Daily Tech Digest - July 17, 2019

PayPal-backed blockchain aims to help banks verify digital IDs


Security is critical to a project like this. “You could in theory have some centralized database that would store all the personal information for a group of banks,” Commons said. “But it's very difficult to do that while getting the appropriate consent and making sure that the information is really being shared on a truly need to know basis.” CV Madhukar, investment partner at Omidyar Network and global leader of the firm's work on digital identity, sees the project as a means of enabling financial inclusion and helping cut the cost of know-your-customer compliance. “One of the biggest use cases for digital identity is in financial inclusion, and one of the biggest challenges for financial inclusion is getting the KYC process right,” he said. “For the most vulnerable populations, getting KYC documentation is such a big challenge. Every time they need documents supporting KYC, they run into trouble. So whatever can ease the burden of the KYC process has value.” “This makes it easier for individuals and companies to get this done quickly and most importantly puts the user data in a safe place to access,” Madhukar said. “This is very central to protecting individuals’ privacy.”


An IoT security maturity model for IT/OT convergence



"On the IT security side, we're used to operating in a certain way," Carielli said. "We're used to saying, 'One Sunday a month for a couple hours we're going to shut down and apply patches.' It's OK from an IT perspective, but those paradigms don't work for OT." Shutting down a plant or factory, even for a couple of hours on a Sunday, could cost millions of dollars in lost production. And shutting down utilities, such as a smart grid, simply isn't feasible. "It's incumbent upon security folks to start to understand how operational technologies need to do business and how those may differ from what they're used to," Carielli said. IT security teams must also accept the fact that OT system lifecycles are much longer than those of IT systems, Carielli noted. This introduces legacy and brownfield equipment and applications IT teams aren't familiar with -- some of which have been in place for decades. Additionally, OT systems generally never connected to the internet in the past as they do today, so security wasn't built in from the start. Many industrial systems must be retrofitted with security controls -- which requires OT teams to adapt.


Security Flaw Exposed Valid Airline Boarding Passes
"It was possible to download valid boarding passes - not belonging to the user - for future flights due to an insecure direct object reference weakness within the application," Stubley tells Information Security Media Group. "Insecure direct object reference or IDOR vulnerabilities occur when an application provides direct access to objects based on user-supplied input, bypassing expected authentication and user access controls." Amadeus develops travel industry software used by 500 airlines - including United Airlines and Air Canada - as well as hotels, rail and cruise lines, tour operators and others. "Amadeus recently became aware of a configuration flaw affecting its Altéa Self Service Check-In solution," a spokeswoman tells ISMG. "Our security teams took immediate action and the vulnerability is now fixed. We are not aware of there having been any further unauthorized access resulting from the vulnerability, beyond the activity of the security researcher. We regret any inconvenience this might cause to our customers."



DevOps, The SDLC, and Agile Development


DevOps has a mutually beneficial relationship with Agile development, thus offering more flexibility than the other rigid structures which were present in the IT arena. The whole idea is directed at people working together and accepting change. It is this which allows the release of high quality software, and at a faster delivery speed. In addition to the coordination, the people-centric culture of DevOps is built on a particular viewpoint. It encourages a culture of open-mindedness, predictability, cross-skill training, and trying to do something extra. Thus, there is a development of shared identity between different teams. ... Solutions which are reached evolve through coordination between various cross-functional teams which use proper practices for their context. The focus thus lies on collaboration and self-organization of teams as the team together decides the next approach on things. Agile is hence a mindset which is made up of values which are contained in the Agile Manifesto. The whole idea behind Agile can be deduced from the first sentence of the Agile Manifesto, which says, “We are uncovering better ways of developing software by doing it and adjust accordingly."



How a Big Rock Revealed a Tesla XSS Vulnerability


Curry writes in a blog post that he'd been trying to find a flaw within Telsa's web browser, which is a pared-down version of Google's Chromium. Then in April, he experimented with naming his Tesla. Owners can assign their car a nickname, which is displayed in the mobile app. Curry set his car's name to "%x.%x.%x.%x." That's a type of format string attack. A vulnerable application may try to execute the string, causing unintended consequences. At one time, BMW's 2011 330i was vulnerable to this kind of attack, which could remotely crash the multimedia software due to an issue with its Bluetooth stack , designated CVE-2017-9212. But the naming approach didn't work. So he decided to change the car's name to a cross-site scripting payload that came from XSS Hunter, a tool for finding these types of vulnerabilities. Nothing happened, or at least not right away. Curry says he had a month of free time earlier this year and decided to drive across the U.S. "I went on this super long - probably like 70 hours of driving - road trip," he says.


Ransomware attacks: How to get the upper hand


"It's no different than a tornado or flood. Something happened. You assess the damage and if your recovery plan is solid, you're in good shape," he said, adding that the reverse is also true. If you haven't prepared and can't recover from ransomware, "you're screwed." Not only should an organization back up its files, but it should also place a layer between the server and its backup files so that a hacker won't see there are more assets to steal or freeze, Scott advised. Some ransomware attacks are sophisticated and can destroy metadata and passwords, he said, so it's best to preserve digital assets with a corresponding level of complexity. For instance, organizations could take the necessary disaster recovery steps now to perform a bare-metal restore -- essentially, a reinstall of operating systems and applications -- so that, later, all is not lost if ransomware locks out users. But even simple disaster recovery preparedness works as a defense against ransomware attacks.


Are CIOs Losing The Cyber Security Battle?

Are CIOs losing the cyber security battle? - CIO&Leader
Despite taking tangible steps to reduce their cybersecurity risk, a question that comes to mind is, ‘Why are companies still getting hit and more than ever?’ The report clarifies that there are some security holes not being plugged and it is here that CIOs need to pay greater attention. For example, the report explains, an up-to-date malware signature list won’t stop attackers hijacking your accounts, while rock-solid authentication won’t help if you’re not protecting your computers from ransomware. “Good cybersecurity demands defense in depth and proper risk assessment so that you can protect your weakest spots from attack first,” says the report. The survey also revealed that companies are facing attacks via multiple channels, including email (33%) and web (30%) among others. Software vulnerabilities and unauthorized USB sticks or other external devices were also common attack vectors. Perhaps even more worrying is that 20% of CIOs didn’t know how their networks were compromised. With cyber threats coming from supply chain attacks, phishing emails, software exploits, vulnerabilities, insecure wireless networks, and much more, businesses need a security solution that helps them eliminate gaps and better identify previously unseen threats.


Building blocks of an IIoT security architecture

Security framework functional building blocks
Since IIoT involves both IT and OT, ideally security and real-time situational awareness should span IT and OT subsystems seamlessly without interfering with any operational business processes. Average lifespan of an industrial system is currently 19 years. Greenfield deployments using the most current and secure technologies are not always feasible. Security technology must often be wrapped around an existing set of legacy systems that are difficult to change. In both greenfield and brownfield deployments, all affected parties -- manufacturers, systems integrators and equipment owner/operators -- must be engaged to create a more secure and reliable IIoT system. As there is no single "best way" to implement security and achieve adequately secure behavior, technological building blocks should support a defense-in-depth strategy that maps logical defensive levels to security tools and techniques. Due to the highly segregated nature of industrial systems, security implementation needs to be applied in multiple contexts.


Vulnerable firmware in enterprise server supply chain


The first vulnerability is a failure in the update process to perform cryptographic signature verification before accepting updates, while the second relates to command injection vulnerability in the code in the BMC that performs the firmware update process. Both of these issues allow an attacker running with administrative privileges on the host (such as through exploitation of a different host-based vulnerability) to run arbitrary code within the BMC, and malicious modifications to the BMC firmware can be used by an attacker to maintain persistence in the system and survive common incident response steps such as reinstallation of the operating system, the researchers found. An attack could also modify the environment within the BMC to prevent any further firmware updates through software mechanisms, thus enabling an attacker to disable the BMC permanently, and the update mechanism could be exploited remotely if the attacker has been able to capture the administration password for the BMC, the researchers said.


Martin Fowler Discusses New Edition of Refactoring, along with Thoughts on Evolutionary Architecture

Refactoring is the idea of trying to identify the sequence of small steps that allows you to make a big change. That core idea hasn’t changed. Several new refactorings in the book deal with the idea of transforming data structures into other data structures, Combine Functions into Transform for example. Several of the refactorings were removed or not added to the book in favor of adding them to a web edition of the book. A lot of the early refactorings are like cleaning the dirt off the glass of a window. You just need them to be able to see where the hell you are and then you can start looking at the broader ones. Refactorings can be applied broadly to architecture evolution. Two recent posts How to break a Monolith into Microservices, by Zhamak Dehghani, and How to extract a data-rich service from a monolith by Praful Todkar on MartinFowler.com deal with this specifically. Evolutionary architecture is a broad principle that architecture is constantly changing. While related to Microservices, it’s not Microservices by another name.



Quote for the day:

"It doesn't matter how much we know, what matters is how clearly others can understand what we know." -- Simon Sinek

Daily Tech Digest - July 16, 2019

Best tools for single sign-on (SSO)

login credential - user name, password - administrative controls - access control - single sign-on
Interestingly, most SSO products also cost about $8 per user per month but will require more IT manpower to implement. (Ping’s solution offers a lot of bang for the $3 per month price point, however.) Let’s talk a bit about using MFA, because it is an important motivation behind going the SSO route. The idea of using MFA used to be mostly for the ultra-paranoid. Now MFA is the minimum for enterprise security, especially considering the number and increasing sophistication of spear-phishing attacks. Sadly, the deployment of MFA is far from universal: a recent survey from Symantec (Adapting to the New Realities of Cloud Threats) found that two-thirds of the respondents still don’t deploy any MFA tools to protect their cloud infrastructures. Certainly, having SSO can help ease the pain and move toward broader MFA acceptance. Besides MFA, there is another reason to up your authentication game: the need for adaptive or risk-based authentication. This means changing your perspective from issuing your users an “all-day access pass” when they begin work by logging into their laptops.



Trump’s hostile view of Bitcoin and crypto could chill industry

bitcoin behind bars > cryptocurrency ban or restriction
Trump tweeted Facebook Libra's "virtual currency" will have little standing or dependability. "If Facebook and other companies want to become a bank, they must seek a new Banking Charter and become subject to all Banking Regulations, just like other Banks, both National," Trump wrote. Those comments came one day after he criticized both Facebook and Twitter for what he called bias against his supporters. Like other cryptocurrencies backed by fiat currency, Facebook's digital money would be purchased through a typical financial network and then stored in the Calibra digital wallet application for making purchases via ads on the social media platform. A user could also do the same thing through Facebook's most popular communication platforms: WhatsApp and Messenger. Facebook did not respond to questions by Computerworld about whether the president's comments would affect its plans to issue a cryptocurrency. Avivah Litan, a vice president of research at Gartner, said while it's "very difficult" to analyze Trump's intentions from his tweets, "it sounds to me like he is gearing up to clamp down on cryptocurrency adoption by Americans.


How to deal with cloud complexity

How to deal with cloud complexity
Many popular approaches that deal with architectural complexity tell you to practice architectural discipline so your systems won’t be complex in the first place. The assumption is that you build and migrate cloud systems in short, disconnected sprints with little regard for standard platforms such as storage, compute, security, and governance. Most migrations and net-new developments are done in silos without considering architectural commonality that would drive less complexity. More complexity becomes inevitable. Although many are surprised when they experience complexity, it’s not always bad. In most cases, we see excessive heterogeneity because those who pick different cloud services make best of breed a high priority. Complexity is the natural result. A good rule of thumb is to look at cloud operations or cloudops. If you’re staying on budget, and there are few or no outages and no breaches, then it’s likely that your complexity is under control. Revisit these metrics every quarter or so. If all continues to be well, you’re fine. You are one of the lucky few who deal with a less complex cloud implementation—for now.


Single Sign-Ons To Accelerate Growth Of Digital Identity: Study

Single sign-ons to accelerate growth of digital identity: Study - CIO&Leader
Wide varieties of countries have recently planned, or are planning, to bring digital identity to many citizens. It will have an effect on the kinds of digital identity security available to consumers, as many of these initiatives are intended to bring identity verification to those who have never had official identification before. That being the case, these schemes need to be accessible to those with low levels of digital access, and are likely to be SIM-based, rather than relying on an online presence as such. These initiatives will also be more likely to have a physical card than other forms of digital identity. This impacts a range of use cases and allows a more consistent application of identity verification than in the case of identities that do not connect to a physical asset. This is frequently because the core documentation on which the foundation of the identity is built contains a photograph as the core verification method. Other methods (such as fingerprint sensors) require additional infrastructure and do not eliminate the chance of presenting false data at the point of on-boarding.


How Suse is taking open source deeper into the enterprise


What a company like Suse is doing is to help enterprises such as banks, healthcare providers and retail companies match what they’re trying to do with what’s available in the open source world. We select the projects and make sure they can work together with enterprise IT infrastructure, and are stable, secure and supported over time. We’ve started doing that with Linux, OpenStack, Cloud Foundry and Kubernetes. Now, you mentioned Asia. The challenges I mentioned are common to everybody, but what we see in Asia, like in Europe, is that Asia is not a single, homogeneous market. Different countries are in different stages of adopting open source. I spend quite a lot of time in Japan, China, Hong Kong, Singapore, all of which are very different markets. Typically in Japan, enterprises are more conservative so we have a lot of customers like banks that are running Linux on mainframes. Singapore is more innovative, so we see OpenStack being used by the public sector and manufacturing companies.


Understanding the role of governance in data lakes and warehouses

Having data well organized and consistently aggregated allows for the creation of performance and operational metrics – reporting that drives business and allows leaders to make informed decisions. Inclusion of both historical and current information organized in a consistent manner within the data warehouse increases the quality of the viewed data, thus increasing decision-making quality. ... Although they are different, the key to successful data lakes and data warehouses with useful, quality data, is the same – governance. Data governance allows for the understanding of not only what is stored where and its source, but the relative quality of the data and being able to ascertain it consistently. Aside from clarity and structure, governance also allows control. With such control, the organization knows how the data is being used and whether or not it’s meeting its intended purpose. Say the data has been manipulated to meet a set of determined requirements, without data governance, someone else could come along and pull the data – not knowing it had been previously employed – thus resulting in an inaccurate data analysis.


Cybersecurity: Is your boss leaving your organisation vulnerable to hackers?


CEOs and other senior board-level executives are exposing their organisations to cyberattacks and hackers because of a lack of awareness around cybersecurity, a new study has warned. Research by cybersecurity company RedSeal surveyed hundreds of senior IT and security professionals and found that many of these personnel believe there's a disconnect between the CEO and the information security team, which could be putting organisations at risk. ... "CEOs have wide access to their organisation's network resources, the authority to look into most areas, and frequently see themselves as exempt from the inconvenient rules applied to others. This makes them ideal targets," he added. However, despite some having fears around security at the very top of the organisation, on the whole, businesses appear to be taking cybersecurity seriously. Two thirds of businesses say their cyber-incident response plan is well defined and well tested – either via real breaches, or simulation tests. Three quarters of firms also report they have cyber insurance, suggesting there's an awareness around preparing for the aftermath of an incident, should one occur.


To pay or not pay a hacker’s ransomware demand? It comes down to cyber hygiene

CSO  >  ransomware / security threat
According to the FBI and most cybersecurity experts, no one should ever pay ransomware attackers. Giving in to the attackers’ demands only rewards them for their malicious deeds and breeds more attacks, they say. “The FBI encourages victims to not pay a hacker’s extortion demands,” the FBI says in an email to CSO. “The payment of extortion demands encourages continued criminal activity, leads to other victimizations, and can be used to facilitate additional serious crimes.” Jim Trainor, who formerly led the Cyber Division at FBI Headquarters and is now a senior vice president in the Cyber Solutions Group at risk management and insurance brokerage firm Aon, agrees. Trainor, who spent a fair amount of time dealing with ransomware attacks while he was in the Bureau, said his position has not changed. “I would recommend that people not pay the ransom. It’s extremely problematic,” he tells CSO. He conceded that making the determination to pay or not pay the attackers is ultimately a business decision, one that almost always hinges on whether the victim has access to adequate backups.


Government must ‘stop choosing ignorance’ around data


“The National Data Strategy must go beyond public services. Government’s role is broader than the delivery of public services; it can help shape how data is used across the whole of society through interventions such as research funding, procurement rules, regulatory activities and legislation,” the letter stated. “The strategy must recognise this and describe how government will make data work for everyone in the UK,” it added. However, the strategy “must deliver transformative, rather than incremental, change”, the letter stated, adding that the national data plan must be a long-term endeavour for government, with a vision for at least the next decade along with practical steps to turn any future vision into reality. Such ambitions may be unfulfilled if there is a lack of sustained strategic leadership on data, the letter warned. This is an issue that had been previously outlined in a recent report by the National Audit Office (NAO). Echoing the NAO’s concerns, the organisations stated the government must “get leadership from the very top if it is to get a grip on data”.


How digital and marketing executives are taking charge of digital transformation


Brahin says the key to success has been the marketing team's hybrid approach to digital transformation at UBS. Content is at the heart of this approach, where a centralised marketing organisation is helping line-of-business functions to transform the online experiences of clients. "Everything that concerns content delivery into the website and marketing channels is through a single approach, while business units still have control of their products and services. We partner with them to deliver marketing content into their service areas," she says. "It's an approach that has allowed us to create a solid foundation with a powerful content-delivery hub, where we can pump content to individual areas from a single hub. That's worked pretty well for us." The firm has analysed website analytics and used this insight to help deliver "modern, mobile experiences". McBain says the focus recently has been around optimisation and extending its content across new channels, including a recently launched website for the main brand.



Quote for the day:


"Strategy is not really a solo sport, even if you're the CEO." -- Max McKeown


Daily Tech Digest - July 15, 2019

Most Common Security Fails 

Image title
The most common security failure is not having a process. In addition, there’s also a disconnect between the security and compliance regulations that executives focus on, one being HIPPA’s cybersecurity requirement below: 164.306(a)(1) ensure the confidentiality, integrity, and availability of all electronically protected health information the covered entity creates, receives, maintains, or transmits. The above is such a broad and generic statement and that’s just one statement out of a document that has almost a hundred statements, so it’s no longer meaningful. From the perspective of security failures —which ties into the state of security management — there’s an absolute disconnect between high-level frameworks like ISO, COBIT, and HIPAA and how you actually implement them. Many companies today feel they have a framework that they follow, but that’s not a security program; that’s a document that gives guidance, one that doesn’t even give you detail on how to implement said guidance. For example, you start out with a security framework like HIPAA and you use something like the CIS controls to implement the guidance within HIPAA, that’s the second phase.



Why is it so hard to see IoT devices on the network?

Most IoT devices are known for their low CPU, minuscule memory and unique operating system (that often needs to be studied from scratch). Many IoT devices are “protected” by factory-derived usernames and passwords that are rarely changed. Furthermore, these devices are designed to connect to the wireless network, and most won’t function at all without a connection. These challenges make discovering and managing the devices a significant challenge, especially if they aren’t being accounted for as part of IT inventory. To track their presence on the network, IT teams need dedicated visibility tools with a price point that outweighs the relative low cost of adopting the IoT devices themselves. As a result, many IoT devices are given free reign over the network and can’t be seen in regular endpoint or vulnerability scans. You may be thinking that the answer to this challenge lies with the device manufacturers. Indeed, this thinking is correct, but due to a lack of regulation on IoT security, manufacturers are only now starting to realize that a lack of security presents a barrier to implementation.


Leak Confirms Google Speakers Often Record Without Warning

Leak Confirms Google Speakers Often Record Without Warning
Responding to the VRT NWS report, Google says that building technology that can work well with the world's many different languages, accents and dialects is challenging, and notes that it devotes significant resources to refining this capability. "This enables products like the Google Assistant to understand your request, whether you're speaking English or Hindi," David Monsees, Google's product manager for search, says in a Thursday blog post. Google says it reviews about 0.2 percent of all audio snippets that it captures. The company declined to quantify how many audio snippets that represents on an annualized basis. "As part of our work to develop speech technology for more languages, we partner with language experts around the world who understand the nuances and accents of a specific language," Monsees says. "These language experts review and transcribe a small set of queries to help us better understand those languages. This is a critical part of the process of building speech technology, and is necessary to creating products like the Google Assistant."


Network visibility challenges in modern networks

Organizations should strive for an end-to-end view of the health and operational status of their networks for several reasons. For one, visibility can enhance your ability to troubleshoot problems as they arise. Everything from a downed network and interfaces to operational, yet degraded links can be more quickly identified when monitoring and baselining data flows as they pass through the local area network (LAN), wide area network (WAN) and even out to the internet edge. Another reason for network visibility is to validate performance-based configurations. Visibility can help network managers better understand how network issues affect data on a per-application basis. If specific applications are business-critical, a manager can use configuration techniques, such as quality of service and traffic policing and shaping, to optimize these important data flows. Visibility can then validate that the performance modifications are working or identify when further configuration adjustments are needed.


Billion-dollar privacy penalties put CEOs on notice


The unprecedented penalties imposed on Facebook, Marriott and British Airways should serve as a warning for company leaders, according to Tom Turner, CEO of cyber security ratings firm BitSight. “CEOs around the globe are on notice that they are accountable for cyber security performance management just the same way they are accountable for managing the business,” he said. Commenting on the FTC settlement, Nuala O’Connor, president and CEO of the Center for Democracy & Technology (CDT), said: “The record-breaking settlement highlights the importance of data stewardship in the digital age. “The FTC has put all companies on notice that they must safeguard personal information,” she said, adding that privacy regulation in the US is “broken”. While large after-the-fact fines matter, O’Connor said strong, clear rules to protect consumers are more important, and called on the US Congress to pass a comprehensive federal privacy law in 2019.


How Not to Get Eaten by Technology

Cue Jaws theme song
Effective and smart learning techniques and strategies are required. By effective learning techniques, I mean methods that will help you to identify hot markets, hot technologies, trends, learning how to focus on what matters, learning things quickly, and so on. Specialization became more valuable as the platforms are becoming more sophisticated, so being a “Jack of all trades” is no longer acceptable for many companies since mastering a particular track is a non-trivial time and effort investment. (Well, this is subject to debate!) The software engineering field is becoming a well-paid field, in particular for renowned experts since it is not easy to become a well-versed engineer. Soft skills such as negotiation skills, requirements engineering, time planning, and public speaking are timeless valuable skills that will boost career opportunities. Domain knowledge is always valuable; it's worth it to spend time understanding the business rules, domain language, and concepts on a specific business area you are working in, such as health, HR, banking, etc.


How organizations are bridging the cyber-risk management gap

How to bridge the cyber-risk management gap
OK, so there’s a cyber-risk management gap at most organizations. What are they going to do about it? The research indicates that: 34% will increase the frequency of cyber-risk communications between the CISO and executive management. Now, more communication is a good thing, but CISOs must make sure they have the right data and metrics, and this has always been a problem. I see a lot of innovation around some type of CISO cyber-risk management dashboard from vendors such as Kenna Security, RiskLens (supporting the Factor Analysis of Information Risk (FAIR) standard), and Tenable Networks. Over time, cyber-risk analytics will become a critical component of a security operations and analytics platform architecture, so look for vendors such as Exabeam, IBM, LogRhythm, MicroFocus, Splunk, and SumoLogic to make investments in this area. 32% will initiate a project for sensitive data discovery, classification, and security controls. Gaining greater control of sensitive data is always a good idea, yet many organizations never seem to get around to this.


Software Engineer Charged With Stealing Company Secrets

Xudong Yao, 57, has been indicted on nine federal counts of theft of trade secrets, according to the U.S. Attorney's Office for the Northern District of Illinois, which is overseeing the case along with the FBI. Yao, who also used the first name "William," is believed to be living in China, according to federal prosecutors. During his time with the company, Yao allegedly downloaded thousands of computer files and other documents that contained various company trade secrets and intellectual property, including data related to the system that operates the unnamed manufacturer's locomotives, according to the indictment. While Yao was taking his former employer's intellectual property, he was negotiating for a new job with a firm in China that provided automotive telematics service systems, the Justice Department alleges. Yao was born in China, but he's a naturalized U.S. citizen, according to the FBI. Theft of trade secrets is a federal crime that carriers a possible 10-year prison sentence for each count, according to the Justice Department.


IT-Based Attacks Increasingly Impacting OT Systems: Study

IT-based attacks increasingly impacting OT systems: Study - CIO&Leader
While IT systems have been standardized for many years on the TCP/IP protocol, OT systems use a wide array of protocols, many of which are specific to functions, industries, and geographies. The OPC Foundation was established in the 1990s as an attempt to move the industry toward protocol standardization. OPC’s new Unified Architecture (OPC UA) has the potential to unite protocols for all industrial systems, but that consolidation is many years away due to the prevalence of legacy protocols and the slow replacement cycle for OT systems. Cyber criminals have actively attempted to capitalize on this confusion by targeting the weak links in each protocol. These structural problems are exacerbated by the lack of standard protections and poor security hygiene practiced with many OT systems—a legacy of the years when they were air gapped. Figure 2 shows the number of unique threats targeting machines using specific ICS/SCADA protocols. Despite seasonal fluctuations and a wide variety of targets, the data is clear on one thing: IT-based attacks on OT systems are increasing.


4 steps to reaping the software benefits of continuous testing

Evolving your software development process to include continuous testing is a necessary investment so your team’s software is high quality and delivered quickly. Testing mitigates the risk of poor software quality by identifying defects before there is impact to your customers, your business operations and your revenue. Testing is good, but continuous testing is better, because you can find and fix more defects sooner to avoid the accumulation of technical debt. Software technical debt includes defects in your software not yet discovered plus the backlog of lower priority defects waiting to be fixed. Technical debt adds to the complexity and cost of maintaining your software over time. With CT, you can take action immediately to fix defects to avoid adding to your technical debt. CT decreases the time and cost to fix a defect. Research by Perfecto disclosed that a software defect fixed on the same day it was detected took only one hour, while it took eight hours to fix if detected at the end of a two-week sprint.



Quote for the day:


"Effective team leaders adjust their style to provide what the group can't provide for itself." -- Kenneth Blanchard


Daily Tech Digest - July 14, 2019

German banks are moving away from SMS one-time passcodes

sms-phone.jpg
The cyber-security industry has been warning against the insecurity of SMS OTP for years now, as well, but not because of SIM swapping attacks -- which are virtually social engineering attacks. The cyber-security industry has been warning against securing systems with SMS-based authentication because of inherent and unpatchable weaknesses in the SS7 protocol used in the backbone of all mobile telephony networks for years. Vulnerabilities in this protocol allow attackers to silently hijack a user phone number, even without a telco's knowledge, allowing threat actors to track users or authorize online payments or login requests. These vulnerabilities have not gone unnoticed in Germany. ... While two-step verification and two-factor authentication is recommended, security experts have been warning against relying on SMS as "the second factor." Instead, experts recommend using authenticator apps or hardware security tokens, two of the methods that German banks are now rolling out to secure their systems and replace SMS-based authentication.


Four Insurtech Startups Shaking Up The Insurance Industry

Insurtech can ease the insurance claim process
Insurtech companies tend to focus on increased personalization and greater speed and efficiency of services to meet changing customer needs, with many using AI to offer deeper data insights. And while some are set on displacing the industry incumbents, others are working with the leading insurance firms as they transition to the age of digital innovation. ... The inconsistent and often unpredictable nature of external data can cause insurers a real headache, leading to delays in processing new opportunities and managing existing books of business. Untangler is the insurtech that gets around that problem by using AI to recognize inbound customer or employee data in any format, transform it into readable data in seconds from which providers can create quotes without having to convert the data within cells. Launched in May this year the technology was developed by entrepreneurs Richard Stewart and Steve Carter, initially for their own startup Untangl, which provides employee benefits, including insurance products, to SMEs.


Beware of Geeks Bearing AI Gifts

Artificial? Definitely. Intelligent? Maybe.
Last March, McDonald’s Corp. acquired the startup Dynamic Yield for $300 million, in the hope of employing machine learning to personalize customer experience. In the age of artificial intelligence, this was a no-brainer for McDonald’s, since Dynamic Yield is widely recognized for its AI-powered technology and recently even landed a spot in a prestigious list of top AI startups. Neural McNetworks are upon us. Trouble is, Dynamic Yield’s platform has nothing to do with AI, according to an article posted on Medium last month by the company’s former head of content, Mike Mallazzo. It was a heartfelt takedown of phony AI, which was itself taken down by the author but remains engraved in the collective memory of the internet. Mr. Mallazzo made the case that marketers, investors, pundits, journalists and technologists are all in on an AI scam. The definition of AI, he writes, is so “jumbled that any application of the term becomes defensible.” Mr. Mallazzo’s critique, however, conflates two different issues. The first is the deliberately misleading marketing that is common to many hyped technologies, and is arguably epitomized by some blockchain companies.


Healthcare Organizations Too Confident in Cybersecurity

"There are some surprises in the results, particularly the higher than expected confidence that organizations have in regards to the security of their patient portal and telemedicine platforms given that only 65% deploy multi-factor authentication," said Erin Benson, director of market planning for LexisNexis Health Care. "Multi-factor authentication is considered a baseline recommendation by key cybersecurity guidelines. Every access point should have several layers of defense in case one of them doesn't catch an instance of fraud. At the same time, the security framework should have low-friction options up front to maintain ease of access by legitimate users." The report findings suggest that traditional authentication methods are insufficient, multi-factor authentication should be considered a baseline best practice and the balance between optimizing the user experience and protecting the data must be achieved in an effective cybersecurity strategy, the press release said.


Big Data Governance: 4 Steps to Scaling an Enterprise Data Governance Program

Picture of dozens of birds grouped on several lines (almost looks like an abacus), an illustration of alignment in nature.
No matter how big your data governance program becomes, it must retain its agility. If you can’t adapt quickly, then you’ll lose momentum and your initiative will start to deliver diminishing returns. A big challenge here is aligning the huge number of people involved in your initiative. We’ve already discussed the need for collaboration, but crowdsourcing solutions to big decisions can soon lead to analysis paralysis. The solution is to develop an efficient decision-making system that allows for everyone’s voice to be heard. A best-practice decision-making framework, such as a DACI approach (Driver, Approver, Contributor, and Informed), can help here. These frameworks establish a continuous cycle of listening and acting, where everyone has a chance to feed into the discussion, but a small group of clearly identified people retain control over decision-making. That way, everyone’s happy and you make steady progress.


Is Programming knowledge Required to Pursue Data Science?

The answer is No! Data Science is not just about having technical knowledge. Being a domain related to both the Computer science world as well as the Business world, the latter has a fair share of skill set that is very vital for becoming a data scientist. In fact, non-technical skills that are mentioned below arguably sum up to 60% of the work as a data scientist. These are skills that were not mentioned in the Venn diagram but are equally important in any ideal data-driven project. ... data science is a field for everyone. From an application developer to a businessman, everyone will have a base skill set that enables anyone to start a fresh career in Data Science. Even those who do not want to learn to programme can hone their strengths in their business or mathematical department and still be a part of this wonderful domain. At the end of the day, a sense of problem solving and commitment is all that one will need to excel in any given situation.


Brazil is at the forefront of a new type of router attack


According to Avast researchers David Jursa and Alexej Savčin, most Brazilian users are having their home routers hacked while visiting sports and movie streaming sites, or adult portals. On these sites, malicious ads (malvertising) run special code inside users' 
browsers to search and detect the IP address of a home router, the router's model. When they detect the router's IP and model, the malicious ads then use a list of default usernames and passwords to log into users' devices, without their knowledge. The attacks take a while, but most users won't notice anything because they're usually busy watching the video streams on the websites they've just accessed. If the attacks are successful, additional malicious code relayed through the malicious ads will modify the default DNS settings on the victims' routers, replacing the DNS server IP addresses routers receive from the upstream ISPs with the IP addresses of DNS servers managed by the hackers. The next time the users' smartphone or computer connects to the router, it will receive the malicious DNS server IP addresses, and this way, funnel all DNS requests through the attacker's servers, allowing them to hijack and redirect traffic to malicious clones.


Building Your Federal Data Strategy

The variety of federal agency missions, resourcing and data maturity levels vary greatly and thus each will have a unique perspective on the Federal Data Strategy and how they can leverage it. Regardless of an agency’s start point however, building an agency strategy and implementation plan based on the Federal Data Strategy’s three guiding data principles (i.e., Ethical governance; Conscious Design; Learning Culture) and three best practices (i.e., Building a culture that values data and promotes public use; Governing, managing and protecting data; Promoting efficient and appropriate data use) is imperative. Most of these principles and strategies will likely be driven initially by new policies, reporting requirements, budget planning, and associated activities. Given the necessary policy staffing and approval processes however, it will take some time to get these in place. A sequential, policy-only approach to the strategy is apt to result in extended timelines hindering rapid progress.


What Matters Most with Data Governance and Analytics in the Cloud?


As much as there are benefits, there understandably can be issues to address when it comes to moving data and redeploying processes from legacy platforms to Big Data platforms and the cloud to reduce costs and achieve higher processing performance. “There is a desire to modernize infrastructure into Big Data platforms or clouds,” commented Smith. Syncsort provides solutions for data infrastructure optimization, the cloud, data availability, security, data integration, and data quality. As businesses build data lakes to centralize data for advanced analytics, they need to also ingest mainframe data for Big Data platforms like Hadoop and Spark. According to Smith, the top analytics use cases that drive data lakes and enterprise data hubs are advanced/predictive analytics, real-time analytics, operational analytics, data discovery and visualization, and machine learning and AI. The top legacy data sources that fill the data lake are enterprise data warehouses, RDBMS, and mainframe/IBM I Systems.  “Legacy infrastructure is so critical,” Smith commented. “These systems are not going away.” Mainframes and IMB I still run the core transactional apps of most enterprises, according to the company.


Sensitive Data Governance Still a Difficult Challenge


Governing all of an organization’s mountains of sensitive data, or even knowing what sensitive data exists and where it’s located within the enterprise, isn’t easy. Data classification is hard to accomplish. Often it does not occur reliably given the volume of data that must be discovered and when the task is left to business users. A large health care provider stores 4.1 billion columns of data. A financial services company sucks in more than 10 million data sets per day. As the data pours in, only a small percentage of it — the so called Critical Data Elements (CDEs) — are tagged in a painfully slow and error-prone manual process that leaves most data miscategorized, lost or still waiting to be discovered, and impossible to track. Most companies have between 100 and 200 CDEs, but customers typically have thousands and sometimes even millions of data elements depending on their business, data organization and representation. This presents a risk because CCPA covers any data you know and possess about your customers.



Quote for the day:


"Leaders are the ones who keep faith with the past, keep step with the present, and keep the promise to posterity." -- Harold J. Seymour


Daily Tech Digest - July 13, 2019

Zoom vulnerability reveals privacy issues for users

On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call," Leitschuh added. "Additionally, if you've ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage." According to Leitschuh, it took Zoom 10 days to confirm the vulnerability and in a meeting on June 11, he told Zoom there was a way to bypass the planned fix, but Zoom did not address these concerns when Zoom reported the vulnerability fixed close to two weeks later. The Zoom vulnerability resurfaced on July 7, Leitschuh disclosed on July 8 and Zoom patched the Mac client on July 9. Zoom also worked with Apple on a silent background update for Mac users, released July 10, which removed the Zoom localhost from systems. "Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner," Leitschuh wrote.


What is enterprise? What is architecture?

What exactly was ‘the enterprise’ in that context? If we think of ‘enterprise’ as organisation’, was it just NASA? Or did it include others in the consortium of US organisations that designed and built the launchers, the landers, all of the equipment for the missions? Did it include the broader international consortium of support-facilities such as ‘The Dish‘ at Parkes, New South Wales, through which the TV transmissions for the first moonwalk came? Did it include ‘competitors’ such as the Russian, Chinese and other national space-organisations? If we think of ‘enterprise’ as ‘a bold endeavour’, what was the respective endeavour? Just one moon-landing mission? – or all of them, from Apollo-11 to Apollo-17? Should we include all the other Apollo missions? All of the other US space-missions, before and after Apollo? To what extent would we include other moon-missions from other nations in the same enterprise? Space-explorations in general? Only crewed-missions, or robotic missions as well? Or could and should we extend this enterprise to include the overall story? – the dream of spaceflight and suchlike?


No, 5G isn't going to make your 4G LTE phone obsolete


"This is the first time so many aspects of [the old and new network] are shared," saidGordon Mansfield, AT&T vice president for converged access and device technology. "Some things we'll do for 5G are inherently backward compatible and will lift the capabilities of 4G." By 2025, 15% of mobile connections in the world will be on 5G, according to a 2019 report by GSMA Intelligence, the research arm of the mobile operator group that hosts Mobile World Congress. But LTE usage will be about 59% by the same year, up from 43% in 2018. (In North America, the split will be more even, with about 47% of 2025's connections on 5G and 44% on 4G). Even if 5G becomes an even bigger part of the market by 2025 than estimated today, "it will complement rather than replace LTE," GSMA said in a separate report from last year.  "For operators in many parts of the world, LTE is and will be the foundation for the next 10 years at least," the GSMA report said. "LTE speeds are improving, which makes 5G less compelling without new services such as AR/VR." 


IT strategy: The CIO’s guide to getting stuff done


Shaun Le Geyt, CIO at Parkinson's UK, is part of a senior digital leadership team who are driven by using technology to help people with the condition. Every hour, two people in the UK are told they have Parkinson's. As many as 145,000 people are diagnosed with the condition in the UK, which is around one in every 350 adults. Le Geyt says CIOs who want to meet their targets must focus on the people who will benefit, rather than focusing on the technology they're implementing. "Managing cultural change is as important as managing technological change," he says. Taking control of that change process is as true for internal staff in his organisation as it is for the individuals who benefit from the charity's work. Parkinson's UK has annual income of about £40m and employs 450-plus staff. The charity draws on a dynamic network of expert staff, health and social care professionals, volunteers, and researchers.  "Focus on the needs of the organisation – put people first," says Le Geyt. "There's times when technology comes up and you know it's the right thing to discuss.


DevOps for networking hits chokepoints, tangled communications


Challenges will arise with tighter integration of DevOps and networking. Network automation lags behind other areas of IT automation -- the networking team will argue that this is because automation decreases visibility into this vital component of the application infrastructure. When applications run in the public cloud -- as is often the case with DevOps deployments -- the admins cannot touch the physical network. Instead, the focus shifts to virtual private clouds, autoscaling and failover via setup policies. Cloud certification training can help developers take over these tasks, but developers do not have expertise in network management, just as network admins do not have experience running cloud operations. There's a cultural challenge set up by this change to NetOps. DevOps teams have to collaborate closely with both the in-house network operations team and their cloud service provider. Appoint in-house technical and strategic alliance managers, and request one from a cloud provider to build relationships and overcome these obstacles.


How to learn from inevitable AI failures

cloudai.jpg
Partly this is a problem of skills: To do well with AI or any area of big data, you need a mix of math, programming, and more. That kind of unicorn doesn't readily gallop by. However, it's also the case that finding someone who understands data science may be easier than finding someone who understands your business and the data that makes it hum. This calls to mind Gartner analyst Svetlana Sicular's advice from years ago about big data: "Organizations already have people who know their own data better than mystical data scientists." Therefore, look within your organization because "Learning Hadoop is easier than learning the company's business." Many AI projects fail precisely because the technology is considered in a vacuum. As noted by Greg Satell in Harvard Business Review, any AI project should have a clear business outcome identified, with the right data culled to serve that end. This, in turn, requires (you guessed it!) involving smart folks within the enterprise who understand the business intimately and know where to find the best data. AI, in other words, while ostensibly about replacing people, can't succeed without involving your company's best people.


Asia’s AI agenda: The ethics of AI

Asia's AI agenda: The ethics of AI
Asia’s AI ecosystem participants are aware of and concerned about the potential for embedded biases (race, gender, or socioeconomic status) within AI tools, and the harm this can cause through facilitating overpolicing of minority communities, or economic exclusion. Weaponization and malicious use of AI are also ethical concerns in Asia as applications are increasingly commoditized and industrialized. While Asian decision-makers are concerned about a potentially negative impact, particularly where jobs are concerned, optimism is the more dominant sentiment, which will propel the use of AI in Asia. Asian governments are building institutional capacity and frameworks to increase AI governance—but have yet to develop regulations. Overwhelmingly, more survey respondents believe Asia will lead the world in the development of ethics and governance than any other region: 45%, as compared with only a quarter who see North America as the ethics frontrunner.


The Market Of One

market of one
Smart, agile companies like Lifedata.ai are keeping up with such data developments by recognising that people expect a brand experience that matches their digital lifestyles. Today’s consumers demand improved ease of use, relevance and personalisation, delivered across channels in a frictionless and consistent way. Social and media interactions can be mediated by software and turn IoT sensor data into monetisable experiences. These can unlock context-aware personalisation, obtaining behavioural insights and real-time automation based on a timeline of contextual moments, situational context and relevant behavioural profiles. Lifedata.ai aims to capture how people go through their day and identify moments that matter in order to improve their lives. Omar Fogliadini, Managing Partner of Lifedata.ai, says, “In 2019, integrations with digital assistants are no longer a differentiator. Brands will need to showcase what people can actually do with these integrations. The most successful integrations will be those that make people’s lives easier and help them get things done. ...”


Man Vs. Machine: The 6 Greatest AI Challenges To Showcase The Power Of AI

Man Vs. Machine: The 6 Greatest AI Challenges To Showcase The Power Of Artificial Intelligence
Could artificial intelligence play Atari games better than humans?DeepMind Technologies took on this challenge, and in 2013 it applied its deep learning model to seven Atari 2600 games. This endeavor had to overcome the challenge of reinforcement learning to control agents directly from vision and speech inputs. The breakthroughs in computer vision and speech recognition allowed the innovators at DeepMind Technologies to develop a convolutional neural network for reinforcement learning to enable a machine to master several Atari games using only raw pixels as input and in a few games have better results than humans. Next up in our review of man versus machine is the achievements of AlphaGo, a machine that is able to learn for itself what knowledge is. The supercomputer was able to learn 3,000 years of human knowledge in a mere 40 days prompting some to claim it was “one of the greatest advances ever in artificial intelligence.” The system had already learned how to beat the world champion of Go, an ancient board game that was once thought to be impossible for a machine to decipher.


Is Enterprise Architecture Relevant To Agile?

Is Enterprise Architecture Relevant To Agile?
The first important insight is that EA is valuable to determine the future of pivotal Agile projects. It provides better vision to realize, identify the application and projects which are needed to support this vision. In EA, applications can be introduced as a black box. The Agile Project can open this black box. Agile projects can refine the high-level business requirements into the epics and the user stories in EA. Another important insight is that the focus of Agile will only be the teams, and not the enterprise. Dean Leffingwell designed the Scaled Agile Framework for small teams and it does not scale to the enterprise level. Enterprise Architects are also working under this framework. The responsibilities of the enterprise architect constitute of maintaining the goals, facilitating reuse of emerging solutions, knowledge and patterns. Finally, Agile and Scrum can be considered as enterprise architecture. They can be illustrated in the form of principles and models, core elements of architecture.



Quote for the day:


"The role of leadership is to transform the complex situation into small pieces and prioritize them." -- Carlos Ghosn


Daily Tech Digest - July 12, 2019

Reinforcement learning is an area of machine learning that has received lots of attention from researchers over the past decade. Benaich and Hogarth define it as being concerned with "software agents that learn goal-oriented behavior by trial and error in an environment that provides rewards or penalties in response to the agent's actions (called a "policy") towards achieving that goal." A good chunk of the progress made in RL has to do with training AI to play games, equaling or surpassing human performance. StarCraft II, Quake III Arena and Montezuma's revenge are just some of those games. More important than the sensationalist aspect of "AI beats humans", however, are the methods through which RL may reach such outcomes: Play driven learning, simulation and real-world combination, and curiosity-driven exploration. Can we train AI by playing games? As children, we acquire complex skills and behaviors by learning and practicing diverse strategies and behaviors in a low-risk fashion, i.e., play time. 


APT Groups Make Quadruple What They Spend on Attack Tools

"The potential benefit from an attack far exceeds the cost of a starter kit, says Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies. For groups like Silence, the profit from one attack is typically more than quadruple the cost of the attack toolset, she says. The ROI for some APT groups can be many magnitudes higher. Positive Technologies, for instance, estimated that APT38, a profit-driven threat group with suspected backing from the North Korean government, spends more than $500,000 for carrying out attacks on financial institutions but gets over $41 million in return on average. A lot of the money that APT38 spends is on tools similar to those used by groups engaged in cyber espionage campaigns. Building an effective system of protection against APTs can be expensive, Galloway says. For most organizations that have experienced an APT attack, the cost of restoring infrastructure in many cases is the main item of expenditure. "It can be much more than direct financial damage from an attack," she says.


Smarter IoT concepts reveal creaking networks

Industry 4.0 - industrial IoT internet of things
"The internet, as we know it, is based on network architectures of the 70s and 80s, when it was designed for completely different applications,” the researchers say in their media release. The internet has centralized security, which causes choke points, and and an inherent lack of dynamic controls, which translates to inflexibility in access rights — all of which make it difficult to adapt the IoT to it. Device, data, and process management must be integrated into IoT systems, say the group behind the project, called DoRIoT (Dynamische Laufzeitumgebung für Organisch (dis-)Aggregierende IoT-Prozesse), translated as Dynamic Runtime Environment for Organic dis-Aggregating IoT Processes. “In order to close this gap, concepts [will be] developed in the project that transparently realize the access to the data,” says Professor Sebastian Zug of the University of Freiberg, a partner in DoRIoT. “For the application, it should make no difference whether the specific information requirement is answered by a server or an IoT node.”


Managing Third-Party Risks: CISOs' Success Strategies

Managing Third-Party Risks: CISOs' Success Strategies
As more organizations rely on third parties for various services, managing the security risks involved is becoming a bigger challenge. Those risks, indeed, can be significant. For example, earlier this year, Indian IT outsourcing giant Wipro was targeted by hackers who in turn launched phishing attacks against its customers. Among the toughest third-party risk management challenges are: Keeping track of the long list of outsourcers an organization uses and making sure they're assessed for security; Taking steps to minimize the amount of sensitive data that's shared with vendors - and making sure that data is adequately protected; and Holding vendors to a uniform standard for security. "For most organizations, there is still a long way to go in strengthening governance when it comes to vendor management," says Jagdeep Singh, CISO at InstaRem, a Singapore-based fintech company. "We need to look at the broader risk posture that vendors bring in ... which will determine the sort of due diligence you want to carry out."


To encourage an Agile enterprise architecture, software teams must devise a method to get bottom-up input and enforce consistency. Apply tenets of continuous integration and continuous delivery all the way to planning and architecture. With a dynamic roadmap, an organization can change its planning from an annual endeavor to a practically nonstop effort. Lufthansa Systems, a software and IT service provider for the airline industry under parent company Lufthansa, devised a layered approach to push customer demand into product architecture planning. Now, the company can continuously update and improve products, said George Lewe, who manages the company's roster of Atlassian tools that underpin the multi-team collaboration. "We get much more input from the customers -- really cool ideas," Lewe said. "Some requests might not fit into our product strategy or, for technical reasons, it's not possible, but we can look at all of them." Lufthansa Systems moved its support agents, product managers and software developers onto Atlassian Jira, a project tracking tool, with a tiered concept. 


What does the death of Hadoop mean for big data?

The Hadoop software framework, which facilitated distributed storage and processing of big data using the MapReduce programming model, served these data ambitions sufficiently. The modules in Hadoop were developed for computer clusters built from commodity hardware and eventually also found use on clusters of higher-end hardware. But the broader adoption of the open-source distributed storage technology that was invented by Google, however, did not come to be, as enterprises began opting to move to the cloud and explore AI, which included machine learning and deep learning as part of their big data initiative. Worse, several big Hadoop-based solution providers that had been unprofitable for years were forced to merge to minimize losses, and one may be forced shut down altogether. However, the questions remain if the fate of these vendors is only indicative of the demise of Hadoop powered solutions and other open source data platforms, or the death of big data as a whole? Was big data merely a fad or a passing interest of industries?


From Machine Learning to Machine Cognition  

Image 4 for From Machine Learning to Machine Cognition
Keeping logic/decisions outside network is what has been done by now. For decisions, we are using automated systems bases on software running on CPUs instead of artificial cognitive networks. While these work very well and will still be present for a long time, they are limited. Basically, these programs perform simple iterative tasks or move controls and numbers on monitor windows with millions of lines of code. This approach may be good while dealing with games and simple narrow tasks but not great when dealing with general concepts. They will not ensure enough internal connections. These will hardly evolve to intelligence. The complexity required is just too high to emulate imagination, intuition etc. Image recognition has been developed with neural networks because it was impossible to generate an iterative algorithm for it. The same should be done with cognition; decisions should use neurons, cognition should be kept inside network together with concepts and learning, as they have common neurons.


Open-Source Tool Lets Anyone Experiment With Cryptocurrency Blockchains

In researching blockchains, Shudo and his colleagues searched for a simulator that would help them experiment with and improve the technology. But existing simulators were too hard to use and lacked the features the team wanted. Moreover, these simulators had apparently been created for specific research and were abandoned soon after that work was completed, because many of the tools the group found were no longer being updated.  "The most recent simulator we looked at was developed in October 2016," says Shudo. "And it was no longer being maintained." So, the group developed its own simulator. Dubbed SimBlock, it runs on any personal computer supporting Java and enables users to easily change the behavior of blockchain nodes. Consequently, investigating the effects of changed node-behavior has now become a straightforward matter, says Shudo. "All the parameters of the nodes in SimBlock are written in Java," he explains. "These source files are separated from the main SimBlock Java source code, so the user simply edits [the nodes’] source code to change their behavior."


Visual Studio Code: Stepping on Visual Studio’s toes?
Microsoft describes Visual Studio as a full-featured development environment that accommodates complex workflows. Visual Studio integrates all kinds of tools in one environment, from designers, code analyzers, and debuggers to testing and deployment tools. Developers can use Visual Studio to build cloud, mobile, and desktop apps for Windows and MacOS.  Microsoft describes Visual Studio Code, on the other hand, as a streamlined code editor, with just the tools needed for a quick code-build-debug cycle. The cross-platform editor complements a developer’s existing tool chain, and is leveraged for web and cloud applications. But while Microsoft views the two tools as complementary, developers have been raising questions about redundancy for years. Responses to a query in Stack Overflow, made four years ago, sum up the differences this way: Visual Studio Code is “cross-platform,” “file oriented,” “extensible,” and “fast,” whereas Visual Studio is “full-featured,” “project and solution oriented,” “convenient,” and “not fast.”


Attacks against AI systems are a growing concern


The continuing game of “cat and mouse” between attackers and defenders will reach a whole new level when both sides are using AI, said Hypponen, and defenders will have to adapt quickly as soon as they see the first AI-enabled attacks emerging. But despite the claims of some security suppliers, Hypponen told Computer Weekly in a recent interview that no criminal groups appear to be using AI to conduct cyber attacks. The Sherpa study therefore focuses on how malicious actors can abuse AI, machine learning and smart information systems. The researchers identify a variety of potentially malicious uses for AI that are already within attackers’ reach, including the creation of sophisticated disinformation and social engineering campaigns. Although the research found no definitive proof that malicious actors are currently using AI to power cyber attacks, as indicated by Hypponen, the researchers highlighted that adversaries are already attacking and manipulating existing AI systems used by search engines, social media companies, recommendation websites, and more.



Quote for the day:


"Leadership is a matter of having people look at you and gain confidence, seeing how you react. If you're in control, they're in control." -- Tom Landry