
There’s a whole wide world of web application firewall options – so how do you choose the right one?

Take the heat out of your firewall deployment

Webcast If you’ve got an application which faces the web, no one would dispute that you should probably have a web application firewall sitting in front of it.

Web apps, after all, are the leading cause of security breaches, and the web application firewall (WAF) is first line of defence, preventing bad actors getting in in the first place, and then leaving with whatever goodies they’ve found.

But while it’s easy to identify the problem, it’s a little trickier to identify the precise deployment approach you should follow to fix it. You can opt for a low-cost commodity product, traditional on-prem hardware, or the full gamut of cloud options, from self-managed to fully managed as a service. All have their pros and cons. The trick is working out which works for your organization, and your app.

It’s a complicated equation to work your way through, but as always, we’re here to help, with our upcoming webcast, Choosing the Right WAF Deployment Model, on April 13 at a very civilized 1100 BST (1200 CEST).

Your host will be our own Tim Phillips, who has worked through a fair few tricky equations himself over the years. He’ll be joined by Keiron Shepherd of F5 Networks, who has over 20 years of experience tackling hardcore cyber security issues.

Together they’ll walk you through the key WAF deployment models, and pick over their pros and cons.

They’ll also take you deeper into key areas such as advanced protection, behavioural analytics, proactive bot protection and API security.

And they’ll help you work out where your WAF choices can – and should – fit with your app development lifecycle.

So, if you’ve even the slightest worry that your current web app protection is a little more whiff than WAF, just drop your details in the registration box, and we’ll make sure to remind you on the day.

Brought to you by F5 Networks


China’s digital currency adds support for AliPay – the Alibaba payment app with over 700 million users

And just like that, the Digital Yuan has its route into the mainstream

Alibaba’s controversial financial services arm, the Ant Group, has been welcomed into trials of China’s digital currency.

China’s state-controlled on Monday reported that the Alipay app has added a feature allowing transactions in the Digital Yuan. Alipay has over 700 million monthly active users in China alone.

State-backed journal China Securities Journal reports that functionality to link to a bank is currently limited, and that no merchants are listed. Nor has the feature been made available to all users. But the Journal reports that real-time, anonymous transactions are possible.

Vietnam’s biggest industrial conglomerate quits smartphones and tellies biz, bets on electric cars

No breakthroughs left to make in electronics, says CEO as company eyes off IPO-by-SPAC

Vietnam's largest industrial conglomerate, Vingroup, has announced it will no longer develop televisions and smartphones under its VinSmart brand and instead redirect resources toward its electric vehicle unit, VinFast.

“This is a strategic step to bring VinFast towards its goal of becoming one of the smartest and most convenient electric car manufacturers in the world,” said Vingroup in a canned statement.

The Vietnamese conglomerate said it won't trash its electronics division, will honor warranties, support products and keep its VinSmart factories operational until existing consumer electronics product life cycles end. At that point, they will outsource some of the factory to partners and shift other facilities to new products.


Tencent research team scores free powerups for electric cars with Raspberry Pi-powered X-in-the-middle attack

Another auto-exploit saw rPi push Telegram messages over CAN bus to brick a car

Black Hat Asia Researchers have used the Black Hat Asia conference to demonstrate the awesome power of the Raspberry Pi as a car-p0wning platform.

Chinese web giant Tencent's Blade Team, a security research group, showed they could circumvent payment schemes used at electric vehicle charging stations. Their exploits also changed the charging voltage and current, an act that could damage the EV.

“The construction of charging stations is accelerating all over the world, but there is little research on the security of electric vehicle infrastructure,” said Tencent Blade Team senior security researcher Wu HuiYu.

Indian government says 5G doesn’t cause COVID-19. Also points out India has no 5G networks

But won’t reveal who it wants banned from social media over less obvious disinformation

As COVID-19 continues to ravage India, the nation’s government has told its populace that 5G signals have nothing to do with the spread of the virus – if only because no 5G networks operate in India.

A statement from the nation’s Department of Telecommunications states: “several misleading messages are being circulated on various social media platforms claiming that the second wave of coronavirus has been caused by the testing of the 5G mobile towers.”

After pointing out that the very notion is a nonsense, the Department points out that India approved 5G trials on May 4th and they won’t start for months.


Trend Micro hosted email service is down, inboxes still stuck in cloudy limbo

Blames spam filters for brownout, warns fix could be 'disruptive'

Trend Micro’s hosted email security product is experiencing a global brownout.

The security company’s Japanese support pages say the incident started on Monday afternoon at 1515 UTC, or a quarter past midnight in Tokyo, and has not been resolved at the time of writing more than ten hours later.

Trend’s sparse notification says the company is “aware of some email delivery delays in Hosted Email Security and Pre-filter products affecting customers in all regions. We are currently addressing the issue and hope to have it resolved as soon as possible.”


Amazon says it destroyed two million knockoffs in 2020, a fraction of the amount it ships

Internet souk said it only approved 6% of new sellers

Amazon's latest brand protection report states it destroyed more than two million pieces of counterfeit goods last year and denied most would-be sellers from setting up shop in its online souk.

"In 2020, Amazon invested over $700m and employed more than 10,000 people to protect our store from fraud and abuse," said Dharmesh Mehta, veep of worldwide customer trust and partner support at Amazon, in the report [PDF], released this week. "As a result, the vast majority of our customers continued to only find authentic products in our store."

For what it's worth, Amazon ships billions of packages a year, and made $21.3bn in pure profit [PDF] in 2020. Having spent a fraction of that on tackling fraud – about three per cent – Bezos & Co say they made significant inroads into thwarting the scourge of knockoffs. In addition to intercepting and binning millions of phony goods, Amazon has set up a Counterfeit Crimes Unit to go after those trying to scam buyers.


NASA's first asteroid sample on its way to Earth after OSIRIS-REx boosts for home

Boffins will have to wait until September 2023 to get their hands on the goodies

OSIRIS-REx, the spacecraft carrying NASA’s first-ever asteroid sample, has started its two-year journey back to Earth, the space agency confirmed on Monday.

On Friday, ground control sent the commands directing the 2,110 kg (4,650 lb) vehicle to fire its main thrusters to get out of asteroid Bennu’s orbit and return to our planet. The team erupted in cheers on Monday after it received confirmation that OSIRIS-REx had successfully fired its engines at 2016 UTC, and was on its way.

"Mission navigation has received confirmation of burn cutoff. OSIRIS-REx is headed home with a souvenir of rocks and dusts from a 4.5-billion-year-old asteroid," the NASA team said.


LibreBMC project to open source baseboard management controllers with security as a priority

Freely available to use, from the hardware schematics to RISC-V cores on an FPGA, to the firmware on top

The OpenPOWER Foundation, formed to promote IBM's open-source POWER instruction set architecture (ISA), on Monday said it is putting together a new working group to develop LibreBMC, claimed to be the first baseboard management controller (BMC) designed with open source software and hardware.

"The LibreBMC project came out of a desire to both utilize and showcase the fully open POWER cores, and apply software driven development to hardware design," said James Kulina, executive director of the OpenPOWER Foundation, in an email to The Register. "We determined the lowly BMC controller – something that the broader industry doesn’t think too much about – is a great use case that if successful will have a real positive impact."

BMCs monitor and manage devices in data centers. They collect sensor data like temperature, humidity, fan speed, power supply voltage, and provide administrative functions like remote access.


Kubecon 2021: A largely dry and corporate affair where the best bits involved a spot of Kubernetes-hacking roleplay

But we heard the message loud and clear – it's pretty much the standard runtime platform now

Kubecon A session on how to hack into a Kubernetes cluster was among the highlights of a Kubecon where the main events were generally bland and corporate affairs, perhaps indicative of the technology now being a de facto infrastructure standard among enterprises.

Kubecon Europe took place online last week with more than 27,000 attendees, according to Chris Aniszczyk, CTO of the Cloud Native Computing Foundation (CNCF), which hosts the Kubernetes project among many others.

That is a substantial increase on the reported 13,000 or so at last year's event, which was also virtual. Kubernetes is huge, and if there was an underlying theme at the event it was that Kubernetes is becoming the standard runtime platform.


US postal service goes all in on AI

Plus: Google boffin who resigned over AI ethics controversy, joins Apple

In Brief What do you know? The US Postal Service uses AI technology and has GPU servers running computer vision algorithms to track items being delivered across the country.

The system is called the Edge Computing Infrastructure Program (ECIP, pronounced EE-sip) and is designed to run inference operations on machine learning models using Nvidia’s GPUs. The USPS relies on deep-learning systems to perform image recognition tasks, and hopefully speed up the mail.

“It used to take eight or 10 people several days to track down items, now it takes one or two people a couple hours,” said Todd Schimmel, the manager who oversees ECIP and other USPS systems. Schimmel hopes USPS will deploy more algorithms that can detect if the correct postage stamp has been used for a package, and to automatically read barcodes even if they’re damaged.


As another vendor promises 3 years of Android updates, we ask: How long should mobile devices receive support?

Really, three years should be the bare minimum at this point

Analysis Almost seven months after the brand splashed down in the UK market, mobile maker Vivo is making some bold promises about the longevity of its upcoming phones.

The Chinese company is promising at least three years of software and security updates for selected premium devices introduced after July.

And? It's underwhelming. When it comes to software updates, most smartphone vendors fare dismally. Three years is a decent figure, on par with the Android One programme, although slightly below what Samsung has provided newer Galaxy devices.
