“Taking Precautions at Black Hat is Always Good”

Black Hat 2011 has kicked off in steamy Las Vegas (highs over 100 this week!). But Black Hat isn’t about the weather, it’s about the hacking. And there will be hacking. ZDNet has already rounded up this year’s “10 can’t miss hacks and presentations.” Among those that made our ears perk up are Moxie Marlinspike’s “SSL And The Future Of Authenticity” and Jerome Radcliffe’s “Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System.” Of course, if you’re worried about being hacked, Network World’s Tim Greene has published a checklist on “How to Survive Black Hat and Defcon without getting hacked – maybe” – love the caveat. On that note, today we continue our conversation with Travis Carelock, technical director for Black Hat, to get his thoughts on the show’s online safety.

VPN Haus: Because so many people are doing demos of hacks at Black Hat, should attendees take more precaution in protecting their data and VPN networks than they would at a show like, say, Interop?

Travis Carelock: To be honest, the demos on stage are the least of the attendee’s concerns. The Black Hat speakers generally do a very good job displaying and demo’ing their PoC (Proof of Concept) in responsible ways. I have never heard of an attendee compromised because of a demo onstage. However, I have heard of an attendee compromised because of the attendee sitting to their right. One of the primary things that differentiates Black Hat from a show like Interop is our average attendee. Over 6,000 cutting-edge security experts (with an average cost of $3000, most companies don’t send their junior squad) will...

What Annoys You About Remote Access? Part 2

As part of an ongoing series, VPN Haus is asking average users about their frustrations with remote access. Most people we speak to attest that remote access has offered remarkable flexibility that simply wasn’t possible before. But as remote access has become more ubiquitous, so have confusion and annoyance.

“You can use SSL which is much simpler to manage and more bandwidth friendly. It is also easier on the end user. They don’t need to remember to connect the VPN first,” says Justin Fox, an IT administrator for a small business.

We completely sympathize with Fox’s vexation – but SSL isn’t necessarily a catch-all. SSL is fine for intermittent remote access, but for those who need to connect remotely regularly, SSL is, well, hopelessly underwhelming. So, what’s this newer, faster, better alternative to SSL? IPsec VPN. Yes, you read that right. There’s a new crop of VPN options that are redefining the very idea of “ease of use.”

Case in point, Die Mobiliar*, the oldest private Swiss insurance company, recently updated its VPN solution. Understandably, the company was worried about usability for its end-users – but ultimately, it found a remote access technology with a simple, graphical user interface for end-users and one-click central management for the IT department. Who says you can’t please everyone?

Readers, what are your thoughts on the new generation of VPN solutions?

*Full disclosure, Die Mobiliar is an NCP...

Conversation with Thomas Cannon on Android Security, Part 2

VPN Haus continues its conversation with Thomas Cannon, a security researcher who made news last month when he discovered a vulnerability on the Android OS that could make devices susceptible to data theft. After finding the threat, Cannon alerted Google, receiving a response from their security team in 20 minutes. In his blog, Cannon points out, “responsible disclosure would normally prevent me from publishing the advisory while there is a chance the users will get a fix in a reasonable timeframe. However, despite the speed at which Google has worked to develop a patch I don’t believe this can happen. The reason is that Android OS updates usually rely on OEMs and carriers to provide an update for their devices.”

VPN Haus: Impressively, the Android Security Team responded within 20 minutes of your notifying them. But despite this quick response, you have concerns on how quickly users will get the patch since Android OS updates typically come through OEMs and carriers. Do you think there should be some kind of industry standard to expedite patches for mobile devices, as OEMs or carriers are typically involved?

Thomas Cannon: If we look at the desktop computing industry we can see an industry standard for patching just hasn’t happened, and I feel it is unlikely to happen on mobile devices either. What would be the incentive? It would require the public to care enough about security – to hold their carrier, manufacturer or OS provider accountable for timely fixes. We see usability, features, marketing, design and fashion win out over security in consumer devices. Being secure can be a unique selling point, one...

What We’re Reading, Week of 11/15

Info Security, ZeuS Now Targeting Enterprise Access Gateways
InfoWorld, End-Users With Admin-Level Access Put Your Network Security at Risk
PC World, Lock Down Your Android Devices
Tech Republic, Five Tips for Remotely Administering Desktops
ZDnet, Use IPv6 in Windows 7...