Daily Tech Digest - August 26, 2022

CISA: Just-Disclosed Palo Alto Networks Firewall Bug Under Active Exploit

Bud Broomhead, CEO at Viakoo, says bugs that can be marshaled into service to support DDoS attacks are in more and more demand by cybercriminals -- and are increasingly exploited. "The ability to use a Palo Alto Networks firewall to perform reflected and amplified attacks is part of an overall trend to use amplification to create massive DDoS attacks," he says. "Google's recent announcement of an attack which peaked at 46 million requests per second, and other record-breaking DDoS attacks will put more focus on systems that can be exploited to enable that level of amplification." The speed of weaponization also fits the trend of cyberattackers taking increasingly less time to put newly disclosed vulnerabilities to work — but this also points to an increased interest in lesser-severity bugs on the part of threat actors. "Too often, our researchers see organizations move to patch the highest-severity vulnerabilities first based on the CVSS," Terry Olaes, director of sales engineering at Skybox Security, wrote in an emailed statement. 

Kestrel: The Microsoft web server you should be using

Kestrel is an interesting option for anyone building .NET web applications. It’s a relatively lightweight server compared to IIS, and as it’s cross-platform, it simplifies how you might choose a hosting platform. It's also suitable as a development tool, running on desktop hardware for tests and experimentation. There’s support for HTTPS, HTTP/2, and a preview release of QUIC, so your code is future-proof and will run securely. The server installs as part of ASP.NET Core and is the default for sites that aren’t explicitly hosted by IIS. You don’t need to write any code to launch Kestrel, beyond using the familiar WebApplication.CreateBuilder method. Microsoft has designed Kestrel to operate with minimal configuration, either using a settings file that’s created when you use dotnet new to set up an app scaffolding or when you create a new app in Visual Studio. Apps are able to configure Kestrel using the APIs in WebApplication and WebApplicationBuilder, for example, adding additional ports. As Kestrel doesn’t run until your ASP.NET Core code runs, this is a relatively easy way to make server configuration dynamic, with any change simply requiring a few lines of code. 

Private 5G networks bring benefits to IoT and edge

Private 5G's potential in enterprise use cases that involve IoT and edge computing is not without challenges that the industry must address; a production-level system requires many touchpoints. Private 5G networks must be planned, deployed, verified and managed by service providers, system integrators and IT teams. Edge computing is a combination of hardware and software. Each of these elements can fail, so they must be maintained and upgraded practically without any downtime, especially for real-time, mission-critical applications. Admins must manage edge deployments with containers or VM orchestration. Both public cloud vendors and managed open source vendors are addressing this space by providing a virtual edge computing framework for application developers. Public cloud vendors have also started to provide out-of-the-box edge infrastructure that runs the same software tools that run on their public cloud, which can make it easier for developers. For private 5G, IoT and edge to be successful, the industry must develop an extensive roadmap. Many of these solutions require long-term maintenance and upgrades.

Google is exiting the IoT services business. Microsoft is doing the opposite

Google will be shuttering its IoT Core service; the company disclosed last week. Its stated reason: Partners can better manage customers' IoT services and devices. While Microsoft also is relying heavily on partners as part of its IoT and edge-computing strategies, it is continuing to build up its stable of IoT services and more tightly integrate them with Azure. CEO Satya Nadella's "intelligent cloud/intelligent edge" pitch is morphing into more of an intelligent end-to-end distributed-computing play. ... Among Microsoft's current IoT offerings: Azure IoT Hub, a service for connecting, monitoring and managing IoT assets; Azure Digital Twins, which uses "spatial intelligence" to model physical environments; Azure IoT Edge, which brings analytics to edge-computing devices; Azure IoT Central; Windows for IoT, which enables users to build edge solutions using Microsoft tools. On the IoT OS front, Microsoft has Azure RTOS, its real-time IoT platform; Azure Sphere, its Linux-based microcontroller OS platform and services; Windows 11 IoT Enterprise and Windows 10 IoT Core -- a legacy IoT OS platform which Microsoft still supports but which hasn't been updated substantially since 2018.

Twitter's Ex-Security Chief Files Whistleblower Complaint

Zatko's complaint alleges that numerous security problems remained unresolved when he left. It also alleges that Twitter had been "penetrated by foreign intelligence agents," including Indian government agents as well as another, unnamed foreign intelligence agency. A federal jury recently found a former Twitter employee guilty of acting as an unregistered agent for Saudi Arabia while at the company. In his February final report to Twitter, Zatko alleged that "inaccurate and misleading" information concerning "Twitter's information security posture" had been transmitted to the company's risk committee, which risked the company making inaccurate reports to regulators, including the FTC. According to his report, the risk committee had been told that "nearly all Twitter endpoints (laptops) have security software installed." But he said the report failed to mention that of about 10,000 systems, 40% were not in compliance with "basic security settings," and 30% "do not have automatic updates enabled."

Announcing built-in container support for the .NET SDK

Containers are an excellent way to bundle and ship applications. A popular way to build container images is through a Dockerfile – a special file that describes how to create and configure a container image. ... This Dockerfile works very well, but there are a few caveats to it that aren’t immediately apparent, which arise from the concept of a Docker build context. The build context is a the set of files that are accessible inside of a Dockerfile, and is often (though not always) the same directory as the Dockerfile. If you have a Dockerfile located beside your project file, but your project file is underneath a solution root, it’s very easy for your Docker build context to not include configuration files like Directory.Packages.props or NuGet.config that would be included in a regular dotnet build. You would have this same situation with any hierarchical configuration model, like EditorConfig or repository-local git configurations. This mismatch between the explicitly-defined Docker build context and the .NET build process was one of the driving motivators for this feature. 

The Quantum Computing Threat: Risks and Responses

Asymmetric cryptographic systems are most at risk, implying that today’s public key infrastructure that form the basis of almost all of our security infrastructure would be compromised. That being said, the level of risk may be different depending on the data to be protected – for instance, a life insurance policy that will be valid for many years to come; a smart city that is built for our next generation. Similarly, the financial system, both centralized and decentralized, may have different vulnerabilities. For this reason, post-quantum security should be addressed as part of an organization’s overall cybersecurity strategy. It is of such importance that both the C-suite and the board should pay attention. While blockchain-based infrastructures are still considered safe, being largely hash-based, transactions are digitally signed using traditional encryption technologies such as elliptic curve and therefore could be quantum-vulnerable at the end points. Blockchain with quantum-safe features will no doubt gain more traction as NFTs, metaverse and crypto-assets continue to mature.

‘Post-Quantum’ Cryptography Scheme Is Cracked on a Laptop

It’s impossible to guarantee that a system is unconditionally secure. Instead, cryptographers rely on enough time passing and enough people trying to break the problem to feel confident. “That does not mean that you won’t wake up tomorrow and find that somebody has found a new algorithm to do it,” said Jeffrey Hoffstein, a mathematician at Brown University. Hence why competitions like NIST’s are so important. In the previous round of the NIST competition, Ward Beullens, a cryptographer at IBM, devised an attack that broke a scheme called Rainbow in a weekend. Like Castryck and Decru, he was only able to stage his attack after he viewed the underlying mathematical problem from a different angle. And like the attack on SIDH, this one broke a system that relied on different mathematics than most proposed post-quantum protocols. “The recent attacks were a watershed moment,” said Thomas Prest, a cryptographer at the startup PQShield. They highlight how difficult post-quantum cryptography is, and how much analysis might be needed to study the security of various systems.

Intel Adds New Circuit to Chips to Ward Off Motherboard Exploits

Under normal operations, once the microcontrollers activate, the security engine loads its firmware. In this motherboard hack, attackers attempt to trigger an error condition by lowering the voltage. The resulting glitch gives attackers the opportunity to load malicious firmware, which provides full access to information such as biometric data stored in trusted platform module circuits. The tunable replica circuit protects systems against such attacks. Nemiroff describes the circuit as a countermeasure to prevent the hardware attack by matching the time and corresponding voltage at which circuits on a motherboard are activated. If the values don't match, the circuit detects an attack and generates an error, which will cause the chip's security layer to activate a failsafe and go through a reset. "The only reason that could be different is because someone had slowed down the data line so much that it was an attack," Nemiroff says. Such attacks are challenging to execute because attackers need to get access to the motherboard and attach components, such as voltage regulators, to execute the hack.

Why Migrating a Database to the Cloud is Like a Heart Transplant

Your migration project’s enemies are surprises. There are numerous differences between databases from number conversions to date/time handling, to language interfaces, to missing constructs, to rollback behavior, and many others. Proper planning will look at all the technical differences and plan for them. Database migration projects also require time and effort, according to Ramakrishnan, and if they are rushed the results will not be what anyone wants. He recommended that project leaders create a single-page cheat sheet to break down the scope and complexity of the migration to help energize the team. It should include the project’s goals, the number of users impacted, the reports that will be affected by the change, the number of apps it touches, and more. Before embarking on the project, organizations should ask the following question: “How much will it cost to recoup the investment in the new database migration?” Organizations need to check that the economics are sound, and that means also analyzing the opportunity cost for not completing the migration.

Quote for the day:

"Do not follow where the path may lead. Go instead where there is no path and leave a trail." -- Muriel Strode

No comments:

Post a Comment