Daily Tech Digest - January 03, 2018

Don't believe the hype: There are no good uses for blockchain

“Smart” contracts are contracts written as software, rather than written as legal text. Because you can encode them directly on the blockchain, they can involve the transfer of value based directly on the cryptographic consent of the parties involved — in other words, they are “self-executing.” In theory, contracts written in software are cheaper to interpret. Because their operation is literally mathematical and automatic, there are no two ways to interpret them, which means there’s no need for expensive legal battles. Yet real-world examples show the ways this is problematic. The most prominent and largest smart contract to date, an investment vehicle called the Distributed Autonomous Organization (DAO), enabled its members to invest directly using their private cryptographic keys to vote on what to invest in. No lawyers, no management fees, no opaque boardrooms, the DAO “removes the ability of directors and fund managers to misdirect and waste investor funds.”

IoT botnet DDoS attacks predicted after exploit code published

“With the advent of botnet-based DDoS attack services that will be effective against most companies, anyone can target an organisation for just a few bitcoins,” Harshil Parikh, director of security at software-as-a-service platform firm Medallia, told the Isaca CSX Europe 2017 conference in London in November 2017. The exploit code for Huawei vulnerability CVE-2017-17215, which is now available free of charge on text storage site Pastebin, has already been used in the Satori and Brickerbot IoT botnets. These botnets have been described as next-gen Mirai botnets, and in December 2017, the Satori botnet in particular caught researchers’ attention because of its worm-like ability to propagate quickly. According to security researchers at Qihoo 360 Netlab, the Satori botnet propagates by using two exploits to connect with devices on ports 37215 and 52869.
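As an added example (not from the article, Qihoo 360 Netlab, or any product), here is a small defender-side check built on the one concrete detail the excerpt gives: sources that probe several hosts on ports 37215 and 52869 are flagged as possible Satori-style scanners. The firewall log format, field names and sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Destination ports the excerpt reports Satori using to reach devices.
SATORI_PORTS = {37215, 52869}

# Constructed sample firewall log lines (not real traffic), using an assumed
# "ts src=... dst=... dport=... proto=... action=..." layout.
SAMPLE_LOG = """\
2017-12-05T10:00:01Z src=203.0.113.10 dst=192.0.2.5 dport=37215 proto=tcp action=deny
2017-12-05T10:00:02Z src=203.0.113.10 dst=192.0.2.6 dport=37215 proto=tcp action=deny
2017-12-05T10:00:03Z src=203.0.113.10 dst=192.0.2.7 dport=52869 proto=tcp action=deny
2017-12-05T10:00:04Z src=198.51.100.7 dst=192.0.2.5 dport=443 proto=tcp action=allow
2017-12-05T10:00:05Z src=198.51.100.9 dst=192.0.2.8 dport=52869 proto=tcp action=deny
2017-12-05T10:00:06Z src=198.51.100.9 dst=192.0.2.9 dport=37215 proto=tcp action=deny
2017-12-05T10:00:07Z src=198.51.100.9 dst=192.0.2.9 dport=37215 proto=tcp action=deny
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_events(log_text):
    """Yield (src, dst, dport) per parsable line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def satori_scan_candidates(log_text, min_targets=2):
    """Return {src: {port: [distinct dsts]}} for sources that touched at least
    `min_targets` distinct destinations on the Satori ports.

    Distinct destinations are counted rather than raw hits, so a single host
    retrying one connection does not raise an alert by itself."""
    hits = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in parse_events(log_text):
        if dport in SATORI_PORTS:
            hits[src][dport].add(dst)
    result = {}
    for src, per_port in hits.items():
        targets = set().union(*per_port.values())
        if len(targets) >= min_targets:
            result[src] = {p: sorted(d) for p, d in per_port.items()}
    return result
```

In practice the port list should be kept next to the other botnet indicators you track, and the threshold tuned against the normal inbound noise on those ports.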

Forever 21 Found Malware and Encryption Disabled on its PoS Devices

Following an investigation with payment technology and security firms, Forever 21 said in an update posted late last week that encryption technology on some point-of-sale (PoS) devices was not always on, and that it had found signs of unauthorized network access and malware installed on PoS devices to search for payment card data. The malware searched for track data from payment cards as they were processed through the PoS system. In most cases this data was limited to card number, expiration date, and internal verification code. Occasionally, the cardholder name was also found. Encryption had been disabled and malware installed on some devices at varying times in US stores from April 3, 2017 through November 18, 2017. Some locations only experienced a breach for a few days or weeks; others were hit for most or all of the timeframe. In most cases, only one or a few PoS devices were affected at each outlet.

Generative AI: The new power tool for creative pros

AI can abstract visual patterns from artwork and then apply those patterns in the fanciful rerendering of photographic images with the hallmark features of that artwork. These algorithms can also transform any rough doodle into an impressive drawing that seems to have been created by expert human artists depicting real-world models. They can take hand-drawn sketches of human faces and algorithmically transform them into photorealistic images. They can instruct a computer to render any image so it appears as if it were composed by a specific human artist in a specific style. ... AI can autocorrect photos by generating and superimposing onto the original any visual elements that were missing, obscure, or misleading. It can also transform any low-resolution original image into a natural-looking high-resolution version. It can generate natural-looking but synthetic human faces by blending existing portraits or abstracting features from any specific portrait.

Is Your Test Automation Team a Team of Superheroes?

The Test Automation Environment Expert has to be familiar with all concerns regarding test programs such as test data management, problem reporting and resolution, test development and design and should have technical skills which include knowledge of programming languages, database technologies, and operating systems. Also known as the test lead, the Test Automation Environment Expert verifies requirement quality, test design, test script and test data development, test environment configuration, test script configuration management and test execution. The test lead has to stay on top of all current developments in the testing industry, the latest testing tools, and test approaches and ensure proper knowledge transfer of the same. He/she is also responsible for conducting test design and test procedure walkthroughs and inspections, implementing test process improvements, test the traceability matrix

GPS tracking vulnerabilities leave millions of products at risk

According to the research, the vulnerable services were exposing location information, device model and type information, IMEI numbers, phone numbers (where such information is used for the device in question), custom assigned names, audio recordings, and images. For example: In addition to the verified data exposures, on gps958.com it is possible to access location history, send commands to the device (the same commands that would be sent via SMS), and activate or deactivate geo-fencing alarms. No authentication needed. When it comes to images and audio recordings, the exposures happened via open directories on the affected service's website. Stykas and Gruhn first discovered a debugging interface, which allowed them to enter API queries in a web form (similar to what Temple did in 2015). Once they knew what the API expected, they could query the API even on websites that did not expose the API in a publicly viewable directory.

Banking Disruption by PSD2 Takes User Experience Design to the Forefront

Open Banking will cause the rapid growth of financial services, taking the user experience to the next level. Many procedures will become simple and automated. With access to the banking APIs, FinTechs can provide users with opportunities to improve their financial lives. For banks and FinTech companies, this means only one thing. It is necessary to revise the existing user flow and redesign the actual service to eliminate friction, making it valuable for customers. Currently, banks have an infrastructure and a customer base, but they are burdened by a product-centered thinking legacy. Most banking solutions are outdated, and interfaces are not intuitive. Unlike the banks, FinTech companies create modern, client-centered solutions, but they do not have enough resources to bring them to market and acquire customers.

The Three Big Trends in 2018 That Will Matter When Doing Business in Europe

Major European data privacy, security and sovereignty regulations will be enacted in 2018 that will affect every company doing business there and beyond. The EU's new General Data Protection Regulation (GDPR) rules, which go into effect in May of 2018, make up-front corporate investment for compliance unavoidable. GDPR's goal is to strengthen and unify data protection for all individuals in the EU while also addressing the export of personal data outside the region, with huge fines imposed for companies that breach its provisions. While any company handling consumer data will be impacted, the effect on some industries will be particularly acute, such as medtech and biotech. For example, gathering patient information in one country and storing it in another will require new oversight, with possible implications for any firm performing clinical trials in Europe.

The Cybersecurity 'Upside Down'

Understanding and establishing true visibility for code and application security is a must for today's enterprises. Most companies are developing technology and using many different infrastructure providers and third-party components, and they're accelerating development practices due to competition and new methodologies such as DevOps. If organizations are not integrating security into the entire development lifecycle, they are exposed. Practices of manual pen testing twice per year, and/or siloed testing within development, provide no visibility and painful remediation in an Upside Down event. Make sure to ask questions. Knowing how organizations in your supply chain are developing and protecting your products gives you a line of sight into issues and areas of potential risk.

No, The Death Of Net Neutrality Will Not Be Subtle

Of course, most of the folks that really understand net neutrality have acknowledged that the harms initially may be muted. ISPs will initially want to be on their best behavior in the new year as they wait for the inevitable lawsuits against the FCC (for ignoring the public and ignoring rampant comment fraud) to shake out, wary of providing the ongoing proceedings with any ammunition. And, as we've noted, ISPs are well aware that even then the rules could simply be recrafted at a later date, which is why they're pushing for a fake net neutrality law that makes federal apathy on the subject the law of the land. But should ISPs win in the courts or on the Hill, the end result of what they're trying to accomplish will be anything but subtle. Anybody believing otherwise doesn't understand the full scope of what ISP lobbyists are (so far successfully) up to here.

Quote for the day:

"You don't lead by pointing and telling people some place to go. You lead by going to that place and making a case." -- Ken Kesey
