Archive

Category Archives for "Security"

Do You Use SSL between Load Balancers and Servers?

One of my readers sent me this question:

Using SSL over the Internet is a must when dealing with sensitive data. What about SSL between data center components (frontend load-balancers and backend web servers for example)? Does it make sense to you? Can the question be summarized as "do I trust my Datacenter network team"? Or is there more at stake?

In the ideal world in which you’d have a totally reliable transport infrastructure the answer would be “There’s no need for SSL across that infrastructure”.

Read more ...

Cliché: Security through obscurity (again)

This post keeps popping up in my timeline. It's wrong. The phrase "security through/by security" has become such a cliché that it's lost all meaning. When somebody says it, they are almost certainly saying a dumb thing, regardless if they support it or are trying to debunk it.

Let's go back to first principles, namely Kerckhoff's Principle from the 1800s that states cryptography should be secure even if everything is known about it except the key. In other words, there exists no double-secret military-grade encryption with secret algorithms. Today's military crypto is public crypto.

Let's apply this to port knocking. This is not a layer of obscurity, as proposed by the above post, but a layer of security. Applying Kerkhoff's Principle, it should work even if everything is known about the port knocking algorithm except the sequence of ports being knocked.

Kerkhoff's Principle is based on a few simple observations. Two relevant ones today are:
* things are not nearly as obscure as you think
* obscurity often impacts your friends more than your enemies
I (as an attacker) know that many sites use port knocking. Therefore, if I get no response from an IP address (which I have reason Continue reading

Why cybersecurity certifications suck

Here's a sample question from a GIAC certification test. It demonstrates why such tests suck.
The important deep knowledge you should know about traceroute how it send packets with increasing TTLs to trace the route.

But that's not what the question is asking. Instead, it's asking superfluous information about the default behavior, namely about Linux defaults. It's a trivia test, not a knowledge test. If you've recently studied the subject, your course book probably tells you that Linux traceroute defaults to UDP packets on transmit. So, those who study for the test will do well on the question.

But those with either a lot of deep knowledge or practical experience will find this question harder. Windows and Linux use different defaults (Windows uses ICMP ECHOs, Linux uses UDP). Personally, I'm not sure which is which (well, I am now, 'cause I looked it up, but I'm likely to forget it again soon, because it's a relatively unimportant detail).

Those with deep learning have another problem with the word "protocol". This question uses "protocol" in one sense, where only UDP, TCP, and ICMP are valid "protocols".

But the word can be used in another sense, where "Echo" and "TTL" are also Continue reading

Trump on cybersecurity: vacuous and populist

Trump has published his policy on cybersecurity. It demonstrates that he and his people do not understand the first thing about cybersecurity.

Specifically, he wants “the best defense technologies” and “cyber awareness training for all government employees”. These are well known bad policies in the cybersecurity industry. They are the sort of thing the intern with a degree from Trump University would come up with.

Awareness training is the knee-jerk response to any problem. Employees already spend a lot of their time doing mandatory training for everything from environmental friendly behavior, to sexual harassment, to Sarbannes-Oxley financial compliance, to cyber-security. None of it has proven effective, but organizations continue to force it, either because they are required to, or they are covering their asses. No amount of training employees to not click on email attachments helps. Instead, the network must be secure enough that reckless clicking on attachments pose no danger.

Belief in a technological Magic Pill that will stop hackers is common among those who know nothing about cybersecurity. Such pills don’t exist. The least secure networks already have “the best defense technologies”. Things like anti-virus, firewalls, and intrusion prevention systems do not stop hackers Continue reading

Windows SSH client with TPM

I managed to get an SSH client working using an SSH pubkey protected by a TPM.

Optional: Take ownership of the TPM chip

This is not needed, since TPM operations only need well known SRK PIN, not owner PIN, to do useful stuff. I only document it here in case you want to do it. Microsoft recommends against it.

  1. Set OSManagedAuthLevel to 4 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM\OSManagedAuthLevel 2 -> 4

    Reboot.

  2. Clear TPM

    Run tpm.msc and choose “Clear TPM”. The machine will reboot and ask you to press F12 or something for physical proof of presence to clear it.

  3. Set owner password from within tpm.msc

Set up TPM for SSH

  1. Create key

    tpmvscmgr.exe create /name "myhostnamehere VSC" /pin prompt /adminkey random /generate

    PIN must be at least 8 characters.

  2. Create CSR

    Create a new text file req.inf:

    [NewRequest]
Subject = "CN=myhostnamehere"
Keylength = 2048
Exportable = FALSE
UserProtected = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Base Smart Card Crypto Provider"
ProviderType = 1
RequestType = PKCS10
KeyUsage = 0x80

    certreq -new -f req.inf myhostname.csr

    If you get any errors, just reboot and try again with the command that failed.

  3. Get the CSR signed by any Continue reading

Docker Distributed System Summit videos & podcast episodes

Following LinuxCon Europe in Berlin last week, we organized a first of its kind Docker event called Docker Distributed Systems Summit. This two day event was an opportunity for core Docker engineers and Docker experts from the community to learn, collaborate, problem-solve and hack around the next generation of distributed systems in areas such as orchestration, networking, security and storage.

More specifically, the goal of the summit was to dive deep into Docker’s infrastructure plumbing tools and internals: SwarmKit, InfraKit, Hyperkit, Notary, libnetwork, IPVS, Raft, TUF and provide attendees with the working knowledge of how to leverage these tools while building their own systems.

We’re happy to share with you all the videos recordings, slides and audio files available as #dockercast episodes!

Youtube playlist

Podcast playlist

All the slides from the summit are available on the official Docker slideshare account.

Please join us in giving a big shout out to our awesome speakers for creating and presenting the following projects:

  1. InfraKit: A toolkit for creating and managing declarative, self-healing infrastructure
  1. Heart of the SwarmKit: Store, Topology Continue reading

WTF Yahoo/FISA search in kernel?

A surprising detail in the Yahoo/FISA email search scandal is that they do it with a kernel module. I thought I’d write up some (rambling) notes.

What the government was searching for

As described in the previoius blog post, we’ll assume the government is searching for the following string, and possibly other strings like it within emails:

### Begin ASRAR El Mojahedeen v2.0 Encrypted Message ###

I point this out because it’s simple search identifying things. It’s not natural language processing. It’s not searching for phrases like “bomb president”.

Also, it's not AV/spam/childporn processing. Those look at different things. For example, filtering message containing childporn involves calculating a SHA2 hash of email attachments and looking up the hashes in a table of known bad content (or even more in-depth analysis). This is quite different from searching.


The Kernel vs. User Space

Operating systems have two parts, the kernel and user space. The kernel is the operating system proper (e.g. the “Linux kernel”). The software we run is in user space, such as browsers, word processors, games, web servers, databases, GNU utilities [sic], and so on.

The kernel has raw access to the machine, memory, network devices, graphics Continue reading

Technology Short Take #72

Welcome to Technology Short Take #72. Normally, I try to publish these on Fridays, but some personal travel prevented that this time around so I’m publishing on a Monday instead. Enough of that, though…bring on the content! As usual, here’s my random collection of links, articles, and thoughts about various data center technologies.

Networking

What the Yahoo NSA might’ve looked for

The vague story about Yahoo searching emails for the NSA was cleared up today with various stories from other outlets [1]. It seems clear a FISA court order was used to compel Yahoo to search all their customer's email for a pattern (or patterns). But there's an important detail still missing: what specifically were they searching for? In this post, I give an example.

The NYTimes article explains the search thusly:
Investigators had learned that agents of the foreign terrorist organization were communicating using Yahoo’s email service and with a method that involved a “highly unique” identifier or signature, but the investigators did not know which specific email accounts those agents were using, the officials said.
What they are likely referring it is software like "Mujahideen Secrets", which terrorists have been using for about a decade to encrypt messages. It includes a unique fingerprint/signature that can easily be searched for, as shown below.

In the screenshot below, I use this software to type in a secret message:


I then hit the "encrypt" button, and get the following, a chunk of random looking text:


This software encrypts, but does not send/receive messages. You have to do that manually yourself. Continue reading

The Yahoo-email-search story is garbage

Joseph Menn (Reuters) is reporting that Yahoo! searched emails for the NSA. The details of the story are so mangled that it's impossible to say what's actually going on.

The first paragraph says this:
Yahoo Inc last year secretly built a custom software program to search all of its customers' incoming emails
The second paragraph says this:
The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts
Well? Which is it? Did they "search incoming emails" or did they "scan mail accounts"? Whether we are dealing with emails in transmit, or stored on the servers, is a BFD (Big Fucking Detail) that you can't gloss over and confuse in a story like this. Whether searches are done indiscriminately across all emails, or only for specific accounts, is another BFD.

The third paragraph seems to resolve this, but it doesn't:
Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to an intelligence agency's request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.
Who are these "some surveillance experts"? Why is the Continue reading
1 139 140 141 142 143 182