eWeek

Latest headline news from eWeek with momentary update to provide the online news, world news, sports news, family news, health news, video news, national news, food news and politics news from eWeek.



Google Pay Unifies Separate Online Payment Service Brands

Google has unified its mobile and web payment services under a single brand as part of a broader effort to enable a more consistent payment experience across its products. Effective this week, Google's new Google Pay app for Android has replaced the company's previously separate Android Pay and Google Wallet apps. Users can use credit and debit cards saved to their Google account with the new Google Pay app. Google is currently working on enabling support for Google Pay across all Google products, said Gerardo Capiel, product management director for consumer payments, and Varouj Chitilian, engineering director for consumer payments at Google. The goal is to ensure that people shopping on Chrome or via Google Assistant-driven services will have the same checkout experience as Android users. Google is also working with retailers, developers and online partners to embed Google Pay on sites, within mobile apps and at physical locations around the world, the two Google managers said in a blog Feb. 20. Google's effort to unite its payment services under the Pay brand is designed to enable a quicker, safer and more consistent checkout experience for users. The company has said that having a consolidated payment app will also make it easier for users to access rewards and promotional offers and pay for purchases and services. Google Pay mitigates the need for users to fill in online payment forms each time they want to pay for an online purchase. Instead, Google Pay enabl...





RedLock Security Researchers Reveal Tesla Public Cloud Account Breach

An unsecured Kubernetes container management console allowed cyber-attackers to breach a Tesla cloud account that contained sensitive data, including telemetry data from the company’s electric cars, according to a report by security company RedLock. Details about the Tesla cloud account breach were included in the RedLock report as an example of the cyber-security threats facing enterprises that store sensitive data and run important business applications on cloud services. RedLock’s Cloud Security Intelligence team found that the Tesla breach resulted from the exposure of Amazon Web Services security credentials after hackers penetrated Tesla’s Kubernetes console, which was not password protected. This led to the exposure of the company’s Amazon S3 cloud account, which contained sensitive data including the Tesla vehicle telemetry. The breach also provided access to Tesla’s AWS compute services, which the hackers used to mine crypto-currency. According to the RedLock report, the hackers went to great lengths to hide their activity by not using a public mining pool, by using Cloudflare as a way to hide their traffic and by using non-standard ports. The attackers also apparently throttled their CPU usage to avoid detection. “The recent rise of crypto-currencies is making it far more lucrative for cyber-criminals to steal organizations' compute power rather than their data,” said RedLock CTO Gaurav Kumar in an email. “In particular, organizations' pub...





Virtual Instruments Updates Storage-Performance Monitoring Tool

Infrastructure performance management software maker Virtual Instruments on Feb. 20 launched an enhanced and rebranded version of its Load DynamiX Enterprise storage-performance validation solution, calling it WorkloadWisdom. The company said that the new package is more tightly integrated with VirtualWisdom, its frontline app-centric infrastructure performance monitoring and analytics platform. The new WorkloadWisdom provides administrators with a scalable, high-performance platform for storage workload modeling, testing, validation and performance analysis from production to the lab. The company claims it delivers improved results reporting over the previous version, particularly for larger-scale test environments. The toolset completes the production-to-the-lab solution for automated workload analysis and temporal modeling for all Tier 1 storage technologies by adding coverage for SMB (Server Message Block protocol) and complementing existing capabilities for NFS (Network File System), Fibre Channel and iSCSI connectivity. The WorkloadWisdom 6.0 release features new capabilities in three key areas: high-speed fabrics support, scale-out/cloud NAS (network-attached storage) testing, and VirtualWisdom integration. These are enabled by the toolset’s storage vendor-agnostic architecture, which is designed to analyze and perform “what-if” analysis across production workloads, validate storage systems with true production workloads, and forecast future pe...





Samsung Now Mass-Producing 32TB Solid-State Disks

As the U.S. stock market has been breaking records in the past couple of years, so has the storage media industry, at least in terms of capacity. Samsung said Feb. 20 that it has begun mass-producing its new 32-terabyte (rounded off from 30.72TB) Serial Attached SCSI (SAS) solid-state storage drive, the world’s largest capacity to this point. The previous SSD record for data capacity was held by Samsung’s 15.36TB lineup introduced in March 2016. The new drive utilizes 64-layer, 3-bit 512-gigabit (Gb) processors. The 30.72TB SSD, dubbed the PM1643, will use Samsung's latest V-NAND technology, the company said. V-NAND is a type of non-volatile flash memory that retains data even in the absence of an electrical current. These large new drives will be used to satisfy the growing storage needs of a long list of market segments, including the government, financial services, health care, education, oil and gas exploration, pharmaceuticals, social media, business services, retail and communications sectors. This breakthrough was made possible by combining 32 of the new 1TB NAND flash packages, each comprised of 16 stacked layers of 512Gb V-NAND chips. These super-dense 1TB packages can store about 5,700 5GB full high-definition movies within a mere 2.5-inch storage device, Samsung said. In addition to the doubled capacity, Samsung claimed that data-speed performance levels have risen and are nearly twice that of its previous-generation high-capacity SSD. Based on a ...





Five Security Truisms That Have Stood the Test of Time

We’ve all seen it: The data security industry has been on a wild ride during the last three decades, from the initial “glory attacks” of the 1990s and early 2000s, to the rise of financially motivated and hacktivist attacks, to current profoundly dangerous nation-state campaigns against governments, businesses and public infrastructure. As these threats have evolved, so have enterprise security requirements. We’ve also seen many new technologies, ranging from antivirus and firewalls, to data loss prevention and log management, to next-gen SIEM (security information and event management) and threat intelligence, emerge over the years, each promising to solve our cyber-security woes. eWeek, led by security journalists Sean Michael Kerner, Robert Lemos, Ryan Naraine, Wayne Rash, yours truly and a number of others over the years, has chronicled the rise and fall of various security approaches. These include the basic client-server schemes, along with network-centric, server-centric, workload-centric, cloud-centric, file-centric and even block-centric security. Here is a go-to listing of 100 articles in this publication for your reference dealing with security trends. However, through all of the changes, there is some fundamental security advice that has stood the test of time. Security software and services provider Optiv Security, through infrastructure security expert Brian Wrozek, offers eWeek readers five security adages that are as relevant today as the...





Chef Debuts InSpec 2.0 to Improve Security Compliance Automation

DevOps vendor Chef announced on Feb. 20 the latest edition of its open-source InSpec compliance tool in an effort to accelerate and enable a DevSecOps approach to IT security. The emerging discipline of DevSecOps (developer security operations) involves using programmatic constructs and automation to improve and scale IT security. With InSpec 2.0, organizations can define policy profiles for IT infrastructure that is both on-premises and in the cloud. "The major feature in InSpec 2.0 is the ability now to check for cloud compliance," Julian Dunn, director of product marketing at Chef, told eWeek. "In other words, this evolves InSpec from its roots as a language for checking compliance of machines and allows it to check APIs." InSpec is an open-source tool that has its roots in technology that Chef gained through the acquisition of VulcanoSec in November 2015. When Chef acquired the InSpec technology from VulcanoSec, it had just achieved relative parity with Serverspec, upon which InSpec was based, according to Dunn. He added that InSpec at the time of the Chef acquisition was not yet a stand-alone open-source project. "Since we spun out InSpec as a separate tool, we've been adding many more out-of-the-box resources to allow for elegant expression of compliance checks," Dunn said. "For example, rather than using shell scripts to grep through various configuration file formats, we have language right within InSpec to do parsing of common formats like Apache ...





Nine Reasons Humans Are Key to the Success of Automation

How IT professionals can survive, and thrive in, an automated world: For network engineers who’ve seen the recent IBM Watson commercial where the mystical cube detects and remediates thousands of security threats automatically, it would be easy to think that the robot overlords are set to take their jobs. Well, that’s only partly true. The workloads of networking and IT staff typically include lists of manual tasks and CLI (command-line interface) inputs that draw time and effort away from bigger problems, so naturally the more a machine can handle that, the better. But humans won’t flee for new jobs as quickly as some automation advocates believe. The future of automation mandates that network engineers adapt and acquire new skills to thrive. In this eWeek slide show, using industry information from Michael Bushong, vice president of enterprise marketing at Juniper Networks, we offer nine ways humans can adapt to an automated future. Specialists always will be needed: Companies that adopt an automation agenda will find that they can move from device-led to architecture-led, and eventually to operations-led systems. But there must be specialists such as network engineers who still understand the protocols and can troubleshoot as needs arise. Basically, someone still must know how the switches and routers function. Automation will create its own category of new jobs: According to McKinsey research, artificial intelligence (AI) and automation ...





Qualcomm Reveals 5G Products, Services and Partnerships

Today’s topics include Qualcomm’s preview of its 5G wireless technology and strategy; Juniper Networks’ latest switches and software for multi-cloud environments; Google’s new high-performance virtual machine options for cloud customers; and the latest Hack the Air Force campaign, which has awarded more than $100,000 for bug discoveries. Qualcomm Technologies has previewed its 5G technology and strategy as service providers prepare to upgrade their networks to support this advanced wireless protocol. The company offered insights into early-stage use cases for 5G chips, chipsets and modems, revealed an international group of 18 telecom partners who are updating their systems in anticipation of the new hardware and previewed a new set of 5G wireless services. Use cases for 5G will include enhanced mobile broadband to smartphones, always-connected PCs, head-mounted displays for virtual reality, augmented reality and extended reality hardware; and mobile broadband, all of which require constant and consistent cloud connectivity. However, these products won't reach the market until 2019 at the earliest, Qualcomm executives said. Juniper Networks this week is expanding its multi-cloud strategy with an array of hardware, software and services offerings to give businesses improved throughput, automation and security. The broad range of network offerings comes with the understanding that enterprises are rapidly embracing not only hybrid cloud environments, but also multi-cl...





ExpressRoute Comes Under Microsoft Network Performance Monitor's Gaze

After teaming with computer networking giant Cisco last month to help joint customers get to the bottom of their Azure ExpressRoute networking issues, Microsoft is now using its cloud-based Network Performance Monitor tool to provide more visibility into the connections that power their hybrid cloud environments. Azure ExpressRoute provides businesses with a direct, private link to Microsoft's cloud, a tactic that bypasses the public internet, improving security and boosting reliability, two major considerations for running enterprise workloads in the cloud. Network Performance Monitor (NPM), part of the Microsoft Operations Management Suite of IT management tools for on-premises and cloud infrastructures, is a tool that enables users to oversee their network links to the Azure cloud. Now, with the general availability release of a new ExpressRoute extension for Network Performance Monitor, customers can use the same tool to keep an eye on their private links to Azure. "NPM can monitor the packet loss and network latency between your on-premises resources (branch offices, datacenters, and office sites) and Azure VNets [virtual networks] connected through an ExpressRoute. You can set up alerts to get proactively notified whenever the loss or latency crosses the threshold," explained Abhave Sharma, a program manager in the Azure infrastructure and management group at Microsoft, in a blog post. Insights are delivered in near real time, although the tool's netwo...





Apple Patches Indian Telugu Character Crash Bug in iOS, macOS

Over the past week, Apple device users have been hoping to avoid receiving a message with a specific Indian symbol that crashes devices simply by having a user view the symbol. Apple users can now breathe a sigh of relief as the so-called "text bomb" has been patched. On Feb. 19, Apple patched the text bug across its various operating systems with the iOS 11.2.6, watchOS 4.2.3, tvOS 11.2.6 and macOS High Sierra 10.13.3 supplemental updates. "Processing a maliciously crafted string may lead to heap corruption," Apple warned in its advisory. The flaw is formally identified as CVE-2018-4124 and was an issue in the Apple Core Text framework. Core Text is the Apple software component that handles font and text layout with a low-level programming interface. According to Apple, CVE-2018-4124 was a memory corruption issue that has now been patched with improved input validation. The character that was able to crash Apple devices is in the Telugu language, which is native to India. The issue was publicly reported on Feb. 12 and was actively being used in the days after it was first reported as a "text bomb," shutting down devices that attempted to render the text. Users did not have to click on a link to trigger a restart. Users simply had to view a page with the Telugu character on it. The text bomb was embedded by some individuals in Twitter messages, and it was also being placed in popular iOS game chats and forums, triggering device reboots. One security resea...





Consumers Prefer Smartphones to Conduct Business With Wireless Services

J.D. Power finds consumers relying on smartphones for mobile purchases: In a study of the U.S. wireless purchase experience, researcher J.D. Power discovered that during the last six months of 2017, the typical customer purchasing experience varied considerably among users who bought mobile devices through wireless services providers compared to similar purchases made on tablets or personal computers. “The wireless market is rapidly evolving into a self-contained ecosystem in which all aspects of the ownership experience, from buying the device to engaging with customer support, is done entirely on a mobile device,” Peter Cunningham, technology, media, and telecommunications practice lead at J.D. Power, stated in releasing the study results. This slide show will cover the details of the J.D. Power findings, which are derived from survey responses from more than 13,000 people who purchased something from a wireless carrier at the end of 2017. Wireless customers more satisfied buying things on smartphones: According to the data collected by J.D. Power, consumers are generally more satisfied with wireless purchases when they make them on smartphones instead of desktops or tablets. Overall customer satisfaction on smartphone purchases had a rating of 857 out of a possible 1,000 in the study, topping the 823 points awarded to web-based purchases on a desktop or tablet. Customers report purchases are faster on smartphones too: Wirel...






Google Acquires Xively Platform to Extend Cloud IoT Core Service

Google has announced plans to acquire LogMeIn’s Xively business unit for $50 million in a move that should help bolster Google's capabilities in the IoT device management space. Xively's IoT management, messaging and dashboard technologies will become part of Google's Cloud IoT Core, a managed service for connecting and managing distributed internet-connected devices. Antony Passemard, a member of Google's IoT team, said the acquisition would allow Google's cloud business to gain "deep IoT technology and engineering expertise." "Our customers will benefit from Xively's extensive feature set and flexible management platform, paired with the security and scale of Google Cloud," Passemard said in a blog announcing the planned acquisition Feb. 15. Xively says its IoT platform is designed to help organizations connect almost anything they use to the internet, from small factory floor smoke detectors and sensors to large shipping containers. The goal is to give organizations a way to collect and use information such as status, usage and error conditions from these connected systems to improve quality, modify existing products, troubleshoot them and for various other applications, Xively has noted. Xively's connectivity technologies include a device-messaging tool, an embedded IoT client agent and mobile SDKs for Android and iOS. Besides connecting devices to the internet, Xively also offers technology designed to help enterprises aggregate and ma...





13 Russians Indicted in Alleged 2016 Election Disinformation Campaign

A group of 13 Russians and three related organizations have been indicted for carrying out a series of cyber-crimes conducted over nearly three years that attempted to disrupt the 2016 U.S. presidential election. The 37-page federal indictment that was unsealed on Feb. 16 alleges that Russia’s Internet Research Agency, as well as two companies closely related to Russian President Vladimir Putin, conducted illegal activities on the social media sites Facebook, Twitter and Instagram in addition to conducting illegal financial activities via PayPal. The indictments, announced by Deputy U.S. Attorney General Rod Rosenstein, reveal a wide range of illegal activities including identity theft, which was used to provide information to open PayPal and bank accounts. The indictment also alleges that Russian operatives conducted their activities using email and social media when they conspired to violate U.S. election laws, that they tried to cover their crimes by erasing or otherwise manipulating email and social media information and that they constructed fake personalities to use in pretending to be U.S.-based political activists. The Russian operatives used those stolen and fake identities to procure computer hardware and services in the U.S. so that it would appear that their operations were U.S.-based, the indictment alleges. Some of the activities included creating fictional groups that were opposed to each other, and then arranging rallies for the same time and pl...





Qualcomm Snapdragon X24 LTE Wireless Modem Set for 2018 Release

The new LTE chipset, expected to be available in some smartphones and other mobile devices by the end of 2018, will be demonstrated at Mobile World Congress in Barcelona, Spain, later in February. The latest chipset offers twice the speed of Qualcomm's first-generation gigabit LTE modem, while supporting up to seven times the carrier aggregation in the downlink. With its faster performance, smartphone and other device makers will be able to offer consumers faster mobile experiences including immersive 360-degree video, connected cloud computing, rich entertainment and instant apps, according to Qualcomm. Arm this week introduced Project Trillium, a platform that includes a processor specifically made to run machine learning and neural network workloads, another processor for object detection, and software to leverage such neural network frameworks as Google’s TensorFlow, Caffe and Android. The platform will enable mobile device users to run more than 4.6 trillion operations per second. With its low-power architecture and dominant presence in mobile devices, Arm is looking to become a key player at the network edge and in the internet of things. With Project Trillium, the goal is to give these devices the compute power and energy efficiency to run machine learning operations, even if they’re not connected to the cloud. Initially, the technologies in the platform will be optimized for mobile devices and smart IP cameras, but they will be able to scale up and dow...






Microsoft Visual Studio Code Added to Anaconda Python Distribution

Anaconda, a distribution of the Python programming language, now includes Visual Studio Code, Microsoft and Anaconda, Inc. announced. "Visual Studio Code can easily be installed at the same time as Anaconda, providing a great editing and debugging experience for Python users, with special features tailor-made for Anaconda users. This is another example of Microsoft's continued investment in the Python community, following our release of an official Python extension for VS Code [Visual Studio Code], strong support for Python in Azure Machine Learning Studio and SQL Server, and Azure Notebooks," stated John Lam, principal program manager at Microsoft, in a Feb. 15 announcement. Visual Studio Code is Microsoft's free, lightweight and cross-platform code editor for macOS, Linux and Windows. Anaconda, originally Continuum Analytics, is an Austin, Texas, software firm that distributes the popular open-source Python data science and analytics platform. The company also backs the NumPy scientific computing package for Python and SciPy, a Python-based software library for mathematics, engineering and science. The new integration is made possible, in large part, by Microsoft's Python extension for Visual Studio Code, Lam noted. The recent January 2018 release (version 2018.1.0) introduced a feature that allows users to create a Python terminal that automatically initiates a selected conda or virtual environment, along with improved default linter rules and new linting co...





Security researchers find that poorly protected Docker containers are inviting targets for attackers seeking to install crypto-currency mining malware.

The characteristics of cloud containers that make them attractive to data center managers also make them attractive to crypto-miners. The ease of setup, the isolation and the performance advantages, coupled with the fact that containers may not enjoy the same level of security as hardware infrastructure, mean that an attacker can operate crypto-currency mining in relative safety and with a reduced risk of discovery. Researchers at Aqua Security Software said that they’d heard about crypto-currency mining attacks on Docker containers and wanted to learn how they were carried out. They also wanted to check the operations of the Aqua container security platform. To accomplish this, they set up a honeypot. Honeypots are computers set up to attract cyber-attackers. They appear to be legitimate assets, but they usually don’t contain real data, and they’re thoroughly instrumented and logged so that the attacker can be observed and so that weaknesses can be discovered and fixed. Honeypots are not new. Computers as honeypots have been around for decades. I first set one up to find out who was attempting to infiltrate a military computer system for which I was responsible in the mid-1980s, and I wasn’t the first. In this case, the researchers at Aqua decided to create an unprotected Docker installation and waited to see what would happen. As the researchers explained in their blog, “We deployed a virtual machine, installed Docker on it and exposed it to the internet.” ...





U.S. Formally Blames Russian Government for NotPetya Ransomware Attack

When organizations in Ukraine first began reporting in June 2017 that they had been impacted by a ransomware attack known as NotPetya, there was early speculation that Russia was involved. Now, seven months after the devastating NotPetya attack, which spread far beyond Ukraine to impact organizations around the world, governments including the U.S., U.K., Canada and Australia are formally accusing Russia of being behind the attack. "In June 2017, the Russian military launched the most destructive and costly cyber-attack in history," the White House wrote in a Feb. 15 statement. "The attack, dubbed NotPetya, quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas." Russian officials have repeatedly denied any involvement in the NotPetya incident. While the attack first impacted Ukraine, within a day it was already spreading to other countries. The U.S. government alleged that Russia used the NotPetya attack to help destabilize Ukraine. "It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict," the White House stated. "This was also a reckless and indiscriminate cyber-attack that will be met with international consequences." The White House statement came hours after a similar accusation from the United Kingdom's Foreign Office minister. "The UK government judges that the Russian government, specifically ...





FedEx Customer Data Left Publicly Exposed in Amazon S3 Cloud Storage

FedEx is the latest company to have inadvertently left personally identifiable information publicly exposed on a cloud storage server. On Feb. 15, security firm Kromtech publicly reported that it discovered an unsecured cloud storage repository that contained 119,000 scanned documents from both U.S. and international citizens. The data came from Bongo International, which was acquired in 2014 by FedEx Corp. "Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years," Bob Diachenko, head of communications at Kromtech Security Center, stated. "Seems like bucket has been available for public access for many years in a row." The scanned data that was discovered by Kromtech was collected by Bongo as part of an application process for individuals to get delivery of mail through an agent. The scanned information included driver's licenses, passports and other forms of security identification. Diachenko stated that it's unknown whether FedEx was aware of the scanned data when it bought Bongo International back in 2014. What is clear, though, is that FedEx is now aware of the data and has taken steps to secure it. "After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure," FedEx stated. "The data was part of a service that ...