DNS Rebinding Attacks: “Lions, and tigers, and bears – oh my!”

What’s a new day without a new attack vector being published? Yesterday, Google, Roku, and Sonos all announced that they will be updating their home devices in order to address DNS rebinding attacks.

So what is a DNS rebinding attack? According to BleepingComputer.com,

The purpose of a DNS rebinding attack is to make a device bind to a malicious DNS server and then make the device access unintended domains. DNS rebinding attacks are usually used to compromise devices and use them as relay points inside an internal network. A typical DNS rebinding attack usually goes through the following stages:

1) Attacker sets up a custom DNS server for a malicious domain.

2) Attacker fools victim into accessing a link for this malicious domain (this can be done via phishing, IM spam, XSS, or by hiding a link to the malicious domain on a malicious site or inside ads delivered on legitimate sites).

3) The user’s browser makes a query for that domain’s DNS settings.

4) The malicious DNS server responds, and the browser caches an address like XX.XX.XX.XX.

5) Because the attacker has configured the DNS TTL setting inside the initial response to be one second, after one second, the user’s browser makes another DNS request for the same domain, as the previous entry has expired and it needs a new IP address for the malicious domain.

6) The attacker’s malicious DNS server responds with a malicious IP address, such as YY.YY.YY.YY, usually for a host inside the device’s private network.

7) Attacker repeatedly uses the malicious DNS server to access more and more of these IPs on the private network for various purposes (data collection, initiating malicious actions, etc.).

In short, the attacker does not need to hijack anyone’s DNS at all. They simply run the authoritative server for a domain they own, answer first with a public address (so the browser loads their page and script), and then, once the one-second TTL expires, with an address on the victim’s LAN. The browser keys its same-origin policy on the host name, not the address, so it still treats both answers as the attacker’s origin, and the attacker’s JavaScript can now talk to the device on the private network as if it were the attacker’s own site.

So what should you do in response?

Actually, that is a tough question. This mostly affects home users. It is not nearly as big a threat for enterprise administrators, but every enterprise should still mitigate this vulnerability by patching affected devices. And yes, if you place products/services within your customers’ homes, then this is a current issue for you. But even if you are not involved today, it is important to note that as more devices in the home become Internet-aware, this problem will only grow.

  • As a customer, update your device software as soon as updates are made available by the vendors. This is the default answer for most things, and it applies here as well. Fundamentally, the issue is with the software on the device: a service listening on the home network answers any HTTP request the browser relays to it, without checking that the Host header actually names the device itself. So the device firmware is where the fix must be applied. Google, Roku, and Sonos have already committed to bringing forward appropriate fixes.
  • Press other product vendors to provide updates to their software. This includes: Amazon, Netgear, TP-Link, Philips, Ikea (Tradfri), Blink, GE, and many others. As a professional, this is probably not your call to resolve. After all, do you really want to get involved in the dealings between a customer and another premises-device provider? Usually, I’d recommend keeping your nose out of other people’s business. But in this case, this is a matter of domestic hygiene. Your products and services will never work optimally if the entire home ecosystem is “polluted”. Of course, the biggest reason to be involved is to provide more mass in order to increase the “gravitational” pull upon these vendors. As an advocate for your customers, encourage your peers to “do the right thing”.
  • As a homeowner, I would recommend running your own DNS resolver, if you can. Keep it patched so that its software does not become the next attack vector. On its own, a local resolver does not fix the flaw in the device. But most resolvers can be told to refuse any answer that maps an outside name onto a private address (dnsmasq calls this --stop-dns-rebind; Unbound uses private-address:), and that blocks step 6 above for every device behind the resolver, patched or not. It will also resolve many other problems, especially problems imposed by lax ISP maintenance procedures. If you can’t run your own DNS, then use a logical (or physical) “proxy” for your DNS queries. This will resolve many of these issues. For example, your SmartThings hub can front the Internet-based DNS services on behalf of your devices. But whatever technical steps you may take, please be a counselor and advocate for your customers. At the same time, maybe it’s time for your company to provide a DNS appliance solution. Maybe this isn’t just “table stakes” for the OEM router providers and the ISPs. Maybe your company can economically provide a cool product that bundles DNS, ad blocking, and proxy services.
  • If you use your own DNS, then use DNSSEC. This won’t be the short-term solution, and it is not a fix for rebinding at all: DNSSEC proves that an answer came from the domain’s legitimate owner, and in a rebinding attack that owner is the attacker, so the rebound answer validates perfectly. What DNSSEC buys you is protection against forged answers for domains you did not choose to visit. Note also that DNSSEC provides authentication only, not encryption, and most IoT clients won’t have the processing power to validate signatures themselves, which is why validation belongs on the resolver. But if you can bake this into your products, then do so, and soon. Please, and thank you.

In the final analysis, this problem is an “edge” problem. So all solutions must occur at the edge. But if you are a service provider, then you have an obligation to your customers to act as a trusted advisor. Help them to be successful and they will help you to be successful.
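Putting the two sides of this together, here is an added example in Python. It is my own illustration, not code from BleepingComputer or from any of the vendors named above. It shows, first, the check a rebind-aware resolver performs on answers like those in steps 4 to 6, dropping a public name that suddenly resolves into private address space, and second, the check the device itself should perform, refusing any HTTP request whose Host header does not name the device. The domain attacker.example, the addresses, and the device names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Ranges that a name on the public Internet should never resolve to.
# Constructed for this example; add your own site-local ranges as needed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(ip: str) -> bool:
    """True if ip lies in a private, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    # Mixed-version membership tests simply return False, so v4/v6 can share one list.
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class DnsAnswer:
    name: str   # the queried name
    ip: str     # the address carried in the answer
    ttl: int    # seconds the client may cache it (the attacker sets this to 1)


def is_rebinding_answer(answer: DnsAnswer, local_names: Iterable[str] = ()) -> bool:
    """Step 6 of the attack: an external name is mapped onto a LAN address.

    Names you administer yourself (a NAS, a printer) may legitimately live in
    private space, so they are exempted through local_names.
    """
    name = answer.name.lower().rstrip(".")
    if name in {n.lower().rstrip(".") for n in local_names}:
        return False
    return is_internal(answer.ip)


def filter_answers(answers: Iterable[DnsAnswer],
                   local_names: Iterable[str] = ()) -> Tuple[List[DnsAnswer], List[DnsAnswer]]:
    """Split answers into (accepted, dropped), as a rebind-aware resolver would."""
    accepted, dropped = [], []
    for a in answers:
        (dropped if is_rebinding_answer(a, local_names) else accepted).append(a)
    return accepted, dropped


def _host_from_header(value: str) -> str:
    """Host part of an HTTP Host header: "host", "host:port" or "[v6]:port"."""
    value = value.strip()
    if value.startswith("["):            # bracketed IPv6 literal
        end = value.find("]")
        return value[1:end].lower() if end != -1 else ""
    return value.split(":", 1)[0].lower().rstrip(".")


def host_header_allowed(host_header: str, device_ips: Iterable[str],
                        device_names: Iterable[str] = ()) -> bool:
    """Device-side check: only serve requests whose Host names this device.

    After the rebind the browser still sends Host: attacker.example, because
    that is the origin it believes it is talking to. Rejecting such requests
    defeats the attack even though the TCP connection arrived on the LAN address.
    """
    host = _host_from_header(host_header)
    if not host:
        return False
    try:
        return ipaddress.ip_address(host) in {ipaddress.ip_address(i) for i in device_ips}
    except ValueError:                   # not an IP literal, so compare against names
        return host in {n.lower().rstrip(".") for n in device_names}


# Constructed sample data: the two answers a resolver sees in steps 4 and 6,
# and the addresses/names of a hypothetical speaker on the LAN.
ATTACK_SEQUENCE = [
    DnsAnswer("attacker.example", "203.0.113.5", 1),   # step 4: public address, TTL 1 s
    DnsAnswer("attacker.example", "192.168.1.20", 1),  # step 6: rebound onto the LAN device
]
DEVICE_IPS = ("192.168.1.20", "fe80::1")
DEVICE_NAMES = ("speaker.local",)

if __name__ == "__main__":
    accepted, dropped = filter_answers(ATTACK_SEQUENCE, local_names=("nas.home",))
    print("resolver accepted:", [a.ip for a in accepted])
    print("resolver dropped: ", [a.ip for a in dropped])
    for hdr in ("192.168.1.20:8080", "speaker.local", "attacker.example"):
        print(f"Host: {hdr:<20} -> {'serve' if host_header_allowed(hdr, DEVICE_IPS, DEVICE_NAMES) else 'reject'}")
```

The two checks are independent and worth deploying together: the resolver filter protects every device behind it, including ones that will never get a firmware update, while the Host check protects the device even when a client bypasses the local resolver.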

https://www.bleepingcomputer.com/news/security/google-roku-sonos-to-fix-dns-rebinding-attack-vector/

Get Ranked to Become More Secure

I’ve been in the business world for a few years. And in the past two decades, the forced ranking of employees has been adopted by many HR departments. These ranking systems have generated both great advantages and equally great disadvantages. But the motivation for implementing such competitive systems is quite clear: as humans, most of us are driven to compete. So it is theorized that this imperative can be channeled to “inspire” maximum performance while on the job.
 
We want to be the “best” in whatever we do. This includes having the best house (or car), maintaining the best yard, encouraging the best students (or student/athletes), or being the “best” member of a great team. These kinds of systems inspire us to be the best that we can be. Such reward-based systems are nothing new in technology either. For a generation, game designers have built reward systems into their products. It is no longer just about beating the “big bad”. It is also about wearing the best armor or having the coolest spaceship. And social media systems have often devolved into follower counting or “influence” ratings.
 
So how can such comparison and esteem systems result in a stronger security posture?
 
The folks at LastPass (which is owned by LogMeIn) have been using a “security challenge” program to motivate people to be more secure than they have ever been. While such a system does not work for everyone, it has always worked for me. As a result of this system, I remained dissatisfied with being in the top ten percent of LastPass users. The test inspired me to work hard in order to join the top one percent of users. And this week, it inspired me to implement any and all recommended areas of improvement.
 
I’m not certain whether the aforementioned example speaks to the power of motivation systems or to a fundamental facet of my personal psyche. But for the sake of this article, I’ll assume the former while considering the latter at some point in the future. After cleaning up (and locking down) all of my credentials, I decided to turn my focus towards household vulnerabilities. And my tool of choice to evaluate vulnerabilities is Nessus (http://www.tenable.com).
 
I’ll probably write a follow-up article about my findings – and my subsequent actions. In the meantime, I will tell you that the very first thing which I started to do after seeing the most recent results was to triage the important vulnerabilities. I looked at the items that Tenable noted as most important. I then researched and worked towards remediation of all of the highlighted vulnerabilities. Bottom line: I was motivated to be better than my nearest neighbors. This “better than the Joneses” compulsion is driven by my fundamental view that to be a survivor, one cannot be the slowest antelope in the herd. Consequently, I am using an incentive-based system (and some fear-based motivation) to further strengthen my security posture.
 
In the final analysis, I am convinced that harnessing ego rewards and highlighting real risks (i.e., letting people know of the possible punishments for not addressing vulnerabilities) are a winning strategy – if you have a company with employees like myself.
 
http://smallbusiness.chron.com/employee-motivation-reward-systems-15978.html

Trading Privacy for a Little Convenience

Benjamin Franklin once wrote, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” The quote (and its source) is often disputed (see https://www.npr.org/2015/03/02/390245038/ben-franklins-famous-liberty-safety-quote-lost-its-context-in-21st-century). But it is clear that modern privacy advocates see this quote as a proof text for the shortsightedness of exchanging your privacy for your security. Indeed, I too have used this quote as a rallying cry. But in candor, my use of this quote is more of an “appeal to authority” rhetorical argument rather than a reasoned defense of unfettered freedom.
 
But how should we respond to HART (the Homeland Advanced Recognition Technology project)? DHS is building a massive repository of identity information. This is, ostensibly, for ensuring our security. From the Electronic Frontier Foundation (at https://www.eff.org/deeplinks/2018/06/hart-homeland-securitys-massive-new-database-will-include-face-recognition-dna-and),
 

DHS’s plans for future data collection and use should make us all very worried. For example, despite pushback from EFF, Georgetown, ACLU, and others, DHS believes it’s legally authorized to collect and retain face data from millions of U.S. citizens traveling internationally. However, as Georgetown’s Center on Privacy and Technology notes, Congress has never authorized face scans of American citizens.
 
Despite this, DHS plans to roll out its face recognition program to every international flight in the country within the next four years. DHS has stated “the only way for an individual to ensure he or she is not subject to collection of biometric information when traveling internationally is to refrain from traveling.”

On its face, this is repulsive. And for most Americans, this kind of assault on our freedom and our right to privacy is unthinkable. But the federal government apparently hoped that this effort would gain little public attention.

But while we chafe over such obvious governmental incursions, why do we embrace the same incursions when they come from a private company? Most Apple users applauded the availability of facial recognition as part of the new Face ID feature. And I daresay that Android users would welcome the very same technology, if they knew that it already existed on their phones.

So what’s the problem with a company doing this?

There is little problem if you trust the company and if you read your grant of license. I daresay that we do trust companies and we don’t read license agreements. Of course, it should be the other way around. If we read the grant of license, then we would realize that most companies will use whatever they can leverage to increase profits for their owners/shareholders. And if we give away our rights (as well as personally identifiable information), then we are worse than those who gave away freedom for security. We’re doing it to save a few seconds of login time.

It’s Time to Sow and Go!

What you sow does not come to life unless it dies first. – 1 Corinthians 15:36

Today is my last day with General Dynamics and with the United States Marine Corps. And I am overwhelmed with many emotions. But God has been immensely gracious. He has gently reminded me that the things which I have planted and nurtured won’t come to pass until my time at MCEITS ends. Consequently, I am joyful that the seeds which I have planted WILL bear fruit – even though I won’t be here to see (or taste) that fruit. Indeed, I was reminded that my role was to be like that of Johnny Appleseed: I must sow and go. So it is now time to leave the forest that I and others have planted. We might be fooled into thinking that this forest still looks like bare soil. But we have all seen the vision of the forest. Ladies and gentlemen, I planted the seeds that were in my bag. I made sure that the spring rains haven’t washed away the seeds. And now I must leave the forest for each of you (and all of you) to tend.

Be true to the mission and vision that you have for yourselves and for MCEITS. Good luck – and thanks for the fish!

 

Sincerely,

Lorin B. Olsen
Senior Manager
Sears Holding Corporation
(913) 735-3658 cell
cyclingroo@gmail.com
http://cyclingroo.com

https://plus.google.com/112039022986516057445/posts


The Valuation of Trust


 
Thanks to +Edward Coles and +Merlina Sapphire for sharing this video. It is a good overview of the basics of money and financing. I used the video to launch a rousing discussion on Google+.

This is fundamental Econ 101 stuff. But it is great to see it explained so simply and understandably.
Nevertheless, the narrator makes a simplifying assumption: increases in the money supply gain their value from the existing money supply itself. This assumption is misstated. The value of newly created money is directly proportional to the trust that we place in the banking system and the measure of trust we place in the repayment of debts. When we stop trusting the system, we withdraw our funds and create a run on the banking establishment. And as we saw in the Great Depression, no bank could provide the funds required if all demand deposits were demanded.
So what is the #OccupyWallStreet movement? In my mind, it is an effort to diminish and/or destroy the trust that America has in its banking system. The threat of flagging trust in our system must be challenged. We must begin to trust each other to repay the debts that we owe. And we must trust our banks as institutions that will fulfill the promises/contracts that we have made with them.

After submitting the above text for discussion on Google+, I got some very rousing debate on the issue of trust and the kinds of change that we should be advocating.  Here was my response to one reader:

+Jonathan Xavier, I think we can all agree on the definition of the problem. Where we disagree is on the root cause of the problem and/or the solution that we would propose to address the inherent ills in the system.
At a macro level, the issues relate to a lack of trust. We do not trust the banks. And the banks don’t trust their customers. I know of many people that have simply walked away from the commitments that they made to bankers and their depositors. This is true of home mortgages as well as student loans. Any system that makes it simple to abandon promises is a flawed system. If you default on a loan, there should be penalties. But in today’s culture, walking away from your commitment to repay the people that have invested their savings in the bank is wholly unsatisfactory.
At the same time, our banks should not be treating us as a carcass from which they can nourish their bloated excesses. If you thought that current banking fees were unreasonable, just wait for transaction fees that are coming for ATM’s and for mobile phone transactions via NFC. The banking institutions exist as a public trust. And they should be held accountable for that position of trust.
But what are the causes of these troubles?
From my perspective, the challenge is not systemic but personal. We have lost our position as a moral authority in the world because we have failed to act in ethical and moral ways. We need to foster a culture where we work together – not separately. We need to act as communities – not collections of individuals. I need to honor my commitments and hold others to honoring the commitments that they have made to me.
But how do we foster a disciplined and moral personal life that can be replicated throughout our communities? Let’s deal with first things first. Hold yourself accountable for making moral decisions. This is not a question of legalities but of ethics. Our culture has become fascinated with “letter of the law” obedience. Instead, we need to hold ourselves to the “spirit of the law” in our lives.
As for me and my family, we will serve the Lord. And we will honor our commitments. And we will try to live intentional lives – not accidental lives. Let your every decision be something that you consider and decide. And make sure that your frame of reference is something beyond yourself. Too many of us live without a system of values. And then we are surprised when others don’t act compassionately or even honestly.
Our culture was based upon a shared view of ethics. And these ethics were personified in the Ten Commandments. [Note: I’m not advocating religious tests. I’m speaking of the Ten Commandments in their most basic and ethical sense.] If we hope to reclaim stability in times of transition, we must all be using the same moral compass as our guide.
Phew. I need to take a breath. Sorry for the screed. But I believe that in order to make substantive changes in our society, we need to address the root causes that are inherent in the system. BTW, I don’t know that we should impose this on one another until we enact it within our own lives. And as noted before, I believe that change starts within each heart. So I am covenanting (to myself and everyone who can read this) to live by a simple metric: WWJD.

I will be pondering this issue for a while as I think I have more to consider – especially as such conversations prompt deep thought over a protracted period of time.  Here’s hoping that the musings and discussions will lead me to a deeper understanding of myself and my place in this society.
-Roo

The Real Cloud Computing Transformation


I recently gave the keynote address at a Kansas City symposium on cloud computing. So when I saw this article, my interest was piqued. The author believes that cloud computing is devouring itself. Um, alright. I guess I can buy the premise. But I think the author may be too absorbed with the technical layers of the infrastructure rather than focusing on the real transformation.
From my vantage point (as a consumer and as a technologist), I see this wave of transformation as being more about business and less about technology. Maybe even more important is the fact that tech-centric companies are moving from a capex-centric budgeting model to an opex-centric budgeting model.
What does this imply? First, it means that businesses are seeing IT as fundamental to their future. But while it is fundamental, it is no longer a strategic differentiator. Indeed, most companies are frustrated after spending thousands of dollars (or millions or billions) on IT capital without any real strategic benefit. The cloud allows a company to abandon capex investments in favor of opex outlays. This means that companies can be nimble – assuming that the cloud vendors are nimble enough to meet their customers’ needs.
But the larger and more fundamental implication of this capex/opex migration is that businesses are moving to an even more short-term focus. With a capex focus, companies were thinking about tax advantages and long-term viability. With an opex focus, they are looking at short-term return to the owners/shareholders. This does ensure that a company is competitive as long as it is agile.
But are we abandoning the future by focusing even more acutely on the short term? I am not certain. It does mean that on a micro-level, individual companies are trusting their future to their partners. On a macro-level, we may not be losing future investment streams to other countries. But we are pushing capital investment into the hands of a smaller number of companies that will be managing public or private clouds on behalf of other companies.
If this is indeed what is happening, then the savvy investor will need to look at hosting providers within the tech sector as these companies will be the real capital aggregation points. I’m looking at HP, Rackspace and Amazon being some of the biggest players in this space. And I would throw Salesforce.com into the mix as a software aggregation point.

I Remember When…


…remote control was either difficult or expensive.
You could choose the Microsoft approach.  You could use the RDP solution from any client.  But if you wanted to actually connect to a desktop, that system needed to be running a “professional” version of the OS.  That meant that you could have remote control from Microsoft if you paid them first.
But if you refused to pay the Microsoft tax, you could always pay Citrix for the right to use their remote control tool.  Yes, it worked well.  And it didn’t require a special version of the operating system.  Instead, you just paid a license to Citrix and you could help whoever you wanted to help.  But licensing was horribly complex.  You had to have a license for a certain number of supported desktops or every desktop had to have a license of its own.  So if you wanted to get help, you had to set stuff up BEFORE you had a problem.
Fortunately, you could always roll your own solution.  You could install a VNC client and server on the systems that you wanted to access remotely.  And if you wanted real security, you could always use an SSH client and server to make sure that your connection was encrypted.  It was so easy to do that… OK, it wasn’t that easy to do.  If you had an uber-geek for a spouse (or any teenage child could substitute), then you could brute force your way through the maze of complexity.
So the choice was simple: build a terribly complex solution or pay for someone else to do it for you.  Now you have another option: Chrome Remote Desktop.
Google is building the Chrome OS.  And they need to have a way to provide for remote desktop administration.   It has to be secure and it has to be simple to use.   So how do you do both?  You build a tool on top of other infrastructure that already exists.

  1. You need a rendering engine that can run anywhere.  So build it on your browser.
  2. You need a transport mechanism that is easily secured and can pass through almost any firewall.   So build it on secure HTTP (https/443).
  3. You need an extensible platform that can encode almost anything into an XML stream.  So use jabber (i.e., xmpp) as the transport and stream platform.
  4. Finally, you need a well known means of connecting users to each other.  So use GTalk as the central nexus for interconnecting people.

In the end, what you have is a secure infrastructure that can easily be implemented via Google accounts and extensions to the Chrome browser.
I’m still a little leery of anything that is so simple and easy to use.  But I think that this one may be a real winner.

Switchfoot @ Six Flags St. Louis

The Switchfoot concert I attended yesterday was fantastic.
– Maybe it was fantastic because of the weather: I was blown away when it was raining and sunny and a rainbow spread across the park. We are so blessed by this beautiful world. May we treat this precious gift with the dignity that His generosity demands.
– Maybe it was fantastic because of the spirit of everyone in attendance: I loved it when all the young men and women came together in the center of the venue. The sense of spontaneous and uninhibited joy was palpable. I was reminded why I love working with youth so very much. Lord, please bless me with the ability to always teach people that burn brightly on your behalf.
– Maybe it was fantastic because Jon, Tim and the band were really going with where the Spirit led them. They were fantastic – as always. But it was so intensely cool to watch Jon change up the set list just because he felt led to do so. I don’t know if that was planned or not. But it was staggeringly awesome.
– Maybe it was fantastic because I was there with members of my family. While we didn’t have the full complement of my family there, it was wonderful to be with my children and the people that they love. It was amazingly intimate to be with them – and with a few thousand other people.
– Maybe it was fantastic because God’s Spirit was really present with us. In fact, I can guarantee that God’s intimate Spirit was the reason that yesterday was so fantastic. For me, it was one of the most meaningful concerts that I have ever been able to attend. I can’t tell you how many times I cried during the concert. In fact, I’m crying as I write these words.
Some days you tuck away into your memory because they are so very special. This was one such day for me. When I finally see my Savior face to face, I will be tearfully thanking Him for moments like this.
Thank you, Lord Jesus!

DLNA Difficulties Defy Desires

Over the past couple of days, I’d completed all the chores that needed to be done on this long weekend. So today was a free day. The weather was amazing today. But Cindy and I decided to take care of a few things: Cindy spent the day working on schoolwork while I worked on configuring the new TV to work with the rest of the household network.
My goal was simple: facilitate streaming movies from our media server to the new Samsung TV. I have ripped almost a hundred of our DVD’s into MP4 (i.e., .m4v) file formats. And I’ve used these files on other computers as well as mobile phones. So I assumed that this was going to be rather simple. But simple technology tasks often become very complicated – as was the case today.
The first step of the process was to set up a DLNA server. Since we have a Twonky server already built into our media server (i.e., a Western Digital NAS server), I figured that I would go ahead and use that platform first. But when I attempted to play a movie from the media server, the Samsung TV just displayed an “in progress” graphic. It took almost five minutes before it timed out with an error.
After playing with this for a while, I finally decided that the embedded Twonky server in my WD NAS might be outdated. So I decided to buy a copy of the software for my main system. After a failed transaction through Paypal, I was finally able to purchase and download a current version of Twonky server. After a few minutes of configuration, I was able to try streaming content once again. The results were identical. So I was now out a couple of sawbucks and I was no closer to a solution.
After tasting failure twice, it was time to do some research. First, I found out that I am not the only person who has had this problem. Second, I learned that many of the problems with streaming via Twonky were the result of multiple Twonky servers on the same network. While that didn’t make much sense, it was worth spending the time to reconfigure my systems. Of course, the result was some lost time and no substantial progress towards solving the problem. So it was three strikes – but I wasn’t out.
Next I was coming to the conclusion that the problem might lie with the new Samsung TV and not the streaming server. There are enough references to Samsung TVs not supporting every MP4 container type. Indeed, some references even suggested that AVI files solved the problem for them. Of course, I’m not going to convert all of my AVI files on a whim. So I decided to pursue a different short-term course.
I saw quite a few derogatory references to Samsung’s DLNA implementation. So just in case it was the DLNA client built into the TV, I decided to copy one of the MP4 movies to a USB drive. I plugged the drive into the TV (after renaming the file from .m4v to .mp4). After finding out how to browse to a USB connected drive, I was able to successfully watch one of the movies that I couldn’t stream to the TV.
So now I’m left with a quandary: should I convert and/or rip my DVD’s again? I hardly think that this would be worth it. Since I really want this to work via DLNA, I’ll be entering a ticket with Samsung service concerning their DLNA server on the 6-series televisions.
[Note: If you’re wondering why the movie poster from Serenity is attached to this post, it’s because Serenity was the movie that I used to perform my various tests.]
 
-Roo