Containers or virtual machines: Which is more secure? The answer will surprise you


The real point, though, isn’t which technology is more secure per se. It’s that, for the most severe security problems, containers and VMs have about the same level of security. Indeed, Bottomley thinks, “it is perfectly possible to have containers that are more secure than hypervisors and lays to rest, finally, the arguments about which is the more secure technology.”

“The next step,” he continued, “is establishing the full extent of exposure to a malicious application and to do that, some type of fuzz testing needs to be employed.”

In addition, Bottomley’s work is only the start. He’s shown it’s possible to objectively measure an application’s security. As he said, “I don’t expect this will be the final word in the debate, but by describing how we did it I hope others can develop quantitative measurements as well.”

(Via Latest Topic for ZDNet in security)

I highly recommend reading the source post here: Measuring the Horizontal Attack Profile of Nabla Containers. It’s about as long as, but more technical than, the above article.

I’ve not kept up with containers much in the last few years. I was taken by the technology and the approach to the point of having a rather nice lab set up at home on a spare BSD box I had kicking around. I remember someone presenting a talk on using containers (specifically, Docker instances) on the desktop for better process isolation of web browsers and security testing tools. I almost wish I had the cycles to dive back in.

p.s. — Steven J. Vaughan-Nichols, the author of the first article, should donate, some, of his, many, extra, commas to James for his post. 😉


An Example of Deterrence in Cyberspace


In 2016, the US was successfully deterred from attacking Russia in cyberspace because of fears of Russian capabilities against the US.

I have two citations for this. The first is from the book Russian Roulette: The Inside Story of Putin’s War on America and the Election of Donald Trump, by Michael Isikoff and David Corn. Here’s the quote:

The principals did discuss cyber responses. The prospect of hitting back with cyber caused trepidation within the deputies and principals meetings. The United States was telling Russia this sort of meddling was unacceptable. If Washington engaged in the same type of covert combat, some of the principals believed, Washington’s demand would mean nothing, and there could be an escalation in cyber warfare. There were concerns that the United States would have more to lose in all-out cyberwar.

“If we got into a tit-for-tat on cyber with the Russians, it would not be to our advantage,” a participant later remarked. “They could do more to damage us in a cyber war or have a greater impact.” In one of the meetings, Clapper said he was worried that Russia might respond with cyberattacks against America’s critical infrastructure — and possibly shut down the electrical grid.

The second is from the book The World as It Is, by President Obama’s deputy national security advisor Ben Rhodes. Here’s the New York Times writing about the book.

Mr. Rhodes writes he did not learn about the F.B.I. investigation until after leaving office, and then from the news media. Mr. Obama did not impose sanctions on Russia in retaliation for the meddling before the election because he believed it might prompt Moscow into hacking into Election Day vote tabulations. Mr. Obama did impose sanctions after the election but Mr. Rhodes’s suggestion that the targets include President Vladimir V. Putin was rebuffed on the theory that such a move would go too far.

When people try to claim that there’s no such thing as deterrence in cyberspace, this serves as a counterexample.


(Via Schneier on Security)

Well said and cited.

Is Your SOC Flying Blind?, (Sun, Jun 3rd)


After you have finished impressing your VIPs, what actionable information should be displayed in your SOC to help them respond to threats in your environment?

Consider spending time this week ensuring your SOC wall is populated with meaningful screens that add value to your SOC by asking these questions.

  • Which security controls are not sending data to your SOC?
  • Would your SOC know when your most critical systems stopped sending their logs?
  • What is the baseline of traffic volume in and out of your sensitive network zones?
  • What is the health status of your security agents?

Share what you find valuable on your SOC wall!

(Via SANS Internet Storm Center, InfoCON: green)

Typical mistakes of SOCs – forgetting the audience, not accommodating multiple audiences, and not providing content tailored to each audience. Metrics, analytics, dashboards, and reporting are every bit as important as any other SOC function.
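The second ISC question above (would the SOC notice when a critical system stops sending logs?) is a check that can run over the log feed itself. The following is an added example, not code from the ISC post or this blog; the event line format, source names, "critical" set and thresholds are constructed assumptions. Each source is compared against its own median inter-event interval rather than one global timeout, so a chatty firewall and a quiet domain controller get different silence thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample feed, one "<ISO timestamp> <source>" line per event (hypothetical format).
SAMPLE_EVENTS = """\
2018-06-03T08:00:05 fw-edge-01
2018-06-03T08:05:10 fw-edge-01
2018-06-03T08:10:02 fw-edge-01
2018-06-03T08:00:40 dc-01
2018-06-03T08:02:40 dc-01
2018-06-03T08:04:40 dc-01
2018-06-03T08:01:00 edr-agent-13
"""
# Sources the SOC expects to hear from (say, from the asset inventory); constructed names.
EXPECTED_SOURCES = {"fw-edge-01", "dc-01", "edr-agent-13", "proxy-02"}
CRITICAL_SOURCES = {"dc-01", "proxy-02"}

def parse_events(text):
    per_source = defaultdict(list)  # source name -> list of event timestamps
    for line in text.splitlines():
        ts, src = line.split(" ", 1)
        per_source[src].append(datetime.fromisoformat(ts))
    return per_source

def silent_sources(text, now_iso, expected=EXPECTED_SOURCES,
                   factor=3, min_gap=timedelta(minutes=10)):
    """Return {source: reason} for expected sources gone quiet. Baseline is each
    source's own median inter-event interval; silent once gap > factor * baseline."""
    now = datetime.fromisoformat(now_iso)
    seen, silent = parse_events(text), {}
    for src in sorted(expected):
        events = sorted(seen.get(src, []))
        if not events:
            silent[src] = "never seen"  # control is not feeding the SOC at all
            continue
        gap = now - events[-1]
        if len(events) < 2:  # no baseline yet, fall back to the fixed floor
            if gap > min_gap:
                silent[src] = f"single event, silent for {gap}"
            continue
        intervals = sorted(b - a for a, b in zip(events, events[1:]))
        baseline = intervals[len(intervals) // 2]
        if gap > max(factor * baseline, min_gap):  # min_gap floor avoids flapping on bursty sources
            silent[src] = f"silent for {gap}, baseline interval {baseline}"
    return silent

def soc_wall_lines(text, now_iso, critical=CRITICAL_SOURCES):
    """Render findings for the SOC wall, critical systems first."""
    silent = silent_sources(text, now_iso)
    order = sorted(silent, key=lambda s: (s not in critical, s))
    return [f"{'CRITICAL' if s in critical else 'WARN'} {s}: {silent[s]}" for s in order]
```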

All Women on Deck at RESET Cyber Conference


With more than 15 female experts in cybersecurity scheduled to speak on the evolving cyber threat landscape, RESET, hosted by BAE Systems, claims to be challenging the status quo with its all-female speaker lineup.

Scheduled for 14 June at the Kennedy Lecture Theatre, University College London (UCL), the conference is open to all security professionals and will “provide in-depth knowledge of destructive cyber-attacks and criminal operations, threat hunting and strategy, and human centric security. In panel discussions, we consider public and private roles in defending cyber space and the risks of securing the un-securable as new technologies emerge.”

What is unique about this event is the speaker lineup. BAE Systems threat intelligence analysts Kirsten Ward and Saher Naumaan have launched the event not only to bring professionals together to engage in a discussion about the evolving threat landscape, but also in part to showcase the impressive women who are often not invited to speak at industry conferences.

Click through to get all the details.

Duct Tape & Baling Wire -vs- DRM

Appliance Companies Are Lobbying to Protect Their DRM-Fueled Repair Monopolies

The bill (HB 4747) would require electronics manufacturers to sell replacement parts and tools, to allow independent repair professionals and consumers to bypass software locks that are strictly put in place to prevent “unauthorized” repair, and would require manufacturers to make available the same repair diagnostic tools and diagrams to the general public that it makes available to authorized repair professionals. Similar legislation has been proposed in 17 other states, though Illinois has advanced it the furthest so far.

Companies such as Apple and John Deere have fought vehemently against such legislation in several states, but the letters, sent to bill sponsor David Harris and six other lawmakers and obtained by Motherboard, show that other companies are fighting against right to repair as well.

(Via Motherboard)

The right to repair used to be assumed. I remember working on my grandfather’s car with my Dad. I remember changing oil and tires and brakes and head units and shocks and mufflers, etc. for that and other cars. And I wasn’t (and still am not) a car guy.

I built and fixed computers when replaceable parts were the norm.

My Dad, members of my family, and people with whom I went to university worked on farms and ranches and regularly repaired the heavy equipment. These were the real instances of duct tape and baling wire.

How about the early telephone system, which sometimes used barbed wire stretched along fences in rural communities?

We’re not in the early telephone days. We’re in a world where companies can prevent their customers from having agency over products they purchase. Companies can put their customers at risk and not allow the very same customers to protect themselves or even be able to figure out if they’re at risk in the first place.


I think no one learned a valuable lesson …

Yahoo gets $35 million slap on wrist for failing to disclose colossal 2014 data breach

The SEC forced Yahoo to pay $35 million in penalties to settle charges that it misled investors. The breach has been widely publicized and is considered one of the largest data breaches on record.

Yahoo’s operating business, now known as Altaba, was acquired last year by Verizon for $4 billion.

What would have been paid under GDPR? $198M if this article is correct.

Calling this a “slap on the wrist” is an insult to wrist slaps everywhere.


The State of InfoSec Podcasts

With a few exceptions, InfoSec podcasts sound the same to me as they did in 2014, both in production quality and in content.

There are two daily shows: SANS ISC Storm Cast and the Cyberwire. They run the gamut – SANS has a brief, unpolished production sense and the Cyberwire is perhaps overproduced and over-sponsored. Both provide solid daily content. I’m happy to skip both shows’ “research” component.

And then there’s the rest.

Most non-vendor podcasts fall into two general categories: echo chambers and interviews.

The “echo chambers”, essentially panel shows full of inside jokes, are mostly gone from my pod catcher. Their production quality is close to zero and they’re mostly op-ed (opinion & editorial) with no counter argument. On PVCSec we tried and mostly failed to counter the standard InfoSec podcast.

The interview shows can be better. The production quality tends to be higher. Several make the interview more about the show host/interviewer and less about the interviewee. Sponsored shows are just that.

There is a third category: “NPR”-style free podcasts. These are the ones that talk about topics most other typical security podcasts miss – legal, governmental, and diplomatic.

Here’s what I’m catching:

If your InfoSec podcast is not on my list and you want it on there, let me know why I should include it.


DNS for privacy, security, and performance

Cloudflare and Quad9 Aim to Improve DNS

Cloudflare and Quad9 offer public DNS servers that provide a combination of verification, privacy-focused protocols, and encryption to mitigate DNS’s leaks and flaws.

I’ll cut to the chase to tell you how to configure your devices to use these services before getting into the nitty-gritty of how DNS works and how these services improve on an insecure and easy-to-corrupt design.

(Via TidBITS)

Go to the article for the how, but …

For the different services, the IP addresses to enter are:

  • Cloudflare: 1.1.1.1 and 1.0.0.1 (see note below)
  • Google Public DNS: 8.8.8.8 and 8.8.4.4
  • Quad9: 9.9.9.9 and 149.112.112.112

The last 60% of the article is a solid, easy-to-understand write-up on DNS and on how Quad9 and Cloudflare (and, to a lesser extent, Google) are trying to address its inherent issues and risks without a complete redesign (see the last section in the article).

Nevertheless, every step you take toward greater security and privacy is a positive one. It’s important to think about where your data ends up, and only you can decide whether having your queries available to Cloudflare, Google, or Quad9 is an improvement over your existing exposure to your ISP, which may not employ any of the above mitigations.

Full Disclosure: I work for IBM, a founding member of Quad9.


Restricting Security Intel from prime consumers

Today’s Headlines and Commentary:

Secretary of Homeland Security Kirstjen Nielsen informed the Senate intelligence committee on Wednesday that only 20 of 150 state and local election officials have the security clearances they need to receive election security intelligence, Axios . Officials require this clearance to receive crucial information from the department on how best to decrease election infrastructure vulnerabilities ahead of Russian interference in the upcoming congressional midterm elections. Nielsen said that the department will sponsor a maximum of three officials per state to receive the sensitive clearance, and said her department will work through the interagency process to bypass the security clearance process and share urgent intelligence with local officials if needed.

(Via Lawfare – Hard National Security Choices)

How useful is security intelligence if the primary audience by and large isn’t allowed to read it?


The Cambridge Analytica-Facebook Debacle: A Legal Primer

Another strong, largely hyperbole-free summary from Lawfare, including possible legal ramifications.

The Cambridge Analytica-Facebook Debacle: A Legal Primer:

What Happened?

On March 17, the New York Times that Cambridge Analytica, the British data analysis firm with ties to Robert Mercer and Stephen K. Bannon and that was hired by the Trump campaign, “harvested private information from the Facebook profiles of more than 50 million users without their permission.” This set off a firestorm in the U.S. and the U.K. as regulators announced they would get to the bottom of what went wrong. Sen. Ron Wyden asked Facebook a . Massachusetts Attorney General Maura Healey into the matter, followed by the . And the U.K.’s information commissioner, Elizabeth Denham, said she would . This in turn —down nearly 7 percent by the market’s close on Monday, March 19 and down nearly another two points on Tuesday, March 20. On Monday night, the New York Times revealed that Facebook’s chief security officer, Alex Stamos, is after much internal disagreement with the way the firm handled concerns about misinformation in the 2016 elections.

(Via Lawfare – Hard National Security Choices)

Enjoy!
