Meet

In the early days of the internet, communication was by email. Originally siloed by companies like Compuserve, AT&T and Sprint so that messages could only be exchanged with others on the same system, email is now ubiquitous. Pretty much anyone can communicate with anyone else without worrying about app or device or browser.

Today there are additional methods of communicating via the internet, such as chat and voice. These new methods, however, are currently similar to early email: siloed by different vendors so that users can communicate only with other users on the same system. Matrix.org aims to change this, so that any user on one system can communicate with any user on a different system; just like email today.

Matrix: De-centralized Encrypted Real-time Communications over IPMatrix is an open standard for interoperable, decentralized, real-time communication over IP. It can be used for any type of IP communication: IM, VoIP, or IoT data. One system already operating on Matrix is the open team collaboration app, Riot. While Riot is described as "a simple and elegant collaboration environment that gathers all of your different conversations and app integrations into one single app," it can actually communicate with any user anywhere in the Matrix ecosphere.

The Matrix organization has not adopted the usual method of approaching all the big companies and trying to get the world to adopt Matrix. Instead, technical co-founder Matthew Hodgson told SecurityWeek, "We're just building it -- putting it out there on the internet as a de facto standard, and we then go and build bridges through to the existing communities. We've already got bridges through to Slack and to Skype and to IRC and various other online communities. Since the entire thing is open source, we're also getting contributors from all round the world building bridges to their own systems; such as Ericsson building bridges into their own infrastructure. Or it could be contributors who write their own bridge to link something like Telegram or Twitter -- and they basically act as a bridge to link existing silos into matrix. It's a very pragmatic way of solving the problem."

This still requires cooperation from the vendors. New companies like Slack are often open to cooperation, but larger companies like Microsoft (Skype) are not necessarily so. However, the Nadella Microsoft seems to be far more pragmatic than the Ballmer Microsoft.

"They've not fundamentally changed their spots," said Hodgson, "but at least superficially there's much more openness to this sort of technology; and the reality is that Skype is on the back foot, hemorriging users. Microsoft could do with any help it can get in trying to regain the 'cool' factor and market share. It has actually been very positive in letting us integrate with Skype. We haven't integrated Skype into Matrix, but we're in conversation -- especially since Skype is turning into a platform itself, and Microsoft realizes there is a problem of reach for its O365 customers (who have their own teams using Slack and other 'silos'). Matrix is the only common ground that can be used to link these different apps together."

He said that the only pushback Matrix has had so far has been from Facebook, "unsurprisingly," he added, since they are the incumbent and want to keep their monopoly as long as they can. But literally everyone else is amenable to pooling resources to make the world a better place. Matrix is the necessary counterbalance that can maintain the openness of the internet against monopolistic designs of big organizations."

However, the matrix itself is not enough: users, especially enterprise users, need to trust the privacy of their communications. The solution is the new beta launch of Olm encryption.

"E2E encryption is particularly important to Matrix where its decentralized nature means that a conversation can end up replicated over thousands of different servers. When the participant 'rooms' are public, that's not a problem. But if they're private rooms you get a huge attack envelope where you basically just blindly trust all of the server admins not to snoop on the content of the room." 

"In practice, he added, it's not much different to email. If I send an email to 1,000 people, it could end up on 1,000 different mail servers. But with Matrix we can and should do better. We've spent the last two years building our E2E encryption, so that if I send a message to someone on Matrix it is never stored unencrypted on any of the servers, and it can only be decrypted by the participants. It's much like WhatsApp and Allo; but we are the only one that is decentralized and not dependent on a silo or walled garden like Signal. We think it's the perfect storm for communications, combining encryption with decentralization."

To this end, Matrix has announced and launched the formal beta of the new Olm end-to-end encryption implementation across Web, iOS and Android. “With Matrix.org and Olm," commented Hodgson, "we have created a universal end-to-end encrypted communication fabric -- we really consider this a key step in the evolution of the Internet."

Olm is the Matrix implementation of the Double Ratchet algorithm designed by Trevor Perrin and Moxie Marlinspike. It was chosen, explained Hodgson in a blog post Monday, "in its capacity as the most ubiquitous, respected and widely studied e2e algorithm out there – mainly thanks to Open Whisper Systems implementing it in Signal, and subsequently licensing it to Facebook for WhatsApp and Messenger, Google for Allo, etc."

Olm has been reviewed by NCC Group (PDF). In keeping with its open philosophy, Matrix has ensured this review is available online. Several issues were discovered by NCC, including one high risk and one medium risk. The most exotic of these was an 'unknown key share attack'. "Needless to say," wrote Hodgson, "all of these issues have been solved with the release of libolm 2.0.0 on October 25th and included in today’s releases of the client SDKs and Riot."

view counter

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Previous Columns by Kevin Townsend:

Tags:


SecurityWeek RSS Feed

Meet Apache Spot, a new open source project for cybersecurity

The Apache Spot project was announced at Strata+Hadoop World on Wednesday, Sept. 28, 2016.

Credit: Katherine Noyes

Hard on the heels of the discovery of the largest known data breach in history, Cloudera and Intel on Wednesday announced that they've donated a new open source project to the Apache Software Foundation with a focus on using big data analytics and machine learning for cybersecurity.

Originally created by Intel and launched as the Open Network Insight (ONI) project in February, the effort is now called Apache Spot and has been accepted into the ASF Incubator.

[ Also on InfoWorld: 19 open source GitHub projects for security pros. | Discover how to secure your systems with InfoWorld's Security newsletter. ]

"The idea is, let's create a common data model that any application developer can take advantage of to bring new analytic capabilities to bear on cybersecurity problems," Mike Olson, Cloudera co-founder and chief strategy officer, told an audience at the Strata+Hadoop World show in New York. "This is a big deal, and could have a huge impact around the world."

Based on Cloudera's big data platform, Spot taps Apache Hadoop for infinite log management and data storage scale along with Apache Spark for machine learning and near real-time anomaly detection. The software can analyze billions of events in order to detect unknown and insider threats and provide new network visibility.

Essentially, it uses machine learning as a filter to separate bad traffic from benign and to characterize network traffic behavior. It also uses a process including context enrichment, noise filtering, whitelisting and heuristics to produce a shortlist of most likely security threats.

By providing common open data models for network, endpoint, and user, meanwhile, Spot makes it easier to integrate cross-application data for better enterprise visibility and new analytic functionality. Those open data models also make it easier for organizations to share analytics as new threats are discovered.

Other contributors to the project so far include eBay, Webroot, Jask, Cybraics, Cloudwick, and Endgame.

“The open source community is the perfect environment for Apache Spot to take a collective, peer-driven approach to fighting cybercrime,” said Ron Kasabian, vice president and general manager for Intel's Analytics and Artificial Intelligence Solutions Group. “The combined expertise of contributors will help further Apache Spot’s open data model vision and provide the grounds for collaboration on the world’s toughest and constantly evolving challenges in cybersecurity analytics.”

Analysis It’s not often an entirely new and thriving sector of the “digital economy” – one hitherto unmentioned by the popular press – floats to the surface of the lake in broad daylight, waving a tentacle at us.

This is the DDoS-for-hire industry, and it’s fascinating for a few reasons. This shady marketplace has done everything a legitimate “digital” business should do.

Hitherto, what are euphemistically called “booter” services have been pretty obscure. But if anything deserves an as-a-service “-aaS” (“software as a service, SaaS; platform as a service, PaaS) created in its honour, it’s the 'DDoSaaS' or perhaps 'DoSaaS' industry: Denial-of-service-as-a-service.

We now know much more about the marketplace because its leading business, vDOS, was hacked this year, and security expert Brian Krebs has been joining the dots. Krebs has documented the DaaS business for some years, a thankless job resulting in regular attacks on Krebs' own website. The key business and technical architects also helpfully described it in an academic paper.

Two Israelis allegedly behind vDOS, both 18, were arrested after an FBI investigation. The site had been operating for four years. vDOS offered four retail tiers: from a $ 19.99 “bronze” plan to a $ 199/month “VIP plan”. Just as blogs and social media “democratised” the media, by making the tools of production and distribution cheap and readily available, so too did booter services.

To take a site you didn’t like offline you used to have to have a network of contacts and great technical expertise. But the booter services put a DDoS attack into anyone’s hands, and all it took was a quick retail transaction -as low as $ 20. Booter services were the Uber of DDoS. How’s that for disruption?

“To say that vDOS has been responsible for a majority of the DDoS attacks clogging up the Internet over the past few years would be an understatement. The various subscription packages to the service are sold based in part on how many seconds the denial-of-service attack will last,” Krebs noted, adding:

And in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years worth of attack traffic.

Like many “booter” services, vDOS had been hiding behind CloudFlare’s CDN. The CloudFlare CDN acts as a cloaking service, and has been criticised for keeping pro-ISIS sites online. CloudFlare has also been under fire for doxing; a sample of CloudFlare’s clients can be found here.)

In a January post entitled Spreading the disease and selling the cure, Krebs observed: “The booter services are proliferating thanks mainly to free services offered by CloudFlare, a content distribution network that offers gratis DDoS protection for virtually all of the booter services currently online.”

As well as providing protection for the DoS [denial of service] industry, CloudFlare operates a DoS-protection service for clients worried about DoS attacks. Krebs added: “If CloudFlare adopted a policy of not enabling booter services, it could eliminate a huge conflict of interest for the company and – more importantly – help eradicate the booter industry.”

CloudFlare says it responds to individual law enforcement requests and will not proactively police its network for DDoS-ers.

What made vDOS particularly interesting was that it operated in both “retail” and “wholesale” markets. “PoodleStresser, as well as a large number of other booter services, appears to rely exclusively on firepower generated by vDOS,” Krebs notes.

This isn’t unusual in legitimate sectors. A food manufacturer may sell white label versions of its goods to supermarkets, and mobile networks have for years made better use of their capacity by wholesaling to MVNOs, mobile virtual network operators).

The vDOS pair maintained a network of PayPal accounts but many of the participants are US based.

Damon McCoy, cited at Krebs' blog, notes that vDOS blocked clients from disabling Israeli sites, most likely to avoid unwanted attention from authorities at home: “The main reason was they didn’t want to make trouble in their local jurisdiction in the hopes that no one in their country would be a victim and have standing to bring a case against them.”

The cover story offered by booter operations is that the software has a legitimate use: for sites to stress test their own web servers. In reality, the “democratization of DDoS” – with kits available on the dark web for a fiver – means that buying DDoS protection offered by CloudFlare is almost mandatory. ®

Sponsored: Optimizing the hybrid cloud


The Register - Security

Black Hat Neil Wyler and Bart Stump are responsible for managing what is probably the world’s most-attacked wireless network.

The two friends, veterans among a team of two dozen, are at the time of writing knee deep in the task of running the network at Black Hat, the security event where the world reveals the latest security messes.

The event kicks off with three days of training, then unleashes tempered anarchy as the conference proper gets under way.

Wyler, better known as Grifter (@grifter801), heads the network operations centre (NoC) at Black Hat, an event he has loved since he was 12 years-old. “I literally grew up among the community,” he says.

Bart (@stumper55) shares the job.

Wyler's day job is working for RSA's incident response team while Stumper is an engineer with Optiv, but their Black Hat and DEF CON experience trumps their professional status. Wyler has worked with Black Hat for 13 years and DEF CON for 16 years, while Stump has chalked up nine years with both hacker meets.

Together with an army of capable network engineers and hackers they operate one of the few hacker conference networks that delegates and journalists are officially advised to avoid.

Rightly so; over the next week the world’s talented hacker contingent will flood Las Vegas for Black Hat and DEF CON, the biggest infosec party week of the year. The diverse talents – and ethics – of the attending masses render everything from local ATMs to medical implants potentially hostile and not-to-be-trusted.

Some 23 network and security types represent the network operations centre (NoC) and are responsible for policing the Black Hat network they help create. Come August each member loosens the strict defensive mindset they uphold in their day jobs as system administrators and security defenders to let the partying hackers launch all but the nastiest attacks over their network.

“We will sit back and monitor attacks as they happen," Wyler tells The Register from his home in the US. "It's not your average security job."

The Black Hat NoC. Image: supplied.

The Black Hat NoC. Image: supplied.

The crew operates with conference din as a background, sometimes due to cheers as speakers pull off showy hacks or offer impressive technical demos in rotating shifts. In the NoC, some laugh, some sleep, and all work in a pitch broken by the glow of LEDs and computer screens. Their score is a backdrop of crunching cheese Nachos, old hacker movies, and electronic music.

"Picture it in the movies, and that's what it's like," Stump says, commiserating with your Australia-based scribe's Vegas absence; "it'll be quite a sight, you'll be missing something".

Delegates need not. The NoC will again be housed in The Fish Bowl, a glass den housing the crew and mascots Lyle the stuffed ape and Helga the inflatable sheep. Delegates are welcome to gawk.

Risky click

The NoC operators at Black Hat and DEF CON need to check their defensive reflexes at the door in part to allow a user base consisting almost entirely of hackers to pull pranks and spar, and in part to allow presenters to legitimately demonstrate the black arts of malware.

When you see traffic like that, you immediately go into mitigation mode to respond to that threat," Wyler says. "Black Hat is a very interesting network because you can't do that - we have to ask if we are about to ruin some guy's demonstration on stage in front of 4000 people".

Stump recalls intruding on a training session in a bid to claim the scalp of a Black Hat found slinging the infamous Zeus banking trojan. "The presenter says 'it's all good, we are just sending it up to AWS for our labs' and we had a laugh; I couldn't take the normal security approach and simply block crazy shit like this."

Flipping malware will get you noticed and monitored by one of the NoC's eager operators who will watch to see if things escalate beyond what's expected of a normal demonstration.

If legitimate attacks are seeping out of a training room, the sight of Wyler, Stump, or any other NoC cop wordlessly entering with a walkie-talkie clipped to hip and a laptop under arm is enough for the Black Hat activity to cease. "It is part of the fun for us," Wyler says. "Being able to track attacks to a location and have a chat."

Targeting the Black Hat network itself will immediately anger the NoC, however.

The team has found all manner of malware pinging command and control servers over its network, some intentional, and some from unwittingly infected delegates. "We'll burst in and say anyone who's MAC address ends with this, clean up your machine," Stump says.

$ 4000 smut-fest

Training is by far the most expensive part of a hacker conference. Of the 71 training sessions running over the weekend past ahead of the Black Hat main conference, each cost between US$ 2500 (£1887, A$ 3287) and US$ 5300 (£4000, A$ 6966) with many students having the charge covered by generous bosses.

Stump on CNN.

Bart and the blow up doll cameo on CNN Money.

So it was to this writer's initial incredulity that most of the sea of "weird porn" flowing through the Black Hat pipes stems from randy training students. "It is more than it should ever be," Wyler says of the Vegas con's porn obsession. "While you are at a training class - I mean it's not even during lunch."

The titillating tidbit was noticed when one NoC cop hacked together a script to pull and project random images from the network traffic on Fish Bowl monitors. A barrage of flesh sent the shocked operators into laughing fits of ALT-TAB. Another moment was captured when Stump was filmed for on CNN Money and a shopper's blow up doll appeared with perfect timing.

Balancing act

Black Hat's NoC started as an effective but hacked-together effort by a group of friends just ahead of the conference. Think Security Onion, intrusion detection running on Kali, and Openbsd boxes.

Now they have brought on security and network muscle, some recruited from a cruise through a cruise of the expo floor, including two one gigabyte pipes from CenturyLink with both running about 600Mbps on each. "We were used to being a group of friends hanging out where a lot of stuff happened on site, and now we've brought in outsiders," Stump says.

Ruckus Wireless, Fortinet, and CenturyLink are now some of the vendors that help cater to Black Hat's more than 70 independent networks. "It's shenanigans," Wyler says. "But we love it."

The pair do not and cannot work on the DEF CON networks since they are still being built during Black Hat, but they volunteer nonetheless leading and helping out with events, parties, and demo labs. I feel a responsibility to give back to the community which feeds me," Wyler says. "That's why we put in the late nights." ®

Sponsored: Global DDoS threat landscape report


The Register - Security