Archive

Category Archives for "Networking"

Windows Secure Boot: Insecure by design and most likely can’t be fixed

Encryption backdoors don’t work; the latest proof of that was discovered by security researchers Slipstream and MY123. This time, the security flub-up involves “golden keys” which can unlock Windows devices allegedly protected by Secure Boot. The researchers sounded the alarm, saying Microsoft messed up and accidentally leaked the security key which is supposed to protect Windows devices from attackers as a box boots up. This same flaw could be used by the machine’s owner to jailbreak a locked box and run a different OS like Linux – anything really, so long as it is cryptographically signed.

Raspberry Pi roundup: Keys to Pi foundry changing hands; Pi in the ocean, sky

One reason the Raspberry Pi’s runaway success has been a fun story to cover is that it’s very non-corporate – there’s relatively little branding silliness or careful PR stage management involved, and journalists like me instead get to write about an inventive little tool that is letting normal people around the world accomplish interesting and creative things. Yet the business side does, occasionally, rear its ugly head – late last month, U.S.-based electronics vendor Avnet purchased Premier Farnell, one of two licensed manufacturers of the Raspberry Pi, for about $900 million.

DC Fabric Segment Routing Use Case (3)

In the second post in this series, we considered the use of IGP-Prefix segments to carry a flow along a specific path in a data center fabric. Specifically, we looked at pulling the green flow in this diagram—

—along the path [A,F,G,D,E]. Let’s assume this single flow is an elephant flow that we’re trying to separate out from the rest of the traffic crossing the fabric. So—we’ve pulled the elephant flow onto its own path, but this still leaves other flows to simple ECMP forwarding through the fabric. This means some number of other flows are still going to follow the [A,F,G,D,E] path. The flows that are randomly selected (or selected by the ECMP hash) to follow the same path as the elephant flow are still going to contend with the elephant flow for queue space, etc.

So we need more than just a way to pull an elephant flow onto a specific path. In fact, we also need a way to pull a specific set of flows off a particular path in the ECMP set. Returning to our diagram, assume we want all the traffic other than the elephant flow to be load shared between H and B, and ...

Disable WPAD now or have your accounts and private data compromised

The Web Proxy Auto-Discovery Protocol (WPAD), enabled by default on Windows and supported by other operating systems, can expose computer users' online accounts, web searches, and other private data, security researchers warn. Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections, said Alex Chapman and Paul Stone, researchers with U.K.-based Context Information Security, during the DEF CON security conference this week. WPAD is a protocol, developed in 1999 by people from Microsoft and other technology companies, that allows computers to automatically discover which web proxy they should use. The proxy is defined in a JavaScript file called a proxy auto-config (PAC) file.

Four things to consider before upgrading your data center net to 25G

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach. Hyperscale public cloud providers and social media giants have already made the jump to 40Gbps Ethernet for their server and storage connectivity for lower total cost of ownership (TCO) and operational efficiency, and now they are migrating to 50 and 100Gbps Ethernet. Forward-thinking enterprises are looking at these hyperscale giants and trying to understand how to achieve Webscale IT efficiencies on an enterprise scale IT budget. Rather than bolting from 10Gbps server connectivity straight to 100Gbps, many are considering 25Gbps as an affordable and less disruptive step that will still provide significant performance improvements.

IDG Contributor Network: Measure cloud performance like a customer

When businesses hire outside contractors for a job, they always try to ensure that there are clear measures of whether the contractor is doing the job. Whether it be expanding office space, ensuring the office is cleaned regularly, having the bookkeeping up to date or reviewing HR procedures, any sound management decision always depends on independently measurable performance goals. Otherwise, you're just hiring someone with the conditions, "It's OK, we trust you."

IDG Contributor Network: Computers to diagnose supervisors’ emotions, fatigue

Will we be able to take a nap behind the wheel of a future autonomous car? Probably not. Autopilots and other automated machinery require forms of human-operator supervision. Autonomy, for example, is dependent on chips and sensors, such as GPS for position and magnetometers for directional bearing, among others. That tech, at least in the near-term, has to be monitored by humans in real time in case the sensors become glitchy.

When dolphins attack… iPads

It's for times like this that you really wish Apple would waterproof its iPads (and iPhones). Don't be surprised if a competitor works out something with the video creator here to use this footage of a dolphin snagging a woman's iPad at SeaWorld Orlando in a marketing campaign... In case you didn't know, animals have quite a long track record of playing with iPads. This includes everything from penguins...to cats...

How to prevent millennials from burning out at work

Millennials have been typecast as lazy, entitled and unwilling to work -- but the rate at which these young professionals burn out suggests otherwise. According to the American Psychology Association, 39 percent of millennials say their stress increased last year, 52 percent report lying awake at night from stress at some point in the past month and 44 percent report feeling irritability or anger because of their stress. James Goodnow, attorney at Fennemore Craig, P.C., dubbed "America's Techiest Lawyer," is known for his quick rise in the business world as a millennial. He's spoken extensively on the topic of millennials at work, and has insights into why this generation is burning out. Goodnow says he sees a trend with millennials where they're simply "driven by different goals than workers from other generations."

How underemployment contributes to the STEM skills gap

While unemployment remains low, underemployment is a severely underrated problem in today's economy, and it's contributing to the IT skills gap across the board, according to a new report from cloud compensation and benchmarking services provider PayScale. The report, The War on the American Worker: The Underemployed, surveyed 962,956 U.S. workers between March 26, 2014 and March 26, 2016, and found that almost half, 46 percent, of workers feel they are underemployed, which PayScale defines as working part-time when you'd rather be working full-time, or not using your education and training in your current role.

How to block phishers when they come a knockin’

Just like throwing out a fishing line into the water, a phisher waits for just the slightest nibble before pouncing on a network. Eyal Benishti, CEO of IronScales, says the way to cut off the phisher's food supply is to first go to the core of the issue: employee awareness. The CEO notes that cybercriminals by nature are lazy. “If your organization is a tough nut to crack, they will move on to find more low-hanging fruit,” Benishti says. According to the Verizon data breach investigation report published earlier this year, phishing remains a major data breach weapon of choice. Trend Micro added that ransomware is expected to be one of the biggest threats in 2016 and that a single ransom demand will go much higher, reaching seven figures.

Networking Needs Information, Not Data

Networking Field Day 12 starts today. There are a lot of great presenters lined up. As I talk to more and more networking companies, it’s becoming obvious that simply moving packets is not the way to go now. Instead, the real sizzle is in telling you all about those packets instead. Not packet inspection but analytics.

Tell Me More, Tell Me More

Ask any networking professional and they’ll tell you that the systems they manage have a wealth of information. SNMP can give you monitoring data for a set of points defined in database files. Other protocols like NetFlow or sFlow can give you more granular data about a particular packet group or data flow in your network. Even more advanced projects like Intel’s Snap are building on the idea of using telemetry to collect disparate data sources and build collection methodologies to do something with them.

The concern that becomes quickly apparent is the overwhelming amount of data being received from all these sources. It reminds me a bit of this scene:

How can you drink from this firehose? Maybe you should be asking if you should instead?

Order From Chaos

Data is useless. We need to perform analysis ...

Microsoft patches 27 flaws in Windows, Office, IE, and Edge

Microsoft released another batch of security patches Tuesday, fixing 27 vulnerabilities in Windows, Microsoft Office, Internet Explorer, and its new Edge browser. The patches are organized in nine security bulletins, five of which are rated critical and the rest important, making this Microsoft patch bundle one of the lightest this year in terms of the number of patches. All of the issues resolved this month are in desktop deployments, but Windows servers might also be affected depending on their configuration. "For example, Windows servers running Terminal Services tend to act as both desktop and server environments," said Tod Beardsley, security research manager at Rapid7, via email. However, the majority of Windows server admins out there can roll out patches at a fairly leisurely pace, he said.