Sunday, February 26, 2017

Cloudbleed: What it means for PacketTotal

On February 23, Cloudflare announced a bug that caused contents of their edge servers' memory to be returned in responses to certain requests passing through their network, potentially exposing sensitive data belonging to other requests. PacketTotal is a Cloudflare customer and uses their services to keep PacketTotal running smoothly and without interruption.

This means that if you interacted with the PacketTotal website between February 10, 2017 and February 18, 2017, the associated activity could have leaked. However, PacketTotal does not currently allow users to create accounts or upload data that is private to any specific user. Information that may have leaked should therefore not create any additional risk to PacketTotal users, since the same information is already publicly accessible on the PacketTotal site. Even though we believe there is no actionable risk to previous users, PacketTotal is dedicated to providing transparency into any known security issues identified with our service.

We are continuing to monitor the situation for any updates.

Friday, February 17, 2017

Hello World

Welcome to the PacketTotal development blog! PacketTotal launched February 10th, 2017 and is now one week old.

First, thank you to everyone who has given the engine a try, it has made all of the work that went into it worthwhile. This first week has been incredibly busy. I've patched around thirty minor bugs, scaled up the Elasticsearch backend, and begun laying the ground-work for some cool new analysis features.

So what's next for this project?

The main goal of PacketTotal has and will continue to be providing a framework for analysts and researchers to share malicious packet-captures.

Right now the tool does a decent job indexing packet metadata and making it available for search. This is fairly useful, because it allows you to search across all packets submitted, look for similar traffic, and grow your list of IOCs.

Right now the only way to correlate similar traffic between packet-captures is through the search UI. In the next couple of weeks I'll be adding similar functionality to the analysis console, providing the ability to pivot between packet-captures on a single IOC.

Suricata does an excellent job of identifying suspicious/malicious traffic, but in most cases it does not tell you that X traffic is associated with Y malware campaign. I will be adding features into the analysis console to let users attach information like this to packet-captures. This information would then become searchable to the public and greatly improve the intelligence gathered from the tool.

From a usability standpoint I plan on tweaking the way that users submit packet-capture files, specifically the logic used to determine whether or not a packet-capture file can be analyzed. The current code is over-engineered and borders on paranoia. I will be ripping out the custom header validation and replacing it with libmagic, reducing the number of "Invalid PCAP" errors for legitimate packet-captures.
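As an added illustration of why a magic-number check is enough here (this is example code written for this post, not PacketTotal's own validation code, which is not shown), the block below recognizes a capture the same way libmagic's signatures do: by the first bytes of the file. It accepts all four classic pcap magic values (both byte orders, microsecond and nanosecond timestamps) plus the pcapng Section Header Block, and reads the global header with the detected byte order. The `strict_pcap_check` function is a hypothetical over-strict validator, included only to show the kind of legitimate files such a check rejects; it is not a description of PacketTotal's code. All sample headers are constructed inline.

```python
import struct

# Classic libpcap global header is 24 bytes:
#   magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
# The magic value doubles as a byte-order and timestamp-resolution marker.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # big-endian, nanosecond timestamps
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"     # pcapng Section Header Block type (byte-order neutral)
PCAPNG_BOM_LE = b"\x4d\x3c\x2b\x1a"  # byte-order magic 0x1A2B3C4D, little-endian
PCAPNG_BOM_BE = b"\x1a\x2b\x3c\x4d"  # byte-order magic 0x1A2B3C4D, big-endian


def identify_capture(data: bytes):
    """Return a dict describing the capture format, or None if the bytes are not a capture.

    This mirrors what a libmagic lookup answers: 'is this a pcap/pcapng, and which flavor?'
    It deliberately does not require a particular version, snaplen or link type.
    """
    head = data[:4]
    if head in PCAP_MAGICS:
        endian, resolution = PCAP_MAGICS[head]
        if len(data) < 24:
            return None  # truncated global header
        major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
            endian + "HHiIII", data[4:24]
        )
        return {
            "format": "pcap",
            "endian": endian,
            "resolution": resolution,
            "version": (major, minor),
            "snaplen": snaplen,
            "linktype": linktype,
        }
    if head == PCAPNG_SHB and len(data) >= 12:
        # Bytes 8..12 of the SHB carry the byte-order magic for the whole section.
        bom = data[8:12]
        if bom == PCAPNG_BOM_LE:
            return {"format": "pcapng", "endian": "<"}
        if bom == PCAPNG_BOM_BE:
            return {"format": "pcapng", "endian": ">"}
    return None


def strict_pcap_check(data: bytes) -> bool:
    """Hypothetical over-strict validator (illustration only, not PacketTotal's code).

    Accepts only little-endian, microsecond, version 2.4 pcap with Ethernet link type,
    so big-endian, nanosecond and pcapng captures all come back as 'invalid'.
    """
    return (
        data[:4] == b"\xd4\xc3\xb2\xa1"
        and len(data) >= 24
        and struct.unpack("<HH", data[4:8]) == (2, 4)
        and struct.unpack("<I", data[20:24])[0] == 1
    )


def make_pcap_header(endian: str, nanosecond: bool = False,
                     version=(2, 4), snaplen: int = 65535, linktype: int = 1) -> bytes:
    """Build a constructed (sample) classic pcap global header in the given byte order."""
    magic = 0xA1B23C4D if nanosecond else 0xA1B2C3D4
    return struct.pack(endian + "IHHiIII", magic, version[0], version[1], 0, 0, snaplen, linktype)


# Constructed sample: a minimal little-endian pcapng Section Header Block (28 bytes).
SAMPLE_PCAPNG = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)


if __name__ == "__main__":
    samples = {
        "pcap LE us": make_pcap_header("<"),
        "pcap BE ns": make_pcap_header(">", nanosecond=True),
        "pcapng": SAMPLE_PCAPNG,
        "not a capture": b"GIF89a" + b"\x00" * 30,
    }
    for name, blob in samples.items():
        print(f"{name:14} magic-based: {identify_capture(blob)!r:>60}  strict: {strict_pcap_check(blob)}")
```

Running it shows the point of the change: the magic-based check classifies every legitimate capture, while the strict checker reports "invalid" for the big-endian nanosecond pcap and for pcapng even though both are perfectly analyzable. A real deployment would hand the bytes to libmagic (for example via the python-magic bindings) and accept whatever it identifies as a pcap or pcapng capture, rather than maintaining a custom table like the one above.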

Thanks again for giving PacketTotal a try, and as always I welcome any criticism/suggestions that will make the tool work better for you.