Archive

Category Archives for "Security"

“Split and smear” your security policies: Static Unidimensional vs. Dynamic Multi-Dimensional Policies

In my previous post I explained why current security architectures aiming at inspecting all inline traffic via hardware appliances are failing to provide proper segmentation and scale in modern day data centers.  As I described, this has nothing to do with the type of security technology being deployed but rather with engineering security services that can answer the requirements of scale, high bandwidth, micro-segmentation and distributed applications.

We have to remind ourselves why we are having these architectural discussions: the application and service landscape has been virtualized, generally in excess of 70%, while entertaining any cloud solution will force you down the path of moving to 100% virtualization.  Yes, there are still physical servers and legacy applications to which we will extend security services to.  But instead of being the norm, we now have to consider their place in the overall architecture as exceptions and design security and networking services around what makes up the bulk of the workloads, i.e. virtualized applications in the form of VMs and containers.

With this understanding, let’s discuss how years of deploying hardware security architectures have boxed us in a complex unidimensional, sequential approach to security policies and how we can now move beyond this implementation scheme with virtualization and the proper software tools. Continue reading

The disingenuous question (FBIvApple)

I need more than 140 characters to respond to this tweet:

It's an invalid question to ask. Firstly, it's asking for the emotional answer, not the logical answer. Secondly, it's only about half the debate, when the FBI is on your side, and not against you.


The emotional question is like ISIS kidnappings. Logically, we know that the ransom money will fund ISIS's murderous campaign, killing others. Logically, we know that paying this ransom just encourages more kidnappings of other people -- that if we stuck to a policy of never paying ransoms, then ISIS would stop kidnapping people.

If it were my loved ones at stake, of course I'd do anything to get them back alive and healthy, including pay a ransom. But at the same time, logically, I'd vote for laws to stop people paying ransoms. In other words, I'd vote for laws that I would then happily break should the situation ever apply to me.

Thus, the following question has no meaning in a policy debate over paying Continue reading

About McAfee’s claim he could unlock iPhone

So John McAfee has claimed he could unlock the terrorist's iPhone. Is there any truth to this?

http://www.businessinsider.com/john-mcafee-ill-decrypt-san-bernardino-phone-for-free-2016-2

No, of course this is bogus. If McAfee could do it, then he's already have done it.

In other words, if it were possible, he'd just say "we've unlocked an iPhone 5c running iOS 9 by exploiting {LTE baseband, USB stack, WiFi stack, etc.}, and we can therefore do the same thing for the terrorist's phone". Otherwise, it's just bluster, because everyone knows the FBI won't let McAfee near the phone in question without proof he could actually accomplish the task.

There's a lot of bluster in the hacking community like this. There is a big difference between those who have done, and those who claim they could do.

I suggest LTE baseband, USB stack, and WiFi stack because that's how I'd attack the phone. WiFi these days is pretty well tested, so that's the least likely, but LTE and USB should be wide open. I wouldn't do anything to help the FBI, though. The corrupt FBI goes around threatening security-researchers like me, trampling on our rights, so they've burned a lot of bridges with precisely the people Continue reading

Research ‘net: Dirt jumper -smart

Distributed Denial of Service (DDoS) attacks are often used to hold companies—particularly wealthy companies, like financial institutions—to ransom. Given the number of botnets in the world which can be purchased by the hour, and the relative ease with which new systems can be infected (especially given the rise of the Internet of Things), it’s important to find new and innovative ways to protect against such attacks. Dirt Jumper is a common DDoS platform based on the original Dirt, widely used to initiate such attacks. Probably the most effective protection against DDoS attacks, particularly if you can’t pin down the botnet and block it on a per-IP-address basis (try that one some time) is to construct a tar pit that will consume the attacker’s resources at a rate faster than your server’s are consumed.

The paper linked here describes one such tar pit, and even goes into detail around a defect in the Dirt Jumper platform, and how the defenders exploited the defect. This is not only instructive in terms of understanding and countering DDoS attacks, it’s also instructive from another angle. If you think software is going to eat the world, remember that even hacking software has defects that Continue reading

Will Cisco Shine On?

Digital Lights

Cisco announced their new Digital Ceiling initiative today at Cisco Live Berlin. Here’s the marketing part:

And here’s the breakdown of protocols and stuff:

Funny enough, here’s a presentation from just three weeks ago at Networking Field Day 11 on a very similar subject:

Cisco is moving into Internet of Things (IoT) big time. They have at least learned that the consumer side of IoT isn’t a fun space to play in. With the growth of cloud connectivity and other things on that side of the market, Cisco knows that is an uphill battle not worth fighting. Seems they’ve learned from Linksys and Flip Video. Instead, they are tracking the industrial side of the house. That means trying to break into some networks that are very well put together today, even if they aren’t exactly Internet-enabled.

Digital Ceiling isn’t just about the PoE lighting that was announced today. It’s a framework that allows all other kinds of dumb devices to be configured and attached to networks that have intelligence built in. The Constrained Application Protocol (CoaP) is designed in such a way as to provide data about a great number of devices, not just lights. Yet lights are the launch Continue reading

Some notes on Apple decryption San Bernadino phone

Today, a judge ordered Apple to help the FBI decrypt the San Bernadino shooter's iPhone 5C. Specifically:
  1. disable the auto-erase that happens after 10 bad guesses
  2. enable submitting passcodes at a high speed electronically rather than forcing a human to type them one-by-one
  3. likely accomplish this through a fimware update
The text of the court order almost exactly matches that of the "IOS Security Guide". In other words, while it may look fairly technical, actually the entirety of the technical stuff they are asking is described in one short document.

The problem the FBI is trying to solve is that when guessing passcodes is slow. The user has two options. One option is that every bad guess causes the wait between guesses to get longer and longer, slowing down guessing, forcing an hour between guesses. The other option is to have the phone erase itself after 10 bad guesses. Ether way, it makes guessing the passcode impractical. The FBI is demanding the Apple update the software of the phone to prevent either of these things from happening.

The phone is an iPhone 5C, first released in September 2013, so is quite old. This increases the chance that Continue reading

We’ve always been at war with Eastasia

Our media is surprisingly Orwellian, and it's not always due to government control. People practice "doublethink" at their own volition, without a Thought Police. Social media (Twitter, Facebook) are instituting their own private Thought Police. Online journalism now means that the press is free to edit old articles, to change past reporting to conform to new political realities.

Consider the example in the book 1984 regarding the ongoing war between the three superstates of Oceania, Eurasia, and Eastasia (representing English, Russian, and Chinese empires respectively).

At the start of the book, Oceania is at war with Eurasia. They have always been at war with Eurasia. That's the political consensus, and all historic documents agree. However, Winston Smith (the protagonist) remembers a time five years ago when Oceania was instead at war with Eastasia. Winston Smith struggles with philosophical idea of "truth". Which is more true, what everyone knows and what's in the newspapers, or the memories within his head?

Then Ocean's allegiance switched back again. On the sixth day of Hate Week, as crowds gathered to denounce Eurasia, the Party switched enemies to Eastasia. In a particularly rousing speech against their enemy, the speaker was handed a slip of paper, Continue reading

Fscking Visual Studio Code JS Hello World

The reason Linux never succeeded on the desktop is the lack of usability testing. Open-source programmers hate users, and created such an ugly baby that only a fanboy could love it. It's funny watching the same thing happen to "Visual Studio Code", Microsoft's answer to the Atom editor. You'd think with Microsoft behind it, that it'd be guided by usability testing. The opposite is true. It spends a lot of time hyping it, but every time I try to use it, I encounter unreasonable hurdles for the simplest of things. It's the standard open-source paradigm -- they only spend effort to make something work in theory without the extra effort to make it usable in practice.

The most common thing you'll want to do is first create a "hello world" program, then debug it. As far as I can tell, there are no resources that'll explain how to do this. So, for JavaScript on Windows, I thought I'd explain how this works.

Firstly, you'll need to install NodeJS and VS Code. Just choose the defaults, it's uneventful.

Secondly, you need to understand how projects work. This is the first hurdle everyone has with an IDE. You don't simply run the Continue reading

3 Reasons Why Your Security Strategy is not Mobile-Cloud Era Ready (Webcast)

Geoff Huang, VMware

Geoff Huang, VMware

As technology evolves, companies adapt and grow. We are no longer confined to conducting business within brick and mortar offices. We can hold a meeting on our tablet in a coffee shop or organize our schedules in our smartphones at the grocery store. Even storage has travelled from overflowing file cabinets into a vast, expansive cloud that can be reached from portable devices wherever, whenever. As businesses go mobile, security is more vital than ever, and it’s important that we enhance it while remaining productive. But how can we be certain that our valuable, business-critical resources are protected?

Geoff Huang, VMware’s Director of Product Marketing, Networking and Security, will host this half-hour webcast on February 18th at 11:00 am PST on why yesterday’s security measurements have become inadequate with the rise of network virtualization, and how NSX can offer a remedy in the modern, mobile workspace.

The truth is, the mobile cloud’s increased efficiency also comes with increased security threats. Before, security was created by building a moat around a network to guard company resources against outsiders trying to break-in. Once that network transitions into a mobile workspace, however, its borders can no longer be tangibly defined, so Continue reading

Hackers aren’t smart — people are stupid

The cliche is that hackers are geniuses. That's not true, hackers are generally stupid.

The top three hacking problems for the last 10 years are "phishing", "password reuse", and "SQL injection". These problems are extremely simple, as measured by the fact that teenagers are able to exploit them. Yet they persist because, unless someone is interested in hacking, they are unable to learn them. They ignore important details. They fail at grasping the core concept.


Phishing

Phishing happens because the hacker forges email from someone you know and trust, such as your bank. It appears nearly indistinguishable from real email that your bank might send. To be fair, good phishing attacks can fool even the experts.

But when read advice from "experts", it's often phrased as "Don't open emails from people you don't know". No, no, no. The problem is that emails appear to come from people you do trust. This advice demonstrates a lack of understanding of the core concept.

What's going on here is human instinct. We naturally distrust strangers, and we teach our children to distrust strangers.Therefore, this advice is wired into our brains. Whatever advice we hear from experts, we are likely to translate it Continue reading

Nothing says “establishment” as Vox’s attack on Trump

I keep seeing this Ezra Klein Vox article attacking Donald Trump. It's wrong in every way something can be wrong. Trump is an easy target, but the Vox piece has almost no substance.

Yes, it's true that Trump proposes several unreasonable policies, such as banning Muslims from coming into this country. I'll be the first to chime in and call Trump a racist, Nazi bastard for these things.

But I'm not sure the other candidates are any better. Sure, they aren't Nazis, but their politics are just as full of hate and impracticality. For example, Hillary wants to force Silicon Valley into censoring content, brushing aside complaints from those people overly concerned with "freedom of speech". No candidate, not even Trump, is as radical as Bernie Sanders, who would dramatically reshape the economy. Trump hates Mexican works inside our country, Bernie hates Mexican workers in their own countries, championing punishing trade restrictions.

Most of substantive criticisms Vox gives Trump also applies to Bernie. For example, Vox says:
His view of the economy is entirely zero-sum — for Americans to win, others must lose. ... His message isn't so much that he'll help you as he'll hurt them... 
That's Bernie's Continue reading
1 150 151 152 153 154 178