
Archive: 2015

Border Gateway Protocol Update Metric Analysis

• CERT/CC Blog
Leigh Metcalf

MRT is a file format used in BGP; in particular, it is used when the router writes updates into a log file. There are many programs out there for parsing these files, but I'm going to talk about a new program created at the CERT Division for searching the files. The program is designed to find routes that affect a given set of CIDR blocks, and to do it quickly....

E Pluribus, Que? Identifying Vulnerability Disclosure Stakeholders

• CERT/CC Blog
Allen Householder

On September 29, Art Manion and I attended the first meeting of the Multistakeholder Process for Cybersecurity Vulnerabilities initiated by the National Telecommunications and Information Administration (NTIA), part of the United States Department of Commerce. There has been ample coverage of the meeting in blogs (e.g., by Dr. Neal Krawetz and by Cris Thomas), mailing lists, and media reports, so I won't attempt to duplicate that information. During the course of the meeting, I became...

Supporting the Android Ecosystem

• CERT/CC Blog
Will Dormann

A few months ago, a widely-publicized set of vulnerabilities called StageFright hit the Android ecosystem. While Google fixed the vulnerabilities in what appears to be a reasonable amount of time, the deployment of those fixes to end-user devices is another story. Many Android devices have a lengthy supply chain, which can make the process of deploying OS updates a slow and uncertain process. In this blog post, I investigate the supply chain of the Android...

CVSS and the Internet of Things

• CERT/CC Blog
Dan J. Klinedinst

There has been a lot of press recently about security in Internet of Things (IoT) devices and other non-traditional computing environments. Many of the most talked about presentations at this year's Black Hat and DefCon events were about hacking IoT devices. At the CERT/CC, we coordinate information about and discover vulnerabilities in various devices, and the number of vulnerabilities keeps growing. One thing that I've personally been researching is finding vulnerabilities in vehicles. In recent...

Instant KARMA Might Still Get You

• CERT/CC Blog
Will Dormann

About a year ago, I started looking into Android applications that aren't validating SSL certificates. Users of these applications could be at risk if they fall victim to a man-in-the-middle (MITM) attack. Earlier this year, I also wrote about the risks of MITM attacks on environments that use SSL inspection. Lately I've been checking whether iOS applications are consistently checking SSL certificates, and they appear to be pretty similar to Android applications in that regard....

Reach Out and Mail Someone

• CERT/CC Blog
Garret Wassermann

Every day, we receive reports from various security professionals, researchers, hobbyists, and even software vendors regarding interesting vulnerabilities that they discovered in software. Vulnerability coordination--where we serve as intermediary between researcher and vendor to share information, get vulnerabilities fixed, and get those fixes out in the public eye--is a free service we provide to the world....

Comments on BIS Wassenaar Proposed Rule

• CERT/CC Blog
Allen Householder

Art Manion and I recently submitted comments to the Department of Commerce Bureau of Industry and Security on their proposed rule regarding Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items. While our detailed comments are lengthy, we summarize our contributions here....

The Risks of Disabling the Windows UAC

• CERT/CC Blog
Will Dormann

While investigating a few of the exploits associated with the recent HackingTeam compromise, I realized an aspect of the Windows User Account Control (UAC) that might not be widely known. Microsoft has published documents that indicate that the UAC is not a security boundary. For these or other reasons, some folks may have disabled the UAC on their Windows systems. I will explain in this blog post why disabling the UAC is a bad idea....

Like Nailing Jelly to the Wall: Difficulties in Defining "Zero-Day Exploit"

• CERT/CC Blog
Allen Householder

During the Watergate hearings, Senator Howard Baker asked John Dean a now-famous question: "My primary thesis is still: What did the president know, and when did he know it?" If you understand why that question was important, you have some sense as to why I am very concerned that "zero-day exploit capability" appears as an operative phrase in the Department of Commerce Bureau of Industry and Security (BIS) proposed rules to implement the Wassenaar Arrangement...

YAF App Label Signature Context with Analysis Pipeline

• CERT/CC Blog
Angela Horneman

In my last post, I presented how to create a YAF application label signature rule that corresponds to a text-based Snort-type rule. In this post, I discuss methods for using Analysis Pipeline to provide context to those signatures. The context for signatures can take many forms. Some context can be derived from the individual flows that match the signatures. This information is easy to obtain from either SiLK or another traffic analysis tool--just look at...

Domain Blacklist Ecosystem - A Case Study

• CERT/CC Blog
Jonathan Spring

Hi all, this is Jonathan Spring with my colleagues Leigh Metcalf and Rhiannon Weaver. We've been studying the dynamics of the Internet blacklist ecosystem for a few years now and the 2015 Verizon Data Breach Investigations Report has corroborated our general results. We get a lot of questions about which list is which and if we can recommend a list. We won't reveal which is which generally, but in this blog post we'll make a...

Making YAF App Labels from Text-Based Snort Rules

• CERT/CC Blog
Angela Horneman

Ever want to use a Snort-like rule with SiLK or Analysis Pipeline to find text within packets? Timur Snoke and I were recently discussing how we could do this and realized that while neither SiLK nor Analysis Pipeline themselves do packet inspection, YAF can be used to create an application label that can be used in analyses in both SiLK and Pipeline (field 29, application). This post outlines the steps required and provides an example....

Baseline Network Flow Examples

• CERT/CC Blog
Angela Horneman

Hi. This is Angela Horneman of the SEI's Situational Awareness team. I've generated service specific network flows to use as baseline examples for network analysis and am sharing them since others may find them helpful. We have been looking at implementing Network Profiling in Analysis Pipeline to automatically generate lists of active servers and to alert when new IPs start acting as servers. As part of this initiative, we started looking at alternatives to using...

The Risks of SSL Inspection

• CERT/CC Blog
Will Dormann

Recently, SuperFish and PrivDog have received some attention because of the risks that they both introduced to customers because of implementation flaws. Looking closer into these types of applications with my trusty CERT Tapioca VM at hand, I've come to realize a few things. In this blog post, I will explain:
• The capabilities of SSL and TLS are not well understood by many.
• SSL inspection is much more widespread than I suspected.
• Many applications that...

Blacklist Ecosystem Analysis

• CERT/CC Blog
Jonathan Spring

Hi all. Leigh Metcalf and I have been continuing our study of the cybersecurity ecosystem. Last year we published a long white paper telling you everything you wanted to know about blacklists. Turns out, that did not save the Internet on its own. We're extending that analysis with more blacklist ecosystem analysis this year....

What's Different About Vulnerability Analysis and Discovery in Emerging Networked Systems?

• CERT/CC Blog
Allen Householder

Hi folks, Allen Householder here. In my previous post, I introduced our recent work in surveying vulnerability discovery for emerging networked systems (ENS). In this post, I continue with our findings from this effort and look at the differences between ENS and traditional computing in the context of vulnerability discovery, analysis, and disclosure....
