Weekend Reads 122118

A recent phishing campaign targeting US government officials, activists, and journalists is notable for using a technique that allowed the attackers to bypass two-factor authentication protections offered by services such as Gmail and Yahoo Mail, researchers said Thursday. The event underscores the risks of 2fa that relies on one-tap logins or one-time passwords, particularly if the latter are sent in SMS messages to phones. —Dan Goodin @arstechnica.com

After a year rife with security scandals, high-profile hacks, and data breaches, Congress is starting to take steps toward protecting the privacy of people who use the internet or smartphone apps — in other words, nearly every single American. —Kari Paul @marketwatch.com

According to the APWG’s new Phishing Activity Trends Report released today, phishers are using new techniques to carry out their attacks and hide their origins in order to make the most of every phishing campaign. @circleid.com

With Microsoft’s decision to end development of its own Web rendering engine and switch to Chromium, control over the Web has functionally been ceded to Google. That’s a worrying turn of events, given the company’s past behavior. —Peter Bright @arstechnica.com

The greeting starts out routine. You bump into a friend at the grocery store and they ask how you are. You find yourself thinking you aren’t that busy, at least, not enough to describe how you are. Things have settled down and work and family are status quo. Do you hesitate to say it… that you, in fact, aren’t busy? Are you embarrassed that it will sound as if you are dull, unimportant, or unmotivated? —Rosalinda Rosales @intellectualtakeout.org

It recently came to my attention that I was waging a war across multiple fronts and fatigue had struck — they were winning. For months I had battled, fighting their persistence with my propensity to click x. —Jye SR @freecodecamp.org

A belief in the cooking world says you shouldn’t have any tools in your drawers or any appliances on your countertops that serve a single purpose. Anything without multiple functions is a waste of space. It’s a belief that should extend to the IT world if we want some of these more leading-edge technologies to get a foothold and begin to take off, and I think that’s what you’ll see starting in 2019. —Bruce Milne @datacenterjournal.com

About a month ago, I came across an article that talked about IPv6 being a failure and should be abandoned due to it taking 25 years to reach 25% deployment. What struck me the most was the reference to it having been 25 years. —Jen Linkova @apnic.net

Weekend Reads 121418

Australia’s House of Representatives has finally passed the “Telecommunications Assistance and Access Bill 2018,” also known as the Anti-Encryption Bill, on Thursday that would now allow law enforcement to force Google, Facebook, WhatsApp, Signal, and other tech giants to help them access encrypted communications. —Swati Khandelwal @thehackernews.com

Equifax could have prevented a breach of its systems and the resulting leak of sensitive information on nearly 148 million people by focusing more heavily on security, creating a clear hierarchy of responsibilities, and reducing complexity in its infrastructure, a congressional committee concluded in a report released on Dec. 10. —Robert Lemos @darkreading.com

Small and home office routers are becoming major targets for criminals seeking to steal banking and other online account credentials belonging to Internet users. The latest indication of the trend is “Novidade,” a dangerous new exploit kit that multiple attack groups appear to be using to target routers belonging to millions of users in Brazil and, to a lesser extent, other parts of the world. —Jai Vijayan @darkreading.com

Internet Exchange Points (IXPs) originally aimed to keep local traffic local and reduce dependence on third parties. However, ever-increasing traffic volumes create pressure for more dense and diverse peering, which challenges the traditional IXP model. —Vasileios Giotsas @apnic.net

A common hacking/pen-testing technique is to drop a box physically on the local network. On this blog, there are articles going back 10 years discussing this. In the old days, this was done with $200 “netbook” (cheap notebook computers). These days, it can be done with $50 “Raspberry Pi” computers, or even $25 consumer devices reflashed with Linux. @erratasec.com

Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Fair or not, a number of nascent efforts are using just such an approach to derive security scores for companies and entire industries. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them — until it’s too late. @krebsonsecurity.com

Many articles have been published comparing the performance of video codecs. The reader of these articles might often be confused by their seemingly contradicting conclusions. One article might claim that codec A is 15% better than codec B, while the next one might assert that codec B is 10% better than codec A. @Netflix

After decades of the unrivalled dominance of JPEG, recent years have witnessed the appearance of new formats — WebP and HEIC — that challenge this position. They have only partial, but significant, support by major players among web browsers and mobile operating systems. Another new image format — AVIF — is expected to enter the scene in 2019 with promise of sweeping through the whole web. —Antón Garcia @freecodecamp.org

There are two kinds of people in this world: those who have been affected by Business Email Compromise (BEC) scams and those who don’t know they have been hit with BEC. It’s happening all the time, in your company, right now. People are getting emails that look official, from a realistic company email address, requesting some form of action; the trouble is, they are not real and they can lead to loss of data, loss of money, or both. —Ben Munroe @cisco.com

Optimal Route Reflection: Next Hop Self

Recently, I posted a video short take I did on BGP optimal route reflection. A reader wrote in the comments to that post:

…why can’t Router set next hop self to updates to router E and avoid this suboptimal path?

To answer this question, it is best to return to the scene of the suboptimality—

To describe the problem again: A and C are sending the same route to B, which is a route reflector. B selects the best path from its perspective, which is through A, and sends this route to each of its clients. In this case, E will learn the path with a next hop of A, even though the path through C is closer from E’s perspective. In the video, I discuss several ways to solve this problem; one option I do not talk about is allowing B to set the next hop to itself. Would this work?

Before answering the question, however, it is important to make one observation: I have drawn this network with B as a router in the forwarding path. In many networks, the route reflector is a virtual machine, or a *nix host, and is not capable of forwarding the traffic that setting the next hop to itself would attract. There are many advantages to intentionally removing the route reflector from the forwarding path. So while setting nexthop-self might work in this situation, it will not work in all situations.

But will it work in this situation? Not necessarily. The shortest path, for D, is through C, rather than through A. B setting its next hop to itself is going to draw E’s traffic for 100::/64 towards B, which is still the longer path from E’s perspective. So while there are situations where setting nexthop-self will resolve this problem, this particular network is not one of them.
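To make the argument concrete, here is a small simulation added for this post (it is not code from the post or the video). It uses a constructed IGP topology, an assumption rather than the diagram above, in which B is the route reflector, A and C both advertise 100::/64, and the client E compares what it pays with plain reflection, with B setting next-hop-self, and with the path E would pick if it saw both advertisements itself.

```python
import heapq
from collections import defaultdict

# Constructed IGP topology (an assumption, not the post's diagram):
# undirected links with costs. B is the route reflector; A and C
# are the exits advertising 100::/64; E is the reflector client.
LINKS = [("A", "B", 1), ("B", "C", 2), ("C", "E", 1), ("A", "E", 5)]

def igp_costs(source):
    """Dijkstra over LINKS: shortest IGP cost from source to every router."""
    adj = defaultdict(list)
    for u, v, w in LINKS:
        adj[u].append((v, w))
        adj[v].append((u, w))
    dist, heap = {source: 0}, [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nxt, w in adj[node]:
            if d + w < dist.get(nxt, float("inf")):
                dist[nxt] = d + w
                heapq.heappush(heap, (dist[nxt], nxt))
    return dist

def reflector_best(rr, advertisers):
    """The reflector keeps the advertisement whose next hop is closest
    by its own IGP view, and reflects only that one to its clients."""
    return min(advertisers, key=lambda nh: igp_costs(rr)[nh])

def client_cost(client, rr, advertisers, next_hop_self):
    """IGP cost the client pays to reach the prefix via what the RR reflects.
    With next-hop-self the client forwards to the RR, which then forwards
    on to the exit it selected; both legs are paid."""
    chosen = reflector_best(rr, advertisers)
    if not next_hop_self:
        return igp_costs(client)[chosen]
    return igp_costs(client)[rr] + igp_costs(rr)[chosen]

def optimal_cost(client, advertisers):
    """What the client would pay if it could choose among all exits."""
    return min(igp_costs(client)[nh] for nh in advertisers)
```

In this topology B prefers A (cost 1 versus 2), E pays 4 whether or not B rewrites the next hop, and the path through C that E never sees costs 1.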