Daily Tech Digest - January 07, 2019

Want a hybrid workforce? The trick is getting humans and machines speaking to each other

A stealth company is trying to solve one of the oddest interoperability problems of the modern era: How do you get robots and non-engineers talking to each other? Founded by the former Director of Robotics for Google, the company, Formant, is making its first public bow thanks to a recently announced $6 million in funding from SignalFire. Formant's pitch is straightforward, and it illustrates the peculiar problem of automation in 2019: Robots perform a lot of tasks in industries like logistics and manufacturing, but those industries still rely on humans for crucial decisions robots can't yet make. Getting robots and humans communicating in real time to facilitate that decision-making has been tricky and usually requires an intermediary in the form of an engineer. ... "We founded Formant to answer the biggest problem that faces automation today: robots produce too much information, in disparate forms that cannot be viewed simultaneously," said Jeff Linnell, founder and CEO of Formant and a robotics insider with deep industry connections.


Expect banks and fintechs they trust to reach wider arrangements that give banks more confidence in the security surrounding data sharing and third-party innovation.  The Financial Data Exchange, made up of big banks like JPMorgan Chase and Wells Fargo as well as data aggregators and fintechs, was established in 2018 to create a standard to safely share information and address risks tied to open banking. The group — along with the “Secure Open Data Access” framework formed earlier this year with support from Envestnet’s Yodlee, Quovo and Morningstar's ByAllAccounts — could put banks more at ease with open banking.  Meanwhile, banks such as BBVA Compass, Capital One, Citibank and Silicon Valley Bank continue to move forward with open-banking initiatives. ... Meantime, blockchain advocates at financial institutions are weary of trying to convince others of the technology's potential. Blockchain proponents admit bank executives and regulators still link the technology to wild swings in cryptocurrency values.



The well-crafted phishing web pages use custom web font files, known as "woff files", to implement a substitution cipher that makes the source code of the phishing pages appear benign. When the phishing landing page renders in the browser, users are presented with a typical online banking credential phish using stolen bank branding, but the page source contains only encoded display text. Substitution functions in phishing kits are frequently implemented in JavaScript, the researchers said, adding that no such functions appeared in the page source. Instead, the researchers identified the source of the substitution in the CSS [cascading style sheet] code for the landing page. The researchers extracted, converted and viewed the woff and woff2 web font files and discovered that the phishing landing page was using those custom web font files to make the browser render the ciphertext as plaintext, while the malicious content stayed hidden from anyone reading the source.
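As an added example (not code from the original article or this digest), the check below applies a font's glyph mapping to a page's visible text so a scanner sees what the victim sees rather than what the source says; the glyph table and the landing-page HTML are constructed stand-ins, and reading the real table out of a woff/woff2 file with a font library such as fontTools is assumed rather than shown.

```python
import re
import string

# Constructed substitution table standing in for the malicious font's cmap:
# the character on the left is what the page source contains, the one on the
# right is the glyph the browser draws for it. A real scanner would read this
# table out of the woff/woff2 file itself (e.g. with fontTools).
SOURCE_CHARS = string.ascii_lowercase
DRAWN_CHARS = "qwertyuiopasdfghjklzxcvbnm"
GLYPH_TABLE = str.maketrans(SOURCE_CHARS + SOURCE_CHARS.upper(),
                            DRAWN_CHARS + DRAWN_CHARS.upper())

# Constructed landing page: @font-face applies the font and the visible labels
# are stored as ciphertext, so a keyword scan of the source finds nothing.
PHISH_HTML = """
<style>@font-face{font-family:'brand';src:url(brand.woff2) format('woff2');}
body{font-family:'brand';}</style>
<form><label>Glcdykzc</label><input name="u">
<label>Jkllbidm</label><input name="p" type="password">
<button>Lhoy hy</button></form>
"""

CREDENTIAL_WORDS = ("username", "password", "sign in", "login")
TAG_RE = re.compile(r"<[^>]+>")
STYLE_RE = re.compile(r"<style>.*?</style>", re.S)

def visible_text(html: str) -> str:
    """Strip styles and tags, leaving the text that reaches the screen."""
    return " ".join(TAG_RE.sub(" ", STYLE_RE.sub("", html)).split())

def render_as_user_sees(html: str) -> str:
    """Push the visible text through the font's glyph table."""
    return visible_text(html).translate(GLYPH_TABLE)

def uses_custom_webfont(html: str) -> bool:
    return bool(re.search(r"@font-face[^}]*\.woff2?", html))

def credential_words(text: str) -> list:
    low = text.lower()
    return [w for w in CREDENTIAL_WORDS if w in low]

def scan(html: str) -> dict:
    """Compare the source-level and render-level views of the same page."""
    source_hits = credential_words(visible_text(html))
    rendered_hits = credential_words(render_as_user_sees(html))
    return {"custom_font": uses_custom_webfont(html),
            "source_hits": source_hits, "rendered_hits": rendered_hits,
            # Keywords that only appear after applying the font are the tell.
            "hidden_by_font": bool(rendered_hits) and not source_hits}
```

The tell a scanner should act on is the disagreement between the two views: a page that declares a custom web font and whose credential-harvesting words surface only after the font mapping is applied.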



Top 4 enterprise tech trends to watch in 2019

How can security be improved? Advances in cloud computing and blockchain will help organizations better protect their data, Climer wrote in a recent article. “Though these aren’t new technology trends — blockchain and the cloud led conversations throughout 2018 — how businesses utilize these tech tools for their operational security will likely transition dramatically,” she wrote. Jessica Marie, director of product marketing at Vera Security, also said tech advances in cybersecurity will help. “I'm most excited about advancements in cybersecurity, particularly encryption technologies and securing data in the cloud/collaboration tools. Something tells me with recent breaches, this might become very necessary,” she said during the Twitter chat. Data governance will also play a large role in improving cybersecurity and data privacy, said Tyler James Johnson, founder and CEO of PrivOps. “I'm big on data and analytics solutions, as well,” Johnson said. “I see a big connection between that and data privacy and security. For me, 2019 will be the year all these trends converge.”


Security and patching: 5 resolutions for 2019

The number of IT assets that companies have in place continues to go up, with more endpoint devices, servers and applications that all need to be kept up to date. At the same time, the number of known vulnerabilities continues to rise, and the time available to deploy patches is coming down: the gap between a vulnerability being announced and an exploit becoming available keeps shrinking. This narrowing window makes it difficult to keep systems up to date when there are hundreds, thousands or even millions of assets to consider. The second issue is error proofing. Patches may break other applications, or introduce other flaws that lead to more security issues in the future. In some cases, they may not work or may break the machines they are applied to. Whatever the outcome, a poorly applied patch may cause more harm than good. Testing to check that these failure conditions don't occur is therefore necessary to avoid problems later. The third issue is prioritization. With so many assets to look after and so many applications to test, it can be hard for teams to know where to put their efforts.


UK contactless card fraud doubles


Unlike chip and PIN transactions, contactless payments can be made without additional authentication, such as a PIN. Under current rules, payments of up to £30 can be made using the technology. Contactless is overtaking chip and PIN as the most popular way of paying for goods and services because of its convenience. According to recent figures from payment processing firm Worldpay, more card payments were made using contactless technology than chip and PIN in the UK over the 12 months from June 2017 to June 2018. It revealed that, after increasing by 30% on the previous year, contactless payments were the most used card payments in shops. ... “Fraudsters will do all they can to steal your card and account details and take money from your account. If you’ve seen unusual activity on your bank statements, such as purchases you don’t remember making or cash withdrawals from places you don’t remember visiting, tell your bank immediately.”


The attack surface is growing faster than it has at any other point in the history of technology

In 2019, well-known tactics such as advertising, phishing and fake apps will continue to dominate the mobile threat landscape. In 2018, we tracked and flagged countless fake apps using our apklab.io platform. Some were even found on the Google Play Store. Fake apps are the zombies of mobile security, becoming so ubiquitous that they barely even make the headlines as new fake apps pop up to take the place of the ones already flagged for removal. They will persist as a trend in 2019, exacerbated by fake versions of popular app brands doing the rounds on the Google Play Store. In 2018, the return of banking Trojans was also particularly pronounced on the mobile side, growing 150 percent year-on-year, from three percent to over seven percent of all detections we see worldwide. While perhaps not a big shift in terms of overall volume, we believe that cybercriminals are finding banking to be a more reliable way to make money than cryptomining.


Singapore Airlines data breach affects 285 accounts, exposes travel details

"We have established that this was a one-off software bug and was not the result of an external party's breach of our systems or members' accounts. The period during which the incident occurred was between 2am and 12.15pm, Singapore time, on 4 January 2019, at which point the issue was resolved," the spokesperson said.  The airline said it will contact all affected customers and has "voluntarily informed" Singapore's Personal Data Protection Commission about the data breach. ... Upon contacting SIA's customer hotline, the SIA customer was informed by the call agent that the airline was performing a system upgrade and instructed to log out of her account and log back in after 24 hours. "Such incidents are unacceptable for a company as big as Singapore Airlines. How can you do a system upgrade without proper testing?" the customer had said. "It's frustrating that we're held hostage by these companies that demand our personal details, but don't keep the data safe. When you ask for my personal data, I expect you to have the technology and systems in place to keep it secured."


Expanding the boundaries of the digital workplace


One of the central principles in establishing a perimeterless digital workplace is that the network alone does not determine which services users can access. Unlike the perimeter-based security model, the decision to grant or deny access is not tightly bound to a physical location, IP address or the use of a virtual private network (VPN). Instead, user, device and other contextual data, such as threat signals, dynamically determine the appropriate access policy, which may trigger the need for multifactor authentication, access denial or other trust elevation techniques. User and contextual trust should be appropriate to the level of risk associated with the resource being accessed. This is best illustrated with an example of a user accessing sensitive data: access to company financials, for instance, might require the user to be a full-time employee using a fully managed device.


Super Charge the Module Aware Service Loader in Java 11

Java’s answer to giving developers the ability to design and implement extensible applications without modifying the original code base came in the form of services and the ServiceLoader class, introduced in Java 6. SLF4J uses this service loading mechanism to provide the plug-in model we described earlier. Of course, dependency injection or inversion of control frameworks are another way to achieve the same and more, but we will focus on the native solution for the purpose of this article. ... The default ServiceLoader “load” method searches the application classpath with the default class loader. You can use the overloaded “load” method to pass a custom class loader to implement more sophisticated searches for service providers. In order for the ServiceLoader to locate service providers, the service providers must implement the service interface, in our case the PaymentService interface.



Quote for the day:


"Management is about arranging and telling. Leadership is about nurturing and enhancing." -- Tom Peters