This Week in Enterprise Tech Episode 505 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Louis Maresca (00:00:00):
On This Week in Enterprise Tech, we have Mr. Brian Chee and Mr. Curt Franklin back on the show. Now zero-day exploits bring a whole new meaning to cybersecurity. The question is, is your organization ready to defend against one? We'll talk about some of the things you can do. But today we have Josh Kuo. He's DNS nerd from Infoblox on the show, and we're gonna get geeky about DNS, and we're gonna talk about some of the risks and some of the new standards out there that just might pave the way to better security. You shouldn't miss it. TWiET on the set.
Brian Chee (00:00:31):
Podcasts you love, from people you trust. This is TWiT.
New Speaker (00:00:40):
This Week in Enterprise Tech episode 505, recorded August 5th, 2022: Quick Win with UDP 853. This episode of This Week in Enterprise Tech is brought to you by New Relic. Use the data platform made for the curious. Right now you get access to the whole New Relic platform and a hundred gigabytes of data per month, free forever, no credit card required. Sign up at newrelic.com/enterprise. And by Compiler, an original podcast from Red Hat discussing tech topics big, small, and strange. Listen to Compiler on Apple Podcasts or anywhere you listen to your podcasts. And by UserWay.org. UserWay is the world's number one accessibility solution, and it's committed to enabling the fundamental human right of digital accessibility for everyone. When you're ready to make your site compliant, deciding which solution to use is an easy choice to make. Go to userway.org/twit for 30% off UserWay's AI-powered accessibility solution.
Louis Maresca (00:01:47):
Welcome to TWiET, This Week in Enterprise Tech, the show that is dedicated to you, the enterprise professional, the IT pro, and that geek who just wants to know how this world's connected. I'm your host, Louis Maresca, your guide through this big world of the enterprise, but I can't guide you by myself. I need to bring in the professionals, the experts in their field. Starting with our very own Mr. Brian Chee, net architect at Sky Fiber and all-around tech geek. Cheebert, it's great to see you again, my friend. How have you been? What's been keeping you busy?
Brian Chee (00:02:15):
Actually, I've been wrangling, you know, tech resources, 'cause we're getting ready for the 10th annual Orlando Maker Faire. So I'm actually gonna be using some interesting gear. It's actually gig over coax; it's using the MoCA standard. So it allows me to run over good-quality coax, 'cause there's lots of different varieties of coax, 600 meters at gig speeds, which is kind of cool. That's cool. And if you are not pushing the distance limit, you can use MoCA-compliant splitters. So they have to be a certain type of splitter. You can actually split it and have multiple drops. So that's gonna be kind of cool. There is a new thingy out there, it's called a magic SFP, that allows you to do the same thing in an SFP format. And that definitely plays in the multi-drop world. So that might be a way for me to do all kinds of interesting things, like set up Robot Ruckus. Woo. Nice. So it's gonna be fun.
Louis Maresca (00:03:31):
Interesting that you said that, 'cause I think gig over coax actually helped me quite a bit. I put another access point in the other part of my house, since there's so much coax going around that I don't use anymore, 'cause I've cut the cable. So it's been actually really helpful. It's really stable too. I'm surprised.
Brian Chee (00:03:46):
Yeah. And the funny part is, that's one of the ways I got into the industry. I was actually on the old ARCnet standards committee, and one of the big selling points was to use old 3270 coax for this brand-new thing called a local area network.
Louis Maresca (00:04:05):
<Laugh> Just one of those things. It was great to see you, Cheebert. Thanks for being back. We also have to welcome back our senior analyst at Omdia and all-around enterprise and security expert. He is Mr. Curtis Franklin. Curtis, you've been busy. You've been doing a lot of research, a lot of traveling. How have you been? What's been keeping you busy this week?
Curtis Franklin (00:04:26):
Well, I did get more sleep last night than I did before our call last Friday, since I wasn't flying around the East Coast at two in the morning, but I am getting ready to head out. Next week I'm gonna be at Black Hat and DEF CON. And just to let folks know, if you're going to be at Black Hat, I believe there are still a handful of tickets available for the Omdia Analyst Summit, where I'm gonna be speaking on Tuesday. If you are coming to Black Hat, there's no additional cost for the Omdia Analyst Summit. Head over to Dark Reading slash Omdia and you can find out how to register. But I'm gonna be doing that, and then DEF CON. Both of those are gonna be great events, looking forward to it. Finishing up some research, got a lot of writing to do, and starting new research. So all kinds of stuff going on in the world of Omdia, and just looking forward to taking a breath or two after Black Hat. It's been a wild summer.
Louis Maresca (00:05:38):
I bet it is. I bet it is. Well, speaking of lots of things going on, there's lots of things going on in the enterprise, so we definitely should get started. Now zero-day exploits bring a whole new meaning to cybersecurity. And the question is, is your organization ready for defending against one on your network? Well, we'll talk about some of the things that you can do there. Plus we have a great guest today. He's DNS... of course, DNS security continues to be a great defense against lots of different types of attacks out there. But today we have Josh Kuo. He's DNS nerd for Infoblox on the show today. It's a great title, and we're gonna geek out on DNS security and talk a lot about some of the threats that are out there, as well as some of the defenses. So lots more to talk about there.
Louis Maresca (00:06:15):
So stick around. But before we do, we do have to jump into this week's news blips. Now robot vacuums have been proliferating into many homes around the world. It's one of those inconspicuous things that can assist in the mundane tasks that busy working individuals don't like to do. Now, iRobot has been on the forefront of that market with its Roomba brand since 2002. Now, 20 years in the market makes you an expert at something, right? Well, Amazon sees that potential with their $1,000 Astro robot that they launched in preview last year. Amazon has been finding a way to blend its AI platforms and services with more physical devices that have greater reach into people's dwellings and homes. Now it was a good attempt, but it wasn't as compelling as a device that performs a really dull or monotonous task like vacuuming.
Louis Maresca (00:07:03):
Well, what else can Amazon do to get their foot in the door, but hit the ground running at the same time? Well, acquire iRobot, of course. In the deal, valued at approximately $1.7 billion, Amazon will acquire iRobot for $61 per share in an all-cash transaction. Nice to have some cash to spend on the side for some robot vacuums, or do they have bigger plans for iRobot? That's the question. While the new iRobot OS is one of those things that Amazon has that can now create a way for them to really create a cohesive experience between their cloud services and serve great purposes, even more so than including watchful eyes on your property. We'll give it a couple of years for the acquisition and some of the acclimation into the organization, and Amazon just might surprise you with the next generation home smart assistant, one hopes. It will also do my laundry, Rosie.
Curtis Franklin (00:07:54):
Well, things move quickly in the world of cybersecurity. Just one month after NIST revealed the first quantum-safe algorithms, Amazon Web Services and IBM have moved forward with implementation plans, Google only slightly behind. These three had something of a head start, since IBM researchers contributed to three of the four algorithms, while AWS had a hand in two and Google contributed to one of the submitted algorithms. This was a process that started back in 2016 with 69 original candidate algorithms, and it ended up with these four that are becoming NIST standards. NIST noted that these are not the last four, just the first four. They include CRYSTALS-Kyber, a public/private key encapsulation mechanism for general asymmetric encryption. For digital signatures, NIST selected CRYSTALS-Dilithium, Falcon, and SPHINCS+. Now at the AWS re:Inforce conference I attended last week, AWS talked about how they're building an open source hybrid post-quantum key exchange based on the hybrid post-quantum s2n-tls with CRYSTALS-Kyber, which connects to the AWS Key Management Service and AWS Certificate Manager.
Curtis Franklin (00:09:15):
IBM moved forward by specifying the new algorithms into its recently launched z16 mainframe, a system IBM introduced in April, calling it the quote "first quantum-safe system." Google, on its part, released a statement saying that they are a decade into an effort to be ready for PQC, that's post-quantum computing, to be ready before quantum computers become widely available. Now it's important to note that these algorithms are just the first steps in a journey that's gonna be long and see many, many different algorithms and systems come to market with the sole aim of defeating those bad guys sufficiently rich or well-connected to get their hands on a quantum computer.
Brian Chee (00:10:09):
Well, this Dark Reading story is one of those shame-on-you stories. So a T-Mobile store owner apparently managed to make 25 million buckaroos using stolen employee credentials, is what the headline reads. Well, anyway, law enforcement said, and forgive me on the pronunciation, Argishti Khudaverdyan owned a phone retailer, and over the course of several years used stolen employee credentials of more than 50 different T-Mobile employees to unlock hundreds of thousands of phones on the networks of AT&T, Sprint, and T-Mobile. Removing the lock allowed the phones to be sold on the black market and enabled T-Mobile customers to stop using T-Mobile services, thereby depriving T-Mobile of revenue generated from services, customer service contracts, and equipment installment plans. Tongue in cheek, I kind of find this hard to believe considering how hard it was for me just to unlock my four-year-old iPhone 6S off the T-Mobile network. So how do you do so many? It's like, you know, how do you do that? Huh? Huh?
Louis Maresca (00:11:29):
<Laugh> Browser extensions can be helpful for the most part. They augment capabilities to support broader scenarios, for some of the security information or even smart assistance, but sometimes they can be used for nefarious purposes if not careful. Now almost monthly I get a message about removing an extension or add-on in Chrome or Safari because it has been published compromised, or is maybe even a bad, malicious add-on that has some suspicious activity out there. Well, researchers have a good one for us this week. According to the security research firm Volexity, there is a new malware disguising itself as a browser extension that siphons data from one of your most precious data sources. Dubbed SHARPEXT, it's a never-seen-before malware that hackers from North Korea have been using to really read and download email and attachments from affected users' Gmail and AOL accounts.
Louis Maresca (00:12:23):
Now, since the users already are authenticated when reading email, the extension only has to invoke the data-reading functions of the mail client itself. Installed using spear phishing or social engineering techniques, it works quietly in the background. The research firm found out that this was the work of a hacking group the company tracks as SharpTongue. Now, North Korea's government sponsors this group. The extension also has defense mechanisms to prevent the browser from actually alerting its victims. See, these types of people I think really ruin it for the rest of us developers. That means that the browser's not gonna protect against these APIs in the future to make it harder to utilize them. But I guess this goes to show you, the more powerful the platform, the more power you give to bad actors as well. Now, one word of caution here: try using really just the vanilla browser regularly out there, rather than trying to use extensions to augment it.
Louis Maresca (00:13:11):
And now, if you must use extensions, check them regularly that they're not the ones that are, you know, causing unreactive-type involvement, maybe siphoning data or sending data out of your network. Now, even the ones you do trust, you should really ensure that they come from reputable sources and don't use your data for bad purposes. Sounds easy, right? Well, browsers are sandboxes, and if you load your precious data in the sandbox with others there to play as well, it's really just a public park. Don't let your data become an amusement park for the actors around the world. Well, folks, that does it for the blips, but we have the bites coming up. And before we get to the bites, we do have to thank a really great sponsor of This Week in Enterprise Tech, and that's New Relic. Now I know a lot of developers out there, and you are some of the most curious people in the world.
Louis Maresca (00:14:03):
The first to explore new tech, dig into the documentation, not only wanting to know how things work, but why. That's exactly why so many engineers turn to New Relic. New Relic gives you the data about what you build and shows you really what happens in the software development life cycle. It's a single place to see the data from your entire stack, so you don't have to investigate 16 different tools and make those connections manually. Plus New Relic pinpoints issues down to the line of code, so you know why the problems are happening and you can resolve them quickly. That's why dev and ops teams at DoorDash, GitHub, Epic Games, and more than 14,000 other companies use New Relic to debug and improve their software. Now, when teams come together around data, it allows you to triage problems, be confident in decisions, and reduce the time needed to implement resolutions, using data, not opinions. Use the data platform made for the curious. Right now you can get access to the whole New Relic platform and a hundred gigabytes of data per month, free forever, no credit card required. Sign up at newrelic.com/enterprise. That's N-E-W-R-E-L-I-C dot com slash enterprise, newrelic.com/enterprise. And we thank New Relic for their support of This Week in Enterprise Tech.
Louis Maresca (00:15:27):
Well folks, it's time for the bites. Now, what do you do when you become a victim of a zero-day threat? Now, most organizations don't have emergency plans in place to really counteract these types of common threats in today's world. Now remote code execution bugs are becoming more prevalent in the online landscape. Now once planted, they can open deeper, more complex exploits that really burrow themselves down within your network and your services. Now this article from Dark Reading gives a really nice set of examples, including the most recent remote code execution exploit and D-Day that's out there. It was actually an Atlassian Confluence remote code execution bug. It actually targeted the Object-Graph Navigation Language injection vulnerabilities that were out there. But when it came time to the attack, it was a massive tidal wave of activity. And what happened next was a really deep set of orchestrations by several groups within their organization, and actually several layers within the network, to really throw out the attack and minimize the impact that was there.
Louis Maresca (00:16:21):
Now, the question is, how do they do it? How do they do it? Well, let's talk about really some of the things that CSOs can do to help their organizations be ready for D-Day when it comes to a zero-day exploit. What's in the playbook is a really good set of questions. Now let's talk about your network layer first. Now your network layer can really give you a lot of information about mitigating attacks. Some believe that, you know, your web application firewall is really useless against zero days, but contrary to belief, they can actually give you a really great tool to combat against them. They can create really virtual network rules to stop these attacks in their tracks, and stopping them in their tracks gives you really more room to investigate how deep the rabbit hole goes.
Louis Maresca (00:17:06):
Now there's also other options here. They give another example of client reputation databases, right? It's another way to help prevent attacks from the same compromised IPs that have performed the same nefarious acts in the past. Again, slowing things down. Now, governance and controlling traffic rates, that's another really good one. An increased rate of activity from really specific IPs should be an alert, or maybe an automatic rule in your network, for maybe throttling and, you know, maybe shutting down ports of suspicion even. So at least you're tipped off that something bad is happening, right? That leads to the next one, which is watching out for bots. There are really a lot of new tools out there that actually can detect activity that doesn't really match the daily usage patterns of your users and is really more mechanical-like or bot-like. Take advantage.
Louis Maresca (00:17:52):
Really, I really think you should take advantage of those, 'cause those are some really useful tools that are out there. Something easy to overlook as well in the defense against the dark arts of zero days is outbound traffic. A common scenario for attackers is attempting remote code execution penetration testing, and that's sending a command from the network to, like, a targeted web server to, like, maybe an outbound signal to another DNS or DNS call. Now monitoring those random connections can actually help you uncover potential threats and some of the sleepers on your network. Now, once you detect those things, you can trap and trace them. Now you give yourself some more time to put more defenses up against them and understand what's happening next. And as you wait, make sure you really contain the blast radius, and that's minimizing them with the risk.
Louis Maresca (00:18:39):
And we've talked a lot about this when we talk about zero trust: the whole concept of micro-segmentation. Shut down access to crucial data and services and really contain the impact. Now there's no silver bullet here. There's no magic recipe. These are just some of the ways that you can make things better and prepare yourself. However, a number of these techniques, for me, I think are just working in training on some of the playbook items that make things better. I wanna bring my co-hosts back in. Curtis, a lot of these things come down to staying cool and containing the threat while the impact, the activity, is really investigated. Is that a good pattern to follow? Really, just at least have a set of things in a playbook and just start executing on them when you start to see activity.
Curtis Franklin (00:19:24):
Well, let's admit that panic is rarely a winning strategy. So to the extent that you have some sort of playbook set up to handle even less common or unexpected specifics, the better off you're gonna be. When it comes to watching these, a couple of things are critical. Number one, it is not unheard of, but it's less common for zero days to be found in current-generation software. By keeping your software updated and patched, you dramatically reduce the extent to which you're vulnerable to these things. The other thing is, and Lou alluded to this, the idea of the outbound traffic monitors cannot be overemphasized. Now a lot of people will look primarily for traffic volumes. If you see someone shoving lots of traffic out, that's a red flag, and it is, but we have to admit that there are lots and lots of these attacks that go, as they call it in the industry, low and slow.
Curtis Franklin (00:20:46):
They try to stay under the radar of the automated and AI-based detection systems. The thing is, you have to be looking at where your traffic is going, and when traffic starts going consistently to an unknown location, that's a red flag. We talk about dwell time, and that's the time that elapses between when an attack is successful, when it gains access, and when it's discovered. The industry average right now is still measured in weeks or months, rather than hours. That needs to come down. But you also have to recognize that once a payload is clicked on, once they have access to the system, in general these malware packages have gained persistence on a system within one to one and a half seconds. So if your response involves alerting a professional to do something, you're too late already. You've got to use the combination of automation, machine intelligence, and a solid human-based playbook to do remediation.
Louis Maresca (00:22:22):
Now, Curtis, you bring up a good point, because the last one there kind of sparks that question. And Cheebert, I wanna bring you in too, because this is a good question for you. I think, you know, a lot of organizations, they don't have these cybersecurity professionals that they need to really understand some of these protections and defenses. Mm-hmm <affirmative>. What's some of the things they can do? And Curtis kind of talked about a couple of them. Are they a replacement for those professionals?
Brian Chee (00:22:48):
Actually, I think one small baby step is to not... you know that old saying, if the only tool you have is a hammer, everything starts to look like a nail. My big suggestion is education. If you treat your problems as company secrets and you're not willing to talk to someone about it, then you're gonna keep having the same problems over and over and over again. I'm going to say join InfraGard or an organization like that. Share your woes with other people in the industry. You know, find the guy with the screwdriver, find the girl with the saw, you know, learn the other tools, because if you only have a hammer, everything looks like a nail. You know, I'm gonna keep saying that, but you need to learn what the other tools look like.
Brian Chee (00:23:52):
You know, things like, oh geez, learning Metasploit. That was one of the really cool seminars that the InfraGard people did, not too long before I left Honolulu, learning how to use something like Metasploit so you can do some testing of your own infrastructure. It means there's less attack surface. Another big one that I used to do as a class was make use of VLANs. You know, segment off your traffic so that if a zero day makes use of things like directed broadcast or broadcast, or searching the collision domain for machines they can infect, the collision domain or the VLAN or whatever, however you want to talk about it, is smaller, and you've segmented off your traffic. So say, for instance, your warehouse is segmented away from accounting, and you have an IDS/IPS, or at least a firewall, in between those segments.
Brian Chee (00:25:02):
So it has a chance to look at the traffic trying to traverse the VLANs. Maybe, just maybe, you'll be less of a surface to attack. So it's something you might wanna do. So, bottom line, learn how to use the other tools. There's a lot of open source tools. There's a lot of inexpensive or free tools. I think the biggest thing is reduce your attack surface, make sure you're up to date, make sure you're patched. Use some of the tools out there to automate the patching process, because you may not have enough warm bodies to keep up otherwise. So learn to use the other tools. I think that's the bottom line.
Louis Maresca (00:25:47):
I like that. I like that. Yeah. I guess, Curtis, I wanted to ask you, I mean, obviously you talk about tools, we talk about education, but the fact is the problem of having the right security professionals is a bigger problem than we think, right?
Curtis Franklin (00:26:01):
Oh, it's huge. Depending on exactly who you ask, we are somewhere between 400,000 and 700,000 cybersecurity professionals short of what we need. And the simple fact is we could run a huge national college program and we're not gonna get that many. So what are you left to do? Some companies have decided that the answer is using MSPs, or managed security service providers, to pick up the slack and take care of it for them. There are many good MSPs, but there are also some limits on exactly how far they can go into your enterprise. For the rest, offering training to your cybersecurity professionals to keep them current and happy, and offering that training to bring IT generalists to a higher level of cybersecurity professionalism, is a great thing. The human side can't be ignored, even when the service providers and the machine learning are doing the best job possible.
Louis Maresca (00:27:19):
Indeed, indeed. Thank you, guys. Well, I think that one puts that to bed. I do wanna get to my guest, so we should probably move forward here, but before we do, we do have to thank another great sponsor of This Week in Enterprise Tech, and that is Compiler, an original podcast from Red Hat discussing tech topics big, small, and strange. Compiler comes to you from the makers of Command Line Heroes, another of our sponsors, and is hosted by Angela Andrews and Brent Simoneaux. Technology can be big, bold, bizarre, and complicated. Compiler unravels industry topics, trends, and the things you've always wanted to know about tech through interviews with the people who know it best. Now on their show, you will hear a chorus of perspectives from the diverse communities behind the code. Compiler brings together a curious team of Red Hatters to tackle big questions in tech, like: what is technical debt?
Louis Maresca (00:28:11):
What are tech hiring managers actually looking for? And do you have to know how to code to get started in open source? Now, episode two covers what can video games teach us about edge computing. Now the internet is a patchwork of international agreements and varying infrastructures, but there's something coming to change the ways we connect. In this episode of Compiler, the hosts explore edge computing and what it can mean for people who enjoy video games, and what this form of entertainment could teach us about the technology itself. Episode nine: how are tech hubs changing? Traditionally, if someone wanted a career in tech, they had to make a move to a tech hub, or a city packed with startups and talent, but things are starting to change. The hosts of Compiler speak to a few of the change makers who are thinking outside of the physical and social dimensions
Louis Maresca (00:28:57):
we've come to associate with innovation. The edge computing episode's really, really good. They did an amazing job of actually distilling down what edge computing is, and just how practical applications make it seem more accessible to everyone. So definitely check that one out. Learn more about Compiler at red.ht/twit. New episodes are out now, so go download them anytime, and be sure to check back for new shows. Now listen to Compiler on Apple Podcasts or anywhere you listen to your podcasts. We'll also include a link on this episode's show page as well. Many thanks to Compiler for their support of This Week in Enterprise Tech. Well folks, it's my favorite part of the show. We actually get to bring a guest to drop some knowledge on the TWiET riot. And today we have Josh Kuo. He's a DNS nerd from Infoblox. Welcome to the show, Josh.
Josh Kuo (00:29:50):
Oh, hey, I didn't see you guys there. I was so wrapped up in this new IETF draft that was released today, just reading up on DNS. I <laugh>.
Louis Maresca (00:30:00):
Things are always changing in DNS, right? I'd say, I'll tell you one thing, I think you have the best title so far on the show. But before we get into what that title means and more about DNS, part of our audience really loves to hear people's origin stories. Can you maybe take us through a journey through tech and what brought you to Infoblox?
Josh Kuo (00:30:19):
Sure. Yeah. So unlike most of you, I wasn't bitten by a radioactive spider to get into this industry. I went to the University of Hawaii for computer science. That's where I met Brian. I worked in his lab, and I'm one of his many, what we call, chill pads, 'cause we were all like little, you know, spawning from his lab. In fact, I met my wife while working there. We were both working at Brian's lab. Fantastic. So literally a job that changed my life. And from there, I went to school thinking I'm gonna be a programmer, a software programmer, but it just kind of took a lot of turns. I got into network engineering, got into InfoSec, kind of systems, and eventually all that kind of took me to where Infoblox is. I was kind of attracted to Infoblox because DNS is one of those technologies that doesn't squarely fall into any of those. You kind of need to know something about networks. You need to know a little bit about systems. It's traditionally that sysadmin job. And, as we'll see when we get into it, it's now a crucial part of security. So that's where I'm at now at Infoblox. I'm very happy that I have the opportunity to be on the training team, 'cause something I learned from Brian, I also love to share my knowledge. So that's, yep.
Louis Maresca (00:31:53):
Fantastic. Fantastic. Yeah, it was great to hear these stories. I think we wanna hear, maybe offline, some more stories about Brian later. But I do wanna get into some of the DNS stuff that we've been hoping that you can take us through. Now, through our show, we've talked a lot about some of the DNS exploits that are out there. Of course, it's a foundation to all networks and the internet, but I wanna start from the beginning. Maybe take us through just why DNS is one of those things that's exploitable, and some of the things you are seeing organizations doing, and people doing, to really protect themselves from it.
Josh Kuo (00:32:31):
Okay, sure. And you're right, it's very foundational, but it's usually often overlooked. And I wonder, it was like a perfect setup from Kurt earlier about looking at your outbound, right? Everybody... I mean, there's a whole separate subject, we're gonna get into defending your DNS servers, but I wanna focus on a part that rarely gets enough attention. That's your outbound DNS queries, and bad guys are taking full advantage of that. We have all kinds of security apparatus looking at traffic leaving your network, but these devices traditionally don't look into DNS packets. And in fact, I don't know if we can skip around the graphics I have provided, but if we look at graphic number four that I sent out earlier, that's a nice little illustration to show you how this happens, and we call that DNS tunneling.
Josh Kuo (00:33:38):
All right. So, right, at a very high level, a client has been infected, maybe went to the coffee shop, came back with the malware, and it's sending out a DNS query to say, I wanna look up command.doctorevil.com. Since it's not inspected, it gets all the way back into the environment, and doctorevil.com can send back whatever they want disguised as a DNS response. And by the same token, that can be sending important information out, like critical numbers. So I'll take a pause, 'cause I'm sure, yeah, Brian or Kurt might have something to add here.
Louis Maresca (00:34:23):
Yeah. I'd love, I'd love to have, bring the guys back in cuz I know that Brian, you have a lot of history with Josh as well as a lot of history with security. It's you two as well. Curt, anything to add to what Josh was talking about?
Brian Chee (00:34:36):
Well, I just wanted to bring up something. Josh and I have been working on a project together. I'm still under nondisclosure for it, but one of the things that was highlighted was DNS. You know how you see your, you know, web addresses. There's a question mark, and there's a ton of stuff behind it. Well, you can do something similar with DNS, and because DNS is almost never looked at, all kinds of data can be exfiltrated. And this was one of the things, this was a horror story when I first learned about it, enough that I wrote a classified paper on it, because one thing I was telling some of the folks in the DoD was, Hey, you may be blocking outbound traffic, but you're not blocking DNS requests. And that is one potential way of exfiltrating data out of what are potentially secure networks. It kind of gave me the heebie-jeebies, and I can't wait till I can talk more about this project that Josh and I are working on together. Because I think it's going to be a really, really good way of learning about the tools available to you and the tools on what DNS can do to you if you're not watching.
Louis Maresca (00:36:10):
Indeed, indeed. I'm looking forward to that as well. I'm curious to hear more about it. I do wanna throw it back to Josh really quick. Cause I know that we, we talked about the, we talked about a lot of the exploits that are out there and you know, of course a lot of the users, user devices that go in and out of the network are vulnerable, but we, we hear a lot about some of the network appliances being exploited, where they just install something very small that allows them to exploit some of the DNS so that the users then who are on the network, it doesn't matter if their machines are exploited or not go to more nefarious websites and download malware or, or, you know, or their browsers are then exploited and, and have remote code execution. And that kind of thing. I, is this something that can be stopped because you know, because the network appliance itself is, is, is kind of hosting this and doing this, or do you see organizations doing or not being able to manage against that because of the fact that they're not securing DNS,
Speaker 5 (00:37:12):
That's a really good point. So I don't think we can ever completely stop all these exploits, because every time we come up with a new method, the the bad guys just come up with another new one to bypass it <laugh>, but we shouldn't be pessimistic about it. We still need to try to plug all the holes that we can. And right now, in my opinion, based on what I have seen, DNS is usually left wide open. We are heavily filtering, looking into deep packet inspection for mostly HTTP packets, sometimes even decrypted before sending it, just to look at what's inside. But DNS, even the plain DNS, usually is not looked at at all. And one of the confusions a lot of people have is there's a technology called DNSSEC, and then there's a, a whole new field of new ones, emerging ones, called encrypted DNS.
Speaker 5 (00:38:12):
If you guys could load the first graphic, please, I have an illustration showing, showing where they go on the network. The misconception usually is that DNSSEC will give you just everything. I mean, it's called sec, but all it really is is a protocol today, mainly among DNS servers, that provides authentication. So you can be sure I'm really talking to ns1.google.com. But once that DNS server gets the answer, it turns around and does plain text to the client over UDP, right? So that's the last, we call the last mile. And if I'm a bad guy, well, that's the place where I can do a lot of damage. So a new field emerged in the last couple of years, about three years, encrypted DNS came up. And so there's DoT, there's DoH, and this May we had DoQ.
Speaker 5 (00:39:06):
So your listeners can go Google these names. These are new standards. Basically, that's what they do. They, they, they focus on, I'm gonna encrypt the portion from your web browser to the ISP's DNS server. And that sounds great. A lot of people like, oh, that's awesome. That will gimme more security. Here's the problem though: that doesn't look into what you are sending. So there's actually malware and, and, and ransomware that's taking advantage of this. They're sending out these secret communications, these command and control messages over DNS, and then using encrypted DNS on top of that, counting on, well, you, you're not gonna be able to see this. So this is a huge issue for a lot of enterprises, that if your users are using encrypted DNS, then you lose that whole visibility. Even if you wanted to restrict what happens, what gets sent over DNS, adding encryption stops that.
Louis Maresca (00:40:16):
Right? Right. Well, I wanna throw this over to Curt cuz Curtis, you, you deal with a lot of organizations, do a lot of research here. You know, obviously DNS is one of those most vulnerable parts of, of of, of an organization's network and the internet, right?
Curtis Franklin (00:40:32):
It is. And Josh, I wanna ask questions about the, the practical impact of some of this, because you know, the, the fact is that many organizations would like to specify the DNS server that their employees use. And if you're all sitting there, you know, jacked into cat six, it's not a problem, but at a time when so many of us are working from coffee shops, we are working from home, we're doing all of this other stuff, one of the, the huge problems that everyone runs into is what's called the captive portal. And for our, our listeners, this is where you go to a coffee shop, you pop up your browser, and the first thing that happens is that you get a splash screen saying you're on Joe's Coffee Shop internet, click accept for our terms of service and maybe sign up for our newsletter. Specifying a, a DNS server re captive portals, where are we as an industry on figuring out that process? I know I've talked to some people who say, oh, we're just on the verge of solving that problem, or using our tool will get you around the captive portal problem. But realistically, is this still a stopper for a lot of good practices?
Speaker 5 (00:42:11):
I think so, yes. I, I think captive portal continues to be one, one of the many issues that needs to be addressed. And I'm trying to think how DNS might fit into that. But the, actually the one I wanna branch off from your point was that assumption. So at the very beginning, you said, well, if I am at the corporate office, plug in a cable, I have control over my DNS setting. That's a very reasonable assumption from pretty much everyone, but that is not the case with encrypted DNS. So DoH, DNS over HTTPS, has been widely deployed silently. So I'm willing to bet all of us right now who are using a modern browser, we, our DNS traffic is going through port 443 encrypted to either Cloudflare or Google. If you use Firefox, a recent version, you can click to the settings to see a lot of them defaulted to, I'm gonna quietly shift your DNS traffic to whoever I want.
Speaker 5 (00:43:23):
Even though at the system setting, you might have said, please use the corporate DNS server. But when you go to a webpage, Firefox is sending that data to whoever they want. Usually, I think, Cloudflare; same thing for Chrome, send to 8.8.8.8. So that's a huge one. It breaks functionality, because if you have an internal name, say, you know, internal.tv that can only be resolved in the building, well, when you visit that internal site using Firefox, Firefox will go to their DNS server and say, I don't know where this is. And that's the least of your concern, because if that gets infected with malware and starts sending out credit card numbers over DNS, you also can't catch it.
Curtis Franklin (00:44:17):
That seems like a significant problem. I could be wrong, but it sounds significant to me. The, the other thing I know is that DNS is frequently one of the protocols that's used in DDoS attacks. You can use amplification techniques. Will the kind of encrypted connections and the, the DNS security that you're talking about mean that it's more difficult or impossible for criminals to use DNS as an attack vector in DDoS attacks?
Speaker 5 (00:45:01):
Potentially, because some of the characteristics of DNS, of traditional, what we call Do53, traditional DNS over port 53, it is mostly UDP based, and UDP is fairly simple to spoof. So a bad guy can pretend, oh, my source IP is 10.10.10.10, go to a DNS server, ask a lot of things. And then the return gets reflected to the victim, 10.10.10.10. Now this reflection is much, much harder to do using TCP. So all of the new encrypted DNS standards use either TCP or TCP-like technology, like QUIC. That's the, the, the latest round of technology that we have at, I guess, layer 3.5, cuz it sits somewhere between layer three and layer four. So yes, I, I, I believe as we move towards less UDP based and more TCP based technologies, some of these, not all, depends on how you carry out the, the, the nature of the DDoS attack, but these easy things to do in DNS, these are some of the more prevalent ones we see today, is the reflection counting, counting on spoofing source address. These will hopefully fade away. Hopefully,
Louis Maresca (00:46:32):
Hopefully, hopefully <laugh> well, we've got more to talk about DNS, lots more to talk about here, but before we do, we do have to thank another great sponsor of This Week in Enterprise Tech. And that is userway.org. Now every website without exception needs to be accessible. UserWay's incredible AI powered solution tirelessly enforces the hundreds of WCAG guidelines out there. Now in a matter of seconds, UserWay AI can achieve more than an entire team of developers can do in months. Now at first it may seem overwhelming to make your website accessible, but UserWay solutions make it simple, easy, and cost effective. You can even use their free scanning tool to see if your website is ADA compliant. Now, if you have an enterprise level website with thousands of pages, they also offer a managed solution where their team can handle everything for you in a managed way.
Louis Maresca (00:47:17):
Now UserWay's AI and machine learning solutions power accessibility for over a million websites, trusted by Coca-Cola, Disney, eBay, FedEx, and many other leading brands out there. Now UserWay is making its best in class enterprise level accessibility tools available to small and medium businesses. You can get started today for as little as $49 a month on UserWay's monthly plan. Your company can be ADA compliant, reach more customers and build loyalty. And remember you get 30% off. There are 1 billion people in the world with disabilities. That's roughly 13% of the population that you don't wanna lose as potential customers because you're not compliant. Think about it, by not being compliant, fines and revenue loss will cost you so much more. UserWay is the leading accessibility solution in the market today with a market share of 61%, the biggest in the world. For years UserWay has been on the cutting edge, creating innovative accessibility technologies that push the envelope of what's possible with AI, machine learning and computer vision. UserWay AI automatically fixes violations at the code level.
Louis Maresca (00:48:22):
And here's some of the things they can actually do. They autogenerate image results. It writes image descriptions for you. Remediates complex nav menus and ensures that all popups are actually accessible. It fixes vague link violations and also broken links. It ensures your websites are really using accessible colors while remaining true to your brand. And UserWay gives you a detailed report of all the violations that were fixed on your website. Now UserWay is platform agnostic and it really integrates seamlessly with WordPress, Shopify, Wix, Sitecore, SharePoint and more. Let UserWay help your business meet its compliance goals and improve the experience for your users. The voice of Siri, Susan Bennett, has a message about UserWay.
Speaker 6 (00:49:07):
Hi, I'm Susan Bennett, the original voice of Siri. You won't hear me say something like this too often: I'm sorry, I don't understand what you're looking for. But every day that's what the internet is like for millions of people with disabilities. UserWay fixes all of that with just one line of code.
Louis Maresca (00:49:28):
UserWay can make any website fully accessible and ADA compliant. With UserWay, everyone who visits your site can browse seamlessly and customize it to fit their needs. It's also a perfect way to showcase your brand's commitment to millions of people with disabilities. Go to userway.org/twiet and get 30% off UserWay's AI powered accessibility solution. Book a short call and get their accessibility guide. UserWay, making the internet accessible for everyone. Visit userway.org/twiet today. And we thank UserWay for their support of This Week in Enterprise Tech. Well folks, we've been talking with Josh Kuo, he's really the DNS expert, DNS nerd from Infoblox. Josh, thanks so much for being on the show. I do wanna bring Cheebert back in cuz he has some good questions. Cheebert.
Brian Chee (00:50:17):
Actually I wanna let Josh kind of run with a topic that's kind of near and dear to my heart, and I know it's near and dear to his heart, and that's, you know, DNS over HTTPS or DNS over TLS. They both have, shall we say, some problems, but you've been reading up on a new IETF standard that might actually fix that. So why don't we start off with who's who's supporting these, you know, what's wrong with DoH and what's wrong with DoT.
Speaker 5 (00:50:54):
I I'm gonna be careful and not say there's something wrong with either one. Both are pretty good protocols. Just the preferences. So DoT basically takes DNS messages, encrypts them, puts it over TCP port 853. DoH, the HTTPS variant, basically says, we're gonna take all the DNS messages, convert them to, well, essentially webpages, HTTP messages, and then encrypt them, send them over port 443. So the goal, the design goal from the beginning, has always been to make it look identical to just any web traffic. So the upside of doing DoH is it's very, very easy. You update Firefox, boom, you're on DoH, right? That's probably what we're all using today. The downside is there's no device to my knowledge today that can inspect deep into that traffic and go, is this a webpage getting, you know, loading the front page of Facebook, or is this a DNS request that contains malicious traffic?
Speaker 5 (00:52:06):
Now the new one that's just ratified in May, called DoQ, DNS over QUIC, may be the winner. It's too early to tell right now, cause it's only, it's a, it's a baby. It's, it's a, it's an infant, right? Only a couple, couple of months old. But what it aims to do is still encrypt DNS, still use QUIC, which means HTTPS, so you can do two way authentication. You can do all the cool security stuff, but we're gonna use UDP port 853. The benefit of that is, as an enterprise, I can now quickly, easily stop or inspect this traffic. Instead of mixing your normal web traffic with your encrypted DNS, DoH, on the same port 443, now we peel them apart. 443 is for your web browsing traffic, and 853 UDP would be your encrypted DNS over QUIC. So I think personally, I really, really like that. That's a great design. And I hope it, it takes off cuz I think that that's gonna sort of give the, the organizations and enterprises the best of both worlds. You can, you can have some control and you can have some privacy.
Brian Chee (00:53:28):
Okay. So you've brought some teasers from the project that you and I been working with. And so you've got six slides that kind of take us through the issues with encrypted DNS. Sure. How about we, we go through those and learn a little bit about the encrypted DNS for the client side.
Speaker 5 (00:53:51):
Okay. So maybe we'll just, I'll show the last two, five and six, that would illustrate why encrypted DNS, I, I think in my view, is a double-edged sword. So in this diagram we're showing, this is a DNS exfiltration. The client has been infected somehow, right? Today we, we don't know, you, you maybe, because you're working at home and your son grabbed your laptop and downloaded something, and it has stolen some password. The infected client can encode this password to whatever stuff it wants and send it out as a DNS query to the attacker.
Speaker 5 (00:54:29):
And that's it, it goes out and you, you're done. There's no coming back. The attacker has your stolen data, and I know a lot of people listening go, well, that's, that sounds really hard to do. Is, are people really doing it? And my next graphic shows, yes. Number six, Alina POS. This is a malware that's focused on attacking credit card processing, point of sale systems. And this has been around since 2013, and the earlier variants of this malware were using web, HTTP, to send out the stolen credit card info. That was getting stopped. So these clever malware authors said, we're gonna switch to DNS because no one's stopping, looking at DNS. So that's, you know, so that's what they did. And then, so they can steal your credit card number, make a query to say, what is, you know, joshkuo.1.my-credit-card-number.attacker.com. And that's it, it goes out. We don't need to worry, you know, there's no coming back, because as soon as that DNS query hits the attacker's DNS server, they're gonna be like, thank you, I've got Josh's credit card number. I don't need to send a response.
Brian Chee (00:55:53):
Scary stuff. So what kinds of things can we do now? You know, as an IT administrator and then also as a home user, are there things that we can do to make it harder for them to steal our stuff?
Speaker 5 (00:56:14):
So yes and no. <Laugh> So the encrypted DNS piece is a little trickier. That's not as strictly good or bad, but there's a lot of DNS filtering capabilities out there. There's some commercial products and there's open source ones like Pi-hole. So if you're, you know, obviously I think most of the listeners are very technical, you can get a Raspberry Pi, install Pi-hole, and it would download basically a list of bad domains. And when you query the DNS server, Hey, take me to stealmycreditcard.com, it just says, Nope, sorry, the name doesn't exist. So this is obviously the home version, and many vendors have commercial variants, and even better, more advanced vendors may have AI and ML powered machine learning engines that look at the pattern going on and go, Hey, that looks like a credit card, stop. But that, I, I'm not aware of any open source projects that can do that. I mean, if you wanna roll your own, you could maybe send that to a log server, look for the pattern and then tell the DNS server stop. So it's theoretically possible.
Brian Chee (00:57:38):
Well, I'll tell you one of the things I'm really looking forward to is, I, I can't say anything, you know, it's not yet. That's why Josh and I are kind of dancing around on certain things. Let's just say there's going to be something available someday soon that will hopefully help you learn the tools on how to secure or better secure DNS, maybe reduce the attack surface to make the bad guys work a lot harder, which I think sounds like a great idea. But in the meantime, I think what we need to do is we need to go and get Josh to go and tell the viewers where they can go to get more information about this type of thing, you know, about DNS security, and maybe read a little bit of the work he's been doing for Infoblox. So Mr. Josh, where can they go?
Speaker 5 (00:58:37):
Okay, so infoblox.com. That's my employer. And I don't remember the link off the top of my head. You can search for DNS Security for Dummies. That is a short, short book that I had published a a few years ago that covers high level. Also from our website, you can look under, I think, services and look for education services. We have a lot of free resources cuz I think Cheebert also talked about education is, I agree, very, very important. So there's a lot of free educational resources that you can get and view. And, and then learn about what's happening, same things like DoQ or encrypted DNS or things like that.
Louis Maresca (00:59:34):
Thanks, Josh. Well, we really appreciate you being here. Thanks for being on the show.
Speaker 5 (00:59:39):
Thank you. It's a pleasure.
Louis Maresca (00:59:41):
Well folks, you've done it today. Again, you've sat through another hour of the best enterprise and IT podcast in the universe. So definitely tune your podcaster to TWiET. I wanna thank everyone who makes this show possible, especially to my co-hosts, starting with the very own Mr. Curtis Franklin. Curtis, you have a lot of busy stuff coming up very soon. Where can people find you and all your work?
Curtis Franklin (01:00:03):
Well, if they want to keep up with me while I'm off doing the conference scene, they can follow me on Twitter at KG4GWA. Keep up with me on LinkedIn. Subscribe to me there because I am gonna be publishing two or three pieces there next week. You can look for me over at Dark Reading. That's darkreading.com/omdia. And I'm going to have, I've gotten a little behind, but I've got a bunch of new videos that will be going up on my YouTube channel very soon. So just look for me on on the interwebs and I'll be there, gonna be trying to talk a lot this coming week because there's gonna be a ton to talk about, and look forward to being back on TWiET in a couple of weeks to share some of the things that I discovered out in the desert.
Louis Maresca (01:01:01):
I'm looking forward to it. Thank you, Curtis. Great to have you here. Well, we also have to thank our very own Mr. Brian Chee. Cheebert, what's going on for you in the coming weeks and where can people find you?
Brian Chee (01:01:11):
First I gotta say I am so proud of my ex-students. My goodness. Thanks Josh. <Laugh> Does my heart good, but you're also welcome to hear me brag about my students on Twitter. I'm ADVNETLAB, that's advanced net lab. That's actually the name of the lab where Josh, Josh and I first met, the Advanced Network Computing Laboratory at the University of Hawaii. The whole idea was to try and get the students exposed to some of the leading edge and bleeding edge technology to balance out the ivory tower experience, give them some practical experience. Josh is actually one of many students that have gone with me to help build the world's largest mobile network. Well, world's largest temporary network is what it ended up as, and that's the InteropNet. It's lots of fun. You know, it was a great learning experience for all of us.
Brian Chee (01:02:10):
You're also welcome, if you wanna throw us show ideas and so forth or ask questions, feel free. I am cheebert, spelled C-H-E-E-B-E-R-T, at twit.tv. Or you can also send email to twit@twit.tv and that'll hit all the all the hosts. Now I will say, because it came up in the pre-show, Josh was one of the group. He wasn't the person, but he was one of the group that actually named me Cheebert. We had a Dilbert naming theme for all the servers in the lab. And Mike Canata, who now I believe still works for SP, decided I needed to be Cheebert. So there you are, another piece of trivia for you to play.
Louis Maresca (01:02:58):
<Laugh> Thanks, Cheebert. Well, folks, we also have to thank you as well. You're the person who drops in each and every week to watch and to listen to our show, to get your enterprise goodness. I wanna make it easy for you to watch and listen and catch up on your enterprise and IT news. So go to our show page right now, twit.tv/twiet. There you'll find all of our amazing back episodes, the show notes, co-host information, guest information, of course the links of the stories that we do during the show, but more importantly, next to those videos there, you get those helpful subscribe and download links. Support the show by getting your audio version, video version of your choice and listen on any one of your devices or one of your podcast applications, cuz we're on all of them. So definitely subscribe and support the show, but you can also support us by joining Club TWiT as well.
Louis Maresca (01:03:42):
That's right. Club TWiT is a members only ad free podcast service for a bonus TWiT Plus feed that you can't get anywhere else. And it's only $7 a month. That's right. There are lots of great things about Club TWiT. And one of 'em is the exclusive access to a members only Discord channel, or actually Discord server, lots of channels on there. You can chat with hosts, producers, separate discussion channels. Plus of course they also have some amazing special events on there, some that are really super interesting. So definitely check that out. Lots of discussions, lots of channels, definitely join Club TWiT. Be part of the movement, go to twit.tv/clubtwit. And Club TWiT now also offers corporate group plans as well. It's a great way to give your team access to our ad free tech podcasts. That plan starts at five members at a discount rate of just $6 each per month.
Louis Maresca (01:04:30):
And you can add as many seats as you like, and it's a really great way for your, whether it's your IT department, your developers, your tech teams, your sales teams, to stay on top of and also get access to all of our podcasts. And just like regular memberships, they can join the TWiT Discord server as well, and also get that TWiT Plus bonus feed. So definitely join it, twit.tv/clubtwit. Now, after you subscribe, impress your family members, your coworkers, your friends with the gift of TWiET, cuz we, we talk a lot about some fun tech topics on this show and I guarantee that you will find it fun and interesting as well. So definitely share it with them and get them on and get them subscribed as well. And if you've already subscribed and you're available on Fridays, 1:30 PM Pacific, we do this show live, that's right, live right now.
Louis Maresca (01:05:16):
live.twit.tv is a website that has all of our streams on there. You can watch it live, watch how the pizza's made behind the scenes, all the banter that we do before, during and after the show. So definitely check out the live stream. If you're gonna watch the live stream, definitely check out our famous IRC channel as well. It's irc.twit.tv. Lots of amazing characters in there. We get some great show titles, some great topics for the show, questions, some great banter. So thank you guys for being there each and every week and really making our show great because of it. So thank you, and definitely join that, that, that IRC channel, irc.twit.tv. Now definitely hit me up at twitter.com/lumm. There I post all my enterprise tidbits. I get direct messages for show ideas. I, I love that, some, we we've just been talking about some tech topics behind the scenes.
Louis Maresca (01:06:03):
You can also hit me up at linkedin.com as well. I have some great conversations with with people like you about show topics, about technology, about software. I even talk to some people about Access, cause I am the engineering manager of Access. So definitely hit me up there and, and talk more about that. Of course, if you wanna find out what I do during my normal work week at Microsoft, please check out developers.microsoft.com/office. There we post all the latest and greatest ways for you to customize your Office experience and make it more productive for you and your organization. So definitely check it out. Lots of fun stuff on there. Lots of fun projects and, and different technologies for you to do that. I wanna thank everyone who makes this show possible, especially Leo and Lisa. They continue to support This Week in Enterprise Tech each and every week, and we couldn't do the show without them.
Louis Maresca (01:06:51):
So thank you for all their support over the years. Of course, I wanna thank all the engineers and staff at TWiT as well. And of course thank you to Mr. Brian Chee one more time. He's not only our co-host, but he's also our tireless producer as well. He does all the show bookings and the plannings for the show, and we really couldn't do the show without him. So thank you, Cheebert, for all your support over the years. Now, of course, before we sign out, we have to thank our editor for today, Mr. Anthony. He's gonna make us look good behind the scenes. He's gonna cut out all, all of our gibberish and all of our mistakes. Thank you, Anthony, for all that. And of course we also have to thank our TD for today. That's right, Mr. Ant Pruitt. He's the talented Mr. Ant Pruitt. He does a fabulous show, amazing show called Hands-On Photography. Ant, what's going on this week on Hands-On Photography?
Speaker 7 (01:07:34):
Yes, sir. We talked about Instagram because, you know, how do they just love photographers, but they actually have some updates going out for their live producers. So if you wanna do Instagram Live, but yeah, I just wanted to get everybody's thoughts on that. I think it's gonna be okay and something that we could all play with. And also I'm gonna give a shout out to Mr. John Ashley, who's editing the show today. <Laugh>
Louis Maresca (01:07:58):
Thank you and appreciate that. And of course I appreciate all the support. Well folks, I'm Louis Maresca, just reminding you, if you wanna know what's going on in the enterprise, just keep quiet.
Speaker 8 (01:08:11):
If you are looking for a midweek update on the week's tech news, I gotta tell you, you gotta check out Tech News Weekly. See, it's all kind of built in there with the title. You get to learn about the news in tech that matters every Thursday. Jason Howell and I talk to the people making and breaking the tech news, get their insights and their interesting stories. It's a great show to check out, twit.tv/tnw.