Defining “Gray Hat”
WIRED has written an article defining “White Hat”, “Black Hat”, and “Grey Hat”. It’s incomplete and partisan.Black Hats are the bad guys: cybercriminals (like Russian cybercrime gangs), cyberspies (like the Chinese state-sponsored hackers that broke into OPM), or cyberterrorists (ISIS hackers who want to crash the power grid). They may or may not include cybervandals (like some Anonymous activity) that simply defaces websites. Black Hats are those who want to cause damage or profit at the expense of others.
White Hats do the same thing as Black Hats, but are the good guys. The break into networks (as pentesters), but only with permission, when a company/organization hires them to break into their own network. They research the security art, such vulnerabilities, exploits, and viruses. When they find vulnerabilities, they typically work to fix/patch them. (That you frequently have to apply security updates to your computers/devices is primarily due to White Hats). They develop products and tools for use by good guys (even though they sometimes can be used by the bad guys). The movie “Sneakers” refers to a team of White Hat hackers.
Grey Hat is anything that doesn’t fit nicely within these Continue reading
2016 Security Infrastructure Survey is Here!
Take survey and enter to win one of two $200 Amazon Gift Cards.
Securing BGP: A Case Study (6)
In my last post on securing BGP, I said—
The CAP theorem post referenced above is here.
Before I dive into the technical issues, I want to return to the business issues for a moment. In a call this week on the topic of BGP security, someone pointed out that there is no difference between an advertisement in BGP asserting some piece of information (reachability or connectivity, take your pick), and an advertisements outside BGP asserting this same bit of information. The point of the question is this: if I can’t trust you to advertise the right thing in one setting, then why should I trust you to advertise the right thing in another? More specifically, if you’re using Continue reading
Real-Life Software Defined Security @ Troopers 16
The organizers of Troopers 16 conference published the video of my Real-Life Software Defined Security talk. The slides are available on my web site.
Hope you’ll enjoy the talk; for more SDN use cases watch the SDN Use Cases webinar.
No, Internet should be capitalized
The AP Stylebook and others are now declaring that "Internet" should no longer be capitalized, that you should just say "internet" instead. This is wrong, because the Internet is just an internet.Internet is short for internetwork. This was a term developed in the 1970s to describe interconnecting networks together.
There were many internetworks back then. Each major computer manufacturer had its own, incompatible internetworking "protocol". IBM with it's SNA, DEC with it's DECnet, Xerox with XNS, and later Apple with its AppleTalk.
Since it would be nice to interconnect all computers, and not be locked into a single manufacturer, many efforts were taken to standardize internetworking protocols, so that all computers could be placed on the same network. Most people put their support behind GOSIP, the "Government Open Systems Interconnect Profile", a standard created by the biggest corporations and the biggest governments.
However, in 1982, the DoD paid a consulting company to added Xerox's XNS and a research project called "TCP/IP" into an early form of Unix. This form of Unix, called "BSD", was popular among universities. The DoD's goal was to make it easier for researchers who it funded to talk to each other. After this point, universities Continue reading
Technology Short Take #64
Welcome to Technology Short Take #64. Normally, I try to publish Short Takes on Friday, but this past Friday was April Fools’ Day. Given the propensity for “real” information to get lost among all the pranks, I decided to push this article back to today. Unlike most of what is published around April Fools’ Day, hopefully everything here is helpful, informative, and useful!
Networking
- Phil Gervasi has an article on fate sharing in the network core, where he discusses some of the advantages—and disadvantages—of centralizing the control plane in network designs. The examples Phil uses include StackWise, Virtual Switching System, and Virtual Port Channels.
- Alban Crequy has a post on using Linux queueing disciplines (qdiscs, for short) to help with testing application behavior under degraded network conditions. This is really interesting and something that I want to explore in more detail.
- Cumulus Networks has added another hardware partner to its list of supported hardware partners; this time it’s Mellanox, as outlined in this SDx Central article.
- Carlos Cardenas has a great post that does a great job of explaining SAI (Switch Abstraction Interface) and switchdev, two key abstraction layers involved in building Linux-based network operating systems (NOSes). Carlos Continue reading
Some notes on Ubuntu Bash on Windows 10
So the latest news is that you can run Ubuntu and bash on Windows 10. In other words, from the bash command-line, you execute apt-get to get/run any Ubuntu binary -- the same binary that runs on Linux. How do it work?I don't know yet, but browsing around on the Internet suggests that it's a kernel driver in Windows that emulates Linux system calls.
Remember, the operating system is two parts: the kernel and user-space. The interaction between them is ~300 system-calls. Most of these are pretty straight-forward, such as opening a file, reading from the file, and closing the file.
To make a system call, you put the integer number in eax/rax register, fill in the other registers as needed, then calling the SYSENTER instruction.
Each process maintains a table of what the system calls do. In fact, a hacker/debugging/reversing technique is to edit that table in order to hook system calls, do some hackery things, then call the original system call.
That means Microsoft can write a driver, that runs in the kernel, that replaces the system calls for a process, from Windows ones to Linux ones. This driver then needs to emulate the Linux functionality. Continue reading
tl;dr of LambdaConf drama
Short: SJWs dont like person's politics, try to shutdown small programming con due to person being speaker. (from @jcase).Longer: LambdaConf (a tiny conference for LISP-like programming languages) accepted a speaker with objectionable political views, who under a pseudonym spouted Nazi-like propaganda. "Social justice" activists complained. The conference refused to un-invite the speaker, since his talk content was purely technical, not political. Also, because free-speech. Activists then leaned on sponsors, many of whom withdrew their support of the conference. Free-speech activists took up a collection, and replaced the lost money, so that the conference could continue.
Much longer:
LambaConf is just a tiny conference put on by a small number of people. It exists because, in the last few years, there has been a resurgent interest in "functional languages".
The speaker in question is Curtis Yarvin. He has weird views, like wanting to establish a monarchy. Last year, he was censored from a similar conference "Strangeloop" for a similar reason: a technical, non-political talk censored because people couldn't tolerate his politics. The current talk seems to be similar to last one, about his "Urbit" project.
LambdaConf, in the spirit of diversity, stripped the authors names when Continue reading
Automating Security Group and Policy Creation with NSX REST API
As we’ve seen in many of the prior posts, VMware NSX is a powerful platform decoupling networking services from physical infrastructure. NSX effectively enables logical networking and security within a virtualized environment; this brings many of the same benefits we’re familiar with gaining from server virtualization such as flexibility, faster provisioning, better utilization of hardware, cost savings, decreased downtime, etc. One of the major benefits of the software approach that NSX brings is the ability to automate easily via REST API. In this post, we’ll take a look at a simple yet realistic use case focused around security where automation can help. Continue reading
Docker Machine, OpenStack, and SSH Keys
I wanted to provide readers a quick “heads up” about some unexpected behavior regarding Docker Machine and OpenStack. It’s not a huge deal, but it could catch someone off-guard if they aren’t aware of what’s happening.
This post builds on the earlier post I published on using Docker Machine with OpenStack; specifically, the section about using Docker Machine’s native OpenStack driver to provision instances on an OpenStack cloud. As a quick recap, recall that you can provision instances on an OpenStack cloud (and have Docker Engine installed and configured on those instances) with a command like this:
docker-machine create -d openstack
--openstack-flavor-id 3
--openstack-image-name "Ubuntu 14.04.3 LTS x64"
--openstack-net-name lab-net-5
--openstack-floatingip-pool ext-net-5
--openstack-sec-groups docker,basic-services
instance-name
(Note that I didn’t include all of the optional parameters; refer to either my earlier blog post or the Docker Machine OpenStack driver reference for more details).
One of the optional parameters for Docker Machine’s OpenStack driver is the --openstack-keypair-name parameter, which allows you to specify the name of an existing keypair to use with instances created by Docker Machine. If you omit this parameter, as I have above, then Docker Machine will auto-generate a new SSH Continue reading
HyTrust Intel Compliant SDDC Webinar Q&A: Five Key Questions For a Secure & Compliant SDDC
Your questions from the HyTrust Intel webinar on a secure & compliant SDDC are answered here in this Q&A post. Take a peek!
Sometimes techy details matter
How terrorists use encryption is going to become central to the Cryptowars 2.0 debate. Both sides are going to cite the case of Reda Hame described in this NYTimes article. On one hand, it shows that terrorists do indeed use encryption. On the other hand, the terrorists used TrueCrypt, which can't be stopped, no matter how many "backdoor" laws the police-state tries to pass.The problem with the NYTimes article is that the technical details are garbled. (Update: at the bottom, I correct them). Normally, that's not a problem, because we experts can fill in the details using basic assumptions. But the technique ISIS used is bizarre, using TrueCrypt containers uploaded to a file-sharing site. This is a horrible way to pass messages -- assumptions we make trying to fill in the blanks are likely flawed.
Moreover, there is good reason to distrust the NYTimes article. Small details conflict with a similar article in the French newspaper Le Monde from January 6. Both articles are based on the same confession by Reda Hame from last August.
For example, in discussing a training accident with a grenade, the NYTimes article says "Mr. Hame did not throw it far Continue reading
How to detect TrueCrypt blobs being passed around
So, challenge accepted:@ErrataRob you’re up for writing the blog post “detecting TrueCrypt/encrypt blob transfers” on the wire…— the grugq (@thegrugq) March 29, 2016
tl;dr: The NSA should be able to go back through it's rolling 90 day backlog of Internet metadata and find all other terrorist cells using this method.
From what we can piece together from the NYTimes article, it appears that ISIS is passing around TrueCrypt container files as a way of messaging. This is really weird. It has the has the property of security through obscurity, which is that it has the nice property of evading detection for a while because we'd never consider that ISIS would do such a strange thing. But it has the bad property that once discovered, it now becomes easier to track. With the keys found on the USB drive, we can now start decrypting things that were a mystery before.
We are going off of very little information at the moment, but let's imagine some fictional things.
First, we need to figure out what is meant by a file or hosting site in Turkey. Such hosting sites are all over the place, as you can find with a Continue reading
Join Networking and Security Sessions at VMware’s Largest Online Conference!
If you missed a VMware vForum in a city near you, you can still join us on April 19th for vForum
Online! At this free digital event, you’ll get practical guidance, and develop new strategies for building a digital success plan across the cloud, the virtualized network, and mobile. Continue reading
Some other comments on the ISIS dead-drop system
So, by the time I finished this, this New York Times article has more details. Apparently, it really is just TrueCrypt. What's still missing is how the messages are created. Presumably, it's just notepad. It's also missing the protocol used. It is HTTP/FTP file upload? Or do they log on via SMB? Or is it a service like DropBox?Anyway, I think my way is better for sending messages that I describe below:
Old post:
CNN is reporting on how the Euro-ISIS terrorists are using encryption. The details are garbled, because neither the terrorists, the police, or the reporters understand what's going on. @thegrugq tries to untangle this nonsense in his post, but I have a different theory. It's pure guesswork, trying to create something that is plausibly useful that somehow fits the garbled story.
I assume what's really going is this.
Comments on the FBI success in hacking Farook’s iPhone
Left-wing groups like the ACLU and the EFF have put out "official" responses to the news the FBI cracked Farook's phone without help from the Apple. I thought I'd give a response from a libertarian/technologist angle.First, thank you FBI for diligently trying to protect us from terrorism. No matter how much I oppose you on the "crypto backdoors" policy question, and the constitutional questions brought up in this court case, I still expect you to keep trying to protect us.
Likewise, thank you FBI for continuing to be open to alternative means to crack the phone. I suppose you could've wrangled things to ignore people coming forward with new information, in order to pursue the precedent, in the longer term policy battle. I disagree with the many people in my Twitter timeline who believe this was some sort of FBI plot -- I believe it's probably just what the FBI says it is: they first had no other solution, then they did.
Though, I do wonder if the FBI's lawyers told them they would likely lose the appeal, thus setting a bad precedent, thus incentivizing the FBI to start looking for an alternative to get out of the case. Continue reading
United States Hosts 72% Of Compromised DNS Domains
A recent report from Infoblox says the U.S. far and away hosted the largest number of domains that were used “for hosting and launching attacks using malicious DNS infrastructure” in the fourth quarter of 2015.
The post United States Hosts 72% Of Compromised DNS Domains appeared first on Packet Pushers.
United States Hosts 72% Of Compromised DNS Domains
A recent report from Infoblox says the U.S. far and away hosted the largest number of domains that were used “for hosting and launching attacks using malicious DNS infrastructure” in the fourth quarter of 2015.
The post United States Hosts 72% Of Compromised DNS Domains appeared first on Packet Pushers.
Drop and bogons list on Cisco router
The Cyberspace a.k.a. the Internet is full of bad guys wanting to mess with our computers right? Of course everyone of us have a firewall configured with proper access and inspection rules, don’t ya? Spamhaus and Team Cymru can help providing list of known bad IPs and subnets that should be filtered in our networks. […]Prophylactic Network Security
This week’s comedy gold was listening to a conversation emanating from a nearby inhabitant of our corporate cube accomodations, where one of my colleagues, Bob, was explaining to another coworker, George, the reasoning behind the decision to deploy firewalls to a particular new location.
Roughly summarized, the argument was this:
George, deploying a firewall is like having sex.
(No; I confess I had not anticipated ever typing that particular sentence, and I hope I never have to type it again.)
When you want to have sex, you decide whether you want a baby, and thus you choose whether or not to use contraception. If you don’t use contraception, while there’s no guarantee that a baby will arrive, there’s a real good chance that it will, so don’t be surprised if it does. Contraception isn’t perfect, but it at least reduces the likelihood of having a baby.
I confess I was laughing hard as I listened to the explanation because it’s an inspired analogy. However, buried somewhere in my subconscious was an Australian voice saying something like All these security products are a waste of money. It’s cheaper to save the money you would have spent, deal with a breach Continue reading