ciso brief

All news with #infrastructure security tag

161 articles · page 4 of 9

Ecdysis: Rust Library for Zero‑Downtime Graceful Restarts

🔁 ecdysis is a Cloudflare open-source Rust library that enables graceful process restarts without dropping live connections or refusing new connections. It uses a fork-then-exec model with inherited listening sockets and a readiness handshake so the new process can initialize safely. The design provides crash safety during upgrades and prevents gaps where the kernel would refuse connections. The library integrates with Tokio and systemd and has been production-proven since 2021, saving millions of requests across Cloudflare’s global network.
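The fork-then-exec handoff and readiness handshake described above, as an added Python example standing in for the Rust library. This is not ecdysis code: the successor program, the pipe-based READY handshake and the two scenarios (a healthy successor, and one that crashes before signalling readiness) are constructed here to show why the old process keeps the inherited listening socket until the handshake completes.

```python
import os
import select
import signal
import socket
import sys

# Program the successor runs after exec (constructed for this example). It adopts
# the inherited listening socket by descriptor number, does its (simulated)
# initialization, signals READY over the handshake pipe, and only then serves.
SUCCESSOR_CODE = r"""
import os, socket, sys
listen_fd, ready_fd = int(sys.argv[1]), int(sys.argv[2])
listener = socket.socket(fileno=listen_fd)   # same socket: no close/re-bind gap
# ... config load, cache warm-up, etc. would happen here ...
os.write(ready_fd, b"READY")
os.close(ready_fd)
conn, _ = listener.accept()
conn.sendall(b"served by new pid %d" % os.getpid())
conn.close()
"""

# Successor that dies during initialization, before it can signal readiness.
CRASHING_CODE = "import sys; sys.exit(1)"


def spawn_successor(listener, child_code, timeout=10.0):
    """Fork, then exec a successor that inherits `listener`.

    Returns (pid, ready). ready is True only if the child completed the READY
    handshake; the caller keeps owning the socket until then, so a successor
    that crashes never leaves a window in which nobody is listening.
    """
    read_end, write_end = os.pipe()
    os.set_inheritable(listener.fileno(), True)   # clear FD_CLOEXEC so exec keeps it
    os.set_inheritable(write_end, True)
    pid = os.fork()
    if pid == 0:                                  # child
        os.close(read_end)
        try:
            os.execv(sys.executable, [sys.executable, "-c", child_code,
                                      str(listener.fileno()), str(write_end)])
        finally:
            os._exit(127)                         # only reached if exec failed
    os.close(write_end)   # parent: EOF on read_end now means the child died before READY
    readable, _, _ = select.select([read_end], [], [], timeout)
    msg = os.read(read_end, 16) if readable else b""
    os.close(read_end)
    return pid, msg == b"READY"


def restart(crash=False):
    """One restart cycle; returns what a client saw and whether the handoff happened."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    port = listener.getsockname()[1]
    pid, ready = spawn_successor(listener, CRASHING_CODE if crash else SUCCESSOR_CODE)
    # A client connecting now lands in the kernel backlog of the shared socket and
    # is accepted by whichever process owns it; it is never refused.
    client = socket.create_connection(("127.0.0.1", port), timeout=10)
    if ready:
        listener.close()                  # hand-over complete: successor owns the socket
        reply = client.recv(64)
        os.waitpid(pid, 0)
    else:
        try:
            os.kill(pid, signal.SIGTERM)  # in case it is hung rather than dead
        except ProcessLookupError:
            pass
        os.waitpid(pid, 0)                # reap the failed successor and keep serving
        conn, _ = listener.accept()
        conn.sendall(b"served by old pid %d" % os.getpid())
        conn.close()
        reply = client.recv(64)
        listener.close()
    client.close()
    return {"ready": ready, "reply": reply}


if __name__ == "__main__":
    print(restart())             # the successor served the connection
    print(restart(crash=True))   # the old process kept serving
```

The two properties the summary names fall out of the ordering: the listening socket is never closed and re-bound, so the kernel keeps queueing connections throughout, and the old process only gives up the socket after READY arrives, so a successor that crashes during initialization costs nothing but a reaped child.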

High-Temperature Superconductors for Datacenter Power

⚡ Microsoft is evaluating high-temperature superconductors (HTS) to improve datacenter power delivery, reduce transmission losses, and increase capacity within compact footprints. HTS cables, when maintained at cryogenic temperatures, carry electricity with near-zero resistance, enabling smaller, lighter cabling that generates negligible heat and avoids voltage drops. By partnering with manufacturers and system integrators, Microsoft plans pilots of rack-level HTS architectures and aims to rethink traditional power designs to support AI-era workloads.

CISA Guidance: Barriers to Secure OT Communication

🔒 CISA released guidance that examines why legacy industrial protocols are often insecure by design and why the protections that do exist are not widely adopted. Developed with OT equipment manufacturers and standards bodies, the document reports findings from interviews with asset owners and operators about their motivations to secure communication and the barriers they face. It identifies practical, operational, and technical obstacles and offers recommendations for owners, operators, and manufacturers to drive more usable, sustainable security capabilities.

CISA Guide Helps Critical Infrastructure Adopt Secure OT

🔒 CISA released Barriers to Secure OT Communications: Why Johnny Can’t Authenticate to help operational technology (OT) owners, operators, integrators, and manufacturers adopt more secure communications. Based on interviews with stakeholders across Water and Wastewater, Transportation, Chemical, Energy, and Food and Agriculture sectors, the guide explains why insecure legacy industrial protocols persist and how threat actors can impersonate devices or alter messages. It identifies practical barriers—cost and complexity, latency and bandwidth, inspection issues from encryption, and interoperability with legacy products—and offers actionable recommendations to reduce friction and improve usability when procuring, deploying, and maintaining secure OT communications.

AWS Config Adds 30 New Resource Types for Coverage

📌 AWS Config now supports 30 additional AWS resource types across services including Amazon EKS, Amazon Q, and AWS IoT. If you have enabled recording for all resource types, these additions are tracked automatically and are available in Config rules and Config aggregators. The expanded coverage improves visibility for discovery, audit, and automated remediation and includes types such as EKS::Nodegroup, QuickSight::Dashboard, Glue::Crawler, and IoT::TopicRule.

CISA Orders Removal of Unsupported Edge Devices Nationwide

🔒 CISA has ordered federal agencies to remove edge devices that no longer receive vendor security updates and to strengthen lifecycle management within 12 to 18 months. Binding Operational Directive (BOD) 26-02 requires agencies to catalog devices, update supported software immediately, report end-of-support items within three months, decommission devices on CISA's list within 12 months, and decommission other end-of-support devices within 18 months. CISA published an end-of-support edge device list and highlighted routers, firewalls, load balancers, wireless access points and IoT edge gear as high-risk targets for exploitation.

CISA directs removal of unsupported federal edge devices

🔒 CISA has ordered Federal Civilian Executive Branch agencies to inventory, update where possible, and remove all end-of-support edge devices—firewalls, routers, VPN gateways, load balancers, and other network security appliances—within an 18-month timeline. Agencies must report inventories within three months and begin removals within 12 months. CISA warned unsupported devices represent a substantial and constant threat and urged private sector adoption of similar measures.

CISA Orders Federal Agencies to Replace EOL Edge Devices

⚠️ CISA has issued BOD 26-02 requiring U.S. federal agencies to identify and remove end-of-life (EOL) network edge devices such as routers, firewalls, and switches that no longer receive security updates. Agencies must inventory devices on CISA's end-of-support list within three months, decommission pre-directive EOL devices within 12 months, and replace all identified EOL edge equipment within 18 months. The directive also requires agencies to implement continuous discovery processes within 24 months and encourages non-federal organizations to follow CISA's guidance to mitigate exploitation risks.

Cloud Outages Ripple Through Identity and Operations

🔐 Recent large-scale cloud outages affecting providers like AWS, Azure, and Cloudflare have shown how failures in shared infrastructure can incapacitate identity flows and halt business-critical systems. Even when an identity provider remains operational, failures in datastores, DNS, control planes, or load balancers can block authentication and authorization. Organizations should deliberately design resilience—using multi-cloud or controlled on-prem options and predictable degraded modes such as cached attributes or precomputed decisions—to avoid total access collapse.
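One shape the "predictable degraded mode" above can take, as an added Python example that is not from the article: an authorizer that serves reads and writes from cached attributes or batch-precomputed decisions while the datastore behind the identity provider is unreachable, bounds how stale that data may be per action, and fails closed for privileged actions. The attribute store, role model, staleness limits and subjects are all constructed for illustration.

```python
import time


class StoreUnavailable(Exception):
    """Raised when the datastore behind the IdP cannot be reached."""


class AttributeStore:
    """Stand-in for the datastore that holds subject attributes (constructed)."""
    def __init__(self, records):
        self.records, self.available = records, True

    def get(self, subject):
        if not self.available:
            raise StoreUnavailable(subject)
        return self.records[subject]


class FakeClock:
    """Controllable clock so staleness limits can be exercised deterministically."""
    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


# Actions that may be decided from stale data during an outage, and the maximum
# age (seconds) tolerated for each. Anything absent here fails closed.
DEGRADED_MAX_AGE = {"read": 3600.0, "write": 300.0}


class Authorizer:
    def __init__(self, store, clock=time.monotonic):
        self.store, self.clock = store, clock
        self.attr_cache = {}     # subject -> (attributes, fetched_at)
        self.precomputed = {}    # (subject, action) -> (allowed, computed_at)

    @staticmethod
    def decide(attrs, action):
        """The policy itself; deliberately small (constructed role model)."""
        roles = attrs.get("roles", set())
        if action in ("read", "write"):
            return bool(roles & {"user", "admin"})
        if action == "rotate-keys":
            return "admin" in roles
        return False

    def precompute(self, subject, action):
        """Batch job run while healthy: decisions for hot (subject, action) pairs."""
        attrs = self.store.get(subject)
        self.precomputed[(subject, action)] = (self.decide(attrs, action), self.clock())

    def authorize(self, subject, action):
        try:
            attrs = self.store.get(subject)
        except StoreUnavailable:
            return self._degraded(subject, action)
        self.attr_cache[subject] = (attrs, self.clock())   # refresh on every live lookup
        return {"allowed": self.decide(attrs, action), "mode": "normal"}

    def _degraded(self, subject, action):
        max_age = DEGRADED_MAX_AGE.get(action)
        if max_age is None:
            return {"allowed": False, "mode": "degraded", "reason": "privileged action fails closed"}
        now = self.clock()
        cached = self.attr_cache.get(subject)
        if cached and now - cached[1] <= max_age:
            return {"allowed": self.decide(cached[0], action), "mode": "degraded-cached"}
        pre = self.precomputed.get((subject, action))
        if pre and now - pre[1] <= max_age:
            return {"allowed": pre[0], "mode": "degraded-precomputed"}
        return {"allowed": False, "mode": "degraded", "reason": "no sufficiently fresh data"}


def outage_scenario():
    """Warm the caches while healthy, take the store down, and record decisions."""
    store = AttributeStore({"alice": {"roles": {"admin"}}, "bob": {"roles": {"user"}}})
    clock = FakeClock(1000.0)
    az = Authorizer(store, clock)
    az.authorize("alice", "read")            # populates alice's cached attributes
    az.precompute("bob", "read")             # batch-precomputed decision for bob
    store.available = False                  # the datastore behind the IdP fails
    results = {
        "alice_read": az.authorize("alice", "read"),
        "alice_rotate": az.authorize("alice", "rotate-keys"),
        "bob_read": az.authorize("bob", "read"),
        "bob_write": az.authorize("bob", "write"),
    }
    clock.now += 600                         # ten minutes into the outage
    results["alice_write_stale"] = az.authorize("alice", "write")
    results["alice_read_later"] = az.authorize("alice", "read")
    return results


if __name__ == "__main__":
    for name, result in outage_scenario().items():
        print(name, result)
```

The point of the per-action age table is that degradation is decided in advance, not improvised during the incident: reads tolerate an hour of staleness, writes five minutes, and key rotation none at all, so the blast radius of a datastore outage is a known quantity rather than a total access collapse or a silent fail-open.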

Serverless File Integrity Monitoring with AWS Tools

🔒 This post demonstrates a serverless file integrity monitoring (FIM) pattern using AWS Systems Manager Inventory, Amazon S3, AWS Lambda, and Amazon Security Lake. It collects file metadata from EC2 instances, exports versioned inventory objects to S3, and uses S3 object-created (PUT) events to trigger a Lambda function that compares the current inventory version with the previous one to detect created, modified, or deleted files. When unauthorized changes are found, the function generates findings in the AWS Security Finding Format (ASFF) and sends them to AWS Security Hub, which Security Lake ingests and normalizes for query and visualization via Athena, QuickSight, or OpenSearch.
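The core of the Lambda step described above (diff two inventory versions, drop expected churn, emit ASFF findings), as an added Python example that is not the post's code. The records use a simplified shape modelled on the Name, Size and ModificationTime attributes of the AWS:File inventory type, the two inventory versions and the expected-churn allow-list are constructed sample data, and the ASFF `Types` taxonomy leaf and `GeneratorId` are assumptions; fetching the S3 object versions and calling `BatchImportFindings` are left out so the block runs offline.

```python
import hashlib

# Paths where churn is expected; changes there are not raised as findings.
# (Constructed allow-list; tune per fleet.)
EXPECTED_CHURN = ("/var/log/", "/tmp/")

# Two consecutive inventory versions for one instance, in a simplified AWS:File
# record shape (constructed sample data).
PREVIOUS = [
    {"Name": "/etc/passwd",          "Size": 1804,   "ModificationTime": "2026-01-20T10:00:00Z"},
    {"Name": "/etc/ssh/sshd_config", "Size": 3223,   "ModificationTime": "2025-11-02T08:15:00Z"},
    {"Name": "/usr/sbin/sshd",       "Size": 925000, "ModificationTime": "2025-11-02T08:15:00Z"},
    {"Name": "/var/log/syslog",      "Size": 40960,  "ModificationTime": "2026-01-22T23:59:00Z"},
]
CURRENT = [
    {"Name": "/etc/passwd",          "Size": 1851,   "ModificationTime": "2026-01-23T02:14:00Z"},
    {"Name": "/usr/sbin/sshd",       "Size": 925000, "ModificationTime": "2025-11-02T08:15:00Z"},
    {"Name": "/var/log/syslog",      "Size": 52000,  "ModificationTime": "2026-01-23T03:00:00Z"},
    {"Name": "/etc/cron.d/nightly",  "Size": 112,    "ModificationTime": "2026-01-23T02:15:00Z"},
]


def diff_inventories(previous, current):
    """Return (kind, path, before, after) tuples for files created, deleted or
    modified between two inventory versions. The inventory carries no content
    hash, so 'modified' means size or modification time changed."""
    prev = {r["Name"]: r for r in previous}
    cur = {r["Name"]: r for r in current}
    changes = []
    for name in sorted(cur.keys() - prev.keys()):
        changes.append(("CREATED", name, None, cur[name]))
    for name in sorted(prev.keys() - cur.keys()):
        changes.append(("DELETED", name, prev[name], None))
    for name in sorted(prev.keys() & cur.keys()):
        before, after = prev[name], cur[name]
        if (before["Size"], before["ModificationTime"]) != (after["Size"], after["ModificationTime"]):
            changes.append(("MODIFIED", name, before, after))
    return changes


def to_asff(change, instance_id, account_id, region, observed_at):
    """Build one ASFF finding suitable for Security Hub BatchImportFindings."""
    kind, name, before, after = change
    fmt = lambda r: f"{r['Size']} bytes, mtime {r['ModificationTime']}" if r else "n/a"
    # Deterministic Id: re-importing the same observation updates it instead of
    # creating a duplicate finding.
    digest = hashlib.sha256(f"{instance_id}|{name}|{kind}|{observed_at}".encode()).hexdigest()[:32]
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"fim/{instance_id}/{digest}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": "serverless-fim-inventory-diff",          # assumed name
        "AwsAccountId": account_id,
        "Types": ["Unusual Behaviors/VM/File Integrity"],          # taxonomy leaf is an assumption
        "CreatedAt": observed_at,
        "UpdatedAt": observed_at,
        "Severity": {"Label": {"CREATED": "MEDIUM", "MODIFIED": "HIGH", "DELETED": "HIGH"}[kind]},
        "Title": f"File {kind.lower()}: {name}",
        "Description": (f"{name} on {instance_id} was {kind.lower()} between inventory "
                        f"versions. Before: {fmt(before)}. After: {fmt(after)}."),
        "Resources": [{
            "Type": "AwsEc2Instance",
            "Id": f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}",
            "Region": region,
            "Details": {"Other": {"Path": name, "Change": kind,
                                  "Before": fmt(before), "After": fmt(after)}},
        }],
    }


def build_findings(previous, current, *, instance_id, account_id, region,
                   observed_at, expected=EXPECTED_CHURN):
    """Diff two inventory versions and emit findings for unexpected changes only."""
    return [
        to_asff(change, instance_id, account_id, region, observed_at)
        for change in diff_inventories(previous, current)
        if not change[1].startswith(expected)
    ]


if __name__ == "__main__":
    for finding in build_findings(PREVIOUS, CURRENT, instance_id="i-0123456789abcdef0",
                                  account_id="123456789012", region="us-east-1",
                                  observed_at="2026-01-23T03:05:00Z"):
        print(finding["Severity"]["Label"], finding["Title"])
```

With the constructed data the diff yields four changes, of which the `/var/log/syslog` growth is filtered out, leaving findings for the modified `/etc/passwd`, the deleted `sshd_config` and the new cron entry. Because Systems Manager Inventory records size and modification time but no content hash, a same-size, same-mtime rewrite is invisible to this comparison; anyone relying on it for high-value files should add a hashing step on the instance.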

Cloudflare IPv6 route leak from router misconfiguration

⚠️ Cloudflare disclosed that a policy misconfiguration on a router caused a 25-minute Border Gateway Protocol (BGP) route leak for IPv6 traffic on January 22, producing congestion, packet loss, and roughly 12 Gbps of dropped traffic. The change removed specific prefix filters and made export rules overly permissive, redistributing internal IPv6 routes externally from Miami. Engineers detected and manually reverted the change, paused automation, and restored normal operations within 25 minutes. Cloudflare says it will add stricter export safeguards, CI/CD policy checks, improved detection, and promote RPKI ASPA adoption.

January 22, 2026 IPv6 BGP Route Leak from Miami Data Center

⚠️ On January 22, 2026, an automated routing policy change caused Cloudflare to unintentionally advertise IPv6 routes from a Miami router for 25 minutes. The misconfiguration accepted internal IBGP routes and redistributed them to peers and transit providers, funneling non-Cloudflare traffic into Miami and causing congestion, elevated packet loss, and higher latency on backbone links. Firewall filters on the router discarded around 12 Gbps of ingress traffic for those non-downstream prefixes. Cloudflare paused automation, reverted the change, restored normal operation, and apologized to affected users, customers, and external networks.
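The failure mode both Cloudflare write-ups above describe (an export policy that lost its prefix-list guard and re-advertised iBGP-learned routes to peers and transit) and the CI/CD policy check they say will be added, as an added Python example. This is not Cloudflare's router configuration or tooling: the prefixes, the AS 65000 community values, the RIB entries and the term format are constructed, and a real deployment would express the same guards in the router vendor's policy language and lint the rendered config.

```python
import ipaddress

# Communities this network (AS 65000 in the example) uses to mark route classes.
OWN_COMMUNITY = "65000:100"        # prefixes we originate ourselves
CUSTOMER_COMMUNITY = "65000:200"   # routes from downstream customers
OWN_PREFIXES = [ipaddress.ip_network("2001:db8:100::/48"),
                ipaddress.ip_network("2001:db8:200::/48")]

# Constructed RIB of the edge router. "source" is how this router learned the
# route; iBGP routes include prefixes other sites learned from peers and transit.
RIB = [
    {"prefix": "2001:db8:100::/48", "source": "ibgp",     "communities": {OWN_COMMUNITY}},
    {"prefix": "2001:db8:200::/48", "source": "ibgp",     "communities": {OWN_COMMUNITY}},
    {"prefix": "2001:db8:c00::/48", "source": "customer", "communities": {CUSTOMER_COMMUNITY}},
    {"prefix": "2001:db8:a00::/48", "source": "ibgp",     "communities": set()},  # peer route from another site
    {"prefix": "2001:db8:b00::/48", "source": "ibgp",     "communities": set()},  # transit route from another site
    {"prefix": "2001:db8:e00::/40", "source": "transit",  "communities": set()},  # learned from local transit
]


def in_prefix_list(prefix, prefix_list):
    """True if prefix equals or is more specific than an entry of the list."""
    net = ipaddress.ip_network(prefix)
    return any(net.version == p.version and net.subnet_of(p) for p in prefix_list)


def term_matches(match, route):
    """A term matches only if every condition it carries holds; {} matches everything."""
    if "source" in match and route["source"] != match["source"]:
        return False
    if "community" in match and match["community"] not in route["communities"]:
        return False
    if "prefix_list" in match and not in_prefix_list(route["prefix"], match["prefix_list"]):
        return False
    return True


def evaluate(policy, route, default="reject"):
    """First matching term wins; unmatched routes get the default action."""
    for term in policy:
        if term_matches(term["match"], route):
            return term["action"]
    return default


# Export policy toward peers and transit after the bad change: the prefix-list
# guard is gone and a catch-all accept is what remains.
PERMISSIVE_EXPORT = [
    {"name": "no-transit-to-transit", "match": {"source": "transit"}, "action": "reject"},
    {"name": "export-all",            "match": {},                    "action": "accept"},
]

# Guarded policy: only our own tagged prefixes and tagged customer routes leave.
GUARDED_EXPORT = [
    {"name": "own-prefixes",    "match": {"prefix_list": OWN_PREFIXES, "community": OWN_COMMUNITY}, "action": "accept"},
    {"name": "customer-routes", "match": {"community": CUSTOMER_COMMUNITY},                         "action": "accept"},
    {"name": "deny-rest",       "match": {},                                                       "action": "reject"},
]


def exported(policy, rib):
    """Prefixes the policy would advertise to the peer or transit session."""
    return sorted(r["prefix"] for r in rib if evaluate(policy, r) == "accept")


def leaked(policy, rib):
    """Exported prefixes that are neither ours nor tagged customer routes."""
    return sorted(r["prefix"] for r in rib
                  if evaluate(policy, r) == "accept"
                  and not in_prefix_list(r["prefix"], OWN_PREFIXES)
                  and CUSTOMER_COMMUNITY not in r["communities"])


def lint_export_policy(policy):
    """CI check: every accept term must be constrained by a prefix-list or a community."""
    return [f"term '{t['name']}' accepts routes without a prefix-list or community guard"
            for t in policy
            if t["action"] == "accept" and not ({"prefix_list", "community"} & set(t["match"]))]


if __name__ == "__main__":
    print("permissive leaks:", leaked(PERMISSIVE_EXPORT, RIB))
    print("guarded leaks:   ", leaked(GUARDED_EXPORT, RIB))
    print("lint:", lint_export_policy(PERMISSIVE_EXPORT) or "ok")
```

Against the constructed RIB the permissive policy advertises the two untagged iBGP routes, which is exactly the leak: other networks now see this site as a path to prefixes it does not own and does not serve, and their traffic is pulled in. The lint rule catches the defect before deployment because it inspects structure rather than outcome: an accept term with no prefix-list or community condition is unsafe regardless of what happens to be in the RIB at the time.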

AWS: Second-Generation Outposts Racks Now in More Countries

🌐 AWS has expanded availability of second-generation Outposts racks to 20 additional countries, enabling customers to deploy AWS infrastructure and services on-premises for low-latency access, data residency, and local processing. These racks support the latest x86 Amazon EC2 instance families (C7i, M7i, R7i) with up to 40% better performance versus first-generation racks, and they introduce simplified network scaling plus a new class of accelerated networking instances optimized for ultra-low latency and high throughput.

Verizon Wireless Outage Forces Phones Into SOS Mode

🔴 Verizon Wireless is experiencing a widespread outage across the United States, leaving affected phones displaying an SOS indicator and unable to make normal cellular calls. Reports to DownDetector began around 12 PM ET, and callers attempting to reach impacted numbers hear a recording that the called party is temporarily unavailable. The disruption appears to span multiple states rather than a single region, and some other carriers also showed issues during similar timeframes. Verizon has been contacted and the incident is under investigation.

Amazon Connect Cases Adds AWS CloudFormation Support

🔧 Amazon Connect Cases now supports AWS CloudFormation, allowing administrators to model, provision, and manage case resources as infrastructure as code. Administrators can author CloudFormation templates to programmatically deploy and update Cases configuration elements—such as templates, fields, and layouts—across Amazon Connect instances, enabling version control and repeatable deployments. The integration reduces manual setup time, minimizes configuration errors, and streamlines multi-instance provisioning across supported Regions.

Unencrypted TETRA Radio Leaves German Critical Sites Exposed

⚠️ Many German critical infrastructure organizations are transmitting over unencrypted digital radio, creating an easily exploitable interception vector. Wirtschaftswoche reports that prisons, airports and energy providers are operating TETRA networks without encryption—often citing cost reasons—while police networks remain multi-layer encrypted. AG Kritis calls the situation a security-policy disgrace, warning that a laptop, free software and modest technical skill are sufficient to eavesdrop and capture confidential information, potentially endangering supply security and lives.

AWS Expands EC2 I7ie Storage-Optimized Instances Now

🚀 AWS announced that Amazon EC2 I7ie instances are now available in Asia Pacific (Mumbai), Canada West (Calgary), and Europe (Paris). Designed for storage I/O-intensive workloads with large datasets, these high-density, storage-optimized instances use 5th Gen Intel Xeon processors and 3rd gen AWS Nitro SSDs to deliver higher compute performance, lower storage I/O latency, and local NVMe capacity of up to 120 TB. They come in nine sizes with up to 100 Gbps networking and substantial EBS bandwidth, targeting low-latency, high-throughput applications.

Amazon MSK Now Available in Asia Pacific (New Zealand)

🔔 Amazon Managed Streaming for Apache Kafka (Amazon MSK) is now available in the Asia Pacific (New Zealand) region. Customers can create provisioned clusters with either Standard or new Express brokers, with Express delivering significantly higher throughput, faster scaling, and quicker recovery. Create clusters via the Amazon MSK console or the AWS CLI and refer to the Amazon MSK Developer Guide to get started.

AWS Transform Adds Hybrid Network Conversion Automation

🔁 AWS Transform now automates network conversion for hybrid data center migrations, removing the need for manual VLAN and IP range mapping across VMware and non‑VMware environments. The service analyzes exported inventories and maps network elements to AWS constructs like VPCs, subnets, route tables, and security groups. It also ingests application mapping outputs such as modelizeIT to generate Infrastructure as Code and provision networking in target Regions.

How Cloudflare Workers Power Our Maintenance Scheduler

🧠 Cloudflare built a centralized maintenance scheduler on Workers to automatically enforce safety constraints across 330+ data centers, replacing error-prone manual coordination. The scheduler models infrastructure and product relationships as a typed graph, so Workers fetch only the relationships relevant to a maintenance request and avoid memory bloat. A layered fetch pipeline with request deduplication, an LRU in-memory cache, CDN caching and backoff retries reduced response payloads ~100x and drives ~99% cache hits for real-time checks.