Security and the Cloud: The need for high bandwidth entropy

Entropy. Its the clutter on your desk, the noise from your fan, the randomness in your life. We spent most of our lives trying to reduce entropy (filing things, sorting, making order from chaos).

But what if I told you there is an entropy shortage somewhere near you, and, that you should care? Would you come and lock me up in pyjamas with sleeves in the back? Well.. you see, good entropy (randomness) is important for good encryption. And you use a lot of it when you create connections to things (as well as on an ongoing basis). If someone can predict your randomness, even just a little, your protections are reduced.

Enter the cloud. A big server, shared with a lot of people. I've even heard terms like 'serverless' bandied about for something that looks suspiciously like a server to me, just one that shares with a big pool of the great unwashed.

Lets examine the entropy of one of my home Kubernetes system (which has been pressed into service to build envoy which uses bazel which has previously caused a lot of trouble). See the graph? See how it falls off a cliff when the job starts, and then slowly rebuilds? And this is with a hardware-assisted random-number generator (/rngd is reading from /dev/hwrng). Imagine my poor machine trying to collect randomness, where will it get it from? There's no mouse or keyboard to get randomness from me. It just sits quietly in the basement, same humdrum existence day in and out.

Now, there are usb random number generators (like this one). $100. it generates about 400kbits/s of random. Is it random? Well, that's a hard test to perform. And it matters. What if its random number generator is like the one in my old TI 99 4/A machine? You called 'seed(n)' and it followed a chain.

We could splurge, $300 for this one. Its got 3.2Mb/s of randomness. Maybe I should get a few of these and come up with a cloud service, randomness as a service? O wait, you say that exists?

Mickey Mouse Arrests DDoS Criminal. 10 years hard time!

Now this is getting somewhere. Earlier I wrote about getting no real punishment for big bad deeds online. Seems the powers that be read the blog with the most 🙂

We've got two big sentences here. Mr Daniel Kaye got 3 years for taking down an African mobile carrier (at the behest of their competitor. Oh my! Cellcom plays rough!). He also took down 900K germans and quite a bit of infrastructure, for which he received a suspended sentence. Mirai. You naughty botnet of pvrs and cameras.

But, even bigger, we've got a chap by the name of Martin Gottesfeld. DDoS'd a bunch of hospitals in Boston. Then got in a boat and tried to flee to Cuba. Likely a 3 hour cruise, so just sit right back and you'll hear a tale...

Well, seems the seas got rough, the boat looked to be lost, they hit the SoS, and, well, a giant (no doubt panama-flagged) Disney boat picked him up and dropped him off for 10 years of hard time.

And I gotta say, this should be a bit of a deterrent. And it should be, attacking children's hospitals is a dangerous thing, peoples lives hang in the balance (as they would for knocking out a cell phone company).

Read the gory details on BBC, on Krebs, on Reuters.

$$$ if you are interested in building a better online Canada?

If you are a charity, not-for-profit, or academic institution, and you have an idea for a project build a better online Canada through infrastructure/access/digital literacy/engagement/services, you should consider applying for funding through CIRA's Community Investment Program.

Grants are usually up to $100K, but this year one grant of up to $250K will be available. Think of how you could put that money to work. Now write it in your application.

 

Button down your 2-factor-auth and dnssec lest ye be hijacked

Got a DNS name? (if not, why not?). Make sure the 'console' you use to access/control/edit it is locked down with 2-factor authentication. Ideally its e.g. OAUTH2 off your Google account which uses a Yubikey or at least your Android phone for push. Not sure I'd even both with SMS, but I suppose if its that or nothing. I'll wait, this is important. Its not hard to do, just enable it (and maybe do your Amazon, Github, Gmail while you are at it).

OK, done? Good. You just neutralised half of the horror you are about to read. Now, before I give you the details, while you are in your DNS console, enable DNSSEC, and then check it here. May as well double check your CAA and SPF while you are in there.

OK, back, done? Good. You've neutralised most of the rest. So lets read what the good folks at Fireeye have said. Its a method of broadly harvesting all kinds of information by spoofing a machine, without much chance of the victim detecting.

Now, the next step, and my ask of you. For a couple of sites you care about, do a quick check. Do they have DNSSEC enabled? If not, contact them, open a support ticket, give them a tsk tsk sound as you pass them in the hall, whatever you gotta do.

Here's an example, my bank. No DNSSEC. Why not? Lets check the CAA:
$ dig -t caa royalbank.com
... NO RECORDS...

This is no good. A CAA record helps prevent you from being spoofed. The above attack, if it can get a hold of your DNS, can sign a certificate w/ Let's Encrypt. They might not notice the CAA if you have it there.

So, anyone involved with the Royal Bank of Canada want to comment on their DNSSEC practices, why its disabled? Or anyone else want to check your bank and comment here as to whether it has DNSSEC (and CAA)? Takes 1 second to test here.

Its got another bad practice:

http://royalbank.ca redirects to http://www.rbcroyalbank.com. This in turn does not redirect you to the SSL site but serves content, fetches from remote CDNs. You don't want that. TLS or bust.

$ curl -q www.rbcroyalbank.com |grep https

 

work versus toil, TLS, government shutdowns

There has been some minor news of late of a government shutdown in the USA. tl;dr something about a wall.

Now, you would think that fully automated systems would generally keep running (well, until the hydro bill comes due I guess). But interestingly we can see some certificates have expired. Lets check out e.g. the US DOJ. See how you cannot access this, you get a 'NET::ERR_CERT_DATE_INVALID'? And there's no 'I know what I'm doing, let me in' (note: if you do have this option you should upgrade your browser immediately).

So, what is happening, and why? First, well, the certificate expired on December 17th. Now, interestingly, technically this is before the shutdown started (Dec 22 was the magic date). So no particular excuse there.

Secondly, the site uses 'HSTS' (as it should). HSTS means 'HTTP Strict Transport Security'. In a nutshell it means the site can only be accessed in a secure way. This should be true for all SSL/TLS sites. No exception. You don't want to go to the trouble of making the site and then allow downgrading to 'insecure'.

But, lets assume that somehow the government shutdown was the sole issue here (those missing 5 days between December 17 and 22 ignored). What would that mean? It would mean the lesson of 'toil' versus 'work' was not taken. What is that you say? They are the same? No.

'toil' might technically mean work, but, it usually implies drudgery. The type of thing we would get a machine to do if we could. Imagine the difference between a knowledge-based job (making decisions all day) and something clearly meant to waste your time (counting the number of dots on a ceiling tile).

Here you see someone should have made the certificate renewal automated. Let's Encrypt has API's for this. You run 'certbot', every week or so it checks if the certificate is *near* expired, and, if so, renews it. So why do we instead have a web site that probably has a sticky note on a monitor somewhere saying "remind me to renew certificate Dec 16"? That is toil versus work. If we reduce toil to 0 we have more time for work (value).

Interestingly, the doj.gov site is on the Chrome 'Must HSTS' list (*.usdoj.com is on the list). So this means that even if their developers forget on some site, Chrome has their back. There's a lot of random things on that list, e.g. 1895dentalimplants.com... a 'puget-sound local' dental site that will, for $1895, get you dental implants. (I guess if inflation occurs they change the company name and register a new domain name?). Hmm. How is this list generated? Why are folks near seattle needing more secure dental implant sites than others? Inquiring minds.

What's your favourite site on the 'must encrypt' hardcoded list? Is it this plumber from bratislava? This UK bouncy-castle rental?

Top