeks to tire an attacker out by remaining mobile, misdirecting the attacker, and using every opportunity to learn about the attacker’s techniques, aims, and resources to reflect Continue reading

1 130 131 132 133 134 183