Archive

Category Archives for "Security"

An open letter to Sec. Ashton Carter

Hi.

For security research, I regularly "mass scan" the entire Internet. For example, my latest scan shows between 250,000 and 300,000 devices still vulnerable to Heartbleed. This is legal. This is necessary security research. Yet, I still happily remove those who complain and want me to stop scanning them.

The Department of Defense didn't merely complain, but made threats, forcing me to stop scanning them. You guys were quite nasty about it, forcing me to figure out for myself which address ranges belong to the DoD.

These threats are likely standard procedure at the DoD, investigating every major source of scans and shutting down those you might have power over. But the effect of this is typical government corruption, preventing me from reporting the embarrassing detail of how many DoD systems are still vulnerable to Heartbleed (but without stopping the Chinese or Russians from knowing this detail).

Please remove your threats, so that I can scan the DoD in the same way I scan the rest of the Internet. This weekend I'll be scanning the Internet for systems susceptible to the DROWN attack. I would like to include DoD in those scans.

I write to you now because you are Continue reading

Cisco Enterprise NFV, DNA, IWAN and a bunch of other acronyms

So Cisco had some big announcements today. Cisco Digital Network Architecture (DNA).  Ohhh, sounds fancy. Let me put on something a little more formal before I get too involved in the post. So what are all these awesome acronyms, you may be wondering? Well basically we start with DNA, which is the overall ecosystem that […]

The post Cisco Enterprise NFV, DNA, IWAN and a bunch of other acronyms appeared first on Packet Pushers.

Juniper Introduces Software-Defined Secure Networks, Integrating Threat Detection & Adaptive Policy Control for Network Wide Enforcement

Traditional perimeter-based approaches to security are not enough to protect against increasingly sophisticated attacks that engineer their way into internal networks. Juniper introduces software-defined secure networks, a new model that integrates adaptive policy detection and enforcement into the entire network.

A tale of a DNS exploit: CVE-2015-7547

This post was written by Marek Vavruša and Jaime Cochran, who found out they were both independently working on the same glibc vulnerability attack vectors at 3am last Tuesday.

A buffer overflow error in GNU libc DNS stub resolver code was announced last week as CVE-2015-7547. While it doesn't have any nickname yet (last year's Ghost was more catchy), it is potentially disastrous as it affects any platform with recent GNU libc—CPEs, load balancers, servers and personal computers alike. The big question is: how exploitable is it in the real world?

It turns out that the only mitigation that works is patching. Please patch your systems now, then come back and read this blog post to understand why attempting to mitigate this attack by limiting DNS response sizes does not work.

But first, patch!

Man in the middle attack (MitM)

Let's start with the PoC from Google; it uses the first attack vector described in the vulnerability announcement. First, a 2048-byte UDP response forces buffer allocation, then a failure response forces a retry, and finally the last two answers smash the stack.

$ echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
$ sudo python poc. Continue reading

Early Internet services considered harmful

This journalist, while writing a story on the #FBIvApple debate, got his email account hacked while on the airplane. Of course he did. His email account is with Earthlink, an early Internet services provider from the 1990s. Such early providers (AOL, Network Solutions, etc.) haven't kept up with the times. If that's still your email, there's pretty much no way to secure it.

Early Internet stuff wasn't encrypted, because encryption was hard, and it was hard for bad guys to tap into wires to eavesdrop. Now, with open WiFi hotspots at Starbucks or on the airplane, it's easy for hackers to eavesdrop on your network traffic. Simultaneously, encryption has become a lot easier. All new companies, those still fighting to acquire new customers, have thus upgraded their infrastructure to support encryption. Stagnant old companies, who are just milking their customers for profits, haven't upgraded their infrastructure.

You see this in the picture below. Earthlink supports older un-encrypted "POP3" (for fetching email from the server), but not the new encrypted POP3 over SSL. Conversely, GMail doesn't support the older un-encrypted stuff (even if you wanted it to), but only the newer encrypted version.

Thus, if you are a reporter using Continue reading

Introducing CloudFlare Registrar: Designed for Security, Not the Masses

At CloudFlare, we’ve constructed one of the world’s largest networks purpose-built to protect our customers from a wide range of attacks. We’re so good at it that attackers increasingly look for ways to go around us, rather than go through us. One of the biggest risks for high-profile customers has been having their domain stolen at the registrar.

In 2013, we became intimately familiar with this problem when domains for the New York Times were hijacked and the newspaper’s CTO reached out to us to help get it back. We were able to assist, but the newspaper had its web and email traffic rerouted for hours.

Since the New York Times domain hijack, a number of other sites have had their domains stolen. We ourselves have seen multiple attempts to take control of CloudFlare’s registrar account. Thankfully, none have been successful—but some have gotten closer than we were comfortable with. Given the risk, we began looking for a registrar with security protocols that we could trust.

A Brief History of Registries and Registrars

In the early days of the Internet, domain registration was free. As the Internet began to take off, demand for domain registrations exploded. In 1993, unable to Continue reading

Security ‘net: Security by obscurity

This week I have two major themes to discuss on the topic of security, and one interesting bit of research. Let’s start with some further thoughts on security by obscurity.

First: Obscurity isn’t security

I’ve heard this at least a thousand times in my life as a network engineer, generally stated just about the time someone says, “well, we could hide this server…” Reality, of course, is far different; I still put curtains on my house even though they don’t increase the amount of time it takes a thief to break in. Whether or not we want to believe it, obscurity does play a positive role in security.

But there are two places where obscurity is a bad thing in the world of security. The first is the original reference of this common saying: algorithms and implementations. Hiding how you encrypt things doesn’t improve security; in fact, it decreases the overall security of the system. The second place? Communication between companies and security professionals about the types, frequency, and methods of attack. Imagine, for a moment, that you were commanding a unit on a battlefield. You hear the sounds of combat in the distance. Realizing a unit in your army is Continue reading

Band-Aids over Basics: Anti-Drone Bill Revisions Compound Earlier Missteps

Glossing over fundamental legislation flaws in favor of quick fixes only serves lawyers and lobbyists.  In this guest post, friend of Errata Elizabeth Wharton (@lawyerliz) highlights the importance of fixing the underlying technology concepts as Georgia’s anti-drone legislation continues to miss the mark and kill innovation. 

by Elizabeth Wharton

Georgia's proposed anti-drone legislation, HB 779, remains on a collision course to crush key economic drivers and technology innovations within the state. Draft revisions ignore all of the legislation's flawed technical building blocks in favor of a series of peripheral provision modifications (in some cases removing entire safe harbor carve-outs), making a bad piece of legislation worse for Georgia's film, research, and aviation technology industries. Only the lawyers and lobbyists hired to challenge and defend the resulting lawsuits benefit from this legislative approach. Georgia should scrap this piecemeal, awkward legislation in favor of a commission of industry experts to craft a policy foundation for unmanned aircraft systems within Georgia.

Band-aid technology policy approaches skip over the technical issues and instead focus on superficial revisions.  Whether a company is prohibited from flying over a railroad track in addition to a road becomes a moot point when the definition of Continue reading

“Split and smear” your security policies: Static Unidimensional vs. Dynamic Multi-Dimensional Policies

In my previous post I explained why current security architectures aiming at inspecting all inline traffic via hardware appliances are failing to provide proper segmentation and scale in modern day data centers.  As I described, this has nothing to do with the type of security technology being deployed but rather with engineering security services that can answer the requirements of scale, high bandwidth, micro-segmentation and distributed applications.

We have to remind ourselves why we are having these architectural discussions: the application and service landscape has been virtualized, generally in excess of 70%, while entertaining any cloud solution will force you down the path of moving to 100% virtualization. Yes, there are still physical servers and legacy applications to which we will extend security services. But instead of being the norm, we now have to consider their place in the overall architecture as exceptions and design security and networking services around what makes up the bulk of the workloads, i.e. virtualized applications in the form of VMs and containers.

With this understanding, let’s discuss how years of deploying hardware security architectures have boxed us into a complex unidimensional, sequential approach to security policies and how we can now move beyond this implementation scheme with virtualization and the proper software tools. Continue reading

The disingenuous question (FBIvApple)

I need more than 140 characters to respond to this tweet:

It's an invalid question to ask. Firstly, it's asking for the emotional answer, not the logical answer. Secondly, it's only about half the debate, when the FBI is on your side, and not against you.

The emotional question is like ISIS kidnappings. Logically, we know that the ransom money will fund ISIS's murderous campaign, killing others. Logically, we know that paying this ransom just encourages more kidnappings of other people -- that if we stuck to a policy of never paying ransoms, then ISIS would stop kidnapping people.

If it were my loved ones at stake, of course I'd do anything to get them back alive and healthy, including pay a ransom. But at the same time, logically, I'd vote for laws to stop people paying ransoms. In other words, I'd vote for laws that I would then happily break should the situation ever apply to me.

Thus, the following question has no meaning in a policy debate over paying Continue reading

About McAfee’s claim he could unlock iPhone

So John McAfee has claimed he could unlock the terrorist's iPhone. Is there any truth to this?

http://www.businessinsider.com/john-mcafee-ill-decrypt-san-bernardino-phone-for-free-2016-2

No, of course this is bogus. If McAfee could do it, then he'd already have done it.

In other words, if it were possible, he'd just say "we've unlocked an iPhone 5c running iOS 9 by exploiting {LTE baseband, USB stack, WiFi stack, etc.}, and we can therefore do the same thing for the terrorist's phone". Otherwise, it's just bluster, because everyone knows the FBI won't let McAfee near the phone in question without proof he could actually accomplish the task.

There's a lot of bluster in the hacking community like this. There is a big difference between those who have done, and those who claim they could do.

I suggest LTE baseband, USB stack, and WiFi stack because that's how I'd attack the phone. WiFi these days is pretty well tested, so that's the least likely, but LTE and USB should be wide open. I wouldn't do anything to help the FBI, though. The corrupt FBI goes around threatening security researchers like me, trampling on our rights, so they've burned a lot of bridges with precisely the people Continue reading

Research ‘net: Dirt jumper -smart

Distributed Denial of Service (DDoS) attacks are often used to hold companies—particularly wealthy companies, like financial institutions—to ransom. Given the number of botnets in the world which can be purchased by the hour, and the relative ease with which new systems can be infected (especially given the rise of the Internet of Things), it’s important to find new and innovative ways to protect against such attacks. Dirt Jumper is a common DDoS platform based on the original Dirt, widely used to initiate such attacks. Probably the most effective protection against DDoS attacks, particularly if you can’t pin down the botnet and block it on a per-IP-address basis (try that one some time) is to construct a tar pit that will consume the attacker’s resources at a rate faster than your server’s are consumed.

The paper linked here describes one such tar pit, and even goes into detail around a defect in the Dirt Jumper platform, and how the defenders exploited the defect. This is not only instructive in terms of understanding and countering DDoS attacks, it’s also instructive from another angle. If you think software is going to eat the world, remember that even hacking software has defects that Continue reading

Will Cisco Shine On?

Digital Lights

Cisco announced their new Digital Ceiling initiative today at Cisco Live Berlin. Here’s the marketing part:

And here’s the breakdown of protocols and stuff:

Funny enough, here’s a presentation from just three weeks ago at Networking Field Day 11 on a very similar subject:

Cisco is moving into Internet of Things (IoT) big time. They have at least learned that the consumer side of IoT isn’t a fun space to play in. With the growth of cloud connectivity and other things on that side of the market, Cisco knows that is an uphill battle not worth fighting. Seems they’ve learned from Linksys and Flip Video. Instead, they are tracking the industrial side of the house. That means trying to break into some networks that are very well put together today, even if they aren’t exactly Internet-enabled.

Digital Ceiling isn’t just about the PoE lighting that was announced today. It’s a framework that allows all other kinds of dumb devices to be configured and attached to networks that have intelligence built in. The Constrained Application Protocol (CoAP) is designed in such a way as to provide data about a great number of devices, not just lights. Yet lights are the launch Continue reading