Archive

Category Archives for "Security"

Worth Reading: Outsourcing

And my second point is even more important: know the allegiance of your outsourcer. The key issue with outsourcing IT is this — who does your IT staff work FOR? via Cringley


This is a point that many people don’t get — if all businesses are data businesses (and they are, despite the constant refrain I’ve heard throughout my career that “we don’t make technology, here, so…”), then all the data, and all the analysis you do on that data, is just like the famous Coke recipe.

Know data, know your business. No data, no business.

It’s really that simple. When will we learn — and take this idea seriously? And when will we realize this rule applies to the network as well as the data in many cases?

The post Worth Reading: Outsourcing appeared first on 'net work.

VLAN Bridging with FirePOWER

Although not immediately obvious, the FirePOWER Series 3 devices can do a form of IPS on a stick. This means that the capability described here should be available to the current appliance versions of the FirePOWER managed devices. The premise involves connecting broadcast domains (VLANs) to bring the managed device inline between the initiator and responder of a flow. Configuration is fairly straightforward but does have some caveats.

Caveats

  • Even though only a single port is required, a virtual switch must be configured (this cannot just be an inline pair)
  • BPDUs being bridged between VLANs are detected and will render the switchport(s) in an inconsistent state
  • The FirePOWER physical interface will not activate until it is also bound to a Virtual Switch

FirePOWER Bridge VLANsThe diagram shows two devices in the same VLAN (we will assume /24 for the configuration). The device on the top is in VLAN 100. The FirePOWER managed device bridges VLAN 100 to VLAN 101 and allows the two devices to communicate directly with one another. The connection to the FirePOWER device is a single 802.1q trunk.

Frames arriving on VLAN 100 will be processed and egress with a VLAN tag of 101. This configuration is similar to a Continue reading

Understanding Rowhammer

As I learned in my early days in electronics, every wire is an antenna. This means that a signal in any wire, given enough power, can be transmitted, and that same signal, in an adjacent wire, can be received (and potentially decoded) through electromagnetic induction (Rule 3 may apply). This is a major problem in the carrying of signals through a wire, a phenomenon known as cross talk. How do communications engineers overcome this? By observing that a signal carried along parallel wires at opposite polarities will cancel each other out electromagnetically. The figure below might help out, if you’re not familiar with this.

induction

This canceling effect of two waveforms traveling a pair of wires 180deg out of phase is why the twisted is in twisted pair, and why it’s so crucial not to unbundle too much wire when punching down a jack or connector. The more untwisted the wire there is, the less effective the canceling effect is around the punch down, and the more likely you are to have near end or far end crosstalk.

If you consider one row of memory in a chip one wire, and a second, adjacent row of memory in the Continue reading

A quick review of the BIND9 code

BIND9 is the oldest and most popular DNS server. Today, they announced a DoS vulnerability was announced that would crash the server with a simply crafted query.  I could use my "masscan" tool to blanket the Internet with those packets and crash all publicly facing BIND9 DNS servers in about an hour. A single vuln doesn't mean much, but if you look at the recent BIND9 vulns, you see a pattern forming. BIND9 has lots of problems -- problems that critical infrastructure software should not have.


Its biggest problem is that it has too many feature. It attempts to implement every possible DNS feature known to man, few of which are needed on publicly facing servers. Today's bug was in the rarely used "TKEY" feature, for example. DNS servers exposed to the public should have the minimum number of features -- the server priding itself on having the maximum number of features is automatically disqualified.

Another problem is that DNS itself has some outdated design issues. The control-plane and data-plane need to be separate. This bug is in the control-plane code, but it's exploited from the data-plane. (Data-plane is queries from the Internet looking up names, control-plane is zones updates, Continue reading

Mitigate DoS Attack using TCP Intercept on Cisco Router

How does Internet work - We know what is networking

This is really cool feature on Cisco router not usually mentioned until you dig a little deeper inside Cisco IOS. But first a bit of theory… What is TCP SYN flood attack TCP 3-way handshake SYN flood DoS attack happens when many sources start to send a flood of TCP SYN packets usually with fake source IP. This attack uses TCP 3-way handshake to reserve all server available resources with fake SYN requests thus not allowing legitimate users to establish connection to the server. SYN packet is the first step in TCP 3-way handshake where client sends connection synchronization request

Mitigate DoS Attack using TCP Intercept on Cisco Router

Security – Just Another Risk

I made a conscious decision to move away from full-time information security work. I retain an interest, and try to keep up with developments, but I don’t want to be “the security guy.” There are several reasons for it, but a large part is due to the hype, the bullshit, and general inability for the security industry to act like grown-ups.

The most frustrating part was the inability to properly classify risk. Robert Graham put this eloquently here:

Infosec isn’t a real profession. Among the things missing is proper “risk analysis”. Instead of quantifying risk, we treat it as an absolute. Risk is binary, either there is risk or there isn’t. We respond to risk emotionally rather than rationally, claiming all risk needs to be removed. This is why nobody listens to us. Business leaders quantify and prioritize risk, but we don’t, so our useless advice is ignored.

Security folk often forget that they are just another risk. Yes, it’s a risk shipping the product with that bug. But not shipping at all might be a larger risk to the business. Even complete data breach may or may not be catastrophic to the business – RSA is still Continue reading

Packets of Interest (2015-07-24)

I’ve been doing a lot of reading and video watching on securing industrial control and automation systems (ICAS) (sometimes referred to as SCADA systems) so this POI has a few links related to that and ends with a link to an editorial piece about privacy and why privacy matters to us all.

SCADA and ICS for Security Experts: How to avoid Cyberdouchery (Blackhat 2010)

This is a funny but also educational and truthful presentation by James Arlen that every IT person needs to watch if they intent to work with and gain any credibility with their counterparts in Operations Technology (OT).

Digital Bond Quickdraw SCADA IDS Signatures

https://www.digitalbond.com/tools/quickdraw/

https://github.com/digitalbond/quickdraw

Quickdraw is a set of IDS/IPS signatures for Snort (and other IDS/IPS software that understands the Snort rule language) that deals specifically with ICAS protocols such as DNP3, Modbus/TCP, and EtherNet/IP. The rules appear to be generic in nature and not focused on any particular ICAS vendor equipment.

Digital Bond also wrote Snort preprocessors for DNP3, EtherNet/IP, and Modbus/TCP which some of the rules depend on. I tried browsing through Digital Bond’s diffs to Snort 2.8.5.3 but they are very hard to read because the Continue reading

Infosec’s inability to quantify risk

Infosec isn't a real profession. Among the things missing is proper "risk analysis". Instead of quantifying risk, we treat it as an absolute. Risk is binary, either there is risk or there isn't. We respond to risk emotionally rather than rationally, claiming all risk needs to be removed. This is why nobody listens to us. Business leaders quantify and prioritize risk, but we don't, so our useless advice is ignored.

An example of this is the car hacking stunt by Charlie Miller and Chris Valasek, where they turned off the engine at freeway speeds. This has lead to an outcry of criticism in our community from people who haven't quantified the risk. Any rational measure of the risk of that stunt is that it's pretty small -- while the benefits are very large.

In college, I owned a poorly maintained VW bug that would occasionally lose power on the freeway, such as from an electrical connection falling off from vibration. I caused more risk by not maintaining my car than these security researchers did.

Indeed, cars losing power on the freeway is a rather common occurrence. We often see cars on the side of the road. Few accidents are caused Continue reading

Invalidating Identity Interdiction

identity-theft

It used to be that a data breach was a singular event that caused massive shock and concern. Today, data breaches happen regularly and, while still shocking in scope, are starting to dull the senses. Credit card numbers, security clearances, and even illicit dating profiles have been harvested, coallated, and provided for everyone to expose. It seems to be an insurmountable problem. But why?

Data Cake

Data is a tantalizing thing. Collecting it makes life easier for customers and providers as well. Having your ordering history allows Amazon to suggest products you might like to buy. Having your address on file allows the pizza place to pull it up without you needing to read your address again. Creating a user account on a site lets you set preferences. All of this leads to a custom experience and lets us feel special and unique.

But, data is just like that slice of cheesecake you think you want for dessert. It looks so delicious and tempting. But you know it’s bad for you. It has calories and sugar and very little nutritional value. In the same manner, all that data you collect is a time bomb waiting to be exposed. The more Continue reading

My BIS/Wassenaar comment

This is my comment I submitted to the BIS on their Wassenaar rules:

----
Hi.

I created the first “intrusion prevention system”, as well as many tools and much cybersecurity research over the last 20 years. I would not have done so had these rules been in place. The cost and dangers would have been too high. If you do not roll back the existing language, I will be forced to do something else.

After two months, reading your FAQ, consulting with lawyers and export experts, the cybersecurity industry still hasn’t figured out precisely what your rules mean. The language is so open-ended that it appears to control everything. My latest project is a simple “DNS server”, a piece of software wholly unrelated to cybersecurity. Yet, since hackers exploit “DNS” for malware command-and-control, it appears to be covered by your rules. It’s specifically designed for both the distribution and control of malware. This isn’t my intent, it’s just a consequence of how “DNS” works. I haven’t decided whether to make this tool open-source yet, so therefore traveling to foreign countries with the code on my laptop appears to be a felony violation of export controls.

Of course you don’t intend Continue reading

Software and the bogeyman

This post about the July 8 glitches (United, NYSE, WSJ failed) keeps popping up in my Twitter timeline. It's complete nonsense.

What's being argued here is that these glitches were due to some sort of "moral weakness", like laziness, politics, or stupidity. It's a facile and appealing argument, so scoundrels make it often -- to great applause from the audience. But it's not true.

Legacy


Layers and legacies exist because working systems are precious. More than half of big software projects are abandoned, because getting new things to work is a hard task. We place so much value on legacy, working old systems, because the new replacements usually fail.

An example of this is the failed BIND10 project. BIND, the Berkeley Internet Name Daemon, is the oldest and most popular DNS server. It is the de facto reference standard for how DNS works, more so than the actual RFCs. Version 9 of the project is 15 years old. Therefore, the consortium that maintains it funded development for version 10. They completed the project, then effectively abandoned it, as it was worse in almost every way than the previous version.

The reason legacy works well is the enormous regression testing Continue reading

More ProxyHam stuff

Somebody asked how my solution in the last post differed from the "ProxyGambit" solution. They missed my point. Just because I change the tires on the car doesn't mean I get credit for inventing or building the car. The same thing with this ProxyHam nonsense: nobody is "building a solution". Instead, we are all just using existing products the way they are intended. We are all just choosing a different mix of components.

People get all excited when they see a bare Raspberry Pi board, but the reality is that there's nothing interesting going on here, no more than lifting the hood/bonnet on your car. This is photograph from ProxyGambit:


What ProxyGambit is doing here is using cellular data on the far end rather stealing WiFi from Starbucks or the local library. Their solution looks fancy, but you can do the same thing with off-the-shelf devices for a lot cheaper. Here is the same solution with off-the-shelf products:


This is just a TL-WR703N ($26) router with a 3G USB dongle. You can get these dongles cheap off eBay used, or new for around $17. Combined, they are cheaper than a Raspberry PI. If you want to customize this, Continue reading
1 165 166 167 168 169 182