BrandPost: Moving to the Cloud? SD-WAN Matters!

This is the first in a two-part blog series that will explore how enterprises can realize the full transformation promise of the cloud by shifting to a business first networking model powered by a business-driven SD-WAN. The focus for this installment will be on automating secure IPsec connectivity and intelligently steering traffic to cloud providers. Over the past several years we’ve seen a major shift in data center strategies where enterprise IT organizations are shifting applications and workloads to cloud, whether private or public. More and more, enterprises are leveraging software as-a-service (SaaS) applications and infrastructure as-a-service (IaaS) cloud services from leading providers like Amazon AWS, Google Cloud, Microsoft Azure and Oracle Cloud Infrastructure. This represents a dramatic shift in enterprise data traffic patterns as fewer and fewer applications are hosted within the walls of the traditional corporate data center. To read this article in full, please click here

Stopping SharePoint’s CVE-2019-0604

Stopping SharePoint’s CVE-2019-0604

On Saturday, 11th May 2019, we got the news of a critical web vulnerability being actively exploited in the wild by advanced persistent threats (APTs), affecting Microsoft’s SharePoint server (versions 2010 through 2019).

This was CVE-2019-0604, a Remote Code Execution vulnerability in Microsoft SharePoint Servers which was not previously known to be exploitable via the web.

Several cyber security centres including the Canadian Centre for Cyber Security and Saudi Arabia’s National Center put out alerts for this threat, indicating it was being exploited to download and execute malicious code which would in turn take complete control of servers.

The affected software versions:

  • Microsoft SharePoint Foundation 2010 Service Pack 2
  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Server 2010 Service Pack 2
  • Microsoft SharePoint Server 2013 Service Pack 1
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019

Introduction

The vulnerability was initially given a critical CVSS v3 rating of 8.8 on the Zero Day Initiative advisory (however the advisory states authentication is required). This would imply only an insider threat, someone who has authorisation within SharePoint, such as an employee, on the local network could exploit the vulnerability.

We discovered that was not always Continue reading

Tower Workflow Convergence

Ansible-Blog-Tower-Workflow-Convergence

In Red Hat Ansible Tower 3.1 we released a feature called Workflows. The feature, effectively, allowed users to compose job templates into arbitrary graph trees. A simple workflow we saw users creating was a linear pipeline; similar to the workflow below.

image4-1

The workflow feature also allowed branching. Each branch can run in parallel.

image1-2

But something was missing. The ability to wait for previous parallel operations to finish before proceeding. If this existed, you could simplify the above workflow (see below).

image3-2

In Red Hat Ansible Tower 3.4 the above workflow is now possible with the introduction of the Workflow Convergence feature.

For you computer sciencey folks, workflows are no longer restricted to a tree, you can create a DAG. More simply, we call this convergence; two nodes are allowed to point to the same downstream node. The concept is best shown through an example. Above, we have a workflow with 3 nodes. The first two job templates run in parallel. When they both finish the 3rd downstream, convergence node, will trigger.

In this blog post we will cover the changes to workflow failure scenarios, how workflow node failure and success propagate, how this affects the runtime graph and how Continue reading

Orange Matter: Automating the Automators

Orange Matter Logo

I’ve been blogging for Solarwinds recently, posting on Orange Matter, with a cross-post to the Thwack Geek Speak forum. APIs are critical to operating infrastructure programmatically, but ultimately we need to add one or more layers of API-based middleware to make the solution usable and flexible.

This post appeared on Orange Matter as “Automating The Automators“, but I’m also linking to the version posted on Thwack, mainly because that format allows me to use more images and be slightly more irreverent; you don’t want to miss the great artwork on this one.

I’d love it if you were to take a moment to visit and read, and maybe even comment!

If you liked this post, please do click through to the source at Orange Matter: Automating the Automators and give me a share/like. Thank you!

IDG Contributor Network: Managed WAN and the cloud-native SD-WAN

In recent years, a significant number of organizations have transformed their wide area network (WAN). Many of these organizations have some kind of cloud-presence across on-premise data centers and remote site locations.The vast majority of organizations that I have consulted with have over 10 locations. And it is common to have headquarters in both the US and Europe, along with remote site locations spanning North America, Europe, and Asia.A WAN transformation project requires this diversity to be taken into consideration when choosing the best SD-WAN vendor to satisfy both; networking and security requirements. Fundamentally, SD-WAN is not just about physical connectivity, there are many more related aspects.To read this article in full, please click here

Your Voice Matters: The World Can Learn from Canada’s Inclusive Solutions to Make Citizens Safer Online

Andrew Sullivan presenting at the Canadian IoT event

Canada has shown great leadership in its innovative approach to secure our connected future by drawing on the diverse strengths, backgrounds, and perspectives our country has to offer.

While the wrap up of a collaborative effort to produce policy recommendations to keep us safe online is definitely worth celebrating, the real work for Canadians has just begun.

The Internet has profoundly changed the way we do things, expanding opportunity as it shrinks distances between people, cultures, and ideas. With connected devices hitting the shelves of major Canadian retailers like never before, the Internet of Things (IoT) is adding countless facets to a new era of human potential.

It has also brought new and complex challenges in areas such as privacy and security.

Many of us worry about our security when we log on. Despite recent calls by governments around the world to create regulation to keep citizens and information safe online, it is critical to consider that not one person or government can solve these issues alone.

If there’s anything the world of Internet governance has shown us, it’s that we get better answers to tough questions when a range of experts and interests can meaningfully take part in the Continue reading

Almost One Million Vulnerable to BlueKeep Vuln (CVE-2019-0708)

Microsoft announced a vulnerability in it's "Remote Desktop" product that can lead to robust, wormable exploits. I scanned the Internet to assess the danger. I find nearly 1-million devices on the public Internet that are vulnerable to the bug. That means when the worm hits, it'll likely compromise those million devices. This will likely lead to an event as damaging as WannaCry and notPetya from 2017 -- potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness.

To scan the Internet, I started with masscan, my Internet-scale port scanner, looking for port 3389, the one used by Remote Desktop. This takes a couple hours, and lists all the devices running Remote Desktop -- in theory.

This returned 7,629,102 results (over 7-million). However, there is a lot of junk out there that'll respond on this port. Only about half are actually Remote Desktop.

Masscan only finds the open ports, but is not complex enough to check for the vulnerability. Remote Desktop is a complicated protocol. A project was posted that could connect to an address and test it, to see if it was patched or vulnerable. I took that project and optimized it a Continue reading

CheriABI: enforcing valid pointer provenance and minimizing pointer privilege in the POSIX C run-time environment

CheriABI: enforcing valid pointer provenance and minimizing pointer privilege in the POSIX C run-time environment Davis et al., ASPLOS’19

Last week we saw the benefits of rethinking memory and pointer models at the hardware level when it came to object storage and compression (Zippads). CHERI also rethinks the way that pointers and memory work, but the goal here is memory protection. The scope of the work stands out as particularly impressive:

We have adapted a complete C, C++, and assembly-language software stack, including the open source FreeBSD OS (nearly 800 UNIX programs and more than 200 libraries including OpenSSH, OpenSSL, and bsnmpd) and PostgreSQL database, to employ ubiquitous capability-based pointer and virtual-address protection.

The protections are hardware implemented and cannot be forged in software. The process model, user-kernel interactions, dynamic linking, and memory management concerns are all in scope, and the protection spans the OS/DBMS boundary.

The basic question here is whether it is practical to support a large-scale C-language software stack with strong pointer-based protection… with only modest changes to existing C code-bases and with reasonable performance cost. We answer this question affirmatively.

That ‘reasonable’ performance cost is a 6.8% slowdown, significantly better than e. Continue reading

Huawei flap should prompt supply chain scrutiny

Aggressive efforts to keep China-based telecom vendor Huawei out of the U.S. market by the Trump administration have thrust a slow-burning debate in the networking space about the security implications of using Chinese-made technology into the limelight over the last two weeks, yet the real-world implications for business users are less than apocalyptic.The basics of the administration's case against Huawei are simple. The company’s close ties to the Chinese government, coupled with China’s history of industrial and political espionage against the U.S., means that its products can’t be trusted not to slip important information back to Beijing. The current crisis is only two weeks old, but  these concerns about Huawei and other China-based tech vendors date back years.To read this article in full, please click here

A lesson in journalism vs. cybersecurity

A recent NYTimes article blaming the NSA for a ransomware attack on Baltimore is typical bad journalism. It's an op-ed masquerading as a news article. It cites many to support the conclusion the NSA is to be blamed, but only a single quote, from the NSA director, from the opposing side. Yet many experts oppose this conclusion, such as @dave_maynor, @beauwoods, @daveaitel, @riskybusiness, @shpantzer, @todb, @hrbrmstr , ... It's not as if these people are hard to find, it's that the story's authors didn't look.


The main reason experts disagree is that the NSA's Eternalblue isn't actually responsible for most ransomware infections. It's almost never used to start the initial infection -- that's almost always phishing or website vulns. Once inside, it's almost never used to spread laterally -- that's almost always done with windows networking and stolen credentials. Yes, ransomware increasingly includes Eternalblue as part of their arsenal of attacks, but this doesn't mean Eternalblue is responsible for ransomware.

The NYTimes story takes extraordinary effort to jump around this fact, deliberately misleading the reader to conflate one with the other. A good example is this paragraph:


That link is a warning from last July about the "Emotet" ransomware and makes Continue reading

The Week in Internet News: Broadband Goes to Space

The final countdown: After two delays, SpaceX has launched a rocket containing 60 satellites designed to deliver broadband to Earth-bound people, Marketwatch reports. SpaceX plans to eventually deploy up to 12,000 satellites in an effort to provide broadband service across the globe. SpaceX sees the satellite network as a way to fund future Mars missions.

Banning rural broadband: Moves by U.S. President Donald Trump’s administration to ban products from Chinese telecom hardware company Huawei may hurt rural broadband access, Phys.org says. Many small broadband and mobile providers serving rural areas use inexpensive telecom equipment from Huawei and other Chinese companies.

The (un)connected tractor: Meanwhile, the U.S. is far from the only country facing challenges with rural broadband. Farmers in Brazil often lack access, Reuters reports. Even as many pieces of new farm equipment require Internet access, less than 10 percent of Brazilian farms are connected, according to one estimate.

Dividing line: The Internet is dividing between a Chinese and a Western view of how it should operate, says ABC.net.au. And Chinese companies, aided by their government, are spreading their technologies and philosophies across the globe, the story suggests.

Expensive bugs: An 11-year-old laptop loaded with Continue reading

1 1,224 1,225 1,226 1,227 1,228 3,841