Archive

Category Archives for "Security"

IPv6-test.com and SRX firewall policies

ipv6-test.com is a useful site for testing IPv4 & IPv6 connectivity. It checks that v4 & v6 are working as expected, and reports your browser v4/v6 preferences. It does have one oddity with ICMPv6 tests. Here’s what I did to work around it with my SRX setup.

The site runs a suite of tests and gives you a score out of 20. Most dual-stack home users will probably get 17/20. They deduct 1 point for no reverse DNS entry for v6, and 2 points for “ICMP Filtered”.


How can you improve your score?

1. Reconfigure your firewall
Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all.

2. Get a reverse DNS record

The first one is fine, but the second issue is a worry. ICMP is a critical part of IPv6. It’s needed for things like Neighbor Discovery, and Packet Too Big messages.

Most home user firewall setups will be fairly simple. Basically ‘Allow everything out, and allow related traffic back in. Drop everything else.’ Surely the default policy on the SRX should be allowing related Continue reading

How to build your own ProxyHam

"ProxyHam" created controversy because the talk was supposedly suppressed by the US government. In this post, I'll describe how you can build your own, with off-the-shelf devices, without any code.

First, head on over to NewEgg. For a total of $290.96, buy two locoM9 repeaters (for $125.49 each), and two WiFi routers, like the TL-WR700N for $19.99 each.

Grab your first WiFi device. Configure it in "client" mode, connecting it to the "Starbucks" SSID. In this mode, you can then connect your laptop via Ethernet to this device, and you'll have access to the Internet via your WiFi device to Starbucks. In other words, it acts as a WiFi dongle, but one that you attach via Ethernet instead of USB.

Now grab your two locoM9 devices and configure them for "transparent bridging". In this mode, whatever Ethernet packets are received on one end get sent over the air to the other end. Connect each locoM9 to a TL-WR700N using the supplied Ethernet cable.

Now grab the second WiFi device and configure it as a normal WiFi router.

Now, assuming you aim the locoM9s correctly toward each other with reasonable line-of-sight, you've got a "ProxyHam".

The reason Continue reading

ProxyHam conspiracy is nonsense

This DEF CON conspiracy theory is about a talk on "ProxyHam" that was canceled under mysterious circumstances. It's nonsense.

The talk was hype to begin with. You can buy a 900 MHz bridge from Ubiquiti for $125 (or a MikroTik device for $129) and attach it to a Raspberry Pi. How you'd do this is obvious. It's a good DEF CON talk, because it's the application that's important, but the technical principles here are extremely basic.

If you look carefully at the pic in the Wired story on ProxyHam, it appears they are indeed just using the Ubiquiti device. Here is the pic from Wired:


And here is the pic from Ubiquiti's website:


I don't know why the talk was canceled. One likely reason is that the stories (such as the one on Wired) sensationalized the thing, so maybe their employer got cold feet. Or maybe the FBI got scared and really did give them an NSL, though that's incredibly implausible.

Anyway, if DEF CON wants a talk on how to hook up a Raspberry Pi to a Ubiquiti NanoStation LOCOM9 in order to bridge WiFi, I'll happily give that talk. It's just basic TCP/IP configuration, and if you Continue reading

MikroTik and Ubiquiti routers being Hijacked by Dyre Malware?


Came across several interesting articles that claim there is a change in the way Dyre (aka Upatre) malware is spreading. Dyre seems to be getting a lot of press as it is used in browser hijacks to compromise online banking credentials and other sensitive private data. However, most recently, instead of infecting hosts, it appears to be compromising routers as well. Blogger krebsonsecurity.com writes:

Recently, researchers at the Fujitsu Security Operations Center in Warrington, UK began tracking Upatre being served from hundreds of compromised home routers — particularly routers powered by MikroTik and Ubiquiti’s AirOS.

As I first started researching this, I was wondering how they determined the router itself is compromised and not a host that sits on a NAT behind the router. Certainly different devices leave telltale signs visible in an IP packet capture that help point towards the true origin of a packet, so it’s possible that something was discovered in that way. It’s also possible the router isn’t being compromised via the Internet, but rather on the LAN side as it would be much easier for malware to scan the private subnet it sits on and attempt to use well known Continue reading

Some notes when ordering Google’s Project Fi

I just ordered my "Project Fi" phone. You probably should, too. Here are some notes (especially near the bottom on getting a new phone number).

Project Fi is Google's MVNO. An "MVNO" is a virtual mobile phone company -- they don't have any of their own network backbone or cell towers, but just rent them from the real mobile phone companies (like AT&T or T-Mobile). Most mobile phone companies are actually MVNOs, because building a physical network is expensive.

What makes Google's MVNO interesting:
  • Straightforward pricing. It's $20 a month for unlimited calling/texting, plus $10 per gigabyte of data used during the month. It includes tethering.
  • No roaming charges, in 120 countries. I can fly to Japan, Australia, and France, and still use email, Google maps, texting -- for no extra charge.

The pricing is similar to other phone companies, a little less or a little more depending on exactly what you want. For around 3 gigs a month, Project Fi is cheaper than AT&T, but for 30 gigs, it's more expensive.

There are more and more MVNOs providing easy international roaming (like Ultra.me), and your own phone company is increasingly solving the problem. T-Mobile, for example, Continue reading

CyberUL is a dumb idea

Peiter “mudge” Zatko is leaving Google, asked by the White House to create a sort of a cyber “Underwriter Laboratories” (UL) for the government. UL is the organization that certifies electrical devices, so that they don’t short out and zap you to death. But here’s the thing: a CyberUL is a dumb idea. It’s the Vogon approach to the problem. It imagines that security comes from a moral weakness that could be solved by getting “serious” about the problem.

It’s not the hacking problem

According to data-breach reports, 95% of all attacks are simple things, like phishing, SQL injection, and bad passwords – nothing related to software quality. The other 5% is because victims are using old, unpatched software. When exploits are used, it’s overwhelmingly for software that has remained unpatched for a year.

In other words, CyberUL addresses less than 0.1% of real-world attacks.

It’s not the same quality problem

UL is about accidental failures in electronics. CyberUL would be about intentional attacks against software. These are unrelated issues. Stopping accidental failures is a solved problem in many fields. Stopping attacks is something nobody has solved in any field.

In other words, the UL model of accidents is Continue reading

Cisco and OpenDNS – The Name Of The Game?


This morning, Cisco announced their intent to acquire OpenDNS, a security-as-a-service (SaaS) provider based around the idea of using Domain Naming Service (DNS) as a method for preventing the spread of malware and other exploits. I’ve used the OpenDNS free offering in the past as a way to offer basic web filtering to schools without funds as well as using OpenDNS at home for speedy name resolution when my local name servers have failed me miserably.

This acquisition is curious to me. It seems to be a line of business that is totally alien to Cisco at this time. There are a couple of interesting opportunities that have arisen from the discussions around it, though.

Internet of Things With Names

The first and most obvious synergy between Cisco and OpenDNS is around the Internet of Things (IoT), or Internet of Everything (IoE) as Cisco has branded their offering. IoT/IoE has gotten a huge amount of attention from Cisco in the past 18 months as more and more devices come online, from thermostats to appliances to light sockets. The number of formerly dumb devices that now have wireless radios and computers to send information is staggering.

All of those devices depend Continue reading

How to build your own public key infrastructure

A major part of securing a network as geographically diverse as CloudFlare’s is protecting data as it travels between datacenters. Customer data and logs are important to protect but so is all the control data that our applications use to communicate with each other. For example, our application servers need to securely communicate with our new datacenter in Osaka, Japan.

CC BY-SA 2.0 image by kris krüg

Great security architecture requires a defense system with multiple layers of protection. As CloudFlare’s services have grown, the need to secure application-to-application communication has grown with it. As a result, we needed a simple and maintainable way to ensure that all communication between CloudFlare’s internal services stays protected, so we built one based on known and reliable protocols.

Our system of trust is based on a Public Key Infrastructure (PKI) using internally-hosted Certificate Authorities (CAs). In this post we will describe how we built our PKI, how we use it internally, and how to run your own with our open source software. This is a long post with lots of information, grab a coffee!

Protection at the application layer

Most reasonably complex modern web services are not made up of one monolithic Continue reading

VMware and Docker Deliver Greater Speeds through the Right Controls

This post was co-authored by Guido Appenzeller, CTSO of Networking and Security (@appenz), and Scott Lowe, Engineering Architect, Networking and Security Business Unit (@scott_lowe)

In today’s business environment, companies are being asked to go faster than ever before: faster time to market, faster response to customers, faster reactions to market shifts. Having a good idea isn’t enough; companies not only need to have a good idea, but they need to get it to market fast, and quickly iterate on improvements to that idea. Speed is a competitive advantage.

The phenomenal success of the open source Docker project is a reflection of the pressure on companies to go faster. Companies across all industries have recognized that successful development teams can be a competitive differentiator. However, developers needed a way to simplify and accelerate the development and deployment of applications and code, and found Docker was one way to help accomplish that. Docker has won a place in the hearts and minds of many developers for its ability to help simplify the development and deployment of many different types of applications.

At the same time, companies face a bewildering array of security threats. Security and compliance remain as important as Continue reading

Just Out: Metro- and Carrier Ethernet Encryptors Market Overview

Christoph Jaggi has just published the third part of his Metro- and Carrier Ethernet Encryptor trilogy: the 2015 market overview. Public versions of all three documents are available for download on his web site:

Packets of Interest (2015-06-19)

It’s been a while since I’ve done a POI so here we go.

The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns

https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/

Kaspersky Lab found this new variant of the Duqu malware in their own network. They wrote a paper based on their analysis of this new malware. It fascinates me how sophisticated these software packages are and how much effort the threat actors put into them.

Diffie-Hellman Key Exchange

Diffie-Hellman (DH) is the world’s first public key crypto system. It’s used in everything from secure browsing to secure shell. This video visually demonstrates how the Diffie-Hellman key exchange works. The best part is that you don’t need to know anything about crypto to follow along.

Passphrases That You Can Memorize – But That Even the NSA Can’t Guess

https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess/

Use this informative guide to generate secure, human-memorizable passphrases that are suitable for protecting your private PGP key, your private SSH key, and your master key for your password safe.

Encrypting Your Laptop Like You Mean It

https://firstlook.org/theintercept/2015/04/27/encrypting-laptop-like-mean/

A well written article about encrypting one’s laptop. Covers topics such as what disk encryption does and does not protect against, attacks against disk encryption, and Continue reading