Acoustic levitation of a large sphere



When placed in an acoustic field, small objects experience a net force that can be used to levitate the objects in air. In a new study, researchers have experimentally demonstrated the acoustic levitation of a 50-mm (2-inch) solid polystyrene sphere using ultrasound—acoustic waves that are above the frequency of human hearing.
The demonstration is one of the first times that an object larger than the wavelength of the acoustic wave has been acoustically levitated. Previously, this has been achieved only for a few specific cases, such as wire-like and planar objects. In the new study, the levitated sphere is 3.6 times larger than the 14-mm acoustic wavelength used here.


The researchers, Marco Andrade and Julio Adamowski at the University of São Paulo in Brazil, along with Anne Bernassau at Heriot-Watt University in Edinburgh, UK, have published a paper on the acoustic levitation demonstration in a recent issue of Applied Physics Letters.
"Acoustic levitation of small particles at the acoustic pressure nodes of a standing wave is well-known, but the maximum particle size that can be levitated at the pressure nodes is around one quarter of the acoustic wavelength," Andrade told Phys.org. "This means that, for a transducer operating at the ultrasonic range (frequency above 20 kHz), the maximum particle size that can be levitated is around 4 mm. In our paper, we demonstrate that we can combine multiple ultrasonic transducers to levitate an object significantly larger than the acoustic wavelength. In our experiment, we could increase the maximum object size from one quarter of the wavelength to 50 mm, which is approximately 3.6 times the acoustic wavelength."
Although there are several different ways to acoustically levitate an object, most methods use an ultrasonic transducer, which converts electrical signals into ultrasonic waves. The current setup uses three ultrasonic transducers arranged in a tripod fashion around the sphere.
As the researchers explain, the angle and number of transducers can be changed, and this does not interfere with the setup's ability to levitate a large object. The ability to levitate the large sphere occurs because the three transducers produce a standing wave in the space between the transducers and the sphere. In previous methods, small objects are levitated by being trapped at the pressure nodes of the standing wave, but this is not the case here.
"In a typical acoustic levitation device, a small particle can be levitated at the pressure node of a standing wave formed between the transducer and a reflector," Andrade explained. "Instead of trapping the object at the pressure node, the key to levitating an object larger than the acoustic wavelength is to generate a standing wave between the transducer and the object."
Although this strategy is based on earlier work, the tripod arrangement used here provides greater 3D stability.
"The idea of levitating an object larger than the acoustic wavelength was based on the paper of Zhao and Wallaschek," Andrade said. "In their paper, they showed that a large planar object can be levitated by generating a standing wave between the object and the transducer. However, their setup was only capable of providing vertical acoustic forces, and they used a central pin in contact with the object to prevent it from escaping laterally. By using three ultrasonic transducers in a tripod configuration, we obtain vertical and lateral acoustic forces. Consequently, we can levitate an object larger than the acoustic wavelength without any contact with external surfaces."
Using the new method, the researchers demonstrated that the sphere could be levitated to a height of about 7 mm, or approximately half the wavelength of the acoustic waves. They predict that the method can be used to levitate even larger spheres, and can also be extended to levitate objects of different shapes and sizes and at different positions.
"At the moment, we can only levitate the object at a fixed position in space," Andrade said. "In future work, we would like to develop new devices capable of levitating and manipulating large objects in air."
Acoustic levitation has applications for handling and manipulating various materials, such as very hot materials and liquid samples in space. In microgravity, the lower surface tension allows liquid droplets to reach larger sizes than they do on Earth, and acoustic levitation can be used to control and analyze these large liquid samples.

Apple planning major MacBook Pro refresh with AMD Polaris GPUs, Touch ID, and OLED function keys


The rate at which Apple refreshes its hardware has come under fire in recent weeks. While we’ve noted that the company’s laptops are mostly reasonably new, there are some old MacBook Pros in need of a refresh, and the Mac Pro desktop is now nearly three years old.
A new report from Bloomberg claims that Apple will refresh its entire MacBook Pro line this fall, with a new design and a number of new features. The company is supposedly working on a new programmable strip of OLED-based function keys that can be switched to perform different functions depending on which application you’re using. Apple’s goal is to simplify shortcuts and allow it to reprogram hardware buttons to add capabilities with software updates, rather than refreshing internal hardware.
Other changes supposedly include a thinner body (but not a tapered one like the MacBook Air), a smaller footprint with shallow curves around the edges of the device, a slightly larger trackpad, and integrated Touch ID support. Some systems will reportedly offer GPUs based on AMD’s Polaris architecture, while the lower-cost models will use Intel’s integrated graphics. USB Type-C is also rumored to be on the way and Thunderbolt 3 is logically expected, though whether Apple will use USB Type-C for it is a matter of debate. Previously, the company used DisplayPort to provide Thunderbolt capability.
We haven’t seen the mobile SKUs for Polaris yet, but it’s generally assumed that they’ll resemble the desktop chips AMD has just launched. At present, only one MacBook Pro uses an AMD GPU, the R9 M370X. That chip is a 640:40:16 configuration with an 800MHz core clock and a 128-bit memory bus. A mobile variant of the RX 460 could make a potent upgrade for that particular chip. It’s an 896:56:16 GPU with 4GB of RAM instead of 2GB and 112GB/s of memory bandwidth, up from 72GB/s.
[Image: Polaris 10 die] AMD’s larger Polaris GPU powers desktop chips, while the smaller Polaris 11 is likely intended for mobile.
Mobile chips typically have to operate at lower TDPs than desktop processors, which might require AMD to tweak the RX 460’s power envelope. But we’d still expect Polaris to offer substantially better performance compared to the old GCN 1.0 / Cape Verde GPU that Apple has relied on to anchor its top-end hardware. AMD would undoubtedly relish the halo win, but the impact on its bottom line is likely to be small unless Apple breaks with its own history of offering a limited number of GPU-equipped SKUs.
[Chart: Mac vs. iPad revenue; image by Bloomberg]
Apple may be turning back to the Mac line as a way to bolster flagging revenue from the iPad, as Bloomberg notes. While the iPad outstripped the Mac in 2012 and 2013, total revenue from the tablet business has been declining for years, despite Apple’s attempts to renew it with new variants of the iPad and the iPad Pro. One common criticism of the iPad Pro has been that Apple didn’t make the software changes necessary to turn the tablet into a serious productivity system. That kind of adaptation takes time, and it’s clear that the iPad Pro isn’t offsetting the general decline in tablet sales.
Apple isn’t expected to unveil this new hardware at its September 7 iPhone event, but the new systems will likely debut this fall, possibly alongside Intel’s Kaby Lake 14nm refresh.
Google Chrome will start blocking all Flash content next month


Flash was an integral part of the internet in years past, but it has also been a drag on performance and the source of a great many security vulnerabilities. Today, HTML5 is a better way to get the same sort of interactive content running on the web, and it works on mobile devices. The next phase in Adobe Flash’s agonizingly slow demise starts next month when Google Chrome begins blocking all Flash content.
This will come as part of the Chrome 53 update, which should be available in early September. Chrome 53 will block all the small, non-visible Flash elements on web pages. These are usually tracking platforms and page analytics, but they can slow down page loads just like larger Flash content. This is not Google’s first attempt to de-emphasize Flash on the web. Last year in Chrome 52, Google made most Flash content “click-to-play.”
So, what’s different now? In Chrome 52, the Flash block only applied to Flash objects that were above a certain size, but now that’s being extended to smaller Flash objects. The previous restriction was in place because at the time, there was no reliable way to detect viewability. Now, Chrome’s intersection observer API allows that. You will have the option to enable Flash objects on a page if they are necessary for the experience. If non-visible Flash objects are blocked, an icon in the address bar will alert you.
Google says that all Chrome users will see a benefit from this move. All the Flash objects loading in the background can make page loading sluggish. If you’re on a laptop, Flash also gobbles up power and reduces your battery life. Flash’s innate inefficiency is why it never took off on mobile devices.
While Flash content will be blocked in general, Google is making a temporary exception for some popular sites that still rely heavily upon Flash. Those include Facebook, Twitch, and Yahoo, among others. You’ll be prompted to enable Flash on these sites when loading them, but Google plans to phase out the Flash whitelist over time. When Chrome 55 rolls out in December, HTML5 will become the default experience. It’s not clear how exactly that will affect the whitelist.
The writing is on the wall for Flash; it’s not just Google waging a war on the archaic plug-in. Firefox 48 was announced last week with some Flash content being click-to-play and all Flash being blocked by default in 2017. Even Microsoft is cutting Flash off at the knees. In the Windows 10 anniversary update, Edge uses click-to-play for non-essential Flash elements. Another year or two and we’ll be all done with this.
How to Stop Windows 10 Anniversary Update’s privacy settings



The Windows 10 Anniversary Update has dropped, bringing a significant number of under-the-hood changes to the operating system. We’ve written many times about Windows 10 privacy issues over the past year, but haven’t gathered up our recommendations and strategies into a single story until now. Want to lock down your install and improve security? You’ve come to the right place.
Before we get started, there are two ways to talk about Windows 10 privacy, both of which are valid. The first one is to go hardcore: There are steps you can take to block Windows 10 from phoning home to Microsoft, or relaying any telemetry at all, even for home users. But those methods also require some fairly sophisticated additional tools, or at least a deeper understanding of Windows functions than many users may be comfortable with. For example, one challenge with locking down Windows 10 is that certain URLs are hardcoded into the operating system and can’t be blocked by any changes to your PC. These URLs can only be locked out via a separate firewall or by modifying your router to do so (if your router supports this function). Furthermore, there’s no practical way to prevent Microsoft from pushing an update that changes the addresses and obviates the bypass you had set up.
So let’s put that aside, and for now go the other way, in a simpler direction. Without going to more drastic measures, we’ll show how you can lock down your own system far more than it is after a stock Windows 10 install and ensure your data stays local. The truth is, Microsoft offers a great many fine-grained options with Windows 10 — including the ability to adjust privacy settings in ways that were sorely lacking in previous versions of the OS.

A step above Windows 8

When Windows 8 was under development, Microsoft repeatedly highlighted how it would require applications to disclose how they accessed and used user information. This turned out to be a meaningless feature, because while MS did indeed require applications to disclose the data they gathered, it gave the end user no actual choice or control over how that information was used.
Windows 10 isn’t quite as robust as some might like, but Microsoft does offer a number of fine-grained, application-level controls. We’ll touch on some of the specific areas of interest below, but most of these sections follow a common format. Each menu item offers you the option to control privacy settings for that device or capability and most can be fine-tuned at the application level. Windows 10’s Anniversary Update will let you decide to share your microphone with Skype, for example, but not with any other program.
General
The “General” privacy page contains a number of high-level options you’ll want to disable. Turning off the Advertising ID prevents Windows 10 from tracking you across multiple applications and showing you ads that cross app boundaries. For example, if you click on a number of ads in Application A, MS would like to remember that and show you similar ads in Application B.
Turning off Smart Screen actually isn’t recommended, but I’m taking these screenshots off my own rig and I keep it disabled here, because it’s got a nasty habit of blocking benchmarks and other products I use for work. If you don’t need to shut it off, you shouldn’t do so. The other options on this page allow MS to share and synchronize data between applications so you could open an application on one laptop, then continue using it on a different machine.
I’ve left the languages option checked because I don’t care if Microsoft knows I speak English. If you do, this can also be disabled.
Location
Next up: Location. The first options on this slide allow you to control how location settings are set for each account on a machine. You can turn Location Services off globally, or allow the function to run but control it on an application-by-application basis. If you want Windows to be able to give you general information by, say, zip code as opposed to your street address, you can also enable or disable that function. Finally, you can choose to set a default location if you don’t want to give precise information but still want the computer to know what city you live in.
Scroll down from these options (not shown) and you can set your location data on an application-by-application level. Geofencing — knowing whether a system has crossed into or out of a specific location — can also be controlled in this fashion. Microsoft tells you if any applications on your system use geofencing (none of mine do, so I can’t really show the outcome).
Speech, Inking, and Typing is an extremely important section for locking down your own privacy. You’ll see various options on this page depending on whether Cortana is currently enabled on your system. While you can’t completely disable Cortana on Windows 10, that’s partly because of how Microsoft has combined its “Search” functionality with Cortana’s capabilities.
This needs to be unpacked a bit. Before Windows 10 Anniversary Update, Microsoft referred to desktop search as “Search,” and Cortana was its digital assistant. Microsoft has since unified search and Cortana and now refers to the entire edifice as Cortana. So in one sense, no, you can’t turn “Cortana” off, because Cortana now encompasses both desktop search and the personal digital assistant. But you can refrain from using Cortana’s digital assistance capabilities, and you can deactivate her ability to gather data about you.
If you want to turn Cortana off and the box in this window reads “Stop getting to know me” instead of the reverse, you can click that box to disable her, and then visit your Bing personalization page to wipe information Cortana has previously gathered about you, wipe your search history, or delete previous interests and news items you’ve told Bing to aggregate on your behalf.
Other Devices
Other Devices contains some additional information you’ll want to check. This is where Microsoft sets permissions related to how data is shared across devices. You can choose to allow apps that synchronize across devices to use that functionality here, enable automatic content sharing for trusted devices, and enable or disable the Media Transfer Protocol (MTP). The Windows 10 Phone Companion application can also be enabled or disabled from this screen.
Feedback
The Feedback and Diagnostics panel gives you several important options regarding Windows feedback and the collection of telemetry. Telemetry gathering can’t be completely turned off in Windows 10, but you can dial it back to the most rudimentary level, Basic, that Microsoft allows.

Moving beyond Windows 10’s privacy settings

We’ve covered the various options embedded in Windows 10’s own settings. Windows 10 Pro owners have the option to make some additional changes via Gpedit.msc, but Microsoft doesn’t ship the Group Policy Editor on Windows 10 Home. Gpedit.msc can be acquired online, but it’s not the easiest or simplest way to make certain changes to Windows 10’s privacy settings.
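Group Policy settings are ultimately registry values, so the two switches this article covers that matter most for data leaving the machine (the telemetry level on the Feedback and Diagnostics page and the Advertising ID on the General page) can be audited and set from PowerShell without Gpedit.msc. This is an added example, not code from the article; the registry paths are the ones Microsoft’s DataCollection and AdvertisingInfo policies write, and it assumes Windows 10 Home honours the telemetry policy value the same way Pro does.

```powershell
# Added example, not from the article: audit and set two of the privacy switches it
# walks through. Registry paths are the ones Microsoft's DataCollection and
# AdvertisingInfo policies write (assumption: Windows 10 Home honours them too).
# Changing the HKLM value requires an elevated (Administrator) PowerShell session.

$TelemetryPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$AdvertisingKey     = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo'

# AllowTelemetry levels: 0 (Security) is honoured only on Enterprise/Education,
# so 1 (Basic) is the floor for Home and Pro, which matches the article.
$TelemetryLevels = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

function Get-PrivacyAudit {
    # A missing value means no policy is pinned, so the Settings app choice
    # (or the default) applies.
    $telemetry = (Get-ItemProperty -Path $TelemetryPolicyKey -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    $adId      = (Get-ItemProperty -Path $AdvertisingKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

    $telemetryText = 'not pinned by policy'
    if ($null -ne $telemetry) {
        $levelName = if ($TelemetryLevels.ContainsKey([int]$telemetry)) { $TelemetryLevels[[int]$telemetry] } else { 'unknown level' }
        $telemetryText = "$telemetry ($levelName)"
    }

    $adIdText = 'not set (defaults to on)'
    if ($null -ne $adId) {
        $adIdText = if ($adId -eq 0) { 'off' } else { 'on' }
    }

    [pscustomobject]@{
        TelemetryPolicy = $telemetryText
        AdvertisingId   = $adIdText
        # True when telemetry is unpinned or above Basic, or the Advertising ID is on.
        NeedsAttention  = (($null -eq $telemetry) -or ($telemetry -gt 1) -or ($adId -ne 0))
    }
}

function Set-TelemetryBasic {
    # Pin telemetry to Basic (1), the lowest level Home and Pro accept.
    if (-not (Test-Path $TelemetryPolicyKey)) {
        New-Item -Path $TelemetryPolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $TelemetryPolicyKey -Name AllowTelemetry -Value 1 -Type DWord
}

function Disable-AdvertisingId {
    # Same effect as turning off the Advertising ID toggle on the General privacy page.
    if (-not (Test-Path $AdvertisingKey)) {
        New-Item -Path $AdvertisingKey -Force | Out-Null
    }
    Set-ItemProperty -Path $AdvertisingKey -Name Enabled -Value 0 -Type DWord
}

# Report first; apply the changes only when something is off, then re-audit.
$audit = Get-PrivacyAudit
$audit | Format-List
if ($audit.NeedsAttention) {
    Set-TelemetryBasic
    Disable-AdvertisingId
    Get-PrivacyAudit | Format-List
}
```

Run Get-PrivacyAudit on its own first if you only want to see the current state without changing anything.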
One alternative is to download a third-party utility that can make certain changes for you. There are a number to choose from, though some may not work with Windows Anniversary Update. One we can confirm does work is Spybot’s Anti-Beacon for Windows 10:
Anti-Beacon is specifically designed to block Microsoft’s telemetry gathering, which puts it in a different category from the application-level privacy we’ve been discussing. While it’s far from the only tool in use to lock down Windows 10, it’s one of the few produced by a known software house (Spybot is also responsible for Spybot Search and Destroy). We recommend giving it a look if you want to further control what Windows 10 does and doesn’t share about you in the future. Be advised that if you choose to block Bing URLs, you won’t be able to access the search engine at all (the option to block Bing is in the “Optional” tab).
Questions? Comments? Other issues you’d like us to address? Sound off in the comments and let us know.
PlayStation Neo expected to debut September 7


Sony’s PlayStation Neo (also sometimes called the PlayStation 4.5 or PlayStation 4K) has been a hot topic since rumors of its existence started spreading earlier this spring. Sony is expected to unveil its mid-cycle upgrade platform in just under a month, at a special press event held in New York City. Sony supposedly chose the September 7 date to avoid going directly up against Nintendo’s anticipated announcement of its NX platform at the Tokyo Game Show on September 12.
This report, by French website Gameblog, confirms rumors we’ve heard concerning the PS4 Neo’s anticipated launch. Sony is rumored to want both the new platform and PlayStation VR to launch in time for Christmas 2016, and the resulting hardware extravaganza could contribute to significant earnings for the company — assuming customers bite.

What can the PS4 Neo do?

The rumors we’ve heard to date suggest that Sony will rigidly enforce backwards compatibility requirements for this new PS4. Games can’t include all-new modes of play or Neo-specific features, though developers are allowed to enhance existing capabilities for the new platform. The new console will supposedly feature eight AMD “Jaguar” CPU cores clocked at 2.1GHz (a 31% improvement), a Polaris-derived GPU with double the GPU cores and a higher clock frequency (2,304 cores total and a 911MHz clock, up from 1,154 cores and 853MHz), and 218GB/s of memory bandwidth, up from 176GB/s on the PS4 standard.

That’s all well and good, but it doesn’t tell us much about actual game performance. While there are a number of differences between the PC ecosystem and its console counterpart, we should be able to draw some relative performance data by looking at our own AMD RX 480 review. While none of our desktop GPUs is an exact match for the PS4 or PS4 Neo, the R9 270X comes fairly close to the PS4, while the RX 480 isn’t far off the PS4 Neo. In the graphs below, pay attention to just the 270X and the RX 480 — those are the GPUs we’re comparing against each other.
[Benchmark charts from our RX 480 review: Total War: Rome 2, Shadow of Mordor, Ashes of the Singularity]
In two DX11 benchmarks and one DX12 test, we see the RX 480 blasting past the R9 270X. Again, we’re not claiming that the PS4 Neo will be twice as fast as the PS4 — the two platforms are simply too different to make that assertion. But the significant performance improvements to Polaris should have a correspondingly significant impact on the PS4 Neo’s overall performance, and a 1.4 – 1.6x performance increase seems completely plausible.
The 31% increase in CPU clock speed will keep games from becoming CPU-limited, and it’s possible that Sony addressed other issues in the SoC as well. The PS4’s SoC is better described as two quad-core chips than a single eight-core SoC, but Sony may have paid AMD to design a unified eight-core chip with a faster L2 cache (Jaguar’s L2 historically runs at 50% CPU clock). Past presentations from developers like Naughty Dog have stated that looking up data in the other CPU cluster’s L2 cache has a latency hit almost as severe as just pulling data from main memory in the first place; a unified eight-core chip would alleviate this problem and allow developers to multi-thread more effectively.
There’s still no word on price or availability, but this new console could effectively sweep Microsoft’s refreshed Xbox One S completely off the table. While the Xbox One S is slightly faster than the original model, it’s not going to fare well against a revitalized PS4 — not when those comparisons already tilt Sony’s direction in the first place. Microsoft’s Project Scorpio is expected to leapfrog the PS4 altogether, but that’s not going to happen for another 12 months. If Sony’s VR experience is strong, the company could be set to own 2017 — news that’s probably not particularly welcome at Nintendo, which is hoping to ignite fan interest around its own platform, the mobile/living room hybrid Nintendo NX.

World’s oldest tool discovery by archaeology team


How smart were human-like species of the Stone Age? New research published in the Journal of Archaeological Science by a team led by paleoanthropologist April Nowell of the University of Victoria reveals surprisingly sophisticated adaptations by early humans living 250,000 years ago in a former oasis near Azraq, Jordan.
The research team from UVic and partner universities in the US and Jordan has found the oldest evidence of protein residue—the residual remains of butchered animals including horse, rhinoceros, wild cattle and duck—on stone tools. The discovery draws startling conclusions about how these early humans subsisted in a very demanding habitat, thousands of years before Homo sapiens first evolved in Africa.
The team excavated 10,000 stone tools over three years from what is now a desert in the northwest of Jordan, but was once a wetland that became increasingly arid habitat 250,000 years ago. The team closely examined 7,000 of these tools, including scrapers, flakes, projectile points and hand axes (commonly known as the "Swiss army knife" of the Paleolithic period), with 44 subsequently selected as candidates for testing. Of this sample, 17 tools tested positive for protein residue, i.e. blood and other animal products.
"Researchers have known for decades about carnivorous behaviours by tool-making hominins dating back 2.5 million years, but now, for the first time, we have direct evidence of exploitation by our Stone Age ancestors of specific animals for subsistence," says Nowell. "The hominins in this region were clearly adaptable and capable of taking advantage of a wide range of available prey, from rhinoceros to ducks, in an extremely challenging environment."
"What this tells us about their lives and complex strategies for survival, such as the highly variable techniques for prey exploitation, as well as predator avoidance and protection of carcasses for food, significantly diverges from what we might expect from this extinct species," continues Nowell. "It opens up our ability to ask questions about how Middle Pleistocene hominins lived in this region and it might be a key to understanding the nature of interbreeding and population dispersals across Eurasia with modern humans and archaic populations such as Neanderthals."
Another result of this study is the potential to revolutionize what researchers know about early hominin diets. "Other researchers with tools as old or older than these tools from sites in a variety of different environmental settings may also have success when applying the same technique to their tools, especially in the absence of animal remains at those sites," adds Nowell.


Microsoft, Sony, and other companies still use illegal warranty-void-if-removed stickers


One of the ways manufacturers coerce users not to modify or even open hardware they’ve purchased is through warranty-void-if-removed stickers. These stickers are common on electronics equipment — Microsoft uses them on the Xbox One, Sony has them on the PS4, and you’ve probably owned a phone that had at least one somewhere.
These stickers are almost certainly illegal, as Motherboard points out in relation to the new Xbox One S. The problem with the stickers is that they run afoul of the FCC’s rules on tying repair services to specific products. This issue is also probably why Apple agreed to change its practices regarding iPhones, when devices that had been repaired by third-party shops would then suddenly fail when upgraded to Apple’s latest operating system.
“The stickers could be deceptive by implying consumers can’t use parts the warrantor doesn’t pre-approve, which violates the anti-tying provisions of MMWA,” FTC spokesperson Frank Dorman told Vice.

[Image: PS4 warranty sticker; image by iFixit] This practice isn’t remotely unique to Microsoft. The PS4 does the same thing.
Companies don’t like to talk about these policies, most likely because they don’t want to admit they’ve been doing something illegal for decades. Laws like the 1975 Magnuson–Moss Warranty Act were passed to prevent companies from tying customers to expensive repair contracts, or requiring customers to use only approved hardware installed by “authorized” resellers. The common example for this is with cars, where it’s illegal for a manufacturer to try and force you to only install their own parts.
There are, of course, limits to these laws. If you destroy your transmission or engine while servicing them, the manufacturer is under no obligation to repair the vehicle. What manufacturers aren’t allowed to do is refuse to honor a warranty on your engine just because you installed a different set of speakers or an aftermarket radio. The obligation is on the manufacturer to demonstrate that your third-party repairs or modifications caused the failure, not the other way around.
Modern electronics are tightly integrated, but the concept is the same. Microsoft isn’t allowed to prevent you from opening your own hardware, and neither is any other manufacturer. So why do they?
The answer is simple: Because they know you won’t do anything about it. It’s a nifty example of how companies get away with doing illegal things — the cost of taking them to court and forcing them to comply with the law is higher than the value of the product. A car is expensive enough to repair that companies can’t get away with telling you to pony up thousands of dollars for their own parts and repair shops. On the other hand, a smartphone can cost $500 to $700, but that doesn’t begin to cover the cost of a lawyer to litigate the issue, and Apple, Microsoft, and other companies know it.
In Microsoft’s case, its warranty states that it ceases to apply if the Xbox One is “opened, modified, or tampered with.” It’s flatly illegal. But until someone brings a case against the company and litigates it out, electronics companies will continue to put these stickers on their products, and consumers will continue to believe the manufacturers are legally allowed to do so.
The situation is also playing out in new ways thanks to the advent of DRM. Tractor manufacturer John Deere and the Library of Congress have both resisted any attempt to require manufacturers to share data on firmware or other DRM’d blocks of information, because it could conceivably allow for piracy or alter the function of the vehicle. John Deere has gone so far as to claim that by purchasing a tractor, farmers gain “an implied license for the life of the vehicle to operate the vehicle.” It’s the concept of software licensing, except applied to hardware, and the fact that it’s illegal doesn’t seem to concern anyone much.


Hacking US infrastructure, what defence is up?


Is our infrastructure vulnerable to hackers? The short answer to the question, unfortunately, is yes. But it’s not like no one is thinking about the issue or doing anything about it. As with the dire predictions of Y2K meltdowns from the turn of the millennium, while there are definite and potentially huge risks, both the public and private sectors are working to mitigate them.

Power grid and utility vulnerability

The Ukraine power grid attack in December 2015 was a sobering wake-up call of the extent of what is possible. In that event, which some security experts have called cunning and brilliant, the hackers planned the attack by infiltrating the power utility systems over a period of months. Using some old-school exploits like Microsoft Word file attachments with an infected macro that downloaded malware, and careful infiltration of the network stealing remote login credentials over time, the hackers were able to get control of the system to ultimately shut off power to 230,000 people in a cold winter.
The good news is that manual overrides were able to turn the power back on relatively quickly, but some parts of the Ukraine grid took longer to return. Russia is suspected to be behind that attack, given the tensions in the region, but the cyberwarfare world has both state and non-state actors. Russia, China, Israel, Iran, North Korea, and the US all have cyber units, and terrorist groups like ISIS and many other lesser known groups have engaged in cyberattacks for coercive, monetary, or political motives.
Part of the risk in cyber intrusions on infrastructure is the connection of these systems to the internet. Many ICS/SCADA (Industrial Control Systems/Supervisory Control and Data Acquisition) systems are based on older technology. The grafting of internet and networking capabilities onto these systems enables remote monitoring and control, and sometimes end-customer access to utility usage and billing data. Sometimes, these newer forms of access are not adequately shielded from the systems that control vital aspects of the utilities.
A case in point involved a Verizon report of a data breach at an unnamed water utility in the US in March. That utility’s SCADA platform was based on an IBM AS/400 minicomputer, a 1980s era system, and incorporated valve flow and control software as well as IT applications like customer billing. The system was connected to an end-customer online payment portal. Hackers exploited a flaw in the portal to gain access to the AS/400 admin credentials, essentially gaining control over almost all of its applications.
Aside from stealing 2.5 million customer account records, including billing information, what’s more frightening is that the hackers were able to gain control over the valve and flow software. They were able to control the chemicals used in water treatment and affect the rate at which water was returned for usage. Fortunately, other indicators alerted the water utility’s staff to what was happening, and the system was overridden. But it’s clear that if a series of coordinated attacks were carried out on vital systems, the havoc would not be easy to contain.
Interestingly enough, some of these issues can be ameliorated simply by better use of existing technology. For example, many remote or VPN logins don’t use two-factor authentication – something increasingly deployed now on many consumer-facing services. This could help thwart many situations in which hackers halfway around the world steal passwords via various known means. Part of the reason is that, in many cases, locally run utilities have regulated rates and limited budgets, and software upgrades are often put off. The “if it ain’t broken, don’t fix it” mentality can delay necessary security improvements, especially when modifying older technology may introduce new issues.
Another attack technique being discovered is infecting the software upgrade mechanisms of ICS/SCADA vendors. Just like Windows Update, these vendors have either manual or automated firmware and software upgrade mechanisms. So rather than break into a specific system, a hacker could plant malware in a software update. That malware may lurk in systems for months or years, ready to be triggered by some specific attack or time-based event.

Smart cities and other infrastructure concerns

Water and electric infrastructure may be particularly vulnerable due to the age of the systems and the universal dependence on these services. But obviously other critical infrastructure may be equally vulnerable – transportation, energy, communications, and healthcare among them. There have been well publicized cases of ransomware attacks on hospital health record systems. While in several of those cases the hospitals quickly paid up relatively small sums (compared with the cost of not having their systems back), in a cyberwar scenario the effects could be far costlier and deadlier. The Department of Transportation lacks a coherent cybersecurity strategy. With the push for smarter cities, more internet-connected city information and services, and a looming future of autonomous cars, the importance of best practices and standards for cybersecurity in transportation is increasing exponentially.
The Stuxnet worm, reportedly developed by Israel and the US, is said to have severely slowed Iran’s uranium enrichment program for a nuclear weapon. It is one of the best-known cases of states using cyber capabilities as an alternative to physical attack to reach an objective. We should be mindful that our own nuclear energy infrastructure needs to be better protected. A recent report indicates that attacks on U.S. non-military nuclear systems are increasing. Part of the problem is that there are contracts with vendors to maintain security, but many of these do not go into enough detail about monitoring, reporting, and performance metrics. Nuclear energy is heavily regulated, and security has always been taken seriously. But it is also an industry with aging infrastructure, and the same budget issues that apply to other utility infrastructure apply here as well.
Does all of this sound scary? It is, but the threats are being taken seriously. In this presidential election season, even the voting systems are being considered. Following the recent Democratic National Committee hacks, the Department of Homeland Security is looking into ways the election infrastructure can be better protected. Some of the concern comes from the increasing use of wireless technology in voting machines to tabulate and aggregate voting data. It is a complicated task, with over 9,000 jurisdictions controlling voting across the country. But understanding potential threats and security best practices can limit the possibility of tampering with the system. Regardless of the severity of the potential consequences, it’s impossible to protect against every threat, in either the cyber or the physical world.
In time for Black Hat and DEFCON, we’re covering security, cyberwar, and online crime all this week; check out the rest of our Security Week stories for more in-depth coverage.