NetworkingNexus.net

Underhanded C contest winner’s code fools nuke inspectors into destroying fake nukes

What if Alice and Bob represented countries that agreed to a nuclear disarmament treaty, but neither trusted the other enough to scan a warhead and observe the test results because the scans revealed sensitive information about their nuclear program? In the end, the countries agree to build a fissile material detector that would output only a “yes” or “no” as to if each country dismantled real warheads and not fakes.In essence, that was the scenario for the annual Underhanded C Contest which tasked programmers with solving “a simple data processing problem by writing innocent-looking C code, while covertly implementing a malicious function. This type of malicious program, in the real world, could let states take credit for disarmament without actually disarming.”To read this article in full or to leave a comment, please click here

Healthcare CIO: Legal issues are most difficult cloud migration challenge

Boston healthcare organization CIO and longtime technology standards leader John Halamka has been quite open over the years about his organization's technology efforts and challenges. Back in 2002 he shared his hospital's 3-day struggle with network slowdowns. Last Year, the Beth Israel Deaconess Medical Center CIO sounded the alarm that an FDA warning about a compromised medical device wouldn't be the last.To read this article in full or to leave a comment, please click here

CSO Online’s 2016 data breach blotter

Another day, another data breachImage by ThinkstockThere were 736 million records exposed in 2015 due to a record setting 3,930 data breaches. 2016 has only just started, and as the blotter shows, there are a number of incidents being reported in the public, proving that data protection is still one of the hardest tasks to master in InfoSec.To read this article in full or to leave a comment, please click here

How to build your Property Management System integration using Microservices

This is a guest post by Rafael Neves, Head of Enterprise Architecture at ALICE, a NY-based hospitality technology startup. While the domain is Property Management, it's also a good microservices intro.

In a fragmented world of hospitality systems, integration is a necessity. Your system will need to interact with different systems from different providers, each providing its own Application Program Interface (API). Not only that, but as you integrate with more hotel customers, the more instances you will need to connect and manage this connection. A Property Management System (PMS) is the core system of any hotel and integration is paramount as the industry moves to become more connected.

To provide software solutions in the hospitality industry, you will certainly need to establish a 2-way integration with the PMS providers. The challenge is building and managing these connections at scale, with multiple PMS instances across multiple hotels. There are several approaches you can leverage to implement these integrations. Here, I present one simple architectural design to building an integration foundation that will increase ROI as you grow. This approach is the use of microservices.

What are microservices?

IDG Contributor Network: Drugs, guns, and hitmen more common on dark web than religious extremism

What many of us likely suspected, but possibly hadn't gone to the trouble—or had the inclination—of finding out for ourselves is that the dark web is full of illegal and dubious stuff, researchers have found. The researchers, who have been studying and writing about encryption policy, sniffed around with a Tor browser and found 1,547 out of 5,205 total websites live on the dark web engaging in illegal activity. Those illicit destinations, uncovered in early 2015, covered subjects relating to illegal drugs, money laundering, and "illegitimate" pornography, the Kings College London scientists write in their Cryptopolitik and the Darknet paper abstracted in Survival: Global Policy and Strategy, a journal.To read this article in full or to leave a comment, please click here

SAP slaps patch on leaky factory software

SAP's February round of critical software updates includes one for SAP Manufacturing Integration and Intelligence (xMII) that may be of interest to hackers and spies. The software is widely used in manufacturing industry, where it connects factory-floor systems to business applications for performance monitoring -- but a flaw in it meant that restrictions on who could see what were not enforced. The patch for xMII fixes a directory traversal vulnerability, SAP reported Tuesday in security note 2230978. The vulnerability could have allowed attackers to access arbitrary files and directories on an SAP fileserver, including application source code, configuration and system files and other critical technical and business-related information, security researchers at ERPScan said Wednesday.To read this article in full or to leave a comment, please click here

Worth Reading: WAN Technology is Changing

For many of us, the price of WAN connectivity is the price. Rotary shopping the few providers available for a given location isn’t going to net much difference. We have been trained for decades to simply hold our noses, eat what’s put on the plate in front of us and pretend we like it. Hybrid WAN technologies are changing this.

The post Worth Reading: WAN Technology is Changing appeared first on 'net work.

Security ‘net 0x1339ED2: Security begins with you

I’m a couple of days late with this post for Data Privacy Day,, but not too late for Data Privacy Month (February). I wanted to highlight it anyway (and maybe I’ll put it on my calendar so I don’t forget next year). The point, of course (“you don’t need to have a point to have a point”) is that each and every one of us—that’s you and I, in case you’ve not gotten it yet—need to take security seriously. Security begins with you. To this end, the Cloud Security Alliance has a good post up on what you can do to improve data privacy.

Why are end users so mistake-prone? Because, frankly, most don’t care. They think data security is IT’s problem—that if IT does its “job” and filters out the threats, they have nothing to worry about. Moreover, when they do something stupid, they think it’s IT’s job to come to the rescue. They don’t understand the risks they create for the company or the fact that once rung they can’t unring the bell. So, they go on ignoring security policies and finding creative workarounds for security measures that inconvenience them—such as utilizing “shadow IT.”

Microsoft fixes 36 flaws in IE, Edge, Office, Windows, .NET Framework

Microsoft released its second batch of security updates for this year, addressing a total of 36 flaws in Internet Explorer, Edge, Office, Windows and .NET Framework.The patches are covered in 12 security bulletins, five of which are rated critical. There is also a thirteenth bulletin, also critical, for Flash Player. Although it's maintained by Adobe, Flash Player is included with Internet Explorer 11 and Edge, so Microsoft is distributing Adobe's patches through Windows Update.Researchers from security vendor Qualys believe that MS16-022, the Flash Player bulletin, should be at the top of users' priority list this month because it contains fixes for 22 critical vulnerabilities that could give attackers complete control over computers. Flash Player is a frequent target for attackers and can be exploited by simply visiting a malicious or compromised website.To read this article in full or to leave a comment, please click here

IBM’s X-Force team hacks into smart building

As buildings get smarter and increasingly connected to the Internet, they become a potential vector for attackers to target.IBM's X-Force ethical hacking team recently ran a penetration test against a group of office buildings using building automation systems that controlled sensors and thermostats.In this particular case, a building management company operated more than 20 buildings across the United States, as well as a central server.Without any social engineering, or online data gathering about employees, the team targeted one building."We did it old-school, just probing the firewall, finding a couple of flaws in the firmware," said Chris Poulin, research strategist for IBM's X-Force. "Once we had access to that, we had access to the management system of one building."To read this article in full or to leave a comment, please click here

Setting up a Windows 10 picture PIN

How cool is it to draw on a picture to log into your Windows 10 PC? It's a lot cooler than remembering a bunch of letters and numbers. Here's how to set it up.

Data Center Interconnect Design Considerations

Avoid problems by taking these factors into account when designing Layer 2 DCIs.

Identity thieves obtain 100,000 electronic filing PINs from IRS system

The Internal Revenue Service was the target of an attack that used stolen social security numbers and other taxpayer data to obtain PINs that can be used to file tax returns electronically.The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address.Attackers attempted to obtain E-file PINs corresponding to 464,000 unique SSNs using an automated bot, and did so successfully for 101,000 SSNs before the IRS blocked it.The personal taxpayer data used during the attack was not obtained from the IRS, but was stolen elsewhere, the agency said in a statement. The IRS is notifying affected taxpayers via mail and will monitor their accounts to protect them from tax-related identity theft.To read this article in full or to leave a comment, please click here

Dumping Core: Analytical Findings on Trojan.Corebot

Download the full report here. The Corebot banking trojan was initially discovered and documented last year by researchers at Security Intelligence. Since then, it has evolved rapidly and, in terms of capabilities such as browser-based web injections, it is now similar to the dominant banking malware such as Zeus, Neverquest, and Dyreza although its actual impact to date is […]

Dumping Core: Analytical Findings on Trojan.Corebo

Download the full report here.

The Corebot banking trojan was initially discovered and documented last year by researchers at Security Intelligence. Since then, it has evolved rapidly and, in terms of capabilities such as browser-based web injections, it is now similar to the dominant banking malware such as Zeus, Neverquest, and Dyreza although its actual impact to date is nowhere close.

ASERT has been studying and monitoring Corebot since shortly after it was initially documented and an in-depth analysis of Corebot’s inner workings are provided in this threat intelligence report, including coverage of its cryptography, network behavior, and banking targets.

The Big Bong Theory: Conjectures on a Korean Banking Trojan

Download the full report here. ASERT has been analyzing samples of a banking trojan targeting South Korean financial institutions. We call the banker “Big Bong” and provide, in this threat intelligence report, an in-depth behavioral analysis of the malware from builder to bot and from installation to exfiltration including obfuscation techniques, certificate use, and VPN-based […]

The Big Bong Theory: Conjectures on a Korean Banking Trojan

Download the full report here.

ASERT has been analyzing samples of a banking trojan targeting South Korean financial institutions. We call the banker “Big Bong” and provide, in this threat intelligence report, an in-depth behavioral analysis of the malware from builder to bot and from installation to exfiltration including obfuscation techniques, certificate use, and VPN-based network communications. A goal hypothesis is put forth – “The Big Bong Theory,” including some background on the South Korean banking infrastructure. This intelligence report will be of interest to security researchers, incident responders, and anyone interested in advanced malware analysis.

Stupid User Tricks: 8 Reasons You Gotta Love IT

Sometimes IT support means a whole lot more than troubleshooting hardware and software.

Retired IT specialist shares inside story of botched National Park Moose project

You might think that a niche conference on cabling design and installation held in Orlando in February would be a sleepy little affair, but I found just the opposite to be true. The table setter when I arrived was a humorous/informative look by Ekahau's Jussi Kiviniemi at designing Wi-Fi networks for high capacity. The presenter compared such network installation and design to that of setting up a bar, but also made pointed observations about the conference center’s own imperfect Wi-Fi installation history. The next presentation (“The Moose Project: What Went Wrong? An ICT Case Study from the National Park Service”) was as fiery a talk at a tech conference as I’ve ever heard. Recently retired National Park Service IT specialist Michael Thornton emphasized that he didn’t want to “bash anybody or point fingers” over what he described as a systemic problem with architectural, engineering and construction (AEC) projects, but at the same time he is urging fellow members of the information and communications technology field (ICT) to rise up and convince organizations that ICT pros need to be included in project plans from the start – or else risk botching those projects and wasting millions of dollars.To read this Continue reading

BGP or OSPF? Does Topology Visibility Matter?

One of the comments added to my Using BGP in Data Centers blog post said:

With symmetric fabric… does it make sense for a node to know every bit of fabric info or is reachability information sufficient?

Let’s ignore for the moment that large non-redundant layer-3 fabrics where BGP-in-Data-Center movement started don’t need more than endpoint reachability information, and focus on a bigger issue: is knowledge of network topology (as provided by OSPF and not by BGP) beneficial?