Archive

Category Archives for "Security"

Worth Reading: Access Control with Segmentation

When you couple software-defined segmentation with an intelligent planning and implementation methodology, you get active segmentation. This approach to segmentation allows network operators to effectively cordon off critical network assets and limit access appropriately with minimal disruption to normal business functions. via the Cloud Security Alliance

The post Worth Reading: Access Control with Segmentation appeared first on 'net work.

Worth Reading: Outsourcing

And my second point is even more important: know the allegiance of your outsourcer. The key issue with outsourcing IT is this — who does your IT staff work FOR? via Cringley


This is a point that many people don’t get — if all businesses are data businesses (and they are, despite the constant refrain I’ve heard throughout my career that “we don’t make technology, here, so…”), then all the data, and all the analysis you do on that data, is just like the famous Coke recipe.

Know data, know your business. No data, no business.

It’s really that simple. When will we learn — and take this idea seriously? And when will we realize this rule applies to the network as well as the data in many cases?

The post Worth Reading: Outsourcing appeared first on 'net work.

VLAN Bridging with FirePOWER

Although not immediately obvious, the FirePOWER Series 3 devices can do a form of IPS on a stick. This means that the capability described here should be available to the current appliance versions of the FirePOWER managed devices. The premise involves connecting broadcast domains (VLANs) to bring the managed device inline between the initiator and responder of a flow. Configuration is fairly straightforward but does have some caveats.

Caveats

  • Even though only a single port is required, a virtual switch must be configured (this cannot just be an inline pair)
  • BPDUs being bridged between VLANs are detected and will render the switchport(s) in an inconsistent state
  • The FirePOWER physical interface will not activate until it is also bound to a Virtual Switch

FirePOWER Bridge VLANsThe diagram shows two devices in the same VLAN (we will assume /24 for the configuration). The device on the top is in VLAN 100. The FirePOWER managed device bridges VLAN 100 to VLAN 101 and allows the two devices to communicate directly with one another. The connection to the FirePOWER device is a single 802.1q trunk.

Frames arriving on VLAN 100 will be processed and egress with a VLAN tag of 101. This configuration is similar to a Continue reading

Understanding Rowhammer

As I learned in my early days in electronics, every wire is an antenna. This means that a signal in any wire, given enough power, can be transmitted, and that same signal, in an adjacent wire, can be received (and potentially decoded) through electromagnetic induction (Rule 3 may apply). This is a major problem in the carrying of signals through a wire, a phenomenon known as cross talk. How do communications engineers overcome this? By observing that a signal carried along parallel wires at opposite polarities will cancel each other out electromagnetically. The figure below might help out, if you’re not familiar with this.

induction

This canceling effect of two waveforms traveling a pair of wires 180deg out of phase is why the twisted is in twisted pair, and why it’s so crucial not to unbundle too much wire when punching down a jack or connector. The more untwisted the wire there is, the less effective the canceling effect is around the punch down, and the more likely you are to have near end or far end crosstalk.

If you consider one row of memory in a chip one wire, and a second, adjacent row of memory in the Continue reading

A quick review of the BIND9 code

BIND9 is the oldest and most popular DNS server. Today, they announced a DoS vulnerability was announced that would crash the server with a simply crafted query.  I could use my "masscan" tool to blanket the Internet with those packets and crash all publicly facing BIND9 DNS servers in about an hour. A single vuln doesn't mean much, but if you look at the recent BIND9 vulns, you see a pattern forming. BIND9 has lots of problems -- problems that critical infrastructure software should not have.


Its biggest problem is that it has too many feature. It attempts to implement every possible DNS feature known to man, few of which are needed on publicly facing servers. Today's bug was in the rarely used "TKEY" feature, for example. DNS servers exposed to the public should have the minimum number of features -- the server priding itself on having the maximum number of features is automatically disqualified.

Another problem is that DNS itself has some outdated design issues. The control-plane and data-plane need to be separate. This bug is in the control-plane code, but it's exploited from the data-plane. (Data-plane is queries from the Internet looking up names, control-plane is zones updates, Continue reading

Mitigate DoS Attack using TCP Intercept on Cisco Router

How does Internet work - We know what is networking

This is really cool feature on Cisco router not usually mentioned until you dig a little deeper inside Cisco IOS. But first a bit of theory… What is TCP SYN flood attack TCP 3-way handshake SYN flood DoS attack happens when many sources start to send a flood of TCP SYN packets usually with fake source IP. This attack uses TCP 3-way handshake to reserve all server available resources with fake SYN requests thus not allowing legitimate users to establish connection to the server. SYN packet is the first step in TCP 3-way handshake where client sends connection synchronization request

Mitigate DoS Attack using TCP Intercept on Cisco Router

Security – Just Another Risk

I made a conscious decision to move away from full-time information security work. I retain an interest, and try to keep up with developments, but I don’t want to be “the security guy.” There are several reasons for it, but a large part is due to the hype, the bullshit, and general inability for the security industry to act like grown-ups.

The most frustrating part was the inability to properly classify risk. Robert Graham put this eloquently here:

Infosec isn’t a real profession. Among the things missing is proper “risk analysis”. Instead of quantifying risk, we treat it as an absolute. Risk is binary, either there is risk or there isn’t. We respond to risk emotionally rather than rationally, claiming all risk needs to be removed. This is why nobody listens to us. Business leaders quantify and prioritize risk, but we don’t, so our useless advice is ignored.

Security folk often forget that they are just another risk. Yes, it’s a risk shipping the product with that bug. But not shipping at all might be a larger risk to the business. Even complete data breach may or may not be catastrophic to the business – RSA is still Continue reading

Packets of Interest (2015-07-24)

I’ve been doing a lot of reading and video watching on securing industrial control and automation systems (ICAS) (sometimes referred to as SCADA systems) so this POI has a few links related to that and ends with a link to an editorial piece about privacy and why privacy matters to us all.

SCADA and ICS for Security Experts: How to avoid Cyberdouchery (Blackhat 2010)

This is a funny but also educational and truthful presentation by James Arlen that every IT person needs to watch if they intent to work with and gain any credibility with their counterparts in Operations Technology (OT).

Digital Bond Quickdraw SCADA IDS Signatures

https://www.digitalbond.com/tools/quickdraw/

https://github.com/digitalbond/quickdraw

Quickdraw is a set of IDS/IPS signatures for Snort (and other IDS/IPS software that understands the Snort rule language) that deals specifically with ICAS protocols such as DNP3, Modbus/TCP, and EtherNet/IP. The rules appear to be generic in nature and not focused on any particular ICAS vendor equipment.

Digital Bond also wrote Snort preprocessors for DNP3, EtherNet/IP, and Modbus/TCP which some of the rules depend on. I tried browsing through Digital Bond’s diffs to Snort 2.8.5.3 but they are very hard to read because the Continue reading

Infosec’s inability to quantify risk

Infosec isn't a real profession. Among the things missing is proper "risk analysis". Instead of quantifying risk, we treat it as an absolute. Risk is binary, either there is risk or there isn't. We respond to risk emotionally rather than rationally, claiming all risk needs to be removed. This is why nobody listens to us. Business leaders quantify and prioritize risk, but we don't, so our useless advice is ignored.

An example of this is the car hacking stunt by Charlie Miller and Chris Valasek, where they turned off the engine at freeway speeds. This has lead to an outcry of criticism in our community from people who haven't quantified the risk. Any rational measure of the risk of that stunt is that it's pretty small -- while the benefits are very large.

In college, I owned a poorly maintained VW bug that would occasionally lose power on the freeway, such as from an electrical connection falling off from vibration. I caused more risk by not maintaining my car than these security researchers did.

Indeed, cars losing power on the freeway is a rather common occurrence. We often see cars on the side of the road. Few accidents are caused Continue reading
1 160 161 162 163 164 177