Tag Archives: development

My latest Gartner research: Vendor Rating: Huawei

Huawei has established itself as a solid provider of ICT infrastructure technologies across consumer, carrier and enterprise markets worldwide. CIOs and IT leaders should utilize this research to familiarize themselves with Huawei’s “all-cloud” strategy and ecosystem development….

Gartner subscribers can access this research by clicking here.





[ISN] Smartwatches a new frontier for cyber attack, HP study shows

http://www.computerweekly.com/news/4500250398/Smartwatches-a-new-frontier-for-cyber-attack-HP-study-shows
By Warwick Ashford, Security Editor, ComputerWeekly.com
23 Jul 2015

Smartwatches with network and communication functionality represent a new and open frontier for cyber attack, according to a study by HP Fortify. The study revealed that 100% of the tested smartwatches contained significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns. The study report entitled Internet of things security study: Smartwatches makes recommendations for secure smartwatch development and use in home and work environments. As the internet of things (IoT) market advances and smartwatches become more mainstream, they will increasingly store more sensitive information, such as health data, the report said. […]



[ISN] The FBI’s Stance on Encrypted Communications

http://blogs.wsj.com/experts/2015/04/20/the-fbis-stance-on-encrypted-communications/
By Amy Hess, Executive Assistant Director of the Federal Bureau of Investigation
April 20, 2015

{This post is in response to the article, Should Law Enforcement Have the Ability to Access Encrypted Communications}

AMY HESS: Imagine an America where federal, state, and municipal law enforcement agencies cannot access critical communications, even when legally authorized to do so. Imagine a time when the police cannot pursue logical leads in electronic data to rescue a missing child, identify the co-conspirators of a massive fraud scheme, or obtain relevant evidence of an elected official’s public corruption. Imagine the injustice if a suspected criminal can hide incriminating communications without fear of discovery by the police, or if information that could exonerate an innocent party is inaccessible. With the move to ubiquitous encryption, that time is closer than you think. Increasingly, law enforcement investigations require some degree of access to encrypted communications—whether stored on a computer or mobile device, or transmitted over a communication service provider’s network—and that access is increasingly limited. The FBI firmly supports the development and adoption of robust encryption as a key tool to strengthen cybersecurity, secure commerce and trade, safeguard private information, and promote free expression and association. However, absolute encryption does not mean absolute safety. Terrorists and other criminals also use encryption to conceal and facilitate their crimes. No one in this country should be beyond the law. The notion that electronic devices and communications could never be unlocked or unencrypted – even when a judge has decided that the public interest requires accessing this data to find evidence — is troubling. It may be time to ask: Is that a cost we, as a society, are prepared to pay? […]



[ISN] Will China and America Clash in Cyberspace?

http://www.nationalinterest.org/feature/will-china-america-clash-cyberspace-12607
By Jon R. Lindsay, Tai Ming Cheung, Derek Reveron, The National Interest
April 12, 2015

The information revolution has been a mixed blessing for China and the world. On one hand, computer networks enhance economic productivity, national security, and social interaction. On the other, valuable information infrastructure provides lucrative targets for thieves, spies, and soldiers. Nearly every type of government agency, commercial firm, and social organization benefits from information technology, but they can also be harmed through cyberspace. Not a week goes by where a major hack is not reported in the media or countries chastise each other for cyberespionage. In the absence of shared norms or even concepts, cybersecurity discourse becomes mired in competing morality tales. Chinese hackers are pillaging intellectual property and creating asymmetric threats. The National Security Agency (NSA) is jeopardizing civil liberties and weakening the Internet. Communist censorship is undermining the democratic promise of information technology, even as American firms unfairly dominate its development. Cybercrime is costing everyone trillions of dollars. There is a grain of truth in all of these claims, which means that the phenomenon as a whole must be more complicated than any one suggests. China both generates and experiences serious cyber threats, shaped by a combination of bureaucratic politics and economic policy, domestic security imperatives, military modernization, and ambitions for international influence. Nevertheless, the United States and China both have far more to gain than lose through their digital interdependence. […]



[ISN] US Used Zero-Day Exploits Before It Had Policies for Them

http://www.wired.com/2015/03/us-used-zero-day-exploits-policies/
By Kim Zetter, Security, Wired.com
March 30, 2015

AROUND THE SAME time the US and Israel were already developing and unleashing Stuxnet on computers in Iran, using five zero-day exploits to get the digital weapon onto machines there, the government realized it needed a policy for how it should handle zero-day vulnerabilities, according to a new document obtained by the Electronic Frontier Foundation. The document, found among a handful of heavily redacted pages released after the civil liberties group sued the Office of the Director of National Intelligence to obtain them, sheds light on the backstory behind the development of the government’s zero-day policy and offers some insight into the motivations for establishing it. What the documents don’t do, however, is provide support for the government’s assertions that it discloses the “vast majority” of zero-day vulnerabilities it discovers instead of keeping them secret and exploiting them. “The level of transparency we have now is not enough,” says Andrew Crocker, a legal fellow at EFF. “It doesn’t answer a lot of questions about how often the intelligence community is disclosing, whether they’re really following this process, and who is involved in making these decisions in the executive branch. More transparency is needed.” The timeframe around the development of the policy does make clear, however, that the government was deploying zero-days to attack systems long before it had established a formal policy for their use. […]



[ISN] Where the Military’s Smartest Hackers Aren’t Human at All

http://www.defenseone.com/technology/2015/03/where-militarys-smartest-hackers-arent-human-all/108562/
BY ALIYA STERNSTEIN, NEXTGOV
MARCH 26, 2015

Next month, unmanned computers all over the globe will face off in a dress rehearsal for a Las Vegas hacking tournament run by the U.S. military. The $2 million “Cyber Grand Challenge” pits hacker-fighting software against malicious code programmed by Pentagon personnel. During the 2016 finals in Vegas, the humans who built these cyberbots might as well go play blackjack. At stake in the cyber challenge is a chunk of change and perhaps societal gratitude. That’s because the research and development gleaned during the two-year competition could lay the groundwork for a world where machines are in charge of cybersecurity. At least, that’s the hope of many of the contestants and the Defense Advanced Research Projects Agency, the Pentagon component leading the program. […]



[ISN] The marriage between DevOps & SecOps

http://www.idgconnect.com/blog-abstract/9656/the-marriage-devops-secops
By IDG Connect
March 24, 2015

This is a contributed article by Tim Prendergast, Founder & CEO of Evident.io

The rise of cloud computing brings many exciting changes to the technology industry: elastic scalability of resources, commodity pricing, freedom to experiment, and a newfound love for agile philosophies. Thankfully, the cloud is leaving behind the constraints and practices of the legacy security industry. Here lies an exciting opportunity: with the rise of DevSecOps, we get to truly redefine how operations, engineering, and security can be brought together in harmony to achieve unparalleled success. In the past, organizations kept the domains of engineering, operations, and security separate for scalability and accountability reasons. Preventing engineering and operations from intermixing guaranteed that production environments were held to a higher standard of reliability, resiliency and consistency than that of engineering environments like those used for development and testing. However, in the last few years, the evolution of DevOps philosophies has really taken the industry by storm. DevOps is not exactly new



[ISN] The new MacBook’s single port comes with a major security risk

http://www.theverge.com/2015/3/16/8226193/new-apple-macbook-usb-type-c-security-risk-badusb
By Russell Brandom, The Verge
March 16, 2015

After years of development, USB Type-C is making a very big debut. Last week, Apple announced its new MacBook would come with just a single Type-C plug for both power and data, a move that allowed for the slimmest MacBook ever. A few days later, Google unveiled the new version of its flagship Chromebook Pixel with the same Type-C port. To the extent that hardware components can have a moment, USB Type-C is having one. But while the new port is powerful, it also comes with serious security problems. For all its versatility, Type-C is still based on the USB standard, which makes it vulnerable to a nasty firmware attack, and researchers are also concerned about other attacks that piggyback on the plug’s direct memory access. None of these vulnerabilities are new, but bundling them together with the power cord in a single universal plug makes them scarier and harder to avoid. On a standard machine, users worried about USB attacks could simply tape over their ports, but power is the one plug you have to use. Turning that plug into an attack vector could have serious security consequences. The biggest concern is the BadUSB vulnerability, first published last year. The attack lives in the firmware of a USB device and infects computers during the earliest stages of the connection, long before users get a chance to see what’s on the device or decide whether to open it up. We know how to protect peripherals against the attack — certain USB sticks have already built in protections against firmware infections — but computers are much harder to secure. USB is built for compatibility, so there are very few peripherals a computer won’t accept, even if the peripheral ends up spreading malware. Apple’s reportedly allowing for third-party chargers and battery packs under its Type-C implementation, opening even more vectors for infection. (Apple did not respond to a request for comment.) In the case of BadUSB, that means it’s easy for a bad actor to put together a USB device that will spread the virus every time it’s plugged in. […]

