Daily Tech Digest - April 20, 2018

Google disables “domain fronting” capability used to evade censors

Domain fronting manipulates HTTPS and the Transport Layer Security (TLS) standard to fool deep packet inspection systems and firewall rules about the intended destination of a Web request, and to exploit how content delivery networks (CDNs) route traffic. A domain name shows up three times during a Web request: in the DNS query for the site's IP address, in the Server Name Indication (SNI) extension of TLS (which tells a server hosting multiple sites which domain the traffic is for), and in the HTTP Host header of the request itself. For plain HTTP traffic, all three instances of the domain name are visible to a censor's network gear; for an HTTPS site, the HTTP header is encrypted. In a domain fronting scheme, the DNS request and the SNI extension carry the domain name of an unblocked host, while the encrypted HTTP Host header names the actual destination, to which the CDN then forwards the request as long as that destination is also hosted on the same CDN. That destination is usually a proxy server, VPN gateway, or a Tor bridge.

Software Design Principles DRY and KISS

DRY stands for "Don't Repeat Yourself," a basic principle of software development aimed at reducing repetition of information. The DRY principle is stated as, "Every piece of knowledge or logic must have a single, unambiguous representation within a system." The opposite is sometimes called "We enjoy typing" (or, "Wasting everyone's time"): writing the same code or logic again and again. Such code is difficult to manage, and if the logic changes, the change has to be made in every place the code was written, wasting everyone's time. To avoid violating the DRY principle, divide your system into pieces: split your code and logic into smaller reusable units and call them wherever they are needed. Don't write lengthy methods; divide the logic and reuse existing pieces within your method. ... The KISS principle prescribes keeping code simple and clear so that it is easy to understand. After all, programming languages exist for humans to understand (computers only understand 0 and 1), so keep coding simple and straightforward. Keep your methods small. Each method should never be more than 40-50 lines.

Nine Things That Are Poised To Impact Cybersecurity

The next wave of cybersecurity attacks will come from the internet-of-things (IoT) devices like appliances, lights and cameras. These types of devices are cheap, easy to hack, can be found in large numbers and are geographically distributed, making them ideal targets for a hacker to commandeer and launch a distributed-denial-of-service (DDoS) attack on an unsuspecting enterprise. ... Utilize multi-factor authentication and SSO technologies to get a handle on authentication. Integrating this with Hashicorp Vault or an HSM solution can bring about encryption key management, encryption key rotation and administration of all your data. For sensitive information within databases, consider field-level encryption so that even with the breach, any data that is leaked is encrypted. ... Decentralizing data used for authentication is here and doing it for more PII is next. Firms are abandoning storage of biometrics, PINs, and passwords and now secure them on endpoints like mobile devices. Users authenticate on-device and swap public keys with their service provider.

Data firm leaks 48 million user profiles it scraped from Facebook, LinkedIn, others

The data was found in a human-readable, newline-delimited JSON file. The data collected includes names and physical addresses, and employment information and job histories data, and more, scraped from Facebook, LinkedIn, and Twitter profiles. UpGuard's own report, published Wednesday, contained search queries that Localblox would use to cycle through email addresses that it had collected through Facebook's search engine to retrieve users' photos, current job title and employer information, and additional family information. Facebook locked down its search feature earlier this month after scammers were running automated searches to harvest people's data. It's also believed that the company supplements its collected data from non-public sources, like purchased marketing data. The data is then compiled, organized and blended into existing individual profiles. The report described the collection operation as an effort to "build a three-dimensional picture on every individual affected" to use for advertising or political campaigning.

DevOps is key to low-code BPM, digital process automation

Created to reduce manual intervention in business process implementations across organizations, business process management (BPM) software did automate manual tasks. Until recently, however, the development of that software wasn't an automated affair. During a business process software development project a decade ago, Scrum master Reshma Nagrani relied on tools that were hardcoded and that had fragile code. It was hard to modify the existing software, so the project needed to be customized, and it wasn't easy to find the talent to do the customization work. Today, older BPM suites (BPMS) are more robust than ever in that they are customizable and customer-centric. New low-code BPM tools are so simple that non-IT business people can develop enterprise apps, although they're not so simple that companies don't need business process developers and managers. Indeed, their roles in DevOps teams and emerging digital process automation (DPA) projects remain critically important.

UK Commonwealth cyber security funding welcomed

The Commonwealth Cyber Declaration sets out, for the first time, a common vision for ensuring the internet remains free and open across the Commonwealth. It will commit members to raising national levels of cyber security and increased cooperation to counter those who seek to undermine nations’ values, security, even the integrity of elections. The new funding will help Commonwealth countries to prevent and respond to cyber security risks affecting governments, businesses and citizens. Some £5.5m of the funding has been earmarked to enable low- and middle-income Commonwealth members to carry out national cyber security capacity reviews before the next CHOGM in 2020. Prime minister Theresa May said cyber security affects all countries because online crime does not respect international borders. “I have called on Commonwealth leaders to take action and to work collectively to tackle this threat,” she said. “Our package of funding will enable members to review their cyber security capability, and deliver the stability and resilience that we all need to stay safe online and grow our digital economies.

What is hybrid cloud really, and what's the best strategy?

In an attempt to create clarity, some companies and vendors started using the term multi-cloud instead of hybrid, indicating that the strategy simply involves more than one cloud – public-public or public-private. Others have applied their own definitions to hybrid cloud to include any combination of public and private cloud with consistent platforms and/or services, but those are relatively new, she says. Indeed, the market itself is shaping the definition of hybrid cloud, and analysts and vendors are beginning to fall in line on the definition of a true hybrid cloud strategy. Increasingly, it’s about moving workloads seamlessly between public and private cloud platforms and creating a consistent architecture across both environments. Some vendors are promising these capabilities soon, while others are already starting to deliver. “Hybrid cloud is a cloud computing environment that uses a mix of private cloud and public cloud services with orchestration between the platforms allowing data and applications to be shared between them,” says Ritu Jyoti, research director on IDC's enterprise storage, server and infrastructure software team.

Understanding fast data and its importance in an IoT-driven world

The first necessity is a streaming system that processes various events as quickly as they arrive. Next, there must be a data store that extracts information just as speedily. When they both work together, businesses are well-equipped to understand why fast data offers such a wealth of information they won’t want to overlook. Investigating what’s available now gives companies a leg up to prepare for the increasing prominence of IIoT technologies. Being proactive also gives business leaders a chance to think about how they can use fast data most effectively to get closer to their goals. There are several ways fast data aligns with business objectives. As the IoT becomes more prominent than ever, the gadgets people use every day increasingly have Wi-Fi-enabled sensors that collect data and give personalized information. Among the likely use cases for the industrial sector are intelligent lights that sense when people leave the room and turn off to save energy, plus water fixtures that measure utility usage over time to let leaders know when and where waste happens.

Data protection is a business issue, says IAPP

Unlike the information security industry, the data privacy industry does not have a gender bias issue, he said. “Our membership is approximately 50/50 and there is roughly equal representation of men and women at all levels of seniority, right from the very top down, with equal salaries for men and women doing the same jobs.” The privacy industry started about 20 years ago, said Tene, when companies started appointing privacy officers and treating privacy as a strategic business issue rather than a compliance issue. The first movers were data-intensive companies such as DoubleClick, IBM, Axiom and Microsoft. As a result, the privacy industry is more mature in the US, but has started to pick up significantly in Europe and in recent years, largely driven by the GDPR, said Tene. “Data privacy is increasingly a business issue, and we are seeing a growing emphasis in business on data management, data governance and data risk,” he said.

The Importance of Validating the Testing Infrastructure

Sometimes, when given something to test, some key details may have been forgotten, and that’s okay. That’s why, as testers, it’s on us to validate the test infrastructure before diving in. Fortunately, there are several ways to do so. ... Access each node, check the IPs of the components, and confirm that each runs the indicated services. Validate the operating systems and verify their versions, as well as the versions of the components (for example, Java, Apache, etc.). In a performance test that looks for optimizations, different configurations are usually tried in an effort to improve the results, comparing the performance of the different options. So, to validate that what is documented in the results is accurate, it is necessary to review the initial configurations (at least the most relevant ones): for example, the size of each connection pool (in the database or the web server), the maximum and minimum allocated memory (in the case of a JVM), etc.

Quote for the day:

"You do not lead by hitting people over the head. That's assault, not leadership." -- Dwight D. Eisenhower

Daily Tech Digest - April 19, 2018

5G Security Challenges and Ways to Overcome Them

5G is on its way to serve vertical industries, not just individual customers who are more bothered about experiencing a faster mobile network or richer smart phone functionalities. When it comes to serving vertical industries, security requirements may vary from one service to the other. As the Internet of Things (IoT) continues to gain momentum, more people will be able to remotely operate networked devices and this will surely call for the deployment of a stricter user-authentication method to prevent unauthorized access to IoT devices. For example, biometric identification systems can be installed in smart homes. ... 5G networks are believed to be enhanced by the deployment of new cost-effective IT technologies such as virtualization and Software Defined Network (SDN)/Network Functions Virtualization (NFV). However, 5G services can be equipped with appropriate security mechanisms only if the network infrastructure is robust enough to support the security features. The security of function network elements, in legacy networks, depends, to a large extent, on how well their physical entities could be separated from each other.

As IoT devices grow in popularity, it creates a greater security vulnerability for consumers. Service providers and consumer electronics manufacturers can now leverage the USP standard to perform lifecycle management of connected devices and carry out upgrades to address critical security updates. Newly installed or purchased devices and virtual services can also be easily added, while customer support is improved by remote monitoring and troubleshooting of connected devices, services and home network links. Additionally, the specification enables secure control of IoT, smart home and smart networking functions and helps map the home network to manage service quality and monitor threats. Work on the USP specification was carried out by the Broadband User Services (BUS) Work Area, which is led by Co-Directors John Blackford of Arris, who is also a Broadband Forum board member, and Jason Walls of QA Cafe. AT&T, Axiros, Google, Greenwave Systems, Huawei, NEC, Nokia, and Orange also participated in developing USP.

Notes from the AI frontier: Applications and value of deep learning

Neural networks are a subset of machine learning techniques. Essentially, they are AI systems based on simulating connected “neural units,” loosely modeling the way that neurons interact in the brain. Computational models inspired by neural connections have been studied since the 1940s and have returned to prominence as computer processing power has increased and large training data sets have been used to successfully analyze input data such as images, video, and speech. AI practitioners refer to these techniques as “deep learning,” since neural networks have many (“deep”) layers of simulated interconnected neurons. ... Deep learning’s capacity to analyze very large amounts of high dimensional data can take existing preventive maintenance systems to a new level. Layering in additional data, such as audio and image data, from other sensors—including relatively cheap ones such as microphones and cameras—neural networks can enhance and possibly replace more traditional methods. AI’s ability to predict failures and allow planned interventions can be used to reduce downtime and operating costs while improving production yield.

From BDD to TDD, the pros and cons of various agile techniques

Distributed agile makes it possible to escape any constraints of space or skills and experience in your immediate location. Modern collaboration tools like Slack, Skype, Teams, and Hangouts have made this possible. You can actually work together on stories without being in the same place and ask questions without disturbing your coworkers’ flow. Trust, rapport and communication are still essential. That’s why distributed agile works best when you have at least two teammates in any given location, they meet face to face periodically, and understand each other’s language and culture well. It’s helpful to have the whole team within a short flight and similar time zones so you can easily collaborate physically as well as virtually when needed. That team solidarity makes all the difference when you’re trying to crack a tough problem, get business or user feedback, or just onboard new team members. Agile works best when there is fast, frequent communication through standups and other formal and informal collaboration.

The evolution of forensic investigations

Protecting data, intellectual property (IP), and finances has become an increasing priority at the board room level as fraudsters proliferate and constantly adapt to more sophisticated controls and monitoring. While most organizations are susceptible to seemingly boundless criminal ingenuity, those lacking antifraud controls are predictably worse off, suffering twice the median fraud losses of those with controls in place. However, even organizations with antifraud controls can have their investigative efforts impeded by several factors. Reliance on rules-based testing is a primary culprit. Rules-based tests typically assess and monitor fraud risks across a single data set, giving only a yes or no answer. Information silos further impede analytics-aided investigative efforts. Organizations often struggle to balance the need for locally-tailored processes with the potential benefits of integrated data sharing, unintentionally creating barriers to investigative exploration as a result. The vast and growing volumes of unstructured data amassing in organizations, such as videos, images, emails, and text files.

City & Guilds Group deploys SD-WAN to improve Office 365 performance

It’s a different story, though, for workers located remotely like in the Asia-Pacific region. For those individuals, the experience can be very frustrating. I have first-hand experience with this. Prior to being an analyst, I spent some time as a consultant, and I remember trying to open PowerPoint and Word documents out of region and it would often take minutes. Sometimes the process would go “not responding,” necessitating the need to shut down the application and start over. The most frustrating part was that there was no way of telling whether the file was still being downloaded or if the process died. I would often “open” the files and then go do something else for a while and come back and hope they finished opening. Bandwidth speeds have increased, but so have the size of Office documents. This is the situation that remote City & Guilds workers were facing. For example, users in Wellington, New Zealand, saw extremely slow response times when accessing files from the corporate SharePoint drive, leading to a number of user complaints and a loss of productivity.

Google Cloud speech-to-text service gets revamp

In the future, enterprises will be able to feed automatically generated transcripts of business conversations into virtual assistants like IBM Watson or Google Assistant, helping those machines learn how to assist workers or customers better. "If you have your VP of marketing provide an overview of what a particular product does, that video is captured, that audio is converted into text, that text becomes searchable, and, ultimately, that text can be fed into machine intelligence systems," Vonder Haar said. Vendors are continually improving their speech-to-text tools, but enterprises shouldn't wait until those platforms are perfect before experimenting with them, said Jon Arnold, principal of Toronto-based research and analysis firm J Arnold & Associates. "To me, the big takeaway is these platforms definitely provide a lot of exciting possibilities," Arnold said. "Do some harmless in-house trials, get a feel for it, because the use cases will come out of the woodwork once you start getting comfortable with it."

15 Ways To Build Security Into Your Development Process

Knowing where to focus your likely very limited resources is key, and can be tackled by performing application risk assessments and threat modeling. By better understanding where your product or service may have unacceptable risk exposure, you can focus your time and resources appropriately. - Vijay Bolina, Blackhawk Network

As with any collaborative endeavor that brings together people from different backgrounds, experiences and outlooks, it’s important to acknowledge the possibility of conflict up front and deal with it head-on. Senior leaders should be involved to explain why the DevSecOps ethos is so vital to the company’s future, and hold everyone accountable for advancing its success. - Todd DeLaughter, Automic Software, owned by CA Technologies (NASDAQ: CA)

One of the most effective ways to embed security into software is to initiate the security on boot-up. When a user restarts their device or software, the manufacturer should run a series of boot tests to determine any changes in the software and that the software is entirely authentic.

Beyond Java: Programming languages on the JVM

If there is any language that is a known and proven quantity for developers, it’s Java. Enterprise developers, web developers, mobile developers, and plenty of others besides, have made Java ubiquitous and contributed to the massive culture of support around Java. What’s more, the Java runtime, or Java Virtual Machine (JVM), has become a software ecosystem all its own. In addition to Java, a great many other languages have leveraged the Java Virtual Machine to become powerful and valuable software development tools in their own right. Using the JVM as a runtime brings with it several benefits. The JVM has been refined over multiple decades, and can yield high performance when used well. Applications written in different languages on the JVM can share libraries and operate on the same data structures, while programmers take advantage of different language features. Below we profile several of the most significant programming languages created for the JVM. 

Microservices Communication and Governance Using Service Mesh

A service mesh is an infrastructure layer for service-to-service communication. It ensures reliable delivery of your messages across the entire system and is separate from the business logic of your services. Service meshes are often referred to as sidecars or proxies. As software fragments into microservices, service meshes go from being nice-to-have to essential. With a service mesh, not only will you ensure resilient network communications, you can also instrument for observability and control, without changing the application run-time. ... In the direct interpretation it could be used to describe both the network of microservices that make up distributed applications and the interactions between them. However, recently the term has been mostly applied to a dedicated infrastructure layer for handling service-to-service communication, usually implemented as lightweight network proxies (sidecars) that are deployed alongside application code. The application code can treat any other service in the architecture as a single logical component running on a local port on the same host.

Quote for the day:

"You never will be the person you can be if pressure, tension and discipline are taken out of your life." -- Dr James G Bilkey

Daily Tech Digest - April 18, 2018

Study Suggests Lack of Analytical Capability is Slowing IoT Adoption

IoT data is of no use if it isn’t analyzed appropriately, and descriptive analysis is essential for gaining a more granular view of specific processes. Prescriptive analysis matters as well; creating a strong feedback loop to optimize and even automate data analysis can create a much more powerful system. Artificial intelligence can be a cornerstone technology. Predictive capabilities are key to maximizing IoT resources, and effective IoT management involves recognizing patterns and responding accordingly. The power of IoT devices comes with a risk: Security. Capgemini stresses the importance of ground-up security investment, as a flawed architecture will always present certain risks even if it’s patched and monitored. ... Other components of a company’s resources need to be secured as well, but it’s important to recognize the unique nature of IoT devices and implement appropriate solutions instead of trying to fold IoT devices underneath a broader, but incompatible, security umbrella.

Using intelligence to advance security from the edge to the cloud

Security increasingly is a team sport not only within an enterprise but across the customer network. Intelligence data, in particular, gets better with additional signals coming in, and so we’re increasing the ability for customers and partners to collaborate with us, with one another and with their own customers. Today we’re announcing the preview of a new Microsoft Graph security API for connecting to Microsoft products powered by the Microsoft Intelligent Security Graph. The new security API provides an integration point that allows technology partners and customers to greatly enhance the intelligence of their products to speed up threat investigation and remediation. Already, leading companies like Palo Alto Networks, PwC and Anomali are exploring the security API for their own solutions. And because we’re committed to collaborating with customers and partners to enable integration between Microsoft’s security technology and the broader ecosystem, we are also announcing the new Microsoft Intelligent Security Association.

Security budgets up, but talent scarce, says Isaca

The data also shows that gender disparity can be mitigated through effective diversity programs. In organisations with a diversity program, men and women are much more likely to agree that men and women have the same career advancement opportunities. Some 87% of men said they have the same opportunities, compared with 77% of women. Another positive finding is that security managers are seeing a slight improvement in the number of qualified candidates. Last year, 37% said fewer than 25% of candidates for security positions were sufficiently qualified. This year, that number dropped to 30%. Budgets are also increasing, with 64% of respondents indicating that security budgets will increase this year, compared with 50% last year. “This research suggests that the persistent cyber security staffing problem is not a financial one. Even though enterprises have more budget than ever to hire, the available workforce lacks the skills organisations critically need,” said Isaca CEO Matt Loeb.

Cryptographers spank blockchain, social media

Marlinspike said blockchain's distributed nature can show value, but he said the problem is that there are not many apps where distributed is valued. "The consumer space sees zero value," he added, noting that blockchain reminds him of the peer-to-peer craze in the early 2000s. "There were a lot of people with a lot of enthusiasm and ideas about a lot of great things, but it was not very sound." Marlinspike had similar feelings on social media, which he said has suffered a substantial perception hit in the past year. "The utopian narratives of connecting the world and organizing information is coming to an end," he said. "Across all contexts and political spectrums, people are seeing social technology less as a hopeful tool for a brighter, better tomorrow and more like weapons everyone simultaneously thinks are in the wrong hands." He said this has direct consequences on society and things people are doing [at RSA] and what people are thinking in the worlds of privacy and cryptography.

Technology doesn’t mean you can forget the basics of customer service

Whether you step into a store, or order your shopping online, you expect a level of personalisation. No individual, or customer, is the same and should not be treated with the same manner, temperament and style of service. 66% of all consumers say they’re extremely or somewhat likely to switch brands if they feel like they’re treated like a number rather than an individual. With the explosion of data and digital interactions, customers now expect a more tailored service. One example of a company that aims to deliver this highly personal experience is Atom Bank, which lets customers design their own user interface when signing up to an account – whether that’s a brand logo, colour scheme or name. Speaking of this strategy, the bank has stated that “no one should have exactly the same experience of Atom”. This example, combined with plans to let customers access accounts through biometrics, perfectly showcases how some brands are making completely digital interactions as personal as if you were dealing with them face to face.

Stresspaint Malware Campaign Targeting Facebook Credentials

On April 12, 2018, Radware’s threat research group detected, via internal feeds, malicious activity by a group collecting user credentials and payment methods from Facebook users across the globe. The group manipulates victims via phishing emails into downloading a painting application called ‘Relieve Stress Paint.’ While benign in appearance, it runs malware dubbed ‘Stresspaint’ in the background. Within a few days, the group had infected over 40,000 users, stealing tens of thousands of Facebook user credentials and cookies. This rapid distribution and high infection rate indicate that the malware was developed professionally. The group is specifically interested in users who own Facebook pages and have stored payment methods. We suspect that the group’s next target is Amazon, as there is a dedicated section for it in the attack control panel. Radware will continue to analyze the campaign and monitor the group’s activity. Prior to publication of this alert, Radware detected another variant of the malware and saw indications of this new version in the control panel.

Chatbots are dead. A lack of AI killed them.

While Bloch is right to say that "No one can point to a chatbot that 'all your friends were using'" as "Such a thing simply never existed," once upon a time many pundits pointed to chatbots as the future of commerce, social, and just about everything else. Chatbots were one of the big themes of Mobile World Congress 2017, with the conference organizers summarizing the buzz from main stage and hallway conversations thus: "There was overwhelming acceptance at the event of the inevitable shift of focus for brands and corporates to chatbots (often referred to as 'conversational commerce'), reflecting the need for brands to go where consumers are, even if many companies remain uncertain at this stage of the eventual outcome." While they went on to acknowledge that "the true potential of chatbots will require further advances in AI and machine learning," the people behind the industry's biggest mobile event felt the only significant question around chatbots had to do with who would dominate, and not whether chatbots would take off: "Will a single platform emerge to dominate the chatbot and personal assistant ecosystem?"

Five Surprising Reasons to Invest in Better Security Training

Seventy-one percent of attacks against healthcare companies fall into this category, while 58 percent of incidents in financial services, the most-attacked sector, originate from insiders. The majority of these insiders are inadvertent actors — mostly employees who were tricked into initiating the attacks. These numbers expose the inadequacy of today’s normal training programs. They’re not frequent, memorable or thorough enough. In other words, they’re not working. The bottom line is that training has not kept up with the evolution of cyberthreats or their remedies. That’s why it’s more important than ever to implement the best possible tools to protect sensitive data. But decision-makers must remember that even the best software cannot stop all threats. For example, any employee with access to any phone anywhere at any time is potentially vulnerable to social engineering. The reality of bring-your-own-device (BYOD) environments is that employees may be connecting to company resources at all hours and exposing their devices to threats in arbitrary locations and over insecure networks. 

IoT devices could be next customer data frontier

Finally, we have sensors like iBeacons sitting in stores, providing retailers with a world of information about a customer’s journey through the store — what they like or don’t like, what they pick up, what they try on and so forth. There are very likely a host of other categories too, and all of this information is data that needs to be processed and understood just like any other signals coming from customers, but it also has unique characteristics around the volume and velocity of this data — it is truly big data with all of the issues inherent in processing that amount of data. This means it needs to be ingested, digested and incorporated into that central customer record-keeping system to drive the content and experiences you need to create to keep your customers happy — or so the marketing software companies tell us, at least. ... Regardless of the vendor, all of this is about understanding the customer better to provide a central data gathering system with the hope of giving people exactly what they want. We are no longer a generic mass of consumers.

DDoS attacks cost up to £35,000

The research also highlights the growing complexity of DDoS attacks, and their capacity to act as a distraction for more serious network incursions. The majority of those surveyed (85%) believe that DDoS attacks are used by attackers as a precursor or smokescreen for data breach activity. In addition, 71% reported that their organisation has experienced a ransom-driven DDoS attack. “A DDoS attack can often be a sign that an organisation’s data is also being targeted by cyber criminals. As demonstrated by the infamous Carphone Warehouse attack, DDoS attacks can be used as a smokescreen for non-DDoS hacking attempts on the network,” said Stephenson. “Hackers will gladly take advantage of distracted IT teams and degraded network security defences to exploit other vulnerabilities for financial gain. Considering the huge liability that organisations can face in the event of a data breach, IT teams must be proactive in defending against the DDoS threat, and monitor closely for malicious activity on their networks,” he said.

Quote for the day:

"To have long term success as a coach or in any position of leadership, you have to be obsessed in some way." -- Pat Riley