Weekend Reads 121820
This is a rather oversized edition of the weekend reads… because I seem to have saved up a lot more links than usual.
There comes a time in every developer’s life (or daily routine, we’re not here to judge) where they have to go and fix a bug. Back in the days when I used to be a developer, I distinctly remember how each time I would go face to face with a bug, my favorite method to fix it was to add log lines. I mean, why not, right?
Cybersecurity researchers on Thursday disclosed details of a previously undiscovered in-memory Windows backdoor developed by a hacker-for-hire operation that can execute remotely malicious code and steal sensitive information from its targets in Asia, Europe, and the US.
The PC revolution started off life 35 years ago this week. Microsoft launched its first version of Windows on November 20th, 1985, to succeed MS-DOS. It was a huge milestone that paved the way for the modern versions of Windows we use today. While Windows 10 doesn’t look anything like Windows 1.0, it still has many of its original fundamentals like scroll bars, drop-down menus, icons, dialog boxes, and apps like Notepad and MS paint.
Amazon Web Services (AWS) has explained the cause of last Wednesday’s widespread outage, which impacted thousands of third-party online services for several hours.
Cybersecurity may be far from many of our minds this year, and in light of a pandemic and catastrophic economic disruption, remembering to maintain our own personal privacy and security online isn’t necessarily a priority.
The Tor anonymity network has generated controversy almost constantly since its inception almost two decades ago. Supporters say it’s a vital service for protecting online privacy and circumventing censorship, particularly in countries with poor human rights records. Critics, meanwhile, argue that Tor shields criminals distributing child-abuse images, trafficking in illegal drugs, and engaging in other illicit activities.
Phishing websites rely on camouflage. They need to mimic the real websites as closely as possible, so they can trick people into providing their login information. But there are differences between genuine and fake websites, which can be used to detect them.
Juniper Threat Labs is seeing active attacks on Oracle WebLogic software using CVE-2020-14882. This vulnerability, if successfully exploited, allows unauthenticated remote code execution. As of this writing, we found 3,109 open Oracle WebLogic servers using Shodan.
Imagine someone hacking into an Amazon Alexa device using a laser beam and then doing some online shopping using that person account. This is a scenario presented by a group of researchers who are exploring why digital home assistants and other sensing systems that use sound commands to perform functions can be hacked by light.
Driven by PC gaming, pandemic upgrading and potentially cryptocurrency miners, GPU units hit a healthy 13.4-percent increase in sales over the previous quarter, respected graphics analyst firm Jon Peddie Research said in a report released Tuesday.
Let me be direct: We should be happy that this software, one of the worst ever to plague our lives from a security perspective, is going away, and at the same time, Flash was not a fluke. Security has come a long way, but the ecosystem that allowed Flash to become a software security serial killer still exists and is ready to let it happen again. This time, the stakes are infinitely higher.
The joys of researching and building computing systems are manifold and very individualized. They come at various stages of the whole process. The initial rush when you think you have the germ of a new idea. That rush is a tremendous rush, no matter how many times one has had it. The rumination of the idea adds to the joy … so it is not simply a momentary rush.
A pair of researchers will demonstrate at Black Hat Europe next week how they were able to bypass ML-based, next-generation anti-malware products. Unlike previous research that reverse-engineered the next-generation endpoint tool — such as Skylight’s bypass of Cylance’s endpoint product in 2018 — the researchers instead were able to cheat the so-called static analysis malware classifiers used in some next-gen anti-malware products without reverse engineering them.
Here’s the scenario: A state-sponsored attacker uses a zero day to breach the environment. This foothold lets him run previously unknown, fileless attacks originating from an exploited process. Fortunately, his evil plan is foiled by our next-generation, AI-powered security tool that detected and prevented it in nanoseconds!
In this post, we analyse the hardware that they use to connect to IXPs. We investigate 24 IXPs distributed across fifteen countries, from the EU, US, Africa and Brazil, which together interconnect more than six thousand IXP members. Our goal is to determine if there is market dominance by the some of the hardware vendors among IXP members.
First introduced back in 2005, SP 800-53 has gone through five revisions since its initial release. The fourth revision, released in 2013, featured updated security controls and focused on topics such as insider threats, software security, mobile devices, supply chain security, and privacy. Revision four also gave us the now familiar “eighteen control families,” which have been adopted by numerous federal agencies as well as the private sector.
Over the years, cybercriminals have grown more sophisticated, adapting to changing business practices and diversifying their approaches in non-traditional ways. We have seen security threats continue to evolve in 2020, as many businesses have shifted to a work from home posture due to the COVID-19 pandemic. For example, the phenomenon of “Zoom-bombing” video meetings and online learning sessions had not been a widespread issue until, suddenly, it became one.
When I started writing about science decades ago, artificial intelligence seemed ascendant. IEEE Spectrum, the technology magazine for which I worked, produced a special issue on how AI would transform the world. I edited an article in which computer scientist Frederick Hayes-Roth predicted that AI would soon replace experts in law, medicine, finance and other professions.
Because of the fact that even when all RTR servers die simultaneously we still fail safely (falling back to NotFound), a common misconception is that the entire software stack is completely fail-safe and no harm can be done when some of it fails. Because of this, a network operator may arrive at the erroneous conclusion that neither redundancy nor monitoring is really required (or a priority). Unfortunately, this is not true and other failure scenarios in the software stack have to be considered.
According to last year’s Gartner forecast, public cloud services are anticipated to grow to $USD 266.4 billion by the end of this year, up from $USD 227.8 billion just a year ago. Clearly, cloud computing is making its way to cloud nine, (See what I did there?) leveraging the sweet fruits of being in the spotlight for a decade. However, the threats to public cloud security are growing at the same rate.
Often in technology, we assume that everyone else is as excited about our product as we are. This tends to be a problem across the board in the tech sector (and even amongst teams, like security and developers, or operations and developers).
Developer mistakes and indirect dependencies are the two main sources of vulnerabilities in open source software projects, which together are expected to cause the majority of security alerts in the next year, according to GitHub’s annual Octoverse report, published today.
Edsger Dijkstra’s 1988 paper “On the Cruelty of Really Teaching Computer Science” (in plain text form here) is one of the most well-cited papers on computer science (CS) education. It’s also wrong. A growing body of recent research explores the very topic that Dijkstra tried to warn us away from — how we learn and teach computer science with metaphor.
As convenient as their technology is, the emergence of such dominant corporations should ring alarm bells—not just because they hold so much economic power but also because they wield so much control over political communication.
Nine-indicator standard aims to promote open source software, data, AI models, standards, and content for a more equitable world.
But as we recognized in the 2019 Global Internet Report, trends of consolidation in the Internet economy, particularly at the application layer and in web services, have spurred concerns and public debates on the need to regulate Big Tech. Among the proposed measures by policymakers, academics, and other thought leaders across the world is for software services and systems to be legally required to provide interoperability or open interfaces.