×
IT

HPE Announces World's Largest ARM-based Supercomputer (zdnet.com) 46

The race to exascale speed is getting a little more interesting with the introduction of HPE's Astra -- what will be the world's largest ARM-based supercomputer. From a report: HPE is building Astra for Sandia National Laboratories and the US Department of Energy's National Nuclear Security Administration (NNSA). The NNSA will use the supercomputer to run advanced modeling and simulation workloads for things like national security, energy, science and health care.

HPE is involved in building other ARM-based supercomputing installations, but when Astra is delivered later this year, "it will hands down be the world's largest ARM-based supercomputer ever built," Mike Vildibill, VP of Advanced Technologies Group at HPE, told ZDNet. The HPC system is comprised of 5,184 ARM-based processors -- the Thunder X2 processor, built by Cavium. Each processor has 28 cores and runs at 2 GHz. Astra will deliver over 2.3 theoretical peak petaflops of performance, which should put it well within the top 100 supercomputers ever built -- a milestone for an ARM-based machine, Vildibill said.

Security

The 'World's Worst' Smart Padlock Is Even Worse Than Previously Thought (sophos.com) 117

Last week, cybersecurity company PenTest Partners managed to unlock TappLock's smart padlock within two seconds. They "found that the actual code and digital authentication methods for the lock were basically nonexistent," reports The Verge. "All someone would need to unlock the lock is its Bluetooth Low Energy MAC address, which the lock itself broadcasts." The company also managed to snap the lock with a pair of 12-inch bolt cutters.

Today, Naked Security reports that it gets much worse: "Tapplock's cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly." From the report: Stykas found that once you'd logged into one Tapplock account, you were effectively authenticated to access anyone else's Tapplock account, as long as you knew their account ID. You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base -- but you didn't really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets. As a result, Stykas could not only add himself as an authorized user to anyone else's lock, but also read out personal information from that person's account, including the last location (if known) where the Tapplock was opened.

Incredibly, Tapplock's back-end system would not only let him open other people's locks using the official app, but also tell him where to find the locks he could now open! Of course, this gave him an unlocking speed advantage over Pen Test Partners -- by using the official app Stykas needed just 0.8 seconds to open a lock, instead of the sluggish two seconds needed by the lock-cracking app.

Security

75% of Malware Uploaded on 'No-Distribute' Scanners Is Unknown To Researchers (bleepingcomputer.com) 14

Catalin Cimpanu, writing for BleepingComputer: Three-quarters of malware samples uploaded to "no-distribute scanners" are never shared on "multiscanners" like VirusTotal, and hence, they remain unknown, US-based security firm Recorded Future reports, to security firms and researchers for longer periods of time. Although some antivirus products will eventually detect this malware at runtime or at one point or another later in time, this leaves a gap in terms of operational insight for security firms hunting down up-and-coming malware campaigns.
Desktops (Apple)

macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives (bleepingcomputer.com) 135

Apple's macOS surreptitiously creates and caches thumbnails for images and other file types stored on password-protected / encrypted containers (hard drives, partitions), according to macOS security experts Wojciech Regula and Patrick Wardle. From a report: The problem is that these cached thumbnails are stored on non-encrypted hard drives, in a known location and can be easily retrieved by malware or forensics tools, revealing some of the content stored on encrypted containers. On macOS, these thumbnails are created by Finder and QuickLook. Finder is the default macOS file explorer app, similar to Windows Explorer. Whenever a user navigates to a new folder, Finder automatically loads icons for the files located in those folders. For images, these icons are gradually replaced by thumbnails that show a preview of the image at a small scale.
Australia

Australia Discontinues Its National Biometric ID Project (gizmodo.com.au) 41

The Australian Criminal Intelligence Commission's (ACIC) biometrics project, which adds facial recognition to a national crime database, is being discontinued following reports of delays and budget blowouts. From a report: This announcement comes after the project was suspended earlier this month and NEC Australia staff were escorted out of the building by security on Monday June 4. [...] ACIC contracted the NEC for the $52 million Biometric Identification Services project with the view of replacing the fingerprint identification system that is currently in place. The aim of the project, which was supposed to run until 2021, was to include palm print, foot prints and facial recognition to aid in police investigations. The Australian government stated that it wanted to provide Australians with a single digital identity by 2025.
Security

US Government Finds New Malware From North Korea (engadget.com) 92

Days after the historic North Korea-United States summit, the Department of Homeland Security issued a report on Thursday warning of a new variant of North Korean malware to look out for. Called Typeframe, the malware is able to download and install additional malware, proxies and trojans; modify firewalls; and connect to servers for additional instructions. Engadget reports: Since last May, the DHS has issued a slew of alerts and reports about North Korea's malicious cyber activity. The department also pointed out that North Korea has been hacking countries around the world since 2009. And of course, don't forget that the U.S. also labeled that country as the source of Wannacry cyberattack, which notably held data from the UK's National Health Service hostage, and wreaked havoc across Russia and Ukraine. CNN was first to report the news.
Programming

Eric Raymond Shares 'Code Archaeology' Tips, Urges Bug-Hunts in Ancient Code (itprotoday.com) 107

Open source guru Eric Raymond warned about the possibility of security bugs in critical code which can now date back more than two decades -- in a talk titled "Rescuing Ancient Code" at last week's SouthEast Linux Fest in North Carolina. In a new interview with ITPro Today, Raymond offered this advice on the increasingly important art of "code archaeology". "Apply code validators as much as you can," he said. "Static analysis, dynamic analysis, if you're working in Python use Pylons, because every bug you find with those tools is a bug that you're not going to have to bleed through your own eyeballs to find... It's a good thing when you have a legacy code base to occasionally unleash somebody on it with a decent sense of architecture and say, 'Here's some money and some time; refactor it until it's clean.' Looks like a waste of money until you run into major systemic problems later because the code base got too crufty. You want to head that off...."

"Documentation is important," he added, "applying all the validators you can is important, paying attention to architecture, paying attention to what's clean is important, because dirty code attracts defects. Code that's difficult to read, difficult to understand, that's where the bugs are going to come out of apparent nowhere and mug you."

For a final word of advice, Raymond suggested that it might be time to consider moving away from some legacy programming languages as well. "I've been a C programmer for 35 years and have written C++, though I don't like it very much," he said. "One of the things I think is happening right now is the dominance of that pair of languages is coming to an end. It's time to start looking beyond those languages for systems programming. The reason is we've reached a project scale, we've reached a typical volume of code, at which the defect rates from the kind of manual memory management that you have to do in those languages are simply unacceptable anymore... think it's time for working programmers and project managers to start thinking about, how about if we not do this in C and not incur those crazy downstream error rates."

Raymond says he prefers Go for his alternative to C, complaining that Rust has a high entry barrier, partly because "the Rust people have not gotten their act together about a standard library."
Security

Inside the Private Event Where Microsoft, Google, Salesforce and Other Rivals Share Security Secrets (geekwire.com) 48

News outlet GeekWire takes us inside Building 99 at Microsoft, where security professionals of the software giant, along with those of Amazon, Google, Netflix, Salesforce, Facebook (and others), companies that fiercely compete with one another, gathered earlier this week to share their learnings for the greater good. From the story: As the afternoon session ended, the organizer from Microsoft, security data wrangler Ram Shankar Siva Kumar, complimented panelist Erik Bloch, the Salesforce security products and program management director, for "really channeling the Ohana spirit," referencing the Hawaiian word for "family," which Salesforce uses to describe its internal culture of looking out for one another. It was almost enough to make a person forget the bitter rivalry between Microsoft and Salesforce. Siva Kumar then gave attendees advice on finding the location of the closing reception. "You can Bing it, Google it, whatever it is," he said, as the audience laughed at the rare concession to Microsoft's longtime competitor.

It was no ordinary gathering at Microsoft, but then again, it's no ordinary time in tech. The Security Data Science Colloquium brought the competitors together to focus on one of the biggest challenges and opportunities in the industry. Machine learning, one of the key ingredients of artificial intelligence, is giving the companies new superpowers to identify and guard against malicious attacks on their increasingly cloud-oriented products and services. The problem is that hackers are using many of the same techniques to take those attacks to a new level. "The challenge is that security is a very asymmetric game," said Dawn Song, a UC Berkeley computer science and engineering professor who attended the event. "Defenders have to defend across the board, and attackers only need to find one hole. So in general, it's easier for attackers to leverage these new techniques." That helps to explain why the competitors are teaming up.
In a statement, Erik Bloch, Director Security PM at Salesforce, said, "This is what the infosec and security industry needs more of. Our customers are shared, and so is our responsibility to protect them.
China

Chinese Cyber-Espionage Group Hacked Government Data Center (bleepingcomputer.com) 36

Catalin Cimpanu, writing for BleepingComputer: A Chinese-linked cyber-espionage unit has hacked a data center belonging to a Central Asian country and has embedded malicious code on government sites. The hack of the data center happened sometime in mid-November 2017, according to a report published by Kaspersky Lab earlier this week. Experts assigned the codename of LuckyMouse to the group behind this hack, but they later realized the attackers were an older Chinese threat actor known under various names in the reports of other cyber-security firms, such as Emissary Panda, APT27, Threat Group 3390, Bronze Union, ZipToken, and Iron Tiger.
Security

17 Backdoored Images Downloaded 5 Million Times Removed From Docker Hub (bleepingcomputer.com) 36

An anonymous reader writes: "The Docker team has pulled 17 Docker container images that have been backdoored and used to install reverse shells and cryptocurrency miners on users' servers for the past year," reports Bleeping Computer. "The malicious Docker container images have been uploaded on Docker Hub, the official repository of ready-made Docker images that sysadmins can pull and use on their servers, work, or personal computers." The images, downloaded over 5 million times, helped crooks mine Monero worth over $90,000 at today's exchange rate. Docker Hub is now just the latest package repository to feature backdoored libraries, after npm and PyPl. Docker Hub is now facing criticism for taking months to intervene after user reports, and then going on stage at a developer conference and claiming they care about security.
Apple

Apple Maps Was Down For All Users Earlier Today (engadget.com) 74

An anonymous reader shares a report: Apple Maps is down and has been for a few hours today, 9to5Mac reports. Users are noting on Twitter and Apple Support that the service isn't working on phones, Apple Watch or CarPlay and searches for certain places or points of interest result in a "No Results Found" response. Apple has noted on its system status site that all users are experiencing issues with both Maps search and navigation. Update: It is functional again.
Security

How the World Cup Plays Out Among Hackers (axios.com) 28

The World Cup began today in Russia, and hackers were watching the games. From a report: In prior years, Cybersecurity firm Akamai has seen declines in cyberattacks while the World Cup games are in play -- "at least until games are out of reach," said Patrick Sullivan, Akamai director of security technology. Once games are well in hand, attacks from the losing team's nation spike well above normal. Often, said Sullivan, that takes the form of attacks designed to take down news stories in the victor's country that tout a home-team win. Sullivan notes activists frequently use various forms of cyber attacks during major sporting events to protest the host nation -- often targeting sponsors to get their point across. He points to protestors upset with the amount of money spent in the recent Brazillian World Cup as an example.
Businesses

Most Organizations Are Not Fully Embracing DevOps (betanews.com) 298

An anonymous reader shares a report: Although many businesses have begun moving to DevOps-style processes, eight out of 10 respondents to a new survey say they still have separate teams for managing infrastructure/operations and development. The study by managed cloud specialist 2nd Watch of more than 1,000 IT professionals indicates that a majority of companies have yet to fully commit to the DevOps process. 78 percent of respondents say that separate teams are still managing infrastructure/operations and application development. Some organizations surveyed are using infrastructure-as-code tools, automation or even CI/CD pipelines, but those techniques alone do not define DevOps.
EU

Kaspersky Halts Europol Partnership After Controversial EU Parliament Vote (bleepingcomputer.com) 104

An anonymous reader writes: Kaspersky Lab announced it was temporarily halting its cooperation with Europol following the voting of a controversial motion in the European Parliament. The Russian antivirus vendor will also stop working on the NoMoreRansom project that provided free ransomware decrypters for ransomware victims.

The company's decision comes after the EU Parliament voted a controversial motion that specifically mentions Kaspersky as a "confirmed as malicious" software and urges EU states to ban it as part of a joint EU cyber defense strategy. The EU did not present any evidence for its assessment that Kaspersky is malicious, but even answered user questions claiming it has no evidence. The motion is just a EU policy and has no legislative power, put it is still an official document. Kaspersky software has been previously banned from Government systems in the US, UK, Netherlands, and Lithuania.

Privacy

Comey, Who Investigated Hillary Clinton For Using Personal Email For Official Business, Used His Personal Email For Official Business (buzzfeed.com) 446

An anonymous reader shares a report: Former FBI Director James Comey, who led the investigation into Hillary Clinton's use of personal email while secretary of state, also used his personal email to conduct official business, according to a report from the Justice Department on Thursday. The report also found that while Comey was "insubordinate" in his handling of the email investigation, political bias did not play a role in the FBI's decision to clear Clinton of any criminal wrongdoing.

The report from the office of the inspector general "identified numerous instances in which Comey used a personal email account (a Gmail account) to conduct FBI business." In three of the five examples, investigators said Comey sent drafts he had written from his FBI email to his personal account. In one instance, he sent a "proposed post-election message for all FBI employees that was entitled 'Midyear thoughts,'" the report states. In another instance, Comey again "sent multiple drafts of a proposed year-end message to FBI employees" from his FBI account to his personal email account.

Slashdot Top Deals