Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability

Serious and easily exploited flaws in older Cisco IOS software. Commonly used, but old, switches used for Campus and SME Data Centres. Serious problem.

Thoughts:

  • Demonstrates how older Cisco devices are fundamentally insecure.
  • Cisco wasn’t focussed on security back then. They were happy if it even worked properly.
  • Cisco was slow to adopt SSH in IOS because customers weren’t asking for it. Microsoft should shoulder a lot of blame for not including an SSH client and we slowed operational adoption 1 (seriously, getting putty installed in many enterprises was a major problem)
  • Cisco has responded promptly and professionally to offer fix.
  • Customers should replace most of this kit, not fix it. You can expect many more security flaws in these NOS’s because security was a minor design issue for Cisco at that time.

The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors

  • The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and
  • The incorrect processing of malformed CMP-specific Telnet Continue reading

Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs [updated] | Ars Technica

Its become clear that the only way to improve security of certificate authorities is to follow through on threats. Symantec has been delinquent since 2012 in securing their processes and software. We have seen multiple instances of certificate falsely issued to domains (including Google’s domain). As the owner of Chrome browser, it has decided that Symantec is no longer fit to be considered a root authority for TLS (SSL) certificate.

Effective immediately, Chrome plans to stop recognizing the extended validation status of all certificates issued by Symantec-owned certificate authorities, Ryan Sleevi, a software engineer on the Google Chrome team, said Thursday in an online forum. Extended validation certificates are supposed to provide enhanced assurances of a site’s authenticity by showing the name of the validated domain name holder in the address bar. Under the move announced by Sleevi, Chrome will immediately stop displaying that information for a period of at least a year. In effect, the certificates will be downgraded to less-secure domain-validated certificates.

This is necessary. Politically this is a sound move. Taking down a major company that is US-based following removed of Chinese and Eastern European CA root certificates sends a message of fairness and balance. The repeat Continue reading

Getting started with Kubernetes using Ansible

Some of you will recall that I had previously written a set of SaltStack states to provision a bare metal Kubernetes cluster.  The idea was that you could use it to quickly deploy (and redeploy) a Kubernetes lab so you could get more familiar with the project and do some lab work on a real cluster.  Kubernetes is a fast moving project and I think you’ll find that those states likely no longer work with all of the changes that have been introduced into Kubernetes.  As I looked to refresh the posts I found that I was now much more comfortable with Ansible than I was with SaltStack so this time around I decided to write the automation using Ansible (I did also update the SaltStack version but I’ll be focusing on Ansible going forward).

However – before I could automate the configuration I had to remind myself how to do the install manually. To do this, I leaned heavily on Kelsey Hightower’s ‘Kubernetes the hard way‘ instructions.  These are a great resource and if you haven’t installed a cluster manually before I suggest you do that before attempting to automate an install.  You’ll find that the Ansible role Continue reading

The Gearhead Toolbox: Dashboards and visualizations

In this issue of the Gearhead Toolbox I’m covering dashboards and visualizations. There are an incredible number of products and services in this domain and today I've chosen three particularly interesting projects ... Mark Gibbs Cachet: A Status Page SystemTo read this article in full or to leave a comment, please click here

43% off Caller-ID Call Blocker For Robo-calls, Telemarketers and Other Nuisances – Deal Alert

Just hit the big red "block now" button and say goodbye to robocalls, telemarketer calls, solicitor calls, elections calls, junk faxes or anyone else you'd prefer not to hear from. This small and discreet gadget can also block international and private numbers, as well as full area codes. It has a 1,000 number/area code memory with 200 numbers pre-programmed. The popular gadget averages 4.5 out of 5 stars from over 3,600 people on Amazon (73% rate 5 stars -- read recent reviews here), where its original list price is reduced 43% to $79.99. See the discounted 1,200 number call-blocker on Amazon.To read this article in full or to leave a comment, please click here

Consultant urges never pay ransomware demands

When ransomware criminals lock up files and demand payment to decrypt them, don’t pay, was the advice a consultant gave to a group at SecureWorld.When there’s no risk of losing crucial data, that’s easy to say, and to make is possible requires planning, says Michael Corby, executive consultant for CGI.“Plan to have data available in a form that won’t be affected by ransomware – encrypted and stored separately from the production network,” he says. “You need a clean copy of the data in a restorable form. Test that the backups work.”Restore and recover are the key words, and they should be done keeping in mind that the malware has to be removed before recovering.To read this article in full or to leave a comment, please click here

Consultant urges never pay ransomware demands

When ransomware criminals lock up files and demand payment to decrypt them, don’t pay, was the advice a consultant gave to a group at SecureWorld.When there’s no risk of losing crucial data, that’s easy to say, and to make is possible requires planning, says Michael Corby, executive consultant for CGI.“Plan to have data available in a form that won’t be affected by ransomware – encrypted and stored separately from the production network,” he says. “You need a clean copy of the data in a restorable form. Test that the backups work.”Restore and recover are the key words, and they should be done keeping in mind that the malware has to be removed before recovering.To read this article in full or to leave a comment, please click here

FedEx offering $5 and all you have to do is, gulp, reinstall or reactivate Flash

From time to time – very infrequently, to be more precise – I will ignore my better judgment and reenable Flash in Chrome so that I can watch a particularly enticing cat video or whatever.I would do this more often, however, if more companies followed the lead of FedEx and offered me $5 just for doing so. Really, look: FedEx OK, it’s $5 off a purchase of $30 or more, but still seems like a good deal … unless you forget to deactivate Flash when you’re done.To read this article in full or to leave a comment, please click here

Apple: Macs and iPhones are safe from newly revealed CIA exploits

The Mac and iPhone exploits described in new documents attributed to the U.S. Central Intelligence Agency were patched years ago, according to Apple.WikiLeaks released a new set of files Thursday that supposedly came from the CIA. They contain details about the agency’s alleged malware and attack capabilities against iPhones and Mac computers.The documents, dated 2012 and earlier, describe several “implants” that the CIA can install in the low-level extensible firmware interface (EFI) of Mac laptop and desktop computers. These EFI rootkits allow the agency's macOS spying malware to persist even after the OS is reinstalled.To read this article in full or to leave a comment, please click here

Apple: Macs and iPhones are safe from newly revealed CIA exploits

The Mac and iPhone exploits described in new documents attributed to the U.S. Central Intelligence Agency were patched years ago, according to Apple.WikiLeaks released a new set of files Thursday that supposedly came from the CIA. They contain details about the agency’s alleged malware and attack capabilities against iPhones and Mac computers.The documents, dated 2012 and earlier, describe several “implants” that the CIA can install in the low-level extensible firmware interface (EFI) of Mac laptop and desktop computers. These EFI rootkits allow the agency's macOS spying malware to persist even after the OS is reinstalled.To read this article in full or to leave a comment, please click here

IDG Contributor Network: 7 best practices for securing your cloud service

As enterprises move their applications and data to the cloud, executives increasingly face the task of balancing the benefits of productivity gains against significant concerns about compliance and security.Security in the cloud is not the same as security in the corporate data center. Different rules and thinking apply when securing an infrastructure over which one has no real physical control.+ Also on Network World: The tricky, personal politics of cloud security + When leveraging cloud services, enterprises need to evaluate several key factors, including:To read this article in full or to leave a comment, please click here

IDG Contributor Network: 7 best practices for securing your cloud service

As enterprises move their applications and data to the cloud, executives increasingly face the task of balancing the benefits of productivity gains against significant concerns about compliance and security.Security in the cloud is not the same as security in the corporate data center. Different rules and thinking apply when securing an infrastructure over which one has no real physical control.+ Also on Network World: The tricky, personal politics of cloud security + When leveraging cloud services, enterprises need to evaluate several key factors, including:To read this article in full or to leave a comment, please click here