The Internet Society’s African Chapters Join the African Union and Other Partners to Discuss IoT Security, Privacy, and Digital ID in Africa
In collaboration with the Africa Union Commission (AUC), the Africa Telecommunication Union (ATU), and Omidyar Network, from 8-11 April 2019 the Africa Regional Bureau successfully gathered in Addis Ababa, Ethiopia 103 participants comprising Internet Society Chapter leaders, African Regional economic bodies, privacy experts, regulators, and data protection agencies to a two-day workshop on IoT Security, Privacy, and Digital ID followed by the 2019 African Chapters Advocacy Meeting.
The first day of the workshop focused on IoT opportunities and security considerations. It explored the IoT landscape in Africa and shared active deployments and chapter-led projects. The day also discussed IoT security and privacy considerations with emphasis on frameworks that could be implemented to ensure the security and safety of IoT devices. A dedicated session on aligning policy and IoT security needs shared the experience of the Senegal multistakeholder IoT security process and motivated member states to initiate a similar process in their countries.
The second day focused on localizing the AUC and Internet Society Personal Data Protection Guidelines. Our partners AUC, Omidyar Network, Mozilla Foundation, and UNECA unpacked issues related to digital identity, personal data protection and privacy in the region. The meeting explored the nature of policies in place to Continue reading
10 Years of Auditing Online Trust – What’s Changed?
Last week we released the 10th Online Trust Audit & Honor Roll, which is a comprehensive evaluation of an organization’s consumer protection, data security, and privacy practices. If you want to learn more about this year’s results, please join us for our webinar on Wednesday, 24 April, at 1PM EDT / 5PM UTC. Today, though, we thought it would be interesting to see how the Audit and results have evolved over time. Here are some quick highlights over the years:
- 2005 – The Online Trust Alliance issued “scorecards” tracking adoption of email authentication (SPF) in Fortune 500 companies.
- 2008 – Added DKIM tracking to the scorecards, and extended the sectors to include the US federal government, banks, and Internet retailers.
- 2009 – Shifted from scorecard to “Audit” because criteria were expanded to include Extended Validation (EV) certificates and elements of site security (e.g., website malware).
- 2010 – Introduced the Honor Roll concept, highlighting organizations following best practices. Only 8% made the Honor Roll.
- 2012 – Expanded criteria to include DMARC, Qualys SSL Labs website assessment, and scoring of privacy statements and trackers. Shifted overall sector focus to consumer-facing organizations, so dropped the Fortune 500 and added Continue reading
Programming languages infosec professionals should learn
Code is an essential skill of the infosec professional, but there are so many languages to choose from. What language should you learn? As a heavy coder, I thought I'd answer that question, or at least give some perspective.The tl;dr is JavaScript. Whatever other language you learn, you'll also need to learn JavaScript. It's the language of browsers, Word macros, JSON, NodeJS server side, scripting on the command-line, and Electron apps. You'll also need to a bit of bash and/or PowerShell scripting skills, or SQL for queries. Other languages are important as well, Python is very popular for example. Actively avoid C++ and PHP as they are obsolete.
Also tl;dr: whatever language you decide to learn, also learn how to use an IDE with visual debugging, rather than just a text editor. That problems means Visual Code from Microsoft.
Let's talk in general terms. Here are some types of languages.
- Unavoidable. As mentioned above, familiarity with JavaScript, bash/Powershell, and SQL are unavoidable. If you are avoiding them, you are doing something wrong.
- Small scripts. You need to learn at least one language for writing quick-and-dirty command-line scripts to automate tasks or process data. As a tool using animal, this Continue reading
Was it a Chinese spy or confused tourist?
Politico has an article from a former spy analyzing whether the "spy" they caught at Mar-a-lago (Trump's Florida vacation spot) was actually a "spy". I thought I'd add to it from a technical perspective about her malware, USB drives, phones, cash, and so on.The part that has gotten the most press is that she had a USB drive with evil malware. We've belittled the Secret Service agents who infected themselves, and we've used this as the most important reason to suspect she was a spy.
But it's nonsense.
It could be something significant, but we can't know that based on the details that have been reported. What the Secret Service reported was that it "started installing software". That's a symptom of a USB device installing drivers, not malware. Common USB devices, such as WiFi adapters, Bluetooth adapters, microSD readers, and 2FA keys look identical to flash drives, and when inserted into a computer, cause Windows to install drivers.
Visual "installing files" is not a symptom of malware. When malware does its job right, there are no symptoms. It installs invisibly in the background. Thats the entire point of malware, that you don't know it's there. It's not to say Continue reading
The Confluence of SD-WAN and Microsegmentation
If you had to pick two really hot topics in the networking space right now, you’d be hard-pressed to find two more discussed than SD-WAN and microsegmentation. SD-WAN is the former “king of the hill” in the network engineering. I can remember having more conversations about SD-WAN in the last couple of years than anything else. But as the SD-WAN market has started to consolidate and iterate, a new challenger has arrived. Microsegmentation is the word of the day.
However, I think that SD-WAN and microsegmentation are quickly heading toward a merger of ideas and solutions. There are a lot of commonalities between the two technologies that make a lot of sense running together.
SD-WAN isn’t just about packet switching and routing any longer. That’s because networking people have quickly learned that packet-by-packet processing of traffic is inefficient. All of our older network analysis devices could only see things one IP packet at a time. But the new wave of devices think in terms of flows. They can analyze a stream of packets to figure out what’s going on. And what generates those flows?
Applications.
The key to the new wave of SD-WAN technology isn’t some kind of magic method Continue reading
Distributed Firewall on VMware Cloud on AWS
This blog post will provide a deep dive on the distributed firewall (DFW) on VMware Cloud on AWS (VMC on AWS). Let’s start with the basic concepts of a distributed firewall:
Distributed Firewall Concepts
The distributed firewall is an essential feature of NSX Data Center and essentially provides the ability to wrap virtual machines around a virtual firewall.
The virtual firewall is a stateful Layer 4 (L4) firewall – it’s capable of inspecting the traffic up to the Layer 4 of the OSI model: in simple terms, it means they look at IP addresses (source and destination) and TCP/UDP ports and filter the traffic based upon these criteria.
What’s unique about our firewall is that it has contextual view of the virtual data center – this means our distributed firewall can secure workloads based on VM criteria instead of just source and destination IP addresses.
Traditional firewalling is based on source and destination IPs – constructs that have no business logic or context into applications. Our distributed firewall can secure workloads based on smarter criteria such as the name of the virtual machine or metadata such as tags.
This enables us to build security rules based on business logic (using Continue reading
Why You Should Block Notifications and Close Your Browser
Every so often, while browsing the web, you run into a web page that asks if you would like to allow the site to push notifications to your browser. Apparently, according to the paper under review, about 12% of the people who receive this notification allow notifications. What, precisely, is this doing, and what are the side effects?
Allowing notifications allows the server to kick off one of two different kinds of processes on the local computer, a service worker. There are, in fact, two kinds of worker apps that can run “behind” a web site in HTML5; the web worker and the service worker. The web worker is designed to calculate or locally render some object that will appear on the site, such as unencrypting a downloaded audio file for local rendition. This moves the processing load (including the power and cooling use!) from the server to the client, saving money Continue reading
Time protection: the missing OS abstraction
Time protection: the missing OS abstraction Ge et al., EuroSys’19
Ever since the prominent emergence of timing-based microarchitectural attacks (e.g. Spectre, Meltdown, and friends) I’ve been wondering what we can do about them. When a side-channel is based on observing improved performance, a solution that removes the improved performance can work, but is clearly undesirable. In today’s paper choice, for which the authors won a best paper award at EuroSys’19 last month, Ge et al., set out a principled basis for protecting against this class of attacks. Just as today’s systems offer memory protection, they call this time protection. The paper sets out what we can do in software given today’s hardware, and along the way also highlights areas where cooperation from hardware will be needed in the future.
Timing channels, and in particular microarchitectural channels, which exploit timing variations due to shared use of caches and other hardware, remain a fundamental OS security challenge that has eluded a comprehensive solution to date… We argue that it is time to take temporal isolation seriously, and make the OS responsible for time protection, the prevention of temporal inference, just as memory protection prevents spatial inference.
Master of web puppets: abusing web browsers for persistent and stealthy computation
Master of web puppets: abusing web browsers for persistent and stealthy computation Papadopoulus et al., NDSS’19
You’ve probably heard about crypto-currency mining and the like in hijacked browsers.
From a security perspective, a fundamental problem of web applications is that by default their publisher is considered as trusted, and thus allowed to run JavaScript code (even from third parties) on the user side without any restrictions… On the positive side JavaScript execution so far has been constrained chronologically to the lifetime of the browser window or tab that rendered the compromised or malicious website.
Not any more! This paper shows how modern browsers with support for Service Workers can be stealthily connected into a botnet, with a connection that persists until the user closes the browser completely: “in contrast to previous approaches for browser hijacking, a key feature of MarioNet is that it remains operational even after the user browses away from the malicious webpage.”
MarioNet building blocks: Service Workers and WebRTC
Service Workers are non-blocking modules that reside in the user’s browser. Once registered they can run in the background without requiring the user to continue browsing on the originating site. In addition, service workers have Continue reading
Assange indicted for breaking a password
In today's news, after 9 years holed up in the Ecuadorian embassy, Julian Assange has finally been arrested. The US DoJ accuses Assange for trying to break a password. I thought I'd write up a technical explainer what this means.According to the US DoJ's press release:
Julian P. Assange, 47, the founder of WikiLeaks, was arrested today in the United Kingdom pursuant to the U.S./UK Extradition Treaty, in connection with a federal charge of conspiracy to commit computer intrusion for agreeing to break a password to a classified U.S. government computer.The full indictment is here.
It seems the indictment is based on already public information that came out during Manning's trial, namely this log of chats between Assange and Manning, specifically this section where Assange appears to agree to break a password:
What this says is that Manning hacked a DoD computer and found the hash "80c11049faebf441d524fb3c4cd5351c" and asked Assange to crack it. Assange appears to agree.
So what is a "hash", what can Assange do with it, and how did Manning grab it?
Computers store passwords in an encrypted (sic) form called a "one way hash". Since it's "one way", it can Continue reading
Internet of Things Devices as a DDoS Vector
As adoption of Internet of Things devices increases, so does the number of insecure IoT devices on the network. These devices represent an ever-increasing pool of computing and communications capacity open to misuse. They can be hijacked to spread malware, recruited to form botnets to attack other Internet users, and even used to attack critical national infrastructure, or the structural functions of the Internet itself (we give several examples from recent headlines in the Reference Section, below).
The problem this poses is what to do about IoT as a source of risk. This blog post includes reflections on events that came to light in recent weeks, sets out some thoughts about technical mitigations, and sketches out the boundaries of what we think can be done technically. Beyond those boundaries lie the realms of policy measures, which – while relevant to the big picture – are not the topic of this post.
Why are we exploring this issue now? Partly because of our current campaign to improve trust in consumer IoT devices.
And partly, also, because of recent reports that, as a step towards mitigating this risk, connected devices will be subjected to active probing, to detect whether or not they Continue reading
Don’t trust the locals: investigating the prevalence of persistent client-side cross-site scripting in the wild
Don’t trust the locals: investigating the prevalence of persistent client-side cross-site scripting in the wild Steffens et al., NDSS’19
Does your web application make use of local storage? If so, then like many developers you may well be making the assumption that when you read from local storage, it will only contain the data that you put there. As Steffens et al. show in this paper, that’s a dangerous assumption! The storage aspect of local storage makes possible a particularly nasty form of attack known as a persistent client-side cross-site scripting attack. Such an attack, once it has embedded itself in your browser one time (e.g. that one occasion you quickly had to jump on the coffee shop wifi), continues to work on all subsequent visits to the target site (e.g., once you’re back home on a trusted network).
In an analysis of the top 5000 Alexa domains, 21% of sites that make use of data originating from storage were found to contain vulnerabilities, of which at least 70% were directly exploitable using the models described in this paper.
Our analysis shows that more than 8% of the top 5,000 domains are potentially susceptible to a Continue reading
Guest Introspection Re-introduction for NSX-T 2.4
(Re-)Introduction to Guest Introspection
The Guest Introspection platform has been included in NSX Data Center for vSphere for several years, mostly as a replacement for the VMware vShield Endpoint product and providing customers the ability to plug in their VMware certified partner solutions to allow agent-less anti-virus and anti-malware protections for a variety of data center workloads.
The Benefit of the Guest Introspection Platform
The Guest Introspection platform provides customers several outcomes.
Simplified AV management – Manual installation of agents into the guest operating system requires massive operational overhead just getting the agents deployed out on every virtual workload, managing the agent life-cycle post deployment, and for troubleshooting issues with the in-guest agents in day 2 operations.
Guest Introspection provides a centralized management interface for deploying the agentless components to the vSphere hosts, including the security policies, all while using vSphere objects and grouping of those objects to associate the endpoint policy. This provides granular policy creation and association in the workload environments.
Improved endpoint performance – When several or all of the virtual workloads kick off a scheduled AV scan, this can produce a massive resource drain from host resources where workloads might suffer performance concerns during Continue reading
How bad can it git? Characterizing secret leakage in public GitHub repositories
How bad can it git? Characterizing secret leakage in public GitHub repositories Meli et al., NDSS’19
On the one hand you might say there’s no new news here. We know that developers shouldn’t commit secrets, and we know that secrets leaked to GitHub can be discovered and exploited very quickly. On the other hand, this study goes much deeper, and also provides us with some very actionable information.
…we go far beyond noting that leakage occurs, providing a conservative longitudinal analysis of leakage, as well as analyses of root causes and the limitations of current mitigations.
In my opinion, the best time to catch secrets is before they are ever committed in the first place. A git pre-commit hook using the regular expressions from this paper’s appendix looks like a pretty good investment to me. The pre-commit hook approach is taken by TruffleHog, though as of the time this paper was written, TruffleHog’s secret detection mechanisms were notably inferior (detecting only 25-29%) to those developed in this work (§ VII.D). You might also want to look at git-secrets which does this for AWS keys, and is extensible with additional patterns. For a belt and braces approach, also Continue reading
Ginseng: keeping secrets in registers when you distrust the operating system
Ginseng: keeping secrets in registers when you distrust the operating system Yun & Zhong et al., NDSS’19
Suppose you did go to the extreme length of establishing an unconditional root of trust for your system, even then, unless every subsequent piece of code you load is also fully trusted (e.g., formally verified) then you’re open to post-boot attacks. This is especially true in a context where lots of third-party application code (e.g. apps on a mobile phone) gets loaded.
Many mobile and IoT apps nowadays contain sensitive data, or secrets, such as passwords, learned models, and health information. Such secrets are often protected by encryption in the storage. However, to use a secret, an app must decrypt it and usually store it as cleartext in memory. In doing so, the app assumes that the operating system (OS) is trustworthy. OSes are complex software and have a large attack surface… Increasingly abundant evidence suggests that prudent apps should not trust the OS with their secrets.
Instead of trying to protect absolutely everything, Ginseng assumes that some data matters more than others. It arranges things such that this sensitive data is only ever in the clear in registers Continue reading
Establishing software root of trust unconditionally
Establishing software root of trust unconditionally Gligor & Woo, NDSS’19
The authors won a best paper award for this work at NDSS this year. The main result is quite something, but as you might expect the lines of argument are detailed and not always easy to follow (and certainly not critically!) for non-experts like me. I’ll use today’s write-up to convey the big ideas as I understand them. Close reading of the original paper (and it’s accompanying technical report) will be essential if you then want to dig deeper.
The problem: establishing a root of trust
Root of trust (RoT) establishment on an untrusted system ensures that a system state comprises all and only content chosen by the user, and the user’s code begins execution in that state. All implies that no content is missing, and only that no extra content exists. If a system state is initialized to content that satisfies security invariants and RoT establishment succeeds, a user’s code begins execution in a secure initial state.
That is to say, even in the presence of persistent malware e.g. in the firmware of peripheral controllers, network interface cards, disk and USB controllers, and so on, root of Continue reading
Automatic Clean-and-Updated Firewall Ruleset
This is a guest blog post by Andrea Dainese, senior network and security architect, and author of UNetLab (now EVE-NG) and Route Reflector Labs. These days you’ll find him busy automating Cisco ACI deployments.
Following the Ivan’s post about Firewall Ruleset Automation, I decided to take a step forward: can we always have up-to-date and clean firewall policies without stale rules?
The problem
We usually configure and manage firewalls using a process like this:
Read more ...Switzerland’s Leading Provider of Customized Financial Services for Dental Facilities Ensures the Safe Handling of Patient Records
The core business of Zahnärztekasse AG revolves around financial services for dentists and therefore secure patient records. The 33 employees look after the fee management of over 1,000 dental facilities in Switzerland. Recently, the company introduced a new level of security, because in the face of current threats and threats of cybercrime, sensitive data can fall into the wrong hands. The dental facilities often ask about the level of safety of the IT products and services offered. In addition, it is necessary to comply with the new federal law on data protection, the Swiss counterpart to GDPR. Therefore, IT security is very important. A digital transformation was necessary, because the systems in use were not completely protected against current threat scenarios. Furthermore, Zahnärztekasse was also striving for an ISO certification.
Interfaces and platforms already digitized
Digitalization is a major challenge for the conservative dental market. Zahnärztekasse has responded to this trend by digitizing its assets including interfaces, various platforms (www.debident.ch and www.zahngeld.ch) and the iOS app Crediflex, and is now considered to be a market leader and pioneer in the field. As early as 2010, Zahnärztekasse started virtualizing its systems and built on this trend Continue reading
The crux of voice (in)security: a brain study of speaker legitimacy detection
The crux of voice (in)security: a brain study of speaker legitimacy detection Neupane et al., NDSS’19
The key results of this paper are easy to understand, but the implications are going to take us a long time to unravel. Speech morphing (voice morphing) is the process of translating a speaker’s voice to sound like a given impersonation target. This capability is now available off-the-shelf —this paper uses the CMU Festvox voice converter— and is getting better all the time. Being able to impersonate someone’s voice takes things like social engineering attacks to a whole new level…
…voice imitation is an emerging class of threats, especially given the advancement in speech synthesis technology seen in a variety of contexts that can harm a victim’s reputation and her security/safety. For instance, the attacker could publish the morphed voice samples on social media, impersonate the victim in phone conversations, leave fake voice messages to the victim’s contacts, and even launch man-in-the-middle attacks against end-to-end encryption technologies that require users to verify the voices of the callers, to name a few instances of such attacks.
So voice should sit alongside images and video as a source we can’t trust in our new Continue reading