The Hedge 82: Jared Smith and Route Poisoning
Intentionally poisoning BGP routes in the Default-Free Zone (DFZ) would always be a bad thing, right? Actually, this is a fairly common method to steer traffic flows away from and through specific autonomous systems. How does this work, how common is it, and who does this? Jared Smith joins us on this episode of the Hedge to discuss the technique, and his research into how frequently it is used.
Response: The Instagram ads Facebook won’t show you
Facebook is corporate IT security risk.
VMware Debuts A SASE Distributed Work Conglomeration Called Anywhere Workspace
VMware has announced the Anywhere Workspace. Designed to help control access to premises and cloud apps, and enforce security policies regardless of where an employee may be working, Anywhere Workspace is an assemblage of several existing products in VMware’s portfolio: endpoint management for laptops and smartphones, access control, endpoint security, and cloud-based security services. The […]
The post VMware Debuts A SASE Distributed Work Conglomeration Called Anywhere Workspace appeared first on Packet Pushers.
Anatomy of how you get pwned
Today, somebody had a problem: they kept seeing a popup on their screen, and obvious scam trying to sell them McAfee anti-virus. Where was this coming from?
In this blogpost, I follow this rabbit hole on down. It starts with "search engine optimization" links and leads to an entire industry of tricks, scams, exploiting popups, trying to infect your machine with viruses, and stealing emails or credit card numbers.
Evidence of the attack first appeared with occasional popups like the following. The popup isn't part of any webpage.
This is obviously a trick. But from where? How did it "get on the machine"?
There's lots of possible answers. But the most obvious answer (to most people), that your machine is infected with a virus, is likely wrong. Viruses are generally silent, doing evil things in the background. When you see something like this, you aren't infected ... yet.
Instead, things popping with warnings is almost entirely due to evil websites. But that's confusing, since this popup doesn't appear within a web page. It's off to one side of the screen, nowhere near the web browser.
Moreover, we spent some time diagnosing this. We restarted the webbrowser in "troubleshooting mode" with all Continue reading
If you haven’t found the tradeoffs …
One of the big movements in the networking world is disaggregation—splitting the control plane and other applications that make the network “go” from the hardware and the network operating system. This is, in fact, one of the movements I’ve been arguing in favor of for many years—and I’m not about to change my perspective on the topic. There are many different arguments in favor of breaking the software from the hardware. The arguments for splitting hardware from software and componentizing software are so strong that much of the 5G transition also involves the open RAN, which is a disaggregated stack for edge radio networks.
If you’ve been following my work for any amount of time, you know what comes next: If you haven’t found the tradeoffs, you haven’t looked hard enough.
This article on hardening Linux (you should go read it, I’ll wait ’til you get back) exposes some of the complexities and tradeoffs involved in disaggregation in the area of security. Some further thoughts on hardening Linux here, as well. Two points.
First, disaggregation has serious advantages, but disaggregation is also hard work. With a commercial implementation you wouldn’t necessarily think about these kinds of supply chain issues. Continue reading
Ethics: University of Minnesota’s hostile patches
The University of Minnesota (UMN) got into trouble this week for doing a study where they have submitted deliberately vulnerable patches into open-source projects, in order to test whether hostile actors can do this to hack things. After a UMN researcher submitted a crappy patch to the Linux Kernel, kernel maintainers decided to rip out all recent UMN patches.
Both things can be true:
- Their study was an important contribution to the field of cybersecurity.
- Their study was unethical.
It's like Nazi medical research on victims in concentration camps, or U.S. military research on unwitting soldiers. The research can simultaneously be wildly unethical but at the same time produce useful knowledge.
I'd agree that their paper is useful. I would not be able to immediately recognize their patches as adding a vulnerability -- and I'm an expert at such things.
In addition, the sorts of bugs it exploits shows a way forward in the evolution of programming languages. It's not clear that a "safe" language like Rust would be the answer. Linux kernel programming requires tracking resources in ways that Rust would consider inherently "unsafe". Instead, the C language needs to evolve with better safety features and better static Continue reading
Cloudflare obtains new ISO/IEC 27701:2019 privacy certification and what that means for you
This post is also available in French and German.
Cloudflare is one of the first organisations in our industry to have achieved ISO/IEC 27701:2019 certification, and the first web performance & security company to be certified to the new ISO privacy standard as both a data processor and controller.
Providing transparency into our privacy practices has always been a priority for us. We think it is important that we do more than talk about our commitment to privacy — we are continually looking for ways to demonstrate that commitment. For example, after we launched the Internet's fastest, privacy-first public DNS resolver, 1.1.1.1, we didn’t just publish our commitments to our public resolver users, we engaged an independent firm to make sure we were meeting our commitments, and we blogged about it, publishing their report.
Following in that tradition, today we’re excited to announce that Cloudflare has been certified to a new international privacy standard for protecting and managing the processing of personal data — ISO/IEC 27701:2019. The standard is designed such that the requirements organizations must meet to become certified are very closely aligned to the requirements in the EU’s General Data Protection Regulation (“GDPR”). So Continue reading
DDoS attack trends for 2021 Q1
Last week was Developer Week at Cloudflare. During that week, our teams released a bunch of cool new products, including a bunch of improvements to Workers. And it's not just our customers that love deploying apps with Workers, but also our engineering teams. Workers is also what powers our Internet traffic and attack trends on Cloudflare Radar. Today, along with this deep-dive analysis blog, we’re excited to announce the new Radar DDoS Report page, our first fully automated data notebook built on top of Jupyter, Clickhouse, and Workers.
Last month, we introduced our autonomous edge DDoS (Distributed Denial of Service) protection system and explained how it is able to drop attacks at wire speed without impacting performance. It runs in our networks’ edge, analyzes traffic asynchronously to avoid impacting performance, and pushes mitigation rules in-line immediately once attacks are detected. All of this is done autonomously, i.e., without requiring centralized consensus.
Today, we’d like to share the latest DDoS insights and trends that are based on attacks that our system mitigated during the first quarter of 2021. When we analyze attacks, we calculate the “DDoS activity” rate, which is the percent of attack traffic out of Continue reading
First look: new O’Reilly eBook on Kubernetes security and observability *early release chapters*
We are excited to announce the early release of a new O’Reilly eBook on Kubernetes security and observability!
This practical book introduces new cloud-native approaches for Kubernetes practitioners who care about the security and observability of mission-critical microservices. Through practical guidance and best practice recommendations, this book helps you understand why cloud-native applications require a modern approach to security and observability practices and how to implement them.
You should read this book if you want to:
- learn why you need a security and observability strategy for cloud-native applications, and determine your scope of coverage;
- understand key concepts behind Kubernetes’s security and observability approach;
- discover how to split security responsibilities across multiple teams or roles; and/or
- learn how to architect Kubernetes security and observability for multi-cloud and hybrid environments.
Whether you want to know how to secure and troubleshoot your cloud-native applications, or are exploring Kubernetes for your organization and would like to solve security and observability challenges before making a decision, you will find that this book provides valuable insight.
Get your early release copy here!
The post First look: new O’Reilly eBook on Kubernetes security and observability *early release chapters* appeared first on Tigera.
Calico Cloud now available on AWS Marketplace
We are pleased to announce that Calico Cloud, our software as a service (SaaS) for Kubernetes security and observability, is now available on AWS Marketplace! AWS users can now use Kubernetes security and observability as services along with managed Kubernetes services, all with a single click. For more information, see our official press release.
Can’t wait to jump right in? Subscribe and deploy Calico Cloud on AWS Marketplace here.
The post Calico Cloud now available on AWS Marketplace appeared first on Tigera.
Loose Lips
When I was in the military we were constantly drilled about the problem of Essential Elements of Friendly Information, or EEFIs. What are EEFis? If an adversary can cast a wide net of surveillance, they can often find multiple clues about what you are planning to do, or who is making which decisions. For instance, if several people married to military members all make plans to be without their spouses for a long period of time, the adversary can be certain a unit is about to be deployed. If the unit of each member can be determined, then the strength, positioning, and other facts about what action you are taking can be guessed.
Given enough broad information, an adversary can often guess at details that you really do not want them to know.
What brings all of this to mind is a recent article in Dark Reading about how attackers take advantage of publicly available information to form Spear Phishing attacks—
Going back further Continue reading
Dynamic URL Rewriting at the edge with Cloudflare
URLs are ugly. They are hard to read, difficult to memorise and often auto-generated for the benefit of the origin server - not the user.
Today we are announcing the immediate availability of Transform Rules for all Cloudflare plans. Transform Rules provide Cloudflare administrators with the ability to create URL rewrite rules. These rules transform HTTP requests as they flow through Cloudflare providing an interpretation layer between the human friendly and the computer friendly.
Ease of understanding
Imagine you are going on a much needed around-the-world trip and want to buy a copy of John Graham-Cumming’s book The Geek Atlas: 128 Places Where Science and Technology Come Alive to use as inspiration. Would the link https://www.travelbooks247.com/dp/0596523203/ make sense to you? Chances are the answer is no. It's hard for humans to understand these complex, contextless URLs.
This is why companies instead provide user friendly alternatives such as: https://www.travelbooks247.com/Geek-Atlas-Places-Science-Technology/dp/0596523203/ and use web servers as the interpreter. This interpretation is known as URL rewriting.
Large ecommerce retailers take HTTP requests to these human-friendly URLs and rewrite them using a simple pattern that strips the content Geek-Atlas-Places-Science-Technology/ before sending the HTTP request to the backend. The human readable hyperlink Continue reading
Claim: You Don’t Have to Be a Networking Expert to Do Kubernetes Network Security
I was listening to an excellent container networking podcast and enjoyed it thoroughly until the guest said something along the lines of:
With Kubernetes networking policy, you no longer have to be a networking expert to do container network security.
That’s not even wrong. You didn’t have to be a networking expert to write traffic filtering rules for ages.
Claim: You Don’t Have to Be a Networking Expert to Do Kubernetes Network Security
I was listening to an excellent container networking podcast and enjoyed it thoroughly until the guest said something along the lines of:
With Kubernetes networking policy, you no longer have to be a networking expert to do container network security.
That’s not even wrong. You didn’t have to be a networking expert to write traffic filtering rules for ages.
Cloudflare’s WAF is recognized as customers’ choice for 2021
The team at Cloudflare building our Web Application Firewall (WAF) has continued to innovate over the past year. Today, we received public recognition of our work.
The ease of use, scale, and innovative controls provided by the Cloudflare WAF has translated into positive customer reviews, earning us the Gartner Peer Insights Customers' Choice Distinction for WAF for 2021. You can download a complimentary copy of the report here.
Gartner Peer Insights Customers’ Choice distinctions recognize vendors and products that are highly rated by their customers. The data collected represents a top-level synthesis of vendor software products most valued by IT Enterprise professionals.
The positive feedback we have received is consistent and leads back to Cloudflare’s product principles. Customers find that Cloudflare’s WAF is:
- “An excellent hosted WAF, and a company that acts more like a partner than a vendor” — Principal Site Reliability Architect in the Services Industry [Full Review];
- “A straightforward yet highly effective WAF solution” — VP in the Finance Industry [Full Review];
- “Easy and Powerful with Outstanding Support” — VP Technology in the Retail Industry [Full Review];
- “Secure, Intuitive and a Delight for web security and accelerations” — Sr Director-Technical Product Continue reading
End User Security: Account Takeover Protections with Cloudflare
End user account security is always a top priority, but a hard problem to solve. To make matters worse, authenticating users is hard. With datasets of breached credentials becoming commonplace, and more advanced bots crawling the web attempting credential stuffing attacks, protecting and monitoring authentication endpoints becomes a challenge for security focused teams. On top of this, many authentication endpoints still rely just on providing a correct username and password making undetected credential stuffing lead to account takeover by malicious actors.
Many features of the Cloudflare platform can help with implementing account takeover protections. In this post we will go over several examples as well as announce a number of new features. These include:
- Open Proxy managed list (NEW): ensure authentication attempts to your app are not coming from proxy services;
- Super Bot Fight Mode (NEW): keep automated traffic away from your authentication endpoints;
- Exposed Credential Checks (NEW): get a warning whenever a user is logging in with compromised credentials. This can be used to initiate a two factor authentication flow or password reset;
- Cloudflare Access: add an additional authentication layer by easily integrating with third party OATH services, soon with optional enforcement of managed devices (NEW);
- Rate Limiting Continue reading
The Insecurity of Ambiguous Standards
Why are networks so insecure?
One reason is we don’t take network security seriously. We just don’t think of the network as a serious target of attack. Or we think of security as a problem “over there,” something that exists in the application realm, that needs to be solved by application developers. Or we think the consequences of a network security breach as “well, they can DDoS us, and then we can figure out how to move load around, so if we build with resilience (enough redundancy) we’re already taking care of our security issues.” Or we put our trust in the firewall, which sits there like some magic box solving all our problems.
The problem is–none of this is true. In any system where overall security is important, defense-in-depth is the key to building a secure system. No single part of the system bears the “primary responsibility” for “security.” The network is certainly a part of any defense-in-depth scheme that is going to work.
Which means network protocols need to be secure, at least in some sense, as well. I don’t mean “secure” in the sense of privacy—routes are not (generally) personally identifiable information (there are always Continue reading
A quick FAQ about NFTs
I thought I'd write up 4 technical questions about NFTs. They may not be the ones you ask, but they are the ones you should be asking. The questions:
- What does the token look like?
- How does it contain the artwork? (or, where is the artwork contained?)
- How are tokens traded? (How do they get paid? How do they get from one account to another?)
- What does the link from token to artwork mean? Does it give copyrights?
I'm going to use 4 sample tokens that have been sold for outrageous prices as examples.
#1 What does the token look like?
An NFT token has a unique number, analogous to:
- your social security number (SSN#)
- your credit card number
- the VIN# on your car
- the serial number on a dollar bill
- etc.
This unique number is composed of two things:
- the contract number, identifying the contract that manages the token
- the unique token identifier within that contract
Here are some example tokens, listing the contract number (the long string) and token ID (short number), as well as a link to a story on how much it sold for recently.