Polylithic, vendor-neutral, platform agnostic. Microsoft may not exactly come to mind when hearing these descriptors, but it will soon enough—if recent developments are any indication. And despite the software behemoth's DevOps zeitgeist purveyance as of late, open source initiatives have always been alive and well inside Redmond’s hallowed walls.
At the start of the year, the FBI issued an alert warning internet users about the rising threat of ransomware, detailing its dramatic increase in both frequency and sophistication. Looks like the feds were on point: as it stands, 2015 has turned out to be a record year for data hostage-taking. So what can be done to defend oneself against this new insidious threat to data sovereignty?
There's a classic line (one out of many) in the movie Casino by DeNiro's character Ace Rothstein:
"Since the players are looking to beat the casino, the dealers are watching the players. The box men are watching the dealers. The floor men are watching the box men. The pit bosses are watching the floor men. The shift bosses are watching the pit bosses. The casino manager is watching the shift bosses. I'm watching the casino manager. And the eye-in-the-sky is watching us all."
By now, you've probably heard of software-defined networking (SDN): the emerging IT paradigm that abstracts networking hardware into programmable components for unprecedented data center agility and flexibility. In the same vein, parallel infosec developments currently underway are transforming rigid and complex physical security architectures into highly-adaptable, easily-managed, and ubiquitous mechanisms for IT security. This is software-defined security (SDSec)—a new model of infosec that just might save us from digital armageddon.
Advertising-based revenue models may be a standard facet of today's internet businesses, but firms peddling free/freemium services are still on the hook for providing strong information security to their user bases. In fact, they arguably have an even greater responsibility to protect user data than paid-for services. So how do events like yesterday's massive data breach involving free web hosting provider 000webhost transpire? In a word, negligence. Gross negligence, to be precise.
ScriptRock's platform for integrity monitoring can exorcise your vulnerability demons automatically and painlessly. Try it on us this Halloween: no money, crucifixes, holy water, wooden stakes or garlic cloves required.
The Network Time Protocol (NTP) has been seeing quite a bit of publicity this year, starting with the NTP Leap Second Bug in June, which promised (but greatly under-delivered) digital calamity of Y2K proportions. Ultimately, the fallout resulted in little more than sporadic Twitter interruptions, but last week newly discovered critical vulnerabilities in the timeworn clock synchronization protocol increased the urgency of recent NTP-hardening projects like NTPSec.
It's practically a national tradition that Americans collectively spend about one year out of every four obsessing over the group of people who are in the running for a job which is undoubtedly awful to actually have. Every part of their campaign is put under heavy scrutiny (their clothes, their hair, their past, their associations) and today, their websites. Let's examine how candidates are faring online using data from tools such as BuiltWith, Alexa, Google and Twitter.
Known vulnerability assessment (evaluating a machine's state for the presence of files, packages, configuration settings, etc. that are known to be exploitable) is a solved problem. There are nationally maintained databases of vulnerabilities and freely available repositories of tests for their presence. Search for "free vulnerability scanner" and you'll see plenty of options. So why are breaches due to known vulnerabilities still so common? Why, according to the Verizon Data Breach Investigations Report, were 99.9% of the vulnerabilities exploited in data breaches last year over a year old?
Technology conference season is in full swing, with so many events going on that even large ones like PuppetConf and Amazon Re:Invent have been forced to overlap. While part of the ScriptRock team traveled to Las Vegas, two of us stayed in San Francisco for a different style of conference. Far from the madding crowds of general interest vendor-backed extravaganzas, we presented at FinDEVr, a conference with a few hundred people and a sharp focus: improving the technology of financial services.