Google Wants To Speed Up The Web With Its QUIC Protocol

On a typical secure TCP connection, it typically takes two or three round-trips before the browser can actually start receiving data. Using QUIC, a browser can immediately start talking to a server it has talked to before. QUIC also introduces a couple of new features like congestion control and automatic re-transmission, making it more reliable than pure UDP.

via Google Wants To Speed Up The Web With Its QUIC Protocol | TechCrunch.

Users who connect to YouTube over QUIC report about 30 percent fewer rebuffers when watching videos and because of QUIC’s improved congestion control and loss recovery over UDP, users on some of the slowest connections also see improved page load times with QUIC.

Google says it plans to propose HTTP2-over-QUIC to the IETF as a new Internet standard in the future.

Decertifying the worst voting machine in the US

I’ve been in the security field for 30 years, and it takes a lot to surprise me. But the VITA report really shocked me – as bad as I thought the problems were likely to be, VITA’s five-page report showed that they were far worse. And the WinVote system was so fragile that it hardly took any effort. While the report does not state how much effort went into the investigation, my estimation based on the description is that it was less than a person week.

via Decertifying the worst voting machine in the US.

So how would someone use these vulnerabilities to change an election?

  1. Take your laptop to a polling place, and sit outside in the parking lot.
  2. Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).
  3. Connect to the voting machine over WiFi.
  4. If asked for a password, the administrator password is “admin” (VITA provided that).
  5. Download the Microsoft Access database using Windows Explorer.
  6. Use a free tool to extract the hardwired key (“shoup”), which VITA also did for us.
  7. Use Microsoft Access to add, delete, or change any of the votes in the database.
  8. Upload the modified copy of the Microsoft Access database back to the voting machine.
  9. Wait for the election results to be published.

The Freedom to Tinker blog has been doing research on voting machines for a very long time, although in this case they are reporting the results of research done by Virginia IT people in the decertification report. In the past most vulnerabilities uncovered required physical access to a voting machine and a bit of skullduggery, making it difficult to change votes on a large scale. I simply cannot comprehend for what purpose these voting devices needed to be on a wifi network other than someone thought it was “cool.” This entire report is mind-boggling and makes me wonder how many more areas of the country are doing this now.

US Report Claims In-Flight Entertainment Leaves Planes Open to Cyberattacks; Others Disagree

A new report from the U.S. Government Accountability Office (GAO) warns that in-flight Wi-Fi, including wireless entertainment and internet-based cockpit communications, may allow hackers to gain remote access to avionics systems and compromise them. However, other experts disagree and call the report “deceiving.”

via US Report Claims In-Flight Entertainment Leaves Planes Open to Cyberattacks; Others Disagree.

From: Cyberhijacking Airplanes: Truth or Fiction? (DEFCON-22-Phil-Polstra-Cyber-hijacking-Airplanes-Truth-or-Fiction-Updated.pdf).

Closing Thoughts

● Nearly every protocol used in aviation is unsecured
● There is certainly the potential to annoy ATC and/or small aircraft
● Increasing automation while continuing with unsecured protocols is problematic
● Airliners are relatively safe (for now)

The above pdf is a good read.

Fault Tolerant Router

Fault Tolerant Router is a daemon, running in background on a Linux router or firewall, monitoring the state of multiple internet uplinks/providers and changing the routing accordingly. LAN/DMZ internet traffic (outgoing connections) is load balanced between the uplinks using Linux multipath routing. The daemon monitors the state of the uplinks by routinely pinging well known IP addresses (Google public DNS servers, etc.) through each outgoing interface: once an uplink goes down, it is excluded from the multipath routing, when it comes back up, it is included again. All of the routing changes are notified to the administrator by email.
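The loop described above (probe each uplink, drop a failed provider from the multipath route, put it back when it recovers, tell the admin) is small enough to show end to end. The following is an added example written for this post, not the Fault Tolerant Router project's own code: interface names, gateway addresses, the 3-in-a-row thresholds and the use of `ping -I` are assumptions, and the route command is returned rather than applied so it can be inspected first.

```python
"""Uplink monitor with multipath default-route generation (added example).

Models the daemon's core loop: probe each uplink, track up/down with
hysteresis, and emit the `ip route replace default ...` command plus an
admin notice whenever the set of healthy uplinks changes. Interface names,
gateways and thresholds are assumptions for illustration.
"""
import subprocess
import time
from collections import deque


class Uplink:
    """One provider: its egress interface, gateway and recent probe history."""

    def __init__(self, name, interface, gateway, weight=1, down_after=3, up_after=3):
        self.name, self.interface, self.gateway, self.weight = name, interface, gateway, weight
        self.down_after, self.up_after = down_after, up_after
        self.history = deque(maxlen=max(down_after, up_after))
        self.up = True  # assume healthy until the probes say otherwise

    def record(self, ok):
        """Record one probe result; return True if the up/down state flipped."""
        self.history.append(ok)
        recent = list(self.history)
        # Go DOWN only after down_after consecutive failures, UP only after
        # up_after consecutive successes, so a single lost ping does not flap the route.
        if self.up and len(recent) >= self.down_after and not any(recent[-self.down_after:]):
            self.up = False
            return True
        if not self.up and len(recent) >= self.up_after and all(recent[-self.up_after:]):
            self.up = True
            return True
        return False


def probe(uplink, target="8.8.8.8", timeout_s=2):
    """Ping a well-known address out of this uplink's interface (real probe, not used in tests).

    ping -I binds the egress interface; the router still needs a per-uplink
    policy route so the reply returns the same way (assumption about host setup).
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-I", uplink.interface, target]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def route_command(uplinks):
    """Build the iproute2 command that load-balances over every healthy uplink."""
    active = [u for u in uplinks if u.up]
    if not active:
        return None  # nothing healthy: leave the last route alone and let the admin decide
    if len(active) == 1:
        u = active[0]
        return f"ip route replace default via {u.gateway} dev {u.interface}"
    hops = " ".join(f"nexthop via {u.gateway} dev {u.interface} weight {u.weight}" for u in active)
    return f"ip route replace default {hops}"


def tick(uplinks, results):
    """One monitoring round; results maps uplink name -> probe succeeded.

    Returns (command, notice): the route command to apply and a one-line admin
    notification, or (None, None) when no uplink changed state.
    """
    changed = [u for u in uplinks if u.record(results[u.name])]
    if not changed:
        return None, None
    notice = "; ".join(f"{u.name} is now {'UP' if u.up else 'DOWN'}" for u in changed)
    return route_command(uplinks), notice


if __name__ == "__main__":
    links = [Uplink("isp-a", "eth1", "192.0.2.1"), Uplink("isp-b", "eth2", "198.51.100.1")]
    while True:
        cmd, notice = tick(links, {u.name: probe(u) for u in links})
        if cmd:
            print(notice)  # the daemon would email this to the administrator
            print(cmd)     # apply with subprocess.run(cmd.split(), check=True) on a real router
        time.sleep(5)
```

Run as root on a Linux router with two WAN interfaces and it prints the route change whenever an uplink crosses the threshold; the hysteresis is what keeps a single dropped probe from rewriting the routing table.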

via Fault Tolerant Router

The big money behind Iran’s Internet censorship

Independent Iranian media have reported that “elements within the government and the Revolutionary Guard provide support to a number of VPN sellers,” according to a 2014 report from Small Media. “Reports hypothesize that this is a mutually profitable arrangement; lining the pockets of officials at the same time as it allows VPN sellers to continue in their work without the threat of state interference.”

BBC Persian journalist Hadi Nili says that not only do Iranian authorities sell VPN accounts, the Iranian government even uses VPNs in order to protect their own connections.

via The big money behind Iran’s Internet censorship.

Root command execution bug found across wireless router range

The vulnerability that Drake outlines rises from a poorly coded service, infosvr, which is used by ASUS to facilitate router configuration by automatically monitoring the local area network (LAN) and identifying other connected routers. Infosvr, Drake explains, runs with root privileges and contains an unauthenticated command execution vulnerability. In turn this permits anyone connected to the LAN to gain control by sending a user datagram protocol (UDP) package to the router.

via Root command execution bug found across wireless router range.

This seems more like a designed-in feature not implemented correctly. Transferring config information on an insecure network is difficult to implement without some kind of flaw.

This kind of hack is well above the capability of your average hacker. Very unlikely they could do much more than a man-in-the-middle attack, which they could do anyway without hacking the router. I do not chase updates on SOHO routers because it’s pointless, a waste of time that possibly introduces different bugs.

Gogo Inflight Internet is intentionally issuing fake SSL certificates

In this case, performing a man-in-the-middle attack would require the attacker to attack the SSL certificate first before being able to snoop on someone’s traffic.

For whatever reason, however, Gogo Inflight Internet seems to believe that they are justified in performing a man-in-the-middle attack on their users. Adrienne Porter Felt, an engineer who is part of the Google Chrome security team, discovered while on a flight that she was being served SSL certificates from Gogo when she was requesting Google sites. Looking at the issuer of the certificate, rather than being issued by Google, it was being issued by Gogo.

via Gogo Inflight Internet is intentionally issuing fake SSL certificates – Neowin.

Issuing fake SSL certificates is clearly a deceptive practice that should be illegal for providers of wifi. This article is a good reminder that an attacker's forged certificate is only accepted if you approve it on your system, and the warning dialogs that explain this on most systems are very clear. Never click yes when this window pops up unless you are on a secure network and know in advance why the certificate is being issued.
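The tell-tale in the story above is an issuer that does not match who should be signing certificates for that hostname. The check below is an added example, not code from the article, from Google or from Gogo: it runs over the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns, compares the issuer organisation against a pinned allow-list and matches the hostname against the certificate's names. The two sample certificates, the issuer names in them and the pinned set are constructed for illustration and are not real certificate data.

```python
"""Issuer pinning and hostname check over a getpeercert()-shaped dict (added example).

Flags the situation described in the post: a certificate naming a Google host
whose issuer is the Wi-Fi provider instead of the expected CA. The sample
certificates and the pinned issuer set are constructed, not real data.
"""
import socket
import ssl


def _names(cert):
    """All DNS names the certificate claims: subjectAltName DNS entries plus the CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def _host_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single wildcard in the leftmost label only."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def issuer_org(cert):
    """organizationName of the issuer, or None if the field is absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def check_peer_cert(cert, hostname, pinned_issuer_orgs):
    """Return a list of findings; an empty list means the certificate looks as expected."""
    findings = []
    if not any(_host_matches(n, hostname) for n in _names(cert)):
        findings.append("hostname_mismatch")
    if issuer_org(cert) not in pinned_issuer_orgs:
        findings.append("unexpected_issuer")  # the interception-proxy signature
    return findings


def check_live(hostname, pinned_issuer_orgs, port=443):
    """Fetch the leaf certificate presented for hostname and run the check (needs network).

    The default context already rejects issuers the OS trust store does not know,
    so this catches the case that follows 'clicking yes': a proxy CA that has been
    added to the trust store and now signs for every site.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_peer_cert(tls.getpeercert(), hostname, pinned_issuer_orgs)


# Constructed samples in getpeercert() shape (assumed field values, not real certificates).
GENUINE_CERT = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Google Inc"),)),
    "subjectAltName": (("DNS", "www.google.com"), ("DNS", "*.google.com")),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("organizationName", "Gogo"),),),
    "subjectAltName": (("DNS", "www.google.com"),),
}
PINNED_ISSUERS = {"Google Inc"}  # assumed allow-list; a real one holds every CA the site actually uses
```

An intercepting proxy has to name the requested host in its certificate or the browser would refuse the connection outright, so the hostname check alone passes; it is the issuer comparison that exposes the substitution, which is exactly what the engineer in the article noticed by reading the certificate details.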

Past reports on Gogo from this blog here and here.

Apparently Gogo’s Terms of Service may claim hijacking SSL connections is an acceptable form of “filtering.” Beware of any open wifi system that does this. It’s bad enough with third-party script kiddies hijacking your sessions, let alone the provider of your network.

Acknowledgement of Filtering and Restriction of Access to Pornography or Other Offensive or Objectionable Material. You specifically acknowledge and agree that Gogo may, as a necessary incident of providing the Service, or as required or permitted by law, by law enforcement authorities or by the host airline, or as hereby expressly contemplated by this Agreement, use any advanced blocking technologies and other technical, administrative or logical means available to it, to identify, inspect, remove, block, filter, or restrict any uses, materials or information (including but not limited to emails) that we consider to be actual or potential violations of the restrictions on use set forth in this Agreement, including, but not limited to, those activities that may subject Gogo or its customers to liability or danger, or material that may be obscene, lewd, lascivious, filthy, excessively violent, pornographic, harassing, or otherwise objectionable.

Hotel group asks FCC for permission to block some outside Wi-Fi

However, the FCC did act in October, slapping Marriott with the fine after customers complained about the practice. In their complaint, customers alleged that employees of Marriott’s Gaylord Opryland Hotel and Convention Center in Nashville used signal-blocking features of a Wi-Fi monitoring system to prevent customers from connecting to the Internet through their personal Wi-Fi hotspots. The hotel charged customers and exhibitors $250 to $1,000 per device to access Marriott’s Wi-Fi network.

via Hotel group asks FCC for permission to block some outside Wi-Fi | Network World.

how to calculate packet loss from a binary TCPDUMP file

You can measure packet retransmits from the client to the server by counting the number of duplicate sequence numbers.

Packet retransmits from the server to the client can be measured by counting duplicate Ack numbers.

Note that a retransmit is triggered by more than just total loss (= timeout); if the remote machine rejects the packet, or the packet is corrupted, the local machine must also retransmit.

via networking – how to calculate packet loss from a binary TCPDUMP file – Server Fault.

I needed a way to measure this on a wifi network where packet loss can be very high and bursty. This answer seems relatively simple to implement — just store off ACK sequence numbers into an array of limited size and count how many times every new ACK matches in that array. By monitoring this count I can determine where and when certain areas are getting bad and perhaps alert or alarm based upon a certain threshold.
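Both rules from the answer (a data segment that repeats a recently seen sequence number is a retransmit; a receiver repeating the same ACK number is signalling a segment it never got) can be applied directly to a raw tcpdump file. The following is an added example, not code from the Server Fault answer or from this blog: it parses a classic pcap with only the standard library, keeps the bounded window of recent numbers described above, and counts per direction. The addresses, ports and the embedded eight-packet capture are constructed, and only Ethernet/IPv4 captures are parsed.

```python
"""Count TCP retransmit indicators in a raw tcpdump (classic pcap) file (added example).

Applies the two rules from the answer: a data segment whose seq repeats one of
the last `window` seqs in its direction is a retransmit; a pure ACK that repeats
the previous ACK number is a duplicate ACK. Sample capture is constructed.
"""
import struct
from collections import Counter, defaultdict, deque

PCAP_MAGIC_LE = 0xA1B2C3D4
ACK_FLAG = 0x10


def iter_tcp(pcap):
    """Yield one dict per TCP segment: addresses, ports, seq, ack, flags, payload_len."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24  # past the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(end + "IIII", pcap, off)[2]
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4-over-Ethernet carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        ip = frame[14:14 + total_len]
        tcp = ip[ihl:]
        sport, dport, seq, ack = struct.unpack_from("!HHII", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield {
            "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": tcp[13], "payload_len": len(tcp) - data_off,
        }


def count_retransmits(pcap, window=64):
    """Per direction (src, sport, dst, dport): retransmitted data segments, duplicate
    ACKs and total data segments, so a loss ratio can be derived and alarmed on."""
    recent_seq = defaultdict(lambda: deque(maxlen=window))  # the limited-size array
    last_ack = {}
    dup_seq, dup_ack, data_segments = Counter(), Counter(), Counter()
    for p in iter_tcp(pcap):
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["payload_len"] > 0:
            data_segments[flow] += 1
            if p["seq"] in recent_seq[flow]:
                dup_seq[flow] += 1
            recent_seq[flow].append(p["seq"])
        elif p["flags"] & ACK_FLAG:
            if last_ack.get(flow) == p["ack"]:
                dup_ack[flow] += 1
            last_ack[flow] = p["ack"]
    return {"retransmits": dup_seq, "dup_acks": dup_ack, "data_segments": data_segments}


# --- constructed sample capture: client 10.0.0.2:40000 <-> server 198.51.100.10:443 ---
def _segment(src, dst, sport, dport, seq, ack, flags, payload=b""):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def _pcap(frames):
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


C, S, CP, SP = "10.0.0.2", "198.51.100.10", 40000, 443
SAMPLE_PCAP = _pcap([
    _segment(C, S, CP, SP, 1000, 1, 0x18, b"x" * 100),  # client data, seq 1000
    _segment(S, C, SP, CP, 1, 1100, ACK_FLAG),          # server acks up to 1100
    _segment(C, S, CP, SP, 1100, 1, 0x18, b"x" * 100),  # client data, seq 1100 (lost on the air)
    _segment(C, S, CP, SP, 1200, 1, 0x18, b"x" * 100),  # client data, seq 1200
    _segment(S, C, SP, CP, 1, 1100, ACK_FLAG),          # duplicate ACK 1
    _segment(S, C, SP, CP, 1, 1100, ACK_FLAG),          # duplicate ACK 2
    _segment(C, S, CP, SP, 1100, 1, 0x18, b"x" * 100),  # client retransmits seq 1100
    _segment(S, C, SP, CP, 1, 1300, ACK_FLAG),          # server has caught up
])
```

On a real file, `count_retransmits(open("capture.pcap", "rb").read())` gives the three counters; dividing retransmits by data segments per flow is the ratio to alarm on. As the answer notes, the count includes retransmits caused by corruption or rejection, not just timeouts, so on a lossy wireless link it is an upper bound on loss rather than an exact figure.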

Snowflake-shaped networks are easiest to mend

They found the best networks are made from partial loops around the units of the grid, with exactly one side of each loop missing. All of these partial loops link together, back to a central source. These have a low repair cost because if a link breaks, the repair simply involves adding back the missing side of a loop. What’s more, they are resistant to multiple breaks over time, as each repair preserves the network’s fundamental design.

via Snowflake-shaped networks are easiest to mend – tech – 03 October 2014 – New Scientist.