Archive for the 'Firewall' Category

Aug 20 2014

Heartbleed vs. Juniper

Published by under Firewall,Hacking,Privacy

The compromise of Community Health Systems (CHS) is being reported as the first major breach involving the Heartbleed vulnerability.  The details are slim, but apparently the vulnerability was exploited on a Juniper remote management console that hadn’t been properly updated.  Heartbleed is an OpenSSL vulnerability that allows an attacker to dump part of the memory from an vulnerable server.  The portion of memory is used by OpenSSL itself and often carries secrets, which in this case included a set of valid credentials for the CHS VPN.  From there, it was easy for the attackers to get into the rest of the corporate network and make off with 4.5 million healthcare records.

Juniper had released a patch to fix the Heartbleed vulnerability within days of its disclosure, so why was this health organization compromised for three months?  Because patching is hard, especially in organizations like healthcare, where security is often an afterthought, if it isn’t just considered a nuisance that everyone has to work around.  And when I say ‘hard’, I simply mean that it takes a lot of resources, especially time and planning, to make happen, something that’s scarce at every healthcare organization that I’ve ever talked to.  

I do find it amusing that Mandiant was called in to do the forensics on this case and found it linked to Chinese nationals.  Of course it was linked to China; everything Mandiant finds is linked to China somehow.  Or I could just be making light of a serious situation.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

2 responses so far

May 26 2010

Press Release: Astaro RED

Published by under Encryption,Firewall

It may not quite be VPN for Dummies, but Astaro RED sounds pretty close if you ask me.  I talked to Jan Hichert at Astaro about RED (Remote Ethernet Device) at RSA earlier this year and the way he talked about this new product, it seems like it’s an easy way for companies to add a remote office without many of the headaches this often entails.  I haven’t played with it myself and haven’t talked to anyone who has yet, but at least in theory it sounds like a good product.  Basically, you run Astaro Security Gateway at your central office, when you bring the remote RED box online, it phones home to Astaro, where it receives instructions on how to connect to your central office server.  There is configuration, but it’s mostly handled by Astaro before it ever gets to your office.  I’m sure Jack Daniel can tell you more if you’re interested, but in the mean time, the press release follows after the break.

Continue Reading »

Comments Off on Press Release: Astaro RED

Mar 15 2010

Mykonos: WAF, IPS or honeypot?

Published by under Firewall,Hacking,Testing

I’m not an expert on web application firewalls, which is why I’m asking for feedback on the Mykonos Security Appliance.  I was given a demo of the product at the RSA Conference this year and it’s one of the few products I’ve seen lately that’s doing something new and innovative.  Or more accurately, it appears to be doing something new and innovative; it’s still in beta and this is a technology that’s outside my comfort zone.  If you’re someone with an expertise in WAF’s, it should be worth at least a short look.

In a lot of ways, Mykonos appears to be a standard WAF; it can be used to protect your site from many of the standard coding errors that a WAF is designed to deal with.  It addresses the OWASP Top 10, it has all the reporting capabilities to tell you something’s wrong; in this area it doesn’t appear to have a lot of extra punch you can’t get elsewhere.  The place it does start to have some distinguishing capabilities is in the tracking, categorizing and response to malicious attacks on your web site.

You want to know more about who’s probing your web site?  Mykonos will dynamically modify the code your site is serving to get you more information on who’s attacking.  It’ll tell you about the level of sophistication of the attacker, whether they’re just trying to manipulate a price in the shopping cart, if they’re trying a SQL injection attack or if they’re working on something at the higher end of the attack scale.  And it gives you a lot of choices about how you want to respond; simply block the user, send custom code telling them they’ve been identified and logged or act as a honeypot to get even more information about the attacker and how he’s planning on attacking your site.  The tracking and information gathering abilities seem to be pretty impressive and it may be worth looking at for that alone.

Mykonos looks like more than a plain vanilla web application firewall and the downside to that is it requires more work from the administrator and more work from your developers to make full use of it’s capabilities.  This also means it’s potential for becoming shelfware is much greater as well.  But if you’re looking for more than what a standard WAF offers, it might be worth looking at this product.  And once you do, I’d appreciate feedback on your impression of the product.  Is Mykonos a potential new product market, a single product with greater capabilities or just a flash in the pan that won’t amount to much?

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Mar 07 2010

RSAC2010: Astaro Internet Security

Published by under Firewall,Podcast

Jan Hichert, CEO of Astaro Internet Security, and I met in one of the quieter hallways of the 2010 RSA Convention.  Of course, ‘quiet’ is a relative term when it comes to RSA, but the audio came out acceptable in any case.  We talked about several of the new products Astaro is offering this year, including Astaro Mail Archiving, Astaro Wireless Security and Astaro RED.  We finished the conversation talking about Jack Daniel’s new position at Astaro, social media and Security BSides.  I think Astaro is one of the few security companies that actually get social media, in large part thanks to Jack. 


[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Jan 22 2009

Firewall discussion with Stiennon

Published by under Firewall,IDS,Video

The second in a series of discussions I participated in with Richard “IDS is Dead!” Stiennon, Mike Murray and Amrit Williams is now available for your viewing pleasure.  Richard has been following the firewall and IDS market for a long time now and has a much deeper understanding of it than I ever will.  However his experience is from the market perspective, not the real world where the firewalls and IDSs are actually being installed and used.  Not that I’m configuring and monitoring either technology on a regular basis myself, but I do deal with the people who are very often as a PCI assessor.  So you can imagine we have some differing opinions of where things are going and what’s really being used in the enterprise.  I really need to learn to look directly at the camera.

Demos on Demand Firewall and IDS/IPS Discussion
[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

4 responses so far

Nov 26 2008

Blocking YouTube with a WRT54G

Published by under Family,Firewall,Simple Security

Ahh, the joys of being a parent.  My youngest son recently started sprinkling his language with profanity, something both his mother and I were certain he didn’t get from us:  she almost never uses profanity and when I do the kids are usually running for cover rather than trying to remember what I said.  At first we thought he was getting it from school, but his older brother finally came forward and told us it was from videos he was watching on YouTube.  What had looked like a fairly innocuous video of SuperMario and other characters turned out to be profanity laden and more than a little disturbing.  He was given a warning and told to turn off any videos that contained profanity, then lost his computer rights for a week when I caught him watching a video with profanity.  The third time’s a charm, so I decided it’s time to block YouTube at the entry way, my WRT54G router.

It seemed simple and straight forward.  But an hour and several internet searches later, and I still couldn’t get the WRT54G to block YouTube.  I created a Policy called YouTube, rather appropriately, I added a list of affected PC’s, set it to everyday, 24 hours a day and entered in the space marked “Website blocking by URL address”.  Then hit “Save Settings” and … nothing.  I was still able to get to YouTube, the kids could get to YouTube and I was not happy.

Then it suddenly struck me: the folks at Linksys and Cisco were creating the software for the average computer user, someone who doesn’t have the faintest idea what “HTTP” or “URL” mean and probably never types the “http://” at the beginning of the URL.  I took that out of the URL and saved the settings and now YouTube is blocked.  I’m happy that I now know how to block a site, but I’m frustrated that the developers couldn’t have taken a few more lines of code to either automatically remove the http:// if typed in, or at the very least taken ten seconds to add an example of what they consider a URL.  If I’d seen even one example of what they consider a URL, I would have been able to block the site in less than 5 minutes, rather than taking over an hour.  And I wonder how many less technical parents have given up in frustration.

As someone put it on Twitter “Sometimes people should check acronym definitions before using them”

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

10 responses so far

Jun 11 2008

Security Roundtable: Jericho Forum

Published by under Firewall,Security Advisories

At RSA Michael Santarcangelo and I had a chance to attend a seminar on the Jericho Forum briefly.  Neither of us had heard much about the Jericho Forum before so we invited them to participate in a podcast with us.  And since I didn’t know much about Jericho, I found someone who does:  Chris Hoff.  We were joined by one of the founders of the Jericho Forum, Paul Simmonds, and the CEO of Rohati Systems, Shane Buckley.  You can find the full show notes on the Security Roundtable blog.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

Comments Off on Security Roundtable: Jericho Forum

Jul 16 2007

You’ve got to appreciate truth in advertising

I use Gmail as my central email repository and usually the spam filters they use are pretty good.  But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally.  There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email.  There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk.  But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”.  It’s honest and straight forward even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days.  It’s been interesting watching the number of spams spike and drop.  At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day.   Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see.  I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see.  But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like  F-secure report.  Anyone else out there keep track of the spam they receive for fun?

Technorati Tags: , ,

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

7 responses so far

Jul 10 2007

Using charities to test stolen cards

This makes sense in a twisted way:  scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions and it’s hard to create a behavioral monitoring program that could catch this as being an unusual activity with any accuracy.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

Comments Off on Using charities to test stolen cards

May 23 2007

Don’t touch my firewall

When I saw this last night, I couldn’t believe that Adobe would do something as stupid as shutting down the personal firewall so they could do updates.  What makes it funny is that they probably would have gotten away with it if they had just remembered to turn the firewall back on after the fact.  Come on guys, this isn’t rocket science.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

3 responses so far

Next »