Weekend Reads 081420

The CIS Top 20 Critical Security Controls give you a set of steps. Start from the top, and work your way down the list, adding layers of security along the way. They start with the basics. Knowing what is changing in your environment and how things are configured are two very basic parts of the 20 Controls.

I have a system with c servers, each of which can only handle a single concurrent request, and has no internal queuing. The servers sit behind a load balancer, which contains an infinite queue. An unlimited number of clients offer c * 0.8 requests per second to the load balancer on average.

Security researchers have discovered more than 400 pieces of vulnerable code inside the Qualcomm Snapdragon digital signal processor (DSP) chip that powers millions of high-end smartphones from Google, Samsung, LG, Xiaomi, OnePlus, and other device manufacturers.

The fundamental technologies for creating digital clones of people — text, audio, and video that sound and look like a specific person — have rapidly advanced and are within striking distance of a future in which digital avatars can sound and act like specific people, Tamaghna Basu, co-founder and chief technology officer of neoEYED, a behavioral analytics firm, told attendees at the virtual Black Hat conference on Aug. 6.

But, at least according to the specifications for the next two speed bumps on the PCI-Express roadmap, things are starting to look up on the peripheral bandwidth front and a much shorter two-year cadence is now possible, at least for the next several years.

It turns out that the root cause behind several previously disclosed speculative execution attacks against modern processors, such as Meltdown and Foreshadow, was misattributed to ‘prefetching effect,’ resulting in hardware vendors releasing incomplete mitigations and countermeasures.

In March, OneWeb filed for Chapter 11 restructuring when it was clear that the company could not raise enough cash to continue the research and development of the satellite product. In July, a bankruptcy court in New York approved a $1 billion offer to take over the company filed jointly by the British Government and Bharti Airtel.

Although the specific issues outlined in this blog have since been resolved, the underlying concerns regarding privacy and safety in the industry still remain. The purpose of this article is to bring awareness to the issues surrounding Internet-connected devices and the centralized cloud computing that drives IoT.

IXPs are not so difficult to set up. All that is needed is a secure location to host it — usually this is a data centre that is easy to run fibre access lines to and offers 24/7 access to members, which typically are Internet Service Providers (ISPs), content providers (such as Facebook) and Content Distribution Networks (CDNs).

We’ve conventionally used the term governance to describe the relationship between citizens and the state, or more generally between a social group and its leaders. It’s intended to relate to the processes of decision making that reinforce societal norms and nurture a society’s institutions. Much has been said about the processes of governance, its accountability, its effectiveness and the ways in which it can degenerate and be abused. But I’m still somewhat challenged when I try to apply this governance concept to the vague and insubstantive digital environment.

The number of network layer distributed denial-of-service (DDoS) attacks — like almost every other threat category in recent months — doubled last quarter compared with the previous three months.

Anycast depends on Border Gateway Protocol (BGP) routing to map users to PoPs. Therefore, its efficiency depends on both the CDN operator and the routing policies of ISPs on the path. Such a distributed environment makes detecting and diagnosing inefficiency challenging.

The network perimeter does not have the same impact and importance anymore; the modern perimeter is the identity. Remember, you do not trust anything, not the user, the device, the network, or the application, before they have proven to be trustworthy.

Having a solid foundation in Networking is essential to becoming a good penetration tester. After all, the internet is a bunch of complex networks that communicate with each other. If you are new to Networking, I recommend this playlist by Network Direction.

Security researchers have outlined a new technique that renders a remote timing-based side-channel attack more effective regardless of the network congestion between the adversary and the target server.