Daily Tech Digest - December 10, 2020

Hackers hide web skimmer inside a website's CSS files

Places where web skimmers have been found in the past include inside images such as those used for site logos, favicons, and social media networks; appended to popular JavaScript libraries like jQuery, Modernizr, and Google Tag Manager; or hidden inside site widgets like live chat windows. The latest of these odd places is, believe it or not, CSS files. Standing for cascading style sheets, CSS files are used inside browsers to load rules for stylizing a web page's elements with the help of the CSS language. These files usually contain code describing the colors of various page elements, the size of the text, padding between various elements, font settings, and more. However, CSS is not what it was in the early 2000s. Over the past decade, the CSS language has grown into an incredibly powerful utility that web developers are now using to create powerful animations with little to no JavaScript. One of the recent additions to the CSS language was a feature that would allow it to load and run JavaScript code from within a CSS rule. Willem de Groot, the founder of Dutch security firm Sanguine Security (SanSec), told ZDNet today that this CSS feature is now being abused by web skimmer gangs.

The Line Between Physical Security & Cybersecurity Blurs as World Gets More Digital

For manufacturers, the importance of forcing users to change default credentials before first use has never been higher. The Mirai botnet, one of the most well-known and successful pieces of malware in history, infected millions of connected devices across the globe by exploiting common default username/password combinations. While manufacturers have been aware of the importance of changing default passwords, we are now seeing mechanisms being put in place to ensure a device doesn't function until the password is changed. Going even further, some states, including California, have reinforced that knowledge with legislation mandating their use. Similarly, integrators must be able to keep devices protected during and after the installation process, avoiding the sort of misconfigurations that cyberattackers are known to exploit. IT departments and users themselves also bear a degree of responsibility when it comes to securing their devices by installing product updates and patches in a timely manner. Organizations must ensure that their employees understand the importance of protecting every device on the network, while also effectively vetting the security knowledge and capabilities of both their manufacturer and integrator partners.

5 big and powerful Python web frameworks

At its core, CubicWeb provides basic scaffolding used by every web app: a “repository” for data connections and storage; a “web engine” for basic HTTP request/response and CRUD actions; and a schema for modeling data. All of this is described in Python class definitions. To set up and manage instances of CubicWeb, you work with a command-line tool similar to the one used for Django. A built-in templating system lets you programmatically generate HTML output. You can also use a cube that provides tools for web UIs, such as that for the Bootstrap HTML framework. Although CubicWeb supports Python 3 (since version 3.23), it does not appear to use Python 3’s native async functionality. ... Django has sane and safe defaults that help shield your web application from attack. When you place a variable in a page template, such as a string with HTML or JavaScript, the contents are not rendered literally unless you explicitly designate the instance of the variable as safe. This by itself eliminates many common cross-site scripting issues. If you want to perform form validation, you can use everything from simple CSRF protection to full-blown field-by-field validation mechanisms that return detailed error feedback.

Myth vs. reality: a practical perspective on quantum computing

Developers and researchers want to ensure they invest in languages and tools that will adapt to the capabilities of more powerful quantum systems in the future. Microsoft’s open-source Quantum Intermediate Representation (QIR) and the Q# programming language provide developers with a flexible foundation that protects their development investments. QIR is a new Microsoft-developed intermediate representation for quantum programs that is hardware and language agnostic, so it can be a common interface between many languages and target quantum computation platforms. Based on the popular open-source LLVM intermediate language, QIR is designed to enable the development of a broad and flexible ecosystem of software tools for quantum development. As quantum computing capabilities evolve, we expect large-scale quantum applications will take full advantage of both classical and quantum computing resources working together. QIR provides full capabilities for describing rich classical computation fully integrated with quantum computation. It’s a key layer in achieving a scaled quantum system that can be programmed and controlled for general algorithms.

A newly-described 'blockchain denial of service' attack could convince miners to stop minin

The attack works by targeting the system’s reward system in a way that discourages miner participation. Specifically, the attacker publishes a proof to the blockchain that signals to other miners that the attacker holds a mining advantage. The researchers found that what they define as “rational” miners will stop mining if they detect that they are at a disadvantage. “If the profitability decrease is significant enough so that all miners stop mining, the attacker can stop mining too,” they write. “The blockchain thus grinds to a complete halt.” The study authors add: “We find that Bitcoin’s vulnerability to BDoS increases rapidly as the mining industry matures and profitability drops.” According to Ittay Eyal, a senior lecturer at Technion who co-authored the study, BDoS attacks are different from a type of attack called selfish mining, in which the attacker manipulates the system to get more than their fair share of rewards. In a BDoS attack, the attacker’s aim is to take down a proof-of-work cryptocurrency rather than reap rewards. Eyal said the findings of the study pertain specifically to Bitcoin, but that’ it’s likely there are similar attacks against Ethereum. The researchers have not gathered any concrete results on this yet, he said.

Zscaler CEO: Network Security Is Dead. Long Live SASE

The security vendor started as a secure web gateway provider before adding firewall and zero-trust network access. It then it added out-of-band cloud access security broker (CASB) capabilities to its platform, all of which positioned it perfectly to dive into SASE when Garter coined the term last year. Earlier this year, Zscaler also acquired Edgewise Networks to add that company’s zero-trust networking and application microsegmentation technologies to its platform, which also give it a SASE boost. SASE, according to Gartner, consolidates networking and security capabilities into an edge cloud-delivered service. While Zscaler arguably provides a best-of-breed SASE security stack, it doesn’t own a networking piece. Instead, Zscaler partners with all of the SD-WAN vendors including VMware, and, in fact, VMware CEO Pat Gelsinger joined Chaudhry for a video appearance during the virtual keynote to tout the two companies’ SASE partnership. When asked if Zscaler plans to continue partnering with SD-WAN vendors to provide a full SASE architecture or acquire SD-WAN to provide its own networking capabilities, Chaudhry said there’s no reason for Zscaler to provide SD-WAN. “We believe that the notion that SASE means networking and security coming together is a misinterpretation of it,” the exec said.

Soft PLCs: The industrial innovator’s dilemma

Industrial control has come a long way from being bulky, maintenance heavy relay-based systems in the 1960s to today’s high-speed processor-based programmable logic controllers (PLCs). What began as a basic attempt to replace relay control quickly transformed as the foundation of modern industrial control and automation.  The introduction of Windows in 1985 spawned the first wave of soft PLCs which manifested themselves in PC-based control systems. The engineering community quickly saw the benefits of combining PLC control and HMI in one box – the PC. Several Windows-based control systems emerged in the 1990’s (e.g. ASAP, Think and Do, Steeplechase Software and Wonderware), but none managed to gain sustained traction in the marketplace. “Blue screens of death” raised questions about the reliability of these systems, and the lack of virtualization / containerization technologies made it difficult to efficiently run multiple workloads (e.g. HMI and control) on a single box. Fast forward to 2020, and the value proposition of PC-based control is much stronger than it was in the 90’s as the maturation of Linux operating systems, virtualization technologies and low-cost edge computing hardware have addressed many of the early issues that plagued the first wave of PC-based control systems.

As Ransomware Booms, Are Cyber Insurers Getting Cold Feet?

Constant innovation is one factor, as ransomware operations have continued to refine their business strategies, including exfiltrating and leaking stolen data, using affiliate programs to boost their reach, and even hiring call centers to run boiler-room operations to pressure victims to pay. In Q3, the average ransom payment - when a victim paid - was $233,817, which was an increase of 31% from the previous quarter, reports ransomware incident response firm Coveware. Gangs' successes carry an obvious cost for victims who pay; their criminal profits put a drain on someone else's budget. When victims do pay a ransom, some will remit it entirely from their own coffers. But many organizations now carry cyber insurance with ransomware or extortion protection. As ransomware payouts have risen, however, insurance providers' profits have been taking a dive. Accordingly, some insurers now appear to be "attempting to shelter themselves from these losses, either by excluding extortion events from standard cyber insurance coverage or by introducing onerous new conditions on policyholders," the Seriously Risky Business newsletter reported last week. Experts across the security and insurance industries say that, with ransomware racking up record profits, there's little chance of it abating anytime soon.

Agile is changing software development. Here's how one company made the switch

At Capital One, Soule has helped the bank move away from legacy ways of working and towards an investment in software engineering capability and Agile methodologies. It's a long-term rebalancing act that has seen the company adopt close-knit development teams with clear and concise deliverables. "Changing little and often is now a reality for this organisation," he says. "That change is the mark of the difference between large, monolithic Waterfall delivery of implementations to open-source software, delivered incrementally in feature form on existing products. We've converted most of our IT spending on assets into people. That's been a stellar story." Back in 2014, there were 30 engineers – most of them infrastructure engineers – working for Capital One Europe. Today, there's as many as 300 engineers in the UK business alone. The vast majority are software engineers, compared to just a few six years ago. Soule says this transformation to Agile working has had a "game-changing" impact on the delivery of applications to customers. In the old Waterfall-based way of working, systems and services would take years of effort and millions of pounds to create. These big projects, says Soule, consumed resources and meant other interesting innovations fell by the wayside: "Often other things didn't get done because all the focus of the development engine was on that one big thing."

Why DSLs? A Collection of Anecdotes

Domain-specific languages rely on a different approach. They allow the domain expert to specify the behavior of the software directly. The transformation from unstructured thought to executable specification happens in their brains. The executable specifications - or models - created this way are then automatically transformed into "real" source code by machinery developed by software engineers. Does this really work? It does under certain conditions. In particular, the language must be suitable for use by non-programmers. The primitives in the language should not be generic to "computation" - such as variables, conditions, loops, functions, monads or classes - but instead be specific to the domain, and therefore meaningful to the user: decision table, treatment step, tax rule or satellite telemetry message definition. The syntax should build on existing notations and conventions used in the domain - tables, symbols, diagrams and text - and not just consist of magenta-colored keywords and curly braces. DSLs are also usually less flexible in the sense that users can only compose new abstractions in very limited ways; while this would be a problem for general-purpose languages, it is a plus for DSLs because it ensures that programs are less complicated and easier for tools to analyze and provide IDE support for.

Quote for the day:

"Successful leadership requires positive self-regard fused with optimism about a desired outcome." -- Warren Bennis

No comments:

Post a Comment