Net ring-buffers are essential to an OS
Even by OpenBSD standards, this rejection of 'netmap' is silly and clueless.BSD is a Linux-like operating system that powers a lot of the Internet, from Netflix servers to your iPhone. One variant of BSD focuses on security, called "OpenBSD". A lot of security-related projects get their start on OpenBSD. In theory, it's for those who care a lot about security. In practice, virtually nobody uses it, because it makes too many sacrifices in the name of security.
"Netmap" is a user-space network ring-buffer. What that means is the hardware delivers network packets directly to an application, bypassing the operating system's network stack. Netmap currently works on FreeBSD and Linux. There are projects similar to this known as "PF_RING" and "Intel DPDK".
The problem with things like netmap is that it means the network hardware no longer is a shareable resource, but instead must be reserved for a single application. This violates many principles of a "general purpose operating system".
In addition, it ultimately means that the application is going to have to implement it's own TCP/IP stack. That means it's going to repeat all the same mistakes of the past, such as "ping of death" when a Continue reading
How not to be a better programmer
Over at r/programming is this post on "How to be a better programmer". It's mostly garbage.Don't repeat yourself (reuse code)
Trying to reuse code is near the top of reasons why big projects fail. The problem is that while the needs of multiple users of a module may sound similar, they are often different in profound ways that cannot be reconciled. Trying to make the same bit of code serve divergent needs is often more complex and buggy than multiple modules written from the ground up for each specific need.
Yes, we adhere to code cleanliness principles (modularity, cohesion) that makes reuse easier. Yes, we should reuse code when the needs match close enough. But that doesn't mean we should bend over backwards trying to shove a square peg through a round hole, and the principle that all pegs/holes are the same.
Give variables/methods clear names
Programmers hate to read other code because the variable names are unclear. Hence the advice to use "clear names" that aren't confusing.
But of course, programmers already think they are being clear. No programmer thinks to themselves "I'm going to be deliberately obtuse here so that other programmers won't understand". Therefore, Continue reading
Security ‘net: Digital Copyright Edition
The world of digital copyright is somewhat tangential to “real” security, but it’s a culture issue that impacts every network engineer in myriad ways. For instance, suppose you buy a small home router, and then decide you really want to run your own software on it. For instance, let’s say you really want to build your own router because you know what you can build will outperform what’s commercially available (which, by the way, it will). But rather than using an off box wireless adapter, like the folks at ARS, you really want to have the wireless on board.
Believe it or not, this would be considered, by some folks, as a pretty large act of copyright infringement. For instance, the hardware manufacturer may object to you replacing their software. Or the FCC or some other regulatory agency might even object because they think you’re trying to hog wireless spectrum, or because you don’t like what the wireless providers are doing. The EFF has a good piece up arguing that just such tinkering as replacing the operating system on a commercially purchased device is at the heart of digital freedom.
One of the most crucial issues in the fight for Continue reading
Whatever Happened to “Do No Harm”?
A long time ago in a podcast far, far away one of the hosts saddled his pony unicorn and started explaining how stateful firewalls work:
Stateful firewall is a way to imply trust… because it’s possible to hijack somebody’s flows […] and if the application changes its port numbers… my source port changes when I’m communicating with my web server - even though I’m connected to port 80, my source port might change from X to Y. Once I let the first one through, I need to track those port changes […]
WAIT, WHAT? Was that guy really trying to say “someone can change a source port number of an established TCP session”?
Read more ...IPv6 Microsegmentation in Data Center Environments
The proponents of microsegmentation solutions would love you to believe that it takes no more than somewhat-stateful packet filters sitting in front of the VMs to get rid of traditional subnets. As I explained in my IPv6 Microsegmentation talk (links below), you need more if you want to have machines from multiple security domains sitting in the same subnet – from RA guard to DHCPv6 and ND inspection.
Read more ...Why Security is a Leading Network Virtualization Driver
The SDxCentral research team dug into dozens of network virtualization customer customer case studies and use cases. We found one common characteristic emerging as a driver for many customer deployments: Security.
What to Learn From the Big Security Breaches
They may be your fault.
Flawed From the Start & Missing the Mark: Georgia’s Proposed Anti-Drone Legislation
By Elizabeth Wharton
Gaps between technology policy and technology practice at the federal level such as the Commerce Department’s proposed Wassenaar Arrangement rules, extend to the states as well. With over 168 drone-related bills considered by 45 states in 2015 according to the National Conference of State Legislatures, 2016 is already off to a Continue reading
Some notes C in 2016
On r/programming was this post called "How to C (as of 2016)". It has some useful advice, but also some bad advice. I thought I'd write up comments on the topic. As somebody mentioned while I was writing this, only responsible programmers should be writing in C. Irresponsible programmers should write other languages that have more training wheels. These are the sorts of things responsible programmers do.Use a debugger
The #1 thing you aren't doing, that you should be doing, is stepping through each line of code in a source level debugger as soon as you write it. If you only pull out the debugger to solve particularly difficult problems, then you are doing it wrong.
That means using an IDE like Visual Studio, XCode, or Eclipse. If you are only using an editor (without debugging capabilities), you are doing it wrong. I mention this because so many people are coding in editors that don't have debuggers. I don't even.
It's a concern for all language, but especially with C. When memory gets corrupted, you need to be able to dump structures and memory in order to see that. Why is x some weird value like 37653? Continue reading
The Schelling Game
At the Shmoocon conference, a vendor ("Breach Intelligence") is putting a card in ever schwag bag with an "IoC". The game works by giving everyone a different IoC, in pairs. If you find your matching IoC and come to their booth, they'll give you a free quadcopter.This is like the "Schelling Point", a question in game theory. You are supposed to meet somebody New York City, but neither of you have been told where to meet. So where do you go? The trick is to estimate the most logical place that the other person, using the same information as you, would make. Most people agree that the answer is the "information booth at Grand Central Station".
So how do you find your matching IoC to win the prize? One guy is walking around asking strangers to match cards. That's useful, because a lot of people who don't want to play the game simply give him their cards, so he's got an ever expanding list of possible matches.
My solution is to tweet the IoC, and of course, blog about it:
455f8979143415b9eed0e0d6fc153c1c— Rob Frosty Graham ❄️ (@ErrataRob) January 15, 2016If my partner searches Twitter, they will Continue reading
Automating VMware NSX Security Rules Creation using Splunk and Some Code
The VMware NSX network virtualization platform allows us to build sophisticated networking and security constructs in software. NSX has a rich RESTful API which allows one to build highly flexible and automated environments. In this blog, we’re going to focus on operations and automation; we’ll demonstrate one example of automation around security policies/rules that can be done with NSX.
VMware NSX allows for micro-segmentation with a distributed firewall service (DFW). The DFW is a kernel-level module and allows for enhanced segmentation and security across a virtualized environment. One of the common questions we get asked is, “how do I decide what rules to build?” NSX allows for multiple options to create rules such as the use of NSX flow-monitoring or analyzing traffic patterns via logging to create the rules.
We’ll demonstrate how the VMware NSX DFW can be monitored with the popular Splunk platform. Further, we’ll demonstrate, along with using Splunk for monitoring traffic passing through the DFW, how the NSX REST API can be leveraged to automate workflows and creation of DFW rules. Continue reading
OpenSSH Has Had a Security Hole Since 2010
A hole in OpenSSH roaming has been out there since 2010.
Intel’s Ravi Varanasi Talks Mitigating SDDC Security Risks with the Help of HyTrust
Intel's Ravi Varanasi tackles best practices for securing the software-defined data center.
White House Security Director Nathaniel Gleicher Joins Illumio
Illumio has the funding, it has the customers, and now it has an ex-White House employee.
Top Three Attributes to Future Proof Your Data Center
What do you need to do to make sure your data center is ready for today's security challenges?
Fortinet’s 2014 Security Hole Gets Rediscovered
On the heels of Juniper's firewall incident, programmers spot a hole in FortiOS.
Powerball lessons for infosec
"Powerball" is a 44-state lottery whose prize now exceeds $1 billion, so there is much attention on it. I thought I'd draw some lessons for infosec.The odds of a ticket winning the top prize is 1 in 292-million. However, last week 440-million tickets were purchased. Why did nobody win?
Because most people choose their own numbers. Humans choose numbers that are meaningful and lucky to them, such as birthdays, while avoiding meaningless or unlucky numbers, like 13. such numbers clump. Thus, while theory tells us there should've been at least one winner if everyone chose their number randomly, in practice a large percentage of possible numbers go unchosen. (Letting the computer choose random numbers doesn't increase your odds of winning, but does decrease the odds of having to sharing the prize).
The same applies to passwords. The reason we can crack passwords, even the tough ones using salted hashes, is because we rely upon the fact that humans choose passwords themselves. This makes password guessing a tractable human problem, rather than an intractable mathematical problem.
The average adult in lottery states spends $300 a year on the lottery. The amount spent on lotteries is more than sports, movies, music, Continue reading
BASH Script for Dictionary Attack Against SSH Server
Although they are several dictionary password attack tools available for Linux such as Hydra, Ncrack, I have decided to practice BASH scripting and write a script getsshpass.sh that can perform dictionary attack against SSH server. The script reads usernames and passwords from dictionaries (the one for usernames and the one for passwords) and uses them one-by-one during its login attempt to remote SSH server. Once correct username and password are found, the script save them to the file result.txt and displays them on the desktop. Then it exits.
The script can be started either in a serial mode that opens only single SSH session to SSH server or in a parallel mode which allows multipe SSH sessions to be opened at the same time. Below are parameters of the script.
Picture 1 - Script Parameters
All parameters are self-explanatory. If a parameter -l is not entered the script is started in a default serial mode. In case of parallel mode is used (-l parameter) it is recommended to use -l parameter together with -n parameter. The -n parameter slows down generating SSH sessions by inserting fixed number of seconds before a new SSH session is generated. This helps the attack to be successful. According to my findings during Continue reading
Juniper Pledges to Remove a Weak Link From ScreenOS Security
The ScreenOS back door is closed, Juniper says, but a potential vulnerability is only now being removed.
How Do I Protect My Organisation from Exploit Kits?
Most network architects I’ve worked with seem quite familiar with botnets, but exploit kits (EKs) are somewhat of a mystery. I’ve recently come across a couple of good papers explaining the topic, one from CERT-UK titled ‘Demystifying the exploit kit’, available at the following URL: https://www.cert.gov.uk/resources/best-practices/demystifying-the-exploit-kit/ And ‘Evolution of Exploit Kits’ from Trend Micro: https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-evolution-of-exploit-kits.pdf […]
The post How Do I Protect My Organisation from Exploit Kits? appeared first on Packet Pushers.