Nortel Sells IPv4 Space

March 25, 2011

Nortel, the bankrupt Canadian networking giant, sold off its IPv4 address space this week to raise money to pay its creditors. The addresses sold to Microsoft for $7.5 million, an average of roughly eleven and a half dollars per IP.

As the article says, prices are only likely to go up as the reality of a dual-stack or v6 implementation becomes more apparent.


VoIP Encryption Vulnerability

March 22, 2011

It’s a well-known fact that conversations using Voice-over-IP (VoIP) technologies need to be encrypted to ensure privacy; after all, tools like Wireshark offer special modes for reconstructing a phone conversation from a packet capture. But according to this paper (warning: PDF file), encryption might not be enough.

From the paper abstract:

Despite the rapid adoption of Voice over IP (VoIP), its security implications are not yet fully understood. Since VoIP calls may traverse untrusted networks, packets should be encrypted to ensure confidentiality. However, we show that when the audio is encoded using variable bit rate codecs, the lengths of encrypted VoIP packets can be used to identify the phrases spoken within a call. Our results indicate that a passive observer can identify phrases from a standard speech corpus within encrypted calls with an average accuracy of 50%, and with accuracy greater than 90% for some phrases. Clearly, such an attack calls into question the efficacy of current VoIP encryption standards. In addition, we examine the impact of various features of the underlying audio on our performance and discuss methods for mitigation.
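To make the abstract's point concrete, here is an added simulation (not code from the paper) of why encryption alone does not hide what a variable bit rate codec is doing, and why padding frames to a fixed size, one of the mitigations the paper discusses, closes the channel. The frame sizes, the phrases and the per-packet overhead are constructed values.

```python
# Added illustration of the packet-length side channel the abstract describes; not
# code from the paper.  The frame sizes below are constructed, not real codec output.
from typing import Dict, List, Optional

# Constructed per-frame sizes (bytes) a variable bit rate codec might emit for two
# phrases.  SRTP-style encryption does not change payload sizes, so the pattern survives.
KNOWN_PHRASES: Dict[str, List[int]] = {
    "my account number is": [20, 24, 31, 31, 28, 24, 20, 31, 28, 24],
    "the weather is nice":  [20, 20, 24, 28, 31, 31, 24, 20, 20, 24],
}
MAX_FRAME = 31   # largest frame the codec can produce (constructed value)
OVERHEAD = 12    # fixed per-packet header/auth-tag bytes added by encryption (assumed)


def wire_lengths(frames: List[int], padded: bool) -> List[int]:
    """Packet lengths an eavesdropper sees.  With `padded`, the mitigation is applied:
    every frame is padded to MAX_FRAME before encryption (more bandwidth, no leak)."""
    payload = [MAX_FRAME] * len(frames) if padded else frames
    return [f + OVERHEAD for f in payload]


def distance(a: List[int], b: List[int]) -> int:
    """Sum of absolute length differences; a crude stand-in for the paper's classifier."""
    return sum(abs(x - y) for x, y in zip(a, b)) + abs(len(a) - len(b)) * MAX_FRAME


def guess_phrase(observed: List[int], padded: bool) -> Optional[str]:
    """Passive observer: match the observed lengths against the wire profile each known
    phrase would produce under the same codec setting.  A tie means the lengths carry
    no usable information, so the observer cannot decide."""
    scores = {p: distance(observed, wire_lengths(f, padded)) for p, f in KNOWN_PHRASES.items()}
    best = min(scores.values())
    candidates = [p for p, s in scores.items() if s == best]
    return candidates[0] if len(candidates) == 1 else None


def leaks(phrase: str, padded: bool) -> bool:
    """True if an observer recovers `phrase` from encrypted packet lengths alone."""
    observed = wire_lengths(KNOWN_PHRASES[phrase], padded)
    return guess_phrase(observed, padded) == phrase
```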


Wells Fargo BYOH

March 8, 2011

At the end of January, I wrote about the current trend in allowing users to bring their own hardware into an enterprise environment. Some companies are allowing personally owned smartphones and tablets, for example, to connect to their enterprise network. This both makes employees happy and saves the company money.

Other companies are not allowing this. Wells Fargo, for one.

From the article:

“I carry two phones. One for personal, and one for work,” says Martin Davis, executive vice president and head of Wells Fargo’s technology integration office. “I’ve got two iPads in my briefcase, for personal and work. We keep it separate.”

I like the way he thinks.


Speculation on Thunderbolt

March 1, 2011

Thunderbolt, a new I/O interface, was introduced last week on the latest line of Macbook Pro portable computers. Physically, it uses a DisplayPort connector – and, if you like, it can be used as a simple DisplayPort interface to connect a monitor or projector to the computer. But it is also a successor to Firewire, capable of daisy-chaining up to five devices with a shared bus bandwidth of 10Gb/s.

It is also a successor to Firewire in that it is an unauthenticated peer-to-peer bus protocol (as distinct from a master-slave protocol like USB). This characteristic has been exploited in Firewire to forensically read the contents of RAM or attached disks from a live machine. While the details on Thunderbolt are rather sketchy right now, it’s easy to imagine that an adversary could rig a display device to surreptitiously harvest data from a client machine, while appearing to function normally.

Physical security is tricky to enforce. Most people are smart enough to avoid plugging a random USB drive or Ethernet cable into a machine that holds sensitive data – but they won’t think twice about using a projector in a classroom or at a conference. Thunderbolt adds a whole new class of peripherals into the “untrusted” group. Watching the professionals take a crack at this will be very interesting.


Unsecured IP Cameras

February 17, 2011

Here is an interesting article over at Ars Technica about the prevalence of Internet-accessible cameras that you can find with a simple Google query. Some of them are intended for public consumption, like the aquarium cam he posts a picture from. Some of them are not, like the jewelry store security cam. But all of them are available to anyone who can find the URL in a search engine.

Why is this so?

Well, security cameras used to be a dedicated product with specialized cabling and deployment techniques. But like so many things (voice telephones, printers, POS terminals, etc.), someone had the innovative idea to just put cameras onto an IP network instead. This meant that the cameras no longer needed runs of special analog cabling back to a VCR or monitor – instead, you could just access the video feed with a web browser.

Well, this is an excellent advancement. But moving things into the IP world means that you now have to be familiar with how to secure things in that world. And clearly, many people are not. They don’t think to change default passwords, or close firewall holes, or whitelist allowable addresses. And their cameras show up in this article.

Cameras aren’t the only culprit. Here’s a list of common IP devices; are you sure that they’re all properly secured on your network?

  • Printers
  • Vending Machines
  • Cash Registers
  • Card Swipe Readers
  • Handheld Scanners
  • Smartphones
  • Tablets
  • Administration Interfaces (like HP’s ILO)

Securing an IP network means securing everything on that network, not just what we traditionally think of as “computers”. Because everything on that network is a potential target and a potential beachhead for an attacker.


The Google Two-Step

February 11, 2011

Google has announced that two-factor authentication will be available for users to log into their Google Apps / GMail accounts. Essentially, the account holder’s mobile phone is used as an authentication token; once the number is registered, the user can opt to receive a numeric authentication code via SMS or voice call, or generate it with a local application. Both the traditional password and the authentication code from the phone must be used to access the account.

This is a tremendous step forward in security, especially for a free online service. Passwords have historically been the weak link in most network security schemes; they are often easily guessed or acquired through social engineering techniques. By requiring users to not only have a password but also have a physical token like a designated mobile phone, Google can render phishing and brute-force attacks completely impotent.

Excellent.
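The "generate it with a local application" option works without any network round trip because both the phone and Google's servers derive the code from a shared secret and the current time. Here is an added implementation of that scheme, time-based one-time passwords (TOTP, RFC 6238), which is what Google Authenticator uses; this is example code, not Google's, and the 30-second step and 6-digit length are the RFC defaults.

```python
# Added example of the time-based one-time code a local authenticator app produces
# (TOTP, RFC 6238).  Not Google's code; step and digit count are the RFC defaults.
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per code window
DIGITS = 6     # length of the numeric code


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the code for the window containing `unix_time` (HMAC-SHA1, RFC 6238)."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server side: accept the current window plus `window` neighbours on either side
    to tolerate phone clock drift, comparing in constant time."""
    for k in range(-window, window + 1):
        candidate = totp(secret, unix_time + k * STEP)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret (typed in or from a QR code)."""
    return base64.b32decode(b32.upper().replace(" ", ""))


def current_code(b32_secret: str) -> str:
    """What the phone would display right now for the given enrolled secret."""
    return totp(secret_from_base32(b32_secret), int(time.time()))
```

A phished password alone does not pass `verify`, and a captured code stops working once its 30-second window (plus the drift allowance) has elapsed.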


UL Approval

February 10, 2011

Underwriters Laboratories, the independent product testing firm that certifies electrical and electronic devices of all stripes, is launching a new standard for security testing. UL2825, which will be officially launched on February 14, will verify that equipment can handle DDOS traffic, malicious traffic, and other adverse security conditions.


Openfiler

February 8, 2011

If you’re looking to centralize the data storage in your enterprise – perhaps in response to a particularly persuasive and insightful article you read on the Internet somewhere – you might want to take a look at the Openfiler project.

Openfiler is a Linux distribution designed to be used as the interface for a Network Attached Storage device. Essentially, it is used to build a storage pool that the other computers in your environment can connect to in order to share data. It supports NFS, SMB, FTP, iSCSI, and a tremendous number of other acronyms. The only real annoyance is that the otherwise excellent web GUI doesn’t include any tools for setting up an iSCSI initiator, so that must be done from the command line.


Definition Monday: Intrusion Detection Systems

February 7, 2011

Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: Intrusion Detection Systems.

An Intrusion Detection System, usually abbreviated “IDS”, is exactly what it sounds like. It is a piece of hardware or software that listens to data changes or traffic in a particular environment, watching for suspicious or exploitative trends. Think of it like the high-tech version of a motion detector light on a house; it passively monitors the environment until something triggers it, and then performs a specified task. Just like the motion detector will turn on the light, the IDS will log the problem, generate an SMS text message to an administrator, or email an affected user.

Broadly speaking, there are two common classes of IDS – Network-based IDS systems (NIDS) and Host-based IDS systems (HIDS).

Network-based IDS (NIDS)

A NIDS system passively monitors the traffic in an environment, watching for certain patterns that match a defined set of signatures or policies. When something matches a signature, an alert is generated – the action that occurs then is configurable by the administrator.

The most common NIDS in use these days is probably Snort, an open-source solution written by Marty Roesch and maintained by his company, Sourcefire. Snort is capable of acting as either a passive eavesdropper or as an active in-line part of the network topology. In this diagram, the lefthand example is a passive deployment, the right is in-line.

As you can see in the example on the left, the computer running snort is connected to the firewall – the firewall would be configured with a “mirror” or “spanning” port that would essentially copy all of the incoming and outgoing traffic to a particular interface for the snort software to monitor. This way, any suspicious traffic passing the border of the network would be subject to examination.

In the example on the right, the traffic is passing directly through the snort machine, using two Ethernet interfaces. This is an excellent solution for environments where a mirror port is unavailable, such as a branch office using low-end networking equipment that can’t provide the additional interface.

(It is important to note that a NIDS should be carefully placed within the network topology for maximum effectiveness. If two of the client machines in these diagrams are passing suspicious traffic between them, the snort machine will not notice; it only sees traffic destined for the Internet. It is always possible, of course, to run multiple NIDS systems and tie all of the alerts into one console for processing so as to eliminate these blind spots.)

Because of its large install base, rules for detecting new threats are constantly being produced and published for free usage on sites like Emerging Threats. If you want to be alerted when a host on your network is connecting to a known botnet controller, for example, the up-to-the-minute rules for this can be downloaded from ET. The same goes for signatures of new worms and viruses, command-and-control traffic, and more.

So a NIDS is an excellent tool for detecting when a host on your network has been compromised or is otherwise producing suspicious traffic. But what about exploits that don’t cause traffic generation? If someone compromises your e-commerce server, for example, and installs a rootkit and starts modifying the code used to generate web pages, your NIDS will be none the wiser. For more careful monitoring of individual high-priority hosts, you would use a HIDS.

Host-based IDS (HIDS)

While a NIDS watches the traffic on a network segment, HIDS watches the activities of a particular host. A common open-source HIDS system is OSSEC, named as a contraction of Open Source Security.

OSSEC will monitor the Windows Registry, the filesystem of the computer, generated logs, and more, looking for suspicious behavior. As with a NIDS, an alert will be generated by any suspicious activity on the host and the results of the alert can be set by the administrator. If a process is attempting to modify the documents on your main web server, for example, OSSEC can kill that process, lock out the account that launched it, and send an email to the system administrator’s cell phone. It’s a remarkably flexible and impressive system.

Much like a NIDS, the placement of HIDS software needs to be carefully planned. You don’t want to receive an alert every time a file is accessed on a file server, for example; your administrator will be overwhelmed, and will simply stop reading alerts altogether. The system has to be carefully configured and the monitored behaviors pruned so as to eliminate false alarms and ensure that true security issues are noticed and alerted properly.
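The web-server scenario above (a rootkit quietly editing the code that generates pages, with no traffic for a NIDS to see) is exactly what a HIDS file-integrity check catches. Here is an added, minimal stand-in for that check, not OSSEC's code: it baselines hashes of a directory, compares a later snapshot against it, and ignores noisy files such as logs so the alerts stay readable. The web root, its files and the edits are constructed in a temporary directory.

```python
# Added example of the file-integrity check a HIDS performs.  Not OSSEC's code; a
# minimal stand-in.  The web root and the changes to it are constructed for the demo.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path, ignore_suffixes=(".log", ".tmp")) -> Dict[str, str]:
    """Hash every monitored file under root; prune noisy files (logs, temp files)
    so that routine churn does not bury real alerts."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix not in ignore_suffixes}


def compare(old: Dict[str, str], new: Dict[str, str]) -> List[str]:
    """Alert lines for files that were added, removed or modified since the baseline."""
    alerts = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            alerts.append(f"ADDED    {name}")
        elif name not in new:
            alerts.append(f"REMOVED  {name}")
        elif old[name] != new[name]:
            alerts.append(f"MODIFIED {name}")
    return alerts


def demo() -> List[str]:
    """Constructed scenario: baseline a web root, then alter a page script and drop a
    new file, while the access log also changes without raising an alert."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'shop'; ?>")
        (root / "access.log").write_text("GET / 200\n")
        before = baseline(root)
        (root / "index.php").write_text("<?php echo 'shop'; include 'extra.php'; ?>")
        (root / "extra.php").write_text("<?php /* constructed new file */ ?>")
        (root / "access.log").write_text("GET / 200\nGET /cart 200\n")
        return compare(before, baseline(root))
```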


Hack Chrome, Win $20k

February 4, 2011

The annual Pwn2Own contest is next month in Vancouver, and there’s an additional prize this year. As always, the latest copies of Firefox, Safari, and IE will be available as targets – hackers who manage to exploit the browser in a significant way will win a cash prize and the laptop that the browser was running on at the time. For the first time, though, Google’s Chrome is available as a target, and they’ve staked an additional $20,000 as prize money for anyone able to break their product.

Let the games begin. It seems like every year, someone manages to trot out a zero-day exploit and win the contest on at least one platform; it will be interesting to see how Chrome fares against dedicated competition like this.