Image: Evolv Have you ever gone to a sporting event and spent what seems like an eternity just trying to get in? Security technologies can slow lines down to a grinding halt, and they’re not always effective – your necklace, keys, and belt may set the metal detector off, while weapons can still get through. […] More
Starbucks says personal data of some customers in Singapore has been compromised, including names, birthdates, and mobile numbers. While credit card details and passwords have not been leaked, it has advised customers to change their password. The US F&B chain sent email messages to multiple customers on Friday, notifying them that it had detected “unauthorised activity online” as well as “some unauthorised access to customer details”. These included names, dates of birth, mobile numbers, and residential addresses, if the personal data had been provided to Starbucks.It said details related to its Rewards customer loyalty programme, such as stored value and credits, were unaffected. Credit card data also had not been compromised since it did not store such information, according to Starbucks. The retailer said local authorities had been informed and it was assisting them on the security incident. While passwords were not compromised, the company urged its customers to reset their password immediately. ZDNET understands that hackers already are peddling the data on an online forum that specialises in the trading of stolen databases. In a September 10 post, the hackers claimed to have access to Starbucks Singapore’s “full database” containing more than 553,000 records and offered a sample dump. In its email, Starbucks said it had implemented additional measures to safeguard customer information, but did not provide details on what these entailed. ZDNET has reached out to the US retailer for more information, including how many customers were affected by the breach, what systems were breached, and when the breach was first uncovered. This article will be updated if and when Starbucks responds. RELATED COVERAGE More
Uber reportedly has suffered another massive security incident, which is likely more extensive than its 2016 data breach and potentially may have compromised its entire network. It also can result in access logs being deleted or altered. A hacker on Thursday was believed to have breached multiple internal systems, with administrative access to Uber’s cloud services including on Amazon Web Services (AWS) and Google Cloud (GCP). “The attacker is claiming to have completely compromised Uber, showing screenshots where they’re full admin on AWS and GCP,” Sam Curry wrote in a tweet. The security engineer at Yuga Labs, who corresponded with the hacker, added: “This is a total compromise from what it looks like.”Uber since had shut down online access to its internal communications and engineering systems, while it investigated the breach, according a report by The New York Times (NYT), which broke the news. The company’s internal messaging platform, Slack, also was taken offline. The hacker, who claimed to be 18 years old, told NYT he had sent a text message to an Uber employee and was able to persuade the staff member to reveal a password after claiming to be a corporate information technology personnel. The social engineering hack allowed him to breach Uber’s systems, with the hacker describing the company’s security posture as weak. With the employee’s password, the hacker was able to get into the internal VPN, said Acronis’ CISO Kevin Reed in a LinkedIn post. The hacker then gained access to the corporate network, found highly privileged credentials on network file shares, and used these to access everything, including production systems, corporate EDR (endpoint detection and response) console, and Uber’s Slack management interface. It was not known, though, how the hacker was able to circumvent the two-factor authentication after obtaining the employee’s password, Reed noted.”This looks bad,” he said, noting that it was likely hackers now could access whatever data Uber had. Asked if the impact was similar or potentially greater than Uber’s 2016 data breach, Reed told ZDNET the latest compromise was certainly large and “as big as it could be”. Every system Uber operated might have been compromised, he said. While it was unclear what data the ride-sharing company retained, he noted that whatever it had most likely could be accessed by the hacker, including trip history and addresses. Given that everything had been compromised, he added that there also was no way for Uber to confirm if data had been accessed or altered since the hackers had access to logging systems. This meant they could delete or alter access logs, he said. In the 2016 breach, hackers infiltrated a private GitHub repository used by Uber software engineers and gained access to an AWS account that managed tasks handled by the ride-sharing service. It compromised data of 57 million Uber accounts worldwide, with hackers gaining access to names, email addresses, and phone numbers. Some 7 million drivers also were affected, including details of more than 600,000 driver licenses.Uber later was found to have concealed the breach for more than a year, even resorting to paying off hackers to delete the information and keep details of the breach quiet. The ride-sharing company in 2018 reached a $148 million settlement to pay $148 million over the breach and coverup, with the monies distributed across the US. RELATED COVERAGE More
Image: Joe Raedle/Getty Images Every year, thousands of Americans have their phones and other devices searched at the border before they travel abroad. Now, a US senator has revealed that when it searches these devices, US Customs and Border Protection (CBP) downloads their contents — which can include text messages, pictures, and other personal information — […] More
CNET Chrome OS has become quite the platform for users of all types. Whether you’re a typical user who spends most of your time within an operating system browsing social media, writing ad hoc papers, and shopping for the latest trends, or if you’re an administrator who has to work on remote machines throughout the […] More
Two men who helped build Cisco Systems into the internet networking giant it is today – John Chambers and Pankaj Patel – have re-teamed to form Nile, a startup that promptly aims to disrupt their ex-mothership, Cisco. Both execs left the iconic company six years ago.Their new Santa Clara, Calif.-based company emerged from stealth mode today sporting a next-gen networking-as-a-service product that CEO Patel claims needs little or no human intervention to run and has the predictive AI smarts to avoid data flow problems before they happen.Investor and board member Chambers, who served as Cisco CEO or executive chairman for 22 years and grew the company through numerous acquisitions and product updates, claimed that Nile represents the most important change to networking in more than a decade.”As the first self-driven network platform, Nile is focused on ‘disruptive simplicity,'” Chambers said in a LinkedIn post. We have a bold vision to innovate and change the status quo. “In an industry historically known for add-ons and new features to define growth, the Nile team went back to the drawing board to come up with a new system that will uniquely transform how customers acquire, deploy, consume, support, secure, and grow their networks, providing much-needed simplicity, reduced risk, and total cost of ownership. We are coming out of stealth with 50 solution providers already engaged with Nile Connect.” Supplying high-quality corporate Wi-FiNile’s Connect SaaS will supply high-grade corporate Wi-Fi instead of the conventional way companies have had to guess how much networking hardware and software they require. “I would characterize us as a company which is defined by a pretty audacious vision,” Patel told ZDNet. “From day one, we have aimed to remove this critical human dependence from the management of the network. We expect to change forever how enterprises will architect, design, acquire, deploy, configure, secure, and maintain connectivity. This will shift the dynamic of the network from security concerns; we are going to turn this into the very first zero trust network that requires no network operations.”Nile Connect also includes the following functions in its platform menu, according to Patel:maintains a metadata/data bank of secure user information that is utilized by Nile’s constant monitoring sensors to anticipate problems with network flow and fraudulent access far in advance;a holistic, pay-as-you-use consumption model that aligns simply to users on the network; guarantees network performance levels based on outcomes that matter – availability, capacity, and coverage; andremoves operational overhead and reduces risk by delivering complete lifecycle management without the management, with a self-driven network customer experience backed by extensive use of monitoring, analytics, and AI/ML-driven automation.”While the world has changed, networking largely hasn’t,” Patel said. “Of the $25 billion in hardware spent each year in wired and wireless access technology, we estimate another $75 billion is spent in operations. This simply isn’t sustainable, yet the entrenched incumbents have not responded, with business models, ecosystems, and an installed base to protect and they’d have to completely re-engineer their own existing platforms. Nile changes that – now watch us grow.”Nile sees Cisco itself – which has more legacy networking equipment spread over the globe than any other company – as one of those incumbents.Zero-trust security already built in Nile’s approach offers the first out-of-the-box zero-trust network with no network operations required, Patel said. Each user and device is automatically segmented, and every request must be authenticated and evaluated before access is granted. The result reduces the risk of cyber thieves from spreading laterally to deliver ransomware attacks. Additionally, without any complex configuration, security teams can ensure that all connections are seen and controlled no matter where they are in the network. CIOs and CISOs have long known networks as one of the greatest single sources of security risk, conflict, and workload in the enterprise. “Zero Trust has long been a goal of many organizations, one that required a lot of network engineering time and focus, and still rarely achieved its full potential,” Andy Goodenow, CIO at the University of Missouri-Kansas City, said in a media advisory. “Nile’s holistic approach to security solves the missing link for extending Zero Trust into the network.” Complete lifecycle management – without the managementNile’s cloud-native design includes deep physical and virtual instrumentation that provides continuous monitoring, extensive analytics, and AI/ML-driven automation, Patel said. The result is a self-driven network that’s always optimizing for maximum performance, he said. Software upgrades and security patching are orchestrated and delivered through automation to prevent disruption to users and devices, with Nile taking full responsibility to manage the network, Patel said.Consumption-based modelPatel said that Nile aims to provide its customers with the same benefits they see from cloud-based storage and software. The approach combines design, hardware, software, installation, maintenance, and ongoing management into a simple pay-as-you-use model, Patel said. Organizations no longer need to make large upfront capital investments while trying to anticipate needs over the next 5, 7, or even 10 years. Nile will simply add or change capacity and coverage as needs evolve for each individual customer, Patel said.Nile Connect for campus LANs and WLANs is now available in the United States and Canada, with international markets coming online in the coming months, Patel said. More
High-performance network software maker Arista Networks today unveiled what it describes as next-generation cloud-grade routing. The logic behind this is that routing needs to evolve to meet the demands of the cloud. The concept is certainly sound because networks now do much more than simply connect branch offices to a company data center. Historically, companies have thought of networks as discrete entities: mobile, carrier, and business networks. But most cloud apps traverse all three, so experience and security depend on interoperability between the domains.Arista introduced the concept of cloud-grade routing a little over half a decade ago with the idea of having a single software stack with a set of routing capabilities that could meet the needs of enterprises, service providers, and cloud operators. This week it introduced several net solutions, capabilities, and platforms to evolve that cloud-grade routing. Arista introduces TunnelSec to simplify encryption One of the new capabilities Arista has introduced is called TunnelSec which simplifies the use of different encryption technologies. As an example, it’s common for companies to deploy overlay networks to use both IPsec and MACsec encryption. TunnelSec encryption eliminates the need for external encryption traditionally used in networking. It does this by securing data-in-transit and provides in-line encryption at data rates ranging from 10G to 400G in Arista’s R3 Series routing platforms. As a result, TunnelSec removes the performance bottlenecks associated with legacy encryption deployments. With a single network platform, companies can deploy MACsec, IPsec and VXLANsec encryption. This delivers better network economics but also improves performance and network throughput. “We’re seeing a trend where there is demand for encryption. In fact, we have customers who have asked us to do encryption in the data center itself, starting right from the top-of-rack switch,” said Jeff Raymond, vice president of Extensible Operating System (EOS) product management and services at Arista. “We’ve extended that concept, where customers can have encryption end-to-end.”TunnelSec now comes embedded in Arista’s cloud-grade routing platforms. All of Arista’s products are powered by EOS and Network Data Lake (NetDL), which provides a single software base for switching, routing, telemetry, and a common set of data across all Arista platforms. The single OS and data lake are Arista’s secret sauce. More and more network operations require AI-driven insights to optimize performance and secure the network. One set of data and its OS enable Arista to analyze information much faster than if it had to aggregate silos of information. Arista’s reach has expanded past cloud titans By innovating in this space, Arista was able to cross the chasm from the data center to modern routing. The Santa Clara, Calif.-based vendor has a sizable base of customers that have successfully deployed its cloud-grade routing. The list includes cloud giants (Microsoft, Meta), specialty cloud providers (Netflix, CDLAN, Zenlayer), service providers (Comcast, Arelion, Vocus), and internet exchanges (Netnod, Equinix, Seattle Internet Exchange). Vocus, for example, has refreshed its entire backbone and edge by tapping Arista across its 200 sites. New edge capabilities introduced In addition to TunnelSec, Arista revealed a secure enterprise edge capability, which combines the data center and data center interconnect (DCI) domains. Traditionally, the technology has been used to connect two or more data centers together. Arista is bringing in a gateway functionality that allows customers to simplify their multi-cloud deployments.The last capability Arista launched is encryption and timing, designed for compact modular routing. A key aspect of the current 5G network buildout is timing. It requires highly accurate timing enabled by segment routing in order to develop the infrastructure for smart cities, autonomous vehicle connectivity, and other use cases. Arista’s new capability provides modular routing with precision timing and encrypts the traffic.Arista rolls out Jericho 2C+ hardware platforms Parallel with this announcement, Arista has expanded its R3 Series portfolio by adding 26 new products based on the Broadcom Jericho 2C+ silicon. The portfolio now includes the new R3A Series with integrated TunnelSec; 800G-ready 7800R3 with 12- and 16-slot modular systems; 7280R3A compact modular for metro, mobile, and DCI apps; and the 7280R3A Series with a 50 percent performance increase.”The products are an extension of our existing R3 family. Within the 26 products, we have some fixed systems and new modular systems as well,” said Raymond. “We’ve been able to not just integrate the scale we need for routing but also build encryption directly into all of these products.”The expanded features/products are available now in the latest EOS release. According to Raymond, customers can choose from three “flavors,” depending on their needs. The base model is focused on the data center. The middle-scale model provides encryption with a level of scalability. Lastly, the full-scale model offers both routing and encryption.Arista, once thought of as a network vendor that only served the needs of cloud titans, has come a long way in the past half-decade. It now has solutions for companies of all sizes, including mid-market enterprises. This release expands its move into routing with the aim of helping businesses shift to a cloud-first organization. More
SRI Okay, I admit it, I never outgrew the Tonka toys and the sandbox. With the dawning of a new age of construction robots, that fascination has merely transferred to the high-tech descendants of those big yellow construction machines. For example, I could watch this robot excavator dig all day. The truth is, you’re going […] More
