April 28, 2016

Vulnerability in Java Reflection Library Still Present after 30 Months

The ability to load classes dynamically at runtime using custom ClassLoaders has created the opportunity for a number of applications that wouldn’t be possible otherwise, but unfortunately it has also created a number of security concerns, particularly around class impersonation. A developer could, in theory, create a custom ClassLoader that loads a compromising implementation of the primordial class java.lang.Object, and use this custom Object in a Java application. ... When the issue resurfaced in March 2016, the latest available version at the time, 8u74, proved to be vulnerable. Since then, Oracle has released three updates for Java, namely 8u77, 8u91 and 8u92. However, judging by their release notes, none of those seems to have addressed the problem.


Docker on Windows Server 2016 Technical Preview

To build and run your first Windows container, get Windows Server 2016 TP5 running, begin writing Dockerfiles for Windows, share images on Docker Hub and don’t hesitate to reach out with questions or feedback on the Docker Forums. ... Docker and Microsoft have come a long way since the 2014 partnership announcement of the Windows Server port of Docker engine, through the first publicly available version, up to today’s release. This journey also saw John Howard from Microsoft join the ranks of core Docker maintainers. We’re proud of the progress we’ve made to empower developers and ops teams using Windows with Docker’s proven tools and APIs for building, shipping and running containers and that we can help bring together the Windows and Linux communities with a common toolset for shipping software.


Paying ransomware is what ills some hospitals

Data backups are the key to surviving ransomware attacks. But some hospitals and physician practices don’t back up their data at all. This lack of security awareness puzzles McMillan. “It’s possible that security is still not seen as a critical business function” in those organizations, he suggests. Even if a hospital or a physician group does back up its data, it might do so only on a nightly basis. So, if a ransomware attack occurs and the organization uses its data backup to continue operations, the database will be missing everything that has been entered into the system since the previous evening, notes Gibson. That’s much better than nothing, but it will still send clinicians scrambling. Many hospitals do near-real-time backups of data on mirrored servers. In case one server goes down, the other can take up the slack.


Technologically Constrained Banks Face A Challenge From Agile Fintech Firms

“Banks still struggle with legacy systems and with their culture.” One European bank partnered with a fintech firm on a project. Eighteen days later the technologists had an app and a proof of concept, while the bank was still struggling with deciding who should be in the room to meet with them. Interviews with bank CXOs revealed some startling contrasts, with some large banks realizing the need for change while some regionals and super-regionals don’t think fintech innovations will impact them. “Banks are underestimating the value fintech firms provide in delivering a good experience and efficient service, as well as their potential influence on all areas of banking,” the report said. “From the customers’ perspective, fintech firms have value in being easy to use (81.9 percent), offering faster service (81.4 percent), and providing a good experience (79.6 percent).”


Man jailed for failing to decrypt hard drives

"His confinement stems from an assertion of his Fifth Amendment privilege against self-incrimination," wrote the man's lawyer, Keith Donoghue. The US Constitution's Fifth Amendment is designed to protect people from being forced to testify and potentially incriminating themselves and states: "No person shall be... compelled in any criminal case to be a witness against himself." The Electronic Frontier Foundation, which campaigns for digital rights, said: "Compelled decryption is inherently testimonial because it compels a suspect to use the contents of their mind to translate unintelligible evidence into a form that can be used against them." The man's appeal also contends that he should not be forced to decrypt the hard drives because the investigators do not know for certain whether indecent images are stored on them.


Singapore Is Taking the ‘Smart City’ to a Whole New Level

“Singapore is doing it at a level of integration and scale that no one else has done yet,” says Guy Perry, an executive of the Los Angeles engineering design firm Aecom who studies “smart city” technologies. It helps in Singapore that government- or state-owned companies own or control many aspects of daily life, including public transport networks and housing. More than 80% of Singapore’s 5.5 million people live in government housing. And while Singapore is a democracy, it has always been dominated by a single party whose control of the system means it can move quickly. Leaders also see a chance to pioneer applications for export. The market for smart-city technology in Asia alone will reach US$1 trillion a year by 2025, according to IDC Government Insights, a unit of International Data Corp., the Framingham, Mass., research firm.


Why Won’t They Pair?

The organizational challenges continue from the physical equipment to how developers are rated for recognition, raises and promotions. If an organization stack ranks their employees, the chance of developers learning to pair effectively is severely hampered. In many cases, the developer wants to be seen as the super hero thereby raising their rank above their peers. Performance reviews are another blocker. Few companies recognize teamwork as a valued skill and instead look for the ‘super hero’ who can come in to save the day during a crisis. Further, organizations that consistently work in a tactical fire-fighting mode will struggle to see the value that comes from pairing where developers share knowledge of technical and domain expertise.


BIP 75 Simplifies Bitcoin Wallets for the Everyday User

One of the main downfalls of BIP 70 is that it doesn’t work well for P2P payments. While it gets the job done for transactions between a customer and a merchant, Bitcoin wallets are unable to receive payment requests when they’re offline. Store-and-forward servers can be used to forward new payment requests to wallets when they come online, but this setup creates new privacy and security concerns. BIP 75 is an attempt to solve this issue by encrypting all communication in the Payment Protocol end to end. “By adding encryption at the application layer we create secure private communications, even in the case where there is a store and forward server for mobile or desktop wallets,” Netki founder and CEO Justin Newton, who co-authored BIP 75, told Bitcoin Magazine.


Ransomware-as-a-service is exploding: Be ready to pay

It starts with a fast click on a link in a harmless-looking email. Then your PC slows to a crawl. A message suddenly pops up and takes over your screen. "Your files and hard drive have been locked by strong encryption. Pay us a fee in 12 hours, or we will delete everything." Then a bright red clock begins counting down. No antivirus will save your machine. Pay the fee or lose everything. You're the latest victim of a ransomware attack. The scary thing is, you're not alone. The ransomware market ballooned quickly, reported TechRepublic's Michael Kassner, from a $400,000 US annual haul in 2012, to nearly $18 million in 2015. The average ransom—the sweet spot of affordability for individuals and SMBs—is about $300, often paid in cash vouchers or Bitcoin.


Cyber Attacks on Small Businesses on the Rise

Almost half of cyber-attacks worldwide, 43%, last year were against small businesses with fewer than 250 workers, Symantec reports. The FBI reported last summer that more than 7,000 U.S. companies of all sizes were victims of cyber hacks via phishing email scams as of late 2013, the latest data available, with losses of more than $740 million. The cyber crooks steal small business information to do things like rob bank accounts via wire transfers; steal customers’ personal identity information; file for fraudulent tax refunds; commit health insurance or Medicare fraud; or even steal intellectual property. The criminals can also hijack a small business’s website to cyberhack other small businesses. “There are probably 20 different ways a bad guy can get into a website” run by a small business, Scott Mann, CEO of Orlando-based Highforge Solutions, has said.


Quote for the day:

"A business of high principle attracts high-caliber people more easily, thereby gaining a basic competitive and profit edge." -- Marvin Bower