Archive for July 30, 2016

| July 30, 2016
Comments Off on More IRS Tech Troubles

More IRS Tech Troubles

More IRS Tech TroublesThe U.S. gooberment agency in charge of extorting collecting taxes from citizens, but not businesses, has more IT troubles. In the past, the IRS has had problems with hackers attacking its online systems which exposed more than 720,000 taxpayer accounts. It has had data breaches that released 101,000 taxpayer SSNs, Its internal processes are so weak that the IRS could not find 1,300 PC’s to complete the upgrade from Windows XP.

collecting taxes from citizens, but not businessThe latest report says that the IRS off-boarding processes are so porous that former employees have “unauthorized entry.” Former employees have access to workplaces, IRS computers, taxpayer information, and could allow them to misrepresent themselves to taxpayers, according to an article at Nextgov.

The article cites a new watchdog report. In the report, there was a random sampling in 2014 that said the IRS couldn’t verify it had recovered all security items from more than 66 percent of roughly 4,100 “separated” employees. The employees had left due to retirement, resignation, death, etc.

If the IRS had just checked with me, this would not have been a surprise. In 2014 wrote about this issue. Lieberman Software released the results of a survey of IT security professionals. 13% of IT Pros at the RSA Conference 2014 admitted to being able to access previous employers’ systems using their old credentials. Perhaps even more alarming is that of those able to access previous employers’ systems nearly 23% can get into their previous two employers’ systems using old credentials.

rb-

two factor authenticationThis is just another example of why passwords suck. If the tax collectors used a two-factor authentication (2FA) process, chances are must greater that ex-employees would not be able to access taxpayer’s records. Two-factor authentication is a security process where the user provides two means of identification from separate categories of credentials. 

An authentication factor is an independent category of credentials used for identity verification. The three most common categories are often described as something you know (the knowledge factor), something you have (the possession factor), and something you are (the inheritance factor). For systems with more demanding requirements for security, location and time are sometimes added as fourth and fifth factors.

One rising authentication measure is biometrics. Biometrics is the measurement and statistical analysis of people’s physical and behavioral characteristics. The technology is mainly used for identification and access control. The basic premise of biometric authentication is that everyone is unique and an individual can be identified by his or her intrinsic physical or behavioral traits. An individual’s biometric uniqueness can fulfill the inheritance factor of identify verification (“something you are”). Using biometrics in its various forms (I have written about different forms of biometrics on the Bach Seatvoice, brain waves, retina scan, behavioral biometrics, etc.) when combined with a strong password can form a 2FA.

There are drawbacks to using biometrics for authentication too.

Related articles
  • Global Two-factor Biometrics Industry to Grow at a CAGR of 22.87% to 2020 (newsmaker.com.au)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| July 23, 2016
Comments Off on Ethernet Marches On

Ethernet Marches On

Ethernet Marches OnIt has been a while since we talked about networking on the Bach Seat. So it is time to get back to my roots. Ethernet continues to dominate the world. The Institute of Electrical and Electronics Engineers (IEEE) 802.3 Ethernet Working Group, the group responsible for the Ethernet standard, recently ratified 4 new Ethernet-related standards. The committee approved IEEE 802.3bp, IEEE 802.3bq, IEEE 802.3br, and IEEE 802.3by.

IEEE 802.3br has implications for IoT and connected cars. This new standard addresses the needs of industrial control system manufacturers and the automotive market by specifying a pre-emption methodology for time-sensitive traffic. IEEE 802.3bp addresses how Ethernet operates in harsh environments found in automotive and industrial applications.

The 2 more interesting new standards to networkers are IEEE 802.3bq and IEEE 802.3by. These standards help define how 25 GB and 40 GB Ethernet will work and more importantly how products from multiple vendors should interoperate in the data center. For a summary of the rationale for the new standard here is the IEEE presentation  (PDF).

Data c enterIEEE 802.3bq, “Standard for Ethernet Amendment: Physical Layer and Management Parameters for 25 Gb/s and 40 Gb/s Operation, Types 25GBASE-T and 40GBASE-T“, opens the door to higher-speed 25 Gb/s and 40 Gb/s twisted pair solutions with auto-negotiation capabilities and Energy Efficient Ethernet (EEE) support for data center applications.

IEEE 802.3by, “Standard for Ethernet Amendment: Media Access Control Parameters, Physical Layers, and Management Parameters for 25 Gb/s Operation”, introduces cost-optimized 25 Gb/s PHY specifications for single-lane server and switch interconnects for data centers.

Siemon’s Standards Informant explains that 25GBASE-T will be backward-compatible with existing BASE T technology and both 25GBASE-T and 40GBASE-T are planned for operation over TIA category 8 cabling. The deployment opportunity for 25GBASE-T is aligned with 40GBASE-T and defined as the same 2-connector, 30-meter reach topology supporting data center edge connections (i.e., switch to server connections in row-based structured cabling or top of rack configurations).

The standard’s ratification comes shortly after the Telecommunications Industry Association (TIA) approved its standard specifications for Category 8 cabling, the twisted-pair type designed to support 25GBase-T and 40GBase-T.

Though 25 Gigabit Ethernet is only now becoming an official standard, Enterprise Networking Planet reports that multiple vendors already have technologies in the market. Among the early adopter of 25 GbE is Broadcom (AVGO) which announced back in 2014 that its StrataXGS Tomahawk silicon would support 25 GbE. In 2015, Arista (ANET) announced its lineup of 25 GbE switches. Cisco (CSCO) is also embedding 25 GbE support in some of its switches including the Nexus 9516 switch.

That is where 25-Gb/s Ethernet comes in. It uses the same LC fiber cables and the SFP28 transceiver modules are compatible with standard SFP+ modules. This means that data-center operators can upgrade from 10 GbE to 25 GbE using the existing installed optical cabling and get a 2.5X increase in performance.

The IEEE 25GbE standard seems to have come out of nowhere, (especially considering the L O N G D R A W N O U T 8 0 2 . 1 1 n process but the technology actually came into being as the natural single-lane version of the IEEE 802.3ba 100-Gb/s Ethernet standard. The 100-Gb/s Ethernet standard uses four separate 25-Gb/s lanes running in parallel, so defining a single lane makes it a straightforward and natural subset of the 100-Gb/s standard.

rb-

IEthernetEEE P802.3by and P802.3bq were initially targeted for server connections in mega data centers like Amazon, Facebook, and Google. In the next 5 years, 25G will be the next mainstream server upgrade from 10G, even for smaller data centers. SMB data centers will be facing a connectivity crisis in the future as the pace of virtualization increases.

According to IDC, the typical virtualized server supported about 10 virtual machines (VMs) in 2014 and will support in excess of 12 VMs by 2017. In many organizations, the majority of production workloads are already virtualized and almost all new workloads are deployed on virtualized infrastructure, placing inexorable stress on server connectivity.
In order to accommodate this growth Twinax copper and short-reach MMF are included in the “by” standard, while 25GBASE-T (twisted pair) was added to the existing 40GBASE-T “bq” project making 25G possible in smaller data centers without having to re-wire the data center.
Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , ,
| July 14, 2016
Comments Off on Data Center in Space

Data Center in Space

Data Center in SpaceCloud computing is old technology. An LA-based start-up wants to move your data beyond the cloud. Cloud Constellation wants to store your data in space. The firm is planning on building a satellite-based data center that will have room for petabytes of data and may start orbiting Earth as early as 2019 according to Computerworld.

spacebelt_logoCEO Scott Sobhani told the author Cloud Constellation is looking upward to give companies and governments direct access to their data from anywhere in the world. Its data centers on satellites would let users bypass the Internet and the thousands of miles of fiber their bits now have to traverse in order to circle the globe. And instead of just transporting data, the company’s satellites would store it, too.

The article describes the pitch like this – Data centers and cables on Earth are susceptible to hacking and to national regulations covering things like government access to information. They can also slow data down as it goes through switches and from one carrier to another, and all those carriers need to get paid.

petabytes of data orbiting EarthCloud Constellation’s system, called SpaceBelt, would be a one-stop-shop for data storage and transport. Need to set up a new international office? No need to call a local carrier or data-center operator. Cloud Constellation plans to sell capacity on SpaceBelt to cloud providers that could offer such services.

Security is another selling point. Data centers on satellites would be safe from disasters like earthquakes, tornadoes, and tsunami. Internet-based hacks wouldn’t directly threaten the SpaceBelt network. The system will use hardware-assisted encryption, and just to communicate with the satellites an intruder would need an advanced Earth station that couldn’t just be bought off the shelf, Mr. Sobhani told ComputerWorld.

How do you reboot a server in space?Cloud Constellation’s secret sauce is a technology that it developed to cut the cost of all this from US$4 billion to about US$460 million, Sobhani said. The network would begin with eight or nine satellites and grow from there. Together, the linked satellites would form a computing cloud in space that could do things like transcode video as well as storing bits. Each new generation of spacecraft would have more modern data center gear inside.

satelite network

The company plans to store petabytes of data across this network of satellites. Computerworld points out that the SpaceBelt hardware would have to be certified for use in space. Hardware in space is more prone to bombardment by cosmic particles that can cause errors. Most computer gear in space today is more expensive and less advanced than what’s on the ground, satellite analyst Tim Farrar of TMF Associates said.

satelliteTaneja Group storage analyst Mike Matchett told the author that the idea of petabytes in space is not as far-fetched as it may sound. A petabyte can already fit on a few shelves in a data center rack, and each generation of storage gear packs more data into the same amount of space. This is likely to get better even before the first satellites are built.

But if you do put your data in space, don’t expect it to float free from the laws of Earth. Under the United Nations Outer Space Treaty of 1967, the country where a satellite is registered still has jurisdiction over it after it’s in space, said Michael Listner, an attorney and founder of Space Law & Policy Solutions. If Cloud Constellations’ satellites are registered in the US, for example, the company will have to comply with subpoenas from the U.S. and other countries, he said.

United Nations Outer Space Treaty of 1967And while the laws of physics are constant, those on Earth are unpredictable. For example, the US hasn’t passed any laws that directly address data storage in orbit, but in 1990 it extended patents to space, said Frans von der Dunk, a professor of space law at the University of Nebraska. “Looking towards the future, that gap could always be filled.”

rb-

On the Bach Seat, we have covered different theories about data centers several times. These theories included manure, sewer gas, and used cars to power DC’s as well as proposed data centers underwater and at KMart. This one however seems the most unique, considering the start-up costs to build and launch satellites.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,
| July 9, 2016
Comments Off on Security Cam Concerns in Ann Arbor

Security Cam Concerns in Ann Arbor

Security Cam Concerns in Ann ArborNext time you are in Ann Arbor to get a bite to eat at Zingerman’s or attend a U of M football game at Michigan stadium someone may be watching you. NetworkWorld, says Ann Arbor is one of the top U.S. cities with the most unsecured security cameras. In fact, Ann Arbor ranks seventh nationally.

The report’s author, security firm Protection 1, analyzed the data from Insecam. Inseacam identifies open security cameras and Protection 1 estimates there are over 11,000 open security cameras on the Internet in the U.S. Protection 1 identified the cities with the most cameras that can be viewed by anyone online. The top 10 cities with unsecured security cameras are:

  1. open security camerasWalnut Creek, CA – 89.69 / 100,000 residents
  2. Richardson, TX – 72.74 / 100,000 residents
  3. Torrance, CA – 72.55 / 100,000 residents
  4. Newark, NJ – 38.07 / 100,000 residents
  5. Rancho Cucamonga, CA – 36.76 / 100,000 residents
  6. Corvallis, OR – 37.98 / 100,000 residents
  7. Ann Arbor, MI – 34.18 / 100,000 residents
  8. Orlando, FL – 34.05 / 100,000 residents
  9. Eau Claire, WI – 22.21 / 100,000 residents
  10. Albany, NY – 20.32 / 100,000 residents

using the manufacturer's default passwordOpen security cameras connect to the Internet via Wi-Fi or a cable. They have no password protection or are using the manufacturer’s default password. Malicious people and governments can record or broadcast our lives from unprotected open security cameras. Open cameras are also vulnerable attacks that can turn them into bots.

From a privacy perspective, the most worrisome finding is that 15% of the open cameras are in Americans’ homes. Anyone can watch these cameras if the default password is not changed to a unique password to lock down the camera.

Besides being spied on from the web, open cameras can be exploited by criminals. Cyber-criminals can force online cameras to attack other things on the Internet as part of a DDoS attack.

distributed denial-of-service (DDoS)A DDoS attack against a jewelry shop website led to the discovery of a CCTV-based botnet. A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing a denial of service for users of the targeted system. TargetTech says the flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.

Help Net Security reports that Sucuri researchers discovered the jewelry site was being attacked by a CCTV botnet made up of 25,000+ cameras from around the globe. The website was first attacked by a layer 7 attack (HTTP Flood) at 35,000 HTTP requests per second and then, when those efforts were thwarted, with 50,000 HTTP requests per second.

Sucuri researchers discovered that all the attacking IP addresses had a similar default page with the ‘DVR Components’ title. After digging some more, they found that all these devices are BusyBox based. Busybox is a GNU-based software that aims to be the smallest and simplest correct implementation of the standard Linux command-line tools.

CCTV botnet made up of 25,000+ cameras from around the globeThe compromised CCTV cameras were located around the globe:

  • 24% originated from Taiwan,
  • 12% United States,
  • 9% Indonesia,
  • 8% Mexico,
  • and elsewhere.

rb-

Unless something is done, security flaws, misconfiguration, and ignorance about the dangers of connecting unsecured devices to the IoT will keep these botnets functioning well into the future.

block or absorb malicious trafficTo protect your website from botnets and DDoS, you need to be able to block or absorb malicious traffic. Firms should talk to their hosting provider about DDoS attack protection. Can they route incoming malicious traffic through distributed caching to help filter out malicious traffic — reducing the strain on existing web servers. If not find a reputable third-party service that can help filter out malicious traffic.

DDoS defense services require a paid subscription, but often cost less than scaling up your own server capacity to deal with a DDoS attack.

Arbor Networks is one firm that provides services and devices to defend against DDoS.

Google has launched Project Shield, to use Google’s infrastructure to support free expression online by helping independent sites mitigate DDoS attack traffic.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , ,
| July 2, 2016
Comments Off on Independence Day 2016

Independence Day 2016

Independence Day is the time when Americans celebrate freedom from a tyrannical government in the 18th century. While gaining that freedom, the founding fathers used encryption. They used encryption while risking their lives to gain the freedom we celebrate on July 4th. The EFF documents how many of the Founding Fathers of the United States used encryption to secure our freedoms.

  • Thomas Jefferson Thomas Jefferson invented an encryption devicewas the principal author of the Declaration of Independence and the country’s third president. He is known to be one of the most prolific users of secret communications methods. He even invented his own cipher system—the “wheel cipher”  or the “Jefferson disk” as it is now commonly referred to. Mr. Jefferson also presented a special cipher to Meriwether Lewis for use in the Lewis and Clark Expedition.
  • George Washington was the first president of the United States. He frequently dealt with encryption and espionage issues as the commander of the Continental Army. He gave his intelligence officers detailed instructions on methods for maintaining the secrecy and for using decryption to uncover British spies.
  • John Adams was the second U.S. president. He used a cipher provided by James Lovell—a member of the Continental Congress Committee on Foreign Affairs. He was an early advocate of cipher systems—for correspondence with his wife, Abigail Adams while traveling.
  • James Madison was the author of the Bill of Rights and the country’s fourth president. He was a big user of enciphered communications. Numerous examples from his correspondence prove that. The text of one letter from Madison to Joseph Jones, a member of the Continental Congress from Virginia, dated May 2, 1782, was almost completely encrypted via cipher. And on May 27, 1789, Madison sent a partially encrypted letter to Thomas Jefferson describing his plan to introduce a Bill of Rights.

TechDirt correctly concludes that If encryption was good enough for the Founding Fathers to use in the 18th Century … it’s pretty ridiculous that we’re still having this debate now in this age of constant government monitoring, warrantless searches, corporate data aggregationdata sharing, and tools like IBM’s Non-Obvious Relationship Awareness software (NORA). The time is now to fight shortsighted “going dark” claims by the FBI and efforts by clueless politicians like Sen. Dianne Feinstein (D-CA) who have plans to ban encryption.

rb-

Seems to me that the biggest threat to America this Independence Day is the political ambitions of technically illiterate know-nothings in the gooberment. Be like the Founding Fathers and encrypt something start with HTTPS Anywhere from the EFF.

 

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Holidays | Tags: , , , , , , , , , , , , , , , , , , , , ,