Archive for ‘Misc’

15/04/2014

The Heartbleed vulnerability: how does it apply to you?


We live in a world where technical vulnerabilities can sometimes be a dime a dozen. Let’s face it, what with Microsoft’s Patch Tuesday, the latest stream of Adobe threats, and the problems with Java and Javascript, it can be overwhelming to keep up on the latest big risks in IT and whether they really apply to your environment. This is compounded by the fact that many well-publicized vulnerabilities may not always have a visible impact, making us a bit lackadaisical or blasé.

However, if you work in technology, your job is to not be lackadaisical; it’s your responsibility to take each risk seriously and give it your utmost attention since security is everyone’s problem. Critical Internet Explorer flaws might not mean much if your users are all on Firefox, but what about the home machines they use to connect to the company? We’re all in the same swimming pool when it comes to security.

With that in mind, a vulnerability known as Heartbleed (or CVE-2014-0160) was recently discovered in OpenSSL 1.0.1 and the 1.0.2-beta releases. OpenSSL is used on web servers, email servers, virtual private network (VPN) systems and some client applications, which shows how widespread this threat can be.

Heartbleed hysteria went viral in a span of hours, kicking off on Monday, April 7. Just a few days later it was getting more coverage than the Super Bowl. As a system administrator I can state that I have rarely – if ever – seen a threat like this gain so much press so quickly. CNET has posted several articles on the topic, including Heartbleed bug also affects Cisco and Juniper equipment, while ZDNet covered How to protect yourself in Heartbleed’s aftershocks and Heartbleed’s engineer: It was an ‘accident’.

What is Heartbleed?

The technical description states that “The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.”

Essentially, it’s a flaw in a product called OpenSSL which, ironically enough, is supposed to secure web traffic through encryption. The flaw sits in OpenSSL’s implementation of the TLS heartbeat extension (RFC 6520), a keep-alive style message in which one side sends a small payload and expects it echoed back. A vulnerable OpenSSL copies as many bytes into the reply as the sender’s length field claims, without checking that the request actually carried that many, so a malicious peer can read up to 64 KB of the other side’s process memory per request, and can repeat the request as often as it likes. The data comes back in the clear because it is whatever the process held in memory at the time: passwords, emails and financial information, or the private keys used for encryption. Any of these could produce devastating results, and the attack works against a vulnerable client just as well as a vulnerable server. The full technical details are here.
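To make the missing bounds check concrete, here is an added example in C. It is written for this page and is not OpenSSL’s own code (the real handler lives in t1_lib.c and d1_both.c); it models the heartbeat handler before and after the 1.0.1g fix on a constructed memory image, a heartbeat request followed by bytes that stand in for neighbouring heap data. The function names, the “ping” payload, the fake secret and the claimed length of 48 are all assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL source: a reduced model of tls1_process_heartbeat()
 * before and after the 1.0.1g fix. Record framing, MAC and encryption are left out;
 * only the part that reads the attacker-supplied length field is reproduced. */

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16          /* RFC 6520: at least 16 bytes of random padding */
#define REAL_PAYLOAD_LEN 4           /* bytes the attacker actually sends ("ping") */
#define RECORD_LEN (1 + 2 + REAL_PAYLOAD_LEN + HB_PADDING)

/* Constructed stand-in for whatever happened to follow the record on the heap. */
static const uint8_t secret_tail[] = "SESSION=abc123;KEY=-----BEGIN RSA-----";

/* Constructed image of a slice of process memory (not a real dump): the received
 * record first, then the unrelated neighbouring data. */
static uint8_t memory_image[RECORD_LEN + sizeof(secret_tail)];

/* Largest response OpenSSL could build: 1 + 2 + 65535 + padding. */
static uint8_t resp_buf[1 + 2 + 65535 + HB_PADDING];

/* Write a heartbeat request into memory_image. claimed_len goes into the length
 * field; the payload really sent is always REAL_PAYLOAD_LEN bytes. Returns the
 * record length the TLS record layer would report (rrec.length). */
static size_t build_request(uint16_t claimed_len) {
    uint8_t *p = memory_image;
    *p++ = TLS1_HB_REQUEST;
    *p++ = (uint8_t)(claimed_len >> 8);        /* s2n() */
    *p++ = (uint8_t)(claimed_len & 0xff);
    memcpy(p, "ping", REAL_PAYLOAD_LEN);  p += REAL_PAYLOAD_LEN;
    memset(p, 0xAA, HB_PADDING);          p += HB_PADDING;
    memcpy(p, secret_tail, sizeof(secret_tail));   /* neighbouring heap contents */
    return RECORD_LEN;
}

/* Shared tail: build the response the way OpenSSL does. */
static size_t write_response(const uint8_t *pl, uint16_t payload, uint8_t *resp) {
    uint8_t *bp = resp;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, pl, payload);              /* copies 'payload' bytes, wherever they come from */
    bp += payload;
    memset(bp, 0, HB_PADDING);            /* RAND_pseudo_bytes() in the real code */
    bp += HB_PADDING;
    return (size_t)(bp - resp);
}

/* Pre-1.0.1g: the length field is trusted and rec_len is never consulted. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp) {
    (void)rec_len;                        /* the bug: the real record length is ignored */
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s() */
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return write_response(p, payload, resp);   /* over-reads past the real payload */
}

/* 1.0.1g: the two checks added by the fix; a bad message is silently discarded. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp) {
    if (1 + 2 + HB_PADDING > rec_len) return 0;          /* too short for type + length + padding */
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;   /* the Heartbleed check */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return write_response(p, payload, resp);
}

static int contains(const uint8_t *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Attacker claims 48 bytes but sends 4. The claim is kept inside the constructed
 * image so the demo does not fault; a real attacker claimed 65535 and OpenSSL read that far. */
size_t demo_vulnerable_leak(void)  { return heartbeat_vulnerable(memory_image, build_request(48), resp_buf); }
int    demo_response_leaks_key(void) { return contains(resp_buf, demo_vulnerable_leak(), "KEY="); }
size_t demo_fixed_rejects(void)    { return heartbeat_fixed(memory_image, build_request(48), resp_buf); }
size_t demo_fixed_echo(void)       { return heartbeat_fixed(memory_image, build_request(REAL_PAYLOAD_LEN), resp_buf); }
int    demo_fixed_echo_ok(void)    { return demo_fixed_echo() == RECORD_LEN && memcmp(resp_buf + 3, "ping", 4) == 0; }

int main(void) {
    size_t n = demo_vulnerable_leak();
    printf("vulnerable: %zu-byte response, leaks key material: %s\n", n, demo_response_leaks_key() ? "yes" : "no");
    printf("fixed, forged length: %zu bytes (discarded)\n", demo_fixed_rejects());
    printf("fixed, honest length: echo ok: %s\n", demo_fixed_echo_ok() ? "yes" : "no");
    return 0;
}
```

The vulnerable path answers a 4-byte “ping” with a 67-byte response whose payload runs on into the fake session and key material; the fixed path discards the forged request outright and still echoes an honest one. Note that the fix is a length check against the record, not an input filter: there is nothing else in a heartbeat message to validate.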

The technology-oriented comic strip XKCD summed it up nicely:


Anything running OpenSSL 1.0.1 through 1.0.1f is vulnerable to the Heartbleed threat. An advisory site called heartbleed.com lists the operating systems that shipped one of those versions as “potentially vulnerable”.

On the same note, the site says these operating systems are not vulnerable:

  • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
  • SUSE Linux Enterprise Server
  • FreeBSD 8.4 – OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD 9.2 – OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD Ports – OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

Don’t conclude that only Linux servers are at risk. Windows itself, and IIS, use Microsoft’s own TLS stack rather than OpenSSL, but a Windows server may still be susceptible if it runs third-party software that bundles its own copy of a vulnerable OpenSSL.

This threat is not theoretical; this is really happening. It has impacted Yahoo, for instance (and they have scrambled to correct it). Google, Amazon and Facebook have also addressed the subject; Google claims they “fixed this bug early” and Amazon stated the same, claiming that their sites are no longer affected by it. However, Netcraft.com states that “Half a million widely trusted websites vulnerable to the Heartbleed bug.” To put it another way, Kelly Jackson Higgins of Darkreading.com wrote that “17 percent of SSL-secured websites [are affected].”

Many websites your users connect to might be vulnerable – and worse, your systems might be compromised as well. Cue the scary horror movie bass.

Why is this suddenly a big deal?

The crazy thing about this one is that the bug was introduced at the end of 2011 and shipped in OpenSSL 1.0.1 in March 2012, so it has been sitting in production systems for about two years. It wasn’t widely known before April 7, which bought a kind of accidental “security through obscurity”; now it’s a big deal because the bad guys have hopped on the train and are scanning servers looking for an opportunity to exploit them.

Furthermore, it’s a special kind of threat because it consists of a double-whammy: both your clients and servers may be at risk, since a vulnerable client can be attacked by a malicious server just as a vulnerable server can be attacked by a malicious client. Last but not least, a successful read leaves no trace in normal server logs, so there is no way to tell whether your data or credentials have been affected until they are misused by someone else.

What can we do to protect our systems and our customers/users/selves?

It seems everyone in the IT industry is weighing in on the topic. Dodi Glenn, senior director of security intelligence and research labs at ThreatTrack Security, said:

“If a server administrator is running 1.0.1 or 1.0.2-beta of OpenSSL, they should upgrade as soon as possible. The vulnerability has been fixed in OpenSSL 1.0.1g, however, if they cannot upgrade to the patched version, they can disable heartbeat support, which is where the vulnerability exists. If a company has been running with one of the vulnerable versions of OpenSSL for a decent amount of time, they should assume that their certificates and keys have been compromised. They should begin the process of replacing these keys and certificates, particularly if the server in question contained sensitive data. Additionally, companies running the vulnerable versions of OpenSSL should advise their customers to change their passwords. Administrators can upgrade their version of OpenSSL by visiting https://www.openssl.org/source.

If the server is running an older version of OpenSSL such as 0.9.8, they do not need to upgrade, as this bug was not found in this version. Additional information regarding the vulnerability (CVE-2014-0160) can be found here: https://www.openssl.org/news/secadv_20140407.txt….

“This bug is serious and you need to worry about it – whether you are a user or a systems administrator,” said Gary McGraw, CTO of software security firm Cigital and speaker at Rock Stars of Cybersecurity. “If you are a user, change your passwords on all the websites you use. Really. Do it now. If you are a sys admin, see if you are vulnerable with tests at http://filippo.io/Heartbleed/ or https://www.ssllabs.com/ssltest/index.html. Upgrade your server software. Retest. Generate a new SSL/TLS key and get a certificate for the new key. Revoke your old certificate. Have your users change their passwords.”

“The bug has existed for two years and it allows attackers to steal the keys that protect communication, user passwords, stored files, bank and financial information, and even social security numbers, in a way that goes unnoticed without leaving any trace. Some web sites have already announced they have fixed the problem, but it’s difficult to know what data has been compromised.”

With this advice in mind, I’ll break the recommended action items down to two categories: systems and users.

Here’s what you need to do for your systems

Look for what you need to patch

Since anything running OpenSSL might be at risk, you need to be aware of your environment and check all servers, devices or applications for anything running OpenSSL 1.0.1 through 1.0.1f (or a 1.0.2 beta). This should apply to both internal and external-facing systems; don’t assume a server to which only your local users have access is safe. You can check public websites for the Heartbleed vulnerability using this test page: http://filippo.io/Heartbleed/

Checking physical devices is likely going to be the easy part. It will be more of a challenge to figure out which applications are affected. Vulnerable applications might include programs like wget, curl, lynx, and perhaps other third party command line apps. According to security.stackexchange.com, these programs were found vulnerable to Heartbleed:

  • MariaDB 5.5.36
  • wget 1.15 (leaks memory of earlier connections and own state)
  • curl 7.36.0
  • git 1.9.1 (tested clone / push, leaks not much)
  • nginx 1.4.7 (in proxy mode, leaks memory of previous requests)

Since every company is different, ultimately this comes down to looking at where certificates are used. Redirect IT staff from other projects if necessary until you’ve got a list in your hand.
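For the inventory pass, the following added example (written for this page, not taken from the article or from OpenSSL) classifies OpenSSL version strings as they appear in `openssl version` output or in package names. The function name, the status enum and the host list are assumptions of the example. The backport case matters: Debian and Red Hat shipped the fix under the same upstream number (1.0.1e with a new package revision), so a bare `openssl version` still reads as affected on a patched host. Feed the function the package version (from `dpkg -s openssl` or `rpm -q openssl`) and let the package changelog settle the CHECK_BACKPORT cases.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the article or from OpenSSL. Classifies an OpenSSL
 * version string by the Heartbleed-affected ranges: upstream 1.0.1 through 1.0.1f
 * and the 1.0.2 betas. Accepts forms such as "1.0.1e", "OpenSSL 1.0.1e 11 Feb 2013",
 * "openssl-1.0.1e-16.el6_5.7", "1.0.1e-2+deb7u5" and "1.0.2-beta1". */

enum hb_status {
    HB_NOT_AFFECTED,   /* 0.9.8*, 1.0.0*, 1.0.1g and later, 1.0.2 final and later */
    HB_AFFECTED,       /* upstream 1.0.1 through 1.0.1f, or a 1.0.2 beta */
    HB_CHECK_BACKPORT, /* affected upstream number with a distribution revision attached:
                          the distro may have fixed CVE-2014-0160 under that number, so
                          the package changelog decides */
    HB_UNKNOWN         /* does not parse as an OpenSSL version */
};

enum hb_status heartbleed_status(const char *s) {
    int maj, min, fix, n;
    while (*s && !isdigit((unsigned char)*s)) s++;          /* skip "OpenSSL " / "openssl-" */
    if (sscanf(s, "%d.%d.%d%n", &maj, &min, &fix, &n) != 3) return HB_UNKNOWN;
    const char *rest = s + n;
    if (maj != 1 || min != 0) return HB_NOT_AFFECTED;       /* 0.9.8 line; 1.1 and later */
    if (fix == 2) return strstr(rest, "beta") ? HB_AFFECTED : HB_NOT_AFFECTED;
    if (fix != 1) return HB_NOT_AFFECTED;                   /* 1.0.0* never had heartbeat code */
    char letter = 0;
    if (isalpha((unsigned char)*rest)) letter = *rest++;    /* 1.0.1a .. 1.0.1f */
    if (letter >= 'g') return HB_NOT_AFFECTED;              /* 1.0.1g carries the fix */
    if (*rest == '-' || *rest == '+') return HB_CHECK_BACKPORT;  /* e.g. -16.el6_5.7, -2+deb7u5 */
    return HB_AFFECTED;
}

const char *hb_status_name(enum hb_status st) {
    switch (st) {
    case HB_NOT_AFFECTED:   return "not affected";
    case HB_AFFECTED:       return "AFFECTED: upgrade to 1.0.1g";
    case HB_CHECK_BACKPORT: return "affected upstream number; check the package changelog for CVE-2014-0160";
    default:                return "unknown version format";
    }
}

int main(void) {
    /* Constructed inventory lines, as an asset list or `openssl version` output might supply. */
    const char *inventory[] = {
        "web01    OpenSSL 1.0.1e 11 Feb 2013",
        "db02     openssl-1.0.1e-16.el6_5.7",
        "vpn01    1.0.1f",
        "mail01   0.9.8y",
        "build01  1.0.2-beta1",
        "lb01     1.0.1g",
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        const char *ver = strchr(inventory[i], ' ');        /* everything after the host name */
        printf("%-8.8s %s\n", inventory[i], hb_status_name(heartbleed_status(ver)));
    }
    return 0;
}
```

The classifier deliberately reports the upstream number as affected even when a date follows it, because that is all `openssl version` tells you; only a package version with a distribution revision gets the softer CHECK_BACKPORT answer. Version strings still miss statically linked or vendored copies of OpenSSL inside third-party applications, which is why the list of certificate-bearing systems above remains the authoritative inventory.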

Assess the impact

Before you go charging off with a fire hose, take a few moments to figure out what this means for your company. Was a public-facing server at risk? You’ll need to involve your customers. Was your VPN system in harm’s way? Your local and remote workers are now part of this plot. Perform a risk assessment to determine what information may have been accessible in a potential attack, and what you might need to do beyond technical measures to remediate this situation. For instance, were trade secrets kept on a SharePoint site accessible via the internet? Involve the departmental manager and begin a dialogue to assess what might happen if those secrets were accessed.

Notify, notify, notify

If you found affected systems in your company which are accessed by customers and users, keep them in the loop on what you’re doing. Put up a notice on your website, send out emails, and make phone calls where necessary. Let them know you will need to patch these systems (and perhaps reboot them, involving downtime unless you have redundancy), reissue certificates and change passwords – all in that order. Advise them that patching must come first to block the threat, and advise them to hold off on changing passwords until further notice (since they’ll just have to do it again after the patch work is finished).

Establish timelines as to when this will be done and keep them in the loop throughout the process.

Apply applicable patches/fixes

Update the appropriate systems to OpenSSL 1.0.1g, or to a distribution package that backports the fix; the 0.9.8 and 1.0.0 branches never contained the heartbeat code and need no update. Remember that a running service keeps the old shared library mapped until it is restarted, so restart (or reboot) every process that loaded OpenSSL after the package is replaced. An advisory site called heartbleed.com recommends that: “If an upgraded package is not yet available for your OS, software developers can recompile OpenSSL with the handshake removed from the code by compile time option ‘-DOPENSSL_NO_HEARTBEATS’”

Patch internal and external-facing systems with equal priority, but I recommend starting with the external-facing ones.

Replace certificates on any impacted systems

It’s very simple (in theory): any systems you patched should now have certificates reissued with new keys, whether from an inside or outside certificate authority, and the old certificates revoked so a stolen key cannot be used to impersonate you. This includes both server and client certificates. This is an excellent reason why inherent familiarity with your certificates and how they work will be an asset whether on quiet or chaotic days.

Change passwords on any impacted systems

You may be tempted to take this step first, but don’t – it’s of no value until the affected servers are patched. Once this has been done and the certificates replaced, then you should proceed with password resets.

Here’s what you need to do for your customers/users

Let your customers know your status

All patched and cleaned up? Explain to your customers what else you’re doing to ensure the security of their accounts and data. Even if you didn’t find any systems vulnerable to Heartbleed, you should still communicate your status to them since they’ll likely have heard of this threat and want to know whether your company – and therefore their information – was at risk.

Provide guidelines to advise users what to do about external systems

Even though some say there’s nothing users can do until the servers are patched, there are still some precautions you can provide to your users (and which you should follow as well) in their approach to outside systems out of your control.

Advise them to review this list provided by Mashable and this list provided by CNET to see which popular public sites and email services may have been impacted (note that none of the banking sites on the list appear to have been affected). Also have them check this “Top 10K vulnerable site list” to see if anything they use appears there. Have them manually check websites for the Heartbleed vulnerability using this test page: http://filippo.io/Heartbleed/.

If users access systems which are (or were) vulnerable – or there is any doubt – advise them not to access these systems until they are clean (the CNET list will be continuously updated, and of course any reputable companies will notify them of their status as well), and the SSL certificates involved have been changed. Users should then change their passwords on these systems.

It’s critical to emphasize that even sites that are now clean aren’t necessarily off the hook; if there was a period of time when these were vulnerable that means data or credentials could have been harvested – and therefore the risk is not yet mitigated until these are replaced.

Yes, advising people to change passwords on what could be dozens of websites is sure to elicit groans of dismay. But regardless of what the latest vulnerability of the day might be, a thorough password change process should be familiar to any user or administrator. Password management utilities such as LastPass, SplashID, KeePass and Password Safe can help keep track of this and also enact strong, secure passwords.

Finally, instruct users not to use command-line tools such as wget and curl to access untrusted systems across the internet until those tools have been rebuilt against a fixed OpenSSL, since a vulnerable client can be bled by a malicious server just as a server can be bled by a client. Tell them to be prepared for this issue to go on for some time – it won’t be fixed in a day or even a week. Like an unwelcome visit from an in-law, Heartbleed is going to be a topic on our minds for quite some time to come. In the end it may be proclaimed the single biggest system vulnerability of all time.

Chatting with an expert

I was fortunate enough to be able to talk about Heartbleed with an expert named Justin Morgan, the information security officer at Litle & Co., a Vantiv company. Even though some of these points have been covered here already, Morgan fielded some of my questions on the topic with additional insights.

Scott Matteson: What is unique about Heartbleed, and how did this get so big, so fast?

Justin Morgan: “What makes Heartbleed unique is that it is a very small bug that has gigantic ramifications. Previous attacks on SSL/TLS have often been cryptographic in nature, meaning some aspect of the SSL/TLS security model was broken, whereas the Heartbleed bug is a simple bounds checking error. What makes it big is unlike previous attacks, which reduced the security of encrypted data in transit, Heartbleed exposes memory on the compromised host itself (both servers and clients). This means that an attacker could potentially read the contents of other web sessions in memory, or even the keys to the kingdom–the SSL certificate’s private key.”

SM: What operating systems are most affected by Heartbleed?

JM: “Primarily Unix-like systems, including Linux. Apple OS X, iOS, and Microsoft Windows are not affected. However, it’s important to realize that these systems may have third party software installed that has packaged the OpenSSL library.”

SM: I know that impacted systems should be patched to a later version of OpenSSL. Which version is safe?

JM: “Only OpenSSL 1.0.1 through 1.0.1f; 0.9.8 and 1.0.0 branches are not vulnerable (1.0.2 beta is vulnerable as well). It’s an interesting phenomenon to keep in mind: a critical vulnerability was introduced with new feature code (the TLS heartbeat extension, or RFC 6520). Adopting the bleeding edge version of critical security libraries will always have this risk.”

SM: Can you elaborate on the changing of SSL certificates; should any and all public-facing certificates be regenerated or are there certain stipulations involved?

JM: “Any certificate that was ever hosted on an internet-facing vulnerable version of OpenSSL should be revoked and replaced. The cost of exhaustively evaluating whether a certificate was in jeopardy is almost certainly going to be higher than the cost of simply replacing the certificate. This is also a good opportunity to make sure that your certificate key length and signature algorithms are ‘up to code.’”

SM: Is it safe to assume that ALL passwords on external sites should be changed?

JM: “Not necessarily. The exploit can only access data that is resident in memory, which is going to be a subset of all the information stored and transmitted by the vulnerable system. However, any application or site a user may have entered their credentials on in the last two years should be updated (and that’s probably most of them). As a side note, key-based authentication to vulnerable systems is not particularly compromised (i.e. you do not need to replace your SSH keys that you may have used to access vulnerable systems, but you should still rotate them periodically anyway).”

SM: How likely is it that this vulnerability has been exploited on a large scale prior to discovery of the bug on April 7?

JM: “It’s hard to say. It certainly wouldn’t be the first time a vulnerability had been discovered and exploited prior to a fix being developed. However, a successful exploit is difficult to detect even with active monitoring, and nearly impossible retroactively. Given that the bug is over two years old, my gut tells me that large scale use of an exploit would have been detected, but there’s no way to know for sure.”

SM: How would you recommend system admins best evaluate their environment to determine which devices are vulnerable to Heartbleed; security scans, manual check or something different?

JM: “If an organization has a mature configuration management database, the fastest way to take a first pass would be to pull a list of all the installed versions and compare it against the list of vulnerable versions. It’s also important to keep in mind some distribution ecosystems maintain separate versioning through backports, so administrators should consult their distribution-specific documentation.

Online scanners can potentially identify vulnerable servers, and there are a few that have recently popped up. However, it’s important to keep in mind that the vulnerability affects SSL/TLS clients as well, which would not get picked up in a scan.

Finally, library version checking and online scanning may not capture third party software that has packaged up vulnerable OpenSSL libraries. Even Windows administrators could be running third party software that is vulnerable, so it’s important to inventory your software and review the security bulletins issued by vendors.”

14/04/2014

Invitation to ‘Cloud IaaS-Smarter Outsourcing’ Webinar

10/04/2014

More Than A Half-Million Servers Exposed To Heartbleed Flaw

The newly exposed Heartbleed bug plaguing some 17 percent of SSL-secured websites as well as various VPN products has caused a massive case of Internet heartburn over the past 48 hours as companies rushed to confirm their exposure and lock down their SSL/TLS software. But just how bad is it?

Errata Security CEO Robert Graham scanned the Net for machines vulnerable to the implementation flaw in the so-called Heartbeat function of TLS, and discovered some 600,000 affected out of 28 million SSL machines. He estimates that some one-third of SSL machines had been patched with the update to the buggy OpenSSL library. Netcraft, meanwhile, says the buggy Heartbeat extension is enabled on 17.5 percent of SSL sites, which include close to a half-million digital certificates at risk of theft and spoofing from the attack.

Heartbleed may be one of the biggest Internet security events since security expert Dan Kaminsky found and helped coordinate a fix for the massive Domain Name Service (DNS) caching vulnerability in 2008. Bruce Schneier gives Heartbleed an 11 rating on an ascending scale of 1 to 10, and security companies and experts are issuing warnings of the severity of the bug. The flaw, a two-year old implementation bug in the open-source OpenSSL, has been fixed with the new OpenSSL 1.0.1g, but experts say to assume it’s already been abused by nation-states or cyber criminals given the two years it wasn’t publicly known.

Fixing Heartbleed isn’t cheap. The estimated cost to remedy the flaw is hundreds or thousands of dollars per server or application, according to Tatu Ylonen, inventor of the SSH protocol and CEO and founder of SSH Communications Security. That adds up to more than a billion dollars in overall labor and certificate renewal costs worldwide, Ylonen says.

The bug, in Versions 1.0.1 and 1.0.2 beta, leaks the contents of the memory from the server to the client and vice versa, potentially exposing passwords and other sensitive data and the SSL server’s private key. While there have been reports of Yahoo passwords exposed by the bug and massive nefarious scanning for the flaw on the Net and signs of attacks since Heartbleed was revealed late Monday, there’s still debate over just how easily exploitable the bug really is.

“Certainly, nation-states will have the best capability to quickly weaponize this vulnerability for large-scale exploitation,” Schneier says.

Carrying out an attack using this flaw is not for script kiddies, experts say. It would take a nation-state or organized crime organization. “There are not enough skilled attackers with non-attributable networks to safely carry out large-scale collection efforts using this vulnerability,” says security expert Ralph Logan, CEO of Kiku Software, a large data analytics software firm. For example, “In order to collect mail.yahoo.com uid:pass pairs using this vulnerability, you would need a giant non-attributable network larger than TOR, but TOR won’t work in this case because we all know that it’s attributable.

“Joe Hacker/single actor in the .ru still has to have a non-attributable network to infiltrate and exfiltrate large amounts of data across the web.”

But the bad news now that the cat’s out of the bag is that proofs-of-concept are out

06/04/2014

HP-VMware Networking Solution


HP and VMware are jointly announcing a new software-defined networking (SDN) and network virtualization solution: a collaboration to deliver the industry’s first interoperable SDN and network virtualization solution, giving customers unified automation and visibility of the physical and virtual data center networks, enabling business agility and improving business continuity.

The solution combines HP Virtual Application Networks SDN controller and VMware NSX network virtualization platform through federation APIs to deliver SDN automation and agility across physical and virtual data center networks.
Key components of the solution include:
• HP Virtual Application Networks SDN Controller
• HP ConvergedControl SDN application
• HP FlexFabric 5930 Top-of-Rack Switch
• VMware NSX network virtualization platform
The federated solution integrates with orchestration tools to provide cloud automation and agility.
Additionally HP Intelligent Management Center (IMC) with SDN Manager and integrated VMware vCenter plug-in provide a single pane-of-glass management for both virtual and physical networks.

As companies embrace cloud and mobility, manual network configuration has proven time and resource intensive, as well as error prone. A virtual-only SDN solution for network virtualization offers a centralized control plane, but does not automate configuration and provisioning of network devices. Virtual networks also lack visibility of the underlying physical infrastructure, which results in blind spots that can impact business continuity and force manual remediation. Today’s network virtualization and SDN controller solutions lack interoperability. The HP-VMware Networking solution is the industry’s first multivendor east-west federation to deliver interoperability and openness.

• Unifies automation, visibility and control of the complete data center network, improving agility, monitoring and troubleshooting
• Delivers an open, interoperable network virtualization and SDN solution across physical and virtual networks
The HP-VMware Networking solution eliminates manual configuration of both the physical and virtual data center networks through interoperable automated orchestration of policies and creates a single view of the network, both physical and virtual.

The HP-VMware Networking solution federates the HP Virtual Application Networks SDN Controller and the VMware NSX network virtualization platform through Federation APIs. NSX communicates with the VAN SDN Controller using the Open vSwitch Database (OVSDB) management protocol, which the VAN SDN Controller supports via the federation APIs. This allows NSX to share virtual tunnel state information with the VAN SDN centralized control plane and deliver virtual network tunnel endpoints on physical network devices such as the HP FlexFabric 5930 Switch with VXLAN support. In addition, the VAN SDN Controller integrates with NSX via the federation API to deliver SDN applications across virtual networks. Together, the HP VAN SDN Controller and VMware NSX network virtualization platform unify virtual and physical networking while providing SDN agility.

The complete HP-VMware Networking solution will be available worldwide in 2H 2014. Key components will be available on the following timeline:
• HP ConvergedControl SDN Application, 2H 2014
• HP FlexFabric 5930 Switch, December, 2013
• HP Virtual Application Networks SDN Controller, Q4 2013

HP and VMware continue to be strong partners across many technologies. From a networking standpoint, this new solution adds to existing collaborative efforts including:
• HP Intelligent Management Center (IMC) and vCenter integration
• HP Advanced Services zl Module and MSR OAP Module with VMware vSphere
• HP FlexFabric Virtual Switch 5900v for VMware ESXi

HP Virtual Application Networks deliver SDN automation and agility. This new joint solution extends the ecosystem and builds upon the open, interoperable approach of HP VAN to deliver SDN applications across physical and virtual networks.

Network virtualization combines network resources, both hardware and software, into a single virtual network

Virtual network refers to a virtual network tunnel that runs across physical infrastructure. The virtual network generally is created via encapsulation at the source endpoint and de-encapsulated at the destination.

Physical network refers to the physical network infrastructure that virtual network tunnels traverse from one endpoint to another.

VXLAN or Virtual Extensible LAN is an encapsulation protocol for running virtual networks across layer 3 networks. VXLAN adds a 24-bit segment ID to the Ethernet frame allowing up to 16 million virtual networks across a common layer 3 infrastructure.

The Open vSwitch Database (OVSDB) management protocol is used to manage Open vSwitch instances. The protocol manipulates a set of tables representing switch configuration data.

To learn more, visit http://www.hp.com/networking/hvns

 

03/04/2014

eHosting DataFort Awarded 2014 Best Managed Service Provider

eHosting DataFort Awarded ‘Best Managed Service Provider of the Year’ at Network World Middle East Awards 2014

Beats Tough Competition From Top Players; Win Reaffirms Company’s Top Position in Enterprise



eHosting DataFort (eHDF), the region’s leading Managed Hosting and Cloud Infrastructure services provider and a member of TECOM Investments, was awarded ‘Managed services provider of the year’ at the fifth annual Network World Middle East Awards held on 24th March 2014. eHDF beat contenders including top local, regional and multinational players to win the award for the second year running.
eHDF was recognized for delivering successful and complex technology implementations that have brought outstanding value to its customers. eHosting DataFort demonstrated a successful track record of complex and cutting edge technology deployments for a diverse portfolio of customers such as Geotab ME, Tejuri.com, Dubai Financial Market amongst others.

The judging panel consisting of senior IT professionals – Arun Tewary, CIO and Vice President of IT, Emirates Flight Catering; Douglas Ian Wakeford, Senior Advisor with the Experton Group; Benvir Padda, Director of IT, Legatum and U V Krishnakumar, Founder of Prescience UAE selected a total of 17 winners for the ‘end-user’ and ‘vendors’ awards categories.

The awards were presented during a gala ceremony held at Godolphin Ballroom in the Emirates Towers. The CPI Network World Middle East Awards has established itself as the major networking awards evening in the regional IT calendar. Recognising both ‘users’ and ‘vendors’, the awards rewarded innovative networking projects and technology providers behind them.

Commenting on the award win Yasser Zeineldin, CEO, eHosting DataFort said: “The win reaffirms our top position in providing Managed Hosting and Cloud Infrastructure services in the region. It is a testament to our continued commitment in delivering tailor made and customer focused services to address highly demanding and complex technology projects.”

“2014 looks very promising with the strong uptake that we are seeing for cloud infrastructure services. We have invested heavily in our data centres this year and we will soon be launching new services for the SMB segment. I would like to thank our customers for their continued support and look forward to sustaining this successful momentum in the years ahead.”

This award marks an additional milestone for eHDF adding to the collection of accolades received over the years. In 2013 eHosting DataFort won the ‘Best Managed Service Provider of the Year’ at the ACN Arab Technology Awards, ‘Best Managed Service Provider of the Year’ in the enterprise category at the Integrator Middle East Awards and ‘Managed Service Provider of the Year’ at the Network World Middle East awards. Prior to that, eHosting DataFort has been recognized year-on-year as the ‘Best Managed Services Provider of the Year’ across the Middle East since 2008.

eHosting DataFort owns and operates world-class data centres in Dubai with resilient and scalable infrastructure and round-the-clock managed operations offering customers the advantage of hosting all data within the UAE. It offers a comprehensive portfolio of services including managed hosting, disaster recovery and private and public cloud infrastructure services.

02/04/2014

‘Significant’ solar flare may affect communications, GPS on Wednesday

Solar flare

The sun emitted what NASA is calling a “significant” solar flare on Saturday that could affect communications systems on Earth on Wednesday.

The National Weather Service’s Space Weather Prediction Center is calling the eruption a radio blackout event. The center reported that the solar flare could affect satellites and cause GPS errors. Electrical power lines could be hit by extra current, and high frequency communications could be blocked when the radiation hits Earth.

Solar flares are powerful bursts of radiation, according to NASA, but the harmful radiation from a flare cannot pass through the Earth’s atmosphere to physically hurt humans. However, powerful flares can affect the Earth’s atmosphere in the layer where GPS and communication signals travel.

NASA categorized Saturday’s flare as an X1-class eruption. X-class solar flares are the most intense eruptions. The number adds more information about its strength. An X2, for instance, is twice as intense as an X1.

Last fall, the sun emitted a series of intense solar flares that caused radio blackouts and affected GPS systems.

Between Oct. 23 and Oct 30, the sun emitted four X-class solar flares.

Scientists said they weren’t surprised to see an increase in solar flares since the sun is approaching the peak of its normal 11-year activity cycle.

The largest flare in this current cycle was emitted on Aug. 9, 2011. That flare was an X6.9.

01/04/2014

SDN changing the shape of networking, IT careers


Cisco recently announced new certifications for its Application Centric Infrastructure (ACI) programmable networking initiative, its response to software-defined networking. The certifications are designed to tailor new roles for IT practitioners looking to transition their company’s infrastructures to programmable, application-policy-driven, SDN-type environments.

Such certifications are expected to be the norm industrywide as SDN takes hold.

“If programmable network infrastructure is a strategic direction for (vendors) and their customers, when is the vendor going to include it in their training programs?” asks Andre Kindness, an analyst at Forrester Research. “Otherwise I’m not sure how networking personnel are supposed to take advantage of the vendors’ SDN solutions. Fundamentally, vendors should enhance their training programs at the same time they come out with new technology.”


“The need for new professional certifications and training programs for networking professionals is directly related to technology advances and market dynamics that are reordering IT as a whole,” says IDC analyst Brad Casemore. “The network and the professionals who run it must evolve. They can’t be Luddites; that would not end well for them.”

Several career considerations are at play as SDN infiltrates enterprises and service provider networks. There’s the issue of who in the data center or IT shop actually owns the virtual infrastructure and the policies that orchestrate it.

Server administrators have been steeped in virtualization for many years. Would they then be likely to take on administration of the virtual network? Or would network administrators, with decades of knowledge and experience in allocating physical network resources, now also learn and assume the added role of allocating virtual network resources to those mobile and dynamic workloads? If the server professionals end up owning network virtualization as well, where does that leave the network administrators? If the network admins end up owning the virtual as well as physical network, are the server admins left out?

So the SDN impact on IT may come down to an operational and organizational personnel decision. Does SDN offer opportunities to create cross-functional teams between separate server, storage, application and networking administrators?

Many IT operations now siloed will have to meld, says Robert Cannistra, a computer science and IT professor at Marist College.

“We’re still going to have niche guys but also people with a large-scale view,” Cannistra said at last fall’s Interop conference in New York. “Those are going to be your powerhouse guys and girls in the enterprise.”

At the same conference, Bloomberg R&D Network Architect Truman Boyes said SDN will be organizationally disruptive within his company.

“We’re trying to address it at an organizational level by rocking the boat,” he said. “We’ve put together a cloud team to straddle both worlds, jump start the rest of the organization. That will help us with time to market.”


31/03/2014

WD releases Thunderbolt drive with selectable RAID settings


Western Digital (WD) has announced a new portable hard drive with Thunderbolt 20Gbps connectivity that can be configured with various RAID schemes.

My Passport Pro comes with hard disks and features user-selectable RAID; the drive can be configured for redundancy in RAID 1, which creates a mirror of your data, or RAID 0, which stripes data across both drives to increase performance.

The My Passport Pro is only for Mac systems. It is available in 2TB and 4TB capacities with a retail price tag of $299.99 and $429.99, respectively.

Consisting of two 2.5-inch hard drives in an aluminum enclosure, My Passport Pro has been shock-tested by WD.

WD claims the My Passport Pro is the only dual-drive unit that doesn’t need to be plugged into an outlet to work; the drive is powered over the computer’s bus, like a USB-powered device.

The My Passport Pro comes with an integrated Thunderbolt cable and has performance speeds of up to 233MBps.

The Thunderbolt technology of the My Passport Pro allows a 22GB high-definition video file to be copied in half the time typically required by a USB 3.0 drive working in RAID 0 format.

“WD’s My Passport Pro enhances the workflow of mobile creative professionals by providing fast transfers and data protection for the large amounts of digital content they generate outside the studio,” Jim Welsh, executive vice president of branded products and worldwide sales, said in a statement. “From photographers, videographers and musicians to graphic designers and architects, people who depend on portable storage for their livelihood will find My Passport Pro defines a new level of performance, reliability and especially portability.”

31/03/2014

HP iris networking online Configurator


Requires IE6+


The HP Networking Online Configurator enables you to quickly and easily create quotations of HP Networking products using your web browser.

30/03/2014

Microsoft Office launched for the iPad

This graphic is published with the permission of GRAPHIC NEWS.

March 28, 2014 — Under the stewardship of new CEO Satya Nadella, Microsoft has finally released its Office suite for iPad.

29/03/2014

Xtouch X3 smartphone


27/03/2014

12,000 Phishing sites hosted on compromised WordPress installs

Stats compiled by Netcraft show that 12,000 WordPress installations were compromised in February and used in Phishing campaigns that targeted Apple customers and PayPal users. In addition, compromised WordPress installations were also the source of a significant amount of Web-based malware during the month.

According to the stats, more than 7 percent of all Phishing attacks blocked by Netcraft during the month were hosted on compromised WordPress domains, which translates into 11 percent of the unique IP addresses wrapped up in the scams. Further, 8 percent of the malware URLs blocked by Netcraft during the month (representing 19 percent of all unique IP addresses) were compromised WordPress installations serving malware to unsuspecting victims.

Of the sites referenced in the Netcraft study for the month, 17 percent of them targeted Apple customers, and 25 percent of them focused on PayPal.

WordPress is the content platform for nearly 30 million domains, favored for its easy installation, functionality, plug-and-play enhancements from a strong plug-in developer community, and affordability. WordPress itself costs nothing, but organizations pay a fee to host WordPress installations, and pay for additional developments such as themes and plug-ins.

However, like most Web-based development platforms, WordPress requires a level of management most passive webmasters and organizations cannot provide. Security updates are automatic now, since the 3.7 release, but that wasn’t always the case. Even with automatic updates, plug-ins and themes still need to be maintained on some levels, and the code that goes into homegrown developments isn’t always perfect.

Still, even the stable core code can cause problems.

An example of core code causing problems was observed recently when 162,000 WordPress domains were hijacked and used to initiate a DDoS attack. In 2012, poorly protected WordPress installs were blamed for the rapid spread of the Flashback Trojan. That same year, 30,000 WordPress installs were compromised and used to spread Rogue Anti-Virus.

Even developers and active administrators can inadvertently expose WordPress-based projects to malicious acts, for example by leaving database backups open to Google indexing, or through the TimThumb.php problem that impacted every WordPress installation that was online at the time.

The findings from Netcraft aren’t shocking. Attacking WordPress or any other CMS platform for a Phishing campaign or drive-by-malware attack allows the criminal(s) behind the scheme to leverage an important object – trust.

Just last week (March 19), EA, one of the world’s largest gaming companies, had one of their servers compromised and two of their domains used to initiate a Phishing attack against Apple customers.

The number of victims in this recent Phishing attack isn’t known, and EA fixed the problem in less than a day. However, the point is that EA is a trusted brand, the attack was sure to fool someone, and given the Origin (no pun intended, gamers) of the attack, EA’s domains are likely to be allowed to bypass most reputation filters.

27/03/2014

Cisco cloud computing network CCCN

FILE – This Wednesday, May 9, 2012, file photo shows an exterior view of Cisco headquarters in Santa Clara, Calif. Cisco Systems Inc. reports quarterly earnings on Wednesday, Nov. 13, 2013. Cisco said Monday, March 24, 2014, that it plans to spend more than $1 billion over the next two years to build up its cloud computing network. Cisco plans to use the money to expand its data centers for the new service, to be called Cisco Cloud Services. (AP Photo/Paul Sakuma, File)

19/03/2014

How to Get a Verified Account on Twitter

Wouldn’t it be cool if you had that white check mark in a blue cloud on your Twitter profile? If you get one, it means you hold a “verified account.” Twitter uses verification to establish the authenticity of tweeters, and does so proactively—they concentrate on “highly sought users in music, acting, fashion, government, politics, religion, journalism, media, advertising, business, and other key interest areas.” If you (or your boss/client) fit the bill, here is how to go about getting your Twitter account verified.

Part 1 of 3: Understanding the Verification Process

1. Determine if you qualify for a verified Twitter account. Twitter verifies as few accounts as possible and only for legitimate reasons.

  • Reasons for verification include being a highly recognizable public figure (musicians, actors, athletes, artists, public officials, public or government agencies, etc.), or if your name and likeness is parodied or impersonated on multiple Twitter accounts, leading to identity confusion.[1]
  • Twitter will not consider you for verification based on your number of followers. Twitter urges Tweeters to “Please note that follower count is not a factor in determining whether an account meets our criteria for verification.”[1] Similarly, the number of tweets you post is irrelevant.
  • For more information, read the Verified Account terms. These terms explain what a verified account is, what it means to be verified, who has the verified badge, how to identify a verified account, etc.

2. Ask nicely. Although Twitter does not officially accept requests for verification, you may be able to speed up the verification process by sending a message to them directly (but only if you meet the criteria outlined above). Send a direct message to this address, making sure to include the following information:

  • Account name
  • Full name
  • Location
  • Official website (you will be given a suggestion to put the Twitter logo or badge on your official website to speed up verification)
  • Bio information (information about yourself in fewer than 160 characters)
  • Primary contact name (referring to the individual who manages the account)
  • Additional Contact Information

3. Wait for Twitter to respond. If you don’t get a reply shortly, you can contact Twitter by snail mail or through Twitter. Keep in mind that Twitter deals with a high volume of verification requests, and that it focuses first on the most “highly sought users.”[1]

4. Follow Twitter’s instructions for verifying your account. If Twitter decides that you qualify for a verified account, they will reach out to you via direct message. Click the link in the direct message to finish the process.

5. The final part of the process has 3 parts: (1) Learn how to Tweet effectively, (2) Connect with other Interesting Twitter Users, and (3) Protect your Account.[2]

  1. Learn how to Tweet effectively gives you a choice between 2 tweets and asks you to choose which one is better. It has the form of a quiz, but there will be no negative effects if you do not answer correctly.[3]
  2. Connect with other Interesting Twitter Users gives you the option to follow other verified accounts. Twitter believes that this gives you more legitimacy as a verified user.[4]
  3. Protect your Account asks you to enter a phone number that Twitter can call if there are any problems with your account. Once you have completed this step, your account will be verified.

6. Do not change your account information. Once you have received a verification badge, it is important to keep your account information the same. Changing information, such as your profile image, can cause Twitter to remove the badge, forcing you to contact them again.


Part 2 of 3: Maximizing Your Chances

1. Be an exemplary Twitterer. Although Twitter claims that the number of tweets a user posts does not affect their decision to verify an account, being an active and engaged Twitter user cannot hurt. Post frequently, be interesting and topical, use tags, ask questions and reply to your followers, never troll, and follow other verified accounts.

2. Hire an agent. Most celebs don’t petition Twitter for a verified badge by themselves; they have an agent do it for them. Hiring an agent will lend your “public figure” status more legitimacy, especially if you can find an agency with prior connections to Twitter.

3. Buy advertising. Though Twitter does not have an official stance on this, several Twitter-verified companies have indicated that spending $5000/month on Twitter advertising will also get (and keep) your account verified.

4. Get your fans to campaign for you. If you have a large follower base, you could consider asking your fans to do your dirty work for you. If they inundate the @Verified page with enough pleas for your immediate verification, Twitter might just give in.

5. Get a job in a high-profile company. Some high-profile companies (such as Buzzfeed) have a deal with Twitter whereby all of their top-ranking employees are automatically granted verified accounts. This may not be the easiest option, but it’s something to think about.


Part 3 of 3: Considering the Alternatives

1. Embed a “Follow” button on your website. Twitter recommends embedding a Twitter “Follow” button on your official website as the best alternative to verification. This allows you to obtain followers directly from your official site, which is very helpful if there are multiple Twitter accounts that use your name.

2. Provide a link to your official website on your Twitter account. Twitter also recommends including a link to an official website as an alternative to verification.

3. Hack it. If you’re really desperate, you can strategically copy and paste an image of the verified badge onto the background of your profile page. To the undiscerning eye, this will make it look like your account is verified. However, it is important to be aware that Twitter takes this type of behavior very seriously, so you could end up being banned from the site entirely if you choose to go down this route.

Tips

  • We all want a verified badge but, let’s face it, they are not going to give badges to just anyone. So don’t bother hassling them with requests unless you absolutely know you would be seriously considered for a badge.
  • If you do not qualify for a verified Twitter account, the best way to prove that your Twitter is the “real” you is to include a link to your page on an official website.

Warnings

  • Having a verified Twitter account does not stop others from creating parody/impersonation accounts of you.
  • Applying for a verified account is no guarantee that Twitter will respond to you.
  • After your account has been verified, you may notice that some of your followers have been removed.