Archive

Category Archives for "Security"

Security Is Bananas

I think we’ve reached peak bombshell report discussion at this point. It all started this time around with the big news from Bloomberg that China implanted spy chips into SuperMicro boards in the assembly phase. Then came the denials from Amazon and Apple and even SuperMicro. Then started the armchair quarterbacking from everyone, including TechCrunch. From bad sources to lack of technical details all the way up to the crazy conspiracy theories that someone at Bloomberg was trying to goose their quarterly bonus with a short sale or that the Chinese planted the story to cover up future hacking incidents, I think we’ve covered the entire gamut of everything that the SuperMicro story could and couldn’t be.

So what more could there be to say about this? Well, nothing about SuperMicro specifically. But there’s a lot to say about the fact that we were both oblivious and completely unsurprised about an attack on the supply chain of a manufacturer. While the story moved the stock markets pretty effectively for a few days, none of the security people I’ve talked to were shocked by the idea of someone with the power of a nation state inserting themselves into the supply chain …

Leave your VPN and cURL secure APIs with Cloudflare Access


We built Access to solve a problem here at Cloudflare: our VPN. Our team members hated the slowness and inconvenience of the VPN, but that wasn’t the issue we needed to solve. The security risks posed by a VPN required a better solution.

VPNs punch holes in the network perimeter. Once inside, individuals can access everything. This can include critically sensitive content like private keys, cryptographic salts, and log files. Cloudflare is a security company; this situation was unacceptable. We needed a better method that gives every application control over precisely who is allowed to reach it.

Access meets that need. We started by moving our browser-based applications behind Access. Team members could connect to applications faster, from anywhere, while we improved the security of the entire organization. However, we weren’t yet ready to turn off our VPN as some tasks are better done through a command line. We cannot #EndTheVPN without replacing all of its use cases. Reaching a server from the command line required us to fall back to our VPN.

Today, we’re releasing a beta command line tool to help your team, and ours. Before we started using this feature at Cloudflare, curling a server required me to …

The Why of Security

Security is a field of questions. We find ourselves asking all kinds of them all the time. Who is trying to get into my network? What are they using? How can I stop them? But I feel that the most important question is the one we ask the least. And the answer to that question provides the motivation to really fix problems while conserving the effort necessary to do so.

The Why’s Old Sage

If you’re someone with kids, imagine a conversation like this one for a moment:

Your child runs into the kitchen with a lit torch in their hands and asks “Hey, where do we keep the gasoline?”

Now, some of you are probably laughing. And some of you are probably imagining all kinds of crazy going on here. But I’m sure that most of you probably started asking a lot of questions like:

  • Why does my child have a lit torch in the house?
  • Why do they want to know where the gasoline is?
  • Why do they want to put these two things together?
  • Why am I not stopping this right now?

Usually, the rest of the Five Ws follow …

Are you ready? How to prepare for the DNSSEC Root KSK Rollover on October 11, 2018


Are you ready? Are your systems prepared so that DNS will keep functioning for your networks? One week from today, on Thursday, October 11, 2018, at 16:00 UTC, ICANN will change the cryptographic key that is at the center of the DNS security system – what we call DNSSEC. The current key has been in place since July 15, 2010. This is a long-planned replacement.

If everything goes fine, you should not notice and your systems will all work as normal. However, if your DNS resolvers are not ready to use the new key, your users may not be able to reach many websites, send email, use social media or engage in other Internet activities!

This change of the central security key for DNS is known as the “Root Key Signing Key (KSK) Rollover”. It has been in discussion and planning since 2013. We’ve written many articles about it and spoken about it at many conferences, as have many others in the industry. ICANN has a page with many links and articles at:

But here we are, with only a few days left, and you may be wondering – how can I know if my systems …

Notes on the Bloomberg Supermicro supply chain hack story

Bloomberg has a story about how Chinese intelligence inserted secret chips into servers bound for America. There are a couple of issues with the story I wanted to address.

The story is based on anonymous sources, and not even good anonymous sources. An example is this attribution:

“a person briefed on evidence gathered during the probe says”

That means somebody not even involved, but somebody who heard a rumor. It also doesn't mean the person even had sufficient expertise to understand what they were being briefed about.

The technical detail that's missing from the story is that the supply chain is already messed up with fake chips rather than malicious chips. Reputable vendors spend a lot of time ensuring quality, reliability, tolerances, ability to withstand harsh environments, and so on. Even the simplest of chips can command a price premium when they are well made.

What happens is that other companies make clones that are cheaper and lower quality. They are just good enough to pass testing, but fail in the real world. They may not even be completely fake chips. They may be bad chips the original manufacturer discarded, or chips the night shift at the factory secretly ran through on the …

National Cybersecurity Awareness Month = International IoT Security and Privacy Month

October is National Cybersecurity Awareness Month, and as part of our work with the Online Trust Alliance and our Internet of Things (IoT) campaign, we think October also deserves another label… International IoT Security and Privacy Month. There are a number of significant activities and developments related to security and privacy. Here are a few highlights of what’s happening, how we are participating, and how you can get involved.
