Archive for the ‘latest news’ Category

Marking #20yearsofwifi

Thursday, May 23rd, 2019

During the past two decades, Wi-Fi has connected billions of people around the globe and helped improve countless lives. As the Wi-Fi Alliance notes, Wi-Fi’s inherent strengths have made the ever-evolving IEEE 802.11 one of the greatest success stories of the technology era. Indeed, according to Kevin Robinson, VP of marketing at the WiFi Alliance, Wi-Fi has contributed approximately $2 trillion to the world’s economy – with more than 13 billion Wi-Fi devices in active use worldwide. Moreover, Wi-Fi is the primary medium for global Internet traffic, as more than 80% of traffic on the average smartphone is transferred via Wi-Fi.


Wi-Fi 6 (802.11ax)

The latest iteration of the wireless standard – Wi-Fi 6 – offers up to a four-fold capacity increase over its Wi-Fi 5 (802.11ac) predecessor. As we’ve previously discussed on The Ruckus Room, the very first Wi-Fi 6 access points (APs) and client devices hit the market only recently. Nevertheless, IDC analysts see Wi-Fi 6 (802.11ax) deployments ramping significantly throughout 2019 and becoming the dominant enterprise Wi-Fi standard by 2021. Meanwhile, Christian Kim, Senior Analyst IoT, Connectivity and Telecom Electronics at IHS Markit, estimates that total Wi-Fi 6 (802.11ax) device shipments will increase to 58 million units in 2021.

Aside from offering a four-fold capacity increase over its predecessor, Wi-Fi 6 enables multiple APs deployed in dense device environments to collectively deliver required quality-of-service (QoS) to more clients with more diverse usage profiles. This is made possible by a range of technologies that optimize spectral efficiency, increase throughput and reduce power consumption. These include Multi-User Multiple Input Multiple Output (MU-MIMO)Target Wake Time (TWT)Orthogonal Frequency-Division Multiple Access (OFDMA)BSS Coloring and 1024-QAM.

The Ruckus R730 Wi-Fi 6 Access Point

In addition to implementing the above technologies, Ruckus’ R730 Wi-Fi 6 AP supports a range of supplemental technologies that go well beyond the 802.11ax standard, including:

  • Airtime decongestion — Increases average client throughput in heavily congested environments by using patent-pending techniques to reduce unnecessary management traffic.
  • Transient client management — Maintains throughput levels for priority clients in high transient-client environments such as transportation hubs by using advanced techniques to delay AP association with low-priority transient clients.
  • BeamFlex+ antennas — Improves AP coverage and capacity by continuously optimizing antenna patterns on a per-device, per-packet basis.

Embedded BLE and Zigbee

The R730 also packs embedded Bluetooth Low Energy (BLE) and Zigbee radios – and can be augmented with Ruckus IoT modules to support additional physical layer protocols such as LoRa. Using the Ruckus IoT controller, these separate networks and the IoT endpoints associated with them can be managed, coordinated and connected to IoT cloud services as part a single, converged IoT access network.

WPA3 wireless security protocol

On the security side, the R730 supports the WPA3 protocol and Wi-Fi Enhanced Open certification. Users with compatible devices will benefit from significant security enhancements, including protection against brute-force dictionary attacks through the use of a new key exchange protocol known as a simultaneous authentication of equals handshake. As well, users with compatible devices will be protected against traffic-sniffing attacks common to unauthenticated networks associated with public venues.

Additional information about Wi-Fi’s 20th anniversary can be found on the Wi-Fi Alliance page and the R730 product page.

You can visit the original blog on Ruckus’ website here.

How does ransomware work (and is it still a threat)?

Tuesday, May 14th, 2019

Threats come and go, but one thing remains the same: the ability of cybercriminals to adapt to circumstances. A brief decline of interest in ransomware as criminals focused their attention on cryptojacking during the previous year appears to have come to an end, and ransomware attacks are once again escalating.

In this post, we’ll explain what ransomware is, how it spreads, how prevalent it is and what you can do to protect yourself against it.

What is Ransomware?

As the name implies, ransomware is a kind of malware that demands some form of payment from the victim in order to recover control of their computer and/or data. Within that broad definition, there are a few twists and turns that are worth noting.

First, there are variants with regard to exactly what the victim is being held to ransom for. Typically, the attacker encrypts personal files on the victim’s computer in such a way that they cannot be opened unless the victim has a decryption key. Access to the decryption key is what the attacker wants the victim to pay for.

Encryption ransomware has been seen on the mobile platform, too, with SimpleLocker reportedly infecting over 150,000 Android devices.

In other cases, depending on the target, the attacker may threaten to publicise or leak sensitive information found on the victim’s device, giving rise to the names “leakware” and “doxware” for this kind of attack. That could be personally compromising photos or emails, but more likely in the case of targeted attacks against businesses it may be data the company wouldn’t want made public. That could be anything from client data to a movie script.

In a leakware attack seen just this past week, criminals targeted developers and threatened to make the hijacked code public or “otherwise use” the developer’s intellectual property if the victim did not pay the ransom.

Other forms of ransomware such as the infamous WinLock malware from all the way back in 2010 are a form of denial-of-service attack, only in this case the service being denied is access to the victim’s own device. Such “blocking” attacks have found a new outlet on the iOS and Android mobile platforms. On Apple devices, for example, the technique tries to leverage compromised iCloud credentials to lock users out of their devices unless they pay a ransom.

In the more common case where the ransomware has encrypted a user’s files, what happens next is some form of demand accompanied with a threat. Usually, but not always, the demand comes in the form of a ransom note that appears on the screen. This tells the victim what has happened, how much they have to pay, and how they can pay it. Ransom notes themselves can range from simple text files with multiple spelling and grammar errors to graphical layouts with icons designed to ease and encourage the steps necessary for payment:

In a recent case of targeted ransomware, rather than asking for a fixed amount, the criminals chose to vary the amount of ransom depending on their attacker’s assessment of the victim’s financial worth.

How Does Ransomware Spread?

You might wonder just where all these ransomware attacks are coming from and how they get on to victims’ machines.

Ransomware isn’t especially complicated to code. The encryption functions exist natively on both Windows and Unix-based machines like macOS and Linux. Some attackers choose to package their own encryption framework to avoid detection by AV software, but there are plenty of open source projects for attackers to choose from. What’s more, with the appearance of Ransomware-as-a-Service such as Cerber RaaS and Shifr Raas, attackers can simply buy off-the-shelf malware to distribute to victims. Reports indicate that portals for accessing these kinds of services are even breaking out of exclusive Dark Net forums to open websites that any would-be hacker can access.

Once an attacker has a ransomware project in hand, they only need to decide how to distribute it. As with other forms of malware, typical infection vectors rely on socially engineering victims into downloading an infected file either from a website or via a phishing email. Often, an MS Office attachment or a malicious PDF file is used which, upon being opened, executes hidden code that in turn downloads the malware payload. In other cases, the ransomware could be the payload delivered by a script on a maliciously-crafted website or downloaded by a fake software installer.

It’s important to note that once the victim has opened the malicious file and given authorisation, everything else happens invisibly behind the scenes. The unsuspecting victim may not know for some minutes, hours or even days that they have been infected, depending on when the malware is coded to trigger the encryption and announce its presence.

In the first ever recorded case of ransomware the program was not set to activate until the victim’s machine had been booted 90 times. Creating a delay between infection and encryption is intended to help cover the attacker’s tracks and make it harder for security researchers to find the infection vector. Criminals are usually in it for the long haul, and they don’t mind waiting for the payday if it helps ensure greater returns.

However, not all ransomware requires user interaction. The SamSam ransomware that was prevalent in 2016 targeted weak passwords on connected devices once it got a foothold on an initial device. In a recent case, a zero-day vulnerability in the popular Oracle WebLogic Server allowed attackers to send ransomware directly to computers and execute itself without any user interaction at all.

Is Ransomware On the Rise?

Yes, it is. As we noted at the beginning of this post, throughout 2018 most threat intel reports were seeing a marked drop-off in ransomware attacks as criminals made a move to cryptojacking. Both web-based and malware-based cryptominers had offered criminals a digital gold mine with virtually no risk. Unlucky for them, with the demise of CoinHive, cryptojacking has been crippled to the point of unprofitability, at least for the time being.

Cue a corresponding uptick in ransomware, with LockerGoga, Troldesh, Golang Shifr and Sad ransomware all making an impact in recent months, hitting infrastructure companies like Norsk Hydro, developers and ordinary end users alike.

Even in the latter half of last year while cryptojacking was in full swing, ransomware never really went away. New variants of Ryuk and KeyPass came to light, the latter coming with features such as manual parameter settings, suggesting that the ransomware could be dropped and tailored to a specific victim by a remote hacker.

How To Defend Against Ransomware

As we’ve seen, reports of ransomware’s untimely demise were overly exaggerated! That means users and enterprise need to be on guard to avoid being infected to start with and to have a response plan if they are.

Backups are a good first line of defense, so long as you backup regularly and rotate backups so that at least one recent backup is offline at all times. Be sure not to rely on Windows built-in Shadow copies, as deleting these is one of the first things most ransomware does.

Secondly, use a security solution that is ransomware-proof. For enterprise, the best defense against ransomware is to use an automated endpoint solution like SentinelOne that can not only block threats on execution, but can also rollback any attacks that do get through without needing to rely on backups.

For users caught out by ransomware with no way to restore or rollback, you are left with some unenviable options. If you are in luck, you may find a public decryptor that will help you to restore your files. If you are not, your choices are accept the data loss, or risk paying off the criminals. Of course, no one wants to reward crime, and there’s no guarantee that the criminals will uphold their end of the deal. In some cases of ransomware, the attackers did not even keep a copy of a decryption key and any victims who had paid up would have been both out of pocket and unable to recover their data.


Ransomware offers an easy pay-day for criminals with low chance of getting caught. It also represents one of the most devastating attacks for victims, who can potentially lose everything from personal data to the very infrastructure that their business relies on. NotPetya and WannaCry remain the two most devastating attacks we’ve seen so far, but there’s every likelihood those will be eclipsed by something worse if businesses don’t learn the lessons of automated protection sooner rather than later. If you would like to see how SentinelOne’s autonomous endpoint solution can protect your business from ransomware, contact us for a free demo.

View the original post by SentinelOne.

All Layers Are Not Created Equal

Tuesday, May 14th, 2019

By John Kindervag

How the Principles of Journalism Help Define Zero Trust Policy

Everyone knows that in order for a news article, blog post or white paper to have any credibility, a writer needs to cover the “who, what, where, when, why and how” of the topic. Without covering these things, the reader is left with a partial story. We can credit Rudyard Kipling for clearly defining these journalistic essentials for us:

I keep six honest serving-men

(They taught me all I knew);

Their names are What and Why and When

And How and Where and Who.

-Rudyard Kipling, Just So Stories, 1902

However, the usefulness of this “Kipling Method” extends far beyond journalistic best practices. For years, I have used the Kipling Method to help companies define policy and build Zero Trust networks. It ensures that security teams are thorough in their definitions and that anyone, including non-technical business executives, can understand cybersecurity policies due to the simplicity of the approach. Given that the first design principle of Zero Trust is to focus on business objectives, this method is particularly useful.

Policy at Layer 3 vs. Policy at Layer 7

In order to actually apply the Kipling Method and build a real Zero Trust architecture, you need to understand why it cannot be done with Layer 3 technologies.

First, what is the difference between Layer 3 and Layer 7? Layer 3 is the layer where information is evaluated based only on IP address, port or protocol. It is severely limited by the lack of information that can be seen. IP addresses can be spoofed. Simple port scans will uncover all the open ports so that the attacker can encapsulate stolen data and exfiltrated across the open port, and the protocol is really just a metadata tag to help the administrator understand the type of traffic that is supposed to be traversing a specific port. Most importantly, ALL adversaries know how to bypass Layer 3 controls. You need to be able to define things with higher fidelity to keep your company secure.

Layer 7 is much more specific. It is where information is evaluated based on the actual application that’s being used (for example, defining Facebook as a unique application rather than traffic running across ports 80 and 443). While at Forrester, I created a five-step methodology to a Zero Trust network. The fourth step states that you need to write policy rules for your segmentation gateway based on the expected behaviour of the data and the user or applications that interact with that data. This is what the Palo Alto Networks Next-Generation Firewall, serving as a segmentation gateway in a Zero Trust environment, allows you to do, and due to the granularity of the policy, it can only be done at Layer 7.

Applying the Kipling Method Using the Palo Alto Networks Next-Generation Firewall

Here’s how you can apply the Kipling Method when deploying the Palo Alto Networks Next-Generation Firewall, using our revolutionary User-ID, App-ID and Content-ID technologies:

User-ID becomes a WHO statement: “Who is accessing a resource?”

User-ID is a Layer 7 instantiation of the approximation given by the source IP address. For example, we can grab OUs from Active Directory to pull domain users into a custom User-ID. We can then add things like multifactor authentication (MFA) or the Host Information Profile (HIP) from our GlobalProtect client to enrich the fidelity of the “Who” statement. We can also add MFA to a User-ID and an additional attribute for more granular control.

App-ID becomes a WHAT statement: “What application is being used to access the resource?”

Palo Alto Networks currently has more than 2800 published App-IDs (visit Applipedia to see the growing list) to be used in building these rules. This means that attackers can no longer use a generic application, such as web services (HTTP/HTTPS), to bypass the security control.

Content-ID becomes a HOW statement: “How should the User-ID and App-ID traffic be allowed to access a resource?”

Content-ID includes Threat Prevention rules, our advanced intrusion prevention capability; SSL Decryption so that malicious traffic and stolen data can’t hide inside of encrypted tunnels; URL Filtering so that users don’t go to malicious or phishing domains; WildFire, our state-of-the-art sandbox technology that redefines the way malware is stopped; and our new DNS Security service, which applies predictive analytics for automated protections to thwart attacks that use DNS.

With these three technologies defining WHO, WHAT and HOW statements, a basic Kipling Method Layer 7 rule can be easily defined and then implemented using our Panorama management system. Additionally, PAN-OS has the ability to add a WHEN statement (a time delineated rule); a WHERE statement, which is the location of the resource (this can often be automatically pulled into Panorama via an API); or a WHY statement by reading metadata from a data classification tool and using that in the rule.

The Kipling method has been designed to help both business leaders and security administrators define granular, Layer 7 policies using the simple who, what, when, where, why and how methodology given to us by Rudyard Kipling. Individuals who have never considered writing firewall policy can easily understand this methodology and help define the criteria necessary to create a rule set for your segmentation gateway.

View the original post by John Kindervag, Palo Alto Networks.

Meet our New Starters

Monday, April 29th, 2019

Net-Ctrl has recently expanded and taken on three new starters to join our growing team.

In our sales and project management team, we have James and Kieran who join us, and in our technical engineering team, we have Patrick.

We’re very excited to have them join Net-Ctrl and looking forward to seeing what they can bring to our team.

Below is a short introduction about each of them.

Kieran Howard 

Job Title: Junior Sales Executive

About me: I have lived in Ipswich all my life, currently finishing my studies at Suffolk one, and then looking to join Net-Ctrl full time. I love my music and have a few favourite bands one of which is ELO. Favourite food is most likely a good burger.

What do you enjoy doing in your spare time:

  • Playing football
  • Going to the cinema
  • Playing video games on my gaming PC

Top 3 items on your bucket list:

  1. Visit the Amazon Rainforest
  2. Complete a marathon
  3. Experience zero gravity

Patrick Bell

Job Title: Junior Support Technician

About me: Irish born, Suffolk raised, 10+ years working in Customer Services, Complaint Management and Product Support.

What do you enjoy doing in your spare time:

Spare time is spent hosting, managing and administrating game servers or working the family allotment

Top 3 items on your bucket list:

  1. Learn to fly a helicopter
  2. Visit Bora Bora
  3. Build a house out of shipping containers

James Ranson

Job Title: Business Development Sales Executive

About me: I am 38 years of age and grew-up in Felixstowe/Ipswich.  After further education, and subsequent employment in the shipping industry, I spent time working from London before relocation to Liverpool with the A.P.Moller Group.  Having spent +10 years in Liverpool, I then moved to Manchester before returning to the South East of England in 2018. 

What do you enjoy doing in your spare time – I enjoy socialising, sporting events and spending time with my 2 year old daughter.

Top 3 items on your bucket list: 

  1. Go back to Egypt and see the pyramids
  2. Cage dive with great white sharks 
  3. To perform in a triathlon

Ruckus Unleashed Promotion for Primary Schools

Thursday, April 18th, 2019

Ruckus Unleashed is a cost-effective and powerful managed WiFi solution and for a short period of time, we’re running discounted pricing across the Unleashed portfolio.

Ruckus Unleashed provides you with scalability allowing up to 50 APs on the network and 1,000 concurrent clients. Ruckus requires less APs than competitive products meaning less port requirement and cheaper installation costs.

The Unleashed APs deliver Ruckus’ patented technologies including; BeamFlex+—Adaptive Antenna Technology. ChannelFly—Machine Learning Auto Channel Selection. SmartMesh—Self-Forming, Self-Healing Mesh. Zero Touch Mesh – Form mesh connections over the air.

You get all of this whilst being able to take advantage of the Unleashed controller-less architecture meaning your schools can save on the cost of a controller, whilst still getting super-fast and reliable WiFi.

Unleashed Promotion

We’re currently offering schools a special discounted rate for the newly released R320 Access Point. This is an indoor 802.11ac wave 2 2×2:2 Access Point.

For a limited time, you can get the Ruckus Unleashed R320 (RRP £314.00) for £175.00 per AP.

We have been extremely impressed with this AP. It has a concurrent client count of 256. It’s Wave 2 AC and is extremely capable to deliver great WiFi.

Net-Ctrl Approach to Delivering WiFi

Net-Ctrl will take away all the stress of the installation utilising a consultative approach. We will run a free-of-charge predictive survey so you know how many APs your site requires and where they would be located. We are able to cable and hang APs, and provide on-going engineer support for your deployment giving you peace of mind if any issues occur.

This pricing is only available for a limited period of time whilst stocks last.

If you have any questions, please submit a contact form.

Thales Completes Acquisition Of Gemalto To Become A Global Leader In Digital Identity And Security

Tuesday, April 16th, 2019
  • Thales (Euronext Paris: HO) has today completed the acquisition of Gemalto (Euronext Amsterdam and Paris: GTO), creating a global leader in digital identity and security.
  • With Gemalto, Thales will cover the entire critical decision chain in a digital world, from data generation via sensors, to real-time decision support.
  • This acquisition increases Thales’s revenues to €19 billion and self-funded R&D to €1 billion a year, with 80,000 employees in 68 countries.

Completed in 15 months, the acquisition of Gemalto by Thales for €4.8 billion creates a Group on a new scale and a global leader in digital identity and security employing 80,000 people. The larger Thales will master all the technologies underpinning the critical decision chain for companies, organisations and governments. Incorporating the talent and technologies of Gemalto, Thales will develop secure solutions to address the major challenges faced by our societies, such as unmanned air traffic management, data and network cybersecurity, airport security or financial transaction security.

This combination creates a world-class leader with an unrivalled portfolio of digital identity and security solutions based on technologies such as biometry, data protection, and, more broadly, cybersecurity. Thales will thus provide a seamless response to customers, including critical infrastructure providers such as banks, telecom operators, government agencies, utilities and other industries as they step up to the challenges of identifying people and objects and keeping data secure.

Research and development: inventing the world of tomorrow

Thales and Gemalto share a passion for the advanced technologies that serve as a common foundation and focus for their 80,000 employees. Research and development (R&D) is at the core of the new Group, with its 3,000 researchers and 28,000 engineers dedicated to R&D. Thales has been developing state-of-the-art technologies to meet the most demanding requirements of customers around the world for decades. Today the Group has become a giant laboratory inventing the world of tomorrow, with a portfolio of 20,500 patents, of which more than 400 new ones were registered in 2018.

Technological synergies

The new Thales will cover the entire critical decision chain in an increasingly interconnected and vulnerable world, with capabilities spanning software development, data processing, real-time decision support, connectivity and end-to-end network management.

With €1 billion a year devoted to self-funded R&D, the Group will continue to innovate in its key markets, drawing in particular on its world-class digital expertise in the Internet of Things, Big Data, artificial intelligence and cybersecurity.

The first illustrations are as wide as the Group’s portfolio:

  • Banking: Big Data analytics
  • Defence: biometrics
  • Aerospace: unmanned traffic management
  • Ground transportation: Internet of Things •
  • Space: Internet of Things •
  • Telecommunications: Big Data analytics

An extended global footprint

Following this acquisition, Gemalto will form one of Thales’s seven global divisions, to be named Digital Identity and Security (DIS). Gemalto will interact with all of the Group’s civil and defence customers and will significantly strengthen its industrial presence in 68 countries. Thales will considerably expand its operations in Latin America (2,500 employees, up from 600), triple its presence in Northern Asia (1,980, from 700), Southeast Asia (2,500, from 800) and India (1,150, from 400) and North America (6,660 employees, up from 4,600).

“With Gemalto, a global leader in digital identification and data protection, Thales has acquired a set of highly complementary technologies and competencies with applications in all of our five vertical markets, which are now redefined as aerospace; space; ground transportation; digital identity and security; and defence and security. These are the smart technologies that help people make the best choices at every decisive moment. The acquisition is a turning point for the Group’s 80,000 employees. Together, we are creating a giant in digital identity and security with the capabilities to compete in the big leagues worldwide.” Patrice Caine, Chairman and CEO, Thales.

About Thales

The people who make the world go round – they rely on Thales. Our customers come to us with big ambitions: to make life better, to keep us safer. Combining a unique diversity of expertise, talents and cultures, our architects design and deliver extraordinary high technology solutions. Solutions that make tomorrow possible, today. From the bottom of the oceans to the depths of space and cyberspace, we help our customers think smarter and act faster – mastering ever greater complexity at every decisive moment along the way. Thales generated revenues of €19 billion in 2018 with 80,000 employees in 68 countries.

Click here to view the Thales Group’ website.

Privacy 2019: TOR, MEEK and the rise and fall of domain fronting

Tuesday, April 16th, 2019

This post is the first in a series covering privacy, anonymity and security on the internet in recent times, with a focus on real issues affecting people in the real world. Censorship and pervasive state-sponsored surveillance is a daily reality for hundreds of millions of people around the world.

Privacy: 2019

Surveillance and censorship on the internet is a day-to-day reality in many countries. There are some well-known examples such asChinaRussia and Iran, but these countries are not the only countries employing censorship. And there are indications that it is becoming more common, especially with software solutions that enable turn-key censorship being a commodity such as Symantec BlueCoat.

Whilst surveillance is definitely more difficult to measure and estimate, and often based on whistleblowers and information leaks, censorship can be felt in many countries very directly, with some of the most common sites on the internet completely blocked off in various regions of the world. In an attempt to beat censorship, many have turned to the Tor Project.

The Tor Project

The Tor Project promotes and develops software to protect the privacy and anonymity of online users. They manage the Tor network, which allows volunteers to run a relay on their device, allowing it to transport multi-hop, encrypted and anonymized traffic of users in the network.

In order to detect and monitor censorship on the internet, Tor also runs the Open Observatory of Network Interference project. Probes are run by volunteers and attempt to access blocked websites, at some risk to those running the probes. They have no real anonymity in-front of their respective ISP or any surveillance technology possibly deployed against them. Such exposure is unavoidable as the intention is primarily to test whether normal internet user traffic and protocols, chiefly DNS, HTTP and HTTPS traffic, are blocked.

The data collected by OONI leaves no margin for speculation: censorship is real, it is widespread and it affects a great deal of people in a major way. Tor provides free plug-and-play tools such as the Tor Browser Bundle, which includes a browser with privacy extensions and optimal configurations pre-loaded. The browser is configured to attempt to leak as little information as possible (such as DNS) outside the encrypted, anonymized Tor tunnel.

The Importance of TLS & SNI

TLS, the successor to SSL, is a cryptographic protocol designed to provide integrity and privacy between applications. The most common usage of TLS is within HTTPS, which is HTTP over TLS (or SSL). With TLS, two endpoints can establish communication over the internet that prevents eavesdroppers from observing, modifying or spoofing messages between them.

TLS is also used in QUIC, a protocol originally designed by Google in 2012 and still under development, which is planned to replace HTTP/HTTPS. QUIC doesn’t rely on TCP for the transport layer but opts to use UDP instead.


The latest version of the TLS protocol is TLS 1.3, which was approved in 2018. TLS 1.3 contains very important changes; most importantly it removes old, deprecated and insecure cryptographic suites that should not be in use in 2018, and it also comes with speed-up features, such as TLS False start and 0-RTT. It also makes mandatory an extension known as Server Name Indication (SNI), one of the original proposed extensions from RFC4366, which was written all the way back in 2006.

There are real, solid reasons for why SNI is required, but there is also a major downside to SNI. SNI leaks the hostname on establishment of every TLS 1.3 connection. There is more to be said about SNI and how to fix it, and this will be addressed more fully in a post of its own; for now, note that the IETF Survey of Worldwide Censorship Techniques (draft 07) has been marking it as an Achilles heel for years.


Pluggable Transports and Censorship

Multiple countries have been documented attempting to both monitor and block Tor traffic, and incorrect usage of Tor has led to the documented downfall of multiple users over the years. One example is that connecting to the Tor network without a bridge is easily detectable, and can be used for attribution or creating a small target group.

China has been attempting to block Tor at least partially since 2008Venezuela began blocking Tor in 2018, and Russia passed a bill in 2017 forbidding the use of proxies and Tor specifically.

Tor’s cat and mouse against censors and monitoring led to the development of bridge relays, which rely on various techniques and protocols to bypass censorship. These techniques are called pluggable transports.

One crucial pluggable transport is meek, and to explain what meek is, we first need to explain domain fronting, the technique meek leverages to provide privacy.

What is Domain Fronting?

Domain fronting is a technique to obfuscate the SNI field of a TLS connection, effectively hiding the target domain of a connection. It requires finding a hosting provider or CDN which has a certificate that supports multiple target domains (known as SAN’s, subject alternative names). One of the domains will be a common one which the client wants to pretend to be targeting in the connection establishment in the SNI field, and the other domain is the actual target of the connection and the following HTTP request.

The following image shows an example of the certificate, which has many SAN domains, among them *


Once that’s done, domain fronting can be attempted. A quick test to see if domain fronting works for a pair of domains is to use cURL, sending the hidden host ( in this case) as an HTTP header and specifying the target as the domain we’re hiding behind ( in this case). cURL will specify that domain in the SNI field.


And here is another demonstration of the flow that hopefully makes it a bit clearer.

Pluggable Transports: meek

On the 14th of August 2014, the Tor Project announced the release of the meek pluggable transport. Meek uses domain fronting to hide the target bridge relay behind a very popular domain. For example, it could use as a cover for

This allowed the creation of meek bridge relays on large clouds such as Google App Engine, Amazon CloudFront/EC2 and Microsoft Azure, hiding the actual target hostname behind domains such as, or various static asset CDNs.

Domain fronting was nothing short of revolutionary for Tor users in high-risk countries.

  1. It made Tor traffic look exactly the same as normal HTTPS (with some caveats, bad usage can still make connections stand out).
  2. The side effect of blocking meek is very expensive to most censors, blocking Akamai/Amazon/Google either partially or completely in a country is not an act that goes unnoticed.

Meek is not a silver bullet as there are scenarios such as China blocking access to Google; regardless, meek still had huge impact and utility, and more providers were being discovered and researched. It was not unrealistic to expect a situation where blocking all meek bridges completely would require blocking a large chunk of the internet.

Domain fronting was adopted by other privacy-seeking service providers, notably Signal and Telegram, and proved itself when Signal was blocked in Egypt, Oman, Qatar and the UAE. Signal was still accessible thanks to domain fronting on Google App Engine due to these countries not being willing to go as far as blocking access to just to block these services.

Malicious Use of Domain Fronting: APT29

Domain fronting isn’t only used for good purposes; unfortunately, hiding the target domain is also a valuable tool for attackers looking to hide connections to their command and control servers and other assets, as was the case with the hacking group APT29, also known as Cozy Bear and The Dukes.

On March 27th, 2017 Mandiant/FireEye reported they had detected the Russian nation-state backed APT29 group employing domain fronting for at least two years. Domain fronting received quite a lot of attention around this time from the hype created in the cybersecurity community.

The Demise of Domain Fronting

On April 14th, 2018 a bug report was opened on the Tor bug tracker regarding breakage in the meek-google transport.

It was quickly discovered that Google’s infrastructure began responding with an HTTP Error 502 with the message “This HTTP request has a Host header that is not covered by the TLS certificate used. Due to an infrastructure change, this request cannot be processed”.

Google thus silently killed off domain fronting on its infrastructure. Two weeks later, Amazon followed suit blocking domain fronting and posting a blog post on the subject.


The use of domain fronting peaked in late April 2018. Amazon announced the blocking of domain fronting on April 27th. The same week of Amazon’s announcement, Signal announced their Amazon CloudFront account was frozen. Amazon pointed to Signal’s blog and Github account as proof of the alleged violation of Amazon’s ToS.

Signal had never attempted to conceal its usage of domain fronting, as it had announced the featurefor users in Egypt and UAE in 2016. Telegram also took a major hit, especially in Russia, where a ban on the app was upheld in court, affecting 15 million Telegram users at the time.

A week after Amazon had joined Google in blocking domain fronting, the Tor Project published “Domain Fronting is Critical to the Open Web”, a treatise on the importance of domain fronting to internet privacy, and detailing the move to Microsoft Azure.

As of April 2019, domain fronting still works on Microsoft Azure and serves as a critical lifeline for those relying on meek. While Microsoft’s cloud is smaller than those of either Amazon or Google, the effect of blocking it entirely would be immense for most censors. Blocking access to Azure would affect first-party cloud services owned by Microsoft such as Office 365 and Outlook, and even possibly disrupt vital services such as Windows update. On top of that, there is an unknown (but definitely large) amount of legitimate 3rd-party services hosted on Azure that would also take a hit.

Closing Thoughts on Vendor Responsibility

In closing, we would like to say we do not think Google or Amazon dropping domain fronting should be seen as an attempt by them to harm privacy on the internet. Domain fronting is an awkward but clever trick to side-step a flaw (or lack of feature) of the TLS protocol. As there has also been malicious usage of domain fronting, the most prominent one being APT29, it is certainly a liability in some respects. It has been suggested that political pressure may have been applied on these companies to phase out domain fronting; however, neither Google nor Amazon have commented on such speculation.

Also, as we will cover in our next post, Google is one of the vendors working on solving this issue, along with Cloudflare, Fastly, Apple and other members of the TLS working group that are involved with eSNI.

It is commendable in our eyes that Microsoft continues to provide domain fronting on Azure. There is no doubt that it is crucial to meek and other services that use the technique to protect the privacy of their users.

Click here to view the original post on SentinelOnes’ website.

How to configure Ruckus Unleashed in 5 minutes or less

Tuesday, April 16th, 2019

Over 30 billion connected “things” are expected by 2020, while applications such as 4K video are projected to drive internet traffic to 278,108 petabytes per month by 2021 – with users generating a staggering 163 zettabytes of data on an annual basis by 2025. Clearly, consumer-grade Wi-Fi routers are no longer capable of meeting the needs of small and medium businesses (SMBs).

These days, even smaller businesses are demanding fast, reliable, always-on connectivity for dozens or hundreds of connected devices. This is precisely why we are making Wi-Fi easy for SMBs with Ruckus Unleashed. Our controller-less, high-performance and affordable portfolio of access points (APs) can be up and running in five minutes or less. In addition, Ruckus Unleashed enables anyone to manage their network from an intuitive Unleashed mobile app for Android and iOS or website browser

Ruckus Unleashed Mobile App

In this video, we will demonstrate how easy it is to install and manage a Ruckus Unleashed network using your smartphone

First, let’s briefly review the installation process. Simply connect to the ‘configure me’ network and open the Ruckus Unleashed mobile app. Then follow the on-screen instructions to install the access point (AP). Once your Unleashed access point is up and running, there are several things you can do with your mobile app:

  • You can be notified of any changes on your network like an unresponsive access point.
  • Restart your AP from the Ruckus Unleashed mobile app.
  • Get a quick snapshot about clients connected to the network, WLANs and access points in your network through the dashboard.
  • Quickly add a new WLAN just by clicking on the plus button over the total WLAN dashboard icon.
  • Touch on the client symbol to learn about all the clients connected to your network.
  • Rename a client to easily identify the connected device and mark it as a favorite to receive instant notifications about that client.

If you run into any trouble, Ruckus can jump in to assist you using our remote management system. For additional information about Ruckus Unleashed and SMB Wi-Fi, please check out some of our previous articles:

Click here to view the original post on Ruckus’ website

Why Wi-Fi 6 is a breakthrough technology for the IoT

Tuesday, April 16th, 2019

Tom Soderstrom, the IT Chief Technology and Innovation Officer at NASA’s Jet Propulsion Laboratory (JPL), recently wrote an article titled “The Next Computing Wave: Ultra Powerful, Ultra-Accelerated, Ultra Connected.” The article, published on MeriTalk, touches on a number of topics, including Wi-Fi 6 (802.11ax), 5G, quantum computing, and the Cloud.


Wi-Fi 6 & the IoT

As Soderstrom observes, Wi-Fi 6 is nothing less than a “breakthrough technology” in the wireless arena.

“It’s coming soon, and it’s built for IoT. It will connect many, many more people to mobile devices, household appliances, or public utilities, such as the power grid and traffic lights,” he states. “The transfer rates with Wi-Fi 6 are expected to improve anywhere from four times to 10 times current speeds, with a lower power draw, i.e. while using less electricity.”

According to Soderstrom, IoT devices (aka sensors) will create and store massive amounts of data in the Cloud – all the time. 

“The flexibility of the Cloud allows service providers and developers at home and in enterprises to modify applications in near-real time,” he explains. “In fact, almost all AI-based applications or machine learning programs will be built in the Cloud, including the wireless apps used in retail, manufacturing, transportation and more.”

Wi-Fi 6 & Increased Power Efficiency

As Soderstrom succinctly notes, Wi-Fi 6 is more power-efficient than its predecessors. As we’ve previously discussed here at The Ruckus Room, this is made possible by a technology known as Target Wake Time (TWT). Essentially, TWT enables devices to determine when and how frequently they will wake up to send or receive data. In real-world terms, this allows wireless Wi-Fi 6 access points (APs) to increase device sleep time and significantly conserve battery life, a feature that is particularly important for the IoT. In addition to saving power on the client device side, Target Wake Time enables wireless access points and devices to negotiate and define specific times to access the medium. This helps optimize spectral efficiency by reducing contention and overlap between users.

The Origins of Target Wake Time

The Target Wake Time mechanism first appeared in the IEEE 802.11ah “Wi-Fi HaLow” standard. Published in 2017, the low-power standard is specifically designed to support the large-scale deployment of IoT infrastructure – such as stations and sensors – that intelligently coordinate signal sharing. The TWT feature further evolved with the Wi-Fi 6 standard, as stations and sensors are now only required to wake and communicate with the specific beacons transmitting instructions for the TWT broadcast sessions they belong to. This allows the wireless Wi-Fi 6 standard to optimize power saving for many devices, with more reliable, deterministic and LTE-like performance.


Wi-Fi 6 is the latest generation of Wi-Fi that bridges the performance gap towards ten gigabit speeds. It delivers faster network performance, connects more devices simultaneously and effectively transitions Wi-Fi from a best-effort endeavor to a deterministic wireless technology that is now the de-facto medium for internet connectivity. Deployed in dense device environments – such as those created by the IoT – Wi-Fi 6 supports higher service-level agreements (SLAs) to more concurrently connected users and devices with more diverse usage profiles. This is made possible by a range of features that optimize spectral efficiency, increase throughput and reduce power consumption. In addition to TWT, these include Multi-User Multiple Input Multiple Output (MU-MIMO)Orthogonal Frequency-Division Multiple Access (OFDMA)BSS Coloringand 1024-QAM.

Click here to view the original post on Ruckus’ website.

New ESG webinar discusses risk areas for BYOD and guest access

Wednesday, April 10th, 2019

A while back, Ruckus Networks sponsored a white paper from Enterprise Strategy Group (ESG) titled “Does Your Method for BYOD Onboarding Compromise Network Security?” This thought-leadership piece did a great job of calling attention to the security flaws in the ways organizations typically get BYOD and guest users connected to the network.

We’d like to share with you a brand new on-demand ESG webinar published under the same title featuring Senior Analyst and Practice Director Bob Laliberte. No registration is required to view the webinar. As much as we like white papers, hearing Bob cover this subject matter in webinar form really brings it to life. You can think of the white paper and webinar as companion pieces that reinforce one another. The webinar builds upon the white paper content to reach new heights of insight. Even if you have read the white paper, the webinar is well worth viewing.

What does the new ESG webinar cover?

As you probably know, ESG is a highly regarded and influential IT industry analyst firm with practice areas that include networking and IT security. Many IT professionals look to them to provide insights into trends in the world of IT. Those of us on the vendor side also follow them to keep tabs on what’s going on in the broader IT landscape. You can check out some of ESG’s videos on their YouTube channel and follow them on the major social media platforms.

The new ESG webinar contains a little over 34 minutes of great content from Bob Laliberte, placing network access security in the broader context of industry topics like digital transformation and IoT adoption. It argues that the attack surface for potential data compromise is growing and suggests some root causes for that dynamic. Bob goes on to cite several drivers for making IT purchase decisions, referencing ESG research to back up his assertions.

Then things really get going as he delves into the core of the subject matte — how commonly used methods for getting BYOD and guest users connected to the network can leave you vulnerable to data and network compromise. (This is something we at Ruckus have been trying to raise awareness about for some time, so it’s great to have ESG validate that perspective.) Bob covers some questions you should ask yourself in relation to network access security. He also makes specific recommendations about how IT teams can improve security in this area.

The Ruckus take on secure network access

Since this is a vendor-sponsored webinar, you probably expect that Ruckus will have something to say on the subject matter, as well. If so, you are correct. Please note that we don’t claim the lion’s share of the airtime though—less than half of the time that Bob spends presenting. The focus here is on his thought-provoking and educational content.

We do take some time at the end to discuss our take on how to plug the security holes inherent to the default methods for getting users and devices connected to the network. This may be giving too much away about the ESG webinar content, but Cloudpath Enrollment System, our SaaS/software for secure onboarding, has security features that address precisely the issues discussed in the webinar.


We’ll wrap up this blog by inviting you again to watch the new on-demand webinar featuring ESG, and reiterate that you don’t need to provide any contact details to view it. It’s a great resource to learn more about network access security issues and how to address them. It can also be a good place to refer others in your organization, who may influence IT strategy, to help them understand the issues. You can also access the companion white paper, either in the form of a dynamic website or a PDF. After that, feel free to check out other resources on the Cloudpath product page. You can even request a live online demo there when you’re ready for a closer look at the product.

Click here to view the original post on Ruckus’ website.