Archive

Category Archives for "Networking"

What’s the deal with Apple-Cisco deal?

Apple earlier this week expanded its push into enterprises, announcing a partnership with Cisco to sell more iPads and iPhones to businesses.But unlike the deal Apple struck with IBM last summer, the partnership with Cisco was outlined in only the broadest terms. The vagueness put off one analyst.To read this article in full or to leave a comment, please click here

Black Hat survey reveals a disconnect between losses and security program focus

I started to review the recently published Black Hat Attendee Survey. This study primarily focused on the concerns of practitioners, including how they actually spent their times and the losses that they incurred. In another article, I will try to compare those concerns with the actual conference content. For now though, the most notable statistic is the prominence of awareness related concerns, as a pain point for security professionals. Clearly, the news media and study after study indicate that attackers target poor awareness on the part of end users and administrators. It has been reported that spearphishing was behind the Sony and TV5Monde attacks. The Sony results are well known. The TV5Monde attack was originally credited to ISIS sympathizers and the fact that TV5Monde actually televised many of their passwords while broadcasting an interview from their studios. Passwords were written on a white board in the background. Whether the attack was the result of televised passwords or spearphishing, it is still a result of user actions.To read this article in full or to leave a comment, please click here

The myth of the cybersecurity skills shortage

Everyone seems to think that there’s a lack of qualified security professionals, and that the reason is that there aren’t enough people entering the field with the required skills. There is a fallacy behind that thinking, though. People think that security is a stand-alone discipline, but it is actually a discipline within the computer field. Treating it otherwise is a mistake.Most of the people who have been in the security profession for more than a decade, including me, entered the field without a cybersecurity degree. We might have certifications, but we don’t claim that those certs are the source of any expertise we may have.My own experience is not atypical. In all of my years of working, as an employee or contractor, for the National Security Agency and other military and intelligence agencies, I never performed specifically what would be considered security work.To read this article in full or to leave a comment, please click here

Risky Business #381 — Samy Kamkar on his outlaw days

On this week's show we're chatting with hacker superstar and YouTube phenomenon Samy Kamkar. Samy is a security researcher of note -- his recent hardware hacks have been coming thick and fast. This week I spoke to him about his brush with the law following his unleashing of the Samy worm on MySpace a decade ago, some of his recent research and his plans for the future.

read more

How Complex Is Your Data Center?

Sometimes it seems like the networking vendors try to (A) create solutions in search of problems, (B) boil the ocean, (C) solve the scalability problems of Google or Amazon instead of focusing on real-life scenarios or (D) all of the above.

Bryan Stiekes from HP decided to do a step in the right direction: let’s ask the customers how complex their data centers really are. He created a data center complexity survey and promised to share the results with me (and you), so please do spend a few minutes of your time filling it in. Thank you!

Take the survey

For future wearables, the network could be you

People who wear networked gadgets all over their bodies may someday become networks themselves.Researchers at the University of California, San Diego, have found a way for wearables to communicate through a person's body instead of the air around it. Their work could lead to devices that last longer on smaller batteries and don't give away secrets as easily as today's systems do. The proliferation of smartphones, smart watches, health monitoring devices and other gear carried close to the body has led to so-called personal area networks that link the gadgets together and provide a path to the Internet through one that has a Wi-Fi or cell radio. Today, those PANs use short-range over-the-air systems like Bluetooth.To read this article in full or to leave a comment, please click here

8 in 10 Internet-connected baby monitors receive ‘F’ grade for security flaws

Despite the negative and wide spread publicity around baby monitor hacks, sadly you shouldn’t expect an end to baby cam hacker stories any time soon. Today Rapid7 publicly disclosed 10 new vulnerabilities in baby monitors made by nine different manufacturers. On a grading scale, eight of the 10 Internet-connected baby monitors scored an “F” and one received a “D” grade.If you were curious about some redactions in the slides during Mark Stanislav’s “The Hand that Rocks the Cradle: Hacking IOT Baby Monitors” presentation at Def Con’s IOT Village, it was due to several new vulnerabilities he uncovered. Stanislav and Tod Beardsley have published a hacking IOT case study on baby monitors (pdf).To read this article in full or to leave a comment, please click here

MPBGP Configuration

Hi everyone, JP here. You know as CCIE candidates, we are faced with one of the most difficult, and grueling, exams the networking world has to offer – the CCIE lab exam. As you may or may not be aware, Frame-Relay was replaced with L3VPN and DMVPN in the R&S Version 5 blueprint update. This means not only will we need to understand our IGP’s, MPLS, and VRF Lite, but we will need to fully understand how to configure MPBGP in order to transport our VPN labels and prefixes across the service provider’s network.

Using a topology from one of our mock labs, let’s have a look into the configuration of MP-BGP and make sure we understand it. Preview the diagram in HD here.

JP_Blog_082015_1

In a Layer 3 VPN we are driven by the need to advertise customer prefixes across a service provider network, while keeping these customers isolated from one another. To do this using L3VPN, we need to carry more than just the IPv4 unicast address, which is all standard BGP is capable of. Additional information like the MPLS label, VPN label, and route-distinguisher need to be carried from one point of the network to the other. Let’s Continue reading

The unintended consequences of a RASP-focused application security strategy

Runtime application self-protection (RASP) is a promising solution for strengthening the security posture of an application while supporting faster development, but RASP can introduce serious unintended risks, particularly if developers are not producing quality code from the start.

RASP is a technology approach being evangelized by Joseph Feiman, a research vice president and fellow at Gartner. Last fall, in a report entitled “Stop Protecting Your Apps: It’s Time for Apps to Protect Themselves,” Feiman noted that application self-protection must be a CISO’s top priority because “modern security fails to test and protect all apps. Therefore, apps must be capable of security self-testing, self-diagnostics and self-protection.”

To read this article in full or to leave a comment, please click here

CIOs embrace hybrid cloud and software-defined data centers

SAN FRANCISCO – Companies building mobile and Web applications to support their digital businesses depend on a mix of private and public clouds to exchange data, said Bill Fathers, VMware's executive vice president and general manager of cloud services, at the company’s VMworld customer event here Monday. Fathers said companies are struggling to deal with a "fundamental shift in application deployment patterns,” That's forced CIOs to think about "network architecture and data residency." In short: how data is moving back and forth between various on-premises systems and cloud environments the apps connect to. VMware is aiming to address these challenges with its unified hybrid cloud, which includes server, storage and network resources designed to enable companies to run any application on any device. The company announced several new software products in support of this initiative.To read this article in full or to leave a comment, please click here

Despite reports of hacking, baby monitors remain woefully insecure

Disturbing reports in recent years of hackers hijacking baby monitors and screaming at children have creeped out parents, but these incidents apparently haven't spooked makers of these devices.A security analysis of nine baby monitors from different manufacturers revealed serious vulnerabilities and design flaws that could allow hackers to hijack their video feeds or take full control of the devices.The tests were performed by researchers from security firm Rapid7 during the first half of this year and the results were released Tuesday in a white paper. On a scale from A to F that rated their security functionality and implementation, eight of the devices received an F and one a D.To read this article in full or to leave a comment, please click here

The RMS Titanic and cybersecurity

Little known fact: Yesterday was the 30th anniversary of Bob Ballard’s discovery of the RMS Titanic, several hundred miles off the coast of Newfoundland Canada. I’ve recently done some research into the ship, its builders, and its ultimate fate and believe that lessons learned from Titanic may be useful for the cybersecurity community at large. The Titanic tragedy teaches us of: The dangers of technology hubris. The Titanic was designed with the latest technology at the time to withstand severe storms in the north Atlantic. Because of this, the shipbuilders at Harland and Wolff decided to market the ship as “unsinkable.” Likewise, our industry has this absolute love affair with technology. I’m constantly briefed on the latest and greatest prevention or detection engine designed to withstand anything hackers can throw at it. Like the “unsinkable” Titanic, this is nothing but hot air. Bad guys will find ways around all of our defenses over time. Strong security demands people, process, and technology so the industry love affair with technology alone is counterproductive and leaves us susceptible to a sea of cybersecurity icebergs. The need for organizational coordination. There were two inquiries into the Titanic disaster, one in the U.S. Continue reading

How to get security right when embracing rapid software development

Accelerated software development brings with it particular advantages and disadvantages. On one hand, it increases the speed to market and allows for fast, frequent code releases, which trump slow, carefully planned ones that unleash a torrent of features at once. Continuous release cycles also allow teams to fine-tune software. With continuous updates, customers don’t have to wait for big releases that could take weeks or months.

Embracing failure without blame is also a key tenet of rapid acceleration. Teams grow faster this way, and management should embrace this culture change. Those who contribute to accidents can give detailed accounts of what happened without fear of repercussion, providing valuable learning opportunities for all involved.

To read this article in full or to leave a comment, please click here

1 2,963 2,964 2,965 2,966 2,967 3,444