
Tag: Inside Out

A boy searches for music in the land of the dead in a plot twistier than a telenovela.
With the head of Samsung Group facing prison time, CEO calls for company to "start anew."
$399 bundles will also include motion controllers.
It’s a Rift-only alpha and lacks comfort features, but it works very, very well.
Expanded gameplay comes with additional grind, which isn’t actually that bad.
The NutriBullet Rx’s 1700-watt motor uses hands-free SMART Technology to run at the perfect speed for the exact amount of time needed to break down even the most difficult foods, creating silky-smooth NutriBlast smoothies that nourish your system from the inside out.

The machine also features a 7-Minute Heating Cycle, which transforms raw vegetables, nuts, seeds, fruits, and spices into warm, hearty puréed soups, sauces, dips, and beverages.

All units include the Nature’s Prescription recipe book to instruct and inspire you on your quest towards optimum health.
Its typical list price of $149.99 has been reduced 30%, for now, to just $105.29 for the 10-piece set.

A very reasonable price and a solid consideration for the upcoming Mother & Father's day holidays.
See this deal now on Amazon.
Google first announced its plan to become a top cloud provider for the enterprise in June 2012. But turning an inward-focused, engineering-driven company inside out to cater to enterprise customers has been a struggle. By most estimates, Google Cloud remains a distant No. 3 behind AWS and Microsoft Azure.

Last week’s Google Cloud Next conference may mark a turning point. At 10,000 attendees, the three-day event was more than four times the size of last year’s conference. A change in tone emerged: Google spent more time actively reaching out to enterprises than it did flogging its technical superiority.

Instead of SnapChat or Evernote, real enterprise customers waltzed across the stage, including Colgate, Disney, HSBC, Schlumberger, and Verizon. Plus Google announced a partnership with the fusty enterprise software vendor SAP, which will run its in-memory HANA analytics database on Google Cloud.
Solve the DDoS problem? No problem. We’ll just get ISPs to rewrite the internet.
Apply best routing practices liberally. Repeat each morning.
In this interview Ian Levy, technical director of GCHQ’s National Cyber Security Centre, says it’s up to ISPs to rewrite internet standards and stamp out DDoS attacks coming from the UK.
In particular, they should change the Border Gateway Protocol, which lies at the heart of the routing system, he suggests. He’s right about BGP.
It sucks.

ENISA calls it the “Achilles’ heel of the Internet”.
In an ideal world, it should be rewritten.
In the real one, it’s a bit more difficult. Apart from the ghastly idea of having the government’s surveillance agency helping to rewrite the Internet’s routing layer, it’s also like trying to rebuild a cruise ship from the inside out. Just because the ship was built a while ago and none of the cabin doors shut properly doesn’t mean that you can just dismantle the thing and start again.
It’s a massive ship and it’s at sea and there are people living in it. In any case, ISPs already have standards to help stop at least one category of DDoS, and it’s been around for the last 16 years.

All they have to do is implement it.

Reflecting on the problem

Although there are many subcategories, we can break down DDoS attacks into two broad types.

The first is a direct attack, where devices flood a target with traffic directly. The second is a reflected attack. Here, the attacker impersonates a target by sending packets to another device that look like they’re coming from the target’s address.

The device then tries to contact the target, participating in a DDoS attack that knocks it out. The attacker fools the device by spoofing the source of the IP packet, replacing their IP address in the packet header’s source IP entry with the target’s address.
It’s like sending a letter in someone else’s name.

The key here is amplification: depending on the type of traffic sent, the response sent to the target can be an order of magnitude greater. ISPs can prevent this by validating source addresses and using anti-spoofing filters that stop packets with incorrect source IP addresses from entering or leaving the network, explains the Mutually Agreed Norms for Routing Security (MANRS).

This is a manifesto produced by a collection of network operators who want to make the routing layer more secure by promoting best practices for service providers.

Return to sender

One way to do this is with an existing standard from 2000 called BCP 38. When implemented in network edge equipment, it checks to see whether incoming packets contain a source IP address that’s approved and linked to a customer (e.g., within the appropriate block of IPs).
If it isn’t, it drops the packet.

Corero COO & CTO Dave Larson adds, “If you are not following BCP 38 in your environment, you should be.
If all operators implemented this simple best practice, reflection and amplification DDoS attacks would be drastically reduced.”

There are other things that ISPs can do to choke off these attacks, such as response rate limiting.
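A toy version of both controls, BCP 38 source-address validation at the customer edge and response rate limiting on an authoritative DNS server, as an added example; it is not code from the article, from MANRS, from Corero or from BIND. The customer port names, address blocks, packets, client addresses and timestamps are constructed sample data, and the rate limiter is a deliberate simplification of BIND's RRL (fixed one-second windows, no slip responses) rather than its actual algorithm.

```python
"""BCP 38 source-address validation and DNS response rate limiting in miniature.

Added example, not code from the article, MANRS, Corero or ISC BIND. The
customer prefixes, packets, client addresses and timestamps are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # customer-facing port the packet arrived on
    src: str     # source address claimed in the IP header
    dst: str
    proto: str


# Hypothetical mapping of customer port -> address blocks assigned to that customer.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:1::/48")],
}


def bcp38_permits(pkt: Packet) -> bool:
    """Ingress filter (BCP 38 / RFC 2827): accept only if the source address lies
    within a block assigned to the port the packet arrived on. A spoofed source,
    a malformed source or an unknown port all lead to a drop."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    return any(src in net for net in CUSTOMER_PREFIXES.get(pkt.iface, []))


def filter_ingress(packets):
    """Split packets into (accepted, dropped) according to bcp38_permits."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if bcp38_permits(pkt) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample traffic. 192.0.2.77 plays the reflection victim: the packet
# claiming it as a source on cust-a's port is exactly the spoof BCP 38 stops.
SAMPLE_PACKETS = [
    Packet("cust-a", "203.0.113.10", "192.0.2.53", "dns"),        # legitimate
    Packet("cust-a", "192.0.2.77", "192.0.2.53", "dns"),          # spoofed source: drop
    Packet("cust-b", "2001:db8:1::5", "192.0.2.53", "dns"),       # legitimate IPv6
    Packet("cust-b", "203.0.113.10", "192.0.2.53", "udp"),        # cust-a's block on cust-b's port: drop
    Packet("unknown-port", "198.51.100.9", "192.0.2.53", "udp"),  # no blocks registered: drop
]


class ResponseRateLimiter:
    """Per-client-prefix limiter for an authoritative DNS server.

    Simplified from the responses-per-second idea in BIND's RRL (fixed one-second
    windows, no slip/truncation). Clients are grouped by /24 (IPv4) or /56 (IPv6)
    because a victim's whole block, not one address, is usually what gets flooded."""

    def __init__(self, responses_per_second: int = 5):
        self.limit = responses_per_second
        self.sent = defaultdict(int)  # (client prefix, second) -> responses sent

    @staticmethod
    def _bucket(client_ip: str) -> str:
        ip = ipaddress.ip_address(client_ip)
        plen = 24 if ip.version == 4 else 56
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def should_answer(self, client_ip: str, second: int) -> bool:
        """True if a full response may still be sent to client_ip in this second."""
        key = (self._bucket(client_ip), second)
        if self.sent[key] >= self.limit:
            return False
        self.sent[key] += 1
        return True


def run_demo():
    """Exercise both controls on the constructed data and return the tallies."""
    accepted, dropped = filter_ingress(SAMPLE_PACKETS)
    rrl = ResponseRateLimiter(responses_per_second=5)
    # 50 queries "from" the victim's address arriving within one second.
    burst = [rrl.should_answer("192.0.2.77", 100) for _ in range(50)]
    return {
        "accepted": len(accepted),
        "dropped": len(dropped),
        "burst_answered": sum(burst),
        "burst_suppressed": len(burst) - sum(burst),
        "same_block_neighbour": rrl.should_answer("192.0.2.78", 100),  # shares the /24: suppressed
        "other_client": rrl.should_answer("198.51.100.9", 100),        # unaffected
        "victim_next_second": rrl.should_answer("192.0.2.77", 101),    # window rolled over
    }
```

Running `run_demo()` on the constructed data accepts the two legitimate packets and drops the three that fail the source check; the 50-query burst gets five answers and 45 suppressed responses, a neighbour in the same /24 is suppressed for the rest of that second, an unrelated client is unaffected, and the victim's block is answered again once the window rolls over. The ingress filter is the cheap, decisive control: with the spoofed packet dropped at the customer edge, the reflector never sees it and the rate limiter only has to cope with whatever slips past.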

Authoritative DNS servers are often used as the unwitting dupe in reflection attacks because they send more traffic to the target than the attacker sends to them.

Their operators can limit the number of responses using a mechanism included by default in the BIND DNS server software, for example, which can detect patterns in incoming traffic and limit the responses to avoid flooding a target.

The Internet of Pings

We’d better sort this out, because the stakes are rising.

Thanks to the Internet of Things, we’re seeing attackers forklift large numbers of dumb devices such as IP cameras and DVRs, pointing them at whatever targets they want. Welcome to the Internet of Pings. We’re at the point where some jerk can bring down the Internet using an army of angry toasters.

The vast range of IP addresses involved also makes it more difficult for ISPs to detect and solve the problem. We saw this with the attack on Dyn in late October, which could well be the largest attack ever at this point, hitting the DNS provider with pings from tens of millions of IP addresses.

Those claiming responsibility said that it was a dry run. Bruce Schneier had already reported someone rattling the Internet’s biggest doors. “What can we do about this?” he asked. “Nothing, really.”

Well, we can do something. We can implore our ISPs to pull their collective fingers out and start implementing some preventative technology. We can also encourage IoT manufacturers to impose better security in IoT equipment. Let’s get to proper code signing later, and start with just avoiding the use of default login credentials first. When a crummy malware strain like Mirai takes down half the web using nothing but a pre-baked list of usernames and passwords, you know something’s wrong.

How do we persuade IoT vendors to do better? Perhaps some government regulation is appropriate.
Indeed, organizations are already exploring this on both sides of the pond. Unfortunately, politicians move like molasses, while DDoS packets move at the speed of light.
In the meantime, it’s going to be up to the gatekeepers to solve the problem voluntarily.
'Please don't tell my wife about this' says one, as arcs thrill Kiwi crowds

Kiwicon Not every demo at security cons goes off without a hitch: badass hackers Ryan and Jeremy electrocuted themselves while building what could have been the first device capable of wirelessly exploiting door-opening push buttons.

The pair demonstrated the trial-and-terror process of building the box at the Kiwicon hacking event in New Zealand last Friday. Before its insides dissolved due to extreme heat, the device was capable of activating the push buttons that open doors to allow egress from secure buildings - but from the outside of that building.

Ryan and Jeremy's beefed-up electromagnet is the latest in a niche line of research which would allow attackers to enter buildings by using such devices to unlock the push-button door controls.

"I guess they really are touch-to-enter buttons," Jeremy told the 2,000 laughing hackers at the Michael Fowler Centre, Wellington. "Should you be worried about this? Ehh, probably not."

Ryan (left) and Jeremy. Image: Darren Pauli, The Register.

The pair chalked their work up as a failed-but-fun experiment, but in reality it was something more akin to success. Others interested in the field could leverage their work, as Ryan and Jeremy did others', to build a more stable device. If that were to happen, scores of buildings would be at risk of break and entry. Right now, penetration testers on red-teaming assignments rely on extendable sticks to shove between automatic doors. Such rigs allow them to physically depress the buttons in a much more obvious attack.

Ryan explained one beefed-up prototype that used ignition coils bought from car parts chain Supercheap Auto: "Instead of driving that small coil, it drives this massive coil, which goes into an even bigger coil which generates a large voltage which then jumps the spark gap and, instead of igniting fuel, it hits the touch-to-exit button," he says. "The air is literally conducting electricity, it's scary stuff."

'It was just a tickle'

During the testing process his mobile phone stopped working. The pair, who again requested photographic anonymity, then increased the current running through their prototype. The current hopped across the helping hands and through Jeremy; "it was just a tickle," he says, asking delegates to please not inform his wife. Several pieces of equipment melted, including a high-current motor driver which blew up instantly in a puff of blue smoke. Another piece of kit became so heated its solder melted.

A prototype.

They reworked some existing research, which had failed to open the push-to-exit buttons, building an electromagnetic interference fuzzer which used a scripting language and a VLSI interface into testing equipment, plus a microphone used to detect if the contraption worked.

Lab gear.

The lab gear helped the pair better understand the right frequencies required to interfere with the push-to-exit button. They found that lots of noise forces the exit buttons to reduce sensitivity, and that suddenly removing that noise causes buttons to unlock. "Some of these devices implement frequency-shifting so they are trying to evade interference like that," Ryan says.

The final prototype: a microcontroller taped to a battery, taped to a resonance circuit, taped to more batteries. RIP.

A final balled-up and taped device proved able to unlock the devices through a glass door, meaning attackers could use it to enter locked buildings, but it soon melted. "Fortunately for us the frequency interference doesn't have to come from directly in front of the reader, and can come from the sides," Ryan says. "The range wasn't great though, and then we realised we were only using a fourth of the power, so we increased it." "The hole in the middle?" he says, pointing to a burnt-out integrated circuit; "not meant to be there." "We're good at prototypes."
Time to turn security model inside out, conference hears

Versus16 It's a computer security truism that human beings are the biggest network threat. Sysadmins have always assumed that means users, but it may be time to take a long, hard look in the mirror.

At the Versus conference in San Francisco on Thursday – a conference that its organizers say they set up to challenge the security status quo – a number of speakers argued that it's time to turn the traditional security model inside out – and that means pulling out more humans.

"The perimeter is dying," exclaimed Illumio's chief commercial officer, Alan Cohen. The traditional model of a corporate network that is carefully protected from intruders by security staff is being blown to pieces by the explosion in cloud computing and extremely fast networks. "We run our computing wherever we want – the traditional boundaries have gone away."

Worse, he argued, corporate security comprises layers of technology built on top of one another, some going back decades. "These layers are not well related to one another," he notes, giving the example of one client who has no fewer than 7.5 million security rules covering their network. As each new layer of security is added, more rules are created. "Every day we add more security and that simply creates more rules and so more ways in."

If you assume that just five per cent of those rules have errors in them – thanks to the "human middleware" who developed them – that client is looking at 375,000 potential errors and hence entry points into their system.

The answer is to step away from the idea of security as preventing anything from entering and look at monitoring what is going on inside your network to look for anything unusual. And that means automating security, and letting your machines protect themselves in much the same way that your body's immune system works.

Dev, no dev

Unsurprisingly, this is what Illumio's product does – it allows you to tag applications and machines in a variety of ways – dev, test, production, live; location; and type – web server, etc – and then the system watches all the interactions between your machines, flagging anything that looks unusual or breaks with high-level policies written on top of it (like dev machines only talking to other dev machines).

Cohen told us later that one client he had – a large bank – was amazed to find that in its environment of 125,000 servers there were 3,000 dev servers that were talking directly to production servers. That's something that even the most hard-working sysadmin is going to be hard pressed to discover.

Continuing in this theme of turning the security model inside out, a number of other speakers, including the CSO of Okta, David Baker; the CEO of Vera – the conference organizer – Ajay Arora; and the CEO of New Context, Daniel Riedel, all spoke about how the assumption for the future needed to be that your systems will be hacked and your data taken, rather than continuing to spend more and more time and money trying to prevent any entry.

"You need to assume a breach," argued Baker, and work from the inside out. Arora agreed: "Every approach to security has also been very reactive – it has to become proactive."

There are numerous advantages that come from that approach, but it will require a big shift in both mindset and resources, all agreed. "Cybersecurity is an economy," said Riedel. "We need to make it more expensive – or cost inefficient – for people to attack us." He also argued that there needs to be much more sharing of security breaches between organizations so the information and knowledge is spread, making it much harder for malicious actors or hackers to use the same approach over and over again.

Arora posited the idea of making it technologically possible to prevent stolen data from being used by others. If you take the assumption that people will get at your valuable data – and in recent years the number of huge breaches from every industry shows that this is rapidly becoming a new normal – then designing systems to make that data effectively useless is the logical route to protecting your company and your users.

Attribution

All the speakers also agreed that figuring out new ways to provide attribution for attacks was going to be a critical aspect to work on. The recent high-profile hacks of the Democratic Party's email servers and the inability to pin the attack squarely on the Russian government was one example, discussed in some depth. Or the Sony hack and – possibly – North Korea. Without attribution, it becomes harder to apply pressure and pin people down, and to recognize patterns.

Highlighting both the need for a new approach to security and the resistance to change, Arora gave a personal example from the recent DNC hack. When at a Democratic event much earlier in the election season, the political party was handing out updated information on USB sticks. Asked about that approach by a reporter, Arora said – and was then quoted in a news report – that it was "borderline stupidity to give them out to people, or for people to even think of using them." He added that no one in the tech industry was "dumb enough to do this anymore."

None other than the DNC director of communications was unimpressed with this, telling all staff that Arora's comments were the dumb ones and assuring everyone that the DNC had excellent cybersecurity. How did Arora find out about the DNC comms director's view of his comments? He read the all-staff email on Wikileaks.
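The label-and-flow check that the "Dev, no dev" section describes, as an added example that is not Illumio's code: every host carries environment and role labels, and observed flow records are audited against one high-level rule (machines only talk to machines in their own environment) instead of thousands of per-address firewall entries. The host inventory and the flow records are constructed sample data; the "bank" helper reproduces the kind of finding Cohen mentions, dev hosts with flows into production.

```python
"""Label-based flow audit, in the spirit of the 'Dev, no dev' section.

Added example, not Illumio's code: hosts carry labels (environment, role) and
observed flows are checked against a high-level rule rather than per-address
firewall entries. The inventory and flow records are constructed sample data.
"""

# Hypothetical inventory: host address -> labels.
HOSTS = {
    "10.0.1.10": {"env": "dev", "role": "web"},
    "10.0.1.11": {"env": "dev", "role": "db"},
    "10.0.2.20": {"env": "prod", "role": "web"},
    "10.0.2.21": {"env": "prod", "role": "db"},
    "10.0.3.30": {"env": "test", "role": "web"},
}

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.0.1.10", "10.0.1.11", 5432),  # dev web -> dev db: allowed
    ("10.0.2.20", "10.0.2.21", 5432),  # prod web -> prod db: allowed
    ("10.0.1.10", "10.0.2.21", 5432),  # dev web -> prod db: violation
    ("10.0.1.11", "10.0.2.21", 22),    # dev db -> prod db over ssh: violation
    ("10.0.3.30", "10.0.2.20", 443),   # test -> prod: violation
    ("10.0.9.99", "10.0.2.20", 443),   # source not in inventory: flagged
]


def check_flow(src: str, dst: str):
    """Return None when the flow is allowed, otherwise a short reason.

    The single rule is the one the article quotes: machines only talk to
    machines in their own environment. A host missing from the inventory is
    flagged too, since an unlabelled machine cannot be reasoned about."""
    s, d = HOSTS.get(src), HOSTS.get(dst)
    if s is None or d is None:
        return "unlabelled host"
    if s["env"] != d["env"]:
        return f"cross-environment {s['env']}->{d['env']}"
    return None


def audit(flows):
    """List every flow that breaks policy as (src, dst, port, reason)."""
    findings = []
    for src, dst, port in flows:
        reason = check_flow(src, dst)
        if reason is not None:
            findings.append((src, dst, port, reason))
    return findings


def dev_hosts_talking_to_prod(flows):
    """The bank example: distinct dev hosts with at least one flow into prod."""
    return sorted({
        src for src, dst, _ in flows
        if HOSTS.get(src, {}).get("env") == "dev"
        and HOSTS.get(dst, {}).get("env") == "prod"
    })
```

On the sample data `audit(FLOWS)` reports four findings (three cross-environment flows and one unlabelled source) and `dev_hosts_talking_to_prod(FLOWS)` names the two dev hosts involved. The point of the design is that the rule is stated once in terms of labels, so adding a server means labelling it, not adding rules, and an unlabelled server is itself a finding rather than an invisible gap.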
Developers who focus on secure development skills find themselves in high demand.

Developers who choose to augment their knowledge with secure development skills will find themselves in the most in-demand career field as the growth in cyberattacks forces organizations and governments to strengthen their cyber war chests with more advanced tools, increased budgets, and larger teams. A quick glance at the astronomical budgets that governments and Fortune 100 companies are allocating toward cybersecurity provides a glimpse into the extreme challenges organizations face because of the increase in cyberattack sophistication and volume.

J.P. Morgan has increased its 2016 cybersecurity budget to $500 million, up from $250 million in 2015, and its general counsel for intellectual property and data protection says that the company "still feels challenged" by cyberattacks.

Bank of America CEO Brian Moynihan has said that when it comes to cybersecurity, there are no budget constraints.

At the federal level, President Obama has increased cybersecurity spending to $19 billion in 2017, up from $14 billion in 2016. But even with massive budgets being earmarked to protect against cyberattacks, it's difficult for organizations to fill all their open cybersecurity positions.
In 2015, more than 200,000 cybersecurity job positions went unfilled, a shortfall that is on track to increase to 1.5 million by 2019, according to Symantec CEO Michael Brown. For developers passionate about securing code and willing to invest the time needed to add security to their IT skills, there are many opportunities for career advancement.

How Can Developers Choose "Secure Development"?

At the top of the pyramid when it comes to cybersecurity certifications is the Certified Information Systems Security Professional (CISSP); however, it requires years of prior experience in information security. For developers looking to boost their secure development knowledge by attaining a security certification, an ideal place to start your research is "10 Security Certifications To Boost Your Career" in order to find the certification that matches your goals and current qualifications.

When it comes to pinpointing which pathway best suits your cybersecurity career goals, there are numerous routes to take. Developers who have a passion for policy enforcement, incident response, auditing, or user awareness and are interested in providing a security perspective on third-party products can head in the direction of enterprise IT security. Compliance-minded developers with experience developing applications under PCI-DSS, MISRA, FIPS, and other policy certifications can find roles available as security or compliance consultants, or as internal or external auditors. Other routes include jobs in wireless security, network security, cryptography, risk management, identity architecture, and many others.

According to the U.S. Department of Labor, the most sought-after job titles in cybersecurity include security engineer, security analyst, information security analyst, network security engineer, and information technology security analyst.

5 Top Security Careers, Job Descriptions & Salaries

Higher salaries are the most obvious benefit for developers who decide to enhance their cybersecurity knowledge and move into secure development roles. Roles in cybersecurity can pay up to 9% more on average than IT jobs outside of the security realm.

Note: Salary statistics taken from PayScale, job description information from Cyber Degrees.

Security Engineer
Security engineers build and maintain IT security solutions within organizations.

They perform vulnerability testing, risk analyses, and security assessments while creating innovative ways to solve existing production security issues.
Requirements: Degree in computer science
Median Salary: $88,777

Security Analyst
Security analysts are in charge of the detection and prevention of cyberthreats against an organization through an ongoing analysis of the company's IT infrastructure.

Tasks include the planning and implementation of security measures and controls, data maintenance and the monitoring of security assets, in-house security awareness training, and more.
Requirements: Between one and five years of cybersecurity experience is needed.
Median Salary: $66,787

Penetration Tester
Penetration testers are legal hackers who help organizations find security threats in applications, networks, and systems.

They're also known as pentesters.

They test applications by simulating cyberattacks that have been found in the wild.
Requirements: Unlike other cybersecurity roles, many openings for pentesters don't require a degree; however, your abilities will be under constant scrutiny, so some formal education is recommended.
Median Salary: $77,774

Security Consultant
Security consultants design and implement innovative security solutions.
Since security consultants are relied upon by numerous different departments to guide and implement long-term cybersecurity strategy, extensive industry experience is required.

For developers who are new to security, starting as a pentester or security analyst is recommended, although after proving themselves in other security roles for between three and five years, and understanding the industry inside out, aspiring security analysts could find themselves relevant for this role.
Requirements: A degree in computer science and between three and five years of experience in cybersecurity are needed.
Median Salary: $80,763

Incident Responder
Incident responders, also known as CSIRT engineers or intrusion analysts, investigate and limit the damage from cyberattacks that have occurred while working closely with the security team to prevent further attacks from taking place. Incident responders monitor their organization's networks and systems for threats while performing audits, risk analysis, and malware assessments.
Requirements: Like pentesters, incident responders don't necessarily have to have a specific degree, although a cybersecurity certification or specialization is helpful.
Median Salary: Around $60,000

Don't Wait
While security analysts and security engineers must have a degree and extensive experience, there are options for developers who want to turn their security passions into a profession in roles such as incident responder and pentester, with less-intensive requirements.
If you're a developer, don't wait — start working on enhancing your career in cybersecurity now.

Paul is an application security community specialist at Checkmarx, responsible for writing, editing, and managing the social media community. With a background in mobile applications, Paul brings a passion for creativity to investigating the trends, news and security issues ...
Today BioConnect announces the successful deployment of its BioConnect Identity Platform and Suprema biometric hardware for access control at Netwise Hosting Ltd, a leading provider of data centre colocation in London, UK.

BioConnect provides identity solutions, with a special focus on data centre colocation customers.

BioConnect offers a unique approach which removes the need to manage point-to-point integrations as it couples Suprema biometric readers with over 20 of the leading access control system providers. Netwise Hosting’s primary focus and fundamental values are speed, security, and stability as they deliver enterprise-level hosted environments to a wide and varied customer-base, working closely with clients all around the world.

As Netwise Hosting looked to expand their offering with the development of an additional 11,000 sq. ft. data centre in London, they chose BioConnect to fulfill their security requirement for a more fully-featured access control system that checked all the boxes.

They saw BioConnect as a leader, with its understanding of specific data centre colocation customer needs – shared spaces of sensitive data require assurance of identity throughout the facility and, to be most effective, a standardized way of deploying biometrics coupled with enterprise-level support is needed.

“BioConnect really set themselves apart from the competition when it comes to support; they have a small team of highly experienced individuals who know the product and the associated software inside out,” says Matthew Butt, Netwise Hosting Ltd., Managing Director. “We really cannot recommend this aspect of their offering high enough!”

Netwise compared their previous vendor installations and decided on the following requirements: they needed a solution that would allow them to incorporate a clearer view of identity with a multi-authentication biometric solution that would seamlessly integrate into Paxton Net2.

The main driver, in addition to finding the correct physical product, was to avoid having duplicate systems and information for access control. Suprema biometric devices provided and supported by the BioConnect team now cover all high-security ingress and egress locations throughout the data centre facility.

These readers provide the highest level of identity authenticity and provide flexibility in indoor/outdoor placement and multifactor authentication with card and fingerprint support.

The BioConnect Identity Platform incorporates an advanced plugin architecture to connect directly into Netwise Hosting’s preferred access control software, Paxton Net2.

Therefore, in addition to finding the correct physical product, Netwise was able to avoid having duplicate systems and information for access control between their biometric and non-biometric devices running on Paxton Net2. The addition of the BioConnect Identity Platform meant that Netwise didn’t have to make a tradeoff between software and hardware that would meet their needs – they now have their preferred access control system and multi-authentication biometrics in one single interface for the creation, removal and administration of all users and access zones.

“We chose BioConnect for several reasons, primarily the ability to integrate their system seamlessly with Paxton Net2, but closely followed up by their feature set and quality of the readers themselves,” said Matthew Butt, Managing Director. “The almost immediate availability of the product – coupled with their excellent support – meant they really did stand out from the competition.”

To read the full case study on this deployment, visit www.bioconnect.com/case-studies

Visit BioConnect and Suprema June 21-23 during this month’s IFSEC conference at ExCel London, UK in Stand E1400.

About BioConnect
BioConnect is on a Quest – for Rightful Identity. Why? To empower people to use their unique biometric credentials (their Rightful Identity) in their everyday lives – delivering greater security, assurance and convenience along the way.

BioConnect revolutionized the physical access control market with its industry-first identity platform that enables the integration of biometric technology with the industry’s leading access control solutions.

And as a representative of the world leader in biometrics and security, Suprema, BioConnect provides and supports the implementation of the top-rated biometric hardware devices (finger, face, card and PIN) and IP access control solutions in select markets. Learn more at http://www.bioconnect.com/.

About Netwise Hosting Ltd.
The Netwise Hosting team take great pride in their ability to offer truly high-end services, without the excessive and restrictive barriers that regularly force businesses out to countryside data centres - many miles from the nearest major business and trading hubs.

Access to London data centre space is no longer reserved for firms with enormous IT budgets.
SMEs can at last rub shoulders with much larger businesses, deploying their online services from a facility they can really boast about - all managed by a company with core values in line with their own.

For more information, visit http://www.netwisehosting.co.uk/.