Tag Archive for CSCO

Another Hole in Internet Armor

Another hole in our Internet armor has been discovered. The hole is in the Diffie-Hellman key exchange, a popular cryptographic algorithm that lets two parties agree on a shared key and negotiate a secure connection. It is fundamental to many protocols, including HTTPS, SSH, IPsec, SMTPS, and anything else built on TLS.

Researchers from the University of Michigan, Inria, Microsoft Research, Johns Hopkins University, and the University of Pennsylvania have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed. In what they call the Logjam attack, the Diffie-Hellman flaw allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. Once the weak key exchange is broken, the attacker can read and change any data passed over the connection.

The problem, according to the researchers, is that millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as fresh key exchange values were generated for every connection. However, the first and most expensive step in the number field sieve, the most efficient known algorithm for breaking a Diffie-Hellman connection, depends only on the prime. Once that precomputation has been done for a given prime, an attacker can quickly break individual connections that use it.

To prove this hypothesis, the researchers carried out this computation against the most common 512-bit prime used for TLS and demonstrated that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT cipher suites.

They also estimated that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers.

There is speculation that this “flaw” has been exploited by nation-state actors. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with its having exploited the Logjam weakness.

What should you do?

1 – Go to the researchers’ website https://weakdh.org/ to see if your browser is safe from the Logjam flaw. (It reported that Google Chrome Version 43.0.2357.81 (64-bit) on OS X 10.10.3 was not secure.)

2 – Microsoft (MSFT) patched the Logjam flaw on May 12 with security bulletin MS15-055. A Microsoft spokesperson told eWEEK:

Customers who apply the update, or have automatic updates enabled, will be protected. We encourage all customers to apply the update to help stay protected.

3 – Google (GOOG) fixed the issue with the Chrome 42 update, which debuted on April 15. Google engineer Adam Langley wrote:

We disabled TLS False-Start with Diffie-Hellman (DHE) in Chrome 42, which has been the stable version for many weeks now.

4 – Mozilla’s patch for Firefox isn’t out yet, but “we expect it to be published in the next few days,” Richard Barnes, cryptographic engineering manager at Mozilla, told eWEEK.

5 – DarkReading reports that on the server-side, organizations such as Apache, Oracle (ORCL), IBM (IBM), Cisco (CSCO), and various hosting providers have been informed of the issue. There has been no response from these tech titans.

The researchers have also provided guidance:

  1. If you run a web or mail server, they recommend disabling support for export cipher suites and generating a unique 2048-bit Diffie-Hellman group. They have published a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions.
  2. If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman key exchange.
  3. If you’re a sysadmin or developer, make sure any TLS libraries you use are up to date, that servers you support use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024 bits.

rb-

Finally, get involved. Write someone, your representative, senator, your favorite bureaucrat, the president, your candidate, and tell them to get out of the way. 

Ars Technica notes that Logjam is partly caused by export restrictions put in place by the US government in the 1990s, which capped the strength of cryptography that could be shipped abroad so that government agencies could break the encryption used in other countries. “Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,” Michigan’s J. Alex Halderman said in the report. “Today that backdoor is wide open.”

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Wi-Fi Charges Up Ethernet

Information Technology prognosticator Gartner (IT) predicts that 40% of enterprises will use Wi-Fi as the default connection for mobile and non-mobile devices by 2018, according to Fred Donovan at FierceMobileIT. The prediction says that typically fixed-location devices like desktops, desk phones, projectors, and conference room equipment will use Wi-Fi as their primary connection, replacing Ethernet.

Gartner says Wi-Fi is facilitating BYOD. The enterprise Wi-Fi network now allows workers to choose any device and move anywhere in the workplace. Gartner argues that the introduction of security measures like 802.1X authentication augmented with Advanced Encryption Standard (AES) encryption has lessened IT’s worry about security breaches involving the Wi-Fi infrastructure. Ken Dulaney, V.P. and distinguished analyst at Gartner, said:

Ethernet cabling has been the mainstay of business workspace connectivity since the beginning of networking. However, as smartphones, laptops, tablets, and other consumer devices have multiplied, the consumer space has largely converted to a wireless-first world

Facilitating BYOD

As the first connection to the enterprise infrastructure, Wi-Fi brings workers the ability to choose any device and move anywhere without worry. VP Dulaney continued:

As bring your own device (BYOD) has increased in many organizations, the collision of the business and consumer worlds has changed workers’ demands

Furthermore, cabling systems, and even peer-to-peer (P2P) wireless cable-replacement technologies, have had to deal with a variety of connector challenges, such as USB and micro-USB, as video systems move beyond Video Graphics Array (VGA). The market research firm also argues that MACD (moves, adds, and changes) costs will decrease.

Additions, moves, and changes are costly inconveniences that waste time for enterprise IT organizations. A move can sometimes involve cabling changes that can cost as much as $1,000 … With Wi-Fi printers, desktops, and other devices, all that is required is a cable to the power source, leaving workers free to move themselves making reconfigurations of offices easier.

Because of the many benefits of Wi-Fi, Gartner VP Dulaney predicts firms are going to change how they connect:

we expect many organizations to shift to a wireless-by-default and a wired-by-exception model.

New Ethernet specifications

In order to deal with the new wireless-by-default reality, changes are needed on the wired network. Mr. Mah at FierceCIO reports that the vendor community is working to address the Wi-Fi-first world. Unfortunately, there are two industry groups pushing their own new Ethernet specifications. Mr. Mah says that new Ethernet standards are needed to keep up with Wave 2 802.11ac wireless access points (APs), which have a theoretical maximum throughput of up to 3.5Gbps.

New standards are needed because existing Gigabit Ethernet is a bottleneck and the current alternatives are not attractive. First, link-aggregating two Gigabit Ethernet connections for each Wi-Fi AP would need additional cabling and more expensive managed switches to support it. Using 10GbE would be overkill: upgrading to 10GbE is a significant investment that includes new Category 6a or Category 7 cables, more power, and more cabling.

One faction, the MGBase-T Alliance, was formed in June 2014 and includes Avaya, Aruba Networks (ARUN), and Brocade (BRCD), as well as component vendors Broadcom (BRCM) and Freescale Semiconductor. The other group, known as the NBase-T Alliance, was formed in October 2014. This faction consists of Cisco (CSCO), Intel, Xilinx (XLNX), Freescale, and Aquantia, a company that’s already making 2.5G/5G components.

Little agreement on standards

At the moment, the only agreement between the two factions is that 2.5Gbps and 5Gbps speeds are needed. The IEEE 802 LAN/MAN Standards Committee has set up the P802.3bz 2.5/5GBase-T Task Force to address this issue. The 2015 Q1 CommScope Standards Advisor reports that the 802.3bz committee has decided so far that:

  • the 2.5GBase-T option will run on Cat 5e (Class D) 4-pair UTP up to 100 m,
  • the 5GBase-T option will run on Cat 6 (Class E) 4-pair UTP up to 100 m, and
  • there is no release date yet.

The concern, however, is that vendors could jump the gun by shipping pre-standard products ahead of ratification, complicating matters and slowing down the development of the pertinent standards.

rb-

Remember 802.11n and its pre-standard products? There is no guarantee that systems built with components from the two groups will work together. Don’t jump the gun: wait for the standard to solidify before buying into new 2.5G/5G Ethernet networking hardware.

For now, Dell’Oro Group analyst Alan Weckel told FierceCIO that enterprises will probably be able to buy 2.5G/5G equipment starting in Q2 of 2015.


802.3bt More Power to the People’s Devices

Power over Ethernet (PoE) powers more than one million end devices today. To continue PoE’s success, the IEEE is answering the market’s demand for more power by developing 802.3bt, the third generation of PoE.

The first generation of PoE, 802.3af (2003), delivers 12.95 watts to the powered device. The second generation, 802.3at (2009), provides 25.5 watts to the equipment. The new version of PoE will address the need for higher-power PoE. The IEEE has proposed a new standard, 802.3bt, which promises to double the power output of the current 802.3at standard. The new 802.3bt standard, scheduled to be released in 2017, will also adjust PoE to work with 10GBase-T.

Cabling Installation & Maintenance Magazine provides an excellent overview of the new standard. They report that the IEEE 802 LAN/MAN Standards Committee, which develops and maintains networking standards like Ethernet, VLANs, and wireless LAN, is developing the new standard. The DTE Power via MDI over 4-Pair Task Force is working to specify a set of next-generation PoE specifications. The power levels likely to be delivered via 802.3bt will still work over twisted-pair cable, probably as a four-pair PoE specification, which could improve energy efficiency and deliver more power.

New POE Applications

Industry, application, and typical power consumption (via CommScope):

  • Healthcare: nurse call systems, 30-50W
  • Retail: point of sale systems, 30-60W
  • Banking: IP turrets, 45W
  • Building management: variable air volume controllers, access controllers, 40-50W
  • Enterprise IT: thin clients, virtual desktop terminals, 50W
  • Hospitality: PoE switches, 45-60W
  • Premise security: PTZ cameras, 30-60W
  • Industrial: brushless drives, motor control, >30W
  • Various: digital signage, >30W
  • Various: multichannel wireless access points, >30W

The new PoE standard will support 10GBase-T, which uses all four pairs to send data. That forces the IEEE 802.3bt committee to work out how to keep the power from interfering with the data on the same wires while supplying a minimum of 49 watts at the powered device. One of the key parameters the article mentions is limiting pair-to-pair current imbalance.

Other goals for the 802.3bt standard are backward compatibility with “af” and “at” and increased energy efficiency. According to the article, a global move to 4-pair PoE systems would create potential energy savings of 60.8 million kilowatt-hours annually, which would avoid the greenhouse gases from burning 66 million pounds of coal.

Paul Vanderlaan, technical manager of cable maker Berk-Tek – Nexans’ advanced design and applications lab, and other cabling-industry technical experts believe that 802.3bt’s support of 10GBase-T means that the minimum twisted-pair cabling system requirement will increase. To support 10GBase-T, it seems likely that a Category 6A system will be the recommendation. The author notes that the IEEE does not address cabling performance; that is the focus of groups like the TIA or ISO/IEC.

The transition to the new PoE standard will not be simple. CommScope published a white paper that explains:

… Category 5e cabling only provides the minimum level of performance required. Therefore, it is recommended to use Category 6 or Category 6A cabling-preferably solutions … 

Berk-Tek’s Vanderlaan explained why Category 6A cabling is the preferred system. He summarizes the electrical-engineering calculations:

As a general rule, increased copper content, or larger gauge size, will aid in power delivery … when you migrate … you should see larger gauge sizes and more copper content.

Under the new standard users will have to pay attention to new cabling-system performance characteristics like DC resistance unbalance and pair-to-pair resistance imbalance. The higher currents, up to 1 full amp (1,000 milliamps), will present challenges to performance requirements. Mr. Vanderlaan told Cabling Installation & Maintenance Magazine:

For users, cable selection will be based not just on the speed that can be supported, but rather on speed as well as power delivery. What you simply plug in today, you may want to also power in the future.

A new challenge cable plant owners will have to consider is heat. CommScope explains that heat generated within bundles of cables supporting IEEE 802.3bt could rise enough to affect performance.

… the temperature of the cabling will rise due to heat generation in the copper conductors  … the temperature of the cable bundle higher than the ambient temperature of the surrounding environment … The IEEE 802.3bt four-pair PoE standard is expected to assume a maximum temperature rise of 10 degrees Celsius (50 degrees F) when all four pairs are energized … the ambient temperature should not exceed 50 degrees Celsius (122 degrees F) … CommScope recommends Category 6A cabling for four-pair PoE applications. Because increased thermal loading can also increase insertion loss, the maximum cable length should be de-rated for higher temperatures, per ANSI/TIA-568-C.2.

Several vendors have already released pre-standard device-powering systems to meet users’ current needs.

As in the pre-PoE-standard days, Cisco (CSCO) has marketed proprietary PoE systems; since 2011 its Universal Power Over Ethernet (UPOE) technology has delivered 60 watts of power to devices from the Catalyst 4500E. Those devices include Cisco IP phones, personal telepresence systems, compact switches, and wireless access points.

Also, the non-standard Power over HDBase-T (PoH) was introduced by the HDBase-T Alliance, a trade group that promotes and standardizes HDBase-T technology for whole-home distribution of uncompressed high-definition (HD) multimedia content. This system delivers up to 100 watts of power to TVs and other devices over distances up to 100 meters/328 feet via one Category 5e or 6 cable with standard RJ45 connectors.

rb-

The new standard is a welcome addition to the toolkit. Cost savings is one of the appeals of PoE: on many projects, low-voltage contractors can do the PoE work rather than electrical contractors. If the new system pushes the maximum to 75W at the device, as some predict, will there be a backlash from the electrical contractors and authorities having jurisdiction? Time will tell.

In the meantime, the article says owners and managers should check their current infrastructure with an eye toward how the next generation of devices might be powered via more-capable PoE technology.

Of course, it is always a good idea to pull out your acceptance documentation to understand the installed cable base and the likelihood that the cable has the electrical performance characteristics required to support the next generation of PoE.


UMich Helps Secure the Web with Let’s Encrypt

The University of Michigan is teaming up with leading Internet firms to help secure the web. UMich, Cisco (CSCO), Akamai (AKAM), Mozilla, the Electronic Frontier Foundation, and public-key certificate authority IdenTrust have launched a new free certificate authority (CA) called Let’s Encrypt.

The Let’s Encrypt CA will be available in the summer of 2015. It aims to get people to encrypt connections to their websites, according to a recent GigaOM article. Let’s Encrypt’s goal is to make it easier to get a proper Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate, so that certs can be deployed to secure a web server and its users.

Let’s Encrypt will help secure the Internet

According to the article, Let’s Encrypt comes as the tech industry scrambles to encrypt the web, something that has become more urgent after the mass surveillance revelations of NSA leaker Edward Snowden. The CA will aid other efforts to secure the Internet.

Let’s Encrypt is developing the Automated Certificate Management Environment (ACME) protocol, which will sit between web servers and the CA. It includes support for new, stronger forms of domain validation.

Let’s Encrypt will serve as its own root CA, run by the nonprofit public-benefit corporation Internet Security Research Group (ISRG). Josh Aas, the executive director of ISRG, explained that securing the web is not simply a matter of switching on Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). He explains that getting, paying for, and installing a certificate is too hard for many network administrators.

The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you’re actually talking to is the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update.

According to the statement, Let’s Encrypt’s certificates will be free, and it will have an automated issuance and renewal protocol that is an open standard, a step toward reducing the need for manual input on the domain holder’s side. According to an EFF blog post, “switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.”
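The “one command” rests on the domain validation step the ACME protocol automates. The script below is an added example, not Let’s Encrypt’s or ISRG’s code, and it follows the HTTP-01 challenge as ACME was later standardized (RFC 8555), using the JWK thumbprint of RFC 7638. The CA hands the client a random token; the client publishes `token.thumbprint(account key)` at `/.well-known/acme-challenge/token`; the CA fetches it and checks that the body matches what the requesting account could have produced. The web server and the CA’s HTTP fetch are simulated in-process, and the account keys are constructed placeholders (valid JWK member names, filler bytes for `n`), not real RSA keys.

```python
"""Toy HTTP-01 challenge round trip: how an ACME CA ties proof of domain control
to the requesting account's key.

Added example, not Let's Encrypt's or ISRG's code. Follows the HTTP-01 challenge
of RFC 8555 and the JWK thumbprint of RFC 7638. The web server and the CA's HTTP
fetch are simulated in-process; the account keys are constructed placeholders.
"""
import base64
import hashlib
import json

ACME_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, in lexicographic
    order, with no whitespace. Optional members such as 'kid' must not affect it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint: the body the web server must publish for the token."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class WebServer:
    """Stand-in for the server being certified: a dict of path -> body."""

    def __init__(self):
        self.files = {}

    def provision_challenge(self, token: str, account_jwk: dict) -> None:
        self.files[ACME_PATH + token] = key_authorization(token, account_jwk)

    def get(self, path: str):
        return self.files.get(path)


def ca_validate_http01(server: WebServer, token: str, account_jwk: dict) -> bool:
    """The CA's side: fetch the token URL and compare against what the account
    that requested the challenge should have been able to produce."""
    body = server.get(ACME_PATH + token)
    return body is not None and body.strip() == key_authorization(token, account_jwk)


# Constructed placeholder account keys: kty/e are real JWK members, n is filler bytes.
LEGIT_ACCOUNT = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 65)))}
ATTACKER_ACCOUNT = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(65, 129)))}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token


def demo() -> dict:
    """Provision the challenge for the legitimate account and show who passes."""
    server = WebServer()
    server.provision_challenge(SAMPLE_TOKEN, LEGIT_ACCOUNT)
    return {
        "legit_passes": ca_validate_http01(server, SAMPLE_TOKEN, LEGIT_ACCOUNT),
        # Same token, same file on the server, but a different ACME account key:
        "attacker_passes": ca_validate_http01(server, SAMPLE_TOKEN, ATTACKER_ACCOUNT),
        "wrong_token_passes": ca_validate_http01(server, "not-the-token", LEGIT_ACCOUNT),
    }


if __name__ == "__main__":
    print(demo())
```

The thumbprint in the published body is what makes the check stronger than a bare token echo: someone who can drop a file on the server but does not hold the ACME account key that requested the challenge cannot get a certificate issued to their own account.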

Records of certificate issuance and revocation will be publicly available. The organizations behind Let’s Encrypt are stressing that the system won’t be under any one organization’s control.

The EFF has been working on helping users take advantage of HTTPS for a while. The EFF worked with the Tor Project to create the HTTPS Everywhere extension for Firefox, Firefox for Android, Chrome, and Opera.

The Let’s Encrypt project will use Internet-wide datasets of certificates to make higher-security decisions about when a certificate is safe to issue. The data will include the EFF’s Decentralized SSL Observatory, the University of Michigan’s scans.io, and Google‘s (GOOG) Certificate Transparency logs.

In addition to the Let’s Encrypt project, some of the paths to secure the web include:

  • The next version of the HTTP protocol will likely be encrypted by default.
  • Mozilla is collaborating with the EFF to bring Microsoft, Google, Opera, and others on board to add Let’s Encrypt to their lists of trusted CAs.
  • Google will rank sites that use SSL/TLS encryption higher.
  • The content delivery and security outfit Cloudflare is offering free SSL encryption for millions of its customers.
  • And now Let’s Encrypt aims to equip websites with free certificates – the proof they need to tell users’ browsers that their public encryption keys are genuine and the connection is properly secured.

rb-

Many websites still use plain HTTP, a choice that exposes site owners and their users to threats including cyber espionage, keyword-based censorship, and account hijacking. Let’s Encrypt helps reduce those transport-level risks, which I think is a good step in the right direction. It does not, by itself, stop application-layer attacks such as SQLi and XSS; those still have to be fixed in the application.

A Wired writer argues that Let’s Encrypt does not go far enough and wants the project not only to encrypt data but also to authenticate users. IMHO that is a pipe dream. Authentication would step on the toes of Symantec, Oracle, and other hugely funded firms that will squash anybody doing the right thing that threatens their profits.


Instagram Purge

Just in time for the holidays, online time-waster Instagram cleansed itself of several million fake followers. The photo-sharing service warned all of its “users” that it was going to delete fake accounts and, lo and behold, it actually did. The inevitable whining from the entitled generation ensued as their followers, née spambots, were deleted one by one.

The moaning, wailing, and gnashing of teeth came from LA-LA Land and its faux-lebrities whose “followers” disappeared overnight. According to the site 64px.com (bravo, sir!), the biggest loser was Instagram itself, which lost nearly 19 million fake followers. The biggest faux-lebrity losers (and click-bait) in the #InstagramRapture, according to the site, are:

Rank, account, followers that disappeared, and the share of the account’s followers that represents:

  1. Instagram: 18,880,211 (29.44%)
  2. justinbieber: 3,538,228 (14.86%)
  3. arianagrande: 1,529,206 (7.03%)
  4. kimkardashian: 1,300,963 (5.53%)
  5. selenagomez: 1,116,032 (5.70%)
  6. kendalljenner: 906,897 (5.32%)
  7. kyliejenner: 826,529 (5.28%)
  8. beyonce: 831,971 (3.75%)
  9. khloekardashian: 748,269 (4.70%)
  10. taylorswift: 725,379 (4.39%)
  11. mileycyrus: 711,898 (5.03%)
  12. snookinic: 378,116 (7.28%)

It was not only the denizens of LA-LA Land that were hit by the Instagram purge; several businesses also lost large numbers of bogus fans. Besides Instagram, the biggest business losers include:

  • natgeo lost nearly 289,000 followers
  • nike lost over a quarter of a million spambot followers
  • forever21 lost 245,210 followers
  • the nba account lost 195,531 fake fans, and
  • louisvuitton lost 106,740 bogus followers

rb-

I wrote about another social media “issue” when Cisco was reportedly buying followers on Twitter. Maybe Cisco has been selling its followers to the tweenies on Instagram.

We can hope that the #InstagramRapture teaches the entitled generation that life is not fair, especially when your friends are spambots. Go outside, talk to people, learn a programming language, stop supporting reality TV and porn actors.
