Daily Tech Digest - December 21, 2016

Why every CIO needs to be a hands-on leader to succeed

If you looked at the job descriptions and expectations for CIOs of the past, almost all of them required the incumbent to be a master builder. A person had to know how build and manage data centers, buy hardware – large and small, and be a virtuoso of disaster and business continuity plans. Today, the cost savings, let alone the flexibility, of utilizing cloud resources for almost everything is just too hard to ignore. While vexing to consider for veteran CIOs, the epic of building physical empires within IT has passed. But this change represents a tremendous opportunity for even the most strategic IT leader to get into the trenches in a meaningful way. By going through data centers, CIOs can be on the frontlines of shutting them down.


10 Cybersecurity challenges from IoT, DDoS, autos and more

We recently saw some of the largest DDoS attacks on record, in some instances topping 1 terabit per second. That’s absolutely massive and it shows no sign of slowing. Through 2015, the largest attacks on record were in the 65 gigabit per second range. Going into 2017, we can expect to see DDoS attacks grow in size, further fueling the need for solutions tailored to protect against and mitigate these colossal attacks. Math, machine learning and artificial intelligence will be baked more into security solutions. Security solutions will learn from the past, and essentially predict attack vectors and behavior based on that historical data. This means security solutions will be able to more accurately and intelligently identify and predict attacks by using event data and marrying it to real-world attacks.


NICE Robotic Automation Improves Interaction Experience

NICE, a longtime contact center systems vendor, has offered real-time process automation since 2001, and it recently launched a new product in this market. It now has three products in this space – desktop analytics, desktop automation and its latest, robotic process automation. NICE Desktop Analytics captures information about what agents, or other designated users, do on their desktop, including systems they access, information they look up, data they enter, information they give callers, and systems they update after finishing calls. The analytics enables organizations to track the four basic components of a call – identifying the caller, identifying the caller’s issue, providing a response and completing any required after call work. The analytics component thus can identify best practices for interaction handling and agent performance, and recommend changes to processes or coaching and training.


Tech companies like Privacy Shield but worry about legal challenges

While U.S. companies are embracing Privacy Shield, many European businesses are "still concerned that Privacy Shield will not hold up under court scrutiny, and they will find themselves in the same scenario as they were in October 2015, when the Safe Harbor agreement was struck down," said Deema Frei, ... Some European companies see Privacy Shield certification as a "tick box" compliance exercise, she added. With some doubts about its long-term viability, companies should also consider other data transfer agreements, such as EU model clauses or binding corporate rules, she recommended. However, if companies can get certainty about Privacy Shield's future, and if it won't be "attacked in the long term by data privacy activists trying to discredit it and challenge its validity, I believe it will work in the long run," Frei added.


Never Fear, Vulnerability Disclosure is Here

There is no excuse for organizations letting fear of working with hackers prevent them from doing so for defense. There is no excuse for lacking a vulnerability disclosure policy, in any organization, private or public sector. The only barrier is building capabilities to handle what can be daunting in terms of facing the world of hackers. Big companies like Google, Apple, and Microsoft have had to deal with this issue for a very long time, and have worked out systems that work for them. But what about smaller organizations? What about other industries outside of the tech sector? What about IoT? And what about governments, who must walk the line between getting the help they need from the hacker community without accidentally giving free license to nation-states to hack them with an overly permissive policy?


Contactless Payments: Addressing the Security Issues

In a contactless environment, on mobile devices in particular, biometrics authentication can replace the need to use PIN entry as an additional authentication layer, King says in this interview conducted at Information Security Media Group's recent Fraud & Breach Prevention Summit in London. "The challenge there is, 'How do you ensure the security and the authenticity of the biometrics?'" he says. "Biometrics have been around for a while, in terms of authentication. ... They are static information. My fingerprints don't change. Now, if I lose my PIN, I can go into the bank and say, 'Can I have a new PIN?' If I lose my fingerprint, if that is compromised, then there's not much I can do." As contactless mobile payments become more commonplace in Europe and elsewhere, card networks and issuers are rethinking how they secure payments, turning to biometrics and, in some cases, transaction and behavioral analytics, he adds.


Google releases Project Wycheproof: Security tests to check cryptographic libraries for known attacks

Project Wycheproof includes over 80 test cases, and Google says they have already uncovered more than 40 security bugs. The list of bugs is available here, though Google notes not all are currently listed as some are still being fixed by vendors. The same goes for some of the tests — they will be released once the affected cryptographic libraries have been patched. The tests encompass the most popular crypto algorithms, including AES-EAX, AES-GCM, DH DHIES, DSA, ECDH, ECDSA, ECIES, and RSA. The tests detect whether a library is vulnerable to many attacks, including invalid curve attacks, biased nonces in digital signature schemes, and all of Bleichenbacher’s attacks. In short, Project Wycheproof allows developers and users to check libraries against a large number of known attacks without having to “sift through hundreds of academic papers or become cryptographers themselves.”


Mobile banking trojans adopt ransomware features

Cybercriminals are adding file-encrypting features to traditional mobile banking trojans, creating hybrid threats that can steal sensitive information and lock user files at the same time. One such trojan is called Faketoken and its primary functionality is to generate fake login screens for more than 2,000 financial applications in order to steal login credentials. The malicious app also displays phishing pages to steal credit card information, and it can read and send text messages. ... File encryption is not as popular as screen blocking techniques in mobile ransomware because many of the files stored on mobile devices are backed up to cloud services and can be easily restored, according to Unuchek. That doesn't seem to stop developers from experimenting with such techniques, though. Researchers from security company Comodo have recently analyzed another mobile banking trojan called Tordow 2.0 that has the ability to encrypt files.


Raspberry Pi in 2017: New boards, new OSes and more

Expect to see the Raspberry Pi powering far more appliances in 2017, following the release of the Compute Module 3 (CM3). Due to be launched "very early next year", the CM3 will pack the same quad-core Broadcom BCM2837 processor and 1GB memory used on the Pi 3 onto a slimmer and smaller board. The compact design of the Compute Module, which comes with 4GB eMMC Flash storage, makes it better suited to being built into electronic products. The CM3 marks a significant leap forward in processing power, since the previous Compute Module was based on the first-generation, single-core Raspberry Pi, which is up to ten times slower than the third-generation board. When released, it will also be the first Compute Module to run Windows 10 IoT Core, a cut-down version of Windows 10 designed to support Internet of Things appliances.


Automating the Database: A Win-Win for DBAs and DevOps

In most cases, the DBA invests a lot of time and effort in manually reviewing code from the developers and preparing the deployment script. At times, this goes beyond fine-tuning and actually involves rewriting entire code segments, simply because the DBA has a better understanding and overview of the database. Similarly, when database problems arise during deployment or production, DBAs may be called upon to resolve them by fixing unfamiliar code without access to the original developers. No matter the number of development teams and their potentially overlapping needs, the DBA is tasked with protecting the integrity of the data and ensuring availability. In order to perform this behind-the-scenes “traffic duty”, the DBA must balance the requirements of the various development teams with daily database maintenance routines and administrative responsibilities.



Quote for the day:


"Don't judge me by my past. I don't live there anymore." -- Petteri Tarkkonen