Kernel prepatch 6.9-rc1

Post Syndicated from jake original https://lwn.net/Articles/966525/

The 6.9-rc1 kernel prepatch is out for
testing. Linus Torvalds described some rather large updates to the core
kernel code that are coming for 6.9:

The timer subsystem had a fairly big rewrite, to have per-cpu timer
wheels to improve performance of timers, which can be a big deal
particularly for networking. The other fairly notable core update is
to the workqueue subsystem, where one notable addition is for BH
workqueue support. That’s notable mainly because it means we finally
have a way away from tasklets. The tasklet interface has basically
been deprecated for a long while, but we’ve never really had any good
alternatives (with threaded interrupt handlers being one suggested
use-case, but not realistic in many cases).

DORA Regulation: Essential Requirements for Compliance

Post Syndicated from Editor original https://nebosystems.eu/dora-regulation-compliance-requirements/

What is DORA?

The Digital Operational Resilience Act (DORA) is a EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. DORA (EU) 2022/2554 is a regulatory framework established by the European Union to enhance the digital operational resilience of the financial sector. It aims to ensure that all participants in the financial system have the necessary safeguards and measures in place to withstand, respond to, and recover from ICT (Information and Communication Technology) related disruptions and threats.

Who is Affected?

DORA affects a wide range of entities within the EU financial sector, including:

  1. Credit Institutions and Banks: These are financial institutions that have the authority to accept deposits from the public and provide credit to individuals and businesses. Their services may include offering checking and savings accounts, loans, mortgages, and financial advice.
  2. Investment Firms: Firms that engage in various investment services such as portfolio management, investment advice, and trading in financial instruments on behalf of clients. They play a crucial role in securities markets and can range from brokerage firms to asset management companies.
  3. Insurance and Reinsurance Companies: Insurance companies provide risk management to individuals and entities by offering insurance policies. Reinsurance companies, in turn, provide insurance to other insurance companies, helping to manage and mitigate risks across the insurance industry.
  4. Payment and Electronic Money Institutions: These entities facilitate payment services and transactions, including transfers, direct debits, and credit transfers. Electronic money institutions issue electronic money, which is a digital alternative to cash used for making electronic transactions.
  5. Crypto-Asset Service Providers: These providers offer services related to cryptocurrencies and other digital assets, including exchange platforms, wallet services, and financial services involving digital tokens.
  6. Central Securities Depositories (CSDs): CSDs are institutions that hold financial instruments like stocks and bonds in electronic form and enable their transfer through book-entry. They play a pivotal role in the settlement and safekeeping of securities in financial markets.
  7. Central Counterparties (CCPs): CCPs are entities that act as intermediaries between buyers and sellers in derivative and securities markets, guaranteeing the terms of a trade even if one party defaults, thus reducing counterparty risk.
  8. Trading Venues: This term encompasses various platforms where financial instruments are traded, including regulated markets, Multilateral Trading Facilities (MTFs), and Organized Trading Facilities (OTFs).
  9. Managers of Alternative Investment Funds (AIFs) and UCITS (Undertakings for Collective Investment in Transferable Securities): These managers operate investment funds not covered by traditional banking regulations. Alternative Investment Funds (AIFs) include hedge funds, private equity, and real estate funds, while UCITS are mutual funds that are regulated at the European level, designed for retail investors.
  10. Data Reporting Service Providers: Entities that provide reporting and data services related to financial transactions, ensuring transparency and regulatory compliance in financial markets. This includes trade repositories and approved reporting mechanisms.
  11. Crowdfunding Service Providers: Platforms that connect individuals or businesses seeking to fund projects or ventures with people willing to contribute small amounts of money, typically via the internet.
  12. ICT Third-Party Service Providers to Financial Entities: These include providers offering critical ICT services such as cloud computing, data analytics, cybersecurity solutions, and software development, which are essential for the digital operations of financial entities.

These entities encompass a broad spectrum of the financial sector within the EU, each playing a critical role in maintaining the stability and integrity of financial markets, and are thus subject to DORA’s regulatory framework aimed at enhancing their operational resilience against ICT risks.

Sanctions and Penalties:

DORA, the Digital Operational Resilience Act empowers competent authorities to impose administrative penalties and remedial measures for breaches of its regulations. This includes issuing orders to cease breaches, requiring the cessation of practices contrary to DORA provisions, adopting measures to ensure ongoing compliance with legal requirements, requiring existing data traffic records from telecommunication operators under suspicion of a breach, and issuing public notices or statements about the breach and responsible parties . The imposition of penalties considers the breach’s materiality, gravity, duration, the responsible party’s degree of responsibility, financial strength, profits gained or losses avoided due to the breach, losses caused to third parties, and the level of cooperation with the competent authority.

Key Requirements of DORA:

  1. ICT Risk Management: Entities must implement and maintain an effective and comprehensive ICT risk management framework, including policies, procedures and measures to identify, protect, detect, respond and recover from ICT-related incidents.
  2. Incident Reporting: Financial entities are required to establish and maintain mechanisms for the timely detection and reporting of significant ICT-related incidents to relevant authorities.
  3. Digital Operational Resilience Testing: Financial entities must regularly test their digital resilience capabilities through various means, including threat-led penetration testing, to identify vulnerabilities and address them proactively.
  4. ICT Third-Party Risk: Entities must manage and monitor the ICT risks stemming from their reliance on third-party service providers, including cloud computing services, ensuring that these relationships do not undermine their digital operational resilience.
  5. Information Sharing: The framework encourages financial entities to share information related to cyber threats and vulnerabilities to enhance collective defense mechanisms and resilience across the financial sector.
  6. Oversight of Critical ICT Third-Party Service Providers: DORA introduces a framework for the oversight of critical ICT third-party service providers to the financial sector, aiming to mitigate systemic risk and ensure the stability of the financial system.
  7. Compliance and Enforcement: DORA establishes mechanisms for supervisory oversight, compliance and enforcement, including the potential for sanctions in cases of non-compliance with the regulation’s requirements.

By adhering to these requirements, financial entities and their ICT third-party service providers will contribute to a more resilient and stable financial system capable of withstanding and responding effectively to digital disruptions and threats.

Navigating DORA’s requirements can be complex, but you don’t have to do it alone. Nebosystems offers tailored cybersecurity measures and consulting to ensure your compliance. Ready to secure your digital resilience? Contact us today.

Contact us

Reference: Digital Operational Resilience Act (EU) 2022/2554. EUR-Lex.

Understanding GDPR: A Definitive Guide on Key Requirements and Compliance

Post Syndicated from Editor original https://nebosystems.eu/what-is-gdpr-key-requirements-guide/

In the digital landscape where data breaches and privacy concerns are increasingly prevalent, understanding the General Data Protection Regulation (GDPR) is essential for businesses and individuals alike. Implemented on May 25, 2018, GDPR represents a significant overhaul of data protection laws, setting a new global benchmark for privacy rights, security, and compliance.

What is GDPR?

The GDPR is a comprehensive data protection law that came into effect in the European Union (EU) but has far-reaching implications for companies worldwide. It represents a significant shift in the way personal data of individuals within these regions is collected, stored, processed, and protected by organizations worldwide. It aims to give individuals more control over their personal data and to unify data protection regulations across the EU, thereby simplifying the regulatory environment for international business

Who is Affected?

The GDPR affects:

  • Organizations within the EU: All entities operating within the EU, regardless of their size, that process personal data are subject to the GDPR.
  • Organizations outside the EU: Non-EU organizations that offer goods or services to individuals in the EU or monitor the behavior of individuals within the EU are also subject to the GDPR.
  • Individuals within the EU: The GDPR enhances the rights of EU residents, offering them greater control over their personal data.

Key Requirements of GDPR

The GDPR is built around several key principles that dictate how personal data should be handled, processed, and protected. Understanding these requirements is crucial for any organization striving for compliance:

  1. Lawfulness, Fairness, and Transparency: Processing must be lawful, fair and transparent to the data subject.
  2. Purpose Limitation: Data must be collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.
  3. Data Minimization: The collection of data should be limited to what is necessary in relation to the purposes for which they are processed.
  4. Accuracy: Personal data must be accurate and, where necessary, kept up to date.
  5. Storage Limitation: Data should be retained only as long as necessary for the purposes for which they are processed.
  6. Integrity and Confidentiality (Security): Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage.
  7. Accountability: The data controller is responsible for, and must be able to demonstrate, compliance with all the principles mentioned above.

Rights of Data Subjects

The GDPR enhances and introduces new rights for data subjects, including:

  • The right to be informed: Individuals have the right to be informed about the collection and use of their personal data.
  • The right of access: Individuals can access their data and ask how their data is being used.
  • The right to rectification: Individuals have the right to have inaccurate data corrected.
  • The right to erasure (Right to be Forgotten): Individuals can request the deletion of their data under certain conditions.
  • The right to restrict processing: Individuals can request the restriction of processing of their personal data.
  • The right to data portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format.
  • The right to object: Individuals can object to the processing of their personal data in certain circumstances, including for direct marketing.

Additional Requirements:

  • Consent: When processing is based on consent, it must be freely given, specific, informed, and unambiguous, with a clear affirmative action by the data subject.
  • Data Protection by Design and by Default: Organizations must implement appropriate technical and organizational measures to meet the principles of data protection effectively and safeguard individual rights. Integrating privacy considerations into the design of systems and processes, known as ‘Privacy by Design,’ is a GDPR principle that emphasizes proactive privacy measures from the outset of any project or process involving personal data.
  • Data Protection Impact Assessments (DPIAs): DPIAs are required where data processing is likely to result in high risk to the rights and freedoms of individuals, particularly with the use of new technologies.
  • Data Breach Notification: Organizations must notify the appropriate data protection authority of a data breach within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Affected individuals must also be notified if there is a high risk to their rights and freedoms.
  • Data Protection Officers (DPOs): Organizations must appoint a DPO if they are a public authority, their core activities require large scale, regular and systematic monitoring of individuals, or their core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
  • One-Stop-Shop: The GDPR introduces a one-stop-shop mechanism for organizations operating in multiple EU countries, meaning they only have to deal with a single supervisory authority.
  • Cross-Border Data Transfers: The GDPR imposes restrictions on the transfer of personal data outside the EU, ensuring that such transfers only occur to countries or entities providing an adequate level of data protection.
  • Processors Obligations: Processors are directly responsible for processing personal data in accordance with the GDPR’s mandates, including processing data based on the controller’s documented instructions, ensuring the confidentiality of the processed data, and aiding controllers in meeting their GDPR obligations .
  • Record Keeping: Controllers and processors must keep detailed records of processing activities.
  • Security of Processing: Controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Cooperation Among Supervisory Authorities: Supervisory authorities must cooperate with each other to ensure consistent application of the GDPR across the EU.
  • Certification Mechanisms, Seals, and Marks: The GDPR encourages the use of certification mechanisms, seals, and marks as evidence of compliance with its provisions, including for controllers or processors not directly subject to the regulation due to their geographical location .

By adhering to these requirements, organizations can ensure compliance with the GDPR, thereby enhancing the protection of personal data and potentially avoiding significant penalties for non-compliance. Non-compliance with the GDPR can result in hefty fines, with penalties reaching up to €20 million or 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, for the most serious infringements.

The GDPR’s impact extends beyond the borders of the EU and EEA, affecting any organization worldwide that processes the personal data of individuals within these regions. Its implementation marks a significant step towards enhancing individuals’ privacy rights and setting a new global standard for data protection.

For organizations seeking to fortify their data protection measures in line with GDPR standards, our Comprehensive GDPR Compliance Cybersecurity Solutions provide a robust framework tailored to meet the unique challenges of your business.

Whether you’re looking to enhance your cybersecurity measures or seeking expert consulting to navigate GDPR compliance, reach out Nebosystems today. Let us help you transform GDPR compliance from a daunting obligation into an opportunity for enhanced data security and trust building.

Contact us

Reference: General Data Protection Regulation (2016/679). EUR-Lex.

Седмицата (18–23 март)

Post Syndicated from Надежда Радулова original https://www.toest.bg/sedmitsata-18-23-mart/

Седмицата (18–23 март)

„Понеделник беше, ситен дъжд валеше. Вторник си замина влажен през комина“. Ето така, като в детско стихотворение, започна седмицата след Сирни заговезни: с неделната изцепка на ГЕРБ, която на моменти изглеждаше като кьорфишек, но постепенно набра скорост и доведе до голямо бум. При което отдавна разхлопаната сглобка се разпадна на ръждясали винтчета и гайки със слаби шансове за повторно сглобяване.

На фона на това бум-тряс падна голямо замазване с добре познатата ни гербаджийска маламашка. То не бяха ритуални разходки с папки до Президентството, напред-назад, иди ми – дойди ми и дай си ми куклите, мои са си! То не бяха сръдни и обиди, ти мен уважаваш ли ме, тук ме почеши, там ме погъделичкай, а сега да се извиниш, ама много трябва да се извиниш, пу – ти гониш и пр. Политически цирк, който всички сме арестувани да гледаме от първия ред вече шести ден… А междувременно ротацията става все по-голям мираж. С всички производни от него миражи.

В такива моменти не ни остава друго, освен да си кажем като Волтеровия Кандид: „… но трябва да работим градината си“. Това и продължаваме да правим в новия ни брой… Макар да сме напълно убедени, че не живеем – пак по Волтер – в „най-добрия от възможните светове“.

На тази простряна пред очите ни и все още неизсъхнала от дъжда и преговорните плюнки политическа седмица е посветен анализът на Емилия Милчева „Ще се сглобяват ли? Кой е на ход?“. Текст, в който се проследява алогическата нишка, свързваща действията на преговарящите политически „мъже“ и особения статут на жените папкоприносителки.

Светла Енчева продължава „мигрантската тема“ от предишния брой със статията си „Как думата „мигрант“ стана дехуманизираща“. Този път Светла ни представя не конкретен казус, а по-скоро разисква юридическите параметри на понятия като „мигрант“, „бежанец“, „търсещ убежище“ и прочее, включително социалния и политическия пълнеж, с който раздуваме и деформираме значенията им в България. Истински образователен текст – струва си да го прочетем внимателно, преди да формулираме позицията си по горещата в последните седмици тема.

Оставаме с проблемите на образованието в поредното интервю на Надежда Цекулова „От промяна в училищната среда към промяна в обществената“. Този път се срещаме с Мария Стайнова и Виолетка Славова от архитектурно студио „Лусио“, които се занимават с проектиране на съвременни образователни пространства в контекста на училищните сгради. Ключов процес в реформирането на цялата система, невъзможен без активното участие на ученици и учители.

След прочитането на поредната доза „научни новини“ от Михаил Ангелов, както обикновено, се чувстваме малко по-умни и обнадеждени за бъдещето. Този път това се дължи на данните от „Вояджър 1“, според които има шанс комуникацията с апарата да бъде подновена; на възможността да се произвежда човешки инсулин от крави; на иновациите в сферата на соларните панели и прочее градивни вести от светлата страна на човешката деятелност.

Още едно продължение тази седмица – „Малайзия по стените“ от Петя Кокудева. Пътешествието продължава сред градски рисунки по стените, из пъстри будистки храмове, нощни пазари, разкошни дърворезби и местни обичаи и легенди. Поражда спонтанни желания за незабавно отпътуване натам!

„Госпожо, Вие май сте били затруднена от учтивата форма“ е новата статия на Павлина Върбанова, сервирана в рубриката ѝ „Порция език“. Главната буква и съгласуването понякога се оказват препъникамък дори и за най-грамотните, особено в случаите, когато решенията на кодификатора са несистемни и лишени от логика.

„Ще полети ли България в Космоса?“ пита Александър Нуцов, докато „всичката Мара втасала“ в страната. Във въпроса му обаче има резон предвид  факта, че в световен мащаб високотехнологичната космическа индустрия формира все по-голям дял от бизнеса. Една от първите стъпки в тази посока е създаването на космическа агенция в България – има шанс това да се случи до края на годината. Планира се и магистърска програма в областта на космическите изследвания в поне три университета у нас.

В крайна сметка се оказва, че изучаването на Космоса често разрешава напълно земни проблеми, свързани със същата онази градина, която Кандид ни призовава да обработваме. А и кой знае, един ден градината може да се окаже част от съвсем друг пейзаж – марсиански или лунен?

Приятно четене!

P.S. В края на тази седмица дойде пролетта и си отиде големият писател Алек Попов. Ще го помним. Ще го помни езикът ни. Светъл път и памет!

Run Trino queries 2.7 times faster with Amazon EMR 6.15.0

Post Syndicated from Bhargavi Sagi original https://aws.amazon.com/blogs/big-data/run-trino-queries-2-7-times-faster-with-amazon-emr-6-15-0/

Trino is an open source distributed SQL query engine designed for interactive analytic workloads. On AWS, you can run Trino on Amazon EMR, where you have the flexibility to run your preferred version of open source Trino on Amazon Elastic Compute Cloud (Amazon EC2) instances that you manage, or on Amazon Athena for a serverless experience. When you use Trino on Amazon EMR or Athena, you get the latest open source community innovations along with proprietary, AWS developed optimizations.

Starting from Amazon EMR 6.8.0 and Athena engine version 2, AWS has been developing query plan and engine behavior optimizations that improve query performance on Trino. In this post, we compare Amazon EMR 6.15.0 with open source Trino 426 and show that TPC-DS queries ran up to 2.7 times faster on Amazon EMR 6.15.0 Trino 426 compared to open source Trino 426. Later, we explain a few of the AWS-developed performance optimizations that contribute to these results.

Benchmark setup

In our testing, we used the 3 TB dataset stored in Amazon S3 in compressed Parquet format and metadata for databases and tables is stored in the AWS Glue Data Catalog. This benchmark uses unmodified TPC-DS data schema and table relationships. Fact tables are partitioned on the date column and contained 200-2100 partitions. Table and column statistics were not present for any of the tables. We used TPC-DS queries from the open source Trino Github repository without modification. Benchmark queries were run sequentially on two different Amazon EMR 6.15.0 clusters: one with Amazon EMR Trino 426 and the other with open source Trino 426. Both clusters used 1 r5.4xlarge coordinator and 20 r5.4xlarge worker instances.

Results observed

Our benchmarks show consistently better performance with Trino on Amazon EMR 6.15.0 compared to open source Trino. The total query runtime of Trino on Amazon EMR was 2.7 times faster compared to open source. The following graph shows performance improvements measured by the total query runtime (in seconds) for the benchmark queries.

Many of the TPC-DS queries demonstrated performance gains over five times faster compared to open source Trino. Some queries showed even greater performance, like query 72 which improved by 160 times. The following graph shows the top 10 TPC-DS queries with the largest improvement in runtime. For succinct representation and to avoid skewness of performance improvements in the graph, we’ve excluded q72.

Performance enhancements

Now that we understand the performance gains with Trino on Amazon EMR, let’s delve deeper into some of the key innovations developed by AWS engineering that contribute to these improvements.

Choosing a better join order and join type is critical to better query performance because it can affect how much data is read from a particular table, how much data is transferred to the intermediate stages through the network, and how much memory is needed to build up a hash table to facilitate a join. Join order and join algorithm decisions are typically a function performed by cost-based optimizers, which uses statistics to improve query plans by deciding how tables and subqueries are joined.

However, table statistics are often not available, out of date, or too expensive to collect on large tables. When statistics aren’t available, Amazon EMR and Athena use S3 file metadata to optimize query plans. S3 file metadata is used to infer small subqueries and tables in the query while determining the join order or join type. For example, consider the following query:

SELECT ss_promo_sk FROM store_sales ss, store_returns sr, call_center cc WHERE 
ss.ss_cdemo_sk = sr.sr_cdemo_sk AND ss.ss_customer_sk = cc.cc_call_center_sk 
AND cc_sq_ft > 0

The syntactical join order is store_sales joins store_returns joins call_center. With the Amazon EMR join type and order selection optimization rules, optimal join order is determined even if these tables don’t have statistics. For the preceding query if call_center is considered a small table after estimating the approximate size through S3 file metadata, EMR’s join optimization rules will join store_sales with call_center first and convert the join to a broadcast join, speeding-up the query and reducing memory consumption. Join reordering minimizes the intermediate result size, which helps to further reduce the overall query runtime.

With Amazon EMR 6.10.0 and later, S3 file metadata-based join optimizations are turned on by default. If you are using Amazon EMR 6.8.0 or 6.9.0, you can turn on these optimizations by setting the session properties from Trino clients or adding the following properties to the trino-config classification when creating your cluster. Refer to Configure applications for details on how to override the default configurations for an application.

Configuration for Join type selection:

session property: rule_based_join_type_selection=true
config property: rule-based-join-type-selection=true

Configuration for Join reorder:

session property: rule_based_join_reorder=true
config property: rule-based-join-reorder=true

Conclusion

With Amazon EMR 6.8.0 and later, you can run queries on Trino significantly faster than open source Trino. As shown in this blog post, our TPC-DS benchmark showed a 2.7 times improvement in total query runtime with Trino on Amazon EMR 6.15.0. The optimizations discussed in this post, and many others, are also available when running Trino queries on Athena where similar performance improvements are observed. To learn more, refer to the Run queries 3x faster with up to 70% cost savings on the latest Amazon Athena engine.

In our mission to innovate on behalf of customers, Amazon EMR and Athena frequently release performance and reliability enhancements on their latest versions. Check the Amazon EMR and Amazon Athena release pages to learn about new features and enhancements.

About the Authors

Bhargavi Sagi is a Software Development Engineer on Amazon Athena. She joined AWS in 2020 and has been working on different areas of Amazon EMR and Athena engine V3, including engine upgrade, engine reliability, and engine performance.

Sushil Kumar Shivashankar is the Engineering Manager for EMR Trino and Athena Query Engine team. He has been focusing in the big data analytics space since 2014.

Metasploit Weekly Wrap-Up 03/22/2024

Post Syndicated from Egor Kalinichev original https://blog.rapid7.com/2024/03/22/metasploit-weekly-wrap-up-03-22-2024/

New module content (1)

OpenNMS Horizon Authenticated RCE

Metasploit Weekly Wrap-Up 03/22/2024

Author: Erik Wynter
Type: Exploit
Pull request: #18618 contributed by ErikWynter
Path: linux/http/opennms_horizon_authenticated_rce
AttackerKB reference: CVE-2023-0872

Description: This module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user. For versions 32.0.2 and higher, this module requires valid credentials for a user with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST. For versions 32.0.1 and lower, credentials are required for a user with ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges.

Enhancements and features (5)

  • #18838 from SickMcNugget – This adds support for Debian and includes a number of fixes and improvements for the runc_cwd_priv_esc module. Prior to this fix, the module would incorrectly report some of the versions that the patch had been back ported to as vulnerable.
  • #18841 from randomstr1ng – This PR updates the sap_icm_paths.txt wordlist with the newest entries.
  • #18885 from errorxyz – Enhances the sessions command so that both Meterpreter and the top level Metasploit prompt support sessions -i -1.
  • #18978 from dwelch-r7 – This PR updates several login modules to now display some messaging to the end of scans to tell the user how many credentials and/or sessions were successful.
  • #18980 from zgoldman-r7 – Improves the help command wording when interacting with basic shells.

Bugs fixed (2)

  • #18947 from molecula2788 – Fixes an issue with exploits/windows/local/wmi_persistence module when Powershell obfuscation was applied.
  • #18974 from zeroSteiner – Fixes a typo in the help menu of the dns command.

Documentation added (1)

  • #18965 from adfoster-r7 – This PR updates our README.md to remove a stale documentation link.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

The collective thoughts of the interwebz