Category Archives for "Security"

Join Us to Discuss Attack Response at Internet Scale

How do we coordinate responses to attacks against Internet infrastructure and users? Internet technology has to scale or it won’t survive for long as the network of networks grows ever larger. But it’s not just the technology, it’s also the people, processes and organisations involved in developing, operating and evolving the Internet that need ways to scale up to the challenges that a growing global network can create.

One such challenge is unwanted traffic, ranging from spam and other forms of messaging-related abuse to multi-gigabit distributed denial of service attacks. Numerous incident response efforts exist to mitigate the effects of these attacks. Some are focused on specific attack types, while others are closed analysis and sharing groups spanning many attack types.

We are helping to bring together operators, researchers, CSIRT team members, service providers, vendors, and information sharing and analysis centre members to discuss approaches to coordinating attack response at Internet scale. The Internet Society is sponsoring a two-day “Coordinating Attack Response at Internet Scale (CARIS) Workshop” intended to help build bridges between the many communities working on attack response on the Internet and to foster dialogue about how we can better collaborate.

The workshop will take place on February 28 Continue reading

Securify: practical security analysis of smart contracts

Securify: practical security analysis of smart contracts Tsankov et al., CCS’18

Sometimes the perfect is the enemy of the good. When we’re talking about securing smart contracts, we need all the help we can get! Bugs can cost millions of dollars. Securify uses a set of expert heuristics (patterns) to help identify issues in smart contracts. It’s available at https://securify.ch, has analysed over 18K uploaded contracts, and is used by security auditors as part of their arsenal.

The increased adoption of smart contracts demands strong security guarantees. Unfortunately, it is challenging to create smart contracts that are free of security bugs. As a consequence, critical vulnerabilities in smart contracts are discovered and exploited every few months. In turn, these exploits have led to losses reaching millions worth of USD in the past few years…. Despite their potential, repeated security concerns have shaken the trust in handling billions of USD by smart contracts.

Too right! We’ve examined some of the challenges involved in creating correct smart contracts in previous editions of The Morning Paper, as well as tools such as Zeus that help with verification.

It’s not a solvable problem in the general case (i.e., ‘perfect’ Continue reading

Customer Data Isn’t Always an Asset: Lessons from the Marriott Data Breach

As data analytics have improved, the massive amounts of data that companies acquire from their customers have only gained in economic value. In the corporate world of today, this data can be a real asset for companies. However, as today’s news that the records of over 500 million guests of Marriott International’s Starwood division hotels were involved in a data breach makes clear, corporate thinking about the value of customer data needs to be reevaluated.

Especially when it comes to corporate acquisitions, companies need to start treating customer data as a potential liability, as well as an asset.

In September 2016, Marriott International acquired Starwood for $13.6 billion. When Marriott International sought to buy the Starwood hotel chain, Starwood’s customer data played a central role in their reasoning for the acquisition. Citing higher income and better brand loyalty among program members, Arne Sorenson, the Marriott CEO, specifically referred to Starwood’s loyalty program as a “central, strategic rationale for the transaction.” Loyalty programs, in addition to attracting repeat customers, also “provide hotels with a wealth of information on their guests” which hotels can use to “create laser focused marketing campaigns for various different kinds of guests.”

While Continue reading

A Critical First Step for IoT Security in Senegal

As barriers to entry start to fall, the Internet of Things (IoT) industry could provide Africa with an opportunity to build a brighter economic future.

Several countries are already establishing tech hubs that could supply the infrastructure to fuel IoT, and while there is still a wide gap between the haves and have-nots of Internet access, with more than 60 per cent of Africa still offline, it’s easy to build a case for connectivity.

Mass urbanization is on the rise, and investing in the infrastructure needed to fuel future smart cities and connect more Africans to the opportunity the Internet offers is a logical step forward. But it’s also important that security is in place to support this promising new economy.

Unfortunately, many IoT devices are rushed to market with little thought for basic security and privacy protections. In a world with so many newly connected things, it’s hard for consumers to keep up – and to know if manufacturers are protecting their privacy and security.

To address this, Senegal has taken a critical first step. They’ve signed a memorandum of understanding with the Internet Society to strengthen IoT security. Together, they will develop an IoT Security Framework for Senegal Continue reading

Know your SCM_RIGHTS

As TLS 1.3 was ratified earlier this year, I was recollecting how we got started with it here at Cloudflare. We made the decision to be early adopters of TLS 1.3 a little over two years ago. It was a very important decision, and we took it very seriously.

It is no secret that Cloudflare uses nginx to handle user traffic. A lesser-known fact is that we have several instances of nginx running. I won’t go into detail, but there is one instance whose job is to accept connections on port 443, and proxy them to another instance of nginx that actually handles the requests. It has pretty limited functionality otherwise. We fondly call it nginx-ssl.

Back then we were using OpenSSL for TLS and Crypto in nginx, but OpenSSL (and BoringSSL) had yet to announce a timeline for TLS 1.3 support, therefore we had to implement our own TLS 1.3 stack. Obviously we wanted an implementation that would not affect any customer or client that would not enable TLS 1.3. We also needed something that we could iterate on quickly, because the spec was very fluid back then, and also something Continue reading

Knowledge of the “Truths in Your Network” is KEY

I am a huge believer in “knowledge is key”.  Yeah… I know… just reading that statement you are probably saying “well yeah… duh”.

Of course knowledge is key… duh, Fish!  We know that!  We love knowledge.  We are knowledge seekers and we love to learn!  I mean… if we didn’t love learning and knowledge why would we be reading this?   Okay… got it.  You love knowledge.  You want to grow your knowledge.   I hear you.  You are basically saying… bring on the knowledge… max the setting!   Got it.

So you most likely extend that desire for knowledge to most of the areas in your life.

For example….

  • Buying a House:  When buying a house you want the knowledge you can get by hiring a subject matter expert to walk thru the entirety of the house and inspect it.  You want knowledge of the truths of that house.
  • Hiring a Financial Advisor: When hiring a financial advisor you just go and “bare all” in reference to your financial situation so they can review every nuance of it.   You want knowledge of the truths of your finances.

Let’s Continue reading

L4Drop: XDP DDoS Mitigations

Efficient packet dropping is a key part of Cloudflare’s distributed denial of service (DDoS) attack mitigations. In this post, we introduce a new tool in our packet dropping arsenal: L4Drop.

We've written about our DDoS mitigation pipeline extensively in the past, covering:

  • Gatebot: analyzes traffic hitting our edge and deploys DDoS mitigations matching suspect traffic.
  • bpftools: generates Berkeley Packet Filter (BPF) bytecode that matches packets based on DNS queries, p0f signatures, or tcpdump filters.
  • Iptables: matches traffic against the BPF generated by bpftools using the xt_bpf module, and drops it.
  • Floodgate: offloads work from iptables during big attacks that could otherwise overwhelm the kernel networking stack. Incoming traffic bypasses the kernel to go directly to a BPF interpreter in userspace, which efficiently drops packets matching the BPF rules produced by bpftools.

Both iptables and Floodgate send samples of received traffic to Gatebot for analysis, and filter incoming packets using rules generated by bpftools. This ends up looking something like this:

Floodgate based DDoS mitigation pipeline

This pipeline has served us well, but a lot has changed since we implemented Floodgate. Our new Gen9 and ARM servers use different network Continue reading

New Report: Major Online Retailers Increase Email Marketing Trustworthiness and Follow Unsubscribe Best Practices

Today, the Internet Society’s Online Trust Alliance released its fifth annual Email Marketing & Unsubscribe Audit. OTA researchers analyzed the email marketing practices of 200 of North America’s top online retailers and, based on this analysis, offer prescriptive advice to help marketers provide consumers with choice and control over when and what messages they receive. The Audit assesses the end-to-end user experience from signing up for emails, to receiving emails, to the unsubscribe process and its results.

In the 2018 Audit, seventy-four percent of the top online retailers received “Best of Class” designation, meaning they scored eighty percent or higher in OTA’s analysis of their email marketing. In addition, ten retailers received perfect scores, meaning they adopted all twelve of OTA’s best practices. They are: Dick’s Sporting Goods, Home Depot, Lands’ End, Musician’s Friend, Office Depot, OpticsPlanet, Sierra Trading Post, Staples, Talbots, and Walgreens.

In the subscribe process there were several positive findings. The percentage of sites that had subscribe forms that were easy for the user to find was 94% in 2018, up from 85% in 2017. In addition, one-quarter of sites offered incentives such as free shipping to entice users to subscribe, down slightly from 28% in 2018.

Continue reading
