Archive

Category Archives for "Security"

All app developers should learn from WhatsApp-v-Brazil incident and defend against it

So Brazil forced the ISPs to shutdown WhatsApp (a chat app) for 48 hours, causing more than a million of their customers to move to Telegram (another chat app). Apparently, this was to punish WhatsApp for not helping in a criminal investigation.




Well, this is similar to how ISPs block botnets. Botnets, the most common form of malware these days, have a command-channel back to the hacker that controls all the bots in the network. ISPs try to block the IP address and/or DNS name in order to block access to the botnet.

Botnets use two ways around this. One way is "fast-flux DNS", where something like "www.whatsapp.com" changes its IP address every few minutes. This produces too many IP addresses for ISPs to block. WhatsApp can keep spinning up new cloud instances at places like Amazon Web Services or Rackspace faster than ISPs can play whack-a-mole.

But ISPs can also block the domain name itself, instead of the IP address. Therefore, an app can also choose to Continue reading

No, you can’t shut down parts of the Internet

In tonight's Republican debate, Donald Trump claimed we should shutdown parts of the Internet in order to disable ISIS. This would not work. I thought I'd create some quick notes why.

This post claims it would be easy, just forge a BGP announcement. Doing so would then redirect all Syrian traffic to the United States instead of Syria. This is too simplistic of a view.

Technically, the BGP attack described in the above post wouldn't even work. BGP announcements in the United States would only disrupt traffic to/from the United States. Traffic between Turkey and ISIS would remain unaffected. The Internet is based on trust -- abusing trust this way could only work temporarily, before everyone else would untrust the United States. Legally, this couldn't work, as the United States has no sufficient legal authority to cause such an action. Congress would have to pass a law, which it wouldn't do.

But "routing" is just a logical layer built on top of telecommunications links. Since Syria and Iraq own their respective IP address space, I'm not even sure ISIS is allowed to use it. Instead, ISIS has to pay for telecommunications links to route traffic through other countries. This causes Continue reading

Security ‘net

The ‘web has been abuzz with security stuff the last couple of weeks; forthwith a small collection for your edification.

The man in the middle attack is about as overused as the trite slippery slope fallacy in logic and modern political “discourse” (loosely termed — political discourse is the latest term to enter the encyclopedia of oxymorons as it’s mostly been reduced to calling people names and cyberbullying, — but of course, putting the social media mob in charge of stopping bullying will fix all of that). But there are, really, such things as man in the middle attacks, and they are used to gather information that would otherwise be unavailable because of normal security provided by on the wire encryption. An example? There is no way to tell if your cell phone is connecting to a real cell phone tower or a man-in-the-middle device that sucks all your information out and ships it to an unintended recipient before forwarding your information along to its correct destination.

The list of aliases used by the devices that masquerade as a cell phone tower, trick your phone into connecting with them, and suck up your data, seems to grow every day. But Continue reading

Policy wonks aren’t computer experts

This Politico story polls "cybersecurity experts" on a range of issues. But they weren't experts, they were mostly policy wonks and politicians. Almost none of them have ever configured a firewall, wrote some code, exploited SQL injection, analyzed a compromise, or in any other way have any technical expertise in cybersecurity. It's like polling a group of "medical experts", none of which has a degree in medicine, or having a "council of economic advisers", consisting of nobody with economics degrees, but instead representatives from labor unions and corporations.

As an expert, a real expert, I thought I'd answer the questions in the poll. After each question, I'll post my answer (yes/no), the percentage from the Politico poll of those agreeing with me, and then a discussion.

Should the government mandate minimum cybersecurity requirements for private-sector firms?

No (39%). This question is biased because they asked policy wonks, most of which will answer "yes" to any question "should government mandate". It's also biases because if you ask anybody involved in X if we need more X, they'll say "yes", regardless of the subject you are talking about.

But the best answer is "no", for three reasons.

Firstly, we experts don't know Continue reading

Some notes on fast grep

This thread on the FreeBSD mailing discusses why GNU grep (that you get on Linux) is faster than the grep on FreeBSD. I thought I'd write up some notes on this.

I come from the world of "network intrusion detection", where we search network traffic for patterns indicating hacker activity. In many cases, this means solving the same problem of grep with complex regexes, but doing so very fast, at 10gbps on desktop-class hardware (quad-core Core i7). We in the intrusion-detection world have seen every possible variation of the problem. Concepts like "Boyer-Moore" and "Aho-Corasick" may seem new to you, but they are old-hat to us.

Zero-copy

Your first problem is getting the raw data from the filesystem into memory. As the thread suggests, one way of doing this is "memory-mapping" the file. Another option would be "asynchronous I/O". When done right, either solution gets you "zero-copy" performance. On modern Intel CPUs, the disk controller will DMA the block directly into the CPU's L3 cache. Network cards work the same way, which is why getting 10-gbps from the network card is trivial, even on slow desktop systems.

Double-parsing

Your next problem is stop with the line parsing, idiots. All these Continue reading

Joking aside: Trump is Unreasonable

Orin Kerr writes an excellent post repudiating Donald Trump. As a right-of-center troll, sometimes it looks like I support Trump. I don't -- I repudiate everything about Trump.

I often defend Trump, but only because I defend fairness. Sometimes people attack Trump for identical policies supported by their own favorite politicians. Sometimes they take Trump's bad policies and make them even worse by creating "strawman" versions of them. Because I believe in fairness, I'll defend even Trump from unfair attacks.

But Trump is an evil politician. Trump is "fascism-lite". You'll quickly cite Godwin's Law, but fascism is indeed the proper comparison. He's nationalistic, racist, populist, and promotes the idea of a "strongman" -- all the distinctive hallmarks of Nazism and Italian Fascism.

Scoundrels, like Trump, make it appear that opposition is unreasonable, that they are somehow sabotaging progress, and that all it takes is a strongman with the "will" to overcome them. But the truth is that in politics, reasonable people disagree. I'll vigorously defend my politics and call yours wrong, but at the end of the day, we can go out and have a beer together without hating each other. Trump-style politicians, on the other hand, do everything in Continue reading

Internet Redundancy with ASA SLA and IPSec

I’ve seen a lot of examples of redundant Internet connections that use SLA to track a primary connection. The logic is that the primary Internet connection is constantly being validated by pinging something on that ISP’s network and routing floats over to a secondary service provider in the event of a failure. I was recently challenged with how this interacted with IPSec. As a result I built out this configuration and performed some fairly extensive testing.

It is worth noting that this is not a substitute for a properly multi-homed Internet connection that utilizes BGP. It is, however, a method for overcoming the challenges often found in the SMB environments where connections are mostly outbound or can alternatively be handled without completely depending on either of the service provider owned address spaces.

In this article, we will start out with a typical ASA redundant Internet connection using IP SLA. Then we will overlay a IPSec Site to Site configuration and test the failover process.

ASA_IPSec_Redundant

The base configuration for this lab is as follows. Continue reading

Tesla is copying Apple’s business model

One of the interesting things about Tesla is that the company is trying to copy Apple's business model. As a Silicon Valley entrepreneur myself, and an owner of a Tesla car, I thought I'd write up what that means.

There are two basic business models in the world. The first is cheap, low-quality, high-volume products. You don't make much profit per unit, but you sell of a ton of them. The second is expensive, high-quality (luxury), low-volume products. You don't sell many units, but you make a lot of profit per unit.

It's really hard to split the difference, selling high-volume, high-quality products. If you spend 1% more on quality, your customers can't tell the difference (without more research on their part), so you'll lose 10% of your customers who won't accept the higher price. Or, you are selling to the luxury market, lowering price to sell more units means lowering quality standards, destroying your brand.

Rarely, though, companies can split the difference. A prime example is Costco. While the average person who shops at Walmart (low-quality, high-volume store) earns less than $20,000 per year, the average income of a Costco customer is over $90,000 per year. Costco sells high-quality Continue reading

Why “Force Awakens” will suck

JJ Abram’s movie “Super 8” is an underrated masterpiece. It leads me to believe that he actually “gets it”. But then, everything else JJ has done convinces me he really doesn’t. He destroyed Star Trek, and I’m convinced he’ll do the same to Star Wars. I thought I’d list the things he almost certainly gets wrong in the “Star Wars: Force Awakens” movie.

The movie hangs on spoilers

The original Star Wars was known for the way that people repeatedly saw it in theatres. There were no spoilers. Sure, they blow up the Death Star, but knowing this ahead of time detracts not a whit from the movie. In Episode I, most of us know that Palpatine is the Emperor. Knowing this spoiler doesn’t detract from the movie, but adds to it. Sure, the original series had the “Luke I am your father” spoiler, but knowing that ahead of time detracts nothing from the movies.

But JJ loves the big reveal. It’s like Lost, where season after season we didn’t know what was going on. Worse yet, it’s like his second Star Trek movie, where we weren’t supposed to know it was really Khan. It Continue reading

NSA needs more EFF hoodies

A few months ago, many stories covered "intelexit.org", a group that bought billboards outside NSA buildings encouraging moderates to leave intelligence organizations. This is a stupidbad idea.

For one thing, it's already happening inside the intelligence community. Before Snowden, EFF hoodies were tolerated. From what I hear, they aren't anymore. Anybody who says anything nice about the EFF or Snowden quickly finds their promotion prospects reduced. And if you aren't being promoted, you are on track to be pushed out, to make room for new young blood.

The exit of moderates is radicalizing the intelligence community. More and more, those who stay want more surveillance.

In my own experience, the intelligence community is full of pro-EFF moderates. More than anybody, those inside the community can see the potential for abuse. For all that mass surveillance is unacceptable, the reality is that it's not really being abused. It really is just focused on catching evil terrorists, not on tracking political activists in America. All this power is in the hands of people who use the power as intended.

A mass exodus of moderates, though, will change this, creating a more secretive and more abusive organization. The NSA is nowhere near Continue reading

Security ‘net: Google, Watson, and other thoughts

Encryption, security, and privacy are at the top of our list, it seems. The question is — who really cares about your privacy? Is Google a champion of freedom, or a threat to national sovereignty?

Google is unique in its leadership, plans, and global marketpower to accelerate the majority of all global Web traffic “going dark,” i.e. encrypted by default. Google’s “going dark” leadership seriously threatens to neuter sovereign nations’ law-enforcement and intelligence capabilities to investigate and prevent terrorism and crime going forward.

Or has Google just figured out that encryption is the best way to funnel all the world’s information through their servers so it can be properly indexed and used to its maximum commercial value?

But the truth about where the giants of tech stand on user privacy is another matter entirely. No organizations on earth have exploited users more than Google (GOOGL) and Facebook (FB) have in their zealous quest to boost ad revenues by providing users’ personal data – demographics, searches, email and location, among others – to an ever-growing list of digital advertisers.

Russ’ take: The truth is probably out there someplace, but I doubt it’s as clean cut as either of these articles Continue reading

First Internet ecommerce was at least 1990

This article from FastCompany claims that the first Internet e-commerce transaction was 1994. This isn't true. The site "cdconnection.com" was selling CDs online since 1990. Well, they claim 1990, I don't know what evidence they have. But I personally can remember buying CDs on their site for over a year before I switched jobs in mid-1994 (so probably at least 1993).

I write this up because it's apparently an important concern when Internet e-commerce was "invented", so I'm writing up what I witnessed. It's a silly competition, of course, since Internet e-commerce is such an obvious idea that nobody can "invent" it. Somebody probably accepted payments for things online even before that. But, as of 1993 when I purchased music, CDconnection was a well-honed business, a "site", with an interface, with a wide selection, using Telnet with V100 commands to format the screen.






Security for the New Battlefield

What will be our security challenge in the coming decade? Running trusted services even on untrusted infrastructure. That means protecting the confidentiality and integrity of data as it moves through the network. One possible solution – distributed network encryption – a new approach made possible by network virtualization and the software-defined data center that addresses some of the current challenges of widespread encryption usage inside the data center.

VMware’s head of security products Tom Corn recently spoke on the topic at VMworld 2015 U.S., noting, “Network encryption is a great example of taking something that was once a point product, and turning it into a distributed service—or what you might call an infinite service. It’s everywhere; and maybe more importantly it changes how you implement policy. From thinking about it through the physical infrastructure—how you route data, etcetera—to through the lens of the application, which is ultimately what you’re trying to protect. It eventually becomes really a check box on an application.”

VMware NSX holds the promise of simplifying encryption, incorporating it directly so that it becomes a fundamental attribute of the application. That means so as long as it has that attribute, any packet will be Continue reading

Collecting MAC and IP Adresses of Hosts Connected to Cisco Switches Using SNMP

The goal of this article is to introduce a script that automates a process of collecting MAC and IP address of hosts connected to Cisco switches using Simple Network Management Protocol (SNMP). We will configure SNMP version 2c and 3 on Cisco switches and create a BASH script that collects required data for us. For this purpose I have created a test network lab using GNS3. The topology consists of three Cisco virtual switch appliances running vIOS-L2 and one network management station (NMS) based on Kali Linux. Network hosts are simulated by Core Linux appliances connected to Cisco vIOS-l2 switches.

1. GNS3 Lab

1.1 List of software used for creating GNS3 lab

  • Host OS
    x86-64 Linux Fedora with installed GNS3 1.3.11 and Qemu1.4.0
  • Network Management Station
    Linux Kali 3.18.0-kali3-amd64
  • Swiches
    Cisco vIOS l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2
    Cisco Catalyst 3550 (C3550-IPSERVICESK9-M), Version 12.2(55)SE9
  • Network Host (End device)
    Linux Core 3.16.6-tinycore64

1.2 Network Topology Description

All virtual network and host devices are running inside GNS3 project and they are emulated by Qemu emulator and virtualizer. The only exception is a Cisco Catalyst 3550 switch that is connected to topology via GNS3 network Continue reading

Some notes on the eDellRoot key

It was discovered this weekend that new Dell computers, as well as old ones with updates, come with a CA certificate ("eDellRoot") that includes the private key. This means hackers can eavesdrop on the SSL communications of Dell computers. I explain how in this blog post, just replace the "ca.key" with "eDellRoot.key".

If I were a black-hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone's encrypted communications. I suggest "international first class", because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking.

I point this out in order to describe the severity of Dell's mistake. It's not a simple bug that needs to be fixed, it's a drop-everything and panic sort of bug. Dell needs to panic. Dell's corporate customers need to panic.

Note that Dell's spinning of this issue has started, saying that they aren't like Lenovo, because they didn't install bloatware like Superfish. This doesn't matter. The problem with Superfish wasn't the software, but the private key. In this respect, Dell's error is exactly as bad as the Superfish error.