Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms

Security BSides London 2019, Stuart McMurray's 'Offensive Pcap' →

September 02, 2019 by Marc Handelman in BSides London 2019, Conferences, Education, Information Security, Malware, Malware Research, Network Security, Network Protocols, Packet Sniffing API

Many thanks to Security BSides London for publishing their outstanding conference videos on YouTube.

ICS Attacks, The Real National Emergency

June 20, 2019 by Marc Handelman in ICS/SCADA, ICS, Information Warfare, Information Technology, Information Security, Network Security, Network Protocols, ICS Protocols

News, via the astonishingly prolific security writer Dan Goodin, editing and reporting at Ars Technica, tells the tale of oil and gas network attacks in the United States by a group monikered Xenotime. Think we're protected? Think again. Read the Dragos security researchers' post for its truly concerning national security relevance.

"The group, now dubbed Xenotime by Dragos, quickly gained international attention in 2017 when researchers from Dragos and the Mandiant division of security firm FireEye independently reported Xenotime had recently triggered a dangerous operational outage at a critical-infrastructure site in the Middle East." via Dan Goodin, Security Editor reporting at Ars Technica

"Ultimately, XENOTIME’s expansion to an additional ICS vertical is deeply concerning given this entity’s willingness to undermine fundamental process safety in ICS environments placing lives and environments at great risk." - via Dragos

Image Credit: Marc McGil

C2 Hiding

January 09, 2019 by Marc Handelman in Network Protocols, Network Security, Information Security, SSH, C2

Carrie Roberts, writing at the superlative Black Hills Information Security blog, presents, for your bit-related pleasure, the hiding of C2 traffic encapsulated within SSH. Today's Must Read.

Image Credit: BGP Stream. Image is the graphical representation of the in-process BGP redirection attack emanating and under the control of the People’s Republic of China on 2018/12/28.

ARTEMIS: Targets BGP Hijacks

January 02, 2019 by Marc Handelman in OpenSource, Information Security, Network Protocols, Network Security, BGP Routing Insecurity, BGP

via Jeff Stone, writing at Cyberscoop, comes this fascinating reportage detailing an open-source effort targeting BGP hijacks, monikered ARTEMIS (Automatic and Real-Time Detection and Mitigation System), a research effort of the INSPIRE group, FORTH Greece (www.inspire.edu.gr) and the Center for Applied Internet Data Analysis (CAIDA), University of California San Diego, USA. Examine, if you will, the ARTEMIS ReadMe on the ARTEMIS group's GitHub site.

And, while you're at it, read the project's paper authored by Pavlos Sermpezis, Vasileios Kotronis, Petros Gigis, Xenofontas Dimitropoulos, Danilo Cicalese, Alistair King, and Alberto Dainotti. Entitled "ARTEMIS: Neutralizing BGP Hijacking within a Minute", it will astound you with the technical chops this team possesses. H/T

Action Taken to Curtail Portuguese Internetwork Firm Accused of Latest BGP Hijack

July 20, 2018 by Marc Handelman in Evil Appears Before Us, Bad BGPing, Network Security, Network Protocols, Internetwork Security, Information Security

via Ronald F. Guilmette (writing on the NANOG Mailing List), in which he voices his evident disgust (shared, I'm sure, by the majority of network engineers reading the NANOG List) at BGP route hijacks allegedly executed by BitCanal, a Portuguese firm at this point held in the lowest regard. Read more on the Oracle+Dyn blog post well crafted by Doug Madory, or in Ronald F. Guilmette's email on the NANOG List (a short snippet also follows).

"Sometimes I see stuff that just makes me shake my head in disbelief. Here is a good example: https://bgp.he.net/AS3266#_prefixes I mean seriously, WTF? As should be blatantly self-evident to pretty much everyone who has ever looked at any of the Internet's innumerable prior incidents of very deliberately engineered IP space hijackings, all of the routes currently being announced by AS3266 (Bitcanal, Portugal) except for the ones in 213/8 are bloody obvious hijacks. (And to their credit, even Spamhaus has a couple of the U.S. legacy /16 blocks explicitly listed as such.)" - Ronald F. Guilmette at NANOG Mailing List Archive

Diameter Protocol Found To Be Vulnerable - On Par With SS7 For Flaw Tally

July 05, 2018 by Marc Handelman in Cellular Telephony, Signals, Network Security, Network Protocols, Information Security, Bridging Protocols, BSS

Whilst the flaws in Signaling System 7 (SS7) are the gift that keeps on giving, in this case that gift has been inherited by the DIAMETER protocol, to the delight of miscreants unknown... With internal system, billing and bridging protocols like these deeply embedded in cellular network infrastructure (all carriers), who needs enemies? Which brings to mind: 'We have met the enemy, and he is us!' - Walt Kelly's Pogo, h/t

BGP Management SNAFU Culprit in Amazon Attack? →

May 02, 2018 by Marc Handelman in Network Security, Network Protocols, Information Security, Crime, Criminal Enterprise

BGP Related Issues, Along With Malicious Redirection Predicated On Fraudulent Routes To Blame

via Dan Goodin's typically superlative prose at Ars Technica, in which Dan details the issues in a piece titled 'Suspicious Event Hijacks Amazon Traffic For 2 Hours, Steals Cryptocurrency', comes the root cause of the Amazon Route53 debacle. Additionally, a great tell-all piece entitled 'Another BGP Hijacking Event Highlights the Importance of MANRS and Routing Security' (discussing the same issues as Mr. Goodin), via The Internet Society's Megan Kruse and Aftab Siddiqui, is also worthy of note. Fundamentally, the IETF should step up its efforts to deal with these issues (and perhaps take MANRS into consideration ASAP). It is important to note that the Internet Engineering Task Force (IETF) is an organized activity of The Internet Society, and has been for more than a decade. Both posts are Today's Must Read.

The Forward Secrecy Chronicles, TLS 1.3 Hath Garnered Favor →

April 02, 2018 by Marc Handelman in TLS, Information Security, ISOC, IETF, Network Security, Network Protocols

Good news for mankind (and their AI minions) traversing the web's winding corridors of nattering decrepitude and bubbling evil: Transport Layer Security 1.3 has won approval by the Gods of the IETF, with nary a bleat of negativity. Rejoice!

IPv6, The DDoSing →

March 04, 2018 by Marc Handelman in Information Security, IPv6 DDoS, IPv6, Network Protocols, Network Security, Networks

Meanwhile, in DDoS news... Reportage of IPv6 DDoSing via El Reg (and well-written by Kieren McCarthy), detailing an IPv6-transported DDoS attack - a 1.35Tbps attack on GitHub - that should be baking a lot of noodles out there in the network protection racket...

"Network guru Wesley George noticed the strange traffic earlier this week as part of a larger attack on a DNS server in an effort to overwhelm it. He was taking packet captures of the malicious traffic as part of his job at Neustar's SiteProtect DDoS protection service when he realized there were "packets coming from IPv6 addresses to an IPv6 host." The attack wasn't huge – unlike this week's record-breaking 1.35Tbps attack on GitHub – and it wasn't using a method that is exclusive to IPv6, but it was sufficiently unusual and worrying to flag to the rest of his team." - via Kieren McCarthy writing at El Reg

Example DGA Algorithm provided by Wikipedia - https://en.wikipedia.org/wiki/Domain_generation_algorithm

DGA, The Algorithm →

January 04, 2018 by Marc Handelman in Information Security, Network Security, Network Protocols, DNS

Hongliang Liu and Yuriy Yuzifovich, writing at the Security & Data Science Blog, a Nominum blog, provide a tour de force analysis of the so-called DGA (Domain Generation Algorithm) battleground. Today's Must Read.

Nonce, The Reuse Gambit

October 16, 2017 by Marc Handelman in Network Security, Network Protocols, Information Security

Alas, WPA's assumed 'secure implementation' is no more, with the discovery (by Dr. Vanhoef) of forced nonce reuse.

'In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.' - via Mathy Vanhoef, Ph.D. and Frank Piessens, Ph.D.

BSides London 2017, Owen Shearing's 'IPv6 for Pentesters' →

July 27, 2017 by Marc Handelman in BSides, Conferences, Education, Information Security, Network Security, Network Protocols, Penetration Testing

Aid and Comfort, The Let's Encrypt Certificate Story →

July 17, 2017 by Marc Handelman in Network Security, Network Protocols, Networks, Criminal Enterprise, Crime, Cybernetic Crime, Information Security

Or, How Good Intentions Often Go Awry.

33c3, Harald Welte and Holger Freyther's 'Dissecting Modern (3G/4G) Cellular Modems' →

January 21, 2017 by Marc Handelman in All is Information, Communications, Conferences, Hardware Security, Information Security, Internetwork Security, Signals, Networks, Network Security, Network Protocols, Radio Telephony, Modems, Cellular Telephony

IPv6, The Fragmentation Chronicles →

January 20, 2017 by Marc Handelman in All is Information, Network Protocols, Network Security, Networks, Information Security

or, How I learned to Relax and Trust in Large-Addressing-Schemes-That-Should-Have-Been-Designed-To-Be-Free-From-Worry...

IoT'd →

October 03, 2016 by Marc Handelman in All is Information, Networks, Network Security, Network Protocols, Information Security, IoT

News, via the inimitable Dan Goodin, writing at Ars Technica, of newly released DDoS source code leveraging IoT devices. Beware that new Bluetooth cuddly stuffed bear; it's a killer (and let's ignore the rabbit for now)...

LiFi →

December 01, 2015 by Marc Handelman in All is Information, Network Protocols, LiFi

ISOC, Why Routing Security Matters →

July 30, 2015 by Marc Handelman in Gatekeeper, Information Security, Network Security, Network Protocols, Networks, ISOC

Yes, Virginia, routing security is fundamental. via Andrei Robachevsky, Technology Program Manager at the Internet Society.

ISOC Interplanetary Networking SIG Announces May Confab →

April 21, 2015 by Marc Handelman in All is Information, ISOC, ISOC IPNSIG, Signals, Networks, Network Protocols

The InterPlanetary Networking Special Interest Group (IPNSIG) of the Internet Society (ISOC) has announced the organization's Second Annual IPN Conference in Washington, DC, slated for Monday, May 18, 2015, this time focusing on Delay & Disruption Tolerant Networking (DTN): the Emerging Standard for Space Data Communications.

Speakers include:

  • Vint Cerf (Google VP, co-author of TCP/IP, one of the "fathers of the Internet", and IPN-ISOC board member) will provide an overview of InterPlanetary Networking.
  • The NASA/Boeing team (Brett Willman & Suzanne Davidson) working on DTN aboard the International Space Station.
  • The NASA team (David Israel & Donald Cornwell) who concluded the very successful Lunar Laser Communication Demonstration in late 2013 and who are planning the 2017 Laser Relay Communication Demonstration.
  • Scott Burleigh (JPL’s chief DTN architect) will be explaining recent significant enhancements to the ION DTN distribution (the distribution currently in use on ISS).
  • Keith Scott leads the Consultative Consortium for Space Data Systems (CCSDS) DTN working group that is standardizing DTN protocols for use in civilian space missions. He will talk about the Bundle Protocol becoming one of the networking protocols being standardized for space communication as part of the Solar System Internet (the other is IP).
  • Scott Pace is the Director of the Space Policy Institute at George Washington University. He will be speaking about the increasing importance of space policies as more nation states engage and collaborate in space exploration.

While admission is free for all to attend, and breakfast, lunch and an afternoon snack will be provided, it is crucial that you register to attend. Physical attendance is limited to 150 people. The event will reportedly be webcast on the Internet Society’s LiveStream Channel, and presentations will also be published on YouTube for VOD streaming post-event. You can register for the event at the IPN's Eventbrite site.

OpenDNS, Experimental DNS →

March 20, 2015 by Marc Handelman in All is Information, DNS, Intelligence, Information Security, Network Security, Network Protocols

via ArsTechnica's Sean Gallagher comes an interesting DNS nugget, this time focusing on efforts at OpenDNS to provide protective filtering at the name-resolution level. Monikered NLPRank, it's an interesting solution to a vexing problem.

'O'Connor's approach, which is currently being tested by OpenDNS using live DNS query traffic, gets around the reputation problem by simply analyzing the domain name itself for sketchiness. It works in a way similar to natural language processing of any stream of text content.' - via ArsTechnica's Sean Gallagher
