Archive

Category Archives for "Security"

Huawei Q&A: Paving a Trusted Way for Cloud-based Transformation

Paving a Trusted Way for Cloud-based Transformation Q&A Thanks to all who joined us for the Huawei 2017 Infrastructure Security Report Webinar: Paving a Trusted Way for Cloud-based Transformation. During the webinar, Huawei discussed a fresh approach when it comes to your cloud journey that is characterized by the transition to cloud computing, mobile Internet, Big Data, and virtual networks. After the webinar, we... Read more →

Live Today : HPC, Machine Learning, And Security – Can HPC Be Self Healing?

SPONSORED WEBCAST

Today at 10 am Eastern / 15:00 UK this free webcast will broadcast live.

In this webcast, we learn from Nick Curcuru, vice president of the big data practice at MasterCard, about what needs to be in place both technically and in terms of management models and processes so that the benefits can be fully achieved.

High performance computing, long the domain of research centers and academia, is increasingly becoming a part of mainstream IT infrastructure and being opened up to a broader range of enterprise workloads, and in recent years, that includes big data analytics and machine

Live Today : HPC, Machine Learning, And Security – Can HPC Be Self Healing? was written by Matt Proud at The Next Platform.

Real world use cases for NSX and Pivotal Cloud Foundry

Pivotal Cloud Foundry (PCF) is the leading PaaS solution for enterprise customers today, providing a fast way to convert their ideas from conception to production. This is achieved by providing a platform to run their code in any cloud and any language taking care of all the infrastructure “stuff” for them.

From building the container image, compiling it with the required runtime , deploying it in a highly available mode and connecting it to the required services, PCF allows dev shops to concentrate on developing their code.

While the platform is providing developers with the most simplified experience conceivable, under the hood there are many moving parts that make that happen and plumbing all these parts can be complex. That’s where customers are really enjoying the power of VMware’s SDDC, and the glue between the PaaS and SDDC layers is NSX, it is the enabler that makes it all work.

In this blog post I detail some of the main uses cases customers have already deployed NSX for PCF on top of vSphere and how PCF and NSX are much better together in the real world.

The use cases customers are deploying with NSX for PCF are varied and ill Continue reading

NSX Real World Use Cases for Pivotal Cloud Foundry

Pivotal cloud foundry is the leading PaaS solution for enterprise customers today, providing a fast way to convert their ideas from conception to production. This is achieved by providing a platform to run their code in any cloud and any language taking care of all the infrastructure stuff for them.

From building the container image, compiling it with the required runtime, deploying it in a highly available mode and connecting it to the required services, PCF allows dev shops to concentrate on developing their code.

While the platform is providing developers with the most simplified experience conceivable, under the hood there are many moving parts that make that happen and plumbing all these parts can be complex. That’s where customers are really enjoying the power of VMware’s SDDC, and the glue between the PaaS and SDDC layers is NSX, it is the enabler that makes it all work.

In this blog post, I detail some of the main uses cases customers has already deployed NSX for PCF on top of vSphere and how PCF and NSX are much better together in the real world.

The use cases customers are deploying with NSX for PCF are varied and ill divide them Continue reading

KRACK proves we need more encryption on the Internet

A serious weakness in Wi-Fi security was made public earlier today. The Key Reinstallation Attack (KRACK) can break Wi-Fi encryption, opening your data up to eavesdropping. This, combined with issues in Linux and Android, make it possible for attackers to change websites you view. This is a serious problem for Wi-Fi Protected Access 2 (WPA2), a protocol used in millions of networks worldwide.

Luckily, the use of Transport Layer Security (TLS) is on the rise. Mozilla’s data shows that over 60% of pages loaded in Firefox use TLS. More and more companies are using encryption for all traffic and removing the ability to connect to unencrypted versions of their sites. When connecting to these sites, KRACK isn’t as big of a deal, because the data is encrypted before it’s sent across Wi-Fi. Even if WPA2 is broken, the data is still secure.

Unfortunately there are still millions of sites that don’t provide this security. Their users are vulnerable to eavesdropping, fake content, malware injection, and more. We need more companies and operators to use TLS and HTTP Strict Transport Security (HSTS) to mitigate the potential impact of KRACK.

Internet traffic exists in layers, which makes it possible to use more Continue reading

KRACK proves we need more encryption on the Internet

A serious weakness in Wi-Fi security was made public earlier today. The Key Reinstallation Attack (KRACK) can break Wi-Fi encryption, opening your data up to eavesdropping. This, combined with issues in Linux and Android, make it possible for attackers to change websites you view. This is a serious problem for Wi-Fi Protected Access 2 (WPA2), a protocol used in millions of networks worldwide.

Luckily, the use of Transport Layer Security (TLS) is on the rise. Mozilla’s data shows that over 60% of pages loaded in Firefox use TLS. More and more companies are using encryption for all traffic and removing the ability to connect to unencrypted versions of their sites. When connecting to these sites, KRACK isn’t as big of a deal, because the data is encrypted before it’s sent across Wi-Fi. Even if WPA2 is broken, the data is still secure.

Unfortunately there are still millions of sites that don’t provide this security. Their users are vulnerable to eavesdropping, fake content, malware injection, and more. We need more companies and operators to use TLS and HTTP Strict Transport Security (HSTS) to mitigate the potential impact of KRACK.
Internet traffic exists in layers, which makes it possible to use more Continue reading

Some notes on the KRACK attack

This is my interpretation of the KRACK attacks paper that describes a way of decrypting encrypted WiFi traffic with an active attack.

tl;dr: Wow. Everyone needs to be afraid. It means in practice, attackers can decrypt a lot of wifi traffic, with varying levels of difficulty depending on your precise network setup. My post last July about the DEF CON network being safe was in error.

Details

This is not a crypto bug but a protocol bug (a pretty obvious and trivial protocol bug).

When a client connects to the network, the access-point will at some point send a random "key" data to use for encryption. Because this packet may be lost in transmission, it can be repeated many times.

What the hacker does is just repeatedly sends this packet, potentially hours later. Each time it does so, it resets the "keystream" back to the starting conditions. The obvious patch that device vendors will make is to only accept the first such packet it receives, ignore all the duplicates.

At this point, the protocol bug becomes a crypto bug. We know how to break crypto when we have two keystreams from the same starting position. It's not always reliable, but Continue reading

On Approaches to Internet Security, Cybersecurity, and the Path Forward

On 5 October, I had the pleasure of speaking at the New York Metro Joint Cyber Security Conference, which brings together a community of security practitioners from the New York Metro area. Two talks stood out for me. First, the keynote by Maria Vullo, Superintendent Financial Services for the state of New York, who explained her drivers for regulating cybersecurity requirements for the Financial Sector [link to the presentation]. Second, a presentation by Pete Lindstrom from IDC, who, in a presentation on how perimeter security needs a thorough rethink, kept returning to the economics of security.

The reason I refer to these two talks is because I can appreciate them for their own, almost diametrical approaches for improving security. Pete Lindstrom making a strong economic and risk-based approach, questioning whether patching every vulnerability that comes along makes any sense from an economic risk and scale analysis. Maria Vullo, on the other hand, using capacity-based regulation to incentivise stronger security controls.

Those two points resonate strongly with what I was trying to get across: There is no magic security bullet, there is no security czar, and maintaining trust needs an active approach from all stakeholders.

Starting off with how our Continue reading

Least Privilege Container Orchestration

The Docker platform and the container has become the standard for packaging, deploying, and managing applications. In order to coordinate running containers across multiple nodes in a cluster, a key capability is required: a container orchestrator.

container orchestrator

Orchestrators are responsible for critical clustering and scheduling tasks, such as:

  • Managing container scheduling and resource allocation.
  • Support service discovery and hitless application deploys.
  • Distribute the necessary resources that applications need to run.

Unfortunately, the distributed nature of orchestrators and the ephemeral nature of resources in this environment makes securing orchestrators a challenging task. In this post, we will describe in detail the less-considered—yet vital—aspect of the security model of container orchestrators, and how Docker Enterprise Edition with its built-in orchestration capability, Swarm mode, overcomes these difficulties.

Motivation and threat model

One of the primary objectives of Docker EE with swarm mode is to provide an orchestrator with security built-in. To achieve this goal, we developed the first container orchestrator designed with the principle of least privilege in mind.

In computer science,the principle of least privilege in a distributed system requires that each participant of the system must only have access to  the information and resources that are necessary for its legitimate purpose. No Continue reading

“Responsible encryption” fallacies

Deputy Attorney General Rod Rosenstein gave a speech recently calling for "Responsible Encryption" (aka. "Crypto Backdoors"). It's full of dangerous ideas that need to be debunked.

The importance of law enforcement

The first third of the speech talks about the importance of law enforcement, as if it's the only thing standing between us and chaos. It cites the 2016 Mirai attacks as an example of the chaos that will only get worse without stricter law enforcement.

But the Mira case demonstrated the opposite, how law enforcement is not needed. They made no arrests in the case. A year later, they still haven't a clue who did it.

Conversely, we technologists have fixed the major infrastructure issues. Specifically, those affected by the DNS outage have moved to multiple DNS providers, including a high-capacity DNS provider like Google and Amazon who can handle such large attacks easily.

In other words, we the people fixed the major Mirai problem, and law-enforcement didn't.

Moreover, instead being a solution to cyber threats, law enforcement has become a threat itself. The DNC didn't have the FBI investigate the attacks from Russia likely because they didn't want the FBI reading all their files, finding wrongdoing by the Continue reading

“Keep those eyebrows up!” – Cybersecurity at the Global Women’s Forum

News of cyberattacks is slowly becoming a new normal. We are still at a stage where high-profile cases, like the recent attack against the American credit reporting company Equifax, in which 145.5 million users had their personal information compromised, raise eyebrows. But we need those eyebrows to stay up because we should never accept cyber threats as the new normal.

This week in Paris, hundreds of leaders met at the Women’s Forum to discuss some of the key issues that will shape the future of a world in transition, including cybersecurity. But this topic is not just a concern for the experts – it’s a concern to all men and women leading any business today.

New risks on the horizon

A recent report by the Internet Society, “Paths to Our Digital Future”, points out that now is a big moment for the Internet. The revolution we already see could accelerate in the coming years, not only due to the increasing digitalization of services and businesses, but also through the expansion of objects being connected to the Internet – the Internet of Things (IoT). By 2020 more than 20 billion “things” could be connected.

Suddenly it’s not only Continue reading

IPv6, DNSSEC, Security and More at ION Malta

The Deploy360 team is back from ION Malta, which took place on 18 September alongside an ICANN DNSSEC Training Workshop. We again thank our sponsor Afilias for making this possible, and are now working toward our final ION Conference of the year, ION Belgrade in November. All the presentations from ION Malta are available online.

I opened the event with an introduction to Deploy360 and an invitation for everyone to get involved with the Internet Society’s 25th anniversary the next day. We also heard from Jasper Schellekens, the president of the ISOC Malta Chapter about their activities and how to get more involved. They have a small but mighty presence in Malta and are looking forward to getting more members and increasing their activity.

Next, Nathalie Trenaman from RIPE NCC gave a fascinating presentation on the status of IPv6 in Malta. Unfortunately, IPv6 penetration in Malta is extremely low, but ISPs are transferring IPv4 address space around and, interestingly, have purchased over 30,000 IPv4 addresses from Romania. She encouraged ISPs to begin moving to IPv6 now, as RIPE NCC estimates that full transition takes about 2.5 years to complete.

Next up, Klaus Nieminen from the Finnish Communications Continue reading

1 110 111 112 113 114 177