Verifying SSL Certificate Chains

Found this link very useful doing this:

http://www.herongyang.com/Cryptography/OpenSSL-Certificate-Path-Validation-Tests.html

Some useful commands:
Display a certificate:
openssl x509 -in test-cert-top.pem -noout -text

Display a certificate's issuer:
openssl x509 -in test-cert-top.pem -noout -issuer

Display a certificate's subject:
openssl x509 -in test-cert-top.pem -noout -subject

Verify a certificate:
openssl verify test-cert-top.pem

Verify a certificate chain with 3 certificates:
openssl verify -CAfile test-cert-bottom.pem -untrusted test-cert-middle.pem test-cert-top.pem
-CAfile keyword indicates which certificate is used as the root certificate, with the -untrusted option being set to validate the intermediate certificate in the chain

Verify a certificate chain with 2 certificates:
openssl verify -CAfile test-cert-bottom.pem test-cert-middle.pem


Dyreza malware steals IT supply chain credentials

Cyber-criminals using the Dyreza computer trojan appear to be shifting gears from online banking and moving into the industrial supply chain.New versions of Dyreza are configured to steal credentials for order fulfillment, warehousing, inventory management, e-commerce and other IT and supply chain services. This represents a deliberate strategy on the part of attackers to target new industries at all points across the supply chain, researchers from security firm Proofpoint said in a blog post."We suspect a financial motivation," they said. "Once an attacker has obtained login credentials for their targeted systems, the potential to harvest payment information, make fraudulent financial transfers, and even divert physical shipments is immense."To read this article in full or to leave a comment, please click here

Your Ansible Playbook for OpenStack Summit Tokyo

Openstack-Tokyo

The next OpenStack Summit is quickly approaching -- and the schedule is, as always, packed with great sessions, collaboration days, social events, get-togethers, and more.

If you’re joining the event in Tokyo, which runs from October 27-30, and you’re a fan of Ansible, you just might be thinking to yourself… “If only there was a playbook for this!”

Behold! My amazing psychic capabilities alerted me to this exact scenario. Okay, not really, but: in, ahem, "playbook-inspired" format, you’ll find a list of tasks for each type of role -- conference sessions, OpenStack projects using Ansible to know about, the Ansible Collaboration Day onsite at Summit, and how to stay up to date with Ansible-related happenings on-site and beforehand.

Not familiar with Ansible yet, or how it works with OpenStack? Here's the great news: There will be plenty of opportunities for you to learn all about it at OpenStack Summit. And just like Ansible makes it easy for you to deploy and operate your OpenStack cloud -- this blog post makes it easy for you to find the Ansible-related content to get you started on your path to Ansible+OpenStack cloud bliss.

All you have to do is decide which Continue reading

Cisco acquires security consultancy

Cisco this week said it intends to purchase Portcullis, a privately held cybersecurity consultancy based in the United Kingdom.Terms of the deal were not disclosed.+MORE ON NETWORK WORLD: Cisco security chief: 4 things CISOs need to survive+ Cisco James Mobley, Cisco vice president of security solutionsTo read this article in full or to leave a comment, please click here

Worth Reading: Antivirus and Zero Day

Deploying multiple AV products might expand the total number of known malware signatures in your AV armor, but this approach doesn’t combat the biggest flaw: new, zero-day malware that no AV product has ever encountered (and therefore can’t possibly recognize). Even with frequent updates to the signature database, AV software just can’t keep up. via the cloud security alliance

The post Worth Reading: Antivirus and Zero Day appeared first on 'net work.

IDG Contributor Network: Consumers ‘feeling vulnerable’ about smart home security, report says

While half of consumers polled in a recent survey think that they are "adequately" protected from online threats on their computers, tablets, and smartphones, only 37% think the same protection is in place for their connected-home devices, such as IoT, gaming consoles, smart TVs, and thermostats.DNS service provider Nominium commissioned the report from market researcher YouGov in July. Polling consisted of 1,106 consumers in the United States.Less secure "Consumers find their digital world expanding at an astounding pace with more and more Internet-connected 'things,'" Nominium says of the report.To read this article in full or to leave a comment, please click here

Measuring the Root KSK Keyroll

A little over five years ago the root zone of the DNS was signed with DNSSEC for the first time. At the time the Root Zone operators promised to execute a change of key in five years time. It's now that time and we are contemplating a roll of the root key of the DNS. The problem is that we believe that there are number of resolvers who are not going to follow the implicit signalling of a new key value. So for some users, for some domain names things will go dark when this key is rolled. Is there any way to predict in advance how big a problem this will be?

Prez: Candidate synchronization

So last week I gave $10 to all the presidential campaigns, in order to watch their antics. One thing that's weird is that they often appear to act in unison, as if they are either copying each other, or are all playing from the same secret playbook.

The candidates must report their donations every quarter, according to FEC (Federal Elections Commission) rules. The next deadline is September 30th. Three days before that deadline, half the candidates sent out email asking for donations to meet this "critical" deadline. They don't say why it's critical, but only that's is some sort of critical deadline that must be met, which we can only do so with your help. The real reason why, of course, is that this information will become public, implicitly ranking the amount of support each candidate has.

Four days before this deadline, I didn't get donation pleas mentioning it. Three days before, half the candidates mentioned it. It's as if one candidate sees such an email blast, realizes it's a great idea, and send's out a similar email blast of their own.

Two days before the deadline, three of the candidates sent out animated GIFs counting down to the deadline. Continue reading

Thousands of medical devices are vulnerable to hacking, security researchers say

Next time you go for an MRI scan, remember that the doctor might not be the only one who sees your results.Thousands of medical devices, including MRI scanners, x-ray machines and drug infusion pumps, are vulnerable to hacking, creating significant health risks for patients, security researchers said this week.The risks arise partly because medical equipment is increasingly connected to the Internet so that data can be fed into electronic patient records systems, said researcher Scott Erven, who presented his findings with fellow researcher Mark Collao at the DerbyCon security conference.To read this article in full or to leave a comment, please click here

What will be hottest space research in next ten years?

With NASA spotting water flows on Mars this week, excitement abounds as to what might be the next big thing for astrobiologsts and space scientists in general.Interestingly a congressional hearing entitled “Astrobiology and the Search for Life Beyond Earth in the Next Decade” was on tap this week to take a look at what some key issues are as NASA and other space organization look toward the future.+More on Network World: NASA touts real technologies highlighted in imminent 'The Martian' flick+To read this article in full or to leave a comment, please click here

Assigning DMVPN tunnel interface addresses with DHCP

I posted previously about some of the inner workings of DHCP. The three key points from that post are critical building blocks for this discussion:
  • DHCP requests get modified in flight by the DHCP relay.
  • DHCP relay determines L2 destination by inspecting contents of relayed packets.
  • DHCP clients, relays and (sometimes) servers use raw sockets because the end-to-end protocol stack isn't yet available.
The basic steps to converting a DMVPN from static address assignment scheme to dynamic are:
  1. Configure a DHCP server. I'm using an external server1 in this example so that we can inspect the relayed packets while they're on the wire.
  2. Configure the hub router. There are some non-intuitive details we'll go over.
  3. Configure the spoke router. Ditto on the non-intuitive bits.
My DHCP server is running on an IOS router (because it's convenient - it could be anywhere) and it has the following configuration:
    1     no ip dhcp conflict logging  
    2     ip dhcp excluded-address 172.16.1.1  
    3     !  
    4     ip dhcp pool DMVPN_POOL  
    5      network 172.16.1.0 255.255.255.0

So, that's pretty straightforward.

The Hub Router has the following relevant configuration:
    1     ip dhcp support tunnel unicast  
    2     interface Tunnel0  
    3       Continue reading

Apple throws down the gauntlet with overhauled privacy policy

Apple is making it very clear how it uses your data with a revamp of its privacy policy, posted in full on the company’s website. In the process, Cupertino is also making it plain just how different it is from other tech companies.Apple affirmed its commitment to customer privacy a year ago, and Tuesday’s update covers everything new in iOS 9 and OS X El Capitan. The company isn’t just issuing platitudes about how great its privacy protections are—it dives into real detail about how its various services use and protect your data.To read this article in full or to leave a comment, please click here

A Linux botnet is launching crippling DDoS attacks at more than 150Gbps

A Linux botnet has grown so powerful that it can generate crippling distributed denial-of-service attacks at over 150 Gbps, many times greater than a typical company's infrastructure can withstand.The malware behind the botnet is known as XOR DDoS and was first identified in September last year. Attackers install it on Linux systems, including embedded devices such as WiFi routers and network-attached storage devices, by guessing SSH (Secure Shell) login credentials using brute-force attacks.The credentials are used to log into the vulnerable systems and execute shell commands that download and install the malicious program. To hide its presence, the malware also uses common rootkit techniques.To read this article in full or to leave a comment, please click here

1 3,315 3,316 3,317 3,318 3,319 3,853