
eWeek




Cisco Merges Spark, Webex Collaboration Apps to Streamline Meetings

Daily Video: Cisco merges Spark into Webex for streamlined collaboration, and Cloud Foundry steps up as a de facto standard for cloud-native development.





SAP at Risk From Configuration Vulnerability, Onapsis Reports

SAP users are being advised by security firm Onapsis to review their software configuration settings to mitigate the risk of a default setting that could expose all SAP implementations to exploitation by attackers.

Onapsis released a report on April 26 detailing the configuration vulnerability, which affects SAP NetWeaver, a foundational component for running many SAP applications, including ERP and S/4HANA. According to Onapsis, the default configuration for NetWeaver allows hackers to remotely attack a NetWeaver instance without authentication, gaining unrestricted access to all of the information on the system.

In a video interview with eWeek, Juan Perez-Etchegoyen, CTO of Onapsis, discusses what the vulnerability is all about and why—despite his firm raising the alarm now—it's not a new issue.

According to Perez-Etchegoyen, the configuration issues his firm discovered were actually identified by SAP in a series of security notes published in 2005. An SAP security note is a document that includes recommended best practices for configuration and deployment. The problem is that even though SAP documented the issue 13 years ago, the recommended setting is not the default configuration, and many organizations haven't made the change.

In fact, according to Onapsis' research conducted over the course of 2017, 90 percent of the SAP systems surveyed were at risk from the NetWeaver configuration flaw.

Perez-Etchegoyen said the configuration flaw is in the NetWeaver Message Server,...





Seven Must-Haves for Any Enterprise SD-WAN System

1 of 10: Seven Keys to Unleashing the Full Potential of an SD-WAN System

Within two years, about 25 percent of users will manage their wide-area networks through software, creating a $1.3 billion market by 2020, Gartner estimates. In turn, this is creating an SD-WAN market that is crowded with vendors large and small, making it difficult for end users to determine which solution will deliver on the promised benefits of network agility and cost savings. Unfortunately, too many enterprises have had to revisit their choice of SD-WAN vendor midway through deployment or have simply decided to go through the painful process of modifying their networks to accommodate their chosen SD-WAN solution. To avoid these scenarios, eWeek in this slide show offers industry advice from 128 Technology's co-founder and COO, Patrick Melampy, who tells organizations to check these SD-WAN boxes.

2 of 10: Centralized Policy Management and Orchestration

An SD-WAN solution needs to work across a hybrid network architecture consisting of global and regional networks, branch and remote offices, and clouds (AWS, Azure, GCP). It must be able to work across network boundaries, deal with firewalls, switch paths as needed and establish policies across various networks without requiring complex out-of-band routing protocols or involvement of a central controller every time.

3 of 10: Zero Trust Security

Secure networks are fundamental to a successful business operation; no user, tr...





Gmail Update Helps Protect Businesses From Malicious Messages

The new release of Gmail, which became available on April 25, is aimed primarily at Google's G Suite customers, but individuals with Gmail accounts will see the same improvements. The changes include a refreshed interface along with side panels that offer access to other features, such as the calendar and a to-do list. Other, more important features aren't so obvious. The new security features mostly run in the background and won't appear until you need them. Other features are less obvious because they're not actually part of Gmail yet; Google said in its announcement that they will appear in the future. Gmail users can take a look at the new features that are available now by going to Gmail's settings and clicking on the trial of the new Gmail.

The most important features for business allow an email sender to control what happens to the message after it's delivered. There's an information rights management feature that allows the sender to prevent the email from being forwarded, printed, downloaded or copied. This effectively closes a significant security hole that affects Gmail, as well as a number of other mail clients. Also important are phishing protections that are intended to flag business email compromise (BEC) as well as spoofing attacks. The updated Gmail will also flag untrusted senders. Suspected phishing emails are flagged with a prominent red notice that the email is suspicious. While such a notice won't eliminate the nee...





Apple Patches iOS, macOS for Multiple Issues Including QR Code Flaw

Less than a month after its last set of security updates, Apple released a new set of security patches for both iOS and macOS on April 24.

For its iOS mobile operating system, Apple has released version 11.3.1; on the desktop, the update is identified as Security Update 2018-001 for macOS High Sierra 10.13.4. For iOS, Apple patched a total of four vulnerabilities, while patching two issues in macOS, with an additional two patches in the Safari 11.1 browser update.

Among the most impactful issues is one identified as CVE-2018-4187, which is a flaw in the LinkPresentation component in both iOS and macOS.

"Processing a maliciously crafted text message may lead to UI spoofing," Apple warns in its advisory. "A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation."

Although Apple's advisory provides few details, the actual spoofing issue was in the QR code reader capabilities. On March 24, security researcher Roman Mueller publicly reported the flaw, which he labeled as a QR code URL parser bug. According to Mueller, both the URL parser in iOS and the one used in macOS could be manipulated to show a different hostname in the notification window for a QR code scan than what actually is opened in Safari.

Memory corruption

Apple also patched multiple memory corruption issues that impact iOS and macOS. Two of the memory corruption issues were reported to Apple by security researchers from Google's Project Zer...





Cisco Merges Its Spark, Webex Collaboration Platforms

Today's topics include Cisco merging Spark into Webex for streamlined collaboration, and Cloud Foundry stepping up as a de facto standard for cloud-native development.

Cisco Systems announced last week that it is merging its Spark and Webex collaboration services to create a single offering. The merging of the two platforms means that users will have a single platform for all the collaboration needs that previously were split between the two, which Cisco officials said will streamline meetings, making them easier to run and more secure.

According to Cisco Fellow Jonathan Rosenberg, all meetings will leverage the Webex backbone through servers housed both in Cisco data centers and in the public cloud and the Webex network. "This means that customers get the best quality, lowest latency experience possible," he said.

The merging of the products also improves security by ensuring that all Webex Teams users are connected to a single, shared cloud instance without guest accounts.

Docker and Kubernetes are well-known de facto standards for container formats and container orchestration in building and deploying modern cloud-native applications. However, there is a third de facto standard that is changing the future for a lot of enterprises moving to the cloud—open-source developer platform Cloud Foundry.

At its fourth North American summit last week in Boston, Cloud Foundry executives and partners talked up how fast the ecosystem is growing and about how much fa...





Microsoft Windows Server 2019 Test Build Offers More Failover Options

Businesses that are planning to place critical workloads on Windows Server 2019 will have new ways of configuring their high-availability setups.

In test build 17650 of the upcoming server operating system, Microsoft has added a new capability that streamlines the process of migrating server clusters between domains. The system software is available now for evaluation and feedback purposes via the Windows Insider early-access program.

Enterprises are often forced to move clusters to another domain when one company acquires another, explained Microsoft's Dona Sarkar, head of the Windows Insider program, and senior program manager Brandon LeBlanc, in an April 24 blog. Another typical scenario involves organizations that build their server clusters in a main office and ship them to other locations.

"Moving a cluster from one domain to another has always been a daunting task because you must destroy the cluster to move it," Sarkar and LeBlanc said. "Depending on the roles in the cluster, that role must also be removed and recreated."

In Windows Server 2019, the PowerShell command-line tool will allow users to quickly move their clusters between domains in a much less destructive and time-consuming manner. Using two new PowerShell cmdlets, New-ClusterNameAccount and Remove-ClusterNameAccount, administrators can complete the process in fewer steps. A commandlet, or cmdlet, is a lightweight command used to perform a single function in PowerShell.

Microsoft also ...





Major Gmail Redesign Includes New Security, Productivity Features

Google has introduced new security and productivity features in Gmail as part of one of the most comprehensive updates ever to the popular email service. The updates include a brand new look for Gmail on the web and a new feature called Tasks for tracking deadlines, keeping on top of to-do lists and organizing work. For consumers and for the four million paying businesses that use Gmail as part of their subscription to Google's G Suite, the biggest update is a new Gmail confidential mode for protecting sensitive content.

Confidential mode gives Gmail users a way to create expiration dates for email or to revoke previously sent email. In addition, it gives users a way to require additional authentication—via text message—before a recipient can view certain emails. The feature ensures that emails containing sensitive data remain protected even if the recipient's email account has been compromised, Google's vice president of product management David Thacker wrote in a blog announcing the Gmail redesign April 25. The newly updated Gmail now also contains integrated information rights management controls that give users a way to prevent sent emails from being forwarded, copied, downloaded or printed. The goal is to mitigate the risk of emails containing confidential information—such as Social Security numbers—being accidentally or deliberately shared with those not authorized to view it. The newly redesigned Gmail will also serve up bigger, bolde...





10 Digital Password Managers That Let You Forget Your App Logins

1 of 12: 10 Password Managers to Keep Credentials Out of Hackers' Hands

Digital password managers have become a critical component in managing the security of computer systems. With hackers targeting user credentials more than ever, internet users need to create strong passwords for all of their digital accounts. But remembering unique alphanumeric passwords featuring special characters for every account is nearly impossible. This makes digital password managers essential tools. They store all of a person's hard-to-remember passwords in one place and make those credentials accessible with a single username-password combination. Better yet, many of the services work on a variety of platforms, including desktops and mobile devices, and will synchronize credentials across all of those devices.

2 of 12: 1Password

With 1Password, both consumers and corporate users have the ability to store passwords, credit card information and secure notes inside the app's vault. The service also includes a password generator, so users can create unique and hard-to-decipher credentials for all their accounts. For $2.99 per month, individuals can sign up and use 1Password across mobile and desktop systems. The family version costs $4.99 per month, and corporate users can get access to 1Password for as little as $3.99 per user per month.

3 of 12: LastPass

Like many of the others, LastPass is available in both a personal and a business version. The service works on desktop an...





Malicious Amazon Alexa Skills Can Record Everything a User Says

On April 25, security firm Checkmarx publicly disclosed that it has found that a malicious developer can trick Amazon's Alexa voice assistant technology into recording everything a user says.

At this time, it's not clear if any hackers have ever exploited the flaw, which is not in the Amazon Echo hardware but rather is an abuse of functionality in the Alexa Skills feature set. Developers can extend Alexa's technology by building skills that provide new functionality for end users. Checkmarx found that there were several unbounded parameters available to Alexa skills developers that could have enabled a malicious developer to record and even transcribe what a user says, even after the user had finished communicating with the device.

"Customer trust is important to us, and we take security and privacy seriously," an Amazon spokesperson wrote in an email to eWeek. "We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do."

This isn't the first time a security researcher has raised the alarm about the potential for using Alexa-powered devices to eavesdrop. In August 2017, security researcher Mark Barnes with MWR Labs released a report on a similar risk, although an attacker would need physical access to the device. In the Checkmarx research, an attacker could manipulate an Alexa skill, which can be installed by unsuspecting users and doesn't require any physical access or tampering with ...





Juniper Unveils Platform to Help Businesses With Multicloud Management

Juniper Networks officials are looking to ease the path for enterprises adopting a future that involves running workloads on multiple cloud environments, and are using their new Contrail Enterprise Multicloud platform as a foundational element of that strategy.

The platform is designed to give companies a single tool for orchestrating, managing and controlling workloads running in a broad array of scenarios, from physical and virtual environments within their data centers to multiple public clouds. With Contrail Enterprise Multicloud, users can manage overlays and fabrics and orchestrate virtual machines (VMs), containers, networking devices, security, public and private clouds, and bare metal servers.

The product also offers analytics capabilities; infrastructure performance monitoring of data center networking systems, cloud infrastructures and applications; and the ability to predict and remediate issues in real time, according to officials.

"This means you can manage workloads on-premises and in the cloud," Bikash Koley, executive vice president and CTO at Juniper, wrote in a post on the company blog. "In the public cloud, they can run on AWS [Amazon Web Services], Azure and GCP [Google Cloud Platform]. Those workloads can run on VMs or containers. And you can manage the overlay along with the underlay that might span Juniper Networks and other equipment. You can provision, execute workflows and monitor everything end-to-end, regardless of where the devic...








How IBM Views Cyber-Security and Artificial Intelligence

Some companies have a single CTO, but IBM isn't just any company. IBM has multiple CTOs spread across its organizational chart. Among them is Sridhar Muppidi, who serves as VP and CTO of IBM Security.

In a video interview with eWeek, Muppidi discusses what the role of CTO entails at IBM Security. He also provides insight into how cyber-security is viewed across IBM and what IBM Security specifically is tasked with accomplishing.

"IBM Security is a division that focuses on keeping the bad guys out and good guys in, it's as simple as that," Muppidi said.

Muppidi added that IBM Security is also tasked with understanding different threats and the risks they present to organizations. The other component of IBM Security is working to help enable business transformation to take place.

While security can be a standalone product and it can also be a feature inside of a product, in Muppidi's view, security is really about more than being either a product or a feature.

"It's a discipline," Muppidi said about security. "It's a discipline that can be morphed into a program, a set of practices, solutions and products."

Artificial intelligence

IBM Security has been spending an increasing amount of time looking at artificial intelligence in recent months, and the company discussed new adversarial AI research at the recent RSA Conference event. Muppidi said that there are a number of things that can be done to help improve the security of AI. Having trusted data sources is...





Percona Launches Updated MongoDB Server, Bolsters MySQL Encryption

Open-source server specialist Percona is branching out yet again.

After establishing a reputation for MySQL server solutions, the Raleigh, N.C., technology firm released in 2015 its Percona Server for the popular open-source MongoDB database. The following year, it rolled out the second version of its product, for MongoDB 3.2. Today, the company is at it again with Percona Server for MongoDB 3.6.

On April 24, coinciding with the Percona Live conference in Santa Clara, Calif. (April 23-25), the company announced the general availability of the solution, featuring updates and enhancements found in MongoDB Community Edition 3.6.

Percona's bet on MongoDB appears to have paid off. Two years ago, 30,000 users had downloaded Percona Server for MongoDB since its initial launch in the fall of 2015. Today, the company reported that the software had been downloaded 300,000 times.

New features include retryable writes, which allow data to be written to the database when network issues crop up, and causal consistency capabilities that provide reliable read operations on secondary nodes. Security gets an upgrade with updated access controls and improved network listening features.

Meanwhile, the company is also rolling out a new version of its MySQL server product, with three new features that help safeguard business data. Percona Server for MySQL 5.7.21 features encryption for InnoDB general tablespaces, binary log file encryption and a Vault keyring plug-in.

"One of the key challeng...








Microsoft Forges Financial Technology Cloud Partnership With Saxo Bank

Microsoft and Saxo Bank, a Copenhagen, Denmark-based bank and financial technology (fintech) services provider, want to expedite Wall Street's migration to cloud computing.

The companies announced on April 24 the formation of a strategic partnership intended to accelerate cloud adoption in the financial services industry. As part of the deal, Saxo Bank plans to move its entire technology stack to Microsoft's cloud, a major undertaking.

More than 100 financial institutions use Saxo Bank's trading platforms, according to the so-called banking-as-a-service provider. The firm also maintains 120 white-label partnerships along with trading and investment technologies that offer banks and brokerage firms access to more than 35,000 financial instruments.

Anticipating more clients, Saxo Bank appears ready to dispense with many of the burdens of managing one's own IT services. "By leveraging the Microsoft cloud, we can spend more time on developing technology and less time on running it, allowing us to continue to stay at the forefront of client-focused digitization and support our ambitious growth plans," commented Kim Fournais, founder and CEO of Saxo Bank, in an April 24 announcement.

The partnership may also help improve cloud computing's standing in the eyes of regulators. Fournais added that his company is looking forward to "working with key stakeholders such as regulators to ensure that cloud solutions continue to evolve and support the high regulatory stand...





Silver Linings and Warnings to Cyber-Attackers Headline RSA Conference

1 of 13: RSA Conference 2018: Finding the Silver Linings in Cyber-Security

The annual RSA Conference ran from April 16 to 20 in San Francisco, filling the cavernous halls of the North, South and West buildings of the Moscone Center, as well as conference space at the nearby Marriott Marquis hotel. More than 42,000 attendees were at the event, which had over 550 sessions and 600 companies exhibiting across the show floors. Rohit Ghai, president of RSA, kicked off the conference with a keynote address in which he emphasized the "silver linings" in modern security. Secretary of Homeland Security Kirstjen Nielsen had a bit of a more somber tone, warning adversaries that the United States would respond to any cyber-attacks. In this slide show, eWeek looks at some of the highlights of the RSA Conference 2018 event.

2 of 13: Moscone Under Construction

Once again, the RSA Conference was held at the Moscone Center in San Francisco, which remains under active construction.

3 of 13: RSA President Finds Silver Linings

RSA president Rohit Ghai detailed in his opening keynote at the conference a number of silver linings in modern cyber-security that give defenders the advantage over attackers.

4 of 13: DHS Warns Adversaries

Secretary of Homeland Security Kirstjen Nielsen had a bit of a more somber tone in her keynote, warning adversaries that the U.S. will respond to any cyber-attacks.

5 of 13: Cryptographers Aren't Optimistic

Those on the annua...





Former US, Israeli Intelligence Chiefs Warn of Nation-State Threats

Today's topics include a discussion between former U.S. and Israeli intelligence chiefs on cyber-security at the RSA Conference, and Microsoft welcoming Red Hat Linux clusters to Azure Service Fabric.

Former National Security Agency director General Keith Alexander and former commander of Israel's 8200 intelligence unit Nadav Zafrir hosted a session on April 20 at the 2018 RSA Conference. Both were optimistic about cyber-security during the session despite the looming threat of nation-state attacks.

Alexander did express concern over Russian cyber-attacks against infrastructure and warned that Iran is already actively engaged in cyber-attacks in the Middle East and will attempt to attack the U.S. as well. He also warned that China is stealing intellectual property from American companies.

Zafrir warned that given the risks, we are now at a critical point in human history where the foundations of how modern civilization itself works are at risk, especially as attackers take aim at the electrical grid and financial markets.

Microsoft is now allowing Red Hat Enterprise Linux users to create clusters for their scalable cloud applications on Azure Service Fabric. This new capability is part of the April 19 version 6.2 update.

Subramanian Ramaswamy, principal program manager of Azure Service Fabric, said the update also gives customers more control and insight over their containers, including the ability to "auto scale services and container instances."

Additional...





Cilium 1.0 Advances Container Networking With Improved Performance

For the last two decades, the iptables technology has been the cornerstone of Linux networking implementations, including new container models. On April 24, the open-source Cilium 1.0 release was launched, providing a new alternative to iptables by using BPF (Berkeley Packet Filter), which improves both networking and security.

The Cilium project's GitHub code repository defines the effort as Linux native, HTTP aware network security for containers. Cilium development has been driven to date by stealth startup Covalent, which is led by CEO Dan Wendlandt, who is well-known in the networking community for his work at VMware on software-defined networking, and CTO Thomas Graf, who is a core Linux kernel networking developer.

"I actually helped to develop a lot of the legacy networking tooling like iptables and routing, and at some point I realized that all of that doesn't really fit into this new world of microservices," Graf said. "At the same time, the new technology that is BPF has been coming up, and I connected the dots and that's where Cilium started two years ago."

BPF provides a low-level interface to enable data packet transmission and control and is already used in Linux to enable security with the seccomp policy controls. For container deployments, there are already two core networking elements that have been used by organizations. For Docker environments, Docker includes the libnetwork stack, while Kubernetes has the Container Networking Interface (CNI),...





Why Governments Don't Like the Telegram Secure Messaging Service

1 of 13: Why the Telegram Secure Messaging Service Is Grabbing World Attention

Private messaging app Telegram has come under fire in Russia. The service, which is used by hundreds of millions of people, was founded by Pavel Durov, a Russian entrepreneur, to enable people to send messages more securely than most other services. Telegram's service became so popular in Russia that the government there demanded the company turn over encryption keys to allow the Federal Security Service to read user messages as needed. When Telegram refused, the government blocked millions of IP addresses that communicate with the service, disrupting some business transaction channels. The move has also helped raise interest in the service around the world. This slide show will explain why Telegram has become an attractive option for personal and business communication.

2 of 13: Telegram Works as a Personal or Business Messaging System

The UK-based Telegram is best known as a consumer-focused messaging service that encrypts connections from end to end. However, in an FAQ on the service's website, it makes clear that Telegram might also be an ideal solution for companies that need a safe and confidential platform to transmit sensitive messages and files.

3 of 13: It Supports Text, Video and Audio Messages

Telegram is designed to work securely with any type of message. It supports text messages, of course, but users can also send video and audio messages secur...