0

Yes, we can validate leaked emails

When emails leak, we can know whether they are authenticate or forged. It's the first question we should ask of today's leak of emails of Hunter Biden. It has a definitive answer.

Today's emails have "cryptographic signatures" inside the metadata. Such signatures have been common for the past decade as one way of controlling spam, to verify the sender is who they claim to be. These signatures verify not only the sender, but also that the contents have not been altered. In other words, it authenticates the document, who sent it, and when it was sent.

Crypto works. The only way to bypass these signatures is to hack into the servers. In other words, when we see a 6 year old message with a valid Gmail signature, we know either (a) it's valid or (b) they hacked into Gmail to steal the signing key. Since (b) is extremely unlikely, and if they could hack Google, they could a ton more important stuff with the information, we have to assume (a).

Your email client normally hides this metadata from you, because it's boring and humans rarely want to see it. But it's still there in the original email document. An email Continue reading

0

Evolution of Excel 4.0 Macro Weaponization – Continued

Introduction 

The evolution of the Excel 4.0 (XL4) macro malware proceeds apace, with new variations and techniques regularly introduced. To understand the threat landscape, the VMware NSBU Threat Analysis Unit extended its previous research on XL4 macro malware (see the previous blog) to analyze new trends and techniques.  

Against analysis engines, the new samples have some novel evasion techniques, and they perform attacks more reliably. These variants were observed in June and July. Figure 1 depicts the Excel 4.0 macro malware wave.  

Broadly, the samples can be categorized into three clusters. Based on the variation of the samples in these three clusters, the weaponized documents can be grouped into multiple variants. 

Cluster 1: Relative Reference   

The samples in this cluster appeared in the month of June. They use FORMULA.FILL for obfuscation and to move the payload around the sheet. The formula uses relative references to access values stored in the sheet. There are variations in this category; Continue reading

0

Underhanded Code and Automation

So, software is eating the world—and you thought this was going to make things simpler, right? If you haven’t found the tradeoffs, you haven’t looked hard enough. I should trademark that or something! While a lot of folks are thinking about code quality and supply chain are common concerns, there are a lot of little “side trails” organizations do not tend to think about. One such was recently covered in a paper on underhanded code, which is code designed to pass a standard review which be used to harm the system later on. For instance, you might see at some spot—

if (buffer_size=REALLYLONGDECLAREDVARIABLENAMEHERE) {
/* do some stuff here */
} /* end of if */

Can you spot what the problem might be? In C, the = is different than the ==. Which should it really be here? Even astute reviewers can easily miss this kind of detail—not least because it could be an intentional construction. Using a strongly typed language can help prevent this kind of thing, like Rust (listen to this episode of the Hedge for more information on Rust), but nothing beats having really good code formatting rules, even if they are apparently arbitrary, for catching Continue reading

0

Factcheck: Regeneron’s use of embryonic stem cells

This week, Trump's opponents misunderstood a Regeneron press release to conclude that the REG-COV2 treatment (which may have saved his life) was created from stem cells. When that was proven false, his opponents nonetheless deliberately misinterpreted events to conclude there was still an ethical paradox. I've read the scientific papers and it seems like this is an issue that can be understood with basic high-school science, so I thought I'd write up a detailed discussion.

The short answer is this:

• The drug is not manufactured in any way from human embryonic tissues.
• The drug was tested using fetal/embryonic cells, but ones almost 50 years old, not new ones.
• Republicans want to stop using new embryos, the ethical issue here is the continued use of old embryos, which Republican have consistently agreed to.
• Yes, the drug is still tainted by the "embryonic stem cell" issue -- just not in any of the ways that people claim it is, and not in a way that makes Republicans inconsistent.
• Almost all medical advances of the last few decades are similarly tainted.

0

Closing security gaps and eliminating blind spots in the data center: a software-based approach to securing east-west traffic

It’s no secret that traditional firewalls are ill–suited to securing east-west traffic. They’re static, inflexible, and require hair-pinning traffic around the data center. Traditional firewalls have no understanding of application context, resulting in rigid, static policies, and they don’t scale—so they’re unable to handle the massive workloads that make up modern data center traffic. As a result, many enterprises are forced to selectively secure workloads in the data center, creating gaps and blind spots in an organization’s security posture. 

 

A software-based approach to securing east-west traffic changes the dynamic. Instead of hair-pinning traffic, VMware NSX Service-defined Firewall (SDFW) applies security policies to all workloads inside the data center, regardless of the underlying infrastructure. This provides deep context into every single workload.  

 

Anyone interested in learning how the Service-defined Firewall can help them implement micro–segmentation and network segmentation, replace legacy physical hardware, or meet growing compliance needs and stop the lateral spread of threats, should check out the following sessions: 

 

Creating Virtual Security Zones with NSX Firewall Continue reading

0

Meet compliance requirements cost-efficiently by implementing East-West security at scale 

Compliance is more than a necessary evil. Sure, it’s complex, expensive, and largely driven by manual processes, but it’s also a business enabler. Without the ability to prove compliance, you wouldn’t be able to sell your products in certain markets or industries. But meeting compliance requirements can’t be cost-prohibitive: if the barriers are too high, it may not make business sense to target certain markets.  

 

The goal, of course, is to meet and prove compliance requirements in the data center in a simple, cost-effective way. With the intent to provide safety and maintain the privacy of customers, new government and industry regulations are becoming more robust, and many require organizations to implement East-West security through micro-segmentation or network segmentation inside the data center. Of course, this is easier said than done. Bandwidth and latency issues caused by hair–pinning traffic between physical appliances inhibit network segmentation and micro-segmentation at scale.  

 

VMware NSX applies a software-based approach to firewalling that delivers the simplicity and scalability necessary to secure East-West traffic. It does this with no blind spots or gaps in coverage— Continue reading

0

Intrinsic Security: Take security to the next level

The other guys will have you believe that more is better. You have a problem, just buy a solution and patch the hole. Security operations too siloed? Just cobble together some integrations and hope that everything works together. 

 

VMware thinks differently. We believe that “integrated” is just another word for “complexity.” And clearly, complexity is the enemy of security. 

 

Integrated security is bolted–on security. An example would be taking a hardware firewall and making it a blade in a data center switch. That’s what the other guys do. It makes it more convenient to deploy, but it doesn’t actually improve security. 

 

Security always performs better—and is easier to operate—when it’s designed–in as opposed to bolted–on. At VMware, we call this intrinsic security. When we think about security, being able to build it in means you can leverage the intrinsic attributes of the infrastructure. We are not trying to take existing security solutions and integrate them. We are re-imagining how security could work. 

 

Enterprises that want to learn how we’ve built security directly into Continue reading

0

Extend Your Fortinet FortiManager to Kubernetes

Companies are leveraging the power of Kubernetes to accelerate the delivery of resilient and scalable applications to meet the pace of business. These applications are highly dynamic, making it operationally challenging to securely connect to databases or other resources protected behind firewalls.

Visibility into Kubernetes Infrastructure is Essential

Lack of visibility has compliance implications. Like any on-premises or cloud-based networked services, Kubernetes production containers must address both organizational and regulatory security requirements. If compliance teams can’t trace the history of incidents across the entire infrastructure, they can’t adequately satisfy their audit requirements. To enable the successful transition of Kubernetes pilot projects to enterprise-wide application rollouts, companies must be able to extend their existing enterprise security architecture into the Kubernetes environment.

In response, Fortinet and Tigera jointly developed a suite of Calico Enterprise solutions for the Fortinet Security Fabric that deliver both north-south and east-west visibility and help ensure consistent control, security, and compliance. Key among these integrations is the FortiManager Calico Kubernetes Controller, which enables Kubernetes cluster management from the FortiManager centralized management platform in the Fortinet Fabric Management Center.

View and Control the Kubernetes Environment with FortiManager

The FortiManager Calico Kubernetes Controller translates FortiManager policies into granular Kubernetes network Continue reading

0

AppIQ – Unprecedented visibility that Aviatrix CoPilot brings

Earlier in my career, I worked as a Network Engineer in the high-frequency trading industry at a capital market exchange. It was the time when electronic trading was gaining heavy momentum as open outcry was receding. This was thanks mainly in part to vendors such as Arista who leveraged merchant silicon from Broadcom to lead … Continue reading AppIQ – Unprecedented visibility that Aviatrix CoPilot brings →

0

Introducing API Shield

APIs are the lifeblood of modern Internet-connected applications. Every millisecond they carry requests from mobile applications—place this food delivery order, “like” this picture—and directions to IoT devices—unlock the car door, start the wash cycle, my human just finished a 5k run—among countless other calls.

They’re also the target of widespread attacks designed to perform unauthorized actions or exfiltrate data, as data from Gartner increasingly shows: “by 2021, 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the UI, up from 40% in 2019, and “Gartner predicted that, by 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications”[1][2]. Of the 18 million requests per second that traverse Cloudflare’s network, 50% are directed towards APIs—with the majority of these requests blocked as malicious.

To combat these threats, Cloudflare is making it simple to secure APIs through the use of strong client certificate-based identity and strict schema-based validation. As of today, these capabilities are available free for all plans within our new “API Shield” offering. And as of today, the security benefits also extend to gRPC-based APIs, which use binary Continue reading

0

Speeding up HTTPS and HTTP/3 negotiation with… DNS

In late June, Cloudflare's resolver team noticed a spike in DNS requests for the 65479 Resource Record thanks to data exposed through our new Radar service. We began investigating and found these to be a part of Apple’s iOS14 beta release where they were testing out a new SVCB/HTTPS record type.

Once we saw that Apple was requesting this record type, and while the iOS 14 beta was still on-going, we rolled out support across the Cloudflare customer base.

This blog post explains what this new record type does and its significance, but there’s also a deeper story: Cloudflare customers get automatic support for new protocols like this.

That means that today if you’ve enabled HTTP/3 on an Apple device running iOS 14, when it needs to talk to a Cloudflare customer (say you browse to a Cloudflare-protected website, or use an app whose API is on Cloudflare) it can find the best way of making that connection automatically.

And if you’re a Cloudflare customer you have to do… absolutely nothing… to give Apple users the best connection to your Internet property.

Negotiating HTTP security and performance

Whenever a user types a URL in the browser box without specifying a Continue reading

0

Post-Quantum Cryptography: Hype and Reality

Post-quantum cryptography (algorithms resistant to quantum computer attacks) is quickly turning into another steaming pile of hype vigorously explored by various security vendors.

Christoph Jaggi made it his task to debunk at least some of the worst hype, collected information from people implementing real-life solutions in this domain, and wrote an excellent overview article explaining the potential threats, solutions, and current state-of-the art.

You (RFC 6919) OUGHT TO read his article before facing the first vendor presentation on the topic.

0

Countering the Rise of Adversarial ML 

The security community has found an important application for machine learning (ML) in its ongoing fight against cybercriminals. Many of us are turning to ML-powered security solutions like NSX Network Detection and Response that analyze network traffic for anomalous and suspicious activity. In turn, these ML solutions defend us from threats better than other solutions can by drawing on their evolving knowledge of what a network attack looks like. 

Attackers are well-aware of the fact that security solutions are using AI and ML for security purposes. They also know that there are certain limitations when it comes to applying artificial intelligence to computer security. This explains why cyber criminals are leveraging ML to their advantage in something known as adversarial machine learning. 

In this post I’ll explain just what adversarial machine learning is and what it is not. To start, the label itself can be a bit misleading. It sounds like criminals are actually using ML as part of their attack. But that is not the case. The simple explanation is that they’re using more conventional methods to understand how security solutions are using ML so that they can then figure out how to Continue reading

0

Detecting Malware Without Feature Engineering Using Deep Learning 

Detecting Malware Without Feature Engineering Using Deep Learning 

Nowadays, machine learning is routinely used in the detection of network attacks and the identification of malicious programs. In most ML-based approaches, each analysis sample (such as an executable program, an office document, or a network request) is analyzed and a number of features are extracted. For example, in the case of a binary program, one might extract the names of the library functions being invoked, the length of the sections of the executable, and so forth. 

Then, a machine learning algorithm is given as input a set of known benign and known malicious samples (called the ground truth). The algorithm creates a model that, based on the values of the features contained in the samples, is the ground truth dataset, and the model is then able to classify known samples correctly. If the dataset from which the algorithm has learned is representative of the real-world domain, and if the features are relevant for discriminating between benign and malicious programs, chances are that the learned model will generalize and allow for the detection of previously unseen malicious samples. 

The Role of Feature Engineering 

Even though the description Continue reading

0

Machine Learning, Artificial Intelligence, and How the Two Fit into Information Security 

Everywhere I look, someone’s talking about machine learning (ML) or artificial intelligence (AI). These two technologies are shaping important conversations in multiple sectors, especially marketing and sales, and are at risk of becoming overused and misunderstood buzzwords, if they haven’t already. The technologies have also drawn the attention of security professionals over the past few years, with some believing that AI is ready to transform information security. 

Despite this hype, there’s still a lot of confusion around AI and ML and their utility for information security. In this blog post, I would like to correct some misperceptions. Let’s start by differentiating machine learning from artificial intelligence in general. 

Machine Learning vs. Artificial Intelligence: Understanding the Difference 

Artificial intelligence is the science of trying to replicate intelligent, human-like behavior. There are multiple ways of achieving this — machine learning is one of them. For example, a type of AI system that does not involve machine learning is an expert system, in which the skills and decision process of an expert are captured through a series of rules and heuristics. 

Machine Learning is a specific type of AI. An ML system analyzes a large data set in Continue reading

0

VMware Transit Connect – Simplifying Networking for VMC

The release of VMware Cloud on AWS (VMC) 1.12 brings a number of exciting new capabilities to the managed service offering. A comprehensive list can be reviewed in the release notes. A key feature that is now Generally Available (GA) in all VMC commercial regions worldwide is VMware Transit Connect^TM. VMware Transit Connect enables customers to build high-speed, resilient connections between their VMware Cloud on AWS Software Defined Data Centers (SDDCs) and other resources. This capability is enabled by a feature called SDDC Groups that helps customers to logically organize SDDCs together to simplify management.

The SDDC Group construct empowers customers to quickly and easily define a collection of SDDCs, Virtual Private Clouds (VPCs) or on-premises connectivity that need to interconnect. Additionally, the SDDC Group construct provides value inside the individual SDDCs by simplifying security policy as will be shown later in this post. Behind the simplification that SDDC Groups provide is the instantiation of an VMware Managed AWS Transit Gateway, a VTGW. The VTGW is a managed service from VMware and provides the underlying connectivity between the different resources.

The initial Transit Connect service provides three primary connectivity models:

• SDDC to SDDC
• SDDC to Native AWS VPC
• Continue reading

0

Using Flow Tracking to Build Firewall Rulesets… and Halting Problem

Peter Welcher identified the biggest network security hurdle faced by most enterprise IT environments in his comment to Considerations for Host-based Firewalls (Part 1) blog post:

I have NEVER found a customer application team that can tell me all the servers they are using, their IP addresses, let alone the ports they use.

His proposed solution: use software like Tetration (or any other flow collecting tool) to figure out what’s really going on:

0

Reducing RPKI Single Point of Takedown Risk

The RPKI, for those who do not know, ties the origin AS to a prefix using a certificate (the Route Origin Authorization, or ROA) signed by a third party. The third party, in this case, is validating that the AS in the ROA is authorized to advertise the destination prefix in the ROA—if ROA’s were self-signed, the security would be no better than simply advertising the prefix in BGP. Who should be able to sign these ROAs? The assigning authority makes the most sense—the Regional Internet Registries (RIRs), since they (should) know which company owns which set of AS numbers and prefixes.

The general idea makes sense—you should not accept routes from “just anyone,” as they might be advertising the route for any number of reasons. An operator could advertise routes to source spam or phishing emails, or some government agency might advertise a route to redirect traffic, or block access to some web site. But … if you haven’t found the tradeoffs, you haven’t looked hard enough. Security, in particular, is replete with tradeoffs.

Every time you deploy some new security mechanism, you create some new attack surface—sometimes more than one. Deploy a stateful packet filter to protect a Continue reading

0

Why Don’t We Have Dynamic Firewall Policies

One of the readers of the Considerations for Host-Based Firewalls blog post wrote this interesting comment:

Perhaps a paradigm shift is due for firewalls in general? I’m thinking quickly here but wondering if we perhaps just had a protocol by which a host could request upstream firewall(s) to open access inbound on their behalf dynamically, the hosts themselves would then automatically inform the security device what ports they need/want opened upstream.

Well, we have at least two protocols that could fit the bill: Universal Plug and Play and Port Control Protocol (RFC 6887).

0

Cliché: Security through obscurity (yet again)

Infosec is a largely non-technical field. People learn a topic only as far as they need to regurgitate the right answer on a certification test. Over time, they start to believe misconceptions about that topic that they never learned. Eventually, these misconceptions displace the original concept in the community.

A good demonstration is this discussion of the "security through obscurity fallacy". The top rated comment makes the claim this fallacy means "if your only security is obscurity, it's bad". Wikipedia substantiates this, claiming experts advise that "obscurity should never be the only security mechanism".

Nope, nope, nope, nope, nope. It's the very opposite of what you suppose to understand. Obscurity has problems, always, even if it's just an additional layer in your "defense in depth". The entire point of the fallacy is to counteract people's instinct to suppress information. The effort has failed. Instead, people have persevered in believing that obscurity is good, and that this entire conversation is only about specific types of obscurity being bad.

Hypothetical: non-standard SSH

The above discussion mentions running SSH on a non-standard port, such as 7837 instead of 22, as a hypothetical example.

Let's continue this hypothetical. You do this. Then an 0day Continue reading