Context, Visibility and Containment – NSX Securing “Anywhere” Part V

window-1231894_1280Welcome to part 5 of the Micro-Segmentation Defined– NSX Securing “Anywhere”  blog series. Previous topics covered in this series includes

In this post we describe how NSX micro-segmentation enables fundamental changes to security architectures which in turn facilitate the identification of breaches:

  • By increasing visibility throughout the SDDC, eliminating all blind spots
  • By making it feasible and simple to migrate to a whitelisting / least privileges / zero-trust security model
  • By providing rich contextual events and eliminating false positives to SIEMs
  • By providing inherent containment even for Zero Day attacks

Threat analysis is the new trend of the security landscape and established vendors as well as startups are proposing many tools to complement the current perimeter logging approach.  The attraction for these tools is based on the assumption that by correlating flows from different sources within a perimeter, threat contexts will emerge and compromised systems will be uncovered.  Currently, these systems go unnoticed for long periods of times because the suspicious traffic moves laterally inside the perimeter and does not traverse a security device: you can’t Continue reading

Evenly Distributed Future

Traveling back and forth between the UK and US I often find myself answering the question “What does CloudFlare do?”. That question gets posed by USCIS on arrival and I’ve honed a short and accurate answer: “CloudFlare protects web sites from hackers, makes web sites faster and ensures they work on your computer, phone or tablet.

CC BY 2.0 image by d26b73

If anyone, border agents or others, wants more detail I usually say: “If you run a web site or API for an app and you are Amazon.com, Google, Yahoo or one of a handful of major Internet sites you have the expertise to stay on top of the latest technologies and attacks; you have the staff to accelerate your web site and keep it fully patched. Anyone else, and that’s almost every web site on the Internet, simply will not have the money, people, or knowledge to ‘be a Google’. That’s where CloudFlare comes in: we make sure to stay on top of the latest trends in the Internet so that every web site can ‘be Google’."

The author William Gibson has said many times: “The future is already here Continue reading

Growing Hyperconverged Platforms Takes Patience, Time, And Money

In this day and age when the X86 server has pretty much taken over compute in the datacenter, enterprise customers still have their preferences and prejudices when it comes to the make and model of X86 machine that they deploy to run their applications. So a company that is trying to get its software into the datacenter, as server-storage hybrid Nutanix is, needs to befriend the big incumbent server makers and get its software onto their boxes.

This is not always an easy task, given that some of these companies have their own hyperconverged storage products or they have a

Growing Hyperconverged Platforms Takes Patience, Time, And Money was written by Timothy Prickett Morgan at The Next Platform.

10 sci-fi technologies we are close to having

10 of the coolest sci-fi tech that are almost a realityScience fiction TV shows and movies are filled with cool technology. From Star Trek and its transporter and food replicator—to name just a couple of things—to The Minority Report and its air touch displays and jet packs.Some of that futuristic technology has arrived. For examples, “push to talk” mobile devices are very close to Star Trek like communicators. And the video conferencing depicted in The Jetsons is now available on nearly every home computer.To read this article in full or to leave a comment, please click here

Networking Is Infrastructure – Get Used to It

Jeff Sicuranza left a great comment to one of my blog posts:

Still basically the same old debate from 25 years ago that experienced Network Architects and Engineers understood during technology changes; "Do you architect your network around an application(s) or do you architect your application(s) around your network"

I would change that to “the same meaningless debate”. Networking is infrastructure; it’s time we grow up and get used to it.

Read more ...

Windows 10 browser beatdown: Who’s got the edge?

Not all web browsers are created equal. In fact, it might startle you a little to realize how diverse the range of top-end browser software has become, if you came of age in the era of “Internet Explorer or go home.” With about a third of all Windows traffic on the web coming from Windows 10 installs, according to figures from U.K.-based analytics firm GoSquared, and with Microsoft distancing itself from Internet Explorer in favor of the Edge just as fast as it can, it seems like as good a time as any to survey a few of the best browsing options for Windows 10 users. A word on methodology – I ran each contestant here through three benchmarks (higher scores are better in all of them – see graphic below) to give a broad sense of overall performance, and put each of them through their paces by using them for both work and play. With the exception of the benchmarks, what follows are the subjective opinions of a working reporter who nevertheless does a great deal of web browsing. The five browsers – note that Apple Safari isn't a real option on Win10 -- are Continue reading

ARM has a new weapon in race to build world’s fastest computers

ARM conquered the mobile market starting with Apple's iPhone, and now wants to be in the world's fastest computers.A new ARM chip design being announced on Monday is targeted at supercomputers, a lucrative market in which the company has no presence. ARM's new chip design, which has mobile origins, has extensions and tweaks to boost computing power.The announcement comes a few weeks after Japanese company Softbank said it would buy ARM for a mammoth US$32 billion. With the cash, ARM is expected to sharpen its focus on servers and the internet of things.To read this article in full or to leave a comment, please click here

A lesson in social engineering: president debates

In theory, we hackers are supposed to be experts in social engineering. In practice, we get suckered into it like everyone else. I point this out because of the upcoming presidential debates between Hillary and Trump (and hopefully Johnson). There is no debate, there is only social engineering.

Some think Trump will pull out of the debates, because he's been complaining a lot lately that they are rigged. No. That's just because Trump is a populist demagogue. A politician can only champion the cause of the "people" if there is something "powerful" to fight against. He has to set things up ahead of time (debates, elections, etc.) so that any failure on his part can be attributed to the powerful corrupting the system. His constant whining about the debates doesn't mean he'll pull out any more than whining about the election means he'll pull out of that.

Moreover, he's down in the polls (What polls? What's the question??). He therefore needs the debates to pull himself back up. And it'll likely work -- because social-engineering.

Here's how the social engineering works, and how Trump will win the debates.

The moderators, the ones running the debate, will do their best Continue reading

Researchers create 3D faces from online photos to defeat face authentication systems

Security researchers continue to find ways around biometric-based security features, including a new attack which can defeat face authentication systems.You might be careful about posting photos of yourself online, either refraining from it or setting the images to private, but your “friends” might post pictures of you online. It wouldn’t matter if those pictures of you are low quality or there were as few as three publicly available photos of you, researchers from the University of North Carolina have developed a virtual reality-based attack that can reproduce your face well enough to trick face authentication systems.In “Virtual U: Defeating Face Liveness Detection by Building Virtual Models from Your Public Photos” (pdf), the researchers called “the ability of an adversary to recover an individual’s facial characteristics through online photos” an “immediate and very serious threat.” The team devised an attack which can bypass “existing defenses of liveness detection and motion consistency.”To read this article in full or to leave a comment, please click here

Researchers create 3D faces from online photos to defeat face authentication systems

Security researchers continue to find ways around biometric-based security features, including a new attack which can defeat face authentication systems.You might be careful about posting photos of yourself online, either refraining from it or setting the images to private, but your “friends” might post pictures of you online. It wouldn’t matter if those pictures of you are low quality or there were as few as three publicly available photos of you, researchers from the University of North Carolina have developed a virtual reality-based attack that can reproduce your face well enough to trick face authentication systems.In “Virtual U: Defeating Face Liveness Detection by Building Virtual Models from Your Public Photos” (pdf), the researchers called “the ability of an adversary to recover an individual’s facial characteristics through online photos” an “immediate and very serious threat.” The team devised an attack which can bypass “existing defenses of liveness detection and motion consistency.”To read this article in full or to leave a comment, please click here

12% off Amazon Tap Alexa-Enabled Portable Bluetooth Speaker – Deal Alert

Amazon is currently discounting its Tap speaker by 12% to $114.99. It averages 4 out of 5 stars from 2,545 customers (read reviews). The Tap is a more portable version of their popular Echo speaker. The tap lasts for up to 9 hours on a single charge and is Alexa-Enabled, so you just "tap" and ask it to play your favorite music from most streaming music services, check sports scores, request an Uber, order a pizza, and much more. Learn more about the discounted Tap and explore buying options now on Amazon.To read this article in full or to leave a comment, please click here

Bugs don’t come from the Zero-Day Faerie

This WIRED "article" (aka. thinly veiled yellow journalism) demonstrates the essential thing wrong with the 0day debate. Those arguing for NSA disclosure of 0days believe the Zero-Day Faerie brings them, that sometimes when the NSA wakes up in the morning, it finds a new 0day under its pillow.

The article starts with the sentences:
WHEN THE NSA discovers a new method of hacking into a piece of software or hardware, it faces a dilemma. Report the security flaw it exploits to the product’s manufacturer so it gets fixed, or keep that vulnerability secret—what’s known in the security industry as a “zero day”—and use it to hack its targets, gathering valuable intelligence.
But the NSA doesn't accidentally "discover" 0days -- it hunts for them, for the purpose of hacking. The NSA first decides it needs a Cisco 0day to hack terrorists, then spends hundreds of thousands of dollars either researching or buying the 0day. The WIRED article imagines that at this point, late in the decision cycle, that suddenly this dilemma emerges. It doesn't.

The "dilemma" starts earlier in the decision chain. Is it worth it for the government to spend $100,000 to find and disclose a Cisco 0day? Continue reading

IoT Engineering Tip: Simplifying SSH Host ECDSA Key Checking

Those of you new to Internet of Things (IoT) engineering and using boards such as the Raspberry Pi will probably have come across an irritation: Every time you wipe the operating system on your IoT device and then try to use the Secure Shell (SSH) to access it, SSH will complain with something along the lines of:RedQueen:~ mgibbs$ ssh [email protected]@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @To read this article in full or to leave a comment, please click here

QoS? Really?

I wrote this post during Cisco Live and said “I’ll just give it a once-over tonight and publish it.”  That was something like 6 weeks ago now. What a loser I am.

Yes, really. QoS has actually gotten some attention this year. After how many years of living in the dark and being feared by junior and senior engineers alike, we’re seeing some really cool technologies coming out for it.

I was honored to be invited to Tech Field Day Extra this morning while I’m at Cisco Live.  If you don’t know about TFD, you’re missing out.  A group of influencers gather in a room and get very deep and very technical presentations from vendors.  Today, Cisco came and talked about a couple of topics including branch security and QoS.  Obviously, the QoS was the big hitter for me.

Tim Szigeti (@tim_szigeti) kicked off the QoS conversation by talking about some of the recent advancements in QoS in both hardware and software. In hardware, he discussed the programmability of the new ASICs that Cisco is using in their switches and routers.  These ASICs are dumb out of the box, but they are very willing to learn.  Want it Continue reading

Machine learning and forgery

There’s no doubt that pretty much everything humans do can be sliced, diced, and replicated by algorithms so it’s not surprising that recent work by Tom S. F. Haines, Oisin Mac Aodha, and Gabriel J. Brostow, researchers at University College London, has resulted in the fall of yet another bastion of being human: Handwriting. How did they do it? Machine learning.Their paper, called "My Text in Your Handwriting," describes software that semi-automatically analyzes a sample of a handwriting, then generates whatever text you want in what looks like the identical style of the original handwriting sample. UCL’s press release explains:To read this article in full or to leave a comment, please click here

Google is killing Chrome apps on Mac, Windows and Linux

Three years after introducing special apps that run inside the Chrome browser, Google announced Friday that it will be removing them from Windows, Mac and Linux by early 2018. Google introduced those apps in 2013 as a way to offer new functions that weren't otherwise available on the web. Chrome browser apps also gave developers a way to write one app that would run across Windows, Mac, Linux and Chrome OS.The apps come in two flavors: Hosted Apps, which are essentially installable web apps, and Packaged Apps, which are closer to a traditional app like those you might find in the iOS App Store or Google Play Store. To read this article in full or to leave a comment, please click here

Weekly Roundup: Top 5 Docker articles of the week

 

This week, we announced the launch of the Docker Scholarship program, got to know our featured Docker Captains, and aired the first #Dockercast episode. As we begin a new week, let’s recap our top 5 most-read stories for the week of August 14, 2016:

 

5 #docker stories you don’t want to miss this week cc @chanwit @vfarcic @idomyowntricks Continue reading

1 2,732 2,733 2,734 2,735 2,736 3,844