Helping Keep Governments Safe and Secure

Post Syndicated from Sam Rhea original


Today, we are excited to share that Cloudflare and Accenture Federal Services (AFS) have been selected by the Department of Homeland Security (DHS) to develop a joint solution to help the federal government defend itself against cyberattacks. The solution consists of Cloudflare’s protective DNS resolver which will filter DNS queries from offices and locations of the federal government and stream events directly to Accenture’s analysis platform.

Located within DHS, the Cybersecurity and Infrastructure Security Agency (CISA) operates as “the nation’s risk advisor.”1 CISA works with partners across the public and private sector to improve the security and reliability of critical infrastructure; a mission that spans across the federal government, State, Local, Tribal, and Territorial partnerships and the private sector to provide solutions to emerging and ever-changing threats.

Over the last few years, CISA has repeatedly flagged the cyber risk posed by malicious hostnames, phishing emails with malicious links, and untrustworthy upstream Domain Name System (DNS) resolvers.2 Attackers can compromise devices or accounts, and ultimately data, by tricking a user or system into sending a DNS query for a specific hostname. Once that query is resolved, those devices establish connections that can lead to malware downloads, phishing websites, or data exfiltration.

In May 2021, CISA and the National Security Agency (NSA) proposed that teams deploy protective DNS resolvers to prevent those attacks from becoming incidents. Unlike standard DNS resolvers, protective DNS resolvers check the hostname being resolved to determine if the destination is malicious. If that is the case, or even if the destination is just suspicious, the resolver can stop answering the DNS query and block the connection.

Earlier this year, CISA announced they are not only recommending a protective DNS resolver — they have launched a program to offer a solution to their partners. After a thorough review process, CISA has announced that they have selected Cloudflare and AFS to deliver a joint solution that can be used by departments and agencies of any size within the Federal Civilian Executive Branch.

Helping keep governments safer

Attacks against the critical infrastructure in the United States are continuing to increase. Cloudflare Radar, where we publish insights from our global network, consistently sees the U.S. as one of the most targeted countries for DDoS attacks. Attacks like phishing campaigns compromise credentials to sensitive systems. Ransomware bypasses traditional network perimeters and shuts down target systems.

The sophistication of those attacks also continues to increase. Last year’s SolarWinds Orion compromise represents a new type of supply chain attack where trusted software becomes the backdoor for data breaches. Cloudflare’s analysis of the SolarWinds incident observed compromise patterns that were active over eight months, during which the destinations used grew to nearly 5,000 unique subdomains.

The increase in volume and sophistication has driven a demand for the information and tools to defend against these types of threats at all levels of the US government. Last year, CISA advised over 6,000 state and local officials, as well as federal partners, on mechanisms to protect their critical infrastructure.

At Cloudflare, we have observed a similar pattern. In 2017, Cloudflare launched the Athenian Project to provide state, county, or municipal governments with security for websites that administer elections or report results. In 2020, 229 state and local governments, in 28 states, trusted Cloudflare to help defend their election websites. State and local government websites served by Cloudflare’s Athenian Project increased by 48% last year.

As these attacks continue to evolve, one thing many have in common is their use of a DNS query to a malicious hostname. From SolarWinds to last month’s spearphishing attack against the U.S. Agency for International Development, attackers continue to rely on one of the most basic technologies used when connecting to the Internet.

Delivering a protective DNS resolver

User activity on the Internet typically starts with a DNS query to a DNS resolver. When users visit a website in their browser, open a link in an email, or use a mobile application, their device first sends a DNS query to convert the domain name of the website or server into the Internet Protocol (IP) address of the host serving that site. Once their device has the IP address, they can establish a connection.

Figure 1. Complete DNS lookup and web page query

Attacks on the Internet can also start the same way. Devices that download malware begin making DNS queries to establish connections and leak information. Users that visit an imposter website input their credentials and become part of a phishing attack.

These attacks are successful because DNS resolvers, by default, trust all destinations. If a user sends a DNS query for any hostname, the resolver returns the IP address without determining if that destination is suspicious.

Some hostnames are known to security researchers, including hostnames used in previous attacks or ones that use typos of popular hostnames. Other attacks start from unknown or new threats. Detecting those requires monitoring DNS query behavior, detecting patterns to new hostnames, or blocking newly seen and registered domains altogether.

Protective DNS resolvers apply a Zero Trust model to DNS queries. Instead of trusting any destination, protective resolvers check the hostname of every query and IP address of every response against a list of known malicious destinations. If the hostname or IP address is in that list, the resolver will not return the result to the user and the connection will fail.

Building a solution with Accenture Federal Services

The solution being delivered to CISA, Cloudflare Gateway, builds on Cloudflare’s network to deliver a protective DNS resolver that does not compromise performance. It starts by sending all DNS queries from enrolled devices and offices to Cloudflare’s network. While an ever larger share of HTTP traffic on the Internet is encrypted, the default protocol most devices use to send DNS queries is still unencrypted. Cloudflare Gateway’s protective DNS resolver supports encrypted options like DNS over HTTPS (DoH) and DNS over TLS (DoT).

Next, blocking DNS queries to malicious hostnames starts with knowing what hostnames are potentially malicious. Cloudflare’s network provides our protective DNS resolver with unique visibility into threats on the Internet. Every day, Cloudflare’s network handles over 800 billion DNS queries. Our infrastructure responds to 25 million HTTP requests per second. We deploy that network in more than 200 cities in over 100 countries around the world, giving our team the ability to see attack patterns around the world.

We convert that data into the insights that power our security products. For example, we analyze the billions of DNS queries we handle to detect anomalous behavior that would indicate a hostname is being used to leak data through a DNS tunneling attack. For the CISA solution, Cloudflare’s datasets are further enriched by applying additional cybersecurity research along with Accenture’s Cyber Threat Intelligence (ACTI) feed to provide signals to detect new and changing threats on the internet. This dataset is further analyzed by data scientists using advanced business intelligence tools powered by artificial intelligence and machine learning.
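The following is an added example, not Cloudflare’s code, of the two-gate policy the previous sections describe: the query name is checked against a hostname blocklist, a short list of protected brand names (typosquat detection by edit distance), and a newly-registered-domain rule, and the answer IPs are checked against an IP blocklist; on top of that it applies the kind of DNS-tunnelling heuristic mentioned just above (many distinct subdomains, or a very long label, under one zone). All lists, registration dates, thresholds and query names are constructed for the example; the `.example` names and documentation IP ranges are placeholders, not real indicators.

```python
"""Added example: a toy protective DNS policy (not Cloudflare's code).

It models the checks the text describes: hostname and answer-IP blocklist
matching, typosquat detection against protected brand names, a
newly-registered-domain rule, and a per-zone subdomain-cardinality /
label-length heuristic for DNS tunnelling. Every list, date and query
below is constructed for the example; the .example names and
documentation IP ranges are placeholders, not real indicators.
"""
from collections import defaultdict
from datetime import date

# Constructed threat data (placeholders, not real IoCs)
BLOCKED_HOSTNAMES = {"malware-drop.example", "login-update.example"}
BLOCKED_IPS = {"203.0.113.7"}
PROTECTED_BRANDS = ["cloudflare.com"]
REGISTRATION_DATES = {"fresh-site.example": date(2021, 7, 28)}
TODAY = date(2021, 8, 2)

NEW_DOMAIN_DAYS = 30           # block zones registered fewer days ago than this
TYPOSQUAT_MAX_DISTANCE = 2     # edit distance to a protected brand that is "too close"
TUNNEL_UNIQUE_SUBDOMAINS = 50  # distinct subdomains seen under one zone
TUNNEL_MIN_LABEL_LEN = 30      # a single label this long looks like encoded data


def registrable_domain(hostname):
    """Naive eTLD+1 (last two labels); enough for the constructed data."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquats of protected brands."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class ProtectiveResolverPolicy:
    """Two gates: one on the query name, one on the IPs in the answer."""

    def __init__(self):
        self.seen_subdomains = defaultdict(set)  # zone -> distinct subdomains

    def check_query(self, hostname):
        """Decide before forwarding the query. Returns (verdict, reason)."""
        name = hostname.lower().rstrip(".")
        zone = registrable_domain(name)
        if name in BLOCKED_HOSTNAMES or zone in BLOCKED_HOSTNAMES:
            return "block", "hostname on blocklist"
        for brand in PROTECTED_BRANDS:
            if zone != brand and edit_distance(zone, brand) <= TYPOSQUAT_MAX_DISTANCE:
                return "block", "possible typosquat of " + brand
        registered = REGISTRATION_DATES.get(zone)
        if registered is not None and (TODAY - registered).days < NEW_DOMAIN_DAYS:
            return "block", "newly registered domain"
        # Tunnelling heuristic: encoded data shows up as long labels or as a
        # flood of never-repeated subdomains under one zone.
        sub = name[: -len(zone)].rstrip(".") if name != zone else ""
        if sub:
            self.seen_subdomains[zone].add(sub)
            longest_label = max(len(label) for label in sub.split("."))
            if (longest_label >= TUNNEL_MIN_LABEL_LEN
                    or len(self.seen_subdomains[zone]) >= TUNNEL_UNIQUE_SUBDOMAINS):
                return "block", "DNS tunnelling pattern"
        return "allow", "no match"

    def check_response(self, hostname, answers):
        """Second gate: refuse to hand back an answer containing a blocked IP."""
        for ip in answers:
            if ip in BLOCKED_IPS:
                return "block", "answer " + ip + " on IP blocklist"
        return "allow", "no match"


if __name__ == "__main__":
    policy = ProtectiveResolverPolicy()
    for q in ["www.cloudflare.com", "c1oudflare.com", "cdn.malware-drop.example",
              "fresh-site.example", "a" * 40 + ".tunnel.example"]:
        print(q, policy.check_query(q))
    print(policy.check_response("good.example", ["203.0.113.7"]))
```

The edit-distance rule is deliberately blunt: with a distance of 2 it would also flag legitimate names that happen to sit close to a protected brand, which is why a real resolver pairs such rules with an allowlist and with the researched feeds the post describes rather than a hand-written list. The cardinality counter is per process and never ages out, so a production version would keep it in a sliding time window.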

Working towards a FedRAMP future

Our Public Sector team is focused on partnering with Federal, State and Local Governments to provide a safe and secure digital experience. We are excited to help CISA deliver an innovative, modern, and cost-efficient solution to the entire civilian federal government.

We will continue this path following our recent announcement that we are currently “In Process” in the Federal Risk and Authorization Management Program (FedRAMP) Marketplace. The government’s rigorous security assessment will allow other federal agencies to adopt Cloudflare’s Zero Trust Security solutions in the future.

What’s next?

We are looking forward to working with Accenture Federal Services to deliver this protective DNS resolver solution to CISA. This contract award demonstrates CISA’s belief in the importance of having protective DNS capabilities as part of a layered defense. We applaud CISA for taking this step and allowing us to partner with the US Government to deliver this solution.

Like CISA, we believe that teams large and small should have the tools they need to protect their critical systems. Your team can also get started using Cloudflare to secure your organization today. Cloudflare Gateway, part of Cloudflare for Teams, is available to organizations of any size.

2See, for example,;

3 Steps to Integrate Rapid7 Products Into the DevSecOps Cycle

Post Syndicated from Arvind Vishwakarma original

3 Steps to Integrate Rapid7 Products Into the DevSecOps Cycle

DevSecOps is the concept and practice of integrating security into the DevOps cycle. The idea is to bring the different phases of security into the DevOps model and try to automate the entire process, so security is integrated directly into the initial application builds.

In this post, we’ll take a closer look at how to integrate security tools into the various phases of the DevSecOps cycle. We’ll focus here on Rapid7 tools like InsightVM, InsightAppSec, and InsightOps; the same principles apply to integrating other open-source security tools into the process.

In this simple, three-step setup, we’ll use Gitlab as the Version Control System and Jenkins as the build automation server. (Before getting started, you’ll need to have the integration between Gitlab and Jenkins completed.)

We’ll be using a simple declarative script in our pipeline, as follows:

pipeline {
    agent any
    stages {
        stage("build") {
            steps {
                echo "This is a build step"
            }
        }
        stage("test") {
            steps {
                echo "This is a test step"
            }
        }
        stage("release") {
            steps {
                echo "This is an integration step"
                sh "exit 1"
            }
        }
    }
}

Step 1: Integrate InsightAppSec

First, we’ll include the InsightAppSec Scan in the pipeline. Ideally, this would be in the DAST stage.

To get started, we’ll install the InsightAppSec Plugin. We’ll need a few more details on hand, like the Scan Configuration ID and the InsightAPI key, which you can fetch from the InsightAppSec platform. We can then set up the scan on the InsightAppSec platform or use the InsightAppSec APIs to create a scan. Once we have the required details, we can kick-start the scan in our pipeline.

Here, we’ve used a Python script to add an app and create a scan configuration on the InsightAppSec platform.


Now, with the App Name and Scan Configuration ID, we can set up the scan in the pipeline with the following code:

stage("dast-InsightAppSec") {
    steps {
        // A failed scan marks only this stage UNSTABLE; the build itself still succeeds
        catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') {
            insightAppSec region: 'US', insightCredentialsId: 'Insightappsec-api', scanConfigId: '9d31d36a-f590-4129-aba3-9212fe67fa8e', buildAdvanceIndicator: 'SCAN_COMPLETED', vulnerabilityQuery: 'vulnerability.severity=\'HIGH\'', maxScanPendingDuration: '0d 0h 10m', maxScanExecutionDuration: '0d 1h 0m', appId: 'HackMe', enableScanResults: true
        }
    }
}

The “scanConfigId” and “appId” values are already filled in with our own details; the only thing left to replace is the “insightCredentialsId”, which must point to the InsightAppSec API key. Setting the “enableScanResults” option to “true” adds the scan results to the Jenkins Build page as a new option labelled InsightAppSec Scan Results.

Step 2: Integrate the InsightVM Container Scanner

Next, we’ll integrate the InsightVM Container Scanner in the pipeline. In this step, we’ll build our Docker Image and scan it using InsightVM Container Scanner before pushing it into our registry to host apps in our staging or production environment.

To get started, we first have to install the InsightVM Container Scanner plugin on our Jenkins Server.

We’ll be building our Docker container using a Dockerfile, which we have to add to our Gitlab repository. After building the Docker container, we’ll scan it using the InsightVM Scanner.

We can set up the InsightVM Scanner in our pipeline with the following code:

stage("InsightVM Scan") {
    environment {
        dockerUrl = ""
        dockerCreds = "registry-auth"
    }
    steps {
        script {
            catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') {
                // Build the image from the Dockerfile in the repository (Docker Pipeline plugin)
                dockerImage = docker.build('user/repo:$BUILD_NUMBER')
                echo "Built image ${dockerImage.id}"
                // Hand the freshly built image to the InsightVM Container Scanner
                assessContainerImage failOnPluginError: true,
                    imageId: "${dockerImage.id}",
                    thresholdRules: [
                        // threshold rules truncated in the original post
                    ]
            }
        }
    }
}

The results of the pipeline should appear as a new option on the build page, with the label Rapid7 Assessment. Alternatively, the results are also available on the Builds tab of the Containers option within the InsightVM platform.

Step 3: Integrate InsightOps

In the final step, we’ll integrate InsightOps, Rapid7’s log management solution, into the pipeline. This integration will forward all the logs to the InsightOps platform.

To get started, we have to install the Logstash plugin on our Jenkins server. Then, to set up InsightOps, we’ll have to configure a collection source on our InsightOps platform.

Simply log into the InsightOps platform, then click on Add Data > Select Webhook — you’ll find this option under System data. Then, name the log set as Jenkins-Console and copy the URL for the log entries.


On the Jenkins Server, head to the Configuration page and scroll down to the Logstash option. Click on “Enable sending logs to an Indexer,” and select the Indexer type as Elastic Search. Finally, paste the log-entries URL that was copied from InsightOps. Remember to append the InsightAPI key to the URL.


To send the logs, we can either select the Enable Globally option or add the Logstash option to the pipeline, as shown in the following code:

pipeline {
    agent any
    stages {
        stage("build") {
            steps {
                echo "This is a build step"
            }
        }
        stage("test") {
            steps {
                echo "This is a test step"
            }
        }
        stage("release") {
            steps {
                echo "This is an integration step"
                sh "exit 1"
            }
        }
        stage("deploy") {
            steps {
                // Pause for a manual approval before deploying
                input "Deploy to production?"
                echo "This is a deploy step."
            }
        }
    }
}

After editing the pipeline, we can run the build again and look at the log data on our InsightOps dashboard.


Lastly, we’ve embedded some other open-source tools to complete our DevSecOps pipeline. The final pipeline looks something like this:


This three-step process is an intuitive way to integrate Rapid7 products into a DevSecOps pipeline, but it’s just one way to approach the task. Because our products support APIs, you can set up the integration according to your environment, so you have the flexibility to build the DevSecOps pipeline you need.

The European Space Agency Launches Hackable Satellite

Post Syndicated from Bruce Schneier original

Of course this is hackable:

A sophisticated telecommunications satellite that can be completely repurposed while in space has launched.


Because the satellite can be reprogrammed in orbit, it can respond to changing demands during its lifetime.


The satellite can detect and characterise any rogue emissions, enabling it to respond dynamically to accidental interference or intentional jamming.

We can assume strong encryption, and good key management. Still, seems like a juicy target for other governments.

Raspberry Pi ‘WeatherClock’ shows you the hour’s forecast

Post Syndicated from Ashley Whittaker original

Meet Eli’s WeatherClock, a digital–analogue timepiece that displays the weather at each hour of the day as well as the time. Here’s an example: every day at 3pm, instead of the hour hand just pointing to a number three on the clock’s face, it also points to a visual representation of what the weather is doing. Obviously, Eli’s WeatherClock still tells the time using the standard positions of the hour and minute hands, but it does two jobs in one, and it looks much more interesting than a regular clock.

We agree, she is lovely (turn the sound on for the video and that will make sense)

Detailed forecast

You can also press on any hour position of the watch’s touchscreen display to see more detailed meteorological information, such as temperature and the likelihood of rain. Then, once you’ve gotten all the detail you need, you return to the simple analogue resting face by pressing the centre of the touchscreen.

Weather details view of the weatherclock digital-analogue clock project.
weatherClock can give you more detail if you want it to

Under the hood

The device uses the OpenWeatherMap API to fetch weather data for your location. It’s a simple build powered by a Raspberry Pi Zero W with a Pimoroni 4″ HyperPixel Hi-Res Display providing the user interface. And its slim, pocket-sized design means you can take it with you on your travels.

Inside view of the weatherclock digital-analogue clock project.
Tiny Raspberry Pi Zero W and a Pimoroni 4″ touchscreen fit inside perfectly

We found this creation on The Digital Vagrant‘s YouTube channel. A friend named Eli gave them the idea so the maker named the project after him. The Digital Vagrant liked the idea of being able to quickly check the weather before leaving the house — no need to check a computer or get your phone out of your bag.

Side view of the weatherclock digital-analogue clock project.
Its super slim design makes WeatherClock portable

Want to make your own WeatherClock? The lovely maker has deposited everything you need on GitHub.

The post Raspberry Pi ‘WeatherClock’ shows you the hour’s forecast appeared first on Raspberry Pi.

Raspberry Pi powers weather station in Nepal

Post Syndicated from Ashley Whittaker original

This Raspberry Pi-powered weather station is a vital tool for Nepalese farmers, who work in remote, changeable conditions, and rely heavily on monitoring the environment.

nepal weather station being built
All the parts had to be low-cost and easy to maintain

It’s hard to forecast the weather in Nepal. Conditions can vary a lot within a small area because the country is so mountainous. Plus, there is no national weather service. This makes life even harder for farmers working in remote villages, so there were a few essential elements any solution had to have:

  • Low-cost to build
  • Reliable and easy to maintain
  • Solar power operated
  • Could also run on readily available motorcycle batteries when the solar panels don’t get enough sun
nepal weather station on the roof
A simple plastic food container keeps the hardware safe and dry

How was it made?

The battery-backed, solar-powered weather station was built by a team led by Prabesh Sapkota and Binod Kandel from the Robotics Association of Nepal, and they were able to complete the project affordably using Raspberry Pi. Prabesh and his team wrote the software and created a display dashboard in Raspbian Jessie.

nepal weather station hardware insides
The core components put together as a prototype with a breadboard to check everything worked

However, one of the issues they faced was being able to reliably power the Raspberry Pi and Arduino, and that’s where the BitScope Blade Uno came into play (more on that later).

The weather station’s sensors measure temperature, barometric pressure, humidity, and wind direction and speed. All of the sensors are connected to the Arduino, which records the data and sends it to the Raspberry Pi to display on the dashboard.

Full kit list:

nepal weather station in action
Testing out the weather station on the roof

The team is working with an Australian sponsor to run workshops on basic electronics in the hopes of building more of these affordable weather stations for rural schools and remote areas.

What is Bitscope Blade?

This weather station is an inspiring application of element14’s BitScope Blade. These power and mounting solutions were developed for those working in challenging conditions, making them perfect for remote areas of Nepal without access to reliable power.

Bitscope Blade is a “robust power and mounting solution for the industrial deployment of Raspberry Pi.” You can choose from three editions based upon the number of Raspberry Pi you’ll be using:

  • BitScope Blade Uno (above far left) is a flexible power and mounting solution for one Raspberry Pi and optional HAT. It’s recommended for makers, students and engineers.
  • BitScope Blade Duo (above centre) is a mountable solution for a pair of Raspberry Pi and is ideal for building a stand-alone desktop and server system.
  • BitScope Blade Quattro (above far right) works with four Raspberry Pi and can support the creation of compute clusters, private clouds or build farms.

The post Raspberry Pi powers weather station in Nepal appeared first on Raspberry Pi.

The Netherlands fines TikTok

Post Syndicated from nellyo original

On 22 July 2021 the Dutch Data Protection Authority (“NL DPA”) announced that it had imposed a fine of EUR 750,000 on TikTok for violating the privacy of children.

The data protection authority presented a report with its findings to the company in October 2020. In response, TikTok introduced a number of changes to make its app safer for children.

The NL DPA found that the notice provided to users when installing and using the TikTok app was in English and not easily understandable, thereby violating the EU General Data Protection Regulation (“GDPR”), in particular the principle of transparency.

Article 12 of the GDPR requires controllers to take appropriate measures to provide information about their data processing activities in a concise, transparent, intelligible and easily accessible form, using clear language, in particular for activities affecting children. Recital 58 of the GDPR states that “children merit specific protection”. The information provided was in English and, moreover, was not understandable for young children.

The Dutch DPA has transferred the case to the Irish Data Protection Commission (the authority for the company’s EU headquarters) to complete the investigation and issue a final decision on other potential violations.


press release and decision

Spanish supermarket chain fined EUR 2,520,000 for unlawful use of an image recognition system

Post Syndicated from nellyo original

On 27 July 2021 the Spanish Data Protection Authority (“AEPD”) imposed a fine of EUR 2,520,000 on the Spanish supermarket chain Mercadona, S.A. for unlawful use of an image recognition system. Following its investigation, the AEPD found that Mercadona had used a system to recognise the faces of visitors in 48 of its stores across Spain for several months, in order to detect persons with criminal convictions or restraining orders (in particular persons who had received a restraining order after assaulting a store employee, or who had been convicted for an incident in a store).

The system and the associated processing of biometric data covered the faces of all customers entering Mercadona’s supermarkets, including children and Mercadona employees. The AEPD found that none of the legal bases available under Article 9 of the EU General Data Protection Regulation (which sets out the legal bases for processing sensitive data, including biometric data) applied to Mercadona and declared the processing unlawful.

The AEPD found that the processing did not comply with the principles of necessity, proportionality and data minimisation, transparency and privacy by design. In addition, the AEPD found that the data protection impact assessment carried out by Mercadona was insufficient and incomplete. The AEPD initially decided to impose a fine of EUR 3,150,000 but subsequently reduced the amount because of voluntary payment.


The decision, available only in Spanish.

Luxembourg fines Amazon EUR 746 million for GDPR violations

Post Syndicated from nellyo original

On 16 July 2021 the Luxembourg data protection authority (the National Commission for Data Protection, “CNPD”) imposed a record fine of EUR 746 million on Amazon Europe Core S.à.r.l. for violations of the EU General Data Protection Regulation (“GDPR”). The CNPD additionally ordered Amazon to revise some of its practices. The CNPD acts as the lead supervisory authority for Amazon in the EU, since the company’s EU headquarters is in Luxembourg.

Based on press reports and public statements by Amazon, the fine appears to relate to the use of Amazon customers’ data for targeted advertising. The amount of the fine is significantly higher than the fine proposed in a draft decision that was reported earlier in the press. Although the CNPD’s decision is not publicly available, it was confirmed by Amazon, which also stated that it would appeal the decision.


EU Strategic Framework for Roma Equality, Inclusion and Participation

Post Syndicated from nellyo original

It turns out that there is a dedicated European Roma Holocaust Memorial Day, and it is 2 August.

On this occasion, the European Commission declared that

“Hatred, racially motivated violence and ethnic profiling have no place in our Union, which is built on respect for human rights.

Today we once again call on the Member States to commit to the EU Strategic Framework for Roma Equality, Inclusion and Participation of October 2020. Together we can make the European Union more equal, especially for the members of its largest ethnic minority.”


More information can be found in the document here.

The EU Strategic Framework for Roma

Top 5: Featured Architecture Content for July

Post Syndicated from Elyse Lopez original

The AWS Architecture Center provides new and notable reference architecture diagrams, vetted architecture solutions, AWS Well-Architected best practices, whitepapers, and more. This blog post features some of our best picks from the new and newly updated content we released this month.

1. Tag Tamer Solution

Consistency is key when you’re using tags to keep your AWS resources organized. This brand-new AWS Solutions Implementation helps you apply and manage tags for new and existing AWS resources via a pre-built web user interface that enforces tagging rules and helps you spot inconsistencies.

Tag Tamer solution

2. AWS DevOps Monitoring Dashboard

Do you need better insight into how your DevOps initiatives are performing? This new AWS Solutions Implementation automates the process of ingesting, analyzing, and visualizing continuous integration/continuous delivery (CI/CD) metrics for near-real-time analytics. The solution includes pre-built Amazon QuickSight dashboards, but you can also customize it for use with your existing business intelligence tools.

3. An Overview of AWS Cloud Data Migration Services

Migrating data to the cloud is a well-understood business imperative, but it’s still ongoing work for many, many AWS customers. Effective planning of data migrations—particularly when working with live, mission-critical data—should use best practices built from broad experience. This whitepaper was recently updated with the latest guidance.

4. Building an AWS Perimeter

In traditional on-premises environments, you establish a high-level perimeter to help keep untrusted entities from getting in and your data from getting out. This new whitepaper offers guidance on how to draw the same sort of circle around your AWS resources in the cloud so you can clearly separate “my AWS” from other customers.

5. AWS Well-Architected Tool

This update to the AWS Well-Architected Tool gives you the option to mark certain best practices as “not applicable” when you’re running a workload review, and to record why the best practice doesn’t apply. The new functionality offers better flexibility when certain best practices might not be applicable to your business needs or organizational maturity. You can mark best practices as not applicable using the Well-Architected API, too.
