Critical flaws in ImageMagick library expose websites to hacking

A tool used by millions of websites to process images has several critical vulnerabilities that could allow attackers to compromise Web servers. To make things worse, there's no official patch yet and exploits are already available. The vulnerabilities were discovered by Nikolay Ermishkin from the Mail.Ru security team and were reported to the ImageMagick developers, who attempted a fix in version 6.9.3-9, released on April 30. However, the fix is incomplete and the vulnerabilities can still be exploited. Furthermore, there is evidence that people aside from security researchers and ImageMagick developers know about the flaws, which is why their existence was publicly disclosed Tuesday. The flaws can be exploited by uploading specially crafted images to Web applications that rely on ImageMagick to process them.

Yet Another Padding Oracle in OpenSSL CBC Ciphersuites

Yesterday a new vulnerability was announced in OpenSSL/LibreSSL. A padding oracle in CBC mode decryption, to be precise. Just like Lucky13. Actually, it's in the code that fixes Lucky13.

It was found by Juraj Somorovsky using a tool he developed called TLS-Attacker. Like in the "old days", it has no name except CVE-2016-2107. (I call it LuckyNegative20.)

It’s a wonderful example of a padding oracle in constant time code, so we’ll dive deep into it. But first, two quick background paragraphs. If you already know all about Lucky13 and how it's mitigated in OpenSSL jump to "Off by 20" for the hot and new.

If, before reading, you want to check that your server is safe, you can do it with this one-click online test.

TLS, CBC, and Mac-then-Encrypt

Very long story short, the CBC cipher suites in TLS have a design flaw: they first compute the HMAC of the plaintext, then encrypt plaintext || HMAC || padding || padding length using CBC mode. The receiving end is then left with the uncomfortable task of decrypting the message and checking HMAC and padding without revealing the padding length in any way. If they do, we call

iPaaS: What this cloud technology is and why it’s important

GameStop operates more than 4,000 stores in the U.S. and another 2,000 abroad. Between paying monthly rent, managing leases and searching for new properties, there's a lot to keep track of for the company's commercial real estate team. A few years ago GameStop began using a real estate management software as a service (SaaS), but Vice President of Enterprise Architecture Mark Patton says there was a problem. The software needed data from many of GameStop's other business apps: ERP systems, financial platforms, etc. "We needed a way to glue these things together," he says. "You need to be able to get data into and out of apps quickly." Traditionally, the answer to this problem has been to use integration software on premises. In recent years a market has emerged in the cloud called integration Platform as a Service, or iPaaS, which offers a hosted integration platform that can be a central cloud for connecting many apps and cloud services together. Gartner estimates it could be a $1 billion industry in a few years.

IDG Contributor Network: How much will you trust your robot?

Robots will be managed and run by humans, at least to begin with, according to an automation expert. And if you're the one controlling them, it raises questions such as how you are going to get along with these contraptions. It also prompts concerns such as how one stops the machine from misunderstanding, says Thomas B. Sheridan, a professor at the Massachusetts Institute of Technology who studies humans and automation. Researchers need to become more active in addressing these kinds of questions rather than skimming over potential challenges, says Sheridan. He's been reading up on the scientific consensus on the subject and says his peers aren't doing enough research.

On Star Wars Day, Japan’s ANA gives new flight to franchise’s iconic theme song

Star Wars Day (May 4th) brings out the creative sides of those who love the cinematic series and of marketers who recognize a viral opportunity when they see one. Today, Japan's ANA (All Nippon Airways) joins the fun with an innovative rendition of the classic opening theme song. A site called Luxury Launches (new to me) offers this description: As seen in the video below it is a very thoughtful and beautiful compilation of sights and sounds which includes take-offs, printing of the boarding pass, luggage on the conveyor belt, engines coming to life, air hostesses on the moving walkway and more of the typical activities you and I face and see on a flight. There is also a guest appearance by the newest member of the franchise, the BB-8 robot. The video is shot across 10 locations which include Tokyo's Narita airport, maintenance centers, hangars and training facilities of ANA.

4 IT companies allowed to use commercial drones

The Federal Aviation Administration has granted approval for more than 5,000 so-called Section 333 exemptions to operate commercial drones over the past year, and among those getting the go-ahead are familiar names in the enterprise IT and networking market. Apple, Microsoft, Motorola Solutions and Qualcomm are among those tech vendors we found in the approved petitions database, with stated operations/missions for commercial drones -- also known as unmanned aircraft systems (UAS) or unmanned aerial vehicles (UAV) -- that include photography/videography, aerial mapping/surveying, research and development, and security.

Infographic: Commercial drones by the numbers

Here are the latest numbers on commercial drones, including FAA Section 333 exemptions and venture funding. Thanks to CB Insights for its data. MORE: Coolest drone projects from big enterprise IT players | Commercial drones gaining altitude with enterprise IT vendors | Meet Cisco's go-to guy on commercial drones

Meet Cisco’s go-to guy on commercial drones

Cisco's Biren Gandhi hasn't played around with drones as much as he'd like to, but it looks as though he's going to have lots of chances to do so given the company's growing interest in these high-flying Internet of Things devices. Cisco increasingly has made its presence felt within the commercial drone/unmanned aerial vehicle (UAV)/unmanned aircraft system (UAS) community, with Gandhi and others speaking at and attending industry conferences such as InterDrone (see video below) and NASA events. The company is also working with startups, carriers and others making up the burgeoning commercial drone ecosystem, and of course has been pushing hard into the broader Internet of Everything, such as through its $1.4B purchase of Jasper Technologies. Gandhi, a distinguished engineer & strategist within Cisco's Corporate Strategic Innovation Group who early in his career worked as an R&D engineer at the Indian Space Research Organization, has also blogged about Cisco's beliefs about drones over the past year.

Coolest drone projects at big enterprise IT companies

High flying ideas: Drone-related projects by enterprise IT and networking vendors are all over the map, which isn't surprising since unmanned aerial vehicles (UAV) are so useful for flying from here to there. Here's a whirlwind tour of commercial drone-related projects discussed publicly by familiar enterprise IT and networking vendors. RELATED: Commercial drones gaining altitude with enterprise IT vendors

Commercial drones gaining altitude with top IT vendors

Google, Verizon and others are partnering with NASA on an Unmanned Aircraft System (UAS) traffic management scheme. Microsoft has been working with universities on drone-enabled mosquito traps in an effort to stall infectious diseases from spreading. Cisco has shown off drones whose cameras feed into the company's collaboration technologies. And AT&T, IBM and Intel have all demonstrated advanced drone-based research. All of this activity by enterprise IT vendors in the commercial drone field is a far cry from what was being done -- or at least being publicly discussed -- back in late 2014, when our efforts to get such vendors to share their ambitions largely went unheeded.

SDN is an Iteration that will Lead Innovations

I have stumbled upon a recent post from Greg Ferro on Etherealmind, titled SDN is not an innovation, it's an iteration. I actually wanted to share this post because it kind of puts things into perspective. The word innovate refers to creating something that is new and disruptive. Innovation needs to come …

The post SDN is an Iteration that will Lead Innovations appeared first on Networkers-online.com.

Vulns are sparse, code is dense

The question posed by Bruce Schneier is whether vulnerabilities are "sparse" or "dense". If they are sparse, then finding and fixing them will improve things. If they are "dense", then all this work put into finding/disclosing/fixing them is really doing nothing to improve things.

I propose a third option: vulns are sparse, but code is dense.

In other words, we can secure specific things, like OpenSSL and Chrome, by researching the heck out of them, finding vulns, and patching them. The vulns in those projects are sparse.

But, the amount of code out there is enormous, considering all software in the world. And it changes fast -- adding new vulns faster than our feeble efforts at disclosing/fixing them.

So measured across all software, no, the security community hasn't found any significant amount of bugs. But when looking at critical software, like OpenSSL and Chrome, I think we've made great strides forward.

More importantly, let's ignore the actual benefits/costs of fixing bugs for the moment. What all this effort has done is teach us about the nature of vulns. Critical software is written today in a vastly more secure manner than it was in the 1980s, 1990s, or even the

Software-Defined Security and VMware NSX Events

I’m presenting at two Data Center Interest Group Switzerland events organized by Gabi Gerber in Zurich in early June:

  • In the morning of June 7th we’ll talk about software-defined security, data center automation and open networking;
  • In the afternoon of the same day (so you can easily attend both events) we’ll talk about VMware NSX microsegmentation and real-life implementations.

I hope to see you in Zurich in a bit more than a month!

SharePoint is going mobile this year with a new app

SharePoint is going mobile in a big way. Microsoft announced a new app for its content management and collaboration platform on Tuesday, which will give workers a way to access content from their smartphones and tablets on the go. The app, called SharePoint Mobile, will be coming to iOS by the end of June, and is one of dozens of new features for the platform that Microsoft announced alongside the general availability of SharePoint Server 2016. Other capabilities include redesigned team sites that make it easier to see relevant files that people are working on and a hybrid search functionality that works across cloud and on-premises versions of SharePoint.

Building a VMware-Formatted Cumulus VX Vagrant Box

In this post, I’m going to walk you through the process I used to build a Vagrant box for Cumulus VX that will work with VMware desktop hypervisors (like VMware Fusion or VMware Workstation). Although Cumulus Networks offers several different versions of Cumulus VX to download, they do not (strangely enough) offer a Vagrant box that will work with VMware’s desktop hypervisors.

If you’re not familiar with Cumulus VX, it’s a virtual appliance version of Cumulus Linux. This allows you to test Cumulus Linux without needing compatible network hardware. This is really handy for testing configuration management tools against Cumulus Linux, for testing complex topologies before you implement them in production, or just for getting a feel for how Cumulus Linux works.

Naturally, this sounds like a perfect fit for Vagrant, so if you're interested, as I am/was, in running Cumulus VX with Vagrant using a VMware desktop hypervisor, then the process described below should get you all fixed up.

First, you'll want to get hold of the VMware version of Cumulus VX. Navigate over to the Cumulus VX download page (a free registration is required), and download the VMware version. This will download an OVA file. Don't