Thursday, February 29, 2024

How to (Safely) Engage in Wax Play

Mostly associated with BDSM, wax play is a sensual or sensation-focused type of play that involves dripping melted wax onto each other—or it can be done more sensually, with a massage candle. As for why folks engage in wax play, according to Dr. Carol Queen, the in-house sexologist at Good Vibes, the reasons vary, depending on whether couples are interested in exploring kink or temperature play, or are craving something a little sensual.

"Hot wax play can be a kink—something that is extra-arousing to participants because of the feel or even the idea of it," she says. "The sensation can be shocking, especially when combined with blindfolding, so depending on how hot the wax is, it can be a form of sadism/masochism, or pain play. Even if the wax is not that hot and doesn't have any pain component, it still can have lots of power play elements (again, especially if there is blindfolding). Emotional or mental responses can include fear and anticipation, both of which can be highly erotic for some people."

What happens during wax play

In both types of play—whether you're going for sensation-based or sensual—one partner drips melted wax onto the other. The difference, says Queen, between the two kinds of wax play involves (at least in part) the type of wax used.

"In sensation-based wax play, the wax will be hotter, giving a stinging or mild burning sensation—candle wax will be used for this," she explains. "For sensual play, a massage candle is used. These are made of a wax (often soy oil-based) with a much lower melting point than paraffin or other candle materials, meaning that when it melts it is not as hot, and you get warm massage oil instead of drops of wax that harden on the skin. From there, massage and other kinds of erotic play are the logical (and delightful) next steps, though I would not recommend the oil from massage candles as internal lubricant for insertion play. If so used, definitely get a candle that's unscented. These candles aren't made for this purpose and using scent in a lubricant just isn't a good idea." 

In sensation-based play, where a top is dripping wax onto a bottom, Queen says this could have a "service top" energy to your experience "because the bottom loves it and wants to do it, or it could have 'sexy threat' energy (still consensual and negotiated, mind you!) with lots of dirty talk that emphasizes fear (consensual fear!) and helpless anticipation," she says. "Again, blindfolding can ramp up that energy, as can bondage."

Another scenario involves the top dripping the wax from some height—often a couple of feet up—which lets the hot wax cool a little bit before it hits the body. "It's being dripped on naked skin, since wax is no fun to remove from bedding, lingerie, or hair, etc.," Queen explains. "On the skin it will harden, and another level of the play can involve how it feels to peel or scrape it off." 

How to do wax play safely

Queen recommends negotiating the rules ahead of time with your partner and making sure you have a safe word. Also, since either type of play (kinky or massage-focused) will involve lighting a candle and moving it around, you want to do this in a place where you won't risk a fire. It's wise to make sure there is a stable place to set the candle when you are not holding it, and to ensure the flame is completely out when you're done.

"This level of mindfulness suggests that a certain level of sobriety is a good idea for this kind of play," Queen adds. "Also, watch out not to drip from too high, lest the wax splash and hit places you didn't intend. Additionally, keep the wax away from any mucous membranes, keep it outside of the body, and avoid eyes and hair. Make sure to keep the candle away from any flammable materials."

How to prepare for wax play

Because you are dealing with fire, hot wax, and skin, Queen says it's important to prepare your area, and body, ahead of time. Some simple recommendations include making sure the candle is stable when it's not in hand, that your matches or your lighter works, and that there's water nearby in case the lit wick gets a little unruly. It's also a good idea, says Queen, to protect sheets or furniture in the event the wax splashes off.

"It's also great to know if the bottom has particularly sensitive skin, which might impact the kind of wax you choose," she says. "Test the wax drop on the bottom first to make sure it isn't a material that will irritate them."  

For easy removal, Queen recommends using a scraping device (such as a plastic card) to scrape the wax off their body when done, spanking it off with a flogger, combing it, using ice and water, scratching it off with nails, or using natural oils to massage into the skin and hydrate the skin while removing the wax.

Another thing to consider before engaging in wax play is whether the bottom has body hair where you're planning to play. "It's recommended that you do wax play over smooth skin—but some folks are furry," she says. "Maybe they'll want to shave to do wax play, and maybe they won't."

In any case, she suggests the bottom lightly oil up with something neutral like unscented massage oil, shea butter or silicone lubricant. "But note: Many oils can ignite when exposed to open flame, so it's going to be extremely important for the top to have control of their candle," Queen says. "And if the candle doesn't burn smoothly (spitting, pieces of wick falling off), don't use it."

What type of wax to use

"When I learned my wax play knowledge back in the day, the given info was that the safest wax play candles were plain white unscented plumber's candles with a cotton wick," Queen says. "White paraffin candles can be found as tapers, in glass (like altar candles), or as tea lights. Altar candles are contained in a glass jar so they're easy to handle, but you'll want to watch out for the glass element. Tea lights are easy to use too, until the metal casing they come in gets uncomfortably hot. They can be a challenge to keep hold of. If you use those, or tapers, make sure you have set up a safe place to set them down. This type is strongly recommended if you don't have a sense of how sensitive your bottom's skin might be." 

When it comes to beeswax, or scented or colored candles, Queen says that these can all burn hotter. "You won't necessarily know what color and scent additives are in your candle, so at the bare minimum, test them first if you are going to use a candle like this."

How to make wax play sexy

So you're in the bedroom with the candle. How do you make wax play feel sexy rather than strange, especially if it's your first time? Queen suggests doing the following:

  • Use a blindfold

  • Add in bondage gear, if you roll that way.

  • Erotic talk

  • Taking the wax off is sensation play too: Keep the scene rolling while that happens.

  • Make it part of temperature play in general and have a small bowl with a few ice cubes on hand. You can do cool, then hot, then cool.  

  • Wax play often sensitizes the skin and simple touch will feel different, so that is also something erotic to explore.

Don't forget aftercare

As with any play that can involve intense sensation or fear, Queen says it's key to come back to reality together and lose your power-exchange roles when it's appropriate.

"The top should see what the bottom might need, whether it's to hydrate, a few bites of protein, a bath, [or] a cuddle," she says.

When it comes to the wax play, specifically, Queen says you want to make sure the bottom's skin is doing well and "they don't need burn or pain relief cream. Make sure all the wax is off. Once the wax is off, maybe get in the shower together and remove all the residue."


from LifeHacker https://ift.tt/4IMQN8x

Wednesday, February 28, 2024

The Best Ways to Keep Potholes From Destroying Your Car

Driving in the late winter and early spring can be brutal on your car, especially if you live in an area with freezing and thawing temperatures, thanks to the rapid proliferation of potholes. Potholes are the result of trapped moisture that expands and cracks pavement, which is further broken down by traffic—and thanks to harsh seasonal conditions, cities may not repair this damage before it has an opportunity to wreak havoc on your vehicle.

Unfortunately, you may have to play defense against winter potholes to avoid costly repairs to your steering and suspension as well as broken wheel rims and blown-out tires.

Monitor your tire pressure and wear

You should regularly inspect your tires for wear, including testing tread depth. Keeping your tires properly inflated according to manufacturer-recommended levels will also mitigate pothole damage. Most vehicles have monitoring systems that alert you if the pressure is dropping or dips below a certain level, but you should check all four tires once a month during the winter (because pressure drops more rapidly in cold weather). Your vehicle's alignment and suspension should also be inspected by a professional.

Drive slower

You may not be able to avoid every pothole, but slowing down (within a safe speed) and keeping your eyes on the road ahead will give you time to respond quickly to any hazards you encounter. Otherwise, you may end up swerving unexpectedly, which can endanger other cars as well as cyclists and pedestrians. In general, driving more slowly lowers the risk of damage to your wheels and suspension. Drive with extreme caution through puddles—these may actually be potholes.

Drive straighter

Again, don't swerve to avoid a pothole. If you can center it underneath your car without leaving your lane, do so with caution. Otherwise, it's best to drive straight over the pothole, slowly, as the damage risk to your tire sidewall is greater if you swerve through it. Ease off the brakes—don't slam them—just before you reach the hole so your wheels can roll gently through. You can also alert other cars to the pothole by tapping your brakes.

Stop and inspect the impact

If you hit a pothole hard, don't ignore it. Find a safe place to park and look for damage to your tire and wheel (front and rear). Pay attention to any shaking, vibrating, or pulling as you drive, and keep an eye on tire pressure, as air loss may occur as a slow leak rather than a blowout. Uneven tire wear can also be a sign of additional damage. If in doubt, have your vehicle inspected by a professional mechanic.


from LifeHacker https://ift.tt/4fGY0yb

Cohesity Gaia helps businesses transform secondary data into knowledge

Cohesity announced Cohesity Gaia, an AI-powered enterprise search assistant that brings retrieval augmented generation (RAG) AI and large language models (LLMs) to high-quality backup data within Cohesity environments.

Cohesity Gaia will be made generally available on March 15. The conversational AI assistant enables users to ask questions and receive answers by accessing and analyzing their vast pools of enterprise data. When coupled with the Cohesity Data Cloud, these AI advancements transform data into knowledge and can help accelerate the goals of an organization while keeping data secure and compliant. Cohesity has announced plans with the three largest public cloud providers to bring their LLM services to Cohesity Gaia.

The underlying architecture of Cohesity Data Cloud manages and secures data with a unique blend of performance, extensibility, and scale. Cohesity Gaia extends the value proposition of Cohesity Data Cloud even further:

  • By building a RAG AI solution on Cohesity’s multicloud platform, Cohesity will be able to seamlessly provide RAG AI conversational search experiences across cloud and hybrid environments that will allow enterprises to gain deeper insights into their data and make informed decisions in the future, no matter where their stored data resides.
  • Cohesity maintains a fully indexed backup of all files, across all workloads, and at all points in time. This robust capability supports the creation of AI-ready indexes for rapid conversational search and responses, providing enterprises with quick and accurate results. Initially, Cohesity will support Microsoft 365 and OneDrive data and will expand to more workloads over time.
  • The unique architecture of Cohesity Gaia ensures that all indexed data is immediately available for reading without the need for backups to be reconstructed. This allows the Cohesity Data Cloud to function like a data lake, providing businesses with real-time access to their data for analysis and decision-making.
  • The Cohesity Data Cloud employs granular, role-based access controls and zero-trust security principles, ensuring that only authorized users and models have access to the necessary data. This not only protects sensitive information but also helps enterprises maintain compliance with various regulatory requirements.

Enterprises looking to utilize LLMs often face several challenges. Developers must first create more copies of data, thereby increasing the threat footprint for an attack. What’s more, the data may be incomplete or dated. Finally, this approach requires additional time and resources, and puts an added burden on the system’s performance.

Cohesity Gaia overcomes these challenges by integrating AI capabilities within a customer’s backup environment.

Cohesity Gaia helps organizations make better, faster decisions across a myriad of use cases, such as:

  • To assess an organization’s level of cyber resilience.
  • To quickly perform financial and compliance audit checks.
  • To answer complex legal questions.
  • To serve as a knowledge base to train new employees.

“Enterprises are excited to harness the power of generative AI but have faced several challenges gaining insights into secondary data, including backup, archived and vaulted data – because every approach requires re-hydrating the data, and painfully waiting weeks for the data to be available for analytics and insights. Cohesity Gaia dramatically simplifies this process with our patent-pending approach using Retrieval Augmented Generation,” said Sanjay Poonen, CEO and President, Cohesity.

“With Cohesity Gaia, for the first time in our industry, companies will be able to leverage generative AI to query their data in a virtually seamless way. Our approach delivers rapid, insightful results without the drawbacks of more manual and risky approaches. In short, it turns data into knowledge within seconds and minutes,” added Poonen.

“We are an international materials research and manufacturing company, with research centers in many locations, and our researchers speak different languages,” said Ryan Reed, head of IT Products and Services, JSR Corporation. “We want to be able to use generative AI to quickly discover if work done at one location might apply to other projects. Cohesity Gaia allows us to query our rich store of research data and quickly find relevant work. It will also allow our researchers to use their native language to query the system. This could prove incredibly valuable in accelerating the rate of our research and discovery.”

At the core of Cohesity AI technologies is Cohesity Turing, a patent-pending collection of AI capabilities and technologies integrated into Cohesity’s multicloud data management and security platform, that provide operational and data insights.

The foundation of these AI innovations is the concept of “responsible AI,” with capabilities and frameworks that enable customers to introduce AI to backup data securely and safely at scale. All Cohesity Turing solutions adhere to these responsible AI principles:

  • Transparency: Protect access to the data with role-based access controls. Promote transparency and accountability around access and policies.
  • Governance: Ensure the security and privacy of data used by AI models and the workforce—so the right data is exposed only to the right people (and models) with the right privileges.
  • Access: Integrate indexed and searchable data securely and easily while ensuring data is immutable and resilient.

“It is important to understand that Cohesity Gaia does not retrieve data like a search engine; it answers questions,” said Greg Statton, office of the CTO – Data & AI, Cohesity. “For example, if you notice a rise in costs in a region, typically, you would search for dozens of invoices, review and compare them, and see if you can discover the reason for the cost increases. It could take hours, days, or weeks to resolve. With Cohesity Gaia, you simply ask, ‘Why have costs increased in the region?’, and Cohesity Gaia will pull the relevant data from your stored data, analyze it, and return an answer to your question. It’s that simple.”

“Cohesity is the first data security and management vendor to bring the power of AI search to enterprises with the Cohesity Gaia AI search assistant. Gaia leverages generative AI with the latest RAG enhancements to enable conversational search across secondary protected data,” said Russ Fellows, VP, The Futurum Group Labs.

“Gaia enables companies to quickly leverage their existing stored data with the power of generative AI, while preserving data security and compliance. With Cohesity Gaia, customers can quickly turn data into insights, without the complexity of creating an AI application themself, or worrying about their data privacy and security,” added Fellows.


from Help Net Security https://ift.tt/579QWGF

European retailer Pepco loses €15.5 million in phishing (possibly BEC?) attack

Pepco Group has confirmed that its Hungarian business has been hit by a “sophisticated fraudulent phishing attack.”


The European company, which operates shops under the Pepco, Poundland and Dealz brands, said that the company lost approximately €15.5 million in cash as a consequence of the attack.

“It is unclear at this stage whether the funds can be recovered, although Pepco is pursuing various efforts through its banking partners and the police. At this stage, the incident does not appear to have involved any customer, supplier or colleague information or data,” they shared on Tuesday.

Pepco says it’s a phishing attack, but it might also be business email compromise

“Based on the company statement, it sounds like it has been the victim of a social engineering attack, which led to the accidental transfer of money to fraudsters,” Irene Coyle, chief operating officer at OSP Cyber Academy, told Help Net Security.

“If this is the case, this type of attack is called business email compromise and it involves a fraudster spoofing the email address of a legitimate employee within an organization and then sending out correspondence to other people in the business, mostly those who work in accounting or finance departments, and asking them to urgently pay an invoice or process a payment.”

The widespread availability of AI tools could make these attacks easier to execute and likelier to victimize potential targets, she noted, since it allows scammers to deliver emails without spelling errors that mirror the tone of previous email correspondence.

Advice for defenders

According to Abnormal Security, BEC attackers have been targeting European organizations at an increasing rate.

“Organizations must learn from the incident against Pepco and improve their defenses against BEC phishing attacks,” Coyle pointed out, because these attacks can be business-destroying.

“Organizations must train their staff regularly. Employees that work in accounting and finance must be aware of the techniques criminals use to dupe them and be on guard constantly for these types of threats,” she said.

“It is also important to adopt processes which standardize payment verifications. If an email comes in asking for an urgent transfer, double check its validity. It may delay the payment by a few minutes, but that is a very small price to pay in comparison with the financial losses a company could endure.”

Pepco Group said that it’s taking the necessary steps to investigate and respond to the incident and is conducting a group-wide review of all systems and processes to secure the business more robustly.

“The Group will provide a further update as and when appropriate,” they concluded.


from Help Net Security https://ift.tt/F80QalX

Tuesday, February 27, 2024

Windows 11 Has a Free Video Editor Again (and It's Pretty Good)

Once upon a time, Windows came with a rather capable video editor called Movie Maker, but it was discontinued back in 2017. After something of a delay, Clipchamp arrived to serve as the new default video editor in Microsoft's operating system, and it comes with a variety of useful features that can help you put together impressive-looking footage.

If you want to get started with Clipchamp for the first time, or dig deeper into what it offers, I've put together some tips for getting the most out of it. It's suitable for any kind of basic movie making—from collecting your family vacation highlights package, to creating your first short film—and it's not difficult to get a handle on.

Unfortunately, unlike Movie Maker, Clipchamp isn't completely free. A lot of the basic features can be used without paying, but you need to pay to export videos in 4K and without a watermark, and a premium subscription gets you loads more filters, effects, and stock content too. The premium package is $12 a month, or $99 a year.

Get started with templates

Templates are a great way to get started. Credit: Lifehacker

As friendly as Clipchamp is, jumping into a blank timeline can be a bit daunting—and a better way to get started could be to load up one of the templates (like TikTok or Birthday) that you can get to from the Templates tab on the front screen.

Once you've selected and loaded a template, you'll be taken to the editing screen, where the timeline is filled up with sample content. Any of these elements can be tweaked or replaced as needed—in the case of text boxes, for example, just double-click them on the timeline to enter your own text.

Up in the top-left corner you've got the Import media option for loading in images, videos, and audio, and you can see everything that's already been imported too. Hover over an item here to get the options to delete it or to add it to the timeline.

Managing the timeline

Right-click to get to more options. Credit: Lifehacker

Once you've got an element down on the timeline—you can drag and drop it from the media panel, or click the + (plus) button on it—you'll see handles at either end when you hover over it. Drag these in either direction to have the element show up in your video for a longer or shorter period of time.

You can't extend video and audio clips longer than their actual length, of course, but you can trim them at either end. Static elements like images and text boxes, meanwhile, can be visible for as long as you like.

To reposition something, simply drag it around. Right-click on an element, and you get options to Duplicate, Copy, Paste, or Delete it, and to Split it—handy if you want to get an audio or video clip separated into several chunks.

Adding fades, filters, and more

Filters change the look of your clips in an instant. Credit: Lifehacker

When you've got the basic building blocks of your project in place, you can start to get a bit more creative. Select an element in the timeline, and Fade in and Fade out options should appear on the right—these do exactly what you would expect, and can work on audio as well as video and static images.

Further to the right you've got options for Filters and Effects: This is where you can change up the colors and the style of what's in your timeline. Under Effects, for example, you've got options such as Blur, Slow zoom, and VHS (for making something look a bit old-school)—there are lots of options to play around with.

Underneath those icons you've also got Adjust colors (a more basic version of Filters), and Speed, where you can speed up or slow down video or audio. As you tweak the speed of an element, its length on the timeline will shrink or grow accordingly.

Dropping in text and transitions

You can create title cards for your movies. Credit: Lifehacker

Over on the left of the edit screen you've got your Transitions panel, which gives you a whole host of options for creating a smoother link between clips and other elements: You can pick from wipes, slides, spins, and plenty more. Just click and drag a transition to a border between two elements to apply it.

Just above Transitions is Text, which is where you can drop in your title cards and your text overlays. Again, you've got a lot of different sizes and styles to pick from: Click the + (plus) button to add a text element into the timeline, or drag it into place.

With a text element selected on the timeline, you can then switch to the Text tab on the right to change the font style, size, and color, as well as the actual text itself. The handles that show up inside the preview window let you change the size and the position of your text box too (just drag around using the mouse).

Exporting your work

Clipchamp gives you plenty of options for exporting videos. Credit: Lifehacker

That all gives you a quick introduction to the world of Clipchamp and what it's capable of, but there's more to explore: Like the Content library tab (on the left of the edit screen) that gives you a choice of stock elements, or the Create a video with AI option (on the front screen) that can quickly make a movie out of your choice of clips and images.

When you've got something that you think is good enough to share with the wider world, click Export in the top right corner of the edit screen, then choose your export resolution (4K won't be available unless you're a premium subscriber).

The next screen lets you choose where your exported video file goes: You can save it directly to various cloud service lockers (like OneDrive and Google Drive), or upload it straight to YouTube or TikTok. You also have the option to save it to a local folder, via Save to your computer.


from LifeHacker https://ift.tt/PkQoDMG

PKI Solutions introduces new version of PKI Spotlight

PKI Solutions introduced a new version of PKI Spotlight, a real-time monitoring and alerting system that provides live status, availability, configuration, and security of PKI environments (Microsoft PKI and others) and hardware security modules (HSMs).

The latest release of PKI Spotlight has increased its “Best Practices” alerting to more than 115. These best practice alerts are designed to aid organizations with operational resiliency, security posture management, threat detection, and refined PKI operational and configuration best practices.

Unfortunately for most organizations, their PKI was installed and then almost forgotten. In reality, a healthy PKI (like most security systems) needs constant review. PKI Spotlight maintains the security and integrity of PKIs with visibility into configurations that can impact identity and encryption systems in a manner that reduces an organization’s risk for business continuity and security threats.

“The distributed nature of PKI creates operational challenges that aren’t addressed by certificate lifecycle management or existing generic system monitoring products,” said Mark B. Cooper, President, PKI Solutions. “PKI Spotlight allows users to easily and effectively manage their PKI and HSM environments to keep them available, functional, and most importantly: Secure at all times. Real-time alerts spot problems in an instant so teams can resolve issues or threats before they become a problem.”

Cooper added, “PKI is the foundation for secure communication and authentication in the digital world. Managing digital certificates, keys, and trust relationships effectively is crucial to maintaining a robust PKI infrastructure. Without this important trust relationship, a hacker can masquerade as a legitimate company resource and only after-the-fact will a company know it’s been compromised. PKI Spotlight’s new best practice alerts further enhance the platform’s ability to identify and rectify potential security weaknesses proactively.”

The benefits of best practice alerts in PKI Spotlight’s latest release include:

Heightened security preparedness: Administrators gain enhanced ability to identify and rectify potential security weaknesses in real-time. These alerts cover areas including cryptographic algorithm compliance, trust chain validation, security configuration settings, and emerging threats. Addressing these alerts quickly helps organizations bolster their security preparedness and reduce the risk of threats.

Enhanced compliance and regulatory adherence: Compliance with industry regulations and standards is critical for PKIs to enable organizations to strengthen their compliance posture. These alerts offer insights into compliance violations and highlight areas that require immediate attention and improvement. This helps organizations adhere to industry and company standards, safeguard sensitive data and meet regulatory compliance.

Streamlined PKI management efficiency: Streamlined PKI management helps administrators prioritize their efforts based on the criticality of each alert for better resource allocation and efficient operations, which reduces administration tasks.

Continuous learning and knowledge enrichment: Continuous learning and knowledge enrichment among PKI administrators and security teams through regular alerts and implementing recommended practices fosters a culture of security awareness. Administrators gain valuable insights into emerging threats, industry best practices, and evolving compliance requirements. This empowers them to make informed decisions, proactively address vulnerabilities, and stay ahead of potential security risks.

Removing the unintended consequences risk: All too often, people who manage a PKI will perform a simple change which can have a cascading effect throughout the PKI. PKI Spotlight will send an alert that this change is in violation of a Best Practice and allow the company to make the correction quickly.


from Help Net Security https://ift.tt/XA8skZH

Akamai extends its segmentation solution to hybrid cloud environments

Akamai announced that it is extending its segmentation solution, Akamai Guardicore Segmentation, to hybrid cloud environments.


Extending Akamai Guardicore Segmentation to the cloud helps reduce attack surfaces and helps contain attacks targeting cloud-native workloads. Network security professionals can seamlessly manage segmentation across their public cloud environments with the benefits of faster time to policy deployment, single network governance across data centers, and reduced management complexity — all through a single interface.

Akamai Guardicore Segmentation will be initially available for Microsoft Azure deployments via Azure Marketplace, followed by Akamai Connected Cloud beginning later this year.

Thirty-three percent of IT decision-makers (ITDMs) intended to increase their use of distributed cloud services to improve security and reliability, according to a recent survey commissioned by Akamai and conducted by ClearPath Strategies. However, 48% of ITDMs claimed that security tools were missing or underdeveloped for a distributed cloud world, underscoring the need for better security tools to protect workloads in the cloud.

While organizations of all sizes are implementing public cloud strategies to innovate and realize new efficiencies, challenges remain. Leveraging Akamai Guardicore Segmentation in the cloud helps organizations address a lack of visibility into application behavior, the need for multiple policies across cloud providers, and governance issues between DevOps and SecOps teams.

“Public and multi-cloud environments are crucial to most organizations’ business operations, but they lack the native visibility and security controls required to effectively lock down a cloud. For clouds to be secure, security practitioners must be able to see which applications, workloads, and traffic flows are moving within the environment,” said Pavel Gurvich, SVP, GM, Enterprise Security at Akamai.

“Applying a microsegmentation policy in the cloud can give security practitioners comprehensive visibility and control across all cloud environments, from a single interface with one set of controls, without the need for agents. We can protect business-critical applications — whether they are on-premises, in the cloud, or on legacy servers — while reducing the number of security solutions that need to be managed,” added Gurvich.

Benefits of Akamai Guardicore Segmentation in the cloud include:

  • Comprehensive agentless cloud-native visibility and enforcement enables administrators to visualize cloud workloads using a near-real-time interactive map of true network flows, understanding the application dependencies and bringing together DevOps and SecOps teams in cloud network security governance.
  • Hybrid enforcement engine leveraging multiple enforcement points allows an organization to simply define the intent of network policy and have the Akamai Guardicore Segmentation policy engine take care of the rest, dynamically deciding which agent-based and agentless enforcement points are used across the data center.
  • Integrated reputation analysis and threat intelligence firewall capabilities are designed to reduce time to detection and incident response time in the event of a breach.
  • Scalable and secure solution ensures data does not leave your cloud environment and solution architecture scales automatically within it.

from Help Net Security https://ift.tt/szbcBMI

VIAVI enhances Observer Sentry’s exposure and vulnerability analysis

VIAVI Solutions announced the addition of traffic analysis capabilities to its Observer Sentry Software-as-a-Service-based threat exposure management solution.

With traffic visibility, Observer Sentry goes beyond identifying unintended and potentially dangerous exposures, and enables SecOps, DevOps and cloud architects to determine if a vulnerability has been exploited.

Observer Sentry audits security groups, access control lists, firewall rules and other sources of configuration to identify resources and relationships across all AWS accounts. This analysis locates the misconfigurations and overly permissive settings that create unwanted exposures. Integration with vulnerability scanners allows Observer Sentry to automatically prioritize the remediation of critical vulnerabilities.

Traffic integration enhances Observer Sentry’s exposure and vulnerability analysis by comparing what the configuration will allow with visibility into actual events. In addition, integration with the VIAVI Observer Apex performance monitoring solution enables forensic-level traffic analysis if an exposed resource is compromised or a vulnerability is exploited.

“As cloud service adoption accelerates and attack surfaces grow, enterprises need to move beyond siloed vulnerability management to secure their cloud environments. This is especially critical with customers maintaining multiple AWS accounts,” said Chris Labac, VP and GM, Network Performance and Threat Solutions, VIAVI.

“The powerful combination of Observer Sentry with VIAVI’s industry-leading flow analysis takes threat exposure management to the next level by providing critical traffic visibility, enabling enterprises to identify, prioritize and remediate threats effectively,” added Labac.

Observer Sentry is part of the VIAVI Network Performance and Threat Solutions (NPTS) portfolio. Enterprises worldwide leverage the Observer platform and its patented End-User Experience Scoring to continuously monitor and analyze end-to-end network and service architectures to ensure security and peak performance.


from Help Net Security https://ift.tt/31GXTs0

Monday, February 26, 2024

How to Choose the Right Soil for Your Garden

Before I became a gardener, the differences among all the soil mixes eluded me. When I needed to fill up a planter, pot, or patch of dirt, I just chose the most economical bag of whatever from the big box store. You know the aisle—stacks of colorful bags with minimal information on them to help you understand the difference. You could come to understand this information through trial and error, as I did, or you can avoid my mistakes by reading on. 

What is soil, anyway?

What we call soil is really just dirt: It's a combination of organic matter like broken-down leaves, twigs, branches and whatever else has rotted in the space, as well as organisms within the soil itself. Usually the soil contains clay and/or sand as well as rock particles. The best soil for plants will contain nutrients, enough space for plants to easily spread out their roots, and moisture—but not too much moisture. Those nutrients need to be in relationship to each other, or the plants have trouble receiving them. If your soil is too compacted from clay, roots have trouble growing, and the plant can become stunted. If there's too much sand, the soil will not hold onto enough moisture or nutrients. The conditions in a pot or planter are quite different from a raised bed or just rows in the ground.

Topsoil (the stuff in your yard) probably isn’t great

When I started gardening, I dreamed of simply digging into the dirt in my yard and planting. I had romantic notions of putting a spade into the garden and discovering loamy soil with happy worms. It’s more likely that your yard has poor soil, as a result of both the nature of the local dirt—perhaps it’s too sandy or clay-filled—and not being fed nutrients over the years. Regardless, that dirt from your yard is considered topsoil, and generally speaking, topsoil is not great soil. It has lots of matter not broken down yet, like leaves and twigs, so it can become waterlogged. Unless the soil was under years of leaves that were allowed to mulch in place, it likely doesn’t have a lot of organic matter to give it nutrients or good soil consistency. Topsoil serves mostly as mass—a simple way to fill up spaces when building. In most circumstances, you’ll need to augment it with nutrients and other matter.

Find mixes for your garden beds at local rock yards

If you’re building an entirely new garden, you could consider a garden bed mix, which you could buy at your big box store. It's not the most economical choice, however. Bags are sold by the cubic foot, and you’ll need to think in cubic yards. Most local rock yards have a three-way or four-way mix, which means it includes topsoil, compost, sand, and other organic materials. You can order it to be delivered, which means you’re just moving it—by wheelbarrow, most likely—from the pile where it’s delivered to your beds.

In most cities, you can purchase expensive garden bed mixes that are organic and considered higher quality. My personal opinion is that they’re never worth it. I’ve never yielded better results from high-end mixes. The soil you get into your garden is never the end result—you’ll be amending your soil every single year, many times a year. This delivery is simply the base to begin with. 

Compost is not soil

As you garden, you will hear continuously how important nutrients are to your soil, and references to compost as a way to achieve some of those nutrients. You might find yourself asking, since it looks like soil, why not just build an entire bed out of compost? The answer lies in understanding what compost is. When organic matter breaks down, whether that’s leaves, wood, plants, kitchen scraps, animals and their waste, or compostable trash, it becomes a nutrient-rich substance that looks a lot like soil. While it is rich in nutrients, it is poor in structure—it's so loamy and full of humus that it needs sand and clay as well. So usually, soil is top-dressed with compost once or twice a year. You just add compost to the top of your beds, and the nutrients will work their way into the soil through watering and rain. Since you lose volume in your beds season to season anyway—due to erosion, compaction and the soil on plants you pull out—this compost helps replace that volume.

In many cities, you can get compost cheaply or even for free. The city composts the leaves and green-bin waste it collects and makes the resulting compost available to residents. You should ask the city if they have such a program. This is the compost I use, exclusively.

Planters need planting mix

There are different potting mixes for different kinds of plants, from orchids to cacti. For the most part, they address different moisture levels, and usually add a pop of slow-release fertilizer. Most planters have holes in them, or are made of under-fired terracotta, which will leach moisture. To counteract this, potting mixes include vermiculite, perlite, coco coir or peat moss and other organic materials meant to hold onto moisture. (By the way, you should endeavor to avoid peat moss, a diminishing natural resource, in favor of coco coir.) You may notice colored granules in the mix as well—this is likely the slow-release fertilizer, which will, over time, feed the plant. Since it doesn’t last forever, potting mix needs to be refreshed yearly by mixing it up again to break up the compaction and adding fertilizer, like Osmocote.

Seed-starting mix is kind of like a baby blanket

When you start seeds, you want specific conditions. The soil should be super fluffy and airy, to allow roots to flourish. The soil also needs to be fine, so it will fill the cells of a seed-starting tray. Tender little seeds and seedlings can get burned by fertilizer, so seed-starting mix usually lacks any added nutrients. While you might experience success using potting mix instead, seed-starting mix really sets you up for optimal success, and is always bought by the bag. 

Choose the right soil to start

There is no single variable as important in gardening as healthy soil: soil that has good drainage and the right nutrients, and that can hold onto the right amount of moisture. Ideally it is free of weeds and of the kinds of pests that take your plants out, like slugs and snails. Believe it or not, much of this is under your control.


from LifeHacker https://ift.tt/JxmO8H3

Bitdefender Cryptomining Protection detects malicious cryptojacking attempts

Bitdefender announced Cryptomining Protection, a cryptomining management feature that allows users to both protect against malicious cryptojacking and manage their own legitimate cryptomining initiatives on their Windows PCs.

According to a 2023 report, cryptojacking attacks have increased nearly 400% year over year, putting pressure on end users to defend against hard-to-detect outside mining attempts taking place on their devices.

In this context, Cryptomining Protection helps ensure Bitdefender users remain aware of and protected against unauthorized system breaches that reduce device performance, increase electricity costs, shorten device lifespan, and pose security risks to their overall systems.

Cryptomining, however, also serves as a legal and intentional activity where individuals or companies use their computing resources to mine cryptocurrencies for profit. For users who want to run legitimate cryptomining activities, but prevent unauthorized access from abusing their resources, Cryptomining Protection acts as a unique management tool, enabling them to monitor and decide what should be kept running and what should be prevented.

“Cryptojacking is not benign, it has the potential to seriously impact device integrity and performance, contributes to cybercriminal profiteering, and significantly increases cybersecurity risk for users,” said Ciprian Istrate, SVP of operations, Consumer Solutions Group at Bitdefender. “Our new Cryptomining Protection feature detects and stops malicious cryptojacking attempts while simultaneously empowering users to manage legit activities that are part of their digital lifestyles.”

The Cryptomining Protection feature is disabled by default. Once enabled, for users who want to prevent all cryptomining activities (including cryptojacking), it automatically blocks each detected activity and notifies the user. For users opting to run legit cryptomining activities, Bitdefender will first send a warning allowing the user to choose if the activity should be blocked or maintained.

Bitdefender Cryptomining Protection is now available for Bitdefender Total Security, Premium Security, and Ultimate Security protection plans at no additional cost for new and existing customers.


from Help Net Security https://ift.tt/XnMmHwR

Sunday, February 25, 2024

CVE count set to rise by 25% in 2024

The report from Coalition indicates an anticipated 25% rise in the total count of published common vulnerabilities and exposures (CVEs) for 2024, reaching 34,888 vulnerabilities, equivalent to approximately 2,900 per month.

Sharp CVE increase heightens software vulnerability concerns

Vulnerabilities are one of the top three vectors ransomware actors use to compromise victims, making it essential to understand their impact. Vulnerabilities are primarily tracked as CVEs, although some may have an incorrect or nonexistent CVE identifier.

The sharp spike in CVEs has led to an increased focus on identifying vulnerable software from both threat actors seeking a means of ingress and defenders trying to protect against exploitation.

The number of vulnerabilities continues to grow exponentially, with thousands announced each month. Unfortunately, businesses tend to optimize for growth, not cyber risk management, and many security and IT teams are stretched thin.

“New vulnerabilities are published at a rapid rate and growing. With an influx of new vulnerabilities, often sprouting via disparate flagging systems, the cyber risk ecosystem is hard to track. Most organizations are experiencing alert fatigue and confusion about what to patch first to limit their overall exposure and risk,” commented Coalition’s Head of Research, Tiago Henriques.

“In today’s cybersecurity climate, organizations can’t be expected to manage all of the vulnerabilities on their own; they need someone to manage these security concerns and help them prioritize remediation,” Henriques continued.

Zero-day vulnerabilities have received significant attention over the last year, but the Citrix Bleed vulnerability reminds us that many threat actors still build exploits for vulnerabilities where the vendor has already issued a patch.

Published CVEs lack timely scoring, leaving defenders vulnerable to exploits

Defenders need a timely, objective method for scoring vulnerabilities. In many cases, exploits are already available to threat actors before a CVE is published, which means threat actors often have a head start on defenders.

For a significant minority of CVEs, exploits became publicly available before the CVE was published. An even higher fraction had exploits privately available before publication.

The delay in CVE scoring often means that defenders face two uphill battles regarding vulnerability management. First, they need a prioritization method to determine which of the thousands of CVEs published each month they should patch first. Second, they must patch these CVEs before a threat actor leverages them to target their organization.

Honeypot data

Unique IP addresses scanning for remote desktop protocol (RDP) increased by 59%. This is particularly concerning because Coalition data also reveals that businesses with RDP exposed to the internet are the most likely to experience a ransomware event.

Scans found that around 10,000 businesses are running the end-of-life (EOL) database Microsoft SQL Server 2000, and over 100,000 businesses are running EOL Microsoft SQL servers.

While honeypots provide a wealth of information on threat actor behavior, they also create a great deal of noise. One of the core problems with identifying the needle in the haystack of honeypot data is the volume of benign traffic, which makes determining malicious traffic challenging. Honeypot (sensor) activity spiked by 1,000% 16 days before Progress Software issued its MOVEit security advisory.

“MDR can reduce attack response time by 50% or more – a massive impact to help protect businesses from cyber threats,” said John Roberts, GM, Security, at Coalition.

“We’re at the point where just setting and forgetting a technology solution is not enough anymore, and experts need to be involved in vulnerability and risk management. With MDR, after technology detects suspicious activity, human experts can intervene in numerous ways, including isolating impacted machines or revoking privileges,” Roberts concluded.


from Help Net Security https://ift.tt/5WUcjPO

Cybersecurity crisis in schools

Primary school systems handle sensitive data concerning minors, while higher education institutions must safeguard intellectual property data, making them prime targets for cyberattacks, according to Trustwave.

These attacks not only threaten the safety and security of teachers and administrators but also put the privacy of students, staff, and other associated entities at risk.

With millions of students now learning through technology in hybrid, remote, or in-class settings, device security is no longer optional. It’s crucial to ensure a safe and secure learning environment for everyone. Strong cybersecurity measures protect student data and enable teachers to do their jobs effectively without fear of disruptions or data breaches.

Educational sector vulnerable to cyberattacks due to multiple factors

There are several factors that make the education industry especially vulnerable to cyberattacks, including:

  • BYOD dilemma: The “Bring Your Own Device” culture poses security challenges by adding unmanaged devices to the network, straining IT resources.
  • Complex infrastructure: Diverse devices, decentralized IT management, and inconsistent security practices create a sprawling attack surface with vulnerabilities.
  • Data trove: Huge volumes of sensitive student data (PII, research, IP) attract attackers seeking data breaches and identity theft, amplified by online collaboration and open internet access.
  • Exposed systems & services: Publicly accessible network devices like servers, building management systems, access systems, and cameras lack proper security, increasing risk.
  • Resource scarcity: Limited budgets hinder investments in cybersecurity software and staff, leaving critical systems under-protected.
  • Legacy risks: Outdated IT systems remain vulnerable to exploitation due to lack of updates and security patches.

Trustwave SpiderLabs’ latest research delves into the attack flow employed by threat groups, shedding light on their tactics, techniques, and procedures. The education sector faces significant cybersecurity risks, ranging from job offer scams targeting students to the critical exposure of networked devices due to vulnerabilities in public-facing applications.

Students are being preyed upon with fake job offers that promise lucrative opportunities, high compensation, and flexible working hours. Sometimes, students receive a fraudulent cheque with instructions to deposit it and forward a portion of the funds elsewhere.

“The education sector faces an incredible challenge in navigating a diverse and fluid attack surface with increasing financial pressures, leaving little room for error as digital leaders aim to sustain resilience to threats,” said Trustwave CISO Kory Daniels.

“Student, staff, alumni, and professor data each provide different lures and motivators for threat actors to maliciously target the institution, or the individuals affiliated. Our latest threat briefing serves as a vital resource for cyber defenders, equipping them with actionable insights in navigating the latest threats and defenses of their students, staff, and data,” Daniels continued.

Emerging and prominent trends

Trustwave SpiderLabs found significant exposure of critical systems and devices such as public file servers, printers, collaboration systems, and systems storing sensitive data. Shodan analysis and scans revealed over 1.8 million devices related to the education industry being publicly exposed.

The education sector, like many others, relies heavily on third-party vendors such as software-as-a-service, hosting, storage, and IT service providers for various functions, including learning management systems, email, and communication and collaboration tools.

These third parties pose a grave risk to the education sector because of undiscovered or un-remediated gaps in their cybersecurity controls or data breach protection. Breaches not only impact the directly targeted institution, but can also have a ripple effect across numerous educational entities relying on the same third-party services.

Ransomware attacks striking the education industry are prominent and growing. For example, in 2023, Trustwave researchers monitored 352 ransomware claims against educational institutions. The threat group LockBit accounted for 30% of ransomware incidents targeting the education sector.

Apache Log4j (CVE-2021-44228) continues to be the most common exploit attempt against educational institutions, accounting for 74% of attempts.


from Help Net Security https://ift.tt/3Mhoz7b