IBM: Mobile app security stinks

Major weaknesses in mobile application development make enterprise data vulnerable to attack.That was the major conclusion from an IBM/Ponemon study released today which found large companies, including many in the Fortune 500 aren’t properly securing mobile apps they build for customers nor their corporate and BYOD mobile devices. (Read the entire study.)+ More on Network World: The 10 most common mobile security problems and how you can fight them +To read this article in full or to leave a comment, please click here

Mobile security: iOS vs. Android vs. BlackBerry vs. Windows Phone

Apple's iPhone and iPad long ago pushed out the BlackBerry as the corporate standard for mobile devices, in all but the highest-security environments. Google -- whose Android platform reigns outside the corporate world -- is now trying to push out Apple, with a new effort called Android for Work. And Samsung is upping the game with a new version of its own Android security suite, Knox.To read this article in full or to leave a comment, please click here(Insider Story)

OpenSSL Security Advisory of 19 March 2015

Today there were multiple vulnerabilities released in OpenSSL, a cryptographic library used by CloudFlare (and most sites on the Internet). There has been advance notice that an announcement would be forthcoming, although the contents of the vulnerabilities were kept closely controlled and shared only with major operating system vendors until this notice.

Based on our analysis of the vulnerabilities and how CloudFlare uses the OpenSSL library, this batch of vulnerabilties primarily affects CloudFlare as a "Denial of Service" possibility (it can cause CloudFlare's proxy servers to crash), rather than as an information disclosure vulnerability. Customer traffic and customer SSL keys continue to be protected.

As is good security practice, we have quickly tested the patched version and begun a push to our production environment, to be completed within the hour. We encourage all customers to upgrade to the latest patched versions of OpenSSL on their own servers, particularly if they are using the 1.0.2 branch of the OpenSSL library.

The individual vulnerabilities included in this announcement are:

  • OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
  • Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
  • Multiblock corrupted pointer (CVE-2015-0290)
  • Segmentation fault in DTLSv1_listen (CVE-2015-0207)
  • Segmentation fault in ASN1TYPE Continue reading

Ansible Simplicity Keeps Shining

Less-but-better

When Ansible was first founded three years ago, the underlying premise was to simplify some of the complexity in the existing DevOps tools. The mere idea of needing a strong developer toolset to automate your IT infrastructure was an overwhelming concept for most. I believe this is one of the underlying reasons that the majority of the IT shops are still using home-crafted scripts to automate updates to their infrastructure and shying away from having to add more complexity to an already complex world.

The well known quote from, Dieter Rams, the famous industrial designer, saying: “Less but Better”, has become somewhat of a guiding principle for Ansible. Being able to achieve in few lines of YAML script, during lunch hour what you can’t do in days of writing code with others.  

In fact, not only do we apply that principle to our products in general, but to other operational things we do at Ansible, Inc. -  from our internal communication to the onboarding process of new employees to how we handle customer support tickets. We are building an organization and an enterprise product based on simplicity. In fact, I’ve become a strong believer in the notion that complex Continue reading

GoogleX exec: Where we went wrong with Glass

Google botched its wearable, Google Glass, and now the director of GoogleX labs is openly talking about it.Astro Teller, Google's director of its research arm, GoogleX, was speaking to an audience at the South by Southwest conference in Austin on Tuesday when he said the company made mistakes with Glass.MORE ON NETWORK WORLD: 12 most powerful Internet of Things companies Google, according to Teller, needs to work out its wearable's battery and privacy issues, and address miscommunications about the state of the project.To read this article in full or to leave a comment, please click here

Portable storage for the paranoid: We test two secure USB drives on keypad vs. software security

Congratulations: You’ve decided your data is sensitive enough (or you’re paranoid enough) to store it on a secure USB drive. Basically encrypted storage on a stick, these portable flash drives come with FIPS 140-2 level three validation, meaning the cryptographic module will be rendered inoperable if tampering is detected. It costs quite a bit to acquire validation, which is part of the reason for premium pricing of these drives.Most people administer and unlock secure USB drives using software apps, which run on the host machines to interact with the drive. That’s the approach taken by the Kingston Data Traveler 4000 G2 (second generation) USB 3.0 thumb drive that’s reviewed here.To read this article in full or to leave a comment, please click here

Making STIG Automation Possible: A Technical Deep Dive

Ansible architect and craft beer connoisseur Jonathan Davila played a critical role in working with our trusted security partner MindPoint Group to get our joint automated security baseline project off the ground. With our release this week of the DISA STIG for RHEL 6, we’ve immediately improved the lives of Government IT admins that struggle to ensure their systems are compliant.

Merely building the Ansible role for Red Hat Enterprise Linux 6 (And CentOS variants) STIG required more than writing and organizing a collection of playbooks. In order to ensure that the role actually achieved the remediation goal, we needed to validate and verify updates through a continuous integration testing process that leverages the DISA-provided SCAP/OVAL definitions.

You can learn more about the mechanics of how Jonathan and the MindPoint Group built the STIG Role, along with technical details about how to replicate this testing method in your own environment here.

Want to learn more about the how and why? Jonathan also penned a LinkedIn article with his own thoughts about why this is an important step in the right direction for any IT organization that’s concerned about automagically applying and validating security baselines.

Learn more about automated baseline testing.
Continue reading

Big network names oppose Title II regulations, with major exceptions

The FCC’s net neutrality decision last month that imposed stricter regulations on Internet Service Providers, under Title II of the Communications Act of 1934, has networking companies opposing each other even more fiercely than usual.The industry is split, though not evenly, between those that support the idea of stricter ISP regulation, re-imposing stricter net neutrality standards and treating the service providers more as public utilities, and those that oppose the measures.+ ALSO ON NETWORK WORLD: Microsoft's deal with Xiaomi over Windows 10 raises eyebrows | Top 11 oddball real-world tech job interview questions +To read this article in full or to leave a comment, please click here

Opera buys VPN service to help protect user privacy

Norwegian browser developer Opera Software has bought virtual private network service SurfEasy to help its users protect their privacy when accessing the Web from smartphones, tablets and computers.The acquisition of the Canadian company also appears to be the latest in the company’s strategy to expand into other products beyond the browser.SurfEasy offers applications to encrypt Internet traffic on Windows, Mac, iOS and Android devices as well as a password-protected USB plug-in that lets users browse securely from any computer or network, without leaving a trace.Opera bought SurfEasy because Internet users are increasingly looking for ways to securely access the Internet, the company said in a release announcing the deal. The financial terms of the deal were not disclosed.To read this article in full or to leave a comment, please click here

Opera buys VPN service to help protect user privacy

Norwegian browser developer Opera Software has bought virtual private network service SurfEasy to help its users protect their privacy when accessing the Web from smartphones, tablets and computers.The acquisition of the Canadian company also appears to be the latest in the company’s strategy to expand into other products beyond the browser.SurfEasy offers applications to encrypt Internet traffic on Windows, Mac, iOS and Android devices as well as a password-protected USB plug-in that lets users browse securely from any computer or network, without leaving a trace.Opera bought SurfEasy because Internet users are increasingly looking for ways to securely access the Internet, the company said in a release announcing the deal. The financial terms of the deal were not disclosed.To read this article in full or to leave a comment, please click here

Huawei multiplies partnerships with software and service providers

Chinese telecommunications and networking equipment giant Huawei Technologies is partnering left, right and center at Cebit as it seeks to more firmly establish itself in Europe.Huawei derives around one-tenth of its revenue from enterprise products, with the bulk of the rest coming from mobile phones or carrier networking equipment. But the company has bigger ambitions for this segment.Germany is still a major manufacturing power, and one of the focuses of the Cebit trade show is the modernization of its industries through what the Germans call “Industry 4.0,” a move to increase interoperability and real-time monitoring in manufacturing and distribution systems.To read this article in full or to leave a comment, please click here

VCDX-NV Interview: Chris Wahl

Chris Wahl is a Senior Solutions Architect at Ahead, located in Chicago, Ill.  He has more than 14 years of experience as an IT Pro. Chris originally went to school for networking, and has a bachelor’s degree in networking and communications chris-wahl-redmanagement. More recently he’s been doing sys admin work in sys admin engineering, architecture, and data center focused projects. His certifications include VMware VCDX #104, Cisco CCNA data center and CCNP router and switch certifications for which he also teaches classes, and several other VMware, Cisco, Microsoft, and HP certifications. He is also one of the first VCDX-NV certified professionals

What excites you about network virtualization?

I spent quite a few of years managing every type of virtualized infrastructure you can imagine, ranging from very small and medium sized businesses, to a 16,000 person enterprise with over 1,000 virtual machines. In every instance, the roadblock was always the network to the point where in the large deployment that I managed, we would just plan that any network change would take three weeks even if it was just a VLAN on a port. We could pretty much guarantee that it would be about two weeks to make Continue reading

Microsoft to release lowest-priced Lumia smartphone yet

Building on the launch earlier this year of two low-cost Lumia phones, Microsoft has taken the price down even further for its latest smartphone.Also targeted at emerging markets, the Lumia 430 will be priced at US$70 before taxes, when bought without carrier subsidies, and represents Microsoft’s most affordable Lumia smartphone yet.In January, the U.S. tech giant unveiled the Lumia 435 and the Lumia 532 that are priced just a notch higher.Although limited in specs, the three phones strengthen Microsoft’s product offerings for a market segment in which low-cost Android handsets are dominant. Globally, Microsoft’s Windows Phone OS only had a 2.8 percent market share in last year’s fourth quarter, according to research firm IDC.To read this article in full or to leave a comment, please click here

March Madness 2015: Cool apps, alternative brackets, and tools to win your pool

Sports!The 2015 NCAA tournament kicks off in earnest today, now that the play-in rounds are complete and the final 64 teams are set. There are more ways to keep up with the action now than ever before. Here are the video streaming options, mobile apps, and other tools to help you stay informed and up-to-date with the action.Obligatory streaming slideGone are the days of digging through message boards and clicking on suspicious URLs to try to find a live stream of NCAA tournament games while at work. The NCAA streams all of the action through its March Madness Live app, available on the web as well as on iOS and Android. And for those watching at work, March Madness Live has the "Boss Button," which, when clicked, opens a fake PowerPoint-style document complete with nonsense bar graphs that will make you look like you're actually being productive when your boss happens to walk by. Genius.To read this article in full or to leave a comment, please click here

Yahoo exits China, closing R&D center

Yahoo is closing its only remaining office in China and laying off between 200 and 300 employees there, news reports said on Wednesday.The moves are part of CEO Marissa Mayer’s efforts to rein in costs at the aging Internet company. Yahoo’s office in Beijing, the company’s only physical presence in mainland China, has housed an R&D center employing engineers.“We will be consolidating certain functions into fewer offices, including to our headquarters in Sunnyvale, California,” a Yahoo representative told the Wall Street Journal.To read this article in full or to leave a comment, please click here

1 3,521 3,522 3,523 3,524 3,525 3,785