Daily Tech Digest - October 07, 2020

Tips To Strengthen API Security

Plugging the holes above is a good start. However, these are only defensive measures against known patterns; they don't help you guard against more nuanced attack types. Ideally, security systems should stop cyberattacks before they even get started. Yet Eliyahu recognizes a big gap in how APIs are monitored. Organizations “don’t have proper tools to know who is looking for vulnerabilities,” he said. “Tools are typically not that advanced. They mainly look for injections and known patterns.” Imagine a hacker probing an API. They will likely do so by trial and error, testing undocumented endpoints, sending malformed requests and so on. “They need to probe for hours or days before they find something,” said Eliyahu. If an AI could detect these odd attempts in minutes or seconds, IT could significantly reduce risk. Security solutions should thus leverage big data and AI to create baselines of typical behavior, then deter malicious activity the millisecond any nefarious probing begins. Eliyahu said such a security AI must consider dozens of behaviors, such as: How is the API being accessed? What parameters are being used? What are the relationships between parameters? What is the flow of API calls? What type of data can be exposed?
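The behaviors Eliyahu lists (how the API is accessed, which parameters are used, the flow of calls) can be turned into a simple baseline-and-score detector. The Python below is an added illustration written for this digest, not code from the article or from any vendor it mentions; the log records, the signal weights and the threshold of 10 are all constructed assumptions. It learns the endpoint and parameter-combination baseline from normal traffic, then scores each client over a window so that a client feeling around for undocumented endpoints, unexpected methods or malformed inputs stands out within a handful of requests rather than after hours of probing:

```python
from collections import Counter, defaultdict
from typing import Dict, FrozenSet, NamedTuple, Set, Tuple


class Request(NamedTuple):
    client: str                # API key / service identity making the call
    method: str
    path: str
    params: Tuple[str, ...]    # parameter *names* only; values are not part of the baseline
    status: int


class Baseline(NamedTuple):
    endpoints: Set[Tuple[str, str]]                          # (method, path template) seen in normal use
    param_sets: Dict[Tuple[str, str], Set[FrozenSet[str]]]   # parameter combinations per endpoint


# Behaviours from the article mapped to signals; the weights are constructed, tune them on real traffic.
SIGNAL_WEIGHTS = {
    "unknown_endpoint": 3,   # method/path never seen in the baseline (probing undocumented endpoints)
    "novel_params": 2,       # known endpoint called with a parameter combination never seen before
    "malformed": 2,          # server rejected the request as malformed (400/422)
    "forbidden": 2,          # authentication or authorisation failure (401/403)
    "not_found": 1,          # 404s; a few are normal, many in a row look like enumeration
}


def normalize_path(path: str) -> str:
    """Collapse numeric segments so /v1/orders/123 and /v1/orders/987 map to one template."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def build_baseline(records) -> Baseline:
    """Learn which endpoints and parameter combinations make up normal traffic."""
    endpoints = set()
    param_sets = defaultdict(set)
    for r in records:
        key = (r.method, normalize_path(r.path))
        endpoints.add(key)
        param_sets[key].add(frozenset(r.params))
    return Baseline(endpoints, dict(param_sets))


def score_request(baseline: Baseline, r: Request) -> Counter:
    """Return the probing signals a single request triggers against the baseline."""
    signals = Counter()
    key = (r.method, normalize_path(r.path))
    if key not in baseline.endpoints:
        signals["unknown_endpoint"] += 1
    elif frozenset(r.params) not in baseline.param_sets[key]:
        signals["novel_params"] += 1
    if r.status in (400, 422):
        signals["malformed"] += 1
    elif r.status in (401, 403):
        signals["forbidden"] += 1
    elif r.status == 404:
        signals["not_found"] += 1
    return signals


def detect_probing(baseline: Baseline, window, threshold: int = 10):
    """Aggregate signals per client over a window; return clients whose weighted score reaches the threshold."""
    per_client = defaultdict(Counter)
    for r in window:
        per_client[r.client].update(score_request(baseline, r))
    flagged = {}
    for client, signals in per_client.items():
        score = sum(SIGNAL_WEIGHTS[name] * n for name, n in signals.items())
        if score >= threshold:
            flagged[client] = (score, signals)
    return flagged


# Constructed sample traffic (not real logs). Baseline: a few well-behaved integrations.
BASELINE_TRAFFIC = [
    Request("app-1", "GET", "/v1/orders", ("page", "limit"), 200),
    Request("app-1", "GET", "/v1/orders/123", (), 200),
    Request("app-2", "POST", "/v1/orders", ("sku", "qty"), 201),
    Request("app-2", "GET", "/v1/orders", ("page", "limit"), 200),
    Request("app-1", "GET", "/v1/me", (), 200),
] * 20

# Constructed detection window: one normal client and one client feeling around the API.
WINDOW_TRAFFIC = [
    Request("app-1", "GET", "/v1/orders", ("page", "limit"), 200),
    Request("app-1", "GET", "/v1/orders/987", (), 200),
    Request("app-1", "GET", "/v1/orders/555", (), 404),                        # stale id, benign
    Request("scanner", "GET", "/v1/admin", (), 404),                           # undocumented endpoint
    Request("scanner", "GET", "/v1/internal/users", (), 404),
    Request("scanner", "GET", "/v1/orders", ("page", "limit", "debug"), 200),  # extra parameter
    Request("scanner", "GET", "/v1/orders", ("page", "limit", "admin"), 400),
    Request("scanner", "PUT", "/v1/orders/1", ("status",), 403),               # unexpected method
    Request("scanner", "GET", "/v1/orders/not-a-number", (), 400),             # malformed id
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_TRAFFIC)
    for client, (score, signals) in detect_probing(base, WINDOW_TRAFFIC).items():
        print(f"{client}: score={score} signals={dict(signals)}")
```

On the constructed window the scanner reaches a score of 24 after nine requests while the legitimate client, whose single 404 is scored but stays far below the threshold, is not flagged. In a real deployment the baseline would be rebuilt periodically from gateway logs, the window would be time-bounded, and the relationships between parameters and the order of calls (the flow Eliyahu mentions) would be added as further signals using the same scoring shape.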


UK, French, Belgian blanket spying systems ruled illegal by Europe’s top court

In layman’s terms that means that a government can’t build a massive database of what everyone does and then query it later while investigating a case. Instead, they will need to carry out targeted surveillance and data retention - identifying specific people or accounts or phone numbers - and have a court review those requests to make sure they are not overly broad. The ruling is significant because it directly addresses the issue of national security - something that has been used for years to bypass existing personal data protection legislation - and states categorically that EU privacy laws still apply in such circumstances, almost always. The decision includes a specific carve-out when it comes to national security, noting that “in situations where a Member State is facing a serious threat to national security that proves to be genuine and present or foreseeable, that Member State may derogate from the obligation to ensure the confidentiality of data relating to electronic communications by requiring, by way of legislative measures, the general and indiscriminate retention of that data for a period that is limited in time to what is strictly necessary, but which may be extended if the threat persists.”


New Flaws in Top Antivirus Software Could Make Computers More Vulnerable

According to a report published by CyberArk researcher Eran Shimony today and shared with The Hacker News, the high privileges often associated with anti-malware products render them more vulnerable to exploitation via file manipulation attacks, resulting in a scenario where malware gains elevated permissions on the system. The bugs impact a wide range of antivirus solutions, including those from Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira, and Microsoft Defender, each of which has been fixed by the respective vendor. Chief among the flaws is the ability to delete files from arbitrary locations, allowing the attacker to delete any file in the system, as well as a file corruption vulnerability that permits a bad actor to eliminate the content of any file in the system. Per CyberArk, the bugs result from the default DACLs (short for Discretionary Access Control Lists) for the "C:\ProgramData" folder of Windows, which is used by applications to store data for standard users without requiring additional permissions. Given that every user has both write and delete permission on the base level of the directory, it raises the likelihood of a privilege escalation when a non-privileged process creates a new folder in "ProgramData" that could be later accessed by a privileged process.
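The condition CyberArk describes, a vendor subfolder under "C:\ProgramData" that simply inherits the directory's default DACL and so stays writable by every local user, is something a defender can audit with the output of the built-in `icacls` tool. The Python below is an added example written for this digest, not CyberArk's tooling or anything from the affected vendors; it parses the text `icacls <folder>` prints and reports access control entries that give a low-privilege principal create or delete rights. The two sample outputs are constructed, modelled on the icacls text format, with the first showing a folder that inherited ProgramData's defaults (note the `(I)` flags) and the second a folder whose vendor replaced them with an explicit read-only grant for Users:

```python
import re
from typing import List, NamedTuple

# Principals every local user maps to; write rights granted here are effectively world-writable.
LOW_PRIV_PRINCIPALS = {
    r"BUILTIN\Users",
    "Everyone",
    r"NT AUTHORITY\Authenticated Users",
    r"NT AUTHORITY\INTERACTIVE",
}
# icacls right tokens that allow adding, replacing or deleting directory content.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "DE", "DC"}
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

_ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<perm>(?:\([^)]*\))+)$")


class Ace(NamedTuple):
    principal: str
    flags: frozenset   # inheritance flags such as (OI)(CI)(IO)
    rights: frozenset  # access rights such as F, RX, WD, AD


class Finding(NamedTuple):
    principal: str
    write_rights: frozenset
    inherit_only: bool   # (IO): applies to objects created below, not to the folder itself


def parse_icacls(path: str, output: str) -> List[Ace]:
    """Parse the text printed by `icacls <path>` into ACEs.

    icacls prints the path once on the first line followed by the first ACE, then one
    indented ACE per line. The caller knows which path it queried, so it is stripped here.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = _ACE_RE.match(line)
        if not m:            # blank line or the trailing "Successfully processed" summary
            continue
        flags, rights = set(), set()
        for group in re.findall(r"\(([^)]*)\)", m.group("perm")):
            for token in group.split(","):
                (flags if token in INHERITANCE_FLAGS else rights).add(token)
        aces.append(Ace(m.group("principal"), frozenset(flags), frozenset(rights)))
    return aces


def find_low_priv_write(path: str, output: str) -> List[Finding]:
    """Report ACEs that let any local user create or delete content under `path`."""
    return [
        Finding(ace.principal, ace.rights & WRITE_RIGHTS, "IO" in ace.flags)
        for ace in parse_icacls(path, output)
        if ace.principal in LOW_PRIV_PRINCIPALS and ace.rights & WRITE_RIGHTS
    ]


VENDOR_A_PATH = r"C:\ProgramData\VendorA"
# Constructed sample: a subfolder that inherited ProgramData's default DACL unchanged.
VENDOR_A_ICACLS = r"""
C:\ProgramData\VendorA BUILTIN\Administrators:(I)(OI)(CI)(F)
                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Users:(I)(OI)(CI)(RX)
                       BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
"""

VENDOR_B_PATH = r"C:\ProgramData\VendorB"
# Constructed sample: the vendor set an explicit ACL with a read-only grant for Users.
VENDOR_B_ICACLS = r"""
C:\ProgramData\VendorB NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                       BUILTIN\Administrators:(OI)(CI)(F)
                       BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, output in ((VENDOR_A_PATH, VENDOR_A_ICACLS), (VENDOR_B_PATH, VENDOR_B_ICACLS)):
        findings = find_low_priv_write(path, output)
        verdict = "user-writable" if findings else "ok"
        print(f"{path}: {verdict} {[ (f.principal, sorted(f.write_rights)) for f in findings ]}")
```

On a real host the input would come from running `icacls` against each subfolder of ProgramData and feeding the captured text to `find_low_priv_write`; a finding for `BUILTIN\Users` with `WD`/`AD` (add file, add subdirectory) on a folder that a SYSTEM-level service later reads or writes is exactly the pattern the report warns about, and the fix on the vendor side is an explicit DACL on that folder rather than reliance on the inherited default.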


How organizations can maintain a third-party risk management program from day one

First and foremost, we really took our time to hire subject matter experts in our industry. We’ve got lots of practitioners that have years and years and years of governance risk and compliance expertise. They’ve run third-party risk programs for some of the largest banks and financial institutions in the world. They’ve run risk programs at heavily regulated industries. Our people, first and foremost, are a huge differentiator. Number two, our products. It’s incredibly configurable, incredibly easy to use. But that’s such a common thing that folks claim. I actually like to say it’s easy to administrate. Some of the platforms that, if you will, we compete with. You can do those things, but you need to pay IT developers or other developers or even the company that you purchase the system from, to configure it for you. From our perspective, we like to empower our clients to really run the programs and configure the applications on their own. And so, from that perspective, I like to say, ease of administration. It’s also easy to use. First and foremost, not just for our clients, but for the vendors. So, think about it, if you’re an important vendor in a vertical like financial services, you’re getting a million of these questionnaires.


Game Development with .NET

All the .NET tools you are used to also work when making games. Visual Studio is a great IDE that works with all .NET game engines on Windows and macOS. It provides world-class debugging, AI-assisted code completion, code refactoring, and cleanup. In addition, it provides real-time collaboration and productivity tools for remote work. GitHub also provides all your DevOps needs. Host and review code, manage projects, and build software alongside 50 million developers with GitHub. The .NET game development ecosystem is rich. Some of the .NET game engines depend on foundational work done by the open-source community to create managed graphics APIs like SharpDX, SharpVulkan, Vulkan.NET, and Veldrid. Xamarin also enables using platform native features on iOS and Android. Beyond the .NET community, each game engine also has its own community and user groups you can join and interact with. .NET is an open-source platform with over 60,000 contributors. It’s free and a solid stable base for all your current and future game development needs. Head to our new Game Development with .NET site to get an overview of what .NET provides for you when making games. If you have never used Unity, get started with our step-by-step Unity get-started tutorial and script with C# as quickly as possible.


Suspected Chinese Hackers Unleash Malware That Can Survive OS Reinstalls

The company discovered the UEFI-based malware on machines belonging to two victims. It works to create a Trojan file called "IntelUpdate.exe" in the Startup Folder, which will reinstall itself even if the user finds it and deletes it. "Since this logic is executed from the SPI flash, there is no way to avoid this process other than eliminating the malicious firmware," Kaspersky Lab said. The malware's goal is to deliver other hacking tools on the victim’s computer, including a document stealer, which will fetch files from the “Recent Documents” directory before uploading them to the hacker’s command and control server. Kaspersky Lab refrained from naming the victims, but said the culprits have been going after computers belonging to “diplomatic entities and NGOs in Africa, Asia, and Europe.” All the victims have some connection to North Korea, be it through non-profit activities or an actual presence in the country. While looking over the malware’s computer code, Kaspersky Lab also noticed the processes can reach out to a command and control server previously tied to a suspected Chinese state-sponsored hacking group known as Winnti. In addition, the security firm found evidence the creators behind the malware used the Chinese language while programming the code.


Q&A on the Book Infinite Gamification

There are two types of gaming to consider here - either they are cheating or they have found a cheap way to score points, a loophole in our program design. For cheats, the best way to deal with this is to have a clear set of rules and principles you expect players to follow; then if you find someone cheating you can call them up and explain they are not acting according to the stated rules of the program. In most cases, the person will desist, but sometimes you do need to enforce the ultimate sanction of kicking them off the program. The second type of gaming, finding cheap ways to score points, is for you to fix. The principle here is “don’t blame the gamer, blame the game”. There are lots of techniques you can use - making that activity less valuable, capping the number of points they can earn with that activity, and so on. The book lists these. In order to do this though you need to have framed your program as one that will iterate over time. Too many gamification programs are launched as if these are the final rules and nothing can change - this is a recipe for disaster; most programs aren’t right the first time around. Human nature being what it is, by leaving room to evolve the program, you give yourself the flexibility to get it right over time.


How to Survive a Crisis with AI-Driven Operations

As an enterprise turns to AI during a crisis -- whether for predictive sales modelling or automating customer-center operations -- leaders must prioritize developing employees’ core competencies around AI. Employees skilled in AI will of course be needed to develop and operate the new automation advancements, but the benefit extends beyond this. AI-skilled employees can be tapped to create a roadmap on how to best leverage the technology to drive business value in times of crisis. Organizations should consider developing internal reskilling and upskilling programs or using third-party learning platforms to help employees develop AI specializations. Employees can also be instrumental in galvanizing coworkers to readily adopt new AI technology, accelerating adoption rates as an organization looks to quickly scale up the technology across the business to adjust operations in response to a crisis. Enterprises need a clear data strategy around data governance in order to scale up AI quickly and successfully. Ensuring they have a clear set of repeatable protocols and methodologies in place to help them execute that strategy effectively is critical, so leaders don’t have to worry about compliance as they scale up AI in the face of a crisis.


5 blockchain use cases in finance that show value

Financial institutions traditionally work as intermediaries moving payments between different entities, which involves complex and time-consuming processes that add friction to transactions. Blockchain can streamline these processes -- notably reconciliation as well as clearing and settlement -- by removing the friction, thereby reducing the time and cost that financial institutions incur. For example, in April 2020 European financial technology company SIA launched a blockchain infrastructure to enable the Spunta Banca DLT, a private permissioned distributed ledger technology-based project for interbank reconciliation that is promoted by the Italian Banking Association (ABI) and coordinated and implemented by ABI Lab, a banking research and innovation center. "The reconciliation process for interbank transactions in Italy -- formerly governed by the spunta process -- has been notoriously complex," said Charley Cooper, managing director at R3, an enterprise blockchain technology company. "With multiple parties involved, the task of identifying and addressing inconsistencies has historically been hampered by a lack of standardization, the use of piecemeal and fragmented communication methods and no single version of the truth," he added.


Cloud data management – the post-Covid future of data protection for MSPs

The dynamic changes in 2020 have emphasized just how much MSPs need to be on the front foot with innovative data management solutions. And those that are pivoting to cloud data management are seeing both a boost in their revenue and an ability to Covid-proof operations. After all, customers with on-site solutions may not be able to get an engineer visit in person. Companies are shrinking, or growing, rapidly, and need to be able to scale up or down accordingly – without hitting the bottom line. And for remote users the expectation is that they can work wherever they need to, whenever they need to. The only way MSPs can help companies meet these challenges is with cloud data management. ... Unify complex data: With a one-stop cloud data management platform, MSPs can stream customers' backup, archive and DR data, while offering invaluable insight into entire data estates. This enables them to gain borderless visibility of all critical data, structured and unstructured - from a single control center in real time. Importantly this includes Microsoft 365 and G Suite data. Eliminate downtime: Modern solutions now instantly restore individual files or whole systems, using user-driven recovery methods.



Quote for the day:

"Distinguished leaders impress, inspire and invest in other leaders." -- Anyaele Sam Chiyson
