
Homeland Security US-Cert e-mail on Network infrastructure

A few days ago Homeland Security published an e-mail on threats to network devices and securing them. Rather than cut and paste, I exported the e-mail to a PDF. Some good best practices in here.

TA16250A The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations


CALEA and the ISP

The Communications Assistance for Law Enforcement Act (CALEA), passed in 1994, is a piece of legislation every U.S. ISP should know about and be in compliance with, if only for the simple fact that the government can levy heavy fines if you aren’t compliant.

For those of you wanting some background please follow these links:
https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

https://www.fcc.gov/public-safety-and-homeland-security/policy-and-licensing-division/general/communications-assistance

First of all, CALEA isn’t simply sticking Wireshark onto your network and sending a packet dump to a law enforcement agency. It is much more complicated than that. The CALEA standard addresses several things.

1. The ability to send multiple streams, in real time, to different law enforcement agencies.
2. The ability to not interrupt the connection to a person of interest. In other words, you don’t want to interrupt their connection to insert a piece of hardware.
3. The ability to provide just the information on the warrant. Too much information can actually violate the court order.
4. There is a difference between a typical “request for information” warrant and a CALEA request. These are not the same. CALEA almost always comes from a federal agency. They are expecting you to be compliant with CALEA.

Now, here is where things get a little subjective. The FBI has https://askcalea.fbi.gov/, which is linked from the above fcc.gov web-site. The askcalea web-site has not been updated since 2011. The service provider login and service provider registration simply do not work. The information about CALEA is pretty outdated.

So what does this mean for you as a small ISP? Stay tuned for more information.


SHA-1 Certificates EOL

The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005 — 9 years ago. Collision attacks against SHA-1 are too affordable for us to consider it safe for the public web PKI. We can only expect that attacks will get cheaper.

That’s why Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.

https://googleonlinesecurity.blogspot.ro/2015/12/an-update-on-sha-1-certificates-in.html
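To audit your own sites against the rule described above, here is an added example (not code from the original post or from Chrome) that reads `openssl x509 -noout -text` dumps for a chain, leaf first, and lists the SHA-1-signed certificates when the leaf is valid past 1 January 2017. The function names and sample chain are constructed for illustration; skipping the self-signed root and counting a leaf that expires exactly on the cutoff are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Cutoff date quoted in the post above.
CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)

def parse_cert(text):
    """Extract the relevant fields from one `openssl x509 -noout -text` dump."""
    def field(pattern):
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return " ".join(m.group(1).split())  # collapse openssl's padding
    expires = datetime.strptime(field(r"Not After\s*:\s*(.+?)\s+GMT"),
                                "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return {"subject": field(r"Subject:\s*(.+)"),
            "issuer": field(r"Issuer:\s*(.+)"),
            "sig_alg": field(r"Signature Algorithm:\s*(\S+)"),
            "expires": expires}

def sha1_findings(chain_texts):
    """chain_texts: text dumps, leaf first. Returns the subjects of SHA-1-signed
    certificates if the leaf is valid past CUTOFF, else an empty list."""
    certs = [parse_cert(t) for t in chain_texts]
    # Assumption: a leaf expiring exactly on the cutoff counts as "valid past" it.
    if certs[0]["expires"] < CUTOFF:
        return []
    # Assumption: a self-signed root is trusted by identity, not signature; skip it.
    return [c["subject"] for c in certs
            if "sha1" in c["sig_alg"].lower() and c["issuer"] != c["subject"]]

def dump(subject, issuer, sig_alg, not_after):
    """Build a constructed sample in the layout `openssl x509 -text` prints."""
    return (f"Certificate:\n    Data:\n        Signature Algorithm: {sig_alg}\n"
            f"        Issuer: {issuer}\n        Validity\n"
            f"            Not Before: Jan  1 00:00:00 2015 GMT\n"
            f"            Not After : {not_after} GMT\n"
            f"        Subject: {subject}\n")

# Constructed sample chain (not real certificates): SHA-256 leaf, SHA-1 intermediate.
SAMPLE_CHAIN = [
    dump("CN=www.example.test", "CN=Example Issuing CA",
         "sha256WithRSAEncryption", "Jun 30 12:00:00 2017"),
    dump("CN=Example Issuing CA", "CN=Example Root CA",
         "sha1WithRSAEncryption", "Dec 31 23:59:59 2020"),
    dump("CN=Example Root CA", "CN=Example Root CA",
         "sha1WithRSAEncryption", "Dec 31 23:59:59 2030"),
]

if __name__ == "__main__":
    print(sha1_findings(SAMPLE_CHAIN))
```

A SHA-256 leaf does not clear the chain: the sample is reported because of its SHA-1 intermediate, which is the case most often missed when only the server certificate is reissued.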