DDoS attacks on the rise; China and Russia behind most credential abuse attacks, report

Cyber defenders need to stay on their toes: DDoS attacks are still on the rise, with a 16 percent increase in the number of attacks recorded since last year, and attackers keep devising new and more advanced DDoS methods. Since last year there has been a 4 percent increase in reflection-based DDoS attacks, a 38 percent increase in application-layer attacks such as SQL injection or cross-site scripting (web application attacks, which the report counts separately from DDoS), and a 1.35 terabit per second memcached reflection attack, the largest DDoS attack to hit the internet yet.

Aclima sucks in $24M to scale its air quality mapping platform

Aclima, a San Francisco-based company which builds Internet-connected air quality sensors and runs a software platform to analyze the extracted intel, has closed a $24 million Series A to grow the business including by expanding its headcount and securing more fleet partnerships to build out the reach and depth of its pollution maps.

Cilium 1.1: Istio sidecar mode, cri-o/containerd support, improved efficiency & scale, init policies

We are excited to announce Cilium 1.1. 33 contributors have contributed 964 commits to this release. Below is a list of highlighted features and architectural improvements that have made the 1.1 release in addition to the countless bugfixes.

Highlights

  • Deep Istio Integration

    • mTLS compatibility: New alternative mode to enforce Cilium application protocol security policies directly in the Istio sidecar proxy managed by Pilot to support application level policy enforcement when Mutual TLS is in effect. Pod and port-level policies continue to be enforced outside of the pod.
    • Istio guide: New getting started guide based on Istio 0.8.0 release that features Helm charts to deploy Istio.
    • Init policies: A new init identity covers the time span of a pod while it is being initialized, i.e. while the labels and/or policy of an endpoint are not known yet. The init policy enforces a configurable policy. It is of particular importance to Istio architectures because the sidecar proxy of a pod is required to have privileges to communicate with the control plane running in the istio-system namespace.

    Support for additional container runtimes

    • The runtimes are automatically detected as reliably as possible but can also be explicitly specified using the --container-runtime option.
    • cri-o: Includes an extension of the minikube getting started guide with the cri-o specific deployment steps.
    • containerd

    Additional Network Security for Kubernetes

    • podSelector && namespaceSelector: Support for the new combined podSelector and namespaceSelector in NetworkPolicy as introduced in Kubernetes 1.11.
    • Service accounts: Ability to match on the Kubernetes Service Account association of a pod. Please see example below.
    • NodePort security: Ability to differentiate between local host and traffic that is SNATed to the node IP when entering the node. This allows differentiation between host traffic performing health checks and external accesses via NodePort. Old behavior can be preserved with the --k8s-legacy-host-allows-world option.
    • Changing pod labels: The policy enforcement layer now supports containers and pods changing their labels on the fly.
    • Policy correlation: Annotations of a CiliumNetworkPolicy are now mirrored in the status field for each node. This simplifies the correlation of what policy is being enforced on which node.

    Extended IP/CIDR policy enforcement capabilities

    • Combined IP+L4/L7: Support to specify port and application protocol (L7) rules that only apply in combination with IP/CIDR matching.
    • Unlimited # of CIDR prefix lengths: CIDR enforcement implementation with new BPF longest-prefix-match map when available. Leads to support of unlimited number of prefix lengths.

    Improved connection tracker efficiency

    • CT cleanup on deny: Removal of connection tracking entries when policy denies the traffic. This is possible because the policy enforcement cost is only O(1).
    • Improved UDP conntrack: More aggressive cleaning of the connection tracking table for non-TCP traffic. This primarily improves resource usage for workloads such as Prometheus metrics scraping that cause a continuously large number of DNS lookups per second.

    Efficiency & Scale

    • Large identity count environments: Massive improvement of identity allocation performance in environments with several thousand workload identities.
    • MTU improvements: Better MTU handling by implementing the encapsulation packet overhead via the MTU metric of the transmission route to allow using the full MTU on receive. This reduces the probability of fragmentation and packet drops.

    Additional Prometheus metrics

    • L3/L4/L7 forwards/drops: Counters for all forwarded and rejected traffic on both packet and application protocol request layer. Packet level metrics are exported directly from the BPF datapath using efficient per-CPU maps. Application protocol metrics are exported by the proxies.
    • Status as a metric: Representation of all status-relevant failure scenarios such as the number of failing controllers.

    Reliability Work

    • Support for changing host IPs: If you add or change one of the IPs of the host, it will be properly detected and policy is applied accordingly. This is made possible by replying to all ARP requests with the virtual MAC address of the Cilium router regardless of the IP being requested as all traffic is always L3 forwarded.
    • Continuous BPF synchronization: Synchronization of policy to BPF maps is now done via controllers. If something other than Cilium modifies the state of the BPF maps, the state in the BPF map is automatically fixed again.
    • Reuse of devices & routes: Network devices and routes are no longer re-created but modified if possible to ensure continued connectivity across agent restarts.
    • Synchronous CNI plugin: The CNI plugin now performs the plumbing in a synchronous fashion. This guarantees that networking is being provided from the moment the application container is spawned. See init policy to define policy privileges for the duration when the workload identity is not known yet.
    • TCP keepalive support: Envoy and the Kafka proxy now enable TCP keepalive by default to ensure that persistent connections are never subject to connection tracking expiration even if no data is being sent for days.
    • IPv6: Improved handling of unsupported IPv6 extension headers.

    Operations

    • Require k8s PodCIDR allocation: New agent options --k8s-require-ipv4-pod-cidr and --k8s-require-ipv6-pod-cidr to require the Kubernetes PodCIDR to be provided by Kubernetes via the Node resource.
    • IPv6: New --ipv6-cluster-alloc-cidr option to specify the IPv6 CIDR when Cilium allocates the per node IPv6 CIDR.
    • CNI compatibility: Rename of default CNI configuration name from 10-cilium.conf to 00-cilium.conf to simplify plugging Cilium into existing Kubernetes environments as some CNI plugins do not remove the configuration file when they get uninstalled.
    • State pruning: New clean-cilium-state option in the Kubernetes ConfigMap which triggers an init container when the Cilium pod starts up to clean all existing state before Cilium starts.
    • BPF filesystem: Improved automatic mounting of the BPF filesystem when Cilium is being run in a separate mount namespace.
    • Ubuntu 18.04 base image: The base image for the Cilium container image has been upgraded to Ubuntu 18.04.

    Documentation

    • Kubernetes versions: Documentation now features multiple tabs to provide example YAML files for different Kubernetes versions to account for different resource naming versioning requirements.
    • Istio GSG: New getting started guide with Istio 0.8.
    • cri-o: New getting started guide using cri-o.
    • Elasticsearch: New Elasticsearch getting started guide.
    • BPF reference guide: Additions to the BPF reference guide including sections on XDP, iproute2, and LLVM.

    Deep Istio integration

    Cilium deeply integrates with Istio. Cilium operates as a CNI plugin and provides connectivity as well as transparent security from the packet level all the way up to the API level. Among many other things, Istio can provide Mutual TLS-based authentication between Istio-managed services as well as authorization. Both are implemented with the help of a sidecar proxy running inside the application pod. When running Istio in combination with Cilium, Cilium can:

    • Secure the Istio sidecar and control plane. More on this below.
    • Run in a Mutual TLS-compatible configuration allowing Cilium to enforce Cilium security policies using the Istio sidecar architecture.
    • Enhance the performance of Istio and Envoy by reducing the overhead introduced by the sidecar architecture. More details on this can be found in this separate blog post.

    Restrict unsupported protocols

    Istio ignores network traffic for protocols that are not supported by Istio. This includes all UDP, ICMP and IPv6 traffic. Traffic using these unsupported protocols is thus not subject to Istio’s authentication and authorization rules and will bypass enforcement.

    Cilium guarantees enforcement of all security policies outside of the pod regardless of the protocol being used. Cilium follows a strict whitelist model which results in the rejection of any unknown traffic. This allows traffic using protocols not supported by Istio to be restricted and covers scenarios such as:

    • Preventing a compromised pod from leaking information using a UDP based gossip protocol by only allowing UDP traffic to kube-dns running in the kube-system namespace.
    • Applying security policies to TCP ports which are excluded from the sidecar redirection logic. This could include restricting traffic to only the port that is being redirected to the sidecar.
    • Preventing a compromised pod from leaking information to a public IPv6 address which would otherwise bypass the proxy.

    Securing the Sidecar

    The sidecar proxy itself is not subject to any security rules, as the proxy is exempted from the redirection logic; otherwise it would cause a continuous loop. As Cilium provides enforcement outside of the pod, the traffic of a potentially compromised sidecar proxy is still subject to the security policy rules by:

    • Limiting communication to allowed services in the cluster to complement Mutual TLS. This is particularly important as a compromised sidecar gains access to all other services that are not using Mutual TLS because there is no ingress protection on the receiving side of the service.

    • Preventing a pod from leaking sensitive information by either not allowing the pod to communicate outside of the cluster at all or by limiting it to well known IP/CIDR ranges on well known ports.

    Securing the Control Plane

    All Istio sidecars communicate with the Istio control plane that is deployed within the cluster. This communication is required for operations and application pods are required to have access to these services. Here are a few examples of how Cilium improves security of the overall architecture:

    • Only allow application pods that have been injected with an Istio sidecar to have access to the control plane. This can be achieved by having Cilium policies match on the Istio annotation added to pods during injection. Pods without an injected Istio sidecar proxy should not have access to the control plane.

    • The Istio control plane collects a lot of sensitive information as it manages certificates, performs tracing and host authorization logic. The control plane components obviously must be subject to security policies to prevent leaking of this information.

    mTLS-compatible API-aware security policies

    Prior to the 1.1 release, use of the Istio Mutual TLS functionality encrypted all of the TCP traffic between services, which restricted the capability of Cilium to enforce API-aware security policies for such services. Starting with Cilium 1.1, Cilium is capable of reusing the Envoy instance running as a sidecar inside the pod to enforce the Cilium security policies.

    No change to the policies is required. All API level policies will be enforced in the sidecar and all policies on a pod/service and port level continue to be applied outside of the pod. Thus enforcement continues to cover network traffic that is currently unsupported by Istio.

    Please follow the Istio Getting Started Guide to learn how to run Cilium in the Mutual TLS compatible mode.

    Init Policy

    Security labels are bound to pod and container labels. Certain labels are only associated with a pod once the pod has been initialized, i.e. they are not yet known while it is being initialized. Consequently, the privileges granted by policies matching on such labels only apply once initialization is complete, which can lead to a lack of connectivity during pod or container initialization. Cilium 1.1 introduces a new init policy concept which allows definition of privileges which should be applied to pods and containers that are being initialized.

    Kubernetes Example:

    apiVersion: "cilium.io/v2"
    kind: CiliumNetworkPolicy
    metadata:
      name: init-allow-dns
    specs:
      - endpointSelector:
          matchLabels:
            "reserved:init": ""
        egress:
        - toEntities:
          - all
          toPorts:
          - ports:
            - port: "53"
              protocol: UDP

Awareness is not enough to thwart cybersecurity

By Tim Brown, VP security at SolarWinds MSP

Every year, the entire month of October is given over to Cybersecurity Awareness—a campaign dedicated to promoting information security and safer use of the internet by everyone. But is it having an effect? Are UK businesses more aware of—and better prepared for—the cyberthreats they face?

Making Continuous HIPAA Compliance Easy with ExpertOps

Healthcare organizations continue to face relentless cyberattacks owing to the immense value placed on patient health information on the dark web. Patient records have almost everything the attacker needs to carry out sophisticated insurance fraud schemes, purchase medical supplies or drugs, or commit other types of fraud including outright identity theft.

In addition to the theft of personal health information (PHI), healthcare organizations are increasingly faced with ransomware attacks that cripple operations and make it nearly impossible to deliver patient care. Because of the grave risks to patient care and safety in the event of a cyberattack, healthcare organizations are required to be HIPAA compliant.

Continuous compliance with HIPAA has been shown to help healthcare organizations secure their environment from cyberattacks; meeting the requirements of HIPAA requires most businesses to set up strong processes, methods and controls to assure auditors that the security and integrity of PHI are assured.

However, because of the technical skills gap – the difficulty in hiring, training and retaining skilled cybersecurity talent – healthcare organizations are often faced with the difficult choice of merely passing a HIPAA audit by adopting check-box practices or expending resources to implement continuous compliance practices.

On the one hand, check-box compliance practices help healthcare organizations meet the short-term goal of passing a HIPAA audit. However, these practices are often not sufficient to truly secure their environment. To do this, healthcare organizations must implement continuous compliance practices, such as file integrity monitoring (FIM) and secure configuration management (SCM).

Robust file integrity monitoring and secure configuration management can help healthcare organizations truly secure their environment whilst achieving continuous HIPAA compliance. However, due to the technical skills gap, healthcare organizations often don't have the necessary resources to devote to continuous compliance.

Healthcare organizations need not choose between passing an audit and having continuous compliance. By leveraging the benefits of a managed security provider, healthcare organizations can have the best of both worlds: they can achieve and prove compliance in a HIPAA audit and truly secure their environment with continuous compliance. Managed security providers help healthcare organizations by acting as an extension of their team, providing end-to-end visibility and ensuring that their environments are not only compliant with HIPAA but that their critical assets, including EHR systems, are secure. And all of these benefits are available to healthcare organizations without the concern of hiring, training and retaining skilled staff.

Tripwire ExpertOps combines managed services with the industry's best FIM and SCM solutions to help healthcare organizations address the requirements of the HIPAA Security Rule, as outlined in 45 CFR Part 164. ExpertOps also provides personalized consulting, HIPAA audit support and cloud-based infrastructure to help you achieve and maintain compliance. The solution is easy to deploy and use, with simple subscription pricing and a low total cost of ownership. Tripwire ExpertOps enables you to rapidly achieve compliance with HIPAA by reducing the attack surface, increasing system integrity and delivering continuous compliance, including ensuring the security of your EHR system.

Plus, because Tripwire ExpertOps includes personalized consulting, you receive ongoing support from a designated Tripwire Expert. ExpertOps can help healthcare organizations surmount the challenges of achieving HIPAA compliance and have great security with small teams. To learn more about how Tripwire ExpertOps can help you achieve HIPAA compliance, click here.

GRR 3.2.3.0

GRR Rapid Response is an incident response framework focused on remote live forensics. The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely. GRR consists of 2 parts: client and server. The GRR client is deployed on systems that one might want to investigate. On every such system, once deployed, the GRR client periodically polls GRR frontend servers for work. “Work” means running a specific action: downloading a file, listing a directory, etc. The GRR server infrastructure consists of several components (frontends, workers, UI servers) and provides a web-based graphical user interface and an API endpoint that allows analysts to schedule actions on clients and view and process collected data.

BrandPost: MFA: Enhancing Digital Workspace Security Without Sacrificing Convenience

As digital transformation leads more organizations to discover the value of digital workspaces for today’s work-anywhere workforce, the question of how to keep them secure inevitably comes up. After all, most digital workspaces rely primarily on a username/password combination for access credentials—and that can pose a real risk when 81% of hacking-related data breaches today are password-related. If you want to make sure your digital workspace is as secure as it is convenient, consider multi-factor authentication (MFA).

We’re Baking Have I Been Pwned into Firefox and 1Password

Pretty much every day, I get a reminder from someone about how little people know about their exposure in data breaches. Often, it’s after someone has searched Have I Been Pwned (HIBP) and found themselves pwned somewhere or other. Frequently, it’s some long-forgotten site they haven’t even thought about in years and also frequently, the first people know of these incidents is via HIBP:

In cases like Ticketfly, loading the data into HIBP meant notifying 105k of my subscribers. That’s out of a subscriber base that just recently ticked over the 2M mark:

2 million is more than I ever expected, if I’m honest, but it’s also only a tiny, tiny drop in the ocean. Of the 5.1 billion records that are in HIBP today, there’s 3.1B unique email addresses. I’m reaching 0.06% of them via the notification service and not a whole lot more in terms of people coming to the site and doing an ad hoc search (usually 100k – 200k people a day). Don’t get me wrong – I’m enormously happy and personally fulfilled by having been able to do even this – but clearly, I’m barely scratching the surface. However, that scope is about to expand dramatically via 2 new partnerships which I’m announcing today, starting with Firefox:

Mozilla and Firefox Monitor

Last November, there was much press about Mozilla integrating HIBP into Firefox. I was a bit surprised at the time as it was nothing more than their Breach Alerts feature which simply highlighted if the site being visited had previously been in a data breach (it draws this from the freely accessible breach API on HIBP). But the press picked up on some signals which indicated that in the long term, we had bigger plans than that and the whole thing got a heap of very positive attention. I ended up fielding a heap of media calls just on that one little feature – people loved the idea of HIBP in Firefox, even in a very simple form. As it turns out, we had much bigger plans and that’s what I’m sharing here today.

Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called “Firefox Monitor”.

Here’s what it looks like:

This is major because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream. You can read Mozilla’s announcement of the new feature and how they plan to conduct the testing and rollout.

I’m really happy to see Firefox integrating with HIBP in this fashion, not just to get it in front of as many people as possible, but because I have a great deal of respect for their contributions to the technology community. In particular, Mozilla was instrumental in the birth of Let’s Encrypt, the free and open certificate authority that’s massively increased the adoption of HTTPS on the web. Arguably, the work done by Mozilla’s Josh Aas and Eric Rescorla (still the Mozilla CTO today) has been one of the greatest contributions to online privacy and security we’ve seen and Mozilla remains a platinum sponsor to this day. They’ve also been instrumental in helping define the model which HIBP uses to feed them data without Mozilla disclosing the email addresses being searched for. I’m going to talk more about the mechanics of that model in a moment but first, let me talk about 1Password:

1Password

My relationship with 1Password stretches all the way back to 2011 when I came to the realisation that the only secure password is the one you can’t remember. Over the last 7 years, I’ve continued to buy their product and use it every single day across all my devices and my entire family’s devices. In February, only the day after I launched Pwned Passwords V2, 1Password turned around and built it into their product so that users of the password manager could see if their password had been previously exposed in a breach. That effort was a large factor in my choosing 1Password to partner with HIBP back in March and since that time, they’ve built Pwned Passwords into the desktop apps for Mac and Windows and provided the ability to check all your passwords in one single go. But today, we’re announcing something much bigger:

As of now, you can search HIBP from directly within 1Password via the Watchtower feature in the web version of the product.

This helps Watchtower become “mission control” for accounts and introduces the “Breach Report” feature:

As with Pwned Passwords, by pushing this out in the web-based version of the product they can get it to customers quickly then over time, bake it right into the desktop versions as well. There’s also a bunch of other ways 1Password can use the data to streamline how users protect their accounts and that’s something we’re actively discussing. I expect we’ll see the existing functionality enhanced in the not too distant future.

If you’re a 1Password user you can use this feature right now, just head on over to the 1Password login page. And if you’re not already putting all your passwords in 1Password, go and grab a free trial and give it a go. You can also find a more detailed write-up on 1Password’s implementation in the very aptly titled blog post: we shall fight on the breaches (why didn’t I ever think of that?!)

Enabling Anonymous Searches with k-Anonymity

I want to talk about protecting the identities of Firefox and 1Password users because more than ever – and regardless of where you are in the world – we’re becoming increasingly conscious of our online privacy. We’re also becoming increasingly connected and sharing unprecedented volumes of data which, let’s face it, isn’t exactly analogous with privacy and anonymity! But we can have both and I want to illustrate that by talking about the Pwned Passwords model for a moment.

When this feature launched, Cloudflare (hat-tip again to Junade Ali there) did some great work on a “k-anonymity” model which works like this: when searching HIBP for a password, the client SHA-1 hashes it then takes the first 5 characters and sends this to the API. In response, a collection of hashes is returned that match that prefix (477 on average). By looking at the hash prefix sent to the service, I have no idea what the password is. It could be any one of those 477 or it could be something totally different, I don’t know. Of course, I could always speculate based on the prevalence of each password but it would never be anything more than that – speculation. (Just to add to that, I’ve never got any idea of the username attached to the password either so even if I take an educated guess at it, there’s nothing I can actually do with it.)

The email address being searched for by Firefox and 1Password works in the same fashion, albeit with slightly different numbers due to the significantly larger data set at play. When I processed the source HIBP data in preparation for this feature, out of the 5B records in the system at the time there were 3.1B unique email addresses. (In other words, each address has been in an average of 1.6 data breaches.) I took each one of those 3.1B addresses, hashed it and stored it in a new data construct I’ll talk about later. That gave me a repository to search against, now let’s cover the mechanics of that search:

For the purposes of anonymity, I needed to decide on how many characters of the SHA-1 hash to allow searching by such that a sufficiently large number was returned to have no reasonable way of knowing which address was searched for, but also for the system to respond quickly. For Pwned Passwords, that number was 5 characters resulting in 16^5 possible search ranges which, across a data set of 500M records, meant the aforementioned 477 results per range. However, if I’d used 5 chars with the 3.1B email addresses, each range would contain an average of almost 3K results which is starting to get pretty sizeable.

Ultimately, I settled on 6 characters which means 16^6 possible ranges with an average of 185 results per range. Now, on the one hand you might say “that’s less than Pwned Passwords therefore provides less protection”, but it’s a bit more nuanced than that. Firstly, because this number will grow significantly over time; more data breaches means more new email addresses means larger results in the range search. More importantly though, email addresses are far less predictable than passwords; as I mentioned earlier, if I was to spy on searches for Pwned Passwords (and I don’t, but this is the threat k-anonymity is protecting us from), the prevalence of passwords in the system beginning with that hash can indicate the likelihood of what was searched for. But when we’re talking about email addresses, there’s no such indicator; certainly the number of breaches each has been exposed in divulges nothing in terms of which one is likely being searched for.

Here’s what a search for an email address ultimately looks like:

Address: test@example.com
SHA-1 hash: 567159D622FFBB50B11B0EFD307BE358624A26EE
6 char prefix: 567159
API endpoint: https://[host]/[path]/567159
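The k-anonymity range search described above, both the Pwned Passwords variant (5-character prefix) and the email variant (6-character prefix), as an added example that is not code from this post, from HIBP or from Cloudflare. The real API host and path are not given on the page, so the service is stood in for by a local function over a constructed breach table; the address normalisation (trim and lower-case before hashing) and the names used here are assumptions of the example. It also reproduces the bucket-size arithmetic (records divided by 16^prefix length) that the post uses to arrive at 477 and 185.

```python
import hashlib
from collections import defaultdict

# Each hex character of the prefix splits the hash space into 16 ranges.
HEX_RANGES_PER_CHAR = 16
EMAIL_PREFIX_LEN = 6      # what the post settled on for email addresses
PASSWORD_PREFIX_LEN = 5   # what Pwned Passwords uses


def sha1_hex(value: str) -> str:
    """Upper-case hex SHA-1 of a UTF-8 string, the form HIBP uses for its hashes."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def expected_bucket_size(records: int, prefix_len: int) -> float:
    """Average entries returned per range: records / 16**prefix_len.

    500M passwords with a 5-char prefix -> ~477; 3.1B addresses with a
    6-char prefix -> ~185; 3.1B addresses with 5 chars -> almost 3K.
    """
    return records / (HEX_RANGES_PER_CHAR ** prefix_len)


def normalise_address(address: str) -> str:
    # Assumption of this example: trim and lower-case so that
    # "Alice@Example.org" and "alice@example.org" hash identically.
    return address.strip().lower()


# ---- server side (stands in for the remote API) -----------------------------

def build_range_index(breach_counts: dict, prefix_len: int) -> dict:
    """Hash every address once and bucket it by hash prefix.

    Returns {prefix: [(suffix, breach_count), ...]}. Only the hash suffix and
    the count are kept per entry; the plaintext address is not stored.
    """
    index = defaultdict(list)
    for address, count in breach_counts.items():
        digest = sha1_hex(normalise_address(address))
        index[digest[:prefix_len]].append((digest[prefix_len:], count))
    for bucket in index.values():
        bucket.sort()  # deterministic order; reveals nothing about insertion
    return dict(index)


def range_query(index: dict, prefix: str) -> list:
    """What the API answers for one prefix: every suffix in that range.

    The service never learns which (if any) of these the client cares about.
    """
    return list(index.get(prefix.upper(), []))


# ---- client side ------------------------------------------------------------

class RangeClient:
    """Client that only ever sends the first prefix_len hex chars of the hash."""

    def __init__(self, index: dict, prefix_len: int):
        self.index = index          # the "remote" service
        self.prefix_len = prefix_len
        self.sent = []              # everything the service got to see

    def check(self, address: str) -> int:
        """Return the breach count for address, or 0 if it is not in the set."""
        digest = sha1_hex(normalise_address(address))
        prefix, suffix = digest[:self.prefix_len], digest[self.prefix_len:]
        self.sent.append(prefix)    # the only thing that leaves the client
        for candidate_suffix, count in range_query(self.index, prefix):
            if candidate_suffix == suffix:   # the match is decided locally
                return count
        return 0


# Constructed sample data for this example; not real breach records.
CONSTRUCTED_BREACH_COUNTS = {
    "alice@example.org": 2,
    "bob@example.net": 1,
    "carol@example.com": 3,
}


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_BREACH_COUNTS, EMAIL_PREFIX_LEN)
    client = RangeClient(index, EMAIL_PREFIX_LEN)
    for addr in ("Alice@example.org", "nobody@example.invalid"):
        print(addr, "->", client.check(addr), "breach(es)")
    print("service saw only these prefixes:", client.sent)
    print("avg bucket, 3.1B addresses / 6 chars:",
          round(expected_bucket_size(3_100_000_000, EMAIL_PREFIX_LEN)))
    print("avg bucket, 500M passwords / 5 chars:",
          round(expected_bucket_size(500_000_000, PASSWORD_PREFIX_LEN)))
```

With a three-entry table every bucket is tiny, so the anonymity set the service sees is only meaningful at the real data volumes; the `expected_bucket_size` call shows why the prefix length has to shrink by one character as the corpus grows from 500M passwords to 3.1B addresses, and `client.sent` shows that nothing but the prefix ever leaves the client.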

Remote Access For Third Parties

Securing third party remote access has become a top priority for enterprises according to SecureLink’s “Third Party Remote Access Study”. Matan Or-El, Co-Founder and CEO at Panorays commented below.