Technology insight for the enterprise, Breaking Science and Technology News

Tuesday, December 29, 2015

Lian Li's wild new PC cases mimic cruise ships and double as standing desks

Lian Li’s famous in enthusiast circles not just for creating computer cases—it’s known for creating crazily audacious enclosures that twist your perception of what a computer case can be. This is the company behind cases shaped like spiders, seashells, and trains (oh my!) after all. And at CES 2016, Lian Li’s keeping the tradition alive with not one, but two new case designs that will leave you wondering “How the heck do you fit a PC in there?”
A Lian Li representative shared the short teaser video above exclusively with PCWorld, showcasing the company’s upcoming designs: A computer case that doubles as a standing desk, and another open-air case that looks like a cruise ship. Yes, really.
Sadly, Lian Li isn’t spilling the beans about technical details for the two cases yet, though I’ll be checking them out firsthand at CES 2016 next week. Judging by the cutouts in the rear of the cruise ship, your motherboard and graphics card will apparently slot into the transparent upper portion of the case, presumably leaving the bottom open to stash your storage drives and whatnot.
Lian Li’s standing desk, meanwhile, appears to be a fitness-focused variant of the company’s DK line of cases, which have already gone through several iterations after kicking off the “desks that hold your PCs inside” craze along with Red Harbinger’s Cross Desk. Expect a loadout similar to what you’d find in Lian Li’s existing computer desks, but likely with adjustable-height legs. The brief glimpses we get through the glass in the video above seem to show ample room for beastly PC hardware.

New Chinese law takes aim at encryption

If requested, service providers must help the government decrypt content

The U.S. flag flutters on a car in Beijing, China, on April 13, 2013. Credit: Department of State
A new law passed by China's Parliament on Sunday requires technology companies to assist the government in decrypting content, a provision that the country maintains is modeled after Western law.
ISPs and telecommunication companies must provide technical assistance to the government, including decrypting communications, for terrorism-related investigations, according to Xinhua, China's official news agency.
Xinhua quoted Li Shouwei, of the National People's Congress Standing Committee legislative affairs commission, as saying the law doesn't require technology companies to install "backdoors," the term for code that would give security agencies consistent, secret access to data, in software.
The law comes into force in January, according to a separate Xinhua story. Chinese officials said the law is necessary for conducting anti-terrorism operations, but critics worry it could have far-reaching impacts in a country with a much-criticized human rights record. There are also concerns over how the law will impact Western technology companies in China.
ISPs and service providers can also face a fine or jail time if they fail to stop transmitting content that is considered extremist or related to terrorism, Xinhua reported.
In the U.S., technology companies have been fighting increasing calls from lawmakers to engineer systems that can allow easier access by law enforcement.
Many companies have moved ahead in designing systems in which they do not retain a decryption key for scrambled data. That makes it more difficult for law enforcement and security agencies to decrypt communications without knowing a person's passcode or password. 
There is also fierce opposition to building backdoors into software products, which security experts contend could be discovered and abused by hackers or state-sponsored cyber spies.
The move to build more secure systems gained momentum after documents leaked in 2013 by former NSA contractor Edward Snowden revealed large-scale data collection operations by Western intelligence agencies, including the U.S. and U.K.

The most innovative and damaging hacks of 2015

The year's most significant attacks highlight how hackers are changing tactics -- and how security must evolve in the year ahead.

Not a week went by in 2015 without a major data breach, significant attack campaign, or serious vulnerability report. Many of the incidents were the result of disabled security controls, implementation errors, or other basic security mistakes, highlighting how far organizations have to go in nailing down IT security basics.
But looking beyond the garden-variety attacks and vulnerabilities lends great insight into the future of malicious activity and how to defend against it. And 2015 had its share of intriguing invasions, each of which highlighted the modified techniques that lead to new forms of breaches or pinpoint areas in need of new defenses. The past year saw cyber criminals adopting innovative approaches and state-sponsored actors becoming bolder. Motivations shifted, with financial gain no longer the sole reason for launching an attack. Inflicting physical damage, stealing trade secrets, hacking as a form of protest -- 2015 was a year in which malicious activity served many ends.
The increasingly interconnected world means bad guys can cause a lot of damage; more important, many malicious actors now have the skills and means to carry out chilling attacks. Below is a roundup of some of the most significant incidents of the past year, each of which pushes the overall security conversation further, showing new paths and needs for defense. Which ones did we miss?

Bitcoin under barrage

Bitcoin -- and the idea of crypto currency in general -- captured mainstream attention this year, in part because of nefarious actors who used the platform as cover for payment. Ransomware gangs have demanded payment in bitcoins before unlocking victims’ files and folders, and blackmailers have demanded bitcoins in exchange for not launching DDoS attacks against websites. But bitcoin made security headlines several times in 2015 for a different reason: Thieves kept stealing bitcoins ... lots of them.
European exchange Bitstamp suspended trading after discovering one of its operational bitcoin storage wallets was compromised in early January. The exchange is believed to be the world’s third busiest and handles approximately 6 percent of all bitcoin transactions. About 19,000 bitcoins, or roughly $5 million, were stolen at the time. That wasn’t the only bitcoin attack, as China-based exchange BTER reported in February that 7,170 bitcoins, or roughly $1.75 million, were stolen from its cold wallet system. Thieves stole 10.235 BTC, or roughly $2,500, from bitcoin startup Purse in October.
Consider it a twist on the traditional bank heist: Instead of looting bank accounts, exchanges are raided. In addition to showing there is real financial value associated with the virtual currency, the thefts highlighted the need “for an internationally recognized security standard” for bitcoin, said Florindo Gallicchio, director of information security in the Optiv Office of the CISO. In February, the Cryptocurrency Certification Consortium (C4) proposed 10 standardized rules for the creation, storage, audit, and use of bitcoins, as part of the Cryptocurrency Security Standard (CCSS).
While the amounts stolen aren’t insignificant, they pale in comparison to the 850,000 bitcoins, worth close to $450 million, that disappeared from Japanese-based exchange Mt. Gox in 2014. The exchange, believed to have handled 70 percent of all bitcoins, has since closed and entered bankruptcy. Japanese police believe the theft was an inside job.
As is often the case with technology, the exchanges have thus far focused on functionality and usability, with security an afterthought, said Steve Donald, CTO of Hexis Cyber Solutions. Many of the attacks relied on social engineering to gain a foothold on to the exchange’s network. Exchanges need to adopt secure code development practices, as well as dynamic and static code analysis to protect their applications. “Bitcoin exchanges should be highly incented to improve security as this will be a requirement before this new type of currency will achieve wide scale usage,” Donald said.

Cyber goes real-world

Cyber attacks that result in damage in the physical world happen far more often on TV shows than they do off-screen. It was scary when the Shamoon malware attack partially wiped or totally destroyed hard drives of 35,000 computers at Saudi oil company Aramco back in 2012. We saw the blurring between cyber and physical again -- to be fair, the attack actually happened in 2014 and the report providing the details was released shortly before the end of the year -- at an unnamed German steel mill when attackers manipulated and disrupted control systems. The blast furnace could not be properly shut down, resulting in “massive” damages, according to reports.
There is a tendency to think cyber attacks are about stealing data or knocking systems offline. There can be real-world damage, too. An attacker can potentially compromise a pharmaceutical company’s production process or quality control systems and modify the recipe for a particular drug. Hospital systems are also vulnerable to attack, especially since many legacy systems still in use cannot be secured. As much as 20 percent of hospitals are vulnerable to attacks that can disable critical care systems, Gallicchio said.
“People can be physically hurt from a cyber attack,” Gallicchio said.
Industrial control system security comes up a lot in conversation, but the incident at the German steel mill highlights the fact that the threat is no longer theoretical. One of the challenges facing industrial control system security, especially in manufacturing, is the simple fact that the systems are typically controlled and administered by operations and engineering departments, not IT. The operations and engineering teams are focused on reliability and make decisions at the expense of security in order to maintain uptime.
Improving defenses requires “a mix of basics and more contemporary defenses,” such as ensuring proper segmentation and access controls between different networks, Donald said.

Financial crime goes big

There were a number of attacks against financial institutions in 2015, but none was more audacious than the Carbanak crime ring, which targeted more than 100 banks and other financial institutions in 30 nations. Kaspersky Lab estimated the gang had stolen as much as $1 billion since late 2013 and had managed to stay under the radar for two years because it kept each transaction between $2.5 million and $10 million.
The scale of attacks against financial institutions indicates criminals are moving away from low-value consumer-related attacks such as identity and credit card theft in favor of high-value attacks. “The old ‘smash and grab’ jobs are becoming carefully orchestrated and executed jobs,” said Mike Davis, CTO of CounterTack.
The FBI also warned of an increase in social engineering campaigns where an attacker sends an email purporting to be from the CEO or another senior executive to the CFO or another executive authorizing a wire transfer. If the recipient is tricked and doesn’t validate the email’s authenticity before the transfer, that money is gone, usually for good.
While external attackers still pose the biggest threat to financial organizations, 2015 showed insiders can cause damage as well. Earlier this year, a former employee of Morgan Stanley pleaded guilty to stealing confidential data from more than 700,000 customer accounts while he was interviewing for a new job with two competitors. And external attackers target insiders who already have access to sensitive data. Encryption, dynamic security policies that travel with data, and robust multifactor authentication controls are some of the defenses financial institutions should consider to ensure that unauthorized individuals can’t read anything they shouldn’t be allowed to see, said Ron Arden, vice-president of Fasoo.

Health care on the breach radar

Some of the biggest breaches in 2015 involved health care organizations, including Anthem, Excellus BlueCross BlueShield, Premera Blue Cross, and CareFirst, to name a few. Eight of the 10 largest health care breaches happened in 2015, according to the U.S. Department of Health and Human Services.
It’s no surprise the attackers went after health care, since the companies tend to have valuable data, including names, addresses, Social Security numbers, medical records, and financial information. The data is difficult to change, meaning it has a longer shelf life and can be used in a variety of follow-up attacks. Attackers accessed more than 100 million health care records in 2015.
While some of the breaches may have been part of identity theft and other cyber crime activities, security experts believe Anthem was the work of Chinese state-actors. The attackers may have been after data on specific individuals for intelligence purposes, or they may have wanted intellectual property relating to how medical coverage and insurer databases are set up. The Chinese government has denied any involvement in the attacks, and Chinese authorities recently arrested individuals they claim had targeted Anthem for cyber crime purposes.
“Just like how the financial verticals evolved to the next-generation bank heists, we will soon see attackers use health care information records to support more sophisticated business models,” said Itzik Kotler, co-founder and CTO at SafeBreach.
These attacks were successful in large part because health care companies have not traditionally invested as much on security initiatives as financial institutions have. The Anthem breach, in particular, showed how far some health care companies lag on basic security best practices. As Target shook the retail sector out of its complacency in 2014, Anthem made the health care industry sit up and notice the very real dangers it faces.
Worse, encryption practices around sensitive data had no effect. In many health care breaches, users were socially engineered out of their credentials, letting attackers easily bypass encryption controls. It doesn’t take a lot, either. Attackers stole 80 million personal records from a large health care insurance company by compromising only five user accounts, Eric Tilenius, CEO of BlueTalon, said. “Every company should ask, ‘How much data would be exposed if a user account gets compromised?’ and then work to limit that exposure,” he said.
“It doesn’t matter how strong your security platform is, if employees aren’t properly trained in best security practices, it all can go out the window,” said Garry McCracken, vice president of technology at WinMagic.

Attacks as part of a long game

Perhaps the most intriguing, significant, and shocking security incident of 2015 was the attack against the U.S. Office of Personnel Management. The personal data of millions of government employees, U.S. military personnel, and government contractors who had received background checks and security clearances were stolen. In a typical data breach, the attackers target the organization because they want the information it has. In the case of OPM, the attackers didn’t want the records simply for the sake of having them, but to obtain background information on targeted individuals.
“[The OPM breach] represents human targeting at its finest, understanding that people are our biggest security risk … our weakest link in the chain,” said Renee Bradshaw, manager of solutions strategy at NetIQ, the security portfolio of Micro Focus.
The method of attack followed a formula: Target a subcontractor in a social engineering attack and steal credentials to gain access to the network. Plant malware on a system and create a backdoor. Exfiltrate data for months, undetected. The level of poor security practices at OPM “was astounding,” including lack of consistent vulnerability scanning and two-factor authentication, as well as untimely patch management, said Bradshaw.
The OPM breach also emphasized organizations' vulnerability to social engineering. Government employees and contractors are now subject to security awareness training programs to learn about the dangers of spear phishing and other social media threats.

Vulnerabilities out of control

The attack against Hacking Team over the summer was an eye-opener. The Milan-based company developed and sold surveillance software to government agencies around the world. The company relied on zero-day vulnerabilities to develop software that was difficult to detect and could intercept communications. When an unknown individual released more than 400GB of data stolen from Hacking Team, including email communications, business documents, and source code, security researchers uncovered proofs-of-concept for three different zero-day vulnerabilities in Adobe Flash Player. While Adobe scrambled to fix the flaws as quickly as possible, cyber criminals were able to create exploits and use them in large-scale attacks.
“Hoarding zero-day exploits at both the national and private level is dangerous for everyone. We can’t expect to come out on top if we are sitting on these types of vulnerabilities,” said Tom Gorup, security operations leader at security consulting firm Rook Security.
Not reporting the vulnerabilities to the vendor for fixes means someone else can come along and find the same bug. If it was found in the first place, it stands to reason someone else will eventually find it, too. As Hacking Team learned the hard way, anyone can be breached. And once the vulnerabilities are public, everyone is at risk. Zero-day exploits are not like physical weapons in that the original owner has control over how and when it is used. The weapon can be used right back, with devastating consequences.
“We need to refocus our cyber efforts to a defensive posture and let our infantry and airmen handle the offensive efforts,” Gorup said.

Government services leak too much info

As attacks against government agencies go, the IRS Transcript Service breach was small beans. Only 100,000 people had their information exposed through this breach, which is significantly less than the 21.5 million affected by the OPM breach. The attackers plugged in the victim’s name, address, and Social Security number into the IRS Get Transcript service to obtain detailed information such as income, employer name, and dependents.
More uniquely, attackers used legitimate services to convert basic personally identifiable information into detailed data that could be used to falsify tax returns and commit other forms of financial fraud. The same method can conceivably be used with the Department of Motor Vehicles' online renewal process or with a property appraisal site maintained by the county. With the information obtained through these services, identity theft becomes easier. It was especially effective, as attackers enjoyed a 50 percent success rate using the stolen data, noted Morey Haber, vice president of technology at BeyondTrust.
“Many sites like the Get IRS Transcript website exist all over the Internet for state, local, and federal governments. The IRS was an easy target, but so are the others,” Haber said.

Forget cars, what’s happening with airplanes?

Vehicular hacking burst on to the scene in 2015 and grabbed a lot of security headlines, but we should be worried about all the things we don’t know regarding attacks on airplanes. About the time researchers Charlie Miller and Chris Valasek were exploiting Chrysler’s UConnect infotainment system to remotely control a 2014 Chrysler Jeep Cherokee, there were reports the group behind the OPM breach had successfully obtained records of origins and destinations of United Airlines passengers, as well as passenger manifests. Another group of attackers also disrupted the IT systems for LOT Polish Airways, which resulted in the airline canceling 20 flights and grounding 1,400 passengers.
Then of course there’s the FBI’s claim that security researcher Chris Roberts caused a plane’s engine to climb when he was poking around aircraft systems while on a United Airlines flight. The jury’s out on whether Roberts actually managed to take over the jet.
Should these attacks concern us? Are airplanes at risk? Both United and LOT have refused to provide any information on the issues.
“The scary answer here is that we don’t know, and that’s both surprising and unsurprising at the same time,” said Johnathan Kuskos, manager of the threat research center at WhiteHat Security.
There are two different types of attacks to worry about. One targets IT systems, such as the airline website and check-in kiosks at the airport. The other targets onboard systems that actually power and control the aircraft. The onboard systems tend to be heavily sandboxed and are locked down. IT systems are more at risk. And according to WhiteHat’s vulnerability statistics report, every online application has at least one serious vulnerability.
“It’s hard to imagine that a professional criminal syndicate or state-sponsored hackers haven’t targeted these major airlines yet,” Kuskos said.

Getting around Apple’s walled garden

Palo Alto Networks this year uncovered XcodeGhost, a malware attack that infected iOS applications and existed in the App Store for months before being detected. The attack relied on iOS developers downloading a compromised version of Xcode, the iOS dev kit. Compromising a toolchain is not a new attack method, and XcodeGhost was extremely successful at infecting developers on a wide scale. The real danger lies in what lessons the XcodeGhost team learned from its success and how it will try again.
The way the malware infected iOS apps before they were distributed into the App Store was completely new, said Ryan Olson, intelligence director at Palo Alto Networks. Developers are vulnerable and attackers can piggy-back on their apps into the App Store, past Apple’s vaunted security measures.
“While the XcodeGhost malware was not particularly dangerous, it was groundbreaking in the way it gained access to millions of devices,” Olson said.
XcodeGhost showed people that Apple’s walled garden can be breached and at a wide scale. It forced app developers to clean up their systems, re-issue their applications, and be better about where they get their developer tools. In order to defend against similar attacks, iOS developers need to understand their dev systems and apps are valuable to attackers looking for ways to target iOS users.
“XcodeGhost was the first truly widespread malware that impacted non-jailbroken phones, it was a massive eye-opener for iOS users who had previously thought they were invulnerable to attack,” Olson said.

Juniper’s unauthorized backdoor scandal

Juniper Networks recently uncovered unauthorized code in its Juniper NetScreen firewalls that could allow attackers to decrypt VPN traffic. The issue arose from the fact that Juniper used Dual_EC_DRBG, a known flawed random-number generator, as the foundation for cryptographic operations in NetScreen's ScreenOS. Juniper claimed it used additional precautions to secure the random number generator. It turned out the safeguards were ineffective.
The backdoor in Dual EC can be viewed as two parts, where one adds a second keyhole that overrides the normal lock on a door, and the other is a specific lock cylinder that fits that keyhole, Matthew Green, a cryptographer and assistant professor at Johns Hopkins University, wrote on Twitter. The attackers replaced the NSA-approved lock cylinder with their own lock cylinder. They wouldn’t have been able to replace the cylinder if the door hadn’t been modified with the keyhole in the first place.
In the end, someone somewhere was able to decrypt Juniper traffic in the United States and around the world. The matter is currently under investigation by the FBI.
“NSA built in a powerful eavesdropping backdoor. The attackers simply repurposed it by changing a few bytes of code,” Green said. “I’ll be honest, while I’ve been worrying about something like this for a long time. Seeing it actually happen is staggering.”
In light of the mounting pressure from government officials on the tech industry over encryption backdoors, what happened to Juniper is a clear example of how backdoors can be abused. 2016 will tell whether law enforcement and government will learn the lesson and back off on those demands.

Understanding 2015

It’s clear from looking at the attacks and breaches this year that the IT security industry is not well-positioned to defend itself. Knowing is half the battle, but there’s a long road ahead for organizations that don’t follow the basics of security best practices. “Security isn’t cheap, and when you’ve historically underinvested in security, what it takes to catch up in both technology investment and human capital is expensive,” said James Carder, CISO at LogRhythm and vice president of LogRhythm Labs.


All 2016 Samsung smart TVs will be ready to talk to your appliances

Also, Samsung's high-end SHUD TVs will be able to control other SmartThings devices

A Samsung TV on show at Manila's Ninoy Aquino International Airport on Oct. 25, 2015. Credit: Martyn Williams
All Samsung smart TVs sold in 2016 will be IoT-ready, meaning they’ll be able to talk to compatible appliances around the home, Samsung said Tuesday.
In addition, all of Samsung’s high-end SHUD TVs sold next year will be able to act as a hub for its SmartThings platform, meaning the TV will be the controller for things like lights, thermostats and door locks. That could save people having to buy a standalone SmartThings hub for $99 - though SHUD TVs are quite pricey.
The SmartThings Hub with a number of sensors. Credit: Mikael Ricknas
The announcement comes a week before the giant CES gadget show in Las Vegas, where all the big electronics manufacturers are expected to show TVs, washing machines and other home appliances that can be networked together.
With an outdoor camera connected to the TV, for instance, you’ll be able to see who’s at the front door without getting up from the couch. Motion sensors could flash an alert on the TV screen if someone’s prowling around the garden.
It’s all part of the electronics industry’s latest push to get you to go out and buy new products, though how many people will embrace the idea remains to be seen.
There are several protocols and platforms vying to link the smart home together. Samsung acquired its SmartThings platform when it bought the startup that developed it last year. Samsung says it’s an open platform, meaning other manufacturers can use the technology in products. It says there are 200 compatible products on the market in addition to those from Samsung.
While all of its SHUD TVs will ship with SmartThings technology inside, the functionality will be “activated regionally as SmartThings expands its platform availability,” the company said. It didn’t provide any more details than that.
Samsung says its SHUD TVs give superior picture quality thanks to a “nano crystal” technology. The cheapest 60-inch model runs about $1,800 at Costco in the U.S.

M.2 SSD roundup: Tiny drives deliver huge performance

No, M.2 (pronounced M-dot-two) is not a government spy organization or secret project. It’s a small-form-factor (SFF) multi-purpose connector designed to replace the small mSATA and mini-PCIe slots commonly used in laptops. As such, M.2 isn’t designed strictly for storage (it supports USB, SATA, and PCIe), but storage is a large part of what’s driving its adoption—even on the desktop.
Say what? The thing is, M.2’s PCIe connectivity has coincided nicely with the migration of SSD drives to PCIe, to sidestep the 600MBps limitation of the SATA bus. The marriage of PCIe and the SSD has resulted in uber-fast storage for your PC.
PCIe SSDs simply blow their SATA brethren out of the water in terms of sequential throughput, and in the case of NVMe, queued small writes.
When I say uber-fast, I’m talking nearly four times the speed of SATA. Yup: 2GBps. It’s hard to describe how smoothly your system runs with a x4 PCIe M.2 SSD on board. But I’m going to try, and also let you know which of the currently limited, but excellent selection of M.2 SSDs you should buy. Note that there are also SATA M.2 SSDs, but they’re subject to the 600MBps limit. Boring, but handy if that’s all your laptop supports.
Don’t have an M.2 slot on your system? If you’re talking about a desktop, you’re in luck. Simply add a $25 PCIe M.2 expansion card, such as the Addonics AD2M2S-PX4 PCIe we used for some of our testing.

Head to head


We took six M.2 SSD drives for a spin. The state of the art was represented by these drives:
  • The $240, 256GB Samsung SM951 PCIe (AHCI)
  • The $240, 256GB Samsung SM951 PCIe (NVMe)
  • The $499, 480GB Kingston HyperX Predator PCIe (AHCI)
We also ran a last-generation $200, 256GB Samsung XP941 PCIe (AHCI) through its paces. 
Also included are two SATA M.2 drives:
  • An older $300, 320GB Intel 530
  • A newer $99, 256GB Samsung EVO SATA drive 
To be perfectly honest, we included SATA drives only to show you the enormous performance gains offered by PCIe. Sneaky, eh?
Lastly, there was the aging $220 Plextor M6e, the first M.2 PCIe (AHCI) drive we ever tested. It’s included to show just how far things have come in a little over a year.
You may have noticed the parentheses indicating whether the PCIe drives were AHCI (Advanced Host Controller Interface) or NVMe (Non-Volatile Memory express). AHCI is basically the SATA protocol implemented over PCIe (or any bus really), while NVMe is a new communications protocol designed from the ground up for non-volatile storage. AHCI over PCIe removes the 600MBps bandwidth limit, but NVMe offers some advantages for multi-threaded operations, as you’ll see in the 4K queued test results seen below. 
The only issue with NVMe is that your system must support booting from it. All the motherboards I’ve seen that offer a PCIe-enabled M.2 slot allow booting from NVMe, but if you’re adding M.2 to your desktop via a PCIe expansion card, you may need to go AHCI. Any motherboard of relatively recent vintage should support booting from AHCI.

Performance


All testing was done on an Asus X99 Deluxe/U3.1 motherboard with 32GB of DDR4 and an Intel Core i7-5820K. We used the motherboard’s integrated PCIe-only M.2 slot for the AHCI/NVMe SSDs, while SATA drives were tested using the aforementioned Addonics AD2M2S-PX4 PCIe expansion card. Note that the AD2M2S-PX4 doesn’t have a dedicated SATA HBA (host bus adapter). It simply uses SATA cables from the motherboard that plug into the card.
PCIe M.2 drives rock when it comes to raw sequential throughput.
As you can see from the charts, the results were split dramatically by technology. The PCIe drives won by huge margins in flat-out sequential read speed, something you’ll notice when you copy large files. NVMe proved faster than AHCI when it’s fed small files from multiple queues (the AD SSD 4K/64 threads test). Whether this scenario occurs depends upon your operating system and NVMe driver.
When threaded, NVMe can really strut its stuff with small files. It’s the reason NVMe showed up in servers first.
Keep in mind that M.2 PCIe, and PCIe drives in general, are relatively new technologies. The SM951 AHCI, only a single generation removed from the XP941 AHCI, is dramatically faster. Both are x4 PCIe, but the XP941 is PCIe Gen 2 (500MBps per lane), while the SM951 is PCIe Gen 3 (1GBps). But even the x4 PCIe 2.0 provides 2GBps of bandwidth, so that can hardly explain the entire disparity.
The difference in small file performance between SATA and PCIe isn’t as dramatic, but still shows the advantages.
Having previously experienced only the Plextor, Kingston and XP941 AHCI drives, we were surprised and pleased to see that the SM951 AHCI was competitive with its NVMe sibling. Also note that in our real-life 20GB tests, the Kingston proved almost as fast as either Samsung drive.
All these drives are faster than SATA-bound SSDs when writing a single large file, but the Plextor M6e was actually slower than some when it came to writing small files and folders.
We’ve seen well over 2GBps from Intel’s 750 series NVMe PCIe card drive, which plugs into an open PCIe slot like a video card (an alternative to M.2 that desktop users should consider), so the SM951 NVMe may not be showing the full potential of NVMe. Intel told us it didn’t produce an M.2 version of the 750 because at top speed, the power draw exceeded what’s available from M.2 slots. Basically, not all the ducks are in a row yet to fairly evaluate AHCI versus NVMe. It is safe, however, to say that PCIe SSDs obliterate their SATA cousins in terms of raw sequential throughput. They also occupy a slot in your motherboard.
Here are the details on the drives involved in the testing.

Top 15 security predictions for 2016


Cyber security experts and analysts weigh in on what the new year will bring in the world of evolving threats and solutions
To put a security spin on the holiday song: "It's the most predictive time of the year."

Not that those in the industry -- even the best informed -- have an infallible crystal ball. It's that being effective in an ever-more-rapidly evolving threat environment means looking ahead. An accurate prediction can help an organization protect itself better. A wrong one can mean less ability to prevent or respond effectively to a breach that can damage reputation, the bottom line and more.

So, here are some best guesses about 2016 from more than a dozen vendors and analysts. (For an expanded version of the 2016 predictions, watch CSO's slideshow.)

IoT for ransom

(ThetaRay/Palerra/Blue Coat/LastPass) The Internet of Things will become an ever more fertile attack surface for governments, mercenaries, hacktivists and even terrorists. Many IoT devices lack significant memory space or OS capability, so treating them like endpoint agents will fail.

Ransomware will gain ground on banking Trojans and extend into smart devices like coffee makers, refrigerators, baby monitors, cars, wearables and medical devices, often owned by wealthier and therefore more lucrative targets. Most wearables, which collect personal information, lack even basic security features.

This will increase the threat of a massive collision among connected cars; stolen personal information about users' home electrical and water usage; and attackers locking medical devices until a ransom is paid.

Your card is safer. You aren't

(Javelin) Card-Not-Present (CNP) fraud will grow from $10 billion in 2014 to more than $19 billion in 2018. The increasing adoption of EMV cards and digital wallet solutions, such as Apple Pay and Google Wallet, will reduce point-of-sale system fraud and counterfeit credit cards. Unfortunately, that will push more fraudsters online to monetize fake and stolen credit cards.

Extortapalooza

(RSAC Advisory Board/Kaspersky/ThreatStream) DOXing -- public shaming and extortion attacks -- which rose in 2015, will spike exponentially in 2016, as everyone from hacktivists to nation states embraces the strategic dumping of private pictures, information, customer lists, and code to shame their targets. It will go well beyond Charlie Sheen having to admit his HIV status -- cyber criminals know they can use the data for extortion, which will lead to some websites being breached for the sole purpose of mass personalized extortion schemes. Call it "weaponizing" data.

At your criminal service

(Kaspersky/Seculert) The profitability of cyber-attacks means sophisticated criminal gangs with modern organizational models and tools will replace common cyber criminals as the primary threat. That, in turn, will draw mercenaries to meet the demand for new malware and even entire operations. The latter gives rise to Access-as-a-Service, offering up access to already hacked targets to the highest bidder.

Ghosts of Internet Past

(Raytheon|Websense) The structure of the Internet is aging -- forgotten and deferred maintenance will become a major, increasingly expensive problem for defenders. Among the problems: Alexa 1000 certificates not up to date; old and broken JavaScript versions that invite compromise; rapid OS updates and new trends in software end-of-life processes that cause havoc; and new applications built on recycled code with old vulnerabilities (think Heartbleed and POODLE).

Malicious e-commerce goes social

(DataVisor) Many traditional social networking sites such as Pinterest, Facebook and Twitter have announced plans to add "buy" buttons to their platforms in an effort to increase stickiness with their users and help monetize their user base. This will attract criminals looking to conduct fraudulent transactions on these platforms.

Passwords pass away

(Identity Automation) "No password" authentication methods will no longer be a pipe dream. Organizations will begin offering authentication methods that are a quicker and more seamless experience for users than passwords. They will include biometric, geolocation, Bluetooth proximity and pictographs.

The power of prediction

(Seculert) Prediction will emerge as the new Holy Grail of security. Prevention is passé, and even detection technologies will be supplanted by prediction, with machine learning becoming a key tool to help organizations anticipate where hackers will strike. 

Cloud Wars

(DataVisor/Blue Coat) As more organizations store their most valuable data in the cloud (customer and employee data, intellectual property etc.), the bad guys will find a way to gain access to this data, using computation infrastructure, which allows them to hide easily behind legitimate network sources and thus remain anonymous.

Hackers will use credentials to cloud services as a major attack vector. Social engineering tactics will focus on mimicking cloud login screens to gain credentials.

Crime piggybacks politics

(Raytheon|Websense) The U.S. elections will drive significant themed attacks. Attackers will use the attention given to political campaigns, platforms and candidates, as an opportunity to tailor social engineering lures. Others will focus on hacktivism, targeting candidates and social media platforms.

Getting physical

(Seculert/Imperva/DomainTools/ThreatStream) 2016 will witness the world's first openly declared cyber war, where the primary goals of the attackers -- hacktivists, nation states or terrorists -- are not financial but to cause physical damage in support of terrorist or geopolitical agendas. That will put infrastructure, priceless artifacts and more at risk. Transnational terrorist groups such as ISIS will attempt to attack a SCADA system or critical infrastructure with the goal of inflicting either economic damage or mass casualties. 

Smaller won't be safer

(AT&T) Hackers will no longer target just large organizations, as they can get equally valuable information in other places through analytics on the data they are collecting, combining data to make it more valuable. That means smaller organizations are more likely targets.

Cyber crime goes even more global

(Blue Coat) Smaller, developing countries that weren't big on cyber crime want in. It doesn't take a big military to cause big damage. Some -- like Nigeria -- are already entering the fray with more sophisticated attacks. Conflicts throughout the world will bring with them hardware-connected attacks.

Divide and conquer the juncture

(Kaspersky) A balkanized Internet, divided by countries, will appear, which would make any region vulnerable to attacks on the service junctures that provide access across different boundaries. Such a landscape could lead to a black market for connectivity.

Get thee an MSSP

(Blue Coat) The failure of organizations and countries to build up cyber talent will become a huge problem. Demand for information security professionals is expected to grow by 53 percent through 2018. Because of this, security jobs will be filled by MSSPs, and the cost will not decrease.

This story, "Top 15 security predictions for 2016," was originally published by CSO.
