Exaggerated Cybercrime | TechSNAP 54

We bust some Cybercrime propaganda, give you the scoop on a fresh openSSL vulnerability, and answer a common audience question.

All that and much more, on this week’s TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offer: $5.99 .coms, up to 5 domains! just use our code 599com7

Want to save money on your entire order? Use our code spring7 and save 15%!

Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Support the Show:

Show Notes:

OpenSSL Vulnerability

  • Two developers from the Google Security Team found a flaw in OpenSSL and contributed the fix
  • The flaw affects all versions of OpenSSL before 1.0.1a, 1.0.0i or 0.9.8v
  • Official Announcement
  • Full Disclosure
  • The vulnerability is in the way OpenSSL handles DER encoded data, which can cause a heap overflow and memory corruption
  • CVE Entry
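The show note above says the flaw is in how OpenSSL handles DER-encoded data and that it leads to a heap overflow. The class of bug behind that description is a decoder trusting a length field it has not checked against the bytes actually available. The following is an added example (not OpenSSL's code and not the patched routine) of a small DER TLV parser that performs that check before every read; the sample inputs are constructed here and do not come from the advisory.

```python
"""Bounds-checked DER TLV parser: every length is checked against the bytes
that actually remain before it is used (added example, not OpenSSL's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class DERError(ValueError):
    """Raised for any encoding that would read past the buffer or is not DER."""


@dataclass
class TLV:
    tag: int
    value: bytes
    children: List["TLV"] = field(default_factory=list)


def read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise DERError("truncated: missing length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one byte, 0..127
        return first, pos
    if first == 0x80:                     # BER indefinite length, illegal in DER
        raise DERError("indefinite length is not DER")
    n = first & 0x7F                      # long form: n following bytes hold the length
    if n > 4:                             # cap chosen for this example (assumption)
        raise DERError("length-of-length too large")
    if n > len(buf) - pos:
        raise DERError("truncated: length bytes missing")
    if buf[pos] == 0:
        raise DERError("non-minimal length encoding")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if length < 0x80:
        raise DERError("long form used for a length that fits the short form")
    return length, pos + n


def parse(buf: bytes, pos: int = 0, end: Optional[int] = None) -> List[TLV]:
    """Parse all TLVs in buf[pos:end], recursing into constructed types."""
    if end is None:
        end = len(buf)
    items = []
    while pos < end:
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:
            raise DERError("multi-byte tags not supported in this example")
        length, pos = read_length(buf, pos)
        # The check that prevents an over-read or over-copy: compare the claimed
        # length with what remains (end - pos) instead of computing pos + length,
        # which in C can wrap around and slip past a naive comparison.
        if length > end - pos:
            raise DERError(f"length {length} exceeds the {end - pos} bytes remaining")
        value = buf[pos:pos + length]
        children = parse(buf, pos, pos + length) if tag & 0x20 else []
        items.append(TLV(tag, value, children))
        pos += length
    return items


def is_valid_der(buf: bytes) -> bool:
    """True if the whole buffer parses without any length escaping it."""
    try:
        parse(buf)
        return True
    except DERError:
        return False


# Constructed sample inputs (not taken from the advisory):
GOOD = bytes([0x30, 0x06, 0x02, 0x01, 0x05, 0x04, 0x01, 0x41])  # SEQUENCE { INTEGER 5, OCTET STRING "A" }
OVERSIZE = bytes([0x04, 0x84, 0x7F, 0xFF, 0xFF, 0xFF, 0x41])    # OCTET STRING claiming ~2 GiB, 1 byte present
TRUNCATED = bytes([0x30, 0x06, 0x02, 0x01])                     # SEQUENCE whose body stops early

if __name__ == "__main__":
    print(parse(GOOD))
    for sample in (OVERSIZE, TRUNCATED):
        print(is_valid_der(sample))
```

The two things worth copying into any native decoder are the order of operations (validate the length against the remaining bytes before touching the payload) and the form of the comparison (`length > remaining`, never `pos + length > end`, because the addition is where integer wraparound hides in C).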

US Unhappy With Australians Storing Data On Australian Shores

  • The US trade representatives specifically took issue with statements by the Australian Department of Defence, which has been making negative comments about various cloud providers based outside of Australia, implying that “hosting data overseas, including in the United States, by definition entails greater risk and unduly exposes consumers to their data being scrutinized by foreign governments.”
  • The issues first arose when the AU government started considering storing data in the cloud
  • The privacy commissioner raised many concerns about the security of the data in foreign hands, and also about the government's inability to legislate against foreign service providers
  • More coverage

Cybercrime Massively Over-Reported, Statistics Totally Unrealistic

  • Some reports claim that losses due to cybercrime could be as much as $1 Trillion US Dollars
  • Most cybercrime estimates are based on surveys of consumers and companies, and are very unreliable
  • Normal statistical polling works well for opinion questions, such as political polling, but the same method does not work for questions about a value (such as money lost): there are no negative values to cancel out the outliers, so when the sample is extrapolated to the whole population the outliers produce a large upward bias
  • In a 2006 survey of identity theft by the Federal Trade Commission, two respondents gave answers that, when extrapolated to the entire population, would have added $37 billion to the estimate, dwarfing that of all other respondents combined
  • Numbers are also exaggerated because the same pool of gullible and unprotected users is repeatedly targeted, which leads to diminishing returns for the criminals; the unreliable statistical models do not take this into consideration
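The mechanism behind the FTC example above (two answers swamping everyone else) is simply that a mean-based extrapolation multiplies each respondent's answer by population/sample_size, and a loss survey has no negative answers to pull the mean back. The following is an added example with constructed numbers (not the FTC's data): it scales up a sample with two very large answers and compares the mean-based estimate with a median-based one.

```python
"""Why value surveys extrapolate upward: one huge answer is multiplied by
population/sample_size, and nothing on the low side can offset it
(added example with constructed numbers, not the study's data)."""
from statistics import median
from typing import Dict, Sequence


def estimate_from_mean(sample: Sequence[float], population: int) -> float:
    """The usual survey method: mean reported loss times population size."""
    return sum(sample) * population / len(sample)


def estimate_from_median(sample: Sequence[float], population: int) -> float:
    """A robust alternative: the median does not care how large the top answers are."""
    return median(sample) * population


def contribution(answers: Sequence[float], sample_size: int, population: int) -> float:
    """Dollars a subset of answers adds to the mean-based estimate."""
    return sum(answers) * population / sample_size


# Constructed sample: 998 people report $0..$200, two report $1,000,000 each.
TYPICAL = [i % 201 for i in range(998)]
OUTLIERS = [1_000_000, 1_000_000]
SAMPLE = TYPICAL + OUTLIERS
POPULATION = 1_000_000   # constructed population the sample is scaled up to


def summary() -> Dict[str, float]:
    """All four figures for the constructed sample."""
    return {
        "mean_based": estimate_from_mean(SAMPLE, POPULATION),
        "median_based": estimate_from_median(SAMPLE, POPULATION),
        "added_by_two_outliers": contribution(OUTLIERS, len(SAMPLE), POPULATION),
        "everyone_else": contribution(TYPICAL, len(SAMPLE), POPULATION),
    }


if __name__ == "__main__":
    for name, dollars in summary().items():
        print(f"{name:>22}: ${dollars:,.0f}")
```

With these numbers the other 998 respondents account for about $99 million of the extrapolated figure and the two outliers add $2 billion to it, while the median-based estimate stays at roughly $99.5 million; that gap is the upward bias the show note describes.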

Feedback:

Q: Simon asks about running multiple servers behind a single IP address

A:

  • NAT may be the best answer, especially if you need NAT anyway for the 3 servers to connect out to the internet in the first place
  • You can forward the traffic using something like ‘balance’ or ‘HAProxy’, however the disadvantage to this over NAT is that the internal machines will see the source IP as the LAN IP of the internet facing machine, whereas with NAT they will see the original source IP address
  • For web traffic, HTTP (80) and HTTPS (443), you can use nginx and Apache mod_rpaf to pass the original source IP to the internal Apache server(s)
  • FreeBSD’s IPFW firewall has the ‘forward’ command, however this does not rewrite the headers of the packet, so the server that receives the forwarded packet needs to know what to do with it
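The proxy answer above hinges on the original source IP being carried in a header (nginx's `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` is the usual way to add it) and on the internal server trusting that header only when it came from the proxy. Otherwise any client can send its own X-Forwarded-For and appear to come from wherever it likes, which matters for logs, rate limits and access control. The following is an added example (not mod_rpaf's code) of the backend-side rule; the trusted network and addresses are constructed.

```python
"""Recover the real client address behind a reverse proxy without letting
clients spoof it (added example; mod_rpaf's trusted-proxy list serves the
same purpose, and this code is not taken from it)."""
import ipaddress
from typing import Iterable, List, Optional


def _is_trusted(ip: str, trusted: List[ipaddress._BaseNetwork]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def client_ip(peer_ip: str, xff: Optional[str], trusted_proxies: Iterable[str]) -> str:
    """peer_ip: address of the TCP connection the backend accepted.
    xff: the X-Forwarded-For header exactly as received, or None.
    Returns the rightmost address in xff that is not a trusted proxy, or the
    peer itself when the header cannot be trusted."""
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    # Rule 1: a header arriving from an untrusted peer is client-controlled; ignore it.
    if not xff or not _is_trusted(peer_ip, trusted):
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Rule 2: walk from the right, because each proxy appends the address it
    # saw; anything left of the first untrusted hop was written by the client.
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop, trusted):
                return hop
        except ValueError:
            return peer_ip            # malformed entry: do not guess
    return hops[0] if hops else peer_ip   # every hop is one of our own proxies


# Constructed setting: the internet-facing box and its LAN live in 10.0.0.0/8.
TRUSTED = ["10.0.0.0/8"]

if __name__ == "__main__":
    print(client_ip("10.0.0.2", "198.51.100.7", TRUSTED))                # via our proxy
    print(client_ip("203.0.113.10", "198.51.100.7", TRUSTED))            # direct, header ignored
    print(client_ip("10.0.0.2", "127.0.0.1, 198.51.100.7", TRUSTED))     # client-supplied prefix dropped
```

The same two rules are what you are configuring when you give mod_rpaf (or nginx's real-IP handling) an explicit list of proxy addresses: with no such list the original-source-IP feature turns into a spoofing channel, and with an overly wide list (for example trusting every address in the LAN when clients can reach the backend directly) the result is the same.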

War Story:

Mike sends in his own IBM war story:

After hearing so many war stories from the Other Other Alan, I decided to add one of my own IBM war stories.
I’ve been a contract employee from IBM since 1997. Early in 2000 I and 4 other guys were assigned to a new Network Operations Outsourcing Center. The basic idea was that we four would perform network operations for customers, small/medium businesses external to IBM. Our first customer was a textile company with facilities scattered across the continental US from Georgia to California. IBM sales sold the company a package of software, hardware and services which included IBM Tivoli and Netview monitoring that we were to use to do our monitoring and maintenance of their network.

So, as was always the case back then IBM had specialists who would go out in the field and perform installs and configuration for the customer (in this case us) and then we would be responsible for maintaining it. The initial install took nearly a week with a couple of days of training. Now imagine all the oohs and ahs as all this was running on three HUGE IBM Netfinity 5500 Quad PIII Beasts running Windows NT server and the technicians were explaining all the bells and whistles including event correlation and intelligent discovery. Two days after they left, the database crashed. Well, we couldn’t be down with no method of monitoring the customer’s systems. So we took an old copy of “What’s up Gold” and installed it on the only spare hardware we had, a Thinkpad 765. So, as IBM repeatedly sent out technicians to fix one thing or another with the Tivoli environment, or the Oracle database from Hell, we chugged on for an entire year monitoring 40-odd NT servers and an equal amount of network hardware…from a little old Pentium 166 laptop, while untold thousands of dollars worth of software and hardware sat almost unused until it was disassembled at the end of the contract.

Round-UP:

Question? Comments? Contact us here!