Amazon EC2 Credential Exfiltration: How It Happens and How to Mitigate It

An introduction to Amazon EC2 credentials

When you assign an Identity and Access Management (IAM) role to an Amazon Elastic Compute Cloud (EC2) instance, the short-term credentials for the role are made available via a web service known as the Instance Metadata Service (IMDS). The IMDS provides an HTTP endpoint for retrieving instance metadata such as the instance IP address, AWS Region the instance is running in, the Amazon Machine Image used to launch the instance, and the access key, secret access key, and session token associated with the instance's IAM role. The AWS documentation describes how to retrieve instance role credentials from IMDS. If you've seen or used the http://169.254.169.254 or http://fd00:ec2::254 endpoints, then you've seen/used IMDS.

Retrieval of instance role credentials from IMDS is the mechanism by which the AWS CLI and SDKs learn the credentials belonging to the instance's IAM role without you having to configure anything on the instance. Quoting the IAM documentation:

The AWS SDKs, AWS CLI, and Tools for Windows PowerShell automatically get the credentials from the EC2 Instance Metadata Service (IMDS) and use them.

This is great! It means you can start using the AWS CLI, SDKs, or Tools Continue reading

Weekend Reads 072823


Incredible as it may seem, US tax preparation companies using Google and Meta tracking technology have been sending sensitive information back to the megacorps, not to mention other tech firms, it is claimed.


The Federal Trade Commission (F.T.C.) sent a letter to OpenAI, the San Fransisco company responsible for creating ChatGPT, the Large Language Model that captured the world’s imagination in November of 2022.


Steganography is the art of hiding secret data in plain sight. It sounds kind of counter-intuitive, but you’d be surprised how effective it is.


On Wednesday, Microsoft announced that Chinese hackers had managed to secretly access email accounts belonging to 25 different organizations across the country, including government agencies.


But for a human to interact with this hardware, they must really know and understand how it works. The person must also know the order in which to give the computer various tasks to produce a meaningful result.


The UK’s Competition Market Authority (CMA) has provisionally cleared Broadcom’s proposed acquisition of VMWare, paving the way for the $61 billion deal to go ahead.


In 2021, we discussed a potential future shift from established public-key algorithms to so-called “post-quantum” algorithms, which may help protect sensitive Continue reading

Create a Samba Share and Use from in a Docker Container

Overview This article provides a step-by-step guide on how to create a Samba share from within a Docker container using Ubuntu Server as the host operating system. The tutorial covers two main topics: Installing and configuring Samba on an Ubuntu server Install Samba with sudo apt-get install samba -y Start and enable the Samba service Set a password for users who will access the share Creating a persistent Docker volume mapped to the Samba share: Create a new group and add users to it, setting permissions accordingly Create a persistent Docker volume with docker volume create –opt type=none –opt o=bind –opt device=/data public Deploying an NGINX container using the Docker volume: Mount the Docker volume to the /usr/share/nginx/html directory in the NGINX container Run a new NGINX instance with docker run -d –name nginx-samba -p 8090:80 -v public:/usr/share/nginx/html nginx Testing the setup: Verify that the index.html file is served correctly from the Samba share The article concludes by noting that this setup may not be suitable for production environments, but it can be useful for development or internal services/apps. Key takeaways: Install and configure Samba on an Ubuntu server Create a persistent Docker volume mapped to a shared directory Continue reading

Striking a Balance: Exploring Fairness in Buffer Allocation and Packet Scheduling

Recently, I’ve been contemplating the concept of fairness, and I see interesting parallels between being a parent and being a network professional. As human beings, we have an inherent, intuitive sense of fairness that manifests itself in various everyday situations. Let me illustrate this idea with a couple of hypothetical scenarios:

Scenario 1: Imagine I’m a parent with four young children, and I’ve ordered a pizza for them to share. If I want to divide the pizza fairly among the children, fairness would mean that each child receives an equal portion - in this case, one-quarter of the pizza.

Scenario 2: Now let’s say I’ve ordered another pizza for the same four children, but one of the kids only cares for pizza a little and will only eat one-tenth of his share. In this situation, it wouldn’t be fair for me to give that child who doesn’t like pizza more than one-tenth of the piece because the excess would go to waste. The fair way to divide the pizza would be to give the child who doesn’t like pizza a one-tenth portion and split the remaining nine-tenths evenly among the other three kids.

The approach mentioned in the second scenario Continue reading

Hedge 188: Sidewalk, Who’s Responsible?, and Data Breaches

It’s the last show of the month, which means it is time for a roundtable! Today we are discussing three news stories, including Amazon’s Sidewalk Labs, a court case in California involving Cisco and the Great Firewall of China, and yet another data breach.

In case you didn’t see it I’m uploading the rough *machine generated) transcript of each episode about a week after the episode airs. It takes a little time for the transcription to be created, and then for me to log back in and upload the file.

download

Bookkeeping Helps Intel Recover From Server Recession A Little

Accounting is something of an art, and companies always save some accounting tricks – perfectly legitimate items that meet the discerning eye of financial standards – to goose their numbers when they really need it.

The post Bookkeeping Helps Intel Recover From Server Recession A Little first appeared on The Next Platform.

Bookkeeping Helps Intel Recover From Server Recession A Little was written by Timothy Prickett Morgan at The Next Platform.

Heavy Networking 692: Implementing Practical Network Automation – With Tony Bourke

If you’ve been staring down the barrel of network automation and wonder what the proper approach might be, today’s episode is for you. The Packet Pushers chat with Tony Bourke about what network automation tools and techniques have become the default standard, how to prepare your network and team for automation, and how to get started.

The post Heavy Networking 692: Implementing Practical Network Automation – With Tony Bourke appeared first on Packet Pushers.

Cloudflare Radar’s new BGP origin hijack detection system

Cloudflare Radar's new BGP origin hijack detection system
Cloudflare Radar's new BGP origin hijack detection system

Border Gateway Protocol (BGP) is the de facto inter-domain routing protocol used on the Internet. It enables networks and organizations to exchange reachability information for blocks of IP addresses (IP prefixes) among each other, thus allowing routers across the Internet to forward traffic to its destination. BGP was designed with the assumption that networks do not intentionally propagate falsified information, but unfortunately that’s not a valid assumption on today’s Internet.

Malicious actors on the Internet who control BGP routers can perform BGP hijacks by falsely announcing ownership of groups of IP addresses that they do not own, control, or route to. By doing so, an attacker is able to redirect traffic destined for the victim network to itself, and monitor and intercept its traffic. A BGP hijack is much like if someone were to change out all the signs on a stretch of freeway and reroute automobile traffic onto incorrect exits.

Cloudflare Radar's new BGP origin hijack detection system

You can learn more about BGP and BGP hijacking and its consequences in our learning center.

At Cloudflare, we have long been monitoring suspicious BGP anomalies internally. With our recent efforts, we are bringing BGP origin hijack detection to the Cloudflare Radar platform, sharing our detection results with the Continue reading

Migration Coordinator – Lift and Shift Migration Modes

In the first part of this blog series, takes a high-level view of all the modes that are available with Migration Coordinator, a fully supported tool built into NSX that enables migrating from NSX from vSphere to NSX (NSX-T). The second blog in this series, takes a closer look at the available options for in-place migrations. This third blog in this series, will take  the options available for lift and shift type of migration.

Distributed Firewall

Distributed Firewall mode is one of the first lift and shift modes that was introduced with NSX 3.1 release. This mode allows migrating only the firewall configuration over to NSX running on its own dedicated HW.

Locating the mode: This mode is part of the three advanced migration modes and is found by expanding the “Advanced Migration Modes” highlighted in red below:

NSX Prep:

  1. Installation: NSX manager and Edges. Optionally bridges.
  2. Configuration:
    1. Configure the N/S network connectivity
    2. Create and configure T0s all the way down to the Segments
      1. Segment ID must match the VNI of the NSX for vSphere logical switches
    3. Optionally configure bridges if the migration is expected to take long time and network connectivity between the workloads on NSX for vSphere Continue reading

Power availability stymies data center growth

The chief obstruction to data center growth is not the availability of land, infrastructure, or talent. It's local power, according to commercial real estate services company CBRE In its 2023 global data center trends report, CBRE says the market is growing steadily and demand is constantly rising, but data center growth has been largely confined to a few select areas, and those areas are running out of power.No region embodies this more than Northern Virginia, which is the world's largest data center market with 2,132 megawatts (MW) of total inventory. Its growth happened for a couple of reasons. First, proximity to the US federal government. Second, because there's a major undersea cable to Europe in Northern Virginia, and data centers want to be as close to it as possible to minimize latency.To read this article in full, please click here

Power availability stymies data center growth

The chief obstruction to data center growth is not the availability of land, infrastructure, or talent. It's local power, according to commercial real estate services company CBRE In its 2023 global data center trends report, CBRE says the market is growing steadily and demand is constantly rising, but data center growth has been largely confined to a few select areas, and those areas are running out of power.No region embodies this more than Northern Virginia, which is the world's largest data center market with 2,132 megawatts (MW) of total inventory. Its growth happened for a couple of reasons. First, proximity to the US federal government. Second, because there's a major undersea cable to Europe in Northern Virginia, and data centers want to be as close to it as possible to minimize latency.To read this article in full, please click here

IBM debuts AI-powered carbon calculator for the cloud

IBM debuted an AI-powered dashboard for tracking carbon emissions used by its cloud computing services, saying that the new Cloud Carbon Calculator can be used to help enterprises with compliance and reduce harmful carbon emissions.The calculator can be accessed via IBM’s cloud dashboard, where it provides a range of graphs and charts to track total carbon emissions created by a customer’s use of IBM’s cloud, breaking it down on a per-service, per-department and per-location basis.The ability to identify carbon emissions in a granular way should let customers identify particularly CO2-heavy workloads, areas or departments and change their cloud profile in order to minimize emissions, according to IBM. The main idea is to identify emissions “hot spots,” which the calculator does via machine learning and algorithmic functions developed in partnership with Intel.To read this article in full, please click here

Cybernews Expert Interview with Tigera President and CEO, Ratan Tipirneni

The challenges companies face regarding private and professional data protection are more important today than ever. In the modern enterprise, cloud computing and the use of cloud-native architectures enable unmatched performance, flexibility, velocity, and innovation. However, as digitalization pushes applications and services to the cloud, cyber criminals’ intrusion techniques have become increasingly sophisticated. To stay current with advancing technologies, doubling or tripling security measures is a must.

To understand the critical need for advanced cybersecurity measures, we turned to an expert in the industry, Ratan Tipirneni, President and CEO of Tigera – a company providing active, zero-trust-based security for cloud-native applications running on containers and Kubernetes.

 

Q: How did the idea of Tigera originate? What has your journey been like so far?

It was over six years ago that Tigera created Project Calico, an open-source container networking and security project.

As containers and Kubernetes adoption grew and organizations started using Kubernetes at scale, Tigera recognized the industry’s need for more advanced security and observability. Tigera has since grown from the Project Calico open-source project to a container security innovator that now supports many Fortune 100 companies across the globe.

Tigera’s continued success comes from listening to customers’ needs, understanding Continue reading

1 250 251 252 253 254 3,836