Weekend Reads 101521

Russia is the source of the lion’s share of nation-state cyberattacks Microsoft has observed in the past year (58%), followed by North Korea (23%), Iran (11%), China (8%), and South Korea, Vietnam, and Turkey all with less than 1% representation, a new pool of data reveals.

Equinix has been testing the use of liquid cooling in its data centers, and hopes to use the technology in its Equinix Metal service to create a high-density, energy efficient computing platform.

As a rule, the English term “computer” and the equivalent German term “Rechner” describe calculating machines. But until the middle of the 20th century, computers were, in fact, humans who performed calculations.

The job-killing robots are almost at the door, we are told, mere moments away from replacing the last traces of human inefficiency and heralding the dawn of a world without work.

The technological breakthroughs and intelligence superiority of the Israel Defense Force’s Unit 8200 position it, and Israel, as a world leader, at the same level as the United States, Russia, or China.

New PCIe 6.0 technology is in the works, and according to nonprofit electronics industry consortium PCI-SIG, it’s in the final draft stages.

Recently I was asked by a customer how they can easily set up rollback capabilities on the endpoints in their corporate network.

An industry group calling itself 5G Americas has published a whitepaper that touts the advantages of a smart auto grid powered by 5G and the C-V2X technology.

It’s coming towards the end of 2021 already, which means it’s nearly time again for one of my favourite Internet quirks: A DNSSEC Key Signing Key (KSK) Ceremony, number 43 to be exact.

Across every industry, competition, reputation and customer satisfaction are all impacted by experience. And for most organizations, the network plays a significant role in determining the level and type of service that they can provide.

Thunderbolt 4 technology is still relatively new, but Intel is already working on its successor: Thunderbolt 5 (or whatever Intel decides to call it).

For years, it restricted its G-Sync variable refresh rate technology to monitors that included a dedicated (and costly) proprietary module, instead of adopting the open-source FreeSync developed by AMD.

The important thing to understand about a certificate graph is that the boxes represent entities (meaning an X.500 Distinguished Name and public key).

Despite a dramatic increase in ransomware attacks, enterprise storage and backup environments have a dangerously weaker security posture than the compute and network layers of the IT infrastructure, new research shows.

On Sept. 30, a root certificate provided by digital certificate authority (CA) Let’s Encrypt expired, meaning that the tens of millions of websites and devices that used the cert had to have updated to a new root before then — or run into problems.

Weekend Reads 100821

first, a few interesting stories on the Facebook outage

Facebook says that a configuration error broke its connection to a key network backbone, disconnecting all of its data centers from the Internet and leaving its DNS servers unreachable, the company said.

Following the Facebook outage that took place on 4 October, we saw people looking to BGPlay to get a better view of what went on. Here’s a look at what the RIPEstat visualisation has to show us about the event in question.

On October 4th Facebook managed to achieve one of the more impactful outages of the entire history of the Internet, assuming that the metric of “impact” is how many users one can annoy with a single outage. In Facebook’s case the 6-hour outage affected the services it provides to some 3 billion users, if we can believe Facebook’s marketing hype.

But surely the bigger lesson is that we are all too dependent on too few Really Big providers. EU Competition Commissioner told Reuters Facebook’s (FB.O) six-hour outage the previous day shows “the repercussions of relying on just a few big players and underscores the need for more rivals.”

and other stories, as usual

Email is the most popular vector through which to initiate successful cyberattacks. Statistics indicate that anywhere between 90% and 95% of all such attacks involve email, whether to deliver malware, to hoodwink a user into visiting a website from which ransomware will be downloaded, or simply to imitate a CEO or CFO and demand that a multimillion-dollar payment be expedited forthwith.

It looked like a calculator app. But it was actually spyware recording my every keystroke — the type of data that would give a stalker unfettered access to my private life.

Many organizations lag in patching high-severity vulnerabilities, according to a new study that reveals more than 50% of servers scanned have a weak security posture weeks and months after a security update is released.

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords.

Nvidia revealed a new feature coming to RTX 2000 and RTX 3000 graphics cards called DLAA.

Bad actors have accelerated their purchase of domains that look similar to the brands of the largest 2,000 companies in the world, with 60% of such domains registered to risky third parties, not the companies themselves.

By declaring that they are in line with the chosen security standard, businesses can demonstrate much higher credibility when faced with stakeholders, insurance providers, potential clients, and potential partners. This is just one of many benefits that come with achieving standards.

On Tuesday, D-Wave released its roadmap for upcoming processors and software for its quantum annealers. But D-Wave is also announcing that it’s going to be developing its own gate-based hardware, which it will offer in parallel with the quantum annealer.

Syniverse, a company that routes hundreds of billions of text messages every year for hundreds of carriers including Verizon, T-Mobile, and AT&T, revealed to government regulators that a hacker gained unauthorized access to its databases for five years.

While domain cyber risk is rising, the level of action being taken by Forbes Global 2000 companies to improve their domain security posture has remained unchanged, leaving these companies exposed to even more risk.

Most people only ever give common vulnerabilities and exposures (CVEs) a passing glance. They might look at the common vulnerability scoring system (CVSS) score, determine whether the list of affected products is a concern for them, and move on.

Weekend Reads 100121

Bowles is showing off her whatever-it-takes strategy for narrowing the digital divide between people with reasonably speedy internet access and those without.

Articles 33 and 34 outline the requirements for breach notification; however, most businesses are still unaware of their responsibilities. Details such as what an organization should report, when, to whom it should be reported, and what should be included in the breach notification are some of the major aspects that businesses overlook.

The idea behind Security.txt is straightforward: The organization places a file called security.txt in a predictable place — such as example.com/security.txt, or example.com/.well-known/security.txt.

Air is an absolutely terrible medium with which to move or remove heat from a system, but it sure is a lot easier and cheaper (well, at least in terms of the cost of goods sold sense) than adding some sort of liquid cooling to a system.

The EU aims to have a common charging port for mobile phones, tablets, and headphones under a European Commission proposal presented on Thursday in a world first, with the move impacting iPhone maker Apple more than its rivals.

As we head toward the annual Supercomputing Conference season we wanted to take a moment for a level-set on exascale.

One noteworthy element of the National Institute of Standards and Technology’s recent Recommended Minimum Standard for Vendor or Developer Verification of Code is the prominence given to threat modeling.

Could domain and subdomain monitoring help in detecting Internet properties that could hint at illegitimate releases?

Networking equipment maker Cisco Systems has rolled out patches to address three critical security vulnerabilities in its IOS XE network operating system that remote attackers could potentially abuse to execute arbitrary code with administrative privileges and trigger a denial-of-service (DoS) condition on vulnerable devices.

I’ve always been intrigued by the history of technology, and I think a lot of that is due to having almost everything computer-related happen during my lifetime. I missed a tech anniversary earlier this year when email turned 50.

Open source software projects – the underpinnings of the global software ecosystem – are getting better at more quickly updating vulnerable dependencies, but at the same time they face more cyberattacks and a significant volume of critical vulns.

On Sept. 28, as part of requiring every major voice provider in the states — including phone companies AT&T, Verizon and T-Mobile — to start using Stir/Shaken technology, companies need to inform the FCC of their plans to combat spam calls or carriers will have to stop accepting calls from those providers.

Presumably, the screens either have identity embedded in them, whereby they will only work with the original phone.

Not that long ago the talk was all about 10nm and 7nm. The latest “nm” to enter the game is 5nm, which is already in use in some devices and is heading to PCs in the near future.

There are certain phrases and motifs that get repeated in software efforts. I’ve encountered a few particularly problematic ones with such regularity that I’ve catalogued them, and I’ve additionally collected counter-quotes for use as spot treatments as well as an inoculation against future ill-formed thinking.

In a long-overdue notice issued Sept. 30, the FCC said it plans to move quickly on requiring the mobile companies to adopt more secure methods of authenticating customers before redirecting their phone number to a new device or carrier.

Controversial Reads 092521

Apple then made public what was private. The company, under CEO Tim Cook’s leadership, had actually been consulting the FBI on various methods for hacking the phone. In fact, the FBI had botched one of the suggested techniques after a mistake. The agency wasn’t willing to risk another gaffe.

Software locks, API restrictions, legal threats, forced downgrades and more – these are why Big Tech stays big.

Megan Borovicka joined Facebook in 2013 and then forgot she even had an account. But Facebook never forgot about her.

On May 27, 2020, in the French National Assembly, Cédric O, the French Secretary of State for Digital Economy, forcibly expressed his government’s frustration with Apple and Google in terms more appropriate to a cold war confrontation between superpowers.

Almost everything we do online today is designed to be addictive. The average American spent more than two hours a day on social media in 2020.

Gary Gensler, Joe Biden’s deeply establishmentarian SEC head, has dropped a bomb on the crypto community with his sudden attack on Coinbase, the leading crypto platform.

As the data these devices collect is sold and shared—and hacked—deciding what risks you’re comfortable with is a necessary part of making an informed choice. And those risks vary widely, in part because there’s no single, comprehensive federal law regulating how most companies collect, store, or share customer data.

There are more federal facial recognition technology (FRT) systems than there are federal agencies using them, according to the U.S. General Accounting Office.

Technologists and law enforcement have been arguing about cryptography policy for about 30 years now. People talk past each other, with each side concluding the other side are unreasonable jerks because of some fundamental incompatible assumptions between two conceptual worlds in collision.

The Phorpiex botnet has been operating for years now. It first focused on distributing old-school worms that spread via infected USB drives or through chats that relied on the Internet Relay Chat (IRC) protocol.

The recent IP address crisis involving Africa’s regional internet registry (Afrinic) and Cloud Innovation has shaken up the internet industry, also raising the long-standing question if RIR’s IP asset governance policies are sustainable for long-term network growth.

Privacy-preserving DNS protocols like DNS over HTTPS (DoH), DNS over TLS (DoT), and DNS over QUIC (DoQ) have been around since 2014 but they have only recently been brought to the attention of the general public following Firefox’s announcement to make DoH a default.

As the United States pulled its troops out of Afghanistan after a 20-year occupation, byproducts of the prolonged deployment took on new meaning and represented a new chapter of danger for the Afghan people.

In what appears to be a “throw spaghetti on the wall approach” to stopping antitrust reform targeting Big Tech, a few Members of Congress and a range of former military and intelligence officials wrote a letter asserting that these companies need to be protected for national security.

Yet his tone resonates with a growing unease within the US and elsewhere over the extraordinary rise of these technology giants, not just in monetary terms but in terms of their social power as well.

Commentators on the recent district court’s order for a preliminary injunction in Netchoice, LLC v. Ashley Brooke Moody et al. have focused on social media’s victory against the State of Florida, celebrating the court’s opinion that Google, YouTube, and Facebook are private companies beyond the reach of Gov. Ron DeSantis and the Florida legislature’s newest rules restricting Silicon Valley’s ability to censor, deplatform and block users. These writers have neglected the tone of irresolution in this and similar cases decided in favor of Big Tech, however.

Apple has long been seen as a champion of security and privacy in a tech industry consumed with vacuuming up consumer data. Two recent events, however, have raised questions about whether the iPhone maker’s reputation is losing its luster.

Anyone who spends a decent amount of time online knows what happens when you shove a bunch of strangers into the same place. We replicate existing power dynamics, we form groups, we troll, we project our biases, we yell until only the most extreme voices are the ones that get heard.

Tech’s market concentration—summed up brilliantly by Tom Eastman, a New Zealand software developer, as the transformation of the Internet into “a group of five websites, each consisting of screenshots of text from the other four”—has aroused concern from regulators around the world.

At the center of debate regarding regulation of social media and the Internet is Section 230 of the U.S. Communications Decency Act of 1996. This law grants immunity to online platforms from civil liabilities based on third-party content.

Google has been so successful in its execution and protection of its brand that we culturally understand that to “Google” something is to conduct an internet search, despite the existence of alternative search engines.

Weekend Reads 092421

Microsoft on Tuesday addressed a quartet of security flaws as part of its Patch Tuesday updates that could be abused by adversaries to target Azure cloud customers and elevate privileges as well as allow for remote takeover of vulnerable systems.

To meet current demands, as well as those of the next normal and an unpredictable future, retailers are now adopting software-driven strategies to deliver connected retail experiences and operations, ultimately resulting in the software-defined store.

Network measurement techniques have been mostly developed independently from protocols and, therefore, typically build upon externally visible semantics. One example of this is TCP sequence numbers and acknowledgements, which can be used to derive a flow’s round-trip time (RTT).

Ordinarily, when developing something, you start with a set of requirements or goals. But DNSSEC was a research project, so in place of requirements, developers set expectations of what needed to be done and what could be done to solve the DNS security problem.

Open-source M1-style chips may be in our future, according to a reverse-engineering document released online, Tom’s Hardware reports.

But how can they know that the plan they have is efficient enough to alleviate future cyber incidents? By using a cyber crisis tabletop exercise (CCTE), organizations can test or rehearse the emergency preparedness plan before a crisis occurs.

In a previous blog, we discussed how Paragon Pathfinder (formerly known as NorthStar Controller) greatly increases the level of automation in networks.

More than 20 years ago, the historical rate of shrinking transistors to improve speed, density, power consumption, and cost became impossible to maintain. Even with slower physical scaling, however, electronics manufacturers steadily improved their products by exploiting new materials, new device and circuit designs, and faster communication between chips.

South Korean chipmaker Samsung Electronics aims to be first to adopt a new form of transistor that should allow Moore’s Law to continue for another decade when it puts into production its 3nm semiconductor process toward the end of 2022.

The Roman historian Tacitus (55 A.D.–120 A.D.) once said “the desire for safety stands against every great and noble enterprise.”

The European Processor Initiative (EPI) has pinned its hopes on RISC-V as the path to European semiconductor independence.

Networking equipment company Netgear has released patches to remediate a high-severity remote code execution vulnerability affecting multiple routers that could be exploited by remote attackers to take control of an affected system.

After every major hurricane, like the category 4 Ida that recently hit Louisiana, there is talk in the telecom and power industries about ways to better protect our essential power and communication grids.

This comprehensive research into BulletProofLink sheds a light on phishing-as-a-service operations. In this blog, we expose how effortless it can be for attackers to purchase phishing campaigns and deploy them at scale.

The CMMC offers five tiers of conformity against two separate columns of achievements. To clarify, processes and practices are matched to higher compliance levels.

Weekend Reads 091721

Relationships also evolved during this uprooting of typical routines. Pandemic “pods” helped some Americans maintain connection, but they complicated relationships and family dynamics at the same time.

Attackers are actively exploiting a Microsoft remote code execution vulnerability using malicious Office files, the tech giant has warned.

“When you have a high percentage of all AI activity in Bay Area metros, you may be overconcentrating, losing diversity, and getting groupthink in the algorithmic economy. It locks in a winner-take-most dimension to this sector, and that’s where we hope that federal policy will begin to invest in new and different AI clusters in new and different places to provide a balance or counter.”

Email isn’t just a communication tool; it’s also an identifier and a security measure. Companies use it to create profiles of you when you start accounts with them and it often doubles as your username.

However, it looks like most phishing emails could be used to obtain user credentials according to the 2021 Annual State of Phishing Report by Cofense. After analyzing millions of emails, Cofense found that 57% are credential phishing emails.

Computer programmers are a pretty predictable bunch. Every time they approach legacy code, the gut reaction is “let’s rewrite this from scratch.” The reaction is understandable for many reasons.

Perhaps an all-purpose tablet that you must care for like a new pet, remembering to not leave it unattended, or forgetting it on a mass-transit system. Then, there is the login process.

Whereas years ago different threat actors focused on specific sectors, nowadays the same techniques, tactics, and procedures (e.g., how the perimeter is penetrated, which tools are used for lateral movement) are consistently applied regardless of company size, location, or industry.

The Hafnium attacks targeting Microsoft Exchange Server vulnerabilities triggered several cybersecurity investigators and researchers to hunt for other threat actors that use similar attack methods. Among them is the Cybereason News Network.

Despite being built on the same OS, Microsoft has said that Windows 11 will feature various optimizations, and now, we know what those optimizations are.

In this article, you’ll discover the power of graphs by working with a small movie data set. It is based on the built-in dataset and guide available on the Neo4j Sandbox.

Without evidence of wrongdoing, neither public agents nor private companies should be rifling through the photos on your personal devices.

The evolution of the workloads that we use every day to stay productive has fundamentally changed. New requirements around efficiency and using space wisely mean that leaders in the technology space need to look at cooling differently.

Napier’s rods, also called Napier’s bones (see Figure 1), were invented at the beginning of the 17th century. They have been used for multiplications and divisions until the 19th century.

Weekend Reads 090321

In our professional practice, we are often called to perform rapid, approximate calculations without a calculator. Any available scrap of paper such as an envelope will do to scribble on.

The wireless carrier initially confirmed 47.8 million former, prospective and existing customers were impacted, but found the data of an additional 5.3 million customers was compromised.

A recent measurement study suggests that BBR is already being deployed by 22% of the Alexa Top 20k websites on the Internet.

Zero trust improves the security of IT environments as demonstrated over time by reduced attacker dwell time. The challenge many people face is understanding where to begin.

In recent months, we’ve been sharing information collected by APNIC honeypots with our community at several conferences, seminars, and workshops. ‘Information’ here basically means observations from the logs/traffic, as well as artefacts collected (such as scripts and binaries).

The Internet plays a crucial role in our increasingly digital daily lives. But who shapes and governs the patchwork that enables this essential utility? And how do their actions bear on the rights and interests of users all over the world?

We are facing the same paradox with respect to privacy and influence on the Internet. There are information items that we clearly want to protect, such as credit-card numbers. When such sensitive information is stolen via a cybersecurity breach, we clearly feel our privacy has been violated.

Graphs are, by nature, ‘unifying abstractions’ that can leverage interconnectedness to represent, explore, predict, and explain real- and digital-world phenomena.

Since 2014, IT employee turnover has been on the rise—9% in 2014, 8.6% in 2015, 8% in 2016, 7.3% in 2017, and 8.2% in 2018, with 69.9% of those being voluntary.

Network Function Virtualization (NFV) is being touted as a key component of 5G technology, with its ability to offload network functions into software that runs on industry-standard hardware and can be managed from anywhere.

By the 1990s, the orthodox view of antitrust went like this: horizontal monopolies are bad, but vertical monopolies are efficient. In other words, it was bad for consumers when one company was the single source for a good or service, but if a company wanted to own every step in the chain, that was fine. Good, even.

Microsoft is warning of a widespread credential phishing campaign that leverages open redirector links in email communications as a vector to trick users into visiting malicious websites while effectively bypassing security software.

If you are a designer of chips that are based on the most advanced processes available from Taiwan Semiconductor Manufacturing Company and your roadmap is based on the company’s continuing progress and prowess in pushing Moore’s Law to the limit, then not only is the future in your roadmaps being pushed out, but now you are going to have to pay more for whatever chips you are making now and, we suspect, the chips you are depending on for your business in the future.

The requirements are less strict now, technically, though nowhere near on the level I hoped for or expected. That includes the TPM requirement, which Microsoft is holding firm on.

SIDN Labs’ research is aimed at improving the security, stability, and resilience of the Internet infrastructure. In that context, Machine Learning plays an increasingly important role.