Category Archives for "Security"

Biden vs Risk Analysis

What we try to do in cybersecurity is "risk analysis". Most people get this wrong.

An example of this is today's announcement by vice president Joe Biden that he won't run for president. Many pundits have opined that it's because he can't beat Hillary Clinton. This is wrong.

The phrase "can't beat Hillary" makes no sense. It imagines a world where risk is binary: you either can or you can't. That's not how it works. Instead, we calculate the odds of beating Hillary. That number is not 0%. For one thing, a meteor might hit the earth and strike Hillary dead, so there's always some chance of beating her.

Responsible risk analysts ignore the rhetoric and try to calculate the odds. The easiest way of doing this is to look at the many betting websites, which have variously given Biden a 5% to 10% chance of winning the presidency. Given that the presidency is easily worth a billion dollars, and you don't spend your own money (just donations), these are great odds. Everybody who believes their chance is greater than 5% runs -- which is why we have over 20 candidates right now.

In other words, would you pay $10 for a 5% Continue reading

Ever Heard of Role-Based Access Control?

During my recent SDN workshops I encountered several networking engineers who use Nexus 1000V in their data center environment, and some of them claimed their organization decided to do so to ensure the separation of responsibilities between networking and virtualization teams.

There are many good reasons one would use Nexus 1000V, but the one above is definitely not one of them.

Read more ...

DEF CON drink-off — for science!

The DEF CON hacking conference is a mixture of techies and drinkers. I propose we exploit this for science. Specifically, we should take a look at vodka. Vodka is just ethanol and water with all taste removed by distillation and filtering. We can answer two important questions.

  1. Poorly made, cheap vodka lets too much of the (bad) flavor through. Can this be improved by running it through a filter? (Such as a cheap Brita water filter).
  2. Well-made vodka should be indistinguishable from each other. Can people really taste the difference? Or are they influenced by brands?

We need to science the shit out of these questions with a double-blind taste test. DEF CON is a perfect venue for getting a statistically relevant number of samples. We should set up a table in a high-traffic area. We'll ask passersby to taste a flight of several vodkas and to rate them.

I suggest the following as the set of vodkas to test.

1. Smirnoff, by far the market leading vodka in America, a "mid-shelf" vodka at $22 for a 1.75 liter bottle.
2. Grey Goose, the third most popular vodka in America, a "top-shelf" vodka for $58 a 1.75 liter bottle.
Continue reading

DH-1024 in Bitcoin terms

The recent paper on Diffie-Hellman "precomputation" estimates a cost of 45-million core-years. Of course, the NSA wouldn't buy so many computers to do the work, but would instead build ASICs to do the work. The most natural analogy is how Bitcoin works. Bitcoin hashes were originally computed on CPU cores, then moved to graphics co-processors, then FPGAs, then finally ASICs.

The current hashrate of Bitcoin is 460,451,594,000 megahashes/second. An Intel x86 core computes about 3 megahashes/second, so the network is equivalent to 153,483,864,667 CPU cores. Divide this by 45 million core-years for precomputing 1024-bit DH, and you get 3410 DH precomputations per year. Thus, we get the following result:
The ASIC power in the current Bitcoin network could do all the necessary precomputations for a Diffie-Hellman 1024 bit pair with 154 minutes worth of work. Or, the precomputation effort is roughly equal to 15 bitcoin blocks, at the current rate.
(Update: I did some math wrong, it's 154 minutes not 23 minutes)

Another way of comparing is by using the website "keylength.com", which places the equivalent effort of cracking 1024-bit DH at 72 to 80 bits of symmetric crypto. At the current Bitcoin rate, 72 bits of crypto comes out to 15 bitcoin blocks, Continue reading

Global Impacts of Recent Leaks


Recent routing leaks remind us why monitoring Internet routing and performance is important and requires effective tools. Routing leaks are the ‘benign cousin’ of the malicious BGP route hijack. They happen accidentally, but the result is the same: traffic to affected prefixes is redirected, lost, or intercepted. And if they happen to you, your online business and brand suffer.

In this blog, we look at examples of a full-table peer leak, an origination leak, and a small peer leak, and what happens to traffic when these incidents occur. As we will see, some events can go on for years, undetected and hence unremediated, but extremely impactful nevertheless. As you read this blog, keep the following questions in mind. Would you know if the events described here were happening to you? Would you know how to identify the culprit if you did?

iTel/Peer1 routing leak

Starting on 10 October at 10:54 UTC, iTel (AS16696) leaked a full routing table (555,010 routes) to Peer 1 (AS13768). Normally, iTel exports 49 routes to Peer 1; however, over the course of several minutes, it leaked 436,776 routes from Hurricane Electric (AS6939) and 229,537 Continue reading

Infosec is good people

For all that we complain about drama in our community, we are actually good people. At a small conference yesterday, I met "Kath". She just got her degree in advertising, but has become disillusioned. Her classes in web development and app development have shown her how exploitative online advertising can be. ("PHP has made me cry" -- yes, it's made all of us cry at some point).

She's felt alone, as if she were the only one who had those feelings; then she discovered the EFF, and privacy activists like Yan (@bcrypt) who have been fighting for privacy. Kath grew up in the middle of nowhere in Texas, and went to college in another middle-of-nowhere place in Texas. Being a muggle, she'd never heard of infosec before -- but she got a ticket and flew to New York to attend this little infosec conference where Yan was speaking. (Well, that and also to apply for the NYU graduate program in media).

She found things she didn't expect. She found, for example, how she can contribute, using her skills in usability to make crypto and privacy better for users. She also found a community that was accepting and approachable. Advertising is a Continue reading

Control Plane Protection in Cisco IOS


CoPP (Control Plane Protection, or more precisely Control Plane Policing) is the only option for providing some sort of flood protection or QoS for traffic destined to the control plane. During normal router operation, the most important traffic is control plane traffic. Control plane traffic is traffic originated by the router itself, by the protocol services running on it, and destined to other router devices on the network. In order to run properly, routers need to speak with each other. They speak with each other by rules defined in protocols, and protocols run in the shape of router services. Examples for this

GRE over IPSec Tunnel Between Cisco and VyOS

The previous tutorial showed GRE tunnel configuration between a Cisco router and Linux Core. The big advantage of the GRE protocol is that it encapsulates L3 and higher protocols inside the GRE tunnel, so routing updates and other multicast traffic can be successfully transferred over the tunnel. The main drawback of the GRE protocol is the lack of built-in security. Data are transferred in plain text over the tunnel (no confidentiality) and peers are not authenticated. Tunneled traffic can be changed by an attacker (no integrity checking of IP packets). For this reason a GRE tunnel is very often used in conjunction with IPSec. Typically, the GRE tunnel is encapsulated inside the IPSec tunnel, and this model is called GRE over IPSec.

The tutorial shows configuration of the OSPF routing protocol, GRE and an IPSec tunnel on a Cisco 7206 VXR router and an appliance running the VyOS network OS. The devices are running inside a GNS3 lab and are emulated by Dynamips (Cisco) and Qemu (VyOS).

Picture 1 - Topology

Note: VyOS installation is described here. You can easily build your own VyOS Qemu appliance using the Expect and Bash script shared in the article.

1. R3 Configuration

R3(config)# interface gigabitEthernet 1/0
R3(config-if)# ip address 1.1.1.1 255.255.255.0
R3(config-if)# no shutdown

R3(config-if)# interface gigabitEthernet 0/0
R3(config-if)# ip Continue reading

Jeb Bush is a cyber-weenie

Jeb Bush, one of the many 2016 presidential candidates, has numerous positions on "cyber" issues. They are all pretty silly, demonstrating that not only he but also his advisors profoundly misunderstand the issues.

For example, his recent position opposing "NetNeutrality" regulations says this:
these rules prohibit one group of companies (ISPs) from charging another group of companies (content companies) the full cost for using their services
Uh, no, that's how Democrats frame the debate. ISPs charging content providers is actually a very bad thing. That we Republicans oppose NetNeutrality is not based on the belief that "charging content companies" is a good thing.

Instead, NetNeutrality is about technical issues like congestion and routing. Congestion is an inherent property of the Internet. NetNeutrality shifts the blame for congestion onto the ISPs. NetNeutrality means the 90% of Comcast subscribers who do not use Netflix must subsidize the 10% who are.

Or at least, that's one of the many ways Republicans would phrase the debate. More simply, all Republicans oppose NetNeutrality simply because it's over-regulation. My point is that Jeb Bush doesn't realize he's been sucked into the Democrat framing, and that what he says is garbage.

A better example is Jeb's position Continue reading