Archive

Category Archives for "Security"

How not to be a better programmer

Over at r/programming is this post on "How to be a better programmer". It's mostly garbage.


Don't repeat yourself (reuse code)


Trying to reuse code is near the top of reasons why big projects fail. The problem is that while the needs of multiple users of a module may sound similar, they are often different in profound ways that cannot be reconciled. Trying to make the same bit of code serve divergent needs is often more complex and buggy than multiple modules written from the ground up for each specific need.

Yes, we adhere to code cleanliness principles (modularity, cohesion) that makes reuse easier. Yes, we should reuse code when the needs match close enough. But that doesn't mean we should bend over backwards trying to shove a square peg through a round hole, and the principle that all pegs/holes are the same.


Give variables/methods clear names


Programmers hate to read other code because the variable names are unclear. Hence the advice to use "clear names" that aren't confusing.

But of course, programmers already think they are being clear. No programmer thinks to themselves "I'm going to be deliberately obtuse here so that other programmers won't understand". Therefore, Continue reading

Security ‘net: Digital Copyright Edition

security-netThe world of digital copyright is somewhat tangential to “real” security, but it’s a culture issue that impacts every network engineer in myriad ways. For instance, suppose you buy a small home router, and then decide you really want to run your own software on it. For instance, let’s say you really want to build your own router because you know what you can build will outperform what’s commercially available (which, by the way, it will). But rather than using an off box wireless adapter, like the folks at ARS, you really want to have the wireless on board.

Believe it or not, this would be considered, by some folks, as a pretty large act of copyright infringement. For instance, the hardware manufacturer may object to you replacing their software. Or the FCC or some other regulatory agency might even object because they think you’re trying to hog wireless spectrum, or because you don’t like what the wireless providers are doing. The EFF has a good piece up arguing that just such tinkering as replacing the operating system on a commercially purchased device is at the heart of digital freedom.

One of the most crucial issues in the fight for Continue reading

Whatever Happened to “Do No Harm”?

A long time ago in a podcast far, far away one of the hosts saddled his pony unicorn and started explaining how stateful firewalls work:

Stateful firewall is a way to imply trust… because it’s possible to hijack somebody’s flows […] and if the application changes its port numbers… my source port changes when I’m communicating with my web server - even though I’m connected to port 80, my source port might change from X to Y. Once I let the first one through, I need to track those port changes […]

WAIT, WHAT? Was that guy really trying to say “someone can change a source port number of an established TCP session”?

Read more ...

IPv6 Microsegmentation in Data Center Environments

The proponents of microsegmentation solutions would love you to believe that it takes no more than somewhat-stateful packet filters sitting in front of the VMs to get rid of traditional subnets. As I explained in my IPv6 Microsegmentation talk (links below), you need more if you want to have machines from multiple security domains sitting in the same subnet – from RA guard to DHCPv6 and ND inspection.

Read more ...

Flawed From the Start & Missing the Mark: Georgia’s Proposed Anti-Drone Legislation

Bad state laws can have the same chilling effect on technology as bad federal laws.  In this guest post, friend of Errata Elizabeth Wharton (@lawyerliz) discusses the latest anti-drone law introduced here in the Georgia legislature and how one bill manages to kill innovation across several key Georgia industries. 




By Elizabeth Wharton 
Georgia’s newly proposed anti-drone legislation is an economic and research buzz kill.  The bill, HB 779, through poorly crafted provisions places unnecessary red tape for use of drones by the film industry and by cellular, telephone, and cable utility companies.  It also completely shuts down Georgia's aerospace defense industry research (and related funding) conducted by universities including Georgia Tech and all related manufacturing by companies such as Lockheed Martin.  Biting the industry hands that bring billions of dollars into Georgia’s economy seems a bold move for state legislators, particularly during an election year.    

Gaps between technology policy and technology practice at the federal level such as the Commerce Department’s proposed Wassenaar Arrangement rules, extend to the states as well.  With over 168 drone-related bills considered by 45 states in 2015 according to the National Conference of State Legislatures, 2016 is already off to a Continue reading

Some notes C in 2016

On r/programming was this post called "How to C (as of 2016)". It has some useful advice, but also some bad advice. I thought I'd write up comments on the topic. As somebody mentioned while I was writing this, only responsible programmers should be writing in C. Irresponsible programmers should write other languages that have more training wheels. These are the sorts of things responsible programmers do.


Use a debugger


The #1 thing you aren't doing, that you should be doing, is stepping through each line of code in a source level debugger as soon as you write it. If you only pull out the debugger to solve particularly difficult problems, then you are doing it wrong.

That means using an IDE like Visual Studio, XCode, or Eclipse. If you are only using an editor (without debugging capabilities), you are doing it wrong. I mention this because so many people are coding in editors that don't have debuggers. I don't even.

It's a concern for all language, but especially with C. When memory gets corrupted, you need to be able to dump structures and memory in order to see that. Why is x some weird value like 37653? Continue reading

The Schelling Game

At the Shmoocon conference, a vendor ("Breach Intelligence") is putting a card in ever schwag bag with an "IoC". The game works by giving everyone a different IoC, in pairs. If you find your matching IoC and come to their booth, they'll give you a free quadcopter.

This is like the "Schelling Point", a question in game theory. You are supposed to meet somebody New York City, but neither of you have been told where to meet. So where do you go? The trick is to estimate the most logical place that the other person, using the same information as you, would make. Most people agree that the answer is the "information booth at Grand Central Station".

So how do you find your matching IoC to win the prize? One guy is walking around asking strangers to match cards. That's useful, because a lot of people who don't want to play the game simply give him their cards, so he's got an ever expanding list of possible matches.

My solution is to tweet the IoC, and of course, blog about it:

If my partner searches Twitter, they will Continue reading

Automating VMware NSX Security Rules Creation using Splunk and Some Code

The VMware NSX network virtualization platform allows us to build sophisticated networking and security constructs in software. NSX has a rich RESTful API which allows one to build highly flexible and automated environments. In this blog, we’re going to focus on operations and automation; we’ll demonstrate one example of automation around security policies/rules that can be done with NSX.

VMware NSX allows for micro-segmentation with a distributed firewall service (DFW). The DFW is a kernel-level module and allows for enhanced segmentation and security across a virtualized environment. One of the common questions we get asked is, “how do I decide what rules to build?” NSX allows for multiple options to create rules such as the use of NSX flow-monitoring or analyzing traffic patterns via logging to create the rules.

We’ll demonstrate how the VMware NSX DFW can be monitored with the popular Splunk platform. Further, we’ll demonstrate, along with using Splunk for monitoring traffic passing through the DFW, how the NSX REST API can be leveraged to automate workflows and creation of DFW rules. Continue reading

Powerball lessons for infosec

"Powerball" is a 44-state lottery whose prize now exceeds $1 billion, so there is much attention on it. I thought I'd draw some lessons for infosec.

The odds of a ticket winning the top prize is 1 in 292-million. However, last week 440-million tickets were purchased. Why did nobody win?

Because most people choose their own numbers. Humans choose numbers that are meaningful and lucky to them, such as birthdays, while avoiding meaningless or unlucky numbers, like 13. such numbers clump. Thus, while theory tells us there should've been at least one winner if everyone chose their number randomly, in practice a large percentage of possible numbers go unchosen. (Letting the computer choose random numbers doesn't increase your odds of winning, but does decrease the odds of having to sharing the prize).

The same applies to passwords. The reason we can crack passwords, even the tough ones using salted hashes, is because we rely upon the fact that humans choose passwords themselves. This makes password guessing a tractable human problem, rather than an intractable mathematical problem.

The average adult in lottery states spends $300 a year on the lottery. The amount spent on lotteries is more than sports, movies, music, Continue reading

BASH Script for Dictionary Attack Against SSH Server

Although they are several dictionary password attack tools available for Linux such as Hydra, Ncrack, I have decided to practice BASH scripting and write a script getsshpass.sh that can perform dictionary attack against SSH server. The script reads usernames and passwords from dictionaries (the one for usernames and the one for passwords) and uses them one-by-one during its login attempt to remote SSH server. Once correct username and password are found, the script save them to the file result.txt and displays them on the desktop. Then it exits.

The script can be started either in a serial mode that opens only single SSH session to SSH server or in a parallel mode which allows multipe SSH sessions to be opened at the same time. Below are parameters of the script.

Picture1-Script_Parameters

Picture 1 - Script Parameters

All parameters are self-explanatory. If a parameter -l is not entered the script is started in a default serial mode. In case of parallel mode is used (-l parameter) it is recommended to use -l parameter together with -n parameter. The -n parameter slows down generating SSH sessions by inserting fixed number of seconds before a new SSH session is generated. This helps the attack to be successful. According to my findings during Continue reading

How Do I Protect My Organisation from Exploit Kits?

Most network architects I’ve worked with seem quite familiar with botnets, but exploit kits (EKs) are somewhat of a mystery. I’ve recently come across a couple of good papers explaining the topic, one from CERT-UK titled ‘Demystifying the exploit kit’, available at the following URL: https://www.cert.gov.uk/resources/best-practices/demystifying-the-exploit-kit/ And ‘Evolution of Exploit Kits’ from Trend Micro: https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-evolution-of-exploit-kits.pdf […]

The post How Do I Protect My Organisation from Exploit Kits? appeared first on Packet Pushers.

How Do I Protect My Organisation from Exploit Kits?

Most network architects I’ve worked with seem quite familiar with botnets, but exploit kits (EKs) are somewhat of a mystery. I’ve recently come across a couple of good papers explaining the topic, one from CERT-UK titled ‘Demystifying the exploit kit’, available at the following URL: https://www.cert.gov.uk/resources/best-practices/demystifying-the-exploit-kit/ And ‘Evolution of Exploit Kits’ from Trend Micro: https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-evolution-of-exploit-kits.pdf […]

The post How Do I Protect My Organisation from Exploit Kits? appeared first on Packet Pushers.

1 156 157 158 159 160 182