Tag Archive for 2018

DUO Expands Into Detroit

Updated 08/02/2018 – Lumbering behemoth Cisco (CSCO) is buying Duo for $2.35B in cash. Hopefully, it will go better for Duo, Ann Arbor, and Detroit than Cisco’s other purchases, Flip and Linksys.

The Ann Arbor, Michigan-based cybersecurity tech company DUO Security continues to grow. The start-up has grown so much that it is moving part of its operation from Ann Arbor to Detroit, Michigan. MLive reports that DUO will move 30 staff members into a shared workspace at Bamboo Detroit in the Madison Building at 1420 Washington Blvd. Employees moving to Detroit include those working in Duo’s engineering, information services, and product teams, the statement said.

At least 350 of Duo’s 500 employees work at Michigan locations, including two in Ann Arbor, where the company was founded in 2010. Duo Security CEO and co-founder Dug Song told MLive, “We are exploring options for how we continue to grow, but we’re committed to Michigan … We intend to stay here in Ann Arbor.”

To better support its customer base, Duo Security plans to expand its Detroit footprint by the end of 2018. The cybersecurity firm plans to occupy a 9,000-square-foot suite on the Madison Building’s sixth floor. DUO’s customer base includes over 10,000 companies, including Facebook (PDF), Etsy, Toyota, the University of Michigan, Yelp, and Zillow.

Duo’s software-as-a-service (SaaS) secures more than 300 million logins a month. Xconomy Detroit explains that the heart of Duo’s business-to-business technology is two-factor authentication (2FA). 2FA confirms a user’s identity by requiring a second proof beyond the password, typically a code sent to a device the user possesses, usually their phone. Duo’s software can also check the health of its customers’ devices and block access from those deemed risky.

Jon Oberheide, Duo’s co-founder and CTO, told Xconomy that the Duo platform ensures that only trusted users and devices can access protected applications. Implementation of the system takes less than a week for 75% of Duo’s customers. Mr. Oberheide explains why DUO is so successful:

An organization’s physical perimeter used to be its four walls, but that has really dissolved with VPNs (virtual private networks). You have some people using their own devices, some using company devices, and people working in different locations. A security program in that environment looks really different—it becomes really important to protect single log-ins.

CEO Song told MLive the move is an opportunity to build on Detroit’s history of innovation:

Detroit has always moved the world, both in body and soul, through its industry and art … We are proud to help invest in the historic resurgence of Detroit, excited to learn and grow together, and committed to a success much greater than ourselves.

Duo currently sponsors events like Detroit Startup Week and Techweek Detroit. They plan to continue their tech advocacy with new programs like Tech Talks featuring local and global experts.

rb-

I like what DUO is doing in Michigan. We use their product and it works great! We have been using DUO for over 2 years now. I get very little pushback from third-party vendors when I require them to use DUO to log in remotely.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.


IRS Systems Oldest in Federal Gov

As Benjamin Franklin wrote in 1789, “nothing can be said to be certain, except death and taxes.” The taxman is coming again on April 17th, 2018. Despite Trump’s Uncle Sam’s latest tricks to take more of our money, the Internal Revenue Service’s (IRS) systems are the oldest running in the U.S. government. Nextgov reports that one of the IRS’ most important tax-processing applications is old enough to be a grandparent, and officials warn a failure during tax season could have dire economic ramifications or delay tax refunds for 100 million Americans.

According to reports from the General Accounting Office, the IRS’ Individual Master File (IMF) and its sister system, the Business Master File (BMF), are the two oldest tech systems in all the federal government at about 58 years old. The next oldest tech system identified is the Defense Department’s Strategic Automated Command and Control System, which helps coordinate U.S. nuclear forces and was developed 55 years ago (rb- That’s reassuring).

The IMF and BMF are relics of the early days of computing itself. In 1960, an IRS report announced plans to install computers to automate tax processing at a facility in Martinsburg, West Virginia. Today, almost 60 years later, the IRS is still using the same systems to process the nation’s tax returns.

The Individual Master File is a massive application written in the antiquated and low-level Assembly programming language. It runs on an IBM mainframe and holds the data from 1 billion taxpayer accounts going back decades. IMF is chiefly responsible for receiving individual taxpayer data and dispensing refunds.

Despite hundreds of millions in spending, plans to fully modernize the application are more than six years behind schedule, and in a statement to Nextgov, IRS revised its new timeline for a modernized IMF to 2022. “To address the risk of a system failure, the IRS has a plan to modernize two core components of the IMF by 2021, followed by a year of parallel validation before retiring those components in 2022.”

The timeline could slip further. The article says the IRS will need the authority to hire at least 50 more employees—and backfill any losses—and receive an extra $85 million in annual non-labor funding for the next five years. Trump’s fiscal 2018 budget request would cut IRS funding by $239 million.

In the statement, IRS said IMF “is antiquated, with an architecture and design that dates back to the 1960s,” and admitted fewer programmers understand the old Assembly code. Auditors at the GAO have said IRS has more than 20 million lines of Assembly code.

The IRS’ main efforts to replace the IMF are the Customer Account Data Engine (CADE), which was canceled in 2009, and its successor modernization effort, CADE 2. Nextgov reports that plans to fully deploy CADE 2 and replace IMF have slipped, even as each company working on the project has earned as much as $290 million in revenue from IRS.

Contracting data obtained by Nextgov indicates contractors Deloitte, CSRA, Northrop Grumman, and MITRE Corporation all earned more than $60 million through fiscal 2017 through CADE or CADE 2 task orders.

In the meantime, IRS runs its legacy systems like IMF on newer hardware, though GAO’s latest audit stated 64 percent of the agency’s hardware is aged. Dave Powner, GAO’s director of IT management issues, told the House Committee on Ways and Means in October, “But relying on these antiquated systems for our nation’s primary source of revenue is highly risky, meaning the chance of having a failure during the filing season is continually increasing.”

Such a failure would be “catastrophic,” according to former IRS Commissioner John Koskinen.

“If this failure were to occur during the filing season, we could be looking at a lengthy interruption in processing returns and issuing refunds … This could have a devastating effect on more than 100 million taxpayers waiting on their refunds as well as the nation’s economy, which sees some 275 billion dollars of refunds each winter and spring.”

Mr. Koskinen told Nextgov that work on CADE 2 stalled “because of the budget crunch of the past year or two, along with the critical need to protect taxpayers against identity theft.” IRS diverted resources toward partnerships with private companies and state and local tax agencies to battle identity theft. The agency spends $2.7 billion annually on IT.

“Victims of identity theft dropped by two-thirds, after years of barely being able to hold our own,” he said. “It was the appropriate decision to protect accounts against identity theft, but it has meant that other critical information technology programs have gone more slowly.”

rb-

The government’s technology woes are worse than you think. Over 80% of the $90 billion federal IT budget goes toward outdated, legacy IT systems, leaving little left over for the innovation commonplace in the private sector.


Michigan Leader In Tech Jobs

The latest CyberStates report from CompTIA ranks Michigan 3rd nationally when it comes to growing tech jobs. According to the report (PDF), Michigan added 13,160 new tech jobs during 2017. Michigan ranks 9th overall in net tech employment.

The 404,300 tech workers in Michigan include tech industry workers in technical and non-technical positions, technical workers in other industries, and self-employed tech workers, according to CompTIA. In addition to added jobs, the CyberStates report shows Michigan’s tech sector is responsible for an estimated $34.7 billion of the overall state economy.

The CompTIA report also ranked Metro Detroit 11th for increases in tech employment, with 8,700 new tech jobs in 2017. Metro Detroit outpaced traditional tech hot spots like Atlanta, Boston, Dallas, and LA in tech job growth. The top CyberCities by net tech employment job gains were:

1. San Francisco +20,000
2. San José +12,600
3. New York City +10,200
4. Seattle +8,800
5. Detroit +8,700
6. Dallas +7,400
7. Boston +7,100
8. Los Angeles +5,700
9. Atlanta +5,300
10. Denver +5,100

The CyberStates report also found a 43.4% increase in the number of job postings related to emerging technologies, such as the Internet of Things, smart cities, drones, artificial intelligence, machine learning, virtual reality, augmented reality, and blockchain.

Michigan’s leading tech occupations include software and web developers, computer support specialists, and computer system and information security analysts.


Password Bracketology

The University of Michigan Basketball Wolverines, the Hockey team, and the Debate team have all made it into the NCAA Final Four. Along the way, the Wolverines busted a few brackets. In keeping with the March bracket madness, Keeper Security ran an analysis they’ve called “Password Madness”. In Password Madness, they developed their own bracketology of bad passwords. The password manager publisher analyzed 1.4 billion clear-text passwords that 4iQ found on the dark web, looking for sports team mascots used as passwords.

Followers of Bach Seat already know that passwords suck and there is a long list of passwords like “password” and “123456” that should be banned from use. According to a statement from Keeper Security, of all the passwords looked at, those containing “Tiger” and its variations (such as “T1ger”, “T1g3r”, etc.) appeared 187 percent more often than passwords containing variations of “Eagle,” the second-most common password set found, and nearly 850 percent more than the least common password, which was “Bluejay” and its variations.

The not-so-elite eight passwords on their list are:

  • Cowboy
  • Eagle
  • Hurricane
  • Irish
  • Pirate
  • Spartan
  • Tiger
  • Trojan

This is bad because, as I have pointed out, many people re-use the same password on nearly every online account. This behavior exposes hundreds of thousands of credentials to speedy hacking. Keeper Security recommends that rather than using their favorite sports team as a password, hoops fans instead concentrate on using unique, high-strength passwords for each login. Strong passwords contain at least eight random characters mixing upper- and lower-case letters, numbers, and symbols.
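As an added example (not code from the Bach Seat post or from Keeper Security), here is a password-policy check that catches the “elite eight” mascots even when they are disguised with substitutions like “T1ger” and “T1g3r”, and enforces the eight-character mixed-class rule the post cites. The substitution table is an assumption about common leet-speak, not something the post lists.

```python
# Added example: reject mascot passwords and their leet-speak variants, plus a
# minimum-strength check. Banned words come from the post; the substitution
# table below is assumed (typical leet-speak), not taken from the post.
import string
from typing import List, Optional

# The "elite eight" mascots from the Password Madness list.
BANNED_BASE_WORDS = {"cowboy", "eagle", "hurricane", "irish",
                     "pirate", "spartan", "tiger", "trojan"}

# Assumed common substitutions used to disguise a dictionary word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "8": "b", "@": "a", "$": "s", "!": "i",
                          "|": "l"})


def normalize(password: str) -> str:
    """Lower-case and undo substitutions so 'T1g3r' compares as 'tiger'."""
    return password.lower().translate(LEET_MAP)


def contains_banned_word(password: str) -> Optional[str]:
    """Return the banned base word hidden in the password, or None."""
    norm = normalize(password)
    for word in BANNED_BASE_WORDS:
        if word in norm:
            return word
    return None


def meets_complexity(password: str) -> bool:
    """At least eight characters with upper, lower, digit and symbol."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def check_password(password: str) -> List[str]:
    """Return policy violations; an empty list means the password passes."""
    problems = []
    if not meets_complexity(password):
        problems.append("needs 8+ chars with upper, lower, digit and symbol")
    banned = contains_banned_word(password)
    if banned:
        problems.append(f"contains banned word '{banned}' after undoing substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ("tiger", "T1g3r$2018", "Vq7#mL2pXw9!"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that “T1g3r$2018” satisfies the length and character-class rule yet still fails, which is why a dictionary check with normalization is needed alongside the complexity rule.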


Will Wi-Fi Be Secure This Time

One event at CES 2018 that was overlooked by many people was the Wi-Fi Alliance announcement of WPA3, a long overdue update to Wi-Fi Protected Access (WPA). This increases the strength of a security protocol that hasn’t been updated in 14 years.

The Wi-Fi Alliance says Wi-Fi carries more than half of the internet’s traffic, so improvements to WPA are good news. The WPA3 update is a response to the evolution of Wi-Fi usage and WPA2 vulnerabilities. There are four improvements to Wi-Fi Protected Access via WPA3 over the current standard (WPA2).

Stronger passwords

WPA3 gets a new layer of protection so its security is not contingent on passwords (as followers of the Bach Seat know, passwords suck). WPA3 addresses WPA2’s largest vulnerability: the handshake during which the key is exchanged. KRACK (Key Reinstallation Attack) is a major vulnerability discovered in 2017 in WPA2 and WPA. It exploits the Wi-Fi handshake. KRACK allows attackers to snoop on encrypted data being transferred between computers and wireless access points (WAP).

WPA2 uses a four-way handshake mechanism, starting with a nonce provided by the access point. Brute force “dictionary attacks” are the backbone of the KRACK attack. WPA3 implements Simultaneous Authentication of Equals (SAE) from IEEE 802.11s to provide protection against this flaw. SAE is also known as the Dragonfly protocol. The Internet Engineering Task Force (IETF) describes Dragonfly as a protocol that “employs discrete logarithm cryptography to perform an efficient exchange in a way that performs mutual authentication using a password that is probably resistant to an offline dictionary attack.”

This improvement will offer better security even if poor passwords are used. This feature is very useful since we know that users have difficulties creating strong and hard-to-guess passwords. The Wi-Fi Alliance claims WPA3 makes it almost impossible to breach a Wi-Fi network using the current dictionary and brute-force attacks. Mathy Vanhoef, the security researcher who discovered KRACK, appears very enthusiastic about the security improvements in WPA3.

Secure public Wi-Fi

WPA3-secured open networks will offer more privacy than ever before. Everything transmitted over today’s open Wi-Fi networks at airports, coffee shops, and libraries is sent in plain text that people can intercept. WPA3 will apply encryption to each user on the public Wi-Fi to eliminate clear text with “individualized data encryption”.

Malwarebytes Lab speculates that WPA3 will include Opportunistic Wireless Encryption (OWE). OWE enables connection on an open network without a shared and public Pre-Shared Key (PSK). That’s important because a PSK can give hackers easy access to the Traffic Encryption Keys (TEKs), allowing them access to a data stream. OWE implements a Diffie-Hellman key exchange during network sign-on and uses the resulting secret for the 4-way 802.11 handshake, rather than the shared, public PSK that can be easily exploited. With WPA3 it will be more difficult for people to snoop on your web browsing while you’re at Starbucks without actually cracking the encryption.

Stronger encryption

WPA3 will use stronger cryptographic algorithms. The new security protocol will use the Commercial National Security Algorithm (CNSA) 192-bit encryption mandated by the U.S. government for secure Wi-Fi networks. Experts speculate WPA3 will use a 48-bit initialization vector to support backward compatibility with WPA and WPA2. The 192-bit encryption will make WPA3 compliant with the highest security standards and fit for use in networks with the most stringent security requirements. (rb- Ironic – Go to the CNSA site and get an invalid cert warning in Chrome.) The CNSS is part of the US National Security Agency.

Easier IoT security

The WPA3 update simplifies setting up secure Wi-Fi connections for devices that don’t have a graphical user interface. This is critical to secure the 30.7 billion IoT devices that will be on the network by 2020. The new protocol will add the Device Provisioning Protocol (DPP), which sets up a simple, secure, and consistent method for securing devices with limited or no display. NetworkWorld reports that you will be able to tap a smartphone against a device or sensor and then provision the device on the network.

What happens to WPA2 devices

So far, most manufacturers have been quiet about legacy device support. We do know that future Wi-Fi certified WPA3 routers will be backward compatible to support WPA2. The question remains whether current WPA2 devices will be capable of connecting to WPA3.

WPA2 devices are not immediately obsolete. The Wi-Fi Alliance explained that current WPA2 devices will be able to connect with WPA3 hardware. The Alliance also announced that it will continue to do security tests on WPA2 to further protect wireless networks. WPA3 is not an immediate replacement for WPA2.

Even after you get a WPA3 enabled router, you’ll need WPA3 compatible client devices—your laptop, phone, refrigerator, security camera, industrial temperature sensor, or anything that connects to Wi-Fi—to fully take advantage of the WPA3 features. The good news is that shiny new router will accept both WPA2 and WPA3 connections at the same time.

Even when WPA3 is widespread, expect a long transition period where some devices are connecting to your router with WPA2 and others are connecting with WPA3. Once all your devices support WPA3, you should disable WPA2 connectivity on your router to improve security.

rb-

I am suspicious about the NSA link to the new WPA3 encryption. The NSA has introduced weaknesses in other encryption protocols.

Until we get our hands on real hardware, it is safe to speculate that like all things Wi-Fi, backward compatibility will cost you performance. What impact will one legacy device have on the capabilities of the WAP? Have a pair and turn off 802.11, 802.11b, WEP, and WPA connections on your current router.

It’s about time to update WPA. But as the 802.11n process proved, if you want to get nothing done, turn it over to an industry consortium. Andy Patrizio at NetworkWorld explained that’s where standards go to die because everyone wants their IP used so they make money off every sale. The end result is nothing gets done.
