Daily Tech Digest - April 13, 2017

Managed services - A catalyst for transformation in banking

To view managed services in the right context, it’s often helpful to understand the evolution and growth of outsourcing in financial services companies. Historically, banks have used a variety of outsourcing models to maximize resource efficiency. These models have evolved with changing times. A good example of this progression is business process outsourcing (BPO), which has existed for at least several decades. In 1992, American Express (Amex) spun off its transaction processing unit, where it already had developed scale and experience, and partnered with a third-party card processing unit. Amex anticipated the commoditization of the transaction processing business, so it placed a strategic bet to focus on the growth of the card issuing business.

Bank gets lesson in the security failings of third parties

A story detailing this attack in Dark Reading noted that “customers accessing the bank’s online services were hit with malware posing as a Trusteer banking security plug-in application. The malware harvested login credentials, email contact lists, and email and FTP credentials.” The bank and the DNS provider did apparently make some mistakes — and mistakes are a great way to learn, especially if they are made by someone else. First, the bank had declined to use the DNS provider’s two-factor authentication. Had it done so, the attack might have never worked. Second, the DNS provider, according to Kaspersky Labs, had patched a cross-site request forgery flaw on its site, Dark Reading said. That flaw, coupled with an email phishing attack of the DNS firm, may have provided the initial access prior to the patching.

The 10 best features in Android O (so far)

Google I/O is still more than a month away, but we’ve already gotten a sneak peek at what Google is planning for Android O. To help developers make sure their apps are in tip-top shape for the public release later this year, Google has given them the first preview a little early, opening up a brand new box of tricks and tools. This first release is just for developers, and is focused mostly on features that require particular developer support—there will be much more in Android O, with more user-facing improvements in later beta releases. While we’re not sure how many of these features will make it out of Developer options and the System UI tuner and into the main release, there are a bunch of cool tricks we’ve found while exploring the new settings. Here are our 10 favorites.

Data science gets chic

Predictive analytics is one type of analytical method that is getting much attention. This is because senior executives appear to be shifting away from a command-and-control style of management – reacting after the fact to results – to a much more anticipatory style of managing. With predictive analytics, executives, managers and employee teams can see the future coming at them, such as the volume and mix of demands to be placed on them. As a result they can adjust their resource capacity levels and types, such as the number of employees needed or spending amounts. They can also quickly address small problems before they become big ones. They can transform their mountains of raw data into information to test hypotheses, see trends, and make better decisions.

With Robots On The Job - It Won't Be IT As Usual

The trend means that CIOs and IT managers need to be prepared for an influx of robotics because introducing this technology isn't as simple as firing up a fleet of humanoid robots and letting them loose in an office building. It's going to take planning, new skills and thought about how robots will affect employees and require new infrastructure. ... "It's very much a different mindset than traditional IT," said Mike Gennert, a professor and director of the Robotics Engineering Program at Worcester Polytechnic Institute, in Worcester, Mass. "IT managers worry about how they manage information, how it's used, how it's stored and secured. But none of that has the ability to directly affect the physical world. Robots affect the real world. That brings issues IT managers have not had to confront."

Who Should Regulate Cybersecurity for Connected Cars?

Lauzon along with other researchers remains skeptical that federal regulations are the best way to ensure safety. “To have regulation that chases down cybersecurity is very difficult because the law generally does not keep up with technology very well,” he said. “No automotive company wants to make a car that is hackable.” One option that could gain support would be to follow suit with the federal automated vehicle guidance released in September 2016. The guidance, which was intended to serve as a living document, laid out several best practices, specified what separate jurisdictions are responsible for regulating, and set up a 15-point self-check safety assessment letter. “I like the way NHTSA approaches it now and says, ‘Here are guidelines you should follow,’” said Lauzon. “With security, you don't usually know there is a problem until it's too late.”

Hacked Dallas sirens get extra encryption to fend off future attacks

The city believes the hack came from the Dallas area, but officials haven't detailed how it occurred. Dallas police are working with the FBI and the Federal Communications Commission (FCC) to validate what they think happened and find the source. The hack caused all 156 emergency sirens to activate for about 90 minutes, scaring some residents and doubling the number of calls to 911. Radio security experts theorized the incident may have been a simple "replay attack" where the hacker recorded the radio signal sent out on April 5 at noon as part of a monthly test of the emergency siren system. Then, the hacker could have played that signal back repeatedly early Saturday. It would take a hacker with a software defined radio (SDR) or other off-the-shelf radio frequency test equipment to pull off the attack, said Chris Risley, CEO of Bastille Networks.
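The replay scenario the experts describe works because a recorded activation signal is indistinguishable from a fresh one. The following added example (not part of the original story, and not the Dallas system's actual protocol) models the difference between a receiver that accepts any well-formed command and one that requires a per-message counter protected by an HMAC under a shared key. The key, the frame layout and the "ACTIVATE ALL" command string are all constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for this example only; a real deployment would
# provision a per-site key on the controller and every siren receiver.
KEY = b"example-shared-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def build_command(counter: int, command: str) -> bytes:
    """Frame layout (assumed): 4-byte big-endian counter || ASCII command || HMAC tag."""
    body = struct.pack(">I", counter) + command.encode("ascii")
    tag = hmac.new(KEY, body, hashlib.sha256).digest()
    return body + tag


class NaiveReceiver:
    """Models a receiver that acts on any well-formed frame: no key, no freshness check."""

    def __init__(self) -> None:
        self.activations = 0

    def handle(self, frame: bytes) -> bool:
        self.activations += 1
        return True


class AuthenticatedReceiver:
    """Accepts a frame only if its tag verifies and its counter is strictly newer."""

    def __init__(self) -> None:
        self.last_counter = -1
        self.activations = 0

    def handle(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(tag, expected):
            return False
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return False  # replayed (or out-of-order) frame: already seen this counter
        self.last_counter = counter
        self.activations += 1
        return True


def simulate() -> dict:
    """Constructed scenario: one legitimate test transmission, then five replays of it."""
    naive, auth = NaiveReceiver(), AuthenticatedReceiver()
    test_frame = build_command(counter=42, command="ACTIVATE ALL")
    naive.handle(test_frame)
    auth.handle(test_frame)
    # An attacker who recorded the test transmission plays it back repeatedly.
    naive_replays = [naive.handle(test_frame) for _ in range(5)]
    auth_replays = [auth.handle(test_frame) for _ in range(5)]
    # A forged frame with a fresh counter but no knowledge of the key is also rejected.
    forged = struct.pack(">I", 99) + b"ACTIVATE ALL" + b"\x00" * TAG_LEN
    forged_accepted = auth.handle(forged)
    # The next legitimate command (newer counter, valid tag) still goes through.
    next_accepted = auth.handle(build_command(counter=43, command="ACTIVATE ALL"))
    return {
        "naive_activations": naive.activations,
        "auth_activations": auth.activations,
        "naive_replays_accepted": sum(naive_replays),
        "auth_replays_accepted": sum(auth_replays),
        "forged_accepted": forged_accepted,
        "next_accepted": next_accepted,
    }


if __name__ == "__main__":
    print(simulate())
```

The counter must survive receiver reboots (persisted to non-volatile storage) or a restarted siren would accept a replay of any frame it had already honoured; a timestamp with a short validity window is the usual alternative when clocks can be trusted.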

Always-On Strategy

Always-on strategy complements the annual process by giving senior leadership a regular forum in which to monitor and discuss issues that warrant continual attention, including those identified during the annual process and during the course of the year. The always-on process is particularly well suited to addressing issues that span multiple business units (such as a common technology platform), lie outside the scope of existing businesses (for example, growth into adjacent markets), or are too far-reaching to address at the business unit level (such as downstream integration). However, companies must apply always-on strategy systematically—to ensure that executives focus on the highest-priority issues, push for issues to be resolved, and effectively coordinate the activities of the annual planning process with those of the always-on forums.

BrickerBot – The Dark Knight of IoT

The use of the ‘Busybox’ command combined with the MTD and MMC special devices means this attack is targeted specifically at Linux/BusyBox-based Internet of Things (IoT) devices. The exploit vector, the same as Mirai’s, means the devices must have their Telnet port open and exposed publicly on the Internet. Mostly this would match IoT devices that have been proven vulnerable to Mirai. Because the process does not perform malware infection, but has a clear purpose of corrupting and disabling the device, there is no binary to study and there is not much we can say about how the bot finds its targets. Because BrickerBot.2 is hiding itself behind TOR exit nodes, there is no indication of the location of the bots or even how many bots might be out there. We could assume a random public IP scan to detect potential victims, much like the one Mirai bots perform.

How to Sell Refactoring? The Case of Nordea Bank AB

When you begin to work with an organization in the context of a specific subject, you usually encounter many points of view. From the very beginning, it is extremely important to realize that these are just different narratives of the same reality and none of them is more real than others. Within the same organization, you talk to different people who often present contradictory information, but each of these is consistent and seems to be justified. ... This way, the developers could focus on how to refactor the backend, style the new views and integrate them with their e-banking system. It drastically reduced the threshold for entering the new technology and made it easier to achieve success. At that stage, our priority was to promote the need for refactoring, not to migrate to a new technology.

Quote for the day:

"The meeting of two personalities is like the contact of two chemical substances: if there is any reaction, both are transformed." -- Carl Jung