Tag Archives: physical security

New – Machine Learning Inference at the Edge Using AWS Greengrass

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/new-machine-learning-inference-at-the-edge-using-aws-greengrass/

What happens when you combine the Internet of Things, Machine Learning, and Edge Computing? Before I tell you, let’s review each one and discuss what AWS has to offer.

Internet of Things (IoT) – Devices that connect the physical world and the digital one. The devices, often equipped with one or more types of sensors, can be found in factories, vehicles, mines, fields, homes, and so forth. Important AWS services include AWS IoT Core, AWS IoT Analytics, AWS IoT Device Management, and Amazon FreeRTOS, along with others that you can find on the AWS IoT page.

Machine Learning (ML) – Systems that can be trained using an at-scale dataset and statistical algorithms, and used to make inferences from fresh data. At Amazon we use machine learning to drive the recommendations that you see when you shop, to optimize the paths in our fulfillment centers, fly drones, and much more. We support leading open source machine learning frameworks such as TensorFlow and MXNet, and make ML accessible and easy to use through Amazon SageMaker. We also provide Amazon Rekognition for images and for video, Amazon Lex for chatbots, and a wide array of language services for text analysis, translation, speech recognition, and text to speech.

Edge Computing – The power to have compute resources and decision-making capabilities in disparate locations, often with intermittent or no connectivity to the cloud. AWS Greengrass builds on AWS IoT, giving you the ability to run Lambda functions and keep device state in sync even when not connected to the Internet.

ML Inference at the Edge
Today I would like to toss all three of these important new technologies into a blender! You can now perform Machine Learning inference at the edge using AWS Greengrass. This allows you to use the power of the AWS cloud (including fast, powerful instances equipped with GPUs) to build, train, and test your ML models before deploying them to small, low-powered, intermittently-connected IoT devices running in those factories, vehicles, mines, fields, and homes that I mentioned.

Here are a few of the many ways that you can put Greengrass ML Inference to use:

Precision Farming – With an ever-growing world population and unpredictable weather that can affect crop yields, the opportunity to use technology to increase yields is immense. Intelligent devices that are literally in the field can process images of soil, plants, pests, and crops, taking local corrective action and sending status reports to the cloud.

Physical Security – Smart devices (including the AWS DeepLens) can process images and scenes locally, looking for objects, watching for changes, and even detecting faces. When something of interest or concern arises, the device can pass the image or the video to the cloud and use Amazon Rekognition to take a closer look.

Industrial Maintenance – Smart, local monitoring can increase operational efficiency and reduce unplanned downtime. The monitors can run inference operations on power consumption, noise levels, and vibration to flag anomalies, predict failures, detect faulty equipment.

Greengrass ML Inference Overview
There are several different aspects to this new AWS feature. Let’s take a look at each one:

Machine Learning ModelsPrecompiled TensorFlow and MXNet libraries, optimized for production use on the NVIDIA Jetson TX2 and Intel Atom devices, and development use on 32-bit Raspberry Pi devices. The optimized libraries can take advantage of GPU and FPGA hardware accelerators at the edge in order to provide fast, local inferences.

Model Building and Training – The ability to use Amazon SageMaker and other cloud-based ML tools to build, train, and test your models before deploying them to your IoT devices. To learn more about SageMaker, read Amazon SageMaker – Accelerated Machine Learning.

Model Deployment – SageMaker models can (if you give them the proper IAM permissions) be referenced directly from your Greengrass groups. You can also make use of models stored in S3 buckets. You can add a new machine learning resource to a group with a couple of clicks:

These new features are available now and you can start using them today! To learn more read Perform Machine Learning Inference.

Jeff;

 

AWS Key Management Service now offers FIPS 140-2 validated cryptographic modules enabling easier adoption of the service for regulated workloads

Post Syndicated from Sreekumar Pisharody original https://aws.amazon.com/blogs/security/aws-key-management-service-now-offers-fips-140-2-validated-cryptographic-modules-enabling-easier-adoption-of-the-service-for-regulated-workloads/

AWS Key Management Service (KMS) now uses FIPS 140-2 validated hardware security modules (HSM) and supports FIPS 140-2 validated endpoints, which provide independent assurances about the confidentiality and integrity of your keys. Having additional third-party assurances about the keys you manage in AWS KMS can make it easier to use the service for regulated workloads.

The process of gaining FIPS 140-2 validation is rigorous. First, AWS KMS HSMs were tested by an independent lab; those results were further reviewed by the Cryptographic Module Validation Program run by NIST. You can view the FIPS 140-2 certificate of the AWS Key Management Service HSM to get more details.

AWS KMS HSMs are designed so that no one, not even AWS employees, can retrieve your plaintext keys. The service uses the FIPS 140-2 validated HSMs to protect your keys when you request the service to create keys on your behalf or when you import them. Your plaintext keys are never written to disk and are only used in volatile memory of the HSMs while performing your requested cryptographic operation. Furthermore, AWS KMS keys are never transmitted outside the AWS Regions they were created. And HSM firmware updates are controlled by multi-party access that is audited and reviewed by an independent group within AWS.

AWS KMS HSMs are validated at level 2 overall and at level 3 in the following areas:

  • Cryptographic Module Specification
  • Roles, Services, and Authentication
  • Physical Security
  • Design Assurance

You can also make AWS KMS requests to API endpoints that terminate TLS sessions using a FIPS 140-2 validated cryptographic software module. To do so, connect to the unique FIPS 140-2 validated HTTPS endpoints in the AWS KMS requests made from your applications. AWS KMS FIPS 140-2 validated HTTPS endpoints are powered by the OpenSSL FIPS Object Module. FIPS 140-2 validated API endpoints are available in all commercial regions where AWS KMS is available.

The UK Law Enforcement Community Can Now Use the AWS Cloud

Post Syndicated from Oliver Bell original https://aws.amazon.com/blogs/security/the-uk-law-enforcement-community-can-now-use-the-aws-cloud/

AWS security image

The AWS EU (London) Region has been Police Assured Secure Facility (PASF) assessed, offering additional support for UK law enforcement customers. This assessment means The National Policing Information Risk Management Team (NPIRMT) has completed a comprehensive physical security assessment of the AWS UK infrastructure and has reviewed the integral practices and processes of how AWS manages data center operations. UK Policing organizations can now leverage this assessment (available to those organizations from NPIRMT) as part of their own risk management approach to systems development and design with the confidence their data is stored in highly secure and compliant facilities. Note that the NPIRMT does not offer any warranty of physical security of the AWS data center.

The security, privacy, and protection of AWS customers are our first priority, and we are committed to supporting Public Sector and Blue Light organizations. This assessment further demonstrates AWS’s commitment to deliver secure and compliant services to the UK law enforcement community. We have built technology services suitable for use by Justice, Blue Light, and Public Safety organizations, and whether in law enforcement, emergency management, or criminal justice, AWS has the capability and resources to support this community’s unique IT needs. From Public Services Network–compliant solutions to architecting a UK OFFICIAL secure environment, AWS can help tackle public safety data needs. By combining the secure and flexible AWS infrastructure with the breadth of our specialized APN Partner solutions, we are confident we can help our customers across the industry succeed in their missions.

– Oliver

Coming in 2018 – New AWS Region in Sweden

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/coming-in-2018-new-aws-region-in-sweden/

Last year we launched new AWS Regions in Canada, India, Korea, the UK (London), and the United States (Ohio), and announced that new regions are coming to France (Paris) and China (Ningxia).

Today, I am happy to be able to tell you that we are planning to open up an AWS Region in Stockholm, Sweden in 2018. This region will give AWS partners and customers in Denmark, Finland, Iceland, Norway, and Sweden low-latency connectivity and the ability to run their workloads and store their data close to home.

The Nordics is well known for its vibrant startup community and highly innovative business climate. With successful global enterprises like ASSA ABLOY, IKEA, and Scania along with fast growing startups like Bambora, Supercell, Tink, and Trustpilot, it comes as no surprise that Forbes ranks Sweden as the best country for business, with all the other Nordic countries in the top 10. Even better, the European Commission ranks Sweden as the most innovative country in EU.

This will be the fifth AWS Region in Europe joining four other Regions there — EU (Ireland), EU (London), EU (Frankfurt) and an additional Region in France expected to launch in the coming months. Together, these Regions will provide our customers with a total of 13 Availability Zones (AZs) and allow them to architect highly fault tolerant applications while storing their data in the EU.

Today, our infrastructure comprises 42 Availability Zones across 16 geographic regions worldwide, with another three AWS Regions (and eight Availability Zones) in France, China and Sweden coming online throughout 2017 and 2018, (see the AWS Global Infrastructure page for more info).

We are looking forward to serving new and existing Nordic customers and working with partners across Europe. Of course, the new region will also be open to existing AWS customers who would like to process and store data in Sweden. Public sector organizations (government agencies, educational institutions, and nonprofits) in Sweden will be able to use this region to store sensitive data in-country (the AWS in the Public Sector page has plenty of success stories drawn from our worldwide customer base).

If you are a customer or a partner and have specific questions about this Region, you can contact our Nordic team.

Help Wanted
As part of our launch, we are hiring individual contributors and managers for IT support, electrical, logistics, and physical security positions. If you are interested in learning more, please contact [email protected].

Jeff;

 

Google Infrastructure Security Design Overview

Post Syndicated from jake original http://lwn.net/Articles/711682/rss

Google has posted an overview of its infrastructure security. It includes information about low-level details, such as physical security and secure boot, encryption of data at rest as well as communications between services and to users, keeping employee devices and credentials safe, and more. Undoubtedly there are lessons here for many different organizations. “This document gives an overview of how security is designed into Google’s technical infrastructure. This global scale infrastructure is designed to provide security through the entire information processing lifecycle at Google. This infrastructure provides secure deployment of services, secure storage of data with end user privacy safeguards, secure communications between services, secure and private communication with customers over the internet, and safe operation by administrators.

Google uses this infrastructure to build its internet services, including both consumer services such as Search, Gmail, and Photos, and enterprise services such as G Suite and Google Cloud Platform.”

Fooling Facial Recognition Systems

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/11/fooling_facial_.html

This is some interesting research. You can fool facial recognition systems by wearing glasses printed with elements of other people’s faces.

Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter, “Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition“:

ABSTRACT: Machine learning is enabling a myriad innovations, including new algorithms for cancer diagnosis and self-driving cars. The broad use of machine learning makes it important to understand the extent to which machine-learning algorithms are subject to attack, particularly when used in applications where physical security or safety is at risk. In this paper, we focus on facial biometric systems, which are widely used in surveillance and access control. We define and investigate a novel class of attacks: attacks that are physically realizable and inconspicuous, and allow an attacker to evade recognition or impersonate another individual. We develop a systematic method to automatically generate such attacks, which are realized through printing a pair of eyeglass frames. When worn by the attacker whose image is supplied to a state-of-the-art face-recognition algorithm, the eyeglasses allow her to evade being recognized or to impersonate another individual. Our investigation focuses on white-box face-recognition systems, but we also demonstrate how similar techniques can be used in black-box scenarios, as well as to avoid face detection.

News articles.

How the President’s Security Motorcade Works

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/t78uFcBrjVM/how-presidents-security-motorcade-works.html

Jalopnik links to The Atlantic’s Marc Ambinder’s great article on how the Secret Service handles a significant event, including details of how the motorcade is organized and run. For those who think about physical security, this is an interesting read including a diagram of each vehicle and its role.

_uacct = “UA-1423386-1”;
urchinTracker();

How the President’s Security Motorcade Works

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/t78uFcBrjVM/how-presidents-security-motorcade-works.html

Jalopnik links to The Atlantic’s Marc Ambinder’s great article on how the Secret Service handles a significant event, including details of how the motorcade is organized and run. For those who think about physical security, this is an interesting read including a diagram of each vehicle and its role.

_uacct = “UA-1423386-1”;
urchinTracker();

Blackhat, ATMs, and Money Fountains, Oh My!

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/2DV_lbEy4-Y/blackhat-atms-and-money-fountains-oh-my.html

Security blogs and websites are all buzzing with the news of Barnaby Jack’s Blackhat demonstration of ATM insecurity. Wired has coverage, our favorite security monkey has a video, and others including Tony Bradley from PC World covers the important lessons from the talk.So does the hack tell us something truly new? I don’t really think so. For years, many ATMs have been poorly embedded systems, often running commodity operating systems that rely more on physical security provided by locked boxes than on heavily secured operating systems with appropriate security controls. I’ve written about the insecurity of some ATM uplinks before, and accessing their network connection is often very simple in public locations.What the exploit does do is serve to point out vulnerabilities in the specific ATMs, both of which were running Windows CE. It also serves as a reminder that any operating system that can be remotely accessed, or that allows its filesystem to be written, or to mount USB devices is vulnerable. Since many ATMs run Windows XP, or even Windows NT, they make attractive targets to those who have pre-written malware that works on Windows systems.It should also remind us to review what devices we rely on that have embedded PC platforms in them. Windows CE, NT, XP, and various flavors of Linux appear throughout our IT infrastructure, and while we’re used to locking down network access, often embedded devices don’t provide strong local security. I’ve run into everything from AV controllers and music players to embedded systems running animal feeding systems for research. Most of the time, my only ability to secure them is to lock them away, limit access to the room they live in, and to ensure that they’re on a secured network.How do you secure your embedded systems? Have you gone so far as to modify appliances that manufacturers don’t want changed?

_uacct = “UA-1423386-1”;
urchinTracker();

Blackhat, ATMs, and Money Fountains, Oh My!

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/2DV_lbEy4-Y/blackhat-atms-and-money-fountains-oh-my.html

Security blogs and websites are all buzzing with the news of Barnaby Jack’s Blackhat demonstration of ATM insecurity. Wired has coverage, our favorite security monkey has a video, and others including Tony Bradley from PC World covers the important lessons from the talk.So does the hack tell us something truly new? I don’t really think so. For years, many ATMs have been poorly embedded systems, often running commodity operating systems that rely more on physical security provided by locked boxes than on heavily secured operating systems with appropriate security controls. I’ve written about the insecurity of some ATM uplinks before, and accessing their network connection is often very simple in public locations.What the exploit does do is serve to point out vulnerabilities in the specific ATMs, both of which were running Windows CE. It also serves as a reminder that any operating system that can be remotely accessed, or that allows its filesystem to be written, or to mount USB devices is vulnerable. Since many ATMs run Windows XP, or even Windows NT, they make attractive targets to those who have pre-written malware that works on Windows systems.It should also remind us to review what devices we rely on that have embedded PC platforms in them. Windows CE, NT, XP, and various flavors of Linux appear throughout our IT infrastructure, and while we’re used to locking down network access, often embedded devices don’t provide strong local security. I’ve run into everything from AV controllers and music players to embedded systems running animal feeding systems for research. Most of the time, my only ability to secure them is to lock them away, limit access to the room they live in, and to ensure that they’re on a secured network.How do you secure your embedded systems? Have you gone so far as to modify appliances that manufacturers don’t want changed?

_uacct = “UA-1423386-1”;
urchinTracker();