
TCP STEALTH, additional security for the internet




Internet-Draft TCP Stealth January 2015.


Since the complete integrity of the internet infrastructure cannot be assumed, it follows that adversaries may be able to observe all traffic of an Internet host and perform man-in-the-middle attacks on traffic originating from specific clients. Furthermore, on the server side, an adversary looking for exploitable systems should be expected to have the ability to perform extensive port scans for TCP servers. To help address this problem, we propose to standardize TCP Stealth, a stealthy port-knocking variant where an authenticator is embedded in the TCP SQN number.



TCP Stealth enables authorized clients to perform a standard TCP handshake with the server, while obscuring the existence of the server from port scanners. The basic idea is to transmit an authorization token derived from a shared secret instead of a random value for the initial TCP SQN number in the TCP SYN packet. The token demonstrates to the server that the client is authorized and may furthermore protect the integrity of the beginning of the TCP payload to prevent man-in-the-middle attacks. If the token is incorrect, the operating system pretends that the port is closed. Thus, the TCP server is hidden from port scanners and the TCP traffic has no anomalies compared to a normal TCP handshake.



The TCP MD5 Signature Option defined in RFC 2385 defines a similar mechanism, except that RFC 2385 does not work in the presence of NATs (RFC 1631) and visibly changes the TCP wire protocol, and can thus be easily detected. While TCP Stealth does not change the TCP wire protocol, the specific method for calculating the authorization token must be consistent across Internet hosts and their TCP/IP implementations to ensure interoperability. By embedding the port knocking logic into the TCP/IP implementation of an operating system, we minimize the possibility of detecting hidden services via timing attacks, and avoid the pitfalls of applications trying to re-implement TCP in user-space. Implementors MUST make sure that the response to a connection request with wrong ISN value does not differ in any way from the response to a connection request to a closed port. Read further:
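To make the mechanism concrete, here is an added Python sketch of the idea in user-space terms. It is not code from the draft or from Omerta, and it does not reproduce the draft's exact token layout: the shared secret, the destination-address-plus-port-plus-time-slot hash input, the 60-second slot and the 16/16 split in the integrity variant are all assumptions chosen for the illustration. The client derives its ISN from the secret instead of picking a random value; the server recomputes the token at SYN time and, in the integrity variant, later checks the low 16 bits against the first payload bytes. Both rejection paths return the same closed-port response.

```python
import hashlib
import hmac
import struct

# Constructed parameters for this example; the draft defines its own
# token layout and hash inputs, so treat these as assumptions.
SECRET = b"example-shared-secret-for-illustration"
WINDOW = 60  # seconds per time slot; bounds clock skew between the peers


def _slot(now):
    """Coarse timestamp so that client and server agree despite small skew."""
    return int(now) // WINDOW


def auth_token(secret, dst_ip, dst_port, slot, bits):
    """Top `bits` bits of an HMAC over destination and time slot.
    The client's source address is deliberately left out: a NAT rewrites it,
    and the draft's point is that the scheme still works through NATs."""
    msg = dst_ip.encode() + struct.pack("!HQ", dst_port, slot)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0] >> (32 - bits)


def payload_tag(secret, payload_prefix):
    """16-bit HMAC over the start of the payload (integrity variant)."""
    digest = hmac.new(secret, payload_prefix, hashlib.sha256).digest()
    return struct.unpack("!H", digest[:2])[0]


def client_isn(secret, dst_ip, dst_port, now, payload_prefix=None):
    """ISN the client sends in its SYN instead of a random value.
    Plain mode: all 32 bits authenticate.  Integrity mode: high 16 bits
    authenticate, low 16 bits commit to the first payload bytes."""
    slot = _slot(now)
    if payload_prefix is None:
        return auth_token(secret, dst_ip, dst_port, slot, 32)
    high = auth_token(secret, dst_ip, dst_port, slot, 16)
    return (high << 16) | payload_tag(secret, payload_prefix)


def _ct_equal(a, b):
    """Constant-time compare of two small integers, to avoid timing leaks."""
    return hmac.compare_digest(a.to_bytes(4, "big"), b.to_bytes(4, "big"))


def server_on_syn(secret, dst_ip, dst_port, isn, now, listening=True,
                  integrity=False):
    """Decide the reply to a SYN: 'SYN-ACK' or 'RST' (the closed-port reply).
    A closed port and a SYN with a wrong token take the same path and
    return the same value; in a real stack both must also match in timing
    and on the wire, or the hidden service becomes scannable again."""
    if not listening:
        return "RST"
    bits = 16 if integrity else 32
    presented = isn >> (32 - bits)
    ok = False
    for skew in (-1, 0, 1):  # always test previous, current and next slot
        expected = auth_token(secret, dst_ip, dst_port, _slot(now) + skew, bits)
        ok |= _ct_equal(presented, expected)
    return "SYN-ACK" if ok else "RST"


def server_on_first_data(secret, isn, payload_prefix):
    """Integrity variant: once the first data segment arrives, check that
    its leading bytes match the tag committed to in the ISN. A mismatch
    means the payload was altered after the handshake was authorized."""
    return _ct_equal(isn & 0xFFFF, payload_tag(secret, payload_prefix))


if __name__ == "__main__":
    now = 1_000_000
    isn = client_isn(SECRET, "198.51.100.7", 22, now)
    print(server_on_syn(SECRET, "198.51.100.7", 22, isn, now + 30))      # SYN-ACK
    print(server_on_syn(SECRET, "198.51.100.7", 22, isn ^ 1, now + 30))  # RST
```

Two properties of this construction are worth keeping in mind when reading the draft: a 32-bit token gives a scanner a 1 in 2^32 chance per SYN, but the integrity variant leaves only 16 authenticating bits, so the server side should rate-limit or otherwise watch for SYN floods against a hidden port; and the time slot is what keeps a captured SYN from being replayed later, so the acceptance window should be as small as the peers' clocks allow.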

Remo Hardeman
CEO Omerta Information Security


Omerta Information Security — Rotterdam, The Netherlands



Chinese state hackers have hacked the Dutch chipmaker ASML, various anonymous sources told Tweakers. The attackers gained access to the company's Dutch and French networks and may have stolen information about its high-technology machines for chip manufacturing.

Multiple sources, who wish to remain anonymous, confirmed to Tweakers that the attack was carried out by Chinese government hackers, although it should be noted that hacking attacks are difficult to attribute. The attack is said to have focused on the Dutch branch of the company, though according to one source the French branch was also attacked. ASML would neither confirm nor deny Tweakers' report. “We never comment on individual security issues,” said a spokesman.



It is not clear exactly when the company was targeted by the Chinese government hackers. According to one source the attack took place this year; according to another it was last year. Nor is the scale of the impact entirely clear. One account, supported by two independent sources, holds that the impact was large and that potentially sensitive documents were stolen, although that is not certain.


The hack was part of a wave of attacks on European technology companies by a group that security companies link to the Chinese government. The FBI and several Dutch and international security companies have investigated the attack. The researchers attribute it to a Chinese hacker group that had earlier penetrated business networks in the US and Europe, most likely PLA Unit 61486, a Chinese hacking unit that according to security companies has targeted technology companies for years, among them European organisations in the field of aerospace and satellite technology.


ASML makes machines for chip production. The company, based in Veldhoven, is the market leader in this field, and its customers include Samsung, Intel and TSMC. The company is a central link in sustaining Moore's law and thus the progress towards faster, more efficient and cheaper chips.


According to one source, information about the workings of EUV technology was captured in the attack. EUV technology is used in the latest generation of lithography machines. Currently, the fine features on chips are patterned by lithography using light with a wavelength of 193 nm; to make chips with even smaller features, ASML's newest machines use extreme ultraviolet light with a wavelength of 13.5 nm. The technology for building EUV machines is very valuable to ASML, and thus to the tech industry: chip manufacturers such as Samsung, GlobalFoundries and TSMC depend to a large extent on ASML for their future chip products.

Last week it was announced that the French-Dutch company Gemalto had been hacked. In that case the intruders were not Chinese government hackers: the intelligence agencies GCHQ and NSA are alleged to have stolen the encryption keys of SIM cards. Gemalto itself denies that the agencies succeeded, though critics doubt that claim.

Thanks to

Remo Hardeman

CEO Omerta Information Security

So what's up for 2015?

Omerta Information Security – Rotterdam, The Netherlands


This year we witnessed a series of high-profile security breaches, from the aftermath of the Target and Home Depot fiascos, to a number of attacks on other national retailers, including Michaels, Goodwill and Neiman Marcus. Then there was the massive breach at JP Morgan Chase, which compromised personal information of more than 83 million households and businesses, and finally over 100 terabytes of internal files and films recently stolen from Sony.

Nobody was safe in 2014. In addition to large retailers, media companies and financial institutions, technology companies like eBay and Snapchat were hacked, too, and so were government organizations and healthcare institutions. Also this year, massive Internet infrastructure vulnerabilities were discovered, including Shellshock, Heartbleed and POODLE.

Of course, these publicized events are only a fraction of the overall exposure to losses emanating from cyber incidents, which in 2014 we estimate to be well into the hundreds of billions of dollars. Hence, many firms have dramatically increased their cybersecurity budgets for 2015, and we project that these budget allocations will continue to rise.

Here are five of the most prominent cybersecurity market trends that we believe will define the sector next year:

The Rise of Automated Incident Response

Today, enterprises must not only detect and prevent potential threats; they must also be prepared to react quickly when breaches occur. Enterprises like Target are being sued by banks for failing to act on security alerts. Incident Response solutions counter the aftermath of a breach, allowing businesses to limit damages and reduce recovery time.

Intrusion Detection/Prevention Systems (“IDS/IPS”) strengthen the organization's security posture; however, highly targeted attacks do penetrate eventually. Determined hackers find their way into the network despite the various IDS/IPS systems, which generate an ever-increasing number of alerts for the security operations team to handle. The question is now only one of time: how long does it take before a breach is reacted upon and remediated?

One of the clear lessons from Target’s attack is that the traditional Incident Response process, which is mostly based on manual processes, is broken. Reducing the time from detection to remediation could dramatically minimize an attack’s damage.

That’s where Automated Incident Response solutions come in – they don’t leave alerts unhandled, and can react instantly (much faster than humans) when bad scenarios unfold. Enterprises, with their limited human resources, face escalating liabilities for failing to adequately respond to detected threats. Expect chief information security officers (“CISOs”) to turn to Automated Incident Response solutions in 2015.

Cloud Security Becomes a Shared Responsibility

Enterprise IT departments are generally behind in keeping the cloud secure, relying heavily on the security features provided by cloud vendors. Most SaaS vendors in particular do not have security as their first priority, and so they fail to provide sufficient data governance, control and compliance. In 2014, many CIOs and CISOs realized that maintaining enterprise-grade security in cloud application usage is a shared responsibility, and we expect that in 2015 they will act on that.

A new crop of startups provides deeper visibility into cloud usage, unique threat analysis and proactive enforcement of cloud application security policies. These startups enable employees to enjoy all of the cloud’s advantages securely. There are so many great cloud applications out there, and CIOs desire to be business enablers rather than blockers. That’s what makes this sector so exciting. Expect CIOs and CISOs to allocate meaningful budgets to it in 2015.

Advanced Persistent Threats Surge

In 2015, cybersecurity departments should be particularly careful about advanced persistent threats (APTs). These attacks are stealthy as they target a specific entity and secretly penetrate the network over weeks or months, waiting for the right moment to make their move and exfiltrate valuable data from the enterprise. Credit card numbers will still be valuable to hackers throughout 2015 because the deadline for retailers to upgrade to point-of-sale systems capable of processing chip-and-PIN credit cards is not until October 2015, and we foresee this deadline being extended.

To carry out APTs, custom malicious code is installed on one or more hosts to perform specific tasks while remaining undetected for as long as possible. Sometimes these attacks are financially driven; in other cases, government- or corporate-sponsored hackers are after intellectual property. In the long run, APTs can undermine the national security and economic stability of nations.

According to the Ponemon Institute, the average cost of a data breach in 2014 was .5 million, while Target optimistically projected more than 8 million in damages. Accurate detection is the necessary first step toward threat remediation. There are various methods to detect an ongoing cyber attack, and we feel that the ones that are focused on the late stages of the cyber kill chain, post-infection, will be the most interesting in the near future.

“Cloud-first” detection solutions that leverage multiple sources of threat intelligence (for example: botnet interception + log analysis + sandboxing) and are easy for enterprises to deploy will be the most successful in 2015.
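As an added example, not code from the original post, here is a small post-infection detector of the kind the last two paragraphs allude to, and it also serves the Automated Incident Response section above: it runs over constructed proxy log lines (timestamp, source host, destination, bytes returned), scores each source-destination pair for beacon-like regularity in timing and response size, and hands any confirmed beacon to a hypothetical automated-response playbook. The log format, the 5% regularity threshold, the minimum of five events and the response actions are assumptions chosen for the illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines for this example (not real traffic):
# "<ISO timestamp> <source host> <destination> <bytes returned>".
# ws-017 polls one external address every ~5 minutes with near-identical
# tiny responses (beacon-like); ws-022 browses a CDN irregularly.
SAMPLE_LOG = """\
2015-01-12T09:00:00Z ws-017 203.0.113.45 312
2015-01-12T09:00:01Z ws-017 cdn.example.net 48211
2015-01-12T09:05:02Z ws-017 203.0.113.45 310
2015-01-12T09:10:01Z ws-017 203.0.113.45 315
2015-01-12T09:15:03Z ws-017 203.0.113.45 311
2015-01-12T09:20:00Z ws-017 203.0.113.45 309
2015-01-12T09:25:02Z ws-017 203.0.113.45 313
2015-01-12T09:03:10Z ws-022 cdn.example.net 10233
2015-01-12T09:17:44Z ws-022 cdn.example.net 88120
2015-01-12T09:41:05Z ws-022 cdn.example.net 5021
2015-01-12T10:02:33Z ws-022 cdn.example.net 67540
2015-01-12T10:09:58Z ws-022 cdn.example.net 2204
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse(log):
    """Group (timestamp, bytes) events by (source, destination) pair.
    Malformed lines are skipped rather than crashing the detector."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        flows[(m.group(2), m.group(3))].append((ts, int(m.group(4))))
    return flows


def beacon_score(events, min_events=5):
    """Coefficient of variation of inter-request gaps and of response sizes.
    Values near zero mean machine-like regularity; humans and CDNs are noisy."""
    if len(events) < min_events:
        return None
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [size for _, size in events]
    return {
        "n": len(events),
        "interval_s": statistics.mean(gaps),
        "gap_cv": statistics.pstdev(gaps) / statistics.mean(gaps),
        "size_cv": statistics.pstdev(sizes) / statistics.mean(sizes),
    }


def find_beacons(log, max_cv=0.05):
    """Return one alert per flow whose timing and sizes are both regular."""
    alerts = []
    for (src, dst), events in parse(log).items():
        score = beacon_score(events)
        if score and score["gap_cv"] <= max_cv and score["size_cv"] <= max_cv:
            alerts.append({"src": src, "dst": dst, **score})
    return alerts


def respond(alert):
    """Hypothetical automated-response playbook: the actions a SOC would
    otherwise take by hand, so the alert is never left unhandled."""
    return [
        f"block egress to {alert['dst']} at the perimeter",
        f"isolate host {alert['src']} pending triage",
        f"open incident: {alert['n']} beacons, ~{alert['interval_s']:.0f}s period",
    ]


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG):
        for action in respond(alert):
            print(action)
```

In production the thresholds have to be loosened, because real command-and-control channels add jitter to their sleep interval and pad their responses; the complementary move is to whitelist known legitimate pollers (update checks, NTP, monitoring agents) by destination so that the automated response does not isolate a healthy workstation. Automating the response is only safe once the detection is this explicit about what it is keying on.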

Cybersecurity Vendors Become Frenemies

The constant formation of new cyber-threat categories results in the nonstop introduction of startups working on new solutions. Managing multiple point solutions is nontrivial for CISOs. For example, various vendors detect malware in the enterprise network, in the data center, and on employees' PCs and mobile devices. Some of these are signature-based, others use machine-learning algorithms, and some use big-data analytics. Buyers find themselves perplexed by the plethora of offerings.

Rather than manage all of these processes separately, CISOs prefer to deploy comprehensive solutions that integrate well with one another and create a synergetic security posture. This past year we noticed increasing security vendor collaboration. For example, Fortinet, McAfee, Palo Alto Networks and Symantec founded the Cyber Threat Alliance, and Check Point created an alliance with several threat intelligence vendors to merge their feeds. Increased collaboration among cybersecurity vendors is key to helping CISOs fight cybercrime more effectively, and this trend will accelerate in 2015.

Mergers & Acquisitions on the Rise

Now more than ever, most cybersecurity innovation is carried out by small teams working within startups. The large vendors are always on the lookout to acquire new products to complement their existing portfolios, fully realizing that customers seek comprehensive (rather than point) solutions.

Two of the most notable acquisitions in 2014 were FireEye's purchase of Mandiant and Palo Alto Networks' acquisition of Cyvera. Generally, this past year large security vendors acquired companies with capabilities outside their core business, with the intention of expanding their offerings and gaining competitive advantage. Thus FireEye now offers professional services powered by Mandiant, complementing its core detection products, and Palo Alto Networks has released Traps, an endpoint protection product powered by Cyvera, complementing its Next-Generation Firewall.

We project an active M&A scene in cybersecurity in 2015. Expect to see large vendors acquiring more high-tech startups to strengthen their core competencies and rapidly expand their offering.

The Venture Capitalist’s Perspective

In 2014, most mid-to-large enterprises experienced a sharp increase in cyber-attacks, both in breadth and sophistication. Awareness for potential damages is high at boards of directors and management teams of the Fortune 1000. Gartner estimates that the global cybersecurity market will grow from billion in 2013 to billion in 2017.

According to CB Insights, in 2013 venture capital firms invested an all-time record of .4 billion in 239 cybersecurity companies. During just the first six months of 2014, cybersecurity investments already totaled 4 million. We expect this upward trend to continue in 2015, as demand for innovation in this category stays high.

We are ever more enthusiastic about the cybersecurity sector. Enterprises require advanced solutions to combat ever-more-sophisticated adversaries. Incumbent security vendors need new bleeding-edge technology. The venture capital industry is eager to back the entrepreneurs that can deliver outstanding solutions in 2015 and beyond.


Remo Hardeman

CEO Omerta Information Security