Friday, January 24, 2025

Ubiquiti EdgeSwitch User Management



I think it's important to document or learn how to administer your equipment using the GUI and the CLI.


In this example, I use both methods to add and delete a user on a Ubiquiti EdgeSwitch.



Tuesday, January 21, 2025

Two Factors Adversely Affecting U.S. Software and Infrastructure Security – Part 1

 

There has been attention, maybe even intense attention, paid to the security of United States civilian and government computer hardware systems over the last several years. I’m referring to the various discussions about foreign “white box” technology, the Huawei controversy, etc. But what about software security? There’s been lots of talk about hackers, malware, and state-sponsored hacking groups. However, the software powering these systems presents an equally pressing, yet often overlooked, concern.


There are two fundamental security risks with most software products today:

1. An overreliance on open-source software (OSS)

2. Use of foreign software programmers and foreign software manufacturers


Let’s look at the first concern. OSS has become very popular these days. It can drive down product creation costs and improve time to market. However, software security and product integrity risks increase substantially with its use.


For example, one fundamental risk is that you are relying on others to adequately validate that the software is error free. You can obviously do your own extensive validation, but most people/companies don’t seem to want to do that. After all, if you’re going to put that much effort into the software, you would have written it yourself and owned it, rather than working on something that your competitors and anyone else who wants it can have for free. Therefore, many parts of the code verification process are left to the crowd to conduct. Since this is done for “free” by the community, the verification process can range from being done well to being done very poorly (and every level in between), which leads to software code instability and insecurity.


A prime example of this is the Node.js library. According to a 2022 Dark Reading article, researchers at Johns Hopkins University reported that they found 180 different zero-day vulnerabilities that were spread across thousands of Node.js libraries. If you’re not familiar with Node.js, it’s a fairly well distributed set of libraries that were initially created in 2011. With what should have been a large amount of review over 11 years, 180 zero-day flaws is a lot of risk to discover, especially if you are a product manufacturer delivering software solutions to the military or other government departments.


Another example is the Log4Shell vulnerability that was found in the Log4j library in 2021. Apache Log4j is a popular Java library for logging error messages in applications. The vulnerability, originally published as CVE-2021-44228, ended up having three more related vulnerabilities. Again, just because a piece of software was reviewed by a group doesn’t mean it’s safe.


Proponents of OSS will tell you this is the exception and not the rule. They repeatedly state that the community reviews the code to catch problems. While this may be happening, something appears to be very, very wrong. The Synopsys 2024 Open Source Security and Risk Analysis Report found the contrary to be the norm. The report found that 84% of the codebases they assessed for risk contained vulnerabilities. Furthermore, 74% of those codebases’ vulnerabilities were high-risk issues. If communities are reviewing OSS as extensively as OSS proponents claim, it doesn’t look like they’re doing too good of a job.

What happens to the code after a year, two years, and more? Does anyone go back and update it to eliminate (or at least reduce) software vulnerabilities? While there are some examples of this, the Synopsys report found that 91% of codebases contain components that did not have any new development updates in over two years. The report did show that the number improved by 2 points (dropping to 89%) for code that was 4 years or so out of date.

What about all of the other open-source libraries being used? Not only could there be a lot of accidental “ticking timebombs” out there, but there could also be zero-day flaws discovered by bad actors (especially some foreign governments) that are deliberately not reported so that the bad actors can use those flaws at a later date for nefarious purposes.


So, while every company has a different tolerance for security risk, relying on other companies to do the security analysis and vetting of OSS might not be such a safe bet for you, or your customers (who will probably come after you if they are breached because of your product vulnerabilities). One of the best ways to avoid the situation is to buy software solutions that do not heavily rely on OSS. While a usage of 0% OSS is technically possible, you will be hard pressed to find a manufacturer that does not use any OSS.


A reduced OSS dependency plan gives you two clear benefits. First, you have a substantial possibility of reducing your security risk by not using potentially compromised software. Second, bad actors are generally less inclined to spend time trying to attack proprietary code. There is little in it for them. It takes a lot of time to analyze the code for defects, and it is even harder for them to get their hands on proprietary code in the first place. It’s so much easier to analyze OSS for flaws, then find products using that OSS, and then attack multiple company products that use that same code. Once they have found an OSS defect, they can literally attack 5, 10, or more products by exploiting the one or two defects that they find in the OSS code.

 

Axellio uses United States citizen workers and does not overly rely on the use of open-source code. Axellio carefully manages its use of open-source components and rigorously tests and evaluates the code used to reduce exposure to vulnerabilities. If you want additional information, check out this sales brief on the Axellio website.





About Axellio

Axellio provides extreme high-performance, scalable, compact, economical, and simultaneous time-series data ingest, storage and distribution solutions for the defense and intelligence community at speeds exceeding 200 Gbps. Axellio’s PacketXpress® platform focuses on network traffic packet capture, distribution, and analysis for cybersecurity monitoring and forensic analysis, and is operationally deployed with the US Army worldwide. For intelligence, surveillance, and reconnaissance applications (ISR), Axellio’s SensorXpress offers ingestion and storage of RF data from sensors and distributes it to analysis applications simultaneously at rates exceeding 200 Gbps.  Learn more about Axellio at www.Axellio.com.

Monday, January 20, 2025

Network Testing Tip

 


As I mentioned in the video, some of you may find this helpful.


Whenever we test, and more commonly, ping, I find that people can lose sight of the big picture.


Any type of response time tool should be used with a reference point to compare it to. 


In this example I show you a simple ping test where we get a spike. If I did not have a local machine as a reference point, I would’ve thought the spike was due to the Internet or the server.


That’s it folks, I will keep it short and sweet.

 

Have a great day.
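An added example (not from the original post or video) of the reference-point comparison described above: it pairs ping replies to a remote server and to a local reference host by sequence number and labels each remote spike by whether the reference spiked too. The sample output, addresses, and 3x-median threshold are constructed assumptions, and pairing by icmp_seq assumes both pings were started together at the same interval.

```python
import re
from statistics import median

# Constructed sample output (not from the post): two pings run side by side.
REMOTE = """\
64 bytes from 203.0.113.10: icmp_seq=1 ttl=54 time=21.3 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=54 time=20.9 ms
64 bytes from 203.0.113.10: icmp_seq=3 ttl=54 time=184 ms
64 bytes from 203.0.113.10: icmp_seq=4 ttl=54 time=21.7 ms
64 bytes from 203.0.113.10: icmp_seq=5 ttl=54 time=95.2 ms
64 bytes from 203.0.113.10: icmp_seq=6 ttl=54 time=21.1 ms
"""
LOCAL = """\
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.1 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=1.0 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=162.4 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=1.2 ms
64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=1.1 ms
64 bytes from 192.168.1.1: icmp_seq=6 ttl=64 time=1.0 ms
"""

LINE = re.compile(r"icmp_seq=(\d+) .*?time=([\d.]+) ms")

def parse(text):
    """Map icmp_seq -> RTT in ms from Linux-style ping output."""
    return {int(seq): float(rtt) for seq, rtt in LINE.findall(text)}

def spikes(rtts, factor=3.0):
    """Sequence numbers whose RTT exceeds factor x the median RTT."""
    baseline = median(rtts.values())
    return {seq for seq, rtt in rtts.items() if rtt > factor * baseline}

def attribute(remote_text, local_text, factor=3.0):
    """Label each remote spike using the local reference at the same seq."""
    remote, local = parse(remote_text), parse(local_text)
    local_spikes = spikes(local, factor)
    verdict = {}
    for seq in sorted(spikes(remote, factor)):
        if seq not in local:
            verdict[seq] = "unknown"   # no reference sample to compare against
        elif seq in local_spikes:
            verdict[seq] = "local"     # reference spiked too: sender or LAN
        else:
            verdict[seq] = "upstream"  # reference flat: beyond the local segment
    return verdict

if __name__ == "__main__":
    for seq, where in attribute(REMOTE, LOCAL).items():
        print(f"icmp_seq={seq}: spike attributed to {where}")
```
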



Monday, January 13, 2025

Ubiquiti EdgeRouter VPN Configuration

I typically encounter situations where I need to come up with a solution. Sometimes it is a temporary solution while we wait for the ‘proper one to get deployed’; other times, it’s more of a proof of concept to see if the client will actually use it.

A great example is when I installed a Ubiquiti router for a client at a remote office. We had a discussion afterwards about support and monitoring. Of course, I bring that up since a majority of my work involves troubleshooting.

I respected the client’s honesty when he bluntly said “We have thought of it, but not had any time to follow up as of yet”. I totally understand and appreciate what he means. He then added that they are currently using the Ubiquiti cloud network management platform. After a quick chat we both realized that there are some blind spots in their monitoring and an inability to easily connect to the office locally.

His face lit up when I suggested we set up a test VPN, so we can VPN into the office router and then have full access to all the local hosts and resources. He was concerned that this was going to be complicated and wondered how much this was going to cost.

When I explained that all their routers support various VPN access options and that I have done this before, he gave me the nod to proceed. An hour later, he and the support team were VPN’ed in and happy as can be. I ended up using an L2TP configuration since it was the easiest and most compatible. I figure if he likes and uses the VPN solution, we can change it to OpenVPN or WireGuard later.




