KRACK Attack Mitigation – A Call to Arms!

Ask any wireless engineer about the relationship with vendors who make the non-standard clients on their network and you’ll likely get a range of responses from quiet sobs to yelled expletives.

Problems such as bad driver or firmware updates, devices which don’t follow the 802.11 standard, and long delays in problem resolution are all part of the experience.

Often we find ourselves saying to a customer “These clients are causing problems and here is proof. You should look at replacing them,” while the vendors of those products are telling that same customer “Your network sucks!”

With that in mind, I want to consider a few things as we begin the KRACK Attack mitigation.

  • Check CERT’s Vulnerability Notes Database for the status of vendor updates. This is a pretty extensive list, and is worth following:
    CERT’s Vulnerability Database
  • Some vendors will be VERY slow to issue patches. It is absolutely essential that we as wireless engineers who have the ability to approve devices refuse any new client deployments without the appropriate patches.
    Bring the security team into the discussion, and ensure that as a united front, unpatched clients are refused!
    Those who work in a sales role should warn all customers away from vendors who are not actively communicating their patch strategy, with clearly defined release dates. We should not send money to any company that doesn’t see resolving this as one of their highest priorities. Those companies should wither and die.
  • Many large enterprises have specific budgets for IT security related expenditures. If the budget isn’t available from teams responsible for the devices, check with the security team. They may have a budget that can be utilized.
  • Communicate to the vendors this week. Ask about patching schedules for KRACK. Ask to be included in weekly updates on the status until patches are released. Make it very clear that you see this as a high priority and are not willing to accept a “Maybe, eventually” patch schedule.

As a group of wireless engineers, we cannot accept anything less than appropriate patches which clearly mitigate KRACK.
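One way to put the list above into practice is to reconcile your client inventory against the patch status you collect from the vendors and from CERT’s notes. The script below is an added example, not code from the original post; the vendors, models, firmware versions and the inventory rows are all constructed for illustration, and the “minimum patched firmware” matrix is the kind of table you would maintain by hand from vendor advisories. It flags three distinct situations: clients running firmware older than the fix, models whose vendor has not published a fix at all, and models you have no status for.

```python
"""Reconcile a wireless client inventory against vendor KRACK patch status.

Added example, not from the original post. All vendor names, models, firmware
versions and inventory rows below are constructed for illustration; in practice
the inventory comes from your WLC/NAC export and the patch matrix from the
vendor advisories you are tracking.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed patch matrix: (vendor, model) -> minimum firmware carrying the
# KRACK fix, or None when the vendor has not published a fix yet.
PATCH_MATRIX = {
    ("acme", "scanner-100"): "2.4.1",
    ("acme", "badge-reader-7"): None,        # vendor answer so far: "maybe, eventually"
    ("globex", "ip-phone-3"): "10.0.3",
}

# Constructed inventory export: vendor, model, running firmware, client count.
INVENTORY_CSV = """vendor,model,firmware,count
Acme,Scanner-100,2.4.1,40
Acme,Scanner-100,2.3.9-rc2,12
Acme,Badge-Reader-7,1.0.0,200
Globex,IP-Phone-3,10.0.10,300
Globex,IP-Phone-3,9.12.0,5
Initech,Thermostat,1.2,8
"""


def version_key(v):
    """Turn '2.3.9-rc2' into (2, 3, 9, -1): numeric parts compare as numbers,
    and a non-numeric suffix (rc, beta) ranks below the final release."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v.strip()))


def is_at_least(have, need):
    """True when firmware `have` is the same as or newer than `need`.
    Pads to equal length so 2.4.1 ranks above 2.4.1-rc1, and compares
    numerically so 10.0.10 is newer than 10.0.3 (a string compare gets both wrong)."""
    a, b = version_key(have), version_key(need)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


@dataclass
class Finding:
    vendor: str
    model: str
    firmware: str
    count: int
    status: str  # "patched", "unpatched", "no-fix-available" or "unknown"


def assess(inventory_csv, matrix):
    """Classify every inventory row against the patch matrix."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = (row["vendor"].lower(), row["model"].lower())
        if key not in matrix:
            status = "unknown"              # nobody has chased this vendor yet
        elif matrix[key] is None:
            status = "no-fix-available"     # vendor has no patch to deploy
        elif is_at_least(row["firmware"], matrix[key]):
            status = "patched"
        else:
            status = "unpatched"            # fix exists, client not yet upgraded
        findings.append(Finding(row["vendor"], row["model"], row["firmware"],
                                int(row["count"]), status))
    return findings


def summarize(findings):
    """Client counts per status; everything except 'patched' goes on the vendor call."""
    totals = {}
    for f in findings:
        totals[f.status] = totals.get(f.status, 0) + f.count
    return totals


def blocklist(findings):
    """(vendor, model) pairs to refuse for new deployment until they are patched."""
    return sorted({(f.vendor, f.model) for f in findings if f.status != "patched"})


if __name__ == "__main__":
    results = assess(INVENTORY_CSV, PATCH_MATRIX)
    for f in results:
        print(f"{f.vendor:8} {f.model:16} {f.firmware:10} x{f.count:<4} {f.status}")
    print("totals:", summarize(results))
    print("refuse new deployments of:", blocklist(results))
```

The version comparison is the part worth keeping around: firmware strings sort badly as plain text, and a report that calls 9.12.0 “newer” than 10.0.3 will quietly mark unpatched clients as fixed. The “unknown” bucket is also deliberate; a model with no entry in the matrix is a vendor you have not asked yet, not a client you can wave through.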

An open letter to Senator Richard Burr

I sent this to Senator Richard Burr through his website. I am also leaving it here, and will update with his response:

Senator Burr,

First, I want to say Thank You for working on the behalf of North Carolina in our nation’s capital. I recognize that there are hundreds, if not thousands of issues that you are asked to consider on a regular basis, which cannot be easy.

I am contacting you regarding the encryption bill that you are working on with Senator Feinstein. North Carolina is a very tech savvy state. We have major technology companies in almost every tech sector, and now are home to some of the largest and most efficient data centers in the US. There is much to be proud of. With that in mind, I am surprised to see you as one of the advocates of the bill.

I recognize that as the Chair of the Senate Intelligence Committee you hear from our intelligence services on a regular basis. I am certain the current conversation is heavily geared towards how to deal with the pervasive nature of encryption. Today it is easy for a terrorist organization to have fully encrypted end-to-end communication. I am sure that is incredibly frightening to the intelligence services and their job is a very difficult one. I recognize that every attack on American citizens ultimately creates hundreds of questions like “How did the [insert three letter acronym] not know this was going to happen?” It’s an impossible battle.

I am a network engineer and I have worked in IT for many years. I intimately understand encryption and the basic underpinnings of the internet. I have spent many years protecting my employers’ networks and systems from outside attack. I understand that ever-evolving battle first-hand.

With that said, I am very concerned that you feel that you can force companies to provide backdoor access to devices and communication without affecting every citizen who chooses to use an electronic device. I assume that you have chosen to believe the rhetoric which states that open access can be protected. Otherwise, the only other assumption is that you believe that normal everyday citizens should not have the ability to protect their private, personal information; that corporations should not have the ability to protect their intellectual property.

Assuming that you believe the former, I want you to consider these questions. How long do you expect that backdoor to be kept safe? How long do you think it will take before technical terrorists, both foreign and domestic, find and utilize that backdoor?

If the US makes and is granted the demand, what prevents other foreign entities from doing the same? What do you think the economic impact would be for companies when China has a backdoor to every corporate device of every manufacturing company in the US? I have spent eight years of my career working with large international manufacturing companies. I know first-hand what the impact of that is. I have watched it with my own eyes. I could argue this particular point, citing experience, but I want to respect your time. If you would like to discuss, I will be happy to do so.

I have one more question I would like to present. How do you expect that forcing backdoor access will actually aid the intelligence services? This is an exercise in futility and escalation. Assume for a moment that the NSA/CIA/FBI has root access to every device. What happens when the user also employs an encrypted communication app which also requires a passcode and does not store data locally? Let’s also suppose that they are always running a VPN or TOR client. Finally, let’s assume that the server which the encrypted app on the encrypted phone communicates with, through an encrypted tunnel, lives in a non-friendly foreign state. What good does this legislation then do? The answer is, none. The US cannot compel the foreign server to give it a back door. But the US, which loves to discuss freedom, has created a wide exploit that will then begin to be used for a different type of terrorism, and has removed every citizen’s right to privacy with their most personal data.

I am not hurling these questions at a wall to see what sticks. I would like a response. This is a very important discussion to be had without rhetoric and fear-mongering. I can be contacted with the information provided if you would like to further discuss these or other concerns.

With respect,

Jonathan Davis

RSA can’t be trusted. Death to RSA.

RSA has finally admitted that its root certificates were compromised, which affects ALL SecurID tokens.

I personally feel that this shows absolute failure on the part of RSA. First, their root certificate was compromised. Second, rather than admit it, begin contacting customers immediately, and notify the public, they chose to hide behind NDAs while their customers were being compromised. RSA’s excuse for their lack of communication was that they didn’t want to give the attackers more information that could be used to exploit further companies. Based on the targets of the attacks (Lockheed, Northrop Grumman, and L3 Communications), it is clear that the attackers knew everything already.

A company that was built on trust and security has now been found completely untrustworthy and insecure. I expect to see major lawsuits resulting from this. I hope to see heads roll.

The company I work for uses these tokens. We have asked RSA for more information multiple times, but they have been slow in providing anything.

http://www.net-security.org/secworld.php?id=11122

Could Cisco Prime be the first step towards OpenFlow competition?

As has been clear from my previous post, I have a love/hate relationship with Cisco. I love some of their products and I love working in IOS. There are also things that I hate: Cisco’s management platform and the lack of consistency between product lines, subnet mask vs. wildcard mask being a great example. Another thing I hate is Cisco’s management tools. CiscoWorks is a joke, and in smaller environments, where CiscoWorks would be overkill, companies are left with Cisco Network Assistant (CNA).

<RANT>
I realize that CNA is free, that Cisco doesn’t make any money on it, and that it was never meant for large enterprise. However, if there has ever been a product deserving of a “Beta” tag, I’m not sure what it is. What a piece of junk!
</RANT>

Now Cisco has released Cisco Prime. In all of the articles that I have read, the primary function is listed as “unified access across wired and wireless networks”. Clearly Cisco intends this to be a security solution. However, as you read further, things get a little more interesting. Here are the features as per a Cisco Blog post: http://bit.ly/gWBijM

Centralized Policy. Support any user on any device and provide secure access across the entire network by setting a single set of policies that can be distributed and enforced across the entire network.

Network Management. Unified management via Cisco Prime for wired and wireless networks helps increase IT efficiency, reduce IT training, and decrease time to resolve IT issues by providing a converged service-centric management platform.

Automation for Voice and Video. Ensure consistent high-quality user experience on any end-point. The latest innovations using Cisco Medianet enhancements provide automation and troubleshooting in the network to deliver application quality of experience, particularly video. Plus, organizations can reduce cost and time when resolving application choke points in the network, and scale applications to any endpoint with greater speed and efficiency.

The last two items are what piqued my interest. Unified network management, bandwidth control and shaping for audio and video: aren’t these the features discussed whenever OpenFlow comes up? Is it possible that Cisco has recognized the need to address OpenFlow now, before it gets a stronger foothold in the market?

If I’ve properly read between the lines, and my guesses are accurate, there are a few things to remember. If so, then:

-This product has been rushed to production. I wouldn’t touch it within the first 6-9 months, or until it’s been upgraded at least once.
-Let’s face it, some of Cisco’s best new-to-market products were bought, not built internally. This was built internally. Enough said.
-Prime’s feature set will explode over the next few years, to make it better compete with the full OpenFlow feature set.
-The next versions of IOS, ASA, WCS, etc. will have new hooks for this software to continue its feature expansion. Use caution with new versions of code for any devices. New hooks in the software = new security vulnerabilities and new bugs.
-We may actually see a great security/network management product from Cisco in the next couple of years!

Is Cisco getting back on track?

Cisco’s big-man-in-charge, John Chambers, sent out an email to all employees this week, which outlined a few important things:

-Cisco has lost focus.
-Cisco was caught off guard by certain movements within the networking community (OpenFlow, new products from other vendors, etc.).
-Cisco makes it difficult for new products to make it to market.
-Cisco has to focus on the core business components, rather than continuing to diversify into low-margin consumer markets.
-Most importantly, Cisco shareholders, employees, and customers are not happy with the current direction that Cisco has taken.

The message is a great read, and gives me hope that Cisco can get back on the ball and address some of its core issues. Kudos to the Cisco team for taking a hard look at where they are, and making decisions to correct their wandering trajectory. Here’s hoping they follow through!

http://blogs.cisco.com/news/message-from-john-chambers-where-cisco-is-taking-the-network/

RSA hacked? No, really.

In an open letter to customers, Art Coviello of RSA admitted that attackers had gained access to some of their internal information regarding the RSA SecurID products. While no customer information was lost, the letter says that RSA is working with customers to provide “immediate steps for them to take to strengthen their SecurID implementations.”

I think I’ll go for a walk now…