Category Archives: Uncategorized

Who is winning the personal cloud storage price wars? (chart)

Storing data in the cloud is essential for most people. Do you have a strategy for data classification, searching, indexing, or data backup?

Gigaom

Amid the introduction of iOS 8 and OS X Yosemite this week, Apple also announced its iCloud Drive along with some price cuts to go with it. Of course, a large part of choosing a cloud storage provider is based on the features they provide.

Apple’s iCloud, for instance, is obviously more tailored to an iPhone user than to Android, while Dropbox and Box aim to be more multi-platform. Price is still a priority though, so here’s how the personal cloud storage competition shakes out:

Personal Storage

Cloud Provider     | Free                          | Pricing Tiers
Apple iCloud Drive | 5GB                           | 20GB = $0.99/month; 200GB = $3.99/month; tiers available up to 1TB
Amazon Cloud Drive | 5GB                           | 20GB = $10/year; 50GB = $25/year; 100GB = $50/year; 200GB = $100/year; 500GB = $200/year; 1000GB = $500/year
Box Personal       | 10GB (up to 250mb file size)  | 100GB = $10/month with 5GB file upload size ($120/year)
Dropbox            | 2GB+ (Earn more space…        |


Is this a Cold War in the knowledge age?

Two news reports this week called up the term Cold War.

First, Reuters reported that the U.S. may act to keep Chinese hackers out of the Def Con hacker event. Then China struck back: state-owned enterprises were banned from working with companies such as McKinsey because of fears they are passing on commercial secrets to Washington.

Obviously, both sides are building walls to stop intelligence exchange.

 

Problem solving is mapping what you know to what you need to know.

what you know = knowledge 

mapping = creativity 

what you need to know = innovation 

Privacy has been described as an “adjustment process” in which humans continuously adjust the views of themselves that they present to others.

Steering Committee on the Usability, Security, and Privacy of Computer Systems; National Research Council. Toward Better Usability, Security, and Privacy of Information Technology : Report of a Workshop.

 

Mobile Payment in HK – Jetco & Tradelink

 

Hong Kong is going to have a new mobile payment venture, this time Jetco with Tradelink. Their platform is from an Israeli company, OTI, which is endorsed by MasterCard.

I have been following Tradelink for a few years. They are transforming from a commerce platform to a security and payment company. Well done.

http://hk.finance.yahoo.com/news/貿易通-00536-hk-首推跨平台外置式流動電子錢包方案-將推廣至台灣澳門-081100918.html

Layer 7 DDoS Attack : A Web Architect Perspective

The arms race in cyber security makes protecting Internet resources harder and harder. In the past, DDoS was mostly at Layer 3 and Layer 4, but reports from various sources identify Layer 7 DDoS as the prevalent threat. The slide below from Radware explains the changes in the new DDoS trend. While protection against network traffic flooding is mature, attackers have shifted their target to the application layer.

[Image: Radware slide on the Layer 7 DDoS trend]

As DDoS attacks evolve and now target the application layer, the responsibility to protect web applications no longer rests only on the shoulders of the CISO or the network security team. It is time for web application architects to go to the front line. This article analyses Layer 7 DDoS attacks and discusses some measures web application architects could deploy to mitigate their impact.

Types of Layer 7 DDoS Attack 

A study conducted by Arbor Networks showed that while attacks on DNS and SMTP exist, the most prevalent attack vector is still HTTP.

[Image: DDoS attack types]

A Layer 7 DDoS attack usually targets the landing page of a website or a specific URL. If an attacker successfully consumes either the bandwidth or the OS resources (such as sockets) of the target, normal users are not able to access these resources.

A closer look at the targeted web resources

When developing a protection strategy for a website against Layer 7 DDoS attacks, we need to understand that not all web pages are created equal. Diagram 1 shows different types of web pages. There are two ways to classify web server resources: one is based on their access rights, the other on their content type.

When the content is for registered users, there is usually a user authentication process that rejects unauthenticated HTTP requests. Pages only accessible by authenticated users are usually not the target of a DDoS attack unless the attacker has pre-registered a large number of user accounts and also automated the login process. The login page, which usually uses HTTPS, is another web server resource that DDoS attackers will exploit, since the HTTPS handshake is a high-load process for the web server.

Publicly accessible content has a higher risk of HTTP flooding, and the impact of HTTP flooding differs depending on the content type. Overloading these resources for a long period of time would mean the DDoS attack is successful. A DDoS attack on a static web page usually impacts the outbound bandwidth and web server resources (such as the HTTP connection pool, sockets, memory and CPU). Dynamic pages generate backend database queries, so an attack on them impacts the application server and database server. The types marked in red in the diagram face a higher risk of DDoS attack.

[Image: Web resource types]

In the paragraphs above, we established a general understanding of Layer 7 DDoS attacks on different types of web resources. Below is a discussion of how to minimize the impact of a DDoS attack on the website and on its users. These steps do not replace Layer 3 and 4 DDoS defenses and traffic filtering. However, unless your website is designed with these principles in mind, a carefully crafted Layer 7 DDoS attack could still bring down your website.

Protecting the Static Page

The most effective, and also the most expensive, way to protect static pages against DDoS attacks is to buy services from a reputable Content Delivery Network (CDN). However, the cost of running the whole website on a CDN may add up to a large sum. An alternative is to make use of cloud platforms and distribute graphics, Flash and JS files to one or more web servers located in another network. This method is already practiced by most high-traffic websites, which have dedicated servers used only for delivering images.

Nowadays, most web pages are over 100k bytes in size once all graphics, CSS and JS are loaded. Using the LOIC DDoS tool, an attacker can easily consume all the bandwidth and web server CPU resources. In an HTTP GET flood attack, both the inbound link and the outbound link become a bottleneck. A web developer cannot do much about managing the inbound traffic; however, there are ways to lower the risk of the outbound link becoming a bottleneck under DDoS attack. Web architects should monitor the inbound/outbound traffic ratio on the web server network interfaces.

One simple way to increase a website's defense against HTTP GET flooding is to store images and other large media files on another server (either within the same data centre or in another data centre). Using a separate web server to deliver non-HTML static content lowers both the CPU load and the bandwidth consumption of the main website. This method is similar to creating a DIY CDN. Cloud platforms with on-demand charging are an excellent resource for deploying this solution. Since the graphic files are publicly accessible, placing them on a public cloud platform does not increase data security risk. Although this is a simple solution for static pages, there are a few points to note. First, in the HTML code the “height” and “width” attributes of each image should be defined. This ensures the user sees a proper screen layout even when the image server is inaccessible. Secondly, when choosing a cloud platform, it is best to find one that does not share the same upstream connectivity provider as your primary data centre. When a DDoS attack happens, a good architecture should eliminate performance bottlenecks as much as possible.

Protecting the Dynamic Page

Dynamic pages are generated based on user input and involve business logic at the application server and data queries at the database server. If the web application displays large amounts of data or accepts user-uploaded media files, an attacker could easily write a script that generates a large number of legitimate-looking requests and consumes both bandwidth and CPU power. DDoS defense mechanisms that rely on filtering out malicious traffic via pattern recognition are not much use if the attack targets this weakness in dynamic pages. It is the web application developer's responsibility to identify high-risk web pages and develop mitigation measures to prevent DDoS attacks.

As displaying large amounts of data based on user input becomes more popular, web architects should develop a strategy to prevent misuse of high-load web pages, particularly when they are publicly available.

One way is to use a form-specific cookie and verify that the HTTP request was submitted from a valid HTML form. The steps would be:

  1. When the browser loads the HTML form, the web server sets a cookie specific to this form. When the user clicks the submit button, the cookie is also sent with the HTTP request.
  2. When the web server processes the user request, the server-side logic first checks whether the cookie is properly set before processing the request.
  3. If the cookie does not exist or its value is not correct, the server-side logic should forward the request to a landing page that displays a URL link pointing to the HTML form.

The diagram below shows the logical flow.

[Image: logical flow of the dynamic page cookie check]

The principle of this method is to establish an extra check before executing the server-side logic supporting the dynamic page, thus preserving CPU resources at the application server and database server. Most DDoS attack tools have only simple HTTP functions and are not able to process cookies. When Wireshark was used to capture HTTP requests from the LOIC DDoS attack tool, the packets showed that LOIC does not accept cookies from websites. A similar result was obtained with the HOIC tool.

[Image: LOIC traffic capture]

A DDoS attacker may record this cookie and send it within the attack traffic, which could easily be done with a script. To compensate, this form-specific cookie should be changed regularly or following a triggering logic.
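As an added example (not code from the original post), here is a minimal Python implementation of the three steps above together with the regular cookie rotation suggested in the previous paragraph. The cookie name, the secret, the 5-minute rotation window and the handle_search handler are assumptions made for this example.

```python
import hashlib
import hmac
import time

# Assumed values for this added example (not from the original post).
SECRET = b"server-side-secret-constructed-for-example"
ROTATION_SECONDS = 300           # cookie value rolls over every 5 minutes
LANDING_PAGE = "/search-form"    # page that links back to the HTML form


def form_cookie_value(form_id, secret=SECRET, now=None):
    """Value of the form-specific cookie set when the form page is served.

    It is an HMAC over the form id and the current rotation window, so a
    value recorded by an attacker stops working once the window rolls over.
    """
    t = time.time() if now is None else now
    window = int(t // ROTATION_SECONDS)
    msg = f"{form_id}:{window}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def cookie_is_valid(cookie, form_id, secret=SECRET, now=None):
    """Cheap check run before any expensive server-side logic (step 2).

    The current window and the previous one are accepted, so a form loaded
    just before a rollover can still be submitted.
    """
    if not cookie:
        return False          # LOIC/HOIC-style traffic carries no cookie
    t = time.time() if now is None else now
    for candidate in (t, t - ROTATION_SECONDS):
        expected = form_cookie_value(form_id, secret, candidate)
        if hmac.compare_digest(cookie, expected):
            return True
    return False


def handle_search(request_cookies, form_id="search", now=None):
    """Hypothetical handler for a high-load dynamic page.

    Returns (status, body_or_location) like a minimal web framework would.
    """
    cookie = request_cookies.get(f"form_{form_id}")
    if not cookie_is_valid(cookie, form_id, now=now):
        return 302, LANDING_PAGE                  # step 3: bounce to landing page
    # Only requests that passed the check reach the database-backed logic.
    return 200, "running database query"
```

A replayed cookie is rejected once two rotation windows have passed, which is the behaviour the paragraph above asks for.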

Unfinished Story

This article only shows some ways web architects could add DDoS defense into the DNA of a web application. The methods described will increase a web application's ability to survive HTTP flooding attacks. As attacks become more application specific, web architects should start taking on DDoS defense responsibility and design systems that are both secure and scalable.


Is the Internet still safe?

The details of the US NSA programs Bullrun and SIGINT are now in the public eye. An atomic bomb has literally been dropped. The real one dropped on Hiroshima forced Japan to end the war. This one is very different.

The documents released only gave a high-level overview of programs funded by US and UK government intelligence units. Without details on how the agencies are able to decrypt commercial communications using de facto Internet encryption technologies such as SSL, HTTPS and VPN, people feel worried about their privacy.

People are starting to ask “Is the Internet safe?” and they are right to ask this question. The documents show that there is systematic and long-term planning to compromise encryption technology. Without the technical details, skepticism is spreading. However, without details and proof, encryption technology is still our best defense against prying eyes, whether from criminals or from governments. The atomic bomb I referred to earlier is about the foundation of trust being destroyed, BUT not the safety of the Internet.

I would like to highlight that the word “backdoor” is used a few times in the explanatory note on the New York Times website. Backdoor is a very general concept and it is used by the reporter to help the public comprehend the technical details. It does not mean there are backdoors in commercial technologies. I think the better interpretation is that the agencies have the ability and the means if they need them.

An excellent write-up on the TrendMicro Security Blog offers similar views.