Category Archives: research

Should you block newly registered domains? Researchers say yes

7 out of 10 newly registered domains (NDRs) are either malicious, suspicious or not safe for work, say Palo Alto Networks researchers, and advise organizations to block access to them with URL filtering. “While this may be deemed a bit aggressive by some due to potential false-positives, the risk from threats via NRDs is much greater. At the bare minimum, if access to NRDs are allowed, then alerts should be set up for additional visibility,” … More

The post Should you block newly registered domains? Researchers say yes appeared first on Help Net Security.

Identifying vulnerable IoT devices by the companion app they use

For better or worse, connected “smart” devices are springing up like mushrooms. There is no doubt that they can be very helpful but, unfortunately, most have a slew of security vulnerabilities that could turn them into a nightmare. Until legislation catches up and manufacturers start caring about implementing security from the start, security researchers are our only hope when it comes to improving IoT security. Consequently, every approach that makes the process of identifying as … More

The post Identifying vulnerable IoT devices by the companion app they use appeared first on Help Net Security.

Researchers develop cybersecurity system to test for vulnerabilities in technologies that use GPS

Southwest Research Institute has developed a cybersecurity system to test for vulnerabilities in automated vehicles and other technologies that use GPS receivers for positioning, navigation and timing. “This is a legal way for us to improve the cyber resilience of autonomous vehicles by demonstrating a transmission of spoofed or manipulated GPS signals to allow for analysis of system responses,” said Victor Murray, head of SwRI’s Cyber Physical Systems Group in the Intelligent Systems Division. GPS … More

The post Researchers develop cybersecurity system to test for vulnerabilities in technologies that use GPS appeared first on Help Net Security.

Researchers develop new technique to identify malware in embedded systems

A technique for detecting types of malware that use a system’s architecture to thwart traditional security measures has been developed by researchers from North Carolina State University and the University of Texas at Austin. The new detection approach works by tracking power fluctuations in embedded systems. “Embedded systems are basically any computer that doesn’t have a physical keyboard – from smartphones to Internet of Things devices,” says Aydin Aysu, co-author of a paper on the … More

The post Researchers develop new technique to identify malware in embedded systems appeared first on Help Net Security.

TrustArc Partnering with IAPP to Benchmark Privacy Tech Adoption

As privacy tech continues to proliferate and embed itself in day-to-day privacy functions in the enterprise, the IAPP, together with TrustArc, seeks feedback to better understand how privacy pros are adopting the privacy tech tools outlined in our Privacy Tech Vendor Report. This year’s survey builds on a similar one we did last year looking at how privacy tools are acquired and deployed. Now, with obligations that both the EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are imposing on organizations, are we seeing a move toward greater tech adoption? The survey should only take about … Continue reading TrustArc Partnering with IAPP to Benchmark Privacy Tech Adoption

The post TrustArc Partnering with IAPP to Benchmark Privacy Tech Adoption appeared first on TrustArc Blog.

Research on private key generation reveals theft of ETH funds from accounts with discoverable keys

Researchers at Independent Security Evaluators (ISE) have discovered 732 actively used private keys on the Ethereum blockchain. In their new study titled Ethercombing, ISE found that poorly implemented private key generation is also facilitating the theft of cryptocurrency. Example flow of deriving an Ethereum address from a private key The researchers identified 13,319 Ether (ETH) which was transferred to both invalid destination addresses and forever lost, as well as to wallets derived from weak private … More

The post Research on private key generation reveals theft of ETH funds from accounts with discoverable keys appeared first on Help Net Security.

CCPA and GDPR Compliance Report: New Research Measures Compliance Status and Plans for CCPA and GDPR (Part 3 of 3)

The European Union’s (EU) General Data Protection Regulation (GDPR) has been occupying the minds of privacy professionals for the past two years and now attention is shifting to the California Consumer Privacy Act (CCPA). The CCPA is the toughest US privacy regulation to date and its impact will be felt by almost every organization that does business in California or handles personal information of California citizens. To understand the readiness and plans for businesses to meet the January 1, 2020 deadline for the CCPA, Dimensional Research conducted this research among 250 US privacy professionals from Feb 15th – 27th, 2019. … Continue reading CCPA and GDPR Compliance Report: New Research Measures Compliance Status and Plans for CCPA and GDPR (Part 3 of 3)

The post CCPA and GDPR Compliance Report: New Research Measures Compliance Status and Plans for CCPA and GDPR (Part 3 of 3) appeared first on TrustArc Blog.

CCPA and GDPR Compliance Report: New Research Measures Compliance Status and Plans for CCPA and GDPR (Part 2 of 3)

The European Union’s (EU) General Data Protection Regulation (GDPR) has been occupying the minds of privacy professionals for the past two years and now attention is shifting to the California Consumer Privacy Act (CCPA). The CCPA is the toughest US privacy regulation to date and its impact will be felt by almost every organization that does business in California or handles personal information of California citizens. To understand the readiness and plans for businesses to meet the January 1, 2020 deadline for the CCPA, Dimensional Research conducted this research among 250 US privacy professionals from Feb 15th – 27th, 2019. … Continue reading CCPA and GDPR Compliance Report: New Research Measures Compliance Status and Plans for CCPA and GDPR (Part 2 of 3)

The post CCPA and GDPR Compliance Report: New Research Measures Compliance Status and Plans for CCPA and GDPR (Part 2 of 3) appeared first on TrustArc Blog.

Compliance Report: New Research Measures Compliance Status and Plans for CCPA and GDPR (Part 1 of 3)

The European Union’s (EU) General Data Protection Regulation (GDPR) has been occupying the minds of privacy professionals for the past two years and now attention is shifting to the California Consumer Privacy Act (CCPA). The CCPA is the toughest US privacy regulation to date and its impact will be felt by almost every organization that does business in California or handles personal information of California citizens. To understand the readiness and plans for businesses to meet the January 1, 2020 deadline for the CCPA, Dimensional Research conducted this research among 250 US privacy professionals from Feb 15th – 27th, 2019. … Continue reading Compliance Report: New Research Measures Compliance Status and Plans for CCPA and GDPR (Part 1 of 3)

The post Compliance Report: New Research Measures Compliance Status and Plans for CCPA and GDPR (Part 1 of 3) appeared first on TrustArc Blog.

Firewalls and the Need for Speed

I was looking for resources on campus network design and found these slides (pdf) from a 2011 Network Startup Resource Center presentation. These two caught my attention:



This bothered me, so I Tweeted about it.

This started some discussion, and prompted me to see what NSRC suggests for architecture these days. You can find the latest, from April 2018, here. Here is the bottom line for their suggested architecture:






What do you think of this architecture?

My Tweet has attracted some attention from the high speed network researcher community, some of whom assume I must be a junior security apprentice who equates "firewall" with "security." Long-time blog readers will laugh at that, like I did. So what was my problem with the original recommendation, and what problems do I have (if any) with the 2018 version?

First, let's be clear that I have always differentiated between visibility and control. A firewall is a poor visibility tool, but it is a control tool. It controls inbound or outbound activity according to its ability to perform in-line traffic inspection. This inline inspection comes at a cost, which is the major concern of those responding to my Tweet.

Notice how the presentation author thinks about firewalls. In the slides above, from the 2018 version, he says "firewalls don't protect users from getting viruses" because "clicked links while browsing" and "email attachments" are "both encrypted and firewalls won't help." Therefore, "since firewalls don't really protect users from viruses, let's focus on protecting critical server assets," because "some campuses can't develop the political backing to remove firewalls for the majority of the campus."

The author is arguing that firewalls are an inbound control mechanism, and they are ill-suited for the most prevalent threat vectors for users, in his opinion: "viruses," delivered via email attachment, or "clicked links."

Mail administrators can protect users from many malicious attachments. Desktop anti-virus can protect users from many malicious downloads delivered via "clicked links." If that is your worldview, of course firewalls are not important.

His argument for firewalls protecting servers is, implicitly, that servers may offer services that should not be exposed to the Internet. Rather than disabling those services, or limiting access via identity or local address restrictions, he says a firewall can provide that inbound control.

These arguments completely miss the point that firewalls are, in my opinion, more effective as an outbound control mechanism. For example, a firewall helps restrict adversary access to his victims when they reach outbound to establish post-exploitation command and control. This relies on the firewall identifying the attempted C2 as being malicious. To the extent intruders encrypt their C2 (and sites fail to inspect it) or use covert mechanisms (e.g., C2 over Twitter), firewalls will be less effective.

The previous argument assumes admins rely on the firewall to identify and block malicious outbound activity. Admins might alternatively identify the activity themselves, and direct the firewall to block outbound activity from designated compromised assets or to designated adversary infrastructure.

As some Twitter responders said, it's possible to do some or all of this without using a stateful firewall. I'm aware of the cool tricks one can play with routing to control traffic. Ken Meyers and I wrote about some of these approaches in 2005 in my book Extrusion Detection. See chapter 5, "Layer 3 Network Access Control."

Implementing these non-firewall-based security choices requries a high degree of diligence, which requires visibility. I did not see this emphasized in the NSRC presentation. For example:


These are fine goals, but I don't equate "manageability" with visibility or security. I don't think "problems and viruses" captures the magnitude of the threat to research networks.

The core of the reaction to my original Tweet is that I don't appreciate the need for speed in research networks. I understand that. However, I can't understand the requirement for "full bandwidth, un-filtered access to the Internet." That is a recipe for disaster.

On the other hand, if you define partner specific networks, and allow essentially site-to-site connectivity with exquisite network security monitoring methods and operations, then I do not have a problem with eliminating firewalls from the architecture. I do have a problem with unrestricted access to adversary infrastructure.

I understand that security doesn't exist to serve itself. Security exists to enable an organizational mission. Security must be a partner in network architecture design. It would be better to emphasize enhance monitoring for the networks discussed above, and think carefully about enabling speed without restrictions. The NSRC resources on the science DMZ merit consideration in this case.