Security Blog

Your source for information security news and views.

So much for the chain of trust

Posted by: Patrick Snyder

Tagged in: News , Google , digital certificate

We all know digital certificates are meant to keep us safe while browsing the web. They are installed on our systems from birth, require digital signatures to be altered, and establish a supposedly unbreakable chain of trust. But what happens when that chain of trust is in fact compromised? What happens when a digital certificate falls into the wrong hands?

Hackers have recently obtained Google's digital SSL certificate from DigiNotar, a Dutch certificate authority. Proof of this valuable takeover has already been flaunted on Pastebin. It is still unclear how the certificate was obtained: there may have been a breach of DigiNotar's website allowing access to the certificate, or there may have been a lack of oversight by DigiNotar. Either way, this event presents a significant security risk to users.

This certificate lends the hackers the trusted identity of each of Google's many services, including Gmail, Google search, and Google Apps. It would easily allow them to poison DNS addresses and launch a massive spam campaign that relays victims to false sites, then use those sites to compromise users' accounts through a man-in-the-middle attack.

According to security professionals, based on the information posted on Pastebin, the certificate is in fact valid. This leaves endless possibilities for the hackers to exploit the certificate. Also, since the certificate is valid, users will not see a warning message, even when they are on a malicious site posing as Google.

Google is expected to quickly patch Google Chrome's certificates and will most likely urge Microsoft, Mozilla, Apple, and others to follow in its footsteps for the safety of the internet.
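As an added illustration (not part of the original post), the following toy model shows why a valid certificate from any trusted CA passes a browser's chain-of-trust check without a warning, and how pinning the expected issuer, or distrusting the CA outright as the vendors are expected to do, changes the result. The CA names, their secrets and the pin for www.google.com are constructed, and the "signatures" are HMAC stand-ins rather than real X.509 signatures; only the trust logic is the point.

```python
# Toy model of a browser's chain-of-trust check. Constructed example: the
# "signatures" are HMACs keyed with a stand-in CA secret, not real X.509/RSA,
# but the trust logic (any trusted root can vouch for any name) is the point.
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str      # hostname the certificate claims, e.g. "www.google.com"
    issuer: str       # name of the CA that signed it
    signature: bytes  # toy signature over subject|issuer


# Constructed CA signing secrets. A real browser holds only the CAs' public
# keys; in this toy the same secret both issues and verifies.
CA_SECRETS = {
    "Example Legit Root CA": b"constructed-legit-ca-secret",
    "Compromised CA (stand-in)": b"constructed-compromised-ca-secret",
}

# The browser's trust store: every CA listed here is trusted for every hostname.
TRUST_STORE = set(CA_SECRETS)

# Hypothetical pin: the CA we expect to see behind a given hostname.
EXPECTED_ISSUER = {"www.google.com": "Example Legit Root CA"}


def _sign(subject, issuer):
    msg = f"{subject}|{issuer}".encode()
    return hmac.new(CA_SECRETS[issuer], msg, hashlib.sha256).digest()


def issue(subject, issuer):
    """A CA (legitimate or not) mints a certificate for any subject it likes."""
    return Cert(subject, issuer, _sign(subject, issuer))


def chain_valid(cert, trust_store=TRUST_STORE):
    """Standard validation: the issuer is a trusted root and the signature
    verifies. Nothing here asks whether this CA *should* issue for the subject."""
    if cert.issuer not in trust_store or cert.issuer not in CA_SECRETS:
        return False
    return hmac.compare_digest(cert.signature, _sign(cert.subject, cert.issuer))


def pinned_valid(cert, trust_store=TRUST_STORE):
    """Validation plus issuer pinning: a valid chain from the wrong CA is rejected."""
    if not chain_valid(cert, trust_store):
        return False
    expected = EXPECTED_ISSUER.get(cert.subject)
    return expected is None or cert.issuer == expected


def demo():
    legit = issue("www.google.com", "Example Legit Root CA")
    rogue = issue("www.google.com", "Compromised CA (stand-in)")
    results = {
        "legit_chain": chain_valid(legit),
        "rogue_chain": chain_valid(rogue),      # True: the browser shows no warning
        "legit_pinned": pinned_valid(legit),
        "rogue_pinned": pinned_valid(rogue),    # False: the pin catches the wrong issuer
    }
    # Vendor response: remove the compromised root from the trust store.
    after_distrust = TRUST_STORE - {"Compromised CA (stand-in)"}
    results["rogue_after_distrust"] = chain_valid(rogue, after_distrust)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The rogue certificate passes chain_valid for the same reason the real one does: the check only asks whether some trusted root signed it. Pinning makes the browser ask the second question, which CA is allowed to vouch for this name, and distrusting the root answers it for every site at once.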

The recent 5.9 magnitude earthquake in Mineral, VA was a complete surprise to those within its reach. Although damage was minimal, this still reminds us of the importance of disaster recovery and business continuity planning. So far reports show only minor injuries, a safety shutdown of local nuclear plants, and some cell network disruption. These effects are minor compared to those of other major disasters, and only minimal disruption has been reported among data centers within range of the quake; however, the most important thing we must take from this event is that these things can happen anywhere and everyone must be prepared.

Your office may not be near a fault line, in tornado alley, or along a hurricane path, but these natural events do deviate from their norms from time to time. In a way there is no 100% safe place to be. It is always good practice to plan for every possible disaster and not just those that are common for your area.

This also raises some questions regarding the placement of our disaster recovery providers. Chances are your disaster recovery provider has chosen a backup location that on a normal day is exposed to minimal risk of disaster. They probably claim this location was chosen for its low risk factor and generally safe environment. But as I just stated, there is no end-all, be-all safe haven for data and IT centers to set up shop. So what happens if your disaster recovery provider is knocked out by a natural disaster? Do you have a backup for your backup?

On another side of the story, the Tuesday quake may not have thrown any industries into disaster recovery mode, but it did shed light on the aging infrastructure throughout cities along the East coast. Disaster recovery plans can help to rebuild and enable business continuity after a damaging event; however, they do not generally take into account the fragility of the infrastructure currently in place. Many disaster recovery plans would be much less likely to be activated if the infrastructure they are set up for were solid and secure from the start.

With Hurricane Irene bearing down on the East coast within the next week, we can only hope the minor damage already done by the quake is not magnified by the hurricane. Be prepared, batten down the hatches, and have your disaster recovery and business continuity plans ready.

For those that don't know, tomorrow is World IPv6 Day, a day when over 400 corporate, government, and university websites will switch their networking over to the IPv6 protocol for a 24 hour period. The changeover will signify the start of a new generation of internet protocol and hopefully give credit to the IPv6 system, which has been pushed into the market since 1999. With the now imminent depletion of all available IPv4 addresses, IPv6 Day aims to push the remaining non-conformers over to the new system and bring much more attention to it as a necessary protocol. Though this will be a landmark day as the largest wide-scale implementation of IPv6 to date, it could also be D-Day for the largest wide-scale implementation of DDoS attacks.

Though the trial changeover will only last from 8:00 p.m. tonight until 7:59 p.m. tomorrow night, there is still the possibility of some major issues, one of the most probable being DDoS attacks. These attacks rely on jamming up network routers and devices with overwhelming amounts of traffic, causing the network to crash and deny all remaining requests. Since IPv6 packet headers are four times the size of IPv4 packet headers, routers take four times as long to process them. In a digital world this takes only nanoseconds, but multiply it by thousands of requests a minute, or even per second, add the increased processing time for the larger IPv6 header, and the system can potentially jam up very quickly.

Many large corporate websites on the IPv6 trial list, such as Google, Facebook, and Juniper, have seen their fair share of attempted attacks in the past. This vulnerable new system still in its infancy could be the perfect opportunity for hackers to finally break through to the information they want.

One advantage of being on this list of the 400 is that these corporations have done their homework on IPv6 and their systems have been built to handle the protocol. Another attack vector comes with those companies who have yet to make the switch to a dual-stack implementation of their packet inspection systems, able to handle both IPv4 and IPv6 traffic. These companies will be accepting uninspected IPv6 traffic through their devices, with the potential for a broad array of network attacks.
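As an added example (not from the original post), here is a small frame classifier with an IPv4-only rule set beside its dual-stack version. The sample frames, addresses and policy are constructed. Run against those frames, it shows what "uninspected" means in practice: the legacy engine never looks inside an IPv6 frame and forwards it as-is, while the dual-stack rules actually reach a permit or deny decision for it.

```python
# Added example: a tiny Ethernet frame classifier and ACL, contrasting an
# IPv4-only inspection engine with its dual-stack version. All frames,
# addresses and rules below are constructed for the demonstration.
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
PROTO_TCP = 6


def parse_frame(frame):
    """Return (ip_version, src, dst, l4_protocol, payload) for an IP frame,
    or None for a non-IP ethertype such as ARP."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = frame[14:]
    if ethertype == ETHERTYPE_IPV4:
        if len(l3) < 20:
            raise ValueError("truncated IPv4 header")
        ihl = (l3[0] & 0x0F) * 4          # variable header length, 20 bytes minimum
        proto = l3[9]
        src = ipaddress.IPv4Address(l3[12:16])
        dst = ipaddress.IPv4Address(l3[16:20])
        return 4, src, dst, proto, l3[ihl:]
    if ethertype == ETHERTYPE_IPV6:
        if len(l3) < 40:
            raise ValueError("truncated IPv6 header")
        next_header = l3[6]               # fixed 40-byte base header
        src = ipaddress.IPv6Address(l3[8:24])
        dst = ipaddress.IPv6Address(l3[24:40])
        return 6, src, dst, next_header, l3[40:]
    return None


def dst_port(proto, payload):
    """TCP destination port, or None for anything we do not parse."""
    if proto == PROTO_TCP and len(payload) >= 4:
        return struct.unpack("!H", payload[2:4])[0]
    return None


# ACL rules: (destination network, L4 protocol, destination port). Anything
# that matches no rule is denied. The legacy set only knows about IPv4.
LEGACY_RULES = [(ipaddress.ip_network("203.0.113.0/24"), PROTO_TCP, 443)]
DUAL_STACK_RULES = LEGACY_RULES + [(ipaddress.ip_network("2001:db8::/32"), PROTO_TCP, 443)]


def inspect(frame, rules, dual_stack):
    """Return 'permit', 'deny', or 'uninspected' for one frame."""
    parsed = parse_frame(frame)
    if parsed is None:
        return "deny"                     # non-IP ethertypes are dropped
    version, src, dst, proto, payload = parsed
    if version == 6 and not dual_stack:
        # The IPv4-only engine has no code path for IPv6: the frame is
        # forwarded without ever being matched against policy.
        return "uninspected"
    port = dst_port(proto, payload)
    for net, rule_proto, rule_port in rules:
        if dst in net and proto == rule_proto and port == rule_port:
            return "permit"
    return "deny"


def _tcp_segment(dport):
    # Minimal 20-byte TCP header: source port, destination port, zeros for the rest.
    return struct.pack("!HH", 40000, dport) + b"\x00" * 16


def ipv4_frame(src, dst, dport):
    tcp = _tcp_segment(dport)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + hdr + tcp


def ipv6_frame(src, dst, dport):
    tcp = _tcp_segment(dport)
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(tcp), PROTO_TCP, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV6) + hdr + tcp


def demo():
    """Run constructed frames through both engines; returns (legacy, dual_stack) verdicts."""
    frames = {
        "v4_https": ipv4_frame("198.51.100.7", "203.0.113.10", 443),
        "v4_ssh": ipv4_frame("198.51.100.7", "203.0.113.10", 22),
        "v6_https": ipv6_frame("2001:db8:1::7", "2001:db8::10", 443),
        "v6_ssh": ipv6_frame("2001:db8:1::7", "2001:db8::10", 22),
    }
    legacy = {name: inspect(f, LEGACY_RULES, dual_stack=False) for name, f in frames.items()}
    dual = {name: inspect(f, DUAL_STACK_RULES, dual_stack=True) for name, f in frames.items()}
    return legacy, dual


if __name__ == "__main__":
    legacy, dual = demo()
    for name in legacy:
        print(f"{name:9s} legacy={legacy[name]:12s} dual-stack={dual[name]}")
```

The v6_ssh frame is the one to watch: the legacy engine lets it through untouched, and the dual-stack engine denies it because the only IPv6 rule permits port 443. Adding the IPv6 rule is the easy part; the prerequisite is an inspection path that parses the 0x86DD ethertype at all.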

This trial period will be a major learning experience for all IPv6 amateurs. If your corporation has plans to implement increased network security, today would be the day to do so. Be prepared to hear more about this all across the cyber world as the day goes on.

No more than a week after the Pentagon's military threats in the event of a cyber attack, the U.S. receives its first test of might.

Paul Sand, Vice President, IP3 Inc., offered this statement:
“Last week, IP3 assessed the Pentagon’s decision to consider a cyber attack as an act of war. We clearly determined that there was no strong strategic or tactical benefit for doing so. Apparently, a cyber attack on the Atlanta InfraGard Chapter was launched in retaliation for the Pentagon’s aggressive stance. Taking action that raises your profile without any clear benefit is usually a bad move.”

I'm sure most of you have heard the ancient Japanese proverb, "The nail that sticks out gets hammered down." The U.S. government may have just marked itself as that very nail. By making such a strong statement, we have invited other less agreeable entities to test our claims of military force.

Another phrase that comes to mind is the African proverb "Speak softly and carry a big stick," which was popularized by Theodore Roosevelt in his Big Stick ideology of peaceful negotiation backed by the threat of military force. So what happens when that threat of force is tested? Is it truly customary to take out the big stick and start swinging? This will be the true test of something I will call "cyberwar policy."

Cyber policies will soon become a very hot topic in light of recent events. One event is the government-controlled network outages that began in Egypt, which now seem to be a trend, seeing as the Nigerian government has done the same. This prompted questions in the U.S. which led to the introduction of "kill switch" legislation now making its way through Congress. A second event was the Pentagon's consideration of cyber attacks as acts of war.

These recent events have begun to outline the rules of cyberwar. There are many questions to be asked and much policy to be drawn up regarding these and future events. One thing is certain: our representatives had better get a handle on this policy soon, before things get out of control.

Throwing Stones in a Glass Infrastructure

Posted by: Patrick Snyder

Tagged in: stuxnet , News , Egypt , cyber warfare


We must all understand that the net is fragile and it can be taken down. We have seen this 'kill switch' in action recently in Egypt. Libya is also taking its cue from Egypt, and amid social unrest its government has also begun shutting down network access. Things are slipping out of hand very quickly, but Americans can breathe a sigh of relief, or can we?

It seems our government is getting ahead of this situation before we meet a similar issue. Senators Joseph Lieberman and Susan Collins reintroduced legislation that prohibits this type of 'Internet Kill Switch' from being initiated by the president. A right to bear arms and a right to assemble lead into our right to the net.

One issue still remains: now that this type of mass Internet blackout technique has surfaced, we must be concerned not only with the authorities doing it but with everyone else who can now see that this capability does indeed exist.

Taking down the Internet is easier than you may think. The net has two fundamental services. The first is a name and address service, handled through the Domain Name System (DNS) infrastructure; without it we don't have email, VoIP, web traffic or any web 2.0 technologies, including the growing Cloud infrastructure. The second service is routing. IP routers run software and can be attacked through a wide range of exploits. Last week, researchers at the University of Minnesota described a targeted DDoS attack that could knock out these services.

Another aspect the Egyptian outage showed us is that nation-states either already have, or are aggressively building, the tools to disrupt the internet. Think back to the Stuxnet attacks: Iran acknowledges that a joint effort between the United States and the Israelis caused serious damage to the Iranian power infrastructure by damaging centrifuges in their nuclear power plant. If we can attack their infrastructure and get away with it, why would we think they won't attack ours? Mass terrorism could very well go cyber sooner than we know it. Last week, the head of the National Security Agency said that the United States should expect to be attacked. That's right, EXPECT it.

I think the message is clear: for Cloud computing and for general business continuity, resiliency and backup systems are not luxuries, they're mandatory!

Looks like a Re-Evolution

Posted by: Patrick Snyder

Tagged in: News


New Year, New Technology, New Game, New Threats

As we all have heard, 2010 was the year of game-changers, with more malicious attacks and new technology than any preceding year. But now that the rules have changed, it's time to get back in the game.

So far 2011 is outlining huge innovations in technology: tablet PCs will take over our offices, and mobility and wireless networking are approaching a new forefront of innovation.

But as we improve our playing strategies so do our enemies. The fight to protect our emerging technology assets is not a game we can afford to lose.

Obama's recent State of the Union address called for huge investments in information technology innovation. Supercomputing and the advancement of technology were stressed repeatedly within his speech. This spells big things for the IT community.

Get ready for new projects, new technology, and best of all new budgets.

Human resource management will be begging for information technology professionals soon, so be prepared for a job market comeback in IT. The recession is ending and soon the technology movement will be back in full force.

Not only will information technology be the hot topic in industry but also in education. This will open up even more opportunities for IT technicians, security experts, and teachers. Obama has already put out the call to start filling schools and universities with more of these professionals.

So prep your resumes and shine up your certification plaques, the IT revolution is on its way.

In other news, IPv4 D-Day is approaching fast. As of February 1, 2011 (maybe even sooner) all IPv4 addresses will be exhausted. Time to start prepping your company for a dual-stack implementation. You don't want to lose your competitive edge!