0

Weekend Reads 052518

Without adtech, the EU’s GDPR (General Data Protection Regulation) would never have happened. But the GDPR did happen, and as a result websites all over the world are suddenly posting notices about their changed privacy policies, use of cookies, and opt-in choices for “relevant” or “interest-based” (translation: tracking-based) advertising. Email lists are doing the same kinds of things. @Doc Searl’s Weblog

A newly-uncovered form of DDoS attack takes advantage of a well-known, yet still exploitable, security vulnerability in the Universal Plug and Play (UPnP) networking protocol to allow attackers to bypass common methods for detecting their actions. —Danny Palmer @ZDNet

Today, that’s coming in the form of imperceptible musical signals that can be used to take control of smart devices like Amazon’s Alexa or Apple’s Siri to unlock doors, send money, or any of the other things that we give these wicked machines the authority to do. That’s according to a New York Times report, which says researchers in China and the United States have proven that they’re able to “send hidden commands” to smart devices that are “undetectable to the human ear” simply by playing music. —Sam Barsanti @AVI News

In a paper we recently presented at the Passive Continue reading

0

Kip Compton’s Promotion Signals Bigger Cloud Strategy for Cisco

The cloud touches all parts of Cisco’s business making this an important investment area for the company.

0

Is There a Security Crisis in the Open Source Software Supply Chain?

Following the Equifax breach, which exploited an open source framework library, many organizations increased their security postures, but that doesn't mean that open source is safe to use again.

0

Nutanix CEO Talks ‘Sherlock’ Edge Platform, Blurred Lines Between Containers and VMs

Sherlock, a cloud-based platform-as-a-service, will target IoT use cases and verticals including retail, manufacturing, health care, and oil and gas.

0

Fortinet Security Fabric Connectors Automate Management for Multi-Vendor Environments

It does this through one-click integrations with partners including AWS, Cisco ACI, Google Cloud Platform, Microsoft Azure, and VMware NSX.

0

Podcast: Talking Data Privacy and GDPR with Todd M. Tolbert

“Let’s raise the bar on data privacy and make the Internet safer.”  With the imminent arrival of the EU’s General Data Protection Regulation (GDPR), this was one of the points raised by Todd M. Tolbert, our Chief Administrative Officer, in an episode of the Non-Profit Tech Podcast published yesterday. Hosted by fusionSpan’s Justin Burniske, the 35-minute episode covered a wide range of topics, including:

• the difference between data privacy and data protection
• Todd’s thinking about the value the GDPR brings in terms of thinking about data
• mistakes organizations make with regard to handling their data
• resources for organizations to do more
• how you can’t be liable for data that you don’t have in the first place
• asking the question… do you really need to keep those 700 email addresses that no longer work?

And, of course, Todd being who he is, there were some Texan things mixed in to the conversation as well. I very much enjoyed the episode and found it a useful contribution to the ongoing privacy discussions that tomorrow’s GDPR deadline has generated.

Some of the resources Todd shared included:

• Online Trust Alliance’s Online Trust Audit and Honor Roll
• Online Trust Alliance’s Cyber Incident Continue reading

0

FBI Takes On Russian Hackers, Seizes VPNFilter Malware Domain

The move essentially redirects the malware’s attacks to an FBI-controlled server.

0

The devil wears Pravda

Classic Bond villain, Elon Musk, has a new plan to create a website dedicated to measuring the credibility and adherence to "core truth" of journalists. He is, without any sense of irony, going to call this "Pravda". This is not simply wrong but evil.


Musk has a point. Journalists do suck, and many suck consistently. I see this in my own industry, cybersecurity, and I frequently criticize them for their suckage.

But what he's doing here is not correcting them when they make mistakes (or what Musk sees as mistakes), but questioning their legitimacy. This legitimacy isn't measured by whether they follow established journalism ethics, but whether their "core truths" agree with Musk's "core truths".

An example of the problem is how the press fixates on Tesla car crashes due to its "autopilot" feature. Pretty much every autopilot crash makes national headlines, while the press ignores the other 40,000 car crashes that happen in the United States each year. Musk spies on Tesla drivers (hello, classic Bond villain everyone) so he can see the dip in autopilot usage every time such a news story breaks. He's got good reason to be concerned about this.

He argues that autopilot is safer Continue reading

0

Cato Networks Adds Threat Hunting Capability To Its SD-WAN Service

Cato Networks adds a threat-hunting capability to its SD-WAN service to detect compromised devices on customer networks.

0

EMA Report: Network Management Teams Shift Focus to SD-WAN, SDN, and SDDC

SD-WAN is priority for enterprises that want to make their networks more automated.

0

Kata Containers 1.0 Launch Hones In On Security, Interoperability Fears

The project claims greater security than traditional containers by tapping into virtual machine schema but remains compatible with Docker and Kubernetes in the container ecosystem.

0

C is to low level

I'm in danger of contradicting myself, after previously pointing out that x86 machine code is a high-level language, but this article claiming C is a not a low level language is bunk. C certainly has some problems, but it's still the closest language to assembly. This is obvious by the fact it's still the fastest compiled language. What we see is a typical academic out of touch with the real world.

The author makes the (wrong) observation that we've been stuck emulating the PDP-11 for the past 40 years. C was written for the PDP-11, and since then CPUs have been designed to make C run faster. The author imagines a different world, such as where CPU designers instead target something like LISP as their preferred language, or Erlang. This misunderstands the state of the market. CPUs do indeed supports lots of different abstractions, and C has evolved to accommodate this.


The author criticizes things like "out-of-order" execution which has lead to the Spectre sidechannel vulnerabilities. Out-of-order execution is necessary to make C run faster. The author claims instead that those resources should be spent on having more slower CPUs, with more threads. This sacrifices single-threaded performance in exchange Continue reading

0

Cisco Warns Massive Russian Malware Attack Hit 500k Routers Globally

Security researchers tied the malware to a Russian group responsible for hacking incidents during the 2016 U.S. presidential campaign. 

0

Verizon Study: 15% of Enterprises Surveyed Are Deploying SDN

Many companies are looking at ways to accelerate their SDN adoption so they don’t risk falling behind.

0

Short Take: Security as a Tradeoff

We often treat security as an absolute, “that which must be done, and done perfectly, or is of no value at all.” It’s time to take this myth head on, and think about how we should really think about security.

0

Cato SD-WAN Hunts Down Threats With Zero-Footprint Data Aggregation

The company’s cloud-based SD-WAN platform upgraded its security offering by adding a threat hunting system that eliminates enterprises’ need to deploy data collection infrastructure and analyze raw data.

0

Securing the Multi-Cloud: It Takes a Village

Even enterprises not in a multi-cloud environment must begin making their security decisions with it in mind. If they don’t, they risk some of their decisions quickly becoming obsolete.

0

Spectre and Meltdown Chip Flaws Back From the Dead as ‘Variant 4’

Microsoft and Google security researchers disclosed the new bugs, which affect Intel, AMD, and ARM processors.

0

Lavelle Networks’ Shyamal Kumar Discusses SD-WAN and the Principles of B4

In this interview with Lavelle Networks CEO Shyamal Kumar he shares his views on SD-WAN and how Lavelle has incorporated some of the principles of B4 to create a pure networking software solution.

0

SafeKeeper: protecting web passwords using trusted execution environments

SafeKeeper: protecting web passwords using trusted execution environments Krawiecka et al., WWW’18

(If you don’t have ACM Digital Library access, the paper can be accessed either by following the link above directly from The Morning Paper blog site, or from the WWW 2018 proceedings page).

Today’s paper is all about password management for password protected web sites / applications. Even if we assume that passwords are salted and hashed in accordance with best practice (NIST’s June 2017 digital identity guidelines now mandate the use of keyed one-way functions such as CMAC), an adversary that can obtain a copy of the back-end database containing the per-user salts and the hash values can still mount brute force guessing attacks against individual passwords.

SafeKeeper goes a lot further in its protection of passwords. What really stands out is the threat model. SafeKeeper keeps end user passwords safe even when we assume that an adversary has unrestricted access to the password database. Not only that, the adversary is able to modify the content sent to the user from the web site (including active content such as client-side scripts). And not only that! The adversary is also able to read all Continue reading