Some notes on IoCs

Obama "sanctioned" Russia today for those DNC/election hacks, kicking out 35 diplomats, closing diplomatic compounds, seizing assets of named individuals/groups. They also published "IoCs" of those attacks, fingerprints/signatures that point back to the attackers, like virus patterns, file hashes, and IP addresses.

These IoCs are of low quality. They are published as a political tool, to prove they have evidence pointing to Russia. They have limited utility to defenders, or those publicly analyzing attacks.

Consider the Yara rule included in US-CERT's "GRIZZLY STEPPE" announcement:


What is this? What does this mean? What do I do with this information?

It's a YARA rule. YARA is a tool ostensibly for malware researchers, to quickly classify files. It's not really an anti-virus product designed to prevent or detect an intrusion/infection, but to analyze an intrusion/infection afterward -- such as attributing the attack. Signatures like this will identify a well-known file found on infected/hacked systems.

What this YARA rule detects is, as the name suggests, the "PAS TOOL WEB KIT", a web shell tool that's popular among Russia/Ukraine hackers. If you google "PAS TOOL PHP WEB KIT", the second result points to the tool in question. You can download a copy here Continue reading

Technology Short Take #75

Welcome to Technology Short Take #75, the final Technology Short Take for 2016. Fortunately, it’s not the final Technology Short Take ever, as I’ll be back in 2017 with more content. Until then, here’s some data center-related articles and links for your enjoyment.

Networking

  • Ajay Chenampara has some observations about running Ansible at scale against network devices.
  • Andrey Khomyakov shares some information on automating the setup of whitebox switches running Cumulus Linux in part 2 of this series on learning network automation.
  • Russell Bryant has shared the results of some testing comparing ML2+OVS and OVN as backends for OpenStack networking. As Russell indicates in his post, some additional analysis is needed to truly understand what’s happening, but early looks at the results of his tests show performance improvements in OVN versus ML2+OVS when it comes to total time required to boot a VM.
  • Ivan Pepelnjak shares a Python script that creates Ansible inventory from Vagrant’s SSH configuration. Handy.

Servers/Hardware

Nothing this time around!

Security

A Broken Process Placing Consumers at Risk

Below is a chat session I had with Pearson Vue several months ago as I attempted to schedule a recertification exam. Apparently, I have two accounts with them and that prevents next day test scheduling. To put it mildly, I don’t think they adequately explain how they could possibly guarantee non-disclosure of data with email as a transport. Moreover, this seems to indicate a serious disconnect between security and business operations.

Screen Shot 2016-04-07 at 2.00.18 PM

Image Link – for FULL Size View

I’m not going to explain the problems with this, PacketU readers understand why email is not [in and of itself] a secure method for file transport. When I experience an exchange like this, I see how segregated business practices can be and what a negative impact it can have from an information security perspective. Its not a matter of if, but a matter of when, bad things will happen as a result of not taking security seriously.

 —

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may does not reflect the position of past, present or future employers.

No related content found.

The post A Broken Process Placing Consumers at Risk appeared Continue reading

The US has sanctioned Russia over election hacking

The U.S. government has sanctioned Russia's main two intelligence agencies, four military intelligence officers and is kicking out 35 Russian diplomats over what it says was aggressive harassment of U.S. officials and cyber operations around the 2016 presidential election. The move follows up on a pledge made by President Obama to retaliate against Russia for hacks of the Democratic National Committee and other political targets. The U.S. also released a detailed assessment by the Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) of the cyber attacks.To read this article in full or to leave a comment, please click here

The US has sanctioned Russia over election hacking

The U.S. government has sanctioned Russia's main two intelligence agencies, four military intelligence officers and is kicking out 35 Russian diplomats over what it says was aggressive harassment of U.S. officials and cyber operations around the 2016 presidential election. The move follows up on a pledge made by President Obama to retaliate against Russia for hacks of the Democratic National Committee and other political targets. The U.S. also released a detailed assessment by the Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) of the cyber attacks.To read this article in full or to leave a comment, please click here

New year’s resolution for IoT vendors: Start treating LANs as hostile

In November, researchers from cybersecurity firm Invincea reported a vulnerability that could have allowed hackers to infect Belkin WeMo smart plugs with malware. The flaw was located in a configuration protocol that worked over the local area network and didn't require any authentication.In 2015, when researchers from vulnerability intelligence firm Rapid7 analyzed nine Internet-connected baby monitors, they found hardcoded credentials in four of them. Those backdoor accounts provided administrative access to the devices over the local network.To read this article in full or to leave a comment, please click here

New year’s resolution for IoT vendors: Start treating LANs as hostile

In November, researchers from cybersecurity firm Invincea reported a vulnerability that could have allowed hackers to infect Belkin WeMo smart plugs with malware. The flaw was located in a configuration protocol that worked over the local area network and didn't require any authentication.In 2015, when researchers from vulnerability intelligence firm Rapid7 analyzed nine Internet-connected baby monitors, they found hardcoded credentials in four of them. Those backdoor accounts provided administrative access to the devices over the local network.To read this article in full or to leave a comment, please click here

New year’s resolution for IoT vendors: Start treating LANs as hostile

In November, researchers from cybersecurity firm Invincea reported a vulnerability that could have allowed hackers to infect Belkin WeMo smart plugs with malware. The flaw was located in a configuration protocol that worked over the local area network and didn't require any authentication.In 2015, when researchers from vulnerability intelligence firm Rapid7 analyzed nine Internet-connected baby monitors, they found hardcoded credentials in four of them. Those backdoor accounts provided administrative access to the devices over the local network.To read this article in full or to leave a comment, please click here

It’s 2017 and changing other people’s flight bookings is incredibly easy

The travel booking systems used by millions of people every day are woefully insecure and lack modern authentication methods. This allows attackers to easily modify other people's reservations, cancel their flights and even use the refunds to book tickets for themselves, according a team of researchers who analyzed this online ecosystem. Karsten Nohl and Nemanja Nikodijevic from Berlin-based consultancy Security Research Labs have spent months investigating the security employed by the Global Distribution Systems (GDSs) that are used by travel agencies, airlines, hotels and car rental companies. They presented their findings Tuesday at the 33rd Chaos Communications Congress in Hamburg.To read this article in full or to leave a comment, please click here

It’s 2017 and changing other people’s flight bookings is incredibly easy

The travel booking systems used by millions of people every day are woefully insecure and lack modern authentication methods. This allows attackers to easily modify other people's reservations, cancel their flights and even use the refunds to book tickets for themselves, according a team of researchers who analyzed this online ecosystem. Karsten Nohl and Nemanja Nikodijevic from Berlin-based consultancy Security Research Labs have spent months investigating the security employed by the Global Distribution Systems (GDSs) that are used by travel agencies, airlines, hotels and car rental companies. They presented their findings Tuesday at the 33rd Chaos Communications Congress in Hamburg.To read this article in full or to leave a comment, please click here

Top Docker content of 2016

2016 has been an amazing year for Docker and the container industry. We had 3 major releases of Docker engine this year , and tremendous increase in usage. The community has been following along and contributing amazing Docker resources to help you learn and get hands-on experience. Here’s some of the top read and viewed content for the year:

Releases

Of course releases are always really popular, particularly when they fit requests we had from the community. In particular, we had:

  • Docker for Mac & Docker for Windows Beta and GA release blog posts, and the video

Windows Containers

When Microsoft made Windows 2016 generally available, people rushed to

Docker resources for Microsoft

About Docker

We also provide a lot of information about how to use Docker. In particular, these posts and articles that we shared on social media were the most read:

brvirt: when brctl meets virsh

Hypervisors diversity is definitely one of the benefits of having Nuage managing your next-generation network. That means that we, as Nuage engineers, have to play with all kinds of hypervisors — like KVM, ESXi and Hyper-V to be more precise. As to me, I love to work with KVM most, simply because it gives you that feel that you

IDG Contributor Network: More file sync and sharing industry FUD

I received a pitch the other day from a vendor in the enterprise file sharing and synchronization (EFSS) space. I won't name the company. I probably should, to really show my scorn, but I'll deny them the Google juice instead.Anyway, the pitch told me about how said vendor made a "startling discovery" as it was planning a routine Google Adwords Campaign. It seemed that searches inadvertently turned up sensitive and confidential materials.Said vendor apparently disclosed the finding to the two other EFSS vendors, who indicated they would address the "security flaw." Now, some three years later, the same thing is happening.To read this article in full or to leave a comment, please click here

APIC-EM Path Trace Examples – Overlay Networks

Since seeing the APIC-EM Path Trace demo for the first time and seeing how it represents CAPWAP, I’ve been curious how well it deals with other types of overlay/underlay networking. This article is a brief synopsis of that testing and provides some visuals around what was produced with this free management tool.

TL;DR–APIC-EM adds value to most network path traces and typically represents what it knows. The single exception is with MPLS VPNv4. If the MPLS PE nodes are pulled into the device inventory, path trace has a total lack of understanding around the recursive lookup into the global vrf that is required for VPNv4 functionality.

CAPWAP Representation — The Gold Standard

I wanted to start out by showing what an ideal representation of an overlay network would be for a tool like this. Path Trace understands AND clearly represents both the underlay and the overlay network for traffic flowing through a CAPWAP tunnel. The image below shows the extent of the tunnel (darker gray) and the physical components that are responsible for delivery (both through the tunnel and outside of the tunnel).

pathtrace-capwap

 

Testing Topology

For the additional testing, I built the following topology and integrated APIC-EM into my Continue reading

1 2,380 2,381 2,382 2,383 2,384 3,794