Startup Radar: Menlo Security Taps Containers To Stop Malware
Startup Menlo Security tackles endpoint malware prevention using containers to proxy Web and email sessions.
Author information
The post Startup Radar: Menlo Security Taps Containers To Stop Malware appeared first on Packet Pushers Podcast and was written by Drew Conry-Murray.
How would you use Lua scripting in a DNS server?
I'm currently putting Lua into a DNS server, and I'm trying to figure out how people would use it.A typical application would be load-balancing. How I would do this is to create a background Lua thread that frequently (many times a second) queried an external resource to discover current server utilitzation, then rewrote the RRset for that server to put the least utilized server first. This would technically change the zone, but wouldn't be handled as such (i.e. wouldn't trigger serial number changes, wouldn't trigger notification of slave zones).
Such a thread could be used for zone backends. Right now, DNS servers support complex backends like SQL servers and LDAP servers. Instead of making the server code complex, this could easily be done with a Lua thread, that regularly scans an SQL/LDAP server for changes and updates the zone in memory with the changes.
Both these examples are updating static information. One possible alternative is to execute a Lua script on each and every DNS query, such as adding a resource record to a zone that would look like this:
*.foo.example.com. TXT $LUA:my_script
Every query would cause the script to be executed. There are some Continue reading
Because dossiers
Here's the thing about computers -- even your laptop can support "big-data" applications. There are only 300-million people in the united states. At 1-kilobyte per person, that's still only 300-gigabytes -- which fits on my laptop hard-drive.Building dossiers is becoming a thing in the hacking underground. Every time they break into a retail chain, hospital, insurance company, or government agency, they correlate everything back to the same dossier, based on such things as social security numbers, credit card numbers, email addresses, and even IP addresses. Beyond hacked secrets, public sources of information are likewise scanned in order to add to the dossier. Tools such as Maltego make it surprisingly easy to combine your own private information with public sources in order to build such dossiers.
When even the small hacking groups are focused on this effort, you can bet the big guys like China and Russia are even more interested in this.
This is one explanation behind the OPM hack. The hackers may have had something specific in mind, such as getting the personal information from SF86 forms where those seeking clearance are forced to disclose their various addictions and perversions. It may be used to blackmail people -- Continue reading
Should I panic because Lastpass was hacked?
Maybe, maybe not. Lastpass uses 100000 iterations in its PBKDF2 algorithm. If you chose a long, non-dictionary password, nobody can crack it. Conversely, if you haven't, then yes, you need to change it.I benchmarked this on my computer using "oclHashcat". It's not an exact match with the Lastpass algorithm, but it's close enough to show the performance.
As you can see, my machine is getting 2577 (two and a half thousand) random password guesses per second. This may sound like a lot, but it's not not, because cracking passwords is exponentially difficult.
Consider normal hashes, not the stronger ones used by Lastpass. My desktop can crack 1 billion of those per second. Consider that a password can be built from UPPER and lower case letters, numbers, and punctuation marks -- or about 64 variations per character.
In this case, a 5 letter password has 1 billion combinations, so a fast computer can guess it in a second. Adding one letter, with it's 64 different possibilities, makes this 64 times harder, meaning it'll take a minute. Another letter (7), and it becomes an hour. Another letter (to 8), and it becomes several days. Another letter (9), and it becomes a Continue reading
How to code: lesson 27
I was reading some code on the Internet today and came across this:
The thing to notice is the hang & symbols in front of the variables, instead of just making things line up. It's a stylistic quirk of the author of this code. It's a good lesson on what not to do.
There is only one important style rule and it is this: make your code look like everyone else's. The question isn't whether it's good or bad, only that it's unusual. Yes, this quick is relatively insignificant, but I point it out is that you should not be tempted, even on the smallest of things.
You see this with the evolution of programmers. In the beginning, their code is quirky as hell. Over time, as they they are exposed to more and more source by others, they start to see how these quirks are irritating, and stop doing them in their own code. The style becomes blander and blander -- but at the same time, the greatness of their construction of the code starts to shine.
When you start writing great code, you'll eventually have to break this rule and do something big and strange. For example, I Continue reading
How we really know the Sunday Times story is bogus
Stories sourced entirely from "anonymous senior government officials" are propaganda, not journalism. The identities of the sources are hidden not to protect them from speaking out against the government, since they are in fact delivering exactly the message the government wants to get out. Instead, their identities are kept secret so that their message cannot be challenged.It's not just me claiming this. Every journalistic organization criticizes the practice. Every set of journalistic ethics guidelines calls this unethical.
Yet, somehow it keeps happening. The latest example is the The Sunday Times, Britains largest newspaper, reporting government officials critical of Snowden. We know the story is bogus, because it quotes solely government official spouting the party line. Moreover, even if that weren't the case, it's obvious propaganda, arguing one side of the story, and not even attempting to get the other point of view from Russia, China, or Snowden himself. Snowden is often quoted in newspapers, he can't be that hard to get a hold of. Not contacting Snowden for his side is also a violation of journalistic ethics.
I point this out because there are lots of good criticisms of the story, for example, pointing out that the correct term Continue reading
Global Collateral Damage of TMnet leak
The Washington Post recently published a great piece about the development and current weaknesses of the Border Gateway Protocol (BGP, which is used to route all Internet traffic). This morning Telekom Malaysia (a.k.a TMnet) helped to illustrate the points made in the article by leaking almost half of the global routing table via Level 3 at 08:44 UTC.
Some of the most affected companies were those peering with Telekom Malaysia. The following graphics illustrate the impact to routes from Amazon and Cloudflare.
 |
 |
Google’s extensive peering likely insulated it from some of the effects of having its routes leaked. However, it didn’t escape the incident completely unscathed. Here is an example of a normal traceroute to Google’s data center in Council Bluffs, Iowa from Prague, which goes via Frankfurt and London before crossing the Atlantic Ocean.
trace from Prague to Google, Council Bluffs, IA at 02:45 Jun 11, 2015
1 *
2 212.162.8.253 ge-6-14.car2.Prague1.Level3.net 16.583
3 4.69.154.135 ae-3-80.edge3.Frankfurt1.Level3.net 22.934
4 4.68.70.186 Level 3 (Frankfurt, DE) 23.101
5 209.85.241.110 Google (Frankfurt, DE) 23.796
6 209.85.250.143 Google (Frankfurt, DE) 24.086
7 72.14.235.17 Google (London, GB) 32.709
8 209.85.247.145 Google (New York City) 103.091
9 216.239.46.217 Google (Council Bluffs) 133.098
10 209.85.250.4 Google (Council Bluffs) 133.245
11 216.239.43.217 Google (Council Bluffs) 133. Continue reading
Worth Reading 06:12
According to the Data Center Journal:
What’s the problem with IT resumes? They’re useless.
The real problem with IT resumes, though, is we want to see a long list of technologies, because we want to find the specific technology we want to implement (or are implementing) — rather than a good engineer. The hiring process is a fishing expedition rather than a search for solid talent and personality fit. If we want to fix this problem we can. The question is — do we want to?
Bruce Schneier has some wise thoughts on airport security this week —
We don’t need perfect airport security. We just need security that’s good enough to dissuade someone from building a plot around evading it. If you’re caught with a gun or a bomb, the TSA will detain you and call the FBI. Under those circumstances, even a medium chance of getting caught is enough to dissuade a sane terrorist
Replace “airport” with “network,” and you get the drift of where network security is going, I think. Of course, there’s the reality that you can’t stop insane attackers… Worth remembering. The same point can be made for network uptime, by the way. Perfection is Continue reading
Intel has 4 processor lines
Just a quick note: Intel has four different processor lines -- or four different "microarchitectures". All Intel processors support the x86 instruction set externally, but have very different microarchitectures internally.To start with is their mainstream processor in desktops, notebooks, servers, and supercomputers. This accounts for the bulk of their business, and what we think of as an "Intel processor". The latest version of this microarchitecture is "Broadwell". Previous versions have been Haswell, Ivy Bridge, Sandy Bridge. It's sold as the Xeon, Core i7/i5/i3, Pentium, Celeron, etc.
Then there is the low power processor to compete against ARM in cellphone devices known as the "Atom". There are have been two radically different versions of this processor. The older version of the microarchitecture from 2008 was known as "Bonnel", and it kinda sucked (dual-issue, but in-order). The newer version of the microarchitecture, "Silvermont", is out-of-order, and is much better. Atom processors are just as power efficient as ARM processors. Indeed, many phones use them without people really being aware of the difference. I point this out because there is a widespread misconception that ARM processors are more power efficient than Intel processors. Note that all these processors are 64-bit internally, though Continue reading
Is IoT a Threat or an Opportunity for Service Providers?
Implications of IoT for service providers.
BRKSEC-2137 – Snort Implementation in Cisco Products
Presenter: Eric Kostlan, Technical Marketing Engineer, Cisco Security Technologies Group
Above all, Snort is a community –Eric
Snort stats
- over 4 million downloads
- nearly 500,000 registered users
Snort was created in 1998 (!!). Sourcefire founded in 2001.
The Snort engine
- Packet sniffer (DAQ)
- Packet decoder
- Preprocessors
- Detection engine
- Output module
DAQ – packet acquisition library(ies?). Snort leverages this to pull packets off the wire (Snort doesn’t have its own built-in packet capture abilities). DAQ provides a form of abstraction between the Snort engine and the hardware where the bits are flowing. DAQ – Data AcQusition. DAQ modes: inline, passive or read from file.
Packet decoder – look for header anomalies, look for weird TCP flags, much more. Generator id (GID) is 116 for the packet decoder. Decodes Layer and Layer 3 protocols with a focus on TCP/IP suite.
Preprocessors – apply to Layer 3, 4, and 7 protocols. “Protocol decoders”. Normalizes traffic. Major preprocessors: frag3 (reassembly), stream5 (reconstruct TCP streams), http_inspect (normalizes http traffic), protocol decoders (telnet, ftp, smtp, so on).
Detection engine – various performance settings (eg, how long to spend on regex). Two components: rule builder and inspection component. Rule builder: assembles the rules into Continue reading
Cisco Security Has a Job Waiting for John Chambers
Security is pervasive to networking, so it's an area Chambers will keep an eye on.
BRKSEC-2139: Advanced Malware Protection
Presenter: Eric Howard, Techincal Marketing Engineer
Why aren’t we stopping all the malware???
The term “APT” has become the boogey man of cyber security. :-)
You don’t need to know squat about writing malware in order to launch malware
- Malware rentals
- Malware as a Service (swipe CC, pay bitcoin)
Why aren’t we stopping all the malware?
- To solve the malware problem is to follow a very involved, multi-step process. Not every step can be automated; humans are needed (analysis, triage, more). This makes the process expensive, too.
- There’s no silver bullet
Product does not solve the issue. Process is required, too. Ideally, good process backed by good product.
If you knew you were going to be compromised, would you do security differently? — Marty Roesch, Cheif Architect, Cisco Security, founder of Sourcefire
Do security different:
- Plan A – Prevention: shore up the environment; dig a bigger moat, build thicker walls
- Plan B – Retrospection: track system behaviors without regard for disposition (ie, do this for everything, not just known malware but also “known good” and “unknown”)
Plan A
- 1-to-1 signatures: like anti-virus; also hashes; AV vendors only enable 8-10% of their rules; AMP cloud runs all sigs all the time; Continue reading
vArmour Releases Free Visibility Tool for Data Center Security
Visibility is the first step toward data center security, vArmour reasons.
Do We Still Need Subnets in Virtualized Networks?
The proponents of microsegmentation are quick to explain how the per-VM-NIC traffic filtering functionality replaces the traditional role of subnets as security zones, often concluding that “you can deploy as many tenants as you wish in a flat network, and use VM NIC firewall to isolate them.”
Read more ...BRKSEC-2010: Emerging Threats – The State of Cyber Security
Presenter: Craig Williams (@security_craig) – Sr Technical Leader / Security Outreach Manager, Cisco TALOS
I’m from Talos. We love to stop bad guys.
Talos by the numbers:
- 1.1 million incoming malware samples per day
- 1.5 billion Sender Base reputation queries per day
Talos has a serious amount of data. For serious.
Data is key. It allows generation of real threat intel.
We basically have a bottomless pit of data
Talos vuln dev team:
- Looking for ways to programmatically find 0-days
- Takes this research and feeds it back into Cisco to a) make Cisco products more secure and b) generate sigs and threat intel to protect customers
With ransomware, you’re basically funding the malware underground.
Malvertizing:
- Malicious ads which redirect user to malware and then infects them
- Kyle & Stan campaign dynamically generated a new .exe every time it was downloaded; prevented matching on the file hash; Cisco AMP can stay on the bleeding edge of this
- blogs.cisco.com/security/talos/kyle-and-stan
Destructive/Wiper Malware:
- Targets your data
- Not just file data, but also seen targetting network devices and wiping their configs
- Cryptolocker 2.0: uses TOR for C&C; encrypted binary to avoid hash fingerprinting; anti-VM check
- Cryptolocker 3.0: still Continue reading
Cisco’s Newest Network Security Product Is the Entire Network
Rather than relying on point products, enterprises should let the network become a security sensor and enforcer, Cisco says.
What’s the state of iPhone PIN guessing
I think even some experts have gotten this wrong, so I want to ask everyone: what's the current state-of-the-art for trying to crack Apple PIN codes?This is how I think it works currently (in iOS 8).
To start with, there is a special "crypto-chip" inside the iPhone that holds your secrets (like a TPM or ARM TrustZone). I think originally it was ARM's TrustZone, but now that Apple designs its own chips, that they've customized it. I think they needed to add stuff to make Touch ID work.
All the data (on the internal flash drive) is encrypted with a random AES key that nobody, not even the NSA, can crack. This random AES key is stored on the crypto-chip. Thus, if your phone is stolen, the robbers cannot steal the data from it -- as long as your phone is locked properly.
To unlock your phone, you type in a 4 digit passcode. This passcode gets sent to the crypto-chip, which verifies the code, then gives you the AES key needed to decrypt the flash drive. This is all invisible, of course, but that's what's going on underneath the scenes. Since the NSA can't crack the AES key Continue reading
Juniper’s Security CTO, Christofer Hoff, Leaves the Valley
Juniper loses a big name to the world outside Silicon Valley.
Menlo Security Raises $25M for Its Isolation Platform
If you can't secure the endpoints, Menlo figures you might as well eliminate them.