While not immediately or obviously related to information security, I was so profoundly affected by my recent read of Andrew Blum's (@ajblum) Tubes, A Journey to the Center of the Internet, I believe it warrants a review for the Internet Storm Center readership. Remember an Internet ice age ago (2006) when Senator Ted Stevens described the Internet as "a series of tubes?" To this day it's a well recognized Internet meme, but Blum's Tubes goes a long way towards establishing discernible credibility for the good Senator's declaration. In this extraordinarily well-written exploration of the Internet's physical infrastructure he acknowledges that "one thing it most certainly is, nearly everywhere, is, in fact, a series of tubes."
Even as an engineer and analyst who has spent many years helping defend one of the world's largest Internet presences I found Blum's book extremely refreshing and deeply insightful. I've been in some of the very datacenters and Internet exchanges he describes and yet sadly have taken for granted that, as this book forces you to recognize, the Internet is a physical, living thing and does indeed flow through tubes.
Blum manages to convey a true sense of the physicality of the Internet while asking lucid questions regarding its core nodes and links. Of a router he ponders that which is invisible to the naked eye. "What was the physical path in there? And what might that tell me about how everything else is connected? What was the reductio ad absurdum of the tubes?" Heady stuff to be sure, but he continues a few pages later indicating that on his journey to the center of the Internet his bare common turned out to be the router lab, and that what he saw "was not the essence of the Internet but its quintessence-not the tubes, but the light." That light, that quintessence, is all about the fiber, the glass tendrils, that make up our incredibly connected world. What Blum's book requires of you to consider and always remember is how physical that connectivity really is.
Blum's exploration of the Internet is an actual walk through major network exchanges (PAIX, LINX) and providers (Equinix), to the cable landing station near Land's End in the UK where endless fiber connections terminate before their transoceanic journey via cables to points world wide. He spends time in datacenters near and dear to my heart in the Columbia River Valley while encapsulating the work of visionary people whose work I've long admired, such as Michael Manos.
Blum's digital safari even occasionally wanders into the darker corners of the Internet where much of my worry focuses.
First, he expresses nervousness regarding the "concentrated" nature of the exchanges and datacenters that serve as the core hubs of our Internet and wonders if it's responsible to explore and describe their physicality at such length. Yet, he discovers and concludes that there is an openness derived from the Internet's legendary robustness. "Well designed networks have redundancies built in; in the event of a failure at a single point, traffic would quickly route around it." He points out that one of the more significant threats to the Internet "is an errant construction backhoe." I can't tell you how many times we've lost connections due to fiber cuts while unrelated construction was underway that directly intersected our physical paths, or an anchor dragged the ocean floor in just the right (wrong) spot.
Second, Blum calls into question some of the "disingenuous" and "feigned obscurity" of the cloud "which asks us to believe that our data is an abstraction, not a physical reality." He voices his frustration further referring to that "feigned obscurity" as a malignant advantage of the cloud as it practically demands our ignorance with a "we'll take care of that for you" attitude. Blum points out that our data is always somewhere, often in two or more places, and that we should know where it is. He asserts that a basic tenet of today's Internet is that if "we're entrusting so much of who we are to large companies, they should entrust us with a sense of where they're keeping it all, and what it looks like."
Weigh this premise against revelations brought to light via Snowden's disclosures and you've got some deeper thinking to do as to the true nature of your data and expectations of privacy.
Tubes, A Journey to the Center of the Internet, is quite simply the best book I've read in a very long time. Blum's ability to converge technology and wit, data and philosophy, and dare I say, humanity with the Internet, transcends information security or network engineering. Blum is a gifted writer whose eloquent storytelling and turn of phrase bring many positive returns.
Tubes reminds us that the "Internet is made up of pulses of light" and while those pulses might seem miraculous, they're not magic. Blum asks that we remember that the Internet exists, that it has a physical reality and an essential infrastructure. In his effort to "wash away the technological alluvium of contemporary life in order to see - fresh in the sunlight - the physical essence of our digital world", Blum succeeds well beyond words that my simple review can convey.
Treat yourself, and a friend or loved one, to Tubes this holiday season and enjoy; you will experience the Internet in a wholly different light.

Russ McRee | @holisticinfosec
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Planning for PCI DSS 3.0: What you need to know
Bobsguide (press release)
Michael Aminzade is director of delivery for the Europe, Middle-East and Africa (EMEA) and Asia-Pacific (APAC) regions at infosec services and solutions vendor, Trustwave. The new Payment Card Industry Data Security Standard (PCI DSS 3.0) was released ...

Testa OTMS Multiple SQL Injection Vulnerabilities
Light Alloy '.m3u' File Remote Buffer Overflow Vulnerability
Nagios XI 'tfPassword' Parameter SQL Injection Vulnerability
ManageEngine DesktopCentral 'AgentLogUploadServlet' Directory Traversal Vulnerability
The doppelgänger Facebook profile scraped from WBAL producer Chris Dachille convinced many of his friends that it was actually him—and then spammed them with requests for money and malicious links.

Reporters and producers at a television station in Baltimore recently found out the hard way that they shouldn't blindly accept Facebook friend requests. Last month, they found that their profiles had been cloned by an attacker who quickly used their network of friends to spread malicious links and ask for money.

Attacks on media organizations' social media accounts have been at an all-time high this past year, including "hacktivist" and state-sponsored attacks on media outlets from the Syrian Electronic Army. But the attack on the staff of WBAL-TV was directed toward staff members' personal accounts. And this initiative was a more workaday one, less targeted at the station itself than the friends, co-workers, and viewers who were connected to the cloned accounts.

Because some of WBAL's staff members mixed their personal and professional social networking together, the attack gave the scammer access to a huge audience's Facebook news feeds. After the attack was discovered, it took weeks for Facebook to shut down the fake accounts.



The U.S. Army will pay Apptricity, a supply chain and financial software developer, US$50 million to settle a copyright infringement claim that it used but didn't pay for thousands of copies of logistics management software.
Zavio IP Cameras CVE-2013-2570 Command Injection Vulnerability
[SECURITY] [DSA 2806-1] nbd security update
LinuxSecurity.com: Multiple vulnerabilities were found in Perl, the worst of which could allow a local attacker to cause a Denial of Service condition.
LinuxSecurity.com: joernchen of Phenoelit discovered two command injection flaws in Sup, a console-based email client. An attacker might execute arbitrary command if the user opens a maliciously crafted email.
LinuxSecurity.com: Several security issues were fixed in Ruby.
LinuxSecurity.com: It was discovered that nbd-server, the server for the Network Block Device protocol, did incorrect parsing of the access control lists, allowing access to any hosts with an IP address sharing a prefix with an allowed address.
LinuxSecurity.com: Multiple vulnerabilities have been found in Namazu, worst of which allows remote attackers to cause a Denial of Service condition.
LinuxSecurity.com: A heap-based buffer overflow in cpio might allow a remote rmt server to execute arbitrary code or cause a Denial of Service condition.
LinuxSecurity.com: A heap-based buffer overflow in Okular might allow a remote attacker to execute arbitrary code or cause a Denial of Service condition.
LinuxSecurity.com: Multiple vulnerabilities have been found in rssh, allowing local attackers to bypass access restrictions.
LinuxSecurity.com: Multiple Denial of Service vulnerabilities have been found in Unbound.
FreeBSD Security Advisory FreeBSD-SA-13:14.openssh [REVISED]
NewsAktuell PressePortal DE - Remote SQL Injection Web Vulnerability

Authentication service benefits smaller firms
TechTarget UK
Security services reseller Infosec Cloud has launched a fully managed tokenless, two-factor authentication service to benefit smaller companies without in-house expertise. The service uses SecurEnvoy Tokenless two-factor authentication enabling ...

Linux Kernel 'kvm_main.c' Local Denial of Service Vulnerability
Attackers could force phones from Google's Nexus line to reboot or fail to connect to the mobile Internet service by sending a large number of special SMS messages to them.
Apple earlier today launched its annual Black Friday sale, but rather than directly discount hardware -- as it's done for years -- it offered gift cards of up to $150 with a purchase.
Network Block Device Server 'strncmp()' Function Access Bypass Vulnerability
OpenTTD 'MapSize()' Function Denial Of Service Vulnerability
Debian adequate '-- user' Option Local Privilege Escalation Vulnerability

Join Ars' Sean Gallagher in Manhattan for the 2014 Security Threatdown
Ars Technica
On Tuesday, December 3, I'll be in New York City at the Harvard Club to moderate a panel hosted by the Information Security Forum, discussing the top six reasons why infosec professionals will continue to collect a paycheck in the new year. The ...

The big problem facing supercomputing is that the firms that could benefit most from the technology aren't using it. It is a dilemma.
chuggnutt.com HTML to Plain Text Conversion Remote Code Execution Vulnerability
Perl Multiple NULL Pointer Dereference Denial Of Service Vulnerabilities