Raymond P. Burkholder - Things I Do - Security

Risk Manager for Intrusion Tolerant Systems

nospam@example.com (Raymond P. Burkholder) — Wed, 20 Aug 2025 16:11:52 +0000

Risk Manager for Intrusion Tolerant Systems: Enhancing HAL 9000 with New Scoring and Data Sources

Intrusion Tolerant Systems (ITSs) have become increasingly critical due to the rise of multi-domain adversaries exploiting diverse attack surfaces. ITS architectures aim to tolerate intrusions, ensuring system compromise is prevented or mitigated even with adversary presence. Existing ITS solutions often employ Risk Managers leveraging public security intelligence to adjust system defenses dynamically against emerging threats. However, these approaches rely heavily on databases like NVD and ExploitDB, which require manual analysis for newly discovered vulnerabilities. This dependency limits the system's responsiveness to rapidly evolving threats. HAL 9000, an ITS Risk Manager introduced in our prior work, addressed these challenges through machine learning. By analyzing descriptions of known vulnerabilities, HAL 9000 predicts and assesses new vulnerabilities automatically. To calculate the risk of a system, it also incorporates the Exploitability Probability Scoring system to estimate the likelihood of exploitation within 30 days, enhancing proactive defense capabilities.
Despite its success, HAL 9000's reliance on NVD and ExploitDB knowledge is a limitation, considering the availability of other sources of information. This extended work introduces a custom-built scraper that continuously mines diverse threat sources, including security advisories, research forums, and real-time exploit proofs-of-concept. This significantly expands HAL 9000's intelligence base, enabling earlier detection and assessment of unverified vulnerabilities. Our evaluation demonstrates that integrating scraper-derived intelligence with HAL 9000's risk management framework substantially improves its ability to address emerging threats. This paper details the scraper's integration into the architecture, its role in providing additional information on new threats, and the effects on HAL 9000's management.

This is an interesting take on security: toleration of intruders to systems. I suppose this is somewhat akin to limiting blast radius. One interesting nugget:

... system applies a proactive recovery mechanism to protect the system from undetected attacks. A central controller periodically rotates the state of each VM, transitioning between active, cleansing, ready, and active states.

This would be the pre-emption step of what file checksum utilities would do. However, this doesn't eliminate the types of intrusions where intruders make use of elevated account access.

SIEM, Incident Management

nospam@example.com (Raymond P. Burkholder) — Mon, 27 Nov 2023 03:52:23 +0000

unstruct.ai - An AI-Enabled, Open-Source Alternative to PagerDuty. With UnStruct.AI, you're not just getting another cybersecurity tool – you're getting an all-in-one powerhouse. Instead of juggling multiple tools and racking up costs for each, get everything under one roof. Whether it's for paging, incident response, analysis, status updates, SLO/uptime monitoring, or a sprinkle of tech magic.

Hacker News Perspective

DNS Threat Policy Zones

nospam@example.com (Raymond P. Burkholder) — Sun, 29 Oct 2023 13:56:31 +0000

a href="https://www.first.org/resources/papers/aa-dec2021/Protective-DNS-a-Boris-Slides.pdf" target=_blank>Protective DNS – Why It Matters, How to Deploy It On-prem, and to Take Control and Defense back
Threat blocking
Introducing 1.1.1.1 for Families
Cybercrime Supply Chain 2023: Measurements and Assessments of Cyber Attack Resources and Where Criminals Acquire Them

At one point Firefox was going to send everything to their favorite DoH resolver but they got a great deal of pushback from people who pointed out that they had policies on their networks and they'd have to ban Firefox. Firefox responded with a lame hack where you can tell your cache to respond to some name and if so Firefox will use your resolver.

Wireguard in a Debian LXC Container

nospam@example.com (Raymond P. Burkholder) — Wed, 19 Jul 2023 02:19:00 +0000

There was a note on reddit/r/debian which states that Wireguard is fully integrated into the Linux Kernel as of kernel v5.10. I suppose I could have saved a bunch of drama with upgrading to Bookworm which has kernel v6.1 natively, by instead using Bullseye-Backports, but I decided to go all the way. Hindsight is 20/20. A few other machines were already running Bookworm so I thought I had no problems.

It is nice to see that wireguard-tools references nftables. And there are a number of examples as reference for various scenarios.

So, with Wireguard in the kernel, no dkms installation is required. Just the installation of the tools (assumes root or sudo). Use the --no-install-recommends, otherwise your kernel will be replaced with a real-time kernel.

# apt install --not-install-recommends wireguard-tools
# cd /etc/wireguard

Create the keys for a peer to peer session:

# wg genkey | tee key_server_private | wg pubkey > key_server_public
# wg genkey | tee key_client_private | wg pubkey > key_client_public
# chmod -v 600 key*
# ls -al /etc/wireguard/
  total 20
  drwx------ 1 root root   54 Jul 18 04:30 .
  drwxr-xr-x 1 root root 2348 Jul 19 01:29 ..
  -rw------- 1 root root   45 Jul 19 02:49 key_client_private
  -rw------- 1 root root   45 Jul 19 02:49 key_client_public
  -rw------- 1 root root   45 Jul 19 02:49 key_server_private
  -rw------- 1 root root   45 Jul 19 02:49 key_server_public

A sample edge interface for server side termination of VPN (file name: wg0.conf):

[Interface]
Address = 10.20.10.1/24
#SaveConfig = true
ListenPort = 51820
PrivateKey = <server private key>

[Peer]
PublicKey = <client public key>
AllowedIPs = 10.20.10.0/24

A sample client interface, say on an Android for connection back to the server side (flie name: wg0-client.conf):

[Interface]
Address = 10.20.10.11/24
PrivateKey = <client private key>
DNS = 10.10.30.100

[Peer]
PublicKey = <server public key>
Endpoint = <server outside address>:51820
AllowedIPs = 10.20.10.0/24, 10.10.0.0/16
PersistentKeepalive = 21

If the allowed address is '0.0.0.0/0', then all traffic goes through the VPN. Use ipv6-test.com or ipleak.net to verify that traffic is going trough the VPN, or use something like WhatIsMyIpAddress.

Impressively, someone has created a QR generator which will generate a code to the terminal window (not a graphic file, but an ansii thingy in a terminal window). This can then be scanned by Android WireGuard to load the configuration.

$ qrencode -t ansiutf8 < wg-android.conf

I use a saltstack script to build a zone based firewall composed of nftable rules. Basically two rules are needed: a) burn a port through the firewall, and b) allow access to the interior network sections for one or all ports.

To turn on the interface and start it automatically:

# chmod -v 600 /etc/wireguard/wg0.conf
# wg-quick up wg0
# systemctl enable wg-quick@wg0.service

To turn off the interface and keep it off:

# wg-quick down wg0
# systemctl disable wg-quick@wg0.service

To show connections and status:

# wg show
interface: wg0
  public key: <server public key>
  private key: (hidden)
  listening port: 51820

peer: 
  endpoint: :4496
  allowed ips: 10.20.10.0/24
  latest handshake: 44 minutes, 26 seconds ago
  transfer: 2.50 MiB received, 33.47 MiB sent

With the SaveConfig enabled, more clients can be added and saved:

# wg genkey | tee key_mac_private | wg pubkey > key_mac_public 
# wg set wg0 peer <mac public key> allowed-ips 10.20.10.12/32

Stan's Blog mentioned terminating the server side VPN on UDP port 53. Many/Most networks allow this out, so would/could be a way out of a heavily protected network to the destination.

Note: this config was added to a privileged lxc container, nothing special was required for building the wireguard interface.

Principles of Secure System Design

nospam@example.com (Raymond P. Burkholder) — Sun, 06 Nov 2022 18:33:02 +0000

A capable attacker will look for plaintext
red/black separation
Schneiers's principle
Zooko's tradeoff
Kerckhoffs's Principle
Corollary to Metcalfe's principle [2]
It is easier for insiders to steal information - also janitors, cleaners
Design for known threats
Design for future threats
Design for unknown threats as far as possible
existing systems persist
defence in depth
monoculture -> target more attractive, usually more brittle
the capital and operating costs of well-designed secure systems are about the same as those of insecure ones until the insecure ones fail
keep intrusion records
keep i/o records
cheap and effective security needs good system design.
if it's expensive, it probably won't be effective.
Unless it is for your use alone you do not control what a system is to be used for
Even if it is for your use alone you do not control the resources which will be pitted against your system
cryptanalysis is difficult - but people can do difficult things
people offering the impossible are lying
in code, nothing ever really goes away

The principles can sometimes be broken or wrong, unlike the laws.

[2] the security of a secret is inversely proportional to the square of the number of people who know it

- Peter Fairbrother

Laws of Secure System Design

nospam@example.com (Raymond P. Burkholder) — Sun, 06 Nov 2022 18:27:08 +0000

It's all about who is in control
Someone else is after the things you have
An attacker can't steal things which aren't there to steal
Everywhere can be attacked
More complex systems provide more places to attack
Attack methods are many, varied, ever-changing and eternal
Only those you trust can betray you
Holes for good guys are holes for bad guys too
A system which is hard to use will be misused, abused and underused
Security is a Boolean. [1]
Items of data once publicly linked cannot be reliably unlinked

[1] Looking back in time from the future - did it work? Then it was secure enough. Can be hard to see that from the present though, and even from the future not all harmful breaches can be seen.

- Peter Fairbrother

Mail Flow Settings to Consider

nospam@example.com (Raymond P. Burkholder) — Sun, 10 Apr 2022 04:27:44 +0000

From an email list on 2022-04-02, some bits and pieces that should be in place for making mail flow:

IP -> PTR lookup -> that hostname lookup, and match to IP again
SPF
DKIM - one possible implementation: OpenDKIM - opendkim is an excellent tool, which helped find the real problem with a simple "Diagnostics yes" in the config file.
DMARC
ARC (for mailinglists)
SRS (When forwarding, rewrite the From and resign DKIM, and then ARC-sign that)
Decent TLS
MTA-STS
DANE

Use a site like internet.nl for testing mail server configuration and capabilities

Follow up comment: Google at least adds ARC headers in Gmail, and did the editing of RFC8617. ARC – Authenticated Received Chain

Follow up comment: Bimi Group - is snakeoil, or well, a scam is more like it: if you can pay and they like you, you get a logo, anybody else is out... marketing companies of the world (and the once earning money for bits ala domains and worse EV SSL certs... rejoice)

Follow up link: mailing lists are the ugly stepchild

Settings for mailing list:
We have SPF, DKIM signing, and a DMARC policy that sets p=none.
We're not setting p=reject, considering the number of mailing lists our users are on that are outdated or based on EOL software (including this one which depends on python 2.7, and including our own which have the same problem). It's impossible to know, from the outside, how mailing lists are configured. Mailman3 is...special. That's a rant for another time.
We get about an email a week from someone emailing security-officer@ trying to get a bug bounty telling us we should set p=reject. There's an ecosystem for this stuff.

Note: Yup. Gmail has made it quite clear that they will not accept v6 mail that isn't SPF or DKIM authenticated. DKIM is more work but works more reliably.

ARC: It's certainly not a magic ticket into an inbox but it is slowly helping undo DMARC mailing list damage. It's not important unless you forward mail like a mailing list does.

What ARC does:

ARC addreses the problem that mailing lists do a lousy job of spam filtering, A list that usually sends lovely clean mail sometimes doesn't, since a typical list forwards anything with a subscriber's address on the From line including spam from cleverish spammers who take pairs of from/to addresses from stolen mailboxes.
ARC lets the recipient system look back and do what we might call retroactive filtering, using info about messages as they arrived at the previous forwarder. While it would be nice if lists did a better job of spam filtering, they don't, and ARC is a reasonable remedy for that.

Additional protection settings:

I run my own mail server and have no trouble at all delivering mail to Gmail over IPv6. I do have SPF, DKIM, DNSSEC and DANE on my mail servers. My DMARC policy is p=none. If it matters, the MTA is a heavily hacked version of qmail.

Someone mentioned nullmailer as a small mail program that allows you (or your system) to send mails through an existing email account (using an SMTP server).

In response to "Clearly, someone used the reputation of ImprovMX.com to deliver emails by forging them before delivery., "DKIM replay attacks preventative measures

2022/04/24 added - DMARC Domain Checker

2022/06/12 added - Email Audit - Check the DNA of your email against important best practices.

Papers 2022/01/17

nospam@example.com (Raymond P. Burkholder) — Tue, 18 Jan 2022 00:57:25 +0000

Security Orchestration, Automation, and Response Engine for Deployment of Behavioural Honeypots

Cyber Security is a critical topic for organizations with IT/OT networks as they are always susceptible to attack, whether insider or outsider. Since the cyber landscape is an ever-evolving scenario, one must keep upgrading its security systems to enhance the security of the infrastructure. Tools like Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), Threat Intelligence Platform (TIP), Information Technology Service Management (ITSM), along with other defensive techniques like Intrusion Detection System (IDS), Intrusion Protection System (IPS), and many others enhance the cyber security posture of the infrastructure. However, the proposed protection mechanisms have their limitations, they are insufficient to ensure security, and the attacker penetrates the network. Deception technology, along with Honeypots, provides a false sense of vulnerability in the target systems to the attackers. The attacker deceived reveals threat intel about their modus operandi. We have developed a Security Orchestration, Automation, and Response (SOAR) Engine that dynamically deploys custom honeypots inside the internal network infrastructure based on the attacker's behavior. The architecture is robust enough to support multiple VLANs connected to the system and used for orchestration. The presence of botnet traffic and DDOS attacks on the honeypots in the network is detected, along with a malware collection system. After being exposed to live traffic for four days, our engine dynamically orchestrated the honeypots 40 times, detected 7823 attacks, 965 DDOS attack packets, and three malicious samples. While our experiments with static honeypots show an average attacker engagement time of 102 seconds per instance, our SOAR Engine-based dynamic honeypots engage attackers on average 3148 seconds.

crunchy on the outside, chewy on the inside

nospam@example.com (Raymond P. Burkholder) — Tue, 02 Nov 2021 06:03:12 +0000

Today, if you want to do a ransomware attack against a business, first you go on a wardrive, collect a pile of passwords, look for wifi networks of interesting businesses, and then start hacking their network from the inside. You will find plenty of information in the clear on the inside to mount a spearfishing attack, not to mention you will be able to collect a pile of hashes of passwords used on the internal network, and then find a pile of administrative passwords.

The most serious flaw shown here is the delusion that "inside" is more secure than "outside". The good old crunchy on the outside, chewy on the inside... If you are not managing your network with the assumption that the barbarians are already inside, then you are setting yourself for trouble.

Seen on cryptography mail list

What is Yours is Mine

nospam@example.com (Raymond P. Burkholder) — Fri, 22 Oct 2021 03:28:40 +0000

My point is ... there is nothing out there on the Internet that needs data from my device - at least not for any reason useful to me - so there's no need for the device to be able to send packets. -- bear

Open Source Security: Abstracting the Control Plane

nospam@example.com (Raymond P. Burkholder) — Sat, 20 Mar 2021 19:25:52 +0000

From Key Takeaways:

Open source programs are typically platform-agnostic, allowing them to be used in nearly any cloud and run with any application.
Encryption is a fundamental security feature.
Open source programs like Let’s Encrypt use encryption to ensure website domains and other programs have secure communication protocols.
Virtualized security functions are best used with software-defined security orchestration because that brings out benefits like automation and function scalability.
By using an open source update system framework like TUF, attackers have a harder time manipulating the update system and corrupting software.
An open source policy controller works across clouds and platforms and enables application policies to be more uniformly applied and enforced in those environments.
A modern open source runtime security program can better protect a cloud-native application because it can work with many cloud-native applications across multiple clouds.

References to:

Open Security Controller Project
The Update Framework
Open Policy Agent - meat and potatos of policy evaluation and deployment

"Policy Enforcement" vs "Firewall/IDS"

nospam@example.com (Raymond P. Burkholder) — Sun, 07 Mar 2021 00:49:13 +0000

Bringing this back to security—instead of thinking “I need a firewall,” you should be thinking “I need a Policy Enforcement Point that can control network traffic, and a way to define that policy across my infrastructure.” Or, from another angle—instead of thinking “I need to deploy an IDS here to examine my web app traffic for SQL injections,” you should be thinking “I need to make sure that the web application traffic is scanned for SQL injections before it is processed by the app. I have several PEPs in my architecture that may be able to accomplish this goal.” -- Zero Trust Security, An Enterprise Guide, p51

SSH Tooling

nospam@example.com (Raymond P. Burkholder) — Sun, 05 Jul 2020 18:34:47 +0000

Some SSH advanced features:

SSH Emergency Access - design a break glass procedure for reaching SSH hosts in an emergency, using security keys that you can store offline
How to SSH Properly - a few different ways to easily improve the security of the SSH model without needing to deploy a new application or make any huge changes to user experience - certificates, bastion hosts, 2-factor authentication
SSH Handshake Explained
gravitational / teleport - from How Uber, Facebook, and Netflix Do SSH

2021/09/20 - I have some SaltStack code I have yet to publish which implements a solution using the SaltStack event bus to send user and host ssh key/certificates to an ssh certificate authority for signing, and then returning and installing the signed certificates. I say this because today I read about HIBA Host Identity Based Authorization in an article at Google: Announcing HIBA: Host Identity Based Authorization for SSH .

Network Monitoring and Protection

nospam@example.com (Raymond P. Burkholder) — Mon, 20 Jan 2020 20:16:04 +0000

Zeek s a powerful network analysis framework that is much different from the typical IDS you may know. (Zeek is the new name for the long-established Bro system. While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Threat Hunting with Bro IDS
BlackArch Linux is an Arch Linux-based penetration testing distribution for penetration testers and security researchers. The repository contains 2443 tools. You can install tools individually or in groups. BlackArch Linux is compatible with existing Arch installs.
Stratosphere IPS for Linux is an intrusion prevention system that is based on behavioral detections and machine learning algorithms. Makes use of Zeek.
Security Onion - Linux distro for intrusion detection, enterprise security monitoring, and log management
SecTools.Org: Top 125 Network Security Tools - several years old for the newest releases (looks like 2016 is most recent). Doesn't have tools like Suricata.
Argus s the first network flow system, developed by Carter Bullard in the early 1980's at Georgia Tech, and adopted for cyber security at Carnegie Mellon's Software Engineering Institute in the late 1980's. Network flow technology has become a critical part of modern cyber security and Argus is being used in some of the most important networks in the world. - last code around 2016 though. security links.

Papers:

Botnet Detection and Prevention inSoftware Deﬁned Networks (SDN) usingDNS Protocol in (IJCSIS) International Journal of Computer Science and Information Security,Vol. 17, No. 5, May 2019

Cygwin ssh-pageant

nospam@example.com (Raymond P. Burkholder) — Mon, 09 Dec 2019 21:31:14 +0000

On a Windows platform, I use SSH tools in two incarnations: a) Cygwin, or b) PuTTY.

When using PuTTY, to connect to a destination host, it is convenient to use pageant as a memory resident program to hold 'opened' private keys.

When using SSH on Cygwin, ssh-pageant can be installed via the Cygwin installer. The trick for linking ssh-pageant to the Windows resident pageant is to put the following into .bashrc:

 # ssh-pageant
 eval $(/usr/bin/ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME")