Archive for RB

Why Your Brain Craves Coffee

For a long time, the man has held us down. They used their science and medicine to tell us that ingesting coffee, or more accurately the caffeine in coffee, was bad.

Times they are a-changing; we no longer have to justify drinking coffee to anybody. Recent research carried out by many free-thinking independent medical professionals from universities and health care institutes has shown that caffeine actually has many benefits for our bodies and minds.

The caffeine present in our daily coffee can help us to live longer, have more mental ability and focus, fight depression and even help us to lose weight. What’s not to love about the nation’s favorite drink?

Fed up with justifying your coffee freedom to the man? This infographic from Dripped Coffee gives us 13 reasons why our brains crave coffee.

Dripped Coffee - 13 Reasons Why Your Brain Craves Coffee


Ralph Bach has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.


Don’t Know Much Security

With apologies to Otis Redding, Americans don’t know much about security. They don’t know much about privacy, or the spam they took. A new Pew Research Center survey, “What the Public Knows About Cybersecurity,” quizzed 1,055 adults about their understanding of concepts important to online safety and privacy. The results of the Pew survey are unsettling.

The Pew Research survey asked 13 questions about cybersecurity. The median score was five correct answers. Just 20% answered eight questions correctly. A relatively large percentage of respondents answered “not sure” to questions rather than giving a wrong answer.

Most Americans don’t know how to protect themselves. Only 10% were able to identify one example of multi-factor authentication when presented with four images of online log-in screens.

Most Americans still unknowingly allow themselves to be tracked across the web. 61% of those surveyed were not aware that Internet Service Providers can still see the websites their customers visit even when they’re using “private browsing” on their search engines.

A slight majority (52%) of people recognized that just turning off the GPS function on a smartphone does not prevent all tracking of the phone’s location. Mobile phones can also be tracked via cell towers or Wi-Fi networks.

Only 54% of respondents correctly identified a phishing attack. For cybercriminals, phishing remains a favorite trick for infecting computers with malware. Phishing schemes usually involve an email that directs users to click on a link to an infected website.

Computer security software does a good job of blocking most phishing schemes, Stephen Cobb, security researcher for anti-virus software firm ESET, told Phys.org, including many advanced spear phishing attacks that target people with personalized information.

Retired Rear Adm. Ken Slaght, head of the San Diego Cyber Center of Excellence, a trade group for the region’s cybersecurity industry, told KnowBe4:

It is probably our No. 1 concern and No. 1 vulnerability … These attackers keep upping their game. It has gone well beyond the jumbled, everything misspelled email.

Two-thirds of Americans tested could not identify what the ‘s’ in ‘https’ meant. The article explains that the ‘s’ stands for secure, with website authentication and encryption of digital traffic. It is used mostly for online payments. Security researchers often suggest computer users check the website address – known as the URL – as a first step before they click on a link. ESET’s Cobb said, “You wonder if people know what a URL is … Do they know how to read a URL? So there is plenty of work to be done.”
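The two things the Pew question and Cobb’s remark turn on, the scheme (the ‘s’) and the real host, can be read mechanically. The script below is an added example for this post, not code from Pew, ESET or Bach Seat; the sample links are constructed and the “site” field is a rough two-label heuristic, not a public-suffix lookup.

```python
"""Read a URL the way the Pew 'https' question expects: scheme first, then the real host.

Constructed example for this page; not code from Bach Seat, Pew or ESET.
"""
from urllib.parse import urlsplit


def inspect_url(url: str) -> dict:
    """Break a URL into scheme/host/path and list reasons a reader should hesitate.

    Only the scheme and host are judged here; whether that host is the one the
    user expects still needs a human (or a policy list) to decide.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    findings = []

    # The 's' in https: the connection is encrypted and the server is authenticated.
    # Plain http gives neither, so anything typed into the page travels in the clear.
    if parts.scheme != "https":
        findings.append(f"scheme is '{parts.scheme or 'none'}', not https")

    # Text before '@' is user info, not the site. Browsers connect to what follows it,
    # so 'https://bank.example@evil.example/' really goes to evil.example.
    if parts.username is not None:
        findings.append(f"'@' in authority: the real host is {host!r}")

    # The host is everything before the first '/', not a word in the path.
    # The two trailing labels stand in for the registrable domain (heuristic only;
    # it does not handle public suffixes such as co.uk).
    labels = host.split(".") if host else []
    site = ".".join(labels[-2:]) if len(labels) >= 2 else host
    if not host:
        findings.append("no host at all")

    return {
        "scheme": parts.scheme,
        "host": host,
        "site": site,
        "path": parts.path,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing quiz might show.
    for link in (
        "https://www.bank.example/login",
        "http://www.bank.example/login",
        "https://www.bank.example.login-check.example/account",
        "https://www.bank.example@evil.example/login",
    ):
        info = inspect_url(link)
        print(link, "->", info["site"], info["findings"] or ["no findings"])
```

The third sample is the case the survey’s URL question is really about: the familiar name appears in the address, but the host the browser connects to is `login-check.example`.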

In the most puzzling finding to me, 75% of participants identified the most secure password from a list of four options. And yet followers of Bach Seat know that year after year passwords suck. Could it be that Americans just don’t care about online security?

Fortunately, some Americans also recognize that public Wi-Fi hotspots aren’t necessarily safe for online banking or e-commerce. The mixed security results highlight that staying secure online is not a priority for Americans at work or at home.

The Wall Street Journal also covered the Pew findings and quoted Forrester: “The percentage of security and risk professionals citing “security awareness” as a top priority rose to 61% last year, from 56% in 2010.”

In the enterprise, Heidi Shey, a senior analyst at Forrester, told CIO Journal that security awareness training isn’t always effective, since it’s often conducted once a year as a compliance issue and involves lists of dos and don’ts.

The human element is important in safeguarding a firm against cyberattack, since it’s both a first line of defense as well as a weak link. Successful awareness efforts are focused on enabling behavioral change, and typically customized and specific to an organization, its workforce, and relevant risks.

rb-

The data from Pew says that enterprise and home users need to be more security aware. Technology can’t solve stupid, so users have to be the last line of defense.


Whats Up With Cisco?

What is up with Cisco? Their fiscal results for the recently closed 2017 Q3 showed revenue of $11.9 billion, a 1% decline compared to the same quarter last year. This is the 6th consecutive down quarter. The networking goliath also issued downward guidance for 2017 Q4, estimating a revenue decline of 4-6% year-over-year.

On the earnings call, Cisco CEO Chuck Robbins blamed several factors for the lower guidance. He cited:

  • “a pretty significant stall right now” in the U.S. federal public sector
  • service provider revenues down in Mexico
  • United Kingdom business dampened by currency issues
  • “pressure… relative to oil prices” in the Middle East

Then there are the layoffs. Cisco buried the announcement in a footnote of the company’s SEC 8-K report that 1,100 more layoffs are coming, on top of the 5,500 announced in August 2016:

In May 2017, we extended the restructuring plan to include an additional 1,100 employees with $150 million of estimated additional pretax charges.

According to SDXCentral, the Cisco CEO stressed several times on the earnings call, that the company is transitioning to more software and subscription-based business. He declared,

I am pleased with the progress we are making on the multi-year transformation of our business.

These weak fiscal results and the move to a subscription-based business have led to speculation about what the Cisco business will look like in the future. TechTarget speculates that Cisco may go so far as to separate the Network Operating System (NOS) from the hardware. They contend that such a move would be a dramatic departure from Cisco’s traditional business model of bundling high-margin hardware with its NOS. The author believes that market trends will likely force the vendor to release an open NOS.

TechTarget cites reports from The Information that a hardware-independent NOS called Lindt is coming. Reportedly Lindt will run on a white box powered by merchant silicon. According to the article, a number of market trends are driving the move to a hardware-independent NOS.

The first market trend forcing Cisco to release a hardware-independent NOS is the company’s declining dominance of the Ethernet switch market. Since 2011, the company’s share has dropped from about 75% to less than 60% last year, according to the financial research site Trefis. The decline is important to Cisco’s bottom line because switches accounted for 40% of Cisco’s product sales in 2016, 30% of net revenues and 20% of the company’s $162 billion valuation, Trefis reported.

Cisco’s weakening performance in switching is tied to the second market trend forcing Cisco to release a hardware-independent NOS. Its customers are turning to public cloud providers, such as Amazon (AMZN) Web Services, Microsoft (MSFT) Azure and IBM (IBM) SoftLayer, for their IT infrastructure. The more enterprises subscribe to infrastructure as a service, the less networking gear they need in their data centers.

The shift to cloud providers is found in the latest numbers from Synergy Research Group. Revenue from public cloud infrastructure services is growing at almost 50% a year. In the fourth quarter of last year, revenues topped $7 billion.

The third market trend forcing Cisco to release a hardware-independent NOS is that the enterprises that were Cisco’s largest customers are joining cloud providers in building open networking hardware and software to replace inflexible proprietary systems that lock them to a vendor. Those companies include large financial institutions, like Bank of America, Goldman Sachs and Fidelity Investments, and communication service providers, such as AT&T (T), Deutsche Telekom and Verizon (VZ).

The technology shift is driving an enormous amount of spending on IT infrastructure. Worldwide spending on public and private cloud environments will increase 15% this year from 2016 to $42 billion, according to IDC. Meanwhile, spending in Cisco’s core market of traditional infrastructure for noncloud data centers will fall by 5%.

While Cisco is ignoring the trend away from proprietary hardware, the article says Cisco’s rivals are embracing it. Juniper Networks (JNPR) and Arista Networks (ANET) have released versions of their NOS for the white boxes favored by cloud providers and large enterprises. Both companies reported year-over-year revenue growth in switching last year. Even Cisco’s patent lawsuit against upstart Arista was set back by the courts.

Rohit Mehra, an analyst at IDC hypothesized that Cisco’s resistance to change is likely due to fear that giving customers other hardware options would accelerate declining sales in switching. “There would be potentially some risk of cannibalization in the enterprise space,” he added.

Cisco insists its customers are not interested in buying networking software that’s separate from the underlying switch. The Cisco spokesperson told TechTarget:


The vast majority of our customers see tremendous value in the power and efficiency of Cisco’s integrated network platforms, and the tight integration of hardware and software will continue to be the basis of the networking solutions we offer our customers.

TechTarget adds that Cisco doesn’t say the article is wrong. Instead, the company falls back on a corporate cliché for refusing to discuss a media report. “We don’t comment on rumor or speculation,” a Cisco spokesperson said.

The networking market is evolving away from the hardware that Cisco depends on for much of its valuation. Cisco will resist changing its market approach for as long as possible. But in the end, the company will have to become a part of the trend with an open NOS capable of running on whatever hardware the customer chooses.

Rather than change its model for selling networking gear, Cisco has spent billions of dollars on acquisitions over the last few years to create software and subscription-based businesses in security and analytics. But Cisco’s software push has yet to pay off, with 5 consecutive down quarters.

Finally, Cisco just recently patched a flaw in IOS software that affected more than 300 models of its switches. Despite issuing an advisory on March 17, Cisco did not release the patch for this vulnerability until May 8, 2017. The Cisco vulnerability was part of the Vault 7 WikiLeaks dump of alleged CIA hacking tools.

The vulnerability, rated a critical 9.8 out of 10 by the Common Vulnerability Scoring System, is in the Cluster Management Protocol, or CMP. It could allow a remote, unauthenticated attacker to reload devices or execute code with elevated privileges. The vulnerability can be exploited during Telnet session negotiation over either IPv4 or IPv6.
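Because the flaw is reached during Telnet negotiation, the exposure question for an operator is simply which vty lines still accept Telnet rather than SSH only. The script below is an added example for this post, not Cisco tooling or code from the article: it walks a running-config excerpt (constructed here) and reports every `line vty` block whose `transport input` names `telnet` or `all`, or sets nothing at all, so that the platform default has to be checked.

```python
"""Flag vty line blocks in an IOS running-config that still accept Telnet.

Added example for this page (constructed config, not Cisco's tooling). Assumes the
standard 'line vty' / 'transport input' syntax; 'transport input ssh' is the
SSH-only setting an operator would want on every vty range.
"""
import re

# Constructed running-config excerpt: three vty ranges, only one of them SSH-only.
SAMPLE_CONFIG = """\
hostname core-sw-1
!
line con 0
 logging synchronous
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
line vty 16 31
 login local
!
end
"""


def telnet_exposed_vty_lines(config_text: str) -> list:
    """Return (line_name, reason) for vty blocks that permit Telnet or leave it unspecified."""
    findings = []
    current = None      # name of the vty block being read, e.g. "line vty 0 4"
    transport = None    # value of 'transport input' inside that block, if any

    def close_block():
        # Judge the block just finished (uses the enclosing current/transport).
        if current is None:
            return
        if transport is None:
            findings.append((current, "no 'transport input' set; platform default may allow Telnet, verify"))
        else:
            words = transport.split()
            if "all" in words or "telnet" in words:
                findings.append((current, f"Telnet permitted by 'transport input {transport}'"))

    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("line vty"):
            close_block()
            current, transport = line.strip(), None
        elif line.startswith("line ") or line.startswith("!") or line == "end":
            close_block()                      # a non-vty section ends the block
            current, transport = None, None
        elif current is not None:
            m = re.match(r"\s+transport input (.+)$", line)
            if m:
                transport = m.group(1).strip()
    close_block()
    return findings


if __name__ == "__main__":
    for name, reason in telnet_exposed_vty_lines(SAMPLE_CONFIG):
        print(f"{name}: {reason}")
```

Reading `show running-config` output from a file and feeding it to `telnet_exposed_vty_lines` gives the same report for a real device; the fix it points at is the one-line `transport input ssh` under each flagged range.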


Scary SS7 Flaw Strikes Banks

Lost in last month’s hubbub over WannaCry ransomware was the revelation that hackers had successfully exploited the SS7 “flaw” in January 2017. In May, reports surfaced that hackers were able to remotely pilfer German bank accounts by taking advantage of vulnerabilities in Signaling System 7 (SS7). SS7 is the standard that defines how the public phone system talks to itself to complete a phone call.

The high-tech heist was initially reported by the German newspaper Süddeutsche Zeitung (auf Deutsch). The attack was a sophisticated operation that combined targeted phishing emails and SS7 exploits to bypass two-factor authentication (2FA) protection. This is the first publicly known exploit of SS7 to intercept two-factor authentication codes sent by a bank to confirm actions taken by online banking customers.

According to ars technica the attack began with traditional bank-fraud trojans. These trojans infect account holders’ computers and steal the passwords used to log in to bank accounts. From there, attackers could view account balances, but were prevented from making transfers without the one-time password the bank sent as a text message. After stealing the necessary login details via phishing emails, the perpetrators leveraged the SS7 flaw to intercept the associated mTAN (mobile transaction authentication numbers) authentication codes sent to the victims — messages notifying them of account activity — to validate the transactions and remain hidden, investigators say.

German telecommunications giant O2-Telefonica confirmed details of the SS7-based cyber attacks to the newspaper. Ars says that in the past, attackers have obtained mTANs by obtaining a duplicate SIM card that allows them to take control of the bank customer’s phone number. SS7-facilitated compromises, by contrast, can be done remotely against a much larger number of phone numbers.

O2 Telefonica confirmed to Help Net Security that the attackers were able to gain access to the network of a foreign mobile network operator in January 2017. The attackers likely purchased access to the foreign telecommunications provider – this can apparently be done for less than 1,000 euros – and have set up call and SMS forwarding.

Two-factor authentication (2FA) is a security process in which the user provides two authentication factors to verify they are who they say they are. 2FA provides an extra layer of security and makes it harder for attackers to gain access to a person’s devices and online accounts, because knowing the victim’s password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data, and online services are increasingly introducing 2FA to prevent their users’ data from being accessed by hackers who have stolen a password database or used phishing campaigns to get users’ passwords.

News of the incident prompted widespread concern online. Security advocates railed against the popular and continuous use of text messages to authenticate account information while growing evidence suggests that SS7 is an unsafe channel to deliver such data. Security experts told ars that the same SS7-centric hacking techniques used against German banks will become increasingly prevalent in the future, forcing organizations to reconsider how they authenticate user activity.

Cris Thomas, a strategist at Tenable Network Security warns in the article:

While this is not the end of 2FA, it may be the end of 2FA over SS7, which comprises a majority of 2FA systems … Vulnerabilities in SS7 and other cellular protocols aren’t new. They have been presented at security conferences for years … there are other more secure protocols available now that systems can switch to…
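The “more secure protocols” Thomas alludes to, and the second factor described above that a stolen password alone cannot satisfy, are already standardized: a time-based one-time password (RFC 6238 TOTP, built on RFC 4226 HOTP) is computed on the user’s device from a shared secret and the clock, so no code ever travels over SMS or SS7. The implementation below is an added example for this post, not code from Tenable, the banks or Bach Seat; it assumes the RFC defaults (HMAC-SHA1, 30-second steps) and uses the RFC’s published test secret.

```python
"""Second factor that never crosses SS7: RFC 4226 HOTP / RFC 6238 TOTP.

Added example for this page (not code from the article or any vendor). Assumes the
RFC defaults: HMAC-SHA1, 30-second time step, big-endian 8-byte counter.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift."""
    if unix_time is None:
        unix_time = time.time()
    base = int(unix_time) // step
    ok = False
    for drift in range(-window, window + 1):
        # Constant-time compare, and every window is checked so timing does not
        # reveal which one matched.
        if hmac.compare_digest(hotp(secret, base + drift, digits), candidate):
            ok = True
    return ok


if __name__ == "__main__":
    # Test secret published in RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
    # A real enrolment would generate a random secret and show it once as a QR code.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret)
    print("code for this 30 s window:", code)
    print("server accepts it:", verify_totp(secret, code, now))
    print("RFC 6238 vector, T=59, 8 digits:", totp(secret, 59, digits=8))   # 94287082
```

The shared secret is exchanged once at enrolment; afterwards the bank and the phone each compute the same code from the clock, which is the property an interceptor on the signaling network cannot obtain by forwarding anything. The drift window is the usual trade-off between tolerating clock skew and widening the set of codes accepted at one moment.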

Security researchers began issuing warnings about dangerous flaws in SS7 in late 2014. I wrote about the SS7 flaw in September of 2016 and in March 2017. Maybe this will be the wake-up call for the carriers. One industry insider quipped:

This latest attack serves as a warning to the mobile community about what is at stake if these loopholes aren’t closed … The industry at large needs to go beyond simple measures such as two-factor authentication, to protect mobile users and their data, and invest in more sophisticated mobile security.

In 2014, security researchers first demonstrated that SS7 could be exploited to track and eavesdrop on cell phones. This new attack is essentially a man-in-the-middle attack on cell phone communications. It exploits the lack of authentication in the communication protocols that run on top of SS7.

Developed in 1975, SS7 is used today by over 800 telecommunications companies around the world, including AT&T (T) and Verizon (VZ), to make sure their networks interoperate. The technology has not kept up with modern times. In May 2017, Wired published an article that explains some of the ways to secure SS7. Overcoming SS7 insecurity requires implementing a series of firewalls and filters that can stop the attacks. Researchers Wired spoke to suggest that adding encryption to SS7 would shield network traffic from prying eyes and bolster authentication. Both of these changes are unpopular with the carriers, because they cost money and can impact the network core, so don’t expect any network changes to address the SS7 flaw anytime soon.

The Register reports that the FCC’s Communications Security, Reliability and Interoperability Council found that the proposed replacement for SS7 on 5G networks, dubbed the Diameter protocol, has security holes too.

In March 2017, Oregon Sen. Ron Wyden and California Rep. Ted Lieu sent a letter to Homeland Security’s John Kelly requesting that DHS investigate and provide information about the impact of SS7 vulnerabilities to U.S. companies and governmental agencies. Kelly has not responded to the letter, according to the Wired article.

Of course the TLAs would never use this “flaw” in SS7 to spy on us.

The Guardian says that given that the SS7 vulnerabilities reside on systems outside of your control, there is very little you can do to protect yourself beyond not using the services.

For text messages, they recommend avoiding SMS and instead using encrypted messaging services such as Apple’s (AAPL) iMessage, Facebook’s (FB) WhatsApp or the many others available; these let you send and receive instant messages without going through the SMS network, protecting your messages from surveillance.

For calls, the Guardian recommends using a service that carries voice over data rather than through the voice call network. This will help prevent your calls from being snooped on. Messaging services including WhatsApp permit calls. Silent Circle’s end-to-end encrypted Phone service or the open-source Signal app also allow secure voice communications.

Your location could be tracked at any time your mobile phone is on. The only way to avoid it is to turn off your phone, or turn off its connection to the mobile phone network and rely on Wi-Fi instead.


Cryptocurrencies

The attackers behind last month’s WannaCry ransomware were planning to extort $300 in Monero cryptocurrency to unlock encrypted files. Until this crisis, who had ever heard of Monero? How could you even buy Moneros to unlock your PC, if you wanted to take that chance? More people are probably aware of Bitcoin (BTC). The Visual Capitalist explains that Bitcoin is the original cryptocurrency, and its meteoric rise has made it a mainstay of conversation for investors, media, and technologists alike.

Despite its shady history, Bitcoin has spawned over 800 new markets and cryptocurrencies. While Bitcoin is the dominant cryptocurrency, with a market cap of $37.2 billion, the rest of the cryptocurrencies are, in combination, worth even more: nearly $40 billion. The leaders of the altcoin movement are:

Ethereum (ETH) launched in 2015, is the second largest by market capitalization. It is also quite different from Bitcoin. The Visual Capitalist explains that while Bitcoin is designed to be a payments protocol first, Ethereum is designed to work as a blockchain-based computing platform for developers to build and deploy decentralized applications, while also enabling smart contracts. The tokens used to power the network are called Ether, but they can also be traded online. At time of writing, Ethereum’s market capitalization is $15.4 billion.

Ripple (XRP) is the native currency of the Ripple Protocol – a broader catch-all for an open-source, global exchange, according to the Visual Capitalist. Ripple is aiming to be a settlement protocol for major banks; it’s already being used by banks such as Santander, Bank of America Merrill Lynch, UBS, and RBC. Ripple has a market cap of $10.9 billion.

Ethereum Classic (ETC): the Ethereum network actually split into two in 2016. The Visual Capitalist says it’s a complicated situation. You can read about the hack v. hack battle here. Ethereum Classic is based on the original Ethereum blockchain, and has a market capitalization of $1.4 billion.

Litecoin (LTC) is one of the first altcoins, and it is nearly identical to Bitcoin, having been “forked” from it in 2011. Litecoin aims to process blocks 4x faster than Bitcoin to speed up transaction confirmation time, though this creates several other challenges as well, according to the Visual Capitalist. At time of writing, Litecoin’s market capitalization is $1.3 billion.

Monero (XMR) is an open-source, privacy-oriented cryptocurrency launched in April 2014. It is the result of a fork of the Bytecoin cryptocurrency. According to CoinDesk, Monero is private by default, and it has achieved widespread adoption among those interested in using cryptocurrencies to remain anonymous. Monero has a market capitalization of $6.2 million.

The price of Monero’s XMR has experienced significant volatility at times, climbing more than 1,300% since it began trading on CoinMarketCap. Since its start, the cryptocurrency has fluctuated between roughly $0.25 (in January 2015) and close to $60 (in May 2017).

Monero leverages ring signatures and stealth addresses to obscure the senders’ and recipients’ identities. Ring signatures combine or ‘mix’ a user’s account keys with public keys obtained from Monero’s blockchain to create a ‘ring’ of possible signers, meaning outside observers cannot link a signature to a specific user.

Originally, ring signatures obscured the senders and recipients involved in a Monero transaction without hiding the amount transferred. However, an update called RingCT implemented a new ring signature that conceals both the value of each transaction and the senders’ and recipients’ identities, to make transaction tracking harder.

In addition to leveraging ring signatures, Monero also enhances anonymity through stealth addresses, which are randomly generated, one-time addresses created for each transaction on behalf of the recipient. With this feature, recipients publish a single address and transactions they receive go to separate, unique addresses. As a result, Monero transactions cannot be linked to the published address of the sender or recipient.
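The stealth-address mechanism just described has a small amount of algebra behind it: the recipient publishes a view key and a spend key, the sender picks a fresh random nonce per payment, and only someone holding the view key can tell which one-time addresses on the chain belong to them. The script below is an added example for this post, not Monero’s code: Monero does this on the Ed25519 curve, whereas here the same construction runs in a multiplicative group modulo the Mersenne prime 2^127-1, constructed purely so the arithmetic is readable, so the parameters are not secure and nothing here should be used for real money. It shows only stealth addresses, not the ring signatures covered in the two paragraphs before.

```python
"""Toy stealth addresses in the shape the Monero description above gives.

Added example for this page (not Monero code). Monero uses Ed25519; here the same
algebra runs modulo the Mersenne prime 2^127-1, chosen for readability only, so the
parameters are NOT secure.
"""
import hashlib
import secrets

MOD = (1 << 127) - 1     # prime modulus of the toy group
ORDER = MOD - 1          # exponents live modulo the group order
G = 3                    # toy generator (Monero's base point G)


def H(x: int) -> int:
    """Hash a group element to a scalar, the role of H_s() in Monero."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(16, "big")).digest(), "big") % ORDER


def rand_scalar() -> int:
    return secrets.randbelow(ORDER - 1) + 1


def keygen():
    """Recipient's single published address is the public pair (A, B)."""
    a, b = rand_scalar(), rand_scalar()               # private view key, private spend key
    return (a, b), (pow(G, a, MOD), pow(G, b, MOD))


def make_output(recipient_pub):
    """Sender: a fresh one-time address for this payment plus the public nonce R."""
    A, B = recipient_pub
    r = rand_scalar()
    R = pow(G, r, MOD)                                # goes on the chain next to the output
    shared = pow(A, r, MOD)                           # r*A, known only to sender and recipient
    one_time = (pow(G, H(shared), MOD) * B) % MOD     # H(r*A)*G + B
    return R, one_time


def scan_output(recipient_priv, recipient_pub, R, one_time):
    """Recipient: rebuild the shared secret from R and the view key. Returns the
    one-time private key if this output is ours, otherwise None."""
    a, b = recipient_priv
    _, B = recipient_pub
    shared = pow(R, a, MOD)                           # a*R equals r*A
    if (pow(G, H(shared), MOD) * B) % MOD != one_time:
        return None
    return (H(shared) + b) % ORDER                    # x with x*G == one_time; needs spend key


if __name__ == "__main__":
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    R1, out1 = make_output(alice_pub)                 # two payments to the same address...
    R2, out2 = make_output(alice_pub)
    print("distinct one-time addresses:", out1 != out2)
    x = scan_output(alice_priv, alice_pub, R1, out1)
    print("Alice recognizes and can spend output 1:", x is not None and pow(G, x, MOD) == out1)
    print("Bob sees nothing of his in output 1:", scan_output(bob_priv, bob_pub, R1, out1) is None)
```

Two payments to the same published address land on unrelated one-time addresses, which is the fungibility argument the next paragraphs make: an observer of the chain cannot group them, yet the recipient scans with the view key alone and spends with the spend key.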

By providing a high level of anonymity, Monero offers fungibility, meaning that each individual unit of a currency can be substituted for another. Another way of putting this is that every coin has equal value.

Due to Monero’s untraceable nature, no two coins are distinguishable from one another, and they are both equal in the eyes of merchants. Without this level of fungibility, a vendor that accepts cryptocurrency might refuse a unit of one of these assets because of its past possibly illegal transaction history.

CoinDesk points out that Monero has enjoyed a steady increase in adoption since its release. This adoption seems to be led by Dark web marketplaces like AlphaBay and Oasis, which have embraced it, reportedly due to popular demand.

Those who want to purchase Monero, to pay a ransom or for other reasons, can do so at an exchange. The Monero market operates like that of many other cryptocurrencies. Those interested in buying the cryptocurrency can get it through exchanges including Poloniex, Bitfinex and Kraken.

Bitfinex offers XMR/USD and XMR/BTC exchanges along with deposits and withdrawals of Monero. Kraken offers the same options as Bitfinex, as well as XMR/EUR.

Other cryptocurrencies in the altcoin universe include NEM, Dash, ByteCoin and Golem.

rb-

If the fraudsters who set off the WannaCry crisis were expecting to make a fortune in cryptocurrency, it didn’t work. Apparently they have only made approx. BTC 50.91735344, or just under $150,000, on 320 payments world-wide, according to the Twitter bot actual_ransom from @collinskeith, which is watching the bitcoin wallets tied to the ransomware attack.

I dunno – until somehow cryptocurrencies break their implied link to illegal activities online, they will be relegated to the black market.

The value of cryptocurrencies is really hard to pin down because no one really knows how much they should be worth. Unlike a company, there are no assets or revenues that can be used to assess a predictable valuation. So they are subject to wide swings in valuation because they operate without any tangible value behind them.

The underlying technology of blockchain seems to have a brighter future.




Visual Capitalist The Coin Universe Keeps Expanding