Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms


DOH: DNS Over HTTPS

October 14, 2019 by Marc Handelman in DNS Over HTTPS, DOH, Internetwork Security, Information Security, Network Security, DNS

Via Timothy B. Lee, writing at Ars Technica, comes this tremendous piece enlightening us as to the vagaries of DNS Over HTTPS, to the horror of ISPs throughout the United States of Surveillance. Today's MustRead. Read it, my friends, for these-here United States of America...


eSNI Image Courtesy of Cloudflare

The Fix Is In: Cloudflare's eSNI

October 02, 2018 by Marc Handelman in SNI, eSNI, Encryption, Internetwork Security

Another fix is in the works for one of the more hidden aggravations of internetworking security, the so-called Server Name Indication (SNI) extension debacle. The fix, Encrypted Server Name Indication (eSNI), has been crafted by Cloudflare and is evidenced by the service itself; it is an indication of a Company-Doing-The-Right-Thing and encrypting-all-the-things. Additional work is currently underway targeting an IETF Draft RFC. Simply Outstanding Work, Cloudflare.


The Future's Dueling Interwebs, The Sino-American Bifurcation

September 27, 2018 by Marc Handelman in Information Security, Internetwork Security, Freedom or Lack Thereof

Via CircleID comes word of Eric Schmidt's prognostication of what a future Internet will look like... His prediction: a 'bifurcation' - if you will - of our beloved interwebs, with a Chinese-led versus an American-led scenario. Sounds sweet, eh?


Internetworking WMD

August 08, 2018 by Marc Handelman in War, Internetwork Security, Internetworked War, Kinetic War

Via Anthony Rutkowski, writing at CircleID, comes this tremendous piece on conveyance as a weapon, entitled 'Internet as Non-Kinetic WMD'. Today's Must Read.

"What is amazing about all of these contemporary developments is that the DARPA Director who originally approved the development of its internet initiative in the 1970s, Steve Lukasik, has been warning of the dangers of an open internet since it found its way into the public infrastructure in the 1990s. He pulled together an initial expert team in the mid-90s supported by NSA, and spent the next decade hosting extraordinary Red Team specialists and producing innumerable DOD reports on the multiple weaponizations of the open internet for kinetic attacks." - via Anthony Rutkowski, at CircleID, in his thought-provoking article: 'Internet as Non-Kinetic WMD'


Image Credit: TeleGeography

Buried Internetworking Infrastructure: Risky Business →

July 23, 2018 by Marc Handelman in Physical Security, Physical Sciences, Physical Architecture, Internetwork Security, Undersea/Buried Cabling

A deeply (no pun intended) problematic physical security & connectivity planning scenario - specifically the lifespan of in-situ buried internetwork cabling (on, or near land) coupled with a paucity of outcome planning (in the Anthropocene Epoch...) - is detailed by highly respected researcher Paul Barford, Ph.D., a Professor of Computer Science at the University of Wisconsin-Madison. He, along with Carol Barford (Director of the UW-Madison Center for Sustainability and the Global Environment) and Ramakrishnan Durairajan (Assistant Professor, CIS at the University of Oregon), has produced a study detailing failure risks of buried internetworked cabling (essentially a call to action, as the buried cable timeline has shriveled from a one-hundred-year life-span to somewhere less than fifty years). Superb work. And, here's Rebecca Hersher's reporting for NPR on both the study and the issues. Enjoy.

"Most of the damage that's going to be done in the next 100 years will be done sooner than later," says Barford, an authority on the "physical internet" -- the buried fiber optic cables, data centers, traffic exchanges and termination points that are the nerve centers, arteries and hubs of the vast global information network. "That surprised us. The expectation was that we'd have 50 years to plan for it. We don't have 50 years." - Paul Barford, Ph.D., in a press release published at EurekAlert! (a service of AAAS).


Action Taken to Curtail Portuguese Internetwork Firm Accused of Latest BGP Hijack

July 20, 2018 by Marc Handelman in Evil Appears Before Us, Bad BGPing, Network Security, Network Protocols, Internetwork Security, Information Security

Via Ronald F. Guilmette (writing on the NANOG Mailing List), in which his evident disgust (shared, I'm sure, by the majority of network engineers reading the NANOG List) at BGP route hijacks allegedly executed by BitCanal - a Portuguese firm, at this point, held in the lowest regard - is made plain. Read more in the well-crafted Oracle+Dyn blog post by Doug Madory, or in Ronald F. Guilmette's email on the NANOG List (a short snippet also follows).

"Sometimes I see stuff that just makes me shake my head in disbelief. Here is a good example: https://bgp.he.net/AS3266#_prefixes I mean seriously, WTF? As should be blatantly self-evident to pretty much everyone who has ever looked at any of the Internet's innumerable prior incidents of very deliberately engineered IP space hijackings, all of the routes currently being announced by AS3266 (Bitcanal, Portugal) except for the ones in 213/8 are bloody obvious hijacks. (And to their credit, even Spamhaus has a couple of the U.S. legacy /16 blocks explicitly listed as such.)" - Ronald F. Guilmette at NANOG Mailing List Archive


NCCoE Releases New Electric Utility Cybersecurity Practice Guide →

February 16, 2017 by Marc Handelman in All is Information, NIST NCCoE, Internetwork Security, Infrastructure, Information Security, Utilities, NIST

The NCCoE has announced a new NIST Cybersecurity Practice Guide (currently in draft mode - for your commenting pleasure...) entitled "SP 1800-7 Situational Awareness for Electric Utilities". Enjoy.


Seventy Percent of District's Police Cameras Infected Immediately Prior to Inauguration →

February 06, 2017 by Marc Handelman in All is Information, Internetwork Security, Information Security, Law Enforcement, Government

Yes, you read it correctly: at least 70% of the District of Columbia's Police surveillance cameras were infected with ransomware immediately prior to the 2017 Inauguration of the President and Vice President of the United States.

The singularly astonishing aspect of this debacle was that the Department still managed to keep the streets of Washington, D.C. safe for the throngs of visitors at the 2017 Inauguration. Quite simply, a testimony to the hard work of the Department's Officers and Staff.


33c3, Harald Welte and Holger Freyther's 'Dissecting Modern (3G/4G) Cellular Modems' →

January 21, 2017 by Marc Handelman in All is Information, Communications, Conferences, Hardware Security, Information Security, Internetwork Security, Signals, Networks, Network Security, Network Protocols, Radio Telephony, Modems, Cellular Telephony

Twelve Years On →

October 14, 2016 by Marc Handelman in All is Information, Blatant Stupidity, Communications Governance, Cybersecurity, Internetwork Security, Information Security

Hacker News writer Mohit Kumar regales us with the unfortunate and unsurprising news: A Twelve-Year-Old SSH Flaw comes back to bite the nascent and deeply flawed IoT industry. Read it and weep my friends, at the show that never ends...


IoT, Not Your BFF

February 26, 2016 by Marc Handelman in All is Information, Internetwork Security, Information Security, IoT

In which, IoT is apparently not your best friend forever... Today's Must Read.


San Francisco ISOC Hosts IoT Conference →

February 16, 2016 by Marc Handelman in Internetwork Security, IoT, ISOC

The San Francisco Chapter of the Internet Society has slated February 18th, 2015 as the date for the first INET/IoT Conference.

"The Internet of Things (IoT) is an idea that has been around for a long time but is now starting to come to fruition. The idea is that anything and everything can have a sensor and can provide information to a remote collector somewhere else on The Internet. Our cars, our homes, farm animals, farmer’s fields, light bulbs, roads, just about anything can be fitted with a data collection device and the information used to make smarter decisions. The need to collect and analyze the huge amount of data collected is driving advances in Big Data computing. Such data collection also raises serious privacy and security concerns. More event information is on our website here, including speaker bios: http://www.sfbayisoc.org/iot-conference/ ." via the SF Bay ISOC Chapter


DANE, Huque's Take →

December 15, 2015 by Marc Handelman in All is Information, Encryption, Internetwork Security, Information Security, DNS

Verisign Principal Research Scientist Shumon Huque discusses the merits and functionality of DANE (DNS-based Authentication of Named Entities) on CircleID. If you read anything today about DNS, make sure you take a modicum of your precious moments to examine Shumon's outstanding post at CircleID.


Radvanovsky's RuggedTrax →

December 02, 2015 by Marc Handelman in All is Information, Control Systems, ICS/SCADA, ICS, Information Sharing, Internetwork Security, Information Security

Bob Radvanovsky, of Infracritical SCADASEC fame and a Critical Infrastructure Protection and Cyber Security Researcher, has completed the RuggedTrax project and published its findings. Outstanding work, Mr. Radvanovsky.


Network Security, It's About The Peoples... →

December 01, 2015 by Marc Handelman in All is Information, Information Security, Network Security, Internetwork Security

In a well-crafted post at CircleID, in which security design in the network realm is explored, Burt Kaliski proposes a re-focusing on the rationale of secure system design.
