April 29, 2016

Cyber security in Belgium will gain prominence after terror attacks

There is some good news for the country’s cyber security. Belgium is one of the countries least affected by online banking trojans. And there is a very good reason for that, according to Eddy Willems, security evangelist at Gdata Software. “Most Belgian banks use an advanced authentication system, which makes it more difficult for cyber criminals to obtain the required authentication details to get entrance to the victim’s bank account,” he said. ... Not such good news for Belgium is that it and the other Benelux countries, the Netherlands and Luxembourg, have seen a dramatic increase in the number of ransomware incidents. More incidents have been reported in February 2016 alone than in the last six months of 2015, according to research by security supplier Trend Micro.

In the digital enterprise, everyone is a security newb

In the digital enterprise, protecting critical data has changed. Communication is the missing ingredient because security teams don't have the information they need for the other business leaders who are focused on different objectives, like sales goals or the customer experience. "Those department heads are so concerned about keeping their own systems up so that they can continue bringing in revenue, that they overlook security. For example, the managers of a POS system do not want to have their IT guy take the system offline for an hour to fix a patch during Black Friday," Stolte said. In order to best defend against the threats of malicious actors, leaders across all departments need to become more security savvy. "Line of business and application owners, those who manage assets that contain valuable information, must first recognize that the information they manage is of high value and they must communicate with the security team," Stolte said.

IT performance management pegged for increase of virtualization tools

"There are [fewer] IT organizations using cloud services than everybody expects," said Edward Haletky, CEO and principal analyst for The Virtualization Practice LLC. There has been a large increase in shadow IT, wherein cloud services are purchased ad hoc by workers, but since IT pros are not involved with these unknown services, they aren't factored into decisions about what management tools to buy. Many companies have just started to branch out into the cloud. MetLife Insurance, for example, started with development platforms and has moved to putting new and some existing apps in the cloud, but most of its IT operations are still in owned and hosted data centers, according to Tony Granata, assistant vice president of capacity performance & monitoring engineering at the New York-based insurer.

Rip up the script when assembling a modern security team

Hiring analysts who’ve worked at the same companies or attended the same schools means you may end up with a team that approaches security issues in a similar manner. If they all think alike, they’ll probably miss the same security blind spots. ... look for people who have worked in different companies and industries and have experience fighting a variety of threat vectors. Ideally, your team will include someone with either a military or government background. They’ll have a completely different way of looking at security, forcing your company out of its comfort zone. Military personnel are often familiar with nation-state attacks and malicious intent and understand how complex offensive operations work. And with hackers launching advanced attacks against companies, people who have experience dealing with these threats can apply their knowledge to defend a business.

Don't overlook these two hidden risks to your corporate data

The data your SMB partners have in hand may seem minimal, but it's still critical corporate data. Contact information and services rendered may be valuable to an individual who hacks the SMB's network. As an InfoSec professional, you know what measures you have in place—but what about the SMB? The extent of its security depends upon available resources and what's affordable for it to implement. ... When it comes to internal colleagues exposing sensitive corporate data, it's all about timing and pulling the emotional strings. Along with having the technical skill set to spoof a business's email address, the attacker executed the data breach beautifully by understanding the time of year and knowing who to target at a busy time. The accountant's inbox was potentially flooded with deadline notifications and requests, which created a stressful environment. This makes for an easy target.

The Holistic Approach: Preventing Software Disasters

Understanding each kind of source code and script, interpreting the configuration files, evaluating the value of variables throughout the execution cycle and finally piecing all these findings together and reverse-engineering the system blueprint gives CIOs an “X-Ray view” into the inner workings of their organization’s software systems and empowers the CIO to make data-informed decisions to fortify overall software quality. ... But looking at the unit-level source code is not everything, it’s just the beginning - specifically with modern architectures where loose coupling between the different layers is a must. Hence CIOs must also X-Ray the “glue” between software layers and components, which is sometimes defined in configuration, property files or annotations stored directly inside the source code files.

10 Free Tools For API Design, Development And Testing

The rise of RESTful APIs has been met by a rise in tools for creating, testing, and managing them. Whether you’re an API newbie or an expert on an intractable deadline, you have a gamut of services to help you get your API up and running quickly, and many of them won’t cost you a dime. Following is a sampling of free services for working with APIs: load testers, API designers, metrics collectors, and much more. Some are quick and dirty applications to ease the job of assembling an API. Others are entry-level tiers for full-blown professional API services, allowing you to get started on a trial basis and later graduate to a more professional level of (paid) service if and when you need it.

Is There a Need to Redesign Cyber Insurance?

As insurers increasingly focus on operational risk — that is, failure due to systems, processes, people and external events — as a key element of managing their capital adequacy and solvency, how will the regulators and insurance commissioners view the potential increase in the risk of someone infiltrating an insurer’s own site through some form of remote device? Overall, there seems to be agreement that prevention is better than cure, but where cyber crime happens, it is critical that companies carry appropriate insurance cover. Cyber insurance cover has been around for a decade or so, but as cyber crime has developed, doesn’t insurance cover also need to mature? With policies provided by some major insurers giving cover to $100m, isn’t it time to think about whether this is enough?

You'll soon be using GPU as a Service

As an example of this new wave, AMD and AP are collaborating to bring immersive experience to news and storytelling. This can significantly enhance the ability to get information to content viewers, while also providing a more concise way to impart information, including the ability to see multiple perspectives, exhibit full dimensional accuracy, get a better sense of time, etc. Although still a niche market, this will help accelerate the adoption of VR clients. In addition to VR clients, the need to process immersive information means that there will be a significant need for high performance graphics processors -- not only at the individual server level, but available as an on-demand service based in the cloud. GPUs as a Service will expand greatly over the next 2-3 years, and will eclipse the PC GPU market in sheer numbers of units.

Production Like Performance Tests of Web-Services

Tests should always keep the end user view in mind to ensure that the software meets with acceptance on the part of the users. But how to test web services which are not directly customer-facing, and in particular, how to performance test them in a meaningful way? This article outlines performance test approaches that we have developed and proven to be effective in the company HERE, which is a leading location cloud company. ... Tests should be created with knowledge regarding the end user so that they are effective and risk-based. Because of this factor, as well as release techniques such as canary releases and feature toggles, the line between tests run prior to the release and tests of the released software in production becomes blurred.

Quote for the day:

"Fear causes hesitation and hesitation will cause your worst fears to come true." -- Patrick Swayze

April 28, 2016

Vulnerability in Java Reflection Library Still Present after 30 Months

The ability to load classes dynamically at runtime using custom ClassLoaders has created the opportunity for a number of applications that wouldn’t be possible otherwise, but unfortunately it has also created a number of security concerns, particularly around class impersonation. A developer could, in theory, create a custom ClassLoader that loads a compromising implementation of the primordial class java.lang.Object, and use this custom Object in a Java application. ... When the issue resurfaced in March 2016, the latest available version at the time, 8u74, proved to be vulnerable. Since then, Oracle has released three updates for Java, namely 8u77, 8u91 and 8u92. However, judging by their release notes, none of those seems to have addressed the problem.

Docker on Windows Server 2016 Technical Preview

To build and run your first Windows container, get Windows Server 2016 TP5 running, begin writing Dockerfiles for Windows, share images on Docker Hub and don’t hesitate to reach out with questions or feedback on the Docker Forums. ... Docker and Microsoft have come a long way since the 2014 partnership announcement of the Windows Server port of Docker engine, through the first publicly available version, up to today’s release. This journey also saw John Howard from Microsoft join the ranks of core Docker maintainers. We’re proud of the progress we’ve made to empower developers and ops teams using Windows with Docker’s proven tools and APIs for building, shipping and running containers and that we can help bring together the Windows and Linux communities with a common toolset for shipping software.

Paying ransomware is what ills some hospitals

Data backups are the key to surviving ransomware attacks. But some hospitals and physician practices don’t back up their data at all. This lack of security awareness puzzles McMillan. “It’s possible that security is still not seen as a critical business function” in those organizations, he suggests. Even if a hospital or a physician group does back up its data, it might do so only on a nightly basis. So, if a ransomware attack occurs and the organization uses its data backup to continue operations, the database will be missing everything that has been entered into the system since the previous evening, notes Gibson. That’s much better than nothing, but it will still send clinicians scrambling. Many hospitals do near-real-time backups of data on mirrored servers. In case one server goes down, the other can take up the slack.

Technologically Constrained Banks Face A Challenge From Agile Fintech Firms

“Banks still struggle with legacy systems and with their culture.” One European bank partnered with a fintech firm on a project. Eighteen days later the technologists had an app and a proof of concept, while the bank was still struggling with deciding who should be in the room to meet with them. Interviews with bank CXOs revealed some startling contrasts, with some large banks realizing the need for change while some regionals and super-regionals don’t think fintech innovations will impact them. “Banks are underestimating the value fintech firms provide in delivering a good experience and efficient service, as well as their potential influence on all areas of banking,” the report said. “From the customers’ perspective, fintech firms have value in being easy to use (81.9 percent), offering faster service (81.4 percent), and providing a good experience (79.6 percent).”

Man jailed for failing to decrypt hard drives

"His confinement stems from an assertion of his Fifth Amendment privilege against self-incrimination," wrote the man's lawyer, Keith Donoghue. The US Constitution's Fifth Amendment is designed to protect people from being forced to testify and potentially incriminating themselves and states: "No person shall be... compelled in any criminal case to be a witness against himself." The Electronic Frontier Foundation, which campaigns for digital rights, said: "Compelled decryption is inherently testimonial because it compels a suspect to use the contents of their mind to translate unintelligible evidence into a form that can be used against them." The man's appeal also contends that he should not be forced to decrypt the hard drives because the investigators do not know for certain whether indecent images are stored on them.

Singapore Is Taking the ‘Smart City’ to a Whole New Level

“Singapore is doing it at a level of integration and scale that no one else has done yet,” says Guy Perry, an executive of the Los Angeles engineering design firm Aecom who studies “smart city” technologies. It helps in Singapore that government- or state-owned companies own or control many aspects of daily life, including public transport networks and housing. More than 80% of Singapore’s 5.5 million people live in government housing. And while Singapore is a democracy, it has always been dominated by a single party whose control of the system means it can move quickly. Leaders also see a chance to pioneer applications for export. The market for smart-city technology in Asia alone will reach US$1 trillion a year by 2025, according to IDC Government Insights, a unit of International Data Corp., the Framingham, Mass., research firm.

Why Won’t They Pair?

The organizational challenges continue from the physical equipment to how developers are rated for recognition, raises and promotions. If an organization stack ranks their employees, the chance of developers learning to pair effectively is severely hampered. In many cases, the developer wants to be seen as the super hero thereby raising their rank above their peers. Performance reviews are another blocker. Few companies recognize teamwork as a valued skill and instead look for the ‘super hero’ who can come in to save the day during a crisis. Further, organizations that consistently work in a tactical fire-fighting mode will struggle to see the value that comes from pairing where developers share knowledge of technical and domain expertise.

BIP 75 Simplifies Bitcoin Wallets for the Everyday User

One of the main downfalls of BIP 70 is that it doesn’t work well for P2P payments. While it gets the job done for transactions between a customer and a merchant, Bitcoin wallets are unable to receive payment requests when they’re offline. Store-and-forward servers can be used to forward new payment requests to wallets when they come online, but this setup creates new privacy and security concerns. BIP 75 is an attempt to solve this issue by encrypting all communication in the Payment Protocol end to end. “By adding encryption at the application layer we create secure private communications, even in the case where there is a store and forward server for mobile or desktop wallets,” Netki founder and CEO Justin Newton, who co-authored BIP 75, told Bitcoin Magazine.

Ransomware-as-a-service is exploding: Be ready to pay

It starts with a fast click on a link in a harmless-looking email. Then your PC slows to a crawl. A message suddenly pops up and takes over your screen. "Your files and hard drive have been locked by strong encryption. Pay us a fee in 12 hours, or we will delete everything." Then a bright red clock begins counting down. No antivirus will save your machine. Pay the fee or lose everything. You're the latest victim of a ransomware attack. The scary thing is, you're not alone. The ransomware market ballooned quickly, reported TechRepublic's Michael Kassner, from a $400,000 US annual haul in 2012, to nearly $18 million in 2015. The average ransom—the sweet spot of affordability for individuals and SMBs—is about $300, often paid in cash vouchers or Bitcoin.

Cyber Attacks on Small Businesses on the Rise

Almost half of cyber-attacks worldwide, 43%, last year were against small businesses with fewer than 250 workers, Symantec reports. The FBI reported last summer that more than 7,000 U.S. companies of all sizes were victims of cyber hacks via phishing email scams as of late 2013, the latest data available, with losses of more than $740 million. The cyber crooks steal small business information to do things like rob bank accounts via wire transfers; steal customers’ personal identity information; file for fraudulent tax refunds; commit health insurance or Medicare fraud; or even steal intellectual property. The criminals can also hijack a small business’s website to cyberhack other small businesses. “There are probably 20 different ways a bad guy can get into a website” run by a small business, Scott Mann, CEO of Orlando-based Highforge Solutions, has said.

Quote for the day:

"A business of high principle attracts high-caliber people more easily, thereby gaining a basic competitive and profit edge." -- Marvin Bower

April 27, 2016

A History of Containerology and the Birth of Microservices

Not only has Microsoft jumped on the container bandwagon, but they also shared the vision of Docker’s application focused model for containers. Microsoft partnered with Docker, and as a result, one can run Linux or Windows containers with Docker. Being able to run applications in either Linux or Windows hosted containers will provide companies flexibility and reduce any refactoring costs associated with rewriting, tweaking or re-architecting existing applications. The bold new world that containerology will take us to is that of microservices. In my opinion, microservices (specifically as enabled by Docker) represent the first feasible step towards mechanized or industrialized applications. In the mechanical engineering world, complex systems were built by buying off-the-shelf components and widgets. In contrast, the software world was accustomed to fabricating every part needed to build complex applications.

API security: Key takeaways from recent breaches

A good practice in approaching API security is first and foremost to know your API assets. An API management suite can help identify the API and exact version, whether in development, QA or production, tracked by its internal registry. This is instrumental in controlling API sprawl. And in the event of a breach, knowing the exact variables in play at the time of the breach will help to expedite the solution. A second detection strategy is knowing your consumers and solidifying their authentication. While most companies may start out exposing their APIs publicly, allowing developers to freely build applications using the APIs, it may help to configure multilayer security elements right down to the API level so that API consumers are easily identifiable. This is also crucial as API providers rely on standards such as OpenID for single sign-on between different applications.

5 years into the ‘cloud-first policy’ CIOs still struggling

"The greatest challenge is not getting a contract in place, but what you find out is where those boundaries cross of who's now responsible because you're in a different infrastructure set-up, and what the cloud provider's going to do versus the contract staff, versus the application support staff versus the infrastructure staff," Andrews says. "So, that's the greatest challenge we're having now is defining roles and responsibilities and who's going to do what because the world has changed as we've known it, and we've been client-server for so many years that this is truly a different environment for us." Andrews recalls a recent meeting concerning the role of a cloud vendor and a somewhat tense discussion about "what does the word 'manage' mean in a cloud environment," and who has ownership over the systems and who bears responsibility for resolving the inevitable problems when they arise.

Third Generation Robo-Advisors Are Born

The application of machine learning to robo-advisory is still in inchoate stages, and only a few firms have stepped forward describing plans. Little-known Marstone (which focuses on business-to-business advice) has partnered with IBM Watson to deliver some form of cognitive-computing powered advice. It appears that Wealthfront will use artificial intelligence to provide more data-driven and personalized investment recommendations on its Dashboard. Personalization will be dynamic and driven by the client’s specific risk tolerance, financial profile, and investments as assessed across aggregated accounts. Machine learning in robo-advisory may also analyze, adapt to, and learn from investor behavior and correct for cognitive biases. As Wealthfront states, “observed behavior may reveal insights about ourselves that we aren’t even consciously aware of.”

Data Visualization Drives the Era of Information Activism

The information activism trend draws parallels to the printed word. From the invention of the Gutenberg printing press until the advent of the Internet, the ability to write and publish information was a highly technical skill, in the hands of a select few individuals. The arrival of blogging made the written word a mass activity, open to all. Similarly, people are now eager to express themselves using data visualization to tell engaging and visually stimulating stories without the need for a graphic artist or cartographer. They can just do it for themselves. ... Information activism is catalyzing a renaissance in the world of data, transforming the entire field of analytics. People no longer are mere data consumers, passively waiting for information.

MIT’s Teaching AI How to Help Stop Cyberattacks

A system called AI2, developed at MIT’s Computer Science and Artificial Intelligence Laboratory, reviews data from tens of millions of log lines each day and pinpoints anything suspicious. A human takes it from there, checking for signs of a breach. The one-two punch identifies 86 percent of attacks while sparing analysts the tedium of chasing bogus leads. ... Most of AI2's work helps a company determine what’s already happened to it so it can respond appropriately. The system highlights any typical signifiers of an attack. An extreme uptick in log-in attempts on an e-commerce site, for instance, might mean someone attempted a brute-force password attack. A sudden spike in devices connected to a single IP address suggests credential theft.
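The two signals named above (a burst of failed log-ins against one account, and many distinct devices authenticating from one IP address) can be expressed as plain rules over a log stream. The following is an added example written for this digest; it is not code from MIT's AI2 system or from the article. The log format, the field names, the 60-second window and the thresholds are all assumptions chosen for the demonstration, and the log lines are constructed.

```python
"""Rule-based pass over constructed authentication logs.

Added example, not part of the original article or of AI2.
Flags (1) accounts with a burst of failed log-ins inside a sliding
window and (2) IP addresses from which many distinct devices logged
in successfully. Format, fields and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <client ip> <user> <device id> <result>"
SAMPLE_LOG = """\
2016-04-27T10:00:01 203.0.113.5 alice dev-a OK
2016-04-27T10:00:40 203.0.113.5 alice dev-a FAIL
2016-04-27T10:00:45 203.0.113.5 alice dev-a OK
2016-04-27T10:01:00 198.51.100.9 bob dev-x FAIL
2016-04-27T10:01:02 198.51.100.9 bob dev-x FAIL
2016-04-27T10:01:04 198.51.100.9 bob dev-x FAIL
2016-04-27T10:01:06 198.51.100.9 bob dev-x FAIL
2016-04-27T10:01:08 198.51.100.9 bob dev-x FAIL
2016-04-27T10:01:10 198.51.100.9 bob dev-x FAIL
2016-04-27T10:05:00 192.0.2.77 carol dev-c1 OK
2016-04-27T10:05:03 192.0.2.77 dave dev-d1 OK
2016-04-27T10:05:07 192.0.2.77 erin dev-e1 OK
2016-04-27T10:05:09 192.0.2.77 frank dev-f1 OK
2016-04-27T10:06:00 203.0.113.8 grace dev-g OK
"""


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, device, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "ip": ip, "user": user, "device": device, "result": result,
        })
    return events


def detect_bruteforce(events, window_seconds=60, threshold=5):
    """Return {user: peak failures in any window} for users at or over threshold.

    Uses a two-pointer sliding window over each user's sorted failure times,
    so a slow trickle of failures spread over hours is not flagged.
    """
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]].append(e["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for user, stamps in fails.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def detect_shared_ip(events, threshold=4):
    """Return {ip: distinct device count} for IPs with many successful devices.

    Only successful log-ins count: the signal is stolen credentials being
    used, not guessing traffic.
    """
    devices = defaultdict(set)
    for e in events:
        if e["result"] == "OK":
            devices[e["ip"]].add(e["device"])
    return {ip: len(d) for ip, d in devices.items() if len(d) >= threshold}


def analyze(text):
    """Run both rules and return their findings for an analyst to review."""
    events = parse_log(text)
    return {
        "bruteforce": detect_bruteforce(events),
        "shared_ip": detect_shared_ip(events),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        print(rule, hits)
```

The point of the split into two small functions is the hand-off the article describes: each rule produces a short candidate list, and the analyst decides whether a flagged burst is an attack or, say, a user who forgot a password.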

Backlash against a bimodal IT strategy

The big problem with a bimodal IT strategy is that it doesn't go far enough, according to the authors. Rather than face digital business head on, bimodal IT is a more staggered introduction, giving CIOs a chance to continue clinging to the security and the stability of tradition rather than fully accept the unpredictability and even the riskiness that come with going fast. "Yes, it's a big transition, but if you only do it partway, you're going to make it so much harder on yourself," Sharyn Leaver, Forrester analyst and an author of the report, said during a recent webinar. One of the consequences of going digital "partway" is that it introduces complexity. Divvying up IT tasks can result in two separate technology stacks and two separate teams that develop different value systems, different cultures and are evaluated on different metrics -- all of which CIOs will eventually have to untangle if they want to fully align with the business and move at a faster pace, according to Leaver.

What The Google I/O Schedule Tells Us About The Future Of Android

Google has big ambitions in virtual reality. Cardboard is just the start, as there have been rumors of the company building its own VR headset and indications from Android N about how the operating system will give more native support to VR. So set your eyes on the VR at Google session on May 19, which is hosted by Clay Bavor, Google’s vice president of virtual reality (who also has a fascinating photography blog). Right now Facebook-owned Oculus is leading the VR game and Google’s frenemy Samsung makes the most popular consumer device in the Gear VR. So expect Google to invest heavily to ensure the company’s services are where the Internet is going. YouTube, as an example, recently added support for VR and 360-degree video.

Will Healthcare Data Encryption be Impacted by NIST Guide?

NIST produced a development process for cryptographic standards and guidelines based on nine principles, which are transparency, openness, balance, integrity, technical merit, global acceptability, usability, continuous improvement, and innovation and intellectual property. Notably, NIST added the global acceptability principle to the final draft after public comments suggested that the organization address the global nature of the current economy and exchange of information. The final document reiterates NIST’s intention to foster collaboration with all stakeholders, such as security professionals, researchers, standards developing organizations, and users, to establish strong encryption standards and processes. Stakeholders who contribute to the development process are also part of a variety of industries, including healthcare, academia, and government.

Null Object Design Pattern in Automated Testing

In object-oriented computer programming, a Null Object is an object with no referenced value or with defined neutral ("null") behavior. The Null Object Design Pattern describes the uses of such objects and their behavior (or lack thereof). ... The main idea is that sometimes we need to add promotional codes and then assert that the correct amounts are displayed or saved in the DB. As you can assume, there are various ways to accomplish that. One way is to use the UI directly and assert the text is present in the labels. Another way is to use direct access to the DB and insert the promotional code, then assert the calculated entries saved in some of the DB's tables.
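To make the pattern concrete for the promotional-code scenario above, here is an added example (not code from the original article) in which the repository returns a `NullPromoCode` instead of `None` when a code is unknown, so the checkout and the test assertions never branch on a missing value. The class names, the in-memory repository and the 10% code `SPRING10` are assumptions invented for the demonstration.

```python
"""Null Object pattern applied to promotional codes in a checkout test.

Added example, not from the original article. A lookup that finds no
promotional code returns NullPromoCode (neutral behaviour: no discount)
rather than None, so callers need no None checks.
"""
from abc import ABC, abstractmethod
from decimal import Decimal, ROUND_HALF_UP


class PromoCode(ABC):
    """Interface every promotional code, including the null one, satisfies."""
    code: str

    @abstractmethod
    def apply(self, amount: Decimal) -> Decimal:
        """Return the amount after this code's discount."""


class PercentPromoCode(PromoCode):
    def __init__(self, code: str, percent: int):
        self.code = code
        self.percent = Decimal(percent)

    def apply(self, amount: Decimal) -> Decimal:
        discounted = amount * (Decimal(100) - self.percent) / Decimal(100)
        return discounted.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


class NullPromoCode(PromoCode):
    """The Null Object: a code that changes nothing and has no identifier."""
    code = ""

    def apply(self, amount: Decimal) -> Decimal:
        return amount


class PromoRepository:
    """In-memory stand-in for the DB table of promotional codes (assumption)."""
    def __init__(self, codes):
        self._codes = {c.code: c for c in codes}

    def lookup(self, code: str) -> PromoCode:
        # The single place where "not found" is translated into the null object.
        return self._codes.get(code, NullPromoCode())


class Order:
    def __init__(self, subtotal: Decimal, promo: PromoCode):
        self.subtotal = subtotal
        self.promo = promo

    def total(self) -> Decimal:
        return self.promo.apply(self.subtotal)

    def summary(self) -> str:
        # No special case for "no code": the null object's empty code is printed as-is.
        return f"subtotal={self.subtotal} code={self.promo.code!r} total={self.total()}"


def checkout_total(repo: PromoRepository, subtotal: Decimal, entered_code: str) -> Decimal:
    """What a test would call: resolve the code the user typed and compute the total."""
    return Order(subtotal, repo.lookup(entered_code)).total()


def build_repo() -> PromoRepository:
    """Constructed fixture data for the example."""
    return PromoRepository([PercentPromoCode("SPRING10", 10)])


if __name__ == "__main__":
    repo = build_repo()
    print(Order(Decimal("50.00"), repo.lookup("SPRING10")).summary())
    print(Order(Decimal("50.00"), repo.lookup("BOGUS")).summary())
```

Because `NullPromoCode` implements the same interface, a test for "no promotional code entered" asserts on the total exactly like a test for a valid code, instead of wrapping the assertion in an `if promo is not None` guard.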

Quote for the day:

"When you do the common things in life in an uncommon way, you will command the attention of the world." -- George W. Carver