Security: MPLSoUDP dropped at the GCP firewall

I have a GCP VM instance that sends MPLSoUDP packets through a VPN gateway to my local network.

The packets are much smaller than the MTU.

Other UDP/TCP (mping) traffic works fine.

The packets do not get across the VPN network firewall.

My firewall rules between the VPN subnet and the local subnet allow all protocols, inbound and outbound.

Any ideas?

An MPLSoUDP packet has a plain outer UDP header, with MPLS on top.

Packet example below, from tcpdump as it left the GCP instance.

Thank you,

Simon

Frame 1: 106 bytes on wire (848 bits), 106 bytes captured (848 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep 14, 2019 11:14:01.739649000 BST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1568456041.739649000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 106 bytes (848 bits)
    Capture Length: 106 bytes (848 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:mpls:ip:udp:dns]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: 42:01:0a:49:64:0c (42:01:0a:49:64:0c), Dst: 42:01:0a:49:64:01 (42:01:0a:49:64:01)
    Destination: 42:01:0a:49:64:01 (42:01:0a:49:64:01)
        Address: 42:01:0a:49:64:01 (42:01:0a:49:64:01)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 42:01:0a:49:64:0c (42:01:0a:49:64:0c)
        Address: 42:01:0a:49:64:0c (42:01:0a:49:64:0c)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.73.100.12, Dst: 172.30.188.19
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 92
    Identification: 0x46b0 (18096)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x5d5a [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.73.100.12
    Destination: 172.30.188.19
User Datagram Protocol, Src Port: 56875, Dst Port: 6635
    Source Port: 56875
    Destination Port: 6635
    Length: 72
    Checksum: [missing]
    [Checksum Status: Not present]
    [Stream index: 0]
    [Timestamps]
        [Time since first frame: 0.000000000 seconds]
        [Time since previous frame: 0.000000000 seconds]
MultiProtocol Label Switching Header, Label: 57, Exp: 0, S: 1, TTL: 63
    0000 0000 0000 0011 1001 .... .... .... = MPLS Label: 57
    .... .... .... .... .... 000. .... .... = MPLS Experimental Bits: 0
    .... .... .... .... .... ...1 .... .... = MPLS Bottom Of Label Stack: 1
    .... .... .... .... .... .... 0011 1111 = MPLS TTL: 63
Internet Protocol Version 4, Src: 10.47.255.242, Dst: 10.96.0.10
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 60
    Identification: 0x46b0 (18096)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 63
    Protocol: UDP (17)
    Header checksum: 0xe075 [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.47.255.242
    Destination: 10.96.0.10
User Datagram Protocol, Src Port: 41130, Dst Port: 53
    Source Port: 41130
    Destination Port: 53
    Length: 40
    Checksum: 0x14c5 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 1]
    [Timestamps]
        [Time since first frame: 0.000000000 seconds]
        [Time since previous frame: 0.000000000 seconds]
Domain Name System (query)
    Transaction ID: 0xeeef
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        database-svc-1: type A, class IN
            Name: database-svc-1
            [Name Length: 14]
            [Label Count: 1]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
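To see what the VPN firewall actually has to classify, here is an added example (not from the question) that constructs a frame with the exact header values of the dissection above and walks it: from the outside it is an ordinary IPv4/UDP datagram to port 6635, so a rule that passes UDP should admit it, and the MPLS label and the inner DNS query are only visible to a device that decapsulates. Checksum values are copied from the dissection rather than computed; the function names are this example's own.

```python
import socket
import struct

MPLS_IN_UDP_PORT = 6635  # UDP destination port for MPLS-in-UDP (RFC 7510), as in the capture

def ipv4_header(ident, flags, ttl, src, dst, payload_len, csum):  # 20-byte IPv4 header, proto 17
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags, ttl, 17,
                       csum, socket.inet_aton(src), socket.inet_aton(dst))

def build_sample_frame():
    # Constructed 106-byte frame matching the dissection above; checksums copied, not computed
    dns = struct.pack("!HHHHHH", 0xEEEF, 0x0100, 1, 0, 0, 0)        # standard query, RD set
    dns += b"\x0edatabase-svc-1\x00" + struct.pack("!HH", 1, 1)     # database-svc-1 A IN
    inner_udp = struct.pack("!HHHH", 41130, 53, 8 + len(dns), 0x14C5) + dns
    inner = ipv4_header(0x46B0, 0x4000, 63, "10.47.255.242", "10.96.0.10", len(inner_udp), 0xE075)
    mpls = struct.pack("!I", (57 << 12) | (0 << 9) | (1 << 8) | 63)  # label 57, EXP 0, S=1, TTL 63
    payload = mpls + inner + inner_udp
    outer_udp = struct.pack("!HHHH", 56875, MPLS_IN_UDP_PORT, 8 + len(payload), 0) + payload
    outer = ipv4_header(0x46B0, 0, 64, "10.73.100.12", "172.30.188.19", len(outer_udp), 0x5D5A)
    eth = bytes.fromhex("42010a496401") + bytes.fromhex("42010a49640c") + b"\x08\x00"
    return eth + outer + outer_udp

def parse_ipv4(buf):
    hdr = {"src": socket.inet_ntoa(buf[12:16]), "dst": socket.inet_ntoa(buf[16:20]), "ttl": buf[8], "proto": buf[9]}
    return hdr, buf[(buf[0] & 0x0F) * 4:]

def parse_udp(buf):
    sport, dport, length, _ = struct.unpack("!HHHH", buf[:8])
    return {"sport": sport, "dport": dport, "len": length}, buf[8:length]

def parse_mplsoudp(frame):
    """Walk outer IP/UDP (what the firewall sees), the MPLS label stack, then inner IP/UDP/DNS."""
    outer_ip, rest = parse_ipv4(frame[14:])                          # skip the Ethernet header
    outer_udp, rest = parse_udp(rest)
    if outer_ip["proto"] != 17 or outer_udp["dport"] != MPLS_IN_UDP_PORT:
        raise ValueError("outer header is not MPLS-in-UDP")
    labels, bottom = [], 0                                          # (label, exp, S, ttl) entries
    while not bottom:
        word = struct.unpack("!I", rest[:4])[0]
        bottom = (word >> 8) & 1
        labels.append((word >> 12, (word >> 9) & 7, bottom, word & 0xFF))
        rest = rest[4:]
    inner_ip, rest = parse_ipv4(rest)
    inner_udp, rest = parse_udp(rest)
    qname, i = [], 12                                               # question name after DNS header
    while rest[i]:
        qname.append(rest[i + 1:i + 1 + rest[i]].decode())
        i += 1 + rest[i]
    return {"outer_ip": outer_ip, "outer_udp": outer_udp, "labels": labels,
            "inner_ip": inner_ip, "inner_udp": inner_udp, "qname": ".".join(qname)}
```

Running the parser over frames captured on each side of the VPN firewall shows whether the drop happens before or after decapsulation, which is the first thing to establish when a plain UDP/6635 flow disappears.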

enterprise sharepoint: list the users in an AD security group on the SP server

You can use the following commands:
Replace the asterisk (*) with the security group name.

Show on screen:

  Get-ADGroupMember -identity "*" | Select Name

Export to CSV:

  Get-ADGroupMember -identity "*" | Select Name | Export-CSV -Path C:\Windows\Temp\SecurityGroups.csv -NoTypeInformation

Link source: http://itnutt.com/powershell-list-members-of-ad-security-group/

Security: How to detect that an internal hard drive has been removed, and which files were copied?

Encrypt the entire hard drive; then the copied data is useless.

But if someone malicious has unrestricted access to your hardware, you have lost the security game anyway. They can install all kinds of spyware or even hardware bugs. Then encryption will not help you either. See Evil Maid Attack.

Securing your hardware is the first and most basic security layer. If you can't do that, everything else is pointless.

web application: is this a security flaw in LinkedIn or known behavior?

LinkedIn has a sub-site called LinkedIn Learning. As everyone knows, LinkedIn is regarded as our online CV. On September 9 I took a LinkedIn skills assessment for a course.

[screenshot]

Upon passing, LinkedIn offered me some courses, which you can see in the image above, for free for 24 hours only.

This is where I saw strange behavior: I went to LinkedIn Learning and looked at other courses, and there was no option to watch them for free for 24 hours. That is to say, only the courses suggested by them can be watched for free for 24 hours.

[screenshot]

I monitored the traffic to find out how the suggested courses are unlocked for free for 24 hours and the others are not. After spending some time monitoring the traffic, I found a request like this:

https://www.linkedin.com/feed/update/urn:li:lyndaCourse:/?updateEntityUrn=urn%3Ali%3Afs_feedUpdate%3A(V2%26VOYAGER_SINGLE_UPDATE%2Curn%3Ali%3AlyndaCourse%3A379656)

I saw a strange parameter in the URL like this: => lyndaCourse:

So I thought, why not replace the free course's ID with the locked course's ID to view that course.

Fortunately, I could get the ID of the locked course by viewing the page source and searching for the parameter name.

[screenshot]

When the request is made with the unlocked course's ID replaced by the locked course's ID, it is unlocked for 24 hours.

[screenshot]

My first thought was that this must be an Insecure Direct Object Reference vulnerability, because there is literally no option to unlock the paid course for free.

Now, another strange behavior showed up when parsing the HTML source.

All the videos were actually media, that is, simply embedded with video tags, which lets you download the videos with a right click.

I reported it to them directly with screenshots and proof-of-concept videos, and got this answer.

[screenshot]

So I thought they were taking this issue lightly, and I published it in a LinkedIn post and tagged them.

You can see that I demonstrated it again with a proof-of-concept video in the post. Here is the link to the post, which I also tweeted, tagging them, on the advice of other security researchers to inform them.

https://www.linkedin.com/posts/visweswaran-nagasivam-975a8b167_kirstybonner-bug-jobs-activity-6577243206126268416-6L-X

Again I emailed them with the link to the post and got this answer.

[screenshot]

For a moment I thought it was not a bug but a known feature, but other security researchers say it is a bug. To demonstrate my point, I also wrote an automated program that exploits this bug and downloads in bulk, for free, all the paid courses that would otherwise require a monthly subscription. Below is a reference image of the program.

[screenshot]

And yet they claim it is not a bug. So my question is: is this a bug, or some known feature or expected behavior?

If every course can be downloaded for free, what is the need to pay? If it is a bug, let me know how I can explain it to them better.
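The two behaviors the post describes, an unlock endpoint that trusts a client-supplied course ID and media embedded as plain downloadable video tags, have standard server-side fixes. The following is an added example written for this page (not LinkedIn's code): the vulnerable unlock pattern beside an authorization check against the server's own offer record, plus short-lived HMAC-signed media URLs issued only while a course is actually unlocked. The class, function names, URL scheme and key are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

UNLOCK_SECONDS = 24 * 3600   # the 24-hour free window the question describes

class User:
    def __init__(self, name):
        self.name = name
        self.offered = {}    # course_id -> time the server offered it (after a passed assessment)
        self.unlocked = {}   # course_id -> expiry time of the free access

def grant_offer(user, course_id, now):
    """Server-side record of the offer: the only source of truth for what may be unlocked."""
    user.offered[course_id] = now

def unlock_vulnerable(user, course_id, now):
    # The pattern the question describes: the id in the request is trusted, so swapping in a
    # locked course's id (a classic IDOR) unlocks that course as well.
    user.unlocked[course_id] = now + UNLOCK_SECONDS
    return True

def unlock_hardened(user, course_id, now):
    # Authorize against the server's own offer record rather than the client-supplied id.
    offered_at = user.offered.get(course_id)
    if offered_at is None or now - offered_at > UNLOCK_SECONDS:
        return False
    user.unlocked[course_id] = now + UNLOCK_SECONDS
    return True

def can_view(user, course_id, now):
    return user.unlocked.get(course_id, 0) > now

def _sig(key, name, course_id, expires):
    return hmac.new(key, f"{name}|{course_id}|{expires}".encode(), hashlib.sha256).hexdigest()

def sign_media_url(key, user, course_id, now, ttl=600):
    """Instead of a bare <video src>, issue a short-lived URL bound to user and course, and only
    while the course is actually unlocked for that user (URL scheme is an assumption)."""
    if not can_view(user, course_id, now):
        return None
    expires = now + ttl
    return f"/media/{course_id}?u={user.name}&exp={expires}&sig={_sig(key, user.name, course_id, expires)}"

def verify_media_url(key, url, now):
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    course_id = parts.path.rsplit("/", 1)[-1]           # tampering with the path breaks the MAC
    expected = _sig(key, q["u"], course_id, q["exp"])
    return now < int(q["exp"]) and hmac.compare_digest(expected, q["sig"])
```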

budget: security risk of using a budgeting application connected to bank accounts

I have been tracking my budget the old-fashioned way for some years, using Excel spreadsheets that hold my current-account ledger and monthly expenses broken down by category. But I have noticed that more people have moved to applications to track their budget, and some of these also connect to their bank accounts, which seems crazy to me. Isn't this a big security risk? (It was suggested that I ask this question here, over on Personal Finance & Money SE.)

security – fix-permissions.sh for Drupal 8

With Drupal 7, when I upload a project from local to the server, I generally run the fix-permissions shell script to change the owner and permissions of folders/files.

It is provided at:
https://www.drupal.org/node/244924#script-based-on-guidelines-given-above

This script may not work with Drupal 8; I had some problems running it.

Is there something similar for Drupal 8?

tls – TLS_RSA_WITH_AES_256_CBC_SHA256 – Information Security Stack Exchange

The server certificate's public key is RSA (2048 bits).

  1. I understand that the RSA algorithm is used here for key exchange as well as for authentication.

    • The only information I have is the length of the certificate's public key.

Does the certificate having a 2048-bit RSA public key mean that the RSA key length for key exchange and authentication is 2048 bits?

Cryptography is new to me, and I appreciate any help! Trying to understand the basics here 🙂

Security: What are the warning signs that a 51% attack is occurring or is about to occur?

I understand that this depends largely on the method of attack. The two most likely scenarios I can see would be:

Scenario 1] New mining rigs that add more than 50% of the online hashing power come online to start a 51% attack.
This seems unlikely given how difficult and expensive it would be to buy the necessary equipment and hide it successfully.

or

Scenario 2] Existing mining pools that together hold > 50% of the hash power begin an attack.
This could be the result of state coercion, criminal intent, or hacking of mining pools.

Does anyone have any idea what the observable warning signs of these attacks would be? For example, scenario 2 could be preceded by a sharp (> 50%) drop in the Bitcoin network's hash rate. This would imply that half of the mining network has begun mining blocks on a parallel chain.
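The scenario-2 warning sign proposed above can be monitored from public chain data alone. As an added example (not from the question), the code below estimates the hash rate from block timestamps and difficulty, using the usual approximation of difficulty × 2^32 expected hashes per block, and flags a window whose estimate fell more than 50% below the preceding window. The block data is constructed for the example: 24 blocks at the 600-second target, then blocks every 1700 seconds as if roughly 65% of the hash rate had left this chain.

```python
def constructed_blocks():
    """Constructed (height, timestamp, difficulty) tuples: 24 blocks at the 600 s target, then
    the rest arriving every 1700 s, as if ~65% of the hash rate left this chain."""
    blocks, t, difficulty = [], 0, 1.2e13
    for height in range(48):
        if height > 0:
            t += 600 if height <= 23 else 1700
        blocks.append((height, t, difficulty))
    return blocks

def estimate_hashrate(blocks, end, window):
    """Hashes/s implied by the `window` blocks ending at index `end`: each block represents
    about difficulty * 2^32 hashes of expected work, spread over the observed time span."""
    span = blocks[end][1] - blocks[end - window][1]
    work = sum(difficulty * 2 ** 32 for _, _, difficulty in blocks[end - window + 1:end + 1])
    return work / span

def hashrate_drop_alerts(blocks, window=12, drop=0.5):
    """Return (height, fraction_lost) for each height where the windowed estimate fell by more
    than `drop` relative to the preceding non-overlapping window."""
    alerts = []
    for end in range(2 * window, len(blocks)):
        now = estimate_hashrate(blocks, end, window)
        before = estimate_hashrate(blocks, end - window, window)
        if now < (1 - drop) * before:
            alerts.append((blocks[end][0], round(1 - now / before, 3)))
    return alerts
```

Short windows react quickly but are noisy, since block intervals are exponentially distributed; a real monitor would combine this with difficulty adjustments and a longer baseline before treating a drop as evidence of a parallel chain.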

exploit: is it possible to run a jailbroken iPhone simulator to research iOS security?

I have read the series on iOS exploits from Google Project Zero:

https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html

I want to try to replicate part of their work. However, I do not own jailbroken iPhones running the respective iOS versions.

So, is it possible to run jailbroken iPhone simulators to replicate and investigate iOS exploits?

If not, what are my options?

audit – Security requirements for an R&D team

I have an R&D team that was created recently. I have been asked to help with the cyber security requirements for the department. They require access to anything and everything available on the Internet, and will also require access to non-O365 mail sites. Any clue as to what the different aspects are that I must make sure are available in my infrastructure to make this safe?
For example:
Endpoints: I must implement DLP to prevent the team from sharing confidential documents.
Antivirus (but will it be enough for zero-day attacks?)

Network point of view: I must segregate the team from the rest of the organization in order to customize policies specifically for this team ...

Am I heading in the right direction? What else should I take care of?