Technology and sport. A good thing?
While purpose-built technology provides much higher levels of accuracy, is it killing the excitement? Both tennis and cricket have adopted technology with little resistance. And, personally, I think it’s become an important part of the game. Referee accuracy pushes back on the sportsperson’s skill. On the other hand, football supporters have very different views and hating the Ref is part of the game.... what rhymes with GLTS (Goal Line Technology System)? But for how long: BBC Sport – ‘Premier League could use goal-line technology in 2012-13 season’ http://bbc.in/zcWf6P

This is a long debated topic but I write today after reading the following Sky News article on a recent boxing match: http://bit.ly/AfVc2L In this circumstance technology wasn't officially an umpire but it has made for a stronger story. More than mere opinion.

Now let me attempt a crude link back to data centre architecture. In essence, the uptake of technology in sport is edging forward to eliminate the guesswork, the human error element. This is precisely what today's CIOs must consider to move to a next generation architecture. Tapping into available analytics for the purpose of decision making (spinning up new servers, lighting up cold or standby DCs etc.) improves reaction times to customer demands without the need to spec your environment for the worst case scenario, i.e. everything turned on, all the time, just in case. Use data centre technology that can referee data centre behaviour.

The key to doing this successfully is down to interrogating the right metrics. A server’s CPU utilisation, for example, is not a measure of the end user experience. Neither is the response time from a server to the perimeter firewall. The users - the consumers of your data - are not in the data centre.

More on Goal-line technology - Wikipedia, the free encyclopedia: http://bit.ly/xIKVhj

BYOD 2.0 – Separation of lives
The benefits of letting employees bring their own devices to work are clear and well documented – and about 60% of us do already (Ovum, November 2012). But that doesn’t stop it from being a personal and IT headache. Outside of the fact that the device is owned by the employee rather than the business, limiting what IT can do to ensure security policies are adhered to and that sensitive, business-related data is protected, often overlooked is the effect on our personal lives.

People are mixing personal and business work on one device, with no separation between the two. If something goes wrong with the device and it has to be wiped then all data is gone. That might be valuable from a business point of view but it means a worker risks losing potentially years' worth of photos, videos, emails, contacts and messages. Imagine losing pictures from your last holiday, or photographs of your children. If you don’t back up your mobile device (and many people do not) then that is a real possibility.

It’s not just about securing the data that’s on the device. Being constantly in contact with the business through your own mobile device means the lines between work life and private life are blurring to the point of extinction. Weekends and holidays are no longer a chance to get away from work to recharge the batteries. Instead they become an extension of office hours, with workers picking up their mobile device to answer a couple of emails, or finish that piece of work that wasn’t done on Friday afternoon.

The ideal of course is a separation between the corporate context and personal context of a mobile device, whether it is a smartphone, a tablet or a laptop. This means the device is still fully managed, with IT controlling which apps are downloaded and even restricting certain functions of the device that may not necessarily be conducive to productivity. This separation of the work and the personal also affects the mind-set of the user.
When the user is operating the device for work purposes generally they are much more likely to think and act like a representative of the organisation, just like they would if they were sitting at their desk. This is likely to save the company from any embarrassing episodes, such as unsavoury Tweets sent in error that may reflect badly on the organisation.

This approach to BYOD – at F5 we call it BYOD 2.0 - really gives businesses and workers exactly what they want. The freedom to use a single device of their choosing for work and pleasure, with a clear distinction between the two identities on the device, coupled with the knowledge that enterprise data is secure and that IT retains a measure of control.

Who am I and why am I blogging?
That is a very good question. I never considered blogging before, never thought anyone would be interested in what I have to say. Although just because I blog, does not mean that you will be interested in what I have to say...

I have been working for F5 for 4 years now, mainly supporting our Channel and SI partners. These days I work directly with larger customers on a range of F5 specific solutions. I also look after customers in Ireland where I live. So in advance of March 17th, Happy St. Patrick's Day!

My focus has been mainly availability and security. As a CISSP and a member of OWASP, I have a keen interest in the latter and I guess this is the topic that excites me. When I say excites, I mean in a good way and a bad way, particularly when I see blatant flouting of basic security practice. I will have a rant here when something takes my fancy. Be forewarned I am grumpy and tend to go off on one quite often.

Gary Newe

Technorati Tags: Application Security, ASM, Security, WAF, Web Application Firewall, f5

Will you be DDoS attacked?
The threat posed by DDoS attacks is ever-growing and something I have talked about on numerous occasions at security conferences this year. As it continues to be a topic which interests and concerns the industry as a whole, I decided to write down my predictions around what 2013 will carry with it and why I think DNS Reflection attacks (and other amplification attacks) will play a more predominant part of DDoS attacks in the future. For those of you I have spoken to on the topic before, it’s a theme I regularly stress.

The major drive of these types of DNS attacks is the decreasing number of bots available for rent. One explanation is that the authorities have been more effective at closing down major botnets. With the decreasing number of bots now available, hacktivists and other cyber criminals are now finding new ways in which to amplify their attacks.

So how does a DNS reflection attack work? It is actually quite simple, and is based around amplifying the data you generate by reflecting it via an open DNS resolver. Imagine that you send a DNS query with a packet size of 40 bytes to a DNS server and get back 2500 bytes in the DNS response. That sounds like a pretty good deal, right? Now, what if you spoofed the source IP to reflect the attack against your target/victim via the open DNS resolver? You can see where this is leading… The DNS resolver will generate a huge amount of data and send it to the spoofed IP address. Because DNS is using a stateless protocol called UDP there is really no source address verification. This means you can easily spoof the address and achieve the result of an amplified packet size in the attack.

I believe DNS reflection attacks will be a preferred tool for three simple reasons:
1.) In the list of top ten AS numbers with most open DNS resolvers you find around 20 000 open DNS resolvers (*)
2.) You can amplify an attack with a factor of 250 and it requires little bandwidth from the cyber criminals.
The more bots you are in control of, the bigger effect it can have.
3.) As the attack is reflected, very often the open DNS resolver has little logging turned on so the cyber criminals can easily hide behind them.

Over the last two years, we have seen an increasing number of attacks using this technique and it has been very effective for cyber criminals. A few attacks have recorded speeds of up to 35 Gbps - more than enough to take out an average company’s internet connection.

One thing to remember, however, is that very often the DDoS attack is just a smoke screen for a more sophisticated attack that can potentially cost the company even more money. The problem here is to find the needle in the haystack. How do your security products cope with the influx of traffic during a DDoS attack? More importantly, can they find things like SQL injection attacks in the storm of traffic?

So how can you protect your business in the light of such threats? The approach is very often layered, which means that you need a combined defense for network layer DDoS attacks (L2-L4) with DDoS attacks on the application layer (L5-L7). I believe that a combination of on-premise equipment for detecting network based DDoS attacks and attacks on the application level allows you to close the window for cyber criminals and more efficiently stop any attack on a network and application layer.

To answer the question in the headline, the risk of being “DDoS attacked” has never been greater. DDoS attacks have become the de facto standard for online protests and they will continue to be used by hacktivists to make themselves heard, whether for political, ideological, financial or religious reasons. Our job is to ensure we continue to build the best solutions to prevent such attacks. Feel free to reach out to discuss the best way to protect your business with any of our system engineers!
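The reflection mechanism described above leaves a recognisable trace on the receiving side: DNS responses arrive for queries the destination never sent. The following is an added example, not code from the original post, showing that check over constructed flow records; the protected prefix, the query lifetime, the byte threshold and all addresses (documentation ranges) are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this illustration (not from the original post):
LOCAL_NET = ip_network("192.0.2.0/24")  # protected prefix (documentation range)
QUERY_TTL = 5.0                 # seconds an outbound query counts as outstanding
MIN_UNSOLICITED_BYTES = 10_000  # per-destination reporting threshold

# Constructed records: (time_s, src_ip, src_port, dst_ip, dst_port, udp_bytes)
SAMPLE_FLOWS = [
    (0.00, "192.0.2.10", 40001, "198.51.100.53", 53, 40),    # genuine query
    (0.02, "198.51.100.53", 53, "192.0.2.10", 40001, 180),   # its answer
    (0.50, "198.51.100.53", 53, "192.0.2.10", 40001, 180),   # stray duplicate
    (1.00, "203.0.113.5", 53, "192.0.2.80", 31337, 2500),    # never asked for
    (1.01, "203.0.113.6", 53, "192.0.2.80", 31337, 2500),
    (1.02, "203.0.113.7", 53, "192.0.2.80", 31337, 2500),
    (1.03, "203.0.113.5", 53, "192.0.2.80", 31337, 2500),
    (1.04, "203.0.113.6", 53, "192.0.2.80", 31337, 2500),
]


def is_local(ip):
    """True when the address belongs to the protected prefix."""
    return ip_address(ip) in LOCAL_NET


def find_reflection_victims(flows):
    """Report local hosts receiving DNS responses they did not solicit.

    UDP carries no proof of who sent a query, so the receiving network has
    to keep its own state: remember every outbound query and treat any
    response without a matching, recent query as unsolicited.
    """
    outstanding = {}  # (client_ip, client_port, resolver_ip) -> query time
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "resolvers": set()})

    for ts, src, sport, dst, dport, size in sorted(flows):
        if dport == 53 and is_local(src):
            # Outbound query from a protected host: remember it.
            outstanding[(src, sport, dst)] = ts
        elif sport == 53 and is_local(dst):
            # Inbound response: each remembered query matches one answer.
            asked = outstanding.pop((dst, dport, src), None)
            if asked is not None and ts - asked <= QUERY_TTL:
                continue  # solicited answer, nothing to count
            entry = stats[dst]
            entry["packets"] += 1
            entry["bytes"] += size
            entry["resolvers"].add(src)

    # Only destinations whose unsolicited volume crosses the threshold.
    return {
        victim: {
            "packets": s["packets"],
            "bytes": s["bytes"],
            "resolvers": sorted(s["resolvers"]),
        }
        for victim, s in stats.items()
        if s["bytes"] >= MIN_UNSOLICITED_BYTES
    }


if __name__ == "__main__":
    for victim, summary in find_reflection_victims(SAMPLE_FLOWS).items():
        print(victim, summary)
```

The single stray duplicate answer to 192.0.2.10 stays below the threshold, while the burst of large responses from several resolvers to a host that sent no query is reported.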
References: * HostExploit’s – World hosts report Q3 2012

BIG-IP Support for Morse Code Password Recovery Protocol
Good post by Bill Slawski of 'SEO by the Sea' yesterday covering Google's patent application for Query-based User Groups - the dynamic creation of Google Circles based on what Google knows about you. Bill summarises, "A query-based social circle approach could potentially connect a lot of people who might otherwise not communicate, and there seems to be a lot of potential in enabling people to connect through circles like this."

Road testing the idea in the office this morning, I threw the question out to F5's Ellie Robson, Marketing Ops PM, who feels this is, "...far too stalkerish. I don't want strangers talking to me because of a false sense of familiarity derived from their 'smart' phone".

My inner geek tells me this is quite cool. It's using data sources already in existence, like location, personal preferences, habits, and it's turning them into something meaningful. On the other hand, it's using my location, personal preferences and habits - to reach out to strangers. Are we venturing dangerously close to Drew Carey's character in 'The Truman Show' - where Truman thinks that he is an ordinary man with an ordinary life and has no idea about how he is exploited?

And where would this work? I struggle to see it here in the UK where talking to another passenger on the train is strictly taboo; make eye contact at your own risk. Or, is this a generational thing? I, for one, can't help feeling that take up of such an experience is something a new generation needs to be born into. A generation with less of a sense of privacy. I like a bit of mystery, an element of surprise in my day. Of not knowing what could happen next. Curiosity didn't kill the cat. Curiosity gave it a reason to go outside and explore!

R.I.P Barnaby Jack!
It's sad to hear that Barnaby Jack passed away at just 35 years old. He was found dead in his apartment in San Francisco on the 25th of July. BJ was to me special in many ways and a person I happily followed in his works as a security expert / white hat hacker and a good source of inspiration.

Born on the 22nd of November 1977 in New Zealand, he became known for many big discoveries in the industry, everything from making an ATM spit out hundred dollar bills (http://www.youtube.com/watch?v=qwMuMSPW3bU) to how you could remotely take over D-Link routers by modifying the binary firmware downloaded and injecting code for remote execution.

This was when I first came to meet with him in person. In April 2008 in Mallorca, Spain. We both worked for a different company at the time, and BJ was presenting his latest research on the D-Link router for all the SEs at a European SE conference. Though this was something he discovered in his spare time, it really illustrated his passion and knowledge that he used in his everyday work trying to make sure that the product shipped was 99,9% secure and did not contain any flaws in the hardware or software.

For several years now he ran his own security research company, focusing on security issues with medical equipment like insulin pumps and pacemakers. This Black Hat was going to be his show…. His latest research work was around pacemakers and their weaknesses. He was going to demonstrate how you could remotely turn one off from within 30 meters. It's sad to say that I will not be able to listen to that presentation presented by him but I hope his work lives on through someone else.

You will be missed by the security community and this Black Hat will probably get dedicated to you, at least in my mind.

Keeping the data flowing in this mobile world
It seems to me that you cannot check any technology news website these days without being bombarded by news about mobility, bring your own device (BYOD) and the arrival of 4G networks, bringing superfast internet access to millions of mobile workers across the country. But while most users just care about getting the latest handset and being able to get a decent mobile connection when out and about, the service providers behind the scenes have a lot more to deal with. The increasing number of subscribers, the “always on” nature of today’s devices and the vast amount of data they create are causing headaches for service providers. It’s something we know all about here at F5. As the features available to mobile users become richer and more advanced, it places additional strain on the networks. The trouble is that many of the networks and the infrastructure they run on are old, built before these superfast networks and advanced mobile devices were available. This means that, sometimes, performance and security can be compromised. Some applications will not perform at their optimal speed if there is heavy traffic on the network while many applications from unofficial sources could pose a security threat to the user, the business and the service provider. That’s why we believe in an application-orientated approach to security and centralised management and policy controls. This means you can tailor policies and protection for each application to each individual organisation, while centralising the management means a reduction in time and money spent on configuring policies and pushing them out. Essentially, the key is to ensure that what goes on behind the scenes is seamless and easy to manage, so users get a fast, reliable and secure mobile service and providers don’t have to stress about ensuring they can deliver on those promises. Our latest developments in the firewall market can help mobile service providers; click here to find out how. 
http://www.f5.com/about/news/press/2013/20130619/

Personal data management - whose data is it anyway?
IT Pro in the UK recently reported that Gartner is calling for tighter control over personal data management. We all know we should keep our personal and professional data separate and that we need to take the necessary measures to secure it, but many of us are guilty of leaving our data vulnerable to attack. According to a survey F5 carried out at Infosecurity Europe in April, 83 per cent of respondents said they were less than fully confident that their organisation has consistent security and availability policies across their entire IT infrastructure. It seems that many people doubt their data is safe in their company’s IT system, yet continue to leave it at risk.

Gartner predicts that 90 per cent of organisations will have personal data stored on IT systems they don’t own or control by 2019. That is a vast amount of data which will be a very attractive proposition for cyber criminals who see personal data as valuable in its own right as well as being a stepping stone to company data. Cyber criminals know that IT departments are tightening security measures on enterprise data and see access via personal data as an easy inroad.

By introducing formal personal data management regulations, employees will know exactly what they can and can’t store on company IT systems, protecting their data as well as the business infrastructure. However, while personal data management regulations will doubtless improve the issue, combining this with a network that is contextually aware could help to solve it altogether. If a business network can identify the source of traffic geographically, by type of device and by authentication, it can make intelligent decisions based on this information. It will understand if an employee is accessing a personal email, company data or using an app – it could also recognise if it’s being intercepted by a cyber-criminal.
If there was any question over the security of the connection or the device, the network could intelligently protect itself before any damage can be done. The network is secure and the right employees receive the right data, at the right time, allowing them to work efficiently without risk of coming under attack.

Gartner claims that more companies are choosing to entrust external service providers with credit card data rather than having it on their own systems, and this could soon become the case for personal data. Drawing a strict line between personal and professional data is a step in the right direction but context should also play a key role in keeping both types of data secure and available.

Technorati Tags: mobility,access,security,byod,sso,gartner

Firewalls for mobile networks - securing the future of communications
With the move towards 4G and LTE, many consumers have been unaware of the network risks that could slip into the mobile networks that they use every day. Mobile operators on the other hand are quite rightly concerned that the transition to IP-based networks could open them up to a variety of attack vectors never experienced before by the industry.

The rise of always-connected smart devices and the proliferation of mobile applications have led to increased demands around performance and scale, which can also affect reliability. Moreover, since subscribers now interact with a number of different types of networks (3G, 4G LTE) and protocols, centralised management for visibility and control throughout a provider’s mobile broadband network has become all the more essential.

Attacks on the network can also affect, or even come from, end user devices – meaning that it’s urgent that service providers get a lid on the risk as quickly as possible. With DDoS on the rise and risks from malware, botnets and worms a growing concern as smartphones (effectively pocket PCs in technological terms) become increasingly prevalent, mobile operators need to start looking at the security products they may not have considered in the past. Attacks on networks are nothing new to the IT industry, but in many ways it can be a whole new world for service providers.

Fortunately, this is where F5 can come in: we recently announced the launch of our S/Gi Firewall product, designed to address exactly these issues and consolidate disparate security platforms across 3G and 4G networks. With our full proxy BIG-IP Advanced Firewall Manager and running off our VIPRION 4800 hardware, we are uniquely able to offer one system to manage mobile network security with the capacity to meet the demands of even the busiest service providers.

Technorati Tags: mobile networks,security,ddos,ip,service providers

The Growth of the UK’s Government Digital Service (GDS)
The growth of the Government Digital Service (GDS) has been of great interest, and despite rumblings of concern from some quarters in government they are getting things done quickly and bringing some new ideas to the challenges of agile public service delivery. There are some interesting parallels to the BBC here which are worthy of note because if the government get this right we can expect a great deal of creative output that will enhance the citizen experience of government at a time when it needs it most. It is critical that the government can marry the individual skills sets and interests of the politicians, the civil servants and the new media people in the same way that the BBC has done so successfully over the years. The ability of these three diverse groups of people to work as a cohesive team to a common aim will be instrumental to the success of the Government Digital Service and the experience of the citizen in dealing with government as a whole. I once was the BBC Account Manager for a major US technology company during the Greg Dyke era and it was a time of considerable change with the rapid rise of the internet, changes from analogue to digital broadcasting, and significant cultural change at the corporation. I was lucky enough to host Greg and his Directors on a fact finding trip to the US looking at corporate culture and change. There were significant learnings that the BBC Directors took from the trip, not least that corporate culture is driven from the top and by example. However, what fascinated me more was the way the BBC themselves stimulated the collaboration of three distinct cultures in its output by valuing and leveraging the capabilities of each group. At the time we called these three cultures, The Luvvies, The Suits, and The Geeks, terms that were not intended to be derogatory in any way but did define some basic behaviours that are worth comparison. 
The Luvvies were the creative arts community focused on the production and delivery of world class material and they were interested in the high quality output of the corporation to the audience. The public sector comparison in current times is clearly The Politicians who are interested in the delivery of world class leading edge policies to their audience, the voting public. The Suits were the civil servants who managed the budgets, allocated resources, and operated the business side of the corporation that underpinned the work and the output of The Luvvies. They were strong business people focused on delivery but often constrained by rigid processes and procedures. The public sector comparison is clearly The Civil Servants, who manage the business of government for the politicians and deliver the policies. Interestingly, the BBC Head of IT at the time was the late and missed Philip Langsdale who worked incredibly hard at change at the corporation and had started to make a similar impact at the DWP. The Geeks were the creative technical community who invented, designed and deployed leading edge technical solutions that kept the BBC at the cutting edge of their industry despite substantial budgetary constraints. Mostly squirreled away at Kingswood Warren, they invented such things as Noise Cancelling Microphones, NICAM, and Digital Radio. More important in our context, they built BBC Internet Services to carry world class broadcast and online material. I remember watching the Twin Towers burning on BBC News and it was the only online news site that stayed up and functional during that terrible day, thanks to the skill of the Geeks. The public sector comparison to this group is the Government Digital Service team. Like The Geeks, the GDS as a media team are used to being very creative and agile, less constrained by process and dogma and in need of getting things done quickly. 
The pace of Gov.UK adoption is an example of its potential but their impact on public services could only just be starting.

The point about the Luvvies, Suits and Geeks is that although they are distinct cultures within the BBC with very different characteristics, skillsets and ways of working, the corporation has found a way to get the best from each and to harness their combined expertise to deliver the world class content that defines the BBC. It’s a tripartite environment that works incredibly well because the BBC respects their individual identities and contribution and because the corporation harnesses their expertise to meet the corporation's goals for distinct output.

In a study from IBM's Institute for Business Value on 'Opening up government', one of the key areas requiring strategic investment is the Digital Platform, and so GDS is core to the coalition's aim to make government more open and transparent, as well as to save considerable amounts of money. The debate and subsequent referendum on EU membership could be a defining moment for the GDS, proving its ability to have an impact on Open Government. Furthermore, the ability of the Cabinet Office to knit GDS into the fabric of The Politicians and The Civil Servants, so that their creativity is encouraged, channelled and developed, will be key to their ultimate success.

I, for one, am intrigued to see how GDS will develop over the coming months and wish them well.