Posted by: psilva | May 3, 2016

The Visible Data of the Invisible User


As the march to connect each and every noun on this planet continues at a blistering pace, the various ways, contraptions and sensors used to collect data are greatly expanding. What once was a (relatively) small collection of fitness trackers, smartwatches, thermostats, automobiles and surveillance cameras has grown into an industry where shirts, shoes, sleeping bags and even liquor bottles want to gather your info. And most of these devices monitor silently without you even knowing. According to Ryan Matthew Pierson over at Readwrite.com, ‘The strength of IoT is in its ability to be invisible to the user.’

In addition, the mad dash to simply insert a chip, beacon and software into everyday objects is slowly graduating to an era where user experience, privacy and security are becoming critically important for mass adoption. In 2014 Gartner released a report saying the typical family home could have as many as 500 smart devices by 2022. The Consumer Technology Association (CTA) notes that 20% of US households now own an activity tracking wearable device, twice the number of households that owned one last year. And Nielsen reported that smartphone penetration has reached 82% in the U.S.

Interacting and engaging with the customer in real time is a desire of many organizations.

From media and entertainment, to appliances, to transport technologies, to security and environmental controls, along with healthcare and fitness equipment almost every ‘thing’ around us will track something. Or as Dr. Nick Riviera sings, ‘The knee bone’s connected to the something. The something’s connected to the red thing. The red thing’s connected to my wrist watch… Uh oh.’

And it is not only consumer items.

The Industrial IoT is helping farmers with connected tractors, soil sensors, crop health apps and the like. There are HVAC systems that are managed by sensors; streetlights, utilities, parking and traffic in a connected city; and even sports teams are using wearable tech to gain a competitive advantage. And according to Research and Markets, wearable tech in schools is set to surge over the next 5 years.

With the IoT growth comes threats, along with resources to reduce the risks. In Gartner’s latest forecast, IoT security spending is set to nearly double between 2014 and 2018, growing from about $232 million to almost $550 million. Nearly $350 million will go into securing IoT this year alone. They also predict that there will be 6.4 billion connected devices in use worldwide this year, up 30% from 2015.

The security investment is good news since according to Spiceworks and Cox Business, the flood of IT devices entering the market does create security and privacy issues in the workplace. 84% of their survey-takers named the growing number of entry points into the network as a major concern. Number two on the list, at 70% of respondents, was insufficient security measures on the part of IoT manufacturers.

But soon we might be able to solve some of the challenges with our Brain.

There are some very smart research brains out there that have come up with a way to identify you by your brain waves with 100% accuracy. This is your Brainprint. A team of researchers at Binghamton University recorded the brain activity of 50 people wearing an electroencephalogram headset while they looked at a series of 500 images. The pictures were designed specifically to elicit unique responses from person to person. Images included things like pizza, a boat, certain words, celebrities and so forth. They found that participants’ brains reacted differently to each image, enough that a computer system was able to identify each volunteer’s ‘brainprint’ with 100% accuracy.

According to researchers, brain biometrics are appealing because they are cancellable and cannot be stolen by malicious means like a fingerprint or retina scan. The results indicate that brainwaves could be used by security systems to verify a person’s identity. This could be key since our personal data and pattern of life seem to be more valuable now than a silly, worthless credit card number.

Brain & Invisibility: Activate!

   << signed ‘ps’ in Invisible Ink


Posted by: psilva | April 28, 2016

You Never Know When…


An old article gets new life. #TBT

Back in 2012 I wrote an article titled Bait Phone. It was about cops dropping mobile phones with a tracking device and following the stealing culprit for an arrest. Like Bait Car but with a smartphone.

Over the weekend, I noticed that the article was blowing up but couldn’t figure out why:

[Image]

I even tweeted out on Monday:

[Image]

At the time, I didn’t realize something else was at play.

Then I decided to do a twitter search:

[Image]

And found that a video with the same name as my blog post was trending: Bait Phone 2 – basically a stun gun with a remote. Over 2.2 million YouTube views in less than a week. It’s a prank video where they have a remote zapper to sting the culprits when they grab & walk away with the phone. One guy – who had it in his pocket – denied taking it until he was personally shocked.

When I did a Google search over the weekend, my article was still at the top but now the article is like #13 listed (maybe even lower) and the video has taken the top spot.

But you never know when an old article might pop due to some other circumstances. At least folks are reading it and not totally bailing!

Fun stuff.

ps

Posted by: psilva | April 26, 2016

The Dangerous Game of DNS


The Domain Name Service (DNS) is one of the most important components in networking infrastructure, enabling users and services to access applications by translating URLs (names) into IP addresses (numbers). Because every icon and URL and all embedded content on a website requires a DNS lookup, loading complex sites necessitates hundreds of DNS queries.

And because of that, DNS is a precious target and only lags behind http as the most targeted protocol.

DDoS-ing DNS is an effective way to make the service unavailable. As the flood of malicious DNS requests hit the infrastructure, the service can become unresponsive if there is not enough capacity. Organizations can add more servers or turn to their cloud-based security provider for help. One of the strategies cloud-based security providers use to shield DNS is DNS redirection. Cloud providers will divert incoming traffic to their own infrastructure, which is resilient enough to detect and absorb these attacks. The success of this strategy however depends on how well the website’s original IP address can be shielded. If the bad guy can find that IP address, then they can get around the protection.

So is DNS redirection effective? Researchers decided to find out.

Scientists from KU Leuven in Belgium built a tool called CLOUDPIERCER, which automatically tries to retrieve websites’ original IP address, including the use of unprotected subdomains. Almost 18,000 websites, protected by five different providers, were part of the team’s DNS redirection vulnerability tests. In more than 70% of the cases, CLOUDPIERCER was able to retrieve the website’s original IP address – the precise info needed to launch a successful attack.

Researchers did share their findings with those cloud-based providers and have made CLOUDPIERCER freely available for organizations to test their own DNS infrastructure.

In another DNS scam, a new version of the NewPosThings PoS (point of sale, not…) malware is using DNS rather than http/https/ftp to extract data from infected PoS terminals. This is an interesting twist since most security solutions monitor http/https traffic for suspicious activity. Anti-virus doesn’t necessarily watch DNS and admins cannot simply turn off DNS since they need it to resolve hostnames and domains. Seems like a clear shot.

The newest version of NewPosThings is nicknamed MULTIGRAIN and it only targets (and infects) one specific type of PoS platform: the multi.exe process, specific to a popular electronic draft capture software package. If the multi.exe process is not found, the malware moves on. Once inside, the malware waits for the Track 2 credit card data and once it has the data, it encrypts and encodes it before sending it to the bad guy via a DNS query.

The use of DNS for data exfiltration on PoS devices is not new, and it shows not only how attackers can adjust to different environments but also that organizations need to be more aware of their DNS traffic for potential anomalies.
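One way to watch DNS traffic for the kind of anomaly described above, as an added example that is not from the original post: it groups resolver log entries by client and parent domain and flags pairs that send several long, high-entropy subdomains, which is what encoded data carried in query names looks like. The log format, the thresholds, the two-label parent-domain shortcut and every name and address in the sample are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines: "<timestamp> <client_ip> <query_name> <qtype>".
# All names use reserved example domains; 10.1.1.50 stands in for a PoS terminal.
SAMPLE_LOG = """\
2016-04-26T10:00:01Z 10.1.1.20 www.example.com A
2016-04-26T10:00:02Z 10.1.1.20 static-assets-eu-west-1.cdn.example.net A
2016-04-26T10:00:03Z 10.1.1.20 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.tracker.example.org A
2016-04-26T10:00:05Z 10.1.1.50 mfzwizlgm5ugs2tlnrwxk33qojzxi5lw.collector.example A
2016-04-26T10:00:06Z 10.1.1.50 n5xgk4tfmfwgy6lcovzxs3dpobuwiqj7.collector.example A
2016-04-26T10:00:06Z 10.1.1.50 n5xgk4tfmfwgy6lcovzxs3dpobuwiqj7.collector.example A
2016-04-26T10:00:07Z 10.1.1.50 orugs4zanfzsaylomv4gc3lqnrsxg2lu.collector.example A
2016-04-26T10:00:09Z 10.1.1.50 time.example.com A
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded or encrypted data scores high."""
    counts = Counter(text)
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def parent_domain(qname):
    """Last two labels of the name. Assumption for brevity: production code
    should use the Public Suffix List to find the registered domain."""
    return ".".join(qname.split(".")[-2:])


def parse(log_text):
    """Yield (client, query_name) for each well-formed log line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield fields[1], fields[2].rstrip(".").lower()


def find_suspects(log_text, min_len=30, min_entropy=3.5, min_unique=3):
    """Return client/domain pairs with >= min_unique distinct subdomains
    that are both long and high-entropy."""
    subdomains = defaultdict(set)
    for client, qname in parse(log_text):
        domain = parent_domain(qname)
        sub = qname[: -len(domain)].rstrip(".").replace(".", "")
        if sub:
            subdomains[(client, domain)].add(sub)  # set: repeats count once

    suspects = []
    for (client, domain), subs in subdomains.items():
        encoded = [s for s in subs
                   if len(s) >= min_len and shannon_entropy(s) >= min_entropy]
        # One long random-looking name is common (trackers, CDNs); a run of
        # distinct ones from the same host to the same domain is not.
        if len(encoded) >= min_unique:
            suspects.append({
                "client": client,
                "domain": domain,
                "unique_encoded": len(encoded),
                "encoded_chars": sum(len(s) for s in encoded),
            })
    return sorted(suspects, key=lambda s: s["encoded_chars"], reverse=True)


if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_LOG):
        print(hit)
```

The single long name under tracker.example.org is deliberately left unflagged: requiring several distinct encoded names per client and domain keeps ordinary tracking and CDN hostnames from drowning out the signal.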

BIG-IP could also help in both instances.

For the redirection issue, BIG-IP or our Silverline Managed Service offers Proxy mode with DNS redirection. With Routed Mode, we offer BGP to Silverline then Generic Routing Encapsulation (GRE) tunnels or L2VPN back to the customer to mask the original IP address.

For the PoS malware, BIG-IP can utilize a DNS response policy zone (RPZ) as a firewall or outbound domain filtering mechanism. An RPZ is a zone that contains a list of known malicious Internet domains. The list includes a resource record set (RRset) for each malicious domain and each RRset includes the names of the malicious domain and any subdomains of the domain.

When the BIG-IP system receives a DNS query for a domain that is on the malicious domain list of the RPZ, the system responds in one of two ways based on your configuration. You can configure the system to return an NXDOMAIN record that indicates that the domain does not exist or return a response that directs the user to a walled garden.

[Figure: BIG-IP returns NXDOMAIN response to DNS query for malicious domain]

[Figure: BIG-IP forwards DNS query for malicious domain to walled garden]
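The RPZ behaviour described above, modelled as an added example that is not BIG-IP code or configuration: a small resolver front end loads an RPZ-style list, matches a query against each listed domain and its subdomains, and answers with NXDOMAIN or a walled-garden address depending on the configured action. The zone entries (written in the common `owner CNAME .` RPZ record form), the upstream records, the walled-garden address and all function names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed RPZ entries: one record for the domain itself and a wildcard
# record for its subdomains, as in the RRset the text describes.
SAMPLE_RPZ = """\
; constructed entries using reserved example names
collector.example        CNAME .
*.collector.example      CNAME .
malware-cdn.example      CNAME .
*.malware-cdn.example    CNAME .
"""

# Constructed stand-ins for normal resolution and for the walled garden host.
UPSTREAM = {"www.example.com": "192.0.2.10", "notcollector.example": "192.0.2.20"}
WALLED_GARDEN_IP = "192.0.2.250"


@dataclass
class Answer:
    rcode: str                # "NOERROR" or "NXDOMAIN"
    address: Optional[str]    # A record data, if any
    rpz_rule: Optional[str]   # which RPZ owner name matched, if any


def load_rpz(zone_text):
    """Return (exact_names, wildcard_parents) from RPZ-style record lines."""
    exact, wildcard = set(), set()
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments
        if len(fields) < 3 or fields[1].upper() != "CNAME":
            continue
        owner = fields[0].rstrip(".").lower()
        if owner.startswith("*."):
            wildcard.add(owner[2:])
        else:
            exact.add(owner)
    return exact, wildcard


def rpz_match(qname, exact, wildcard):
    """Match on whole labels only, so 'notcollector.example' is not caught
    by an entry for 'collector.example'."""
    name = qname.rstrip(".").lower()
    if name in exact:
        return name
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in wildcard:
            return "*." + parent
    return None


def answer_query(qname, rpz, action="nxdomain"):
    """Apply the RPZ first; only unlisted names reach normal resolution."""
    if action not in ("nxdomain", "walled-garden"):
        raise ValueError("action must be 'nxdomain' or 'walled-garden'")
    exact, wildcard = rpz
    rule = rpz_match(qname, exact, wildcard)
    if rule is None:
        address = UPSTREAM.get(qname.rstrip(".").lower())
        return Answer("NOERROR" if address else "NXDOMAIN", address, None)
    if action == "walled-garden":
        return Answer("NOERROR", WALLED_GARDEN_IP, rule)
    return Answer("NXDOMAIN", None, rule)


if __name__ == "__main__":
    rpz = load_rpz(SAMPLE_RPZ)
    for name in ("www.example.com", "collector.example",
                 "abc.def.collector.example", "notcollector.example"):
        print(name, answer_query(name, rpz))
    print(answer_query("x.malware-cdn.example", rpz, action="walled-garden"))
```

Because the policy is applied before resolution, a query name carrying encoded data under a listed domain never leaves for that domain's name servers, and the matched rule gives the operator a log entry pointing at the querying host.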

DNS is one of those technologies that is so crucial for a functioning internet, especially for human interaction. Yet it is often overlooked or seems to only get attention when things are broken. Maybe take a gander today to make sure your DNS infrastructure is secure, scalable and ready to answer each and every query. Ignoring DNS can have grave consequences.

ps


Posted by: psilva | April 20, 2016

You’re Getting Under My (e)-Skin


Imagine if the temporary tattoos that come in a box of Cracker Jack (if you’re lucky) had an electronic display logo that lights up when you put it on. Or a fitness tracker that you tape to yourself rather than wearing it around your wrist. Or a watch so thin that it lights the time while blending into your skin. Or even, a sensor that can be applied directly to an organ to determine health.

This is the future for electronic skin. Yup, I said it: E-Skin.

Researchers in Japan have developed an ultra-thin and ultra-stretchy material that can mimic the flexibility of human skin. Ultraflexible organic photonic skin is an organic polymer with light-emitting diodes (PLEDs) or small sheets of energy-efficient lights that are laminated right on the skin. These are intended to equip the human body with electronic components for health-monitoring and information technologies. They are transparent, but when powered with electrical pulses they emit a colored light, number or letter depending on the implementation. The arrangement of PLEDs can also display more complex information. They also report that this PLED film produced less heat and consumed less power than previous e-skin samples.

The interesting thing here is that they used organic materials, added an extra layer of film to protect it from oxygen and water, so it lasted several days. Past organic efforts lasted less than a day due to air exposure. Today, non-organic materials used to make super-thin tattoo-like monitoring devices can last weeks or longer.

These advancements will only fuel the health care wearable market which is growing exponentially.

Research firm Tractica released findings from its report ‘Wearable Devices for Healthcare Markets’ that show worldwide shipments of healthcare wearables will increase from 2.5 million in 2016 to 97.6 million in 2021…or $17.8 Billion in yearly revenue. The general wearable device market will increase from 85 million units in 2015 to 559.6 million units by 2021 – a compound annual growth rate of about 37%.

If you thought the influx of data center and cloud traffic from mobile was big, just wait until all our body vitals start hitting the wire. Add that to all the other IoT initiatives, like home/automotive, and big data suddenly turns into ginormous data.

While we may instantly think about the fitness trackers and smartwatches that adorn our bodies, the health care industry is also looking at the treatment of chronic diseases, wellness programs, remote patient monitoring and physician use. And there are other devices like posture monitors, connected wearable patches and pain management wearables that are gaining ground.

I can already hear the posture sensor barking, ‘Stop Slouching!‘ and a pain patch that actually works instead of those menthol smelling globs – great idea!

ps


Posted by: psilva | April 13, 2016

Let the Training Begin!


A few weeks ago I mentioned that I was on a journey to getting properly trained and reacquainted with the more technical nuances of F5 solutions with the goal of achieving F5 Professional Certification sometime this year. In fact, most of F5’s DevCentral team is also shooting for certification and we’ve set up our study path.

As a refresher, F5 has a number of educational programs to help you get acquainted, get fully trained or become a Certified Professional with F5 gear. From free online courses to instructor led classroom seminars to challenging your knowledge with a certification, F5 can help you, as it is helping me, understand the inner workings of BIG-IP. I began at F5 University with the Getting Started series and was able to get through a number of modules at my own pace.

This week, the DC team is in Seattle at the Mother Ship and we decided to kick off our study prep while we’re together. This is for the initial 101-Application Delivery Fundamentals exam and we’re using Eric Mitchell’s excellent Study Guide as our guide. There is also an Exam Blueprint available that goes through the objectives of each section and gives examples of the types of questions asked. Um, what’s the purpose and functionality of MTU and MSS again?

The 101-Application Delivery Fundamentals test is the first exam required to achieve F5 Certified BIG-IP Administrator status. All candidates must take this exam to move forward in the program. Successful completion of the 101 exam acknowledges the skills and understanding necessary for day-to-day management of Application Delivery Networks (ADNs). The 101 exam is not so much, how do you do this on a BIG-IP but more about the basics of the OSI model, networking, protocols, common traffic management/load balancing concepts, cryptographic services and application delivery platforms in general. The essential knowledge needed to deploy any application delivery controller.

We’ve decided to each take and prepare a section of the study guide and present to the team. We’ve set up weekly meetings and each week is an exam section. This week is the OSI model and (theoretically) in 5 weeks, we should be ready to take the exam. If you are prepping or planning to get certified at our Agility event in Chicago this summer, you and your team may want to consider that approach. All the learning benefits, with slightly less stress.

So that’s our most recent update as we continue on the certification path. If you’d like a step-by-step guide, including how to register and schedule your exam, check out Austin Geraci’s article Becoming F5 Certified – BIG-IP Administrator Certification – 101 & 201 Exams and/or join the F5 Certified! Professionals group on LinkedIn. Good stuff.

ps

 

Posted by: psilva | April 5, 2016

Plugging Data Leaks


Whether intentional or accidental, data leaks are a huge concern for organizations. And they have been for years. Going back to 2004, a survey from an IT security forum hosted by Qualys found that 67% of security executives do not have controls in place to prevent data leakage. In a December 2006 survey, Boston-based researchers Simon Management Group noted that some 78% of respondents said they were "very concerned" about data exposure. A 2010 article published by Trustwave on CSOonline.com said that 65% of leakage occurs due to the following combined methods: Microsoft SMB sharing, Remote Access Applications, and Native FTP clients.

And a recent informal survey conducted by the Avast Mobile Enterprise team at two healthcare technology events shows that Data Leakage (69%) was the greatest security concern of Healthcare CISOs. Insider threats (34%) and Malware (28%) got silver and bronze.

Information seems to be the gold standard in today’s digital society and it comes in many forms. It can be personally identifiable information (PII) of customers or employees; it can be corporate or financial info; it can be litigation related; it can also be health care related and really, any data that should be kept secret…except from those who are authorized to view it.

According to Cisco, some risky behavior by employees can aggravate the situation. Areas included:

  • Unauthorized application use: 70% of IT professionals believe the use of unauthorized programs resulted in as many as half of their companies’ data loss incidents.
  • Misuse of corporate computers: 44% of employees share work devices with others without supervision.
  • Unauthorized physical and network access: 39% of IT professionals said they have dealt with an employee accessing unauthorized parts of a company’s network or facility.
  • Remote worker security: 46% of employees admitted to transferring files between work and personal computers when working from home.
  • Misuse of passwords: 18% of employees share passwords with co-workers. That rate jumps to 25 percent in China, India, and Italy.

How can you reduce and mitigate some data leakage risks? BIG-IP Application Security Manager (ASM) of course.

The overall category of Data Loss Prevention (DLP) is a multi-faceted area of security that encompasses securing data storage, data transmission, and data in-use. Primarily, BIG-IP ASM focuses on the protection of data in-flight. For instance, ASM’s DataGuard is a method of protecting against SSN or CC# information from leaking out of back-end databases but ASM’s benefits in a DLP strategy extend well beyond that. DLP is concerned with unauthorized access to any private data, whether confidential personal or corporate information. ASM provides comprehensive protection against unauthorized back-end database access, by preventing the exploit of well-known vulnerabilities such as XSS, SQL-injection, cookie poisoning, etc. If you can’t even reach the info, less likelihood of it leaking.

No single product is going to provide a comprehensive, all inclusive DLP solution. HIPAA, PCI, and other regulatory standards are focused almost entirely on DLP. BIG-IP ASM, as a WAF, provides a vital part of any overall DLP solution in today’s security-conscious environment.

ps


Posted by: psilva | April 1, 2016

The Land of the Partially Connected


Greetings from Ottertail County

Last week my family visited some relatives in Minnesota. Fergus Falls and Clitherall to be exact. Both are situated in Ottertail County – about half way up the state toward the Fargo, North Dakota side. While Fergus has a population of around 13,000, Clitherall claims 112 people and much of the area is farms, lakes, woods, nature and many of the locals are hunters, ice-fishers, farmers and people who love the great outdoors…even during the long, demanding winters. In the summer it is a quaint little resort town. There is a dirt road to get to my wife’s dad’s house and we even saw a couple eagles engaged in a talon lock while we were there. We always enjoy our stays.

A decade ago, cell phone coverage was spotty but it has gotten better, albeit 2/3G in some areas, and most have access to the internet either by cable or satellite. But the internet, for some folks, is not as important or critical as it is for many of us ‘connected’ beings. Poppa Maggie’s house on Mallard Bay can get internet access but he doesn’t want it. I’m sure many of you have experienced remote areas of the country where the grid is available but people choose not to participate or simply use their mobile device for the few things that they need.

[Image: Mallard Bay]

At one of the family gatherings – on a farm in a log cabin – our cousins were wide-eyed about all the ‘technology’ stuff we knew. While I asked about the family history and why they originally settled in that location, soon the discussion turned to wearables, data breaches, encryption and even the Fed’s iPhone situation. I remember Cousin Patty saying, ‘I’m just a simple farm girl and really don’t know anything about the internet or technology.’

I was a little jealous.

Granted, many of the large farms in America do use technology to track the herd, measure moisture/water schedules, check soil conditions, maneuver tractors, check grain silos and so forth. But these were small family farmers and didn’t have large contracts with nationwide distributors. Often, their crop is to simply feed the family and stock for the year and/or sell at local markets.

I told Patty that I was a bit envious of her situation and knowing all the ins and outs of technology can sometimes be stressful, anxiety filled and a burden. Always worried about being a target; insight on how cyber-crime works; knowing that nothing is totally secure until you unplug or disconnect it. I felt safer surrounded by trees, lakes, deer, bear, geese, and ducks…and with no computer connection. Add to that, they got me beat hands down for survival skills. They are craftsmen, cooks, hunters, builders, agriculturalists, environmentalists, conservationists and hard working, good people.

BREAKING NEWS: It was tranquil and relaxing.

Like many of you, technology is part of my life, how I make a living and I’m not looking to hang up my RJ-45s any time soon. I have a great interest in how it is shaping our society and love exploring and explaining how a lot of it works. However, it is also important, to unplug every once in a while and experience some technology-free time. It clears the mind, slows you down and you might get to see the flirtatious free fall (or epic battle) of a truly majestic creature.

ps

Posted by: psilva | March 30, 2016

Get Smart with IP Intelligence


There are always threats out there on the big bad internet. The majority of breaches happen at the application layer and many OWASP Top 10s like SQL injection are still malicious favorites to gain entry. Add to that the availability of DDoS tools, anonymous proxies and the rise of hacktivism, and networks and systems are bigger targets than ever. Threat detection today relies on a couple of elements: identifying suspicious activity among the billions of data points and refining a large set of suspicious incidents down to those that matter.

Today’s cyber-criminals use various techniques to hide their identities and activity. Keeping them out of your systems requires constant vigilance. Every packet that traverses the internet has a source IP address so disabling inbound communications from known malicious IPs can be highly effective.

You may not know but F5 offers IP Intelligence Services which provides the functionality to block known malicious IP addresses. It is a layer of IP threat protection and an additional way to allow BIG-IP customers to defend against malicious activity and infrastructure attacks. The IP Intelligence service is offered on several BIG-IP platforms. With IP Intelligence, BIG-IP AFM can be configured to block or allow traffic entering the system based on the reputation of the source IP address.

BIG-IP AFM determines reputation using two methods. One is a continuous feed of known or suspected malicious IP addresses provided by a third-party service, Webroot BrightCloud. You can also create custom feed lists that specify IP addresses that have been blacklisted or whitelisted by the organization. The BrightCloud feed is updated every 5 minutes by default, while custom feed lists are unique to the AFM and are polled at intervals of your choosing.

These two methods are jointly referred to as IP Intelligence and can be used independently or in tandem to filter traffic on the BIG-IP systems. The BrightCloud option is licensed separately through F5 and requires internet connectivity and DNS resolution from your BIG-IP system. Custom feed lists do not need connectivity since they are local to the BIG-IP.


IP Intelligence can be applied via AFM firewall policy to the Route Domain or Virtual Server. Once enabled, it will affect all traffic that arrives on your BIG-IP system no matter the access point.

The IP Intelligence data is organized into categories that help you differentiate between types of listed IP addresses. There are 11 pre-defined categories including botnets, scanners, infected sources, illegal websites and more. These correspond to the categories in the BrightCloud feed. You can also create up to 51 custom categories to meet your own specific needs.
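How a custom feed list with blacklisted and whitelisted entries and categories can drive a block-or-allow decision on the source address, as an added example that is not F5 code: the feed line format, the category names, the rule that a whitelist entry overrides a blacklist entry, and all addresses (documentation ranges) are assumptions constructed for illustration and do not describe the AFM feed format.

```python
import ipaddress

# Constructed custom feed: "<network>,<list_type>,<category>" per line.
CUSTOM_FEED = """\
# constructed entries using documentation address ranges
198.51.100.0/24,blacklist,scanners
198.51.100.25/32,whitelist,partner_monitoring
203.0.113.7/32,blacklist,botnets
2001:db8:bad::/48,blacklist,infected_sources
"""


def load_feed(feed_text):
    """Parse feed lines into (network, list_type, category) tuples."""
    entries = []
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        network, list_type, category = (f.strip() for f in line.split(","))
        if list_type not in ("blacklist", "whitelist"):
            raise ValueError("unknown list type: " + list_type)
        entries.append((ipaddress.ip_network(network), list_type, category))
    return entries


def classify(source_ip, entries):
    """Return (decision, category) for a packet's source address.

    Assumed precedence: any whitelist match allows the traffic; otherwise
    the most specific blacklist match blocks it and supplies the category
    to log; with no match the traffic is allowed.
    """
    ip = ipaddress.ip_address(source_ip)
    hits = [e for e in entries if e[0].version == ip.version and ip in e[0]]

    whitelisted = [e for e in hits if e[1] == "whitelist"]
    if whitelisted:
        return ("allow", whitelisted[0][2])

    blacklisted = [e for e in hits if e[1] == "blacklist"]
    if not blacklisted:
        return ("allow", None)

    most_specific = max(blacklisted, key=lambda e: e[0].prefixlen)
    return ("block", most_specific[2])


if __name__ == "__main__":
    feed = load_feed(CUSTOM_FEED)
    for src in ("198.51.100.10", "198.51.100.25", "203.0.113.7",
                "2001:db8:bad::1", "192.0.2.1"):
        print(src, classify(src, feed))
```

The whitelisted /32 inside the blacklisted /24 shows why a local allow list matters when a reputation entry covers a whole range: one known-good host stays reachable while the rest of the range is blocked.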

Networks, infrastructures, systems and applications are all under attack these days. While you can do your best at securing your data, sometimes a little call blocking can go a long way in ensuring these known rascals cannot get through.

Peace of mind is always a secure feeling.

ps


Recently I changed some of my passwords. Some due to typical rotation time and a couple due to potential breaches and encouragement from the affected site. No, I’m not going to tell you which ones or how I go about it but I noticed that it took about 3 days for my fingers to key the correct combination.

This has probably happened to you too, where after changing a password, you inadvertently enter the old password a number of times since that is what the fingers and hands remember. Yes, I’m sure many of you have password keepers (which have also been breached) locked by a master and I use one too, but for many of my highly sensitive passwords, I keep those in my head.

As I continued to enter the old password for a couple days only to correct myself, I started thinking about habits and muscle memory. Some adages talk about it taking about 30 days to either pick up or drop a habit if done daily. Want to keep an exercise routine? Do it daily for a month and you are more than likely to continue…barring any unforeseen circumstances.

And then there’s muscle memory. Things like riding a bike, signing your name, catching a ball or any repetitious, manual activity that you complete often. Your muscles already know how to do it since they’ve been trained over time. You do not need to think about, ‘OK, as it gets closer, bring your hands together to snag it from the air,’ it just happens. This is one of the reasons why people change or update certain exercise or resistance routines – the muscles get used to it and need a different approach to reach the next plateau.

I wondered if anyone else had thought of this and a quick search proved that it is an actual technique for password memory. Artists like musicians use repetitive practice for scale patterns, chords, and melodic riffs and this trains the muscles in the fingers to ‘remember’ those patterns. It is the same notion with passwords. Choose a password that alternates between left and right hands that have some rhythm to it. After a bit, the hands remember the cadence on the keyboard and you really do not need to remember the random, committed numbers, letters or Shift keys pounced while typing your secret. This is ideal since only your fingers remember not necessarily your mind.

Granted, depending on how your mind works this technique might not work for everyone but it is still an interesting way to secure your secrets. And you can brag, ‘Go ahead, water board me, my fingers have no vocal cords.’

ps

Posted by: psilva | March 15, 2016

Jumping on the Rails of the Technical Train



I used to be technical, highly technical. You know the kind…more comfortable with CLI rather than GUI, limited use of CAPS at the beginning of sentences and proficient at configuring & troubleshooting a slew of devices from multiple vendors. But after a couple role changes over the years, my technical acumen has slightly diminished. Again, you probably know the drill that if you’re not tapping away at it daily, some of those skills dwindle. Plus, with new technology replacing the stuff you knew 10 years ago, it often feels like starting over.

But don’t fret! As with anything, you can regain some prowess and learn new tricks with a bit of training. Get on that bike and ride!

That’s what I’m going through now.

When I joined the DevCentral team, I quickly realized that our community is much smarter than I when it comes to the intricacies of our solutions. My initial reaction to many of the questions that get posted on DevCentral sounds like the ‘Aaaaaahhhhhh, Ahhhhhh,’ from Beavis and Butt-Head. I have no idea. I’ll Alt-Tab to the AskF5 Knowledge Base to check if there is already an answer and often there is. But when it is a unique situation or something with iRules, I look blankly at the screen and wonder, ‘How can I help, when I don’t even know.’

One of the great things about working at F5 is that they allow us to take whatever training is needed to be proficient at our job. Over the last couple weeks I’ve been doing just that – initially digging in to F5’s free Web Based Training.

F5 has a number of educational programs to help you get acquainted, get fully trained or become a Certified Professional on F5 Solutions. From free online courses to instructor led classroom seminars to challenging your knowledge with a certification, F5 can help you, as it is helping me, understand the inner workings of BIG-IP. I began at F5 University with the Getting Started series and was able to get through a number of modules at my own pace. We have programs for both partners and customers, and they are a great way to learn the fundamentals of the BIG-IP system.

Next for me will probably be some classroom training with hands-on configuration, and the entire DevCentral team will embark on a path to F5 Certification. Hear that Ken? We’re coming for ya!! We’re going to start a mini-study group using many of the resources available and chronicle our progress. The idea is that we’re like you – we know a lot already but want to get deeper in our understanding and for me, better at providing the details of our technical solutions.

Join us over the next bunch of months as we share our experiences of becoming an F5 Certified Professional.

ps
