Attackers could use Internet route hijacking to get fraudulent HTTPS certificates

Inherent insecurity in the routing protocol that links networks on the Internet poses a direct threat to the infrastructure that secures communications between users and websites.The Border Gateway Protocol (BGP), which is used by computer network operators to exchange information about which Internet Protocol (IP) addresses they own and how they should be routed, was designed at a time when the Internet was small and operators trusted each other implicitly, without any form of validation.If one operator, or autonomous system (AS), advertises routes for a block of IP addresses that it doesn’t own and its upstream provider passes on the information to others, the traffic intended for those addresses might get sent to the rogue operator.To read this article in full or to leave a comment, please click here

Android device makers to release monthly security fixes

Google, Samsung and LG will start to issue monthly security patches for Android devices, taking a cue from the PC industry after critical vulnerabilities put hundreds of millions of smartphone users at risk.Security experts have warned for years that Android devices receive critical updates from manufacturers either too slowly or not at all. Phones and tablets have been increasingly targeted by hackers looking to steal data or defraud users.Google’s Nexus devices will get monthly over-the-air security patches, said Adrian Ludwig, lead engineer for Android security, at the Black Hat security conference in Las Vegas.“Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability, or 18 months from last sale of the device via the Google Store, he wrote in a blog post.To read this article in full or to leave a comment, please click here

Reddit bans racist communities, ‘quarantines’ other offensive talk

Reddit is removing several racist communities from its website, as well as other offensive discussion topics, part of an ongoing effort to clean up the most toxic content on its site.Among those now banned are the subreddits /r/CoonTown and /r/bestofcoontown—as well as others with even more racist names—and also content related to “animated” child pornography, said Steve Huffman, Reddit’s chief executive, in a post on Wednesday.Reddit is trying to strike a balance between honoring its heritage as a place for free-wheeling free speech while also restricting hateful or harassing content. It’s a tough balance, though, and some of its longtime users have criticized what they see as censorship of the site.To read this article in full or to leave a comment, please click here

IBM launches new services to help enterprises embrace Macs

IBM's year-long partnership with Apple took a new turn on Wednesday with the PC giant's announcement of new cloud services designed to help large companies incorporate Macs into their IT infrastructures.With the new offering, which is part of IBM's MobileFirst services portfolio, clients can order Macs and have them delivered directly to their employees without the need for any additional setup, imaging or configuration. Employees can then quickly and securely gain network access, connect to email and download business applications, IBM said.The services can also accommodate employees' own, personal Macs in corporate "bring-your-own-device" settings. They are delivered via the cloud as a software-as-a-service (SaaS) product but are also available on-premises in clients' data centers.To read this article in full or to leave a comment, please click here

Security Benefits of Open Source and Open Development

Gregory Pickett of Hellfire Security reached out to me last Wednesday about some interesting research he is presenting tomorrow at Black Hat USA. There are two parts to his research: a security bug in Cumulus Linux (that we already patched) and other network operating systems, and a serious design issue with how all network switches are designed and built.

The security bug was the easy part: it is not exploitable in our default configuration, and Gregory politely gave us a heads up well ahead of time, so we put the fix out last Friday to protect customers who have modified their sudoers configuration in a way that exposed them to the vulnerability. You can see the details in our security fix announcement from last Friday. (If you’re interested in being notified about future security fixes in Cumulus Linux, please sign up for our security mailing list.)

The much more serious issue he will present is the exploitability of firmware in all network switches. This same exploitability has been known about in servers, laptops and PCs for years (and in some cases mitigated with technologies like Trusted Platform Modules), but its application to networking devices is new.

This issue means Continue reading

China to plant Internet police in top online firms

China’s control over the Internet is set to expand. In a bid to better police local websites, the country’s security forces are establishing offices at the biggest online firms in the country.The country’s Ministry of Public Security announced the new measures on Tuesday, at a time when authorities have been increasingly concerned also about cyberthreats.Websites based in China already have to abide by strict provisions for online censorship, and will often delete any content deemed offensive by government censors.To read this article in full or to leave a comment, please click here

Apple computers vulnerable to ‘Thunderstrike 2’ firmware worm

An improved attack on the firmware in Apple computers makes them vulnerable to hard-to-detect malware without even being connected to a network, according to a Black Hat conference presentation due to be given later this week.The new research highlights ongoing weaknesses in the low-level software that runs on every computer before an operating system is loaded.It comes from researchers Xeno Kovah and Corey Kallenberg of LegbaCore and Trammell Hudson of Two Sigma Investments. They showed earlier this year how they could infect a Mac’s firmware with malware by connecting malicious devices to them using Thunderbolt, Apple’s high-speed data transfer interface. The attack was dubbed Thunderstrike.To read this article in full or to leave a comment, please click here

IBM launches new services to help enterprises embrace Macs

IBM's year-long partnership with Apple took a new turn on Wednesday with the PC giant's announcement of new cloud services designed to help large companies incorporate Macs into their IT infrastructures.With the new offering, which is part of IBM's MobileFirst services portfolio, clients can order Macs and have them delivered directly to their employees without the need for any additional setup, imaging or configuration. Employees can then quickly and securely gain network access, connect to email and download business applications, IBM said.The services can also accommodate employees' own, personal Macs in corporate "bring-your-own-device" settings. They are delivered via the cloud as a software-as-a-service (SaaS) product but are also available on-premises in clients' data centers.To read this article in full or to leave a comment, please click here

Hardware issue blamed for wireless and Internet outage in Southeast

A cell phone and Internet outage Tuesday evening in several Southeastern states was caused by a hardware problem, AT&T reported."Wireless and wireline service has been restored for all customers in parts of the Southeast affected by a hardware-related network issue," AT&T said in a statement Tuesday. "Our engineers completed repairs and service is running normally. We apologize for any inconvenience."AT&T would not describe the nature of the hardware problem, and said it only could speak about service for its own customers.MORE: 10 mobile startups to watch However, the outage was reported on social media and other sources to have affected thousands of customers for all the major carriers, lasting from about 4 p.m. to 8 p.m. ET Tuesday. It hit customers in parts of Tennessee, Kentucky, Indiana, Alabama, Georgia and Missouri, and possibly other states.To read this article in full or to leave a comment, please click here

Tweaks to Windows 10 settings for privacy

For as cool as it might be to use Microsoft's virtual assistance Cortana, she is also a big reason why the Windows 10 settings are so unfriendly to privacy. Start typing in the "Search Windows" box on the taskbar and Cortana wants to help…or to be turned on. It may be a bummer to lose so many features in Windows 10, but you have to choose if you want as much privacy as possible or if you want as many Windows 10 features as possible. Sorry, but you can't have both. Settings>Privacy>To read this article in full or to leave a comment, please click here

See Video: Sysadmins take wild ride in contraption made of iMac boxes

And there I was, thinking I was making the most of my MacBook Air box by using it as a stand for my laptop rather than forking over the money for a fancier stand. But the IT department at George Fox University in Oregon easily has me beat with its human transport wheel, made from 36 trapezoid-shaped iMac boxes. They took out the computers and styrofoam, and built the 120-pound iWheel. According to the school's blog, sysadmin Mike Campadore had been plotting the iWheel for more than a year, initially estimating he'd need 38 boxes. He joined with colleague Rich Bass this past Friday (SysAdmin Day, as it turns out) and gave the taped-together box wheel a big old spin across campus. To read this article in full or to leave a comment, please click here

See Video: Sysadmins take wild ride in giant iMac wheel

And there I was, thinking I was making the most of my MacBook Air box by using it as a stand for my laptop rather than forking over the money for a fancier stand.But the IT department at George Fox University in Oregon easily has me beat with its human transport wheel, made from 36 trapezoid-shaped iMac boxes. They took out the computers and styrofoam, and built the 120-pound iWheel.According to the school's blog, sysadmin Mike Campadore had been plotting the iWheel for more than a year, initially estimating he'd need 38 boxes. He joined with colleague Rich Bass this past Friday (SysAdmin Day, as it turns out) and gave the wheel a big old spin across campus. To read this article in full or to leave a comment, please click here

FBI warns businesses of spike in email/DDOS extortion schemes

The FBI said there has been a significant uptick in the number of businesses being hit with extortion schemes where a company receive an e-mail threatening a Distributed Denial of Service (DDoS) attack to its Website unless it pays a ransom, usually in varying amounts of Bitcoin.The report comes from the FBI’s partner, the Internet Crime Complaint Center (IC3) which stated that victims that do not pay the ransom receive a subsequent threatening e-mail claiming that the ransom will significantly increase if the victim fails to pay within the time frame given. Some businesses reported implementing DDoS mitigation services as a precaution.“Businesses that experienced a DDoS attack reported the attacks consisted primarily of Simple Discovery Protocol (SSDP) and Network Time Protocol (NTP) reflection/amplification attacks, with an occasional SYN-flood and, more recently, Wordpress XML-RPC reflection/amplification attack. The attacks typically lasted one to two hours, with 30 to 35 gigabytes as the physical limit,” the IC3 stated in the warning.To read this article in full or to leave a comment, please click here

Qualys offers free IT asset management service for enterprises

IT security firm Qualys has unveiled a free inventory service that can help organizations keep track of all their computers and virtual machines.The service, called Qualys AssetView, provides an inventory of an organization’s computers and their software.Administrators can use the service to run reports that compile asset information, or to run search queries to find out which of their computers are running outdated or unlicensed software, for instance.Qualys AssetView gives IT and security staff a “simple and quick way” of figuring out what assets they have and what software is on them, said Sumedh Thakar, Qualys chief product officer.To read this article in full or to leave a comment, please click here

IDG Contributor Network: Fueling the need for speed, Fastly raises $75 million

Fastly has a plan. And that plan revolves around unseating traditional content distribution network (CDN) vendors. For those unaware, CDNs are a critically important, but largely invisible (at least to end users), part of the infrastructure of the web. Quite simply, CDNs introduce locations close to consumption where content can be cached. What that means is that if you're in Timbuktu and trying to reach a website hosted in Outer Mongolia, rather than having to pull down all those pages all the way between the two points, you can leverage a CDN located near you to reduce page load times.And in a word where empirical data has shown massive revenue gains from even tiny increments in page load speed, every microsecond counts. Enter Fastly, a CDN vendor founded in 2011 that has built a significant presence and already powers such web properties as Twitter, the Guardian, Gov.UK, GitHub and Pinterest. Funded by a bevy of top-tier investors, including Amplify Partners, August Capital, Battery Ventures, ICONIQ Capital, IDG Ventures, and O’Reilly AlphaTech Ventures, Fastly is today announcing another raise, this time $75 million by way of a Series D round.To read this article in full or to leave Continue reading

Review: The Craft of Research

craft-of-researchThe Craft of Research
Booth, Colomb, and Williamns

Engineers don’t often think of themselves as researchers. After all, what does writing a bit of code, or building a network design, have to do with research? Isn’t research something academic type folks do when they’re writing really long, and really boring, papers that no-one ever reads? If that’s what you really think, then you’ve come to the wrong blog this week. :-) In fact, I’d guess that a good many projects get off track, and a good number of engineering avenues aren’t explored, because people just don’t know how to — or don’t enjoy — research. Research is at the very heart of engineering.

Even if it’s never published, writing a research style paper can help you clarify and understand the issues you’re facing, and think through the options. Reading IETF drafts, software design specs, and many other documents engineers produce is depressing some times.

Can’t we do better? Of course we can. Read this book.

This book, while it does focus on the academic side of writing a research paper, is also a practical guide to how to think through the process of researching a project. The authors begin with a Continue reading

1 3,369 3,370 3,371 3,372 3,373 3,841