Archive

Category Archives for "Security"

No, the CIA didn’t spy on other computers

The computer's the CIA spied on were owned and operated by the CIA.

I thought I'd mention this detail that is usually missing from today's news about the CIA spying on Senate staffers. The Senate staffers were investigating the CIA's torture program, reviewing classified documents. The CIA didn't trust the staffers, so they setup a special computer network just for the staffers to use -- a network secured and run by the CIA itself.

The CIA, though, spied on what the staffers did on the system. This allowed the CIA to manipulate investigation. When the staffers found some particularly juicy bit of information, the CIA was able to yank it from the system and re-classify it so that the staffers couldn't use it. Before the final report was ready, the CIA was already able to set the political machine in motion to defend itself from the report.

Thus, what the CIA did was clearly corrupt and wrong. It's just that it isn't what most people understand when they read today's headlines. It wasn't a case of the CIA hacking into other people's computers.

Many stories quote CIA director Brennan who said earlier this year:
I think a lot of people Continue reading

A Customer Perspective: VMware NSX, Micro-Segmentation & Next-Generation Security

VMware NSX and Palo Alto Networks are transforming the data center by combining the Columbia-S12_WTR_MGHI_564fast provisioning of network and security services with next-generation security protection for East-West traffic. At VMworld, John Spiegel, Global IS Communications Manager for Columbia Sportswear will take the stage to discuss their architecture, their micro-segmentation use case and their experience. This is session SEC1977 taking place on Tuesday, Aug 26, 2:30-3:30 p.m.

Micro-segmentation is quickly emerging as one of the primary drivers for the adoption of NSX. Below, John shares Columbia’s security journey ahead of VMworld

+++++++++++++++++++++++++++++++++++++++

When I started at Columbia, we were about a $500 million company. Now we’re closing in on $2 billion and hoping to get to $3 billion rather quickly. So as you can imagine, our IT infrastructure has to scale with the business. In 2009, we embarked on a huge project to add a redundant data center for disaster recovery. As part of the project, we partnered with VMware and quickly created a nearly 100% virtualized datacenter.  It was a huge success. But something was missing; a security solution that matched our virtualized data center. There just wasn’t a great way to insert security in order to Continue reading

Cliché: open-source is secure

Some in cybersec keep claiming that open-source is inherently more secure or trustworthy than closed-source. This is demonstrably false.

Firstly, there is the problem of usability. Unusable crypto isn't a valid option for most users. Most would rather just not communicate at all, or risk going to jail, rather than deal with the typical dependency hell of trying to get open-source to compile. Moreover, open-source apps are notoriously user-hostile, which is why the Linux desktop still hasn't made headway against Windows or Macintosh. The reason is that developers blame users for being stupid for not appreciating how easy their apps are, whereas Microsoft and Apple spend $billions in usability studies actually listening to users. Desktops like Ubuntu are pretty good -- but only when they exactly copy Windows/Macintosh. Ubuntu still doesn't invest in the usability studies that Microsoft/Apple do.

The second problem is deterministic builds. If I want to install an app on my iPhone or Android, the only usable way is through their app stores. This means downloading the binary, not the source. Without deterministic builds, there is no way to verify the downloaded binary matches the public source. The binary may, in fact, be compiled from different source Continue reading

Everything can be a bomb

This last week, pranksters replaced the US flag on top the Brooklyn Bridge with a white-flag. Nobody knows who or why. Many in the press have linked this to terrorism, pointing out that it could've been a bomb. Not only local New York newspapers have said this, but also CNN.

Such irrational fears demonstrate how deeply we've fallen for police-state fears, where every action is perceived as a potential terrorist threat.

It could've been a bomb, of course. But what could also have been a bomb is a van full of C4 explosives driven across the bridge. There are no checkpoints at either end inspecting vehicles with bomb sniffing dogs. What also could've been a bomb is a ship full of fertilizer that, when ignited, would act as a small nuke. The point is that everything can be a bomb. Instead of using this as justification for an ever increasing police-state, we just need to accept this and live with the danger -- because this danger is, in the end, tiny. A thousand 9/11 events would still not equal cancer, for example.

I mention this because the former 9/11 commission released a new report yesterday stoking the fears of cyber-terrorism, Continue reading

Um, talks are frequently canceled at hacker cons

Talks are frequently canceled at hacker conventions. It's the norm. I had to cancel once because, on the flight into Vegas, a part fell off the plane forcing an emergency landing. Last weekend, I filled in at HopeX with a talk, replacing somebody else who had to cancel.

I point this out because of this stories like this one hyping the canceled Tor talk at BlackHat. It's titled says the talk was "Suddenly Canceled". The adverb "suddenly" is clearly an attempt to hype the story, since there is no way to slowly cancel a talk.

The researchers are academics at Carnegie-Mellon University (CMU). There are good reasons why CMU might have to cancel the talk. The leading theory is that it might violate prohibitions against experiments on unwilling human subjects. There also may be violations of wiretap laws. In other words, the most plausible reasons why CMU might cancel the talk have nothing to do with trying to suppress research.

Suppressing research, because somebody powerful doesn't want it to be published, is the only reason cancelations are important. It's why the Boston MTA talk was canceled, because they didn't want it revealed how to hack transit cards. It's why the Continue reading

More fun with #TSA

That's Julian in the center waving at me to stop taking pictures.
That's Michael faced away on his right
Coming back through JFK, my bag was stopped in the x-ray. The examiner shouted "bag checked", and sat and waited. And waited. Nobody came. Finally, he shunted it aside to the special bag check area. Where it sat, and sat.

There was as TSA agent standing around doing nothing, except flirting with a cute passenger standing right next to me bag. Finally, I pointed out that my bag needed to be checked, at which point he talked to the x-ray examiner, pulled it out, and checked it (I had a spray can of foot powder I bought because omg I wore my workout shoes that stink to the convention).

So, of course, I asked to see his badge, which was turned away from me, and to talk to his manager. He refused to even tell me his name, but he did get the supervisor, who confirmed his name was "Michael Vails". The manager was quite rude, looking at me in disbelief as I pointed out the guy was standing around flirting with girls instead of checking my bag. He wouldn't let Continue reading

Omg Hotel Pennsylvania sucks

Customer service is a tradeoff you get with price, thus I'm not terribly offended by things such as that recent terrible Comcast support call. If you don't want shitty service/product, then pay more. Often simply paying 10% more yields something vastly better.

The only problem is finding those "deals".

I'm at the HopeX conference, so to make life easier, I decided to stay at the venue, the Hotel Pennsylvania. Since it's a late booking, the price was $199 a night for an "upgraded" room. The room was horrible. It was tiny, the walls in the bathroom were crumbling as the damp seeped into the concrete, the furniture was scraped and dented, and the room's one tiny window looked out onto other rooms only 20 feet away. I could bear all that -- but the "non-smoking" room stank of smoke to the point that I couldn't fall asleep. So at 1:30am I gave up and checked out.

I went two (short) blocks down to the Hotel Affinia, which cases $224 for a room that's twice the size and "upscale": everything is nice new and pretty, and this non-smoking room doesn't smell a bit like smoke. It doesn't even smell like the Continue reading

EFF lies about NetNeutrality

The EFF has completely and thoroughly repudiated JP Barlow's "Declaration of Independence of Cyberspace", such as in this tweet:




This tweet is lie. Congress can't "kill Net Neutrality" because Net Neutrality doesn't currently exist. Net Neutrality proponents don't want to maintain the status quo, but radically change the Internet, converting it from the private network it is now into a public utility, regulated by the government.

What the left-wing populists tell you about Net Neutrality is a lie. Corporations aren't doing the evil things they claim. There is no technical idea behind it like "end-to-end". Net Neutrality is just the political belief that corporations are inherently evil and that the government must run the Internet.

Internet "fast lanes" are not a bad thing. They already exist, and the Internet can't function without them. Sniff your home traffic and then traceroute every IP address your system communicates with. You'll find that 90% of you home traffic goes to a server in your local city. That's because most websites use a fast lane to the Continue reading

JTRIG weekend projects

The Intercept has released a page of JTRIG tools and techniques. I thought I'd comment on them.

Largely, this is a long list of small projects. Few of these projects require more than a couple lines of code, or would take an average hacker more than a weekend to accomplish.

For example, there is CHANGELING, which says "Ability to spoof any email address and send email under that identity". That's the sort of thing you'd ask as an interview question for a cybersec company. You'd expect the candidate to produce this in 20 minutes.

Some sound like big projects, but they are in fact just leveraging existing large open-source projects. A tiny amount of scripting on top of a project like OpenBTS would deliver big, scary results, such as fuzzing GSM.

I point this out because people have the misapprehension that the intelligence services have advanced "cyber-weapons". That's not true. Instead, what's going on is like Rambo stuck in a jungle with only a knife, who can fashion anything into a weapon, from twigs to rocks. That's what you see going on here: given the existing base of open-source (and closed-source) code, cyber-warriors fashion new tools with a little bit Continue reading

Upcoming speaking schedule

I've an unusually dense talk schedule over the next month. Please ask questions at end of talk. Also ambush me afterward and ask more questions.


HopeX:
Sunday July 20, 2:00pm, Olson room
Technology walkthrough of XKeyScore and how to jam it


PasswordsCon 2014:
Wednesday August 6, 12:10pm Track 1
Overview of password hashes in network protocols


DEF CON 22:
Saturday August 9, 10:00am, Track 3
Masscan


DEF CON 22:
Friday August 8, 2:00pm, Track 2
Panel. I'm being this for several years, I still don't know what it is



NSA: walk a mile in their shoes

While this is mostly a technical blog, our most popular posts deal with cyber-rights, supporting Snowden, Weev, and Swartz. Yet sometimes I appear to defend the NSA. People ask me why, so I thought I’d write up a response.

Most American schools force students to read the book To Kill a Mockingbird. It’s a great book for many reasons. Most people think it’s about racism, but it’s not – it’s about bigotry. Racism is just one of the forms of bigotry found in the book. The full message, repeated several times, is that we should get along with others by trying to understand their point of view.

Our society is improving with regards to racism, but other forms of bigotry are alive and well. Webster’s defines bigotry as: “obstinate and unreasoning attachment of one's own belief and opinions, with narrow-minded intolerance of beliefs opposed to them”. Our society praises such bigotry. Tolerance and understanding of other opinions is condemned.

People like Glenn Greenwald, Jacob Appelbaum, and others in the ‘activist’ movement are extreme bigots. There is good reason to oppose the NSA and its leaders who have egregiously mislead the public. Yet, this is still not justification for Continue reading

An introduction to Zero Trust virtualization-centric security

This post will be the first in a series that examine what I think are some of the powerful security capabilities of the VMware NSX platform and the implications to the data center network architecture. In this post we’ll look at the concepts of Zero Trust (as opposed to Trust Zones), and virtualization-centric grouping (as opposed to network-centric grouping).

Note: Zero Trust as a guiding principle to enterprise wide security is inspired by Forrester’s “Zero Trust Network Architecture”.

What are we trying to accomplish?

We want to be able to secure all traffic in the data center without compromise to performance (user experience) or introducing unmanageable complexity. Most notably the proliferation of East-West traffic; we want to secure traffic between any two VMs, or between any VM and physical host, with the best possible security controls and visibility – per flow, per packet, stateful inspection with policy actions, and detailed logging – in a way that’s both economical to obtain and practical to deploy.

Trust Zones of Insecurity

Until now, it hasn’t been possible (much less economically feasible or even practical) to directly connect every virtual machine to its own port on a firewall. Because of this, the Continue reading

An introduction to Zero Trust virtualization-centric security

This post will be the first in a series that examine what I think are some of the powerful security capabilities of the VMware NSX platform and the implications to the data center network architecture. In this post we’ll look at the concepts of Zero Trust (as opposed to Trust Zones), and virtualization-centric grouping (as opposed to network-centric grouping).

Note: Zero Trust as a guiding principle to enterprise wide security is inspired by Forrester’s “Zero Trust Network Architecture”.

What are we trying to accomplish?

We want to be able to secure all traffic in the data center without compromise to performance (user experience) or introducing unmanageable complexity. Most notably the proliferation of East-West traffic; we want to secure traffic between any two VMs, or between any VM and physical host, with the best possible security controls and visibility – per flow, per packet, stateful inspection with policy actions, and detailed logging – in a way that’s both economical to obtain and practical to deploy.

Trust Zones of Insecurity

Until now, it hasn’t been possible (much less economically feasible or even practical) to directly connect every virtual machine to its own port on a firewall. Because of this, the Continue reading

An introduction to Zero Trust virtualization-centric security

This post will be the first in a series that examine what I think are some of the powerful security capabilities of the VMware NSX platform and the implications to the data center network architecture. In this post we’ll look at the concepts of Zero Trust (as opposed to Trust Zones), and virtualization-centric grouping (as opposed to network-centric grouping).

Note: Zero Trust as a guiding principle to enterprise wide security is inspired by Forrester’s “Zero Trust Network Architecture”.

What are we trying to accomplish?

We want to be able to secure all traffic in the data center without compromise to performance (user experience) or introducing unmanageable complexity. Most notably the proliferation of East-West traffic; we want to secure traffic between any two VMs, or between any VM and physical host, with the best possible security controls and visibility – per flow, per packet, stateful inspection with policy actions, and detailed logging – in a way that’s both economical to obtain and practical to deploy.

Trust Zones of Insecurity

Until now, it hasn’t been possible (much less economically feasible or even practical) to directly connect every virtual machine to its own port on a firewall. Because of this, the Continue reading

“Fun” with RFC4620 Section 6.4 and discovering IPv4 information over IPv6

As part of a request at work to figure out IPv4 addresses of devices on a network where broadcast pings don’t work, and no administrative access to the switches/routers, I took a look at solving this with IPv6. We know that you can ping6 the all-nodes multicast address, and get DUP! replies from IPv6 enabled hosts on that LAN segment. These will typically be link-local addresses, from which you can determine a MAC address. How to resolve that MAC address on a client host and not the router/switch, I was thinking reverse ARP or something, but support for that wasn’t present in my Ubuntu 13.10 kernel on the main machine I was working with. I started looking around for other options using IPv6 and found RFC4620, Section 6.4.

The gist of it is that you send an ICMPv6 Type 139 packet to an IPv6 address, asking if it has any IPv4 addresses configured either on that interface the target address is on, or any interfaces on the machine itself. And this is why this is disabled by default on hosts, and *IF* you insist on filtering ICMP6 Types, definitely make certain this is one of them. It works Continue reading

Healthy Paranoia Show 15: The Dudes of REN-ISAC

It’s the latest dudilicious episode of Healthy Paranoia! This time we’ll be covering the topic of information sharing and analysis centers (ISAC), specifically in the research and educational networking sector, aka REN-ISAC. Joining Mrs. Y on this adventure into the land of dudeness is Wes Young, REN-ISAC Principal Security Engineer and Architect (El Duderino), Keith […]

Author information

Mrs. Y

Snarkitecht at Island of Misfit Toys

Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.

The post Healthy Paranoia Show 15: The Dudes of REN-ISAC appeared first on Packet Pushers Podcast and was written by Mrs. Y.

Network Security and the N00b Meter

This morning I read an article in which the writer thought that wireless security was too inconvenient and difficult, so he simply disabled it, leaving his network wide open. He was tired of his complex password being too hard for guests to use and made the comparison that they didn’t have to use these kinds […]

Author information

Mrs. Y

Snarkitecht at Island of Misfit Toys

Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.

The post Network Security and the N00b Meter appeared first on Packet Pushers Podcast and was written by Mrs. Y.

Snowden Media Douchebaggery

Recently the New York Times posted an article stating that while Edward Snowden was at the NSA, he learned to be a hacker by taking a CEH course and getting the certification. But the certification, listed on a résumé that Mr. Snowden later prepared, would also have given him some of the skills he needed […]

Author information

Mrs. Y

Snarkitecht at Island of Misfit Toys

Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.

The post Snowden Media Douchebaggery appeared first on Packet Pushers Podcast and was written by Mrs. Y.

Cisco ASA Virtualization with Mixed-Mode Security Contexts

The Cisco ASA firewall has supported multiple security contexts since version 7 was released in 2005. This feature allows you to configure multiple independent logical firewalls in the same ASA hardware.  When version 8.5(1) released in July 2011, support was added for mixed mode firewalls in which both routed and transparent contexts can reside on […]

Author information

Eyvonne Sharp

Eyvonne Sharp

Eyvonne Sharp is a senior network engineer for a large healthcare enterprise where her focus is security and data center architecture. Before working in the enterprise, she spent 10 years working for small VARs and integrators in the SMB space. Eyvonne blogs at esharp.net and you can connect with her on twitter @SharpNetwork

The post Cisco ASA Virtualization with Mixed-Mode Security Contexts appeared first on Packet Pushers Podcast and was written by Eyvonne Sharp.

Healthy Paranoia Show 14: Digital Forensics and Incident Response with Andrew Case

Get ready for another nerdilicious episode of Healthy Paranoia featuring Andrew Case, digital forensics researcher and a core developer for the Volatility Framework. Liam Randall joins Mrs. Y. as they discuss topics such as: The difference between forensics and incident response. Malware analysis vs. reverse engineering. Why you should treat a compromised system like a […]

Author information

Mrs. Y

Snarkitecht at Island of Misfit Toys

Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.

The post Healthy Paranoia Show 14: Digital Forensics and Incident Response with Andrew Case appeared first on Packet Pushers Podcast and was written by Mrs. Y.