Category Archives for "Security"

Some notes about Wassenaar

So #wassenaar has infected your timeline for the past several days. I thought I'd explain what the big deal is.

What's a Wassenaar?


It's a town in Europe where in 1996 a total of 41 nations agreed to an arms control treaty. The name of the agreement, the Wassenaar Arrangement, comes from the town. The US, Europe, and Russia are part of the agreement. Africa, Middle East, and China are not.

The primary goal of the arrangement is anti-proliferation, stopping uranium enrichment and chemical weapons precursors. Another goal is to control conventional weapons, keeping them out of the hands of regimes that would use them against their own people, or to invade their neighbors.

Historically in cybersec, we've complained that Wassenaar classifies crypto as a munition. This allows the NSA to eavesdrop and decrypt messages in those countries. This does little to stop dictators from getting their hands on strong crypto, but does a lot to prevent dissidents in those countries from encrypting their messages. Perhaps more importantly, it requires us to jump through a lot of bureaucratic hoops to export computer products, because encryption is built-in to virtually everything.

Why has this become important recently?


Last year, Wassenaar Continue reading

EFF and intrusion software regulation

To its credit, the EFF is better than a lot of other privacy groups like the ACLU or Privacy International. It at least acknowledges that regulating "evil" software can have unintended consequences on "good" software, that preventing corrupt governments from buying software also means blocking their dissidents from buying software to protect themselves. An example is this piece from several years ago that says:
"First and foremost, we want to make sure we do not leave activists with fewer tools than they already have. Parliament must be mindful of legislation just based on types of technology because broadly written regulations could have a net negative effect on the availability of many general-purpose technologies and could easily harm the very people that the regulations are trying to protect."
But that does not stop the EFF from proposing such regulations.

In that same piece, the EFF first proposes rules for transparency. This will not stop the bad companies, but will be a burden on the legitimate companies that have no interest in dealing with corrupt governments anyway. Most of this stuff is sold by small companies, like FinFisher, who focus on the "corrupt regime" market. They would not be embarrassed by transparency -- Continue reading

This is how we get ants

Today's Wassenaar proposal to limit 0days -- and thereby virtually all cybersecurity products -- is partly the result of lobbying by the ACLU and EFF. The principal technologist of the ACLU called 0day sellers "merchants of death". The EFF called for 0day sales to governments to be the center of any policy debate on cybersecurity.

Yet, they deny responsibility for Wassenaar -- because the regulations go too far, and appear to restrict virtually all cybersecurity software and any free-speech on the topic. These groups now back off and claim they never called for 0day restrictions in the first place.

For example, when the EFF said "exploit sales should be key point in cybersecurity debate", nowhere in the article does it explicitly call for a ban on exploit sales. Their focus was on limiting the actions of the NSA in buying exploits, not so much those who would sell the exploits.

This is true, but only technically. There's no conceivable situation where the US Government would unilaterally disarm itself of cyberweapons while allowing everyone else to purchase them. It's also not conceivable that when you've put that much work into calling 0days evil and unethical, that a reasonable Continue reading

Using Check Point Identity Awareness with NAT

Check Point Identity Awareness is problematic in environments that have multiple customers, overlapping private address space, and NAT. It can be done, if you understand the traffic flows, the connections needed, and how to combine several features. Here’s how I did it.

NB: This post is not a full explanation of Check Point Identity Awareness, nor is it a discussion of the product design decisions, good or bad. It assumes that the reader understands what Identity Awareness is, and focuses on how to implement it when you also need to use NAT. It will be pretty dull reading to everyone else.

Background: Typical Check Point Management Flows

A quick reminder of the traditional flows used for Check Point firewall management:

Check Point Management Clients (e.g. SmartDashboard, SmartLog) connect to the management server to configure policies, view logs, etc.

Policies are compiled and pushed from the management server to the firewall(s). Logs are sent from the firewall back to the management server. All good.

Identity Awareness: Additional Connections

Identity Awareness lets you define rules based upon user identities, rather than IP addresses. So you can say “This AD group is allowed to connect directly to the SQL Server.” Much nicer Continue reading

Do We Need NAC and 802.1x?

Another question I got in my Inbox:

What is your opinion on NAC and 802.1x for wired networks? Is there a better way to solve user access control at layer 2? Or is this a poor man's way to avoid network segmentation and internal network firewalls?

Unless you can trust all users (fat chance) or run a network with no access control (unlikely, unless you’re a coffee shop), you need to authenticate the users anyway.

Read more ...

Our Lord of the Flies moment

In its war on researchers, the FBI doesn't have to imprison us. Merely opening an investigation into a researcher is enough to scare away investors and bankrupt their company, which is what happened last week with Chris Roberts. The scary thing about this process is that the FBI has all the credibility, and the researcher none -- even among other researchers. After hearing only one side of the story, the FBI's side, cybersecurity researchers quickly turned on their own, condemning Chris Roberts for endangering lives by taking control of an airplane.



As reported by Kim Zetter at Wired, though, Roberts denies the FBI's allegations. He claims his comments were taken out of context, and that on the subject of taking control of a plane, it was in fact a simulator not a real airplane.

I don't know which side is telling the truth, of course. I'm not going to defend Chris Roberts in the face of strong evidence of his guilt. But at the same time, I demand real evidence of his guilt before I Continue reading

Those expressing moral outrage probably can’t do math

Many are discussing the FBI document where Chris Roberts ("the airplane hacker") claimed to an FBI agent that at one point, he hacked the plane's controls and caused the plane to climb sideways. The discussion hasn't elevated itself above the level of anti-vaxxers.

It's almost certain that the FBI's account of events is not accurate. The technical details are garbled in the affidavit. The FBI is notorious for hearing what they want to hear from a subject, which is why for years their policy has been to forbid recording devices during interrogations. If they need Roberts to have said "I hacked a plane" in order to get a search warrant, then that's what their notes will say. It's like cops who will yank the collar of a drug sniffing dog in order to "trigger" on drugs so that they have an excuse to search the car.

Also, security researchers are notorious for being misunderstood. Whenever we make innocent statements about what we "could" do, others often interpret this either as a threat or a statement of what we already have done.

Assuming this scenario is true, that Roberts did indeed control the plane briefly, many claim that this is especially Continue reading

Revolutionaries vs. Lawyers

I am not a lawyer; I am a revolutionary. I mention this in response to Volokh posts [1, 2] on whether the First Amendment protects filming police. It doesn't -- it's an obvious stretch, and relies upon concepts like a protected "journalist" class who enjoys rights denied to the common person. Instead, the Ninth Amendment, combined with the Declaration of Independence, is what makes filming police a right.

The Ninth Amendment simply says the people have more rights than those enumerated by the Bill of Rights. There are two ways of reading this. Some lawyers take the narrow view, that this doesn't confer any additional rights, but is just a hint on how to read the Constitution. Some take a more expansive view, that there are a vast number of human rights out there, waiting to be discovered. For example, some wanted to use the Ninth Amendment to insist "abortion" was a human right in Roe v. Wade. Generally, lawyers take the narrow view, because the expansive view becomes ultimately unworkable when everything is a potential "right".

I'm not a lawyer, but a revolutionary. For me, rights come not from the Constitution, Bill of Rights, or Supreme Continue reading

NSA: ad hominem is still a fallacy

An ad hominem attack is where, instead of refuting a person's arguments, you attack their character. It's a fallacy that enlightened people avoid. I point this out because of a The Intercept piece about how some of NSA's defenders have financial ties to the NSA. This is a fallacy.


The first rule of NSA club is don't talk about NSA club. The intelligence community frequently publishes rules to this effect to all their employees, contractors, and anybody else under their thumb. They don't want their people talking about the NSA, even in defense. Their preferred defense is lobbying politicians privately in back rooms. They hate having things out in the public. Or, when they do want something public, they want to control the messaging (they are control freaks). They don't want their supporters muddying the waters with conflicting messaging, even if it is all positive. What they fear most is bad supporters, the type that does more harm than good. Inevitably, some defender of the NSA is going to say "ragheads must die", and that'll be the one thing attackers will cherry pick to smear the NSA's reputation.

Thus, you can tell how close somebody is to the NSA by Continue reading

Some brief technical notes on Venom

Like you, I was displeased by the lack of details on the "Venom" vulnerability, so I thought I'd write up what little I found.

The patch to the source code is here. Since the note references CVE-2015-3456, we know it's venom:
http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c

Looking up those terms, I find writeups, such as this one from RedHat:
https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/

It comes down to a typical heap/stack buffer overflow (depending), where the attacker can write large amounts of data past the end of a buffer. Since this is the kernel, there are no protections like NX or ASLR. To exploit this, you'd likely need some knowledge of the host operating system.

The details look straightforward, which means a PoC should arrive by tomorrow.

This is a hypervisor privilege escalation bug. To exploit this, you'd sign up with one of the zillions of VPS providers and get a Linux instance. You'd then, likely, replace the floppy driver in the Linux kernel with a custom driver that exploits this bug. You have root access to your own kernel, of course, which you are going to escalate to root access of the hypervisor.

People suggest adding an exploit to toolkits like Continue reading

F5 APM, SRX and DTLS NAT Timeout

I have been having issues using the F5 APM client behind a Juniper SRX-110 using hide NAT. I believe I’ve tracked it down to the default timeout settings used for UDP services. Here’s what I did to resolve it.

Constant Connection Timeouts

The laptop client was behind the SRX-110, using hide NAT. The initial client connection would work, and things would look good for a while. Then the client would stop receiving packets. Traffic graphs would show a little bit of outbound traffic, and nothing inbound. Eventually, the client might decide it needed to reconnect. But usually, it would sit there for a few minutes doing nothing. Then I would force a disconnect, which would take a while, and then reconnect. Exceedingly frustrating.

Connecting the client to a different network – e.g. using a phone hotspot – worked fine. No dropouts. Using a wired connection behind the SRX had the same issue. So clearly the problem was related to the SRX.

TLS & DTLS

I dug into the traffic flows to better understand what was going on. This SSL VPN solution makes an initial TLS connection using TCP 443. It then switches over to DTLS using UDP 4433 for ongoing encrypted Continue reading

Check Point SmartLog – Recommended

Trigger warning for Check Point haters: I’m about to say nice things about Check Point.

Continuing the recent theme of Check Point-related posts, I’d like to give Check Point credit for once. SmartLog is what I always wanted from Tracker/Log Viewer, and they’re not even charging me extra for it. Shocking, I know.

Traditional Log Analysis

15-20 years ago, Check Point was well ahead of the competition when it came to viewing firewall logs. “Log Viewer” or “SmartView Tracker,”[1] let you filter logs by source, destination, service, etc., and quickly see what was happening. The GUI worked well enough, and junior admins could learn it quickly.

Most other firewalls only had syslog. That meant that your analysis tools were limited to grep and awk. Powerful yes, but a bit of a learning curve. There was also the problem of ‘saving’ a search – you’d end up hunting through your shell history, trying to recreate that 15-stage piped work of art. Splunk wasn’t around then.

Times Change

Tracker has several issues:

  • Log files are ‘flat’ files. It is a proprietary binary format, but it’s still flat, with no indexing. The format is very structured, but searches are slow when the files get large.
  • Searches Continue reading

Check Point – Don’t Use the ‘Install On’ Column

I got caught out by Check Point’s “Install On” column recently. Most people don’t need this setting any more, but it’s still there for legacy reasons. Time to re-evaluate.

When you create a firewall policy using Check Point, you define the set of possible installation targets. That is, the firewalls that this policy may be installed on. When you compile & install policy, you can choose from this list of targets, and only this list.

In the 4.1 days, we didn’t have this option. At install time, you had to choose from the complete list of firewalls. The default had all firewalls selected. You can imagine the merriment that ensued when someone would install the wrong policy on a firewall.

Most organisations will only have one installation target per policy. But sometimes you want to have the same policy on multiple firewalls. This is pretty easy to do, and might make sense if you have many common rules.

 

But then you say “What if I had 30 common rules, 50 that only applied to firewall A, and another 50 that only applied to firewall B?” That’s where people start using the “Install On” column. This lets you define at a Continue reading

Using VMware NSX, Log Insight, and vRealize Orchestrator to Improve Security

This post was written by Hadar Freehling, Security & Compliance Systems Engineer Specialist at VMware. The post originally appeared here on the dfudsecurity blog

***

There is a lot of power in having security controls in software. This is what I tell my customer, not just because I work for VMware. Why is that? The reason I find it so powerful is that I can now automate a lot of the security actions that used to be very manual. No more opening tickets to get a SPAN setup on the switch. No more waiting for a firewall change window to lock down a port. Not only that, I have visibility into the VM, like what apps are running and who started them, and what’s on the wire. I can protect different assets with different policies, and these policies can be dynamic.

With the help of my good friend John Dias (vRealize Orchestrator master), we created the following video to show some of the potential of having everything in software.

Here is the scenario of the workflow. You are a security person and want to stop all server admins and users from launching a putty session once they have RDPed into a server Continue reading

Replacing Central Router with a Next-Generation Firewall?

One of my readers sent me this question:

After reading this blog post and a lot of blog posts about zero trust mode versus security zones, what do you think about replacing L3 Data Center core switches by High Speed Next Generation Firewalls?

Long story short: just because someone writes about an idea doesn’t mean it makes sense. Some things are better left in PowerPoint.

Read more ...

How to fix the CFAA

Someone on Twitter asked for a blogpost on how I'd fix the CFAA, the anti-hacking law. So here is my proposal.

The major problem with the law is that the term "authorized" isn't clearly defined. You non-technical people think the meaning is obvious, because you can pick up a dictionary and simply point to a definition. However, in the computer world, things are a bit more complicated.

It's like a sign on a store window saying "No shirt, no shoes, no service" -- but you walk in anyway with neither. You know your presence is unwanted, but are you actually trespassing? Is your presence not "authorized"? Or, should we demand a higher standard, such as when the store owner asks you to leave (and you refuse) that you now are trespassing/unauthorized?

What happens on the Internet is that websites routinely make public data they actually don't want people to access. Is accessing such data unauthorized? We saw that a couple days ago, where Twitter accidentally published their quarterly results an hour early on their website. An automated script discovered this and republished Twitter's results to a wider audience, ironically using Twitter to do so. This caused $5-billion to drop off Continue reading