NetWorks Group Blog

If you're a fan of delicious restaurants, awesome concert venues, Big 10 sports, or just a bike-friendly city, then you should probably be working with us in beautiful downtown Ann Arbor, Michigan. The team at NetWorks Group works at the corner of Main and Huron, a central-point to blocks of great places to shop, eat, and relax at. Located a short distance from the University of Michigan, NetWorks Group benefits from the feeling of both a college-town and an active business hub for southeastern Michigan. For a vibrant mixture of cultures, architecture, and activities, Ann Arbor is hard to beat!

At NetWorks Group, we put a lot of value in interacting in person with the various technology communities important to our team. More than that, we love to be able to meet with customers and people looking to find out more about what we do and how our team could help yours achieve tough goals.

Web applications continue to be an easy target for many attackers. There's generally a large attack surface, many best practices are often forgotten, and a single coding flaw can lead to a full compromise of the database or arbitrary code execution. Still, a quality Content Management System (CMS) can provide for a very functional web deployment and is hard to pass-up for many organizations.

The Certificate Authority (CA) system that currently handles how we publicly interact 'securely' with web sites, mail servers, and other services around the world can't catch a break. In the latest black-eye, an Entrust bulletin speaks about how a Malaysian CA called Digicert Malaysia recently issued 22 certificates with glaring CPS violations including the usage of 512-bit RSA keys. At this time, there's no suggestion of fraud or criminal activity being involved, but it's certainly confusing why this would have happened without it.

This is a first round of trying to provide community awareness of digital and social media that deserves a look (or listen). Today's post is a somewhat verbose listing of folks on Twitter I've found valuable over the years in the field of information security. Later blog posts will likely provide blog & news sites; podcasts; and other forms of media that give added value to your knowledge of the latest in information security. While this is just a short list, I hope some of them provide a guide to get to other talented people out there who may provide a bit more insight than you had before.

Fear, Uncertainty, and Doubt (FUD) are sadly a corner-stone of those who don't know enough to know better, or those that just don't care if they are wrong. When it comes to information technology, FUD is alive and well in 'cloud computing', at least from the perspective of those who want to make interesting headlines that will throw their readership into a tizzy.

If you're not already aware, October is National Cybersecurity Awareness Month! What may surprise some is that this designation is in its eighth year already and has really picked-up momentum among communities. Michigan is rather lucky to be holding the official national kick-off event on October 6th called the Michigan Cyber Summit. This event will bring in many notable government leaders such as Michigan Governor Rick Snyder and Secretary of the Department of Homeland Security, Janet Napolitano.

If you weren't paying attention during the early Summer months this year, you may have missed the overwhelming rate at which web sites were being publicly compromised and mocked. Often, these sites were prone to compromise due to SQL injection and other common web site vulnerability avenues. Even Barracuda Networks was compromised when apparently they took down their own security product for maintenance and were taken advantage of.

Aside from crisis situations involving now-defunct Certificates Authorities, other SSL news has been making waves in the security community the past week. The Browser Exploit Against SSL/TLS (BEAST) demonstrated by Juliano Rizzo and Thai Duong this past Friday was proof that under a complex set of circumstances, 'secure' information can, in fact, be decrypted by an attacker. While the complexities of this attack are likely to be prohibitive for just any attacker to leverage, the reality of its possibility is enough to take a deep breath and question "what's next?" in the litany of failures for our system of [supposedly] secure web browsing.

Not to be left in the dust for instances of confusingly-bad security practices by industry friends such as Citibank and Bank of America, American Express served up their own face-palm of security today. In this case, it appears that a breakdown between application developer ease-of-debugging didn't quite mesh-up with operations security and access restrictions. To summarize the link, American Express failed to effectively restrict a developer interface which provides debugging functionality for developers working on their web site. These sorts of administrative interfaces are certainly not uncommon, but they should be by design restricted to people with proper credentials or at least blocked from the public Internet for accessibility.