Millions of embedded devices use the same hard-coded SSH and TLS private keys

Thousands of routers, modems, IP cameras, VoIP phones and other embedded devices share the same hard-coded SSH (Secure Shell) host keys or HTTPS (HTTP Secure) server certificates, a study found.By extracting those keys, hackers can potentially launch man-in-the-middle attacks to intercept and decrypt traffic between users and millions of devices.Researchers from security firm SEC Consult analyzed firmware images for over 4,000 models of embedded devices from more than 70 manufacturers. In them they found over 580 unique private keys for SSH and HTTPS, many of them shared between multiple devices from the same vendor or even from different ones.To read this article in full or to leave a comment, please click here

Another Year of Thankfulness

By the time you read this, I’ll be down at Oak Island on the North Carolina Coast, where my wife will be getting the turkey ready, and making a white chocolate cheesecake. No, I won’t tell you the address, but I will tell you this.

I’m thankful for this year.

I’m thankful for my family. For my wife and kids who put up with me and my insane schedule.

I’m thankful for my friends (I would list them all, but I’d probably forget someone, which would hurt feelings; it just doesn’t seem right to hurt anyone’s feelings today). Across the years, I’ve been taught so much about networking and engineering in the last 20+ years, from working on RADAR systems to large scale data centers. I’ve been given so many opportunities to write and speak, and been shown how to be just a better person.

I’m thankful that God has opened a door into a top notch PhD program, the support structure every PhD student needs to succeed, and two great mentors (more than anyone could ask for).

I know it’s not Thanksgiving in every country in the world. But there’s never a bad day to give thanks for what Continue reading

Thank you for your trust!

Wow, another year swooshed by. I can’t believe it’s almost gone. Maybe it’s all the travels I had throughout the year, and I MUST start with a huge THANK YOU to whoever is watching after me – there wasn’t a single major SNAFU.

Next, I’d like to thank the people who caused all that travel: attendees of my workshops.

Read more ...

Risky Business #391 — Dell fails hard

On this week's show we're chatting with Darren Kemp of Duo Security. He's one of the authors of a post about the latest example of computer manufacturer shitware introducing catastrophic vulnerabilities into shipped systems. This time it's Dell's turn.

If you haven't heard what they actually did you'll hardly even believe it. That's this week's feature interview.

read more

Microsoft beefs up security products to block adware

Microsoft is adding a new opt-in defense for enterprises to block adware, which is often sneakily wrapped into free downloads.Adware is often classified as a potentially unwanted application, or PUA, an industry term for applications that aren't necessarily malware but could be a security or performance risk."These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time cleaning up the applications," according to a Microsoft blog post.To read this article in full or to leave a comment, please click here

Dridex spam campaigns target the US, UK and France

The Dridex botnet, which targets financial credentials, appears to be gaining steam again, striking computers in the U.S., U.K. and France.Trend Micro is the latest security vendor to say it is seeing Dridex activity after the U.S. Department of Justice said last month it had significantly disrupted it in a joint action with the U.K. Sometimes referred to as Cridex or Bugat, Dridex is advanced malware that collects financial login details and other personal information that can be used to drain bank accounts.Trend has seen multiple spam campaigns sending out malicious attachments, such as Excel or Word documents, that could install Dridex, wrote Ryan Flores, a threat research manager.To read this article in full or to leave a comment, please click here

Networking Field Day 10 – Big Switch

Last night I finally finished watching all of the Big Switch Networking field day 10 videos.  If you haven’t seen them yet, I’d recommend taking a look out at them out on YouTube…

Big Switch Networks – Overview

Big Switch Networks – Why SDN Fabrics?

Big Switch Networks – Big Cloud Fabrics

Big Switch Networks – Big Cloud Fabric GUI demo

Big Switch Networks – Big Cloud Fabric for VMWare

Big Switch Networks – Monitoring Fabric

All of the presentations were awesome and well worth your time especially if you’re new to their products. 

If you haven’t looked at Big Switch before, their name sort of says it all.  Their base concept is disaggregating a standard chassis switch into individual components.  The breakdown would look something like this…

image 
As you can see, each component of a standard data center chassis switch has a similar component in the Big Cloud Fabric.  Leaf switches are the new line cards, spine switches the fabric modules or backplane, and the Big Cloud controller is the supervisor. Big switch then uses a standard IP management network to connect all of their components together.  This isn’t a very big Continue reading

Lenovo patches serious vulnerabilities in PC system update tool

For the third time in less than six months security issues have forced Lenovo to update one of the tools preloaded on its PCs.Last week, the company released version 5.07.0019 of Lenovo System Update, a tool that helps users keep their computers' drivers and BIOS up to date and which was previously called ThinkVantage System Update. The new version fixes two local privilege escalation vulnerabilities discovered by researchers from security firm IOActive.One of the vulnerabilities is located in the tool's help system and allows users with limited Windows accounts to start an instance of Internet Explorer with administrator privileges by clicking on URLs in help pages. That's because Lenovo System Update itself runs under a temporary administrator account that the application creates when installed, so any process it spawns will run under the same account.To read this article in full or to leave a comment, please click here

SAFECode: How to ensure you’re buying safe software

It’s hard to figure out how secure software is but the Software Assurance Forum for Excellence in Code (SAFECode) has issued guidelines to make it easier, especially for businesses trying to decide which products to buy.The industry group published a white paper, “Principles for Software Assurance Assessment”, that recommends questions corporate software buyers should ask their suppliers beforehand so they wind up with products less likely to be riddled with security flaws.One of the big problems these buyers may face is that they don’t know the relevant questions to ask, says Eric Baize, SAFECode chairman and Senior Director, Product Security and Trusted Engineering for EMC.To read this article in full or to leave a comment, please click here

Criminalize websites that refuse to delete terrorist content, say MEPs

Companies that host or operate websites should be held criminally liable if they fail to remove content that incites terrorism, members of the European Parliament voted Wednesday. But they also want these companies to voluntarily cooperate with governments to promote "anti-radicalization messages."MEPs voted on a report written by former French Minister of Justice Rachida Dati for Parliament's Civil Liberies, Justice and Home Affairs Committee (LIBE), which included a chapter on preventing online terrorist radicalization.While it might look like a knee-jerk reaction to the terrorist attacks in and around Paris on Nov. 13, the report is actually -- as Dati herself explained -- a response to the attack on the office of satirical magazine Charlie Hebdo in January.To read this article in full or to leave a comment, please click here

Ethernet Checksums Are Not Good Enough for Storage (Updated)

A while ago I described why some storage vendors require end-to-end layer-2 connectivity for iSCSI replication.

TL&DR version: they were too lazy to implement iSCSI checksums and rely on Ethernet checksums because TCP/IP checksums are not good enough.

It turns out even Ethernet checksums fail every now and then.

2015-12-06: I misunderstood the main technical argument in Evan’s post. The real problem is that switches recalculate CRC, so the Ethernet CRC is no longer end-to-end protection mechanism.

Read more ...

After a lapse, Intel looks to catch up with Moore’s Law again

For Intel, the temporary inability to keep pace with Moore's Law -- the foundation of its business -- was a bit of an embarrassment, but the company is trying hard to catch up.Moore's Law is an observation that has led to faster, cheaper and smaller computers, and a concept that Intel has followed for decades. It states that the density of transistors doubles every two years, while cost per transistor declines.Until recently, the company released chips every two years like clockwork. But making smaller chips is becoming challenging and more expensive, said Bill Holt, executive vice president and general manager for Intel's Technology and Manufacturing Group, during the company's annual investor day last week.To read this article in full or to leave a comment, please click here

1 3,166 3,167 3,168 3,169 3,170 3,773