Daily Tech Digest - June 12, 2019

IoT security vs. privacy: Which is a bigger issue?

Predictably, most of the teeth-gnashing has come on the consumer side, but that doesn’t mean enterprise users are immune to the issue. On the one hand, just like consumers, companies are vulnerable to their proprietary information being improperly shared and misused. More immediately, companies may face backlash from their own customers if they are seen as not properly guarding the data they collect via the IoT. Too often, in fact, enterprises shoot themselves in the foot on privacy issues, with practices that range from tone-deaf to exploitative to downright illegal—leading almost two-thirds (63%) of consumers to describe IoT data collection as “creepy,” while more than half (53%) “distrust connected devices to protect their privacy and handle information in a responsible manner.” ... Police in more than 50 cities and towns across the country are apparently offering free or discounted Ring doorbells, and sometimes requiring the recipients to share footage for use in investigations. Many privacy advocates are troubled by this degree of cooperation between police and Ring, but that’s only part of the problem. Last year, for example, Ring workers in Ukraine reportedly watched customer feeds. Amazingly, though, even that only scratches the surface of the privacy flaps surrounding Ring.



Researchers crack digital safe using HSM flaw


The researchers found that the firmware built into the module was signed, but not encrypted. This meant that they could analyze how it worked, and they found that it allowed them to upload and run additional custom code. They used the software development kit (SDK) provided with the HSM to upload a custom firmware module to the unit. This gave them access to a shell inside the HSM that they could use to run a debugger and analyze the inner workings of the unit. From there, they ran a fuzzer, which sends a large number of queries to the HSM’s PKCS #11 API. PKCS #11 is a cryptographic API created by RSA. They hit the API with a large number of parameters, looking for inputs that might throw the HSM into an unstable state. These tests uncovered several buffer overflow bugs that they could trigger by sending the HSM certain commands. The researchers were able to write a module that they could run as unsigned custom firmware on the HSM and that enabled them to dump all its secrets. They could recover keys, read secrets directly from the HSM’s memory, and dump the contents of the module’s flash storage, including its decryption key.
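The bug class the fuzzer surfaced, a caller-supplied length trusted when a PKCS #11 attribute is copied into a fixed-size buffer, is easiest to see beside its fix. The following is an added, constructed illustration written for this digest; it is not code from the research, the HSM vendor, or any real PKCS #11 implementation. The `attr_t` struct mirrors the shape of a PKCS #11 `CK_ATTRIBUTE` (type, value pointer, value length); `LABEL_MAX`, the function names and the sample values are assumptions made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a PKCS #11 CK_ATTRIBUTE: the length field comes
 * from the caller of the API and must never be trusted by the firmware. */
typedef struct {
    unsigned long type;       /* attribute type (0x3 is CKA_LABEL in PKCS #11) */
    const uint8_t *value;     /* caller-supplied value buffer */
    unsigned long value_len;  /* caller-supplied length: untrusted */
} attr_t;

#define LABEL_MAX 32  /* assumed capacity of the firmware's fixed-size label buffer */

/* Vulnerable pattern: the length is trusted and the destination capacity is
 * ignored, so any value_len above the buffer size writes past its end.
 * This is exactly what a parameter fuzzer hammering the API will trigger.
 * Returns the number of bytes copied. Only ever called here with a length
 * that fits, so the example itself stays memory-safe. */
size_t copy_label_unchecked(const attr_t *a, uint8_t *label, size_t label_cap)
{
    (void)label_cap;                      /* capacity is never consulted: the defect */
    memcpy(label, a->value, a->value_len);
    return a->value_len;
}

/* Hardened pattern: validate the untrusted length against both the
 * destination capacity and the attribute's defined maximum before copying.
 * Returns -1 when the request is rejected, otherwise the bytes accepted. */
int copy_label_checked(const attr_t *a, uint8_t *label, size_t label_cap)
{
    if (a->value == NULL && a->value_len != 0)
        return -1;                        /* a length with no data behind it */
    if (a->value_len > LABEL_MAX || a->value_len > label_cap)
        return -1;                        /* would overflow: reject, do not truncate silently */
    memcpy(label, a->value, a->value_len);
    return (int)a->value_len;
}

/* Probe the hardened copy with a constructed attribute whose claimed length
 * is chosen by the caller; the backing sample is LABEL_MAX bytes so every
 * accepted length reads only within it. */
int probe_checked(unsigned long claimed_len)
{
    static const uint8_t sample[LABEL_MAX] = "constructed-label";  /* zero-padded */
    uint8_t label[LABEL_MAX];
    attr_t a = { 0x3, sample, claimed_len };
    return copy_label_checked(&a, label, sizeof label);
}

int main(void)
{
    unsigned long lengths[] = { 8, 32, 33, 1000000 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("claimed length %lu -> %d\n", lengths[i], probe_checked(lengths[i]));
    return 0;
}
```

The hardened version rejects oversized requests outright rather than truncating, because a silently shortened label is itself a data-integrity problem; the same check belongs on every length field an external caller can set, including total template size, not only on individual attributes.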


Combine containers and serverless to optimize app environments


Serverless is a new and misleading label for an old concept: run applications or scripts on demand without provisioning the runtime infrastructure beforehand. SaaS apps, such as Google Docs, might be considered serverless; when users create a document, they don't have to provision the back-end system that runs the application. Serverless takes this concept to application code, which is abstracted from its various infrastructure services, such as storage, databases, machine learning systems and streaming data processing. Google Cloud emphasizes that serverless functions aren't limited to event-driven code execution, but rather include many of its IaaS and PaaS products that instantiate and terminate on demand and don't require prior setup. On cloud serverless platforms, like AWS Lambda and Azure Functions, functions run code in response to an event trigger, such as an event on a message queue or notification service, and are typically used for short-duration jobs that handle tasks such as data acquisition, filtering and transformation, application integration and user input.


Ensuring trust in an age of digital banking

First, the bank needs to be sustainable. That includes following a code of conduct: integrating sustainability risk in processes and strengthening policies and enabling transparent reporting, as well as conducting the work that prevents the bank from being used for different types of financial crime. This is our license to operate. Second, we develop financial services with positive climate impact as a response to our customers’ needs. We have a very proud 10-year history of offering green bonds. Last year we launched green mortgages. In January, we launched our first blue bond [for investing in marine conservation projects], and we also offer green car leasing. We are trying to cater to customer demand. We understand that people care about what they do with their money. We have a very ambitious plan to introduce more financial solutions that capture what every single individual cares about. Today there is a good array of different products and services with positive climate impact, but it is still too little to meet the growing demand.


Hybrid Development: The Value at the Intersection of TDD, DDD, and BDD

What is the best way to tackle a large development project? You break it down into smaller, more manageable segments, or in the case of DDD, domains. When you split the project into smaller domains, you can have segregated teams handle the functionality of that domain end-to-end. And to best understand those domains, you enlist the help of domain experts: people who understand the problem and that realm of knowledge better than anyone else. Typically, the domain expert is not the one responsible for developing the solution; rather, DDD collectively is used to help bridge the knowledge gap that usually exists between these experts and the solution that is trying to be realized. Through models, context, and ubiquitous language, all parties involved should have a clear understanding of what the particular problems are and how the ensuing build will be structured. ... As the complexity of your projects grows, the only way to maintain the viability of your build and ensure success is to have your development practices grow with it.


Reaping the benefits of a strong strategy-driven business analytics IQ

Analytics IQ is a measure of an organization’s ability to leverage analytics to support business and IT objectives. Many organizations start their analytics journey eagerly, but without a clear strategy. This approach often leads to failed pilot projects, which have not provided the needed insights to answer business questions. Let us take a step back and first focus on analytics. It is easier to understand analytics when you understand the process that data goes through to become actual, actionable intelligence, rather than unusable numbers and words. I like to think about it in terms of retail. The price of an item is just plain data. However, when we add additional indicators, e.g., the price is attached to a celebrity’s merchandise, and recently, that person was involved in a controversy — then this data becomes information, something of interest to us. The information can then be used to try and predict what will happen to the price of this merchandise in the following days. That is intelligence: When we add context to information, it becomes intelligence.


Triada backdoors were pre-installed on Android devices


The story of Triada began when Kaspersky Lab researchers discovered it in early 2016, and at that time the main purpose of the Android malware was "to install spam apps on a device that displays ads," according to Google. Last week, Lukasz Siewierski, a reverse engineer on the Android security and privacy team at Google, explained that Triada was much more advanced than previously thought. "The methods Triada used were complex and unusual for these types of apps," Siewierski wrote in a blog post. "Triada apps started as rooting Trojans, but as Google Play Protect strengthened defenses against rooting exploits, Triada apps were forced to adapt, progressing to a system image backdoor." While Google added features to Android to protect against threats like Triada, the threat actors behind the malware took another unusual approach in the summer of 2017 and performed a supply chain attack to get the backdoor malware preinstalled on budget phones.


What Stands Out in Proposed Premera Lawsuit Settlement?

Technology attorney Steven Teppler points to the attention given to "fixing" the health insurer's security problems. The proposed agreement, which was filed on May 31 in a federal court in Oregon, would settle a class action lawsuit that consolidated more than 40 lawsuits filed after the data breach was revealed in March 2015 by the Seattle-based insurer. It awaits court approval. The settlement proposes $32 million for breach victims and related legal costs and would require the health insurer to invest $42 million in bolstering data security. The settlement "not only takes care of victims, but takes care of business internally at the organization to make sure there are resources devoted to fixing or mitigating the security problem, but also that there are ways to establish milestones to make sure what is promised is actually done," Teppler says in an interview with Information Security Media Group. Under the settlement, Premera would spend at least $14 million annually over the next three years on enhanced data security measures.


5 ways to achieve a risk-based security strategy


A risk-based security approach, on the other hand, identifies the true risks to an organization's most valuable assets and prioritizes spending to mitigate those risks to an acceptable level. A security strategy shaped by risk-based decisions enables an organization to develop more practical and realistic security goals and spend its resources in a more effective way. It also delivers compliance, not as an end in itself, but as a natural consequence of a robust and optimized security posture. Although a risk-based security strategy requires careful planning and ongoing monitoring and assessment, it doesn't have to be an overly complex process. There are five key steps to implementing risk-based security, and though time-consuming, they will align security with the goals of the organization. Board-level support is paramount. Input from numerous stakeholders throughout the organization is essential, as risk mitigation decisions can have a serious effect on operations, which security teams may not fully appreciate if they make these decisions in isolation.


Large firms look to zero-trust security to reduce cyber risk


Essentially, a zero-trust approach is about applying authentication and authorisation to ensure that all traffic within an enterprise is properly authenticated and authorised, whether it is someone coming in from the outside on a VPN connection, an application talking to another application on the network, or a user trying to use an application on the network. “The data from the survey shows many similarities between the various countries in terms of the gaps and threats that large enterprises need to deal with with respect to secure access,” said Scott Gordon, chief marketing officer at Pulse Secure. “Perhaps the most significant difference in secure access priorities was more focus on improving endpoint security and remediation prior to access in the US (57%) compared with 43% in the UK and just 31% in Germany, Austria and Switzerland. This trend also matches higher IoT adoption in the US, although Europe is catching up fast.” A key takeaway from this report, said Gordon, is that large organisations across Europe are dealing with an increasingly hybrid IT environment.



Quote for the day:


"Though nobody can go back and make a new beginning... Anyone can start over and make a new ending." -- Chico Xavier

