A Review of RSA Conference
So, I recently went to my first RSA Conference. It’s something I’ve had on my radar for a while but never had the opportunity to do. However, with Security Field Day coming up later this year I thought it was high time I went to see what everything was about. Here are some ideas that I came up with during my pilgrimage to the big security conference.
- It’s Huge. Like, really big. I’ve never seen a bigger conference before. I haven’t gone to Oracle OpenWorld or Dreamforce, but the size of the RSA show floor alone dwarfs anything I’ve seen. Three whole areas, including one dedicated to emerging vendors. That’s big. Almost too big in fact.
- I Still Hate Moscone. It’s official. No conference should ever use this place again. It’s been 4 years since I railed against it and every word still applies. Doubly so this year, as RSA was being held during construction! Seriously. At this point, Moscone must be paying people to hold a convention there. RSA is too big. I don’t care if it’s cheap to ferry people up from Silicon Valley. Stop doing this to yourself and tarnishing your brand. Just go to Vegas if Continue reading
Pulse Secure Q&A: A Trust Model for Multi-Cloud Networks and Applications Beyond Zero Trust
Thanks to all who joined us for the Pulse Secure 2018 Next-Gen Data Center Networking Report Webinar: A Trust Model for Multi-Cloud Networks and Applications Beyond Zero Trust.
What Happened? The Amazon Route 53 BGP Hijack to Take Over Ethereum Cryptocurrency Wallets
Yesterday, we published a blog post sharing the news and some initial details about Amazon’s DNS route hijack event to steal Ethereum cryptocurrency from myetherwallet.com. In this post, we’ll explore more details about the incident from the BGP hijack’s perspective.
As noted by Dyn, CloudFlare, and various other entities who monitor Internet routing and health, Amazon’s Route 53 (the DNS service offered by AWS) prefixes were hijacked. A BGP update taken from Isolario suggests that on 24 April, its BGP feeders were correctly receiving 205.251.192.0/23, 205.251.194.0/23, 205.251.196.0/23, 205.251.198.0/23, originated from Amazon (AS16509), until 11:04:00 (UTC). But, at 11:05:41 (UTC), Isolario recorded the first more specific /24 malicious announcements via BGP feeder and the announcements originated from eNET (AS10297) to its peer 1&1 Internet SE (AS8560). Click to enlarge image.
RIPE Stats collected the first more specific malicious advertisement at 11:05:42 (UTC) originating from eNET (AS10297), but this time through peer Hurricane Electric (AS6939).
Exactly at the same time, 11:05:42 (UTC), the Isolario BGP feeder received another update originating from eNET (AS10297) and it was also coming via Hurricane Electric (AS6939). Click to enlarge image.
Hurricane Electric has a worldwide Continue reading
Service Providers Race Toward Network Automation, Incredible Hulk Style
When asked what superhero they want their future network to be associated with, respondents’ No. 1 pick was the Hulk.
Your Data Center Needs a Network Time Machine
Big Switch’s data center monitoring fabric will add support for public cloud environments including AWS and Azure later this year.
The Cybersecurity Tech Accord Fits Squarely in the Collaborative Security Approach
Last week at RSA, more than 30 global companies came together to sign the Cybersecurity Tech Accord “to protect and empower civilians online and to improve the security, stability and resilience of cyberspace.” It is an example of collaboration, which demonstrates the commitment and focus of the signatory companies to take action in order to tackle the significant security threats we are currently facing. It is this type of collective action we have promoted as part of our collaborative security
The Tech Accord is a positive step by large corporations across the globe involved in security to come together in the name of collaboration and make security commitments that resonate with the demands of Internet users everywhere. Per the Accord’s website, there are four main tenets of the Tech Accord:
- Stronger defense
The companies will mount a stronger defense against cyberattacks. As part of this, recognizing that everyone deserves protection, the companies pledged to protect all customers globally regardless of the motivation for attacks online. - No offense
The companies will not help governments launch cyberattacks against innocent citizens and enterprises, and will protect against tampering or exploitation of their products and services through every stage of technology development, design Continue reading
No, Ray Ozzie hasn’t solved crypto backdoors
According to this Wired article, Ray Ozzie may have a solution to the crypto backdoor problem. No, he hasn't. He's only solving the part we already know how to solve. He's deliberately ignoring the stuff we don't know how to solve. We know how to make backdoors, we just don't know how to secure them.The vault doesn't scale
Yes, Apple has a vault where they've successfully protected important keys. No, it doesn't mean this vault scales. The more people and the more often you have to touch the vault, the less secure it becomes. We are talking thousands of requests per day from 100,000 different law enforcement agencies around the world. We are unlikely to protect this against incompetence and mistakes. We are definitely unable to secure this against deliberate attack.
A good analogy to Ozzie's solution is LetsEncrypt for getting SSL certificates for your website, which is fairly scalable, using a private key locked in a vault for signing hundreds of thousands of certificates. That this scales seems to validate Ozzie's proposal.
But at the same time, LetsEncrypt is easily subverted. LetsEncrypt uses DNS to verify your identity. But spoofing DNS is easy, as was recently shown in Continue reading
Another BGP Hijacking Event Highlights the Importance of MANRS and Routing Security
Another BGP hijacking event is in the news today. This time, the event is affecting the Ethereum cryptocurrency. (Read more about it here, or here.) Users were faced with an insecure SSL certificate. Clicking through that, like so many users do without reading, they were redirected to a server in Russia, which proceeded to empty the user’s wallet. DNSSEC is important to us, so please check out the Deploy360 DNSSEC resources to make sure your domain names are protected. In this post, though, we’ll focus on the BGP hijacking part of this attack.
What happened?
First, here’s a rundown of routing attacks on cryptocurrency in general – https://btc-hijack.ethz.ch/.
In this case specifically, the culprit re-routed DNS traffic using a man in the middle attack using a server at an Equinix data center in Chicago. Cloudflare has put up a blog post that explains the technical details. From that post:
“This [hijacked] IP space is allocated to Amazon(AS16509). But the ASN that announced it was eNet Inc(AS10297) to their peers and forwarded to Hurricane Electric(AS6939).
“Those IPs are for Route53 Amazon DNS servers. When you query for one of their client zones, those servers Continue reading
BGP leaks and cryptocurrencies
Over the few last hours, a dozen news stories have broken about how an attacker attempted (and perhaps managed) to steal cryptocurrencies using a BGP leak.
CC BY 2.0 image by elhombredenegro
What is BGP?
The Internet is composed of routes. For our DNS resolver 1.1.1.1 , we tell the world that all the IPs in the range 1.1.1.0 to 1.1.1.255 can be accessed at any Cloudflare PoP.
For the people who do not have a direct link to our routers, they receive the route via transit providers, who will deliver packets to those addresses as they are connected to Cloudflare and the rest of the Internet.
This is the normal way the Internet operates.
There are authorities (Regional Internet Registries, or RIRs) in charge of distributing IP addresses in order to avoid people using the same address space. Those are IANA, RIPE, ARIN, LACNIC, APNIC and AFRINIC.
What is a BGP leak?
The broad definition of a BGP leak would be IP space that is announced by somebody not allowed by the owner of the Continue reading
Fun, Games, and Cryptojacking at RSA Conference
Cyber warfare and cryptomining dominated RSA Conference keynotes and talks with technologists, who advocated a back-to-basics approach to network security.
eBrief: Minimizing Security Challenges in the Cloud
In this SDxCentral eBrief, we look at the types of security threats that are becoming more prevalent and examine some of the latest techniques and tools that enterprises are employing to make sure that their business assets in the cloud are secure.
Now You Can Setup Centrify, OneLogin, Ping and Other Identity Providers with Cloudflare Access
We use Cloudflare Access to secure our own internal tools instead of a VPN. As someone that does a lot of work on the train, I can attest this is awesome (though I might be biased). You can see it in action below. Instead of having to connect to a VPN to reach our internal jira, we just login with our Google account and we are good to go:
Before today, you could setup Access if you used GSuite, Okta or Azure AD to manage your employee accounts. Today we would like to announce support for two more Identity Providers with Cloudflare Access: Centrify and OneLogin.
We launched Cloudflare Access earlier this year and have been overwhelmed by the response from our customers and community. Customers tell us they love the simplicity of setting up Access to secure applications and integrate with their existing identity provider solution. Access helps customers implement a holistic solution for both corporate and remote employees without having to use a VPN.
If you are using Centrify or OneLogin as your identity provider you can now easily integrate them with Cloudflare Access and have your team members login with their accounts to securely reach your internal Continue reading
Networking Gets Entangled in Geo-Political Feuds
ZTE might look to judicial remedies after the U.S. ban; Huawei lays off its Washington, D.C. liason; and Twitter bans ads from Kaspersky Labs.
Will Artificial Intelligence Be Used for Good or Evil?
As AI and ML begin to reach their full potential, the race is on between network administrators and attackers to implement the technologies into their procedures, for better or for worse.
Introducing a New MANRS IXP Programme for Routing Security
Today, we are pleased to announce that the Mutually Agreed Norms for Routing Security (MANRS) is getting a new category of members – IXPs. The MANRS IXP Programme introduces a separate membership category for IXPs with a set of security actions to address the unique needs and concerns of IXPs.
The ten founding participants are Asteroid (International), CABASE (Argentina), CRIX (Costa Rica), DE-CIX (Germany), INEX (Ireland), MSK-IX (Russia), Netnod (Sweden), RINEX (Rwanda), TorIX (Canada), and YYCIX (Canada).
Programme participation provides an opportunity for an IXP to demonstrate its attention to the security and sustainability of the Internet ecosystem and, therefore, its dedication to providing high-quality services.
The IXP Action set was developed by a group of IXPs from all around the world and was presented at multiple IXP fora for discussion and feedback. We hope that with IXPs as partners, their ISP members will also join the Network Operator category of MANRS.
Participation in the MANRS IXP Programme requires an IXP to implement and document a majority of the IXP Programme Actions (at least three out of five). Actions 1 and 2 are mandatory, and the IXP must implement at least one additional Action. Here are the five Actions:
- Facilitate Continue reading
OMG The Stupid It Burns
This article, pointed out by @TheGrugq, is stupid enough that it's worth rebutting.“The views and opinions expressed are those of the author and not necessarily the positions of the U.S. Army, Department of Defense, or the U.S. Government.” <- I sincerely hope so…— the grugq (@thegrugq) April 22, 2018
“the cyber guns of August” https://t.co/xdybbr5B0E
The article starts with the question "Why did the lessons of Stuxnet, Wannacry, Heartbleed and Shamoon go unheeded?". It then proceeds to ignore the lessons of those things.
Some of the actual lessons should be things like how Stuxnet crossed air gaps, how Wannacry spread through flat Windows networking, how Heartbleed comes from technical debt, and how Shamoon furthers state aims by causing damage.
But this article doesn't cover the technical lessons. Instead, it thinks the lesson should be the moral lesson, that we should take these things more seriously. But that's stupid. It's the sort of lesson people teach you that know nothing about the topic. When you have nothing of value to contribute to a topic you can always take the moral high road and criticize everyone for being morally weak for not taking it Continue reading
Micro-segmentation Starter Kit
Traditional security solutions are designed to protect the perimeter. As applications and data are becoming increasingly distributed, they are often spanning not only multiple sites, but also multiple clouds. This is making it harder to identify where the perimeter actually is in order to secure it. But even if the perimeter can be reliably identified, securing it alone is not enough. The east-west traffic inside of the environment must be secured as well. VMware NSX makes security an intrinsic part of the infrastructure that applications and data live on, rather than a bolted-on afterthought; security is built in Day 0.
VMware created a Micro-segmentation Starter Kit to help you get started with securing your network from Planning to Enforcement to Troubleshooting. Each kit includes 6 CPUs of both NSX ADV and vRealize Network Insight ADV at 25% off the global list price.
- Plan: Take the manual and subjective process out of determining what security policies to put in place and where. vRealize Network Insight provides a comprehensive net flow assessment and analysis to model and recommend security groups and firewall rules across your physical, virtual, and cloud environments.
- Enforce: Micro-segmentation, the implementation of security policy Continue reading
It’s Time For Security Apprenticeships
Breaking into an industry isn’t easy. When you look at the amount of material that is necessary to learn IT skills it can be daunting and overwhelming. Don’t let the for-profit trade school ads fool you. You can’t go from ditch digger to computer engineer in just a few months. It takes time and knowledge to get there.
However, there is one concept in non-technical job roles that feels very appropriate to how we do IT training, specifically for security. And that’s the apprenticeship.
Building For The Future
Apprenticeship is a standard for electricians and carpenters. It’s the way that we train new people to do the work of the existing workforce. It requires time and effort and a lot of training. But, it also fixes several problems with the current trend of IT certification:
- You Can’t Get a Job Without Experience – Far too often we see people getting rejected for jobs at the entry level because they have no experience. But how are they supposed to get the experience without doing the job? IT roles paradoxically require you to be cheap enough to hire for nothing but expect you to do the job on day one. Apprenticeships fix Continue reading
Keeping Drupal sites safe with Cloudflare’s WAF
Cloudflare’s team of security analysts monitor for upcoming threats and vulnerabilities and where possible put protection in place for upcoming threats before they compromise our customers. This post examines how we protected people against a new major vulnerability in the Drupal CMS, nicknamed Drupalgeddon 2.
Two weeks after adding protection with WAF rule ID D0003 which mitigates the critical remote code execution Drupal exploit (SA-CORE-2018-002/CVE-2018-7600), we have seen significant spikes of attack attempts. Since the 13th of April the Drupal security team has been aware of automated attack attempts and it significantly increased the security risk score of the vulnerability. It makes sense to go back and analyse what happened in the last seven days in Cloudflare’s WAF environment.
What is Drupalgeddon 2
The vulnerability potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could make a site completely compromised.
Drupal introduced renderable arrays, which are a key-value structure, with keys starting with a ‘#’ symbol, that allows you to alter data during form rendering. These arrays however, did not have enough input validation. This means that an attacker could inject a custom renderable array on one of these keys in the form structure.
Continue reading
Cisco Teases SD-WAN Security Bundle
An integrated SD-WAN security product would likely involve at least three Cisco technologies: Viptela SD-WAN, Meraki network automation, and Umbrella cloud security.