Brussels attacks reinforce that security is everybody’s problem

I’ve had some rather unusual security training over the years. One of my earliest jobs was in security and law enforcement, and my course of study in graduate and undergraduate school included covering some of the largest security disasters in corporate history. Oh, and I was an internal auditor leader for a time when we had a tight emphasis on security. And, I’ve actually been a body guard.MORE ON NETWORK WORLD: 26 crazy and scary things the TSA has found on travelers One of the things I’ve learned is that security is as much a mindset as anything else. Whether you are talking about personal security or securing your firm or country it is a heads-up game. The most successful are those that are constantly looking for abnormalities and are willing to do what is necessary when they see one to discover if there is a problem. Those that simply depend on tools or others to keep them secure likely aren’t. While these folks may lead far less stressful lives, their sense of security is a sham.  To read this article in full or to leave a comment, please click here

Malware authors quickly adopt SHA-2 through stolen code-signing certificates

As the IT industry is working to phase out the aging SHA-1 hashing algorithm it's not just website owners and software developers who are scrambling to replace their digital certificates: Cybercriminals are following suit too.Researchers from Symantec have recently found new samples of the Carberp.B online banking Trojan that were digitally signed with not one, but two stolen certificates: one using a SHA-1 signature and one using a SHA-2 signature."It can be safely surmised that the malware author used certificates containing differing algorithms with the hope of thwarting detection," the Symantec researchers said in a blog post.To read this article in full or to leave a comment, please click here

France fines Google for not being forgetful enough

The French data protection authority has fined Google for failing to implement the so-called right to be forgotten as ordered.Last year, the French National Commission on Computing and Liberty (CNIL) decided that requests to have personal information delisted from search results should apply to all Google properties, not just those in European domains.Google had been removing results from searches performed on domains including google.co.uk and google.fr, but not from its main site, google.com, even though it is accessible from within the EU.MORE ON NETWORK WORLD: 26 crazy and scary things the TSA has found on travelers The CNIL could have fined Google up to €300,000 (US$336,000) for failing to comply with its ruling, but in the end ordered the company to pay just €100,000.To read this article in full or to leave a comment, please click here

Why IT can’t handle data breaches alone

In his keynote address at the CIO Perspectives event in Dallas last month, attorney Matthew Karlyn instructed the crowd about what CIOs and other business leaders need to know about the laws surrounding data breaches and preparing for the worst before a breach happens.Karlyn also addressed some of the myths surrounding security, including the suggestion that companies should “just let the IT department handle it.”“Does human resources have a role to play in information security? Of course they do - they’re storing the most sensitive data on all of your employees," said Karlyn. "Does finance have a role to play in information security? Of course they do - they’re funding the IT infrastructure. If they don’t understand what they’re funding, they’re going to say no… Does legal have a role to play in information security? Of course they do. No, it’s not just an IT department issue.”To read this article in full or to leave a comment, please click here(Insider Story)

Microservices Infrastructure using Mantl

Mantl is an Open source project from Cisco and it provides an integrated solution to deploy distributed Microservices. Any company deploying Microservices has to integrate different components before the solution becomes production ready. Mantl makes it easier by integrating the different components and providing the glue software that integrates the components. In this blog, I … Continue reading Microservices Infrastructure using Mantl

Docker Swarm on AWS using Docker Machine

In this post I’m going to talk about how to use Docker Machine to build a Docker Swarm cluster on Amazon Web Services (AWS). This post is an adaptation of this Docker documentation post that shows how to build a Swarm cluster using VirtualBox.

This post builds on the earlier post I wrote on using Docker Machine with AWS, so feel free to refer back to that post for more information or more details anywhere along the way.

At a high level, the process looks like this:

  1. Obtain a Swarm cluster token.
  2. Provision the Swarm master.
  3. Provision the Swarm nodes.

Let’s take a look at these steps in a bit more detail.

Obtain a Swarm Cluster Token

There’s at least a couple ways to do this, but they pretty much all involve a Linux VM using the Swarm Docker image. It’s up to you exactly how you want to do this—you can use a local VM, or you can use an AWS instance. The Docker documentation tutorial uses a local VM with the VirtualBox driver:

docker-machine create -d virtualbox local
env $(docker-machine env local)
docker run swarm create

The first command above creates a VirtualBox VM (named “local”) and Continue reading

iBGP for PE-CE

I’ve worked on many large-scale MPLS VPN solutions, some with as many as 20k-30k managed CPEs, and as everybody knows – where you run BGP with this sort of setup. It’s almost always eBGP with a single AS across all sites using AS-override, or each site gets a different AS number, to get around the age-old eBGP loop prevention mechanisms which tend to get in the way when we use L3VPNs.

Recently I came across RFC 6368 which describes how iBGP can actually be used as a PE-CE protocol, in order to make the provider network more transparent from a BGP perspective. Usually there’s no problem running eBGP and 99% of networks seem to operate perfectly fine with it, however if the customer CE routers have a large BGP element behind them, the provider’s AS numbers and interactions with the BGP updates can in some cases cause problems.

Recently Cisco added support to run iBGP for PE-CE with the addition of a new command placed under the VRF – “neighbor <x.x.x.x> internal-vpn-client” in JUNOS the command is “independent-domain” which goes under the routing-options for the routing-instance.

For this configuration, consider the following basic topology:

Untitled-2

CE-1 and CE-2 Continue reading

Verizon’s breach experts missed one right under their noses

Verizon Enterprise, a bulwark against cyberattacks at many large organizations, has suffered a security breach itself.A flaw in the company's systems allowed an attacker to steal contact information on Verizon Enterprise customers, the company acknowledged Thursday. Verizon said it has fixed the flaw and is notifying those users, but it hasn't disclosed how many were affected. The intruder couldn't get to any customer proprietary network information, Verizon said, referring to data such as call records and billing information.The breach came to light Thursday in a post on the blog Krebs on Security. Krebs reported the hacker stole contact information for about 1.5 million Verizon Enterprise customers and offered it for sale for US$100,000 on a cybercrime forum. Because the data was offered for sale in the MongoDB format, among others it's likely the attacker forced a MongoDB database at Verizon to dump its contents, the blog said.To read this article in full or to leave a comment, please click here

I’m skeptical of NAND mirroring

Many have proposed "NAND mirroring" as the solution to the FBI's troubles in recovering data from the San Bernadino shooter's iPhone. Experts don't see any problem with this approach, but that doesn't mean experts know it will work, either. There are problems.

The problem is that iPhone's erase the flash after 10 guesses. The solution is to therefore create a backup, or "mirror", of the flash chips. When they get erased, just restore from backup, and try again.

The flaw with this approach is that it's time consuming. After every 10 failed attempts, the chips need to be removed the phone, reflashed, and reinserted back into the phone. Then the phone needs to be rebooted.

For a 4-digit passcode, this process will need to be repeated a thousand times.This is doable in a couples of days. For a 6-digit passcode that is standard on iOS 9, this needs to be repeated 100,000 times, which will take many months of nonstop effort 24-hours a day. Presumably, you can make this more efficient by pipelining the process, using multiple sets of flash chips, so that a new fresh set can be swapped in within a few seconds, but it still takes Continue reading
1 3,018 3,019 3,020 3,021 3,022 3,779