The Weekend of Discontent

This past weekend, like many of you, I started getting the blood-curdling password reset notices from a bunch of sites affected by the OpenSSL bug. I also got a few emails from sites indicating that I had nothing to worry about. Bad news, good news. Probably the biggest security story thus far for 2014 is Heartbleed, the OpenSSL vulnerability which potentially allows attackers to read up to 64 kilobytes of a server's memory per request, over and over, without being noticed and without leaving a trace in the logs. Sounds like the perfect crime.
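To make that bug class concrete, here is an added C illustration of the missing length check behind Heartbleed. It is not OpenSSL's code: the record layout follows the TLS heartbeat format (a type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding), but the handlers, the connection "arena", the SECRET string and the build_conn helper are constructed for this example so that the over-read stays inside an allocated buffer and the program is well defined. The vulnerable handler copies however many bytes the peer declared; the hardened one drops any record whose declared length does not fit inside what was actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the Heartbleed bug class; this is not OpenSSL's code.
 * A TLS heartbeat record is: [type:1][payload_length:2, big-endian][payload][padding >= 16].
 * The vulnerable handler trusts payload_length; the hardened one checks it against
 * the bytes actually received. The "arena" is a constructed stand-in for process
 * memory so the over-read stays inside an allocation and the demo is well defined. */

#define ARENA_SIZE 70000u   /* room for a 65535-byte "payload" plus header and padding */
#define PADDING    16u

typedef struct {
    unsigned char arena[ARENA_SIZE]; /* received record at offset 0; other data beyond it */
    size_t record_len;               /* bytes actually received for this record */
} conn_t;

static uint16_t n2s(const unsigned char *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }

/* Vulnerable: copies payload_length bytes regardless of how many were received.
 * Returns the number of response bytes written (0 on failure). */
static size_t heartbeat_vulnerable(const conn_t *c, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = c->arena;
    uint16_t payload_len = n2s(p + 1);
    if (3u + payload_len > out_cap) return 0;       /* protects only the output buffer */
    out[0] = 2;                                     /* heartbeat response */
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);            /* reads past the record into the arena */
    return 3u + payload_len;
}

/* Hardened: the declared length must fit inside the received record
 * (1 type + 2 length + payload + 16 padding), otherwise the record is dropped. */
static size_t heartbeat_fixed(const conn_t *c, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = c->arena;
    if (c->record_len < 3u + PADDING) return 0;     /* cannot even hold header + padding */
    uint16_t payload_len = n2s(p + 1);
    if (3u + payload_len + PADDING > c->record_len) return 0;  /* declared > received: drop */
    if (3u + payload_len > out_cap) return 0;
    out[0] = 2;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);
    return 3u + payload_len;
}

/* Constructed secret that happens to sit in memory after the record. */
static const char SECRET[] = "session-cookie=constructed-example-value";

/* Constructed connection state: a record claiming `claimed` payload bytes but
 * actually carrying `actual` bytes, with SECRET placed 1000 bytes past its end. */
static void build_conn(conn_t *c, uint16_t claimed, size_t actual)
{
    memset(c->arena, 'A', ARENA_SIZE);
    c->arena[0] = 1;                                /* heartbeat request */
    c->arena[1] = (unsigned char)(claimed >> 8);
    c->arena[2] = (unsigned char)(claimed & 0xff);
    c->record_len = 3u + actual + PADDING;
    memcpy(c->arena + c->record_len + 1000, SECRET, sizeof SECRET - 1);
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

static conn_t g_conn;
static unsigned char g_out[ARENA_SIZE];

/* A lying record (claims 65535 bytes, sends 1) against the vulnerable handler:
 * the 65538-byte response carries the secret that was never part of the record. */
int demo_vulnerable_leaks(void)
{
    build_conn(&g_conn, 65535, 1);
    size_t n = heartbeat_vulnerable(&g_conn, g_out, sizeof g_out);
    return n == 3u + 65535u && contains(g_out, n, SECRET);
}

/* The same lying record against the hardened handler is dropped; nothing is echoed. */
int demo_fixed_rejects(void)
{
    build_conn(&g_conn, 65535, 1);
    return heartbeat_fixed(&g_conn, g_out, sizeof g_out) == 0;
}

/* An honest record (declared == received) still gets its 4-byte answer after the fix. */
int demo_fixed_accepts_honest(void)
{
    build_conn(&g_conn, 1, 1);
    size_t n = heartbeat_fixed(&g_conn, g_out, sizeof g_out);
    return n == 4 && !contains(g_out, n, SECRET);
}

int main(void)
{
    printf("vulnerable handler leaks secret:    %s\n", demo_vulnerable_leaks() ? "yes" : "no");
    printf("fixed handler drops lying record:   %s\n", demo_fixed_rejects() ? "yes" : "no");
    printf("fixed handler answers honest record: %s\n", demo_fixed_accepts_honest() ? "yes" : "no");
    return 0;
}
```

Build it with `cc -std=c99 -Wall heartbeat.c && ./a.out`. Two things are worth noticing. The whole fix is a single comparison of an attacker-supplied length against the bytes actually received, which is the check any parser of a length-prefixed format needs before it copies. And the lying record is handled silently by the vulnerable code: it produces a normal-looking response and no error, which is why a real server had nothing in its logs to show it had been read.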

It also got me thinking.

First, I wondered if this was a new era of security by force. The vulnerability and the totality of the hole forced many of us to change passwords on many sites. What a pain. It was a huge reminder that no matter how many 'experts' urge regular password rotation, it is a real time-consuming, frustrating task. It's no wonder that so many keep the same password for years or use the same password across multiple sites. With so many sites requiring some authentication or verification for either resources or customization, people can have hundreds of username/password combinations. Sure, there are password managers, but part of me is reluctant to put all my web identities with one entity. What if that gets hit? For some sites I choose not to save and auto-fill the password and enter it every time. Then, of course, I'm susceptible to keyloggers. Great.

Then there are the developers. I imagine this past weekend was the busiest the coding community has ever had. Administrators across many sectors were working to patch vulnerable systems all over the globe to reduce the security threat. A massive undertaking, given that roughly two-thirds of the web's servers run on OpenSSL. The weekend work of many fingers plugging dikes was probably only surpassed by the marketers and PR folks maneuvering their stories around what it is, what's at risk, what you should do and other FAQs surrounding this security superstar. @LanceUlanoff speculated on Twitter, 'Is Heartbleed the first Internet bug with its own Web site? http://t.co/M9u976X9ui'

With so many sites and so many people affected, along with the massive media coverage, will things change? Or will this be like Y2K, with a bunch of dire warnings only to have nothing major occur? Is this a wake-up call, or will it dissolve into yesterday's news as new 'breaking' stories grab our attention? I think (and hope) that this is so critical that many organizations will be taking a more detailed look at their security infrastructure even if they are not vulnerable to Heartbleed. It forces many, if not all, internet users, including the administrators themselves, to take a look at how we are protecting ourselves. It'll be interesting to see if '12345678' or 'qwertyui' or even 'password' continues to be the most popular passcode after this massive reset.

If you need assistance with your Heartbleed crisis, click here to learn how F5 can help.

ps

Connect with Peter: Connect with F5:
o_linkedin[1] o_rss[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]



The DNS of Things

Hey DNS - Find Me that Thing!

There's a new craze occurring in homes, highways, workplaces and everywhere imaginable - the Internet of Things or, as I like to call it, The Internet of Nouns. Sensors, thermostats, kitchen appliances, toilets and almost every person, place or thing will have a chip capable of connecting to the internet. And if you want to identify and find those things with recognizable words instead of a 128-bit IPv6 address, you're going to need DNS.

DNS translates the names we type into a browser or mobile app into an IP address so the services can be found on the internet. It is one of the most important components of the internet, especially for human interaction. With the explosion of mobile devices and the millions of apps deployed to support those devices, DNS traffic has doubled in recent years. It is also a vulnerable target.

While the ability to adjust the temperature of your house or remotely flush your toilet from around the globe is cool, I think one of the biggest challenges of the Internet of Nouns will be the strain on DNS. Not only having to resolve the millions of additional 'things' getting connected but also the potential vulnerabilities and risks introduced when your washing machine connects to the internet to find the optimal temperature and detergent mix to remove those grass, wine and blood stains.

Recent research suggests that the bad guys are already taking advantage of these easy targets. Ars Technica reports that the malware that has been targeting routers has now spread to DVRs. Not my precious digital video recorder!! Last week, SANS found a Bitcoin-mining trojan that can infect security camera DVRs. As they were watching a script that hunted the internet for data storage devices, they learned that the bot was coming from a DVR. Most likely, they say, it was compromised through the default telnet credentials.

In another report, ESET said it found 11-year-old malware that had been updated with the ability to compromise a residential broadband router's DNS settings. The malware finds a vulnerable router and changes its DNS entries to either send the person to a rogue site to install more malware (join the botnet, why don't ya) or just redirect them to annoying sites. Imagine if the 50+ connected things we will soon have in our homes also joined the botnet. Forget about needing compute and bandwidth from machines around the globe; you could zero in on a neighborhood to launch an attack.

Nominum research shows that DNS-based DDoS amplification attacks have significantly increased in recent months, targeting vulnerable home routers all over. A simple attack can create tens of gigabits per second of traffic to disrupt networks, businesses, websites and regular folks anywhere in the world. More than 24 million home routers on the Internet have open DNS proxies, which expose ISPs to DNS-based DDoS attacks, and in February 2014 alone more than 5.3 million of these routers were used to generate attack traffic. These attacks are especially hard to track: the attacker spoofs the victim's address in the queries, and the replies arrive from millions of ordinary home routers, so it is difficult to determine where the attack actually originates.

Lastly, Ultra Electronics AEP says 47% of the internet remains insecure since many top level domains (TLDs) have failed to sign up to use domain name system security extensions (DNSSEC). These include heavy internet using countries like Italy (.it), Spain (.es) and South Africa (.za), leaving millions of internetizens open to malicious redirects to fake websites. Unless the top level domain is signed, every single website operating under a national domain can have its DNS spoofed and that's bad for the good guys.

We often don't think about the Wizard behind the curtain until we are unable to resolve an internet resource. DNS will become even more critical as additional nouns are connected and we want to find them by name. F5 DNS Solutions can help you manage this rapid growth with complete solutions that increase the speed, availability, scalability, and security of your DNS infrastructure.

And I do imagine a time when our current commands could also work on, for instance, the connected toilet: /flushdns.

Just couldn't let that one go.

ps




Interop 2014: F5 Interop NOC Stats

Posted in security, f5, big-ip, availability, silva, video, interop, infrastructure by psilva on April 9th, 2014

We visit with Ken Bocchino and Joe Wojcik of F5 Professional Services again to get some insight on the Interop.net network stats for the week. We talk DNS (15 million DNS lookups, half via BIG-IP recursion), SPDY and IPv6 along with a little insight on some of the overall traffic and the attack mitigation that occurred for the World’s Largest Temporary Network.




Interop 2014: F5 Synthesis Whiteboard (feat Wagner)

Posted in security, f5, big-ip, silva, video, optimization, control, interop, infrastructure by psilva on April 2nd, 2014

Synthesis in the Wild! Tim Wagner, Manager, Field Systems Engineering, shows how he whiteboards the F5 Synthesis story to help organizations understand the value of SDAS – Software Defined Application Services. He discusses SDN and how that works within a Layer 2/3 environment and the power of SDAS for Layers 4-7 with its ability to apply important services to the applications that need it…all on a single platform. Interesting discussion on how marketing visions translate into real customer solutions available today.

Interop 2014: F5 Synthesis Whiteboard by f5dotcom

ps




Interop 2014: F5 in the NOC (feat Bocchino & Wojcik)

Posted in f5, big-ip, acceleration, silva, video, application delivery, infrastructure, spdy, trade show by psilva on April 1st, 2014

Principal Services Architect Ken Bocchino and F5 Consultant Joe Wojcik visit to show and tell us how F5 is integral to the Interop.net infrastructure – the world's largest temporary network. Ken gives a brief whiteboard of the architecture, Joe talks about how we've enabled SPDY to help accelerate content to attendees' browsers, and we visit the equipment rack to hear the hum of the F5 2400s.

Interop 2014: F5 in the NOC by f5dotcom




Interop 2014: Find F5 Pop Up Edition

Posted in f5, silva, video, application delivery, interop, trade show by psilva on April 1st, 2014

In a little twist for April 1, I welcome you to Interop 2014 with a fun Pop Up version of how to find F5 Booth 2227. Reporting from Mandalay Bay in Vegas!

ps


Malware costs $491 Billion in Perspective

A recent joint study from IDC and the National University of Singapore (NUS) predicts that companies around the globe will spend around $491 billion in 2014 on fixes and recovery from data breaches and malware. The sponsor, Microsoft, also noted that pirated software deliberately tampered with is a common way for malware to get inside. Consumers will likely spend $25 billion as a result of those security threats. $491 billion is a lot of change and, in the spirit of Mobile Threats Rise 261% in Perspective, I wanted to know what else costs $491 billion.

Apparently, quite a few things!

U.S. motorists may spend a record $491 billion for gasoline this year. Expensive oil and increased exports have kept our fuel prices high this year. We are still under the 2008 average gas price record but we will still spend more due to gas going up sooner in the year and staying high longer. I know I've seen $4.11 here in California where the average is $3.94. While the winter blend production does bring some relief, don't expect major drops due to higher global demand along with the various feuds in the world.

Back in 2005, the US House of Representatives passed a $491 billion defense bill. This was when we were still in Iraq, and the only reason I find this interesting is that the cyber-war can now cost as much as real wars. Not really apples to apples, admittedly, but I often talk about how our digital worlds are colliding and integrating with our physical lives. Either way, the costs can be very real.

Now at the three-year mark of the Fukushima meltdown, property damage so far has been assessed at approximately US$200 billion, but some estimates show that the total burden will be $491 billion. While one could never put a price on the 19,000 people lost to the earthquake and tsunami, it is kinda spooky that breaches and malware are on par with nuclear disasters.

According to the Global Business Travel Association (GBTA) Foundation business travel was responsible for about 3% of U.S. GDP in 2012 or $491 billion. Essentially, every dollar of business travel spending generated about $1.28 in GDP. Of the $491 billion total, $208 billion accrued directly to businesses that served travelers or meeting attendees.

In 2011 the European chemical industry contributed 20.9% of the world's chemical sales, valued at €2,353 billion, generating €491 billion of revenue and employing 1.16 million people.

In 2012-13, India's total imports were $491 billion, according to their Finance Minister.

And finally, the Earth is 491 billion feet from the sun, give or take.

The cost of malware is on par with the likes of defense budgets, nuclear disasters, a year of U.S. gasoline spending and an entire country's import bill. It is often hard to grasp such large dollar amounts, but when compared to the other $491 billion items, you can get a real sense of the magnitude.

ps

 




Infrastructure as a Journey

I see and read a lot of IT articles almost demanding that organizations must do certain things to ensure that some piece of their infrastructure is secure, highly available, fault tolerant, agile, flexible, scalable, recoverable, cloud'able, whatever the silo needs, or face dire circumstances. I'm guilty of it too over the years. Organizations must have a WAF for PCI compliance, or remote employees need an encrypted tunnel to the corporate network, or any other command pertaining to the health of your infrastructure.

Life is a Journey, Faith is a Journey and, by golly, Business is a Journey. IT is tasked with supporting the business objectives, so why not Infrastructure as a Journey? We've seen part of this journey play out over the last 5 years as organizations first tried to understand the cloud, its various definitions/deployment models and the true business benefits. The cloud journey continues as more organizations test the waters, so to speak, and distribute their content over a hybrid infrastructure.

Workplace mobility is and continues to be a journey for many organizations. This started over 10 years ago with the first bricks, Palms and BlackBerrys making their way into employees' hands. iPhones and Androids later, VDI, MDM, MAM and a host of other infrastructure solutions have come along to help with the mobile BYOx journey.

Security has always been a journey. Assessing, managing and mitigating the risk to the business. Security is probably an area that gets the most insistence to do something. For years the ever popular Fear, Uncertainty and Doubt has been used to urge companies to protect something in a certain way. With all the media coverage of data breaches and the reported mistakes (intentional or not) made along the way, it is easy to jump on the 'you must do' bandwagon. But all companies are different.

Also, organizations might not be able to obey all the mandates and accomplish everything they must. They might have tight budgets, limited staff, different priorities, varying risk or other variables that could prevent complete infrastructure bliss. And over the next 5 years, there will probably be even more change that adds even greater hills and valleys to navigate. Just like life. I can also just about guarantee that in 5 years your infrastructure will look nothing like it does today.

Your body's infrastructure is what keeps you going day to day, and your IT infrastructure is what keeps the business going. The infrastructure journey to a high-performance, flexible, agile, application-focused fabric, with the ability to apply services across that fabric and the tools to manage it, is just beginning.

I realize there is incredible pressure to do more with less and have it done yesterday on top of dealing with the daily fires. Much easier said than done, but if you can think of your infrastructure as a journey, it might help prioritize the needs of your business and see what forks in the road are approaching rather than scrambling when the big one hits.

Journeys can take you to some interesting places as you progress from one stage to another. You try stuff, make mistakes, learn and make adjustments to address those and hopefully come out better on the other side. Just always remember to exhale and smile when you get there.

ps




The Applications of Our Lives

The Internet of Things will soon become The Internet of Nouns

There are a few 'The ______ of Our Lives' out there: Days. Time. Moments. Love. They define who we are, where we've been and where we are going. And today, many of those days, times, moments and loves interact with applications. Both the apps we tap and the back end applications used to chronicle these events have become as much a part of our lives as the happenings themselves.

The app, Life.

As reported on umpteen outlets yesterday, Twitter went down for about an hour. As news broke, there were also some fun headlines like 'Twitter goes down, chaos and productivity ensue', 'Twitter is down. NFL free agency should be postponed', 'Twitter is down, let the freak-out commence' and 'Twitter goes down, helps man take note it's his wife's birthday'. It is amazing how much society has come to rely on social media to communicate. Another article, 'Why Twitter Can't Keep Crashing', goes right into the fact that it is a globally distributed, real-time information delivery system and how the world has come to depend on it, not just to share links and silly jokes but in ways that affect lives for real.

Whenever Facebook crashes for any amount of time people also go crazy. Headlines for that usually read something like, 'Facebook down, birthdays/anniversaries/parties cease to exist!' Apparently since people can't tell, post, like, share or otherwise bullhorn their important events, it doesn't actually occur. 'OMG! How am I gonna invite people to my bash in two weeks without social media?!? My life is over!' Um, paper, envelopes, stamps anyone?

We have connected wrist bracelets keeping track of our body movements, connected glasses recording every move, connected thermostats measuring home environments and pretty much any other 'thing' that you want to monitor, keep track of or measure. From banking to buying, to educating to learning, to connecting to sharing and everything in between, our lives now rely on applications so much so, that when an application is unavailable, our lives get jolted. Or, we pause our lives for the moment until we can access that application. As if we couldn't go on without it. My, how application availability has become critical to our daily lives.

I think The Internet of Things will soon become The Internet of Nouns, since every person, place or thing will be connected. I like that. I'm calling 'The Internet of Nouns' our next frontier!

Sorry adverbs, love ya but you're not connected.

ps




So Where Do We Go From Here?

Posted in security, f5, silva, privacy, banking, cybercrime, identity theft, malware, breach by psilva on March 5th, 2014

If you are who you say you are.

I've been travelling the last few weeks shooting some videos for VMware PEX and RSA. When that happens, my browser tabs get crowded with the various stories I'm interested in but will read later. This time they all seemed to hover around identity theft. When I got home, in my awaiting physical mail was a letter from Target. I also returned something to a national hardware store and the cashier tried to crumple my receipt, credit card info and all, into a trash can. Kismet.

Let's take a look...

The FTC recently announced that Identity Theft is the #1 complaint in 2013, for the 14th consecutive year. Is that a record? While down slightly from 2012, it still accounted for 14% of the 2 million overall complaints. This is down from 18% in 2012. Florida, followed by Georgia and California were the worst hit states for ID theft. The IRS has also named Identity Theft as their #1 Dirty Dozen Tax scam for 2014.

Speaking of California, 7.5 million of the over 110 million breached Target accounts belonged to Californians. California is one of the few states that require disclosure when more than 500 accounts are compromised. The first year California required reports, 2012, there were 131 breaches reported; in 2013 that rose to 170. The other interesting thing about California breaches is that many target smaller companies. In 2012, half of the reported breaches came from companies with fewer than 2,500 employees, and almost a third were businesses with fewer than 250 employees. Being small and relatively unknown is no shield.

Also in Southern California, the Feds busted a couple of guys running a Tijuana-based identity theft ring. These dudes broke into a U.S.-based mortgage broker's servers and siphoned off mortgage applications, which included most of the borrowers' personal info: name, birthday, SSN, driver's license number, tax info, the works. They then used that info to open credit lines and, with the info they had, were able to change access to the victims' brokerage accounts. From there, transferring money to other accounts was a snap. From Dec 2012 through June 2013 they stole personal data on 4,200 individuals.

Javelin Strategy and Research released their annual 2014 Identity Fraud Study, stating that in 2013 a new instance of identity fraud occurred every 2 seconds. 1 Mississippi, 2 Mississippi. Another. There were 13.1 million identity fraud victims in 2013. While the number of people is going up, the actual money stolen, according to Javelin, is going down. They estimated the total cost of identity fraud in 2013 to be around $18 billion, more than $3 billion less than 2012. 2004 holds the record at $48 billion. Attackers are now focusing on opening new accounts rather than piggybacking on existing credit cards. Account takeovers, particularly for utilities and mobile phones, are the new freebies. Most of the stolen info appears to come from corporate breaches, and about 1/3 of those who receive a breach letter actually become theft victims. Your debit card also seems more valuable than your social security number: 46% of consumers with breached debit cards became victims versus only 16% of those with breached SSNs.

And in an interesting twist, the top complaint against debt collectors is mistaken identity. Trying to collect a debt from the wrong person was by far the most common complaint to the Consumer Financial Protection Bureau (CFPB). I know this all too well, since over the last 3+ years we've been getting debt collection calls looking for a certain person. We tell them that we've had our phone number for years and to stop calling. A few months go by, the debt gets sold to another collector and we get calls again. It got so bad that this person's own mother called to tell her son that the dad was in the hospital and probably wouldn't make it. About 2 weeks later we got a call from another family member looking to talk about the father's death. This guy was running from debt so much that his own mother couldn't get a hold of him when dad was on his death bed. Now that's bad.

So where do we go from here? Will we all need that personal chip installed on our left earlobe to verify identity? The payment terminal says, 'Please listen for verification.' Riff-raff will then be all like, 'Oh, listen to this cool song,' as they plug the bud into your ear only to suck the data off your PID chip. You didn't hear? That's our IPv6 Personal Identity Chip inserted into every newborn starting in 2025.

Oh, it will happen.

ps




