Keeping IT Up With The Joneses

 

Keeping-Up-With-The-Joneses

We’ve all been in that meeting. We’re learning the important facts about a company and their awesome technology. We think we’ve got a handle of the problem they’re solving and how we can apply it to our needs. And then…BAM! Our eyes are assaulted by a billboard full of company logos. We’re told how every one of these companies think that this product or solution is awesome. And because they think it’s awesome and bought it, you should think it’s awesome as well and buy it too.

Do As They Do

This particular exchange in a presentation has a term: the NASCAR slide. When I came up with the term years ago during a Tech Field Day presentation, I referred to the fact that the slide was covered by all of the logos of customers and sponsors, not unlike the side of a NASCAR race car or the coveralls worn by the drivers. It turned the presentation into a giant neon sign signaling all the companies that bought the solution.

Vendors love to tell you who their customers are. They love holding those solution bidding wins over their competitor’s heads and informing the populace that a company like Victoria’s Continue reading

The Juniper VPN backdoor: buggy code with a dose of shady NSA crypto

Security researchers and crypto experts have spent the last few days trying to figure out the details of a recently announced backdoor in Juniper NetScreen firewalls that could allow attackers to decrypt VPN (Virtual Private Network) traffic. They believe that they found the answer: a combination of likely malicious third-party modifications and Juniper's own crypto failures. According to experts, Juniper was using a known flawed random number generator called Dual_EC_DRBG as the foundation for cryptographic operations in NetScreen's ScreenOS, but believed it was doing so securely because of additional precautions it had taken. It turns out those safeguards were ineffective.To read this article in full or to leave a comment, please click here

Why it’s harder to forge a SHA-1 certificate than it is to find a SHA-1 collision

It’s well known that SHA-1 is no longer considered a secure cryptographic hash function. Researchers now believe that finding a hash collision (two values that result in the same value when SHA-1 is applied) is inevitable and likely to happen in a matter of months. This poses a potential threat to trust on the web, as many websites use certificates that are digitally signed with algorithms that rely on SHA-1. Luckily for everyone, finding a hash collision is not enough to forge a digital certificate and break the trust model of the Internet.

We’ll explore how hash collisions have been used to forge digital signatures in the past. We’ll also discuss how certificate authorities can make this significantly harder for attackers in the future by including randomness in certificate serial numbers.

Digital signatures are the bedrock of trust

The Internet relies on trust. Whether it’s logging in to your bank or reading Reddit, HTTPS protects you by encrypting the data you exchange with a site and authenticating the site's identity with a digital certificate. Browsers visually display the added security of HTTPS as a padlock in the address bar.

HTTPS can prove a site’s authenticity to a browser when a Continue reading

Acacia’s $125M IPO filing a rarity among networking firms in 2015

Acacia Communications, an optical networking company that boosts bandwidth for cloud and other service providers, Monday filed for an IPO -- a rarity during a year in which the number of tech companies going public is at its lowest since 2009, the year Acacia launched.The $125M filing to go public comes during a year when the rise of the Unicorn, private companies with valuations of $1 billion or more, has blown away the tech IPO market. Tech IPOs this year have included those by First Data, Rapid7 and Pure Storage.To read this article in full or to leave a comment, please click here

Acacia’s $125M IPO filing a rarity among networking firms in 2015

Acacia Communications, an optical networking company that boosts bandwidth for cloud and other service providers, Monday filed for an IPO -- a rarity during a year in which the number of tech companies going public is at its lowest since 2009, the year Acacia launched.The $125M filing to go public comes during a year when the rise of the Unicorn, private companies with valuations of $1 billion or more, has blown away the tech IPO market. Tech IPOs this year have included those by First Data, Rapid7 and Pure Storage.To read this article in full or to leave a comment, please click here

About those unsecured security cameras in the U.S. without password protection

As for why the U.S. has the most cameras connected to the Internet that have no unique passwords to protect them, could it be that all those cameras are not actually located in the U.S.? For example, there was a camper with icicles that appeared to be about a foot long hanging off of it as a deep snow covered the ground, but it was tagged as being located in Ocala, Florida. A quick search revealed the temperature to be 80 degrees, and that didn’t come close to matching the real-time image.To read this article in full or to leave a comment, please click here

About those unsecured security cameras in the US without password protection

As for why the U.S. has the most cameras connected to the Internet that have no unique passwords to protect them, could it be that all those cameras are not actually located in the U.S.? For example, there was a camper with icicles that appeared to be about a foot long hanging off of it as a deep snow covered the ground, but it was tagged as being located in Ocala, Florida. A quick search revealed the temperature to be 80 degrees and that didn’t come close to matching the real-time image.To read this article in full or to leave a comment, please click here

Oracle settles FTC dispute over Java updates

Oracle promises to give customers tools that easily uninstall insecure older versions of Java SE that may still lurk as vulnerabilities within Web browsers.That promise comes in a consent decree with the Federal Trade Commission that is currently up for public review before taking effect in January.+More on Network World: After Juniper security mess, Cisco searches own gear for backdoors+To read this article in full or to leave a comment, please click here

Can collaborative security work?

At a web conference meeting with IT security professionals in early December, IT advisory services firm Wisegate polled the small group about how comfortable they were with sharing cyberthreat information with industry peers and with government agencies.When “sharing” included giving information to the government, about half of the group thought it was a bad idea. But when 'government' was taken out of the sharing equation, some 80 percent of respondents were at least 'somewhat comfortable' with sharing their knowledge.[ ALSO ON CSO: Silicon Valley wary of U.S. push for cyber security info sharing ]To read this article in full or to leave a comment, please click here

After Juniper security mess, Cisco searches own gear for backdoors

While it says it has no reason to think there are backdoors in any of its products, Cisco has started an additional code review looking for “malicious modifications” after Juniper’s announcement that its ScreenOS operating system has been vulnerable for years. Anthony Greico “Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience,” according to the Cisco Security blog written by Anthony Grieco, senior director of the company’s Security and Trust Organization. The company says it will release its findings in accordance with its security vulnerability policy.To read this article in full or to leave a comment, please click here

Python script to generate RADIUS users

Just for future reference, I wrote this quick script using python to generate RADIUS users in the Freeradius /etc/raddb/users file.  Makes light work of what I used to do rather painfully in Excel:

 

__author__ = 'amulheirn'

# Create lots of radius users for /etc/raddb/users file

interface = 'ge-0/2/0'        # Local source interface
ipaddr = '89.20.80.'          # First three octets of IP addr
startuser = 1                 # Start of the user range
enduser   = 20                # End of the user

for i in range (startuser, enduser):
    print 'user%[email protected]     Cleartext-Password := "password"' % (i)
    print '                        Service-Type := "Framed-User",'
    print '                        Framed-Protocol := "PPP",'
    print '                        Framed-IP-Address := "%s%d",' % (ipaddr, i)
    print '                        Context-Name := "tuk_llu",'

    
print "======[END]====="

What’s in a Name?

What’s the difference between .local and .here? Or between .onion and .apple? All four of these labels are capable of being represented in the Internet’s Domain Name System as a generic Top Level Domains (gTLDs), but only two of these are in fact delegated names while the other two cannot be delegated. It seems that Internet no longer has a single coherent name space, but has developed a number of silent and unsignalled fracture lines, and instead of being administered by a single administrative body there are a number of folk who appear to want to have a hand on the tiller! How have we managed to get ourselves into this somewhat uncomfortable position?
1 3,216 3,217 3,218 3,219 3,220 3,854