Categories
ZDNet

At Amazon, it’s a ‘hands-off’ approach to continuous integration and continuous deployment of software

It’s no surprise that Amazon Web Services is well ahead of the rest of the industry in continuous integration and continuous deployment of software, especially since it advertises itself as a go-to place for organizations seeking to put CI/CD into full practice. The online services giant has taken its own internal CI/CD practices a step further, however, making them an essentially “hands-off” operation. At AWS, changes in microservices are automatically deployed to production “multiple times a day by continuous deployment pipelines,” according to Clare Liguori, a principal software engineer at AWS. This pipeline-centered strategy is key to its ability to keep shipping code. In a recent post, she explains how Amazon moves software through its phases rapidly and automatically. Remarkably, managers and developers spend little to no time shepherding deployments and watching logs and metrics for any impact. “Automated deployments in the pipeline typically don’t have a developer who actively watches each deployment to prod, checks the metrics, and manually rolls back if they see issues. These deployments are completely hands-off. The deployment system actively monitors an alarm to determine if it needs to automatically roll back a deployment.” Software at AWS moves through four major stages, with automated mechanisms that check and double-check results at every step.

Source changes, validated: Amazon’s pipelines “automatically validate and safely deploy any type of source change to production, not only changes to application code,” says Liguori. “They can validate and deploy changes to sources such…
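The hands-off behaviour described above, as an added example that is not Amazon's pipeline code: a deployment step pushes a new version, watches an alarm over a bake period, and rolls back without a human when the alarm fires. The alarm thresholds, the in-memory fleet, and the error-rate samples are constructed for illustration.

```python
"""Alarm-gated deployment with automatic rollback (illustrative, not AWS code)."""
from dataclasses import dataclass, field
from typing import Callable, Iterable, Tuple


@dataclass
class Alarm:
    """Alarm is in ALARM when at least `datapoints_to_alarm` samples in the
    observation window exceed `threshold` (assumed numbers, not AWS defaults)."""
    threshold: float
    datapoints_to_alarm: int

    def in_alarm(self, error_rates: Iterable[float]) -> bool:
        bad = sum(1 for r in error_rates if r > self.threshold)
        return bad >= self.datapoints_to_alarm


@dataclass
class Fleet:
    """Stand-in for a production fleet: remembers the version it is serving
    and the versions it served before, so a rollback can restore the last one."""
    current_version: str
    history: list = field(default_factory=list)

    def deploy(self, version: str) -> None:
        self.history.append(self.current_version)
        self.current_version = version

    def rollback(self) -> None:
        self.current_version = self.history.pop()


def deploy_with_rollback(fleet: Fleet, new_version: str, alarm: Alarm,
                         sample_metric: Callable[[str], float],
                         bake_datapoints: int) -> Tuple[str, str]:
    """Deploy `new_version`, observe `bake_datapoints` metric samples, and roll
    back as soon as the alarm fires. Returns (outcome, version now serving).
    Nobody watches this loop; the alarm is the only decision input."""
    fleet.deploy(new_version)
    window = []
    for _ in range(bake_datapoints):
        window.append(sample_metric(fleet.current_version))
        if alarm.in_alarm(window):
            fleet.rollback()
            return "rolled_back", fleet.current_version
    return "promoted", fleet.current_version


def metric_source(rates_by_version: dict) -> Callable[[str], float]:
    """Constructed stand-in for a metrics backend: returns the next recorded
    error-rate sample for a version. Values are invented for the example."""
    cursors = {v: iter(samples) for v, samples in rates_by_version.items()}

    def sample(version: str) -> float:
        return next(cursors[version])
    return sample


# Constructed samples: v43 regresses after the first datapoint, v44 is healthy.
CONSTRUCTED_RATES = {
    "v43": [0.002, 0.05, 0.08, 0.09, 0.001],
    "v44": [0.001, 0.002, 0.001, 0.001, 0.002],
}


def run_demo() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Deploy v43 (rolls back to v42) and then v44 (promoted)."""
    alarm = Alarm(threshold=0.01, datapoints_to_alarm=3)
    fleet = Fleet(current_version="v42")
    sample = metric_source(CONSTRUCTED_RATES)
    first = deploy_with_rollback(fleet, "v43", alarm, sample, bake_datapoints=5)
    second = deploy_with_rollback(fleet, "v44", alarm, sample, bake_datapoints=5)
    return first, second


if __name__ == "__main__":
    print(run_demo())
```

Two details a practitioner would carry into a real pipeline: the alarm counts bad datapoints across the whole window rather than requiring them to be consecutive, so a brief recovery does not reset the count, and rollback restores the previously serving version rather than a hard-coded one, so it works the same way at every stage of a multi-stage rollout.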


Adobe, Mastercard, Visa warn online store owners of Magento 1.x EOL

The Visa and Mastercard payment processors, along with Adobe, have made last-ditch efforts this month to get online store owners to update their platforms. In three days, on June 30, the Magento 1.x platform is set to reach its official end-of-life (EOL) date, after which Adobe plans to stop offering security updates. Stores that haven’t updated to the latest 2.x branch and are still running Magento 1.x installations will become highly vulnerable to attacks from hackers. The danger is considered high because, for the past three years, hackers have been heavily exploiting Magento bugs to breach stores and insert payment card-stealing code in checkout forms, a form of attack known as web skimming or Magecart.

Mastercard and Visa get involved

Earlier this week, payments processor Mastercard issued a security alert to its customers on the topic. In a copy of this alert seen by ZDNet, the company said that its Mastercard Account Data Compromise (ADC) team, responsible for investigating security breaches impacting cardholder data, found that web skimming incidents have grown more frequent in recent years. Most of these have been traced back to websites running older versions of the Magento web store software. Mastercard said that 77% of the companies investigated in these incidents were not in compliance with PCI DSS requirement 6, the rule that requires store owners to run up-to-date systems. Mastercard’s alert comes after Visa sent one of its own in April. Just like Mastercard, Visa warned store owners to update to…


Demand for employee surveillance software soars

Your bosses have become a little more caring. They understand that working from home isn’t ideal. They know you may have kids or a small apartment. Or both. So, with the advent of the coronavirus, they’re showing their human side a little more. I want to believe this. I truly do. It seems, though, that COVID-19 has led to an interest in covert activities. Covert management activities, that is. A new study, you see, suggests that interest in employee surveillance software has risen greatly since we were all locked down and loaded with toilet paper. As measured by search data, that is. It seems that the minute April came along, bosses’ impulse to follow their remote employees’ every step and click rose by a fulsome 87% when compared with pre-COVID times. May saw an increase of 71%. They were searching such terms as “work from home monitoring tools” and “how to monitor employees working from home.” There’s little reason for surprise. Too many employers, especially those less familiar with remote working, will grasp at any technology that makes them feel they’re in total control. It’s unclear how many of these employers tell their employees what’s going on. Or, perhaps, the full extent of what’s going on. The employee may think it’s just another time management tool. Perhaps they don’t realize that a particular tool can control the camera on their laptop too. Some employers may be perfectly overt. Why, I recently…


Nvidia squashes display driver code execution, information leak bugs

Nvidia has released a set of security updates to remove vulnerabilities in the Nvidia GPU Display Driver. This week, the tech giant published a security advisory for a total of six bugs in the driver, varying in severity with CVSS scores between 5.5 and 7.8 and impacting both Windows and Linux machines. The first vulnerability, CVE-2020-5962, is found in the Nvidia Control Panel component of the driver, in which a local attacker can corrupt system files, leading to denial of service or privilege escalation. CVE-2020-5963 is the second bug at hand, found in the CUDA Driver’s Inter Process Communication APIs. The improper access control flaw can be exploited for code execution, denial of service, or information leaks. The third issue, now resolved, is CVE-2020-5964: an error in the service host component of the display driver can lead to resource integrity checks being skipped, thereby resulting in potential code execution, denial of service, or information disclosure attacks. CVE-2020-5965 has also been patched. The problem occurs in the display driver’s DirectX 11 user mode driver, in which a “specially crafted shader can cause an out of bounds access, leading to denial of service,” according to Nvidia. The company has taken the opportunity to also resolve CVE-2020-5966, a vulnerability in the kernel mode layer of the Windows-based GPU display driver, in which the dereference of a null pointer could be weaponized for privilege escalation or denial of service. The final bug, CVE-2020-5967, was found…


More than 75% of all vulnerabilities reside in indirect dependencies

The vast majority of security vulnerabilities in open-source projects reside in indirect dependencies rather than in directly loaded, first-hand components. “Aggregating the numbers from all ecosystems, we found more than three times as many vulnerabilities in indirect dependencies than we did direct dependencies,” Alyssa Miller, Application Security Advocate at Snyk, told ZDNet in an interview discussing Snyk’s State of Open Source Security for 2020 study. The report looked at how vulnerabilities impacted the JavaScript (npm), Ruby (RubyGems), Java (MavenCentral), PHP (Packagist), and Python (PyPI) ecosystems. Snyk said that 86% of the JavaScript security bugs, 81% of the Ruby bugs, and 74% of the Java ones impacted libraries that were dependencies of the primary components loaded inside a project. Snyk argues that companies scanning only their primary dependencies for security issues, without exploring their full dependency tree multiple levels down, would release or end up running products that were vulnerable to unforeseen bugs. But while security bugs were concentrated in indirect dependencies in JavaScript, Ruby, and Java, that was not the case in PHP and Python, where the vast majority of bugs were in the direct dependencies (primary components). However, there’s a reason for that. “I honestly find it’s more a matter of the development approach within ecosystems themselves,” Miller told ZDNet. “Java and Node.js projects, in particular, seem to leverage dependencies a lot heavier than other ecosystems. In particular, when you look at the sheer size of the Node.js ecosystem, packages building off or leveraging key functionality from other packages is very much the…
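Snyk's point above is that a scanner which stops at the primary dependencies misses everything further down the tree. The following added example (not Snyk's tooling) resolves a project's full transitive dependency graph, matches it against an advisory list, and reports each vulnerable package as direct or indirect together with the path that pulls it in. The package names, graph edges and advisory identifiers are all constructed for the example and are not real packages or CVEs.

```python
"""Direct vs. indirect vulnerable dependencies over a full dependency tree
(illustrative example, not Snyk's scanner)."""
from collections import deque
from typing import Dict, List, Tuple

# Constructed lockfile-style graph: package -> packages it depends on.
# "app" is the project root; everything at depth 1 is a direct dependency.
CONSTRUCTED_GRAPH: Dict[str, List[str]] = {
    "app": ["web-framework", "http-client", "logger"],
    "web-framework": ["template-engine", "cookie-parser"],
    "template-engine": ["html-escape"],
    "cookie-parser": ["qs-parse"],
    "http-client": ["qs-parse", "tls-helper"],
    "logger": [],
    "html-escape": [],
    "qs-parse": [],
    "tls-helper": ["cert-util"],
    "cert-util": [],
}

# Constructed advisory feed: package -> advisory id (invented, not real CVEs).
CONSTRUCTED_ADVISORIES: Dict[str, str] = {
    "logger": "ADV-0001",
    "qs-parse": "ADV-0002",
    "cert-util": "ADV-0003",
    "html-escape": "ADV-0004",
}


def resolve_tree(graph: Dict[str, List[str]], root: str) -> Dict[str, List[str]]:
    """Breadth-first walk from `root`. Returns {package: shortest path from root}
    for every reachable package (root excluded). The `seen` set makes cyclic
    graphs terminate, which real lockfiles do contain."""
    paths: Dict[str, List[str]] = {}
    queue = deque([(root, [root])])
    seen = {root}
    while queue:
        pkg, path = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep in seen:
                continue
            seen.add(dep)
            paths[dep] = path + [dep]
            queue.append((dep, paths[dep]))
    return paths


def classify_vulns(graph: Dict[str, List[str]], advisories: Dict[str, str],
                   root: str = "app") -> Tuple[dict, dict]:
    """Split vulnerable packages into direct (depth 1) and indirect (depth > 1).
    Each entry carries the advisory id and the path that introduces the package,
    which is what a developer needs to know which direct dependency to bump."""
    paths = resolve_tree(graph, root)
    direct, indirect = {}, {}
    for pkg, adv in advisories.items():
        if pkg not in paths:
            continue  # advisory for a package this project does not pull in
        bucket = direct if len(paths[pkg]) == 2 else indirect
        bucket[pkg] = {"advisory": adv, "path": paths[pkg]}
    return direct, indirect


def indirect_share(direct: dict, indirect: dict) -> float:
    """Fraction of the project's vulnerable packages that a direct-only scan misses."""
    total = len(direct) + len(indirect)
    return len(indirect) / total if total else 0.0


if __name__ == "__main__":
    d, i = classify_vulns(CONSTRUCTED_GRAPH, CONSTRUCTED_ADVISORIES)
    for pkg, info in i.items():
        print(f"{pkg}: {info['advisory']} via {' -> '.join(info['path'])}")
    print(f"indirect share: {indirect_share(d, i):.0%}")
```

On the constructed graph a direct-only scan reports one advisory and misses three; the reported path is the actionable part, since an indirect vulnerability is fixed by upgrading or replacing the direct dependency at the top of that path, not by editing the manifest for a package the project never named.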


Ex-Intel engineer: Apple turned away from Intel over Skylake CPU bugs

A former Intel engineer reckons Apple decided to switch from Intel because of the unusually high number of bugs in the chip maker’s Skylake CPUs, which powered Macs released between 2015 and 2017. The claim is made by François Piednoël, now principal architect at Mercedes-Benz R&D North America. While it is just the opinion of one former Intel engineer, Piednoël worked at Intel for 20 years and was one of its top CPU architects. He left the company in 2017. At WWDC last week Apple confirmed the long-predicted switch to Arm for its future Macs, but Piednoël pinpoints the arrival of buggy Skylake Core CPUs as the key event that prompted Apple to move away from Intel. “The quality assurance in Skylake was abnormally bad,” said Piednoël. “We were getting way too much citing for little things, and basically Apple became the number-one filer of problems with the architecture. And that went really, really bad. When your customer starts finding almost as many bugs as you found yourself, you’re not leading into the right place. “For me, this is the inflection point. This is where the Apple guys that were always contemplating to switch, they went and looked at it and said, ‘We’ve probably got to do it’. “Basically the bad quality assurance of Skylake is responsible for [obliging them] to go away from the platform. “I think I witnessed this inflection about three years ago when they said, ‘Yeah, time…


Credit card skimmers are now being buried in image file metadata on e-commerce websites

Cybercriminals making use of online credit card skimmers continue to improve their attack methods, and this time, malicious code has been found buried in image file metadata loaded by e-commerce websites. According to Jérôme Segura, Malwarebytes Director of Threat Intelligence, the new technique is a way to “hide credit card skimmers in order to evade detection.” Over the past few years, the growing popularity of online shopping, now greater than ever because of the novel coronavirus pandemic, has given rise to cyberattacks dedicated to the covert theft of payment card information entered when making online purchases. After well-known brands were hit in quick succession, including Ticketmaster and British Airways, the term ‘Magecart’ was coined for these types of attacks, in which malicious JavaScript is injected into the payment portal pages of vulnerable websites in order to harvest customer details for as long as possible without detection. Countless e-commerce domains have fallen victim to Magecart, and the prolific cybercriminal gangs known to specialize in card skimming have been split up and named as separate Magecart groups for tracking purposes. The cybersecurity firm has explored the new technique, described in a blog post published on Thursday, which is believed to be the handiwork of Magecart Group 9. Originally, when Malwarebytes stumbled across a suspicious-looking image file, the team thought it may be related to an older technique that uses favicons to hide…
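An image that a storefront serves should carry pixels and a few metadata strings, never executable script. The following added example (not Malwarebytes' analysis tooling) walks the marker segments of a JPEG, isolates the application segments where EXIF and similar metadata live, and flags any whose bytes look like JavaScript. It assumes the script is stored as text inside an EXIF-style APP1 segment, which is an assumption about the technique and not something this page states; the sample images are built in memory, and the "skimmer" text inside the tainted one is an inert placeholder, not real skimmer code.

```python
"""Scan JPEG metadata segments for embedded JavaScript (illustrative, not the
analysis code of the researchers the article cites)."""
import re
import struct
from typing import Iterator, List, Tuple

SOI = b"\xff\xd8"        # start of image
SOS = 0xDA               # start of scan: entropy-coded data follows, stop here
APP_MARKERS = range(0xE0, 0xF0)   # APP0..APP15 (JFIF, EXIF, XMP, ICC, ...)

# Assumed script indicators for the example; a real scanner would use a wider,
# tuned set and ideally a JS tokenizer rather than regexes.
SCRIPT_PATTERNS = [
    re.compile(rb"\bfunction\s*\("),
    re.compile(rb"\beval\s*\("),
    re.compile(rb"\bdocument\.(?:getElementById|querySelector|cookie)\b"),
    re.compile(rb"\bXMLHttpRequest\b|\bfetch\s*\("),
    re.compile(rb"\bString\.fromCharCode\b"),
    re.compile(rb"\batob\s*\("),
]


def iter_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for each marker segment up to start-of-scan.
    The 2-byte length field counts itself, so the payload is length - 2 bytes."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def suspicious_segments(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (marker, matched indicator, context snippet) for each application
    segment whose bytes contain script-like content."""
    hits = []
    for marker, payload in iter_segments(data):
        if marker not in APP_MARKERS:
            continue
        for pat in SCRIPT_PATTERNS:
            m = pat.search(payload)
            if m:
                start = max(0, m.start() - 20)
                snippet = payload[start:m.end() + 40].decode("latin-1")
                hits.append((marker, m.group(0).decode("latin-1"), snippet))
                break
    return hits


def build_jpeg(app_segments: List[Tuple[int, bytes]]) -> bytes:
    """Constructed minimal JPEG: SOI, the given APP segments, then an SOS marker.
    Enough structure for the segment walker; not a decodable picture."""
    out = bytearray(SOI)
    for marker, payload in app_segments:
        out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    out += bytes([0xFF, SOS])
    return bytes(out)


JFIF = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
CLEAN_EXIF = b"Exif\x00\x00" + b"\x00" * 8 + b"Copyright: Example Store 2020"
# Placeholder script text in an EXIF-style Copyright field. It does nothing and
# exists only to trip the heuristics; the real skimmer is not reproduced here.
FAKE_SKIMMER = (b"Exif\x00\x00" + b"\x00" * 8 + b"Copyright: "
                b"(function(){var f=document.getElementById('checkout');"
                b"/* placeholder, not a real skimmer */})();")


def demo() -> Tuple[list, list]:
    """Scan one clean and one tainted constructed image."""
    clean = build_jpeg([(0xE0, JFIF), (0xE1, CLEAN_EXIF)])
    tainted = build_jpeg([(0xE0, JFIF), (0xE1, FAKE_SKIMMER)])
    return suspicious_segments(clean), suspicious_segments(tainted)


if __name__ == "__main__":
    print(demo())
```

Run it over the images a checkout page actually loads (the favicon and any decoy images included) rather than only the catalog; the point of hiding the loader in metadata is that the fetch looks like an ordinary image request, so the detection has to look inside the bytes, not at the URL or content type.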


IBM mocks a startup and the question is what are you doing, IBM?

Here’s how it’s supposed to work. When you’re a big company, say one worth $100 billion or more, you stay above the fray. You pose as a great contributor to society. You might even choose to withdraw from offering facial recognition technology. One thing you shouldn’t really do is mock companies that are a lot smaller than you are. I’m a touch perturbed, therefore, to learn that IBM — for this is the company on our purple chaise-lounge today — thought it would make a barbed joke about a relatively small cloud data warehouse company called Yellowbrick. Worse, IBM made the joke on LinkedIn, the Twitter of the dull, monied and lost. This was a LinkedIn ad, of a sort, for IBM’s Netezza, which sounds like a new, faux-Italian frozen confection and is, in fact, a data warehouse appliance and analytics offering. The ad read: “Yellow brick roads are for fairy tales. Netezza. There’s no place like home.” For its part, Yellowbrick got all Twitter-tweaked, or rather LinkedIn-livid, and hit back with: “Lions and tigers and dinosaurs, oh my! Get true #analytics #innovation for #hybridcloud with Yellowbrick Data.” Please, I don’t want to weigh the various merits of these two no-doubt awe-inspiring products. I do want to say that neither of these companies is terribly well-versed in truly cutting social media humor. IBM’s painfully gauche attempt at wit is only marginally worse than Yellowbrick’s straining for an appropriate Wizard of Oz metaphor. Still, the psychology fascinates…


Going back to the office? Here are five major tech problems that lie ahead of you

IT departments have had a hectic few months. With organizations across the globe switching to remote working overnight, the majority of IT professionals report that their workloads have increased significantly, by as much as 37%, according to recent research. And unfortunately for support desks, this might only be the beginning. Now countries are gradually exiting lockdowns, and the focus is on a potential return to the office, at least for some employees. That may sound like fewer tickets filed for faulty WFH laptops or failed video calls; but in reality, IT teams are bracing themselves for a storm of new issues. Most of them are likely to be caused by our bad telecommuting digital behavior, especially when it comes to securing our devices. It’s not about pointing fingers, though: working in a home environment has invariably led employees to relax their awareness of IT concerns, perhaps even momentarily forgetting the golden rule of “Think before you Click”. In fact, up to half of employees have admitted they are cutting corners when it comes to cybersecurity at home. With this in mind, IT professionals are anticipating a wave of unwanted problems making their way into office networks as soon as workers start coming in with unsafe devices. After racing to make telecommuting safe and efficient, IT teams are going to see a 180-degree shift in focus: one towards making work safe again in the office. These are the bad habits that employees have adopted at home, and which will cause…


For business customers, Microsoft’s Windows 10 documentation is an unruly mess

One of the unexpected and unwelcome side effects of Microsoft’s push to Windows as a Service is that its documentation has become an unruly mess. The problem isn’t a lack of information. Microsoft has generally been doing a good job of describing high-level changes in Windows and then supplying lots of technical detail about those changes in relatively short order. That’s especially true for topics that matter to developers and to people deploying Windows at scale in enterprise shops.

Screenshot caption: The two options at the bottom of this page were removed without warning in the Windows 10 May 2020 update.

The trouble is finding those details when you need them. Important information is scattered about Microsoft.com like so many puzzle pieces, and it can be a challenge to fit those pieces together. For technicians, support specialists, and power users, the move to semi-annual updates is a special challenge. It’s practically a full-time job to keep up with the hundreds of changes that arrive with each new version, then do it again six months later for the next feature update. And just when you think you’re all caught up, seemingly minor changes can make you want to pull your hair out. For a glaring example, look at the Advanced Options page for Windows Update as it appears in the Windows 10 November 2019 Update, version 1909, shown here. If you visit that page after installing the Windows 10 May 2020 Update, version 2004, you’ll see that the two options to defer…