Daily Tech Digest - May 04, 2018

7 Ways To Embrace Shadow IT & Win

Direction on how to deal with shadow IT tools is best obtained by asking users to discuss the value the technology is delivering to them and the specific problems it's helping to solve. "It's similar to what our IT teams do when evaluating new technologies, except that the new technology is already part of some business workflow," says Sean Cordero, head of cloud strategy at Netskope, a cloud security platform provider. "If it turns out your team can’t deliver the capabilities needed, then it’s likely a good time to dig further into the use cases and identify solutions that can meet the business' needs." A top shadow IT example is surreptitious use of public cloud services. Employees often share files, offer multiple users document access or simply back up important files to services such as Dropbox or Google Docs. "While these platforms are ubiquitous and easy to use, they can put sensitive data at risk," Green warns. He notes that enterprise-focused cloud platforms offer more robust security and utilization controls, including options to encrypt files so they can be accessed only by intended parties.



We're going to kill off passwords and here's how, says Microsoft

"Nobody likes passwords. They are inconvenient, insecure, and expensive. In fact, we dislike them so much that we've been busy at work trying to create a world without them -- a world without passwords," said Karanbir Singh, principal program manager for enterprise and security at Microsoft, in a blog post. Singh said the goal was to make it possible for end users to never deal with a password in their day-to-day lives, and to provide instead user credentials that cannot be cracked, breached, or phished. For Microsoft, multi-factor authentication and biometrics is seen as a good replacement for passwords -- using a physical key, and/or your face or fingerprint to log into your device instead of a string of letters and numbers. Singh said that Microsoft's Windows Hello biometric log-in is now being used by over 47 million users and that more than 5,000 businesses have deployed Windows Hello for Business, which is used on over one million commercial devices. Another technology in the mix is the Microsoft Authenticator app, which allows you to access your Microsoft account using your mobile phone.


How mobile money is spreading


Both the “Chinese” and the “Kenyan” models have crossed borders. Most developing countries have a mobile-payment service, but Sub-Saharan Africa is the only region where the share of adults with a mobile account exceeds 10%. Tencent has an e-payment licence in Malaysia where it plans to launch WeChat Pay—its first foray outside China and Hong Kong. Alipay has taken a higher-profile approach, enlisting merchants in Europe and America to accept it as a means of payment for the benefit of Chinese residents and tourists. And in Asia itself, Ant Financial has been investing in local mobile-payment services in India, Indonesia, Malaysia, the Philippines, Singapore, South Korea and, most recently, Pakistan. ... It is hardly surprising that many in this industry, rooted in charitable development work, feel ambivalent about vast commercial enterprises entering the payment business. The suspicions are not confined to Pakistan, and are likely to become more acute as American and Chinese tech giants slug it out for market share in poor countries. As a still largely nascent market of enormous potential, Pakistan also illustrates many of the other tensions affecting the payment business.


No Computing Device Too Small For Cryptojacking

It is unclear how many IoT devices an attacker would need to infect with mining software in order to profit from cryptomining, Merces says. A lot would depend on the type of device infected and the cryptocurrency being mined. "[But] a big botnet with a few thousands of devices seems to be attractive to some criminals, even though some of them disagree." Not all of the cryptocurrency malware that Trend Micro observed is for mining. Several of the tools are also designed to steal cryptocurrency from bitcoin wallets and from wallets for other digital currencies like Monero. But a lot of the activity and discussions in underground forums appear centered on illegal digital currency mining. And it is not just computers that are under threat but just about any internet-connected device, Trend Micro says. "The underground is flooded with so many offerings of cryptocurrency malware that it must be hard for the criminals themselves to determine which is best," Merces says in a Trend Micro report on the topic this week.


Google releases open source framework for building “enclaved” apps for cloud


The SDK, available in version 0.2 for C++ developers, abstracts out multiple hardware and software back-ends for applications so they can be easily recompiled for any of them without a source code change. There's also a Docker image provided via Google Container Registry that includes all the dependencies needed to run the container on any environment that supports TEE. "Asylo applications do not need to be aware of the intricacies of specific TEE implementations," wrote Google Cloud Senior Product Manager Nelly Porter and other members of the Google Cloud team in a blog post published today. "[Y]ou can port your apps across different enclave backends with no code changes. Your apps can run on your laptop, a workstation under your desk, a virtual machine in an on-premises server, or an instance in the cloud." The current Asylo implementation provides enclaves through the use of a software back-end. "We are exploring future backends based on AMD Secure Encryption Virtualization (SEV) technology, Intel® Software Guard Extensions (Intel® SGX), and other industry-leading hardware technologies 


New Research Finds C-Suite ‘Infosec Averse’


When asked which part of their organizations’ demographics were more infosec-averse, 41 percent laid blame at their fellow C-suite counterparts. In fact, management as a whole, from C-level executives down to junior department heads, were cited as the most likely to flout security rules and leave data vulnerable. Day-to-day knowledge workers, who are often charged with being most likely to cause security problems, were cited by only 25 percent of respondents. Security C-suiters demonstrated a varied but sophisticated view of the risks posed by inefficient security. When asked what was their greatest concern regarding security, 26 percent cited the possibility of fines or other sanctions. In contrast, 42 percent of infosec executives instead cited a potential loss of stakeholder and customer trust as the most concerning potential repercussion. In third place was a loss of employee trust, noted by 16 percent of respondents. This number varied by age, with older infosec executives being more likely to cite stakeholder and customer trust as a greater concern, while younger executives were more concerned about fines.


Strategies to master continuous testing

If your enterprise delivers new software code several times a day, iteratively and agilely updating applications, you're not alone. A growing number of businesses focus on uninterrupted, continuous software delivery and deployment. This process sounds great, until you realize that continuous delivery (CD) can also mean constant bugs and hiccups. Continuous testing is the only way to avoid delivery failures. If you can test at the same speed that developers build code, your chances of catching bugs greatly increase. This Software Development Training Center entry covers strategies to implement, improve and assess continuous testing. Learn about continuous testing in DevOps, how to test with Jenkins and where continuous integration (CI) and continuous development fit in.


Crypto flaw in Oracle Access Manager can let attackers pass through

Oracle Access Manager CVE-2018-2879
“The Oracle Access Manager is the component of the Oracle Fusion Middleware that handles authentication for all sorts of web applications,” SEC Consult researcher Wolfgang Ettlinger explained. “In typical scenarios, the web server that provides access to the application is equipped with an authentication component (the Oracle WebGate). When a user requests a protected resource from the web server, it redirects her to an authentication endpoint of the OAM. The OAM then authenticates the user (e.g. with username and password) and redirects her back to the web application. Since all the authentication is handled by a central application, a user only has to authenticate once to access any application protected by the OAM (Single Sign-On).” But the vulnerability can be exploited to decrypt and encrypt messages used to communicate between the OAM and web servers. The researchers have managed to construct a valid session token and encrypt it, then pass it off as valid to the web server. This allowed them to access protected resources as a user already known to the OAM.
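The defensive lesson from this flaw is that a single sign-on token handed back to the web server must be integrity-protected with a key only the issuer holds, and checked before anything else is done with it, so that a token someone else constructs and encrypts is rejected outright. The following is an added illustration of that discipline, not Oracle's OAM token format or the SEC Consult researchers' code: it uses an encrypt-then-MAC construction (an HMAC-SHA256 keystream for confidentiality, a separate HMAC-SHA256 tag for integrity) from the Python standard library, and the master secret, claim names and sample user are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import struct
import time

# Illustrative scheme, not OAM's: encrypt-then-MAC with separate keys derived
# from one master secret. The construction matters less than the order of
# operations in verify_token: authenticate first, decrypt only what passed.


def derive_keys(master):
    """Separate encryption and authentication keys from one master secret."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used here as a simple keystream generator."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def issue_token(master, user, ttl=600, now=None):
    """Issuer side: encrypt the claims, then tag nonce||ciphertext with the MAC key."""
    enc_key, mac_key = derive_keys(master)
    now = int(time.time()) if now is None else now
    plaintext = json.dumps({"sub": user, "exp": now + ttl}).encode()
    nonce = os.urandom(16)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def verify_token(master, token, now=None):
    """Web-server side: return the claims, or None if the token is not authentic,
    malformed or expired. The tag is checked before any decryption happens, so a
    token built without the issuer's key never reaches the decryption code."""
    enc_key, mac_key = derive_keys(master)
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) < 16 + 32:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    plaintext = _xor(ct, _keystream(enc_key, nonce, len(ct)))
    try:
        claims = json.loads(plaintext)
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def tamper(token, pos):
    """Flip one bit of the decoded token at byte offset pos (used to show rejection)."""
    raw = bytearray(base64.urlsafe_b64decode(token.encode()))
    raw[pos] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    secret = b"constructed-server-master-secret"  # constructed for the example
    tok = issue_token(secret, "alice", now=1000)
    print("genuine:", verify_token(secret, tok, now=1500))
    print("tampered:", verify_token(secret, tamper(tok, 16), now=1500))
    print("foreign key:", verify_token(secret, issue_token(b"other-key", "alice", now=1000), now=1500))
```

The design point is that `verify_token` never decrypts a token whose tag fails, so the web server cannot be used as an oracle to learn anything about the ciphertext, and a token encrypted under any key other than the issuer's is indistinguishable from random garbage to it.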


Rise of the decentralized and distributed mesh computer

Companies have been embracing cloud computing for nearly a decade, but it’s currently being disrupted by the IoT phenomenon. Analysts are predicting that there will be 75 billion internet-connected devices by 2025. The cloud was not designed for massive sensor data uploads, nor was it designed for low-latency, real-time communications. This is the catalyst for all IoT platform vendors racing to release edge computing gateways and appliances to bring more connectivity and computing capabilities to edge networks rather than routing everything through “the cloud.” ... With over 75 billion internet-connected devices expected by 2025, there’s going to be a ton of idle/wasted CPU resources and an insatiable demand for machine learning computes! We are moving into an era of decentralized and distributed computing where everything computes (together) as if they are peer-to-peer nodes on a global mesh computer. Decentralized web and decentralized apps will run on this new decentralized and distributed mesh computer. 


Is Payments Industry Ready for New Encryption Protocols?

Dr. N. Rajendran, chief technology officer at National Payments Corp. of India, which is migrating to the new TLS protocol, notes: "The challenge for most organizations is to migrate their legacy systems to a new protocol; the entire process is ... investment intensive." But Tim Sloane, vice president of payments innovation at Mercator Advisory Group, points out: "It would be a sad commentary if acquirers are almost a year behind Salesforce.Com and others in upgrading to the more secure TLS 1.1 or higher. If acquirers or merchants haven't already deployed, or at minimum haven't got a plan to deploy, TLS1.1 or higher, then they have been asleep at the security switch and don't deserve to receive PCI compliance." Adds Julie Conroy, research director at Aite Group: "While we've known about this deadline since 2015, there are always laggards around various aspects of PCI compliance, and this is no exception. The problem of merchants running behind on security has been compounded as so many micro-merchants have come into existence over the past few years. Most of them believe they're too small to be on hackers' radar; ..."
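Two practical steps behind the migration the article discusses are finding which counterparties still negotiate the old protocol versions and then enforcing a minimum version on the server. The following is an added example, not code from any of the organizations quoted: it scans a constructed nginx-style access log (with the negotiated protocol and cipher appended to each line, a format assumed for the example) for clients below a chosen floor, and builds a Python `ssl` server context that refuses anything below TLS 1.2. The page's PCI floor is TLS 1.1 or higher; the hardened context uses TLS 1.2 because that is what a practitioner sets today, and the floor is a parameter so the scan can be run against either threshold.

```python
import re
import ssl
from collections import Counter, defaultdict

# Constructed sample log (not real traffic): nginx-style access log lines with
# "$ssl_protocol $ssl_cipher" appended, as a payment gateway might record for
# every merchant or acquirer connection. IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [03/May/2018:10:01:02 +0000] "POST /gateway/auth HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.11 - - [03/May/2018:10:01:05 +0000] "POST /gateway/auth HTTP/1.1" 200 498 TLSv1 AES256-SHA
198.51.100.7 - - [03/May/2018:10:02:17 +0000] "POST /gateway/capture HTTP/1.1" 200 301 TLSv1.1 AES128-SHA
198.51.100.7 - - [03/May/2018:10:03:44 +0000] "POST /gateway/capture HTTP/1.1" 200 305 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
203.0.113.11 - - [03/May/2018:10:04:09 +0000] "GET /gateway/status HTTP/1.1" 200 88 SSLv3 RC4-SHA
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \d+ (?P<proto>\S+) (?P<cipher>\S+)$'
)

# Protocol versions ordered oldest to newest; anything unlisted ranks as unknown (-1).
VERSION_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def parse_line(line):
    """Return (client_ip, protocol, cipher) or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    return (m.group("ip"), m.group("proto"), m.group("cipher")) if m else None


def legacy_clients(log_text, floor="TLSv1.1"):
    """Map each client IP that negotiated a version below `floor` to a Counter of
    the versions it used, so laggards can be contacted before the cut-over."""
    floor_rank = VERSION_RANK[floor]
    found = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, proto, _cipher = parsed
        if VERSION_RANK.get(proto, -1) < floor_rank:
            found[ip][proto] += 1
    return dict(found)


def server_context(hardened=True):
    """Server-side SSLContext. With hardened=False the minimum version is left at the
    library default (the 'before' state); with hardened=True it refuses anything
    below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if hardened:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_allows_legacy(ctx):
    """True if the context would still accept a protocol below TLS 1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_1


if __name__ == "__main__":
    for ip, versions in legacy_clients(SAMPLE_LOG).items():
        print(ip, "still negotiates", dict(versions))
    print("hardened minimum version:", server_context().minimum_version)
```

Run against real logs, the scan is only as good as the log format: make sure the server actually records the negotiated protocol (for nginx that is `$ssl_protocol` in the `log_format`), otherwise every line is skipped silently and the report looks clean.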


Microsoft Wants to Secure IoT and ICS Devices With New TCPS Project

Microsoft engineers have started working on a new project codenamed TCPS —short for Trusted Cyber Physical Systems— that is intended to provide a hardened system for securing Internet of Things (IoT) and Industrial Control Systems (ICS) devices. Microsoft formally announced TCPS at the Hannover Messe 2018, a trade show for industrial technology that took place last week. ... Normally, good IoT and ICS systems utilize various security features to protect data in transit (data moving between devices — e.g., use of HTTPS encryption) and data at rest (data stored on a device — e.g., cryptographic file signatures). According to Microsoft, the purpose of its new TCPS project is to add support for the last missing piece in IoT and ICS systems design —protection for data in execution— by utilizing TEEs, similar to how they're used on desktops and laptops. Microsoft cited the recent attacks with the Trisis/Triton malware as the reason it started working on TCPS.



Quote for the day:


"An intelligent person is never afraid or ashamed to find errors in his understanding of things." -- @BryantMcGill