Archive

Category Archives for "Security"

Not Your Mama’s Security Architecture (Thwack)

It puts a firewall at the edge of the network or it gets the hose again. Think that’s still how security works? I don’t think so, my friend.

On the Solarwinds Thwack Geek Speak blog I look at how security architectures have changed from when our Mama used to create them, and I even take a moment to mention Greg Ferro (because, well, why not). Please do take a trip to Thwack and check out my post, “Not Your Mama’s Security Architecture“.

Not Your Mama's Security Architecture

 

Please see my Disclosures page for more information about my role as a Solarwinds Ambassador.

If you liked this post, please do click through to the source at Not Your Mama’s Security Architecture (Thwack) and give me a share/like. Thank you!

Nuage Networks Q&A: Automated Analytics and Remediation for Cloud-based Security Services

Thanks to all who joined us for the Nuage Networks 2017 SDx Infrastructure Security Report Webinar, Automated Analytics and Remediation for Cloud-based Security Services. During the webinar Nuage Networks discussed how their VSP delivers an SDN solution with built-in security capabilities that combines scale, performance and flexibility in a single, boundary-less platform without compromising security or... Read more →

CYA! Cover Your Assets (By Securing Them) (Thwack)

Still using local accounts for device access? Don’t know what a Term Process is? You need to CYA!

On the Solarwinds Thwack Geek Speak blog I looked at a variety of security (and related) features which should be configured on all devices. Please do take a trip to Thwack and check out my post, “CYA! Cover Your Assets (By Securing Them)“.

CYA! Cover Your Assets (By Securing Them)

 

Please see my Disclosures page for more information about my role as a Solarwinds Ambassador.

If you liked this post, please do click through to the source at CYA! Cover Your Assets (By Securing Them) (Thwack) and give me a share/like. Thank you!

Microcell through a mobile hotspot

I accidentally acquired a tree farm 20 minutes outside of town. For utilities, it gets electricity and basic phone. It doesn't get water, sewer, cable, or DSL (i.e. no Internet). Also, it doesn't really get cell phone service. While you can get SMS messages up there, you usually can't get a call connected, or hold a conversation if it does.

We have found a solution -- an evil solution. We connect an AT&T "Microcell", which provides home cell phone service through your Internet connection, to an AT&T Mobile Hotspot, which provides an Internet connection through your cell phone service.


Now, you may be laughing at this, because it's a circular connection. It's like trying to make a sailboat go by blowing on the sails, or lifting up a barrel to lighten the load in the boat.

But it actually works.

Since we get some, but not enough, cellular signal, we setup a mast 20 feet high with a directional antenna pointed to the cell tower 7.5 miles to the southwest, connected to a signal amplifier. It's still an imperfect solution, as we are still getting terrain distortions in the signal, but it provides a good Continue reading

Micro-segmentation of the Epic Electronic Health Records System with VMware NSX

authors – Geoff Wilmington, Mike Lonze

Healthcare organizations are focusing more and more on securing patient data.  With Healthcare breaches on the rise, penalties and fines for lost or stolen PHI and PII data is not only devastating to the patients, but to the Healthcare organization as well.  The Ponemon Institute Annual Benchmark Study on Privacy & Security of Healthcare Data has shown that nearly 50 percent of Healthcare organizations, up 5 percent from a previous study, that criminal attacks are the leading cause of Healthcare breaches.  [1]  With breaches on the rise and Healthcare organizations feeling the pain, how can we help Healthcare start layering security approaches on their most critical business applications that contain this highly critical data?

The principle of least privilege is to provide only the necessary minimal privileges for a process, user, or program to perform a task.  With NSX, we can provide a network least privilege for the applications that run on the vSphere hypervisor using a concept called Micro-segmentation. NSX places a stateful firewall at the virtual network card of every virtual machine allowing organizations to control very granularly how virtual machines communicate or don’t communicate with each Continue reading

Down the Rabbit Hole: The Making of Cloudflare Warp

Down the Rabbit Hole: The Making of Cloudflare Warp

In the real world, tunnels are often carved out from the mass of something bigger - a hill, the ground, but also man-made structures.

Down the Rabbit Hole: The Making of Cloudflare WarpCC BY-SA 2.0 image by Matt Brown

In an abstract sense Cloudflare Warp is similar; its connection strategy punches a hole through firewalls and NAT, and provides easy and secure passage for HTTP traffic to your origin. But the technical reality is a bit more interesting than this strained metaphor invoked by the name of similar predecessor technologies like GRE tunnels.

Relics

Generic Routing Encapsulation or GRE is a well-supported standard, commonly used to join two networks together over the public Internet, and by some CDNs to shield an origin from DDoS attacks. It forms the basis of the legacy VPN protocol PPTP.

Establishing a GRE tunnel requires configuring both ends of the tunnel to accept the other end’s packets and deciding which IP ranges should be routed through the tunnel. With this in place, an IP packet destined for any address in the configured range will be encapsulated within a GRE packet. The GRE packet is delivered directly to the other end of the tunnel, which removes the encapsulation and forwards the original Continue reading

Can IoT platforms from Apple, Google and Samsung make home automation systems more secure?

In August 2017, a new botnet called WireX appeared and began causing damage by launching significant DDoS attacks. The botnet counted tens of thousands of nodes, most of which appeared to be hacked Android mobile devices.

There are a few important aspects of this story.

First, tracking the botnet down and mitigating its activities was part of a wide collaborative effort by several tech companies. Researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru, and other organizations cooperated to combat this botnet. This is a great example of Collaborative Security in practice.

Second, while researchers shared the data, analysed the signatures, and were able to track a set of malware apps, Google played an important role in cleaning them up from the Play Store and infected devices.

Its Verify Apps is a cloud-based service that proactively checks every application prior to install to determine if the application is potentially harmful, and subsequently rechecks devices regularly to help ensure they’re safe. Verify Apps checks more than 6 billion instances of installed applications and scans around 400 million devices per day.

In the case of WireX, the apps had previously passed the checks. But thanks to the researcher’s findings, Google Continue reading

Browser hacking for 280 character tweets

Twitter has raised the limit to 280 characters for a select number of people. However, they left open a hole, allowing anybody to make large tweets with a little bit of hacking. The hacking skills needed are basic hacking skills, which I thought I'd write up in a blog post.


Specifically, the skills you will exercise are:

  • basic command-line shell
  • basic HTTP requests
  • basic browser DOM editing

The short instructions

The basic instructions were found in tweets like the following:

These instructions are clear to the average hacker, but of course, a bit difficult for those learning hacking, hence this post.

The command-line

The basics of most hacking start with knowledge of the command-line. This is the "Terminal" app under macOS or cmd.exe under Windows. Almost always when you see hacking dramatized in the movies, they are using the command-line.

5 years with home NAS/RAID

I have lots of data-sets (packet-caps, internet-scans), so I need a large RAID system to hole it all. As I described in 2012, I bought a home "NAS" system. I thought I'd give the 5 year perspective.


Reliability. I had two drives fail, which is about to be expected. Buying a new drive, swapping it in, and rebuilding the RAID went painless, though that's because I used RAID6 (two drive redundancy). RAID5 (one drive redundancy) is for chumps.

Speed. I've been unhappy with the speed, but there's not much I can do about it. Mechanical drives access times are slow, and I don't see any way of fixing that.

Cost. It's been $3000 over 5 years (including the two replacement drives). That comes out to $50/month. Amazon's "Glacier" service is $108/month. Since we all have the same hardware costs, it's unlikely that any online cloud storage can do better than doing it yourself.

Moore's Law. For the same price as I spent 5 years ago, I can now get three times the storage, including faster processors in the NAS box. From that perspective, I've only spent $33/month on storage, as the remaining third still has value.

Ease-of-use: The Continue reading

5 Reasons Why Attending the Transform Security Track at vForum Online is a Must

If you’ve been working in IT for the past few years, you know how much the security landscape has changed recently. Application infrastructures — once hosted in on-premises data centers — now sit in highly dynamic public and private multicloud environments. With the rise of mobile devices, bring-your-own-device (BYOD) policies, and Internet of Things (IoT), end-user environments are no longer primarily about corporately managed desktops. And attackers are growing more sophisticated by the day.

In such an atmosphere, traditional network perimeter security ceases to provide adequate protection.

That’s where the VMware solutions come in. At the heart of the solutions is a ubiquitous software layer across application infrastructure and endpoints that’s independent of the underlying physical infrastructure or location. To really understand how it works, you need to experience it for yourself. And the Transform Security track at vForum Online Fall 2017 on October 18th is the perfect opportunity. As our largest virtual conference, vForum Online gives IT professionals like yourself the chance to take a deep dive into VMware products with breakout sessions, chats with experts, and hands-on labs — all from the comfort of your own desk.

With this free half-day event just weeks away, it’s time to Continue reading

Geo Key Manager: How It Works

Today we announced Geo Key Manager, a feature that gives customers unprecedented control over where their private keys are stored when uploaded to Cloudflare. This feature builds on a previous Cloudflare innovation called Keyless SSL and a novel cryptographic access control mechanism based on both identity-based encryption and broadcast encryption. In this post we’ll explain the technical details of this feature, the first of its kind in the industry, and how Cloudflare leveraged its existing network and technologies to build it.

Keys in different area codes

Cloudflare launched Keyless SSL three years ago to wide acclaim. With Keyless SSL, customers are able to take advantage of the full benefits of Cloudflare’s network while keeping their HTTPS private keys inside their own infrastructure. Keyless SSL has been popular with customers in industries with regulations around the control of access to private keys, such as the financial industry. Keyless SSL adoption has been slower outside these regulated industries, partly because it requires customers to run custom software (the key server) inside their infrastructure.

Standard Configuration

Standard Configuration

Keyless SSL

Keyless SSL

One of the motivating use cases for Keyless SSL was the expectation that customers may not trust a third party like Cloudflare with their Continue reading

Introducing the Cloudflare Geo Key Manager

Introducing the Cloudflare Geo Key Manager

Introducing the Cloudflare Geo Key Manager

Cloudflare’s customers recognize that they need to protect the confidentiality and integrity of communications with their web visitors. The widely accepted solution to this problem is to use the SSL/TLS protocol to establish an encrypted HTTPS session, over which secure requests can then be sent. Eavesdropping is protected against as only those who have access to the “private key” can legitimately identify themselves to browsers and decrypt encrypted requests.

Today, more than half of all traffic on the web uses HTTPS—but this was not always the case. In the early days of SSL, the protocol was viewed as slow as each encrypted request required two round trips between the user’s browser and web server. Companies like Cloudflare solved this problem by putting web servers close to end users and utilizing session resumption to eliminate those round trips for all but the very first request.

Expanding footprint meets geopolitical concerns

As Internet adoption grew around the world, with companies increasingly serving global and more remote audiences, providers like Cloudflare had to continue expanding their physical footprint to keep up with demand. As of the date this blog post was published, Cloudflare has data centers in over 55 countries, and we continue Continue reading

A Day in the Life of a Docker Admin

About two months ago, we celebrated SysAdmin Day and kicked off our learning series for IT professionals. So far we’ve gone through the basics of containers and how containers are delivering value back to the company through cost savings. Now we begin the next stage of the journey by introducing how to deploy and operate containerized applications.

For the next few weeks, we are going to relate typical IT administrative tasks that many of you are familiar with to the tasks of a Docker admin. In the end, containerized applications are still applications and it is still primarily the responsibility of IT to secure and manage them. That is the same regardless of if the application runs in a container or not.

In this “A Day in the LIfe of a Docker Admin” series, we will discuss how common IT tasks translate to the world of Docker, such as:

  • Managing .NET apps and migrating them off Windows Server 2008
  • How networking with containers work and how to build an agile and secure network for containers
  • How to achieve a secure and compliant application environment for any industry
  • Integrating Docker with monitoring and logging tools

As a first step, let’s make Continue reading

People can’t read (Equifax edition)

One of these days I'm going to write a guide for journalists reporting on the cyber. One of the items I'd stress is that they often fail to read the text of what is being said, but instead read some sort of subtext that wasn't explicitly said. This is valid sometimes -- as the subtext is what the writer intended all along, even if they didn't explicitly write it. Other times, though the imagined subtext is not what the writer intended at all.


A good example is the recent Equifax breach. The original statement says:
Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers.
The word consumers was widely translated to customers, as in this Bloomberg story:
Equifax Inc. said its systems were struck by a cyberattack that may have affected about 143 million U.S. customers of the credit reporting agency
But these aren't the same thing. Equifax is a credit rating agency, keeping data on people who are not its own customers. It's an important difference.


Another good example is yesterday's quote "confirming" that Equifax is confirming the "Apache Struts" vulnerability was to blame:
Equifax has been intensely Continue reading
1 115 116 117 118 119 181