Archive for RB

VC Buys Sophos – Start of Bubble?

Cyber-security firm Sophos has been acquired by private equity firm Thoma Bravo for $3.9 billion. The firms disclosed the deal on Oct 14, 2019. Sophos Group (SOPH.L) was founded in 1985 and is a FTSE 250 company. The cybersecurity firm is based in Abingdon near Oxford and employs 3,400 people. Sophos has 400,000 clients around the world, including Pixar, Ford, Under Armour, Northrop Grumman, and Toshiba.

The Sophos board accepted the deal and unanimously recommends the offer from Thoma Bravo. The deal is subject to shareholder approval. Some speculate that the deal was timed to take advantage of the pound’s weakness around Brexit.

The deal continues Thoma Bravo’s buying spree of technology companies that offer cybersecurity and business management tools. Thoma Bravo also holds ownership stakes in the cyber-security firms Barracuda Networks, Imperva, McAfee, and Veracode, the remote monitoring and management (RMM) and IT operations firms ConnectWise, Continuum, and SolarWinds, and the SIEM vendor LogRhythm, among others. It is the first acquisition outside the U.S. for the Chicago-based buyout firm.

The Sophos acquisition is one of many transactions affecting the endpoint security market, which is consolidating. Rik Turner, principal analyst at Ovum, told Dark Reading, “There are probably too many vendors coming at this market in different ways, so a degree of simplification is in order.”

Among the notable endpoint deals thus far are VMware‘s acquisition of Carbon Black, BlackBerry‘s purchase of Cylance, and HP’s acquisition of Bromium.

So the question is: is the cybersecurity space in a bubble? Have valuations and VC investments grown too rich? TechCrunch recently wrote that security may be in a bubble, but it is not about to burst. Here are the arguments they laid out.

TechCrunch explains the bubble part of the equation is building:

The landscape of cybersecurity solutions and services is strikingly saturated. Still, this busy frontier continues to attract founders and investors alike, with 300+ new startups launching every year and VCs investing in cybersecurity at a record high of $5.3 billion in 2018. Further, many cybersecurity startups are able to raise large rounds of funding, with exceedingly high valuations, despite having little market traction.

However, the demand side of the equation is also growing and shifting according to TechCrunch:

The global cybersecurity market is booming: Cybersecurity-related spending is on track to surpass $133 billion in 2022, and the market has grown more than 30x in 13 years. Moreover, security is often integrated into new business initiatives and used as a competitive advantage.

rb-

I wonder what the looming Trump trade-war-induced recession will do to the cyber-security bubble. We know that consolidation means job losses, and recessions mean more jobs are lost. To quote the great American philosopher Yogi Berra – It’s déjà vu all over again for those of us who lived through Webvan and dot-bomb.

Related articles
  • What Happens To Enterprises If the Cybersecurity Bubble Pops? (ITSP Magazine)


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

How Secure are Your Printers?

Printers are under the security microscope again. They are IoT devices that sit on the network and rarely get updated. I have covered the problems that printers cause a number of times on the Bach Seat. Now more vulnerabilities have been identified by UK-based security consultancy NCC Group in six popular enterprise printers.

Vulnerabilities in printers

The research team was made up of Daniel Romero, managing security consultant and research lead, and Mario Rivas, security consultant at NCC Group. They identified several classes of vulnerabilities in printers, including:

  • denial-of-service attacks that could crash printers;
  • the ability to add back doors to printers to maintain attacker persistence on a network;
  • the ability to spy on every print job sent to a vulnerable printer; and
  • the ability to forward print jobs to an external, internet-based attacker.
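
The last two classes above, a planted back door and print jobs relayed to an outside host, both show up on the network in the same way: a printer that initiates connections to the internet, something a printer normally has no reason to do. The following script, added here as an example and not NCC Group’s or this blog’s code, runs that check over firewall logs. The key=value log format, the printer inventory, the internal address ranges and the sample log lines are all constructed assumptions, not data from the research.

```python
"""Detect printer-originated connections to addresses outside the corporate network.

Added example (not NCC Group's or the blog's code). The firewall log format,
printer inventory and internal address ranges are assumptions constructed for
this example; the log lines below are made up, not captured traffic.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed inventory: management IP -> label. Not real devices.
PRINTERS = {
    "10.20.5.21": "floor2-mfp",
    "10.20.5.22": "floor3-mfp",
    "10.20.5.23": "finance-printer",
}

# Ranges that count as "inside". Python's ipaddress.is_global also treats the
# RFC 5737 documentation addresses used in the sample as non-global, so the
# check is made against an explicit internal list instead of is_global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

# Constructed firewall log, key=value, one connection per line.
# 203.0.113.0/24 and 198.51.100.0/24 stand in for internet addresses.
SAMPLE_LOG = """\
ts=2019-10-15T09:01:12Z src=10.20.1.44 dst=10.20.5.21 dport=9100 proto=tcp action=allow
ts=2019-10-15T09:01:13Z src=10.20.5.21 dst=10.20.0.10 dport=53 proto=udp action=allow
ts=2019-10-15T09:02:40Z src=10.20.5.23 dst=203.0.113.77 dport=9100 proto=tcp action=allow
ts=2019-10-15T09:02:41Z src=10.20.5.23 dst=203.0.113.77 dport=9100 proto=tcp action=allow
ts=2019-10-15T09:05:00Z src=10.20.5.22 dst=198.51.100.9 dport=443 proto=tcp action=allow
ts=2019-10-15T09:05:30Z src=10.20.1.50 dst=198.51.100.9 dport=443 proto=tcp action=allow
ts=2019-10-15T09:06:02Z src=10.20.5.21 dst=10.20.0.25 dport=631 proto=tcp action=allow
ts=2019-10-15T09:07:10Z src=10.20.5.22 dst=203.0.113.5 dport=25 proto=tcp action=deny
not a log record at all
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one record, or None if the line is not one."""
    fields = dict(FIELD_RE.findall(line))
    if not {"src", "dst", "dport", "action"} <= fields.keys():
        return None
    return fields


def is_internal(addr):
    """True if addr falls inside one of INTERNAL_NETS. Raises ValueError on garbage."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_printer_egress(log_text, printers=PRINTERS):
    """Return {printer_label: [(dst, dport, hits), ...]} for allowed connections
    that a known printer initiated to an address outside INTERNAL_NETS.
    Traffic the firewall already denied is not reported; it was blocked."""
    hits = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["src"] not in printers or rec["action"] != "allow":
            continue
        try:
            external = not is_internal(rec["dst"])
        except ValueError:          # malformed address field, nothing to classify
            continue
        if external:
            hits[(printers[rec["src"]], rec["dst"], int(rec["dport"]))] += 1
    findings = defaultdict(list)
    for (label, dst, dport), n in sorted(hits.items()):
        findings[label].append((dst, dport, n))
    return dict(findings)


if __name__ == "__main__":
    for label, flows in find_printer_egress(SAMPLE_LOG).items():
        for dst, dport, n in flows:
            print(f"{label}: {n} allowed connection(s) to {dst}:{dport}")
```

On the sample data the script reports finance-printer talking to 203.0.113.77 on the raw print port 9100 (the shape of a forwarded print job) and floor3-mfp reaching 198.51.100.9 on 443, while the same 443 destination from a workstation and the denied SMTP attempt are ignored. Against real logs, replace SAMPLE_LOG with exported firewall records and PRINTERS with the asset inventory; vendor update or cloud-print endpoints that printers legitimately reach belong on a separate allowlist rather than in INTERNAL_NETS, and a default-deny egress rule for the printer subnet turns this finding into a block.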

Matt Lewis, research director at NCC Group, told Computer Weekly:

Because printers have been around for decades, they’re not typically regarded as enterprise IoT [internet of things devices], yet they are embedded devices that connect to sensitive corporate networks and therefore demonstrate the potential risks and security vulnerability posed by enterprise IoT.

Who to blame

There is plenty of blame to share for most of these latest vulnerabilities. Mr. Lewis says the manufacturers are causing these problems by neglecting to build security into their products.

Building security into the development life-cycle would mitigate most, if not all, of these vulnerabilities and so it’s therefore important that manufacturers continue to invest in and improve cybersecurity, including secure development training and carrying out thorough security assessments of all devices.

End users also have to take some of the blame, according to NCC Group:

Corporate IT teams can also make small changes to safeguard their organization from IoT-related vulnerabilities, such as changing default settings, developing and enforcing secure printer configuration guides, and regularly updating firmware.

Impacted printer models

The printers tested by the researchers were from HP, Ricoh, Xerox, Brother, Lexmark, and Kyocera.

NCC Group found vulnerabilities in HP (HPQ) printers. The Color LaserJet Pro MFP M281fdw has buffer overflows, cross-site scripting (XSS) vulnerabilities, and a bypass of its cross-site request forgery countermeasures.

HP has posted firmware updates to address potential vulnerabilities to some of its Color LaserJet series. “HP encourages customers to keep their systems updated to protect against vulnerabilities,” the company said in a statement.

The vulnerabilities NCC Group found in Lexmark CX310DN printers include a denial-of-service vulnerability, information disclosure vulnerabilities, a lack of cross-site request forgery countermeasures, and a lack of account lockout.

NCC Group found vulnerabilities in Kyocera (KYO) Ecosys M5526cdw printers. The security holes include buffer overflows, broken access controls, cross-site scripting vulnerabilities, and a lack of cross-site request forgery countermeasures.

NCC Group identified stack buffer overflows, heap overflows and information disclosure vulnerabilities in Brother (6448) HL-L8360CDW printers.

The vulnerabilities reported in Ricoh (RICOY) SP C250DN printers include buffer overflows, a lack of account lockout, information disclosure vulnerabilities, denial-of-service vulnerabilities, a lack of cross-site request forgery countermeasures, and hard-coded credentials.

NCC Group says the Xerox (XRX) Phaser 3320 printer’s vulnerabilities include buffer overflows, cross-site scripting vulnerabilities, a lack of cross-site request forgery countermeasures, and a lack of account lockout.

All of the vulnerabilities discovered during this research have either been patched or are in the process of being patched by the relevant manufacturers. NCC Group recommends that system administrators update any affected printers to the latest firmware available, and monitor for any further updates.


Quantum Supremacy

There are reports that Google (GOOG) has demonstrated quantum supremacy. In quantum computing, quantum supremacy means that a quantum computer is able to perform a calculation that is practically impossible for a classical computer. Before we fear and weep for the western dream, ScienceAlert explains that we can’t be sure of the claim.

Shortly after the research article was uploaded to the NASA site, it was withdrawn for unknown reasons. The news was originally broken by the paywalled Financial Times, which reported both seeing the paper and that it was subsequently taken down. Now only copies of the original paper are available online. Further, Google has not officially explained what is going on, sparking no end of online speculation about what has or hasn’t happened.

Assuming the briefly released paper is real, why is this important? Wired explains that the Google researchers used a quantum processor called Sycamore, with 54 qubits. It tackled a random circuit sampling problem: producing output samples from a randomly chosen quantum circuit and verifying that their distribution matches what the circuit predicts. ScienceAlert says the experimental quantum processor took about 200 seconds to solve that particular computational problem.

As part of the experiment, they set a version of the same challenge to some powerful Google server clusters, as well as to the current world’s fastest supercomputer, the IBM-built Summit supercomputer at Oak Ridge National Laboratory. The paper estimated that the state-of-the-art supercomputer would require approximately 10,000 years to perform the same task.

According to copies (PDF) of the vanished report,

This dramatic speedup relative to all known classical algorithms provides an experimental realization of quantum supremacy on a computational task and heralds the advent of a much-anticipated computing paradigm.

In the Wired article, John Preskill, the Caltech professor who coined the term “quantum supremacy,” calls the breakthrough, if accurate, a “truly impressive achievement in experimental physics.” But he and other experts, and even Google’s own paper, caution that the result doesn’t mean quantum computers are ready for practical work. Professor Preskill explains, “The problem their machine solves with astounding speed has been very carefully chosen just for the purpose of demonstrating the quantum computer’s superiority.”

Professor Preskill told Wired it is unclear how long it will take quantum computers to become commercially useful; breaking encryption, a theorized use for the technology, remains a distant hope. Running Shor’s algorithm against RSA-sized keys needs thousands of error-corrected logical qubits, each built from many physical ones, compared with the 54 noisy physical qubits in Sycamore. “That’s still many years out,” says Jonathan Dowling, a professor at Louisiana State University. New Scientist said that although the result is impressive, there is no practical use for it yet.

Will Oliver, a quantum specialist at MIT, told Technology Review that the computing milestone is similar to the Wright brothers’ first flight at Kitty Hawk. He said it would give added impetus to research in the field, which should help quantum machines achieve their promise more quickly.

1904 Wright Flyer

New Scientist says there are plenty of hurdles left to overcome before quantum computing hits the big time. The author cites a number of steps:

For a start, the processors need to be more powerful. Google’s Sycamore quantum computer consisted of only 54 qubits. For quantum computers to really come into their own, they will probably need thousands. Scaling up the number of qubits won’t be easy: qubits are easily disturbed and must be isolated from vibrations and other noise.

Next, quantum computers need error-correcting codes. Classical computers have mechanisms to make sure that when little mistakes happen they are automatically rectified.

The same will be needed for quantum computers, especially considering the delicate nature of qubits. The challenge now is to build a quantum computer that demonstrates quantum supremacy and also has error correction.

The final, biggest step is to actually do something useful. Google’s quantum computer tackled a task specifically tailored to prove quantum supremacy, not to do anything useful.

New Scientist called the achievement impressive but noted there is no practical use for it yet. Ciarán Gilligan-Lee at University College London said, “We shouldn’t get too carried away with this … but there’s still a long way to go.”

rb-

This benchmarking task is a proof of concept. SkyNet is not coming – yet.

Combining quantum with machine learning and AI may be a different story. But for a year or so we are probably safe. Unless of course, some TLA that is already using quantum computing made the paper disappear.


Data Privacy End Run

In an attempt to end-run stricter data privacy regulation, the Business Roundtable, an association of CEOs of America’s largest companies, sent an open letter to the U.S. House and Senate urging the politicians to pass a comprehensive national data privacy law. According to CircleID, the heart of the letter is the creation of federal privacy law that the companies argue should replace the various state-level laws that have already been passed.

The CEOs want one law that governs all user privacy and data protection across the U.S., which would simplify their lives. From the letter:

Now is the time for Congress to act and ensure that consumers are not faced with confusion about their rights and protections based on a patchwork of inconsistent state laws.

Among the items hidden deep in the CEOs’ consumer privacy framework are some onerous provisions:

  • private individuals should not be allowed to sue companies that violate the data privacy law itself (no private right of action);
  • potential pay-for-privacy schemes; and
  • overriding existing state data privacy protections already signed into law.

The Data Privacy Blog points out that in 2019, a number of states passed new and expanded data breach notification laws, including:

  • California,
  • Illinois,
  • Maine,
  • Maryland,
  • Massachusetts,
  • New Jersey,
  • New York,
  • Oregon,
  • Texas, and
  • Washington.

Also, since July 1, 2019, Delaware, New Hampshire, and Connecticut have enacted laws imposing new cybersecurity requirements on insurance companies.

ZDNet points out that many privacy advocates (and even some tech CEOs) believe the CEOs aren’t really looking after users’ interests, but their own. There is a belief that companies are trying to aggregate any privacy lawmaking in Congress, where lobby groups can water down any meaningful user protections that might affect their bottom lines. OpenSecrets reports that the Business Roundtable has spent over $6.6M lobbying in D.C. so far in 2019. As followers of the Bach Seat know, in D.C. money talks and citizens walk.

Among the CEOs involved in the end run were:

The Data Privacy Blog points out the coincidence that the CEOs’ framework comes just months before the California Consumer Privacy Act (CCPA) is set to go into effect in 2020.

Followers of the Bach Seat know many companies make money by selling customers’ personal or device-usage data. Privacy policies with too many teeth could prevent companies from selling your data to pay the CEOs’ average compensation of $17.2M. The LA Times reports that compensation for American chief executives increased by 940% from 1978 to 2018, while pay for the average worker rose only 12% over the same 40-year period.

rb-

Seems to me that the goal of this proposal of the leading CEO’s is not to protect our privacy. Their goal is to centralize the rule-making in the D.C. swamp and throw money at the politicians to do the Business Roundtable’s bidding. Then the CEOs will be able to maintain the status-quo and normalize the existing digital surveillance system that serves them well.

The CEOs’ sudden interest in data privacy has more to do with the growing wave of real reform at the state level and the calculation that Trump will be booted from office and a less business-friendly POTUS will take his place in 2020, and little to do with citizens’ privacy.

The digital rights organization Electronic Frontier Foundation supports a private right of action for any national consumer privacy law, as such a right would further enable members of the public to fight back against companies that violate the law.

The EFF wrote the best way to protect ordinary people’s privacy is action.

It is not enough for government to pass laws that protect consumers from corporations … to ensure companies do not ignore them … empower ordinary consumers to bring their own lawsuits against the companies that violate their privacy rights.

Signatures from Facebook CEO Mark Zuckerberg and Apple CEO Tim Cook were notably absent from the list although both have, in the past, supported a comprehensive federal privacy law.


Out of This World Ethernet

A while ago I wrote about Ethernet marching on: the IEEE had ratified the IEEE 802.3bp Ethernet standard, which addresses how Ethernet operates in harsh environments. Now Ethernet has been installed in the harshest environment where we live, the International Space Station. During an April 2019 extravehicular activity (EVA), U.S. astronaut Anne McClain and Canadian astronaut David Saint-Jacques upgraded the International Space Station’s communication systems by installing Ethernet cables.

Cabling Install and Maintenance reports that during a six-plus-hour spacewalk the astronauts installed Ethernet cables on the exterior of the space station to upgrade the wireless communication system and to improve its hard-wired communication system.

CBS News says the spacewalkers connected Ethernet cabling at the forward end of the Destiny module, the station’s primary research laboratory for U.S. payloads, to extend wireless connectivity for science instruments mounted outside the space station.

NASA tweeted a video clip of the cable installation during which the narrator explained, “... They’ll be de-mating and mating some cables to provide additional Ethernet to the International Space Station.”

rb-

Pulling more cable to expand wireless coverage – nice to know some things are truly universal. Whether you call it cable pulling, or mating cables, the truck-roll cost to the ISS must be pretty steep. At least NASA installers don’t need ladders.
