News, via the astonishingly prolific security writer Dan Goodin, editing and reporting at Ars Technica, tells the tale of attacks on oil and gas networks in the United States by a group monikered Xenotime. Think we're protected? Think again. Read the Dragos security researchers' post for its truly concerning national security implications.
"The group, now dubbed Xenotime by Dragos, quickly gained international attention in 2017 when researchers from Dragos and the Mandiant division of security firm FireEye independently reported Xenotime had recently triggered a dangerous operational outage at a critical-infrastructure site in the Middle East." via Dan Goodin, Security Editor reporting at Ars Technica
"Ultimately, XENOTIME’s expansion to an additional ICS vertical is deeply concerning given this entity’s willingness to undermine fundamental process safety in ICS environments placing lives and environments at great risk." - via Dragos
Opinion piece of merit, via James Stavridis, ADM USN (Ret.) and former NATO Supreme Allied Commander Europe, in which the good Admiral details the behaviors, focus and actions of the PRC's People's Liberation Army Navy in relation to the world's undersea communications systems. An eye opener of immense potential downside. Today's Must Read.
"Once the researchers gain root access, they can bypass the router's most fundamental security protection. Known as the Trust Anchor, this Cisco security feature has been implemented in almost all of the company’s enterprise devices since 2013. The fact that the researchers have demonstrated a way to bypass it in one device indicates that it may be possible, with device-specific modifications, to defeat the Trust Anchor on hundreds of millions of Cisco units around the world." - via Lily Hay Newman, reporting for Wired Magazine
Andrea Peterson, writing for Ars Technica and the Project on Government Oversight, tells the tale of FCC malfeasance coming to the fore: its failure to mandate the requisite technical remediation of SS7's shortcomings. Today's Must Read.
'A panel advising President Bill Clinton raised the alarm back in 1997, saying that SS7 was among America’s networking “crown jewels” and warning that if those crown jewels were “attacked or exploited, [it] could result in a situation that threatened the security and reliability of the telecommunications infrastructure.” By 2001, security researchers argued that risks associated with SS7 were multiplying thanks to “deregulation” and “the Internet and wireless networks.” They were proved right in 2008 when other researchers demonstrated ways that hackers could use flaws in SS7 to pinpoint the location of unsuspecting cell phone users.' - via Andrea Peterson, writing for both Ars Technica and the Project on Government Oversight
If your DNS servers are not yet compliant with the EDNS standard, you'd be well advised to get with the Program, as it is time to Get Squared Away. You can test your domain here at DNS Flag Day, or educate those always hungry neurons here. All of this fal-de-rol is slated to be accomplished worldwide on or about 2019/02/01.
"The current DNS is unnecessarily slow and inefficient because of efforts to accommodate a few DNS systems that are not in compliance with DNS standards established two decades ago. To ensure further sustainability of the system it is time to end these accommodations and remediate the non-compliant systems. This change will make most DNS operations slightly more efficient, and also allow operators to deploy new functionality, including new mechanisms to protect against DDoS attacks." - via DNS Flag Day
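To make concrete what "non-compliant" means in that quote, here is an added example written for this page (it is not DNS Flag Day's own test tooling): it builds the three kinds of probe the Flag Day checks revolve around (plain DNS, EDNS version 0, and an unsupported EDNS version), parses the reply at the wire level, and classifies the server under the post-Flag-Day rules, where a dropped or FORMERR'd EDNS query is a hard failure because resolvers no longer retry without EDNS. The sample replies are constructed in `build_response()` so the script runs offline; `probe()` sends a real UDP query if you point it at a server of your own.

```python
import socket
import struct

OPT = 41                 # RR type of the EDNS(0) OPT pseudo-record (RFC 6891)
BADVERS = 16             # extended RCODE for "EDNS version not supported"
FORMERR, NOTIMP = 1, 4   # classic RCODEs a broken server returns to EDNS queries

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(data, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer ends the name
            return off + 2
        off += length + 1

def build_query(name, qtype=1, edns_version=None, udp_size=1232, txid=0x1234):
    """A/IN query with RD set; edns_version=None sends plain DNS, else adds an OPT RR."""
    arcount = 0 if edns_version is None else 1
    pkt = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack(">HH", qtype, 1)
    if edns_version is not None:
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-RCODE(8) | version(8) | flags(16), empty RDATA
        pkt += b"\x00" + struct.pack(">HHIH", OPT, udp_size, edns_version << 16, 0)
    return pkt

def parse_response(data):
    """Extract the 12-bit RCODE and the EDNS version echoed in any OPT RR."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    rcode, off = flags & 0x0F, 12
    for _ in range(qd):
        off = skip_name(data, off) + 4           # skip QTYPE + QCLASS
    opt_version = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            rcode |= (ttl >> 24) << 4            # upper 8 RCODE bits live in the OPT TTL
            opt_version = (ttl >> 16) & 0xFF
    return {"txid": txid, "rcode": rcode, "opt_version": opt_version}

def classify(query_edns_version, response):
    """Post-Flag-Day verdict; `response` is None when the server never answered."""
    if response is None:
        return "fail: no answer (timeouts are no longer worked around)"
    if response["rcode"] in (FORMERR, NOTIMP):
        return "fail: FORMERR/NOTIMP instead of a real answer"
    if query_edns_version is None:
        return "ok"                               # plain DNS: any real answer will do
    if response["opt_version"] is None:
        return "fail: EDNS query answered without an OPT record"
    if query_edns_version > 0 and response["rcode"] != BADVERS:
        return "fail: unsupported EDNS version must get BADVERS (RFC 6891 6.1.3)"
    return "ok"

def probe(server, name, edns_version=None, timeout=2.0):
    """Live UDP probe of a real server; returns the parsed reply or None on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, edns_version=edns_version), (server, 53))
        data, _ = sock.recvfrom(4096)
        return parse_response(data)
    except socket.timeout:
        return None
    finally:
        sock.close()

def build_response(query, rcode, opt=True, opt_version=0):
    """Constructed reply for offline demonstration: echoes the question, no answers."""
    txid = struct.unpack(">H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    pkt = struct.pack(">HHHHHH", txid, 0x8180 | (rcode & 0x0F), 1, 0, 0, 1 if opt else 0)
    pkt += query[12:qend]
    if opt:
        ttl = ((rcode >> 4) << 24) | (opt_version << 16)
        pkt += b"\x00" + struct.pack(">HHIH", OPT, 1232, ttl, 0)
    return pkt

if __name__ == "__main__":
    q0 = build_query("example.com.", edns_version=0)
    q1 = build_query("example.com.", edns_version=1)
    cases = [                                       # constructed sample replies
        ("compliant", 0, build_response(q0, 0)),
        ("ignores OPT", 0, build_response(q0, 0, opt=False)),
        ("FORMERR on EDNS", 0, build_response(q0, FORMERR, opt=False)),
        ("drops EDNS", 0, None),
        ("v1 -> BADVERS", 1, build_response(q1, BADVERS)),
    ]
    for label, ver, reply in cases:
        print(f"{label:16} {classify(ver, parse_response(reply) if reply else None)}")
```

The "ignores OPT" and "FORMERR on EDNS" cases are the ones the Flag Day retired workarounds used to paper over; a server in either state keeps working only as long as a resolver falls back to plain DNS, which BIND, Unbound, Knot and PowerDNS stopped doing. Note the 1232-byte payload size: it is the conservative value that avoids IP fragmentation on most paths, which is a separate but related reason EDNS buffer-size probes matter.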
via Muks Hirani, Sarah Jones and Ben Read, writing at FireEye's threat research blog, comes notification of DNS hijacking campaigns at global scale. Pre-election, first-pass, stakes-in-the-ground reconnaissance and foundation building? Or simple larceny? You be the judge. H/T
"FireEye Intelligence identified access from Iranian IPs to machines used to intercept, record and forward network traffic. While geolocation of an IP address is a weak indicator, these IP addresses were previously observed during the response to an intrusion attributed to Iranian cyber espionage actors." - via Muks Hirani, Sarah Jones and Ben Read writing at FireEye's threat research blog
via Jeff Stone writing at Cyberscoop, comes this fascinating reportage detailing an open-source effort against BGP prefix hijacks, monikered ARTEMIS (Automatic and Real-Time Detection and Mitigation System), a research effort of the INSPIRE group at FORTH, Greece (www.inspire.edu.gr) and the Center for Applied Internet Data Analysis (CAIDA), University of California San Diego, USA. Examine, if you will, the ARTEMIS README on the group's GitHub site.
And, while you're at it, read the project's paper, authored by Pavlos Sermpezis, Vasileios Kotronis, Petros Gigis, Xenofontas Dimitropoulos, Danilo Cicalese, Alistair King, and Alberto Dainotti. Entitled "ARTEMIS: Neutralizing BGP Hijacking within a Minute", it will astound you with the technical chops this team possesses. H/T
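The core idea in the paper is that the operator already knows the ground truth for its own prefixes, so detection is a comparison of every announcement seen at public route collectors against a local configuration: which prefixes it originates, from which origin ASNs, and through which neighbour ASNs. Below is an added example written for this page that implements that comparison and the deaggregation mitigation; it is not ARTEMIS's own code, the AS numbers and prefixes are constructed from documentation ranges, and the "S" label for a sub-prefix carrying an otherwise plausible path is this example's own shorthand, not the paper's.

```python
import ipaddress

# Constructed operator configuration (an assumption for this example; ARTEMIS reads
# the real thing from the operator's own config file). AS64500 originates two
# prefixes and announces them only through its transit neighbours.
CONFIG = [
    {"prefix": "203.0.113.0/24", "origin_asns": {64500}, "neighbors": {64510, 64520}},
    {"prefix": "198.51.100.0/22", "origin_asns": {64500}, "neighbors": {64510}},
]

def load_rules(config):
    """Parse the prefixes once so every update can be matched cheaply."""
    return [dict(rule, net=ipaddress.ip_network(rule["prefix"])) for rule in config]

def classify_update(update, rules):
    """
    update: {"prefix": str, "as_path": [int, ...]} as exported by a route collector,
    AS_PATH ordered from the collector's peer to the origin (last element).
    Returns None for a legitimate or irrelevant announcement, otherwise an alert
    with the affected prefix, exact-prefix vs sub-prefix, and the hijack type:
    0 = forged origin, 1 = true origin behind a forged first hop,
    "S" = sub-prefix whose path looks legitimate (our own label, see lead-in).
    """
    pfx = ipaddress.ip_network(update["prefix"])
    path = update["as_path"]
    origin = path[-1]
    first_hop = path[-2] if len(path) > 1 else None
    for rule in rules:
        owned = rule["net"]
        if pfx.version != owned.version or not pfx.subnet_of(owned):
            continue
        kind = "exact-prefix" if pfx == owned else "sub-prefix"
        if origin not in rule["origin_asns"]:
            return {"prefix": str(pfx), "kind": kind, "type": 0,
                    "detail": f"origin AS{origin} is not authorised for {owned}"}
        if first_hop is not None and first_hop not in rule["neighbors"]:
            return {"prefix": str(pfx), "kind": kind, "type": 1,
                    "detail": f"AS{first_hop} is not a neighbour of the true origin"}
        if kind == "sub-prefix":
            return {"prefix": str(pfx), "kind": kind, "type": "S",
                    "detail": f"{pfx} is a more-specific of {owned} that we never announce"}
        return None            # exact prefix, authorised origin, known neighbour
    return None                # not one of our prefixes: outside the local view

def mitigation_prefixes(prefix):
    """
    Default ARTEMIS mitigation: re-announce the two more-specifics so the hijacked
    prefix loses the longest-match race. Returns [] when that would need prefixes
    longer than /24 (IPv4) or /48 (IPv6), which most networks filter, so a /24
    hijack needs another mitigation (the paper discusses outsourcing it).
    """
    net = ipaddress.ip_network(prefix)
    limit = 24 if net.version == 4 else 48
    if net.prefixlen >= limit:
        return []
    return [str(n) for n in net.subnets(prefixlen_diff=1)]

def run(updates, config=CONFIG):
    """Return one alert per hijacking update, in the order seen."""
    rules = load_rules(config)
    return [a for a in (classify_update(u, rules) for u in updates) if a]

if __name__ == "__main__":
    # Constructed BGP UPDATEs in the shape a collector feed would give them.
    sample_updates = [
        {"prefix": "203.0.113.0/24", "as_path": [64600, 64510, 64500]},   # legitimate
        {"prefix": "203.0.113.0/24", "as_path": [64600, 64666]},          # Type-0 exact-prefix
        {"prefix": "198.51.100.0/24", "as_path": [64600, 64666, 64500]},  # Type-1 sub-prefix
        {"prefix": "198.51.100.0/23", "as_path": [64600, 64510, 64500]},  # Type-S sub-prefix
        {"prefix": "192.0.2.0/24", "as_path": [64600, 64700]},            # not ours: ignored
    ]
    for alert in run(sample_updates):
        print(alert, "->", mitigation_prefixes(alert["prefix"]) or "cannot deaggregate")
```

Two things worth noticing: the check needs no global knowledge (no IRR lookups, no RPKI), which is why it can fire within seconds of the first collector seeing the route; and the first-hop check is what catches the Type-1 case that origin-only validation (RPKI ROV included) cannot, because the attacker prepends the victim's own ASN.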
News, via Help Net Security's Zeljka Zorz, of serious flaws in Wireshark that can crash the analyzer when it reads a maliciously crafted packet trace file. Help Net notes that Wireshark has fixed versions 2.6.3, 2.4.9 and 2.2.17, all of which can be downloaded from the Wireshark download page: https://www.wireshark.org/download.html
"The vulnerabilities – CVE-2018-16056, CVE-2018-16057 and CVE-2018-16058 – affect three components of Wireshark: the Bluetooth Attribute Protocol (ATT) dissector, the Radiotap dissector, and the Audio/Video Distribution Transport Protocol (AVDTP) dissector, respectively." - via Help Net Security's Zeljka Zorz
via Ronald F. Guilmette, writing on the NANOG mailing list, comes his evident disgust (shared, I'm sure, by the majority of network engineers reading the NANOG list) at BGP route hijacks allegedly executed by BitCanal, a Portuguese firm at this point held in the lowest regard. Read more in the Oracle+Dyn blog post well crafted by Doug Madory, or in Ronald F. Guilmette's email on the NANOG list (a short snippet also follows).
"Sometimes I see stuff that just makes me shake my head in disbelief. Here is a good example: https://bgp.he.net/AS3266#_prefixes I mean seriously, WTF? As should be blatantly self-evident to pretty much everyone who has ever looked at any of the Internet's innumerable prior incidents of very deliberately engineered IP space hijackings, all of the routes currently being announced by AS3266 (Bitcanal, Portugal) except for the ones in 213/8 are bloody obvious hijacks. (And to their credit, even Spamhaus has a couple of the U.S. legacy /16 blocks explicitly listed as such.)" - Ronald F. Guilmette at NANOG Mailing List Archive
Whilst the flaws in Signaling System 7 (SS7) are the gift that keeps on giving, in this case that gift has been inherited by the Diameter protocol, to the delight of miscreants unknown... With internal system, billing and bridging protocols like these deeply embedded in cellular network infrastructure (all carriers), who needs enemies; which brings to mind: 'We have met the enemy, and he is us!' - Walt Kelly's Pogo, h/t
via CircleID, comes a particularly relevant discussion of the most abused TLDs on our interwebs (as researched by the Spamhaus Project). Additionally, read Brian Krebs' latest take on the subject at KrebsOnSecurity; you'll be glad you did.
The beginning of May 2018 saw problematic internetworking operational issues revolving around the notion of robust routing security (in reality, the lack thereof...). Today's Must Read comes from ISOC's Megan Kruse and Aftab Siddiqui, and lightly details the initiative entitled Mutually Agreed Norms for Routing Security (MANRS). No resolution of this issue has been unequivocally accepted, but hope does spring eternal; as such, you can learn much more about MANRS here. Enjoy the Norms, and have a go with the MANRS for Network Operators document.
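One of the MANRS actions for network operators is global validation: publish your routing intent (IRR objects, RPKI ROAs) so others can check it, and check theirs in turn. As an added example written for this page (not MANRS or ISOC code), the script below performs the operator-side half of that, RFC 6811 route origin validation, against a constructed set of ROAs using documentation prefixes and private ASNs, and applies the usual policy of rejecting Invalid routes while still accepting NotFound ones. The ROA tuples, prefixes and ASNs are assumptions for illustration; in production the ROA set comes from a validator's VRP export.

```python
import ipaddress

# Constructed ROA set (assumption for this example; real input is a validator's
# VRP feed). Each tuple is (prefix, maxLength, authorised origin ASN).
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64500),
    ("2001:db8::/32", 48, 64500),
    ("192.0.2.0/24", 24, 0),          # AS0 ROA: nobody may originate this space
]

def covering_roas(prefix, roas):
    """Every ROA whose prefix equals or contains the announced prefix."""
    pfx = ipaddress.ip_network(prefix)
    covered = []
    for roa_prefix, maxlen, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == pfx.version and pfx.subnet_of(roa_net):
            covered.append((roa_net, maxlen, asn))
    return covered

def rov_state(prefix, origin_asn, roas=ROAS):
    """
    RFC 6811 route origin validation:
      NotFound - no ROA covers the prefix (unsigned address space);
      Valid    - a covering ROA names this origin AND prefix length <= maxLength;
      Invalid  - covered, but every covering ROA fails one of those two tests.
    An AS0 ROA never matches a real origin, so it makes every route for that
    space Invalid (RFC 6483 section 4; origin AS0 in a live route is itself bogus).
    """
    pfx = ipaddress.ip_network(prefix)
    covered = covering_roas(prefix, roas)
    if not covered:
        return "NotFound"
    for _net, maxlen, asn in covered:
        if asn == origin_asn and asn != 0 and pfx.prefixlen <= maxlen:
            return "Valid"
    return "Invalid"

def policy_accepts(state):
    """Drop Invalid, keep Valid and NotFound: NotFound must still be accepted
    because a large share of the global table is not covered by any ROA."""
    return state != "Invalid"

def evaluate(routes, roas=ROAS):
    """Return [(prefix, origin, state, accepted)] for (prefix, origin) routes."""
    results = []
    for prefix, origin in routes:
        state = rov_state(prefix, origin, roas)
        results.append((prefix, origin, state, policy_accepts(state)))
    return results

if __name__ == "__main__":
    # Constructed announcements: legitimate, forged origin, more-specific beyond
    # maxLength (the classic sub-prefix hijack), unsigned space, and AS0-protected space.
    sample_routes = [
        ("203.0.113.0/24", 64500),
        ("203.0.113.0/24", 64666),
        ("198.51.100.0/25", 64500),
        ("198.51.100.0/23", 64500),
        ("10.10.0.0/16", 64700),
        ("192.0.2.0/24", 64700),
    ]
    for prefix, origin, state, ok in evaluate(sample_routes):
        print(f"{prefix:18} AS{origin:<6} {state:9} {'accept' if ok else 'drop'}")
```

The third sample route is the one to study: the origin is correct, yet the route is Invalid because the /25 exceeds the ROA's maxLength, which is exactly how ROV blunts a more-specific hijack even when the hijacker spoofs the right origin. What ROV cannot catch is a forged AS_PATH that keeps the true origin in place, which is why MANRS pairs validation with prefix filtering of customers and peers.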