OpenSSL fixes serious denial-of-service bug, 11 other flaws

The mystery high-severity flaw that people were expected to be fixed in OpenSSL is no Heartbleed, but it is serious and users should update.Earlier this week, the OpenSSL Project advised users that patches scheduled to be released Thursday will address several security flaws, one of which was classified as high severity. The announcement gave rise to speculation and some people thought the upcoming vulnerability might have wide-ranging impact, on par with the critical Heartbleed flaw disclosed last April, which affected Web servers, client software, mobile apps and even hardware appliances.To read this article in full or to leave a comment, please click here

Inside look at Google’s Android Auto in action

Today, Google and Pioneer announced three aftermarket stereo systems using Android 5.0 for entertainment, navigation, and communications. This partnership with Pioneer moves interaction with the mobile apps from the handheld smartphone to the dashboard display, with hopes of reducing car accidents from smartphone-induced driver distraction, which the National Safety Council recently estimated (PDF) causes one in four accidents.The announcement officially means Android Auto is out of beta and also foretells that smartphone-compatible cars will soon appear in car dealer showrooms. Hyundai announced at the LA Auto Show that it will deliver Android Auto on some of its 2015 model year cars, and Google has an extended list of car maker partners expected to introduce new 2016 model-year cars with Android Auto support.To read this article in full or to leave a comment, please click here

Net neutrality rules let FCC police future ISP conduct

The U.S. Federal Communications Commission’s new net neutrality rules allow the agency to police future network management practices and business models rolled out by broadband providers, raising concerns among critics that an activist commission will inject itself into ISP board rooms.The so-called future conduct standard in the FCC’s new rules leave questions about what ISP practices the agency will allow, critics say. Following the FCC’s publication of the new rules last week, the future conduct standard has raised perhaps the most objections, other than complaints about the agency’s decision to reclassify broadband as a regulated, common-carrier service.To read this article in full or to leave a comment, please click here

Net neutrality rules let FCC police future ISP conduct

The U.S. Federal Communications Commission’s new net neutrality rules allow the agency to police future network management practices and business models rolled out by broadband providers, raising concerns among critics that an activist commission will inject itself into ISP board rooms.The so-called future conduct standard in the FCC’s new rules leave questions about what ISP practices the agency will allow, critics say. Following the FCC’s publication of the new rules last week, the future conduct standard has raised perhaps the most objections, other than complaints about the agency’s decision to reclassify broadband as a regulated, common-carrier service.To read this article in full or to leave a comment, please click here

Tim Cook talks Apple Watch, Steve Jobs, and more

With about a month to before the Apple Watch launches, Apple CEO Tim Cook sat down with Fast Company for a wide-ranging interview that touched on a number of pertinent topics.When asked rather directly about the perception among many that the Apple Watch still lacks an overarching use case, Cook articulated that similar pessimism colored previous Apple product launches. With the iPod, the expectations for Apple itself at that time were very low. And then most people panned the iPod's price. Who wants this? Who will buy this? We heard all the usual stuff. On iPhone, we set an expectation. We said we'd like to get 1% of the market, 10 million phones for the first year. We put that flag in the sand, and we wound up exceeding it by a bit.To read this article in full or to leave a comment, please click here

Anti-censorship group in China faces DDoS attack

An activist group working to end China’s Internet censorship is facing an ongoing distributed denial of service (DDoS) attack that threatens to cripples its activities.GreatFire.org, a censorship watchdog based within the country, reported on Thursday that it had been hit with its first ever DDoS attack.Although it’s not known who is behind the attack, China has been suspected of using the tactic before to take down activist websites.DDoS attacks work by using an army of hacked computers to send an overwhelming amount of traffic to a website, effectively disabling it.To read this article in full or to leave a comment, please click here

Target to pay $10 million in proposed settlement for 2013 data breach

Target has agreed to pay US$10 million in a proposed settlement to a class-action lawsuit stemming from its massive 2013 data breach.The proposal, which requires U.S. federal court approval, calls for individual victims to receive up to $10,000. As many as 110 million people were affected by the attack, which occurred during the holiday shopping season.The proposed settlement includes measures to better protect the customer data that Target collects, according to documents filed with the U.S. District Court, District of Minnesota. Target must develop and test a security program for protecting consumer data and implement a process of monitoring and identifying security threats. The company must also provide its employees with security training around keeping consumer data safe. After the settlement’s approval, Target would have five years to implement these measures.To read this article in full or to leave a comment, please click here

IBM’s OpenPower project takes strides with first commercial server

An IBM project to expand the market for its Power processor is making headway, with new hardware announced Wednesday that aims to challenge Intel's dominance in the data center.IBM still has a lot of work to do, but the project it launched two years ago to open up the Power architecture for use by other hardware makers is gaining momentum. The idea is to lower the cost of Power-based systems so they can be sold into hyperscale data centers and high-performance computing environments, areas dominated today by x86 processors.Tyan, a server manufacturer in Taiwan, will deliver the first commercially available OpenPower server in the second quarter, a two-socket system aimed at hyperscale customers such as Internet service and cloud providers, IBM said.To read this article in full or to leave a comment, please click here

IBM: Mobile app security stinks

Major weaknesses in mobile application development make enterprise data vulnerable to attack.That was the major conclusion from an IBM/Ponemon study released today which found large companies, including many in the Fortune 500 aren’t properly securing mobile apps they build for customers nor their corporate and BYOD mobile devices. (Read the entire study.)+ More on Network World: The 10 most common mobile security problems and how you can fight them +To read this article in full or to leave a comment, please click here

Mobile security: iOS vs. Android vs. BlackBerry vs. Windows Phone

Apple's iPhone and iPad long ago pushed out the BlackBerry as the corporate standard for mobile devices, in all but the highest-security environments. Google -- whose Android platform reigns outside the corporate world -- is now trying to push out Apple, with a new effort called Android for Work. And Samsung is upping the game with a new version of its own Android security suite, Knox.To read this article in full or to leave a comment, please click here(Insider Story)

OpenSSL Security Advisory of 19 March 2015

Today there were multiple vulnerabilities released in OpenSSL, a cryptographic library used by CloudFlare (and most sites on the Internet). There has been advance notice that an announcement would be forthcoming, although the contents of the vulnerabilities were kept closely controlled and shared only with major operating system vendors until this notice.

Based on our analysis of the vulnerabilities and how CloudFlare uses the OpenSSL library, this batch of vulnerabilties primarily affects CloudFlare as a "Denial of Service" possibility (it can cause CloudFlare's proxy servers to crash), rather than as an information disclosure vulnerability. Customer traffic and customer SSL keys continue to be protected.

As is good security practice, we have quickly tested the patched version and begun a push to our production environment, to be completed within the hour. We encourage all customers to upgrade to the latest patched versions of OpenSSL on their own servers, particularly if they are using the 1.0.2 branch of the OpenSSL library.

The individual vulnerabilities included in this announcement are:

  • OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
  • Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
  • Multiblock corrupted pointer (CVE-2015-0290)
  • Segmentation fault in DTLSv1_listen (CVE-2015-0207)
  • Segmentation fault in ASN1TYPE Continue reading

Ansible Simplicity Keeps Shining

Less-but-better

When Ansible was first founded three years ago, the underlying premise was to simplify some of the complexity in the existing DevOps tools. The mere idea of needing a strong developer toolset to automate your IT infrastructure was an overwhelming concept for most. I believe this is one of the underlying reasons that the majority of the IT shops are still using home-crafted scripts to automate updates to their infrastructure and shying away from having to add more complexity to an already complex world.

The well known quote from, Dieter Rams, the famous industrial designer, saying: “Less but Better”, has become somewhat of a guiding principle for Ansible. Being able to achieve in few lines of YAML script, during lunch hour what you can’t do in days of writing code with others.  

In fact, not only do we apply that principle to our products in general, but to other operational things we do at Ansible, Inc. -  from our internal communication to the onboarding process of new employees to how we handle customer support tickets. We are building an organization and an enterprise product based on simplicity. In fact, I’ve become a strong believer in the notion that complex Continue reading

GoogleX exec: Where we went wrong with Glass

Google botched its wearable, Google Glass, and now the director of GoogleX labs is openly talking about it.Astro Teller, Google's director of its research arm, GoogleX, was speaking to an audience at the South by Southwest conference in Austin on Tuesday when he said the company made mistakes with Glass.MORE ON NETWORK WORLD: 12 most powerful Internet of Things companies Google, according to Teller, needs to work out its wearable's battery and privacy issues, and address miscommunications about the state of the project.To read this article in full or to leave a comment, please click here

Portable storage for the paranoid: We test two secure USB drives on keypad vs. software security

Congratulations: You’ve decided your data is sensitive enough (or you’re paranoid enough) to store it on a secure USB drive. Basically encrypted storage on a stick, these portable flash drives come with FIPS 140-2 level three validation, meaning the cryptographic module will be rendered inoperable if tampering is detected. It costs quite a bit to acquire validation, which is part of the reason for premium pricing of these drives.Most people administer and unlock secure USB drives using software apps, which run on the host machines to interact with the drive. That’s the approach taken by the Kingston Data Traveler 4000 G2 (second generation) USB 3.0 thumb drive that’s reviewed here.To read this article in full or to leave a comment, please click here

Making STIG Automation Possible: A Technical Deep Dive

Ansible architect and craft beer connoisseur Jonathan Davila played a critical role in working with our trusted security partner MindPoint Group to get our joint automated security baseline project off the ground. With our release this week of the DISA STIG for RHEL 6, we’ve immediately improved the lives of Government IT admins that struggle to ensure their systems are compliant.

Merely building the Ansible role for Red Hat Enterprise Linux 6 (And CentOS variants) STIG required more than writing and organizing a collection of playbooks. In order to ensure that the role actually achieved the remediation goal, we needed to validate and verify updates through a continuous integration testing process that leverages the DISA-provided SCAP/OVAL definitions.

You can learn more about the mechanics of how Jonathan and the MindPoint Group built the STIG Role, along with technical details about how to replicate this testing method in your own environment here.

Want to learn more about the how and why? Jonathan also penned a LinkedIn article with his own thoughts about why this is an important step in the right direction for any IT organization that’s concerned about automagically applying and validating security baselines.

Learn more about automated baseline testing.
Continue reading

Big network names oppose Title II regulations, with major exceptions

The FCC’s net neutrality decision last month that imposed stricter regulations on Internet Service Providers, under Title II of the Communications Act of 1934, has networking companies opposing each other even more fiercely than usual.The industry is split, though not evenly, between those that support the idea of stricter ISP regulation, re-imposing stricter net neutrality standards and treating the service providers more as public utilities, and those that oppose the measures.+ ALSO ON NETWORK WORLD: Microsoft's deal with Xiaomi over Windows 10 raises eyebrows | Top 11 oddball real-world tech job interview questions +To read this article in full or to leave a comment, please click here

Opera buys VPN service to help protect user privacy

Norwegian browser developer Opera Software has bought virtual private network service SurfEasy to help its users protect their privacy when accessing the Web from smartphones, tablets and computers.The acquisition of the Canadian company also appears to be the latest in the company’s strategy to expand into other products beyond the browser.SurfEasy offers applications to encrypt Internet traffic on Windows, Mac, iOS and Android devices as well as a password-protected USB plug-in that lets users browse securely from any computer or network, without leaving a trace.Opera bought SurfEasy because Internet users are increasingly looking for ways to securely access the Internet, the company said in a release announcing the deal. The financial terms of the deal were not disclosed.To read this article in full or to leave a comment, please click here

1 3,516 3,517 3,518 3,519 3,520 3,780