Thursday, December 14, 2017

Tag: The Jump

A nice place to visit, but I'm not sure about spending 100 hours.
For those of us who have made our careers in IT and technology, the cost savings and performance benefits of cloud computing are obvious.
In some ways, it's a no-brainer to make the transition. Yet, at the same time, the jump to the cloud can sometimes feel less like a standard technology migration and more like an enormous leap of faith. That's because in IT our natural desire is to own and control.
It has been our modus operandi for decades. We have always been able to point to what we own with pride. Embracing the cloud requires us to give up that feeling of access and control.

This is a huge cultural and emotional shift, especially if you grew up in hardware as I did. With the cloud, practically all of the things we've known and believed to be true of technology are in the past. Now, software sits squarely between you and the infrastructure, and it is a bit unnerving at times.
Samsung's newest flagship adds dual cameras and a slightly bigger screen.
New evidence suggests that animal life got a jumpstart from Snowball Earth.
New design coming sometime in 2018, along with a new Apple-made external display.
"Ultra Accessory Connector" is Apple's name for an obscure but already-existent port.
Doing our part to push the encrypted-by-default vision of the Web.
Advantech makes surprise debut on vulnerability list at number two, right behind Adobe

Like rules, records were made to be broken, and the security industry's largest-ever vulnerability reporting and remediation program didn't disappoint, with 674 total advisories in 2016 - eight more than the year before, according to a report this week from the Zero Day Initiative. ZDI, launched in 2005, encourages responsible reporting of zero-day vulnerabilities to affected vendors by financially rewarding researchers, and protecting customers while the affected vendor creates, tests, and delivers a patch. ZDI paid out nearly $2 million in rewards in 2016, the group reported this week.

As for the bigger software vulnerability picture, Adobe products accounted for 149 advisories, or 22% of the ZDI total, the same share as in 2015.

Adobe Reader, Acrobat, and Flash were the main culprits, and ZDI expects the trend to continue as more browsers block Flash by default.
In addition, Adobe doesn't operate its own bounty program for bugs and vulnerabilities, unlike Microsoft and Apple.

And Adobe is already off to an auspicious start in 2017; ZDI communications manager Dustin Childs tells Dark Reading his organization just notified the vendor of eight new vulnerabilities. Microsoft fell to number three on ZDI's 2016 list and it had a lower percentage of published ZDI advisories - 11% - down from the previous year's 17%.

But those numbers don't tell the whole story, since Microsoft itself published more security bulletins in 2016 than ever before. Microsoft's biggest problem was the continued targeting of browsers; while its Edge browser was supposed to be much more secure than Internet Explorer, almost two-thirds (64%) of Microsoft-related ZDI advisories were related to browsers. Advisories for Apple products made a significant jump in 2016.

There were 61 ZDI advisories posted for the vendor's products in 2016, or 9% of the total, more than what it posted in 2014 and 2015 – 4% both years.

The jump isn't completely surprising to Childs, who notes Apple's more pervasive presence with desktop computing, not to mention its smartphone dominance.

The installed base of OSX and iOS combined is larger than Windows, Childs adds, and he predicts more Apple vulnerabilities in 2017 through ZDI and Apple's own bug bounty program. Trend Micro, which owns ZDI, also predicts the percentage of Microsoft advisories will continue to drop in 2017 while Apple's increases.

Industrial computing vendor Advantech made its debut on the ZDI list at number two with 112 advisories published – 17% of the published advisories. "This doesn’t necessarily mean this vendor has a wide surface attack area," Childs writes in a ZDI blog post. "All of these cases came in through the same anonymous researcher, meaning the researcher found a specific type of bug prevalent in their systems," Childs says, adding that the same researcher reported no bugs from any other vendor in 2016.

While Advantech's issues were a surprise, Childs says he also expected to see more enterprise software cropping up on the 2016 list from vendors like HP, Dell, or Oracle. "There's a bunch of enterprise software that hasn't been closely looked at, so there's a lot of bugs for researchers to find," he says.

And though browsers have become well-trod territory, this business middleware market is mostly untouched.

Nonetheless, infosec professionals and executives should be careful with lists like these, since looking at the numbers without much context doesn’t make for better security decisions in the future, warns Jeremiah Grossman, a security researcher and chief of security strategy at SentinelOne. "These figures see significant and subjective variation in what’s included, how things are counted, and more, which can largely throw off the numbers from one year to the next," he tells Dark Reading in an email. "And of course cybercriminals really don’t care how many reported vulns a particular product has, mostly because they only need one (or maybe a small handful) that’s wired into their exploitation tools for easy deployment."

Childs counters that it's important to understand how ZDI's list gets compiled. "It's important to see how the list is created - these are the bugs coming through our program," he says. "They may not be representative of all the research going on… we don't do anything with mobile yet, for example.

But if you look back at the last couple years, you can definitely see some trends," like Adobe's recurring presence.

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ...
Credit it to mass-produced malware and better detection through machine learning. Antivirus provider Kaspersky Lab has revealed that around 323,000 new malware files are being identified each day by its product as opposed to 70,000 files per day in 2011.

This, it claims, is an increase of 13,000 per day when compared to last year. The jump is seen partly because cybercriminals have turned sophisticated and are offering “mass production of malware and tailored cybercriminal services.” Another reason, says Kaspersky, is the improvement in the quality and technique of automated malware analysis technologies, which successfully detect all malware types, both existing and unknown. Kaspersky claims to have a billion malware samples in its cloud database now.
It gives credit for this to its machine-learning based malware analysis system Astraea which, it says, has been increasingly active in detecting malware – from 7.5% in 2012 to 40.5% in December 2016.
95,000 subs left after hack – 94,000 joined in last six months

TalkTalk has unveiled a healthy jump in post-tax profits on the same day a 17-year-old boy pleaded guilty to hacking the British telco. This morning the teenager, who because of his age cannot be named, pleaded guilty at Norwich Youth Court to seven charges under the Computer Misuse Act. He will be sentenced on 13 December, according to Sky News. The youth was arrested in November last year by detectives from the Metropolitan Police's Cyber Crime Unit, who obtained a search warrant for his Norwich home.

Meanwhile, TalkTalk boasted that its profits jumped by £22m in the first half of this financial year, up from £11m in the six months ending September 2015 to £33m in the same period this year. The jump in profits came in spite of the telco shedding 30,000 fixed-line broadband customers between the first half of fiscal year 2016 and H1 FY2017 as it enjoyed a net rise of 94,000 mobile subscribers, giving it a combined total of 4.76 million customers. Perhaps TalkTalk's cheesy telly ads showing a Gogglebox-style family streaming videos on their tablets are working after all.

Chief exec Dido Harding gave London business freesheet City AM a hair-shirt interview this morning, boasting of how the company has improved since the teenage hacker and his alleged accomplices walked off with the personal details and banking information of up to four million customers. "We also learnt that if you're open and honest with your customers everything works out alright," she said. "They think, in adversity, we tried our damnedest to look after them."

TalkTalk’s revenues dipped by 1.1 per cent to £902m for the half-year, which the firm said was "as expected". It has previously admitted that the major October hack cost it 95,000 customers and around £45m in extra security and service restoration costs.
Branch buffer shortcoming allows hackers to reliably install malware on systems

US researchers have pinpointed a vulnerability in Intel chips – and possibly other processor families – that clears the way for circumventing a popular operating-system-level security control. ASLR (address space layout randomization) is widely used as a defense against attempts by hackers to exploit software vulnerabilities to take control of computers. By randomising the locations of kernel and application components in memory, ASLR limits the ability of evil code, injected into a system, to reliably exploit programming flaws to hijack the attacked application or operating system. Hackers need to know where key components lie in memory in order to successfully exploit a bug, a process that ASLR frustrates.

For example, take a booby-trapped PNG file that exploits a bug in an image editor. The software opens the PNG and is tricked into handing control of the processor to code smuggled within the picture – but the exploit code is now running blind. It cannot assume the location of key components that are needed to pivot from basic exploitation to a full compromise of the application and, next, the whole system. ASLR has juggled the libraries and other dependencies around at random, so an algorithm is needed to work out where things have been hidden.

The Intel chip flaw can be abused by hackers to bypass this protection, thus ensuring their attacks are much more effective. In order to pull off this technique, miscreants must be able to at least start running their malicious code within an application or operating system on the target machine – this isn't a remote attack, it's a local attack. The hack takes advantage of the CPU's branch target buffer, a mechanism present in many microprocessor architectures including Intel Haswell CPUs. Exploiting the buffer was demonstrated by the researchers on a Haswell-powered PC running Linux, and this attack is potentially effective against other platforms.

The BTB provides a history of branches taken by the processor as it runs through its code: after the CPU is told to make a decision, it usually jumps to another part of the program based on the outcome of that decision. For example, if something fetched from memory has a value greater than zero, then jump to location A, or jump to location B if not. If a jump location is in the history buffer then the CPU knows this branch is usually taken, so it can start priming itself with instructions from the jump landing point. That means branches routinely taken execute with minimal delay.

By flooding the BTB with a range of branch targets, hackers can observe the BTB refilling with values of regularly taken jumps. This allows the miscreants to work out where in memory the operating system has randomly placed the application's vital components. It takes a few tens of milliseconds to perform, we're told. The eggheads say this allows an “attacker to identify the locations of known branch instructions in the address space of the victim process or kernel.” Their research, Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR, by boffins at State University of New York at Binghamton and the University of California, Riverside, can be found here [PDF].

Alfredo Pironti, senior security consultant at IOActive, said the vulnerability shows that the security of physical IT (including chips) needs to be considered alongside more commonplace and less esoteric software flaws. “Software isn’t always the easiest point of entry, particularly for those hackers that have a deeper knowledge of hardware and its vulnerabilities,” said Pironti, who added that the ASLR bypass attack is an example of a hardware side-channel attack, an already recognised class of assault.

“These attacks are often more expensive and time consuming to conduct, compared to classical software attacks,” Pironti explained. “Usually they also have stricter conditions, such as running a specific software on the victim’s machine and being able to collect CPU metrics. However, this doesn’t mean that we shouldn’t be vigilant. Cybercriminals are more sophisticated, well-funded and – worst of all – patient than ever before, and are always looking for new and surprising ways to infiltrate. This is why it is vital that companies have their chips pen-tested during the development stage, as the cost and complexity of remediating an attack of this kind is enormous,” Pironti concluded.
Moxie Marlinspike is the founder of Open Whisper Systems. Credit: Knight Foundation

The American Civil Liberties Union announced Tuesday that Open Whisper Systems (OWS), the company behind popular encrypted messaging app Signal, was subpoenaed earlier this year by a federal grand jury in the Eastern District of Virginia to hand over a slew of information—"subscriber name, addresses, telephone numbers, email addresses, method of payment"—on two of its users. Further, OWS was prevented for at least several months from publicly disclosing that it had received such an order until the ACLU successfully challenged it.

While details of the case remain sealed, the ACLU published a number of partially redacted court documents, including its initial response to the FBI. Through its ACLU attorney Brett Max Kaufman, OWS noted that “only one of the two listed numbers is associated with a Signal account,” so the company couldn’t provide any further details. For the other number, however, the company said that it keeps minimal records about its users.

All Signal messages and voice calls are end-to-end encrypted using the Signal Protocol, which has since been adopted by WhatsApp and other companies. However, unlike other messaging apps, OWS makes a point of not keeping any data, encrypted or otherwise, about its users. (WhatsApp, by contrast, keeps encrypted messages on its own servers—this allows for message history to be restored when users set up a new device.) “The only information responsive to the subpoena held by OWS is the time of account creation and the date of the last connection to Signal servers,” Kaufman continued, also pointing out that the company did in fact hand over this data.

Signal's "privacy by design" was quickly applauded by National Security Agency whistleblower Edward Snowden.

The FBI came after #Signal, only to find they log only account creation date & last login time. @Google, take note.
— Edward Snowden (@Snowden) October 4, 2016

In the same letter, Kaufman also notified the FBI of his intention to fight the gag order. In a blog post, he wrote:

To its credit, the government quickly agreed with us that most of the information under seal could be publicly disclosed. But the fact that the government didn't put up too much of a fight suggests that secrecy—and not transparency—has become a governmental default when it comes to demands for our electronic information, and critically, not everyone has the resources or the ability to work with the ACLU to challenge it. OWS immediately recognized that even though the government required some secrecy over the subpoena, it did not need, nor could it justify, total secrecy. So OWS came to us, and we went to the government, which agreed to reverse its original demand for secrecy—and now OWS’s customers and the broader public can see for themselves just how wildly overbroad the government’s gag order was from the jump. And while this—the only one ever received by OWS—is now public, there are many more like it, hiding in the filing cabinets in the U.S. attorney’s offices across the country.

Across the country, two Stanford researchers are attempting to get years’ worth of surveillance orders released by the federal court in the Northern District of California, where OWS and many other tech firms are based.