0

You shouldn’t be using gethostbyname() anyway

Today's GHOST vulnerability is in gethostbyname(), a Sockets API function from the early 1980s. That function has been obsolete for a decade. What you should be using is getaddrinfo() instead, a newer function that can also handle IPv6.

The great thing about getaddrinfo() is the fact that it allows writing code that is agnostic to the IP version. You can see an example of this in my heartleech.c program.

x = getaddrinfo(hostname, port, 0, &addr);
fd = socket(addr->ai_family, SOCK_STREAM, 0);
x = connect(fd, addr->ai_addr, (int)addr->ai_addrlen);

What you see here is your normal call to socket() and connect() just use the address family returned by getaddrinfo(). It doesn't care if that is IPv4, IPv6, or IPv7.

The function actually returns a list of addresses, which may contain a mixture of IPv4 and IPv6 addresses. An example is when you lookup www.google.com:

[ ] resolving "www.google.com"
[+]  74.125.196.105:443
[+]  74.125.196.147:443
[+]  74.125.196.99:443
[+]  74.125.196.104:443
[+]  74.125.196.106:443
[+]  74.125.196.103:443
[+]  [2607:f8b0:4002:801::1014]:443

My sample code just chooses the first one in the list, Continue reading

0

Using GNS3 for Basic Network Security Testing

(The original idea for this post came from a post my blog, “The Console Port,” which you can find at

0

Needs more Hitler

Godwin's law applies especially to inappropriate, inordinate, or hyperbolic comparisons with Nazis. The law would not apply to mainstays of Nazi Germany such as genocide, eugenics, racial superiority, or to a discussion of other totalitarian regimes, if that was the explicit topic of conversation, because a Nazi comparison in those circumstances may be appropriate.

Last week, I wrote a piece about how President Obama's proposed cyber laws were creating a Cyber Police State. The explicit topic of my conversation is totalitarian regimes.

This week, during the State of the Union address, I compared the text of Mein Kampf to the text of President Obama's speech. Specifically, Mein Kampf said this:

The state must declare the child to be the most precious treasure of the people. As long as the government is perceived as working for the benefit of the children, the people will happily endure almost any curtailment of liberty and almost any deprivation.

Obama's speech in support of his cyber legislation says this:

No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or Continue reading

0

Drums of cyberwar: North Korea’s cyber-WMDs

People ask me if today's NYTimes story changes my opinion that North Korea didn't do the Sony hack. Of course it doesn't. Any rational person can tell that the story is bogus. Indeed, such stories hint the government is hiding something.

The story claims the NSA has thoroughly hacked North Korea since 2010, and that's what enabled the US government to tell who was responsible for the Sony hack. But if this were true, then we hacked first, and the Sony hack is retaliation -- meaning we had no justification for Obama's sanctions. But, if the story is false, then again sanctions against North Korea aren't justified, because we don't have the proof our government claims. True or false, this story means the U.S. sanctions against North Korea aren't justified.

The reason this story is nonsense is that it's not journalism. It relies almost entirely on anonymous sources in the government. These aren't anonymous whistle-blowers who fear retaliation, but government propagandists who don't want to be held accountable. The government exploits the New York Times, promising them exclusive breaking news in exchange for them publishing propaganda. This allows government to have a story that is simultaneous true and false, Continue reading

0

Notes on the CIA spying case

The CIA announced it wasn't going to punish those responsible for spying/hacking on Senate computers. Since journalists widely get this story wrong, I thought I'd write up some notes getting it right. That's because while the CIA organization is guilty of gross misconduct, it's actually likely that no individual employees did anything wrong. The organization is guilty, but (possibly) the people aren't.

The first thing to note is that no hacking happened. These were CIA computers, at a CIA facility, managed by CIA sysadmins, who had the admin passwords.

That's the complicated bit. In 2009 when the Intelligence committee demanded to look at the torture/interrogation documents, the CIA balked about the security issues of staffers taking documents offsite. Therefore, they came to an agreement with the Senate: the CIA would set up a special secured network at their building, disconnected from the rest of the CIA network. The Senate staffers would go there to work. Documents would be transferred from the CIA's main network onto this special network by hand (probably USB flash drive or something).

The Senate committee didn't have to agree to this. By law, they have oversight, and can make decisions that screw the CIA. But the Continue reading

0

Obama’s War on Hackers

Ha ha. New York Times accidentally posted their employee database to their website: SSN, passwords, and salaries: https://t.co/1dLdUXG2tT
— Rob Graham (@ErrataRob) January 14, 2015

In next week's State of the Union address, President Obama will propose new laws against hacking that could make either retweeting or clicking on the above link illegal. The new laws make it a felony to intentionally access unauthorized information even if it's been posted to a public website. The new laws make it a felony to traffic in information like passwords, where "trafficking" includes posting a link.

You might assume that things would never become that bad, but it’s already happening even with the current laws. Prosecutors went after Andrew “weev” Auernheimer for downloading a customer list AT&T negligently made public. They prosecuted Barret Brown for copying a URL to the Stratfor hack from one chatroom to another. A single click is all it takes. Prosecutors went after the PayPal-14 for clicking on a single link they knew would flood PayPal’s site with traffic.

Even if you don’t do any of this, you can still be guilty if you hang around with people who do. Obama proposes upgrading hacking to a “racketeering” offense, Continue reading

0

Rules Shouldn’t Have Exceptions

On my way to Virtualization Field Day 4, I ran into a bit of a snafu at the airport that made me think about policy and application. When I put my carry-on luggage through the X-ray, the officer took it to the back and gave it a thorough screening. During that process, I was informed that my double-edged safety razor would not be able to make the trip (or the blade at least). I was vexed, as this razor had flown with me for at least a whole year with nary a peep from security. When I related as much to the officer, the response was “I’m sorry no one caught it before.”

Everyone Is The Same, Except For Me

This incident made me start thinking about polices in networking and security and how often they are arbitrarily enforced. We see it every day. The IT staff comes up with a new plan to reduce mailbox sizes or reduce congestion by enforcing quality of service (QoS). Everyone is all for the plan during the discussion stages. When the time comes to implement the idea, the exceptions start happening. Upper management won’t have mailbox limitations. The accounting department is Continue reading

0

A Call for Better Vulnerability Response

Microsoft forced a self-serving vulnerability disclosure policy on the industry 10 years ago, but cries foul when Google does the same today.

Ten years ago, Microsoft dominated the cybersecurity industry. It employed, directly or through consultancies, the largest chunk of security experts. The ability to grant or withhold business meant influencing those consulting companies -- Microsoft didn't even have to explicitly ask for consulting companies to fire Microsoft critics for that to happen. Every product company depended upon Microsoft's goodwill in order to develop security products for Windows, engineering and marketing help that could be withheld on a whim.

This meant, among other things, that Microsoft dictated the "industry standard" of how security problems ("vulnerabilities") were reported. Cybersecurity researchers who found such bugs were expected to tell the vendor in secret, and give the vendor as much time as they needed in order to fix the bug. Microsoft sometimes sat on bugs for years before fixing them, relying upon their ability to blacklist researchers to keep them quiet. Security researchers who didn't toe the line found bad things happening to them.

I experienced this personally. We found a bug in a product called TippingPoint that allowed us to decrypt their Continue reading

0

BGPSEC: Leaks and Leaks

This is the final post in my series on BGPSEC — I will probably follow this up, at some point, with a couple of posts on some alternatives to BGPSEC, and the larger issue of the evolution of BGP. Basic Operation Protections Offered Replays, Timers, and Performance Signatures and Performance In this final post, I […]

Author information

The post BGPSEC: Leaks and Leaks appeared first on Packet Pushers Podcast and was written by Russ White.

0

Mikrotik L2TP with IPsec for mobile clients

I got some questions about how to configure Mikrotik to act as L2TP Server with IPsec encryption for mobile clients. I know this is not exactly in the line of this blog oriented on enterprise networks, but it’s network technology in the end so I’ll try to cover it here.

Read more on Mikrotik L2TP with IPsec for mobile clients…

0

Palo Alto Virtual Firewalls on Software Gone Wild

One of the interesting challenges in the Software-Defined Data Center world is the integration of network and security services with the compute infrastructure and network virtualization. Palo Alto claims to have tightly integrated their firewalls with VMware NSX and numerous cloud orchestration platforms - it was time to figure out how that’s done, so we decided to go on a field trip into the scary world of security.

Read more ...

0

Platitudes are only skin deep

I overdosed on Disney Channel over the holidays, because of course children control the remote. It sounds like it's teaching kids wholesome lessons, but if you pay attention, you'll realize it's not. It just repeats meaningless platitudes with no depth, and sometimes gets the platitudes wrong.

For example, it had a segment on the importance of STEAM education. This sounds a lot like "STEM", which stands for "science, technology, engineering, and math". Many of us believe in interesting kids in STEM. It's good for them, because they'll earn twice that of other college graduates. It's good for society, because there aren't enough technical graduates coming out of college to maintain our technology-based society. It's also particularly important for girls, because we still have legacy sexism that discourages girls from pursuing technical careers.

But Disney adds an 'A' in the middle, making STEM into STEAM. The 'A' stands for "Arts", meaning the entire spectrum of Liberal Arts. This is nonsense, because at this point, you've now included pretty much all education. The phrase "STEAM education" is redundant, conveying nothing more than simply "education".

What's really going on is that they attack the very idea they pretend to promote. Proponents of STEM Continue reading

0

Anybody can take North Korea offline

A couple days after the FBI blamed the Sony hack on North Korea, that country went offline. Many suspected the U.S. government, but the reality is that anybody can do it -- even you. I mention this because of a Vox.com story that claims "There is no way that Anonymous pulled off this scale of an attack on North Korea". That's laughably wrong, overestimating the scale of North Korea's Internet connection, and underestimating the scale of Anonymous's capabilities.

North Korea has a roughly ~10-gbps link to the Internet for it's IP addresses. That's only about ten times what Google fiber provides. In other words, 10 American households can have as much bandwidth as the entire country. Anonymous's capabilities exceed this, scaling past 1-terabit/second, or a hundred times more than needed to take down North Korea.

Attacks are made easier due to amplifiers on the Internet, which can increase the level of traffic by about 100 times. Thus, in order to overload a 10-gbps link of your target, you only need a 100-mbps link yourself. This is well within the capabilities of a single person.

Such attacks are difficult to do from your home, because your network Continue reading

0

The GoP pastebin hoax

On 20 December, the GOP posted Pastebin messages that specifically taunted the FBI and USPER2 for the "quality" of their investigations and implied an additional threat. No specific consequence was mentioned in the posting.

Which was refering to this pastebin with the vague threat:

P.S. You have 24 hours to give us the Wolf.

Today, @DavidGarrettJr took credit for the Pastebin, claiming it was a hoax. He offered some evidence in the form of the following picture of his browser history:


Of course, this admission of a hoax could itself be a hoax, but it's more convincing than the original Pastebin. It demonstrates we have no reason to believe the original pastebin.

In the hacker underground, including pastebin, words get thrown around a lot. There was nothing in the pastebin that Continue reading

0

Using IPv6 to Defeat Multi-tenancy Separation

I’ve always advised my clients to  carefully plan the implementation of IPv6. The protocol opens new attack vectors on which ne’er-do-wells can assault your infrastructure. There are countless examples I’ve seen such as service providers locking down access to routers using IPv4 transport but leaving IPv6 transport completely open. About a year ago, I stumbled […]

Author information

The post Using IPv6 to Defeat Multi-tenancy Separation appeared first on Packet Pushers Podcast and was written by Jeff Loughridge.

0

Vendor Marketing as a Security Risk – Badge Scans and Sign-up Attack Vectors

Many old-style marketing people believe that capturing your contact information is the first step in making a sale. But any capture of your personal information is also leaking critical security information about your organisation, technology and personnel that are perfect for reconnaisance.

The post Vendor Marketing as a Security Risk – Badge Scans and Sign-up Attack Vectors appeared first on EtherealMind.

0

BGPSEC: Replays, Timers, and Performance

Let’s return to our simple four AS network to look at a number of issues with BGPSEC — the bits you won’t often hear discussed in just about any forum. Assume, for a moment, that AS65000 advertises some route, say 192.0.2.0/24, to AS65001, and not to AS65002. For whatever reason, a few days pater, the […]

Author information

The post BGPSEC: Replays, Timers, and Performance appeared first on Packet Pushers Podcast and was written by Russ White.

0

That Spiegel NSA story is activist nonsense

Yet again activists demonstrate they are less honest than the NSA. Today, Der Spiegel has released more documents about the NSA. They largely confirm that the NSA is actually doing, in real-world situations, what we'ved suspected they can do. The text of the article describing these documents, however, wildly distorts what the documents show. A specific example is a discussion of something call "TUNDRA".

It is difficult to figure out why TUNDRA is even mentioned in the story. It's cited to support some conclusion, but I'm not sure what that conclusion is. It appears the authors wanted to discuss the "conflict of interest" problem the NSA has, but had nothing new to support this, so just inserted something at random. They are exploiting the fact the average reader can't understand what's going on. In this post, I'm going to describe the context around this.

TUNDRA was a undergraduate student project, as the original document makes clear, not some super-secret government program into cryptography. The purpose of the program is to fund students and find recruits, not to create major new advances in cryptography.

It's given a code-name "TUNDRA" and the paragraph in the document is labeled "TOP SECRET". The Continue reading

0

How to integrate F5 BIG-IP VE with GNS3

I would like to start by saying Merry Christmas and Happy Holidays season to all. In between spending time with my family, decorating the Christmas three and opening presents, I did find some time to play around with my hobby and testing something in the lab.

Read more on How to integrate F5 BIG-IP VE with GNS3…

0

Dear Leader’s Lesson in Confirmation Bias

Brian Krebs has a blogpost citing those who claim evidence of North Korea involvement in the massive Sony hack. He uses as an example the similarities between the Sony defacement and a South Korean defacement that was attributed to the North Koreans. He shows these two images side-by-side so that you can see that they are obvious similar.