Microsemi builds better security into network time appliance

Keeping accurate time has never been more important. Inaccurate time can cause servers and applications to go awry, causing service disruptions.For example: As fighter Manny Pacquiao was ready to square off against Floyd Mayweather in May 2015, the fight was delayed due to a technical problem with pay-per-view orders. More than 4.4 million U.S. customers shelled out $100 to watch the fight but had trouble accessing it. The fight was delayed 45 minutes. It turns out the trouble was a problem with time. A time server was so far out of sync that people were disqualified from watching the fight because of a discrepancy with the time stamps.To read this article in full or to leave a comment, please click here

Rovnix malware shifts focus to Japan, says IBM

After a stint focusing on the Netherlands, a group using the Rovnix Trojan has updated it and repackaged it to steal from the bank accounts of victims in Japan, according to IBM X-Force.The malware in this exploit, which has persisted in various forms for about five years, has been augmented to avoid being detected, dodge bank security and convincingly mimic bank websites, says Etay Maor, a senior cybersecurity strategist for IBM.It’s pretty clear from the malware samples IBM X-Force has examined that the Rovnix group in question studied Japanese banks closely and came up with a user interface that closely mimics those of specific banking sites. It’s not just a generic key-logger that steals information and hopes for the best, Maor says.To read this article in full or to leave a comment, please click here

Are Unnumbered Interfaces Harmful?

A few weeks ago I got into an interesting discussion about the potential harm caused by unnumbered IPv4/IPv6 interfaces.

Ignoring for the moment the vendor-specific or media-specific implementation details, these two arguments usually pop up in the first 100 milliseconds (assuming engineers involved in the discussion have some hands-on operational experience):

Read more ...

Mozilla Persona login system to shut down end November

Mozilla's login system Persona will be shut down on Nov. 30 as its usage is low and has not grown over the last two years.The foundation's decision to take persona.org and related domains offline follows a move in March 2014 to transition the running of the project from full-time developers to a community of long-time volunteers and former paid contributors.Mozilla said at the time that it had no plans to decommission the little-known service, which allowed users to sign in to websites that support Persona using their verified email ids.  The key attraction of the service, according to Mozilla, was that users didn't have to trust a website with their password, preventing its theft if one of the websites got hacked.To read this article in full or to leave a comment, please click here

Powerball lessons for infosec

"Powerball" is a 44-state lottery whose prize now exceeds $1 billion, so there is much attention on it. I thought I'd draw some lessons for infosec.

The odds of a ticket winning the top prize is 1 in 292-million. However, last week 440-million tickets were purchased. Why did nobody win?

Because most people choose their own numbers. Humans choose numbers that are meaningful and lucky to them, such as birthdays, while avoiding meaningless or unlucky numbers, like 13. such numbers clump. Thus, while theory tells us there should've been at least one winner if everyone chose their number randomly, in practice a large percentage of possible numbers go unchosen. (Letting the computer choose random numbers doesn't increase your odds of winning, but does decrease the odds of having to sharing the prize).

The same applies to passwords. The reason we can crack passwords, even the tough ones using salted hashes, is because we rely upon the fact that humans choose passwords themselves. This makes password guessing a tractable human problem, rather than an intractable mathematical problem.

The average adult in lottery states spends $300 a year on the lottery. The amount spent on lotteries is more than sports, movies, music, Continue reading

Trend Micro flaw could have allowed attacker to steal all passwords

A discovery by a well-known Google security researcher provides further proof how antivirus programs designed to shield computers from attacks can sometimes provide a doorway for hackers. Tavis Ormandy, an information security engineer with Google, wrote he found bugs in Trend Micro's antivirus product that could allow remote code execution by any website and steal all of a users' passwords. The security firm has confirmed it has released an automatic update that fixes the problems. "As part of our standard vulnerability response process we worked with him to identify and address the vulnerability," wrote Christopher Budd, global threat communications manager at Trend Micro, in an email on Monday. "Customers are now getting protections through automatic updates."To read this article in full or to leave a comment, please click here

2015 in review and 2016 goals

Last year I started writing down my goals for each year.  My thought was that writing them down would be more meaningful than just thinking “I should try and do X this year”.  So I want to take a quick look at how I did and talk about 2016 as well. 

2015 Goals

Run a marathon
I signed up for, and attempted to run, the Twin Cities Marathon this fall.  I knew going into it that I wouldn’t run the whole thing.  My training schedule fell apart after the first month.  While I could list all of the reasons why (Our 2nd kid was on the way, work was crazy, etc) there really are no excuses.  In the month before the marathon I seriously picked up training again but it wasn’t enough.  My new goal became to run half which I was able to do and I considered it a huge win for me.  Having never run a race that big, I was a little hesitant about it but the experience was AWESOME and I’m definitely keeping this one on the goal list for 2016.

Start work on finishing my basement
Continue reading

Should the US change metal coins?

It may be time for the United States to rethink how the smallest parts of its monetary system -- the penny, nickel and dime – are made.According to a report this week from watchdogs at the Government Accountability Office, since 2006 the prices of metals used in coins have risen so much that the total production unit costs of the penny and nickel exceed their face value resulting in financial losses to the U.S. Mint. In fact such a change could potentially save between $8 million and $39 million per year by changing the metal composition of the nickel, dime, and quarter.+More on Network World: 20 years ago: Hot sci/tech images from 1995+To read this article in full or to leave a comment, please click here

Should the US change metal coins?

It may be time for the United States to rethink how the smallest parts of its monetary system -- the penny, nickel and dime – are made.According to a report this week from watchdogs at the Government Accountability Office, since 2006 the prices of metals used in coins have risen so much that the total production unit costs of the penny and nickel exceed their face value resulting in financial losses to the U.S. Mint. In fact such a change could potentially save between $8 million and $39 million per year by changing the metal composition of the nickel, dime, and quarter.+More on Network World: 20 years ago: Hot sci/tech images from 1995+To read this article in full or to leave a comment, please click here

CES 2016 takeaways: IoT could be the death of your security

For the most part, the CES 2016 show was largely a yawner—maturation rather than innovation. Yes, there was a lot of interesting stuff outside of IT gear—and the IT gear could be as fun as a 200-node Raspberry Pi cluster running hadoop or wicked-fast IEEE 802.11ac wireless hubs that do endless if secure tricks.The damage, the damnation, the truculent total churl of the event was this: all of the new Interent of Thingies/IoT/KewlGear has no cohesive security strategy. It's a mosh pit of certificates, easy-auth, Oh! Let's Connect Our Gear Together! (add breathy sigh!) meaninglessness.Let's now take this in the curmudgeonly risk-averse cloud space, bit by bit:To read this article in full or to leave a comment, please click here

How Forbes inadvertently proved the anti-malware value of ad blockers

A few months back I postulated that Adblock Plus and other ad blocking software could act as protection against malware because they kept embedded malware in web pages from ever loading in your browser. Now, Forbes has proven me right.Forbes has taken an aggressive line against ad blockers. When it detects one running on your system, it denies you access to the content until you turn off the ad blocker. Needless to say, this hasn't gone over very well with some people.Forbes included a prominent security research in an article called "The Forbes 30 Under 30," which drew a number of other security researchers to check out the article. After disabling Adblock Plus, they were immediately served with pop-under malware. Security researcher Brian Baskin was the first to tweet about it and included a screen grab of the pop-under.To read this article in full or to leave a comment, please click here

IS-IS vs. OSPF Part II:  Small steps make steady progress

IS-IS Subnetwork Independent Operation

Continuing our journey through the land of IS-IS and hoping to reach the point where we get to understand how it actually works and the differences between it and OSPF, let’s focus today on how IS-IS is configured and why it uses both Levels and Areas.

So far, we’ve got some things cleared, as to where that odd node addressing scheme for the routers comes from, what is CLNS and CLNP and a few words on the hierarchy that IS-IS employs. To further things out, let’s go a bit deeper into the structure of the protocol itself.

The thing with IS-IS is that is Network layer independent, though the first thing we tend to do when configuring it is jump to the IP addressing. Consequently, today we’ll see how the OSI IS-IS works without configuring a single IP address, and then if we get to understand this, we can move on to the Integrated IS-IS operation

From a really high level, IS-IS operates as follows:

  • Routers running IS-IS will send hello packets out all IS-IS-enabled interfaces to discover neighbors and establish adjacencies.
  • Routers sharing a common data link will become IS-IS neighbors if their hello packets Continue reading
1 3,186 3,187 3,188 3,189 3,190 3,840