Monday, February 17, 2025

Spot Checks and Logs


I have a habit of always checking the logs of any equipment I work on.


Clients are surprised when I find the occasional easter egg.


In this example, I was working on a router configuration change when I checked the log. It was full of invalid login attempts from questionable IP addresses. After I showed the client, he was shocked, since all of his routers have their built-in firewall enabled.


We took a peek, and he was correct: the firewall was enabled, but it had no rules configured. We referred to his configuration document and added his "standard" WAN interface rules. Then we checked the logs to confirm that the poking and prodding had ended.


I suggested that, at a minimum, he set up a syslog server to better manage and monitor his equipment. There are plenty of free and paid syslog servers out there. I suggested he pick one where he can configure what to be alerted on, since some devices can get pretty verbose with their syslog output.


Here's the thing about syslog, or network monitoring in general. The key is to not fall into the trap where so much is being reported that you become desensitized, start ignoring everything, and miss a legitimate problem. I suggested listing the most common scenarios you want to be alerted on and then setting alerts on those events first. Try not to be too generic. For example, you might want an alert if the network port a server is connected to goes down, but not one for a client or a printer.
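Two points from the story above are worth turning into something concrete. First, a firewall that is "enabled" with no rules is only as good as its default policy; the log full of login attempts from the internet was the real evidence, and it is worth re-reading the log after a change rather than trusting the status page. Second, the targeted alerting described above can be expressed as a handful of rules over the forwarded syslog stream. The following is an added example, not code from this post or from any particular syslog product. It parses a constructed batch of RFC 3164-style lines (the hostnames, interface names, and TEST-NET source addresses are invented for the example), counts failed logins per source address so that a single typo from the admin LAN does not page anyone but a burst from one outside address does, and reports a link-down event only for ports on a hypothetical server-port watchlist and only if the port is still down at the end of the window (a port that flapped and recovered stays quiet).

```python
import re
from collections import Counter

# Constructed sample of RFC 3164-style syslog lines ("<PRI>timestamp host proc[pid]: msg"),
# in the shape a router or switch forwards to a syslog server. These are not from the
# post's router; the public source addresses are documentation ranges (TEST-NET), so the
# example runs offline and matches nothing real.
SAMPLE_LOG = """\
<38>Feb 17 08:01:12 edge-rtr sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51422 ssh2
<38>Feb 17 08:01:14 edge-rtr sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51430 ssh2
<38>Feb 17 08:01:15 edge-rtr sshd[2233]: Failed password for root from 203.0.113.45 port 51441 ssh2
<38>Feb 17 08:01:19 edge-rtr sshd[2235]: Failed password for invalid user test from 203.0.113.45 port 51460 ssh2
<38>Feb 17 08:02:40 edge-rtr sshd[2240]: Failed password for invalid user ubnt from 198.51.100.7 port 40012 ssh2
<38>Feb 17 08:02:41 edge-rtr sshd[2240]: Failed password for invalid user ubnt from 198.51.100.7 port 40013 ssh2
<38>Feb 17 08:05:02 edge-rtr sshd[2250]: Accepted password for netadmin from 192.168.10.20 port 55100 ssh2
<38>Feb 17 08:06:30 edge-rtr sshd[2260]: Failed password for netadmin from 192.168.10.20 port 55102 ssh2
<188>Feb 17 08:10:00 core-sw kernel: eth12: link down
<188>Feb 17 08:10:05 core-sw kernel: eth3: link down
<188>Feb 17 08:10:07 core-sw kernel: eth5: link down
<188>Feb 17 08:10:30 core-sw kernel: eth12: link up
<190>Feb 17 08:11:00 core-sw dhcpd: DHCPACK on 192.168.10.77 to aa:bb:cc:dd:ee:ff via eth5
"""

# Hypothetical watchlist: only the switch ports that face servers are worth paging on.
# eth5 (a printer in this constructed scenario) is deliberately not on it.
SERVER_PORTS = {("core-sw", "eth3"), ("core-sw", "eth12")}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_LOGIN_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
LINK_RE = re.compile(r"^(?P<iface>\S+): link (?P<state>up|down)$")


def parse_line(line):
    """Split one syslog line into fields and decode PRI into facility/severity (PRI = facility*8 + severity)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparseable line: skipped rather than crashing the pipeline
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
    return rec


def parse_log(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def failed_logins_by_source(records):
    """Count authentication failures per source IP; successful logins are not counted."""
    counts = Counter()
    for rec in records:
        m = FAILED_LOGIN_RE.search(rec["msg"])
        if m:
            counts[m["ip"]] += 1
    return counts


def link_down_alerts(records, server_ports):
    """Watched ports whose LAST state in the window is 'down'.

    A port that flapped and came back is not reported, and unwatched ports never are,
    which is the 'server port yes, printer port no' rule from the post.
    """
    last_state = {}
    for rec in records:
        m = LINK_RE.match(rec["msg"])
        if m:
            last_state[(rec["host"], m["iface"])] = m["state"]
    return sorted(
        f"{host}:{iface}"
        for (host, iface), state in last_state.items()
        if state == "down" and (host, iface) in server_ports
    )


def triage(text, threshold=3, server_ports=frozenset()):
    """Return only the alerts worth a human's attention, as short strings."""
    records = parse_log(text)
    alerts = []
    for ip, n in sorted(failed_logins_by_source(records).items()):
        if n >= threshold:  # a single typo never pages; a burst from one source does
            alerts.append(f"brute-force: {n} failed logins from {ip}")
    for port in link_down_alerts(records, server_ports):
        alerts.append(f"link-down: {port}")
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, threshold=3, server_ports=SERVER_PORTS):
        print(alert)
```

On the constructed input this produces exactly two alerts: the four failures from 203.0.113.45 and the server port core-sw:eth3 that stayed down. The two failures from 198.51.100.7, the one admin typo on the LAN, the printer port, the port that flapped and recovered, and the DHCP chatter all stay out of the alert channel, which is the whole point of deciding on the scenarios first and writing rules for those rather than forwarding everything. The threshold and watchlist are the knobs a real deployment would tune.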


Wednesday, February 12, 2025

Two Factors Adversely Affecting U.S. Software and Infrastructure Security – Part 2

The last decade has seen a fundamental shift in product development: the extensive use of open-source software. This crowd-sourced effort has made software development faster and cheaper, and potentially riskier. While the rampant use of open-source software (OSS) is a contributor to the problem, the issue extends beyond OSS. The increasing role of Chinese companies in developing software across various sectors, including those deemed critical, raises additional concerns.


In 2023 and 2024, FBI Director Christopher Wray repeatedly warned the country that the Chinese government poses a "broad and unrelenting" threat to U.S. critical infrastructure. A study by Fortress Information Security revealed that a staggering 90% of the software products it reviewed for United States electric power companies (covering both information technology (IT) and operational technology (OT) products) contained components developed by individuals from either China or Russia. Whether, and to what extent, any of this code is compromised is unknown. However, the report further stated that software with Russian- or Chinese-made code is 2.25 times more likely to have vulnerabilities and that such "software is three times more likely to have critical vulnerabilities."


This involvement raises worries about backdoors being intentionally inserted into the software, about data exfiltration, and even about the capacity to disrupt these systems, particularly during times of conflict. It also highlights the concern that foreign governments could pressure businesses to compromise their software for nefarious purposes. Additionally, individuals acting independently with malicious intentions could introduce vulnerabilities.

Even when the source of the software is known, ensuring its integrity can be challenging. Sophisticated actors can exploit vulnerabilities to gain unauthorized access or manipulate data, compromising sensitive information and disrupting critical operations. The potential consequences of such breaches, particularly in defense, intelligence, and critical infrastructure, could be catastrophic.


Reporting from SecurityWeek showed that North Korea (and to some extent China) is using nation-state operatives posing as remote workers to infiltrate US companies. Part of the purpose is to help North Korea fund its nuclear program. The operatives were also observed manipulating session history files, transferring potentially harmful files, and executing unauthorized software.


Another SecurityWeek report showed that the incident cited above was not an isolated case. There have been hundreds of recent attempts by North Korea to infiltrate US companies with software engineers to steal information and plant malware, all while the engineers earn money that helps fund North Korea's nuclear program.


While this blog focuses mainly on the US, this is a global problem. For instance, according to Business Insider, South Korea decided to remove 1,300 cameras from its military bases after discovering that the devices had software designed to send camera feeds back to a Chinese server. Concerns like this are why President Biden sought to enact controls over the use of software in Chinese-manufactured cars. Rear Adm. Jay Vann, commander of the Coast Guard's Cyber Command, has also raised concerns about undocumented "Chinese software" and cellular modems installed on approximately 80% of the ship-to-shore cranes used in United States trade ports. The software and modems were not listed on the bill of sale for the cranes, which were manufactured by a Chinese company called ZPMC.


So, what can be done about the problem? Organizations must prioritize working with companies committed to developing and delivering secure, trustworthy software, including those that:

o   Prioritize rigorous standards and certifications: Look for companies that adhere to internationally recognized standards such as ISO 9001:2015 (quality management) and ISO/IEC 27001 (information security management), and whose delivered systems hold relevant authorizations, such as a DoD Authority to Operate (ATO).

o   Focus on domestic development and customization: U.S.-based companies can offer greater transparency and control over the software development process, minimizing reliance on foreign components and reducing the risks associated with supply chain vulnerabilities. This approach helps keep sensitive code within U.S. jurisdiction.

o   Reduce the use of open-source software: Organizations should develop software internally (where they know the provenance of the code) or seek partners who can provide customizable solutions that meet their security requirements. Where open-source components are unavoidable, they should be tracked in a software bill of materials (SBOM) and vetted as carefully as purchased code.


So how does the industry move forward? Addressing software supply chain risks requires a multi-faceted approach. We need to implement more rigorous vetting processes, especially for critical systems. Supporting U.S.-based software development for key industries is crucial, as is collaborating to improve security practices. Most importantly, we must raise awareness among decision-makers about the importance of software supply chain security. As we continue to secure our digital infrastructure, we need to remember that the integrity of our software is just as crucial as that of the hardware it runs on. By prioritizing "Made in America" software and addressing the complex challenges of our global software ecosystem, we can build a more resilient and secure digital future.


If you want additional information, check out this sales brief on the Axellio website. Axellio employs United States citizens and does not rely heavily on open-source code. Axellio carefully manages its use of open-source components and rigorously tests and evaluates the code it uses to reduce exposure to vulnerabilities.

Monday, February 10, 2025

Why Packet Analysis (and Wireshark) Should Be In Your Security Toolkit

Don't underestimate the value of packet analysis in your security strategy. And if you're analyzing packets, the open-source Wireshark software is the go-to tool. On today's episode, we talk with Chris Greer, a Wireshark trainer and consultant specializing in packet analysis.


Chris explains the critical role of packet analysis in cybersecurity, particularly in threat hunting and incident response. He emphasizes why security professionals should understand packet and network protocol fundamentals, and highlights the value of Wireshark as a learning tool.


We also cover continuous learning options such as SharkFest, YouTube, and Udemy for those looking to enhance their skills in packet analysis.


Wednesday, February 5, 2025

Ubiquiti WAN Balancing And Failover Part 2

I really enjoy hearing from people who read my articles or watch my videos. The feedback is usually very helpful: ideas for the next article, requests for clarification or help, and, most importantly, things I may have missed covering in the article or video.


A great example is when I posted the article "Testing Edgerouter load balancing" (https://www.networkdatapedia.com/post/testing-edgerouter-load-balancing). If you didn't see it, I did a simple video and short write-up explaining how I implemented failover on a Ubiquiti router.


A few people asked if I had tested what would happen if the link was physically up but carrying no data. Fortunately I had already started that lab, video, and write-up, so it was nice to know we were on the same mental page.


In this video, I cover that scenario: I disconnect an upstream connection so that the router's link status stays up but no data flows.


I used this Ubiquiti page to configure my router: https://help.ui.com/hc/en-us/articles/205145990-EdgeRouter-WAN-Load-Balancing. The article does a great job explaining the commands.



Monday, February 3, 2025

Good old Windows Command Prompt

I can't tell you how many times someone has commented that they had no idea how powerful the command prompt is and how many things you can do from it. The same applies to the CLI of most equipment.


OK, I will admit and confess that since I started in this field in the late '90s, the command prompt or CLI doesn't spook me at all. Truth be told, I go looking for it, since I like to script things, and it's much easier to do so from the CLI than from a GUI.


Since Microsoft introduced the Windows Terminal application, I thought it would be helpful to review basic redirection and the new Export Text feature that is available.


Enjoy


