Don’t let DROWN get you down

drown-blogpost.jpg

If you’re maintaining services on the internet, you know about the importance of keeping up to date with security patches as they come available. Today is no exception with the release of  CVE-2016-0800, describing the ‘DROWN’ vulnerability in OpenSSL.

The key points of DROWN are that it can allow for passive decryption of encrypted traffic, via vulnerabilities in the obsolete SSLv2 protocol. Merely using SSLv2 for one service could cause the compromise the traffic of other services, even if they aren’t using SSLv2. More information can be found at http://www.drownattack.com/.

The Red Hat specific announcement can be found in the  Red Hat Knowledgebase.

Obviously, this is a big deal, but patching your systems for DROWN doesn’t have to be a big deal, thanks to Ansible.

Here’s a sample playbook for Red Hat/Fedora/CentOS and Debian/Ubuntu systems (link to source):

- hosts: all
  gather_facts: true
  sudo: true
  tasks:
	- name: update openssl from apt if available
  	  apt: name=openssl state=latest update_cache=yes
  	  when: ansible_os_family == 'Debian'
  	  notify: restart_system
  
	- name: update openssl from yum if available
  	  yum: name=openssl state=latest update_cache=yes
  	  when: ansible_os_family == 'RedHat'
  	  notify: restart_system

   Continue reading

Fibre Channel is still alive and kicking

In 1897 the great American author, Mark Twain was rumored to have stated, “the reports of my death are greatly exaggerated”. In the tech industry, Fibre Channel could make the same statement. It seems that for years, the death of Fibre Channel has been speculated, as Fibre Channel over Ethernet (FCoE) or even IP networks would be the death knell for the more traditional storage protocol.However, Fibre Channel is still alive and kicking. It’s certainly not the high growth market it once was but the market has maintained about a $2 billion run rate over the past few years. The big driver for the continued investment has been the rise of flash-based storage. The value proposition of flash is speed so it makes sense to deploy a storage network that is as fast as possible.To read this article in full or to leave a comment, please click here

Announcing Docker Cloud

Today we are proud to announce the immediate general availability of Docker Cloud. And we are excited to invite and welcome everyone of you to try it out. Docker Cloud is the name of the new cloud service by Docker … Continued

Staying afloat: the DROWN Attack and CloudFlare

CloudFlare customers are automatically protected against the recently disclosed DROWN Attack. We do not have SSLv2 enabled on our servers.

We publish our SSL configuration here so that others can use it. We currently accept TLS 1.0, 1.1 and 1.2.

We are proactively testing our customers' origin web servers to detect vulnerable servers and will be reaching out to any that have a server that is vulnerable to DROWN.

In the interim, ensure that SSLv2 is fully disabled and/or that private keys are not shared with servers that still need to have SSLv2.

Microsoft unveils Windows 10 feature to stymie advanced hack attacks

Microsoft wants to help protect companies from hack attacks, and it's introducing a new Windows 10 feature soon to improve the operating system's security capabilities.Windows Defender Advanced Threat Protection is aimed at helping businesses deal with serious threats by using machine learning to protect Windows 10 devices. The feature builds a profile of how a computer behaves, and then alerts IT managers if it starts acting in a way that's indicative of a security breach. If the system detects an attack, it will provide administrators with recommended steps to remediate it.That's supposed to help IT managers sleep a bit better at night when facing threats powered by undisclosed "zero-day" vulnerabilities, along with social engineering attacks that take advantage of users making mistakes.To read this article in full or to leave a comment, please click here

Hot security products at RSA 2016

bugBlast Next-gen AppSec PlatformKey features – bugBlast correlates results from vulnerability testing tools with real-time threat intel for a single view of an application’s security; can massively scale to test mega-apps for software, Web and mobile. More info.To read this article in full or to leave a comment, please click here

Does your Wave2 AP need NBase-T?

Cisco recently launched the 2800 and 3800 series 802.11ac wave-2 access points. The 3800 Datasheet quotes a theoretical maximum throughput of 5.2Gbps when operating in Dual 5GHz radio mode (2 x 2.6Gbps). If you ran two cables to your AP you could use the second ethernet port to create a 2 x 1Gbps LAG. However there is still some debate about whether 2Gbps of throughput is sufficient for a single-radio Wave2 AP.
Some companies may not be willing to invest the time and expense to swap out their copper for fiber or run yet more copper to their APs. The NBase-T standard 802.3bz provides an alternative approach, promising speeds of 2.5Gbps or 5Gbps over Cat5e cabling over 100 Meter runs.

Peter Jones from Cisco is the chair of the NBase-T alliance and presented to us in Tech field day on the new 802.3bz standard and the technology behind it. Cisco terminology for NBase-T-like functionality is ‘MultiGigabit Ethernet’. Currently the Cisco Catalyst 2k, 3K, and 4K switching line have specific models or line cards which support a number of combined UPoE/MultiGig ports. The reason for new hardware is that new digital signal processors (DSPs) are required to achieve the 2.5Gbps Continue reading

Simplifying Deployment of Packet Broker

In my last blog, I have discussed how a software defined visibility network could open up exciting applications for mobile operators. In this post, I would like to touch upon some typical operational challenges faced by implementation engineers and network operations staff when deploying and supporting network packet brokers. Operators often have a high-level understanding... Read more →

Kubernetes with SaltStack revisited

I thought it would be a good idea to revisit my last Kubernetes build in which I was using Salt to automate the deployment.  The setup worked well at the time, but much has changed with Kubernetes since I initially wrote those state files.  That being said, I wanted to update them to make sure they worked with Kubernetes 1.0 and above.  You can find my Salt config for this build over at Github…

https://github.com/jonlangemak/saltstackv2

A couple of quick notes before we walk through how to use the repo…

-While I used the last version of this repo as a starting point, I’ve stripped this down to basics (AKA – Some of the auxiliary pods aren’t here (yet)).  I’ll be adding to this constantly and I do intend to add a lot more functionality to the defined state files.
-All of the Kubernetes related communication is unsecured.  That is – it’s all over HTTP.  I already started work on adding an option to do SSL if you so choose. 

That being said, let’s jump right into how to use this.  My lab looks like this…

image 
Here we have 3 Continue reading

Surveillence outfit Hacking Team may have released a new piece of OS X malware

Security researchers have identified a new piece of OS X malware that may come from Hacking Team, the controversial Italian company that sells surveillance software to governments.The malware is a "dropper," which is used to plant other software onto a computer. In this case, it appears intended to install Hacking Team's Remote Control System (RCS)."The dropper is using more or less the same techniques as older Hacking Team RCS samples, and its code is more or less the same," wrote Pedro Vilaca, an OS X security expert with SentinelOne, on his blog.To read this article in full or to leave a comment, please click here

Understand MTU and MRU – The Full Story

MTU or Maximum transmission unit is a topic that pops up every once in a while in different discussions. Although it’s a simple concept, it causes a lot of confusion specially for those who are new to the field. MTU typically becomes an issue of concern during network changes, like adding new vendors equipment or […]
Related posts:
  1. The endless story of OSPF vs IS-IS – Part 4 “The Inside Out”
  2. The endless story of OSPF vs IS-IS – Part 3 “Packets and Database”
  3. OSPF RID Story
YARPP powered by AdBistro
Powered by

Gmail for Work gets improved digital loss protection features

Google has expanded the digital loss protection features in Gmail for Work, to help ensure that employees don't share confidential information outside the company they work for. The service can now use optical character recognition on attachments, so administrators can ensure that employees aren't sharing mounds of confidential data in images (whether intentionally or not). That adds to existing features such as the ability to look inside common attachment types, including documents and spreadsheets. The OCR capabilities integrate with content detectors, so administrators can do things like prevent members of the accounting department from sending an email with a credit card number in it to someone outside the organization. It's a key feature for businesses worried about confidential information leaving the company, even if employees don't mean to do anything wrong.To read this article in full or to leave a comment, please click here

1 3,080 3,081 3,082 3,083 3,084 3,805