Docker Security – part 4(Container image)
This is the fourth part of my Docker security series. In this blog, we will cover ways to secure Container images. Following are the other parts (1, 2, 3) Docker image signing: Docker Container images can be stored either in public or private registry. It is needed to sign Container images so that the client knows that image … Continue reading Docker Security – part 4(Container image)
Docker Security – part 3(Engine access)
This is the third part of my Docker security series. In this blog, we will cover ways to securely access Docker engine. Following are the other parts (1, 2, 4) Docker engine access: Docker engine runs as a daemon and by default listens on the Unix socket, “unix:///var/ run/docker.sock”. Docker start options are specified in “/etc/default/docker”. To allow … Continue reading Docker Security – part 3(Engine access)
Docker Security – part 2(Docker Engine)
This is the second part of my Docker security series. In this blog, we will cover security features around Docker engine. Following are the other parts(1, 3, 4) Namespaces: Docker makes use of the following Linux kernel Namespaces to achieve Container isolation: pid namespace mount namespace network namespace ipc namespace UTS namespace To illustrate the … Continue reading Docker Security – part 2(Docker Engine)
Docker Security – part 1(Overview)
There is a general perception that Containers, especially Docker Containers, are insecure. It is true that Containers are not as secure as VM since all Containers in a single machine share the same kernel and compromising one Container can cause host level compromise or compromise with other Containers. There are many ways to harden Containers and … Continue reading Docker Security – part 1(Overview)
SDxCentral Weekly News Roundup — March 4, 2016
Dell's post-EMC lineup, plus headlines from RSA.
Security Gets Better With Linux Containers, Twistlock Claims
Just do the policy math.
Notary 0.2 – Delegations and more!
The Notary project has been continuing to forge towards 1.0 and we’re pleased to announce our 0.2 release. In addition to various minor improvements and bugfixes we have added some significant features. Read on to find out more! Delegations Up … ContinuedIn Open Source Software, Security Still Needs Attention
Developers trust open source a little too much, researchers say.
An open letter to Sec. Ashton Carter
Hi.For security research, I regularly "mass scan" the entire Internet. For example, my latest scan shows between 250,000 and 300,000 devices still vulnerable to Heartbleed. This is legal. This is necessary security research. Yet, I still happily remove those who complain and want me to stop scanning them.
The Department of Defense didn't merely complain, but made threats, forcing me to stop scanning them. You guys were quite nasty about it, forcing me to figure out for myself which address ranges belong to the DoD.
These threats are likely standard procedure at the DoD, investigating every major source of scans and shutting down those you might have power over. But the effect of this is typical government corruption, preventing me from reporting the embarrassing detail of how many DoD systems are still vulnerable to Heartbleed (but without stopping the Chinese or Russians from knowing this detail).
Please remove your threats, so that I can scan the DoD in the same way I scan the rest of the Internet. This weekend I'll be scanning the Internet for system susceptible to the DROWN attack. I would like to include DoD in those scans.
I write to you now because you are Continue reading
Cisco Enterprise NFV, DNA, IWAN and a bunch of other acronyms
So Cisco had some big announcements today. Cisco Digital Network Architecture (DNA). Ohhh, sounds fancy. Let me put on something a little more formal before I get too involved in the post. So what are all these awesome acronyms, you may be wondering? Well basically we start with DNA, which is the overall ecosystem that […]
The post Cisco Enterprise NFV, DNA, IWAN and a bunch of other acronyms appeared first on Packet Pushers.
Cisco Enterprise NFV, DNA, IWAN and a bunch of other acronyms
So Cisco had some big announcements today. Cisco Digital Network Architecture (DNA). Ohhh, sounds fancy. Let me put on something a little more formal before I get too involved in the post. So what are all these awesome acronyms, you may be wondering? Well basically we start with DNA, which is the overall ecosystem that […]
The post Cisco Enterprise NFV, DNA, IWAN and a bunch of other acronyms appeared first on Packet Pushers.
Juniper Introduces Software-Defined Secure Networks, Integrating Threat Detection & Adaptive Policy Control for Network Wide Enforcement
Traditional perimeter-based approaches to security are not enough to protect against increasingly sophisticated attacks that engineer their way into internal networks. Juniper introduces software-defined secure networks, a new model that integrates adaptive policy detection and enforcement into the entire network.
A tale of a DNS exploit: CVE-2015-7547
This post was written by Marek Vavruša and Jaime Cochran, who found out they were both independently working on the same glibc vulnerability attack vectors at 3am last Tuesday.
A buffer overflow error in GNU libc DNS stub resolver code was announced last week as CVE-2015-7547. While it doesn't have any nickname yet (last year's Ghost was more catchy), it is potentially disastrous as it affects any platform with recent GNU libc—CPEs, load balancers, servers and personal computers alike. The big question is: how exploitable is it in the real world?
It turns out that the only mitigation that works is patching. Please patch your systems now, then come back and read this blog post to understand why attempting to mitigate this attack by limiting DNS response sizes does not work.
But first, patch!
Man in the middle attack (MitM)
Let's start with the PoC from Google, it uses the first attack vector described in the vulnerability announcement. First, a 2048-byte UDP response forces buffer allocation, then a failure response forces a retry, and finally the last two answers smash the stack.
$ echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
$ sudo python poc. Continue readingData Center Security Is an Inside Game
Address east-west security by adopting and operationalizing micro-segmentation.
Martin Casado Is Leaving VMware to Become a VC
The SDN wunderkind grows up to join Andreessen Horowitz.
Early Internet services considered harmful
This journalist, while writing a story on the #FBIvApple debate, got his email account hacked while on the airplane. Of course he did. His email account is with Earthlink, an early Internet services provider from the 1990s. Such early providers (AOL, Network Solutions, etc.) haven't kept up with the times. If that's still your email, there's pretty much no way to secure it.Early Internet stuff wasn't encrypted, because encryption was hard, and it was hard for bad guys to tap into wires to eavesdrop. Now, with open WiFi hotspots at Starbucks or on the airplane, it's easy for hackers to eavesdrop on your network traffic. Simultaneously, encryption has become a lot easier. All new companies, those still fighting to acquire new customers, have thus upgraded their infrastructure to support encryption. Stagnant old companies, who are just milking their customers for profits, haven't upgraded their infrastructure.
You see this in the picture below. Earthlink supports older un-encrypted "POP3" (for fetching email from the server), but not the new encrypted POP3 over SSL. Conversely, GMail doesn't support the older un-encrypted stuff (even if you wanted it to), but only the newer encrypted version.
Thus, if you are a reporter using Continue reading
Introducing CloudFlare Registrar: Designed for Security, Not the Masses
At CloudFlare, we’ve constructed one of the world’s largest networks purpose-built to protect our customers from a wide range of attacks. We’re so good at it that attackers increasingly look for ways to go around us, rather than go through us. One of the biggest risks for high-profile customers has been having their domain stolen at the registrar.
In 2013, we became intimately familiar with this problem when domains for the New York Times were hijacked and the newspaper’s CTO reached out to us to help get it back. We were able to assist, but the newspaper had its web and email traffic rerouted for hours.
Since the New York Times domain hijack, a number of other sites have had their domains stolen. We ourselves have seen multiple attempts to take control of CloudFlare’s registrar account. Thankfully, none have been successful—but some have gotten closer than we were comfortable with. Given the risk, we began looking for a registrar with security protocols that we could trust.
A Brief History of Registries and Registrars
In the early days of the Internet, domain registration was free. As the Internet began to take off, demand for domain registrations exploded. In 1993, unable to Continue reading
Security ‘net: Security by obscurity
This week I have two major themes to discuss on the topic of security, and one interesting bit of research. Let’s start with some further thoughts on security by obscurity.
First: Obscurity isn’t security
I’ve heard this at least a thousand times in my life as a network engineer, generally stated just about the time someone says, “well, we could hide this server…” Reality, of course, is far different; I still put curtains on my house even though they don’t increase the amount of time it takes a thief to break in. Whether or not we want to believe it, obscurity does play a positive role in security.
But there are two places where obscurity is a bad thing in the world of security. The first is the original reference of this common saying: algorithms and implementations. Hiding how you encrypt things doesn’t improve security; in fact, it decreases the overall security of the system. The second place? Communication between companies and security professionals about the types, frequency, and methods of attack. Imagine, for a moment, that you were commanding a unit on a battlefield. You hear the sounds of combat in the distance. Realizing a unit in your army is Continue reading
Band-Aids over Basics: Anti-Drone Bill Revisions Compound Earlier Missteps
Glossing over fundamental legislation flaws in favor of quick fixes only serves lawyers and lobbyists. In this guest post, friend of Errata Elizabeth Wharton (@lawyerliz) highlights the importance of fixing the underlying technology concepts as Georgia’s anti-drone legislation continues to miss the mark and kill innovation.
Georgia's proposed anti-drone legislation, HB 779, remains on a collision course to crush key economic drivers and technology innovations within the state. Draft revisions ignore all of the legislation's flawed technical building blocks in favor of a series of peripheral provision modifications (in some cases removing entire safe harbor carve-outs), making a bad piece of legislation worse for Georgia's film, research, and aviation technology industries. Only the lawyers and lobbyists hired to challenge and defend the resulting lawsuits benefit from this legislative approach. Georgia should scrap this piece-meal, awkward legislation in favor of a commission of industry experts to craft a policy foundation for unmanned aircraft systems within Georgia.
Band-aid technology policy approaches skip over the technical issues and instead focus on superficial revisions. Whether a company is prohibited from flying over a railroad track in addition to a road becomes a moot point when the definition of Continue reading
“Split and smear” your security policies: Static Unidimensional vs. Dynamic Multi-Dimensional Policies
In my previous post I explained why current security architectures aiming at inspecting all inline traffic via hardware appliances are failing to provide proper segmentation and scale in modern day data centers. As I described, this has nothing to do with the type of security technology being deployed but rather with engineering security services that can answer the requirements of scale, high bandwidth, micro-segmentation and distributed applications.
We have to remind ourselves why we are having these architectural discussions: the application and service landscape has been virtualized, generally in excess of 70%, while entertaining any cloud solution will force you down the path of moving to 100% virtualization. Yes, there are still physical servers and legacy applications to which we will extend security services to. But instead of being the norm, we now have to consider their place in the overall architecture as exceptions and design security and networking services around what makes up the bulk of the workloads, i.e. virtualized applications in the form of VMs and containers.
With this understanding, let’s discuss how years of deploying hardware security architectures have boxed us in a complex unidimensional, sequential approach to security policies and how we can now move beyond this implementation scheme with virtualization and the proper software tools. Continue reading