CISA: Just-Disclosed Palo Alto Networks Firewall Bug Under Active Exploit
Bud Broomhead, CEO at Viakoo, says bugs that can be marshaled into service for
DDoS attacks are increasingly in demand among cybercriminals -- and increasingly
exploited. "The ability to use a Palo Alto Networks firewall to
perform reflected and amplified attacks is part of an overall trend to use
amplification to create massive DDoS attacks," he says. "Google's recent
announcement of an attack which peaked at 46 million requests per second, and
other record-breaking DDoS attacks will put more focus on systems that can be
exploited to enable that level of amplification." The speed of weaponization
also fits the trend of cyberattackers taking less and less time to put newly
disclosed vulnerabilities to work — but it also points to growing interest in
lower-severity bugs on the part of threat actors. "Too often, our
researchers see organizations move to patch the highest-severity vulnerabilities
first based on the CVSS," Terry Olaes, director of sales engineering at Skybox
Security, wrote in an emailed statement.
Kestrel: The Microsoft web server you should be using
Kestrel is an interesting option for anyone building .NET web applications. It’s
a relatively lightweight server compared to IIS, and as it’s cross-platform, it
simplifies how you might choose a hosting platform. It's also suitable as a
development tool, running on desktop hardware for tests and experimentation.
There’s support for HTTPS, HTTP/2, and a preview release of QUIC, so your code
is future-proof and will run securely. The server installs as part of ASP.NET
Core and is the default for sites that aren’t explicitly hosted by IIS. You
don’t need to write any code to launch Kestrel, beyond using the familiar
WebApplication.CreateBuilder method. Microsoft has designed Kestrel to operate
with minimal configuration, either using a settings file that’s created when you
use dotnet new to set up an app scaffolding or when you create a new app in
Visual Studio. Apps are able to configure Kestrel using the APIs in
WebApplication and WebApplicationBuilder, for example, adding additional ports.
As Kestrel doesn’t run until your ASP.NET Core code runs, this is a relatively
easy way to make server configuration dynamic, with any change simply requiring
a few lines of code.
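As an added illustration, not code from the article or from Microsoft, here is a minimal Program.cs that uses the WebApplicationBuilder API described above to add a second, HTTPS-only listener on an extra port, enable HTTP/2 on it and tighten a few request limits; the port numbers, certificate path and password are placeholders.

```csharp
using Microsoft.AspNetCore.Server.Kestrel.Core;

var builder = WebApplication.CreateBuilder(args);

// Kestrel is configured in code rather than in appsettings.json, so the
// listener set can be changed with a few lines before the app starts.
builder.WebHost.ConfigureKestrel(options =>
{
    // Plain HTTP listener bound to loopback only, e.g. for local development.
    options.ListenLocalhost(5000);

    // Additional HTTPS listener on all interfaces. Port, certificate path
    // and password are placeholders for this example.
    options.ListenAnyIP(8443, listenOptions =>
    {
        listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
        listenOptions.UseHttps("/path/to/placeholder-cert.pfx", "PLACEHOLDER-PASSWORD");
    });

    // Defensive limits: bound request size and header parsing time so a
    // single slow or oversized client cannot hold resources indefinitely.
    options.Limits.MaxRequestBodySize = 10 * 1024 * 1024;   // 10 MB
    options.Limits.MaxRequestHeadersTotalSize = 32 * 1024;   // 32 KB
    options.Limits.RequestHeadersTimeout = TimeSpan.FromSeconds(30);
    options.Limits.KeepAliveTimeout = TimeSpan.FromMinutes(2);

    // Do not advertise the server implementation in response headers.
    options.AddServerHeader = false;
});

// Tell the redirection middleware which port carries HTTPS (placeholder).
builder.Services.AddHttpsRedirection(o => o.HttpsPort = 8443);

var app = builder.Build();

// Send any plain-HTTP request over to the HTTPS listener.
app.UseHttpsRedirection();
app.MapGet("/", () => "Kestrel is serving this endpoint.");

app.Run();
```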
Private 5G networks bring benefits to IoT and edge
Private 5G's potential in enterprise use cases that involve IoT and edge
computing is not without challenges that the industry must address; a
production-level system requires many touchpoints. Private 5G networks must be
planned, deployed, verified and managed by service providers, system integrators
and IT teams. Edge computing is a combination of hardware and software. Each of
these elements can fail, so they must be maintained and upgraded practically
without any downtime, especially for real-time, mission-critical applications.
Admins must manage edge deployments with containers or VM orchestration. Both
public cloud vendors and managed open source vendors are addressing this space
by providing a virtual edge computing framework for application developers.
Public cloud vendors have also started to provide out-of-the-box edge
infrastructure that runs the same software tools that run on their public cloud,
which can make it easier for developers. For private 5G, IoT and edge to be
successful, the industry must develop an extensive roadmap. Many of these
solutions require long-term maintenance and upgrades.
Google is exiting the IoT services business. Microsoft is doing the opposite
Google will be shuttering its IoT Core service, the company disclosed last week.
Its stated reason: Partners can better manage customers' IoT services and
devices. While Microsoft also is relying heavily on partners as part of its
IoT and edge-computing strategies, it is continuing to build up its stable of
IoT services and more tightly integrate them with Azure. CEO Satya Nadella's
"intelligent cloud/intelligent edge" pitch is morphing into more of an
intelligent end-to-end distributed-computing play. ... Among Microsoft's current
IoT offerings: Azure IoT Hub, a service for connecting, monitoring and managing
IoT assets; Azure Digital Twins, which uses "spatial intelligence" to model
physical environments; Azure IoT Edge, which brings analytics to edge-computing
devices; Azure IoT Central; Windows for IoT, which enables users to build edge
solutions using Microsoft tools. On the IoT OS front, Microsoft has Azure RTOS,
its real-time IoT platform; Azure Sphere, its Linux-based microcontroller OS
platform and services; Windows 11 IoT Enterprise and Windows 10 IoT Core -- a
legacy IoT OS platform which Microsoft still supports but which hasn't been
updated substantially since 2018.
Twitter's Ex-Security Chief Files Whistleblower Complaint
Zatko's complaint alleges that numerous security problems remained unresolved
when he left. It also alleges that Twitter had been "penetrated by foreign
intelligence agents," including Indian government agents as well as another,
unnamed foreign intelligence agency. A federal jury recently found a former
Twitter employee guilty of acting as an unregistered agent for Saudi Arabia
while at the company. In his February final report to Twitter, Zatko alleged
that "inaccurate and misleading" information concerning "Twitter's information
security posture" had been transmitted to the company's risk committee, which
risked the company making inaccurate reports to regulators, including the FTC.
According to his report, the risk committee had been told that "nearly all
Twitter endpoints (laptops) have security software installed." But he said the
report failed to mention that of about 10,000 systems, 40% were not in
compliance with "basic security settings," and 30% "do not have automatic
updates enabled."
Announcing built-in container support for the .NET SDK
Containers are an excellent way to bundle and ship applications. A popular way
to build container images is through a Dockerfile – a special file that
describes how to create and configure a container image. ... This Dockerfile
works very well, but there are a few caveats to it that aren’t immediately
apparent, which arise from the concept of a Docker build context. The build
context is the set of files that are accessible inside of a Dockerfile, and is
often (though not always) the same directory as the Dockerfile. If you have a
Dockerfile located beside your project file, but your project file is underneath
a solution root, it’s very easy for your Docker build context to not include
configuration files like Directory.Packages.props or NuGet.config that would be
included in a regular dotnet build. You would have this same situation with any
hierarchical configuration model, like EditorConfig or repository-local git
configurations. This mismatch between the explicitly-defined Docker build
context and the .NET build process was one of the driving motivators for this
feature.
The Quantum Computing Threat: Risks and Responses
Asymmetric cryptographic systems are most at risk, implying that today’s public
key infrastructure, which forms the basis of almost all of our security
infrastructure, would be compromised. That being said, the level of risk may be
different depending on the data to be protected – for instance, a life insurance
policy that will be valid for many years to come; a smart city that is built for
our next generation. Similarly, the financial system, both centralized and
decentralized, may have different vulnerabilities. For this reason, post-quantum
security should be addressed as part of an organization’s overall cybersecurity
strategy. It is of such importance that both the C-suite and the board should
pay attention. While blockchain-based infrastructures are still considered safe,
being largely hash-based, transactions are digitally signed using traditional
encryption technologies such as elliptic curve and therefore could be
quantum-vulnerable at the end points. Blockchain with quantum-safe features will
no doubt gain more traction as NFTs, metaverse and crypto-assets continue to
mature.
‘Post-Quantum’ Cryptography Scheme Is Cracked on a Laptop
It’s impossible to guarantee that a system is unconditionally secure. Instead,
cryptographers rely on enough time passing and enough people trying to break the
problem to feel confident. “That does not mean that you won’t wake up tomorrow
and find that somebody has found a new algorithm to do it,” said Jeffrey
Hoffstein, a mathematician at Brown University. Hence the importance of
competitions like NIST’s. In the previous round of the NIST competition, Ward
Beullens, a cryptographer at IBM, devised an attack that broke a scheme called
Rainbow in a weekend. Like Castryck and Decru, he was only able to stage his
attack after he viewed the underlying mathematical problem from a different
angle. And like the attack on SIDH, this one broke a system that relied on
different mathematics than most proposed post-quantum protocols. “The recent
attacks were a watershed moment,” said Thomas Prest, a cryptographer at the
startup PQShield. They highlight how difficult post-quantum cryptography is, and
how much analysis might be needed to study the security of various systems.
Intel Adds New Circuit to Chips to Ward Off Motherboard Exploits
Under normal operations, once the microcontrollers activate, the security engine
loads its firmware. In this motherboard hack, attackers attempt to trigger an
error condition by lowering the voltage. The resulting glitch gives attackers
the opportunity to load malicious firmware, which provides full access to
information such as biometric data stored in trusted platform module circuits.
The tunable replica circuit protects systems against such attacks. Nemiroff
describes the circuit as a countermeasure to prevent the hardware attack by
matching the time and corresponding voltage at which circuits on a motherboard
are activated. If the values don't match, the circuit detects an attack and
generates an error, which will cause the chip's security layer to activate a
failsafe and go through a reset. "The only reason that could be different is
because someone had slowed down the data line so much that it was an attack,"
Nemiroff says. Such attacks are challenging to execute because attackers need to
get access to the motherboard and attach components, such as voltage regulators,
to execute the hack.
Why Migrating a Database to the Cloud is Like a Heart Transplant
Your migration project’s enemies are surprises. There are numerous differences
between databases from number conversions to date/time handling, to language
interfaces, to missing constructs, to rollback behavior, and many others. Proper
planning will look at all the technical differences and plan for them. Database
migration projects also require time and effort, according to Ramakrishnan, and
if they are rushed the results will not be what anyone wants. He recommended
that project leaders create a single-page cheat sheet to break down the scope
and complexity of the migration to help energize the team. It should include the
project’s goals, the number of users impacted, the reports that will be affected
by the change, the number of apps it touches, and more. Before embarking on the
project, organizations should ask the following question: “How much will it cost
to recoup the investment in the new database migration?” Organizations need to
check that the economics are sound, and that means also analyzing the
opportunity cost for not completing the migration.
Quote for the day:
"Do not follow where the path may lead.
Go instead where there is no path and leave a trail." --
Muriel Strode