IPMI runs regardless of the underlying operating system and operates on UDP port 623 through a server’s network port or its own Ethernet port. It runs continuously, Farmer said, unless the plug is literally pulled. Moore’s scan pulled up 230,000 responses over port 623, an admittedly tiny slice of the overall number of implementations. Yet Farmer concludes that 90 percent of BMCs running IPMI could be compromised because of default or weak passwords or weaknesses in the protocol, not only implicating the host server but others in the same management group because, as he discovered, some vendors share common passwords.
via Dan Farmer Presents Research on IPMI Vulnerabilities | Threatpost | The first stop for security news.
BMC = Baseboard Management Controller, a separate device attached to motherboards for management purposes. This isn’t the first article to point out vulnerabilities in IPMI. It has been noted that IPMI should run on its own intranet and not the public internet. Providing another layer of security to this interface may mitigate any problems. IPMI can’t be any less secure than SNMP.
oVirt is an open source alternative to VMware vSphere, and provides an excellent KVM management interface for multi-node virtualization.
To find out more about features which were added in previous oVirt releases, check out the oVirt 3.3 release notes, oVirt 3.2 release notes and oVirt 3.1 release notes. For a general overview of oVirt, read the oVirt 3.0 feature guide and the about oVirt page.
via oVirt 3.4 Release Notes.
To fix this issue, the GSMA has developed a non-removable SIM that can be embedded in a device for the duration of its life, and remotely assigned to a network. This information can be subsequently modified over-the-air, as many times as necessary.
The GSMA says its new SIM can reduce ongoing operational and logistical costs. Replacing one SIM is not going to break the bank, but replacing a few million could make a dent in any budget, it reckons.
via GSMA Creates Remotely Managed SIM For M2M Applications.
Today, a quarter of all broadband lines on the planet are managed by TR-069 and its management of devices has been expanded in line with changes in the type of devices needing to be managed (many devices can be managed from gateways to VoIP devices to set-top boxes). And the complexity you now see in the connected home environment in terms of technology (and the protocols used) is just not an issue for the continually evolving TR-069, as non-TR-069 devices can be proxy managed.
via TR-069: Still Sexy After All These Years | Light Reading.
Frontview is the ReadyNAS web management interface; the vulnerability allows command injection and fails to validate or sanitize user input and can be triggered without authentication, Young said.
“The consequence is that an unauthenticated HTTP request can inject arbitrary Perl code to run on the server,” Young wrote on the Tripwire blog. “Naturally, this includes the ability to execute commands on the ReadyNAS embedded Linux in the context of the Apache web server.”
via Critical NETGEAR ReadyNAS Frontview security vulnerability | Threatpost | The First Stop For Security News.
The threat stems from baseboard management controllers that are embedded onto the motherboards of most servers. Widely known as BMCs, the microcontrollers allow administrators to monitor the physical status of large fleets of servers, including their temperatures, disk and memory performance, and fan speeds. But serious design flaws in the underlying intelligent platform management interface, or IPMI, make BMCs highly susceptible to hacks that can cascade throughout a network, according to a paper presented at this week’s Usenix Workshop on Offensive Technologies.
via “Bloodsucking leech” puts 100,000 servers at risk of potent attacks | Ars Technica.
The chief architect behind Netflix’s cloud and OSS strategy is Adrian Cockcroft, a former distinguished engineer at eBay and Sun, who says Netflix has many agendas in developing OSS. For one, it’s working to establish Netflix’s process as a best practice way of operating in the public cloud. Doing so allows the company to benefit from the knowledge of the broader open source community who recommend improvements. Furthermore, it helps Netflix hire and retain top engineering talent all while building up the company’s technology brand.
via Why Netflix is one of the most important cloud computing companies – Network World.
Puppet Labs’ IT automation software enables system administrators to deliver the operational agility and efficiency of cloud computing at enterprise-class service levels, scaling from handfuls of nodes on-premise to tens of thousands in the cloud. Puppet powers thousands of companies, including Twitter, Yelp, eBay, Zynga, JP Morgan Chase, Bank of America, Google, Disney, Citrix, Oracle, and Viacom.
via Puppet Labs: The Leading Open Source Data Center Automation and Configuration Management Tool | Puppet Labs.
In the same way AT&T has started loosening up its network-based application programming interfaces (APIs) for mobile developers, the operator is giving these solutions providers its APIs to let them manage, troubleshoot, provision network services, etc. on AT&T’s network.
via Light Reading – AT&T Opens Up for Partner Program.