Configuration errors in Intel workstations being labeled a security hole

Security researchers at an antivirus company have documented another potentially serious security hole in an Intel product, this time in the mechanism for performing system updates. The good news, however, is that it is limited to desktops, is a configuration error, and does not appear to impact servers. Last June, researchers at F-Secure found a flaw in Intel’s Active Management Technology (AMT), a feature used to perform remote updates to advanced desktops using Intel vPro or workstation platforms using Core desktop chips and certain Xeon CPUs. Xeon is primarily a server processor, but there are some low-end chips used in high-performance workstations, such as those used in a CAD environment.

Build oVirt Reports Using Grafana

Grafana, the open platform for beautiful analytics and monitoring, recently added support for PostgreSQL.

It is now possible to connect Grafana to the oVirt DWH in order to visualize and monitor the oVirt environment.

Grafana dashboard example

If you wish to create dashboards to monitor the oVirt environment, you will need to install Grafana.

Grafana automatically creates an admin user and password.

You will need to add a PostgreSQL data source that connects to the DWH database.

For example:

You may want to add a read-only user for connecting to the history database (see the oVirt documentation on allowing read-only access to the history database).
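One way to create the read-only role for Grafana's data source, as an added example that is not from this post or the oVirt project; the database name ovirt_engine_history, the DWH owner role ovirt_engine_history, the public schema and the role name grafana_ro are assumptions, and the \connect line is a psql meta-command:

```sql
-- Added example: a least-privilege PostgreSQL role for Grafana's oVirt DWH
-- data source. Assumptions: the DWH database is ovirt_engine_history, its
-- tables are owned by the role ovirt_engine_history in schema public, and
-- the new role is called grafana_ro. Run with psql as a superuser.

-- 1. A login-only role; the NO* attributes are defaults, spelled out here.
CREATE ROLE grafana_ro WITH LOGIN PASSWORD 'replace-with-a-strong-password'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- 2. Force every session of this role to be read-only, so that a later
--    accidental write GRANT still cannot modify history data.
ALTER ROLE grafana_ro SET default_transaction_read_only = on;

-- 3. Object privileges must be granted inside the history database.
\connect ovirt_engine_history

GRANT CONNECT ON DATABASE ovirt_engine_history TO grafana_ro;
GRANT USAGE ON SCHEMA public TO grafana_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana_ro;

-- 4. Cover tables and views that DWH upgrades create later. Default
--    privileges apply per creating role, so name the DWH owner explicitly.
ALTER DEFAULT PRIVILEGES FOR ROLE ovirt_engine_history IN SCHEMA public
    GRANT SELECT ON TABLES TO grafana_ro;

-- 5. Check: the role should hold SELECT and nothing else on every table.
SELECT table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'grafana_ro'
  AND privilege_type <> 'SELECT';
-- An empty result means no write privilege leaked to the Grafana role.
```

Point the Grafana PostgreSQL data source at grafana_ro rather than at the DWH owner account, so a compromised dashboard user cannot alter the history data.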

Now you can start creating your dashboard widgets.

Go to Dashboards -> + New.

Graph panel example:

To add a Graph panel, open the Row controls menu on the left side, go to + Add Panel, and pick Graph.

Query example for the Five Most Utilized Hosts by Memory / CPU panel:

SELECT DISTINCT
    min(time) AS time,
    MEM_Usage,
    host_name || 'MEM_Usage' as metric
FROM (
    SELECT
        stats_hosts.host_id,
        CASE
            WHEN delete_date IS NULL
                THEN host_name
            ELSE
                host_name
                ||
                ' (Removed on '
                ||
                CAST ( CAST ( delete_date AS date ) AS varchar )
                 -- (the rest of the query is truncated in this excerpt)

Experimenting with Azure

I’ve been experimenting with Microsoft Azure recently, and I thought it might be useful to share a quick post on using some of my favorite tools with Azure. I’ve found it useful to try to leverage existing tools whenever I can, and so as I’ve been experimenting with Azure I’ve been leveraging familiar tools like Docker Machine and Vagrant.

The information here isn’t revolutionary or unique, but hopefully it will still be useful to others, even if only as a “quick reference”-type of post.

Launching an Instance on Azure Using Docker Machine

To launch an instance on Azure and provision it with Docker using docker-machine:

docker-machine create -d azure \
--azure-subscription-id $(az account show --query "id" -o tsv) \
--azure-ssh-user azureuser \
--azure-size "Standard_B1ms" azure-test

The first time you run this you’ll probably need to allow Docker Machine access to your Azure subscription (you’ll get prompted to log in via a browser and allow access). This will create a service principal that is visible via az ad sp list. Note that you may be prompted for authentication for future uses, although it will re-use the existing service principal once it is created.

Launching an Instance Using the Azure Provider

Event-Driven Automation on Building Network Automation Solutions Online Course

Most engineers talking about network automation focus on configuration management: keeping track of configuration changes, generating device configurations from data models and templates, and deploying configuration changes.

There’s another extremely important aspect of network automation that’s often forgotten: automatic response to internal or external events. You could wait for self-driving networks to see it implemented, or learn how to do it yourself.

In the March 20th live session of the Building Network Automation Solutions online course, David Gee will dive deeper into event-driven network automation. As he explains the challenge:

When it comes to running infrastructure and infrastructure services, a lot of the decision making is human based. Someone reads a ticket, someone decides what to do. Someone gets alerted to an event and that someone does something about it. This involvement causes friction in the smooth-running nature of automated processes. Fear not! Something can be done about it.

We all know the stories of ITIL and rigid process management, and David will show you how event-driven automation could be made reality even with strict and rigid controls, resulting in an environment that reacts automatically to stimuli from your services and infrastructure. We will discuss what events are, when they're important, how

The Overoptimization Meltdown

In simple terms, Meltdown and Spectre are easy vulnerabilities to understand. Imagine a gang of thieves waiting for a stagecoach carrying a month’s worth of payroll.

There are two roads the coach could take, and a fork, or a branch, where the driver decides which one to take. The driver could take either one. What is the solution? Station robbers along both sides of the branch, and wait to see which one the driver chooses. When you know, pull the resources from one branch to the other, so you can effectively rob the stage. This is much the same as a modern processor handling a branch: the user could have put anything into some field, or retrieved anything from a database, that might cause the software to run one of two sets of instructions. There is no way for the processor to know, so it runs both of them.

To run both sets of instructions, the processor will pull in the contents of specific memory locations, and begin executing code across these memory locations. Some of these memory locations might not be pieces of memory the currently running software is supposed to be able to access, but this is not

Can IPv4 Networks Be Compromised via IPv6?

The Fox-IT International Blog recently published an article on how IPv4 networks can be compromised via IPv6. The attack vector relies on the default IPv6 configuration in the Windows operating system to spoof DNS replies by acting as a malicious DNS server, redirecting traffic to an attacker-specified endpoint. The Windows Proxy Auto Discovery (WPAD) feature can also be exploited in order to relay credentials and authenticate to various services within the network, using a tool called mitm6 created by Fox-IT.

Fox-IT recommends that IPv6 be disabled when it is not being used, as well as disabling Proxy Auto Detection. This of course means that Windows-based hosts are unable to switch preference to IPv6 when it is available (which all versions since Windows Vista will do), and that IPv6 would need to be explicitly re-enabled on hosts.

The article makes some important points, but IPv4 and IPv6 are fundamentally incompatible at the wire level, and it needs to be understood that they can’t communicate with each other except through translation devices. There are a number of known issues (including this one) with the security of automatic configuration mechanisms running on Local Area Networks, both under IPv6 and IPv4, but these require physical access to