Posts Tagged ‘tips’

Black Hat 2011 has kicked off in steamy Las Vegas (highs over 100°F this week!). But Black Hat isn’t about the weather, it’s about the hacking. And there will be hacking. ZDNet has already rounded up this year’s “10 can’t miss hacks and presentations.” Among those that made our ears perk up are Moxie Marlinspike’s “SSL And The Future Of Authenticity” and Jerome Radcliffe’s “Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System.” Of course, if you’re worried about being hacked yourself, Network World’s Tim Greene has published a checklist on “How to Survive Black Hat and Defcon without getting hacked – maybe” – love the caveat.

On that note, today we continue our conversation with Travis Carelock, technical director for Black Hat, to get his thoughts on staying safe online at the show.

VPN Haus: Because so many people are demoing hacks at Black Hat, should attendees take more precautions to protect their data and VPNs than they would at a show like, say, Interop?

Travis Carelock: To be honest, the demos on stage are the least of the attendees’ concerns. The Black Hat speakers generally do a very good job displaying and demoing their PoC (proof of concept) in responsible ways. I have never heard of an attendee compromised because of a demo on stage. However, I have heard of an attendee compromised because of the attendee sitting to their right. One of the primary things that differentiates Black Hat from a show like Interop is our average attendee. Over 6,000 cutting-edge security experts (with an average cost of $3,000, most companies don’t send their junior squad) will be in attendance, each smarter than the next, each with a complete hacking tool set updated, locked, loaded and ready to go, and most with a hacker’s mindset. So, yes, taking more precautions at Black Hat is always good.

VPN Haus: How is Black Hat Las Vegas different from the DC, Abu Dhabi, and Europe shows?

Carelock: Black Hat USA is our flagship event. It is several times bigger than our other events and serves as the yearly round-up for the entire security community. The previous year’s trends are analyzed, predictions about the next year are made, and awards are given based on community response and voting. In general, the community comes together to swap stories and techniques, and to network. Our other events are more targeted affairs, in which we try to serve some of the specific concerns of the regions in which they are held. At all our events we try to bring the latest offensive and defensive security presentations and techniques; the smaller events merely allow Black Hat to tailor what can be offered.

Here’s to a great show – and stay safe, everyone. See part one of our conversation with Travis Carelock here.

As part of an ongoing series, VPN Haus is asking average users about their frustrations with remote access. Most people we speak to attest that remote access has offered remarkable flexibility that simply wasn’t possible before. But as remote access has become more ubiquitous, so have confusion and annoyance.

“You can use SSL, which is much simpler to manage and more bandwidth friendly. It is also easier on the end user. They don’t need to remember to connect the VPN first,” says Justin Fox, an IT administrator for a small business.

We completely sympathize with Fox’s vexation, but SSL VPN isn’t necessarily a catch-all. A browser-based SSL VPN is fine for intermittent remote access, but for those who need to connect remotely every day, it is, well, hopelessly underwhelming. So, what’s the newer, faster, better alternative to SSL? IPsec VPN. Yes, you read that right. A new crop of IPsec VPN clients is redefining the very idea of “ease of use.”

Case in point: Die Mobiliar*, the oldest private Swiss insurance company, recently updated its VPN solution. Understandably, the company was worried about usability for its end users, but ultimately it found a remote access technology with a simple, graphical user interface for end users and one-click central management for the IT department. Who says you can’t please everyone?

Readers, what are your thoughts on the new generation of VPN solutions?

*Full disclosure: Die Mobiliar is an NCP customer.

VPN Haus continues its conversation with Thomas Cannon, a security researcher who made news last month when he discovered a vulnerability in the Android OS that could make devices susceptible to data theft. After finding the flaw, Cannon alerted Google and received a response from its security team within 20 minutes. In his blog, Cannon points out, “responsible disclosure would normally prevent me from publishing the advisory while there is a chance the users will get a fix in a reasonable timeframe. However, despite the speed at which Google has worked to develop a patch, I don’t believe this can happen. The reason is that Android OS updates usually rely on OEMs and carriers to provide an update for their devices.”

VPN Haus: Impressively, the Android Security Team responded within 20 minutes of your notifying them. But despite this quick response, you have concerns about how quickly users will get the patch, since Android OS updates typically come through OEMs and carriers. Do you think there should be some kind of industry standard to expedite patches for mobile devices, given that OEMs or carriers are typically involved?

Thomas Cannon: If we look at the desktop computing industry, we can see an industry standard for patching just hasn’t happened, and I feel it is unlikely to happen on mobile devices either. What would be the incentive? It would require the public to care enough about security to hold their carrier, manufacturer or OS provider accountable for timely fixes. We see usability, features, marketing, design and fashion win out over security in consumer devices. Being secure can be a unique selling point, one that RIM has used to dominate the business and government markets. As we see the push to introduce other mobile devices into the business by tech-savvy staff, we are seeing companies like Apple respond by introducing enhanced security so that they become more acceptable to the business. When using security as a selling point, you don’t want to follow an industry standard; you want to be better than your competition.

VPN Haus: Do you think Android being an open platform makes developing a patch and maintaining the software a tricky business?

Cannon: I don’t agree that being open means developing a patch is tricky. Being open allows more people to understand the code and the patch. I don’t think being open is the cause of software maintainability issues either. That said, in the case of Android it has enabled OEMs and carriers to modify the OS, and if they don’t invest in maintaining their version of the OS then that causes maintainability issues. It is similar to desktop Linux – some vendors maintain their distributions very well, others don’t. You can of course get an Android device that gets updates directly from Google, in the same way iOS devices get updates directly from Apple.

Next week, we’ll conclude this conversation with Cannon, talking about Android’s future in the enterprise and key security concerns around open devices.

Infosecurity, ZeuS Now Targeting Enterprise Access Gateways
InfoWorld, End-Users With Admin-Level Access Put Your Network Security at Risk
PC World, Lock Down Your Android Devices
TechRepublic, Five Tips for Remotely Administering Desktops
ZDNet, Use IPv6 in Windows 7 Today

CIO Insight, Tips for Managing Your Mobile Workforce
CSO, Survey: Business Continuity Plans Still Need Work
Dark Reading, Two Ways For SMBs To Secure Their Home Workers
Entrepreneur, Starbucks Free Wi-Fi Opens the Door for Hackers and Crackers
New Verizon Report Connects PCI Non-Compliance and Data Breaches