Are you overlooking tokenization as a data security measure?

This column is available in a weekly newsletter called IT Best Practices.  Click here to subscribe.  As a security technology that obfuscates clear text data, tokenization is the red-headed stepchild compared to encryption. That's changing, however, as tokenization has a key role in enabling mobile payment systems such as Apple Pay, Samsung Pay and Android Pay. If you use any of these smartphone-based payment applications, tokenization is already at work for you.Unless you're in the payments industry, you might not even know what tokenization is, or how it can protect sensitive data. Yes, there are uses for the technology beyond securing payment data. I'll talk use cases in a minute, but first let me explain what tokenization is.To read this article in full or to leave a comment, please click here

Large scale BGP hijack out of India

BGP hijacks happen every day, some of them affect more networks than others and every now and then there’s a major incident that affects thousands of networks. Our monitoring systems keep an eye out for our users and if you would like to have a general idea of what’s going on in the world of BGP incidents, keep an eye on BGPstream.com. Earlier today we detected one of those major incidents that affected thousands of networks.

Starting at 05:52 UTC, AS9498 (BHARTI Airtel Ltd.) started to claim ownership for thousands of prefixes by originating them in BGP. This affected prefixes for over two thousand unique organizations (Autonomous systems).

Our systems detected origin AS changes (hijacks) for 16,123 prefixes. The scope and impact was different per prefix but to give you an idea, about 7,600 of these announcements were seen by five or more of our peers (unique peers ASns) and 6,000 of these were seen by more than 10 of our peers.

One of the reasons this was so widespread is because large networks such as AS174 (Cogent Communications) and AS52320 (GlobeNet Cabos Submarinos VZLA) accepted and propagated these prefixes to their peers and customers.

The BGPplay visualization Continue reading

Android security update focuses on media files

In light of Android's mediaserver issues, Google’s latest Android security update focused on flaws related to the operating system's treatment of media files. Android’s current flaws are similar to problems that cropped up with Windows more than a decade ago.Google addressed seven vulnerabilities as part of this month’s Android security update, released this week. Of the critical vulnerabilities, one was in the libutils component (CVE-2015-6609) near where Stagefright flaws were found over the summer, and the other was in the Android mediaserver component (CVE-2015-6609). They were rated as critical, as they could allow remote code execution when handling malformed media files.To read this article in full or to leave a comment, please click here

Cox to pay $595,000 for Lizard Squad data breach

Cox Communications has agreed to pay US$595,000 and submit to seven years of computer security compliance monitoring by the Federal Communications Commission to settle an investigation into whether the cable TV and Internet operator failed to safeguard the personal information of its customers.The investigation relates to a hack of Cox in 2014 by "EvilJordie," a member of the "Lizard Squad" hacker collective, and is the FCC's first privacy and data security enforcement action against a cable operator.The FCC's investigation found that by posing as a Cox IT staffer, the hacker convinced a Cox customer service representative and contractor to enter their account IDs and passwords into a fake website, the FCC said Thursday.To read this article in full or to leave a comment, please click here

EU tells US it must make next move on new Safe Harbor deal

The European Union put the onus firmly on the U.S. to make the next move in negotiating a replacement for the now-defunct Safe Harbor Agreement on privacy protection for transatlantic personal data transfers. "We need a new transatlantic framework for data transfers," said Vĕra Jourová, the European Commissioner for Justice and Consumers, emphasizing the urgency of the situation. However, she said at a news conference in Brussels on Friday, "It is now for the U.S. to come back with their answers." EU law requires that companies guarantee the same privacy protection for the personal information of EU citizens that they hold, wherever in the world they process it.To read this article in full or to leave a comment, please click here

Video: Control Plane Protocols in OpenFlow-Based Networks

One of the typical questions I get in my SDN workshops is “how do you run control-plane protocols like LACP or OSPF in OpenFlow networks?”.

I wrote a blog post describing the process two years ago and we discussed the details of this challenge in the OpenFlow Deep Dive webinar. That part of the webinar is now public: you’ll find the OpenFlow Use Cases: Control-Plane Protocols video on the ipSpace.net Free Content web site.

Watch the video

Stuff The Internet Says On Scalability For November 6th, 2015

Hey, it's HighScalability time:


Cool geneology of Relational Database Management Systems.

  • 9,000: Artifacts Uncovered in California Desert; 400 Million: LinkedIn members; 100: CEOs have more retirement assets than 41% of American families; $160B: worth of AWS; 12,000: potential age of oldest oral history; fungi: world's largest miners 

  • Quotable Quotes:
    • @jaykreps: Someone tell @TheEconomist that people claiming you can build Facebook on top of a p2p blockchain are totally high.
    • Larry Page: I think my job is to create a scale that we haven't quite seen from other companies. How we invest all that capital, and so on.
    • Tiquor: I like how one of the oldest concepts in programming, the ifdef, has now become (if you read the press) a "revolutionary idea" created by Facebook and apparently the core of a company's business. I'm only being a little sarcastic.
    • @DrQz: +1 Data comes from the Devil, only models come from God. 
    • @DakarMoto: Great talk by @adrianco today quote of the day "i'm getting bored with #microservices, and I’m getting very interested in #teraservices.”
    • @adrianco: Early #teraservices enablers - Diablo Memory1 DIMMs, 2TB AWS X1 instances, in-memory databases and analytics...
    • @PatrickMcFadin: Average DRAM Contract Price Continue reading

ProtonMail recovers from DDoS punch after being extorted

The last few days have not been easy for ProtonMail, the Geneva-based encrypted email service that launched last year. Earlier this week, the service was extorted by one group of attackers, then taken offline in a large distributed denial-of-service (DDoS) attack by a second group that it suspects may be state sponsored. ProtonMail offers a full, end-to-end encrypted email service. It raised more than US$500,000 last year after a blockbuster crowdfunding campaign that sought just $100,000.  Now, it bills itself as the largest secure email provider, with more than 500,000 users. Creating an account is free, although ProtonMail plans to eventually introduce a paid-for service with additional features.To read this article in full or to leave a comment, please click here

How a mobile app company found the XcodeGhost in the machine

Nick Arnott couldn't figure out recently why Apple kept rejecting an update to a mobile app his company developed.It turned out the problem was a ghost in the machine.His company, Possible Mobile, is well versed in the App Store submission rules and has built apps for JetBlue, Better Homes & Gardens and the Major League Soccer.The rejection came after it was discovered in mid-September that thousands of apps in the App Store had been built with a counterfeit version of an Apple development tool, Xcode.The fake version, dubbed XcodeGhost and probably developed in China, had been downloaded by many developers from third-party sources, apparently because getting the 4GB code from Apple took too long.To read this article in full or to leave a comment, please click here

007 Tips for keeping your business as secure as MI6

As James Bond has shown, even a sophisticated MI6 operative with a nearly limitless budget and an array of hi-tech gadgets has to take into account existing security measures when formulating a plan to infiltrate a building or system. And while online criminal organizations don’t have Bond’s resources, they are sophisticated and well funded, which means you have to continually up your efforts to reduce the threat surface of your business.As you begin planning for 2016, here are 007 tips for bringing your business closer to an MI6 level of security, without a nation-state budget:1. Auto expiring credentials for new recruits: While we hope your corporate hiring process isn’t as intense as that of a secret agent, at the end of the day not everyone who signs up ends up making the final cut. To minimize your risk of rogue access, implement a policy that requires system admins to always create expiring credentials for new hires. It’s best practice to implement this for any temporary hires, but if your company offers an employment grace period, consider applying the expiration for the end of that time period, just in case. It’s always easier to re-implement than revoke once things Continue reading

Worth Reading: Alphabet and Anti-trust

What we have learned in the last two months is that Google is much more worried than it says about the risks it faces from a variety of real structural changes it may have to make in its core business overseas in the months and years ahead — where the vast majority of Google’s users are, and from where over 50% of its revenues come. Google apparently foresees a coming brand winter of antitrust/privacy structural enforcement actions hanging over Google around the world. via somewhat reasonable

The post Worth Reading: Alphabet and Anti-trust appeared first on 'net work.

Five things you should know about unlicensed LTE

1. It's the spectrum that's unlicensed, not the LTE.The acronyms are flying: LTE-U, LAA, MuLTEfire. They're all forms of LTE tweaked to send signals over unlicensed frequencies, which are open to Wi-Fi, Bluetooth, and any other technology that plays fair. Carriers could use it as soon as 2016 to add frequencies without spending billions to license them. At first, unlicensed LTE will only be used to supplement a carrier's own bands to make downloads faster. Later, it might send traffic both directions and even be used by enterprises that have no licensed spectrum.To read this article in full or to leave a comment, please click here

Five things you should know about unlicensed LTE

Here are five things you should know about unlicensed LTE, the concept of sending 4G cell traffic over channels also used by Wi-Fi and other networks.1. It's the spectrum that's unlicensed, not the LTE.The acronyms are flying: LTE-U, LAA, MuLTEfire. They're all forms of LTE tweaked to send signals over unlicensed frequencies, which are open to Wi-Fi, Bluetooth, and any other technology that plays fair. Carriers could use it as soon as 2016 to add frequencies without spending billions to license them. At first, unlicensed LTE will only be used to supplement a carrier's own bands to make downloads faster. Later, it might send traffic both directions and even be used by enterprises that have no licensed spectrum.To read this article in full or to leave a comment, please click here

14 strange but true tech facts you (probably) don’t know

Hardly trivialImage by Mahender G/FlickrAs computers grow ever more powerful, we humans have to figure out where we still remain superior. Here's one suggestion: although the Internet is full of endless reams of data, it takes a human mind to suss through it all and determine what qualifies as interesting to other humans. Thus, we at ITworld present you with the following anecdotes about technology and the Internet, guaranteed to have been selected by the human hand and eye to pique your interest. Hopefully robots won't take this job for another few years.To read this article in full or to leave a comment, please click here

1 3,189 3,190 3,191 3,192 3,193 3,773