Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples
Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples Athalye et al., ICML’18
There has been a lot of back and forth in the research community on adversarial attacks and defences in machine learning. Today’s paper examines a number of recently proposed defences and shows that most of them rely on forms of gradient masking. The authors develop attack techniques to overcome such defences, and 9 analyse defences from ICLR 2018 claiming to protect against white-box attacks. 7 of these turn out to rely on obfuscated gradients, and 6 of these fall to the new attacks (and the other one partially succumbs). Athalye et al. won a best paper award at ICML’18 for this work.
One of the great things about work on adversarial attacks and defences, as we’ve looked at before, is that they illuminate the strengths and weaknesses of current technology. Depending on the threat model you choose, for my own part I’m currently of the opinion that we’re unlikely to find a robust adversarial defence without a more radical re-think of how we’re doing image classification. If we’re talking about the task of ‘find an image that doesn’t fool a human, but Continue reading
IBM Hackers, Cloud Security Alliance Take On IoT at Black Hat
Armis surveyed security professionals at Black Hat and found 93 percent expect nation-states will target or exploit connected devices in the next year. So it really feels like an understatement to say IoT security was a hot topic at the event.
Exabeam Scores $50M From Lightspeed, Cisco, Security Investor Shlomo Kramer
“We are on track to overtake Splunk and be the next SIEM market leader,” says CEO Nir Polak.
Cisco Execs: Cryptomining, Election Security Threats Loom Large
When asked to rank U.S. election security preparedness, Cisco’s director of threat management and incident response said “little to none.”
Research: Are We There Yet? RPKI Deployment Considered
The Resource Public Key Infrastructure (RPKI) system is designed to prevent hijacking of routes at their origin AS. If you don’t know how this system works (and it is likely you don’t, because there are only a few deployments in the world), you can review the way the system works by reading through this post here on rule11.tech.
The paper under review today examines how widely Route Origin Validation (ROV) based on the RPKI system has been deployed. The authors began by determining which Autonomous Systems (AS’) are definitely not deploying route origin validation. They did this by comparing the routes in the global RPKI database, which is synchronized among all the AS’ deploying the RPKI, to the routes in the global Default Free Zone (DFZ), as seen from 44 different route servers located throughout the world. In comparing these two, they found a set of routes which the RPKI system indicated should be originated from one AS, but were actually being originated from another AS in the default free zone.
TLS 1.3 – Internet Security Gets a Boost
Today marks the formal publication of an overhaul of the Transport Layer Security (TLS) protocol. TLS is an Internet standard used to prevent eavesdropping, tampering, and message forgery for various Internet applications. It is probably the most widely deployed network security standard in the world. Often indicated by the small green padlock in a web browser’s address bar1, TLS is used in financial transactions, by medical institutions, and to ensure secure connections in a wide variety of other applications.
We believe the new version of this protocol, TLS 1.3, published as RFC 8446, is a significant step forward towards an Internet that is safer and more trusted.
Under development for the past four years and approved by the Internet Engineering Task Force (IETF) in March 2018, TLS 1.3 addresses known issues with the previous versions and improves security and performance, in particular it is able to establish a session more quickly than its predecessors. Because it is more efficient, TLS 1.3 promises better performance for the billions of users and organizations that use TLS every day. As with every IETF standard, TLS 1.3 was developed through open processes and participation, and included contributions from scores of individuals.
A Detailed Look at RFC 8446 (a.k.a. TLS 1.3)
For the last five years, the Internet Engineering Task Force (IETF), the standards body that defines internet protocols, has been working on standardizing the latest version of one of its most important security protocols: Transport Layer Security (TLS). TLS is used to secure the web (and much more!), providing encryption and ensuring the authenticity of every HTTPS website and API. The latest version of TLS, TLS 1.3 (RFC 8446) was published today. It is the first major overhaul of the protocol, bringing significant security and performance improvements. This article provides a deep dive into the changes introduced in TLS 1.3 and its impact on the future of internet security.
An evolution
One major way Cloudflare provides security is by supporting HTTPS for websites and web services such as APIs. With HTTPS (the “S” stands for secure) the communication between your browser and the server travels over an encrypted and authenticated channel. Serving your content over HTTPS instead of HTTP provides confidence to the visitor that the content they see is presented by the legitimate content owner and that the communication is safe from eavesdropping. This is a big deal in a world where online privacy Continue reading
H3C Among Top Data Center Ethernet Switch Vendors, Says IHS Markit
Respondents to IHS Markit’s survey indicated they expect a 1.5x increase in the average number of physical servers in their data centers by 2019.
Alphabet’s Chronicle Exec Talks IoT Security
The security company that spun out of Alphabet’s secretive X research lab in January still hasn’t set a release date for its analytics platform.
Short Take – Give The Monkey A Smaller Club
In this Network Collective Short Take, Russ White takes a look at the impact of abstraction, complexity, and scale as they relate to the size and scope of attack surfaces presented to attackers.
Russ White
The post Short Take – Give The Monkey A Smaller Club appeared first on Network Collective.
Are We Seeing SD-WAN Washing?
You may have seen a tweet from me last week referencing a news story that Fortinet was now in the SD-WAN market:
It came as a shock to me because Fortinet wasn’t even on my radar as an SD-WAN vendor. I knew they were doing brisk business in the firewall and security space, but SD-WAN? What does it really mean?
SD Boxes
Fortinet’s claim to be a player in the SD-WAN space brings the number of vendors doing SD-WAN to well over 50. That’s a lot of players. But how did the come out of left field to land a deal rumored to be over a million dollars for a space that they weren’t even really playing in six months ago?
Fortinet makes edge firewalls. They make decent edge firewalls. When I used to work for a VAR we used them quite a bit. We even used their smaller units as remote appliances to allow us to connect to remote networks and do managed maintenance services. At no time during that whole engagement Continue reading
Quality of Experience Is What Distinguishes SD-WAN Products, Says NSS Labs
Fortinet bragged today that it was the only vendor with security capabilities to receive an SD-WAN recommended rating in the first NSS Labs software-defined wide area networking test report.
Microsoft- and Facebook-Led Cybersecurity Tech Accord Tackles Router Security
On the sidelines at Black Hat, a Microsoft exec said the Tech Accord is an example of how the company works with other technology vendors to advance security.
Google’s Project Zero Chief: Stop Playing Security Whack-A-Mole
During the Black Hat Keynote, Google’s Parisa Tabriz, who manages the Project Zero bug hunting team, urged tech companies to build coalitions to solve complex security problems.
That XKCD on voting machine software is wrong
The latest XKCD comic on voting machine software is wrong, profoundly so. It's the sort of thing that appeals to our prejudices, but mistakes the details.
Accidents vs. attack
The biggest flaw is that the comic confuses accidents vs. intentional attack. Airplanes and elevators are designed to avoid accidental failures. If that's the measure, then voting machine software is fine and perfectly trustworthy. Such machines are no more likely to accidentally record a wrong vote than the paper voting systems they replaced -- indeed less likely. The reason we have electronic voting machines in the first place was due to the "hanging chad" problem in the Bush v. Gore election of the year 2000. After that election, a wave of new, software-based, voting machines replaced the older inaccurate paper machines.
The question is whether software voting machines can be attacked. Well, if that's the measure, then airplanes aren't safe at all. Security against human attack consists of the entire infrastructure outside the plane, such as TSA forcing us to take off our shoes, to trade restrictions to prevent the proliferation of Stinger missiles.
Confusing the two, accidents vs. attack, is used here because it makes the reader feel superior. We Continue reading
Capsule8 Rides 1.0 Platform Launch to $15M Series B Funding
The company's CEO said the firm was not looking just yet at a Series B, but that reception to its platform sped up the process.
Network Collective: Security and Analytics
In this community roundtable, Eyvonne and I talk to Eric Osterweil about the increasing reliance on analytics in the realm of security.
Transforming Security in a Cloud and Mobile World – Security Showcase Session
Over the last several years, VMware has been heavily investing in technology and solutions to transform security. Our goal has been simple; leverage the virtual and mobile infrastructure to build security in – making it intrinsic, simple, aligned to applications and data, and infinitely more effective.
5 years ago, with NSX, we introduced the concept of micro-segmentation, enabling organizations to leverage network virtualization to compartmentalize their critical applications at a network level.
Last VMworld, we introduced VMware AppDefense, to protect the applications running on that virtual infrastructure. This enabled organizations to leverage server virtualization to ensure the only thing running is what the application intended – flipping the security model to “ensuring good” versus “chasing bad”
Meanwhile, our Workspace ONE team has been steadily building out their platform that leverages user infrastructure, to ensure only legitimate users can get access to critical applications from devices we can trust.
The momentum for NSX, AppDefense, and Workspace ONE has been growing exponentially. And our product teams have not been standing still. They’ve been hard at work on some incredible innovations and integrations.
Transforming Security in a Cloud and Mobile World
In my security showcase session, Transforming Security in Continue reading
What the Caesars (@DefCon) WiFi situation looks like
So I took a survey of WiFi at Caesar's Palace and thought I'd write up some results.When we go to DEF CON in Vegas, hundreds of us bring our WiFi tools to look at the world. Actually, no special hardware is necessary, as modern laptops/phones have WiFi built-in, while the operating system (Windows, macOS, Linux) enables “monitor mode”. Software is widely available and free. We still love our specialized WiFi dongles and directional antennas, but they aren’t really needed anymore.
It’s also legal, as long as you are just grabbing header information and broadcasts. Which is about all that’s useful anymore as encryption has become the norm -- we can pretty much only see what we are allowed to see. The days of grabbing somebody’s session-cookie and hijacking their web email are long gone (though the was a fun period). There are still a few targets around if you want to WiFi hack, but most are gone.
So naturally I wanted to do a survey of what Caesar’s Palace has for WiFi during the DEF CON hacker conference located there.
Here is a list of access-points (on channel 1 only) sorted by popularity, the number of stations using Continue reading