Daily Tech Digest - October 24, 2018


Despite the well-publicized growth in cyber-attacks every year, both in number and complexity, organizations are still struggling to implement effective security policies. It’s no secret that weak passwords are a leading security threat and bad password habits are far too common. Yet organizations are struggling to quantify their own level of password risk, even those that use password managers. Why? They lack proof of their policies’ effectiveness. They’re missing visibility into their employees’ behaviors. And they can’t verify how they compare to others of similar size, industry or location, including competitors. That is why we undertook an effort to analyze the password habits of employees at 43,000 organizations of all sizes and across industries that use the LastPass password manager. Not only does the report reveal real password behaviors in the workplace, but it offers the first true benchmark that CISOs and other IT professionals can use to see how they rank compared to other similar businesses and how to improve their password security.



Is the IoT in space about to take off?
Last month, cloud leader Amazon Web Services (AWS) struck a deal with satellite provider Iridium to “bring internet connectivity to the whole planet.” The deal calls for them to develop a satellite-based network called CloudConnect, designed specifically for IoT applications. Similarly, earlier this month, U.S.-based Orbcomm, which provides satellite IoT and machine-to-machine communications services, announced it will work with Asia Pacific Navigation Telecommunications Satellite (APNTS) to provide its services in China. Also in October, SemTech and Alibaba Cloud agreed to develop an IoT network in China using small satellites in low Earth orbit — reportedly just two of many companies looking to build such networks. The IOTEE Project (Internet of Things Everywhere on Earth), for example, has been funded by the European Union to provide IoT LPWA services from space. It’s unclear whether it’s the right time for these efforts to come to fruition. There is a market available: It turns out that despite their rapid proliferation, conventional terrestrial networks cover only a small percentage of Earth’s surface.


The issue was in the source code of the jQuery File Upload plugin, originally developed by Tschan, so the vulnerability could affect many other projects. According to GitHub, jQuery File Upload is the most starred -- meaning users mark it in order to signal interest and support -- jQuery plugin and also the most forked. Cashdollar said the plugin has been forked more than 7,800 times and could have been built into thousands of other projects, making it difficult to determine how widespread the jQuery plugin vulnerability could be. "Unfortunately, there is no way to accurately determine how many of the projects forked from jQuery File Upload are being properly maintained and applying changes as they happen in the master project," Cashdollar wrote. "Also, there is no way to determine where the forked projects are being used in production environments if they're being used in such a way. Moreover, older versions of the project were also vulnerable to the file upload issue, going back to 2010."


How science can fight insider threats

Detecting insider threats using conventional security monitoring techniques is difficult, if not impossible. ... The emerging field of security analytics uses machine learning technologies to establish baseline patterns of human behavior, and then applies algorithms and statistical analysis to detect meaningful anomalies from those patterns. These anomalies may indicate sabotage, data theft, or misuse of access privileges. This can be accomplished by establishing a contextual linked view and behavior baseline from disparate systems including HR records, accounts, activity, events, access repositories, and security alerts. This baseline is created for the user and their dynamic peer groups. As new activities are consumed, they are compared to the baseline behaviors. If the behavior deviates from the baseline, it is deemed an outlier. Using risk scoring algorithms, outliers can be used to detect and predict abnormal user behavior associated with potential sabotage, data theft or misuse.
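As an added example (not code from the article or from any vendor's product), a small Python sketch of the baseline-and-outlier loop described above, run over constructed activity rows: per-user and per-peer-group baselines are built from a history window, later rows are z-scored against both, and positive deviations are summed into a risk score. The field names, groups and threshold are assumptions for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample rows (not real telemetry), already joined from HR (peer group)
# and activity sources. Fields: user, peer_group, day, files_accessed, after_hours_logins.
EVENTS = [
    ("alice", "finance", 1, 12, 0), ("alice", "finance", 2, 15, 0),
    ("alice", "finance", 3, 11, 0), ("alice", "finance", 4, 14, 1),
    ("alice", "finance", 5, 90, 4),  # day 5: bulk file access plus night-time logins
    ("bob", "finance", 1, 10, 0), ("bob", "finance", 2, 13, 0),
    ("bob", "finance", 3, 9, 0), ("bob", "finance", 4, 12, 0),
    ("bob", "finance", 5, 11, 0),
    ("carol", "devops", 1, 60, 2), ("carol", "devops", 2, 55, 3),
    ("carol", "devops", 3, 70, 2), ("carol", "devops", 4, 65, 3),
    ("carol", "devops", 5, 62, 2),  # high volume is normal for this peer group
]
METRICS = ("files_accessed", "after_hours_logins")

def _stats(values):
    """Mean and std dev; std dev is floored at 1 so a flat history cannot explode z-scores."""
    return mean(values), max(pstdev(values), 1.0)

def build_baselines(events, history_days):
    """Per-user and per-peer-group baselines from the first history_days days."""
    per_user, per_group = defaultdict(list), defaultdict(list)
    for user, group, day, *metrics in events:
        if day <= history_days:
            per_user[user].append(metrics)
            per_group[group].append(metrics)
    def summarise(rows):
        return {m: _stats([r[i] for r in rows]) for i, m in enumerate(METRICS)}
    return ({u: summarise(r) for u, r in per_user.items()},
            {g: summarise(r) for g, r in per_group.items()})

def risk_scores(events, history_days, threshold=3.0):
    """Score rows after the history window; returns {user: (risk_score, is_outlier)}.
    Each metric adds its worst positive z-score against the user's own history or
    the peer group's, so deviating from either baseline surfaces the user."""
    users, groups = build_baselines(events, history_days)
    results = {}
    for user, group, day, *metrics in events:
        if day <= history_days:
            continue
        own = users.get(user, groups[group])  # no personal history yet: judge against peers only
        score = 0.0
        for name, value in zip(METRICS, metrics):
            zs = [(value - mu) / sigma for mu, sigma in (own[name], groups[group][name])]
            score += max(0.0, *zs)
        results[user] = (round(score, 2), score >= threshold)
    return results
```

In a real deployment the metrics would come from many more sources and the threshold would be tuned per peer group; here `risk_scores(EVENTS, 4)` flags only alice's day-5 spike.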


Datacentre glitches expose data loss risks

The research found that 29% of respondents had suffered one or two events of data loss because of their datacentre provider letting them down – with 18% saying they had suffered data losses three or more times during the past 12 months. Jon Arnold, managing director at Volta Data Centres, said: “Outages and data loss can be due to a variety of factors, such as network glitches, human error or inadequate maintenance, but whatever the reason, organisations need to be taking a far more robust approach to datacentre due diligence. “Where is the guarantee of 100% uptime? What power resilience is in place? How many different connectivity options are available – and do they run across different networks for greater contingency? These are all questions businesses need to ask when choosing datacentre providers – or face the risk of more downtime.” The survey also showed that 35% of organisations still locate IT assets mainly on-premise, with 29% shifting mainly to the cloud.


Culture the missing link for cybersecurity's weakest link

Hibbs said that if he could take the humans out of the loop then the risk would drop to zero, but obviously that's incompatible with the reality of human communication within and between organisations made of, you know, humans. "I think we'll always be in that state. While we do need to make them more vital team members, we need to change the culture, which is very critical to reduce it, but there'll always be that risk." But focusing on phishing awareness training and the like is "too much of a tactical response", according to Valerie Abend, who heads up Accenture's global cyber regulatory services. "In order for us to get ahead of it, more than just focusing on that phishing aspect and not further risk, the bad guys are just going to keep outsmarting us. We have to be a little bit strategic on where we're focusing raising the level of attention and awareness," Abend said. Awareness-raising and anti-phishing campaigns are important, she said, but organisations need to raise the level of board and senior management involvement in managing the risk.


Google just quietly gave us a killer midrange Android option

Google itself is selling the Pixel 2 for $649, in its lowest configuration, and you can find mint-quality used models in the $400 range. Those prices only seem likely to inch downward as time wears on. But there's more: Just think how this situation will spread starting next year, when the Pixel 2 will be two years old and yet still have a full year of pending updates under its belt. You'll essentially have a menu of pricing points available for any budget: the current-gen model, with three full years of updates included; the previous-gen model, with two solid years of support still ahead; and the two-year-old version, with a year's worth of foundational improvements still remaining. Google's software focus is thus not only altering the lifespan and value of a flagship phone; it's also completely changing what it means to get a midrange or budget-level phone, thanks to that cascading effect. And even if Google itself doesn't opt to keep selling those older models after a while, the used phone marketplace will provide an intriguing new level of aftermarket value.


8 ways to successfully get AI and analytics into production


“When you build a production analytic or AI system, there are two parts of the problem. One is having the right data and data access, and the other part of the problem is the analytics: actually running the software to analyze the data. Analytics applications require a lot of coordination, and with the increasingly widespread containerization of applications, it’s essential to have a way to coordinate processes running in containers. Kubernetes, an open-source orchestration system for managing deployment of containerized applications, is emerging as a leading solution. But to avoid being limited as to which applications can be containerized, you need a data platform with the capability to persist data (state) from containerized applications as a variety of data structures. This powerful combination of Kubernetes and an appropriate data platform offers a big advantage for production systems.”


GreyEnergy threat group detected attacking high-value targets


Cherepanov and Lipovsky said the similarities between GreyEnergy and BlackEnergy -- overlap in malware frameworks and code, overlap in targets and regions of activity, the timing of GreyEnergy beginning activity and both groups using active Tor relays for command and control servers -- all indicate that GreyEnergy is the successor to BlackEnergy. However, although experts praised the research by ESET, not all agreed that the evidence supported the connection between the groups or any conclusions that GreyEnergy is specifically targeting ICS infrastructure. Robert Lee, founder and CEO of Dragos Inc., noted on Twitter that the GreyEnergy "tool is a general backdoor and doesn't contain ICS capabilities but neither did BlackEnergy3." "I think it's premature to make assessments on adversary intent, with only three identified victims the focus may be larger than ICS and assessing how the adversary might use the access would be low confidence at best," Lee wrote on Twitter.


CIOs and the cloud: The future of European enterprise software


“The cloud helps when providing compliance in terms of GDPR and governance,” he said. “If we didn’t use the cloud, I’m not even sure how we’d tackle those requirements. Because we use the cloud, we’ve had to work out where all our data resides and that means we’re in a great place in terms of security and legislation.” “We know where our information sits and we can then just apply policies as we need to. Speaking to other CIOs, I don’t think other businesses in other sectors are always in that position. That’s a living nightmare.” That view resonates with Martyn Wallace, chief digital officer for the Scottish Local Government Digital Office. Like Dowden, Wallace believes too many executives fear going all-in with the cloud and believe information is only safe in an internal data centre. Naysayers should recognise the power of working with a technology specialist like Amazon, Google or Microsoft, who have the weight to ensure data stays safe and secure.



Quote for the day:


"The most common way people give up their power is by thinking they don't have any." -- Alice Walker