
Saturday, December 26, 2015

What are you doing to secure yourself? By 2020, 1 in 5 people will be hit by a data breach

In a world where it seems like a new data breach is announced every other day, there are still plenty of people who don’t think it’ll happen to them. They read about the 15 million or so T-Mobile customers who were hit by the Experian data breach and are thankful that they weren’t a customer. If they evaded the Anthem data breach, they count themselves lucky and believe they’ve beaten the odds.
If you belong to the club of ‘fortunate’ people who’ve still not faced the brunt of a data breach, here’s some news that should make you think. IDC predicts that around one quarter of the world’s population will be affected by a data breach by 2020.
Each data breach is a lesson in itself, and many organizations are investing money to improve their own IT security posture. They are plugging gaps, improving security awareness amongst employees and deploying end-to-end IT security solutions that secure users, devices, data and servers alike.
Data breaches are an expensive proposition and with more stringent data protection laws coming into play, no organization would want to lose sensitive customer data. Under the new EU data protection laws, for example, companies could face massive fines of up to 4% of their global annual turnover.
So, why are we staring at more data breaches in the future?
We are living in an increasingly connected world. Mobile, broadband and wireless use is still rising and it is estimated there will be nearly 3.1 billion connections to the Internet of Things (IoT) by 2019. Attack surfaces are growing and so is the sophistication of cyberattacks.
The question is: how do you, as an individual, protect your data? Or are you staring at a lost cause?
The answer lies in ‘choice’. Choose to share sensitive information of a personal nature with only those organizations who have a stringent and legally compliant privacy policy which contains explicit information on how they plan to protect your data. If you are concerned about the data safeguards in place, reach out to the company directly and clarify them.
Let’s be very honest here. How many of us actually go through the privacy policy page? There are plenty of people who don’t know what a privacy policy is. The time has come to take ownership of your data’s security. Do not take it lightly.
Make sure you are doing your bit to keep your data secure. Using strong, unique passwords for each online account and making sure you back up your files (a solution for ransomware attacks) is a good start.
You also need to guard against social engineering attacks, such as phishing. These types of attacks aim to fool you into handing over confidential or sensitive data. So, the next time you receive an email or other communication that asks you to share sensitive information, or click on a link, think ‘security’ before you do so.
Yes, data breach incidents may go up in the future, but so should your resolve to protect your data.

Tuesday, December 15, 2015

Joomla Sites Can Be Hijacked via User-Agent Strings

Joomla just issued an emergency security patch after Sucuri observed a large number of attacks on Joomla sites using malicious User-Agent strings. Attackers were placing code in custom-made User-Agent strings, which Joomla stored in the database without sanitizing them. This allowed the attackers to execute code remotely on the site and plant a backdoor on the targeted websites. Although Joomla no longer supports its older versions, the bug was so critical that it issued security patches even for EOL versions going back to 1.5.x.
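As an added defender's example (not code from Joomla or Sucuri), the following scans Apache combined-format access logs for User-Agent values that look like code rather than a browser string, and shows the validation step that should run before any User-Agent is stored. The marker patterns, the log format and the sample lines are assumptions constructed for illustration.

```python
import re

# Markers that do not belong in a legitimate browser User-Agent header: PHP open
# tags, dangerous PHP calls, and PHP serialized-object prefixes ("O:<len>:").
# Assumption: these generic markers are illustrative, not a vendor signature.
SUSPICIOUS_UA = re.compile(
    r'<\?php|\beval\s*\(|base64_decode\s*\(|\bsystem\s*\(|\bO:\d+:',
    re.IGNORECASE,
)

# Apache "combined" log format; the User-Agent is the final quoted field and
# Apache escapes embedded quotes as \" so the field pattern allows \" inside.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)"$'
)

def parse_line(line):
    m = COMBINED_LOG.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious_ua(ua):
    return bool(SUSPICIOUS_UA.search(ua))

def safe_for_storage(ua, max_len=255):
    """Validate a User-Agent before persisting it (the step the vulnerable
    versions skipped): printable ASCII only, bounded length, no code markers.
    Returns the trimmed value, or None if the header should be rejected."""
    if not ua.isascii() or not ua.isprintable() or is_suspicious_ua(ua):
        return None
    return ua[:max_len]

def scan_log(lines):
    """Return (client_ip, user_agent) for every request whose UA looks like code."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious_ua(rec["ua"]):
            hits.append((rec["ip"], rec["ua"]))
    return hits

# Constructed sample lines (not real traffic): a normal browser, a serialized
# PHP object where a browser string should be, and an embedded PHP tag.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Dec/2015:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"',
    '198.51.100.9 - - [15/Dec/2015:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "O:5:\\"Dummy\\":1:{s:1:\\"a\\";i:1;}"',
    '198.51.100.9 - - [15/Dec/2015:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 <?php echo 1; ?>"',
]
```

Running `scan_log(SAMPLE_LOG)` flags the second and third lines; a browser string that fails `safe_for_storage` should be dropped or replaced with a fixed placeholder rather than written to the session table.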

Saturday, December 12, 2015

Internet's Backbone Withstands Huge DDoS Attack

DNS is short for Domain Name System, the online service that converts server names into network numbers. Without it, you wouldn’t be able to refer to a server called example.com – you’d have to remember 192.168.1.140 instead. Actually, it’s even worse than that, because busy websites like www.facebook.com don’t have just one server IP.


Big web properties may have racks and racks of customer-facing servers in operations centres all over the world, giving them a wide variety of network number ranges on a wide variety of different networks.
Busy sites typically use DNS to direct you to a specific server based on load levels, maintenance schedules, your current location, and so on, in order to improve speed, spread load and avoid bottlenecks.
In other words, DNS is extremely important, to the point that the internet would be unusable without it.
For that reason, DNS is implemented as a hierarchical, distributed global database, which is a fancy way of saying that no one DNS server holds the entire database, and no one server is critical to the operation of all the others.

Root server operators have already highlighted one problem that makes such attacks possible: the failure of large numbers of ISPs to implement network ingress filtering, which limits the ability to spoof internet traffic and so carry out DDoS attacks. That said, one analysis shows that 82 per cent of the internet's traffic is now not spoofable thanks to the broad implementation of the BCP 38 standard.
Another solution put forward by the former operator of the F-root server, Paul Vixie, is to develop a liability model that would penalize network operators that allow attack traffic to flow across their networks.
"In the world of credit cards, ATM cards, and wire transfers, state and federal law explicitly points the finger of liability for fraudulent transactions toward specific actors," Vixie wrote in a post last month.
"And in that world, those actors make whatever investments they have to make in order to protect themselves from that liability, even if they might feel that the real responsibility for preventing fraud ought to lay elsewhere."
"We have nothing like that for DDoS. The makers of devices that become part of botnets, the operators of open servers used to reflect and amplify DDoS attacks, and the owners and operators of networks who permit source address forgery, bear none of the costs of inevitable storms of DDoS traffic that result from their malfeasance."


For example, to figure out where sham.in lives, your own company’s (or ISP’s) DNS server takes a top-down approach:
  • Ask the so-called root servers, “Who looks after the .IN domain name data?”
  • Ask the .IN part of the hierarchy, “Who is officially responsible for DNS for sham.in?”
  • Ask the sham.in name servers, “Which server do I go to for sham.in?”
Each DNS reply contains a Time To Live number, or TTL, that says how long to remember the answer, typically somewhere from 1 minute to 1 hour, after which the result is thrown away.
That greatly reduces the number of times a full, top-down hierarchical query is needed, while ensuring that the system can recover automatically from incorrect or outdated answers.
As you can imagine, the root servers are the key to the entire DNS service, because all as-yet-unknown answers must be requested by starting at the top.

So there are 13 root servers, prosaically named A to M, operated by 12 different organisations, on 6 different continents.
In fact, each “server” actually consists of a server farm of many physical servers in multiple locations, for reliability.
Server L, for example, is mirrored in 128 locations in 127 towns and cities (San Jose, California, hosts two instances) in 68 countries, from Argentina to Yemen.




Because you need to consult a root server by number to look up where the root servers are by name, DNS servers themselves keep a static numeric list of all the root servers.
Generally speaking, only one root server IP number ever changes at a time, and such changes are rare, so even an old root server list will work, at least to start with.
A DNS server with an outdated list can try each of the 13 roots in turn, until it figures out where to update to the latest list.
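The top-down walk, the TTL cache and the fallback across the static root list described above, as an added simulation that is not part of the original article: a toy resolver over a constructed, in-memory DNS universe (all names and addresses are illustrative documentation values, and root "A" is deliberately marked unreachable so the next root in the list is tried).

```python
import time

# Constructed toy DNS universe (assumption: illustrative documentation addresses, not the real roots).
ROOT_HINTS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]   # static list every resolver ships with
DOWN = {"192.0.2.1"}                                   # root "A" is unreachable in this scenario
SERVERS = {   # server address -> {zone: ("NS", [addresses], ttl) referral or ("A", ip, ttl) answer}
    "192.0.2.2": {"in.": ("NS", ["192.0.2.10"], 3600)},
    "192.0.2.3": {"in.": ("NS", ["192.0.2.10"], 3600)},
    "192.0.2.10": {"sham.in.": ("NS", ["192.0.2.20"], 1800)},
    "192.0.2.20": {"sham.in.": ("A", "192.0.2.50", 300), "www.sham.in.": ("A", "192.0.2.51", 300)},
}

def query(server, name):
    """Ask one server about name: returns its most specific matching record, or None."""
    if server in DOWN:
        raise TimeoutError(server)
    best = None
    for zone, rec in SERVERS.get(server, {}).items():
        if (name == zone or name.endswith("." + zone)) and (best is None or len(zone) > len(best[0])):
            best = (zone, rec)
    return best[1] if best else None

class Resolver:
    def __init__(self, clock=time.time):
        self.cache = {}            # name -> (address, expiry timestamp)
        self.clock = clock
        self.upstream_queries = 0  # how many times we had to ask another server

    def resolve(self, name):
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]          # answer still within its TTL
        servers = list(ROOT_HINTS) # unknown answer: start at the top
        while servers:
            for s in servers:
                self.upstream_queries += 1
                try:
                    rec = query(s, name)
                except TimeoutError:
                    continue       # this root/name server is down, try the next one
                if rec is None:
                    return None    # server knows nothing about this name
                kind, data, ttl = rec
                if kind == "A":
                    self.cache[name] = (data, now + ttl)
                    return data
                servers = data     # referral: descend one level
                break
            else:
                return None        # every server at this level failed
```

With a fake clock you can watch the query count stay flat while the TTL is valid and jump again once it expires.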
In short: DNS is surprisingly resilient, by design, and DDoSing it is correspondingly hard.
 

Unsurprisingly, however, the root servers do get DDoSed from time to time, sometimes on an astonishing scale.
Indeed, the Root Server Operators recently reported a DDoS on the last day of November 2015, and the first day of December, that reached 5,000,000 bogus requests per second per root server letter.

The total attack time was just under four hours, so the DNS root servers would have experienced close to 1 trillion (10^12) bogus requests during the two attack windows (5,000,000 per second × 13 root letters × roughly 14,400 seconds ≈ 9.4 × 10^11).

Simply put, the DNS root servers took an unprecedented hammering, but nevertheless stood firm, keeping the global DNS fully functional throughout.

For defense: it's long past time to implement source address validation (BCP 38 ingress filtering) across the networks that feed the DNS system.
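Source address validation as routers actually enforce it, as an added example that is not from the original article: a strict reverse-path (uRPF) check over a constructed edge-router routing table, applied on customer-facing ports only. The prefixes, interface names and packets are assumptions built for illustration.

```python
import ipaddress

# Constructed edge-router routing table (assumption: documentation prefixes
# standing in for real customer assignments; eth0 faces the upstream).
ROUTES = [
    ("203.0.113.0/24", "eth1"),    # customer A
    ("198.51.100.0/25", "eth2"),   # customer B (IPv4)
    ("2001:db8:1::/48", "eth2"),   # customer B (IPv6)
    ("0.0.0.0/0", "eth0"),         # default route toward the transit provider
    ("::/0", "eth0"),
]
TABLE = [(ipaddress.ip_network(p), i) for p, i in ROUTES]
CUSTOMER_IFACES = {"eth1", "eth2"}  # where BCP 38 applies: the edge, not the transit link

def lookup(addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    best = None
    for net, iface in TABLE:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None

def strict_urpf(ingress, src):
    """Strict reverse-path check (how routers enforce BCP 38): accept only if the
    route back to src leaves through the interface the packet arrived on."""
    return lookup(ipaddress.ip_address(src)) == ingress

def accept(ingress, src):
    """Apply the check on customer-facing ports only; strict uRPF on an upstream
    link would wrongly drop legitimate asymmetrically routed traffic."""
    return ingress not in CUSTOMER_IFACES or strict_urpf(ingress, src)

def filter_packets(packets):
    """packets: iterable of (ingress_iface, src, dst). Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if accept(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped

# Constructed packets. The last two carry forged sources: an address outside
# customer A's prefix on A's port, and customer A's address arriving on B's port.
PACKETS = [
    ("eth1", "203.0.113.44", "192.0.2.53"),
    ("eth2", "2001:db8:1::10", "2001:db8:ffff::53"),
    ("eth0", "192.0.2.99", "203.0.113.44"),     # inbound from upstream: not checked here
    ("eth1", "198.18.0.7", "192.0.2.53"),
    ("eth2", "203.0.113.44", "192.0.2.53"),
]
```

A network that drops the last two packets at its edge cannot be used to send requests "from" a victim's address, which is what makes DNS reflection and amplification possible in the first place.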

Wednesday, December 9, 2015

IBM acquires cloud video firm Clearleap

IBM continues to bolster its cloud technology portfolio with the acquisition of Clearleap. The Duluth, Georgia, firm developed a platform for online video services for HBO, the NFL, Verizon and other content providers.
Video has become a growing part of the data that IBM customers need managed. Clearleap's technology will become part of IBM's Cloud platform to make it easier to deliver and monetize video online and on mobile devices, the company says.
The acquisition also helps IBM in its attempt to address the "dark data" dilemma. Computer systems are unable to handle about 80% of the world's data, and much of that is video, IBM says.


Terms of the deal were not released. IBM shares were down about 1% to $138.93.


Last month, IBM acquired software developer Cleversafe, which creates tools for the storage and management of such unstructured data. Coupled with its 2014 acquisition Aspera and Clearleap, IBM says it plans to make it easier for customers to store, index and retrieve video content in the cloud.
“With consumer demand for video growing exponentially, the business of creating compelling and personalized video experiences is booming,” said Clearleap CEO Braxton Jarratt in a statement. “As a part of IBM, we can extend the capabilities and global reach of the Clearleap innovations to grow and scale like never before.”

Encryption in Israel

Interesting essay about how Israel regulates encryption:
...the Israeli encryption control mechanisms operate without directly legislating any form of encryption-key depositories, built-in back or front door access points, or other similar requirements. Instead, Israel's system emphasizes smooth initial licensing processes and cultivates government-private sector collaboration. These processes help ensure that Israeli authorities are apprised of the latest encryption and cyber developments and position the government to engage effectively with the private sector when national security risks are identified.
Basically, it looks like secret agreements made in smoke-filled rooms, very discreet with no oversight or accountability. The fact that pretty much everyone in IT security has served in an offensive cybersecurity capacity for the Israeli army helps. As does the fact that the country is so small, making informal deal-making manageable. It doesn't scale.
Why is this important?
...companies in Israel, a country comprising less than 0.11% of the world's population, are estimated to have sold 10% ($6 billion out of $60 billion) of global encryption and cyber technologies for 2014.

Monday, November 23, 2015

US and China to sign a space treaty

Washington and Beijing have established an emergency 'space hotline' to reduce the risk of accidental conflict. Several international initiatives are already in train to seal a space treaty to avoid a further build-up of weapons beyond the atmosphere. However, security experts say the initiatives have little chance of success. A joint Russia-China proposal wending its way through the UN was not acceptable to the US. An EU proposal, for a "code of conduct" in space, was having diplomatic "difficulties" but was closer to Washington's position.

Monday, November 2, 2015

HP's Tale: Splitting into Two

If Hollywood wanted a script about the inexorable decline of a corporate icon, it might look to Hewlett-Packard for inspiration. Once one of Silicon Valley's most respected companies, HP officially split itself in two on Sunday, betting that the smaller parts will be nimbler and more able to reverse four years of declining sales. HP fell victim to huge shifts in the computer industry that also forced Dell to go private and have knocked IBM on its heels. Pressure from investors compelled it to act. But there are dramatic twists in HP's story, including scandals, a revolving door for CEOs and one of the most ill-fated mergers in tech history, that make HP more than a victim of changing times.

Saturday, October 24, 2015

High-speed public Wi-Fi in 400 train stations across India.

The initiative is being launched in collaboration with RailTel.

HP calls off its OpenStack-based public cloud

Hewlett-Packard, which has been backing off on ambitious public cloud plans for a year, is now calling it quits, sunsetting HP Helion Public Cloud in January 2016. In a buzzword-laden blog post, the company says it is building out support for interoperability with Amazon and Microsoft public cloud offerings to provide options for customers who require such functionality. "HP’s decision is the latest milestone in what has been a slow fade for the company’s public cloud ambitions. It has become increasingly clear that there are three, maybe four companies that can support (at scale) the massive shared computing, networking, and storage infrastructure necessary for a public cloud. ..." HP will continue pushing its private and hybrid cloud.

Tuesday, October 13, 2015

It's official: Dell merges with EMC

Dell Inc. and private-equity firm Silver Lake will buy data-storage company EMC Corp for roughly $67 billion in cash and stock, marking the biggest technology-industry takeover ever.
The $33.15-a-share price tag represents a 28% premium over EMC’s closing price, according to the Wall Street Journal.

VMware, a pioneer in virtualization software in which EMC owns about an 80% stake, will remain a publicly traded company with Dell as controlling shareholder. Hopefully the pending $37 billion acquisition of Broadcom Corp. by chipmaker Avago Technologies Ltd. will close soon.
The deal is twice the size of the WhatsApp acquisition and also bigger than the Compaq-HP deal.

The common point is that Dell, EMC and VMware are all betting on the same technology: virtualization.
This will add value and bring some changes to this space. Adding RSA, a premier infosec product line, also adds value, since RSA is one of the leaders in the GRC space.

What's the next game-changing plan, Dell?