Apple’s top counsel to tell Congress, ‘Encryption is a necessary thing’

Apple’s refusal to help the FBI brute-force the iPhone 5c passcode of the San Bernardino shooter will most likely play out in the courts—the first hearing is scheduled for March 22 in Riverside, California. But Congress has a role to play too.On Tuesday, Apple Senior Vice President and General Counsel Bruce Sewell will testify before the House Judiciary Committee, stressing that while Apple does respect and assist law enforcement, what the FBI wants this time simply goes too far.One of Apple’s strategies is to argue that Congress should pass legislation to cover cases like this, instead of using the more broad All Writs Act, which was first passed in 1789 and last updated in 1946. Apple thinks a more modern statute like the Communications for Assistance for Law Enforcement Act (CALEA) would be more appropriate, although the Department of Justice disagrees that it’s applicable here.To read this article in full or to leave a comment, please click here

Cyber security tools tend to pile up. Here’s how to rationalize them

Although vendor-written, this contributed piece does not advocate a position that is particular to the author’s employer and has been edited and approved by Network World editors.

It’s a cliché, but “change is the only constant.”  Every company periodically reviews and makes changes to their applications, processes and solutions they use to conduct business. And nowhere is this rationalization more important than in the ever-shifting and increasingly perilous arena of cyber security.

Companies often begin the security rationalization process after accumulating a portfolio of tools over the years (i.e. penetration testers, web-application, and code scanners) or through mergers and acquisitions or shifting business strategies.

To read this article in full or to leave a comment, please click here

Cyber security tools tend to pile up. Here’s how to rationalize them

Although vendor-written, this contributed piece does not advocate a position that is particular to the author’s employer and has been edited and approved by Network World editors.It’s a cliché, but “change is the only constant.”  Every company periodically reviews and makes changes to their applications, processes and solutions they use to conduct business. And nowhere is this rationalization more important than in the ever-shifting and increasingly perilous arena of cyber security.Companies often begin the security rationalization process after accumulating a portfolio of tools over the years (i.e. penetration testers, web-application, and code scanners) or through mergers and acquisitions or shifting business strategies.To read this article in full or to leave a comment, please click here

Juniper Introduces Software-Defined Secure Networks, Integrating Threat Detection & Adaptive Policy Control for Network Wide Enforcement

juniper-channel1-02-29-2016 Traditional perimeter-based approaches to security are not enough to protect against increasingly sophisticated attacks that engineer their way into internal networks. Juniper introduces software-defined secure networks, a new model that integrates adaptive policy detection and enforcement into the entire network.

A Journey Through How Zapier Automates Billions of Workflow Automation Tasks

This is a guest repost by Bryan Helmig, ‎Co-founder & CTO at Zapier, who makes it easy to automate tasks between web apps.

 

Zapier is a web service that automates data flow between over 500 web apps, including MailChimp, Salesforce, GitHub, Trello and many more.

Imagine building a workflow (or a "Zap" as we call it) that triggers when a user fills out your Typeform form, then automatically creates an event on your Google Calendar, sends a Slack notification and finishes up by adding a row to a Google Sheets spreadsheet. That's Zapier. Building Zaps like this is very easy, even for non-technical users, and is infinitely customizable.

As CTO and co-founder, I built much of the original core system, and today lead the engineering team. I'd like to take you on a journey through our stack, how we built it and how we're still improving it today!

The Teams Behind the Curtains

It takes a lot to make Zapier tick, so we have four distinct teams in engineering:

  • The frontend team, which works on the very powerful workflow editor.
  • The full stack team, which is cross-functional but focuses on the workflow engine.
  • The Continue reading

CTB-Locker ransomware hits over 100 websites

A new malicious program that encrypts files on Web servers has affected at least 100 websites over the past few weeks, signaling a new trend in ransomware development.The program, which is written in PHP, is called CTB-Locker, a name also used by one of the most widespread ransomware programs for Windows computers. It's not clear though if there's a relationship between this new Web-based ransomware and the Windows version.Once installed on a Web server, the program replaces the site's index.php and creates a directory called Crypt that contains additional PHP files. It starts to encrypt all the files in the server's Web directory when it receives a specifically crafted request from an attacker.To read this article in full or to leave a comment, please click here

Glitch in Hive smart thermostat sends temperatures soaring to nearly 90 degrees

You may have seen movies which feature some evil house that is out to get the occupants, but those usually aren’t smart homes. In real life if you use connected devices to make your home “smart,” then you might expect potential security flaws, but you don’t expect those IoT devices to act like they are possessed and to negatively control your house on their own.While you don’t want to freeze in the winter, there’s a big difference between being toasty in your home and being roasted alive. Yet some British Gas customers who have adopted Hive smart thermostats were at the mercy of the devices which sent temperatures soaring to nearly 90 degrees Fahrenheit (89.6). After the Hive thermostat, which has an app that works as the “remote control,” completely glitched out, some users took to Twitter to express their displeasure.To read this article in full or to leave a comment, please click here

UC Berkeley makes third data breach disclosure in past 15 months

UC Berkeley on Friday revealed that it has alerted 80,000 current and former faculty, staff, students and vendors in the wake of a late December "criminal cyberattack" that could have compromised Social Security and bank account numbers. We're not talking an epic breach possibly affecting millions of people as did last year's Anthem and Ashley Madison compromises. But the revelation still must be unsettling for an institution that prides itself on cutting-edge cybersecurity research. UC Berkeley was among several big-name schools to receive millions from the Hewlett Foundation for cybersecurity policy research, and the school last year established the Center for Long-Term Cybersecurity.To read this article in full or to leave a comment, please click here

Gigamon brings big data analytics to security

The IT security environment has changed significantly over the past decade. Ten years ago, network security was certainly challenging but straightforward. Most organizations had a single network ingress/egress entry point and protected it with a high performance firewall. Today, the environment is completely different. Technologies like Internet of Things, cloud computing, software defined networking, BYOD and mobility have made IT much more complicated than ever before. The increase in IT complexity means more attack surfaces and more entry points that need to be protected. IT is now facing an asymmetric challenge where the security team must protect dozens or even hundreds of entry points where hackers merely have to find one way in. Putting a firewall at every possible entry point, which includes branch offices, wireless access points, consumer devices and IoT endpoints would be prohibitively expensive and complicated to manage.To read this article in full or to leave a comment, please click here

New firmware analysis framework finds serious flaws in Netgear and D-Link devices

A team of security researchers has found serious vulnerabilities in over a dozen wireless routers and access points from Netgear and D-Link with the help of an open-source framework that can be used to perform dynamic security analysis on embedded firmware.Called FIRMADYNE, the framework automatically runs Linux-based firmware designed for embedded devices in an emulated environment and then performs a variety of security tests, including checks on known exploits that exist in penetration testing tools.The framework was built by Daming Chen, Maverick Woo and David Brumley from Carnegie Mellon University and Manuel Egele from Boston University. It was released last week as an open source project along with an accompanying research paper.To read this article in full or to leave a comment, please click here

How to avoid common travel and vacation scams

As usual, winter's been bleak. You're ready to go ... anywhere else. Somewhere warmer, brighter, more fun. And someone else is there waiting and ready to steal your information — and your money — in the process. Travel scams are ripe and ripening as the days grow longer, in some high and very low tech ways. + ALSO ON NETWORK WORLD IRS Scam: 5,000 victims cheated out of $26.5 million since 2013 +"The really staggering message that came through in 2015 was that it was the year attackers spent a lot less time and energy on really sophisticated technology intrusions and instead spent the year exploiting us," says Kevin Epstein, vice president of the Threat Operations Center at Proofpoint. To read this article in full or to leave a comment, please click here

Pica8 scales OpenFlow 1,000x

White box switching company Pica8 this week enhanced its operating system software to overcome limitations in OpenFlow switching. Pica8 is adding Table Type Patterns (TTP) to PicOS so it can scale to 2 million flows with Cavium’s XPliant switch ASIC, and to 256,000 flows with Broadcom’s StrataXGS Tomahawk switch ASIC. This will enable larger data center build-outs, Pica8 says, because typical TCAM flow capacity in the top-of-rack installed base today is between 1,000 and 2,000 flows. +MORE ON NETWORK WORLD: Crossroads for OpenFlow?+To read this article in full or to leave a comment, please click here

A tale of a DNS exploit: CVE-2015-7547

This post was written by Marek Vavruša and Jaime Cochran, who found out they were both independently working on the same glibc vulnerability attack vectors at 3am last Tuesday.

A buffer overflow error in GNU libc DNS stub resolver code was announced last week as CVE-2015-7547. While it doesn't have any nickname yet (last year's Ghost was more catchy), it is potentially disastrous as it affects any platform with recent GNU libc—CPEs, load balancers, servers and personal computers alike. The big question is: how exploitable is it in the real world?

It turns out that the only mitigation that works is patching. Please patch your systems now, then come back and read this blog post to understand why attempting to mitigate this attack by limiting DNS response sizes does not work.

But first, patch!

Man in the middle attack (MitM)

Let's start with the PoC from Google, it uses the first attack vector described in the vulnerability announcement. First, a 2048-byte UDP response forces buffer allocation, then a failure response forces a retry, and finally the last two answers smash the stack. 

$ echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
$ sudo python poc. Continue reading
1 3,134 3,135 3,136 3,137 3,138 3,858