0

Senate Bill Would Ban Hard-Coded Passwords in IoT Devices

Devices purchased by the U.S. government would have to comply with new security rules.

0

Talari Adds WAN Opt and Bolsters SD-WAN Security

Talari inherited its WAN optimization technology by acquiring an unknown vendor.

0

The Network at the Heart of Data Center Modernization

The hybrid cloud sits at the core of compute and storage efforts.

0

Top 10 Most Obvious Hacks of All Time (v0.9)

For teaching hacking/cybersecurity, I thought I'd create of the most obvious hacks of all time. Not the best hacks, the most sophisticated hacks, or the hacks with the biggest impact, but the most obvious hacks -- ones that even the least knowledgeable among us should be able to understand. Below I propose some hacks that fit this bill, though in no particular order.

The reason I'm writing this is that my niece wants me to teach her some hacking. I thought I'd start with the obvious stuff first.

Shared Passwords

If you use the same password for every website, and one of those websites gets hacked, then the hacker has your password for all your websites. The reason your Facebook account got hacked wasn't because of anything Facebook did, but because you used the same email-address and password when creating an account on "beagleforums.com", which got hacked last year.

I've heard people say "I'm sure, because I choose a complex password and use it everywhere". No, this is the very worst thing you can do. Sure, you can the use the same password on all sites you don't care much about, but for Facebook, your email account, and your bank, Continue reading

0

Container Developers Viewed as New Security Attack Targets

A shadow container attack on Docker was used as an example.

0

Cato Adds Security to its SD-WAN Cloud

Cato's security services sit in the cloud, rather than an appliance.

0

Is DefCon Wifi safe?

DEF CON is the largest U.S. hacker conference that takes place every summer in Las Vegas. It offers WiFi service. Is it safe?

Probably.

The trick is that you need to download the certificate from https://wifireg.defcon.org and import it into your computer. They have instructions for all your various operating systems. For macOS, it was as simple as downloading "dc25.mobileconfig" and importing it.

I haven't validated the DefCon team did the right thing for all platforms, but I know that safety is possible. If a hacker could easily hack into arbitrary WiFi, then equipment vendors would fix it. Corporations widely use WiFi -- they couldn't do this if it weren't safe.

The first step in safety is encryption, obviously. WPA does encryption well, you you are good there.

The second step is authentication -- proving that the access-point is who it says it is. Otherwise, somebody could setup their own access-point claiming to be "DefCon", and you'd happily connect to it. Encrypted connect to the evil access-point doesn't help you. This is what the certificate you download does -- you import it into your system, so that you'll trust only the "DefCon" access-point that has Continue reading

0

Fortinet Posts Solid Q2, Stock Sags as Investors Wanted More

Stock price has sunk nearly 8 percent since results were released.

0

Gigamon Revenue is Down, But It’s Bullish on New Products

The new products have boosted the company's outlook.

0

Are Hosted Orchestration Platforms More Secure Than Going it Alone?

Docker Swarm seen as the "gold standard" in terms of security and simplicity.

0

Big Switch Networks Closes $30.7M in Funding

The company plans to double its headcount by the end of the year.

0

Latest OpenFlow Combo with Open vSwitch Shows Security Chops

Test results indicate SDN controllers can enhance network security.

0

Facebook CSO Lobbies for InfoSec Compassion, Diversity at Black Hat

Stamos said public cloud security research likely hindered uptake.

0

Slowloris all the things

At DEFCON, some researchers are going to announce a Slowloris-type exploit for SMB -- SMBloris. I thought I'd write up some comments.


The original Slowloris from several years creates a ton of connections to a web server, but only sends partial headers. The server allocates a large amount of memory to handle the requests, expecting to free that memory soon when the requests are completed. But the requests are never completed, so the memory remains tied up indefinitely. Moreover, this also consumes a lot of CPU resources -- every time Slowloris dribbles a few more bytes on the TCP connection is forces the CPU to walk through a lot of data structures to handle those bytes.

The thing about Slowloris is that it's not specific to HTTP. It's a principle that affects pretty much every service that listens on the Internet. For example, on Linux servers running NFS, you can exploit the RPC fragmentation feature in order to force the server to allocate all the memory in a box waiting for fragments that never arrive.

SMBloris does the same thing for SMB. It's an easy attack to carry out in general, the only question is how much resources are required Continue reading

0

Lacework Bolsters Cloud Security Platform, Adds Docker Support

Docker security tracks all container runtime activity.

0

Partnering with an MSSP for a More Secure Digital Business

Using an MSSP means that organizations don’t have to hire security manpower

0

Big Data Provider Cloudwick Launches Security Analytics Platform

Intel helped fund the security product development.

0

Defending anti-netneutrality arguments

Last week, activists proclaimed a "NetNeutrality Day", trying to convince the FCC to regulate NetNeutrality. As a libertarian, I tweeted many reasons why NetNeutrality is stupid. NetNeutrality is exactly the sort of government regulation Libertarians hate most. Somebody tweeted the following challenge, which I thought I'd address here.

@ErrataRob I'd like to see you defend your NN stance in this context.https://t.co/2yvwMLo1m1https://t.co/a7CYxd9vcW

— Tanner Bennett (@NSExceptional) July 21, 2017

The links point to two separate cases.

• the Comcast BitTorrent throttling case
• a lawsuit against Time Warning for poor service

0

Cisco Security Report: 34% of Service Providers Lost Revenue from Attacks

Beware of destruction of service (DeOS) attacks.

0

Transforming IT Security in Three Key Steps

Several years ago, the CEO of a Fortune 100 company remarked: “If you went to bed last night as an industrial company, you’re going to wake up this morning as a software and analytics company.”

Today, these words are more true than ever—but so is the reality that the digital transformation in business has also given rise to significant changes across the IT landscape and, in turn, significant new challenges for IT security.

As people, devices, and objects become more connected, protecting all these connections and environments has become a top priority for many IT organizations. At the same time, it’s also become one of their biggest challenges. Securing each and every interaction between users, applications, and data is no easy feat—especially when you consider that securing these interactions needs to be done across environments that are constantly changing and increasingly dynamic.

So how do you mitigate risk in a world where IT complexity and “anytime, anywhere” digital interactions are growing exponentially? For organizations that are embracing cloud and virtualized environments, three common-sense steps—enabled by a ubiquitous software layer across the application infrastructure and endpoints that exists independently of the underlying physical infrastructure—are proving to be key for providing Continue reading