Data Protection Certification: Cloud Infrastructure Services Providers operating in Europe declare...
The Cloud Infrastructure Services Providers in Europe (CISPE), a coalition of cloud computing lea...
These security shortcomings create a means for hackers to seize administrative control of vulnerable devices, they claim. Harry Sintonen, senior security consultant at F-Secure, developed a proof-of-concept exploit to confirm the vulnerabilities. “Many of these types of vulnerabilities are not severe on their own. But attackers able to put them together can cause a massive compromise,” according to Sintonen. Sintonen’s PoC begins when the device sends unencrypted requests for firmware updates back to the company.
This lack of encryption allows hackers to run man-in-the-middle attacks.
Sintonen says he took advantage of this weakness by serving the device with an exploit disguised as a firmware update. While the fake update is never actually installed, an exploit uses a flaw in the process to yield a full system compromise, he claims.
The one major limitation is that hackers would need to be in a position to intercept the update process before they can manipulate it, he added. That would be enough to frustrate remote hackers – though not miscreants already logged onto the same network as their intended target, he explained. F-Secure estimates that over 1.4 million devices running the vulnerable firmware could be affected.
The research was presented at the Disobey conference in Helsinki, Finland last week. El Reg invited QNAP Systems to comment on the research on Tuesday but we’ve yet to hear back from the storage tech supplier. We'll update if we hear more.
F-Secure said it notified QNAP last February.
Destruction can happen quickly; look at what happened to Sony Pictures, Yahoo and dozens of other high-profile companies during the last few years. While we face technology job shortages and talent gaps, there are still plenty of opportunities for the U.S. to remain an innovation leader.
Silicon Valley certainly isn't going to shrink from these responsibilities, but it is also incumbent upon the federal and state governments to offer full-fledged support for these purposes whenever it is necessary.
This is all about protecting the public. To this end, eWEEK consulted with Lev Lesokhin, Executive Vice President for CAST.
CAST, based in New York and Paris, is a well-established independent software developer and an international market leader in enterprise software analysis, measurement and risk prevention. Here are Lesokhin's 10 policy suggestions for the new administration to improve the outlook for the U.S. tech sector in 2017 and beyond:
1. Give the Federal Government's CTO More Responsibility
We need to more closely align the national chief technology officer with the U.S. Cyber Security officer to increase visibility and transparency across the top leaders at the White House. This will give the CTO a more visionary role and will ensure government technology adoption and advocacy is more secure and aligned with cyber policy.
2. Appoint a Cyber Security Official Who Will Institute Effective Policies
These new policies should always be based on industry best practices, such as CISQ (Consortium for IT Software Quality) standards. It's clear that our administration needs to better understand the cyber risks that lurk at home and abroad while developing effective strategies and practices for combating them.
3. Create and Enforce Policy for Anyone Selling Software Commercially
This is needed so that commercial software no longer remains a black box full of potential threats, and so that we know the components inside are not dangerous. This will become increasingly important as the Internet of Things and Machine to Machine communication grows. More connected devices mean more opportunity for disaster. We label our food to describe "what's inside"; why not do this with software? Bad software costs the U.S. government alone millions in rework.
4. Lead by Example
Depending on the sector and the budget, a significant portion of government programs still run on legacy systems, holding the sector down with slow and outdated services. Why should the public sector lag behind the technology industry it regulates? Our government must conduct system-level analysis and modernize its core systems to provide better services to taxpayers and stay current on the biggest technology risks and challenges.
5. Tax Reform
This is to encourage technology companies with significant offshore income--including companies such as Apple, Microsoft and Google--to bring money back into the U.S., so they can carry out activities such as M&A to advance the state of tech in our country. Without reducing the negative financial consequences of repatriating money to the U.S., offshore cash levels will continue to rise and investment will decline.
6. Open Up More Visas for Top Technology Developer Talent
We also need to invest in more STEM (science, technology, engineering, mathematics) education and training to get young people interested in technology careers and comfortable with the complexity of the systems and tools. The talent shortage is hurting America's productivity, and visas are needed to keep the U.S. moving forward. With the shortage of tech workers, the need for foreign skilled workers will increase.
7. Collaborate with Other Countries Leading in Innovation
These include countries such as Sweden, Germany, Finland and others. The U.S. also needs to work more closely with the world's biggest and fastest growing economies, such as China, India and the EU, to establish effective learning opportunities and create coalitions that support talent sharing and the acceptance of global quality standards. This will bring best practices to the home front while leaving the door open for IT sourcing agreements where it makes sense.
8. Offer New Tax Incentives for Tight Security
These would go to companies that institute a two-pronged technology security program: both perimeter and application security. This will require companies to invest more in application security (to combat risks from cyber-attacks driven by digital business and IoT) while effectively maintaining their external defenses.
9. Reform Regulation and Reporting Requirements
This is necessary for enterprises to keep up with today's technology issues, putting a greater focus on cyber risk--both security and reliability, the latter of which is estimated to cost the U.S. economy nearly $100 billion per year. It's widely considered that the banking industry's position on security is still too reactive. Listed companies should be required to show that their most mission-sensitive IT systems are engineered according to the best-known standards of software practice in order to prevent security-related risks.
10. Improve Software Engineering Education, Certification
Software engineering is the civil engineering of the 21st century. It's one thing to train computer scientists, but the best engineering talent continues to be snapped up elsewhere, leaving the majority of the U.S. industry with moderately skilled workers. Much like civil engineers need to have P.E. (professional engineer) certification to design and supervise construction, software engineers who work on mission-critical systems should also be certified as competent on the latest standards of software engineering.
After weeks of going back and forth verifying what the exact bug was and how it was exploited, Facebook said it would award him $5,000 for the discovery.
And on Tuesday it did. The bug was tied to the user-generated Facebook Groups feature that allows any member to create an affinity group on the social network’s platform.
DeVoss discovered that, as an administrator of a Facebook Group, he could invite any Facebook member to take on Admin Roles via Facebook’s system, allowing them to do things such as edit posts or add new members. Those invitations were handled by Facebook and sent to the invited recipient’s Facebook Messages inbox, but also to the email address associated with the Facebook user’s account.
In many cases users choose to keep their email addresses private.
Facebook said it has implemented a fix to prevent the issue from being exploited. DeVoss, a software developer in Virginia, said this is the largest bug bounty payment he has ever earned. He told Threatpost he participates in a number of bug bounty programs including Yahoo’s and the Hack the Pentagon program. For its part, in October Facebook announced it has paid out more than $5 million to 900 researchers in the five years since it implemented its bug bounty program.
The company said it paid out $611,741 to 149 researchers in the first half of 2016 alone. Facebook was one of the first websites to launch a bug bounty program when it followed in the footsteps of both Mozilla and Google in August 2011. In February, the company paid $10,000 to a 10-year-old boy from Finland after he discovered an API bug in the image sharing app Instagram, which Facebook bought for $1B in 2012. The company awarded $15,000 to Anand Prakash in March for a bug that allowed him to crack open any of Facebook’s 1.1 billion accounts using a rudimentary brute force password attack.
SSH keys, the means of securing identification on a server through public-key cryptography, have remained largely "under the radar for many years," according to SSH Communications Security CEO Tatu Ylonen, but he said increased awareness of compliance and security across various verticals presents opportunities for security solution providers.
SSH Communications Security, which has global corporate headquarters in Helsinki, Finland, but operates in the U.S. through its Massachusetts-based offices, is "present in over 90 percent of all data centers," and SSH is used "extremely widely," according to Ylonen.
“It’s pretty much everywhere -- half of the world's web services are using SSH,” he said.
In this age of seemingly endless data breaches, leaders in compliance and regulation in every industry from finance to health care have begun cracking down on boundary control and firewalls.
Solution providers can gain additional revenue implementing SSH on top of firewall integration, and deployment is simple.
"Just for controlling external access with SSH by vendors, outsourcing partners – manufacturing vendors, IoT vendors – that can give 30 [percent] to 50 percent revenue for a firewall integrator on top of what they get from the firewall itself," Ylonen said.
"They can get that revenue from the existing customer base, giving them more value, giving more benefit to the customers," he added. "And, there’s also very interesting services opportunities around SSH key management."
Some were new entries, and others were for previously approved workers who were either renewing or updating their status. Of that number, 2,234 of the H-1B visa holders were from Pakistan, a country that might appear on a Trump list.
Another 1,102 approved visa holders were from Iran.
There were 658 H-1B visa holders from Egypt, and 256 were from Syria. (Article continues below chart.)
Country of Birth for H-1B Visa Holders
Country  Frequency
INDIA  262,730
CHINA  29,936
CANADA  7,653
PHILIPPINES  6,055
KOREA, SOUTH  5,024
UNITED KINGDOM  3,822
MEXICO  3,216
TAIWAN  2,785
FRANCE  2,570
JAPAN  2,268
PAKISTAN  2,234
NEPAL  1,997
GERMANY  1,895
TURKEY  1,850
BRAZIL  1,831
ITALY  1,497
COLOMBIA  1,491
RUSSIA  1,461
VENEZUELA  1,432
SPAIN  1,329
IRAN  1,102
NIGERIA  1,015
ISRAEL  949
IRELAND  932
KOREA  813
UKRAINE  795
ARGENTINA  778
MALAYSIA  771
SINGAPORE  755
VIETNAM  695
EGYPT  658
ROMANIA  648
BANGLADESH  647
INDONESIA  637
SRI LANKA  608
PERU  583
POLAND  576
AUSTRALIA  564
GREECE  556
SOUTH AFRICA  547
HONG KONG  503
BULGARIA  477
THAILAND  476
LEBANON  462
JAMAICA  461
KENYA  437
NETHERLANDS  432
JORDAN  415
CHILE  395
SWEDEN  374
NEW ZEALAND  353
GHANA  341
TRINIDAD AND TOBAGO  333
ECUADOR  302
SYRIA  256
PORTUGAL  253
SWITZERLAND  249
BELGIUM  238
DOMINICAN REPUBLIC  231
SAUDI ARABIA  205
ZIMBABWE  205
HUNGARY  203
Spain  189
AUSTRIA  179
UNKNOWN  179
DENMARK  174
HONDURAS  171
COSTA RICA  165
UNITED ARAB EMIRATES  155
BOLIVIA  150
CZECH REPUBLIC  149
GUATEMALA  149
EL SALVADOR  147
SERBIA AND MONTENEGRO  142
KUWAIT  141
MOROCCO  138
ETHIOPIA  133
CAMEROON  126
FINLAND  125
BAHAMAS  123
MOLDOVA  111
KAZAKHSTAN  108
SLOVAK REPUBLIC  103
CROATIA  102
NORWAY  102
ARMENIA  101
UZBEKISTAN  101
PANAMA  99
URUGUAY  94
ALBANIA  88
UGANDA  88
USSR  87
Serbia  86
LIBYA  84
MONGOLIA  83
TANZANIA  83
BURMA  76
NIGER  74
LITHUANIA  70
GEORGIA  66
GRENADA  58
SENEGAL  58
BARBADOS  57
MACEDONIA  56
LATVIA  54
AZERBAIJAN  52
BOSNIA-HERZEGOVINA  51
CYPRUS  51
ST. LUCIA  51
IRAQ  50
SLOVENIA  50
BELIZE  48
ICELAND  47
ZAMBIA  47
GUYANA  45
NICARAGUA  45
PARAGUAY  45
BAHRAIN  43
TUNISIA  43
ALGERIA  42
MAURITIUS  42
DOMINICA  40
USA  39
ESTONIA  35
KYRGYZSTAN  34
HAITI  30
RWANDA  28
BURKINA FASO  26
MACAU  25
TURKMENISTAN  25
CAMBODIA  24
COTE D'IVOIRE  24
TAJIKISTAN  24
CONGO  22
ST. KITTS-NEVIS  22
SUDAN  22
MALAWI  21
OMAN  21
ST. VINCENT/GRENADINES  21
MALI  20
ANTIGUA-BARBUDA  19
BOTSWANA  18
IVORY COAST  18
BERMUDA  17
BENIN  16
AFGHANISTAN  15
Kosovo  15
QATAR  15
LUXEMBOURG  13
MADAGASCAR  13
Montenegro  13
YEMEN-SANAA  13
TOGO  12
SIERRA LEONE  11
YUGOSLAVIA  11
GABON  10
GAMBIA  10
NORTHERN IRELAND  10
MALTA  8
NAMIBIA  8
SURINAME  8
SWAZILAND  8
BHUTAN  7
FIJI  7
FRENCH POLYNESIA  7
MOZAMBIQUE  7
BURUNDI  6
CUBA  6
GUINEA  6
LIBERIA  6
BRUNEI  5
NETHERLANDS ANTILLES  5
ARUBA  4
ERITREA  4
KIRIBATI  4
LESOTHO  4
MALDIVES  4
MAURITANIA  4
ANGOLA  3
CAPE VERDE  3
CHAD  3
DEMOCRATIC REPUBLIC OF CONGO  3
SEYCHELLES  3
UNITED STATES  3
ANGUILLA  2
LAOS  2
SOMALIA  2
ARABIAN PENINSULA  1
CAYMAN ISLANDS  1
DJIBOUTI  1
GERMANY, WEST  1
GIBRALTAR  1
GUINEA-BISSAU  1
MARTINIQUE  1
MONACO  1
REUNION  1
Samoa  1
SAO TOME AND PRINCIPE  1
ST. VINCENT-GRENADINES  1
STATELESS  1
TONGA  1
TURKS AND CAICOS ISLANDS  1
VANUATU  1
Source: USCIS data for approved applications in fiscal year 2014
Trump's plan to admit only people "who share our values and respect our people" didn't indicate how it would be applied.
It also didn't say whether all visa holders -- visitor, H-1B and green card -- would be subject to an ideological litmus test. And what is the correct answer to such a question about American values? "If you ask people born in this country what is an American ideology, I'm not quite sure that we would come out with one answer," said Jessica Lavariega-Monforti, a professor and chair of the political science department at Pace University in New York. "The immigration system, as it currently stands, could not process additional vetting without creating backlogs and increasing wait times for applicants.
At the same time, it is unclear how these policy changes would increase safety against a terrorist attack," said Lavariega-Monforti. John Lawit, an immigration attorney in Irving, Texas, said the U.S. already has a vetting process that begins as soon as someone applies for a tourist visa.
There are different levels of threat, such as being a citizen of Syria, that trigger a much higher level of vetting, he said. "There is a huge financial commitment that must be made in terms of human resources in order to carry on such a vetting program, and a huge, huge increase in fees,” Lawit said. Requiring oaths of some kind is "a lot of posturing with very little substance," he added, and is ineffective at improving security. Lawit said he once assisted H-1B workers who were employed in non-classified jobs at the Sandia and Los Alamos National Laboratories.
The processing time for security checks could run months.
That's an example of extreme vetting, while "extraordinary detailed security investigations are conducted," he said. This story, "Trump's 'extreme' anti-terrorism vetting may be H-1B nightmare" was originally published by Computerworld.
Give some people a small amount of money per month, no strings attached, for a year, and see what happens. With any luck, people will use it to lift themselves out of poverty. In this case, as Matt Krisiloff of Y Combinator Research (YCR) told Ars, that means spending about $1.5 million over the course of a year to study the distribution of "$1,500 or $2,000" per month to "30 to 50" people.
There will also be a similar-sized control group that gets nothing.
The project is set to start before the end of 2016. The notion of guaranteed minimum income has been kicking around globally for centuries, especially among 20th century thinkers (Martin Luther King, Jr. famously advocated for it).
But it’s only recently that extensive trials have begun in various places, including Canada, the Netherlands, Finland, and now in Oakland. (Another organization, called Give Directly, operates a similar program in Kenya.) Tapped to run the project is Elizabeth Rhodes, an academic who recently arrived in Oakland.
She says the project’s goal is "to empower people and give people the freedom to be able to meet their basic needs." But the details have yet to be fully worked out, and a lot of questions remain. How exactly will people be chosen? Will they come from a truly random sample of Oakland’s population? Will high-income people be automatically excluded? By what mechanism will people be notified? How will the money actually be transferred? Most of all, will it actually work? If Y Combinator's Basic Income project is successful, it would expand over the next five years to hundreds of citizens and perhaps include people beyond Oakland.
And it would make the Bay Area’s venture capitalist class feel good about helping the poor. "Overall the idea is to take money we make from YC [and], rather than all of the partners cashing out... putting it into research," Krisiloff told Ars. "I think that there’s a culture at YC that just making money isn’t that interesting. [YC president Sam Altman] really likes to talk about how the overarching mission of YC is to create the most innovative thing. Money is a vector for change, but money in and of itself isn’t that interesting."
Wait and see?
It’s obviously difficult to lift people out of poverty.
According to the White House, as of 2012 (decades after President Lyndon Johnson's "War on Poverty"), approximately 15 percent of Americans (or 49.7 million people, including 13.4 million children) live below the poverty line. Worse still, "only about half of low-income Americans make it out of the lowest income distribution quintile over a 20-year period." (As the old saying goes: "It’s expensive to be poor.") Here in Oakland, for all of its gentrification and new shiny downtown restaurants and cocktail bars, just under 20 percent of the population (specifically, 18.7 percent, or 71,599 people, as of 2010) live in poverty.
And yet, it has also become the fourth-most expensive rental market in the country, thanks to spillover from nearby San Francisco. Like many American cities, Oakland is divided along economic and racial lines, which also manifest themselves as large differences in access to quality education, public health, fresh produce, and more.
As Mayor Libby Schaaf herself put it in her October 2015 State of the City address: "It’s hard for us to celebrate the overall health of Oakland knowing that two people can live just one mile apart and be nearly twice as likely to be unemployed—and live 15 years less." As soon as YC announced its Basic Income plan, it got lots of support from the municipal government. Mayor Libby Schaaf instantly said on Twitter that she was "excited" that Oakland had been chosen. Public records show that Rep. Barbara Lee (D-Oakland) loves it, too. However, some groups, including Causa Justa :: Just Cause, are skeptical that Y Combinator—an institution worlds away from the needs of working-class Oaklanders—is capable of managing such a project. Still, YC's Oakland project is in its very early and experimental stages. "Because the main goal of this pilot is to gather data, it’s useful to run it in a socio-economically diverse city like Oakland," Matt Zwolinski, a philosophy professor at the University of San Diego, told Ars. "That way we can see what differences there are in the responses of the wealthy and the poor, the educated and the uneducated, skilled and unskilled laborers, and so on.
And we can tweak future studies or the final public policy in light of that information."