Daily Tech Digest - September 03, 2021

What is a Botnet – Botnet Definition and How to Defend Against Attacks

Building a successful botnet requires thinking about what the goal is, whether it's creating a sustainable business plan, a target audience (whose devices are going to be infected, and what lure would appeal to them?), and processes to ensure the distribution and internal processes are secure. Then, a prospective botnet herder needs to start with a VPN service which takes anonymous forms of payment (possibly several services to rotate between). These services need to be unlikely to quickly hand over customer records and logs to any law enforcement agencies (a 'bulletproof' service). The next step is getting access to 'bulletproof' hosting (either a somewhat legitimate business which is *inefficient* at processing legal complaints or one specifically aimed at malware operators). Then, the herder needs domains from a registrar which will be unlikely to hand over customer information to law enforcement and which accepts anonymous methods of payment. Optionally, a herder can further disguise their activity with a technique like fast flux. Fast flux can either be single or double flux.


Soft Skills For Solution Architects — Moving Beyond Technical Competence

Solution Architects’ ability to Re-Imagine solution design, business processes, and customer journey along with Business Acumen would be one of the most important differentiators. You need to be innovative enough to design & deliver business functions while keeping business constraints, like time, budget, quality, and available human resources, in mind. Solution Architects need to challenge the existing processes and assumptions of the industry and reimagine new processes and the flow for customer journeys. Additionally, they need to possess the ability to emphasize customer experience over technology. Solution Architects need to shift the mindset and ensure that the product/service that the business offers is focused on decoding the needs and demands of their stakeholders rather than boasting a technology that is difficult to traverse through. ... In the past, the Solution Architect role was seen as a bridge between Infra Architect, Network Architect, Security Architect, Storage Architect, Application Architect, and Database Architect.


Low-Code and Open Source as a Strategy

Yes, there is a “but”. For instance, our system needs an existing database. The end application will also be database-centric, implying it’s typically for the most part only interesting for CRUD systems, where CRUD implies Create, Read, Update and Delete. However, the last figures I saw in regards to this was that there are 26 million software developers in the world. These numbers are a bit old, and are probably much larger today than a decade ago when I saw these figures. Regardless, the ratio is probably still the same, and the ratio tells us that 80% of these software developers work as “enterprise software developers.” An enterprise software developer is a developer working for a non-software company, where software is a secondary function. ... This implies that if you adopt Low-Code and Open Source as a strategy for your enterprise, you can optimize the way your software developers work by (at least) 5x, probably much more. Simply because at least 80% of the work they need to do manually is as simple as clicking a button, and waiting for one second for the automation process to deliver its result.


5 Rock-Solid Leadership Strategies That Drive Success

As a leader, one of the most important actions you can take is being fully engaged in your company. All too often, leaders lose touch with the nuts and bolts of their businesses. Many millennials tend to be over-delegators, and they delegate almost every component of their business to the point they are not able to make the right high-level decisions for their business. This is because they lack a clear understanding of what is happening at the ground level. The front-line workers of an organization tend to be the ones who are directly interacting with customers. When leaders rely on their executive team to find out front-line information, there is much that can get lost in translation. A fully engaged leader knows exactly what is happening on the front line of his or her company and doesn’t hide in an ivory tower and rely on others to get a pulse for the business. Full engagement in your company requires discipline as well as humility. A fully engaged CEO is one that regularly communicates directly to the front-line workers and listens carefully.


Bluetooth Bugs Open Billions of Devices to DoS, Code Execution

One of the DoS bugs (CVE-2021-34147) exists because of a failure in the SoC to free resources upon receiving an invalid LMP_timing_accuracy_response from a connected BT device (i.e., a “slave,” according to the paper): “The attacker can exhaust the SoC by (a) paging, (b) sending the malformed packet, and (c) disconnecting without sending LMP_detach,” researchers wrote. “These steps are repeated with a different BT address (i.e., BDAddress) until the SoC is exhausted from accepting new connections. On exhaustion, the SoC fails to recover itself and disrupts current active connections, triggering firmware crashes sporadically.” The researchers were able to forcibly disconnect slave BT devices from Windows and Linux laptops, and cause BT headset disruptions on Pocophone F1 and Oppo Reno 5G smartphones. Another DoS bug (CVE pending) affects only devices using the Intel AX200 SoC. It’s triggered when an oversized LMP_timing_accuracy_request (i.e., bigger than 17 bytes) is sent to an AX200 slave.


9 notable government cybersecurity initiatives of 2021

In January, the US Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC), a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. The CMMC reviews and combines various cybersecurity standards and best practices, mapping controls and processes across several maturity levels that range from basic to advanced cyber hygiene. “For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats,” reads the Office of the Under Secretary of Defense for Acquisition & Sustainment website. “The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.” The CMMC is designed to be cost-effective and affordable for all organizations, with authorized and accredited CMMC third parties conducting assessments and issuing CMMC certificates to DIB companies at the appropriate level.


In-Memory Database Architecture: Ten Years of Experience Summarized

Tarantool also has an ACID transactions mechanism. Arrangements for single-threaded access to data enable us to achieve ‘serializable’ isolation level. When we call Arena, we can write to or read from it, or modify data. All that happens is done consecutively and exclusively in one thread. Two fibers cannot be executed in parallel. As far as interactive transactions are concerned, there is a separate MVCC engine. It makes it possible to execute interactive transactions in serializable mode; however, potential conflicts between transactions will need to be additionally handled. Apart from the Lua access engine, Tarantool has SQL. We have often used Tarantool as a relational database. We realized that we designed the database according to relational principles. We used spaces where SQL used tables. That is, each row is represented by a tuple. We have defined a schema for our spaces. It became clear to us that we can take any SQL engine, and just map primitives and execute SQL on top of Tarantool. In Tarantool, we can invoke SQL from Lua. We can either use SQL directly or call what was defined in Lua from SQL.


Low code cuts down on dev time, increases testing headaches

Ironically, the draw of low-code for many companies is that it allows anyone to build applications, not just developers. But when bugs arise citizen developers might not have the expertise needed to resolve those issues. “Low-code solutions that are super accessible for the end-user often feature code that’s highly optimized or complicated for an inexperienced coder to read,” said Max de Lavenne, CEO of Buildable, a custom software development firm. “Low-code builds will likely use display or optimization techniques that leverage HTML and CSS to their full extent, which could be more than the average programmer could read. This is especially true for low-code used in database engineering and API connections. So while you don’t need a specialized person to test low-code builds, you do want to bring your A-team.” According to Isaac Gould, research manager at Nucleus Research, a technology analyst firm, a citizen developer should be able to handle testing of simple workflows. Eran Kinsbruner, DevOps chief evangelist at testing company Perforce Software, noted that there could be issues when more advanced tests are needed. 


Digital transformation – it’s a people problem

Reinbold says that it is vital to “shrink the change you’re trying to accomplish” once momentum towards change has been achieved: “I’ve seen way too many efforts, declare some grandiose, ‘burn the boats’ type of initiatives like, ‘Everybody, for all time, is going to do this thing and only this thing’. “And as you might imagine, the amount of pushback to something like that is as absolutely proportional to the size of the change that is being asked for. It might be necessary, but in order to get traction, you have to build positive momentum.” His advice? Start with the uncontroversial stuff: “Ratify your process, whatever the means is – for getting that thing accepted and communicated and monitored and policed – whatever that tiny thing is, have it be uncontroversial because you’re still figuring out how all of this works. ... The next step would be to script the critical moves. Your transformation efforts may make great viewing at 50,000 feet, but for employees in the trenches who might not understand where they are and where they need to be, the work they’re doing towards change could be confusing – and it might not make sense in their view.


Critical infrastructure today: Complex challenges and rising threats

Critical infrastructure systems face twin burdens of often having fewer resources to invest in cybersecurity, and the very critical nature of their operations, which attract adversaries and focus attention on any disruptions. When combined with the increasing connectivity of these resources and assets, organizations find themselves in a tough spot where they are targeted more often by adversaries ranging from criminal elements to state-directed entities. Low margins for error, high visibility (when systems fail or are compromised), and poor resourcing combine to make a complex defensive picture. ... Overall, current efforts appear to move the sector in the right direction by increasing focus and making resources available for defense. Where matters get tricky is the distinction between government-directed efforts and privately-owned infrastructure operators. Ultimately, government action short of legal mandates or similar actions will only go so far in addressing issues absent actions from critical infrastructure asset owners and operators. 



Quote for the day:

"The ability to summon positive emotions during periods of intense stress lies at the heart of effective leadership." -- Jim Loehr
