OpenSSL fixes serious flaw that could enable man-in-the-middle attacks

A flaw in the widely used OpenSSL library could allow man-in-the-middle attackers to impersonate HTTPS servers and snoop on encrypted traffic. Most browsers are not affected, but other applications and embedded devices could be.The OpenSSL 1.0.1p and 1.0.2d versions released Thursday fix an issue that could be used to bypass certain checks and trick OpenSSL to treat any valid certificates as belonging to certificate authorities. Attackers could exploit this to generate rogue certificates for any website that would be accepted by OpenSSL.“This vulnerability is really only useful to an active attacker, who is already capable of performing a man-in-the-middle (MITM) attack, either locally or upstream from the victim,” said Tod Beardsley, security engineering manager at Rapid7, via email. “This limits the feasibility of attacks to actors who are already in a privileged position on one of the hops between the client and the server, or is on the same LAN and can impersonate DNS or gateways.”To read this article in full or to leave a comment, please click here

United fiasco prompts networking confessions

Yesterday’s grounding of the United Airlines fleet, which the company has blamed on a routing mishap of some kind, has prompted readers of Reddit’s section devoted to networking to share their worst workplace screw-ups and the consequences of same.  There are almost 200 tales and comments, but there is one that stands out from the rest: We were removing old trading workstations in the Chicago pits during a Globex/Dealing upgrade. We were told to just use snips to cut the towers free. I cut the wrong damn line. An entire wall of stations and displays went down including the big index board. Commodities quotes from NY went dead. Trading was halted at CME/CBOE for 3 f***ing hours. I single handedly caused the most expensive technical market glitch in Chicago exchange history up to that point. I halted an estimated $3b in trades.To read this article in full or to leave a comment, please click here

Verifying TDD Scenarios

Now that Ansible has done all the information gathering for us it’s time to finally make use of it. In this post I will show how to use Ansible to run traceroutes from and to the hosts defined in a test scenario and perform verification of the results of those tests. Should any of those tests fail, Ansible will provide a meaningful description of what exactly failed and why. While doing all this I’ll introduce a couple of new Ansible features like conditional looping and interactive prompts.

Continue reading

The Upload: Your tech news briefing for Thursday, July 9

NYSE halts trading as IT systems go down... but it’s no cyberattackTrading on the New York Stock Exchange halted for over three hours Wednesday due to unspecified computer problems. The exchange quickly ruled out a cyberattack, which means there are likely to be red faces in the NYSE IT department when the cause is uncovered.Microsoft lays off 7,800 staff as it dials down its smartphone ambitionsA little over a year after buying Nokia’s smartphone division, Microsoft is laying off all but one-sixth of the division’s staff, and writing off $7.6 billion, almost all of its purchase price. CEO Satya Nadella reportedly never liked the acquisition, set in motion by his predecessor Steve Ballmer, and now plans to slim down the bewildering array of Lumia phones the company makes, more tightly integrating them with Windows 10.To read this article in full or to leave a comment, please click here

The Upload: Your tech news briefing for Thursday, July 9

NYSE halts trading as IT systems go down... but it’s no cyberattackTrading on the New York Stock Exchange halted for over three hours Wednesday due to unspecified computer problems. The exchange quickly ruled out a cyberattack, which means there are likely to be red faces in the NYSE IT department when the cause is uncovered.Microsoft lays off 7,800 staff as it dials down its smartphone ambitionsA little over a year after buying Nokia’s smartphone division, Microsoft is laying off all but one-sixth of the division’s staff, and writing off $7.6 billion, almost all of its purchase price. CEO Satya Nadella reportedly never liked the acquisition, set in motion by his predecessor Steve Ballmer, and now plans to slim down the bewildering array of Lumia phones the company makes, more tightly integrating them with Windows 10.To read this article in full or to leave a comment, please click here

Apple drops Recovery Key in new two-factor authentication for El Capitan and iOS 9

In early June, Apple said two-factor authentication would be tightly integrated into OS X 10.11 El Capitan and iOS 9, but provided little detail as to what that means. The current setup is scattered across sites and methods in order to deliver a second one-time use, time-limited code or other method of verification when a user logs in to an Apple site or on an Apple device with an Apple ID set up for it.Apple today posted a detailed explanation about how two-factor authentication works starting with the public betas of iOS 9 and El Capitan.6 simple tricks for protecting your passwords Among other changes, the Recovery Key option that has tripped up users in the past, and led in some cases to users having to abandon an Apple ID as permanently unavailable, has been removed, an Apple spokesperson confirmed. With the new system, Apple customer support will work through a detailed recovery process with users who lose access to all their trusted devices and phone numbers.To read this article in full or to leave a comment, please click here

IBM has first 7nm chip and leapfrogs over competitors

IBM says it has produced the world's first 7nm (nanometer) chip, arriving well ahead of competitors, thanks to advances in its chip technology.Chip makers are now producing 14nm processors, and the next big project for Intel and other chip makers has been the 10nm chip. IBM, in its announcement today, has upended the chip industry's development path.A 7nm chip will hold about four times as many transistors in the same area as a 14nm chip, said Richard Doherty, research director of Envisioneering, a technology assessment and market research firm. In terms of chip development, IBM has "moved the field goal out," he said.MORE ON NETWORK WORLD: 26 crazy and scary things the TSA has found on travelers "For IBM to conquer 7nm without stopping at the 10nm that Intel is supposedly tackling, means that IBM has secured the future two steps out," Doherty said.To read this article in full or to leave a comment, please click here

Despite warnings, majority of firms still run some Windows Server 2003

Enterprises are still heavily dependent on Windows Server 2003 even though there were plenty of warnings that support is coming to an end on July 14 -- and this opens them up to security, compliance and operational risks.According to a June report covering 200 enterprise data centers totaling more than 90,000 servers, only 7 percent of enterprises were completely free of Windows Server 2003, according to Softchoice, a technology services company.During the first half of 2015, 21 percent of servers scanned were still running on that operating system, down from 32 percent in 2014 and 43 percent the year before that.[ ALSO ON CSO: Windows vulnerability can compromise credentials ]To read this article in full or to leave a comment, please click here

Emergency Flash Player updates fix vulnerability used in widespread attacks

Adobe Systems was forced to rush the release of a Flash Player update after an exploit for a previously unknown vulnerability was leaked on the Internet and quickly adopted by cybercriminals.Users are advised to upgrade to the newly released Flash Player 18.0.0.203 for Windows and Mac, Flash Player 11.2.202.481 for Linux, or Flash Player 13.0.0.302, if they’re on the extended support channel.The Flash Player plug-in bundled with Google Chrome and Internet Explorer on Windows 8.x will be automatically updated.The company also released version 18.0.0.180 of the AIR runtime, AIR SDK and AIR SDK & Compiler, because these products also bundle Flash Player.To read this article in full or to leave a comment, please click here

Some Ridiculous SD-WAN Claims

SDx Central is usually a pretty good web site that I love to read, but even they occasionally manage to publish a gem like this one:

The problem with MPLS and similar technologies is that they weren’t designed with today’s business challenges in mind. Today, a company may need to launch an overseas R&D office overnight, or it may acquire a startup and want to immediately network with offices in distant regions and countries. Older technologies just don’t have the flexibility to do this on the fly.

Not surprisingly, the above paragraph triggered a severe case of Deja-Moo.

Read more ...

Risky Business #373 — Hacking Team gets owned. Quite a lot.

Obviously the Hacking Team breach is the big story of the week and we'll be jumping right into that.

It's a jam packed podcast this week -- we check in with Dave Aitel of Immunity to talk about the impending Wassenaar Arrangement disaster about to hit America. We're also joined by Claudio Guarnieri.

Claudio has spent years tracking Hacking Team's malware to the darkest regions of the planet. For a long time he's been claiming Hacking Team were up to no good, now we know he was right. We get him on to the show for a well-earned gloat.

read more

Hacking Team claims terrorists can now use its tools

Hacking Team has warned that a devastating data breach it suffered will allow its spying tools to be used by criminals and terrorists.The Milan-based security company, which develops surveillance tools for mostly government clients, saw more than 400GB of internal data released on Sunday, including emails, clients lists, financial information and source code.“Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so,” wrote Hacking Team spokesman Eric Rabe in a news release on Wednesday. “We believe this is an extremely dangerous situation.”To read this article in full or to leave a comment, please click here

United’s woes show what’s hard about networking

United Airlines grounded its planes for about an hour on Wednesday, reportedly because of a router failure. That’s a wide path of destruction for one piece of equipment, but it’s the kind of hazard that comes with networking, where each piece is always linked to everything else.The grounding, which started around 8:30 a.m. Eastern time, caused delays across United’s routes and stranded passengers. It came on the same day that a computer-related outage halted trading on the New York Stock Exchange, and just weeks after another technology-related service interruption at United.To read this article in full or to leave a comment, please click here

United’s woes show what’s hard about networking

United Airlines grounded its planes for about an hour on Wednesday, reportedly because of a router failure. That’s a wide path of destruction for one piece of equipment, but it’s the kind of hazard that comes with networking, where each piece is always linked to everything else. The grounding, which started around 8:30 a.m. Eastern time, caused delays across United’s routes and stranded passengers. It came on the same day that a computer-related outage halted trading on the New York Stock Exchange, and just weeks after another technology-related service interruption at United.To read this article in full or to leave a comment, please click here

United’s woes show what’s hard about networking

United Airlines grounded its planes for about an hour on Wednesday, reportedly because of a router failure. That’s a wide path of destruction for one piece of equipment, but it’s the kind of hazard that comes with networking, where each piece is always linked to everything else. The grounding, which started around 8:30 a.m. Eastern time, caused delays across United’s routes and stranded passengers. It came on the same day that a computer-related outage halted trading on the New York Stock Exchange, and just weeks after another technology-related service interruption at United.To read this article in full or to leave a comment, please click here

Big Flowering Thing

This is a rant. It borrows emotional (and some verbal) inspiration from Lewis Black’s “Big F**king Thing” bit. However, in order to keep things light and professional, I will be using the term “flower” in lieu of the four-letter word that I am using in my head. It’s not unreasonable that ongoing operations for existing applications, and as a result, remaining profitable, have been and always will be the priority.

Big Flowering Thing

This is a rant. It borrows emotional (and some verbal) inspiration from Lewis Black’s “Big F**king Thing” bit. However, in order to keep things light and professional, I will be using the term “flower” in lieu of the four-letter word that I am using in my head. It’s not unreasonable that ongoing operations for existing applications, and as a result, remaining profitable, have been and always will be the priority.
1 3,371 3,372 3,373 3,374 3,375 3,808