Archive

Category Archives for "Security"

Research ‘net: Dirt jumper -smart

Distributed Denial of Service (DDoS) attacks are often used to hold companies—particularly wealthy companies, like financial institutions—to ransom. Given the number of botnets in the world which can be purchased by the hour, and the relative ease with which new systems can be infected (especially given the rise of the Internet of Things), it’s important to find new and innovative ways to protect against such attacks. Dirt Jumper is a common DDoS platform based on the original Dirt, widely used to initiate such attacks. Probably the most effective protection against DDoS attacks, particularly if you can’t pin down the botnet and block it on a per-IP-address basis (try that one some time) is to construct a tar pit that will consume the attacker’s resources at a rate faster than your server’s are consumed.

The paper linked here describes one such tar pit, and even goes into detail around a defect in the Dirt Jumper platform, and how the defenders exploited the defect. This is not only instructive in terms of understanding and countering DDoS attacks, it’s also instructive from another angle. If you think software is going to eat the world, remember that even hacking software has defects that Continue reading

Will Cisco Shine On?

Digital Lights

Cisco announced their new Digital Ceiling initiative today at Cisco Live Berlin. Here’s the marketing part:

And here’s the breakdown of protocols and stuff:

Funny enough, here’s a presentation from just three weeks ago at Networking Field Day 11 on a very similar subject:

Cisco is moving into Internet of Things (IoT) big time. They have at least learned that the consumer side of IoT isn’t a fun space to play in. With the growth of cloud connectivity and other things on that side of the market, Cisco knows that is an uphill battle not worth fighting. Seems they’ve learned from Linksys and Flip Video. Instead, they are tracking the industrial side of the house. That means trying to break into some networks that are very well put together today, even if they aren’t exactly Internet-enabled.

Digital Ceiling isn’t just about the PoE lighting that was announced today. It’s a framework that allows all other kinds of dumb devices to be configured and attached to networks that have intelligence built in. The Constrained Application Protocol (CoaP) is designed in such a way as to provide data about a great number of devices, not just lights. Yet lights are the launch Continue reading

Some notes on Apple decryption San Bernadino phone

Today, a judge ordered Apple to help the FBI decrypt the San Bernadino shooter's iPhone 5C. Specifically:
  1. disable the auto-erase that happens after 10 bad guesses
  2. enable submitting passcodes at a high speed electronically rather than forcing a human to type them one-by-one
  3. likely accomplish this through a fimware update
The text of the court order almost exactly matches that of the "IOS Security Guide". In other words, while it may look fairly technical, actually the entirety of the technical stuff they are asking is described in one short document.

The problem the FBI is trying to solve is that when guessing passcodes is slow. The user has two options. One option is that every bad guess causes the wait between guesses to get longer and longer, slowing down guessing, forcing an hour between guesses. The other option is to have the phone erase itself after 10 bad guesses. Ether way, it makes guessing the passcode impractical. The FBI is demanding the Apple update the software of the phone to prevent either of these things from happening.

The phone is an iPhone 5C, first released in September 2013, so is quite old. This increases the chance that Continue reading

We’ve always been at war with Eastasia

Our media is surprisingly Orwellian, and it's not always due to government control. People practice "doublethink" at their own volition, without a Thought Police. Social media (Twitter, Facebook) are instituting their own private Thought Police. Online journalism now means that the press is free to edit old articles, to change past reporting to conform to new political realities.

Consider the example in the book 1984 regarding the ongoing war between the three superstates of Oceania, Eurasia, and Eastasia (representing English, Russian, and Chinese empires respectively).

At the start of the book, Oceania is at war with Eurasia. They have always been at war with Eurasia. That's the political consensus, and all historic documents agree. However, Winston Smith (the protagonist) remembers a time five years ago when Oceania was instead at war with Eastasia. Winston Smith struggles with philosophical idea of "truth". Which is more true, what everyone knows and what's in the newspapers, or the memories within his head?

Then Ocean's allegiance switched back again. On the sixth day of Hate Week, as crowds gathered to denounce Eurasia, the Party switched enemies to Eastasia. In a particularly rousing speech against their enemy, the speaker was handed a slip of paper, Continue reading

Fscking Visual Studio Code JS Hello World

The reason Linux never succeeded on the desktop is the lack of usability testing. Open-source programmers hate users, and created such an ugly baby that only a fanboy could love it. It's funny watching the same thing happen to "Visual Studio Code", Microsoft's answer to the Atom editor. You'd think with Microsoft behind it, that it'd be guided by usability testing. The opposite is true. It spends a lot of time hyping it, but every time I try to use it, I encounter unreasonable hurdles for the simplest of things. It's the standard open-source paradigm -- they only spend effort to make something work in theory without the extra effort to make it usable in practice.

The most common thing you'll want to do is first create a "hello world" program, then debug it. As far as I can tell, there are no resources that'll explain how to do this. So, for JavaScript on Windows, I thought I'd explain how this works.

Firstly, you'll need to install NodeJS and VS Code. Just choose the defaults, it's uneventful.

Secondly, you need to understand how projects work. This is the first hurdle everyone has with an IDE. You don't simply run the Continue reading

3 Reasons Why Your Security Strategy is not Mobile-Cloud Era Ready (Webcast)

Geoff Huang, VMware

Geoff Huang, VMware

As technology evolves, companies adapt and grow. We are no longer confined to conducting business within brick and mortar offices. We can hold a meeting on our tablet in a coffee shop or organize our schedules in our smartphones at the grocery store. Even storage has travelled from overflowing file cabinets into a vast, expansive cloud that can be reached from portable devices wherever, whenever. As businesses go mobile, security is more vital than ever, and it’s important that we enhance it while remaining productive. But how can we be certain that our valuable, business-critical resources are protected?

Geoff Huang, VMware’s Director of Product Marketing, Networking and Security, will host this half-hour webcast on February 18th at 11:00 am PST on why yesterday’s security measurements have become inadequate with the rise of network virtualization, and how NSX can offer a remedy in the modern, mobile workspace.

The truth is, the mobile cloud’s increased efficiency also comes with increased security threats. Before, security was created by building a moat around a network to guard company resources against outsiders trying to break-in. Once that network transitions into a mobile workspace, however, its borders can no longer be tangibly defined, so Continue reading

Hackers aren’t smart — people are stupid

The cliche is that hackers are geniuses. That's not true, hackers are generally stupid.

The top three hacking problems for the last 10 years are "phishing", "password reuse", and "SQL injection". These problems are extremely simple, as measured by the fact that teenagers are able to exploit them. Yet they persist because, unless someone is interested in hacking, they are unable to learn them. They ignore important details. They fail at grasping the core concept.


Phishing

Phishing happens because the hacker forges email from someone you know and trust, such as your bank. It appears nearly indistinguishable from real email that your bank might send. To be fair, good phishing attacks can fool even the experts.

But when read advice from "experts", it's often phrased as "Don't open emails from people you don't know". No, no, no. The problem is that emails appear to come from people you do trust. This advice demonstrates a lack of understanding of the core concept.

What's going on here is human instinct. We naturally distrust strangers, and we teach our children to distrust strangers.Therefore, this advice is wired into our brains. Whatever advice we hear from experts, we are likely to translate it Continue reading

Nothing says “establishment” as Vox’s attack on Trump

I keep seeing this Ezra Klein Vox article attacking Donald Trump. It's wrong in every way something can be wrong. Trump is an easy target, but the Vox piece has almost no substance.

Yes, it's true that Trump proposes several unreasonable policies, such as banning Muslims from coming into this country. I'll be the first to chime in and call Trump a racist, Nazi bastard for these things.

But I'm not sure the other candidates are any better. Sure, they aren't Nazis, but their politics are just as full of hate and impracticality. For example, Hillary wants to force Silicon Valley into censoring content, brushing aside complaints from those people overly concerned with "freedom of speech". No candidate, not even Trump, is as radical as Bernie Sanders, who would dramatically reshape the economy. Trump hates Mexican works inside our country, Bernie hates Mexican workers in their own countries, championing punishing trade restrictions.

Most of substantive criticisms Vox gives Trump also applies to Bernie. For example, Vox says:
His view of the economy is entirely zero-sum — for Americans to win, others must lose. ... His message isn't so much that he'll help you as he'll hurt them... 
That's Bernie's Continue reading

E-Rate Dollars Can Now Be Used To Take Advantage of SDN with VMware NSX

The need for substantive network security in schools has never been greater. According to ID vmw-phto-nsx-erate-420x276-tnAnalytics, more than 140,000 minors are victims of identity fraud per year—and when their data is exposed, it is misused more frequently. One reason for this is that minors’ clean credit reports can make them extra attractive to identity thieves.

“The educational space is extremely concerned about ensuring [that] Personally Identifiable Information (PII) about students, and their respective data, is kept safe, secure, and only used for the learning environment,” says Jason Radford, head of operations for IlliniCloud. Continue reading

Firewall – Some Insight into the Cisco ASA Failover Process

I’m currently working on a design and needed to verify some failover behavior of the Cisco ASA firewall.

The ASA can run in active/active or active/standby mode where most deployments I see run in active/standby mode. When in a failover pair the firewalls will share an IP address and MAC address, very similar to HSRP or VRRP but it also synchronizes the state of TCP sessions, IPSec SA’s, routes and so on. The secondary firewall gets its config from the primary firewall so everything is configured exactly the same on both firewalls.

To verify if the other firewalls is reachable and to synchronize state, a failover link is used between the firewalls. The firewalls use a keepalive to verify if the other firewall is still there. This works just like any routing protocol running over a link where you expect to see a hello from your neighbor and if you miss 3 hello’s, the other firewall is gone. This timer can be configured and in my tests I used a hello of 333 ms and a holdtime of 999 ms which means that convergence should happen within one second.

The first scenario I was testing was to manually trigger a Continue reading

Twitter has to change

Today, Twitter announced that instead of the normal timeline of newest messages on top, they will prioritize messages they think you'll be interested in. This angers a lot of people, but my guess it's it's something Twitter has to do.

Let me give you an example. Edward @Snowden has 1.4 million followers on Twitter. Yesterday, he retweeted a link to one of my blogposts. You'd think this would've caused a flood of traffic to my blog, but it hasn't. That post still has fewer than 5000 pageviews, and is only the third most popular post on my blog this week. More people come from Reddit and news.ycombinator.com than from Twitter.

I suspect the reason is that the older twitter gets, the more people people follow. (...the more persons each individual Twitter customer will follow). I'm in that boat. If you tweeted something more than 10 minutes since the last time I checked Twitter, I will not have seen it. I read fewer than 5% of what's possible in my timeline. That's something Twitter can actually measure, so they already know it's a problem.

Note that the Internet is littered with websites that were once dominant in Continue reading
1 154 155 156 157 158 182