Palo Alto Virtual Firewalls on Software Gone Wild
One of the interesting challenges in the Software-Defined Data Center world is the integration of network and security services with the compute infrastructure and network virtualization. Palo Alto claims to have tightly integrated their firewalls with VMware NSX and numerous cloud orchestration platforms - it was time to figure out how that’s done, so we decided to go on a field trip into the scary world of security.
Read more ...Platitudes are only skin deep
I overdosed on Disney Channel over the holidays, because of course children control the remote. It sounds like it's teaching kids wholesome lessons, but if you pay attention, you'll realize it's not. It just repeats meaningless platitudes with no depth, and sometimes gets the platitudes wrong.For example, it had a segment on the importance of STEAM education. This sounds a lot like "STEM", which stands for "science, technology, engineering, and math". Many of us believe in interesting kids in STEM. It's good for them, because they'll earn twice that of other college graduates. It's good for society, because there aren't enough technical graduates coming out of college to maintain our technology-based society. It's also particularly important for girls, because we still have legacy sexism that discourages girls from pursuing technical careers.
But Disney adds an 'A' in the middle, making STEM into STEAM. The 'A' stands for "Arts", meaning the entire spectrum of Liberal Arts. This is nonsense, because at this point, you've now included pretty much all education. The phrase "STEAM education" is redundant, conveying nothing more than simply "education".
What's really going on is that they attack the very idea they pretend to promote. Proponents of STEM Continue reading
Anybody can take North Korea offline
North Korea has a roughly ~10-gbps link to the Internet for it's IP addresses. That's only about ten times what Google fiber provides. In other words, 10 American households can have as much bandwidth as the entire country. Anonymous's capabilities exceed this, scaling past 1-terabit/second, or a hundred times more than needed to take down North Korea.
Attacks are made easier due to amplifiers on the Internet, which can increase the level of traffic by about 100 times. Thus, in order to overload a 10-gbps link of your target, you only need a 100-mbps link yourself. This is well within the capabilities of a single person.
Such attacks are difficult to do from your home, because your network Continue reading
The GoP pastebin hoax
Neither the FBI nor the press is terribly honest or competent when discussing "hackers". That's demonstrated by yesterday's "terrorists threaten CNN" story.
It started with Glenn Greenwald's paper The Intercept which reported:
The cyberterrorists who hacked Sony Pictures Entertainment’s computer servers have threatened to attack an American news media organization, according to an FBI bulletin obtained by The Intercept.
They were refering to this bulletin which says:
On 20 December, the GOP posted Pastebin messages that specifically taunted the FBI and USPER2 for the "quality" of their investigations and implied an additional threat. No specific consequence was mentioned in the posting.Which was refering to this pastebin with the vague threat:
P.S. You have 24 hours to give us the Wolf.Today, @DavidGarrettJr took credit for the Pastebin, claiming it was a hoax. He offered some evidence in the form of the following picture of his browser history:
Of course, this admission of a hoax could itself be a hoax, but it's more convincing than the original Pastebin. It demonstrates we have no reason to believe the original pastebin.
In the hacker underground, including pastebin, words get thrown around a lot. There was nothing in the pastebin that Continue reading
Using IPv6 to Defeat Multi-tenancy Separation
I’ve always advised my clients to carefully plan the implementation of IPv6. The protocol opens new attack vectors on which ne’er-do-wells can assault your infrastructure. There are countless examples I’ve seen such as service providers locking down access to routers using IPv4 transport but leaving IPv6 transport completely open. About a year ago, I stumbled […]
Author information
The post Using IPv6 to Defeat Multi-tenancy Separation appeared first on Packet Pushers Podcast and was written by Jeff Loughridge.
Vendor Marketing as a Security Risk – Badge Scans and Sign-up Attack Vectors
Many old-style marketing people believe that capturing your contact information is the first step in making a sale. But any capture of your personal information is also leaking critical security information about your organisation, technology and personnel that are perfect for reconnaisance.
The post Vendor Marketing as a Security Risk – Badge Scans and Sign-up Attack Vectors appeared first on EtherealMind.
BGPSEC: Replays, Timers, and Performance
Let’s return to our simple four AS network to look at a number of issues with BGPSEC — the bits you won’t often hear discussed in just about any forum. Assume, for a moment, that AS65000 advertises some route, say 192.0.2.0/24, to AS65001, and not to AS65002. For whatever reason, a few days pater, the […]
Author information
The post BGPSEC: Replays, Timers, and Performance appeared first on Packet Pushers Podcast and was written by Russ White.
That Spiegel NSA story is activist nonsense
Yet again activists demonstrate they are less honest than the NSA. Today, Der Spiegel has released more documents about the NSA. They largely confirm that the NSA is actually doing, in real-world situations, what we'ved suspected they can do. The text of the article describing these documents, however, wildly distorts what the documents show. A specific example is a discussion of something call "TUNDRA".It is difficult to figure out why TUNDRA is even mentioned in the story. It's cited to support some conclusion, but I'm not sure what that conclusion is. It appears the authors wanted to discuss the "conflict of interest" problem the NSA has, but had nothing new to support this, so just inserted something at random. They are exploiting the fact the average reader can't understand what's going on. In this post, I'm going to describe the context around this.
TUNDRA was a undergraduate student project, as the original document makes clear, not some super-secret government program into cryptography. The purpose of the program is to fund students and find recruits, not to create major new advances in cryptography.
It's given a code-name "TUNDRA" and the paragraph in the document is labeled "TOP SECRET". The Continue reading
How to integrate F5 BIG-IP VE with GNS3
I would like to start by saying Merry Christmas and Happy Holidays season to all. In between spending time with my family, decorating the Christmas three and opening presents, I did find some time to play around with my hobby and testing something in the lab.
Dear Leader’s Lesson in Confirmation Bias
Brian Krebs has a blogpost citing those who claim evidence of North Korea involvement in the massive Sony hack. He uses as an example the similarities between the Sony defacement and a South Korean defacement that was attributed to the North Koreans. He shows these two images side-by-side so that you can see that they are obvious similar.
However, they don't look similar at all. This is generally what all website defacements look like. Specifically, the common components among defacements in are:
- black background
- green, red, and white foreground
- "Hacked by" message
- WARNING banner
- Phrack-style headers (like ::: on either side of header)
- Powerful picture in center, often a skull
- Message that strokes the ego, often "we are legion" style
In the bottom of this post, I include a gallery of other defacement pictures, so that you can see that this is normal hacker underground culture.
There are certainly some similarities, such as the "we have all your data" message. But that's easily explained by the fact that the South Korean hack was widely popularized in the media, so it's easy to see how they would take this as inspiration. Or, it's just simply that if the goal of your Continue reading
Expiring The Internet
An article came out this week that really made me sigh. The title was “Six Aging Protocols That Could Cripple The Internet“. I dove right in, expecting to see how things like Finger were old and needed to be disabled and removed. Imagine my surprise when I saw things like BGP4 and SMTP on the list. I really tried not to smack my own forehead as I flipped through the slideshow of how the foundation of the Internet is old and is at risk of meltdown.
If It Ain’t Broke
Engineers love the old adage “If it ain’t broke, don’t fix it!”. We spend our careers planning and implementing. We also spend a lot of time not touching things afterwards in order to prevent it from collapsing in a big heap. Once something is put in place, it tends to stay that way until something necessitates a change.
BGP is a perfect example. The basics of BGP remain largely the same from when it was first implemented years ago. BGP4 has been in use since 1994 even though RFC 4271 didn’t officially formalize it until 2006. It remains a critical part of how the Continue reading
Ask a nerd
One should probably consult a lawyer on legal questions. Likewise, lawyers should probably consult nerds on technical questions. I point this out because of this crappy Lawfare post. It's on the right side of the debate (FBI's evidence pointing to North Korea is bad), but it's still crap.For example, it says: "One hears a lot in cybersecurity circles that the government has “solved” the attribution problem". That's not true, you hear the opposite among cybersecurity experts. I suspect he gets this wrong because he's not talking about technical experts, but government circles. What government types in Washington D.C. say about cybersecurity is wholly divorced from reality -- you really ought to consult technical people.
He then says: "it is at least possible that some other nation is spoofing a North Korean attack". This is moronic, accepting most of the FBI's premise that a nation state sponsored the attack, and that we are only looking for which nation state this might be. In reality, the Sony hack is well within the capabilities of teenagers. The evidence is solid that Sony had essentially no internal security -- it required no special sophistication by the hacker. Anybody Continue reading
Sony hack was the work of SPECTRE
The problem with hacking is that people try to understand it through analogies with things they understand. They try to fit new information into old stories/tropes they are familiar with. This doesn't work -- hacking needs to be understood in its own terms.But since you persist in doing it this way, let me use the trope of SPECTRE to explain the Sony hack. This is the evil criminal/terrosist organization in the James Bond films that is independent of all governments. Let's imagine that it's SPECTRE who is responsible for the Sony hack, and how that fits within the available evidence.
This trope adequately explains the FBI "evidence" pointing to North Korea. SPECTRE has done work for North Korea, selling them weapons, laundering their money, and conducting hacking for them. While North Korea is one of their many customers, they aren't controlled by North Korea.
The FBI evidence also points to Iran, with the Sony malware similar to that used in the massive Saudi Aramco hack. That would make sense, since an evil organization like SPECTRE does business with all the evil countries. Conversely, the Iranian connection doesn't make sense if the Sony hack were purely the work of the Continue reading
The FBI’s North Korea evidence is nonsense
The FBI has posted a press release describing why they think it's North Korea. While there may be more things we don't know, on its face it's complete nonsense. It sounds like they've decided on a conclusion and are trying to make the evidence fit. They don't use straight forward language, but confusing weasel words, like saying "North Korea actors" instead of simply "North Korea". They don't give details.The reason it's nonsense is that the hacker underground shares code. They share everything: tools, techniques, exploits, owned-systems, botnets, and infrastructure. Different groups even share members. It is implausible that North Korea would develop it's own malware from scratch.
Here's the thing with computer evidence: you don't need to keep it secret. It wouldn't harm Sony and wouldn't harm the investigation. It would help anti-virus and security vendors develop signatures to stop it. It would crowd source analysis, to see who it really points to. We don't need to take the FBI's word for it, we should be able to see the evidence ourselves. In other words, instead of saying "IP addresses associated with North Korea", then can tell us what those IP addresses are, like "203.131.222.102".
But Continue reading
I just bought a ticket for The Interview
Free speech is only partly a government issue ("1st Amendment"). Throughout the world, speech is chilled more by thugs than by police. It could be youth gangs beating up journalists like in Russia, or Islamists killing cartoonists and movie makers. Even in America, we increasingly have a culture that seeks to silence debate, rather than countering bad speech with more speech.
There is action we can take, and it's this: when some are threatened, they should not stand alone. They can't kill, beat up, or dox all of us when we are many. We should draw pictures of Mohamed. We should criticize the despotic rule of Putin. We should buy tickets to The Interview and brag about it online.
What they miss about Uber/Lyft pay
In this story, writer Timothy B. Lee (@binarybits) becomes a Lyft driver for a week. He focuses on the political questions, such as the controversially low pay. He makes the same mistakes that everyone else makes.Lyft (and Uber) pay can be low for the same reason McDonalds is open at midnight. In absolute terms, McDonalds loses money staying open late. But, when you take into account all the sunk costs for operating during the day, they would lose even more money by not remaining open late. In other words, staying open late is marginally better.
The same is true of Lyft/Uber drivers. I take Uber/UberX on a regular basis and always interview the drivers. Without exception, it's a side business.
This one time, my UberX driver was a college student. He spent his time between pickups studying. When calculating wait-time plus drive-time, he may have been earning minimum wage. However, when calculating just drive-time, he was earning a great wage for a student -- better than other jobs open to students.
Without exception, all the Uber black-car drivers have their own business. They have fixed contracts with companies to drive employees/clients. Or, they have more personal relationships with Continue reading
Notes on the CIA light-torture report
I'm reading through the Senate report on the CIA's light-torture program, and I came across this giggly bit:#10: The CIA coordinated the release of classified information to the media, including inaccurate information concerning the effectiveness of the CIA's enhanced interrogation techniques. The CIA's Office of Public Affairs and senior CIA officials coordinated to share classified information on the CIA's Detention and Interrogation Program to select members of the media to counter public criticism, shape public opinionOf course they did, but then so did the Senate committee itself. They've been selectively leaking bits of the report for over a year. Their description of the "CIA hacking" scandal was completely inaccurate.
Moreover, this Executive Summary wasn't simply published, but given to select people in the media beforehand in order to shape the message.
There's no doubt that the CIA's brutal treatment of prisoners is evil, a stain on the nation's honor, and something that should be prosecuted. But Senator Feinstein and her colleagues are as guilty of this as anybody else. This report is political garbage designed to shield Feinstein from the blame she shares.
All malware defeats 90% of defenses
When the FBI speaks, you can tell they don't know anything about hacking. An example of this quote by Joseph Demarest, the assistant director of the FBI’s cyberdivision:"The malware that was used would have slipped, probably would have gotten past 90% of the net defenses that are out there today in private industry, and I would challenge to even say government”
He's trying to show how sophisticated, organized, and unprecedented the hackers were.
This is nonsense. All malware defeats 90% of defenses. Hackers need do nothing terribly sophisticated in order to do what they did to Sony.
Take, for example, a pentest we did of a Fortune 500 financial firm. We had some USB drives made with the logo of the corporation we were pen-testing. We grabbed a flash game off the Internet, changed the graphics so that they were punching the logo of their main competitor, and put text in the Final Score screen suggesting "email this to your friends and see what they get". We then added some malware components to it. We then dropped the USB drives in the parking lot.
This gave us everything in the company as people passed the game around. The CEO and Continue reading
Are SDN Controllers a Security Risk ?
No. When compared to the operation of existing networks, SDN is much more secure.
The post Are SDN Controllers a Security Risk ? appeared first on EtherealMind.
BGPSEC: Protections Offered
In my last post on the subject of BGPSEC, I explained the basic operation of the modifications to BGP itself. In this post, I’ll begin looking at some of the properties — both good and bad — of these extensions to BGP. To being, we’ll look at the simple network illustrated here, and see what […]
Author information
The post BGPSEC: Protections Offered appeared first on Packet Pushers Podcast and was written by Russ White.