Smart machines: Is full automation desirable?

By 2020, smart machines will be a top five investment priority for more than 30 percent of CIOs, according to Gartner. With smart machines moving towards fully autonomous operation for the first time, balancing the need to exercise control versus the drive to realize benefits is crucial.

Brian Prentice, research vice president at Gartner, said Google’s self-driving car project is a perfect example of why pursuing full autonomy may be neither possible nor desirable in smart machines.

“Human beings are still required as the final point of redundancy in an autonomous vehicle, so a fully autonomous car requires a steering wheel should a driver be required to take control,” said Mr. Prentice. “But putting a steering wheel in an autonomous car means a fully licensed, sober driver must always be in the car and prepared to take control if necessary. Not only does this destroy many of the stated benefits of autonomous vehicles, but it changes the role of the driver from actively controlling the car to passively monitoring it for potential failure.”

According to Gartner, the Google Steering Wheel Dilemma is representative of a challenge all smart machine initiatives must face.

“Smart machines respond to their environment. But what is the environment that the smart machine is responding to? Environments that are largely uncontrollable are not amenable to smart machine projects because it is difficult, if not impossible, to model accurately,” said Mr. Prentice. “The trick then is to figure out what is actually controllable and limit smart machines to that which can be accurately modeled and managed.”

Mr. Prentice said that major unresolved problems in machine learning solutions, such as how to ensure learning data is fully representative and how to avoid “reward hacking,” need to be addressed before any autonomous machine that continues to learn from its environment can be deployed as a mass-market solution to a real-world problem.

“The vision of the fully autonomous vehicle will not become reality, for any car manufacturer, in a time frame that doesn’t fall into the realm of science fiction,” said Mr. Prentice. “The failure of this vision will be set against the backdrop of advances in smaller, more pragmatic applications of machine learning in automobiles that will improve safety and driver experience.”

According to Gartner, CIOs seeking to maximize the benefits of smart machine solutions must:

• Plan to deliver smart machine-enabled services that assist and are overseen by humans to achieve maximum benefit in the next three to five years, rather than those that are fully autonomous.
• At the beginning of any project aiming to make use of smart machine technologies, identify and analyze the constraints within the environment — in law and in public attitudes — that the eventual solution will face.
• Design any smart machine solution outward from constraints identified in the key areas of user experience, information asymmetry and the business model to hit the sweet spot for smart machine-enabled solutions, and maximize the benefit the technology will provide.

from Help Net Security http://ift.tt/2fc4vn5

Improving business intelligence: The key catalyst is governance

While Business Intelligence (BI) is yielding important benefits for the vast majority of surveyed companies, most feel there is more to come, according to Qlik and Forbes Insights.

There is room for significant improvement

The survey of more than 400 senior IT and business professionals showed that 45% of respondents rate their BI program as yielding “very significant” benefits, while a further 36% rated the benefits as “significant.” Even so, issues such as less-than-optimal adoption rates, lingering silos, multiple “versions of the truth” and data security mean that only 48% felt they had achieved the full potential benefits of their BI programs.

The solution identified by the survey is better governance to ensure consistent, reliable and optimized results. This governance includes such key points as standardizing definitions and formulas, improving data security and enabling secure access. Through these measures, better governance can actually empower individuals within the firm to utilize data independently to achieve their goals.

Key findings include:

• Four out of five organizations (81%) report that they are experiencing “very significant” (45%) or “significant” (36%) business benefits from their BI programs. These findings are consistent across different industries and geographies
• Three out of four respondents (76%) said the benefits of BI are a mix of tangible and intangible, but are always substantial. Specific benefits include improved customer metrics, accelerated time to market, stronger product and service mixes, enhanced brand valuation and recognition, and higher profitability
• Executives recognize the importance of governance in BI, as over three quarters (78%) say data governance is either vital or important to their BI operations, and two-thirds (65%) say governance is a useful means to empower end-users to uncover new insights.

Companies are taking important steps in governance

Going forward, the structure of BI will feature:

• Less IT control
• An increase in standalone, independent BI functions
• Greater structure, planning, and governance; fewer ad hoc characteristics
• A greater mix of centralized/decentralized approaches.

from Help Net Security http://ift.tt/2eWlydL

The Mobile Bicycle Repair Box

Nomad's Rugged New Cable Has Micro-USB, Lightning, and USB-C

Why You Should Never Freeze Soup with Pasta In It

Remains of the Day: Twitter to Let You Mute Specific Words

How Sex and Masturbation Affects Your Workouts

Choose a New Career You'll Care About With the "Cloud Technique"

Why You Usually Shouldn't Apply to Multiple Jobs at One Company and What to Do Instead

Boost the Flavor of Store-Bought Broth With a Little Miso

How to Disable Pocket's New Tab Page Display

Bracing for Impact Really Does Help Keep You Safe in a Crash

How to Avoid Kidnapping Children on Halloween

Add Vibrancy and Warmth to Photos With Light Bleeding

Sometimes it takes more than simple color correction to make a good photo into a great photo. If you have a scenic picture that could use just a little more warmth to make it pop, try adding some extra light in Photoshop with “light bleeding.”

Writer and photographer Jimmy McIntyre shares his technique for adding warmth to images in this video. Light bleeding, in this case, doesn’t refer to light leaks (unwanted light exposing film in unintended ways); rather he’s adding hazy highlights based on the color of the light source in the picture. It’s very simple: He selects the color of the lightest part of the sky, and then uses a very large brush with a very soft edge to add some light to the darker parts of the image. And the layer blending mode should be set to “soft light.”

Subtly is key. Bathing the whole image in digital light would just look fake, so you want to be selective when adding highlights. McIntyre focuses on the sides of the mountains in the picture that are already facing the sun so it visually makes sense. The resulting image is slightly more vibrant, warmer, and more evocative of a real sunset—even if the light isn’t quite real.

Quick Photoshop Secrets 14: Light Bleeding For Warmer Images | Jimmy McIntyre

from Lifehacker http://ift.tt/2f68MtH

Use This Formula to Figure Out About How Much Candy It Would Take to Kill You

A High-End Card-Reading Device

An impressive Chinese device that automatically reads marked cards in order to cheat at poker and other card games.

from Schneier on Security http://ift.tt/2dVJb9k

Avoid the Phrase “I Need” in a Salary Negotiation

What's Your Favorite Bath Mat?

Don’t Apologize Just to Be Forgiven

How to Limit How Much Candy Your Kids Eat Without Ruining Halloween

Scary security: Halloween costume ideas from the EFF and us

The Retailers That Reward You for Recycling Your Unwanted Junk

Why did WhatsApp change its mind over privacy? The EU wants answers

Today's Best Deals: Contigo Mugs, Gucci Watches, iFixit Toolkit, and More

Can we extinguish the Mirai threat?

The recent massive DDoS attack against DNS provider Dyn has jolted (some of) the general public and legislators, and has opened their eyes to the danger of insecure IoT devices.

It is clear by now that it will take joint action by all stakeholders – users, manufacturers, the security industry, ISPs, law enforcement and legislators – to put an end to this particular problem, but it will take quite some time.

Theoretical stopgap solutions

In the meantime, quick solutions that could prevent Mirai-infested devices from participating in DDoS attacks are being sought.

A day after the attack, Invincea Labs’ Research Director Scott Tenaglia published research into the Mirai source code, and revealed the existence of a buffer overflow vulnerability that can be exploited to crash the devices (i.e. stop them from participating in the attack).

He even provided an exploit for it, which could be used by DDoS mitigation services to perform the action, but noted that it would work only for stopping HTTP flood attack (the attack against Dyn was DNS-based). Also, the exploit does not clean the devices of the malware.

Tenaglia says he and his colleagues are “not advocating counterattack, but merely showing the possibility of using an active defense strategy to combat a new form of an old threat.”

Software engineer Leo Linsky has set up a GitHub repository with the Mirai source code and is apparently working on a proof of concept nematode (i.e. a beneficial worm) that would plug the vulnerabilities (default telnet credentials) exploited by the Mirai malware.

“The idea is to show that devices can be patched by a worm that deletes itself after changing the password to something device-specific or random,” he explained. Unfortunately, that could also lock out the legitimate owners.

Linsky made sure to note that the repository is for academic purposes only, and the work he’s doing is meant to be tested only in closed research environments – not on live devices, and especially not on devices one does not own.

He invited other developers to contribute to the effort.

from Help Net Security http://ift.tt/2dVcyIP

Did You Complete October’s Money Challenge?

Why It's So Hard To Open Up to People We Love When We’re Upset with Them

Repair Your Favorite Gadgets With This $15 iFixit Toolkit

iFixit, the people that rip apart brand new electronics to show you how to fix them, makes its own toolkit, and you can get it for $15 today.

Here’s what that gets you:

• 26 Bit Driver Kit - see complete list of bits below
• 2x Plastic Opening Tool Sets - soft plastic prying tools
• Small Suction Cup - suction cup for holding onto things lacking handles
• Plastic Spudger - handy ESD-safe tool for poking, prying, and opening
• iFixit Metal Ruler - steel ruler for easily measuring parts
• Anti-Static Wrist Strap - protect components and yourself from ESD
• 6x iFixit Opening Picks - use for prying, sliding, separating and air guitaring
• iFixit Tool Pouch - hold everything together in a sturdy zippered pouch

Just don’t go voiding your warranties unless you know what you’re doing.

http://ift.tt/2dUToTx

More Deals

http://ift.tt/1EnrHUs

---

Commerce Content is independent of Editorial and Advertising, and if you buy something through our posts, we may get a small share of the sale. Click here to learn more, and don’t forget to sign up for our email newsletter. We want your feedback.

from Lifehacker http://ift.tt/2e4W2Bh

Will It Sous Vide? Let's Pick Another Topic!

Halloween Special: three zombie security myths that just won’t die

Work Out Like Benedict Cumberbatch Did For Doctor Strange to Boost Endurance

Grab a Popular Contigo Travel Mug Starting Under $10, Today Only

Money Can Buy Happiness, But Only If You Know What Makes You Happy

Espionage group uses cybersecurity conference invite as a lure

A cyber espionage group that has been targeting organizations in Southeast Asia for years is misusing a legitimate conference invite as a phishing lure to trigger the download of backdoor malware.

The APT in question is Lotus Blossom, and the security conference is Palo Alto Networks’ CyberSecurity Summit that is scheduled to take place in Jakarta, Indonesia, on November 3.

About Lotus Blossom

Lotus Blossom is a group that has been operating at least since 2009, and possibly even earlier. Their predilection for spear-phishing emails with an ever-changing array of lures is well-known. They usually deliver custom Trojan backdoors (Elise, Emissary) to the target system.

Over the years, the group has been linked to a variety of targets in Hong Kong, Taiwan, Vietnam, the Philippines, and Indonesia.

The effectiveness of their approach is evident – they wouldn’t continue using spear-phishing emails if they didn’t work.

About the newest campaign

“Palo Alto Networks hosts cyber security summits all over the world, and in many cases we send invitations via email to individuals we believe would be interested in attending,” Palo Alto Networks’ researchers Robert Falcone explained.

It’s possible and likely that the Lotus Blossom team had access to an inbox that received the invite via email, or that they received the email themselves.

They took a screenshot of the image in the legitimate invite’s message body, a screenshot of the summit’s agenda, and combined the two images into a decoy Word document named [FREE INVITATIONS] CyberSecurity Summit.doc.

The researchers weren’t able to get a look at the attack emails, but believe the document is delivered as an attachment. Once opened, it shows the decoy Word document while attempting to exploit an old MS Office vulnerability (CVE-2012-0158) to deliver the backdoor Trojan in the background.

By analyzing the decoy document, the researchers discovered some things about the system on which the attackers created it.

“The threat actor is running Windows localized for Chinese users, which suggests the actor’s primary language is Chinese. The ‘CH’ icon in the Windows tray shows that the built-in Windows input method editor (IME) is currently set to Chinese,” Falcone shared.

“Also, the screenshot shows a popular application in China called Sogou Pinyin, which is an IME that allows a user to type Chinese characters using Pinyin. Pinyin is critical to be able to type Chinese characters using a standard Latin alphabet keyboard, further suggesting the threat actor speaks Chinese.”

At the moment, it’s impossible to known how effective this spear-phishing campaign was, but Palo Alto Networks has temporarily suspended the sending of email invites for the summit.

They also advised recipients of previous and future related emails to scrutinize them to determine if they were sent by the Lotus Blossom threat actors.

from Help Net Security http://ift.tt/2eTyDV7

Improve Your Creative Writing By Practicing the Art of the Dirty Joke

Monday review – the hot 21 stories of the week

From fake blue screens of death to how hackers broke into John Podesta's emails and more, catch up with all the news from the past seven days
from Naked Security http://ift.tt/2fw6aZ9

10 Internet Safety Rules to Teach Children Before They Go Online

Free download – SysAdmin Magazine: Tools & Tips for Security Admins

Every day security administrators monitor networks, support security tools, establish security requirements, perform vulnerability assessments, and much more. SysAdmin Magazine offers a wide range of helpful and time-tested tips and tools every security administrator will find useful.

The October edition of SysAdmin Magazine offers a wide range of helpful and time-tested tips and tools for IT security heroes. The contents of this issue include:

• IT risks infographics
• Group policy troubleshooting techniques
• Office 365 password policy rules
• How-tos and technical guides.

from Help Net Security http://ift.tt/2e4zLUk

A Haunted Hotel You Can Stay In, Endangered Dog Breeds, and Why Movie Ads are Called "Trailers"

Most unpatched Joomla sites compromised in latest wave of attacks

If you run a Joomla-based website and you haven’t implemented the latest security release of the CMS, your site has been almost surely compromised.

According to Sucuri CTO Daniel Cid, every Joomla site on the company’s network was hit with exploitation attempts within three days after the release of the update (v3.6.4), and he assumes that other Joomla-based sites suffered the same fate.

The security update in question fixed three critical flaws that allow attackers to create accounts on Joomla sites, to elevate those accounts’ privileges (make them admin accounts), and to modify existing users accounts.

The first two issues, CVE-2016-8870 and CVE-2016-8869, were flagged by researcher Demis Palma and Joomla Security Strike Team member Davide Tampellini, respectively.

No details about the vulnerabilities were shared when the update was released but attackers know how to reverse-engineer the patch and ferret them out.

“Less than 24 hrs after the initial disclosure, we started to see tests and small pings on some of our honeypots trying to verify if this vulnerability was present,” Cid noted. “In less than 36 hrs after the initial disclosure, we started to see mass exploit attempts across the web.”

The exploitation attempts came from various sources, and the initial ones targeted some of the most popular Joomla sites out there. But after that, the attackers stopped discriminating, and targeted every vulnerable site that could be found.

If you’re a Joomla site admin, check your site dashboard for new user accounts that you don’t remember setting up. If you find some, it’s high time to do some cleaning up, and finally implement the update.

Finally, let this be a lesson for the future: implement future fixes as soon as they are released.

from Help Net Security http://ift.tt/2e4kySQ

Building the IoT monster

When Mary Shelley wrote Frankenstein, she imagined the misguided doctor assembling his creature from dead body parts, who instead of elevating science, created something dark and terrible. A modern day Mary might well imagine the monster being assembled, not from arms and legs, from nanny-cams, door locks, and DVRs.

It would be hard to miss the events of the past few weeks. In September, security reporter Brian Krebs was hit by a massive DDoS attack. Within a few days, hosting company OVH was hit with an even larger DDoS attack, peaking around 1Tbs.

What marked these attacks as especially worrying was the use of a relatively small number of compromised IoT devices (around 150,000) to generate such a significant attack. The source code for the software used, Mirai, is already in the public domain (here’s a snippet):

typedef uint8_t ATTACK_VECTOR;

#define ATK_VEC_UDP 0 /* Straight up UDP flood */
#define ATK_VEC_VSE 1 /* Valve Source Engine query flood */
#define ATK_VEC_DNS 2 /* DNS water torture */
#define ATK_VEC_SYN 3 /* SYN flood with options */
#define ATK_VEC_ACK 4 /* ACK flood */
#define ATK_VEC_STOMP 5 /* ACK flood to bypass mitigation devices */
#define ATK_VEC_GREIP 6 /* GRE IP flood */
#define ATK_VEC_GREETH 7 /* GRE Ethernet flood */
//#define ATK_VEC_PROXY 8 /* Proxy knockback connection */
#define ATK_VEC_UDP_PLAIN 9 /* Plain UDP flood optimized for speed */
#define ATK_VEC_HTTP 10 /* HTTP layer 7 flood */

When considering the potential here, remember that at around 1Gbps, most organizations struggle to stay online, according to security firm Arbor Networks. A 1Tbs is, obviously, a thousand times bigger than that – something even a specialist hosting company struggled to manage.

And now, within a few weeks, an even larger DDoS attack appears to have taken place, also using IoT devices, impacting household names such as Netflix, Twitter, and Amazon, amongst others. Estimates vary wildly, from around half a million devices to potentially several million, but in the end, it doesn’t matter how many devices were hit because if a well-coordinated attack using 150,000 devices can crank out a 1Tbs DDoS, (and one presumes 500,000 can hit significantly higher numbers) then we’ve barely begun to feel the potential of this style of attack.

Remember, we’re talking the IoT here. That means, not hundreds of thousands, or even millions of devices. The IoT will be measured in BILLIONS.

And sure, most of those will be safe and secure – or at least many of them – but take just five percent of, a conservative, 6 billion devices, and you end up with thousands of botnets capable of taking down pretty much anything you aim them at.

Enable those “things” to be controlled by an unfriendly nation state and you could see a massive impact on the US or global economy. Put them in the hands of professional hackers and criminal gangs and you have a death-star sized gun pointed at the head of every online business on the planet (and an upgrade from the traditional Low Orbit Ion Cannon).

We have a window of opportunity, a small one, to define security standards for IoT devices, to force manufacturers to adhere to them, and to name and shame those that don’t. Specifically we should be looking at the kinds of safety certifications we already have for consumer devices, electrical goods, and other components, such as provided by UL (safety organization) or a similar body.

Consumers will likely be the first (and possibly last) line of defense against the widespread hijacking of the IoT to conduct assaults like DDoS attacks (and others); therefore they will need to be able to make intelligent, informed purchasing decisions. Flooding the market with poorly secured IoT devices could cause serious damage and, as we’ve seen, the IoT is already fertile ground for creative attackers.

As is usual in these cases, the window for implementing these standards is finite, and never lasts as long as we might hope. If we miss it, then the early days of the World-Wide-Wait will seem like a fond golden age. If we fail to force security as a primary attribute of the IoT, the world’s most powerful high-tech toolset could turn it into very, very fallen angel indeed.

from Help Net Security http://ift.tt/2f48vr2

What can we do about the critical cybersecurity skills shortage?

Tech-savvy youth could plug a widening skills gap as employers seek to combat the growing threat of cybercrime and avert mass disruption to public and private lives. But the industry is failing to provide a clear path for young people to find work, hone their skills, and serve society. Instead, they are being tempted to exacerbate cybercrime, rather than prevent it.

In a wide-ranging new survey of 12,000 consumers and IT professionals from across the US and Europe, Kaspersky Lab found under-25s, highly skilled and highly impressionable, are already inured to the shock of large-scale cyber hacks. Their concern only marginally outruns their curiosity, and even regard, for these types of crimes. In fact, 57% of under-25s consider hacking to be an ‘impressive’ skill and only 35% of all respondents feel uncomfortable about people who have the skills to hack. Many are already adept at blurring the lines, with a third of under 25s (31%) able to hide their IP address, for example.

And while one in four (27%) have considered a career in cybersecurity, with many (47%) regarding it as a good use of their talent, many others admit an inclination to engage in more questionable activity. Only half (50%) of under-25s would actually join the fight against cybercrime; a significant number would use their skills for fun (17%), secretive activities (16%), and financial gain (11%) instead.

“Industry and education must do more to recruit the younger generation of cyber professionals and the warning signs are clear. The frequency and profile of teenage cyberattacks is growing with each generation’s competency, as well as with the ready availability of ‘malware as a service’,” said Eugene Kaspersky, Chairman and CEO of Kaspersky Lab.

Whether masterminds of these exploits or foot soldiers in the pay of criminal gangs, teenager hackers have been linked with a myriad of high profile cybercrimes in recent years – including attacks on US entertainment firm Sony, US retailer Target, UK parenting site Mumsnet, and UK broadband provider TalkTalk. Even agencies tasked with stopping them have come under fire, with both the CIA and the Serious Organized Crime Agency (SOCA) targeted by teenage hackers in the UK in 2012.

Kirill Slavin, General Manager, UK and Ireland at Kaspersky Lab says: “Organised cybercrime is no longer just a boardroom headache; it’s increasingly a very personal one, which threatens to disrupt, and potentially embarrass, private individuals in their homes. As recent attacks on Sony Entertainment and Ashley Madison highlight, where very private data was made public, cybercrime threatens to tear at the heart of both public and private life if it is not addressed. Yet, our research demonstrates three things: (i) a desperate skills shortage in information security, (ii) the ability of young people to step into the breach, and (iii) a failure of industry to let those young people take those first steps.”

Today’s young IT enthusiasts could hold the key to plugging the widening cyber skills gap, but they need to be encouraged to use their skills in the fight against cybercrime. Frost and Sullivan’s latest Global Workforce Survey predicts a shortage of 1.5 million information security professionals by 2020, on current trends. The survey reveals 93% recognize the profession needs to evolve with the landscape and 87% believe that it is important that young people join the cybersecurity war.

As it stands, employers are failing to channel young people’s interests and talent in the field. Many do not have any entry-level cybersecurity roles; most promote from within (72%), providing internal training as necessary, and recruit externally (53%) for seasoned security professionals.

According to the IT industry, the education system has a key part to play in encouraging young talent into the profession and equipping it with the necessary skill levels, with 62% of IT professionals claiming education should be responsible for training up new generations of cybersecurity professionals.

Work has started in the education sector already. President Obama pledged $4 billion for computer science in US schoolrooms in January. The UK Government has just announced a ‘Post-16 Skills Plan’ to put focus on digital skills in higher education. In Europe, The European Commission has set out steps to improve digital skills in Europe, as part of its journey towards a Digital Single Market.

To solve the problem, Kaspersky Lab believes more should be done at an employer-level to encourage young people to enter cybersecurity careers as well. Even among IT security professionals, 27% admit organizations themselves must do more to offer training and graduate schemes.

“There is a skills gap that needs to be addressed by both industry and education if we are to enthuse young people about entering the cybersecurity workplace. This generation is closer to technology than any before, and will run rings around the industry soon enough, escalating the threat of cybercrime if they are not brought onside and given opportunities to blossom. Their talent should be harnessed and nurtured for society’s good,” concludes Eugene Kaspersky.

from Help Net Security http://ift.tt/2eq2wM8

Healthcare industry lacks basic security awareness among staff

SecurityScorecard released a comprehensive analysis exposing cybersecurity vulnerabilities across 700 healthcare organizations including medical treatment facilities, health insurance agencies and healthcare manufacturing companies.

Security breaches in this industry pose devastating consequences because they can render an entire system or network inoperable, creating a life or death situation that needs immediate attention.

Among all industries, healthcare ranks 15th out of 18 in social engineering, suggesting a security awareness problem among healthcare professionals, putting millions of patients at risk. The Verizon Data Breach Report ranks social engineering as the third most common cause for breaches.

“The low social engineering scores among a multitude of healthcare organizations show that security awareness and employee training are likely not sufficient,” said Alex Heid, Chief Research Officer at SecurityScorecard. “Security is only as strong as the weakest link, and employees are often the lowest-hanging fruit when it comes to phishing, spear phishing, and other social engineering attacks. For a hacker, it only takes one piece of information such as learning the email structure of an organization to exploit an employee into divulging sensitive information or providing an access point into that organization’s network.”

Another risk is the array of devices with wireless capabilities such as IoT devices, wireless medical devices and tablets, which have paved the way for medical advances benefiting hospitals and patients. However, their speedy delivery and implementation has resulted in subpar security setups.

“As long as these IoT devices are manufactured with poor security standards, the vulnerability doesn’t only lie within the devices themselves, but they also pose a risk to any hospital, treatment center, or individual using the device. If a connected device is hacked into, the device can be forced to malfunction or it can be used as a pathway to reach an organization’s primary network,” continued Mr. Heid.

Key findings

• Over 75% of the entire healthcare industry has been infected with malware over the last year
• 96% of all ransomware targeted medical treatment centers
• Healthcare manufacturing nearly reaches a 90% malware infection rate
• 63% of the 27 biggest US hospitals have a C or lower in patching cadence, which measures an organization’s ability to implement security software patches in a timely fashion
• Healthcare has the 5th highest count of ransomware among all industries
• Over 50% of the healthcare industry has a network security score of a C or lower
• Past-breached healthcare companies still have 242% as many low scores in social engineering compared to non-breached companies.

from Help Net Security http://ift.tt/2eSOIdG

52% of enterprises choose cloud as the platform of choice

Adoption reality finally measures up to hype for cloud computing. There are game-changing consequences for IT departments as DevOps’ influence extends across the enterprise, according to ServiceNow.

Adoption reality finally measures up to hype for cloud computing

• More than half (52 percent) of respondents said they would choose cloud – software as a service or platform as a service – for new business applications as the platform of choice over on-premises data centers.
• 77 percent said they would complete the shift to cloud within two years.

“For years pundits have waited for an enterprise shift from traditional data center computing to cloud computing,” said Dave Wright, chief strategy officer, ServiceNow. “Today reality meets hype, and cloud-first consumption will accelerate at a break-neck speed in the next two years.”

DevOps drove the charge to a cloud-first world

• Nearly every respondent (94 percent) reported that they are involved in some way with the DevOps movement, a philosophy with origins in the agile development community. The goal of DevOps is to drive the rapid creation and hosting of new apps and services. Traditionally there was little interaction between IT and developers but the DevOps movement aims for early and frequent collaboration between these groups.
• A large majority (76 percent) said that the rise of DevOps is a major factor driving the move to cloud-first. Increasing the development cadence puts pressure on how enterprises deploy new applications. DevOps shines a spotlight on the bottlenecks incurred when hosting apps on company-owned infrastructure. Cloud is the way to rapidly add new streams of revenue-driving apps to fuel business growth.

“Cloud is not new, so why was 2016 the year enterprises became cloud-first? According to the survey, the answer is the rise of DevOps,” said Wright. “DevOps saw early that cloud computing could solve many of the issues they were grappling with. And DevOps’s ‘can-do’ vibe – enabled by cloud – is extending across the enterprise.”

A cloud-first world demands new IT skill set

• 89 percent of companies who have completed the shift to a cloud-first model said their current IT staff lacked the required skill sets to be successful in the new cloud world.
• 88 percent feel cloud could be a replacement for a formal IT department at least some of the time.

IT will have to adapt to this new reality, where most of the apps and infrastructure are outside the data center.

• 72 percent said the cloud shift actually raised IT’s relevancy to the business.
• 68 percent said IT will be completely essential in the future.

“Amidst the cloud-first shift, there are ominous signs for IT if there’s no change,” said Wright. “We believe this presents a real opportunity for those visionary IT organizations who can become strategic partners to the enterprise during this shift to cloud-first.”

The cloud-first shift has several likely consequences for IT departments:

IT visibility and cost predictions could be obstructed. IT must have full visibility of the organization’s compute environment, including all cloud-based services and applications. Visibility helps IT more effectively manage demand, understand compute costs, utilize cloud- and on-premises-based resources, execute on projects, ensure regulatory compliance, and manage business relationships.

The rise of DevOps means more of the enterprise will be playing in IT’s backyard. IT teams will be seeing more business app projects coming from the bottom up, and will need to enable the line of business with greater tools to code. At the same time, they’ll need to maintain control of their enterprise environment for security and compliance. They’ll need to delegate development to a growing legion of employees with DevOps skills.

Cloud growth means cloud sprawl. Implementing more agile cloud management policies and best practices will be critical. Companies will have to deal with a greater number and types of vendors, and those vendors will come and go more quickly than they may be accustomed to. That means Service Integration and Management (SIAM) and vendor management will gain importance.

from Help Net Security http://ift.tt/2fviNDE

LogiLube to offer ironclad security based on Waterfall’s Unidirectional Security Gateway

Waterfall Security Solutions nnounced a collaboration with LogiLube to protect LogiLube’s customers’ industrial sites from online cyber attacks. By deploying Waterfall’s Unidirectional Security Gateways, LogiLube’s customers benefit from real-time, actionable and predictive analytics with protection from cyber risks due to Internet and cloud connections.

“We chose Waterfall’s Unidirectional Gateway product because it enhances LogiLube’s innovative predictive analytic solutions with the highest security to mitigate risks associated with cloud and Internet connections. It complements our innovative predictive data analytic solutions for the oil and gas and other industries,” said Bill Gillette, CEO of LogiLube.

LogiLube’s cloud-based SmartOil solution improves equipment uptime and reliability by monitoring oil properties and by generating actionable, real-time data analytics. Optimized for fleets of high horsepower natural gas-fired engines powering reciprocating compressors, SmartOil provides actionable data and predictive analytics on machine health. It measures attributes such as oil temperature, pressure, viscosity, water contamination and dielectric strength. This data reduces compressor downtime and increases operating revenue for midstream clients.

“Thanks to their selection of Waterfall solutions, the fact that LogiLube’s SmartOil solution is cloud-based should raise no concerns of cyber risks for their clients,” said Lior Frenkel, CEO and co-founder of Waterfall Security Solutions. “Now, unidirectional security technology is enabling LogiLube’s customers’ midstream oil and gas facilities to use and benefit from cloud services, while maintaining safety levels previously attainable only on premises.”

Waterfall recently launched its Unidirectional CloudConnect product to enable cloud connections for the many industrial sectors eager to move to the cloud and the Industrial Internet of Things (IIOT), but hesitant to expose their control system networks to the vulnerabilities of firewalls and software-based cybersecurity solutions.

With Waterfall, IIoT vendors can offer their customers improved operational efficiencies through innovative products and services, and still assure those customers will receive only the beneficial impacts.

from Help Net Security http://ift.tt/2eL0ucj

Conceal Your Valuables at the Beach or Park With a Diaper

Use a Raspberry Pi to Power a LED-Based Record Finding System

Have a bunch of records (or books, games, or any other media on a shelf)? Then you’ll want to check out Hackaday user Mike Smith’s organization project that allows him to find a specific record using the power of LED lights.

The idea here is simple. Smith searches for a record and the LEDs light up to tell him exactly where it is. Obviously there’s a lot of prep here to get it ready, but the end result is pretty amazing system for finding what he needs. The project uses a Raspberry Pi, a set of LED strips, and a few other parts. While this build is specifically for tracking down records, there’s no reason why it couldn’t be used for anything else. It’s a complicated project to be sure, but you’ll find all sorts of help over on Hackaday.

recordShelf | Hackaday

from Lifehacker http://ift.tt/2ecqBIH

Delta's Shockingly Great H2Okinetic Shower Head Is Back In Stock For $20

How to Fix That Broken Chromecast Notification Facebook Is Putting In Your Shade

This Brioche Dough Is the Starting Point for Customizable Breakfast Rolls

Evil Week Showdown: Cell Carriers vs. Cable Companies

Sunday's Best Deals: B2G1 Video Games, Amazon Activewear Sale, View-Master VR

No More Ransom Helps You Prevent and Recover from Ransomware Attacks

Week in review: IoT, Windows code injection, new user privacy rules for ISPs

Here’s an overview of some of last week’s most interesting news, reviews and articles:

New code injection attack works on all Windows versions
Researchers from security outfit enSilo have uncovered a new code injection technique that can be leveraged against all Windows versions without triggering current security solutions.

New FCC privacy rules protect broadband users
The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice and security requirements for customers’ personal information.

Review: IS Decisions UserLock
According to a Rapid7 survey, 90% of organizations are worried about compromised credentials and around 60% say they cannot catch these types of attacks. French IT security company IS Decisions tries to tackle this major problem with UserLock, a solution that provides access security and concurrent login control for corporate networks.

Dyn DDoS attack post-mortem: Users inadvertently helped
As StarHub, one of the three major telcos in Singapore, confirmed that they were the latest victim of “intentional and likely malicious distributed denial-of-service attacks” on their DNS system, Dyn has published a short post-mortem of the unprecedented DDoS attacks it suffered on Friday (October 21, 2016).

Top 10 strategic predictions for IT organizations and users
Gartner revealed its top predictions for 2017 and beyond, which examine three fundamental effects of continued digital innovation: experience and engagement, business innovation, and the secondary effects that result from increased digital capabilities.

Understanding IoT botnets
Attackers will likely invest more resources into taking over the hordes of IoT devices added to the Internet every day.

Federal regulators: Increasing cybersecurity stance on financial institutions
The three main prudential regulators for financial institutions—Office of the Comptroller of the Currency (OCC), Federal Reserve Board (FRB), and Federal Deposit Insurance Corporation (FDIC)—released new proposed cybersecurity risk mitigation standards called Enhanced Cyber Risk Management Standards.

Malicious JPEGs can compromise your iPhone
A vulnerability in the iOS CoreGraphics component allows attackers to compromise iDevices by tricking victims into viewing a maliciously crafted JPEG file.

Terabit-scale DDoS events are on the horizon
Corero Network Security has disclosed a new DDoS attack vector observed for the first time against its customers last week. The technique is an amplification attack, which utilizes the Lightweight Directory Access Protocol (LDAP): one of the most widely used protocols for accessing username and password information in databases like Active Directory, which is integrated in most online servers.

Australian blood donors’ info found leaking from insecure server
Personal information of some 550,000 Australian blood donors has been sitting exposed on a web developer’s server and has been downloaded by a person who effectively stumbled on it.

Icarus takes control of drones by impersonating their operators
Researcher Jonathan Andersson, a member of Trend Micro’s TippingPoint DVLabs, has demonstrated how a specialized hardware module dubbed Icarus can be used to hijack a variety of widely-used hobbyist drones and make them do your bidding.

Photos: IoT Solutions World Congress Barcelona 2016
The world’s leading industrial Internet companies and experts gathered at the Fira de Barcelona for the IoT Solutions World Congress (IoTSWC) in order to showcase solutions for industries across different sectors.

Smart city initiatives: Highly integrated and complex problems to solve
Every day, leaders of large cities grapple with knotty, complex problems like decaying public transportation infrastructures, aging utility lines, urban blight, neighborhoods that are vulnerable to the effects of climate change, and other multi-faceted socio-economic challenges. Increasingly, municipal leaders are turning to urban analytics, data collection, and advances in sensor technology to help solve the problems of modern cities in bold, transformative ways.

Common enterprise IoT devices are hackable in minutes
ForeScout Technologies’ research focused on seven common enterprise IoT devices, including IP-connected security systems, smart HVACs and energy meters, video conferencing systems and connected printers, among others.

Why don’t all businesses have a good continuity strategy?
It has been said that an ounce of prevention is worth a pound of cure. In the case of disaster recovery, however, businesses tend focus on prevention without anticipating the need for a cure.

88% of employees lack awareness to stop privacy or security incidents
MediaPro surveyed 1,000 employees across the U.S. to quantify the current state of privacy and security awareness, and revealed employee knowledge trends across eight risk domains, ranging from working remotely to identifying phishing attempts, and assigned three risk profiles indicating employees’ privacy and security awareness IQ.

Enabling the Industrial Internet of Things with Unidirectional CloudConnect
Waterfall Security Solutions launched Unidirectional CloudConnect, a solution based on its patented Unidirectional Gateway technology, designed to meet the challenges of both cybersecurity and interoperability.

Over one-third of Americans have been hacked
Two-thirds of Americans believe themselves to be tech savvy, although their actions with regard to online security indicate otherwise – with millennials being the worst offenders, according to Arbor Networks.

Free tool for Active Directory changes monitoring
Netwrix Change Notifier for Active Directory tracks changes to Active Directory (AD) users, group memberships, OUs, permissions, and provides visibility into what’s happening inside your AD.

Hackers changing tactics, techniques and procedures
Organizations need to conduct better penetration testing to combat continual changes in hackers’ tactics, techniques and procedures (TTPs), according to NTT Security.

Best practices for securing your data in-motion
Data in-motion has to contend with human error, network failures, insecure file sharing, malicious actions and more.

from Help Net Security http://ift.tt/2eISDfl

This Week's Top Downloads

Nine Simple Halloween Treats You Can Throw Together Before a Party

If you’re hosting a ghoulish gala or your kids are having a Halloween party at school, these themed snacks are quick and easy to make.

If you want to have some fun, these ideas from the the HouseholdHacker YouTube channel make for some great spooky snacks. You can turn chocolate covered donuts into vampire bats, use graham crackers to make “bloody bandage cookies,” and turn a basic serving of guacamole into some pumpkin puke. On the healthier side, you can creep-ify a bowl of vegetable dip, or just draw jack-o-lantern faces on some whole oranges. Food is food, but why not try to make it more fitting for the occasion?

http://ift.tt/2ePkXu7

9 Last-Minute Halloween Snacks You Can Make Right Now | YouTube

from Lifehacker http://ift.tt/2frzWOj

Build an Animated GIF Camera with a Raspberry Pi Zero

Let Your Kids Eat All of the Halloween Candy They Want

Learn How to Prepare, Cook With, and Clean a Cast Iron Skillet

Cast iron skillets is a fantastic tool for most stove-top cooking. However, like all the best tools, they can require a little extra care to get the most out of them. This video shows you the basics.

The video above, from BuzzFeed Tasty, shows you how to get started by seasoning your skillet, which will help protect it from rust and give it a non-stick surface to cook on. It goes on to explain that you need to preheat your skillet to get an even cooking temperature. Note: the video incorrectly says that cast iron is a good conductor of heat, but the opposite is true. While it retains heat very well, it takes a while for heat to conduct through the entire skillet, which is why it can heat up unevenly. Hence the need for preheating.

Cast iron skillets can take a little more work than your average pan, but they’ll last forever and they’re versatile to work for nearly anything you need to cook on a stove top.

How To Cook With Cast Iron | Tasty

from Lifehacker http://ift.tt/2eHafs9

Why We Blush, and Why We Can't Control It When We Do

Charles Darwin once said that blushing is the most peculiar and most human of all expressions. While it’s definitely a common response to embarrassment, anger, or maybe one too many drinks, this video explains what’s happening in our body and how blushing can actually be kind of endearing.

When your face turns red, you’re actually experiencing your body’s all-too-familiar “fight or flight” response, which involves an increased heart rate and dilated blood vessels to improve blood flow. Your cheeks are particularly sensitive to these changes and presumably turn red because of them. Another plausible explanation for why we blush is that it’s like a non-verbal, physical apology for when you’ve done something socially unacceptable, like farting really loud in public. This social signal of regret or remorse makes you more relatable and likable, so don’t be embarrassed by your blushing.

Why Do We Blush? | AsapSCIENCE

from Lifehacker http://ift.tt/2f0uBuC

Top 10 Last Minute Tips for an Awesome Halloween

Make an Indoor Water Garden in a Jar for Carefree Greenery

Today's Best Deals: Crock-Pot, All-Clad, Starship Enterprise, and More

Sneak Money Out of a Piggy Bank With a Butter Knife

If you accidentally slipped a few too many coins in your piggy bank and don’t feel like breaking it open to get them back, use this trick instead.

This post is part of our Evil Week series at Lifehacker, where we look at the dark side of getting things done. Sometimes evil is justified, and other times, knowing evil means knowing how to beat it. Want more? Check out our evil week tag page.

This video from the Hacks World YouTube channel demonstrates a clever way to siphon some change out of an unbreakable piggy bank. Just grab a butter knife, slide it into the coin slot, and tilt the piggy bank upside down. The blade of the knife will act like an emergency escape slide for the poor coins imprisoned inside.

http://ift.tt/2dV2WJc

How to get Money out of a Piggy Bank without Breaking it | YouTube

from Lifehacker http://ift.tt/2f0K3Fz

Remains of the Day: Steam Is Having a Halloween Sale

Build Your Own Wi-Fi Drone Disabler With a Raspberry Pi

Facebook's Voting Guide Dishes Out a Personalized Voting Plan to Help You Learn About Your Ballot

Wear Flip Flops In The Rain

Friday Squid Blogging: Squid Nebula

This Spooky Spot the Difference Game Teaches Kids to Code with Python

What Features Do You Want In Your Next Laptop?

The ASUS RT-AC68U Is Your Favorite Wireless Router

This Week's Most Popular Posts: October 21st to 28th

Watch for These Baby Milestones to Know Which Safety Rules to Follow

This Fast Food Joint Gives You the Most Fries With Your Order

Find Animated GIFs From the Early Web With GifCities

This $100 Sous-Vide Circulator Will Forever Change the Way You Cook

Ensuring that ICS/SCADA isn’t our next IoT nightmare

The Best Halloween Movies and Where to Watch Them

Peek Previews Downloadable PDFs, Docs, and Videos Before You Click

Share Spooky Stories in Today's Open Thread

Today's Best Deals: Men's Suiting, Quick Charge Batteries, $100 Sous-Vide Circulator

Celeb nude photo thief Ryan Collins sentenced to 18 months in jail

How to Fake 'Before and After' Fitness Photos

PayPal 2FA bypass – how did *that* get past testing?

Amazon's Blowing Out Dozens of Tommy Hilfiger Accessories For Under $20, Today Only

Get Tough Tasks Done More Efficiently with the Two Minute Rule

Make an Umami-Packed Pesto with Seaweed

Oh Hey, Amazon's Already Taking Up to $360 Off the New MacBook Pros

Expect and Embrace Your Mistakes For Better Public Speaking

The FCC Passes New Rules to Protect Consumer Data From ISPs

Australian blood donors’ info found leaking from insecure server

Personal information of some 550,000 Australian blood donors has been sitting exposed on a web developer’s server and has been downloaded by a person who effectively stumbled on it.

The person contacted Troy Hunt of the Have I Been Pwned (HIBP) online service, and has passed the information to him to choose what to do next.

Hunt contacted AusCERT, who then took on the responsibility to work with the Red Cross Blood Service to solve the issue.

The leaked data came in the form of a database backup, and the file contains over 1.2 million records for over half a million donors. These records include their name, date of birth, blood type, phone and email address, real world address, but also personal information about their health, and potentially sensitive information about their sexual activity in the last year.

The Red Cross Blood Service pinned the blame for the leak on the third party that develops its website, and that the file includes info on individuals who donated blood between 2010 and 2016.

Apparently, the file was exposed on the server from 5 September 2016 to 25 October 2016.

As Hunt explains it, the 1.74GB database backup file was published to a publicly facing websitem and the server had directory browsing enabled on it. The individual that took the file simply exploited this function, saw the file, guessed its contents, and downloaded it.

He didn’t include the leaked data in his HIBP service, as Red Cross Blood Service took it upon themselves to notify each affected donor directly.

They have also fixed the security hole through which the data was exfiltrated.

The person who took the file says that he didn’t sell or give the file to anyone else, and that he has destroyed it. Hunt did the same.

The Service is still investigating if someone else exfiltrated the data.

“If organisations don’t track where their data is moving and who holds it, it’s only a matter of time before a damaging breach occurs. With sensitive data often passing between multiple companies during partnerships and sales, it’s essential that organisations have a data-centric security strategy in place to ensure that data is secure wherever it goes,” Steve Murphy, senior vice president EMEA at data giant Informatica, commented for Help Net Security.

“The cost of poor data security is now far more than just financial. Consumers are sharing more and more personal information with a wide range of organisations, from medical trusts to e-vendors. As a result, businesses which fail to secure that data risk inadvertently exposing their customers to blackmail, impersonation and scams – not to mention the reputational damage to the company. All types of organisations must address their data security now to be sure they do not fall prey to a disastrous data breach.”

from Help Net Security http://ift.tt/2eYO0uH

Don't Try to Buy Your Way to Status, Earn It Instead

New FCC rules impose privacy boost for ISP customers

Canadian police to text all phone numbers in vicinity of murder victim

Will It Sous Vide? Chili Is in the Bag

Keep your family safe with these security tips from Sophos

If you’re a regular Naked Security reader you’re probably already aware of Sophos Home – our free enterprise-grade security product for home users.

Whether you use Sophos Home or other security software to protect your home computers, that’s only half the battle of keeping your family safe and secure online. What about the other steps you need to take in order to batten down the hatches against those sneaky cybercriminals?

The guys and girls behind Sophos Home have put together a toolkit full of handy videos that offer security advice on how you can protect yourself and your family.

From securing your computer and phone to staying safe on social media and implementing parental controls, there are loads of tips on what you and your family can do to remain safe online.

Watch the videos and read the tips.

Follow @NakedSecurity

from Naked Security http://ift.tt/2e3P1nE

Eavesdropping on Typing Over Voice-Over-IP

Keep your LinkedIn profile secure with the Kevin Bacon rule

New code injection attack works on all Windows versions

Researchers from security outfit enSilo have uncovered a new code injection technique that can be leveraged against all Windows versions without triggering current security solutions.

They’ve dubbed the technique AtomBombing, because it exploits the operating system’s atom tables.

“These tables are provided by the operating system to allow applications to store and access data. [They] can also be used to share data between applications,” enSilo’s Tal Liberman explained.

“What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.”

Depending of the process in which it is injected, the malicious code could allow attackers to take screenshots, access encrypted passwords, or perform Man in the Browser (MitB) attacks.

“Being a new code injection technique, AtomBombing bypasses AV, NGAV and other endpoint infiltration prevention solutions,” Liberman explained.

“Once a code injection technique is well-known, security products focused on preventing attackers from compromising the endpoints (such as anti-virus and host intrusion prevention systems), typically update their signatures accordingly. So once the injection is known, it can be detected and mitigated by the security products.”

There is no effective way to patch this hole, as it’s not a vulnerability. The only solution is for security solutions to start monitoring API calls for malicious activity.

The success of AtomBombing depends on attackers being able to trick users into running a malicious executable, but that is still not that big of a problem.

from Help Net Security http://ift.tt/2eCcCwr

Understanding IoT botnets

If you were online on Friday October 21st, you were probably affected by the DDoS attack against managed DNS provider Dyn.

Dyn observed that tens of millions of IP addresses participating in the attack were from IoT devices infected by the Mirai botnet. But what exactly is an IoT botnet? What was so different about this DDoS attack and why does it have security professionals so worried?

A botnet is a collection of connected devices which have been infected with malware that allows an attacker to gain remote control and coordinate their actions. Attackers most commonly use their botnets to launch DDoS attacks, but they can also be used to send spam emails, sniff out sensitive passwords, or spread ransomware.

Botnets are created when a victim’s computer or Internet-connected device is infected with a botnet virus or worm. Some botnets are able to self-propagate, finding and infecting vulnerable hosts automatically. Other botnets require a user to unknowingly infect their own computer by installing malware.

IoT offers a new avenue of attack

The rapid proliferation of IoT devices and their lack of security opens up a brand new avenue for botnet creators, and we are now starting to experience the resulting impact. The Mirai botnet that took down Dyn is believed to be created with the same malware that launched two record-setting DDoS attacks in September against the KrebsonSecurity.com and French webhost OVH.

The Mirai botnet follows the same formula of most botnet malware by performing two main functions; growing the botnet by finding and infecting more vulnerable hosts, and launch DDoS attacks using the infected hosts. Where Mirai and other IoT botnets differ from traditional Windows-based botnets though is their devastating effectiveness in spreading to a huge number of IoT device hosts.

In comparison to traditional Windows-based botnets, IoT botnets flourish thanks to a lack of security by design with most IoT devices. Many IoT manufacturers don’t have experience securing network connected devices and often opt for off-the-shelf, embedded operating systems without default settings and exposed network services.

To cap it off, the simplistic designs and functions of most IoT devices lead to users configuring them with the default or easily guessed passwords, leaving them wide open to brute-force takeovers by attackers. When consumers connect these IoT devices directly to the internet (an unfortunately common practice with IoT security cameras for example) they become exposed to every vulnerability and botnet scanner in use.

To make matters worse, it’s very difficult to tell when an IoT device had been infected with botnet malware. With personal computers, the user can typically discover a malware infection through normal use when the machine begins behaving erratically or issues with host-based antivirus detection start to crop up. But users usually interact with IoT devices through a limited web-based GUI rather than accessing the embedded OS, so this lack of interaction allows botnet infections to go unnoticed for extended periods of time.

How Mirai works

The creator of the Mirai botnet recently released the source code for command and control server and the botnet client itself, allowing us a look into exactly how this malware functions. When a host becomes infected by Mirai, the malware starts by killing all other competing malware infections on the device, probably to free up resources for more effective attacks from the infected host.

Mirai then uses the infected host to scan for other vulnerable hosts on the internet and attempts to gain access using a brute force dictionary attack of common usernames and passwords. Once it gains access to a vulnerable host, it installs the Mirai malware and adds the new host to the botnet. While self-propagating, Mirai also checks in with a Command and Control server for instructions and then launches DDoS attacks against designated targets.

IoT botnets are here to stay

Attackers will likely invest more resources into taking over the hordes of IoT devices added to the Internet every day. Industrial IoT device manufacturers need to use the recent attacks as a wakeup call to refocus on securing their products. At a minimum, manufacturers should remove unnecessary network services and include ways to easily or automatically patch security vulnerabilities in their products.

IoT consumers should treat their devices similarly to their personal computers when it comes to security best practices. Here are a few simple steps you can take to make your new smartwatch or connected home gadget more secure:

• Avoid connecting IoT devices directly to the internet without a firewall.
• Remove the default password for your devices and set strong, hard to guess passwords.
• Update the firmware on your IoT devices regularly if your manufacturer releases security patches.

It will take a combined effort of manufacturers and consumers to slow the spread of IoT botnet malware, but it is possible. Until then though, the October 21st Dyn attack may be just the start of things to come.

from Help Net Security http://ift.tt/2eBZ5Vi

Nearly half of consumers have been cybercrime victims

45% of consumers have been a victim of some form of cybercrime — with 65% choosing not to report the incident to authorities. Research also found that one in six of these consumers have lost funds due to online fraud, with 20% losing in excess of $1,298.

Conducted by Opinium, the research surveyed 3,457 consumers across the U.K., U.S., Germany, France, Italy, Denmark, Spain, Sweden and the Netherlands to gauge perceptions, attitudes and experiences regarding online fraud, security and cybercrime.

Of the cybercrimes carried out, false requests to reset social media account passwords was the most common fraud — experienced by 20% of the subsample, closely followed by emails impersonating legitimate companies attempting to solicit personal information (17%).

Victims of cybercrime were fearful of using online services in the future. In addition 21% of the victims experienced dissatisfaction with the brand involved.

This impact on brand reputation was reflected in the fact that when asked about recent high-profile cyberattacks, 71% of consumers said they believed these events damaged an organization’s reputation, 65% said they thought it decreased trust in the brand, while a further 53% stated people wouldn’t engage with the brand in future. The findings highlight the importance of organizations having a comprehensive brand protection strategy in place.

The research found that consumer confidence in transacting online is highest when it comes to established channels, such as mobile banking apps and online shopping websites that were rated as being 52% and 50% trustworthy, respectively. Social media channels (16%) and social media advertising (14%) scored lowest with consumers highlighting a high level of scepticism that these channels fail to keep the personal information of consumers safe.

There is a high level of awareness amongst consumers (87%) of the dangers of transacting online and the tactics used by cybercriminals leading them to use a number of precautions when online. Limiting the entry of personal details to the websites of familiar brands was the most common answer (54%), followed by checking for https or the padlock symbol in the Web address bar (50%).

Despite this knowledge, the research also uncovered that there were areas, such as the Dark Web that consumers didn’t fully understand, with 37% saying they didn’t know what the Dark Web was used for.

“Cybercrime is affecting both brands and consumers, and is only set to rise as our use of the Internet increases. As a result there needs to be a multi-layered approach to online brand protection, to ensure customer trust, reputation and bottom line are maintained,” says Mark Frost, CEO, MarkMonitor. “This research demonstrates that consumers are not only aware of the severity of cybercrime and the tactics employed, but also the effects these attacks have on the brands themselves. Yet despite these high levels of awareness, they are still falling victim to cybercrime.

“As the sophistication of cyber attackers rises and criminals make more use of underground sites, such as those found on the Dark Web, it is critical that brands look at every method of protection and consider all threat vectors in order to ensure they can protect every aspect of their business and keep their customers safe.”

from Help Net Security http://ift.tt/2ehp2Xp

Phishers are impersonating major UK banks on Twitter

Customers of UK banks are being targeted by phishers impersonating the banks’ customer support account on Twitter, Proofpoint warns.

The phishers usually choose a variation on the legitimate accounts’ name and replicate its look, and swoop in when a user puts a question to the legitimate account.

In the example depicted above, the fake account is @BarclaysUKHelp, while the legitimate one is @BarclaysHelpUK.

The phisher manning the fake account replies and directs the user to a phishing site that looks very much like the bank’s own login page. Needless to say, users who enter their online banking credentials into this fake site are effectively handing them over to crooks.

Sometimes the scam doesn’t end there, and victims are asked to enter additional personal and financial information. This info will later be used by scammers to bypass the banks’ security measures and access the victims’ account.

Users are often told to be wary of unsolicited messages. This method of phishing is highly effective because the user is already expecting a response from the bank’s Twitter account, and simply assumes that the received message is from the right one. Of course, phishers do everything in their power not to raise any suspicion.

Proofpont says that the phishers have been using Twitter to impersonate every major UK bank. Similar attacks have previously been leveraged against PayPal users.

According to the company, social media phishing grew more than 100% between Q2 and Q3 of 2016.

Users are advised not to be lulled into complacency by the informal nature of Twitter conversations – messages received through the microblogging platform can be just as dangerous as malicious emails or SMSes.

It’s also good to remember that official accounts often have the blue “checked” mark near their name. If not, perform a short Twitter search to see if some other accounts pop up, and if they do, carefully assess each one and weed out the fakes.

from Help Net Security http://ift.tt/2ehlsMQ

Photos: IoT Solutions World Congress Barcelona 2016

This week, the world’s leading industrial Internet companies and experts gathered at the Fira de Barcelona for the IoT Solutions World Congress (IoTSWC) in order to showcase solutions for industries across different sectors.

8,000 participants discussed how the industrial Internet is radically transforming industry as we know it, and the benefits these technologies are bringing to companies and consumers alike.

Here are photos from the show floor, the featured companies include: Dell, IBM, Intel, Kaspersky Lab, Metasonic, Microsoft, Red Hat, Schneider Electric, Thales e-Security, Vodafone, and Waterfall Security.

from Help Net Security http://ift.tt/2flFaLM

Rise in cloud adoption, confusion about managing complex cloud environments

Today’s enterprises are increasingly moving to the cloud to transform internal IT environments, but are struggling to manage the complexity, according to 451 Research and Embotics.

We expect cloud computing to be:

More than 75 percent of enterprises are using multiple clouds, including public and private. Managing multiple cloud environments is leading to complexity, with 65 percent of respondents with more than one cloud using a cloud management platform and 54 percent using tools from multiple providers. However, the tools enterprises are using continue to fall short in solving several key management challenges.

The research found that users are unsatisfied with slow response times, are challenged with the management and tracking of digital assets, and that internal IT teams lack insight into how virtual machines are being used over time. More than 80 percent of IT professionals surveyed believe that their cloud management platform tools lack essential capabilities.

“IT departments being tasked with transformation to cloud-based infrastructure are struggling with the challenges and complexity of managing multiple environments, and our research shows that a majority of the platform providers they turn to today are falling short in supporting that transformation,” said William Fellows, Research VP at 451 Research. “As enterprises continue along the cloud maturity curve, we anticipate a sharp demand for cloud automation, self-service and provisioning capabilities as they seek to increase efficiency, flexibility, spend and agility.”

How many public cloud providers are currently in-use?

Managing complex cloud environments

Additional survey highlights include:

• More than 35 percent of IT enterprises have moved beyond virtualization and onto automation and orchestration along the 451 Research Cloud Maturity Curve.
• More than 50 percent of respondents are currently using or plan to use over the next 12 months container and orchestration technologies. Sixty-three percent have adopted or plan to adopt cloud automation technology.
• Critical capabilities are lacking in current cloud management platforms. Just 21 percent of respondents can accurately report on who is consuming VM resources, while just 19 percent can assign and track virtual assets in real time or model future costs based on consumption.
• VM sprawl is a major issue for IT teams. Only 13 percent or respondents understand how virtual machines are being utilized over time, while just 12 percent can identify who has logged in and how often. Twelve percent can analyze workloads so system admins can optimize sprawl servers.

from Help Net Security http://ift.tt/2eWfToo

Smart city initiatives: Highly integrated and complex problems to solve

Every day, leaders of large cities grapple with knotty, complex problems like decaying public transportation infrastructures, aging utility lines, urban blight, neighborhoods that are vulnerable to the effects of climate change, and other multi-faceted socio-economic challenges. Increasingly, municipal leaders are turning to urban analytics, data collection, and advances in sensor technology to help solve the problems of modern cities in bold, transformative ways.

So-called smart city initiatives are getting lots of attention in the marketplace as well as from the federal government. Many visionaries have asserted the transformational power of the Internet of Things, marked by the increasing ubiquity of sensors that collect and in some cases share or communicate data that can be used in almost infinite ways.

The Obama White House announced just last month more than $80 million dollars in federal investment on smart city program incentives emphasizing features related to climate, transportation, public safety and innovative delivery of city services.

According to a White House report, released in February 2016, “Information and communication technologies (ICT), the proliferation of sensors through the Internet of Things, and converging data standards are… combining to provide new possibilities for the physical management and the socioeconomic development of cities. Local governments are looking to data and analytics technologies for insight and are creating pilot projects to test ways to improve their services,” the report states.

“Even though the applications are complex and varied, the goal is simple: whether it’s water or energy, commuter time or taxpayer’s money, better data collection and use of information can help us build and adapt systems that use our resources much more wisely than we have in the past,” said John West, SC16 General Chair from the Texas Advanced Computing Center. “In many ways, we are at the leading edge of a new era in city design, and we need massive programming acumen and computing power to help bring it to fruition,” according to West. “Smart city initiatives are highly integrated and complex problems to solve – exactly the kind of challenges that we HPC systems experts are equipped and excited to support.”

As old systems become obsolete, the most visionary urban planners are taking the opportunity to design the future, not just repeat and rebuild the past. So how are we making our cities smarter? Here are just a few examples:

Automation of code inspection functions

Imagine if all the aging bridges in a city were equipped with sensors that measure and transmit their “shake” data to the postal truck that travels over them each day, and that data is then collected and used to make decisions about which bridges take first priority for repair or replacement.

Similar systems could help with pavement crack/pothole detection, and other types of urban blight indicator tracking. Trial projects of this kind are underway in Illinois, Pennsylvania and Maryland.

Resource and climate tracking

Streetlights use significant energy and are a source of light pollution, both of which can be mitigated by incorporating LED lights equipped with sensors that allow them to operate specifically how and when they are needed. Sensors placed inside water pipes can detect volumes and patterns of usage, helping utilities and consumers plan, shift and anticipate.

Sensors in flood-prone areas could give advance warning of damaging flood conditions before they have developed to the point where they impact public safety, creating an early warning system for flash floods. Other systems are being tested to monitor air quality throughout a city more comprehensively and automating the process of pinpointing the sources of damaging pollution.

Enabling transportation improvement and reinvention

Moving people around is a hot spot of potential for the future of urban centers. Smart cities aren’t just about the sensors that have proliferated with the Internet of Things.

They also feature adaptations like bike loan programs with accompanying apps for end users to maximize green transportation; fresh approaches to upgrading bus systems with dedicated lanes and loading zones in urban centers and yes, mobile phone apps to help users maximize their use of public transportation; and even brand new species of clean, efficient public transportation like closed-loop driverless public transportation systems that can operate safely and quietly in a wide range of weather conditions, independent of human intervention.

from Help Net Security http://ift.tt/2ehc4sJ

The Halloween Party Playlist

Five Ways to Cheat Your Way to 10,000 Fitbit Steps Every Day

Some days you just don’t have the time or energy to get your 10,000 recommended steps in. These tricks won’t help you keep active, but they will make sure you keep your numbers up.

This post is part of our Evil Week series at Lifehacker, where we look at the dark side of getting things done. Sometimes evil is justified, and other times, knowing evil means knowing how to beat it. Want more? Check out our evil week tag page.

While improving your health may be the main reason to wear a fitness tracker, there are other reasons too. Some companies give out special offers to active fitness tracker users, like Walgreens’ Balance Rewards. Even some health insurance companies offer discounts for using one. If you can’t get your walking in for the day, this video from the Wired YouTube channel shows off some useful tricks:

1. Wrap it around the chuck of an electric drill and get spinning.
   
2. Hook it up to your dog’s collar and let them do the walking.
   
3. Attach it to your electric mixer and get whisking. (Bonus: make some cookies at the same time.)
   
4. Open up a cheap desk fan, attach it to one of the blades, then start it up.
   
5. Get comfy in your favorite rocking chair and rock your way to the top (rotating your wrist might help.)
   

You shouldn’t use these all the time, of course, and you do so at your own risk. After all, what’s the point of a fitness tracker if you’re not going to ever use it properly? But these tricks can help you take the top spot in your office Fitbit competition, or help you keep your numbers up while you take a much needed break.

http://ift.tt/2bl4tru

Here’s How to Cheat Your Fitbit in a Totally Not Fraudulent Way | YouTube

from Lifehacker http://ift.tt/2eAOVUW

Remains of the Day: Twitter Is Shutting Down Vine

Loneliness Is a Signal, Not Just a Feeling

Reduce Your Caffeine Intake and Boost Productivity With This Morning Rule

How to Deal With the Financially Irresponsible People in Your Life

60db Dishes Out Short-Form Podcasts Personalized for You

Convince Someone That Your Dumb Idea Is True By Simply Repeating It Over and Over

This DIY Electromagnetic Pulse (EMP) Generator Is Simple to Build, Fries Small Electronics

If you want to get your hands dirty on a semi-evil electronics project, this DIY EMP generator is fun—if not a little dangerous—build to try. It won’t fry much, except at extreme short range, so you should be careful with it, but you’ll learn a lot in the process.

The video above tells the tale, and the project is actually the work of YouTuber FPS Weapons. You can see near the end of the video how he used it to make an old Game Boy Advance boot loop itself, and how he fried a couple of old smartphones. Of course, if you build it yourself, you shouldn’t run around killing people’s peripherals, and anything even remotely well shielded can stand up to what this will put out—but the process of building this will teach you a bit about electromagnetic fields, and how to generate them and how strong they can be based on the power source you provide. Hackaday notes:

The device is pretty simple. A DC source, in this case an 18650 lithium battery cell, sends power to an “Ultra High Voltage 1000kV Ignition Coil” (as the eBay listing calls it), when a button is pressed. A spark gap is used to dump a large amount of magic pixies into the coil all at once, which generates a strong enough magnetic pulse to induce an unexpected voltage inside of a piece of digital electronics. This usually manages to fire a reset pin or something equivalent, disrupting the device’s normal operation.

While you’re not likely to actually damage anything in a dramatic way with this little EMP, it can still interrupt an important memory write or radio signal and damage it that way. It’s a great way to get the absolute shock of your life if you’re not careful. Either from the HVDC converter or the FCC fines.

That last part is important to note, so if you do decide to try this project, keep it to the confines of your own home, or the local hackerspace, where you can be free to experiment with things like this.

How to Make a Handheld EMP Jammer | FPS Weapons (YouTube) | via Hackaday

from Lifehacker http://ift.tt/2eAk236

Hardware Bit-Flipping Attacks in Practice

A year and a half ago, I wrote about hardware bit-flipping attacks, which were then largely theoretical. Now, they can be used to root Android phones:

The breakthrough has the potential to make millions of Android phones vulnerable, at least until a security fix is available, to a new form of attack that seizes control of core parts of the operating system and neuters key security defenses. Equally important, it demonstrates that the new class of exploit, dubbed Rowhammer, can have malicious and far-reaching effects on a much wider number of devices than was previously known, including those running ARM chips.

Previously, some experts believed Rowhammer attacks that altered specific pieces of security-sensitive data weren't reliable enough to pose a viable threat because exploits depended on chance hardware faults or advanced memory-management features that could be easily adapted to repel the attacks. But the new proof-of-concept attack developed by an international team of academic researchers is challenging those assumptions.

An app containing the researchers' rooting exploit requires no user permissions and doesn't rely on any vulnerability in Android to work. Instead, their attack exploits a hardware vulnerability, using a Rowhammer exploit that alters crucial bits of data in a way that completely roots name brand Android devices from LG, Motorola, Samsung, OnePlus, and possibly other manufacturers.

[...]

Drammer was devised by many of the same researchers behind Flip Feng Shui, and it adopts many of the same approaches. Still, it represents a significant improvement over Flip Feng Shui because it's able to alter specific pieces of sensitive-security data using standard memory management interfaces built into the Android OS. Using crucial information about the layout of Android memory chips gleaned from a

from Schneier on Security http://ift.tt/2dPZKhW

Everything Apple Announced at the MacBook Event that Actually Matters

Leave a Coin on a Cup of Ice Before Leaving Home to See If the Power Went out While You Were Away

The Best Black Friday Deals

Check back here soon for all of 2016's best Black Friday deals from around the web, brought to you buy the Kinja Deals team.

from Lifehacker http://ift.tt/2fjYp8c