Hard-coded credentials make it simple to steal millions of sensitive records from apps

During a Black Hat Europe talk about (In)Security of Backend-as-a-Service, researchers warned that thousands of popular mobile apps have hard-coded backend credentials which could allow anyone to access millions of sensitive records. “Attacks are free, effortless, and simple,” they warned.Siegfried Rasthofer and Steven Arzt, PhD students at TU Darmstadt in Germany, focused on apps that use Backend-as-a-Service (BaaS) frameworks from the providers Amazon Web Services, CloudMine and Parse.com, which is owned by Facebook. This is the “first comprehensive security evaluation of several popular BaaS providers and APIs as well as their use in real-world Android and iOS applications.”To read this article in full or to leave a comment, please click here

Organizations sloppy about securing privileged accounts

Companies' haphazard processes for managing administrative or other privileged accounts are putting them at risk of security breaches, according to a new global security survey.MORE ON NETWORK WORLD: 6 simple tricks for protecting your passwords The survey, conducted by Dimensional Research and sponsored by Dell, found that 83 percent of respondents face numerous challenges with managed privileged accounts and administrative passwords. That's not to say they lack procedure for securing them — nearly 80 percent say they have a defined process for managing them — but they're not diligent about it.To read this article in full or to leave a comment, please click here

New Docker tool removes a big barrier for enterprises

Making containers enterprise-ready has been a theme at this week's DockerCon EU conference in Barcelona, and on Tuesday Docker itself launched a new tool with that goal in mind.Aiming to give companies operational control while maintaining developers' productivity, Docker Universal Control Plane runs on-premises and is designed to help deploy and manage Dockerized distributed applications in production on any infrastructure."Portability has always been one of the premier attractions of modern application containers such as Docker, so it's no surprise to see the company and community focused on enhancing and extending that portability," said Jay Lyman, a research manager with 451 Research.To read this article in full or to leave a comment, please click here

4 ways bimodal IT accelerates innovation

Innovation is the cornerstone for sustained business success, and given how much innovation relies on technology these days, IT has to play a vital role in making it happen. Even so, Brocade's 2015 Global CIO Study found that more than half of CIO respondents spent around 1,000 hours a year reacting to unexpected problems such as data loss, network downtime and application access. With that much time spent fighting fires, how is the average CIO supposed to find the time to innovate?

To read this article in full or to leave a comment, please click here

Microsoft touts new, holistic approach to enterprise security

Microsoft is putting a lot of effort and money into building a holistic security platform that combines the attack protection, detection and response features built into Windows 10, Office 365, Azure and the Microsoft Enterprise Mobility Suite to help companies safeguard their data regardless of where it resides.Talking at the Microsoft Government Cloud Forum in Washington, D.C., Tuesday, Microsoft CEO Satya Nadella said that the company is spending more than  $1 billion a year in research and development to build security into its products, because "security has to be core to the operational systems used by enterprises."To read this article in full or to leave a comment, please click here

New Microsoft Azure cloud security tools will work on prem, in Amazon’s cloud too

Microsoft on Tuesday unveiled tools that protect not only cloud-based workloads in the company's Azure IaaS public cloud, but those on customers’ premises and even in competing clouds, such as those from Amazon Web Services.Microsoft CEO Satya Nadella gave a keynote address at a Government Cloud Forum in Washington, D.C. this morning in which he talked about his company’s broad security efforts. Microsoft spends $1 billion annually in research and development to improve security across the company’s three major products: Windows 10, Office 365 and Azure. “We don’t think of security as being a separate piece of technology,” Nadella said. “It has to be core to the operational systems that you use, where your data resides, where your most critical application usage is.”To read this article in full or to leave a comment, please click here

Copenhagen, Denmark: CloudFlare’s 65th data center

To get the week started it's our distinct pleasure to introduce CloudFlare's latest PoP (point of presence) in Copenhagen, Denmark. Our Copenhagen data center extends the CloudFlare network to 65 PoPs across 34 countries, with 17 in Europe alone. The CloudFlare network, including all of the Internet applications and content of our users, is now delivered with a median latency of under 40ms throughout the entire continent—by comparison, it takes 300-400ms to blink one's eyes!

Danish traffic, previously served from Stockholm and Amsterdam, shifts into Copenhagen

As can be seen above, traffic has already started to reach Copenhagen, with steady increases over the course of the day (all times in UTC). The new site is also already mitigating cyber attacks launched against our customers. The spike in traffic around 08:46 UTC is a modest portion of a globally distributed denial of service (DDoS) attack targeted at CloudFlare. By distributing the attack across an ever growing footprint of data centers, mitigation is made easy (and our site reliability engineers can sleep soundly!).

The week's not over

In December 2014 we announced our intention to launch one data center per week throughout 2015. It's an ambitious goal, but we're well on Continue reading

Unikernels, meet Docker!

Today, unikernels took to the stage at DockerCon EU in Barcelona!

As part of the Cool Hacks session in the closing keynote, Anil Madhavapeddy (MirageOS project lead), showed how unikernels can be treated as any other container. He first used Docker to build a unikernel microservice and then followed up by deploying a real web application with database, webserver and PHP code all running as distinct unikernel microservices built using Rump Kernels. Docker managed the unikernels just like Linux containers but without needing to deploy a traditional operating system!

This kind of integration helps put unikernels into the hands of developers everywhere and combines the familiar tooling and real-world workflows of the container ecosystem with the improved security, efficiency and specialisation of unikernels. We’ll finish off this post with details of how you can get involved — but first, before we go into Anil’s demonstration in more detail, some background about why unikernels matter, and why it makes sense to use Docker this way.

Why Unikernels?

As companies have moved to using the cloud, there’s been a growing trend towards single-purpose machine images, but it’s clear that there is significant room for improvement. At present, every VM has to Continue reading

A community site for Unikernels

community

Word about unikernels is spreading and more people are trying to learn about this new approach to programming the cloud. This community site aims to collate information about the various projects and provide a focal point for early adopters to understand more about the technology and become involved in the projects themselves.

Image Credit: Blake Thomson from Noun Project

Worth Reading: Smarter than our tech

It’s fine to be a gamer or a social media enthusiast, but if you need a smart watch to tell you when it’s time to get up and walk around so you don’t end up with a pulmonary embolism, something’s very wrong. … The smarter technology becomes, the smarter we need to become – not so much to know how and when to use it, but to know how and when not to use it. via Fox

The post Worth Reading: Smarter than our tech appeared first on 'net work.

Watchdogs detail Federal security tribulations

Security issues continue to confound many Federal agencies keeping tons of sensitive information at risk of unauthorized disclosure, modification, or destruction.That was one of the main conclusions of yet another Government Accountability security assessment, which focused on the Department of Education but included information about other agencies, to congress this week. Since fiscal year 2006, the number of reported information security incidents affecting federal systems has steadily increased, rising from about 5,500 in fiscal year 2006 to almost 67,200 in fiscal year 2014, the GAO noted.To read this article in full or to leave a comment, please click here

Watchdogs detail Federal security tribulations

Security issues continue to confound many Federal agencies keeping tons of sensitive information at risk of unauthorized disclosure, modification, or destruction.That was one of the main conclusions of yet another Government Accountability security assessment, which focused on the Department of Education but included information about other agencies, to congress this week. Since fiscal year 2006, the number of reported information security incidents affecting federal systems has steadily increased, rising from about 5,500 in fiscal year 2006 to almost 67,200 in fiscal year 2014, the GAO noted.To read this article in full or to leave a comment, please click here

How to deal with the blind spots in your security created by SSL encrypted traffic

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

SSL/TLS encryption is widely used to secure communications to internal and external servers, but can blind security mechanisms by preventing inspection of network traffic, increasing risk. In fact, Gartner predicts that in 2017 more than half of network attacks targeting enterprises will use encrypted traffic to bypass controls.

With attackers preying on the security gaps created by encrypted traffic, let’s examine the five most common network traffic inspection errors made today:

To read this article in full or to leave a comment, please click here

Reaction: Anonymity isn’t a bug

Despite the bad rap it sometimes gets, anonymity – and anonymity technology – is used all the time by everyday people. Think about it: just walking in a park without being recorded or observed or “going off the grid” are common examples of people seeking to disconnect their identity from their activities. via the center for democracy and technology

The problem with anonymity and the modern Internet is we tend to think of being anonymous as either “on” or “off” all the time. The only real reason we can think of to want to be anonymous is to do something evil, to hurt someone, to steal something, or to do something else considered anti-social or wrong.

But there’s a problem with this thinking — it’s much like pitting “the rich” against “the poor,” or any other time bound classification. There are times when I want to be anonymous, and there are times when I don’t care. It’s not a matter of doing that which is nefarious. It’s more about expressing opinions you know people won’t agree with, but which the expression of could cause you material harm, or about being able to investigate something without telling anyone about the situation. Continue reading

New Dell partnership throws doubt on traditional antivirus programs

A partnership announced by Dell on Tuesday shows how cybersecurity defenses are evolving, which could have wide-ranging effects on vendors like Symantec, McAfee and Trend Micro.The PC giant has partnered with Cylance, an Irvine, California-based company that specializes in detecting and blocking attacks on endpoint computers.Early next year, Dell will wrap Cylance's Protect product in its Data Protection Endpoint Security Suite, said Brett Hansen, Dell's executive director of data security solutions. The suite is an integrated package with encryption capabilities, authentication features and malware detection.To read this article in full or to leave a comment, please click here

Book Review: Design For How People Learn

Design For How People Learn, by Julie Dirksen (ISBN 978-0321768438)

Design_for_how_people_learn

I saw the title for this book roll across my Twitter feed — can’t remember from who, sorry — from someone who had a blog and was advocating for other bloggers to check this book out. When I read the abstract for the book, I immediately added it to my reading list.

“Whether it’s giving a presentation, writing documentation, or creating a website or blog, we need and want to share our knowledge with other people. But if you’ve ever fallen asleep over a boring textbook, or fast-forwarded through a tedious e-learning exercise, you know that creating a great learning experience is harder than it seems.”

Continue reading

Don’t fall for drone registration scams, warns FAA

The U.S. Federal Aviation Administration hasn't revealed its plans for drone registration yet, but that hasn't stopped at least one company from trying to make a buck from confusion about the rules.In early November, the FAA and Department of Transportation said they intend to set up a registry that will likely cover many small consumer drones, but it's yet to happen. A task force established to propose registration rules is due to deliver its findings on Friday, but even then the FAA will have to come up with formal rules and propose them.MORE ON NETWORK WORLD: 6 simple tricks for protecting your passwords "Owners should wait until additional details about the forthcoming drone registration system are announced later this month before paying anyone to do the work for them," the FAA said on Monday.To read this article in full or to leave a comment, please click here

1 3,210 3,211 3,212 3,213 3,214 3,809