VMware AppDefense Introduces Least Privilege Security for Containerized Applications
Summary: VMware AppDefense continues to advance with new capabilities, new partnerships, international expansion, and increasing customer adoption
As worldwide spending on IT security continues to climb, the odds of falling victim to a data breach have risen to 1 in 4. Despite a multitude of security products on the market and large budgets to purchase them, businesses are not significantly safer. The commoditization of cyber crime has made it possible for virtually anyone with a computer to launch a sophisticated attack against a company and new attacks are being developed every day. This means the continued focus on chasing threats remains relatively ineffective to stamping out the broader challenges facing IT security.
This is a scary prospect for CISOs who are faced with securing the applications and data living in increasingly dynamic, distributed IT environments. And as more businesses embrace modern, agile application development processes, the problem of implementing security at the speed of the business is exacerbated – security is often seen as an obstacle to progress.
We created VMware AppDefense to address these very issues, with a unique approach that leverages the virtualization layer to protect applications by “ensuring good” rather than “chasing bad”. AppDefense leverages VMware’s Continue reading
Microsoft Turns to Former Foe Linux to Secure IoT Devices
The Azure Sphere technology includes a thumbnail-sized micro-controller unit, a Linux-based operating system, and a cloud-based security service.
BlueData Sees Kubernetes as a Bridge to Big Data
The company is looking to support unmodified big data software in containers so data scientists can spend their time analyzing data rather than fighting hardware and drivers.
ZTE Forbidden From Buying U.S. Components for 7 Years
A U.K. government agency is also recommending that telcos not purchase equipment from ZTE.
IBM Injects Double AI Dose Into Security Platform, Managed Services
An IBM security report found a 424-percent jump in breaches related to misconfigured cloud infrastructure in 2017, largely due to human error.
Woot Woot! 16 Weeks of Security Learning!! — SECURITY ZERO-TO-HERO
Just signed up last week for the Micronic’s “Security Zero-to-Hero” class. I am beyond stoked and excited! I have been searching for awhile now for a class to take to help me really “go to the next level” in Security. But I just wasn’t finding the kind of class I was looking for. Every class I saw offered was either focused on one narrow aspect of the security landscape OR focused on helping people pass the CCIE Security. Neither or which matched what I was searching for.
The class I was hoping to find would be structured more like a semester long college class with real world production discussions and also hands on labs. A class where … over weeks of learning and labbing in my personal time… the learning would just continue to seep deeper and deeper and the “aha” moments would just keep coming. There were lots of one week classes to choose from. But, for me, I just don’t see a one week class as a great “immersive” experience into the complex landscape of the world of Security. There is a “learning limit”, for me, as to how much my brain can retain Continue reading
At RSA USA 2018 in San Francisco this week? Join the IoT Security conversation on Tuesday, April 17
Are you attending the RSA USA 2018 Conference this week in San Francisco? If so, please plan to join this panel session happening Tuesday, April 17, 2018, from 3:30 – 4:14pm (PDT):
IoT Trust by Design: Lessons Learned in Wearables and Smart Home Products
Moderated by my colleague Jeff Wilbur, Director of the Online Trust Alliance (OTA), the panel abstract is:
The world has awakened to the need for tighter security and privacy in consumer-grade IoT offerings. This panel will present a trust framework for IoT, and wearable and smart home experts will discuss top attack vectors, typical vulnerabilities in devices, apps and systems, common reasons for design compromise, the evolution of security and privacy in IoT and where it needs to go.
They will be discussing the OTA’s IoT Trust Framework, as well as some new mechanisms available to help enterprises understand the risks associated with IoT devices.
If you believe securing the Internet of Things is a critical step to having a secure Internet, please join Jeff and his panelists to learn more.
Unfortunately there appears to be no live stream available but they do seem to be recording many of the sessions. If Jeff’s Continue reading
Notes on setting up Raspberry Pi 3 as WiFi hotspot
I want to sniff the packets for IoT devices. There are a number of ways of doing this, but one straightforward mechanism is configuring a "Raspberry Pi 3 B" as a WiFi hotspot, then running tcpdump on it to record all the packets that pass through it. Google gives lots of results on how to do this, but they all demand that you have the precise hardware, WiFi hardware, and software that the authors do, so that's a pain.I got it working using the instructions here. There are a few additional notes, which is why I'm writing this blogpost, so I remember them.
https://www.raspberrypi.org/documentation/configuration/wireless/access-point.md
I'm using the RPi-3-B and not the RPi-3-B+, and the latest version of Raspbian at the time of this writing, "Raspbian Stretch Lite 2018-3-13".
Some things didn't work as described. The first is that it couldn't find the package "hostapd". That solution was to run "apt-get update" a second time.
The second problem was error message about the NAT not working when trying to set the masquerade rule. That's because the 'upgrade' updates the kernel, making the running system out-of-date with the files on the disk. The solution to that is make Continue reading
Cisco Ramps Up RSA Conference Security Services Roll Out
It added new email security services, visibility and malware protection features, and managed security offerings through IT services company ConnectWise.
My letter urging Georgia governor to veto anti-hacking bill
February 16, 2018Office of the Governor
206 Washington Street
111 State Capitol
Atlanta, Georgia 30334
Re: SB 315
Dear Governor Deal:
I am writing to urge you to veto SB315, the "Unauthorized Computer Access" bill.
The cybersecurity community, of which Georgia is a leader, is nearly unanimous that SB315 will make cybersecurity worse. You've undoubtedly heard from many of us opposing this bill. It does not help in prosecuting foreign hackers who target Georgian computers, such as our elections systems. Instead, it prevents those who notice security flaws from pointing them out, thereby getting them fixed. This law violates the well-known Kirchhoff's Principle, that instead of secrecy and obscurity, that security is achieved through transparency and openness.
That the bill contains this flaw is no accident. The justification for this bill comes from an incident where a security researcher noticed a Georgia state election system had made voter information public. This remained unfixed, months after the vulnerability was first disclosed, leaving the data exposed. Those in charge decided that it was better to prosecute those responsible for discovering the flaw rather than punish those who failed to secure Georgia voter information, hence this law.
Too many security experts oppose Continue reading
Let’s stop talking about password strength
 |
| Picture from EFF -- CC-BY license |
Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.
On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.
Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).
To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it Continue reading
Symantec Shares Its Own Internal Threat Detection Tools for Targeted Attacks
This technology uncovered last year’s Dragonfly 2.0 attacks targeting energy companies to gain access to the power grid.
Join NSX at RSA, Dell Technologies World, and Interop Conferences
Conference season is upon us, and the NSX team will be out in full effect. Join us at any of the following events to get a demo, ask us questions, and hear us wax poetic about all things security and network virtualization!
RSA Conference
April 16–20, 2018
Moscone Center
San Francisco, CA
Booth #4101, North Hall
NSX is delighted to attend everyone’s favorite security conference, RSA. This year’s theme is “Now Matters,” aptly named in time with the astounding number of threats to cybersecurity and data breaches we’ve collectively seen in the news this year. That said, don’t miss a great talk on how app architecture “now matters” when it comes to transforming security by Tomrn, Senior Vice President and General Manager, Security Products, VMware. His session will be on April 17 from 1:00pm–1:45pm. The team will also be doing demos at the VMware booth (#4101 in the North Hall) – so be sure to swing by and chat with us about our offerings.
VMware Speaking Sessions at RSA Conference:
NSX Mindset Reception:
Join us for a NSX Mindset reception with VMware Continue reading
Zededa Wants to Use the Cloud to Power IoT at the Edge
The company is building a software platform that can be deployed on virtually any edge device in support of IoT. This involves a lightweight software stack that can adapt to different deployment models.
Four Security Myths You Need to Shake
In this zero-trust world, no data is safe. In order to tighten security in cloud-based environments, enterprises must embrace the truth about security.
Security Research is Critical to Protect the Open Internet
On, April 10, 2018 I joined over fifty like-minded individuals signing a letter emphasizing the importance of security research. The letter renounces a number of recent lawsuits, such as Keeper v. Goodlin and River City Media v. Kromtech, against security researchers and journalists and highlights the importance of the work they are doing to defend against a rapidly increasing number of security threats.
Security research, sometimes called white-hat hacking, is a practice by ethical hackers whereby they legally find flaws in information systems and report them to the creators of those systems. The ability to find and report these vulnerabilities before other bad actors can manipulate them has become increasingly important, especially in the context of the Internet of Things (IoT).
As we discussed at Enhancing IoT Security in Ottawa, Canada this week, Internet-connected devices offer great promise, but they can also create a host of security issues. It is crucial that we continue to encourage individuals to seek out and correct flaws in these devices as their application and use grows.
As Olaf Kolkman, Chief Internet Technology Officer at the Internet Society, wrote recently, security researchers are helping to make the Internet more secure. Collaboration between those Continue reading
Successful First Event in the Canadian Multistakeholder Process – Enhancing IoT Security Series
On April 4, 2018, over 80 individuals met in Ottawa and virtually via livestream for the first event in the Canadian Multistakeholder Process – Enhancing IoT Security series. Participants represented a wide-range of stakeholder groups, including government, academia, public interest, and industry representatives. Two Internet Society Organization Members, the Canadian Internet Registration Authority and CANARIE, as well as Innovation, Science and Economic Development Canada and the Canadian Internet Policy and Public Interest Clinic were partners for this event. IoT security is a complex issue that requires all stakeholders to cooperate and participate in the development of solutions, and we were pleased to have such truly multistakeholder representation.
The event kicked off with an interactive presentation from Larry Strickling, Executive Director of the Collaborative Governance Project. Strickling provided an overview of the multistakeholder process and facilitated a discussion among participants to determine ground rules and define what constitutes consensus. Participants, both those remote and in person, outlined over a dozen rules and three key metrics for determining consensus, which will be used throughout the entirety of the project.
In the morning, participants heard from a series of speakers who presented on IoT security and risk, the balance between IoT’s technological Continue reading
HyTrust, Twistlock Bolster Broad Focus on VM, Container Security
Both firms continue to tout their broader cloud security platforms as superior to more focused efforts or those from large cloud providers.
Cloudflare launches 1.1.1.1 DNS service with privacy, TLS and more
There was an important development this month with the launch of Cloudflare’s new 1.1.1.1 DNS resolver service. This is a significant development for several reasons, but in particular it supports the new DNS-over-TLS and DNS-over-HTTPS protocols that allow for confidential DNS querying and response.
Why 1.1.1.1?
Before we get to that though, Cloudflare joins Google’s Public DNS that uses 8.8.8.8 and Quad9 DNS that uses 9.9.9.9, by implementing 1.1.1.1 as a memorable IP address for accessing its new DNS service. IP addresses are generally not as memorable as domain names, but you need access to a DNS server before you can resolve domain names to IP addresses, so configuring numbers is a necessity. And whilst a memorable IP address might be cool, it’s also proved important recently when DNS resolvers have been blocked or taken down, requiring devices to be pointed elsewhere.
The 1.1.1.1 address is part of the 1.1.1.0 – 1.1.1.255 public IP address range actually allocated to APNIC, one of the five Regional Internet Registries, but it has been randomly used as an address for Continue reading
Introducing Spectrum: Extending Cloudflare To 65,533 More Ports
Today we are introducing Spectrum, which brings Cloudflare’s security and acceleration to the whole spectrum of TCP ports and protocols for our Enterprise customers. It’s DDoS protection for any box, container or VM that connects to the internet; whether it runs email, file transfer or a custom protocol, it can now get the full benefits of Cloudflare. If you want to skip ahead and see it in action, you can scroll to the video demo at the bottom.
DDoS Protection
The core functionality of Spectrum is its ability to block large DDoS attacks. Spectrum benefits from Cloudflare’s existing DDoS mitigation (which this week blocked a 900 Gbps flood). Spectrum’s DDoS protection has already been battle tested. Just soon as we opened up Spectrum for beta, Spectrum received its first SYN flood.
One of Spectrum's earliest deployments was in front of Hypixel’s infrastructure. Hypixel runs the largest minecraft server, and because gamers can be - uh, passionate - they were one of the earliest targets of the terabit-per-second Mirai botnet. “Hypixel was one of the first subjects of the Mirai botnet DDoS attacks and frequently receives large attacks. Before Spectrum, we had to rely on unstable services & techniques Continue reading