Category Archives for "Security"

Obama’s War on Hackers


In next week's State of the Union address, President Obama will propose new laws against hacking that could make either retweeting or clicking on the above link illegal. The new laws make it a felony to intentionally access unauthorized information even if it's been posted to a public website. The new laws make it a felony to traffic in information like passwords, where "trafficking" includes posting a link.

You might assume that things would never become that bad, but it’s already happening even with the current laws. Prosecutors went after Andrew “weev” Auernheimer for downloading a customer list AT&T negligently made public. They prosecuted Barrett Brown for copying a URL to the Stratfor hack from one chatroom to another. A single click is all it takes. Prosecutors went after the PayPal-14 for clicking on a single link they knew would flood PayPal’s site with traffic.

Even if you don’t do any of this, you can still be guilty if you hang around with people who do. Obama proposes upgrading hacking to a “racketeering” offense, […]

Rules Shouldn’t Have Exceptions

On my way to Virtualization Field Day 4, I ran into a bit of a snafu at the airport that made me think about policy and application. When I put my carry-on luggage through the X-ray, the officer took it to the back and gave it a thorough screening. During that process, I was informed that my double-edged safety razor would not be able to make the trip (or the blade at least). I was vexed, as this razor had flown with me for at least a whole year with nary a peep from security. When I related as much to the officer, the response was “I’m sorry no one caught it before.”

Everyone Is The Same, Except For Me

This incident made me start thinking about policies in networking and security and how often they are arbitrarily enforced. We see it every day. The IT staff comes up with a new plan to reduce mailbox sizes or reduce congestion by enforcing quality of service (QoS). Everyone is all for the plan during the discussion stages. When the time comes to implement the idea, the exceptions start happening. Upper management won’t have mailbox limitations. The accounting department is […]

A Call for Better Vulnerability Response

Microsoft forced a self-serving vulnerability disclosure policy on the industry 10 years ago, but cries foul when Google does the same today.

Ten years ago, Microsoft dominated the cybersecurity industry. It employed, directly or through consultancies, the largest chunk of security experts. The ability to grant or withhold business meant influencing those consulting companies -- Microsoft didn't even have to explicitly ask for consulting companies to fire Microsoft critics for that to happen. Every product company depended upon Microsoft's goodwill in order to develop security products for Windows, engineering and marketing help that could be withheld on a whim.

This meant, among other things, that Microsoft dictated the "industry standard" of how security problems ("vulnerabilities") were reported. Cybersecurity researchers who found such bugs were expected to tell the vendor in secret, and give the vendor as much time as they needed in order to fix the bug. Microsoft sometimes sat on bugs for years before fixing them, relying upon their ability to blacklist researchers to keep them quiet. Security researchers who didn't toe the line found bad things happening to them.

I experienced this personally. We found a bug in a product called TippingPoint that allowed us to decrypt their […]

BGPSEC: Leaks and Leaks

This is the final post in my series on BGPSEC — I will probably follow this up, at some point, with a couple of posts on some alternatives to BGPSEC, and the larger issue of the evolution of BGP. Earlier posts in this series: Basic Operation; Protections Offered; Replays, Timers, and Performance; Signatures and Performance. In this final post, I […]

Author information

Russ White

Principal Engineer at Ericsson

Russ White is a Network Architect who's scribbled a basket of books, penned a plethora of patents, written a raft of RFCs, taught a trencher of classes, and done a lot of other stuff you either already know about — or don't really care about. You can find Russ at 'net Work, the Internet Protocol Journal, and his author page on Amazon.

The post BGPSEC: Leaks and Leaks appeared first on Packet Pushers Podcast and was written by Russ White.

Palo Alto Virtual Firewalls on Software Gone Wild

One of the interesting challenges in the Software-Defined Data Center world is the integration of network and security services with the compute infrastructure and network virtualization. Palo Alto claims to have tightly integrated their firewalls with VMware NSX and numerous cloud orchestration platforms - it was time to figure out how that’s done, so we decided to go on a field trip into the scary world of security.

Platitudes are only skin deep

I overdosed on Disney Channel over the holidays, because of course children control the remote. It sounds like it's teaching kids wholesome lessons, but if you pay attention, you'll realize it's not. It just repeats meaningless platitudes with no depth, and sometimes gets the platitudes wrong.

For example, it had a segment on the importance of STEAM education. This sounds a lot like "STEM", which stands for "science, technology, engineering, and math". Many of us believe in interesting kids in STEM. It's good for them, because they'll earn twice that of other college graduates. It's good for society, because there aren't enough technical graduates coming out of college to maintain our technology-based society. It's also particularly important for girls, because we still have legacy sexism that discourages girls from pursuing technical careers.

But Disney adds an 'A' in the middle, making STEM into STEAM. The 'A' stands for "Arts", meaning the entire spectrum of Liberal Arts. This is nonsense, because at this point, you've now included pretty much all education. The phrase "STEAM education" is redundant, conveying nothing more than simply "education".

What's really going on is that they attack the very idea they pretend to promote. Proponents of STEM […]

Anybody can take North Korea offline

A couple days after the FBI blamed the Sony hack on North Korea, that country went offline. Many suspected the U.S. government, but the reality is that anybody can do it -- even you. I mention this because of a Vox.com story that claims "There is no way that Anonymous pulled off this scale of an attack on North Korea". That's laughably wrong, overestimating the scale of North Korea's Internet connection, and underestimating the scale of Anonymous's capabilities.

North Korea has a roughly ~10-gbps link to the Internet for its IP addresses. That's only about ten times what Google Fiber provides. In other words, 10 American households can have as much bandwidth as the entire country. Anonymous's capabilities exceed this, scaling past 1-terabit/second, or a hundred times more than needed to take down North Korea.

Attacks are made easier due to amplifiers on the Internet, which can increase the level of traffic by about 100 times. Thus, in order to overload a 10-gbps link of your target, you only need a 100-mbps link yourself. This is well within the capabilities of a single person.

Such attacks are difficult to do from your home, because your network […]

The GoP pastebin hoax

Neither the FBI nor the press is terribly honest or competent when discussing "hackers". That's demonstrated by yesterday's "terrorists threaten CNN" story.

It started with Glenn Greenwald's paper The Intercept which reported:

The cyberterrorists who hacked Sony Pictures Entertainment’s computer servers have threatened to attack an American news media organization, according to an FBI bulletin obtained by The Intercept.

They were referring to this bulletin which says:

On 20 December, the GOP posted Pastebin messages that specifically taunted the FBI and USPER2 for the "quality" of their investigations and implied an additional threat. No specific consequence was mentioned in the posting.

Which was referring to this pastebin with the vague threat:

P.S. You have 24 hours to give us the Wolf.

Today, @DavidGarrettJr took credit for the Pastebin, claiming it was a hoax. He offered some evidence in the form of the following picture of his browser history:


Of course, this admission of a hoax could itself be a hoax, but it's more convincing than the original Pastebin. It demonstrates we have no reason to believe the original pastebin.

In the hacker underground, including pastebin, words get thrown around a lot. There was nothing in the pastebin that […]

Using IPv6 to Defeat Multi-tenancy Separation

I’ve always advised my clients to carefully plan the implementation of IPv6. The protocol opens new attack vectors on which ne’er-do-wells can assault your infrastructure. There are countless examples I’ve seen such as service providers locking down access to routers using IPv4 transport but leaving IPv6 transport completely open. About a year ago, I stumbled […]

Author information

Jeff Loughridge

Jeff Loughridge has been promoting simplicity in IP networks since 1997. In his role as principal consultant at Brooks Consulting, Jeff helps his clients design and operate large-scale wireline and wireless networks. Prior to starting his company in 2009, Jeff spent ten years at Sprint in engineer and manager positions.

The post Using IPv6 to Defeat Multi-tenancy Separation appeared first on Packet Pushers Podcast and was written by Jeff Loughridge.

Vendor Marketing as a Security Risk – Badge Scans and Sign-up Attack Vectors

Many old-style marketing people believe that capturing your contact information is the first step in making a sale. But any capture of your personal information is also leaking critical security information about your organisation, technology and personnel that are perfect for reconnaissance.


The post Vendor Marketing as a Security Risk – Badge Scans and Sign-up Attack Vectors appeared first on EtherealMind.

BGPSEC: Replays, Timers, and Performance

Let’s return to our simple four AS network to look at a number of issues with BGPSEC — the bits you won’t often hear discussed in just about any forum. Assume, for a moment, that AS65000 advertises some route, say 192.0.2.0/24, to AS65001, and not to AS65002. For whatever reason, a few days later, the […]

The post BGPSEC: Replays, Timers, and Performance appeared first on Packet Pushers Podcast and was written by Russ White.

That Spiegel NSA story is activist nonsense

Yet again activists demonstrate they are less honest than the NSA. Today, Der Spiegel has released more documents about the NSA. They largely confirm that the NSA is actually doing, in real-world situations, what we've suspected they can do. The text of the article describing these documents, however, wildly distorts what the documents show. A specific example is a discussion of something called "TUNDRA".

It is difficult to figure out why TUNDRA is even mentioned in the story. It's cited to support some conclusion, but I'm not sure what that conclusion is. It appears the authors wanted to discuss the "conflict of interest" problem the NSA has, but had nothing new to support this, so just inserted something at random. They are exploiting the fact the average reader can't understand what's going on. In this post, I'm going to describe the context around this.

TUNDRA was an undergraduate student project, as the original document makes clear, not some super-secret government program into cryptography. The purpose of the program is to fund students and find recruits, not to create major new advances in cryptography.

It's given a code-name "TUNDRA" and the paragraph in the document is labeled "TOP SECRET". The […]

Dear Leader’s Lesson in Confirmation Bias

Brian Krebs has a blogpost citing those who claim evidence of North Korea involvement in the massive Sony hack. He uses as an example the similarities between the Sony defacement and a South Korean defacement that was attributed to the North Koreans. He shows these two images side-by-side so that you can see that they are obviously similar.


However, they don't look similar at all. This is generally what all website defacements look like. Specifically, the common components among defacements are:
  • black background
  • green, red, and white foreground
  • "Hacked by" message
  • WARNING banner
  • Phrack-style headers (like ::: on either side of header)
  • Powerful picture in center, often a skull
  • Message that strokes the ego, often "we are legion" style
At the bottom of this post, I include a gallery of other defacement pictures, so that you can see that this is normal hacker underground culture.

There are certainly some similarities, such as the "we have all your data" message. But that's easily explained by the fact that the South Korean hack was widely popularized in the media, so it's easy to see how they would take this as inspiration. Or, it's just simply that if the goal of your […]

Expiring The Internet

An article came out this week that really made me sigh.  The title was “Six Aging Protocols That Could Cripple The Internet”.  I dove right in, expecting to see how things like Finger were old and needed to be disabled and removed.  Imagine my surprise when I saw things like BGP4 and SMTP on the list.  I really tried not to smack my own forehead as I flipped through the slideshow of how the foundation of the Internet is old and is at risk of meltdown.

If It Ain’t Broke

Engineers love the old adage “If it ain’t broke, don’t fix it!”.  We spend our careers planning and implementing.  We also spend a lot of time not touching things afterwards in order to prevent it from collapsing in a big heap.  Once something is put in place, it tends to stay that way until something necessitates a change.

BGP is a perfect example.  The basics of BGP remain largely the same from when it was first implemented years ago.  BGP4 has been in use since 1994 even though RFC 4271 didn’t officially formalize it until 2006.  It remains a critical part of how the […]

Ask a nerd

One should probably consult a lawyer on legal questions. Likewise, lawyers should probably consult nerds on technical questions. I point this out because of this crappy Lawfare post. It's on the right side of the debate (FBI's evidence pointing to North Korea is bad), but it's still crap.

For example, it says: "One hears a lot in cybersecurity circles that the government has “solved” the attribution problem". That's not true, you hear the opposite among cybersecurity experts. I suspect he gets this wrong because he's not talking about technical experts, but government circles. What government types in Washington D.C. say about cybersecurity is wholly divorced from reality -- you really ought to consult technical people.

He then says: "it is at least possible that some other nation is spoofing a North Korean attack". This is moronic, accepting most of the FBI's premise that a nation state sponsored the attack, and that we are only looking for which nation state this might be. In reality, the Sony hack is well within the capabilities of teenagers. The evidence is solid that Sony had essentially no internal security -- it required no special sophistication by the hacker. Anybody […]

Sony hack was the work of SPECTRE

The problem with hacking is that people try to understand it through analogies with things they understand. They try to fit new information into old stories/tropes they are familiar with. This doesn't work -- hacking needs to be understood in its own terms.

But since you persist in doing it this way, let me use the trope of SPECTRE to explain the Sony hack. This is the evil criminal/terrorist organization in the James Bond films that is independent of all governments. Let's imagine that it's SPECTRE who is responsible for the Sony hack, and how that fits within the available evidence.

This trope adequately explains the FBI "evidence" pointing to North Korea. SPECTRE has done work for North Korea, selling them weapons, laundering their money, and conducting hacking for them. While North Korea is one of their many customers, they aren't controlled by North Korea.

The FBI evidence also points to Iran, with the Sony malware similar to that used in the massive Saudi Aramco hack. That would make sense, since an evil organization like SPECTRE does business with all the evil countries. Conversely, the Iranian connection doesn't make sense if the Sony hack were purely the work of the […]

The FBI’s North Korea evidence is nonsense

The FBI has posted a press release describing why they think it's North Korea. While there may be more things we don't know, on its face it's complete nonsense. It sounds like they've decided on a conclusion and are trying to make the evidence fit. They don't use straightforward language, but confusing weasel words, like saying "North Korea actors" instead of simply "North Korea". They don't give details.

The reason it's nonsense is that the hacker underground shares code. They share everything: tools, techniques, exploits, owned-systems, botnets, and infrastructure. Different groups even share members. It is implausible that North Korea would develop its own malware from scratch.

Here's the thing with computer evidence: you don't need to keep it secret. It wouldn't harm Sony and wouldn't harm the investigation. It would help anti-virus and security vendors develop signatures to stop it. It would crowd source analysis, to see who it really points to. We don't need to take the FBI's word for it, we should be able to see the evidence ourselves. In other words, instead of saying "IP addresses associated with North Korea", they can tell us what those IP addresses are, like "203.131.222.102".

But […]

I just bought a ticket for The Interview

I care about free speech, a lot. Recently, hackers successfully threatened Sony in order to cancel the movie The Interview. Consequently, I just went online and purchased tickets for the movie -- even though Sony has announced they are going to cancel the premiere.

Free speech is only partly a government issue ("1st Amendment"). Throughout the world, speech is chilled more by thugs than by police. It could be youth gangs beating up journalists like in Russia, or Islamists killing cartoonists and movie makers. Even in America, we increasingly have a culture that seeks to silence debate, rather than countering bad speech with more speech.

There is action we can take, and it's this: when some are threatened, they should not stand alone. They can't kill, beat up, or dox all of us when we are many. We should draw pictures of Mohamed. We should criticize the despotic rule of Putin. We should buy tickets to The Interview and brag about it online.