Security Benefits of Open Source and Open Development

Gregory Pickett of Hellfire Security reached out to me last Wednesday about some interesting research he is presenting tomorrow at Black Hat USA. There are two parts to his research: a security bug in Cumulus Linux (that we already patched) and other network operating systems, and a serious design issue with how all network switches are designed and built.

The security bug was the easy part: it is not exploitable in our default configuration, and Gregory politely gave us a heads up well ahead of time, so we put the fix out last Friday to protect customers who have modified their sudoers configuration in a way that exposed them to the vulnerability. You can see the details in our security fix announcement from last Friday. (If you’re interested in being notified about future security fixes in Cumulus Linux, please sign up for our security mailing list.)

The much more serious issue he will present is the exploitability of firmware in all network switches. This same exploitability has been known about in servers, laptops and PCs for years (and in some cases mitigated with technologies like Trusted Platform Modules), but its application to networking devices is new.

This issue means Continue reading

China to plant Internet police in top online firms

China’s control over the Internet is set to expand. In a bid to better police local websites, the country’s security forces are establishing offices at the biggest online firms in the country.The country’s Ministry of Public Security announced the new measures on Tuesday, at a time when authorities have been increasingly concerned also about cyberthreats.Websites based in China already have to abide by strict provisions for online censorship, and will often delete any content deemed offensive by government censors.To read this article in full or to leave a comment, please click here

Apple computers vulnerable to ‘Thunderstrike 2’ firmware worm

An improved attack on the firmware in Apple computers makes them vulnerable to hard-to-detect malware without even being connected to a network, according to a Black Hat conference presentation due to be given later this week.The new research highlights ongoing weaknesses in the low-level software that runs on every computer before an operating system is loaded.It comes from researchers Xeno Kovah and Corey Kallenberg of LegbaCore and Trammell Hudson of Two Sigma Investments. They showed earlier this year how they could infect a Mac’s firmware with malware by connecting malicious devices to them using Thunderbolt, Apple’s high-speed data transfer interface. The attack was dubbed Thunderstrike.To read this article in full or to leave a comment, please click here

IBM launches new services to help enterprises embrace Macs

IBM's year-long partnership with Apple took a new turn on Wednesday with the PC giant's announcement of new cloud services designed to help large companies incorporate Macs into their IT infrastructures.With the new offering, which is part of IBM's MobileFirst services portfolio, clients can order Macs and have them delivered directly to their employees without the need for any additional setup, imaging or configuration. Employees can then quickly and securely gain network access, connect to email and download business applications, IBM said.The services can also accommodate employees' own, personal Macs in corporate "bring-your-own-device" settings. They are delivered via the cloud as a software-as-a-service (SaaS) product but are also available on-premises in clients' data centers.To read this article in full or to leave a comment, please click here

Hardware issue blamed for wireless and Internet outage in Southeast

A cell phone and Internet outage Tuesday evening in several Southeastern states was caused by a hardware problem, AT&T reported."Wireless and wireline service has been restored for all customers in parts of the Southeast affected by a hardware-related network issue," AT&T said in a statement Tuesday. "Our engineers completed repairs and service is running normally. We apologize for any inconvenience."AT&T would not describe the nature of the hardware problem, and said it only could speak about service for its own customers.MORE: 10 mobile startups to watch However, the outage was reported on social media and other sources to have affected thousands of customers for all the major carriers, lasting from about 4 p.m. to 8 p.m. ET Tuesday. It hit customers in parts of Tennessee, Kentucky, Indiana, Alabama, Georgia and Missouri, and possibly other states.To read this article in full or to leave a comment, please click here

Tweaks to Windows 10 settings for privacy

For as cool as it might be to use Microsoft's virtual assistance Cortana, she is also a big reason why the Windows 10 settings are so unfriendly to privacy. Start typing in the "Search Windows" box on the taskbar and Cortana wants to help…or to be turned on. It may be a bummer to lose so many features in Windows 10, but you have to choose if you want as much privacy as possible or if you want as many Windows 10 features as possible. Sorry, but you can't have both. Settings>Privacy>To read this article in full or to leave a comment, please click here

See Video: Sysadmins take wild ride in contraption made of iMac boxes

And there I was, thinking I was making the most of my MacBook Air box by using it as a stand for my laptop rather than forking over the money for a fancier stand. But the IT department at George Fox University in Oregon easily has me beat with its human transport wheel, made from 36 trapezoid-shaped iMac boxes. They took out the computers and styrofoam, and built the 120-pound iWheel. According to the school's blog, sysadmin Mike Campadore had been plotting the iWheel for more than a year, initially estimating he'd need 38 boxes. He joined with colleague Rich Bass this past Friday (SysAdmin Day, as it turns out) and gave the taped-together box wheel a big old spin across campus. To read this article in full or to leave a comment, please click here

See Video: Sysadmins take wild ride in giant iMac wheel

And there I was, thinking I was making the most of my MacBook Air box by using it as a stand for my laptop rather than forking over the money for a fancier stand.But the IT department at George Fox University in Oregon easily has me beat with its human transport wheel, made from 36 trapezoid-shaped iMac boxes. They took out the computers and styrofoam, and built the 120-pound iWheel.According to the school's blog, sysadmin Mike Campadore had been plotting the iWheel for more than a year, initially estimating he'd need 38 boxes. He joined with colleague Rich Bass this past Friday (SysAdmin Day, as it turns out) and gave the wheel a big old spin across campus. To read this article in full or to leave a comment, please click here

FBI warns businesses of spike in email/DDOS extortion schemes

The FBI said there has been a significant uptick in the number of businesses being hit with extortion schemes where a company receive an e-mail threatening a Distributed Denial of Service (DDoS) attack to its Website unless it pays a ransom, usually in varying amounts of Bitcoin.The report comes from the FBI’s partner, the Internet Crime Complaint Center (IC3) which stated that victims that do not pay the ransom receive a subsequent threatening e-mail claiming that the ransom will significantly increase if the victim fails to pay within the time frame given. Some businesses reported implementing DDoS mitigation services as a precaution.“Businesses that experienced a DDoS attack reported the attacks consisted primarily of Simple Discovery Protocol (SSDP) and Network Time Protocol (NTP) reflection/amplification attacks, with an occasional SYN-flood and, more recently, Wordpress XML-RPC reflection/amplification attack. The attacks typically lasted one to two hours, with 30 to 35 gigabytes as the physical limit,” the IC3 stated in the warning.To read this article in full or to leave a comment, please click here

Qualys offers free IT asset management service for enterprises

IT security firm Qualys has unveiled a free inventory service that can help organizations keep track of all their computers and virtual machines.The service, called Qualys AssetView, provides an inventory of an organization’s computers and their software.Administrators can use the service to run reports that compile asset information, or to run search queries to find out which of their computers are running outdated or unlicensed software, for instance.Qualys AssetView gives IT and security staff a “simple and quick way” of figuring out what assets they have and what software is on them, said Sumedh Thakar, Qualys chief product officer.To read this article in full or to leave a comment, please click here

IDG Contributor Network: Fueling the need for speed, Fastly raises $75 million

Fastly has a plan. And that plan revolves around unseating traditional content distribution network (CDN) vendors. For those unaware, CDNs are a critically important, but largely invisible (at least to end users), part of the infrastructure of the web. Quite simply, CDNs introduce locations close to consumption where content can be cached. What that means is that if you're in Timbuktu and trying to reach a website hosted in Outer Mongolia, rather than having to pull down all those pages all the way between the two points, you can leverage a CDN located near you to reduce page load times.And in a word where empirical data has shown massive revenue gains from even tiny increments in page load speed, every microsecond counts. Enter Fastly, a CDN vendor founded in 2011 that has built a significant presence and already powers such web properties as Twitter, the Guardian, Gov.UK, GitHub and Pinterest. Funded by a bevy of top-tier investors, including Amplify Partners, August Capital, Battery Ventures, ICONIQ Capital, IDG Ventures, and O’Reilly AlphaTech Ventures, Fastly is today announcing another raise, this time $75 million by way of a Series D round.To read this article in full or to leave Continue reading

Review: The Craft of Research

craft-of-researchThe Craft of Research
Booth, Colomb, and Williamns

Engineers don’t often think of themselves as researchers. After all, what does writing a bit of code, or building a network design, have to do with research? Isn’t research something academic type folks do when they’re writing really long, and really boring, papers that no-one ever reads? If that’s what you really think, then you’ve come to the wrong blog this week. :-) In fact, I’d guess that a good many projects get off track, and a good number of engineering avenues aren’t explored, because people just don’t know how to — or don’t enjoy — research. Research is at the very heart of engineering.

Even if it’s never published, writing a research style paper can help you clarify and understand the issues you’re facing, and think through the options. Reading IETF drafts, software design specs, and many other documents engineers produce is depressing some times.

Can’t we do better? Of course we can. Read this book.

This book, while it does focus on the academic side of writing a research paper, is also a practical guide to how to think through the process of researching a project. The authors begin with a Continue reading

FREE COURSE: Hack yourself first (before the bad guys do)

If you can't think like a hacker, it's difficult to defend against them. Such is the premise of this free, nine-part online course, presented by Computerworld and training company Pluralsight, about how to go on the cyber-offensive by using some of the same techniques and tools the bad guys do.This course comes at security from the view of the attacker in that their entry point is typically the browser. They have a website they want to probe for security risks -- and now you can learn how they go about it. This approach helps IT managers and staffers, developers and others to begin immediately assessing their applications even when the apps are already running in a live environment without access to the source. After all, that's what the attackers are doing.To read this article in full or to leave a comment, please click here(Insider Story)

SDN switches aren’t hard to compromise, researcher says

Software-defined switches hold a lot of promise for network operators, but new research due to be presented at Black Hat will show that security measures haven't quite caught up yet.Gregory Pickett, founder of the Chicago-based security firm Hellfire Security, has developed several attacks against network switches that use Onie (the Open Network Install Environment).Onie is a small, Linux based operating system that runs on a bare-metal switch. A network operating system is installed on top of Onie, which is designed to make it easy and fast for the OS to be swapped with a different one.To read this article in full or to leave a comment, please click here

Worth Reading; The Great Man Theory

This matters because the great-man narrative carries costs. First, it has helped to corrode the culture of Silicon Valley. Great-man lore helps excuse (or enable) some truly terrible behavior. … And finally, technology hero worship tends to distort our visions of the future. via MIT

A note to remember — I don’t agree with everything I put up as a worth reading article. There are some good things here, and some bad. Watermelon seeds are meant to be spit out, though, not eaten with the sweet red stuff. And don’t even get into the rind.

The post Worth Reading; The Great Man Theory appeared first on 'net work.

Worth Reading: Toxic Employees

A clear disconnect is occurring at organizations across the U.S. when it comes to employee satisfaction, according to a new study released by Fierce, Inc., leadership development and training experts. The survey found that four out of five employees believe a toxic employee is extremely debilitating to team morale, while the same number agreed that their organizations are somewhat or extremely tolerant of these individuals. via fierce

The post Worth Reading: Toxic Employees appeared first on 'net work.

1 3,364 3,365 3,366 3,367 3,368 3,836