Daily Tech Digest - September 21, 2017

Manage access control using Redis Bitfields

Access control based on action is a flexible, granular approach to securing your resources. Each user is given a list of things they can do and when the user attempts to perform any action, you check the user’s capabilities against what is required of that action. Sounds simple enough, right? This can be a tricky thing to code and it has to be as fast as possible because whatever latency, transit, or computation time this step requires is overhead that cuts into the processing you need to do with the rest of your app (likely stuff you care more about than capabilities and privileges). First, let’s look at a highly efficient way of storing capabilities and later we’ll explore some more advanced functionality. The heart of this approach is to use binary data, which might seem strange. Redis, unlike many databases, can manipulate and store binary data directly.
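As an added illustration of the capability-bitmap idea above (example code, not from the original article or from Redis itself): each capability is assigned a bit offset, a user's grant is a short byte string addressed exactly as Redis SETBIT/GETBIT address bits, and an action check is a deny-by-default test of the bits that action requires. The capability names, action table and key name are assumed for illustration.

```python
# Bit offset per capability (assumed table). Offset 0 is the most significant
# bit of byte 0, matching how Redis SETBIT/GETBIT/BITFIELD address bits.
CAPABILITIES = {"read": 0, "write": 1, "delete": 2, "admin": 3, "export": 4}

# Capabilities each action requires (assumed table).
ACTIONS = {"view_doc": {"read"}, "edit_doc": {"read", "write"},
           "purge_doc": {"read", "delete", "admin"}}


def set_bit(bitmap: bytearray, offset: int, value: int) -> None:
    """Same semantics as Redis SETBIT: the string grows with zero bytes."""
    byte_index, bit_index = divmod(offset, 8)
    if byte_index >= len(bitmap):
        bitmap.extend(b"\x00" * (byte_index + 1 - len(bitmap)))
    mask = 0x80 >> bit_index
    if value:
        bitmap[byte_index] |= mask
    else:
        bitmap[byte_index] &= ~mask & 0xFF


def get_bit(bitmap: bytes, offset: int) -> int:
    """Same semantics as Redis GETBIT: bits past the end read as 0."""
    byte_index, bit_index = divmod(offset, 8)
    if byte_index >= len(bitmap):
        return 0
    return (bitmap[byte_index] >> (7 - bit_index)) & 1


def grant(bitmap: bytearray, *caps: str) -> list:
    """Set the capability bits locally and return the equivalent Redis
    commands (key name user:alice:caps is an assumed example)."""
    cmds = []
    for cap in caps:
        set_bit(bitmap, CAPABILITIES[cap], 1)
        cmds.append(f"SETBIT user:alice:caps {CAPABILITIES[cap]} 1")
    return cmds


def can_perform(bitmap: bytes, action: str) -> bool:
    """Deny by default: an unknown action or any missing bit fails the check."""
    required = ACTIONS.get(action)
    if not required:
        return False
    return all(get_bit(bitmap, CAPABILITIES[cap]) == 1 for cap in required)
```

With "read" and "write" granted the whole grant is the single byte 0xC0, and `purge_doc` is refused because the delete and admin bits are clear.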


What Is A Fileless Attack? How Hackers Invade Systems Without Installing Software

Fileless malware leverages the applications already installed on a user's computer, applications that are known to be safe. For example, exploit kits can target browser vulnerabilities to make the browser run malicious code, or take advantage of Microsoft Word macros, or use Microsoft's Powershell utility. "Software vulnerabilities in the software already installed are necessary to carry out a fileless attack, so the most important step in prevention is patch and update not only the operating system, but software applications," says Jon Heimerl, manager of the threat intelligence communications team at NTT Security. "Browser plugins are the most overlooked applications in the patch management process and the most targeted in fileless infections."


Google tightens grip on Android hardware with HTC deal

Google never entirely quit the hardware business. Since selling Moto, it has continued to release smartphones and tablets under its own brand, but these were designed and manufactured by other companies, including LG and HTC. Now Google is taking greater control of that design process, paying US$1.1 billion to HTC to acquire the team behind its Pixel devices. It will also receive a non-exclusive license to some HTC intellectual property, the companies said Thursday. The number of HTC employees affected by the deal is around 2,000, according to Reuters. The deal won't give Google any manufacturing capabilities: It will still have to outsource that work to others. And it won't knock HTC out of the smartphone market altogether: It still has a team working on the successor to its U11 flagship, launched earlier this year.


DDoS protection, mitigation and defense: 7 essential tips

“A disaster recovery plan and tested procedures should also be in place in the event a business-impacting DDoS attack does occur, including good public messaging. Diversity of infrastructure both in type and geography can also help mitigate against DDoS as well as appropriate hybridization with public and private cloud," says Day. “Any large enterprise should start with network level protection with multiple WAN entry points and agreements with the large traffic scrubbing providers (such as Akamai or F5) to mitigate and re-route attacks before they get to your edge. No physical DDoS devices can keep up with WAN speed attacks, so they must be first scrubbed in the cloud. Make sure that your operations staff has procedures in place to easily re-route traffic for scrubbing and also fail over network devices that get saturated,” says Scott Carlson, technical fellow at BeyondTrust.


The Dangers of the Hackable Car

As vehicles fill up with more digital controls and internet-connected devices, they’re becoming more vulnerable to cybercriminals, who can hack into those systems just like they can attack computers. Almost any digitally connected device in a car could become an entry point to the vehicle’s central communications network, opening a door for hackers to potentially take control by, for instance, disabling the engine or brakes. There have been only a handful of successful hacks on vehicles so far, carried out mostly to demonstrate potential weaknesses—such as shutting down a moving car and taking control of another’s steering. But security experts paint a grim picture of what might lie ahead. They see a growing threat from malicious hackers who access cars remotely and keep their doors locked until a ransom is paid.


Microsoft launches data security technology for Windows Server, Azure

Microsoft claims the service, called Azure confidential computing, makes it the first public cloud provider to offer encryption of data while in use. Encrypting data while it is being manipulated is pretty CPU-intensive, and there is no word on the performance impact of this service. “Despite advanced cybersecurity controls and mitigations, some customers are reluctant to move their most sensitive data to the cloud for fear of attacks against their data when it is in use,” Mark Russinovich, Microsoft Azure CTO, wrote in a company blog post. “With confidential computing, they can move the data to Azure knowing that it is safe not only at rest, but also in use from [various] threats.” Azure confidential computing uses a trusted execution environment (TEE) to ensure there is no way to view data from the outside, such as via a bug in the OS or a hacker who has gained admin privileges.


CIO interview: John Mountain, Starling Bank

Starling even offers software development kits to third parties to make it easier for them to develop services for its customers. “For the most commonly used languages, we do half the work for them,” he says. “This is what companies like Apple do. They say ‘there is an API [application programming interface] but we want to go a bit richer than that’ and do some of the coding themselves.” In fact, Mountain wants anything that is not core to the business, whether it be accounting software or a customer money management service, to be supplied while Starling’s internal team focuses on core competencies. “We visualise our platform as a series of concentric circles, where we ask ourselves how fundamental to the business a certain piece of software is,” he says. “Everything judged to be at the core of the operation we write ourselves.


Assemble tools to address IT compliance standards up the stack

Security and compliance work hand in hand. The threat landscape is more complex due to distributed applications being broken down into components, an increased variety of end points and dispersed data centers. "An increase in the volume and complexity of cybersecurity breaches and the potential damage that those events have on both business operations and brand reputation [are] driving greater demand for IT and security and risk management solutions," said Angela Gelnaw, security products and solutions analyst at IDC. Consequently, businesses take an expensive, multi-tiered approach to secure information. IDC expects enterprise security spending will increase from $73.7 billion in 2016 to $101.6 billion in 2020. The compound annual growth rate of 8.3% is more than twice the rate of overall IT spending that IDC predicts during the five-year forecast period.


What's Holding Blockchain Back From Large-Scale Adoption?

For those of us who believe wholeheartedly in the future of this technology, it’s up to us to figure out how we can best explain what’s actually happening and why it’s important. For example, I recently spoke at the 100x Blockchain Online Summit, and it was enthralling to dive into such deep use cases and talk through specific problems that blockchain can solve, one of which was counterfeiting in big pharma. But to an everyday consumer, or even someone with a strong tech background, the terminology alone creates some roadblocks. The biggest reason education is the first obstacle is that you have to consider who really needs to buy into using blockchain technology in order for it to scale. It’s not just theorists and coders. It’s CEOs, heads of marketing and business development, even investors who are going to decide to foot the bill—or invest in the Ethereum platform, period.


How to choose a database for your mobile apps

To require an Internet connection for mobile applications is to live in the past. If apps rely on a connection, odds are high that the experience will be sluggish and unpredictable. To avoid reliance on the network, providers of databases and cloud services have added synchronization and offline capabilities to their mobile offerings. Solutions like Couchbase’s Couchbase Mobile, Microsoft’s Azure Mobile Services, Amazon’s Cognito, and Google’s Firebase offer the all-important sync that enables apps to work both online and offline. With so many offerings available, how does a mobile developer select the right technology for the right application? The following six key criteria are most important when evaluating mobile solutions: platform support, security, modeling flexibility, conflict resolution, sync optimization, and topology support.


Quote for the day:

"A treasured memory is the lasting gift of time well spent." -- Tim Fargo