By Year: 2015 - 35 items

Dec. 9, 2015 tags:  SSL-TLS cryptography infosec security-week

Paris Attacks: What kind of Encryption Does the PlayStation 4 Use, Anyway?

This is is one of my favorite articles. There was a crazy rumor going around after the Paris attacks that the terrorists were using Sony PlayStations to communicate with each other. And that the PS4 encryption was hiding their communications from Europol. So I decided to find out what kind encryption the PS4 uses. And how resistant would it be to surveillance.

Dec. 8, 2015 tags:  SSL-TLS cryptography infosec

Implementing Light-Weight East-West Firewalls with F5

East-west data center traffic needs to be secured. Here's the easy way to do it with the load balancers you already have.

Nov. 30, 2015 tags:  cryptography in-the-news infosec

Predictable SSH Host Key Flaw Affects Raspberry Pi Devices

SecurityWeek article quotes me about entropy.

Nov. 12, 2015 tags:  SSL-TLS cryptography infosec security-week

In Memoriam: Goodbye to RC4, an Old Crypto Favorite

My love letter to my favorite algorithm of all time, RC4.

Oct. 28, 2015 tags:  SSL-TLS cryptography infosec security-week

What's the Disconnect with Strict Transport Security?

Strict Transport Security is a simple but very powerful security fix. So why does no-one use it? I explore the topic in this piece for SecurityWeek.

Sept. 24, 2015 tags:  SSL-TLS cryptography infosec security-week

How "Let's Encrypt" Will Challenge The CA Industry

My third piece in the trilogy of articles I've written about the open CA "Let's Encrypt" for SecurityWeek. This one is a more measured look at how LE might impact Internet Security.

Sept. 15, 2015 tags:  SSL-TLS cryptography infosec

How much of my traffic is still SSLv3?

When the POODLE vulnerability came out in 2014, it was hailed as the death knell for SSL version 3. In the quarter just prior to POODLE, 98% of Internet sites supported SSLv3, but a year later that support had dropped to just 33%. Here's an article that shows you how to tell how much of your traffic is still SSLv3.

Sept. 15, 2015 tags:  SSL-TLS cryptography

Preparing your F5 for new TLS requirements in Apple iOS 9 and OS X 10.11

Here's one that came right from the field - we knew that iOS9 was coming, and was going to include changes for cryptography. Here's my write-up of what knobs everyone was going to have to turn to be compatible.

Sept. 15, 2015 tags:  in-the-news infosec

IT Teams Question Security of App Containers: Survey

A mention in SecurityWeek article about container security.

Sept. 9, 2015 tags:  infosec hackers security-week

Should You Be Worried About BGP Hijacking your HTTPS?

A BGP route monitoring firm, Qrator, released a paper at Blackhat 2015 titled “Breaking HTTPS with BGP Hijacking.” Here's my take on it.

Sept. 1, 2015 tags:  SSL-TLS cryptography infosec

The SSL Recommended Practices Guide

Cryptography has been a passion of mine since I was 9. NINE. I used to write code books to encrypt messages as a kid. So of course I gravitated to internet encryption, and spent a lot of time working with the Secure Sockets Library (SSL), which is now TLS. Here's a 50+ page magnum opus I wrote about the proper ways to use F5's SSL capabilities. Great stuff in here.

July 30, 2015 tags:  SSL-TLS cryptography infosec security-week

Stack Ranking SSL Vulnerabilities for the Enterprise

Not all SSL vulnerabilities are the same. Some are way worse than others, but often the media doesn't know that. My attempt to provide a relative scale based on quantifiable cryptographic assets. Also uses a cute Japanese Monster Alert level.

July 8, 2015 tags:  infosec hackers security-week

Hacker Search Engine Becomes the New Internet of Things Search Engine

I first ran into the hacker search Shodan engine at Defcon over a decade ago. It's still around; I saw its creator, John Matherly, giving a talk about it in Amsterdam's Hack-in-the-Box conference. My summary for SecurityWeek.

June 15, 2015 tags:  SSL-TLS cryptography travel in-the-news

Polish TV: Hackers and Banks and Stuff

Banki coraz cz??ciej atakowane przez hakerów

Ataki na banki zdarzaj? si? wsz?dzie. Banki na ca?ym ?wiecie s? zaniepokojone hakerami i kradzie?? pieni?dzy.

Here's a 3 minute interview with yours truly in Warsaw, Poland. They have a polish guy talking over my audio track, which is neat if you know Polish. I don't.

June 13, 2015 tags:  SSL-TLS cryptography infosec

Remediating Logjam: an iRule Countermeasure

An in-depth piece about the SSL Logjam vulnerability. How vulnerable are you, and here's how to mitigate it if you are.

June 4, 2015 tags:  ddos infosec hackers security-week

Three Reasons Mobile DDoS Never Materialized

A deeper dive in to the theoretical topic of mobile malware.

June 3, 2015 tags:  in-the-news infosec

InfoSecurity Europe 2015 - David Holmes

TechWeekEurope's Michael Moore speaks to David Holmes, Senior Security Evangelist for F5 Networks, at InfoSecurity Europe 2015

June 1, 2015 tags:  ddos

F5 DDoS Protection Volume 2 - Recommended Practices

This may be the most significant document I've ever written. Customers used to ask me if we a a Best Practices document around DDoS and I got tired of telling them we didn't. So I wrote it. It took my close to 9 months to birth this baby. It documents every single kind of DDoS we've ever seen and how to combat them. My magnum opens for DDoS.

May 24, 2015 tags:  ddos hackers

F5 SilverLine DDoS

A launch blog for the SilverLine DDoS Protection service.

May 19, 2015 tags:  infosec

My Three Favorite Security Podcasts

It takes effort to stay informed about the information security industry. The #infosec landscape changes incredibly fast. Security researchers and adversarial attackers generate a constant stream of vulnerabilities and other threat vectors. Keeping abreast of it all is a constant challenge. One great way to stay informed is to listen to a selection of security-themed podcasts. Podcasts keep your brain engaged when you’re multitasking some menial physical task like cleaning or driving or walking Roy, the Wonder Dog. Here are three security-themed podcasts that provide a pulse on infosec.

May 17, 2015 tags:  ddos infosec security-week

Where is the Android DDoS Armageddon?

I won a long-standing bet with my colleague, Pete Silva, about the Android Armageddon. Here's my write-up where I claim to win!

May 6, 2015 tags:  SSL-TLS cryptography

BIG-IP SSL Cipher History

A tiny blog explaining this awesome graphic.

April 23, 2015 tags:  SSL-TLS cryptography

RSA2015 – SSL Everywhere

This was a great interview, got lots of coverage. Good chemistry between myself and the awesome Pete Silva. F5 Worldwide Security Evangelist, David Holmes, talks about why the internet is going SSL Everywhere. He explains why there’s been a surge in encrypted traffic and reveals some interesting statistics from his ongoing research on the SSL protocol. Always an engaging guest, David takes us through Forward Secrecy, Strict Transport Security and SSL v3. What they solve and how they are being used in the wild.

April 15, 2015 tags:  infosec security-week

Disrupting the Disruptor: Security of Docker Containers

In 1897, physiologist René Quinton completely replaced the blood of a live, abandoned dog with seawater in an experiment to prove the theory that the chemistry of mammalian blood is formulated from ocean water, with which it shares many properties including salinity and acidity. Sound interesting? It is! A friend of mine called me recently: "Hey man, I was looking up the security of docker containers and read this article and lo-and-behold it was my old buddy Dave who wrote it!"

April 10, 2015 tags:  SSL-TLS cryptography infosec

Generational Whitehat Deficit will drive Silverline WAF

F5 launched a new web application firewall (WAF) in the cloud service. Here's my take on why it will succeed.

March 17, 2015 tags:  ddos infosec hackers security-week

Why do Bulldozers Incite DDoS Attacks?

Three different reasons why tractor companies find themselves in the crosshairs of DDoS attackers.

Feb. 24, 2015 tags:  infosec

Is the Security Skills Shortage Real?

A deeper look into the security skills shortage. What can be done?

Feb. 17, 2015 tags:  SSL-TLS cryptography security-week

Why "Let's Encrypt" Won't Make the Internet More Trustworthy

I submitted this piece with multiple possible titles. This was one that got chosen - the most inflammatory. But hey, strong opinions sell, I get it. Read the piece and see if it stands on its own, title notwithstanding.

Feb. 15, 2015 tags:  SSL-TLS cryptography infosec security-week

How to Tap the Hardware Random Number Generator in Your Load Balancer

I was born to write this article. It was floating around in my head for years and years, and finally came together. I've delivered a talk about the topic of RNG to dozens of audiences around the world, and the best parts of that talk are summarized in this SecurityWeek piece.

Feb. 10, 2015 tags:  SSL-TLS cryptography hackers security-week

Was SSL3 killed by a POODLE? Surveys says…Maybe!

I've been scanning the SSL universe since the summer of 2014, so I was able to see the effects of the POODLE vulnerability. Here's the writeup I did on both for SecurityWeek.

Feb. 9, 2015 tags:  SSL-TLS cryptography infosec

Why You Should Tap the Hardware Random Number Generator (RNG) in your BIG-IP

This is wicked important, and you should read it right now. This could improve your entire cryptographic security posture. For free. You're welcome!

Jan. 30, 2015 tags:  in-the-news infosec

DarkReading: How the Skills Shortage is Killing Defense-in-Depth

One of my favorite pieces, and one of the most high-profile as well. Lots of great discussion around this.

Jan. 25, 2015 tags:  SSL-TLS infosec

The Expectation of SSL Everywhere

Here's a whitepaper I did on the expectation of SSL everywhere and what it means for business today. Topics covered include Forward Secrecy, Privacy, advanced key management and how to protect everything with an "always on" architecture.

Jan. 9, 2015 tags:  SSL-TLS cryptography infosec

2014: The Year of the Infrastructure Vulnerability?

An article I did for DataCenterKnowledge. A look back at 2014 and all the ShellShock and Heartbleed fallout for Data Center Knowledge. Nice, crisp piece. License for the xkcd image:

Jan. 7, 2015 tags:  ddos infosec security-week

The Real Story Behind the Kate Upton Nude DDoS Attack

This is the most-read article I've ever written. A true-story about a cyberattack that supposedly involved the nude pictures of Jennifer Lawrence and Kate Upton.