A newly disclosed SSL security hole allows savvy attackers to inject data into supposedly secure streams of the encryption standard, but while standards bodies and major vendors are quickly working to plug the vulnerability, it seems the attack avenues are currently relatively minimal.
As The Register reported on the SSL bug:
Indeed, Moxie Marlinspike, a security researcher who has repeatedly exposed serious shortcomings in SSL, said the attacks were hard to pull off in the real world, in large part because they appeared to target a rarely used technology known as client certificate authentication.
“It’s clever, but to my knowledge the common cases in which the majority of people use SSL (webmail, online banking, etc.) are currently unaffected,” he wrote in an email. “I haven’t found these attacks to be very useful in practice.”
The security hole has been known since August in some circles, with ICASI (Industry Consortium for Advancement of Security on the Internet) heading up “Project Mogul,” an attempt to roll out an industry-wide set of security patches in a coordinated manner.
Harvard Business has an interesting post by Michael Schrage on how to deal with BlackBerry junkies and other techno abusers, pointing the finger at two pilots who allegedly lost track of their current flight while scheduling future flights via their laptops.
IT is supposed to be about enabling the business, but what happens when it has users hell bent on using good technology to their own or corporate detriment? It’s not a new question: Enabling Internet browsing alone has caused innumerable productivity drains, from hours lost to cat videos and Facebook to more serious corporate threats like making data leakage as simple as sending an e-mail to a personal account.
How much of policing this double-edged sword is IT’s job, and how much is it up to management, HR and other departments? Have you ever had a case where you pushed back? I’d love to hear your thoughts at Michael@ITknowledgeExchange.com.
This is a guest post by Claude Roeltgen, author of the book IT’s Hidden Face. His book tackles the communications gulf between IT … and the rest of the world. Interested in being a guest blogger on the IT Watch Blog? E-mail Michael@ITKnowledgeExchange.com. -MM
“Why?” is the most frequently asked question by people when something goes wrong in real life. Not so in IT – Users never ask this question when something happens. They say “Fix it” and “I don’t want to know what happened.”
Business users like to reproach us IT guys with sitting in an ivory tower using strange gobbledygook. But, let’s face it, they are happy enclosing us there and do nothing to understand the hidden world of IT in a company. “IT” and “problem” are synonyms, and for the vast majority of users, that’s as far as it goes. The public knows more about the biology of deep sea fish than about the internal mechanics of an IT department.
Even the best CIOs get into a defensive position all the time. “Be faster”, “be cheaper”, “reduce complexity”, “you need to understand the business better”, “why doesn’t this work for us?”, “why are we over budget and time?” are heard all the time, but are generally poorly answered. Users tell us “I install software in 10 minutes on my PC at home, why do you need so long?” Defensive fights all the time.
What should we do then to make things better? Well, there are a lot of things we can do. We have to tell the realities of our world in words that every business user will understand, and, no doubt, there’s a lot we can talk about. Like the fact that there are no two identical IT biotopes, and therefore each has its own specific set of problems. Or that we have to deal with an incredibly immature software industry that delivers new software containing thousands of errors. Let’s tell them that software providers have outsourced quality assurance to their customers. Or that systems presented by providers can sometimes more accurately be called “cheatware” than “software”. We can write newsletters to our users giving them background information, in their words, about what is happening – we need to have a constant dialogue with our users and we need to be patient with them. We need to explain why we say “no” sometimes. We must become good at marketing ourselves. Today, we leave marketing IT to consultants. And this is not good for us!
Not enough ghosts and goblins running around for you? Just wait: News that Time Warner Cable has deployed a dual Wi-Fi router/cable modem with a gaping security hole should send chills up the most hardened IT professional’s spine.
David Chen exposed the hole, which allows an attacker to remotely log in to a router’s administrative interface and possibly intercept traffic. Since being exposed by Chen, the story has been picked up by Wired’s Threat Level, CNET’s InSecurity Complex, and ITKnowledgeExchange’s own Sister CISA CISSP. The latter noted another particularly spooky aspect of the tale in a follow-up post on the Time Warner security hole:
Lo and behold, I am visited and left a comment by “Adam Wood” defending SMC, and telling me/us what a wonderful job SMC is doing about this issue.
(That’s got to be a really crappy job for a lowly PR flack; surfing the Internet for comments on the SMC modem, and uploading a canned positive comment wherever he can.)
Despite “Mr. Wood’s” comments about how SMC is fixing the problem in an absolutely wonderful way, I admit to some slight cynicism. Especially after reading more from David Chen, the guy who found it in the first place.
It seems that a fix from Time-Warner or SMC consists almost entirely of PR.
Boo! And while it would be easy to respond that users have a responsibility to change their default passwords (they do!), the story goes a little deeper: This is putting sensitive corporate data at risk.
With more and more companies pushing for remote working both as a Swine Flu precaution and a way to cut office costs, an insecure router being pushed out could easily expose data that isn’t properly secured to all sorts of attackers, even those just trolling for random open vulnerabilities, like Chen did.
Fortunately, he also provided some quick fixes as Time Warner Cable works on a fix to push out (or not). Modify slightly and pass on to your users if your employees are working in a Time Warner Cable subscription area:
- Change the default configuration of the routers to use WPA2 instead of WEP for wifi encryption. It’s ok if you don’t want the customers to change their wifi settings, but at least use a key that’s not derived from the router’s MAC address (which is broadcast over wifi).
- Disable access to the router’s web admin page from outside IPs. The options are in the router (see below); a simple config change would block access to the router from the internet.
- Block traffic to ports 8080, 8181 and 23 (those are the ports that are open on the SMC8014 routers) at the ISP level. This of course should be a temporary fix until the hardware can be replaced with something more secure.
- Of course the best idea would be to immediately recall those routers and issue your [users] real cable modems and decent wifi routers with good security.
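As an added example (not part of the original post, and not code from David Chen, Time Warner Cable or SMC), here is a small Python audit that checks a router configuration against the four points above: weak wifi encryption, a pre-shared key derived from the broadcast MAC address, administration reachable from the WAN side, and the three ports named in the post open to the Internet. The configuration format, its key names and the sample values are assumptions constructed for the example; a real device exposes these settings through its own admin interface.

```python
"""Audit a consumer cable modem/wifi router configuration for the weaknesses
listed in the post. Example code, not from the original post or any vendor.
The dict-based configuration format below is an assumption for illustration."""

from typing import Dict, List

# Wifi security modes the post tells you to move away from.
WEAK_WIFI_MODES = {"wep", "open", "none"}

# Ports the post reports as open on the SMC8014: web admin, alternate web admin, telnet.
RISKY_WAN_PORTS = {8080, 8181, 23}


def normalize_mac(mac: str) -> str:
    """Lower-case a MAC address and strip separators: '02:00:5E:AA:BB:CC' -> '02005eaabbcc'."""
    return mac.lower().replace(":", "").replace("-", "")


def key_derived_from_mac(psk: str, mac: str) -> bool:
    """Flag a pre-shared key that embeds the device MAC (or a 6+ hex-digit tail of it).

    The MAC is broadcast in every beacon frame, so a key built from it is guessable
    by anyone within radio range. Heuristic: the key contains the last 6 to 12 hex
    digits of the MAC, separators ignored.
    """
    m = normalize_mac(mac)
    k = psk.lower().replace(":", "").replace("-", "")
    for n in range(len(m), 5, -1):  # full MAC down to its last 6 hex digits
        if m[-n:] in k:
            return True
    return False


def audit_router(cfg: Dict) -> List[str]:
    """Return one human-readable finding per weak setting; an empty list means clean."""
    findings: List[str] = []
    mode = cfg.get("wifi_security", "").lower()
    if mode in WEAK_WIFI_MODES:
        findings.append(f"wifi: '{mode or 'none'}' in use; switch to WPA2")
    if key_derived_from_mac(cfg.get("wifi_psk", ""), cfg.get("wifi_mac", "")):
        findings.append("wifi: pre-shared key is derived from the broadcast MAC address")
    if cfg.get("remote_admin_enabled"):
        findings.append("admin: web/telnet administration reachable from the WAN side")
    exposed = RISKY_WAN_PORTS & set(cfg.get("wan_open_ports", []))
    if exposed:
        findings.append(f"wan: risky ports open to the Internet: {sorted(exposed)}")
    return findings


# Constructed sample: the weak shipping configuration the post describes.
WEAK_CONFIG = {
    "wifi_security": "WEP",
    "wifi_mac": "02:00:5E:AA:BB:CC",   # constructed, locally administered MAC
    "wifi_psk": "02005EAABBCC",        # key equal to the MAC, as the post warns against
    "remote_admin_enabled": True,
    "wan_open_ports": [23, 80, 8080, 8181],
}

# Constructed sample: the same device after applying the post's recommendations.
HARDENED_CONFIG = {
    "wifi_security": "WPA2",
    "wifi_mac": "02:00:5E:AA:BB:CC",
    "wifi_psk": "correct horse battery staple 7413",  # unrelated to the MAC
    "remote_admin_enabled": False,
    "wan_open_ports": [],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_router(cfg) or 'no findings'}")
```

The MAC-derivation check is deliberately a heuristic: it catches keys that copy the MAC or its last three octets (the usual vendor shortcut), but a key built from a hash of the MAC would pass it, so the audit is a floor, not a proof of a strong key.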
Have a happy Halloween!
Caroline Bender has a wonderful post on the somewhat snarkily titled Business Women’s Finishing School & Social Club about “Youthful Management.” Really, it’s about bridging the generation gap, particularly for those who find themselves employed by younger, perhaps less tactful if more energetic, bosses:
The young must lead because their skills are current, and the mature must advise them based on their experience, because their training is no longer applicable.
This can be unsettling for both parties, who are in such different stages of human development, much less career development, that the gap widens. It can be difficult to report to someone your daughter’s age; it can be even harder to motivate a staffer who has clocked 25 years already.
Ouch, but often too applicable in the often fast-moving world of IT (the COBOL Y2K Renaissance aside). Bender offers some great advice for how older workers can mesh with younger executives, ranging from knowing when to stop trying too hard to fit in, to toeing the line on corporate outings.
Have you found your own job role transitioning due to generational differences, either as a Boomer or a Gen Xer or even a Gen Yer? I’d love to hear what you’ve seen in the workplace, either in the comments or at Michael@ITKnowledgeExchange.com, or @Morisy on Twitter.
Juniper’s currently unveiling their ‘New Network Initiative,’ and there’s no lack of interest. As the normally staid Tom Nolle blogs at Uncommon Wisdom:
We can’t apologize for the characterization here; Juniper announced a radical combination of an extensive service-layer software system and a new semiconductor architecture, taking the most profound step the company has taken since it was founded.
The new chip is a family, the first member of which is Trio. It is based on a “Network Instruction Set Processor” model that builds software on the device using instructions customized for network behavior control rather than general-purpose instructions, as NPs do. In this respect, the chip is almost like an ASIC, but unlike an ASIC it’s programmable at the primitive NISP-instruction level, so new features can be added right down to the instruction level.
That’s the tech speak, but Juniper Networks is using the launch as a chance to re-brand, with a new logo, a flashy advertising campaign and a jettisoning of the “high performance” slogan for a focus on being “the new network”:
(Video: http://www.youtube.com/v/pb48EBFXjys)
And it’s certainly earned the company its share of buzz, including some strong Twitter chatter and the chance to ring the NYSE opening bell. If you’re quick, you can still catch some of the announcement which is being broadcast here. Let me know what you think, either in the comments or at Michael@ITKnowledgeExchange.com. Is this truly a networking revolution?
The latest and greatest Google Android device, the Motorola Droid from Verizon, is coming, and Verizon hasn’t made any bones about what it’s targeting with the high-profile launch: Apple and AT&T’s market share, which has skyrocketed to 30% in the past few years. If they’re successful, it will be one more device IT must learn to manage, along with BlackBerry, Windows Mobile, the iPhone …
No wonder the Droid promotional images look so menacing.
Just in time for Halloween, it looks like Nokia Siemens Networks is trying to re-animate the vision of Microsoft’s decrepit Passport single sign-on system, but this time in the hands of telecom companies. The times sure have changed, but will users be spooked by having their data in the hands of Verizon, AT&T and other service providers?
Out at SuperComm, Nokia Siemens Networks invited me over to hear the latest about its One-NDS subscriber data management platform. One-NDS is in version 8.0, and as the NSN representatives explained it, it has ambitious plans for when it finally grows up: Provide a single sign-on service, managed and maintained by telecoms.
The Nokia Siemens representatives told me the service could allow a user to access the same services, with a single sign-on, from, for example, a home computer, their cell phone and a TV, and pointed to services like Google Apps, Amazon and Yahoo! as potential tie-ins. Eventually, Nokia Siemens hopes, carriers will hold and control all aspects of the “digital self,” giving users a central, secure way to control how their information is being used online, and who’s allowed to use it.
When I asked them why NSN and telecoms would succeed here when Microsoft struggled so mightily, they pointed to a recent global survey they took: 82% of the 9,200 respondents said privacy is an important topic, while 45% responded that they felt like they lack control over their personal data.
But why telecoms? Nokia Siemens had a survey for that, too: They didn’t say that telecoms were trusted or loved by users, but that they were at least more trusted than other industries, including insurance companies, loyalty card providers and the government.
While it’s certainly no small feat to rank better in a survey than an industry satirized for Mafioso shake-downs, I have to wonder if users will really trust an industry that considers nickel-and-diming them standard operating procedure with their most sensitive data in what will likely be a proprietary platform.
Even Microsoft Passport’s descendant, Microsoft Live ID, seems to have learned a lesson in the intervening years: It’s announced support for OpenID, which drops the centralized control in favor of a more open, diverse ecosystem of authenticators and which lately seems to have actually gained some traction as more major online destinations announce their own support for the protocol.
As previously noted, few things besides Net Neutrality can bring AT&T and Verizon together, but President Barack Obama proved he could turn the tables again and again at last week’s SuperComm telecom conference in Chicago.
Even on opening day, two of SuperComm’s three keynote Q&A panelists were pulled by Obama for “pressing business” in Washington, according to a source: Jonathan Adelstein, administrator of Rural Utilities Service, and Larry Strickling, Assistant Secretary for Communications and Information for the NTIA. That left only Blair Levin, an executive director at the FCC, to try and talk up all the great grant money the government’s hoping to inject into the telecom industry.
But as AT&T’s Jim Cicconi said during an earlier panel, there’s been a whole lot of loud non-interest in this stimulus funding, since the major telecoms are passing it based on what they say are too many strings attached, particularly since it’s only a hair over $7 billion distributed across 50 states, mere chump change for major telecom players. While smaller ventures are eagerly bidding away, none of the major service providers have touched the stimulus funds (I would also wager it’s because these major providers generally avoid the rural, low-ARPU areas the stimulus targets like the plague to begin with).
So that left the major carriers and the industry that supports them (hardware manufacturers, consultants, integrators … the list goes on) to bemoan the drafting of net neutrality regulations every chance they get. It dominated every panel it could work its way in to, from ones specifically about rural initiatives to a talk on DRM and digital media distribution.
So what’s next?
Well, despite a surprisingly conciliatory joint statement between Verizon and Google just days after Verizon’s CEO blasted net neutrality, this fight is far from over for either side. It was one of big telecom’s biggest lobbying efforts ever, and SuperComm attendees seemed geared up to keep fighting. Even if regulations do come through, for example, they are largely expected to end up with a large legal loophole along the lines of “reasonable network maintenance.” This was the grounds on which Comcast swatted down BitTorrent sharing, and unless the regulations are worded quite carefully, service providers might find plenty of avenues to stop competing voice and video services from denting their revenues.
With 1/6th of U.S. jobs tied to America’s Internet infrastructure, Net Neutrality backers put too much at risk just as the economy recovers, warned Jim Cicconi, AT&T’s senior executive vice president of external and legislative affairs.
Cicconi’s blistering attack makes the 2012 trailer look like a playdate compared to what could happen if the net neutrality backers win: short-term job losses, the degradation of Internet infrastructure, even Internet blackouts. No YouTube, Priceline or ITKnowledgeExchange? I’ll take the riots, earthquakes and John Cusack, thank you very much.
(Video: http://www.youtube.com/v/Hz86TsGx3fc)
“It’s very easy for people to make decisions involving other people’s jobs,” Cicconi said at the SuperComm opening panel that was slated to cover stimulus dollars but largely focused on the FCC’s new net neutrality guidelines draft, which is slated to be made public tomorrow. The panel, made up largely of executives from both service providers and equipment vendors, largely concurred with Cicconi’s sentiments (The FCC’s John Horrigan, consumer research director for the Omnibus Broadband Initiative, largely stayed out of that particular fray).
Very often, it’s the creation of jobs that net neutrality backers point to, such as the Open Internet Coalition’s open letter to Congress:
A competitive marketplace creates jobs, helps the American consumer, fosters innovation, and drives economic growth. We must aspire to achieve the world’s most advanced communications networks, building on the tradition of American policy and innovation that created the open Internet. We must maximize competition on next generation networks by guaranteeing access and by ensuring that all networks interconnect and interoperate.
But Cicconi took time to take aim at groups like this and others that are producing favorable net neutrality reports:
I think it is a dangerous illusion for anyone in government to think that more regulation will provoke more investment, not less. There are reports coming out, but these reports … are written by groups that have never run a network, nor do they have discernible investment experience.
The FCC is playing a very dangerous game if it listens to any advice of this nature.
[Net Neutrality] is an important reality check for government: You’re pushed to achieve a Utopian end people have dreamed up, but that’s not how government works. Government works to solve problems … and nobody has made a convincing case that there is a problem here that needs the government to step in.
And this was all what Cicconi publicly said: One can only imagine what he and Tom Tauke told the private luncheon for telecom decision makers earlier in the day.