Setting Sail on Secret Seas with Trireme
Container networking is a tough challenge to solve. The evolving needs of creating virtual networks to allow inter-container communications is difficult. But ensuring security at the same time is enough to make you pull your hair out. Lots of companies are taking a crack at it as has been demonstrated recently by microsegmentation offerings from Cisco, VMware NSX, and many others. But a new development on this front set sail today. And the captain is an old friend.
Sailing the Security Sea
Dimitri Stiladis did some great things in his time at Nuage Networks. He created a great overlay network solution that not only worked well for software defined systems but also extended into the container world as more and more people started investigating containers as the new way to provide application services. He saw many people rushing into this area with their existing solutions as well as building new solutions. However, those solutions were all based on existing technology and methods that didn’t work well in the container world. If you ever heard someone say, “Oh, containers are just lightweight VMs…” you know what kind of thinking I’m talking about.
Late last year, Dimitri got together with some of Continue reading
Cryptography
How Does Internet Work - We know what is networking
If you want to send or store data and be sure it is safe from being intercepted, you will use Cryptography. Cryptography uses chipper as mathematical virtual lock to make data scrambled so that is not understandable if intercepted by unauthorized third parties. There are different cryptography techniques, some of them are: encryption, hashing, and steganography. Cryptography can be differentiated by usage of different key types: Symmetric Key Encryption Asymmetric Key Encryption Symmetric Key Encryption is sometimes known as Secret Key Cryptography. Main characteristic of this type of cryptography is the same key usage in encryption and decryption of transferred
Aporeto Thinks Container Security Can Really Be This Simple
Step One: Take the network out of it.
Apcera Platform Primes Containers for Enterprise Deployment
Legacy apps and security are two of the big-ticket items.
Debunking Trump’s “secret server”
According to this Slate article, Trump has a secret server for communicating with Russia. Even Hillary has piled onto this story.It's time for Trump to answer serious questions about his ties to Russia. https://t.co/D8oSmyVAR4 pic.twitter.com/07dRyEmPjX— Hillary Clinton (@HillaryClinton) October 31, 2016
This is nonsense. The evidence available on the Internet is that Trump neither (directly) controls the domain "trump-email.com", nor has access to the server. Instead, the domain was setup and controlled by Cendyn, a company that does marketing/promotions for hotels, including many of Trump's hotels. Cendyn outsources the email portions of its campaigns to a company called Listrak, which actually owns/operates the physical server in a data center in Philidelphia.
In other words, Trump's response is (minus the political bits) likely true, supported by the evidence. It's the conclusion I came to even before seeing the response.
When you view this "secret" server in context, surrounded by the other email servers operated by Listrak on behalf of Cendyn, it becomes more obvious what's going on. In the same Internet address range of Trump's servers you see a bunch of similar servers, many named [client]-email.com. In other words, trump-email. Continue reading
GRE over IPSec Tunnel and NAT Between Cisco and VyOS
The goal of this tutorial is to provide a configuration for Cisco and VyOS network devices with configured PAT (Port Address Translation) that connect two remote sides A and B through point-to-point GRE tunnel encapsulated into a IPsec tunnel. In a previous tutorial we proved that GRE tunnels in conjunction with IPsec tunnels transmit multicast traffic while data integrity, authentication and confidentiality was in place. I also provided a simple configuration of GRE, IPsec tunnel and OSPF routing protocol on the Cisco and VyOS routers. In this tutorial I will go further and provide full configuration of the all network devices including PAT and access-lists. 
Picture 1 - Network Topology
Topology Description - Side A
Each side has a Layer 2 Cisco switch located in a LAN network. A switch connects hosts to its switchports. Each switchport is assigned to a particular VLAN. For instance, a host PC1 is connected to the switch SW1 and the switchport is assigned to a VLAN 100. Hosts in VLAN 100 (subnet 192.168.1.0/24) have guaranteed access to a remote subnet 192.168.2.0/24 via GRE/IPsec tunnel. A NAT access-list configured on a router R1 ensures that IP address of the host in VLAN 100 is not translated by PAT when a destination address is Continue reading
Nuage Thinks SD-WAN Should Reach Farther, Even Into Public Clouds
Other SD-WANs don't think end-to-end, Nuage claims.
Configuring Raspberry Pi as a router
I'm setting up a little test network for IoT devices, one isolated a bit from my home network. This is a perfect job for a computer like the Raspberry Pi (or similar computers, such as the Odroid-C2, which is what I'm actually using here). I thought I'd blog the setup details in case anybody else wanted to setup their own isolated home network.
Choice of hardware
The Raspberry Pi B v3 is a fine choice, but there are many alternatives. I'm using the Odroid C2 instead. It's nearly the same, but the chief difference for my purposes is that the Ethernet adapter is native. On the RPi, the Ethernet adapter is actually connected via USB. Network utilities don't like USB Ethernet as much.
The choice of hardware dictates the operating system. Download the latest version of Ubuntu for the Odroid C2. They keep moving around where to get it, but you can google "odroid c2 downloads" to find it. My version is Ubuntu MATE 16.04 LTS.
Your home network
Your home network likely uses the addresses 192.168.1.xxx. This is also the range that most of the devices I'm testing will use as their initial defaults. Therefore, Continue reading
Fortinet Q3 Earnings Disappoint
Fortinet recently restructured its sales team.
F5 Beats Q4 Predictions With Strong Sales in North America
Security seems to promise growth for the company.
New Attack Vector Can Amplify DDoS by 55x
With LDAP and botnets, the amplification factor can reach unprecedented levels.
Mirai Botnet: Now the Government Is Involved
Can the FCC really do anything about botnets?
Reaction: DevOps and Security
Over at TechBeacon, my friend Chris Romeo has an article up about DevOps and security. It’s interesting to me because this is actually an area I’d never thought about before, even though it makes sense. Given DevOps is essentially writing software to control infrastructure (like routers, compute, and storage), and software needs to be written in a way that is secure, then it should be obvious that DevOps software should be developed with good security principles gleaned from software development as part of the foundation.
And here we face a challenge, as Chris says—
The key point in here is that every organization is doing things their own way. This isn’t wrong, of course, because every organization must have some “snowflakiness” to justify its existence, and that “snowflakiness” is often likely to show up, in a large way, in something like handling resources within Continue reading
Lamers: the problem with bounties
In my last two posts, I pointed out that the anti-spam technique known as "DKIM" cryptographically verifies emails. This can be used to verify that some of the newsworthy emails are, indeed, correct and haven't been doctored. I offer a 1 btc (one bitcoin, around ~$600 at current exchange rates) bounty if anybody can challenge this assertion.
Unfortunately, bounties attract lamers who think they deserve the bounty.
This faked email show _undetectable_ addition of cc: field (& other fields) and whitespace in email body; no tricks #PayUpRob @ErrataRob https://t.co/X8oUplx2UL— ((( Matt Beebe ))) (@VoteBeebe) October 25, 2016
This guy insists he wins the bounty because he can add spaces to the email, and add fields like "Cc:" that DKIM doesn't check. Since DKIM ignores extra spaces and only checks important fields, these changes pass. The guy claims it's "doctored" because technically, he has changed things, even though he hasn't actually changed any of the important things (From, Date, Subject, and body content).
No. This doesn't qualify for the bounty. It doesn't call into question whether the Wikileaks emails say what they appear to say. It's so obvious that people have already contacted me and passed on it, Continue reading
IoT Botnet To Blame for Big DDoS Attack
The infamous Mirai was the likely culprit.
Swisscom, UKCloud Adopt Red Hat OpenStack Platform
Swisscom will use OpenStack to develop its own cloud platform.
Operators Want Flexibility & Reduced Costs From SD-WAN & vCPE, Report Says
Service providers want reduced costs while the enterprise looks for flexibility.
Yahoo! User Data Breach: The Case for Pervasive Security and Monitoring
These breaches are now affecting millions and sometimes hundreds of millions of people.
Politifact: Yes we can fact check Kaine’s email
This Politifact post muddles over whether the Wikileaks leaked emails have been doctored, specifically the one about Tim Kaine being picked a year ago. The post is wrong -- we can verify this email and most of the rest.In order to bloc spam, emails nowadays contain a form of digital signatures that verify their authenticity. This is automatic, it happens on most modern email systems, without users being aware of it.
This means we can indeed validate most of the Wikileaks leaked DNC/Clinton/Podesta emails. There are many ways to do this, but the easiest is to install the popular Thunderbird email app along with the DKIM Verifier addon. Then go to the Wikileaks site and download the raw source of the email https://wikileaks.org/podesta-emails/emailid/2986.
As you see in the screenshot below, the DKIM signature verifies as true.
If somebody doctored the email, such as changing the date, then the signature would not verify. I try this in the email below, changing the date from 2015 to 2016. This causes the signature to fail.
There are some reasons DKIM might fail, specifically if the sender uses short keys. This doesn't apply to GMail, which uses strong 2048 bit keys, Continue reading
Yes, we can validate the Wikileaks emails
Recently, WikiLeaks has released emails from Democrats. Many have repeatedly claimed that some of these emails are fake or have been modified, that there's no way to validate each and every one of them as being true. Actually, there is, using a mechanism called DKIM.DKIM is a system designed to stop spam. It works by verifying the sender of the email. Moreover, as a side effect, it verifies that the email has not been altered.
Hillary's team uses "hillaryclinton.com", which as DKIM enabled. Thus, we can verify whether some of these emails are true.
Recently, in response to a leaked email suggesting Donna Brazile gave Hillary's team early access to debate questions, she defended herself by suggesting the email had been "doctored" or "falsified". That's not true. We can use DKIM to verify it.
You can see the email in question at the WikiLeaks site: https://wikileaks.org/podesta-emails/emailid/5205. The title suggests they have early access to debate questions, and includes one specifically on the death penalty, with the text:
since 1973, 156 people have been on death row and later set free. Since 1976, 1,414 people have been executed in the U.S