Hypershield detects bad behavior and automagically reconfigures networks to snuff out threats

Cisco has developed a product called Hypershield that it thinks represents a new way to do network security.

The core element of Cisco's plan is the deployment of "enforcement points" – essentially teensy firewalls that can run on a server, or in data processing units (DPUs, aka SmartNICs) installed in servers or networking hardware.

Enforcement points are made aware of the applications they observe and known good behaviors of that software. They're also kept up to date with info about new vulnerabilities or attacks – thanks to the work of Cisco's security intelligence teams, which distil oodles of signals gathered online using AI.

Armed with info about what an app should be doing, and attacks that could change its behavior, enforcement points check for anomalous behavior. When the software finds it, it can do a couple of things.

One is inform admins about which apps need patching.

The other is to implement a "compensating control" that protects the app – essentially by creating new network segments that don't allow dangerous traffic.

Tom Gillis, senior veep and general manager of Cisco's security business, suggested those controls could be actions like blocking access to a known dangerous URL identified to be part of a cyber attack. Compensating controls can be set running wherever they're needed on a network, reconfiguring it on the fly to harden against a live attack.

Gillis revealed that enforcement points run two data paths. One is the equivalent of a production system that has been tested and found to work without issues.

The enforcement point also runs a "shadow path" – basically a beta of its most recent update. The shadow path runs on live data and uses AI to test whether the update is working as expected.

If those automated tests check out, the enforcement point manages its own lifecycle by making the shadow path the production path, and installing the next upgrade to test in the shadow path.

That automation, Gillis told The Register, should be welcomed by beleaguered security and net admins. He thinks it will also be welcomed in industries like healthcare that can't easily update devices with security vulnerabilities – because they just don't mess with hardware that keeps people alive. Self-updating networks and mitigations that keep those machines safe is Cisco's alternative.

Kernel games and DPU delights
When running on a server, enforcement points use the eBPF tech Cisco acquired along with Isovalent. The extended Berkeley Packet Filter (eBPF) allows developers to run code in sandboxed programs that run in a privileged context – such as the operating system kernel – and allows the addition of capabilities to an OS.

The eBPF implementation Cisco used for Hypershield is lightweight, but still uses one or two percent of a CPU's capacity.

Which is why Cisco can also run enforcement points on DPUs/SmartNICs – an arrangement that isolates them further and relieves the burden on server CPUs.

Cisco will also build switches to run DPUs, making it possible to apply enforcement points on each port in a switch.

Gillis explained that Cisco chose this approach after working with hyperscalers who run DPUs, but tired of having to attach them to every server in a rack. Shifting DPUs into a top of rack switch delivers the same benefits, he said, but shrinks DPU fleets and therefore also the cost of acquiring and operating the cards.

Cisco is happy for Hypershield to use DPUs from any vendor, running in servers from any manufacturer.

But only Cisco networking hardware can run DPUs and Hypershield – and that hardware doesn't exist yet.

Once it debuts, Cisco will pitch its DPU-enabled switches as a fine upgrade to both your network and your security.

"Every time a customer refreshes hardware, it becomes a new enforcement point," Gillis enthused.

There is an element of evil genius here, because switching is commodified so devices seldom need to be replaced – except when networks expand and/or new bandwidth-intensive apps come along. For those not yet dabbling with demanding workloads like AI, Hypershield may be the best reason in years to consider new networking hardware purchases.

Hypershield will be licensed per "workload" – a Cisco metric based on core count and other factors. A cloudy app will serve as the management console.

Gillis was at pains to describe Hypershield as a security architecture expressed in software – not just software appliances replacing networking boxes. "This is not a VM of an existing firewall," he stressed. "It is a new architecture from the ground up."

Hypershield will debut in August with its eBPF incarnation. Other elements will follow over time.

And before you ask: "Hypershield" – Cisco really went there for the name?

The company asks the FCC for clearance to test the cellular Starlink technology in several other markets, including Australia, Canada, Japan, and New Zealand.

SpaceX is asking for regulatory clearance to expand testing for its cellular Starlink system outside the US, including Canada, Australia, and Japan.

The company has requested the special temporary authority from the FCC, according to a new regulatory filing. The goal is to test the cellular Starlink technology outside the US for 180 days starting on May 1.

During the tests, SpaceX will beam the internet connectivity from the company’s “Direct to Cell” satellites to unmodified phones on the ground. In the US, SpaceX plans on delivering the broadband through AT&T. But elsewhere, the company has struck partnerships with local carriers, with the aim of using their licensed radio spectrum to send the internet data to customers' phones.

   

Google is about to go on a purge for security purposes — save your old account by signing in by December 1.

t’s the last call to keep any Gmail accounts you haven’t used recently.

Beginning December 1, Google will start deleting accounts that have been inactive for two years, including all associated photos, Drive documents, contacts, emails, and calendar entries. The tech giant first announced this change in their inactivity policy in May.

Google confirmed to Computerworld that it’s proceeding with the deletion plan. “We plan to roll this out slowly and in phases, not all at once,” spokesperson Christa Muldoon said. “We'll be starting with accounts that were created and never used.”

Separate Gmail accounts held by the same user under different names are also subject to deletion, Muldoon said.

In a blog post, Google said they're removing accounts that haven't been used in a while because these accounts can be less secure. The old accounts might have previously used passwords or no extra security steps like two-factor authentication. The first accounts to go will be ones that someone created but never used again.

If you don't want your Google account deleted, log in and use something like Google Drive, Google Photos, Gmail, or Google Play. You can do simple things like send an email, download an app, search on Google, or watch a YouTube video to show you're still using the account. Your account won't be deleted if you have a Google One subscription or other active app subscriptions.

Google will warn people several times before they delete their accounts. This notice allows you to save your stuff using Google's Takeout service or other places to save files like Dropbox or Microsoft OneDrive. Google’s Inactive Account Manager allows users to choose what happens to their account and data if it becomes inactive for up to 18 months. When signing up, users can opt to send specific files to chosen trusted contacts, set up an autoresponder in Gmail, or decide to delete their account altogether.

If you have an old Google account and can't recall the details, there's a way to recover it. Forgot your password? Use Google's password recovery tool. You'll have to answer a few questions to confirm you own the account. Can't remember the email address? Google's account recovery tool can help. You'll need the phone number or a recovery email linked to the account. Tips and links to account recovery resources can be found on the Google Account Help web page.

Google's recent changes to its inactivity policy will affect only personal account holders, not users with school or business accounts.

I would not claim to be a WireShark expert. I actually find it a little overwhelming. There is so much detailed information to process & understand.
But that being said, I think it is a great tool for looking at raw network data, especially when unusual network activity seems to be occurring. 

One thing I think helps is to have an internal DNS server or proxy DNS.  This way you can look at hostnames rather than IP addresses in the live streams. If DNS records do not exist for the devices involved, create static records for the devices not resolving.  Go to Edit, Preferences, Name Resolution, add your DNS server.  
With local DNS resolution configured and working, reading the data stream becomes much easier. Understanding the packet info is the key to getting the most out of WireShark.

A novel denial-of-service (DoS) attack vector has been found to target application-layer protocols based on User Datagram Protocol (UDP), putting hundreds of thousands of hosts likely at risk.

Called Loop DoS attacks, the approach pairs "servers of these protocols in such a way that they communicate with each other indefinitely," researchers from the CISPA Helmholtz-Center for Information Security said.

UDP, by design, is a connectionless protocol that does not validate source IP addresses, making it susceptible to IP spoofing.

Thus, when attackers forge several UDP packets to include a victim IP address, the destination server responds to the victim (as opposed to the threat actor), creating a reflected denial-of-service (DoS) attack.
The latest study found that certain implementations of the UDP protocol, such as DNS, NTP, TFTP, Active Users, Daytime, Echo, Chargen, QOTD, and Time, can be weaponized to create a self-perpetuating attack loop.

"It pairs two network services in such a way that they keep responding to one another's messages indefinitely," the researchers said. "In doing so, they create large volumes of traffic that result in a denial-of-service for involved systems or networks. Once a trigger is injected and the loop set in motion, even the attackers are unable to stop the attack."

Put simply, given two application servers running a vulnerable version of the protocol, a threat actor can initiate communication with the first server by spoofing the address of the second server, causing the first server to respond to the victim (i.e., the second server) with an error message.

The victim, in turn, will also exhibit similar behavior, sending back another error message to the first server, effectively exhausting each other's resources and making either of the services unresponsive.

"If an error as input creates an error as output, and a second system behaves the same, these two systems will keep sending error messages back and forth indefinitely," Yepeng Pan and Christian Rossow explained.

CISPA said an estimated 300,000 hosts and their networks can be abused to carry out Loop DoS attacks.

While there is currently no evidence that the attack has been weaponized in the wild, the researchers warned that exploitation is trivial and that multiple products from Broadcom, Cisco, Honeywell, Microsoft, MikroTik, and Zyxel are affected.

"Attackers need a single spoofing-capable host to trigger loops," the researchers noted. "As such, it is important to keep up initiatives to filter spoofed traffic, such as BCP38."

Hello,
As per usual you need a utility and expect to run it for free & its not. Digisign also charges for frequent use. I was able to launch the URL bellow and sign over 20 documents. I never signed up, or signed in. 

I believe if you create an account you are then limited when choosing the free option. The limitation seems to be 3 documents per month.
Don't sign up or sign in, just sign and download documents galore for free.

https://www.digisigner.com/free-electron...n-document

Hi,
I'm moving to a house with no prewired alarm system. In fact there is no alarm at all. I decided to purchase the OSI GEN2 Alarm system from Amazon for $300. 
When it arrived it seemed to have very easy to follow setup  instructions. I followed the instructions and added Smart Life application to my Android phone. Then with the OSI Alarm in WIFI discovery mode I tried to add the alarm to the Smart Life app. It would discover the alarm but fail to add it to the application. 

I tried resetting the alarm, I tried adding the alarm to the application manually and neither worked. I tried opening all ports and protocols on my firewalls for the IP Subnet of the WIFI. I set my Authentication to WEP2/Personal, I made sure there was no connection from the 2.4Ghz WIFI to Wifi5 or WIFI 6 & the 2.4Ghz WIFI SSID was clearly identified. None of this worked.

Then I assed a friend to use us phone, I created a hotspot with his phone and connected my phone to his hotspot. I was immediately able to add the OSI Alarm to Smart Life using the hot spot. When I disconnected from the hotspot I was still connected to the OSI Alarm and was able to arm and disarm the alarm system, get notifications on my smart phone about the alarm, control settings on the alarm from the Smart Life app.

Since disconnecting from the hot spot and using my own WIFI I was not able to rename accessories like sensors and motion detectors. Renaming these accessories is done on the smart life app and when saved appear in the OSI Alarm screen.  Is this a big problem? I would say no. Default names, custom names, they are just labels therefor in my opinion not important.

Regardless I would like the system to function 100%, so I have asked OSI support for assistance with this issue. Lets see what they come back with.


What you can take from this post is that the hotspot option is a good way to connect to the OSI Alarm when it does not work on your own WIFI network.  In my case I use two hardware firewalls and have enabled dozens of protections and limitations, 

As far as I know so far, the alarm system uses WIFI for its connectivity. I don't see why the internet has anything to do with it. Unless the Smart Life app and the OSI Alarm connect to internet resources. In this case there must be ports and hostnames or IP addresses that it connects to and transmits data, I allow most standard known ports outbound, it must be using non-standard/custom ports.

I will follow up when the accessories name change issue is resolved,
Thanks

IP Protection is now being tested in the Canary version of the browser.
Google is testing a new security feature that hides your IP address in the beta version of the Chrome browser, MSPowerUser reports. The feature is simply called “IP Protection” and will basically do what the name suggests, protect your IP address.

The new feature will hide your IP address when you’re logged into Google Chrome, limit what data suspected trackers can see about your online habits, and redirect some content requests through privacy servers instead of sending them directly to websites. It’s shouldn’t be anywhere near as effective as using a VPN, but IP Protection could be a very welcome feature for privacy enthusiasts indeed.


The IP Protection feature is so far only available on the early Canary preview version of Google Chrome. When it will be launched on the regular version of the browser is not yet clear.

The lords of the Internet propose doing away with an old, confusing IP identifier.

Anyone who’s set up a router probably understands that the IP address “192.168.x.x” signifies your local IP address. Anyone who hasn’t…doesn’t. And the global nonprofit which oversees the Internet’s address space wants to remove the confusion with a new domain: .INTERNAL.

So what, you might be saying. Most routers handle this thing behind the scenes! But just as routers have begun taking this over, a new crop of AI apps have begun using local IPs as a server interface, making it relevant once again.

On January 24, the Internet Corporation for Assigned Names and Numbers proposed the .INTERNAL domain (noted by The Register) as a solution to the local IP issue.

“There are certain circumstances where private network operators may wish to use their own domain naming scheme that is not intended to be used or accessible by the broader Domain Name System, such as within closed corporate or home networks, ICANN wrote. “IANA currently has demarcated special blocks of private-use IP addresses for such applications, but there is no comparable designated private-use namespace in the DNS. This has resulted in operational practices including informal use of top-level domains that have the potential to conflict with the root zone, or other designated purposes.”

The Internet Assigned Numbers Authority (IANA) is a department of ICANN which assigns global IP addresses and zone management in the Domain Name System (DNS).

ICANN came down to two strings: .PRIVATE and .INTERNAL. It dropped the first because it felt that the term implied a higher degree of privacy, which isn’t true. ICANN will allow time for public comment, after which the board will vote on the adoption.

Again, it’s relatively rare for the average consumer to run into the local IP block in their daily activities. Some of the newer AI apps — variants of Stable Diffusion being one example — do, however. In those cases, installing the files creates a local “server” that you access via a Web GUI. While it’s still pretty clear that you’re pinging your own PC (virtually no one accesses a site via its numerical IP address) it’s not always clear to the average user that they’re not contacting a different server. The new .INTERNAL domain will try and make that crystal clear.