A new WordPress plug-in exploit endangers thousands of websites

Over the past few days, attackers have been exploiting an unpatched vulnerability in WP Mobile Detector, a WordPress plug-in installed on over 10,000 websites. The plug-in's developer fixed the flaw Tuesday in version 3.6, but in addition to updating immediately, users should also check whether their websites have already been hacked. The vulnerability is located in a script called resize.php and allows remote attackers to upload arbitrary files to the Web server. These files can be backdoor scripts known as Web shells that provide attackers with backdoor access to the server and the ability to inject code into legitimate pages. The flaw was discovered by WordPress security outfit PluginVulnerabilities.com after it observed requests for wp-content/plugins/wp-mobile-detector/resize.php even though the file didn't exist on its server. This indicated that someone was running an automated scan for that specific file, likely because it had a flaw.

IDG Contributor Network: Measurement is key to cloud success

When I think about the Internet, I think about the General Motors bankruptcy of 2009. Okay, maybe it’s not the first thing that pops to mind. But there’s a lesson in it for builders of networks. It is hard not to draw an analogy between the rise of North American car culture and the development of the Internet. In the earliest days of car culture, it was a lot of work to use a car. You needed to be a pretty reasonable mechanic, and you were using a mode of transportation that was just as uncomfortable as any other one, but that was unreliable and experimental as well. But this didn’t matter, because other enthusiasts like you were trying out the same things, and if the new technology turned out to work it would be a really big deal. Similarly, in the earliest days of the network, the users were mostly also developers of the technology. Only pretty geeky people could have thought of telnet or FTP as user-friendly.

Internet of Things (IoT) telemetry

The internet of things (IoT) is the network of physical objects—devices, vehicles, buildings and other items—embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data. - ITU

The recently released Raspberry Pi Zero (costing $5) is an example of the type of embedded low power computer enabling IoT. These small devices are typically wired to one or more sensors (measuring temperature, humidity, location, acceleration, etc.) and embedded in or attached to physical devices.

Collecting real-time telemetry from large numbers of small devices that may be located within many widely dispersed administrative domains poses a number of challenges, for example:
  • Discovery - How are newly connected devices discovered?
  • Configuration - How can the numerous individual devices be efficiently configured?
  • Transport - How efficiently are measurements transported and delivered?
  • Latency - How long does it take before measurements are remotely accessible? 
This article will use the Raspberry Pi as an example to explore how the architecture of the industry standard sFlow protocol and its implementation in the open source Host sFlow agent provide a method of addressing the challenges of embedded device monitoring.

The following steps describe how to install the Host sFlow Continue reading

IDG Contributor Network: IoT will overtake smartphones in 2018

The Internet of Things will become a bigger connected-device category than smartphones in 2018, telco equipment maker Ericsson says in its latest report. The Swedish company reckons that IoT will grow globally at a CAGR of 23 percent during the period 2015 to 2021, it says on its website. CAGR, or Compounded Annual Growth Rate, is the annual growth rate over the period. That would make IoT a 16 billion unit player by 2021. For comparison, the entire smorgasbord of connected devices will number 28 billion by then, Ericsson says in the report (PDF), published this week.

IDG Contributor Network: How to control the stealth IoT invasion

IoT devices are invading the enterprise, often by stealth. Groups and departments are selecting devices such as door locks, air quality monitors, security and control systems which require connection to the enterprise WLAN and the Internet, but with no IT input into the purchase decision. This creates headaches for the network engineer, but they are manageable: a basic enterprise IoT management solution requires just a handful of functions. IoT is one of the first systems built in the cloud era, and many – if not most – IoT devices are designed to work with Internet-based cloud services (the remainder will need network-specific configuration to connect to inside-the-firewall services).

Using Macvlan and Ipvlan with Docker on Software Gone Wild

A few weeks after I published the Docker Networking podcast, Brent Salisbury sent me an email saying “hey, we have experimental Macvlan and Ipvlan support for Docker” – a great topic for another podcast.

It took a while to get the stars aligned, but finally we got Brent, Madhu Venugopal, John Willis and Nick Buraglio on the same Skype call resulting in Episode 57 of Software Gone Wild.

Land O’Lakes maps out farming’s future with Google cloud

Farmers looking for ways to increase their crop output are using more technology and relying a little less on intuition. Farmers associated with Land O'Lakes, a dairy-focused, agricultural cooperative in Minnesota, are using online tools and apps to visualize their fields and to analyze the data in such areas as water management, seed placement and crop diseases. To do that, Land O'Lakes, known for producing the top butter brand in the U.S., has turned to Google's public cloud. The company is involved in a $3.5 million project with Google and expects to see a payback on it in two to three years.

8 reasons why your security awareness program sucks

As a person who primarily focuses on the human aspects of security and implementing security awareness programs, people are surprised when I am neither upset nor surprised when there is an inevitable human failing. The reason is that I have come to the conclusion that most awareness programs are just very bad, and that like all security countermeasures, there will be an inevitable failing. I have to admit that it is frustrating to have to argue with people who claim that awareness is always bad. They argue that since there will always be a single failing, then it is not worth the effort to have an awareness program in the first place. Of course, I vehemently disagree. However, to debate people, and address their points, at least in the eyes of decision makers, you need to understand the foundation of their arguments and accept the premises that are true.

Human error biggest risk to health IT

In the race to digitize the healthcare industry, providers, insurers and others in the multi-layered ecosystem have failed to take some of the most basic steps to protect consumers' sensitive health information, a senior government official is warning. Servio Medina, acting COO at the Defense Health Agency's policy branch, cautioned during a recent presentation that too many healthcare breaches are the product of basic mistakes, ignorance or employee negligence. "These are things that could be prevented," Medina said. "Today's training and awareness efforts that we provide currently are simply not effective. They are not enough. We have to do something radically more and different."

Top Raspberry Pi news of the week: Magic mirror; Micro:Bit gets real; more on Android

This week for our Raspberry Pi roundup, we check out a little bit of magic, check in on the competition and follow up on some exciting Android-related buzz.

Magic mirror – from Microsoft?

Raspberry Pi Foundation official blog

The magic mirror is a popular Raspberry Pi project, combining relative ease of construction with a pretty eye-catching result – who wouldn’t want a mirror that shows you the weather, your appointments and maybe the news when you look into it in the morning?

Micro-segmentation Defined – NSX Securing “Anywhere”

The landscape of the modern data center is rapidly evolving. The migration from physical to virtualized workloads, the move towards software-defined data centers, the advent of a multi-cloud landscape, the proliferation of mobile devices accessing the corporate data center, and the adoption of new architectural and deployment models such as microservices and containers have assured that the only constant in modern data center evolution is the quest for higher levels of agility and service efficiency. This march forward is not without peril, as security often ends up being an afterthought. The operational dexterity achieved through the ability to rapidly deploy new applications overtakes the ability of traditional networking and security controls to maintain an acceptable security posture for those application workloads. That is in addition to a fundamental problem of traditionally structured security not working adequately in more conventional and static data centers.

Without a flexible approach to risk management, which adapts to the onset of new technology paradigms, security silos using disparate approaches are created. These silos act as control islands, making it difficult to apply risk-focused predictability into your corporate security posture, causing unforeseen risks to be realized. These actualized risks cause an organization’s attack surface to grow as the adoption of new compute Continue reading

Useful Utilities

Troubleshooting and managing a network is much easier when you have the proper tools. Anybody who has been in the IT world for a time likely has a stash of small, portable, and often free programs they use to help in this area. Here is a list of my most-used utilities. To skip the descriptions […]

The post Useful Utilities appeared first on Packet Pushers.