Daily Tech Digest - July 09, 2020

Diversity in tech: 3 stories of perseverance and success

It is easy to fall into comfortable patterns. We train for sports by developing muscle memory using repetition to engrain patterns in our brains. It takes an average of 66 days for a behavior to become a habit, and it can require 10 times the effort. Simply stated, hard work and dedication are the foundations for learning, whether learning a new language, improving your golf swing, or rethinking workforce demographics. Organizations are especially resistant to change, requiring cross-organizational commitment and a compelling business imperative. An uncompromising focus on change must cascade throughout an organization and be measured, managed, and reinforced. This resistance to change may explain, at least in part, why the underrepresentation of people of color in technology companies has shown little improvement since 2014. Ideally, the representation of blacks in technology should reflect the overall population, but it does not. According to the Census Bureau, blacks make up 13.4% of the U.S. population but account for only 5% of the workforce at technology companies, with women of color representing even less at 1%.

Pen Testing ROI: How to Communicate the Value of Security Testing

Defining the ROI of pen testing has its nuances, as there are seemingly no tangible results that come directly from the investment. When implementing a pen-testing strategy, you're actively avoiding a breach that could cost your organization money. But the cost of a breach is the most obvious data point for measuring ROI, and those estimates vary widely. My advice? Work toward maturing your security program to a point where the engagement with pen testers is focused on ensuring the effectiveness of existing controls and security touchpoints in your development life cycle — not solely to check a compliance box or single-handedly prevent a breach. Leveraging pen testing throughout the development life cycle can help identify issues in development before deployment rather than the costly discovery of vulnerabilities at a later date. Second, identify metrics, not measurements: Business decisions are often made using measurements, instead of metrics. But in most cases, driving decisions based on measurements (or raw data) can be misleading and end up with business leaders focusing time, effort, and budget on the wrong activities.

How to build a data architecture to drive innovation—today and tomorrow

To scale applications, companies often need to push well beyond the boundaries of legacy data ecosystems from large solution vendors. Many are now moving toward a highly modular data architecture that uses best-of-breed and, frequently, open-source components that can be replaced with new technologies as needed without affecting other parts of the data architecture. The utility-services company mentioned earlier is transitioning to this approach to rapidly deliver new, data-heavy digital services to millions of customers and to connect cloud-based applications at scale. For example, it offers accurate daily views on customer energy consumption and real-time analytics insights comparing individual consumption with peer groups. The company set up an independent data layer that includes both commercial databases and open-source components. Data is synced with back-end systems via a proprietary enterprise service bus, and microservices hosted in containers run business logic on the data. ... Exposing data via APIs can ensure that direct access to view and modify data is limited and secure, while simultaneously offering faster, up-to-date access to common data sets. 

Software Techniques for Lemmings

The performance of a system with thousands of threads will be far from satisfying. Threads take time to create and schedule, and their stacks consume a lot of memory unless their sizes are engineered, which won't be the case in a system that spawns them mindlessly. We have a little job to do? Let's fork a thread, call join, and let it do the work. This was popular enough before the advent of <thread> in C++11, but <thread> did nothing to temper it. I don't see <thread> as being useful for anything other than toy systems, though it could be used as a base class to which many other capabilities would then be added. Even apart from these Thread Per Whatever designs, some systems overuse threads because it's their only encapsulation mechanism. They're not very object-oriented and lack anything that resembles an application framework. So each developer creates his own little world by writing a new thread to perform a new function. The main reason for writing a new thread should be to avoid complicating the thread loop of an existing thread. Thread loops should be easy to understand, and a thread shouldn't try to handle various types of work that force it to multitask and prioritize them, effectively acting as a scheduler itself.

Cloud Security Mistakes Which Everyone Should Avoid

Cloud can be accessed virtually, by anyone who is possessing proper credentials, makes it convenient and vulnerable at the same time. Unlike physical servers that limit a number of admin users, and have more strict access permissions, cloud servers can never provide that level of security. That’s why many small business owners around the world still choose web hosting services that operate on physical servers, especially since you’re able to have a whole server just for your website if you choose a dedicated hosting plan. But virtual servers are much easier to access because of their access permissions that could sometimes be misused. Controlling access to data kept on the cloud is a tricky balancing act between giving people access to the tools they require to get the job done and protecting their data from getting into the wrong hands. Efficiently managing the data requires a comprehensive policy that not only controls who can access what data and from where, but involves monitoring to determine who accesses data, when, and from where to detect potential breaches or any inappropriate access. Therefore, it is vital to educate on how to secure their cloud sessions, including avoiding public networks and effective password management.

The Modern Hybrid App Developer

One of the most frustrating parts about building apps is the massive headache of releasing and waiting for new updates in the app stores. Because hybrid app developers build a big chunk of their app using web technology, they are able to update their app’s logic and UI in realtime any time they want, in a way that is allowed by Apple and Google because it’s not making binary changes (as long those updates continue to follow other ToS guidelines). Using a service like Appflow, developers can set up their native Capacitor or Cordova apps to pull in realtime updates across a variety of deployment channels (or environments), and even further customize different versions of their app for different users. Teams use this to fix bugs in their production apps, run a/b tests, manage beta channels, and more. Some services, like Appflow, even support deploying directly to the Apple and Google Play store, so teams can automate both binary and web updates. This is a major super power that hybrid app developers have today that native developers do not!

HSBC customers targeted in new smishing scam

The text phishing, or smishing campaign begins with a text message purporting to come from HSBC, informing its target that “a new payment has been made” through the HSBC app on their smartphone device. Targets are informed that if they were not responsible for this payment, they should visit a website to validate their bank account. To the untrained eye, the website link – security.hsbc.confirm-systems.com – could conceivably be legitimate, but obviously should on no account be opened. Victims will then be directed to a fake landing page and asked to input their username and password, along with a series of verification steps, on a fraudulent website that uses HSBC branding. The site will also try to weed out specific account details and other personally identifiable financial information (PIFI) from its targets. Griffin Law, which works with a number of accountancy groups and financial support teams in the London area, said it had seen a clear spike in reports of the scam, with almost 50 of its customers telling it they had received the smish so far. A number of them said they did not have any HSBC apps installed on their devices, which suggests the scam is quite indiscriminate in its targeting.

Card Skimmer Found Hitting Vulnerable E-Commerce Sites

Despite the large pool of potential targets, Malwarebytes has only been able to identify a few victims. "We found over a dozen websites that range from sports organizations, health, and community associations to (oddly enough) a credit union. They have been compromised with malicious code injected into one of their existing JavaScript libraries," Segura says. Some historical evidence of other victims who have been hit in the past was uncovered as part of his research, he says, but they have since been remediated. The total number of targets number is not available. The skimmer steals payment card numbers and tries to also swipe passwords, although the latter activity is not correctly implemented and does not always work, according to Malwarebytes. Segura says the skimmer is not that different from others currently operating in how it collects and exfiltrates data. The novelty is that it was only found on ASP.NET websites. "The skimmer is embedded in an existing JavaScript library used by a victim site. There are variations on how the code is structured but overall, it performs the same action of contacting remote domains belonging to the threat actor," Segura says.

MongoDB is subject to continual attacks when exposed to the internet

After seeing how consistently database breaches were occurring, Intruder planted honeypots to find out how these attacks happen, where the threats are coming from, and how fast it takes place. Intruder set up a number of unsecured MongoDB honeypots across the web, each filled with fake data. The network traffic was monitored for malicious activity and if password hashes were exfiltrated and seen crossing the wire, this would indicate that a database was breached. The research shows that MongoDB is subject to continual attacks when exposed to the internet. Attacks are carried out automatically and indiscriminately and on average an unsecured database is compromised less than 24 hours after going online. ... Attacks originated from locations all over the globe, though attackers routinely hide their true location, so there’s often no way to tell where attacks are really coming from. The fastest breach came from an attacker from Russian ISP Skynet and over half of the breaches originated from IP addresses owned by a Romanian VPS provider.

How data is fundamental to manufacturing’s digital transformation

The key to creating and deploying an effective data strategy comes down to three factors: sponsorship, a standardised platform and robust governance. Sponsorship is vital, according to Greg Hanson, particularly in larger organisations where buy-in can be more difficult to achieve. “Additionally, the successful deployment of that strategy requires engagement with the organisation as a whole, and a cultural acceptance of responsibility regarding data given GDPR and privacy laws,” he added. Helping to drive this combination of board-level sponsorship and enterprise-wide engagement are Chief Data Officers, newly-created executive roles tasked with deploying and monitoring the effectiveness of data strategies and the adoption of modern, cloud-based architectures – the foundation of many industrial digital transformation initiatives. “There are so many technologies readily available in the cloud space now that companies face the risk of ‘cloud sprawl’ which degrades the impact of their digital transformation and data management,” Hanson continued.

Quote for the day:

''Leadership occurs any time you attempt to influence the thinking, development of beliefs of somebody else." -- Dr. Ken Blanchard

No comments:

Post a Comment