Opera warns 1.7 million Opera Sync users of breach, forces password reset

About 350 million people use the Opera browser. Of those, 1.7 million received an email from Opera, warning that attackers breached Opera’s cloud Sync service server. Even if a person didn’t check their email, they would have known something was up since Opera forced a password reset for Sync users.Opera announced the breach on Friday. The company said it detected and then “quickly blocked” an attack last week, but “some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised.”To read this article in full or to leave a comment, please click here

Building a Raspberry Pi-powered Barkometer, Part 1

I recently had a visit from my local animal control department. A youthful, uniformed guy rang the doorbell and handed me a letter. He told me that there had been a complaint from a neighbor (he, of course, was not at liberty to reveal the identity of the neighbor) about my dog barking. This was unexpected because my dog, Harvey (he’s an Australian Shepherd), doesn’t bark that much and when he does, it’s usually just a couple of midrange yelps. He mostly barks when he exits the back door (he always assumes that there’s some critter that needs to be dealt with) and occasionally, if the birds dare to land on our trees, he'll shout a few times but even then, it’s a brief protest rather than a drawn out rager. I’d argue that other neighbors' dogs are far noisier than my dog.To read this article in full or to leave a comment, please click here

Connecting Python To Slack For Testing And Development

The scripting language Python can retrieve information from or publish information into the messaging app Slack. This means you can write a program that puts info into Slack for you, or accepts your queries using Slack as the interface. This is useful if you spend a lot of time in Slack, as I do.

The hard work of integrating Slack and Python has been done already. Slack offers an API, and there are at least two open source Python libraries that make leveraging these APIs in your Python code a simple task. I chose slacker after a bit of googling, but it’s not a preference borne of experience. The community seems to be behind slacker as opposed to Slack’s own python-slackclient, so I went that direction.

Steps

  1. I’ll assume you’ve got Python installed already. My environment is Ubuntu Server 16.04 with Python 2.7.12.
  2. Install the python package manger pip, if you don’t already have it.
    sudo apt install python-pip
  3. Install the slacker python library.
    pip install slacker
  4. Generate a testing and dev token at the Slack API web site.
    https://api.slack.com/web
    Slack_Web_API___Slack
  5. The token will be everything required for authentication to your Slack group. Protect it Continue reading

It takes a village: Change management with Office 365

One of the key benefits of leveraging Office 365 for your SharePoint solutions is that you will be able to take advantage of all of the latest and greatest advances in the platform as they are launched. This means that you don’t have to worry about managing upgrades and fixes – and this should save time and resources associated with platform management. But, it also means that you have less control over when changes happen in your environment – and that means you need to stay on top of what Microsoft is planning. Successful change management is a lot about managing expectations. When people are fully informed and aware of changes to the software they use every day, the changes can be easier to accept – especially if you have evaluated the impact of these changes in advance. To ensure that your continuously evolving Office 365 environment is not disruptive to your users, you need to monitor what is happening with the platform with a multi-faceted “lens” – looking at upcoming changes from multiple perspectives. For that, it takes a village.To read this article in full or to leave a comment, please click here

Unregenerate 20160827 – The Week Gone By or To Come

Looking backward at last week or forward into next week.  unregenerate – adj. not reformed, unreconstructed, obstinate, stubborn —- Current Status Arrived in Las Vegas VMworld early for Vmworld as press/media. I’m presenting on the big stage at Future:Net – an [invitation only conference on the future of networking – on Thursday Morning “Breakfast With […]

The post Unregenerate 20160827 – The Week Gone By or To Come appeared first on EtherealMind.

Notes on that StJude/MuddyWatters/MedSec thing

I thought I'd write up some notes on the StJude/MedSec/MuddyWaters affair. Some references: [1] [2] [3] [4].


The story so far

tl;dr: hackers drop 0day on medical device company hoping to profit by shorting their stock

St Jude Medical (STJ) is one of the largest providers of pacemakers (aka. cardiac devices) in the country, around ~$2.5 billion in revenue, which accounts for about half their business. They provide "smart" pacemakers with an on-board computer that talks via radio-waves to a nearby monitor that records the functioning of the device (and health data). That monitor, "Merlin@Home", then talks back up to St Jude (via phone lines, 3G cell phone, or wifi). Pretty much all pacemakers work that way (my father's does, although his is from a different vendor).

MedSec is a bunch of cybersecurity researchers (white-hat hackers) who have been investigating medical devices. In theory, their primary business is to sell their services to medical device companies, to help companies secure their devices. Their CEO is Justine Bone, a long-time white-hat hacker. Despite Muddy Waters garbling the research, there's no reason to doubt that there's quality research underlying all this.

Continue reading

Medical device security ignites an ethics firestorm

One security research company is taking a controversial approach to disclosing vulnerabilities: It’s publicizing the flaws as a way to tank a company’s stock.The security firm, MedSec, made news on Thursday when it claimed that pacemakers and other health care products from St. Jude Medical contain vulnerabilities that expose them to hacks.However, MedSec is also cashing in on the disclosure by partnering with an investment firm that’s betting against St. Jude Medical’s stock.The whole affair is raising eyebrows around the security community. It may be the first time someone has tried to get compensated for discovering vulnerabilities by shorting a stock, said Casey Ellis, CEO of Bugcrowd, a bug bounty platform.To read this article in full or to leave a comment, please click here

Medical device security ignites an ethics firestorm

One security research company is taking a controversial approach to disclosing vulnerabilities: It’s publicizing the flaws as a way to tank a company’s stock.The security firm, MedSec, made news on Thursday when it claimed that pacemakers and other health care products from St. Jude Medical contain vulnerabilities that expose them to hacks.However, MedSec is also cashing in on the disclosure by partnering with an investment firm that’s betting against St. Jude Medical’s stock.The whole affair is raising eyebrows around the security community. It may be the first time someone has tried to get compensated for discovering vulnerabilities by shorting a stock, said Casey Ellis, CEO of Bugcrowd, a bug bounty platform.To read this article in full or to leave a comment, please click here

Weekly Roundup: Top 5 Docker Articles for this week

Here’s the buzz from this week we think you should know about! We shared a preview of Microsoft’s Docker container monitoring, reviewed the Docker Engine security feature set, and delivered a quick tutorial for getting 1.12.1 running on Raspberry Pi 3. As we begin a new week, let’s recap our top five most-read stories for the week of August 21, 2016:

 

43c0a3aa-5abd-4ec8-ae52-80a3cb61d837.jpg
 

  • Docker security: the Docker Engine has strong security default for all containerized applications.
  • Securing the Enterprise: how Docker’s security features can be used to provide active and continuous security for a software supply chain.
  • Container Monitoring: Microsoft previews open Docker container monitoring. Aimed at users who want a simplified view of containers’ usage, to diagnose issues whether containers are running in the cloud or on-premises by Sam Dean.  

Weekly roundup: Top 5 #Docker stories of the week
Click To Tweet

The post Weekly Continue reading

Debunking the most common big data backup and recovery myths

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.Big data has become a priority for most organizations, which are increasingly aware of the central role data can play in their success.  But firms continue to struggle with how to best protect, manage and analyze data within today's modern architectures. Not doing so can result in extended downtime and potential data loss costing the organization millions of dollars.Unlike traditional data platforms (Oracle, SQL*Server, etc.), which are managed by IT professionals, big data platforms (Hadoop, Cassandra, Couchbase, HPE Vertica, etc.) are often managed by engineers or DevOps groups and there are some common misconceptions around big data backup and recovery that need to be cleared up.  To read this article in full or to leave a comment, please click here

Fake resumes, jobs, lead to real guilty plea in H-1B fraud case

A Virginia couple has pled guilty to H-1B fraud charges in a scheme that made them millions, the U.S. Department of Justice announced Thursday.A married couple -- Raju Kosuri, 44, and Smriti Jharia, 45 -- created a visa-for-sale system involving some 900 H-1B visa petitions over a multi-year period, according to the U.S. attorney in the Eastern District of Virginia.Court records detail an elaborate operation that required a series of fictions to pull off.Through a series of shell companies that purported to provide IT staffing and services to corporate clients, the defendants H-1B visa petitions on behalf of workers. These workers had to pay the visa fees, legal and administrative costs -- as much as $4,000 -- in violation of the visa program's rules.To read this article in full or to leave a comment, please click here

Worth Reading: Is Openstack becoming Trumpstack?

Tired of hearing about Pets vs. Cattle? Most of us are. The underlying concept is important. While OpenStack, and most private and public cloud platforms, is geared towards workloads that have resiliency build into the application, many of the folks in the industry just aren’t there yet. The question comes to OpenStack advocates now: Should we push away potential adopters of the platform because they may have workloads that aren’t entirely appropriate for a typical “cloud” infrastructure? —DiscoPosse

LinkedInTwitterGoogle+Facebook

The post Worth Reading: Is Openstack becoming Trumpstack? appeared first on 'net work.

Got big data? Check out these 100 best practices for keeping it secure

Big data is best known for its volume, variety, and velocity -- collectively referred to as the "3 Vs" -- and all three of those traits make security an elusive goal. Targeting companies grappling with that challenge, the Cloud Security Alliance on Friday released a new report offering 100 best practices.As its name would suggest, the CSA focuses on promoting the use of security best practices within the cloud computing world; corporate members include VMware, Microsoft, AWS, and Red Hat. In an earlier report, the CSA broke down big data security risks into a set of the top 10 major challenges. Now, for each of those, it presents 10 best practices designed to help enterprises keep their information safe.To read this article in full or to leave a comment, please click here

Got big data? Check out these 100 best practices for keeping it secure

Big data is best known for its volume, variety, and velocity -- collectively referred to as the "3 Vs" -- and all three of those traits make security an elusive goal. Targeting companies grappling with that challenge, the Cloud Security Alliance on Friday released a new report offering 100 best practices.As its name would suggest, the CSA focuses on promoting the use of security best practices within the cloud computing world; corporate members include VMware, Microsoft, AWS, and Red Hat. In an earlier report, the CSA broke down big data security risks into a set of the top 10 major challenges. Now, for each of those, it presents 10 best practices designed to help enterprises keep their information safe.To read this article in full or to leave a comment, please click here

BrandPost: Bringing flexibility to the WAN

MPLS (multi-protocol label switching) VPNs (Virtual Private Network) have long been recognized as a preferred option for dedicated, high performance connectivity over a wide area network (WAN), such as linking data centers or branch offices that require high volume and reliability. Often these MPLS VPNs would use a broadband internet connection, either DSL, Cable or LTE, as a backup option.  It has become more common recently to leverage that broadband for internet offload.  In fact, the broadband internet is also being used as the primary VPN link for many locations and is even being combined with single user remote access options.  Regardless of the use case for the broadband VPN, it uses the IPSec protocol to encrypt the VPN traffic to keep it secure. To read this article in full or to leave a comment, please click here

Distil Networks uses device fingerprints to detect malicious web bots

This column is available in a weekly newsletter called IT Best Practices.  Click here to subscribe.  Who's that coming to your website? Is it friend or foe? Is it a customer wanting to buy your products, or someone or something wanting to steal your web content? Is it a community member that wants to post a relevant comment, or a spammer intent on planting junk links and content in your open comments section? Is it a real person clicking on an ad, or a web bot driving up fraudulent clicks?Web applications are increasingly being subjected to automated threats such as click fraud, comment spam, content scraping, abusive account creation, and more. These and other illicit or unwanted activities are described in detail in the OWASP Automated Threat Handbook for Web Applications.To read this article in full or to leave a comment, please click here

1 2,690 2,691 2,692 2,693 2,694 3,818