Daily Tech Digest - February 28, 2018

The questions are sometimes simple, but by no means always. Many questions can be summarized as “What is this?” However, only 2 percent call for a yes-or-no answer, and fewer than 2 percent can be answered with a number. And there are other unexpected features. It turns out that while most questions begin with the word “what,” almost a quarter begin with a much more unusual word. This is almost certainly the result of the recording process clipping the beginning of the question. But answers are often still possible. Take questions like “Sell by or use by date of this carton of milk” or “Oven set to thanks?” Both are straightforward to answer if the image provides the right information. The team also analyzed the images. More than a quarter are unsuitable for eliciting an answer, because they are not clear or do not contain the relevant info. Being able to spot these quickly and accurately would be a good start for a machine vision algorithm.



Memcached Servers Being Exploited in Huge DDoS Attacks

Security researchers have previously warned about Internet-facing Memcached servers being open to data theft and other security risks. Desler theorizes one reason why attackers have not used Memcached as an amplification vector in DDoS attacks previously is simply because they have not considered it and not because of any technical limitations. Exploiting Memcached servers is new as far real-world DDoS attacks are concerned, says Chad Seaman, senior engineer, with Akamai's Security Intelligence Response Team. "A researcher had theorized this could be done previously," Seaman says. "But as Memcached isn't meant to run on the Internet and is a LAN-scoped technology that is wide open, he thought it could really only be impactful in a LAN environment." But the use of default settings and reckless administration overall among many enterprises has resulted in a situation where literally tens of thousands of boxes running Memcached are on the public-facing Internet, Seaman says.


Firms failing to learn from cyber attacks

The survey findings suggest security inertia has infiltrated many organisations, with an inability to repel or contain cyber threats and the resultant impact on the business. This inertia is reflected in the fact that 46% of respondents said their organisation cannot prevent attackers from breaking into internal networks every time it is attempted, 36% said that administrative credentials are stored in Word or Excel documents on company PCs, and half admitted their customers’ privacy or PII (personally identifiable information) could be at risk because their data is not secured beyond the legally-required basics. The report notes that the automated processes inherent in cloud and DevOps mean that privileged accounts, credentials and secrets are being created at a prolific rate. If compromised, the report said these can give attackers a crucial jumping-off point to achieve lateral access to sensitive data across networks, data and applications or to use cloud infrastructure for illicit crypto mining activities.

While the “shift to Teal” is a more big picture view, there is an interesting perspective on self-organization in teams and organizations that states basically that organizations with self-organizing teams actually still have leaders / leadership. This perspective brings the big picture view above more in focus in individual organizations and companies. This is discussed in a book by Lex Sisney titled “Organizational Physics - The Science of Growing a Business”. Sisney proposes that in reality instead of having top-down or bottom up organization, some of the most new and adaptable organizations are actually “Design-Centric” organizations. ... So the leadership shift is not a choice of top-down or bottom-up, but rather one where the leader designs a system within the organization that allows teams to self-organize and to be empowered to deliver the organization’s objectives. If this is done well, there is little need for the leader to intervene in the organization or system because the people and teams are able to effectively lead and guide the organization themselves.


14 top tools to assess, implement, and maintain GDPR compliance

The European Union’s General Data Protection Regulation (GDPR) goes into effect in May 2018, which means that any organization doing business in or with the EU has six months from this writing to comply with the strict new privacy law. The GDPR applies to any organization holding or processing personal data of E.U. citizens, and the penalties for noncompliance can be stiff: up to €20 million (about $24 million) or 4 percent of annual global turnover, whichever is greater. Organizations must be able to identify, protect, and manage all personally identifiable information (PII) of EU residents even if those organizations are not based in the EU. Some vendors are offering tools to help you prepare for and comply with the GDPR. What follows is a representative sample of tools to assess what you need to do for compliance, implement measures to meet requirements, and maintain compliance once you reach it.

Chris Webber, a security strategist with SafeBreach, says configuration errors are one of the most frequently occurring issues with NGFWs. “Many users get tripped up if they only rely on vendor-supplied defaults,” Webber said. “A next-generation firewall can be like having a Swiss army knife on your network, but many times its features aren’t turned on, which lets attackers gain access.” Webber also noted that most vendors provide auto-migration tools to help new customers migrate from their legacy firewalls to NGFWs but that errors may occur during this process, as vendor features and architecture can vary. SafeBreach said it has discovered breach scenarios due to these policy gaps and errors resulting from assumptions about new NGFW vendor default policies and auto-migration challenges. Another issue is that many users don’t decrypt encrypted traffic like SSL, TLS, and SSH, which can become a major blind spot for customers, Webber said.

The future of every type of ambitious commercial business, whether it’s a factory making products, a bank loaning money, an IT support shop helping users, a grocery store selling goods, a law firm prepping available information for its client cases, an analyst firm producing insight… is to perform its business operations with the optimum balance of talent, so it can maximise its immediate profits, with an eye on the future to stay ahead of the competition. As soon as someone’s output is predictable, taking inputs from various sources to produce outputs, you can start to figure out how to program software and machines to perform said tasks – and computers will always be cheaper than humans, once they are functional and can do the job. So our goal has to be about furthering our abilities, not only to get the basics of our jobs done, but to immerse ourselves into helping our colleagues and bosses figure out the what next. Because if we only focus on the now, we are eventually going to render ourselves predictable and replaceable.


Virtual Private Networks: Why Their Days Are Numbered

VPNs require an array of equipment, protocols, service providers and topologies to be successfully implemented across an enterprise network – and the complexity is only perpetuated as networks grow. Purchasing the excess capacity and new Multiprotocol Label Switching (MPLS) connections needed to support effective VPNs can weigh heavily on IT budgets, while managing these networks will require greater reliance on personnel. Rather than limit the number of devices on their networks, organizations need to seek out solutions that simplify network management as companies continue embracing mobile and remote workforces. Even businesses that continue to rely on VPN or backhaul networks to protect their data need to employ a defense-in-depth approach to security, since VPNs, on their own, only offer the baseline protections of a standard web proxy.  As more solutions move to the cloud and enterprises rely less and less on physical servers and network connections, the need for VPNs will eventually evolve, if not disappear altogether.

From a security standpoint, what you really want is to be alerted when employees do something suspicious. User behavior analytics (UBA) are a smarter way to sniff out anomalies in users' actions and flag them for further investigation. Companies like IBM and Varonis have developed advanced UBA tools that can detect unusual activity. Is an employee trying to access a file they shouldn’t? Maybe they’re downloading something at 3:00am from a location that isn’t their home. Perhaps they’re trying to move laterally between systems. The beauty of UBA is that it highlights malicious insiders and outsiders using stolen credentials equally well, though it may require further investigation to determine which is which. If you’re going to go to the trouble of monitoring your employees, then maybe you should extract more value from the data you collect. There’s a new breed of software that offers the same potential security protections to ensure compliance but focuses on the end user experience and how it might be improved to remediate issues as they happen.

Monitoring the state of an application is important during development and in production. With a monolithic application, this is rather straightforward, since one can attach a native debugger to the process and have the ability to get a complete picture of the state of the application and its evolution. Monitoring a microservice-based application poses a greater challenge, particularly when the application is composed of tens or hundreds of microservices. Due to the fact that any request may involve being processed by many microservices running multiple times -- potentially on different servers -- it is exceptionally difficult to follow the “story” of the application and identify the causes of problems when they arise. Currently, the main methodology relies on obtaining a trace of all transactions and dependencies using tools that, for example, implement the OpenTracing standard. These tools capture timing, events, and tags, and collect this data out-of-band (asynchronously). 



Quote for the day:

"The mark of a great man is one who knows when to set aside the important things in order to accomplish the vital ones." -- Brandon Sanderson

Daily Tech Digest - February 27, 2018

Visual Studio Code joins the Anaconda Python data science toolkit

Visual Studio Code joins the Anaconda Python data science toolkit
Microsoft’s relationship with Anaconda is intended to go further than Anaconda using R Open and Visual Studio Code. It’s also working with Anaconda to embed its data science tools inside SQL Server. Bringing interactive analytics tooling into the heart of a database is a sensible approach; and Microsoft has already started to put its own analytic tools there. But making that service dependent on an open source project that it doesn’t control is a big step forward for Microsoft. SQL Server is one of its flagship enterprise products, so bringing in a set of tools that update on a very different schedule could be an issue for many of Microsoft’s corporate customers. But with Anaconda a popular tool on data scientists’ desktops, it shouldn’t be too much of a stretch for users. If you don’t need it in a production database, you can always not install it, leaving the SQL Server/Anaconda combination for your data science team’s development environment.



7 transportation IoT predictions from Cisco

7 transportation IoT predictions from Cisco
While many observers note that IoT technology evolves much faster than the vehicles and infrastructure they power, Connor had an opposite viewpoint. “In fact," he said, “the IoT data collected and analyzed from connected cars and infrastructures can help extend the life of these vehicles and the transportation system through predictive analytics and preventative maintenance. For example, by aggregating and analyzing traffic data from IoT sensors on streetlights, transportation agencies can determine which roads are most frequently traveled and service them first. "Additionally, connected cars can alert drivers when maintenance is needed to keep the vehicles running smoothly. And with vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) connections optimizing routes, alleviating congestion and helping drivers avoid road hazards, there will be fewer accidents.”


Cryptojacking is the new malware

Serving as the gateway to the Internet, browsers have gotten sophisticated over the years – and so have the hackers. Utilizing easily accessible JavaScript libraries, hackers can inconspicuously inject code into even the most secure websites. When a user visits these infiltrated websites, they are unknowingly running extra bits of code that enable hackers to utilize their device as part of a larger cryptomining initiative. In several notable examples, companies like mining-software library Coinhive, dubbing itself as an alternative to ad-blocking technology, have had their scripts illicitly embedded on websites from Showtime television network to the Ecuadorian Papa John’s Pizza. Covert or overt, drive-by mining schemes are often invisible to users, yet the implications for the enterprise can be severe. Slower performing computers can hamper productivity while the scripts running in the background can provide an open doorway for future malware or ransomware attacks.


Think Like An Attacker And Mitigate Cyber Threat


Crucially, the way that businesses often measure or prioritise their activity in terms of security is whether they will pass an audit. While it may be comforting to members of the business to meet these requirements, they often fall short of industry best practice, and significantly so. And let’s be honest – a hacker has no interest in whether an organisation has passed an audit, and neither will any customers impacted by a breach. On the one hand, meeting regulatory guidelines is often a good starting point for putting in place a sensible approach to security and data. However, simply ticking the box of compliance could well open organisations up to a range of threats. Instead, by ensuring that basic procedures are in place, organisations can build a more comprehensive strategy. This encompasses all the elements needed to support a more complex IT infrastructure and the flexibility to adapt to future changes in the IT landscape.


Making AI software smarter by adding human feedback


While more natural and human-based training does have incredible potential, it’s difficult to imagine this form of AI being used in business-centric processes such as the collection or analyzation of current intelligence. You could not hope to trust a novice or “growing” system with such highly-sensitive systems — or could you?It begs the question: What can IT professionals do to better incorporate AI into business intelligence processes so that it delivers safe, guaranteed results Avanade is a merger between Microsoft and Accenture, powered by the Cortana Intelligence Suite, meant to provide predictive analytics and data-based insights. Because it utilizes Cortana — Microsoft’s version of modern AI and voice assistant technology — it already benefits greatly from the existing platform. It hasn’t been done yet, but if Microsoft and Cortana’s developers were to introduce a form of human-based training for the platform, that information could be fed back into other areas of the technology, such as Avenade’s.


Security leaders investing in automation and AI, study shows


Applying machine learning can help to enhance network security defences and, over time, “learn” how to automatically detect unusual patterns in encrypted web traffic, cloud and internet of things (IoT) environments, the report said, adding that although they are still in their infancy, machine learning and AI technologies will mature. “Last year’s evolution of malware shows that adversaries are becoming wiser at exploiting undefended gaps in security,” said John Stewart, senior vice-president, and chief security and trust officer at Cisco. “Like never before, defenders need to make strategic security improvements, technology investments, and incorporate best practices to reduce exposure to emerging risks.” However, the Cisco report coincided with a report by UK and US experts that warned that AI is also likely to be used by attackers, who are expected to not only use the technology to increase the effectiveness of attacks, but also to exploit weaknesses in AI technologies by poisoning data, for example.



How to get more women in IT jobs? Mandate an inclusive culture

It was a good and timely question -- especially the last part. Revelations about sexual harassment and cultural breakdown were trickling out of one of Silicon Valley's standouts -- ride-sharing pioneer Uber -- leading, eventually, to the resignation of its chief executive, Travis Kalanick. But does the answer to how to get more women in IT jobs and then ensure the workplace is a safe and welcoming one for them always depend on the CEO? I took up the topic with Kristi Riordan, COO at the Flatiron School, a coding boot camp in New York that offers scholarships to women who want to be part of the high-paying tech economy. To cultivate a good environment for women in technology, organizations need to sign onto that policy at the top, Riordan said. Senior leaders must be expected to establish an inclusive culture of respect and transparency.


What is a data scientist? A key data analytics role and a lucrative career

data science classes math
A data scientist’s main objective is to organize and analyze large amounts of data, often using software specifically designed for the task. The final results of a data scientist’s analysis needs to be easy enough for all invested stakeholders to understand — especially those working outside of IT. A data scientist’s approach to data analysis depends on their industry and the specific needs of the business or department they are working for. Before a data scientist can find meaning in structured or unstructured data, business leaders and department managers must communicate what they’re looking for. As such, a data scientist must have enough business domain expertise to translate company or departmental goals into data-based deliverables such as prediction engines, pattern detection analysis, optimization algorithms, and the like.


India ranks 47th when it comes to inclusive Internet

Across the indexed countries, on average, men are 33.5 per cent more likely to have Internet access than women. "The gap is even larger in low-income countries, which have an average gender access gap of 80.2 per cent compared with 3.7 per cent among high-income countries," said Molly Jackman, Public Policy Research Manager at Facebook. The index assessed a country's Internet inclusion across four categories: availability, affordability, relevance and readiness. "Bringing people online can offer life-changing opportunities, but there are still approximately 3.8 billion people without Internet access. At Facebook, we're working to change that," added Robert Pepper, Head of Global Connectivity Policy at Facebook, in a blog post. "Global connectivity has increased 8.3 per cent and more people are connected than ever before. While this progress is encouraging, we are still far from achieving full Internet inclusivity," Pepper added.


Lenovo introduces new water-cooled server technology

Lenovo introduces new water-cooled server technology
Not only is it a cheaper method of cooling, but it’s more effective. Air cooling is only effective up to about 10 kilowatts of power in a server chassis, while water cooling can handle 70 kW or more. And the ThinkSystem SD650 is one seriously dense server tray. Each tray has two sockets, and up to 12 trays can be squeezed into one 6U NeXtScale n1200 enclosure. That translates to 24 Xeons, 9.2TB of memory, 24 SFF SSDs or 12 SFF NVMe drives, and 24 M.2 boot drives. Lenovo developed the cooling system with the Leibniz Supercomputing Center (LRZ) in Germany. Later this year, the center will deploy a 100 rack supercomputer consisting of 6,500 ThinkSystems SD650s with 26.7 petaflops of peak performance. That would make it the number three supercomputer on the Top500 supercomputer list as of November 2017, but there will undoubtedly be other contenders. The direct-water cooled design allows for up to 90 percent heat recovery, meaning only 10 percent of the heat generated by the CPU has to be addressed with an air conditioner or fan.



Quote for the day:


"He who rejects change is the architect of decay." -- Harold Wilson


Daily Tech Digest - February 26, 2018

The organisations have also developed a series of joint initiatives, which are still in their early stages and in the process of being launched. One of these is a cyber security working group, which will bring together industry representatives with NHS Digital. The working group has three initiatives that are now in the planning phase. These are: TechUK promoting NHS Digital’s hunt for a partner organisation to expand its security operations centre; setting an innovation challenge for suppliers to create a mechanism to trace data back to the original source; and “to assist NHS Digital to baseline the level of cyber security of medical devices”.  The partnership will also undertake a review of NHS Digital’s domains within the Personal Health and Care 2020 framework to find a “common view of the best way to engage with the market at an early stage” and establish governance groups for each domain.


BYOG (Bring Your Own Glasses) Will Bring Headaches For IT

vsplevel
We're facing the prospect of many or most employees carrying semi-concealed sensor bundles that connect either via Bluetooth, Wi-Fi or cellular networks and that track location. It will be difficult or impossible to know which sensors and components are built into which glasses. And in any event, the banishment of these sensor bundles will be extremely difficult, since they're also required for vision and therefore the basic performance of employees' jobs. You can ask meeting attendees or R&D visitors to leave their phones in a box outside, but you can't do that with glasses. In addition to threats to trade secrets and heightened exposure to hacking, there will be new issues with illicit recordings and captured data between and among employees and by partners, customers and others. Nobody has the answers to these challenges. But companies that want to stay ahead of the game need to start figuring out solutions sooner rather than later.


6 Cybersecurity Trends to Watch

Most breaches we see target traditional apps and on-premises environments, not the cloud infrastructure itself. Think Target, Yahoo, and JP Morgan Chase. To date, no cloud application or cloud vulnerability has been the direct source of a cataclysmic breach, and we don't envision this changing anytime soon. In analyzing more than 2.2 million verified security incidents captured in the Alert Logic network intrusion detection system over an 18-month period, the public cloud accounted for, on average, 405 incidents per customer. This was significantly lower than incidents occurring in on-premises environments (612 per customer), hosted private clouds (684), and hybrid cloud environments (977). While the Spectre and Meltdown vulnerabilities didn't bypass cloud deployments, the impact is likely to be disruption from necessary patching and subsequent performance issues. We're unlikely to see a major breach attributed to Spectre and Meltdown because they are unlikely to be used as initial attack vectors.


10 tips for crafting highly effective job descriptions

10 tips for crafting highly effective job descriptions
Hiring great talent starts with attracting the right talent. Here, an effective, engaging and inclusive job description is key. With a little upfront effort, you can craft just the right job description to bring a wide range of highly talented candidates into your pipeline — and ensure you’re not turning off talent before they even apply. "The best job descriptions combine a little bit of marketing, the reality of the role, the necessary skills and competencies and the organization's culture. All those things put together are key to how to present an open role to the market," says Justin Cerilli, managing director of financial services and technology at Russell Reynolds and Associates, an executive search and leadership transition firm. In addition to the standard role description and skills and experience required, recruiters and hiring managers must place an emphasis on culture, mission and values to avoid making a bad hire.


Google’s self-training AI turns coders into machine-learning masters

“We need to scale AI out to more people,” Fei-Fei Li, chief scientist at Google Cloud, said ahead of the launch today. Li estimates there are at most a few thousand people worldwide with the expertise needed to build the very best deep-learning models. “But there are an estimated 21 million developers worldwide today,” she says. “We want to reach out to them all, and make AI accessible to these developers.” Cloud computing is one of the keys to making AI more accessible. Google, Amazon, Microsoft, and other companies are rushing to add machine-learning capabilities to their cloud platforms. Google Cloud already offers many such tools, but they use pretrained models. That limits what they can do—for example, programmers will only be able to use the tools to recognize a limited range of objects or scenes that they have already been trained to recognize. A new generation of cloud-based machine-learning tools that can train themselves would make the technology far more versatile and easier to use.


How companies can predict new tech disruption and fight back against it

istock-687784558.jpg
While many people hear the term "disruption" and immediately think Amazon and Uber, industry-changing companies that tap tech advancements are now a reality across all business sectors, according to a Monday report from Accenture. Of 3,600 companies surveyed across 82 countries, with annual revenues of at least $100 million, 63% said they currently face high levels of disruption, the report found. ... Instead, it has a pattern that businesses can identify and prepare to combat. "Disruption is continual and inevitable — but it's also predictable," Omar Abbosh, Accenture's chief strategy officer, said in a press release. "Business leaders need to determine where their company is positioned in this disruption landscape and the likely speed of change. The more clearly they see what's changing around them, the better they can predict and identify opportunities to create value from innovation for their business and rotate to the 'new.'"


Surveillance watchdog investigates security risks of GCHQ IT contractors


For those determined enough, there are always ways to smuggle data out, from photographing a computer screen using an iPod with a built-in camera, or inserting a device known as a Teensy, which can bypass USB blocking technology by masquerading as a computer keyboard. ... Such controls may irrelevant, however, if contractors are able to access GCHQ's operational IT system remotely from the offices of an IT supplier, or even from home. Depending on the security of the computer systems they are using, it could be much easier to download and remove sensitive data. On this matter, GCHQ has so far appears to have had little to say in public. Why GCHQ is focusing almost exclusively on the security of its command line interfaces in its evidence is difficult to understand. One explanation may be that the organisation does not feel sufficiently confident about the systems it has in place to monitor the activities of its systems administrators


Global megatrends that are problematic for the state of cybersecurity

“Our hope is that CISOs and senior leaders can use this report as a tool to start a deep dialogue about the critical need for cybersecurity within their organizations,” said Raytheon Chairman and CEO Thomas A. Kennedy. “Every day the cyber threat is growing more sophisticated and aggressive, posing a real threat to global businesses across all sectors. To reduce risks, leaders must urgently work with their IT teams to identify potential vulnerabilities, develop an action plan and make the investments needed to protect the value of their organization.” The study looks at how cyber trends have evolved since 2015. It also asks security professionals in the U.S., Europe, Middle East and North Africa to identify future trends over the next three years. ... Senior leadership are also seen as seemingly disengaged in the oversight of their organization’s cybersecurity strategy with 68% of CISO/IT executives surveyed saying their Boards are not being briefed on measures taken to prevent or mitigate the consequences of a cyberattack.


Enabling Better Risk Mitigation with Threat Intelligence

A well-implemented threat intelligence capability can help improve your organization's situational awareness, threat responsiveness and ability to detect threats. Market research firm Markets & Markets estimates the market for threat intelligence services will top $8.9 billion by 2022 from around $3.8 billion in 2017. Threat intelligence is available from a variety of sources and includes IOCs, malware hashes, listings of bad URLs and files, threat actor TTPs, incident reports, exploits and targets. You can get threat intelligence via free open source feeds, paid commercial services, from peer organizations, from sector-specific information sharing groups, even newsletters, emails and spreadsheets. In order to benefit from threat intelligence, you need to be able to operationalize it. That means you need to have systems and processes in place for consuming external threat intelligence and correlating it with data from your internal systems.


What Those Developers Really Mean

What those developers really mean
Developers love to tout their new favorite toy by saying it’s the “new standard” or “it’s quickly becoming the new standard.” Again, “standard” becomes a touchstone that’s meant to make everyone feel good about the choice. The word “new,” however, should raise the hair on the back of your neck. Standards don’t become standards without time. If something is “new” then it’s too early to know whether the crowds will gather behind the bandwagon or your company will be one of the few left out to dry. Developers of the “new standard” may be blowing all the right horns and lighting lots of fireworks, but we won’t know whether the parade will fall into line without time. That doesn’t mean developers don’t have good intentions when they tell you it’s a “new standard” that they’re hot to adopt. After all, this often means they are interested in abandoning or deprecating some old approach.



Quote for the day:


"Sprints must be long enough to complete Stories, but short enough so that the reqmts churn is slower than the Sprint length can accommodate." -- @JamesSaliba


Daily Tech Digest - February 25, 2018

Using Brainwaves to Guess Passwords


EEG signals can’t be used to simply read out what a person is thinking or doing, and the control they can provide as interfaces is relatively crude. But the University of Alabama experiments add to evidence that they can still spill private information. The new study tested the idea that a person who paused a gaming session and logged into a bank account while still wearing an EEG headset could be at risk from malicious software snooping on personal credentials via brain waves. People first entered random PINs and passwords while wearing the headset, allowing software to learn the link between their typing and brain waves. Saxena says this training step could be achieved in the real world by a game that asked users to enter text or codes as part of gameplay, for example. After observing a person enter about 200 characters, algorithms could make educated guesses at new characters a person entered just by watching the EEG data.



The Truth About Hierarchy

People are suspicious of hierarchies for a reason — they sometimes stifle good ideas and the learning process that leads to good ideas. For example, dysfunctional hierarchies have been blamed for long periods of stagnation that companies such as General Motors Co. experienced. So, how can organizations foster learning and innovation? Here are three things leaders can do to leverage the power of hierarchy on teams yet avoid its pitfalls. ... The key is getting teams to identify the members who possess real knowledge. This is often easier said than done, in part because we tend to have implicit biases about the characteristics or backgrounds that signal expertise. For example, a study at a high-technology Fortune 100 company found that, not surprisingly, teams perform better when their more expert members rank higher in the team’s hierarchy. That study also found, however, that teams often pay attention to the wrong things as they sort out who will have more or less influence.


L.A. Times website injected with Monero cryptocurrency mining script

cryptosteal.jpg
In the case of the L.A. Times website, an AWS S3 bucket that was erroneously configured to be publicly writable was leveraged by hackers to inject the mining script. Curiously, in this instance, the script was not configured to run at max settings, which may have enabled it to go by undetected. Troy Mursch, a security researcher at the Bad Packets Report, discovered the attack of the L.A. Times website. In a statement to ThreatPost, he estimated that the script had been in use since at least February 9th. While the L.A. Times declined comment to ThreatPost, the script was removed from the website late Thursday. Coinhive has persisted on the edge of acceptability for some time. The service has used by The Pirate Bay since last September in lieu of traditional advertisements. The progressive politics website Salon has also started using Coinhive for users who have blocked normal advertising through the use of ad-blocking browser extensions.


The GDPR And Its Impact On The Borderless Economy


The GDPR compels businesses to evaluate their data handling and security practices—some businesses are lax in this regard. Consumers are concerned about the data management practices of companies they do business with, and they want assurance that their private information is secure. Surprisingly, consumers feel more strongly about this than businesses do. A 2017 study found that 79 percent of consumers believe an organization is obliged to control access to their information, but less than half of CMOs and IT security personnel agree. Thus, the GDPR presents a chance to correct lax compliance strategies and focus on what matters to customers. Data protection is critical to digital commerce. With smart, transparent security policies, companies can prove that they take the burden of protecting personal data seriously. The hard work to build trust is a smart long-term move because it makes customers more inclined to increase their digital business transactions with the company—and perhaps decrease transactions with a competitor that is less transparent.


Can China Contain Bitcoin?


China didn’t just impose a speed limit on virtual currency, however. It shut down the entire highway. Perhaps Chinese officials banned ICOs until they figure out how to regulate them. Lu, the entrepreneur who had to return $20 million to investors, hopes that this is the case. He says ICOs present a new business model in which users are stakeholders in the company, which gives them an incentive to invite their friends to join the platform. Lu believes that the virtual-currency exchanges will reopen but be run by the government. He says China will take regulation cues from the outside world, particularly the United States. The SEC recently signaled that it would take a more aggressive stance toward ICOs, perhaps by requiring ventures to register with the commission and disclose extensive information to investors. For now, Lu will continue to work on Bihu.com from Shanghai, raising capital with private investment.


How to Fast-Track Innovation Through M&A


Digital M&A comes down to time and money. Skills, products and services take time to build organically, especially in multinational corporations, and that time can be costly when there are rewards for those who adapt the fastest. This explains why, increasingly, organic build options are being complemented, or supplanted, by focused digital M&A strategies. Nearly three quarters of businesses believe M&A, or other forms of inorganic “buy” approaches, are the most effective way to get to where these companies need to be according to the second edition of Digital Deal Economy, a survey of more than 900 executives worldwide. Options range from acquiring digital capabilities, intellectual property (IP) and technologies wholesale, to more collaborative forms of third-party partnerships, such as alliances, joint ventures and outsourcing. By focusing on the transaction lifecycle through a digital lens, the study identified a group of “leaders”


Creating a Culture of Innovation


Innovation and disruption are possibly the overarching objectives of a digital culture. Successful digital companies are known more for their almost cultural predisposition to innovate and disrupt existing industries and markets. They are typically characterized by enterprise-wide capabilities for innovation built on a strong foundation of digital technologies. But innovation and disruption have not always been a core purpose of conventional organization culture. Most traditional companies were perfectly satisfied to focus on incremental improvements on their core products rather than pursue ambitious programs for reinvention. Disruption was something that even large companies like IBM and Lockheed Martin preferred to spin-off into independent culturally and procedurally air-gapped skunkwork programs. But in a digital culture, innovation is the core purpose of every enterprise. The digital economy has completely redefined the metrics of competitive advantage


Serverless Security: What's Left to Protect?


Serverless is a highly controversial name. Since code needs to run somewhere, clearly it will always need some server to run on! A more accurate (if not as catchy) name may be Server-management-less. When using FaaS, the underlying platform handles the servers for you, offloading the need to provision, manage and monitor these beasts. By offloading the servers from you, FaaS also takes on the responsibility for “patching” those servers – updating the operating system and its dependencies to safe versions when they’re affected by newly disclosed vulnerabilities. Known vulnerabilities in unpatched servers and apps are the primary vector through which systems are exploited, due to their frequency and broad deployment, along with the fact updating apps and servers at scale is hard. Serverless takes the unpatched servers risk off your hands, moving it to the “pros” running the platform, and by doing so makes you substantially more secure overnight.


Eight ways AI will change your business in 2018


We’ve all seen the headlines time and again: technologies like artificial intelligence (AI), blockchain, and the internet of things (IoT) will change our lives and work over the next decade. Such long-term forecasts are important, but business leaders must make decisions right now. They don’t want sci-fi visions. They want to know how and when AI will affect their organizations—and what they should do about it today. PwC just published some predictions about immediate trends to watch, based on insights not only from the technologists in our AI Accelerator and Emerging Tech Labs, but also from our finance, risk, operations, and cyber leaders and teams. And plural “teams” is intentional—not a typo. To develop and execute a near-term AI strategy, organizations must form cross-functional teams. No single function can succeed in isolation. These are the trends that are beginning to emerge but haven’t caught much attention yet


Is your staff’s cyber security awareness up to scratch?

A study carried out by OneLogin found that only 31% of companies require employees to change their password monthly, and 52% admitted that staff were only required to reset their password once every three months. This becomes more of a problem when the same password is used for multiple accounts, making it easy for a criminal hacker to gain access to company data. Another issue is that passwords are often shared with other staff members, defeating the point of having a password at all. Passwords should be kept secret and never be shared with colleagues. Staff can easily undermine your organisation’s cyber security. They need to understand and comply with your cyber security rules and regulations. If not, they will inevitably cause a data breach. A cyber health check will help identify your weakest security areas and recommend appropriate measures to mitigate your risks.



Quote for the day:


"Without big data analytics, companies are blind and deaf, wandering out onto the web like deer on a freeway." -- @geoffreyamoore


Daily Tech Diest - February 23, 2018

Cisco automation tools make it easier for network admins

automation-robot-phonlamaiphoto.jpg
Cisco has a new automation software portfolio that helps global service providers manage massive amounts of network data and better prepare for impending security threats. "We built out an entirely new portfolio of automation tools. It really centers on the fact that our customers have a whole set of challenges. They're currently spending on average somewhere between 3-4 times the amount to operate an infrastructure than they are just to purchase the infrastructure," said Jonathan Davidson, senior vice president and general manager of Cisco Service Provider Networking. In 2016, there were 17 billion devices and connections running on service provider networks and this is forecast to grow to 27 billion by 2021. To address this shift, the Cisco Crosswork Network Automation portfolio will assist industry adoption of complete lifecycle network automation and intent-based networking to help networks predict change and react in near real time.



Leveraging Security to Enable Your Business

The first step is to look into more modern technologies, such as a reverse proxy, which can overcome the cumbersome nature of multiple VPNs and ensure quick, seamless, and secure access from anywhere, on any device. With this approach, there is no need to repeatedly require MFA once a user has "passed the test" of proving who they are. Businesses can also leverage adaptive authentication technology, which automatically adjusts authentication requirements relative to the risk of the request. For example, an initial login may require MFA, but subsequent logins by the same user, from the same device, in the same day would not. If, however, the request suddenly comes from an unknown device, there could be something fishy going on. With adaptive authentication, the rules for an MFA requirement for specific risky login instances can be preset and automatically enforced.


AI for good: Can AI be trusted - and is it too late to ask?

Artificial Intelligence Trusted
The answer seems to point towards human input: in the words of AI researcher Professor Joanna Bryson, “if the underlying data reflects stereotypes, or if you train AI from human culture, you will find bias.” And if we’re not careful, we risk integrating that bias into the computer programs that are fast taking over the running of everything from hospitals to schools to prisons – programs that are supposed to eliminate those biases in the first place. Nigel Willson, global strategist at Microsoft, points out the importance of recognising how no technology is ever black and white. “The reality is that AI is like anything else – it can be very dangerous, or it can be amazing, based on how it’s used or misused,” he says. AI is only as as accurate as the information on which it is trained – meaning that we must be very careful with how we train it. Awareness of ‘unfair’ bias integrated into decades of data has led researchers to attempt the design of algorithms that counteract that bias when scraping the data: but this sparks the question of what constitutes ‘fairness’.


Telecom Opportunities: How to Monetize IoT

When League of Legends, one of the most popular online video games, went through the issue of lagging, their developers created their own internet to let players connect to the game. Riot Games created a network of routers, data centers and peer ISPs to create a network that placed latency before costs. Players from any part of the country would be directly connected to Riot’s access servers rather than routers on the regular ISP network. With 5G, Telcos can offer new levels of latency but there is more than just network connectivity that they can offer to gaming companies. One example Ericsson showed me during a recent visit to Kista, Sweden was an interface that allowed the gamer to manage their account from inside the game, for example they could top up their data allowance without having to exit the game.


“There is also growing use of managed security services to complement their on-site capability and provide secure file transfers and software updates, as well as continuous monitoring,” he said. However, he said that although there is a high level of awareness of the need for good cyber security in industrial operations, in many cases cyber security fundamentals are not yet in place. A recent Honeywell-sponsored survey by LNS Research of 130 decision makers from industrial companies revealed that only 37% were monitoring their plant systems for suspicious behaviour and 20% are not conducting regular risk assessments. “The survey also found that 53% said they had already experienced cyber security breach, but that is not surprising, given how young we are globally in cyber protection for critical infrastructure and industrial cyber security,” said Zindel.


Big Data Isn’t a Thing; Big Data is a State of Mind


Big Data is about exploiting the unique characteristics of data and analytics as digital assets to create new sources of economic value for the organization. Most assets exhibit a one-to-one transactional relationship. For example, the quantifiable value of a dollar as an asset is finite – it can only be used to buy one item or service at a time. Same with human assets, as a person can only do one job at a time. But measuring the value of data as an asset is not constrained by those transactional limitations. In fact, data is an unusual asset as it exhibits an Economic Multiplier Effect, whereby it never depletes or wears out and can be used simultaneously across multiple use cases at near zero margin cost. This makes data a powerful asset in which to invest. Understanding the economic characteristics of data and analytics as digital assets is the first step in monetizing your data via predictive, prescriptive and preventative analytics.


How long does it take to detect a cyber attack?

The study found that US companies took an average of 206 days to detect a data breach. This is a slight increase on the previous year (201 days). Ponemon suggests all organizations should aim to identify a breach within 100 days. The average cost of identifying a breach within this time was $5.99 million, but for breaches that took longer to identify, the average cost rose to $8.70 million. There is a similar correlation in terms of containing a breach. Breaches that took less than 30 days to contain had an average cost of $5.87 million, but this rose to $8.83 million for breaches that took longer to contain. The good news is that organizations have become significantly better at containing breaches, with the average time dropping from 70 days in 2016 to 55 days. The majority of breached organizations are notified by someone other than their own staff, according to Mandiant’s M-Trends 2017 report. It found that 53% of breaches were discovered by an external source.


Hackers are selling legitimate code-signing certificates to evade malware detection


Code-signing certificates are designed to give your desktop or mobile app a level of assurance by making apps look authentic. Whenever you open a code-signed app, it tells you who the developer is and provides a high level of integrity to the app that it hasn't been tampered with in some way. Most modern operating systems, including Macs, only run code-signed apps by default. But not only does code-signing have an affect on users who inadvertently install malware, code-signed apps are also harder to detect by network security appliances. The research said that hardware that uses deep packet inspection to scan for network traffic "become less effective when legitimate certificate traffic is initiated by a malicious implant." That's been picked up by some hackers, who are selling code-signing certificates for as little as $299. Extended validation certificates which are meant to go through a rigorous vetting process can be sold for $1,599.


Machine-learning promises to shake up large swathes of finance


Natural-language processing, where AI-based systems are unleashed on text, is starting to have a big impact in document-heavy parts of finance. In June 2016 JPMorgan Chase deployed software that can sift through 12,000 commercial-loan contracts in seconds, compared with the 360,000 hours it used to take lawyers and loan officers to review the contracts. Machine-learning is also good at automating financial decisions, whether assessing creditworthiness or eligibility for an insurance policy. Zest Finance has been in the business of automated credit-scoring since its founding in 2009. Earlier this year it rolled out a machine-learning underwriting tool to help lenders make credit decisions, even for people with little conventional credit-scoring information. It sifts through vast amounts of data, such as people’s payment history or how they interact with a lender’s website.


The emerging link between employee well-being and cyber security services

This epidemic means big problems for employees and employers alike — and a significant opportunity for brokers who can provide solutions that protect employees’ financial well-being. When identity thieves take advantage of employees’ stolen personal information to obtain credit or loans, or commit various types of fraud, both employees and employers pay a steep price. ...  In other words, the identity theft resolution process is not only stressful for employees, it has a significant impact on their productivity at work. The reason is because without the assistance of an identity theft resolution resource, employees have to do a lot of leg work, such as filing police reports, writing letters and making trips to financial institutions to report fraud.



Quote for the day:


"You never really learn much from hearing yourself speak." -- George Clooney


Daily Tech Digest - February 22, 2018

(Image: geralt/Pixabay)
Organizations are investing more money in their analytics programs. These programs do more now than recommending a new blouse or what to watch next on Netflix. If you are SpaceX and your data is incorrect, it could result in the loss of a multi-million-dollar rocket, Biltz said. That's a big deal. The Accenture report, culled from survey responses of more than 6,300 business and IT executives worldwide, found that 82% of those executives are using data to drive critical and automated decisions. What's more, 97% of business decisions are made using data that managers consider to be of unacceptable quality, Accenture notes, citing a study published in HBR. "Now it becomes vitally important that the data you have is as true, as correct, as you can make it," Biltz said. Right now, organizations don't have the systems in place to do that." Plus, there's just more data now, coming from a variety of different sources, than there ever has been in the past.


9 ways to overcome employee resistance to digital transformation

While it's easy to assume technology changes would cause the most issues in the transformation process, tech isn't actually the root of the problem, said R/GA Austin's senior technology director Katrina Bekessy. "Rather, it's usually organizing the people and processes around the new tech that's difficult," Bekessy said. "It's hard to change the way people work, and realign them to new roles and responsibilities. In short, digital transformation is not only a transformation of tech, but it also must be a transformation in a team's (or entire company's) culture and priorities." Inertia and ignorance are two key parts of employee resistance to transformation, according to Michael Dortch, principal analyst and managing editor at DortchOnIT.com. "Inertia results in the 'but we've always done it this way' response to any proposed change in operations, process, or technology, while ignorance limits the ability of constituents to see the necessity and benefits of digital transformation," Dortch said.


8 Machine Learning Algorithms explained in Human language

Machine Learning explained in human language
What we call “Machine Learning” is none other than the meeting of statistics and the incredible computation power available today (in terms of memory, CPUs, GPUs). This domain has become increasingly visible important because of the digital revolution of companies leading to the production of massive data of different forms and types, at ever increasing rates: Big Data. On a purely mathematical level most of the algorithms used today are already several decades old. ... You are looking for a good travel destination for your next vacation. You ask your best friend for his opinion. He asks you questions about your previous trips and makes a recommendation. You decide to ask a group of friends who ask you questions randomly. They each make a recommendation. The chosen destination is the one that has been the most recommended by your friends. The recommendations made by your best friend and the group will both make good destination choices. But when the first recommendation method works very well for you, the second will be more reliable for other people.


3 Things You Need to Know (and Do) Before Adopting AI

3 Things You Need to Know (and Do) Before Adopting AI
AI enables machines to learn and act, either in place of humans or to supplement the work of humans. We’re already seeing widespread use of AI in our daily lives, such as when brands like Netflix and Amazon present us with options based on our buying behaviors, or when chat bots respond to our queries. AI is used to pilot airplanes and even streamline our traffic lights. And, that’s just the beginning as we enter the age of AI and machine learning, with these technologies replacing traditional manufacturing as drivers of economic growth. A McKinsey Global Institute study found that technology giants Baidu and Google spent up to $30 billion on AI in 2016, with 90 percent of those funds spent on research and development, and deployment and 10 percent on AI acquisitions. In 2018, AI adoption is expected to jump from 13 percent to 30 percent, according to Spiceworks' 2018 State of IT report.


Is the IoT backlash finally here?

Is the IoT backlash finally here?
As pretty much everyone knows, the Internet of Things (IoT) hype has been going strong for a few years now. I’ve done my part, no doubt, covering the technology extensively for the past 9 months. As vendors and users all scramble to cash in, it often seems like nothing can stop the rise IoT. Maybe not, but there have been rumblings of a backlash to the rise of IoT for several years. Consumer and experts worry that the IoT may not easily fulfill its heavily hyped promise, or that it will turn out to be more cumbersome than anticipated, allow serious security issues, and compromise our privacy.  Others fear the technology may succeed too well, eliminating jobs and removing human decision-making from many processes in unexamined and potentially damaging ways. As New York magazine put it early last year, “We’re building a world-size robot, and we don’t even realize it.” Worse, this IoT robot “can only be managed responsibly if we start making real choices about the interconnected world we live in.”


Intel expects PCs with fast 5G wireless to ship in late 2019

Intel 5g notebook
Intel will show off a prototype of the new 5G connected PC at Mobile World Congress show in Barcelona. In addition the company will demonstrate data streaming over the 5G network. At its stand, Intel said that it will also show off eSIM technology—the replacement for actual, physical SIM cards—and a thin PC running 802.11ax Wi-Fi, the next-gen Wi-Fi standard. Though 5G technology is the mobile industry’s El Dorado, it always seems to be just over the next hill. Intel has promoted 5G for several years, saying it will handle everything from a communications backbone for intelligent cars to swarms of autonomous drones talking amongst themselves.  Carriers, though, have started nailing down when and where customers will be able to access 5G technology. AT&T said Wednesday, for example, that a dozen cities including Dallas and Waco, Texas, and Atlanta, Georgia, will receive their first 5G deployments by year’s end. Verizon has plans for three to five markets, including Sacramento, California.


Who's talking? Conversational agent vs. chatbot vs. virtual assistant


A conversational agent is more focused on what it takes in order to maintain a conversation. With virtual agents or personal assistants, those terms tend to be more relevant in cases where you're trying to create this sense that the conversational agent you're dealing with has its own personality and is somehow uniquely associated with you. At least for me, the term virtual assistant sort of metaphorically conjures the idea of your own personal butler -- someone who is there with you all the time, knows you deeply but is dedicated to just you and serving your needs. .. I think there becomes an intersection between the two ideas. For it to serve you on a personal level, any kind of good personal assistant or virtual assistant needs to retain a great deal of context about you but then use that context as a way of interacting with you -- to use the conversational agent technique for not just anticipating your need but responding to your need and getting to know you better to be able to respond to that need better in the future.


Why the GDPR could speed up DevOps adoption

istock-531240484.jpg
One of the key trends that's happening now, especially with the changing demographics and change in technology, is most people are interacting with businesses digitally, via their phones, via their computers and so on. A lot of businesses, whether it's retail or banking or insurance or whatever have you—the face of those businesses has started to become digital and where they're not becoming digital there are new companies that are springing up that are disrupting those businesses. DevOps, the whole movement, the single biggest thing about it is agility, which is the ability to bring applications to market quicker, so this new demographic that's interacting with all the businesses digitally can consume or can interact with these businesses in ways that they're used to interacting with everything else, and for these businesses to protect themselves against disruption from other people.


Cisco Report Finds Organizations Relying on Automated Cyber-Security

Automation
Among the high-level findings in the 68-page report is that 39 percent of organizations stated they rely on automation for their cyber-security efforts. Additionally, according to Cisco's analysis of over 400,000 malicious binary files, approximately 70 percent made use of some form of encryption. Cisco also found that attackers are increasingly evading defender sandboxes with sophisticated techniques. "I'm not surprised attackers are going after supply chain, using cryptography and evading sandboxed environments, we've seen all these things coming for a long time," Martin Roesch, Chief Architect in the Security Business Group at Cisco, told eWEEK. "I've been doing this for so long, it's pretty hard for me to be surprised at this point." Roesch did note however that he was pleasantly surprised that so many organizations are now relying on automation, as well as machine learning and artificial intelligence, for their cyber-security operations.


Artificial general intelligence (AGI): The steps to true AI

Artificial general intelligence (AGI): The steps to true AI
AI lets a relatively dumb computer do what a person would do using a large amount of data. Tasks like classification, clustering, and recommendations are done algorithmically. No one paying close attention should be fooled into thinking that AI is more than a bit of math. AGI is where the computer can “generally” perform any intellectual task a person can and even communicate in natural language the way a person can. This idea isn’t new. While the term “AGI” harkens back to 1987, the original vision for AI was basically what is now AGI. Early researchers thought that AGI (then AI) was closer to becoming reality than it actually was. In the 1960s, they thought it was 20 years away. So Arthur C. Clarke was being conservative with the timeline for 2001: A Space Odyssey. A key problem was that those early researchers started at the top and went down. That isn’t actually how our brain works, and it isn’t the methodology that will teach a computer how to “think.” In essence, if you start with implementing reason and work your way down to instinct, you don’t get a “mind.”



Quote for the day:


"A man's character may be learned from the adjectives which he habitually uses in conversation." -- Mark Twain