Archive

Category Archives for "Security"

What Makes IoT A Security Risk?

IoT security is a pretty hot topic in today’s world. That’s because the increasing number of smart devices is causing issues with security professionals everywhere. Consumer IoT devices are expected to top 20 billion by 2020. And each of these smart devices represents an attack surface. Or does it?

Hello, Dave

Adding intelligence to a device increases the number of ways that it can compromised. Take a simple thermostat, for example. The most basic themostat is about as dumb as you can get. It uses the expansion properties of metal to trigger switches inside of the housing. You set a dial or a switch and it takes care of the rest. Once you start adding things like programmability or cloud connection, you increase the number of ways that you can access the device. Maybe it’s a webpage or an app. Maybe you can access it via wireless or Bluetooth. No matter how you do it, it’s more available than the simple version of the thermostat.

What about industrial IoT devices? The same rule applies. In this case, we’re often adding remote access to Supervisory Control And Data Acquistion (SCADA) systems. There’s a big market from enterprise IT providers to create Continue reading

DNS-over-TLS in Linux (systemd)

Whilst we were putting together some content about DNS privacy recently, we learned that recent distributions of Linux ship with support or this. We therefore decided to give Ubuntu 18.10 a try on a laptop.

More recent versions of Ubuntu employ a special service for name resolution called ‘system-resolved.service(8)’. The configuration file ‘resolved.conf(5)’ specifies most of the details for name resolution, including which protocols and resolvers should be employed, whilst the ‘/etc/systemd/network/*.network’ configuration files (see ‘systemd.network(5)’ for details) of the ‘systemd-networkd.service(8)’ specify any per-link specific settings.

The default configuration of ‘systemd-resolved’ is selected at compile time, and ‘/etc/systemd/resolved.conf’ normally contains commented-out lines describing such defaults. For example, the contents of the aforementioned file on a fresh Ubuntu 18.10 installation are:

As may be inferred from the file, DNS-over-TLS (DoT) is supported, but disabled by default. At the time of  writing, only opportunistic DoT is supported according to the manual, which means that the resolver will first try resolution using DoT before falling back to traditional DNS in the event of failure – thus allowing for downgrade attacks where an attacker intentionally causes a DoT failure in order to cause name resolution to downgrade Continue reading

DNS-over-HTTPS (DoH) Support in Mozilla Firefox

Recent releases of Firefox have introduced the concept of DNS privacy under the name “Trusted Recursive Resolver”. Although Firefox ships with DNS-over-HTTPS (DoH) disabled by default, there has been some discussion within the Mozilla developer community about changing the default to “enabled”.

Although DoH is somewhat controversial because it moves control plane (signalling) messages to the data plane (data forwarding), and can thereby bypass local network policies, DoH advocates argue that it makes it harder to block or monitor DNS queries which is a commonly used method for restricting access to the Internet and/or monitoring user behaviour.

But putting these arguments aside, if you want to try out DoH then the DNS privacy (or “TRR” in Firefox speak) configuration in Firefox can be accessed as follows:

  • Enter “about:config” in the address box of the browser
  • Search for “trr” (without quotes)

A sample output of DNS privacy configuration in Mozilla Firefox is as follows:

Firefox offers its technical users quite a few settings to play with, but the most important options (along with their recommended settings) for TRR are:

“network.trr.bootstrapAddress” specifies the IP address of a recursive resolver that should Continue reading

Concise Christmas Cryptography Challenges 2019

Concise Christmas Cryptography Challenges 2019

Last year we published some crypto challenges to keep you momentarily occupied from the festivities. This year, we're doing the same. Whether you're bored or just want to learn a bit more about the technologies that encrypt the internet, feel free to give these short cryptography quizzes a go.

We're withholding answers until the start of the new year, to give you a chance to solve them without spoilers. Before we reveal the answers; if you manage to solve them, we'll be giving the first 5 people to get the answers right some Cloudflare swag. Fill out your answers and details using this form so we know where to send it.

Have fun!

NOTE: Hints are below the questions, avoid scrolling too far if you want to avoid any spoilers.

Concise Christmas Cryptography Challenges 2019

Challenges

Client says Hello

Client says hello, as follows:

00000c07ac01784f437dbfc70800450000f2560140004006db58ac1020c843c
7f80cd1f701bbc8b2af3449b598758018102a72a700000101080a675bce16787
abd8716030100b9010000b503035c1ea569d5f64df3d8630de8bdddd1152e75f
528ae577d2436949ce8deb7108600004400ffc02cc02bc024c023c00ac009c0
08c030c02fc028c027c014c013c012009f009e006b0067003900330016009d
009c003d003c0035002f000a00af00ae008d008c008b010000480000000b
000900000663666c2e7265000a00080006001700180019000b0002010000
0d0012001004010201050106010403020305030603000500050100000000
001200000017000052305655494338795157524c656d6443436c5246574651
675430346754456c4f52564d674e434242546b51674e513d3d

[Raw puzzle without text wrap]

Time-Based One-Time Password

A user has an authenticator device to generate one time passwords for logins to their banking website. The implementation contains a fatal flaw.

At the following times, the following codes are generated (all in GMT/UTC):

The Wired Nursery

This month, we’ve asked parents to share their experiences of raising kids in the tech age. Today’s guest author is Kimberly Rae Miller, author of Beautiful Bodies and the bestselling memoir Coming Clean.

Being a parent means living with constant, underlying anxiety over just about everything from how to slice hot dogs, to the age old winter jacket vs. car seat conundrum, to whether all the tech used to keep kids alive/make life with them easier is actually going to screw them up/destroy your life.

The latter takes a fair bit of cognizant dissonance. Most of us know at least some of the pitfalls of our wired life. After all, the digital assistant in my living room knew that I was pregnant again about five seconds after I did (and yes, there are Bluetooth-enabled home pregnancy tests), and voila, almost immediately targeted ads for diapers and nursery furniture started showing up when I shopped online. Most of the time I brush aside how uncomfortable it all makes me, because the gizmos and gadgets that make momming slightly easier are maybe worth the invasion of privacy.

When I was pregnant with my now two-year-old son, I knew that I didn’t know Continue reading

Verify Your Segmentation is Working with Stealthwatch

Network segmentation…. air gap segmentation… the names go on and on.  But no matter what you call it, you designed it and deployed it for a reason.  Likely a very good reason.  Potentially even a reason with fines and consequences should the segmentation not work.  So once you deploy it…. what then?  Just trust it is working and will always stay working?

 Trust, But Verify

I admit I am likely viewed as boringly logical when it comes to the network.  It just doesn’t seem logical to me to spend so many hours in the design and the deploy phase and then just trust that it is working.   

Don’t just trust.  Verify. 

Use whatever tool you want.  Just please… know what is really going on in your network.  Know reality.   

In this blog I’m going to show you how you can use Stealthwatch to get visibility into what is REALLY going on in your networking in reference to your segmentation.  

How can Stealthwatch tell you if your segmentation is working or not?  I refer to Stealthwatch as “Your Network Detective Command Center”.  If Continue reading

Find Rogue DNS Servers in your Network with Stealthwatch

Rogue DNS kinda reminds of me of a crime scene show I saw once.  The killer was hijacking the GPS mapping system in the rental cars of their victims.

Imagine that who you think is your valid DNS server actually isn’t.  Yeah… i know – scary.   …. If you are not familiar with the term “Rogue DNS” … maybe you might know the exposure via other terms like DNS hijacking or DNS redirection to name just a few.

In this blog I’m not going to teach about what Rogue DNS… DNS hijacking… or DNS redirection. Nor am I going to talk about solutions like OpenDNS (Cisco’s Umbrella).  I’m going to just show you how you can use Stealthwatch to get visibility into what is REALLY going on in your network in reference to DNS.  We are going to cover 2 situations where having a tool like Stealthwatch could help you with your DNS.

  1. Finding Rogue DNS
  2. DNS Server Cutover:  Checking Reality before Decommissioning DNS Servers

How does Stealthwatch do this?  I refer to Stealthwatch as “Your Network Detective Command Center”.  If there are rogue DNS in your network and your end devices are Continue reading

Facebook’s Mattress Problem with Privacy

If you haven’t had a chance to watch the latest episode of the Gestalt IT Rundown that I do with my co-workers every Wednesday, make sure you check this one out. Because it’s the end of the year it’s customary to do all kinds of fun wrap up stories. This episode focused on what we all thought was the biggest story of the year. For me, it was the way that Facebook completely trashed our privacy. And worse yet, I don’t see a way for this to get resolved any time soon. Because of the difference between assets and liabilities.

Contact The Asset

It’s no secret that Facebook knows a ton about us. We tell it all kinds of things every day we’re logged into the platform. We fill out our user profiles with all kinds of interesting details. We click Like buttons everywhere, including the one for the Gestalt IT Rundown. Facebook then keeps all the data somewhere.

But Facebook is collecting more data than that. They track where our mouse cursors are in the desktop when we’re logged in. They track the amount of time we spend with the mobile app open. They track information in the background. Continue reading

Firewall Rules – Priority and Ordering

Firewall Rules - Priority and Ordering
Firewall Rules - Priority and Ordering

Firewall Rules are one of the best security features we released this year and have been an overwhelming success. Customers have been using Firewall Rules to solve interesting security related use cases; for example, advanced hotlink protection, restricting access to embargoed content (e.g. productId=1234), locking down sensitive API endpoints, and more.

One of the biggest pieces of feedback from the Cloudflare community, Twitter, and via customer support, has been around the order in which rules are actioned. By default, Firewall Rules have a default precedence, based on the actions set on the rule:

Firewall Rules - Priority and Ordering

If two or more rules match a request, but have different actions, the above precedence will take effect. However, what happens if you've got a bad actor who needs to be blocked from your API, and you have other specific allow or challenge rules already created for their originating ASN or a perhaps one of your URLs? Once a Firewall Rule is matched, it will not continue processing other rule, unless you are using the Log action. Without a method of overriding the default precedence, you cannot easily achieve what's needed.

Today, we’re launching the ability for customers to change the ordering of their rules. Continue reading

1 67 68 69 70 71 178