Daily Tech Digest - August 22, 2019

Fake VPN Website Delivers Banking Trojan

Researchers at the Russian security firm Doctor Web say the banking Trojan, which they call Win32.Bolik.2, is a modified version of the original Win32.Bolik.1 Trojan and is being spread by the same unknown hacker group. "The Win32.Bolik.2 Trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus," the researchers write. "Using this malware, hackers can perform web injections, traffic intercepts, key-logging and steal information from different bank client systems." The new campaign, which started on Aug. 8, is targeting mainly English-speaking victims by using a cloned website of NordVPN that prompts its visitors to download a program for a particular type of VPN software that contains the Trojan, Doctor Web reports. To make the fake website seem authentic, the fraudsters use a valid Secure Sockets Layer certificate that ensures a secure connection between a web server and a browser. Another campaign in April using the same Trojan spread via the legitimate website for a video editing software package.

Big Switch targets shadow IT, hybrid cloud growth with fortified software family

Big Switch’s flagship BCF software lets customers manage physical switches as a single fabric that includes security, automation, orchestration and analytics. BCF can run on a variety of certified switches from Dell EMC, HPE and others. In addition, BCF Controller natively supports integration with various Cloud Management Platforms such as VMware (vSphere, NSX Manager, vSAN) and OpenStack. BCF also supports container orchestrators such as Kubernetes, all via a single interface. “We believe that traditional networking is complicated but that networking in the cloud is easier using technology such as VPCs, and what we are doing is bringing cloud-networking principles to on-prem and the data center,” said Prashant Gandhi, chief product officer for Big Switch. With BCF for AWS customers can discover, determine configurations and troubleshoot all VPCs and workloads configured in AWS, Gandhi said. “One of the benefits to BCF for AWS is that many customers deploying workloads in clouds don’t know everything that’s being run or shared in the cloud – we can discover those shadow IT networks and help IT get a handle on them,” Gandhi said.

The Design Thinking Process: Five Stages to Solving Business Problems

5 Stages in the Design Thinking Process
There are lots of ways to harness ideas and solve problems. Design thinking is one means to foster and refine creative problem-solving. While it doesn’t suggest ignoring your data, design thinking is, at its core, human-centered. It encourages organizations to focus on the people they’re creating for in hopes of producing better products, services and internal processes. ... The best way to put design thinking into use in your organization is by creating a strategic planning approach that takes ideas from assessment to analysis to delivery. By employing an iterative approach with a thorough assessment and a feedback loop, everyone in your organization will feel more empowered and engaged. The reality of business today is that nearly every business problem is going to have a technological solution. It will fall to the IT organization to take the ideas that come out of your design thinking and figure out how to deliver them as solutions at scale and speed. This is where enterprise architecture comes into play. Evaluating, planning and deploying a business solution will require visibility. How will these solutions impact users? Can they be supported by the existing IT infrastructure? How do they fit into the business ecosystem?

A new look at the Cybersecurity Skills Market

The survey found that most businesses used hardware and software regarded as obsolete by suppliers. Few had any full-time in-house IT support staff and most had received no professional training. Moreover, none of the publicly funded training programmes in the TEC portfolio were felt to be relevant to their needs. Those wanting skilled staff were happy to train their own, provided the TEC would help them identify recruits with the necessary aptitude and attitude. They would also have liked the TEC to create a list of reputable local organisations providing relevant modular short courses. The results were so far out of line with “accepted wisdom” that the implications, beyond the synopsis headline “The users have taken over the system”, were ignored. My draft report and recommendations were never published. ... Almost none will know the training their staff might need. Few will know how to find a reputable supplier of security services who can meet their needs at affordable cost.

Can organizations embrace the digital native mindset?

It is not the lack of ideas but a dearth of inspiration for most of the traditional companies in our country that keeps them from taking the digital route. Despite huge sums being invested in research and development, most of the organizations remain blind to the endless possibilities that digital intervention can bring to their businesses. Although the research practices and incubators they seed point in this direction, conventional practices prevent these companies from taking the unexplored route. In a recent McKinsey survey, many respondents said that parent companies had hindered the development of their start-ups and limited entrepreneurs’ freedom to make decisions. Scaling up the individual businesses under one umbrella becomes a challenge for many large conglomerates. The transformation needs to start at an operational level, with constant awareness among all the stakeholders involved about the change in practices. The key is to include digital intervention in organizational planning to establish the idea across all levels. Later, the plan should be measured against the outcome to promote digitization in good faith.

How to become a cybersecurity RSO

Given that cybersecurity is regulated, what practices can we adopt from the experiences of HROs regarding compliance and regulation? The distinction between goal-focused regulation and error-focused regulation is an important concept. Most compliance regimes focus on the former, i.e. meeting control objectives. However, organizations may benefit from enhancing their internal error-detection capabilities. Another applicable point relates to extended organizations. In many cases managing the regulatory and reliability implications of the organization’s supply chain may be the biggest risk faced by the organization. Managing for security has recently become a science. CISOs now present to the board and know not to be the department of “no” and to support business initiatives. But HROs and RSOs have been managing to high reliability for decades. The “three lenses” view of organizations leads to three parallel paths toward building a cybersecurity HRO. If you fail to see through all three lenses, you will likely not achieve your goals.

Simulation software: protecting your organisation during a sustained period of cyber war

We’re in the midst of a cyber war that threatens every single business and the vast majority of individuals. Simulation software may provide a solution, but first, the problem. The problem is not going away, but is in fact getting worse — technology, an increasing presence in everyone’s lives, connects the operations of pretty much everything. And so, cyber attacks are more pervasive than ever before — the majority own a smartphone. In the cyber war, malicious cyber attacks are increasing in prevalence and sophistication, and the targets chosen are continually widespread. “Businesses, from national infrastructure and network carriers through to businesses of all sectors and sizes are in the sights of cybercriminals,” confirms Martin Rudd, CTO, Telesoft Technologies. “Think of the nationwide damage that would happen if the organisations powering this critical national infrastructure were to suffer a targeted cyber attack. These organisations generate and store colossal amounts of personal data, making them extremely valuable to cyber criminals — but also, thanks to their gargantuan size, difficult to breach.

Creating a culture of learning

Many managers still rise in organizations because they are good at process optimization, driving out waste and inefficiency, and managing for scale. But when you become CEO, your priorities change. You discover more complex issues that can’t be solved through process optimization. Suddenly you spend your time thinking about why the things that ought to be getting better aren’t getting better, and why they may be getting worse. For example, many CEOs are trying to improve diversity in their organizations, and to create less hostile environments. Yet no matter how hard they try to shift the rules — “Let’s set targets, hold people accountable, and engineer our way toward a more diverse workforce” — they’re not succeeding. Workplace behaviors still sometimes get toxic, even though nobody wants them to. To understand why this happens, you have to think in less linear ways. For example, instead of trying to lock everyone into one diversity-and-inclusion process, what if you let employees choose their approach, and talked about that choice openly? You need to develop a culture of learning if you want to be innovative.

Even fintech startups battling to meet cyber security challenges

The research into fintechs shows that eight main websites and 64 subdomains have at least one publicly disclosed and exploitable security vulnerability of a medium or high risk, compared with seven in the banking sector. The most common website vulnerabilities are cross-site scripting (XSS), sensitive data exposure, and security misconfiguration, despite all of them featuring in the OWASP top 10 application vulnerabilities, which are well-known and have well-established mitigation methods. All of the mobile applications tested contained at least one security vulnerability of a medium risk, while 97% have at least two medium or high-risk vulnerabilities. The tests show that 56% of mobile app backends have serious misconfigurations or privacy issues related to SSL/TLS configuration and insufficient web server security hardening. The report reveals that 62% of the fintechs’ main websites failed the payment card industry data security standard (PCI DSS) compliance test.

Moscow's blockchain voting system cracked a month before election

The French academic was able to test Moscow's upcoming blockchain-based voting system because officials published its source code on GitHub in July, and asked security researchers to take their best shots. Following Gaudry's discovery, the Moscow Department of Information Technology promised to fix the reported issue -- the use of a weak private key. "We absolutely agree that 256x3 private key length is not secure enough," a spokesperson said in an online response. "This implementation was used only in a trial period. In a few days the key's length will be changed to 1024." Gaudry, who discovered that Moscow officials modified the ElGamal encryption scheme to use three weaker private keys instead of one, couldn't explain why the IT department chose this route. "This is a mystery," the French researcher said. "The only possible explanation we can think of is that the designers thought this would compensate for the too small key sizes of the primes involved. But 3 primes of 256 bits are really not the same as one prime of 768 bits."
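Gaudry's point that three 256-bit primes do not add up to one 768-bit prime can be shown at toy scale. The following is an added example written for this digest, not code from the Moscow system or from Gaudry; it assumes the simplified model that each of the three keys is an independent ElGamal instance over its own safe prime, so an attacker's work is the sum of three small discrete logarithms rather than one large one. Each key is recovered with baby-step giant-step (work about the square root of the subgroup order), and the total is compared with the estimate for a single modulus of the combined size.

```python
import math
import random

def is_prime(n):
    """Trial division; adequate for the 20-bit toy primes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, math.isqrt(n) + 1))

def toy_group(bits, rng):
    """Return (p, g, q): safe prime p = 2q+1 and g generating the order-q subgroup."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            p = 2 * q + 1
            g = pow(rng.randrange(2, p - 1), 2, p)   # a square has order q
            return p, g, q

def bsgs(g, y, p, q):
    """Baby-step giant-step: x in [0, q) with g^x = y mod p. Returns (x, group ops)."""
    m = math.isqrt(q) + 1
    baby, cur = {}, 1
    for j in range(m):                 # baby steps: g^j
        baby.setdefault(cur, j)
        cur = cur * g % p
    step, gamma = pow(g, -m, p), y     # giant steps: y * g^(-i*m)
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma], m + i
        gamma = gamma * step % p
    raise ValueError("no logarithm found")

def compare_split_keys(bits=20, parts=3, seed=1):
    """Constructed scenario: `parts` independent keys over `bits`-bit primes.
    Recovers every private key from its public key and contrasts the work done
    with the estimate for one modulus of bits*parts bits (sqrt of the product)."""
    rng = random.Random(seed)
    groups = [toy_group(bits, rng) for _ in range(parts)]
    secrets, publics = [], []
    for p, g, q in groups:
        x = rng.randrange(1, q)        # private key for this instance
        secrets.append(x)
        publics.append(pow(g, x, p))   # public key y = g^x mod p
    recovered, total_ops = [], 0
    for (p, g, q), y in zip(groups, publics):
        x, ops = bsgs(g, y, p, q)
        recovered.append(x)
        total_ops += ops
    single_estimate = math.isqrt(math.prod(q for _, _, q in groups))
    return {"ok": recovered == secrets, "ops": total_ops, "single_estimate": single_estimate}
```

With three 20-bit primes the three keys fall in a few thousand group operations, while a single 60-bit modulus would cost on the order of a hundred million; the gap only widens at 256 versus 768 bits.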

Quote for the day:

"A leadership disposition guides you to take the path of most resistance and turn it into the path of least resistance." -- Dov Seidman
