Joomla releases patch for serious SQLi flaw

Joomla, a popular content management system, released patches on Thursday for a vulnerability that can allow an attacker to gain full administrative access to a website. Joomla versions 3.2 through 3.4.4 are vulnerable; the fixed release is 3.4.5. The SQL injection flaw was found by Asaf Orpani, a researcher with Trustwave's SpiderLabs, and Netanel Rubin of PerimeterX. SQL injection occurs when untrusted input is built into a database query in a way that lets part of that input be parsed as SQL, so the backend database executes a query the application never intended. It remains one of the most prevalent vulnerability classes in web applications. To read this article in full or to leave a comment, please click here
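To make the injection mechanism concrete, here is an added example (not Joomla's code, and not the vulnerability the researchers found, whose details the summary above does not give). It uses a constructed in-memory SQLite table with hypothetical user rows, shows a lookup that pastes request input into the SQL string beside the same lookup with a bound parameter, and adds the caveat practitioners forget: parameters bind values only, so an identifier such as an ORDER BY column taken from the request still needs an allowlist.

```python
import sqlite3

# Constructed sample data, not Joomla's schema: a tiny users table standing in for a CMS.
SAMPLE_USERS = [
    ("admin", "hash_of_admin_pw", 1),
    ("editor", "hash_of_editor_pw", 0),
    ("guest", "hash_of_guest_pw", 0),
]


def make_db():
    """Build the in-memory table the examples below query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def find_user_vulnerable(conn, username):
    # Vulnerable pattern (hypothetical): request input is pasted straight into the
    # SQL string, so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT id, username, is_admin FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Fixed pattern: the value travels as a bound parameter and is never parsed as SQL,
    # so the same payload simply matches no username.
    sql = "SELECT id, username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Identifiers cannot be bound as parameters; the only safe source is a fixed set.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def list_users_sorted(conn, sort_column):
    # A column name from the request is checked against the allowlist before it is
    # interpolated; anything else is rejected rather than escaped.
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % sort_column)
    sql = "SELECT username FROM users ORDER BY %s" % sort_column
    return [row[0] for row in conn.execute(sql).fetchall()]


# Constructed attacker input: closes the string literal, appends a UNION whose column
# count matches the original SELECT so it can pull the admin password hash, and uses
# "--" to comment out the application's trailing quote.
UNION_PAYLOAD = (
    "x' UNION SELECT id, password_hash, is_admin FROM users WHERE is_admin = 1 --"
)


def demo():
    """Run the same payload through both lookups and return what each gives back."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, UNION_PAYLOAD),
        "safe": find_user_safe(conn, UNION_PAYLOAD),
        "sorted": list_users_sorted(conn, "username"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running it shows the concatenated query handing back the admin row's password hash where the parameterized query returns nothing, which is the difference between a harmless lookup and the kind of full administrative takeover the summary describes.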

MacKeeper buyers ask for refunds in droves following lawsuit

Tens of thousands of people who bought MacKeeper have filed for refunds as part of a proposed class-action settlement against the application's former developer. The number of refund requests has far exceeded what is typical in these types of lawsuits, surprising even experienced class-action lawyers. The unfortunate side effect of the robust response is that those who have applied will probably get a smaller refund. The class-action suit was filed in May 2014 on behalf of Pennsylvania resident Holly Yencha, who contended that MacKeeper falsely flagged security and performance problems in order to coax consumers into paying US$39.95 for the full version.

When it comes to spam, IBM’s SoftLayer is the host with the most

IBM may be the fastest-growing vendor in the worldwide security software market, but it is also the owner of the world's largest source of spam. That is according to a Wednesday report by security expert Brian Krebs, who called out the company's SoftLayer subsidiary for being "the Internet's most spam-friendly" service provider. SoftLayer currently holds the top position on antispam nonprofit Spamhaus.org's list of the world's worst spam support ISPs, which Spamhaus defines as the ISPs with the worst abuse departments and "consequently the worst reputations for knowingly hosting spam operations."

Chase’s tweet backing PIN credit cards was a mistake, bank says

JP Morgan Chase Bank tweeted in error that its chip credit cards would be getting PIN security, a bank spokesman confirmed Thursday. The tweet, posted mid-day on Wednesday by @ChaseSupport, said: "Your security is our priority! We're planning to add Chip and PIN to our credit cards in the near future." "That tweet was sent in error yesterday," said JP Morgan Chase Bank spokesman Paul Hartwick in an email to Computerworld. "At this time we do not have current plans to offer chip-and-PIN credit cards." The bank, one of the nation's largest card issuers, has already distributed 64 million of the newer, more secure chip cards, he said. Of those, 51 million are credit cards and 13 million are debit cards. The vast majority are on Visa's network and some are on MasterCard's.

Tech support scammers put Mac owners in crosshairs

Technical support scammers have begun targeting Mac owners, a security researcher said today, adding them to the much larger pool of potential victims running Windows; the move is notable because Apple's operating system has been relatively untouched by malware. "These scams aren't being done with cold calls, but by aggressive malvertising," said Jerome Segura, a senior security researcher with San Jose, Calif.-based Malwarebytes. In some cases, Segura said, legitimate online ad networks are being abused by criminals. Mac owners who browse to what Segura called "lower-quality websites" may encounter attack code or scripts that hijack the browser to display scary, but bogus, warnings that their machine is at risk, then offer a telephone number to call for technical assistance.

Are wearables worth the cybersecurity risk in the enterprise?

The Internet of Things and wearable technology are becoming more integrated into our everyday lives. If you haven't already, now is the time to begin planning for their security implications in the enterprise. According to research firm IHS Technology, more than 200 million wearables will be in use by 2018. That's 200 million more chances of a security issue within your organization. If that number doesn't startle you, Gartner further predicts that 30% of these devices will be invisible to the eye. Devices like smart contact lenses and smart jewelry will be making their way into your workplace. Will you be ready to keep them secure even if you can't see them?

HP just dropped out of the public cloud – now what?

While HP's announcement that it will shutter its Helion Public Cloud early next year didn't surprise those who watch the market closely, the move does raise questions about what's next for HP and other cloud vendors. HP plans to focus on two major areas: bringing efficiencies to customers' on-premises environments, and arming its partners with HP hardware and software to build out hosted clouds. Analysts say HP is the latest example of a legacy IT vendor that has had to adjust its cloud ambitions in light of how dominant Infrastructure-as-a-Service players Amazon Web Services and Microsoft have become. The consolation prize is that there's still plenty of opportunity left in the private, managed and hybrid cloud markets.

Pressure grows to eradicate vile tech support scam

Despite aggressive law enforcement and Federal Trade Commission actions to battle it, the scourge known as the "Tech Support Scam" is growing, with older individuals a rising target. The tech support scam basically involves tricking people into believing their computer has problems, and then charging them hundreds of dollars for unnecessary, worthless, and in some cases destructive applications such as malware, spyware, adware, keystroke loggers, and other harmful software.

Car hacking is as fake as the moon landing

[Image caption: How can the flag stay up? There's no wind on the moon!! #fake]
David Pogue at the Scientific American has an article claiming that hacking cars is "nearly impossible" and "hypothetical", using the same sorts of arguments crazies use trying to prove the moon landing was faked.

Of course, "hacking a car" probably doesn't happen as the public imagines. Delving into the details, you'll find things you didn't expect. It's like the stars in pictures from the moon landing. Because of contrast issues with the bright foreground, the dim stars disappear. This has led to crazies saying the lack of stars is proof that the moon landings were faked, because they don't understand this technical issue. Similarly, Pogue claims car hacking is fake because the technical details don't match his ignorant prejudices.

Pogue's craziest claim is that the Jeep hack is fake because Jeep fixed the issue: nobody, he says, can hack a Jeep the way the researchers claim. But that's because the researchers proved to Jeep that it was possible, and gave Jeep time to fix the problem. It's like claiming the 9/11 terrorist attacks are purely hypothetical, because the Twin Towers of the World Trade Center no longer exist.


7 big threats to innovation and how to overcome them

Innovation is the cornerstone of a successful business, so why is it so elusive to many companies? To determine the biggest roadblocks, consulting firm Imaginatik conducted a study of 200 professionals for its "State of Global Innovation" report. 35 percent of those surveyed were senior management, board members or C-suite executives, and 76 percent of respondents' organizations had 1,000 employees or more. The results offer insight into what makes innovation stall at large companies. There's little doubt that business leaders see the value of innovation: 95 percent of respondents say it's important enough to be a priority for C-level executives. However, while nearly every professional agreed that innovation was key, 44 percent reported that their business invested less than 2 percent of its annual operating budget in innovation, and 63 percent said their company didn't have a formal innovation-management structure in place.

Technology Short Take #55

Welcome to Technology Short Take #55! Here’s hoping I’ve managed to find something of value and interest to you in this latest collection of links and articles from around the web on networking, storage, virtualization, security, and other data center-related technologies. Enjoy!

Networking

  • I recently came across Kuryr, an OpenStack project aimed at connecting Docker’s libnetwork efforts to OpenStack Neutron. The end result, as I understand it, would be to allow any Neutron plugin to be able to provide container networking functionality to Docker via libnetwork. This makes sense to me, although I think that network virtualization products are still going to need to integrate directly with libnetwork so that they can be used in environments outside of OpenStack. If you’re interested in getting more information on Kuryr, check out Gal Sagie’s post here or read this follow-up post on using Kuryr and OVN (Open Virtual Network) together.
  • Drew Conry-Murray has a post up on the Packet Pushers blog talking about the benefits and challenges of a single OS; specifically, the benefits and challenges pertaining to Arista and EOS. Lots of companies like to tout the "single OS" banner, but there can be value in having specialized OSes custom-built

Red Hat and the Ansible Community


Now that Ansible is a part of Red Hat, some people may wonder about the future of the Ansible project. Specifically, a few people have expressed concerns that Ansible may become more Red Hat-centric at the expense of other platforms or open source projects.  Here is the good news: the Ansible community strategy has not changed.

As always, we want to make it as easy as possible to work with any projects and communities who want to work with Ansible. Now that we have the resources of Red Hat behind us, we plan to accelerate these efforts. We want to do more integrations with more open source communities and more technologies.

One of the reasons that Red Hat purchased Ansible in the first place was because Red Hat understands the importance of a broad and diverse community. Google "Ansible plus <open source project>" for nearly any project and you will find Ansible playbooks and modules and blog posts and videos and slide decks and all kinds of other information, all intended to make working with that project easier. We have thousands of people attending Ansible meetups and events all over the world. We have millions of users. We

Appformix and Ansible: Product Deployments Made Simple

We began by searching for an orchestration and configuration management tool for our test lab, and we ended up with Ansible playbooks that we ship with our product.

Automation is a key tenet of our engineering team at AppFormix. Repetitive tasks are automated, such as those surrounding continuous integration, host configuration, maintenance, and backups. This saves time and allows us to document a task, which in turn enables others to understand, contribute, and use the automation. Our engineers spend their time creating our product that provides infrastructure performance optimization for cloud-based datacenters, leaving the mundane work to computers.

We began our automation with Python and Bourne shell scripts, since we were familiar with these languages. Such scripts worked great for a set of steps to perform on a single host, but become very complex when managing several hosts (like in a cloud). We used ssh, scp, and Fabric, but found it challenging to maintain configuration about every host and handle errors robustly.

As our engineering team and deployments grew in size, we needed a sustainable tool to configure our testbeds and deploy our software. We chose Ansible for a number of reasons, including: