SPIFFE, SPIRE Join Cloud Native Computing Foundation Sandbox

The open source workload identity framework projects are modeled after similar systems at Google, Netflix, and Twitter.

Hybrid Cloud Security 101: What IT Leaders Need to Know

Hybrid cloud environments present a revolutionary change in how organizations store and manage their data. But what happens if access to the cloud is compromised or interrupted?

Cloudflare is adding Drupal WAF Rule to Mitigate Critical Drupal Exploit

Cloudflare is adding Drupal WAF Rule to Mitigate Critical Drupal Exploit

VMware Buys Second Security Startup, E8 Security

The virtualization giant will add E8 Security’s user and entity behavior analytics technology to its digital workspace platform.

McAfee Drops New SOCs, Netskope Takes CASB Beyond Cloud Apps

McAfee opened new security operations centers in Plano, Texas, and Cork, Ireland. Also today Netskope expanded its cloud security platform to include web access.

Kubernetes 1.10 Release Hits Storage, Security, and Networking

The latest release continues the string of recent updates that while important are becoming more "boring" by design as the platform gains further maturity.

A Solution to Compression Oracles on the Web

CC 3.0 by Jean-Jacques MILAN

This is a guest post by Blake Loring, a PhD student at Royal Holloway, University of London. Blake worked at Cloudflare as an intern in the summer of 2017.

Compression is often considered an essential tool when reducing the bandwidth usage of internet services. The impact that the use of such compression schemes can have on security, however, has often been overlooked. The recently detailed CRIME, BREACH, TIME and HEIST attacks on TLS have shown that if an attacker can make requests on behalf of a user then secret information can be extracted from encrypted messages using only the length of the response. Deciding whether an element of a web-page should be secret often depends on the content of the page, however there are some common elements of web-pages which should always remain secret such as Cross-Site Request Forgery (CSRF) tokens. Such tokens are used to ensure that malicious webpages cannot forge requests from a user by enforcing that any request must contain a secret token included in a previous response.

I worked at Cloudflare last summer to investigate possible solutions to this problem. The result is a project called cf-nocompress. The Continue reading

London & Barcelona developers, we want to meet you this week

Are you based in London or Barcelona? Drop by the Cloudflare London office to meet Kenton Varda, lead architect of Cloudflare Workers, front end developers Marta Bondyra and David Sancho from Typeform, or drop by the Typeform office in Barcelona to hear from Jason Harmon, Typeform’s Chief Platform Officer. My Developer Relations teammates and I are visiting these cities over the next two weeks. We’d love to meet you and invite you to the three events we’re hosting.

Our first stop is the Cloudflare London office. Developers from our Cloudflare Apps partner, Typeform, are leading a talk on Tuesday, March 27th. The lead architect of Cloudflare Workers, Kenton Varda, is going to lead a follow-up talk about edge computing on Wednesday, March 28th.

Event #1: Building for a tech audience: Great dev lessons for adventurous makers

Tuesday, March 27th: 18:00-20:00

Location: Cloudflare London - 25 Lavington St, Second floor | SE1 0NZ London

Creating software from scratch, although fun, can be time consuming and expensive. Marta and David, both developers at Typeform, will tell you why their teams built tools to make the lives of developers a little easier and what they learned along the way.

Continue reading

How NSX Is Tapping into the Human Element Behind Network Virtualization

Virtualization can be a tricky concept for some people to wrap their heads around. Trying to explain the functionalities and benefits of technology like VMware NSX can quickly devolve into techno-babble. With that said, we’re trying to take another approach—a more human approach. Below are three customer stories that emphasize a human-interest element behind network virtualization and showcase the power of technologies like NSX to better human lives.

NSX Powers a ‘Classroom in the Cloud’ for Illinois Students

 When the technology leaders of Bloomington’s public schools started looking for a way to make advanced, enterprise-level computing and Internet services affordable to students, they went the co-op route and turned to IlliniCloud. IlliniCloud has proven to be a game-changer for a public education system in crisis. The co-op is transforming the technology infrastructures of not just Bloomington’s public school district, but every school district in Illinois with an affordable and efficient model that results in major cost savings for schools, along with upgrades in technology and aging infrastructures.

VMware is the backbone of IlliniCloud and a natural fit, according to Jason Radford, CTO of IlliniCloud: “VMware believed in the IlliniCloud. They gave us the tools that were Continue reading

Should Bug Bounty Programs Pay Hackers Millions to Find Bugs?

Netflix it the latest company taking its bug bounty payouts public with Bugcrowd. But there’s more to fixing security vulnerabilities than simply doling out cash.

Introducing Certificate Transparency and Nimbus

Certificate Transparency (CT) is an ambitious project to help improve security online by bringing accountability to the system that protects HTTPS. Cloudflare is announcing support for this project by introducing two new public-good services:

• Nimbus: A free and open certificate transparency log
• Merkle Town: A dashboard for exploring the certificate transparency ecosystem

In this blog post we’ll explain what Certificate Transparency is and how it will become a critical tool for ensuring user safety online. It’s important for website operators and certificate authorities to learn about CT as soon as possible, because participating in CT becomes mandatory in Chrome for all certificates issued after April 2018. We’ll also explain how Nimbus works and how CT uses a structure called a Merkle tree to scale to the point of supporting all trusted certificates on the Internet. For more about Merkle Town, read the [follow up post] by my colleague Patrick Donahue.

Trust and Accountability

Everything we do online requires a baseline level of trust. When you use a browser to visit your bank’s website or your favorite social media site, you expect that the server on the other side of the connection is operated by the organization indicated in Continue reading

Symantec Security Report: Cryptojacking Attacks Increased 8,500% in 2017

Cryptojacking exploded last year, according to Symantec’s latest annual security threat landscape report. It found detections of cryptocurrency coin miners grew by a whopping 8,500 percent in 2017.

The real cause of large DDoS – IP Spoofing

Good summary of DDOS using IP Spoofing

Google Cloud Security Blitz Attacks Email Phishing, Improves Visibility

Google unleashed more than 20 cloud security updates including better visibility across cloud services and potential threats and beefed up security against email phishing attacks.

Microsoft and OCP Friends Push Open Hardware Security Standard

Microsoft is working with Intel, Facebook, and Google to implement Project Cerberus security architecture. It plans to contribute the open hardware security specs to OCP.

IETF 101, Day 4: The Brass Tacks about DNS and Routing

This week is IETF 101 in London, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. And Thursday is probably the busiest day for us, covering the whole range of our interests.

ROLL has its first of two sessions starting at 09.30 GMT/UTC; continuing on Friday morning. There are several drafts being discussed dealing with the issues of routing over resource constrained networks where limited updates are possible.

NOTE: If you are unable to attend IETF 101 in person, there are multiple ways to participate remotely.

There’s a choice between a couple of working groups after lunch, starting at 13.30 GMT/UTC.

DOH was chartered to create a single RFC, so clearly the draft DNS queries over HTTPS is going to be the primary focus of discussion. However, there will also be updates on the practical implementation work, and a discussion about possible future work if there is a decision to re-charter the group.

6LO runs in parallel and has a fairly busy agenda with Registration Extensions for 6LoWPAN Neighbor Discovery, and Address Protected Neighbor Discovery for Low-power and Lossy Networks having received feedback from the IESG. Continue reading

Security for Public Clouds (AWS) with vRealize Network Insight

Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises, or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission-critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture, and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available, helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) Supports Amazon Web Services (AWS) Public Cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds, VMs, Security Groups, firewall rules, and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you’ll be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

Let’s review a simple Amazon Web Services (AWS) VPC setup to articulate the value vRealize Network Insight can offer from a Day 1 Day 2 perspective.

1. We have an on-premise instance of vRealize Network Insight managing AWS.
2. Continue reading

CA Veracode Validates Application Security, DevOps Processes

Eighty-four percent of software buyers include security requirements in new vendor contracts.

Side Channel Attacks in the Wild: The Smart Home

Side channel attacks are not something most network engineers are familiar with; I provided a brief introduction to the concept over at The Network Collective in this Short Take. If you aren’t familiar with the concept, it might be worth watching that video (a little over 4 minutes) before reading this post.

Side channel attacks are more common, and more dangerous, than many engineers understand. In this post, I’ll take a look at a 2017 research paper that builds and exploits a side channel attack against several smart home devices to see how such a side channel attack plays out. They begin their test with a series of devices, including a children’s sleep monitor, a pair of security cameras, a pair of smart power plugs, and a voice based home assistant.

The attack itself takes place in two steps. The first is to correlate individual traffic flows with a particular device (where a traffic flow is a 5 tuple. The researchers did this in three different ways. First, they observed the MAC address of each device talking on the network, comparing the first three octets of this address to a list of known manufacturers. Most home device manufacturers use a Continue reading