Is ‘aqenbpuu’ a bad password?
Press secretary Sean Spicer has twice tweeted a random string, leading people to suspect he's accidentally tweeted his Twitter password. One of these was 'aqenbpuu', which some have described as a "shitty password". Is is actually bad?No. It's adequate. Not the best, perhaps, but not "shitty".
It depends upon your threat model. The common threats are password reuse and phishing, where the strength doesn't matter. When the strength does matter is when Twitter gets hacked and the password hashes stolen.
Twitter uses the bcrypt password hashing technique, which is designed to be slow. A typical desktop with a GPU can only crack bcrypt passwords at a rate of around 321 hashes-per-second. Doing the math (26 to the power of 8, divided by 321, divided by one day) it will take 20 years for this desktop to crack the password.
That's not a good password. A botnet with thousands of desktops, or a somebody willing to invest thousands of dollars on a supercomputer or cluster like Amazon's, can crack that password in a few days.
But, it's not a bad password, either. A hack of a Twitter account like this would be a minor event. It's not Continue reading
Cisco Brings the Infrastructure, AppDynamics Brings the Analytics
Cisco being an AppDynamics customer laid some of the groundwork for the deal.
F5 Reports Product Growth in Q1 and Hopes for More
BIG-IP iSeries is here; Herculon and Velcro are imminent.
Security Startup SentinelOne Raises $70M
That makes $110 total raised for defending endpoints and servers.
The Dark Side of Software-Defined Sprawl
Software defined infrastructure sprawl is worst where it is compound.
Dispersing a DDoS: Initial thoughts on DDoS protection
Distributed Denial of Service is a big deal—huge pools of Internet of Things (IoT) devices, such as security cameras, are compromised by botnets and being used for large scale DDoS attacks. What are the tools in hand to fend these attacks off? The first misconception is that you can actually fend off a DDoS attack. There is no magical tool you can deploy that will allow you to go to sleep every night thinking, “tonight my network will not be impacted by a DDoS attack.” There are tools and services that deploy various mechanisms that will do the engineering and work for you, but there is no solution for DDoS attacks.
One such reaction tool is spreading the attack. In the network below, the network under attack has six entry points.
Assume the attacker has IoT devices scattered throughout AS65002 which they are using to launch an attack. Due to policies within AS65002, the DDoS attack streams are being forwarded into AS65001, and thence to A and B. It would be easy to shut these two links down, forcing the traffic to disperse across five entries rather than two (B, C, D, E, and F). By splitting the Continue reading
The command-line, for cybersec
On Twitter I made the mistake of asking people about command-line basics for cybersec professionals. A got a lot of useful responses, which I summarize in this long (5k words) post. It’s mostly driven by the tools I use, with a bit of input from the tweets I got in response to my query.bash
By command-line this document really means bash.
There are many types of command-line shells. Windows has two, 'cmd.exe' and 'PowerShell'. Unix started with the Bourne shell ‘sh’, and there have been many variations of this over the years, ‘csh’, ‘ksh’, ‘zsh’, ‘tcsh’, etc. When GNU rewrote Unix user-mode software independently, they called their shell “Bourne Again Shell” or “bash” (queue "JSON Bourne" shell jokes here).
Bash is the default shell for Linux and macOS. It’s also available on Windows, as part of their special “Windows Subsystem for Linux”. The windows version of ‘bash’ has become my most used shell.
For Linux IoT devices, BusyBox is the most popular shell. It’s easy to clear, as it includes feature-reduced versions of popular commands.
man
‘Man’ is the command you should not run if you want help for a command.
Man pages are designed to drive away Continue reading
Check Point Climbs on Strong Q4 Results
ATP and security gateways are on the rise.
Technology Short Take #76
Welcome to Technology Short Take #76, the first Technology Short Take of 2017. Normally, I’d publish this on a Friday, but due to extenuating circumstances (my mother-in-law’s funeral is tomorrow) I’m posting it today. Here’s hoping you find something useful!
Networking
- As of Vagrant 1.9.1, the Cumulus plugin for Vagrant is no longer needed. See this post for more details.
- Ivan Pepelnjak (one of my absolutely favorite folks in the IT industry) has a great post on using regex filters in Ansible to parse text printouts from network devices. This is a super-practical post that anyone working with network automation can put to use right away.
- Craig Matsumoto has an informative article on why machine learning is hard to apply to networking. I’ve heard David Meyer—who is quoted extensively in the article—speak several times, and most of the time his stuff is way beyond my understanding. At least now, though, I get the general direction he’s heading.
- Interested in using OVS with VXLAN on Hyper-V, but without OpenStack? This article by Alin Serdean from Cloudbase Solutions describes how it’s done.
- Here’s an article describing how to establish a site-to-site VPN between a Cisco ASA and Microsoft Azure. Anecdotally, Continue reading
Gigamon Stock Down On Poor Earnings Pre-Announcement
The weak revenues come from deferred product bookings from large customers.
Public Cloud on the Rise While Private Cloud Usage Declines
AWS and Google Cloud use increases, but Azure decreases.
Walmart Gets a New CIO as It Shifts to E-Commerce
Walmart’s new CIO, along with its Walmart Labs Division, will shift the company's focus to e-commerce.
It’s Security Ignorance, not Featuritis
A blog post by Russ White pointed me to an article describing how IPv6 services tend to be less protected than IPv4 services. No surprise there, people like Eric Vyncke and I were telling anyone who was willing to listen that operating two-protocol networks isn’t the same thing as operating a single-protocol one (see also RFC 1925 rule 4).
Read more ...Managing and Securing the WAN is a Struggle for Companies
The branch network and WAN remain a challenge for most enterprise IT teams.
About that Giuliani website…
Rumors are that Trump is making Rudy Giuliani some sort of "cyberczar" in the new administration. Therefore, many in the cybersecurity scanned his website "www.giulianisecurity.com" to see if it was actually secure from hackers. The results have been laughable, with out-of-date software, bad encryption, unnecessary services, and so on.But here's the deal: it's not his website. He just contracted with some generic web designer to put up a simple page with just some basic content. It's there only because people expect if you have a business, you also have a website.
That website designer in turn contracted some basic VPS hosting service from Verio. It's a service Verio exited around March of 2016, judging by the archived page.
The Verio service promised "security-hardened server software" that they "continually update and patch". According to the security scans, this is a lie, as the software is all woefully out-of-date. According OS fingerprint, the FreeBSD image it uses is 10 years old. The security is exactly what you'd expect from a legacy hosting company that's shut down some old business.
You can probably break into Giuliani's server. I know this because other FreeBSD servers in the same data Continue reading
SD-WAN Summit Brings Together Leading Enterprises, Analysts and Vendors
Attend the online FutureWAN’17 Summit to experience first-hand accounts of the Software Defined-Wide Area Networking (SD-WAN) transformation.
Fortinet Preps Security for Intent-Based Networking
FortiOS 5.6 gets the spotlight in Vegas.
NAT is a firewall
NAT is a firewall. It's the most common firewall. It's the best firewall.I thought I'd point this out because most security experts might disagree, pointing to some "textbook definition". This is wrong.
A "firewall" is anything that establishes a barrier between some internal (presumably trusted) network and the outside, public, and dangerous Internet where anybody can connect to you at any time. A NAT creates exactly that sort of barrier.
What other firewalls provide (the SPI packet filters) is the ability to block outbound connections, not just incoming connections. That's nice, but that's not a critical feature. Indeed, few organizations use firewalls that way, it just causes complaints when internal users cannot access Internet resources.
Another way of using firewalls is to specify connections between a DMZ and an internal network, such as a web server exposed to the Internet that needs a hole in the firewall to access an internal database. While not technically part of the NAT definition, it's a feature of all modern NATs. It's the only way to get some games to work, for example.
There's already more than 10-billion devices on the Internet, including homes with many devices, as well as most mobile phones. Continue reading
No, Yahoo! isn’t changing its name
Trending on social media is how Yahoo is changing it's name to "Altaba" and CEO Marissa Mayer is stepping down. This is false.What is happening instead is that everything we know of as "Yahoo" (including the brand name) is being sold to Verizon. The bits that are left are a skeleton company that holds stock in Alibaba and a few other companies. Since the brand was sold to Verizon, that investment company could no longer use it, so chose "Altaba". Since 83% of its investment is in Alibabi, "Altaba" makes sense. It's not like this new brand name means anything -- the skeleton investment company will be wound down in the next year, either as a special dividend to investors, sold off to Alibaba, or both.
Marissa Mayer is an operations CEO. Verizon didn't want her to run their newly acquired operations, since the entire point of buying them was to take the web operations in a new direction (though apparently she'll still work a bit with them through the transition). And of course she's not an appropriate CEO for an investment company. So she had no job left -- she made her own job disappear.
What happened today Continue reading
Some Reading on Application Containers
One aspect of my pending migration to Ubuntu Linux on my primary laptop has been the opportunity to explore “non-traditional” uses for Linux containers. In particular, the idea of using Docker (or systemd-nspawn or rkt) to serve as a sandbox (of sorts) for GUI applications really intrigues me. This isn’t a use case that many of the container mechanisms are aiming to solve, but it’s an interesting use case nevertheless (to me, anyway).
So, in no particular order, here are a few articles I found about using Linux containers as application containers/sandboxes (mostly focused around GUI applications):
A Docker-Like Container Management using systemd
Running containers without Docker
Containerizing Graphical Applications on Linux with systemd-nspawn
Debian Containers with systemd-nspawn
Using your own containers with systemd-nspawn and overlayfs
I was successful in using Docker to containerize Firefox (see my “dockerfiles” repository on GitHub)), and was also successful in using systemd-nspawn in the same way, including the use of overlayfs. My experiments have been quite helpful and informative; I have some ideas that may percolate into future blog posts.