Risky Business #384 — Mark Dowd talks AirDrop pwnage, XCode iOS scandal

We've got a great show for you this week. Mark Dowd drops by to talk about the recent spate of Trojaned iOS apps that made it into Apple's China App Store. We also talk to him about his awesome AirDrop bug. How did it work?

This week's sponsor segment is actually a real cracker. Context IS consultant David Klein tells us how he owned an entire cloud platform by enumerating some shitty 90s-style bugs in some third party libraries they were using. It's comedy gold. This cloud platform that uses security at a selling point. It's bad.

read more

Apple lists 25 apps impacted by XcodeGhost

Apple has identified 25 apps on its stores that had used a rogue version of its Xcode development tool, and advised users to update the affected apps to fix the issue on their devices.Figuring in the list are the WeChat app from Tencent and the Didi ride-hailing app, which had been identified earlier as affected. Other apps included in the list released by Apple on its China website include local chatting tool Encounter, the app for Baidu Music and China Unicorn's customer service app.To read this article in full or to leave a comment, please click here

Networking Field Day 10 – Arista

I finally had the chance to finish watching all of the Arista videos from Networking Field Day 10.  They did quite a few presentations and if you haven’t watched them yet I would recommend you do…

EOS Evolution and Quality

EOS SDK Demo

CloudVision Overview

7500 Series Architecture

Leaf SSU Demo

While the bulk of the videos talked about Arista platforms or features, Ken Duda’s presentation (EOS Evolution and Quality) really struck a chord with me.  Early in the presentation Ken summarizes the problem by saying “when the network ain’t working, ain’t nothing working”.  The software powering your network just has to work and it has to work consistently.  Ken then goes into where he thinks quality should come from breaking it into 3 pieces.

Culture – It’s obvious from Ken’s talk that Arista legitimately cares about software quality.  While I don’t think this is unique to Arista, I think it’s something they’ve fully embraced because they can.  Arista was born out of the commodity network era.  When you are working with commodity chips, the real differentiator becomes software.  This puts them at a unique position compared to other traditional vendors who Continue reading

Using Docker Machine with OpenStack

In this post, I’m going to show you how to use Docker Machine with OpenStack. This is something I’ve been interested in testing for a while, and now that I finally have my test lab back up and running, I was able to spend some time on this. I’ll spend some time later in the post covering my reasons for wanting to look at this, but I’ll start with the technical content of how it works.

I tested this setup with the following components:

  • The client system was running OS X 10.9.5 with the Docker 1.8.2 client binary and Docker Machine 0.4.1.
  • The OpenStack cloud was running the Juno release on Ubuntu 14.04 LTS, KVM hypervisors, and VMware NSX for networking.

There are (at least) two approaches to using Docker Machine and OpenStack together:

  1. You can use Docker Machine’s generic driver to consume already-provisioned OpenStack instances. This is, in large part, very similar to what I covered here, but I’ll cover it in this post just for the sake of completeness.
  2. You can use Docker Machine’s openstack driver to automatically provision and configure new instances on an OpenStack cloud. This is the Continue reading

A Quick Reference to Adding New Storage with LVM

This post walks through the process of adding storage capacity to a Linux server using LVM. There’s nothing new, revolutionary, or cutting-edge about this post—honestly, it’s really more for my own reference than anything else. Adding logical volumes is something that I do so infrequently that it’s hard to remember all the commands, so I’m recording them here for when I need them next time.

First, list the physical disks in the system (all commands should be prefaced with sudo or run as a user with the appropriate permissions):

fdisk -l

This will help you identify which (new) disk needs to be added. In my examples, I’ll use /dev/sdb.

Start partitioning the new disk (replace /dev/sdb with the appropriate values for your system):

fdisk /dev/sdb

I’m assuming that this isn’t a boot drive and that whatever logical volumes you create will take up the entire disk. Once you get into fdisk, follow these steps:

  1. Enter n to create a new partition.
  2. Enter p to make this a primary partition.
  3. Enter 1 to make this the first partition on the disk.
  4. Press enter twice to accept default start and end cylinders (unless you know you need to change them).
  5. Enter Continue reading

Opengear Saves the Day from 35K Feet

On Tuesday, I was boarding a flight heading to the west coast and realized I had 3 switches powered down in the colo that I needed for a presentation and demo on Wednesday. Not a good feeling.

We have an IP enabled PDU that I usually connect to with no issues from the office and home office since we also have an SD-WAN deployed using Viptela. The only issue — there is not a way to VPN into the colo (yes, that’s my fault).

As it turns out, I had exposed the Opengear console server, that we used for all out of band access, to the Internet a few months prior. On a flight that I was only planning to do offline work, I was forced to purchase Wifi…from there, the fix was pretty simple.

I SSH’d into the Opengear console server, got access to the Juniper SRX perimeter FW, and then added a temporary NAT configuration that exposed the PDU to the Internet. I was able to now access the PDU directly from 35K feet in the air, get the devices powered up, and have some peace that they could be used in the demo. Sure, I could have Continue reading

Datiphy tracks what data is up to for security, auditing purposes

Datiphy, a service provider founded in Taiwan, has bundled its technology for sale as a software package to make inroads in the U.S. as a security/data auditing tool that detects and reports suspicious access to databases.The company has been selling its service in Asia-Pacific since 2011 but has decided to improve the user interface and give it natural-language search to make it more attractive in the U.S. where the large enterprises it seeks as customers want to have an on-premises platform, says Mike Hoffman, executive vice president of sales and marketing.Datiphy has also gotten a financial shot in the arm, pulling down $7 million from Highland Capital Partners in its first round of institutional funding that it will use in part to hire staff to pursue partnerships so data gathered by the platform can be shared with other security products.To read this article in full or to leave a comment, please click here

DerbyCon: Former BlueHat prize winner will bypass Control Flow Guard in Windows 10

Windows 10, and even Windows 8.1 Update 3, uses Control Flow Guard (CFG) to protect against memory-corruption attacks. Close to the end of last year, Microsoft said the CFG security feature could "detect attempts to hijack your code" and stop executing the code "before the hijacker can do damage to your data or PC."This summer at Black Hat, Yunhai Zhang showed how to "Bypass Control Flow Guard Comprehensively" (pdf). And at DerbyCon on Friday, Jared DeMott and Rafal Wojtczuk will present "Gadgets Zoo: Bypassing Control Flow Guard in Windows 10."To read this article in full or to leave a comment, please click here

Book Report: Future Crimes

Future Crimes by Marc Goodman details the dark side of technology, examining how new technologies are used and abused for criminal purposes.  In just under 400 pages, Goodman provides some basic historical background on computer security and then guides the reader through a cybercrime journey spanning consumer, industrial, medical, and various other technologies.Fair warning to prospective readers: the story isn’t pretty. The author starts with a wake-up call about data privacy and how a plethora of companies like Facebook, Google, and OkCupid, and the $150 billion dollar data broker industry regularly collect, sell, and abuse user data.  Future Crimes also explores the current derelict world of cyber peeping toms, bullies, revenge porn, and extortion. While these crimes are already rampant today, Goodman theorizes that things will get worse with the proliferation of surveillance cameras, geo-location services, RFID tags, and wireless networking technology. The point is crystal clear: each technology innovation increases the attack surface, and cybercriminals are only too happy to exploit these vulnerabilities for profit.To read this article in full or to leave a comment, please click here

Tower 2.3 Has Arrived

Ansible-Tower-Official-Logo-Black
We’re happy to announce the release of Ansible Tower 2.3, our console and service that brings control, security, and delegation to your Ansible deployments.

Historically Tower has been installed with a simple setup playbook that you run with the Ansible you already have to download and install Tower. But not everyone has the luxury of access to the internet at all times.

Starting with Tower 2.3, we now offer a bundled installer for Red Hat Enterprise Linux and CentOS systems. This all-in-one installer contains everything you need to get Tower started in one bundle, including bootstrapping of Ansible for you as needed. All you need is a Red Hat or CentOS machine with access to the vendor OS repositories - no other external access required. The playbook installer is still available as well, and Tower is also still available via Vagrant image or AMI if you’d prefer to try it via that method.

As usual, this release of Tower includes a variety of bug fixes as well, including performance improvements around listing jobs and job templates.

For more information on Tower 2.3, check the release notes at: http://docs.ansible.com/ansible-tower/latest/html/installandreference/release_notes.html

To try Ansible Tower 2.3 Continue reading

OPM underestimated the number of stolen fingerprints by 4.5 million

The number of people whose fingerprints have been stolen as a result of the high-profile hack into the computer systems of the U.S. Office of Personnel Management earlier this year is now 5.6 million.The agency revised its original estimate of 1.1 million Wednesday after finding fingerprint data in archived records that had previously not been taken into account.This does not change the overall number of 21.5 million former, current and prospective federal employees and contractors whose Social Security numbers, personal information and background investigation records were exposed in the breach.The OPM announced in June that it was the target of a cybersecurity breach that resulted in the theft of personnel data including full names, birth dates, home addresses, and Social Security numbers of 4.2 million current and former government employees.To read this article in full or to leave a comment, please click here

OPM breach: 4.5 million more individuals open to future fingerprint abuse

Now the federal Office of Personnel Management says the number of individuals whose fingerprints were stolen is 5.6 million – up from 1.1 million – and that they can look forward to having those prints misused as criminals get better at exploiting them.OPM says, “an interagency working group with expertise in this area … will review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.”To read this article in full or to leave a comment, please click here

Technology Short Take #54

Welcome to Technology Short Take #54! In this episode, I’ve gathered an odd collection of links and articles about key data center technologies. Without further ado, let’s get to the content.

Networking

  • Not sure if this link belongs in Networking or in Virtualization, but we’ll stick it here since it talks about VMware NSX. Here’s a three-part series on running VMware NSX on vSphere on AWS via Ravello Systems (part 1, part 2, and part 3). This is a great way to get your feet wet with NSX without having to invest in a home lab.
  • This is a bit of an older post, but I really appreciated Bob McCouch’s post on building tools versus “programming.” I think Bob really hit the nail on the head when he said that the real goal is working efficiently with high quality and low error rates. If this means you need to learn to write a script, then so be it. If it means it needs to be manual, then so be it (but please, please, do take the time to document it!).
  • Dan Conde of ESG has a write-up on the role of NSX in Continue reading

How will new memory technologies impact in-memory databases?

This is a guest post by Yiftach Shoolman, Co-founder & CTO of redislabs. Will 3D XPoint change everything? Not as much as you might hope...

Recently, investors, analysts, partners and customers have asked me how the announcement from Intel and Micron about their new 3D XPoint memory technology will affect the in-memory databases market. In these discussions, a common question was “Who needs an in-memory database if all the non in-memory databases will achieve similar performance with 3D XPoint technology?” Well, I think that's a valid question so I've decided to take a moment to describe how we think this technology will influence our market.

First, a little background...

The motivation of Intel and Micron is clear -- DRAM is expensive and hasn’t changed much during the last few years (as shown below). In addition, there are currently only three major makers of DRAM on the planet (Samsung Electronics, Micron and SK Hynix), which means that the competition between them is not as cutthroat as it used to be between four and five major manufacturers several years ago.

DRAM Price Trends

1 3,311 3,312 3,313 3,314 3,315 3,842