Archive

Category Archives for "Security"

Leverage Micro-Segmentation to Build a Zero Trust Network

Applications are a vital component of your business…but are your applications and data safe? Have you considered implementing a Zero Trust model at your organization to protect your vital resources? Join this hour-long webcast on Tuesday, September 29, 2015 at 11:00 AM PST / 2:00 PM EST to find out how to leverage micro-segmentation to build a true Zero Trust data center network.

Join our guest speaker, John Kindervag, VP and Principal Analyst at Forrester Research, as he discusses the results of the August 2015 commissioned research study, “Leverage Micro-segmentation To Build A Zero Trust Network”, conducted on behalf of VMware. Kindervag will cover Forrester’s three key findings from the study:

  • Security gaps and disconnects are the unfortunate norm across Enterprises today.
  • Network virtualization helps to reduce risk and supports a higher-level security strategy.
  • Micro-segmentation provided through network virtualization paves the way for implementing a Zero Trust model.

Protecting your data doesn’t have to be difficult! Reserve your spot for this webcast today.

Micro-Segmentation and Security at Tribune Media

And to learn more about how other leading organizations are using micro-segmentation to build a Zero Trust Model, watch the video below from David Giambruno, CIO of Continue reading

Information wants to be protected: Security as a mindset

I was teaching a class last week and mentioned something about privacy to the students. One of them shot back, “you’re paranoid.” And again, at a meeting with some folks about missionaries, and how best to protect them when trouble comes to their door, I was again declared paranoid. In fact, I’ve been told I’m paranoid after presentations by complete strangers who were sitting in the audience.

Okay, so I’m paranoid. I admit it.

But what is there to be paranoid about? We’ve supposedly gotten to the point where no-one cares about privacy, where encryption is pointless because everyone can see everything anyway, and all the rest. Everyone except me, that is—I’ve not “gotten over it,” nor do I think I ever will. In fact, I don’t think any engineer should “get over it,” in terms of privacy and security. Even if you think it’s not a big deal in your own life, engineers should learn to treat other people’s information with the utmost care.

In moving from the person to the digital representation of the person, we often forget it’s someone’s life we’re actually playing with. I think it’s time for engineers to take security—and privacy—personally. It’s time Continue reading

What’s that drama?

The infosec community is known for its drama on places like Twitter. People missing the pieces can't figure out what happened. So I thought I'd write up the latest drama.

It starts with "Wesley McGrew" (@McGrewSecurity), an assistant professor at Mississippi State. He's been a frequent source of infosec drama for years now. Since I, myself, don't shy away from drama, I can't say that he's necessarily at fault; I'm just pointing out that he's been involved in several Big Infosec Drama Blowups.

Then there is "Adrian Crenshaw" (@irongeeek_adc) (aka. "Irongeek") who maintains a website http://irongeek.com, which hosts a lot of infosec videos. He'll work with conferences to make sure talks get recorded and uploaded to his site. A lot of smaller cons host their video there. If you frequently watch infosec videos, then you know the site.


I think this specific drama started back in April, when Irongeek made this April Fool's joke:
https://twitter.com/McGrewSecurity/status/583250910387789824

Many, most especially McGrew, criticized Irongeek for this, claiming it was an "unfunny slap to women in security".

I don't know when it happened, but Irongeek punished McGrew by blocking students from McGrew's university, Mississippi State. This was noticed last week.

https://twitter. Continue reading

Some notes on satellite C&C

Wired and Ars Technica have some articles on malware using satellites for command-and-control. The malware doesn't hook directly to the satellites, of course. Instead, it sends packets to an IP address of a known satellite user, like a random goat herder in the middle of the wilds of Iraq. Since the satellites beam down to earth using an unencrypted signal, anybody can eavesdrop on it. Thus, while malware sends packets to that satellite downlink in Iraq, it's actually a hacker in Germany who receives them.

This is actually fairly old hat. If you look hard enough, somewhere (I think Google Code), you'll find some code I wrote back around 2011 for extracting IP packets from MPEG-TS streams, for roughly this purpose.

My idea was to use something like masscan, where I do a scan of the Internet from a fast data center, but spoof that goat herder's IP address. Thus, everyone seeing the scan would complain about that IP address instead of mine. I would see all the responses by eavesdropping on that satellite connection.

This doesn't work in Europe and the United States. These markets use more expensive satellites which not only support encryption, but also narrow "spot Continue reading

Organizations Can Be Twice As Secure at Half the Cost

Last week at VMworld, Pat Gelsinger made a statement that got folks buzzing. During his keynote, he said that integrating security into the virtualization layer would result in organizations being twice as secure at half the cost. As a long-time security guy, statements like that can seem a little bold, but VMware has data, and some proven capability here in customer environments.

We contend that the virtualization layer is increasingly ubiquitous. It touches compute, network, and storage – connects apps to infrastructure – and spans data center to device. More importantly, virtualization enables alignment between the things we care about (people, apps, data) and the controls that can protect them (not just the underlying infrastructure).

Let me speak to the statement from the data center network side with some real data. VMware has a number of VMware NSX customers in production that have deployed micro-segmentation in their data centers. Here’s what we found:

  1. 75% of data center network traffic is East-West, moving VM to VM regardless of how convoluted the path may be.
  2. Nearly all security controls look exclusively at North-South traffic, which is the traffic moving into and out of the data center; 90% of East-West traffic never Continue reading

Helping refugees would enrich ourselves

This website is for those who want to share their apartment with a refugee. You don't even have to pay -- refugee organizations will pay their share of the rent. This is frankly awesome.

I grew up around refugees. Our neighbors were refugees from south Vietnam. They flew out with the fleeing American troops as the South Vietnamese government collapsed. They got onto an overloaded helicopter that had barely enough fuel to reach the aircraft carrier off the coast. That helicopter was then dumped overboard, to make room for more arriving refugees and American troops.

Because my father was a journalist reporting on El Salvadoran refugees, we became life-long friends with one of those families. She was a former education minister, he was a former businessman. It was "suggested" that she resign from government. One night, while driving home, a paramilitary roadblock stopped them. Men surrounded the car and pointed guns at them. The leader then said "wait, they've got children in the back", at which point the men put down their guns and fled. In other words, they should be dead. They fled to the United States soon after, and hid in a church basement. Since El Salvador was Continue reading

Review: Rick and Morty

The best sci-fi on television right now is an animated series called Rick and Morty on the Cartoon Network.

You might dismiss it, as on the surface it appears to be yet another edgy, poorly-drawn cartoon like The Simpsons or South Park. And in many ways, it is. But at the same time, hard sci-fi concepts infuse each episode. Sometimes, it's a parody of well-known sci-fi, such as shrinking a ship to voyage through a body. In other cases, it's wholly original sci-fi, such as creating a parallel "micro" universe whose inhabitants power your car battery. At least I think it's original. It might be based on some obscure sci-fi story I haven't read. Also, the car battery episode is vaguely similar to William Gibson's latest cyberpunk book "The Peripheral".

My point is this. It's got that offensive South Park quality that I love, but mostly, what I really like about the series is its hard sci-fi stories, and the way it either parodies or laughs at them. I know that in next year's "Mad Kitties" slate, I'm definitely going to write in Rick and Morty for a Hugo Award.

Why licensing wouldn’t work

Would you allow an unlicensed doctor to operate on you? Many argue that cybersecurity professionals, and even software programmers, should be licensed by the government similar to doctors. The above question is the basis for their argument.

But this is bogus. The government isn't competent to judge doctors. It licenses a lot of bad doctors. It'll even give licenses to people who plainly aren't doctors. For example, in the state of Oregon, "naturopaths" (those practicing "natural", non-traditional medicine) can be licensed to be your primary care provider, prescribe medicines, and so on. Instead of guaranteeing "good" professionals, licensing gives an official seal of approval to "bad" practitioners. Naturopathy is, of course, complete nonsense, and Oregon politicians are a bunch of morons. (See the Portlandia series -- it's a documentary, not fiction).

Professions like licensing not because it improves the quality of the profession, but because it reduces competition. The steeper the licensing requirements, the more it keeps outsiders out. This allows the licensed to charge higher fees. This is why even bogus occupations like "hairdressers" seek licensing -- so they can charge more money.

Since different states license different occupations, we have a nice experimental laboratory to measure Continue reading

Yes, they just droned a hacker

Many are disputing the recent story about a drone strike that targeted the hacker TriCk from the Anonymous group TeaMp0isoN. They claim instead that the guy, Junaid Hussain, was targeted because he was a major recruiter for ISIS/Daesh. There is some truth to this criticism, but at the same time, the hacker angle cannot be removed from this story.

The Pentagon has confirmed that one reason they targeted Junaid Hussain was his hacking activities. The AP story quotes the Central Command as saying:
"This individual was very dangerous. He had significant technical skills."
The truth of the matter is more complicated. It's unlikely Junaid Hussain actually had "significant technical skills". He was probably a "script kiddy", one of the many low-skilled hackers that form the bulk of Anonymous-style hacking groups. The actual hacks were minor. He may have hacked the CENTCOM Twitter accounts, but it's unlikely he actually hacked anything of military consequence.

Like many in Anonymous, his primary skills were propaganda and mastery of social media. He was in contact with one of the "Mohamed Cartoon" killers in Texas, for example. According to news reports, it was his use of social media in "inspiring" others Continue reading

Cross vCenter Networking & Security with VMware NSX

NSX 6.2 was released on August 20, 2015. One of the key features in NSX 6.2 is Cross vCenter Networking and Security. This new capability scales NSX vSphere across vCenter boundaries. Now, one can span logical networking and security constructs across vCenter boundaries irrespective of whether the vCenters are in adjacent racks or across datacenters (up to 150ms apart). This enables us to solve a variety of use cases including:

  • Capacity pooling across vCenters
  • Simplifying data center migrations
  • Cross vCenter and long distance vMotion
  • Disaster recovery

With Cross vCenter Networking & Security one can extend logical switches (VXLAN networks) across vCenter boundaries enabling a layer 2 segment to span across VCs even when the underlying network is a pure IP / L3 network. However, the big innovation here is that with NSX we can also extend distributed routing and distributed firewalling seamlessly across VCs to provide a comprehensive solution as seen in the figure below.

(Figure: Cross vCenter Networking and Security)

Of course, there are more details behind how this feature works and how we solve some really cool challenges in a simple, elegant manner with network virtualization, which we will cover at VMworld 2015 in the session NET5989. In the meanwhile, if Continue reading

VMware NSX 6.2: Enterprise Automation, Security and Application Continuity

VMworld 2015 in San Francisco marks the two-year anniversary of the launch of VMware NSX. Since we originally launched, we have taken the promise of NSX and turned it into a platform that customers around the world are using to transform the operations of their data center networks and security infrastructure – in fact, more than 700 customers have chosen NSX. We also have more than 100 production deployments, and more than 65 customers have invested more than $1M of their IT budgets in NSX. We’ve trained more than 3,500 people on NSX, and we have more than 20 interoperable partner solutions generally available and shipping today.

Perhaps what’s most exciting is that at this year’s show, we will have more than two dozen NSX customers represented in various forums throughout the event. Organizations such as Baystate Health, City of Avondale, ClearDATA, Columbia Sportswear, DirecTV, FireHost, George Washington University, Heartland Payment Systems, IBM, IlliniCloud, NovaMedia, Rent-A-Center, Telstra, Tribune Media, United Health Group, University of New Mexico…the list goes on.

And as the capstone, we get to debut VMware NSX 6.2 at the show. So let’s take a deeper look at what we’ve learned from our customers and what’s new Continue reading

About the systemd controversy…

As a troll, one of my favorite targets is "systemd", because it generates so much hate on both sides. For bystanders, I thought I'd explain what that is. To begin with, I'll give a little background.

An operating-system like Windows, Mac OS X, and Linux comes in two parts: a kernel and userspace. The kernel is the essential bit, though on the whole, most of the functionality is in userspace.

The word "Linux" technically only refers to the kernel itself. There are many optional userspaces that go with it. The most common is called BusyBox, a small bit of userspace functionality for the "Internet of Things" (home routers, TVs, fridges, and so on). The second most common is Android (the mobile phone system), with a Java-centric userspace on top of the Linux kernel. Finally, there are the many Linux distros for desktops/servers like RedHat Fedora and Ubuntu -- the ones that power most of the servers on the Internet. Most people think of Linux in terms of the distros, but in practice, they are a small percentage of the billions of BusyBox and Android devices out there.

The first major controversy in Linux was the use of Continue reading

No, this isn’t good code

I saw this tweet go by. No, I don't think it's good code:

What this code is trying to solve is the "integer overflow" vulnerability. I don't think it solves the problem well.

The first problem is that the result is undefined. Some programmers will call safemulti_size_t() without checking the result. When they do, the code will behave differently depending on the previous value of *res. Instead, the code should return a defined value in this case, such as zero or SIZE_MAX. Knowing that this sort of thing will usually be used for memory allocations, which you want to have fail, then a good choice would be SIZE_MAX.

The worse problem is integer division. On today's Intel processors, integer multiplication takes a single clock cycle, but integer division takes between 40 and 100 clock cycles. Since you'll be usually dividing by small numbers, it's likely to be closer to 40 clock cycles rather than 100, but that's still really bad. If your solution to security problems is by imposing unacceptable tradeoffs, then you are doing security wrong. If you introduced this level of performance Continue reading
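The tweet's code is not reproduced on this page. As an added example (not the post's or the tweet's code), here is a size_t multiply that follows the post's two points: it returns a defined SIZE_MAX on overflow, so a caller that ignores the flag still hands an unallocatable size to malloc(), and it avoids the per-call division by using the GCC/Clang __builtin_mul_overflow builtin, shown beside the division-based version for comparison.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Division-based check (the style the post criticizes): correct, but every
 * call pays for a size_t division. Both versions return SIZE_MAX on overflow
 * so a caller that ignores the flag still gets an allocation failure. */
static size_t safe_mul_div(size_t a, size_t b, bool *overflowed)
{
    if (b != 0 && a > SIZE_MAX / b) {
        *overflowed = true;
        return SIZE_MAX;
    }
    *overflowed = false;
    return a * b;
}

/* Same contract with no division: __builtin_mul_overflow (GCC and Clang)
 * compiles to a multiply followed by a check of the CPU overflow flag. */
static size_t safe_mul(size_t a, size_t b, bool *overflowed)
{
    size_t res;
    if (__builtin_mul_overflow(a, b, &res)) {
        *overflowed = true;
        return SIZE_MAX;
    }
    *overflowed = false;
    return res;
}

/* Cross-check the two implementations on constructed inputs, including the
 * boundary where the product first exceeds SIZE_MAX. True if they agree. */
static bool implementations_agree(void)
{
    const size_t pairs[][2] = {
        {6, 7}, {0, SIZE_MAX}, {SIZE_MAX, 1},
        {SIZE_MAX / 2, 2}, {SIZE_MAX / 2 + 1, 2}, {SIZE_MAX, SIZE_MAX},
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
        bool o1, o2;
        size_t r1 = safe_mul_div(pairs[i][0], pairs[i][1], &o1);
        size_t r2 = safe_mul(pairs[i][0], pairs[i][1], &o2);
        if (r1 != r2 || o1 != o2)
            return false;
    }
    return true;
}
```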