Category Archives for "Security"

TCP/IP, Sockets, and SIGPIPE

There is a spectre haunting the Internet -- the spectre of SIGPIPE errors. It's a bug in the original design of Unix networking from 1981 that is perpetuated by college textbooks, which teach students to ignore it. As a consequence, sometimes software unexpectedly crashes. This is particularly acute on industrial and medical networks, where security professionals can't run port/security scans for fear of crashing critical devices.

An example of why this bug persists is the well-known college textbook "Unix Network Programming" by Richard Stevens. In section 5.13, he correctly describes the problem.
When a process writes to a socket that has received an RST, the SIGPIPE signal is sent to the process. The default action of this signal is to terminate the process, so the process must catch the signal to avoid being involuntarily terminated.
This description is accurate. The "Sockets" network API was based on the "pipes" interprocess communication when TCP/IP was first added to the Unix operating system back in 1981. This made it straightforward and comprehensible to the programmers at the time. This SIGPIPE behavior made sense when piping the output of one program to another program on the command-line, as is typical under Unix: Continue reading

Election interference from Uber and Lyft

Almost nothing can escape the taint of election interference. A good example is the announcements by Uber and Lyft that they'll provide free rides to the polls on election day. This well-meaning gesture nonetheless calls into question how this might influence the election.

"Free rides" to the polls is a common thing. Taxi companies have long offered such services for people in general. Political groups have long offered such services for their constituencies in particular. Political groups target retirement communities to get them to the polls; black churches have long had their "Souls to the Polls" program across the 37 states that allow early voting on Sundays.

But with Uber and Lyft getting into this we now have concerns about "big data", "algorithms", and "hacking".

As the various Facebook controversies have taught us, these companies have a lot of data on us that can reliably predict how we are going to vote. If their leaders wanted to, these companies could use this information in order to get those on one side of an issue to the polls. On hotly contested elections, it wouldn't take much to swing the result to one side.

Even if they don't do this consciously, their Continue reading

App Micro-segmentation How To’s: Informatica, Oracle and SAP

consolidated posts from the VMware on VMware blog

Are you someone that prefers a blank sheet of paper or an empty text pad screen?  Do you get the time to have that thought process to create the words, images or code to fill that empty space?  Yes to both — I’m impressed!  Creating something from scratch is an absolutely magical feeling especially once it gets to a point of sharing or usefulness.  However, many of us spend a bit more of our time editing, building upon or debugging.  Fortunately, that can be pretty interesting as well.

In the case of setting up micro-segmentation with VMware NSX Data Center, you have a couple of options for quickly getting started:

Those resources and more are great jumping off points especially since you likely have more than just Informatica, Oracle and SAP apps in your environments.

Now, should you have those Informatica, Oracle and SAP apps, then here’s the next level of details.  I’m Continue reading

When It Comes to IoT, We Must Work Together to #SecureIt

My first ever rendezvous with the word “IoT” was during my final year at a college conference, when a prominent regional start-up figure dispensed an oblique reference to it. I learned that IoT was the next big thing veering towards the mass market, which would eventually change the course of everyday human existence by making our way of life more convenient. What caught my attention was the term “things” in IoT – an unbounded category which could be anything from the bed you sleep on, the clothes you drape, or even the personal toiletries you use.

The Internet of Things (IoT) is a class of devices that “can monitor their environment, report their status, receive instructions, and even take action based on the information they receive.” IoT connotes not just the device but also the complex network connected to the device. Multiple studies have revealed that there are more connected devices than people on the planet. Although combining computers and networks with devices has existed for long, they were previously not integrated into consumer devices and durable goods used in ordinary day-to-day life. Furthermore, IoT being an evolving concept, exhibiting a range of ever-changing features, Continue reading

Encrypt that SNI: Firefox edition

A couple of weeks ago we announced support for the encrypted Server Name Indication (SNI) TLS extension (ESNI for short). As promised, our friends at Mozilla landed support for ESNI in Firefox Nightly, so you can now browse Cloudflare websites without leaking the plaintext SNI TLS extension to on-path observers (ISPs, coffee-shop owners, firewalls, …). Today we'll show you how to enable it and how to get full marks on our Browsing Experience Security Check.

Here comes the night

The first step is to download and install the very latest Firefox Nightly build, or, if you have Nightly already installed, make sure it’s up to date.

When we announced our support for ESNI we also created a test page you can point your browser to, https://encryptedsni.com, which checks whether your browser / DNS configuration is providing a more secure browsing experience by using secure DNS transport, DNSSEC validation, TLS 1.3 & ESNI itself when it connects to our test page. Before you make any changes to your Firefox configuration, you might well see a result something like this:

So, room for improvement! Next, head to the about:config page and look for the network.security.esni.enabled Continue reading

MUST READ: Operational Security Considerations for IPv6 Networks

A team of IPv6 security experts I highly respect (including my good friends Enno Rey, Eric Vyncke and Merike Kaeo) put together a lengthy document describing security considerations for IPv6 networks. The document is a 35-page overview of things you should know about IPv6 security, listing over a hundred relevant RFCs and other references.

No wonder enterprise IPv6 adoption is so slow – we managed to make a total mess.

Notes on the UK IoT cybersec “Code of Practice”

The British government has released a voluntary "Code of Practice" for securing IoT devices. I thought I'd write some notes on it.

First, the good parts

Before I criticize the individual points, I want to praise it for having a clue. So many of these sorts of things are written by the clueless, those who want to be involved in telling people what to do, but who don't really understand the problem.

The first part of the clue is restricting the scope. Consumer IoT is so vastly different from things like cars, medical devices, industrial control systems, or mobile phones that they should never really be talked about in the same guide.

The next part of the clue is understanding the players. It's not just the device that's a problem, but also the cloud and mobile app part that relates to the device. Though they do go too far and include the "retailer", which is a bit nonsensical.

Lastly, while I'm critical of most all the points on the list and how they are described, it's probably a complete list. There's not much missing, and at the same time, it includes little that isn't necessary. In contrast, a lot of other Continue reading

DC CyberWeek Is Here!

This October is the 15th annual National Cybersecurity Awareness Month in the United States, a collaboration between the US government and industry to raise awareness about the part we can all play in staying more secure online. Here at Cloudflare, where our mission is to help build a better internet, we look forward to this month all year.

As part of this month-long education campaign, Cloudflare is participating in D.C. CyberWeek this week, the largest cybersecurity festival in the U.S., taking place in Washington, DC. This year’s event is expected to have over 10,000 attendees, more than 100 events, and feature representatives from over 180 agencies, private companies, and service providers. We will join with other leaders in cybersecurity to share best practices, find ways to collaborate, and work to achieve common goals.

Along with the United States, the European Union also runs a month-long cyber awareness campaign in October, with the initiative having started back in 2012. The aim of this advocacy campaign is similar: promoting cybersecurity among citizens and organizations, and providing information on available tools and resources. Watch our CTO speak to some of the main considerations around Continue reading

How to irregular cyber warfare

Somebody (@thegrugq) pointed me to this article on "Lessons on Irregular Cyber Warfare", citing the masters like Sun Tzu, von Clausewitz, Mao, Che, and the usual characters. It tries to answer:
...as an insurgent, which is in a weaker power position vis-a-vis a stronger nation state; how does cyber warfare plays an integral part in the irregular cyber conflicts in the twenty-first century between nation-states and violent non-state actors or insurgencies
I thought I'd write a rebuttal.

None of these people provide any value. If you want to figure out cyber insurgency, then you want to focus on the technical "cyber" aspects, not "insurgency". I regularly read military articles about cyber written by those, like in the above article, which demonstrate little experience in cyber.

The chief technical lesson for the cyber insurgent is the Birthday Paradox. Let's say, hypothetically, you go to a party with 23 people total. What's the chance that any two people at the party have the same birthday? The answer is 50.7%. With a party of 75 people, the chance rises to 99.9% that two will have the same birthday.

The paradox is that your intuitive way of calculating Continue reading