Insecurity Guards

Pick a random headline related to security today and you’ll see lots of exclamation points and dire warnings about the insecurity of a something we thought was inviolate, such as Apple Pay or TLS. It’s enough to make you jump out of your skin and crawl into a dark hole somewhere never to use electricity again. Until you read the article, that is. After going through a couple of paragraphs, you realize that a click-bait headline about a new technology actually underscores an age-old problem: people are the weakest link.

Engineered To Be Social

We can engineer security for protocols and systems until the cows come home. We can use ciphers so complicated that even Deep Thought couldn’t figure them out. We can create a system so secure that it could never be hacked. But in the end that system needs to be used by people. And people are where everything breaks down.

Take the most recent Apple Pay “exploit” in the news that’s been making all the headlines. The problem has nothing to do with Apple Pay itself, or the way the device interacts with the point-of-sale terminal. It has everything to do with enterprising crooks calling in to Continue reading

Show 228 – Standards Bodies vs. Open Source with Dave Ward & Lauren Cooney

Cisco's Dave Ward and Lauren Cooney join Packet Pushers' co-hosts Greg Ferro and Ethan Banks for a discussion on the value of standards bodies in the age of open source software.

Author information

Ethan Banks

Co-host at Packet Pushers

Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 3M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks

TwitterGoogle+LinkedIn

The post Show 228 – Standards Bodies vs. Open Source with Dave Ward & Lauren Cooney appeared first on Packet Pushers Podcast and was written by Ethan Banks.

Pleasure

Deploying VMware NSX with Horizon

As part of the recent launch of Horizon 6, Tony Paikeday, senior product line manager, End-User Computing, VMware, takes a look at the value proposition of deploying the VMware NSX network virtualization platform together with Horzon.

Deploying VMware NSX with Horizon

VMware NSX, deployed with Horizon, offers a better alternative to securing east-west traffic between VMs, turning data center security from a perimeter-centric view to one that gives each individual desktop VM its own virtual network container – creating if you will, a network of “one.” This approach, also known as micro-segmentation, has been an ideal for network teams, but traditionally unachievable due to the cost, and the operational complexity involved. With the number of user VM’s introduced by desktop virtualization, and the sprawl of firewall rules needing to be manually added, deleted or modified every time a new VM is introduced, this has been untenable in the past. With VMware NSX, we have a completely new model for networking and security, delivering virtualization of the network, much as we did for server virtualization – reproducing it in software, with a logical library of networking elements and services including switches, routers, firewalls, load-balancers and more that can Continue reading

Microsoft blacklists fraudulently issued SSL certificate

Microsoft released an update to blacklist an SSL certificate for one of its domain names that was issued to an unauthorized third party.The improperly issued certificate could be used to spoof content, launch phishing attacks, or perform man-in-the-middle HTTPS interception against the live.fi and www.live.fi Web properties, Microsoft said in a security advisory Monday.The company updated the Certificate Trust List (CTL) included in Windows in order to blacklist the fraudulent certificate. Systems running Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012 and Windows Server 2012 R2 will receive the update automatically and transparently.To read this article in full or to leave a comment, please click here

Using local tcpdump for transit traffic

Using local tcpdump for transit traffic

Evaluation Guide: Encryptors for Metro and Carrier Ethernet

Christoph Jaggi, the author of Metro Ethernet and Carrier Ethernet Encryption Market Overview published an awesome follow-up document: an evaluation guide that lists most of the gotchas one has to be aware of when considering encryption gear, from deployment scenarios, network overhead and key exchange details to operational considerations. If you have to deal with any aspect of network encryption, this document is a must-read.

Xiaomi’s fitness tech to help power smart shoes

After releasing a fitness smartband, China’s Xiaomi is helping to bring the technology to smart shoes.Chinese athletic footwear maker Li-Ning is tapping into Xiaomi’s ecosystem by using the smartphone company’s mobile exercise app on two of its running shoe products. Li-Ning is also working with Huami Technology, a Xiaomi-invested company that designed its fitness smartband, to develop the shoes.Unveiled back in July, the “Mi Band” can synch with Android phones, and tracks exercise stats, such as steps taken, calories burnt, and hours slept. But perhaps its major draw is its cheap price, at about US$13.To read this article in full or to leave a comment, please click here

OpenSSL mystery patches due for release Thursday

New versions of OpenSSL will be released on Thursday to patch several security vulnerabilities, one of which is considered highly serious, according to the OpenSSL Project Team.An advisory published on Monday did not give further details of the vulnerabilities, presumably so as to not tip off hackers and perhaps to give some organizations time to patch in the meantime.The updates will be included in OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf, the advisory said.A number of serious problems have been found over the last year in OpenSSL, which is widely used open-source software that encrypts communications using the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocol, a cornerstone of Web security.To read this article in full or to leave a comment, please click here

Researchers find same RSA encryption key used 28,000 times

What if the key to your house was shared with 28,000 other homes?That’s essentially what researchers with Royal Holloway of the University of London discovered last week while scanning the Internet to see how many servers and devices are still vulnerable to the Web security flaw known as “FREAK.”Revealed on March 3, the FREAK flaw can let an attacker weaken a connection that uses the SSL/TLS (Secure Sockets Layer/Transport Security Layer) protocol, making it much easier to break the encryption and view the traffic. It was the latest in a string of flaws found over the last year in widely used open-source software.To read this article in full or to leave a comment, please click here

What, me worry? Despite Snowden leaks, Americans’ use of the ‘Net largely unchanged

Don’t worry, be happy. That seems to be the attitude most Americans have toward widespread government snooping on their Internet activities.Numerous leaks illuminating the massive scale of government surveillance programs have not rattled Americans. Relatively few people have made major changes to better secure their online communications and activities, even after the alarming revelations in Edward Snowden’s leaked NSA documents, according to the results of a Pew Research Center survey published Monday.Snowden, a former contractor for the NSA, blew the lid off government monitoring programs starting in mid-2013, leaking documents that reportedly showed how the U.S. government monitored and collected people’s personal data held by Internet and telecom companies.To read this article in full or to leave a comment, please click here

Intel doesn’t want Curie wearable computer making fashion statements

Intel wants wearable device technology to be inconspicuous, so it’s making its Curie wearable computer available through a button-sized board or as part of a chip package. The Curie, slated to ship in the second half of the year, was first shown at CES in the form of a button-sized computer on Intel CEO Brian Krzanich’s suit. The almost invisible Curie had technology that could read heart rates, and transfer the data wirelessly using Bluetooth. Blending technology discreetly into wearables is Intel’s goal with Curie, which will go into a wide range of tiny coin battery devices that can run for days and months without a recharge. The wearable computer is for non-technical customers, such as companies outside of the IT industry, that want to plug and play technology into devices, clothes and accessories.To read this article in full or to leave a comment, please click here

BlackBerry teams with Samsung on locked-down, high-priced tablet

This past weekend, at the CeBIT show in Hannover, Germany, BlackBerry announced its next tablet computer ... sort of. The Secusmart SecuTABLET is a customized version of Samsung's popular Galaxy Tab S 10.5 Wi-Fi + LTE tablet, with secure software from Secusmart and IBM. BlackBerry acquired Secusmart, a company that makes software and services for secure communications, last July.To read this article in full or to leave a comment, please click here

State Dept. expects email back online later Monday

The U.S. Department of State expects its main unclassified email system to be back in operation later Monday after security upgrades, but wider Internet access could take longer to get back online.The department, which says it fights off “thousands” of hacking attacks each day, took its system offline over the weekend “to ensure the integrity” of the network.“It was about further enhancing our security capabilities,” State Dept. spokeswoman Jen Psaki said at a regular briefing on Monday.She said it would take some time for the entire Internet system to be back online at the government department, but email would be the first step and is expected to return on Monday night.To read this article in full or to leave a comment, please click here

Microsoft Dynamics CRM gets an analytics-infused update

Following the launch of Dynamics CRM 2015 last November, Microsoft on Monday announced a Spring update to the software that promises new social, mobile and analytics capabilities along with closer integration with Office 365.On the social front, for instance, the Spring ‘15 release of Microsoft’s customer relationship management suite offers a new social center where marketing, sales and service teams can monitor social topics and engage directly with communities. Companies can create end-to-end customer engagements from social posts, while social analytics tools now offer text mining, cloud visualization and a social activity map. Tying it all together, Microsoft said, is a redesigned user interface.To read this article in full or to leave a comment, please click here

Integrating FortiOS (Fortigate VM64/VM32) into GNS3

VMware opens up on Cisco

As Cisco and VMware run virtually neck-and-neck in the SDN market, the two continue the war of words on the mindshare battlefield. Cisco posted another blog item last month which included points critical of VMware’s NSX network virtualization platform -- Cisco believes VMware imposes restrictions on which version of Open vSwitch to use with the product and limits VTEP integration:To read this article in full or to leave a comment, please click here

Networking’s open at last. Now what?

Networking hardware and spontaneous applause don’t often go together, but Facebook’s Omar Baldonado set off a round of cheering this week when he told engineers there’s finally an open-source hardware design that they can use to build switches.It was a goal the Open Compute Project had been working toward since mid-2013, and though the breakthrough happened late last year, Baldonado’s speech at the organization’s summit in San Jose, California, was a occasion for line-rate, no-packets-barred celebration.OCP had done the same thing for networking that it did for computing: Make hardware designs openly available, so vendors can build lots of different boxes easily and cheaply, and promote open software development to give IT teams a choice of what to deploy.To read this article in full or to leave a comment, please click here

Apple Watch app development pales in comparison to Android Wear

When compared side-by-side, the Apple Watch and Android Wear platforms have some similarities, but not many. A look at Apple's WatchKit, the programming tools used to create apps, gives a first impression that the Apple Watch's capabilities are currently limited.The first release of Google Glass gave developers limited access for building their apps, which captured developers' imaginations. Nine months later, Google released a comprehensive software development kit (SDK.) After listening to Augmate senior engineer Mike DiGiovanni's talk comparing WatchKit and Android Wear at the Wearable Tech Conference, the Apple Watch-like early Google Glass appears incomplete, and will likely get a comprehensive SDK update after Apple has field-tested WatchKit with its developer community.To read this article in full or to leave a comment, please click here