Daily Tech Digest - October 05, 2021

How cloud-native apps and microservices impact the development process

One of the more important coding disciplines in object-oriented programming and SOA is code refactoring. The techniques allow developers to restructure code as they better understand usage considerations, performance factors, or technical debt issues. Refactoring is a key technique for transforming monolithic applications into microservices. Refactoring strategies include separating the presentation layer, extracting business services, and refactoring databases. Robin Yeman, strategic advisory board member at Project and Team, has spent most of her career working on large-scale government and defense systems. Robin concedes, “The largest technology barriers to utilizing agile in building or updating complex legacy systems are the many dependencies in the software architecture, forcing multiple handoffs between teams and delays in delivery.” Robin suggests that refactoring should focus on reducing dependencies. She recommends, “Refactoring the software architecture of large legacy systems to utilize cloud-native applications and microservices reduces dependencies between the systems and the teams supporting them.”


Web3 Architecture and How It Compares to Traditional Web Apps

According to Kasireddy, backend programming for a dapp is entirely different than for a traditional web application. In Web3, she writes, “you can write smart contracts that define the logic of your applications and deploy them onto the decentralized state machine [i.e. the Ethereum blockchain].” Web servers and traditional databases, in this paradigm, are no longer needed — since everything is done on, or around, the blockchain. She notes a bit later in the post that “Smart contracts are written in high-level languages, such as Solidity or Vyper.” Solidity was partly inspired by ECMAScript syntax, so it has some similarities to JavaScript (but is very different in other ways). As for the frontend, that “pretty much stays the same, with some exceptions,” writes Kasireddy. ... There are also complications when it comes to “signing” transactions, which is the cryptographic process that keeps blockchains secure. You need a tool like MetaMask to handle this.


UEFI threats moving to the ESP: Introducing ESPecter bootkit

Even though Secure Boot stands in the way of executing untrusted UEFI binaries from the ESP, over the last few years we have been witness to various UEFI firmware vulnerabilities affecting thousands of devices that allow disabling or bypassing Secure Boot. This shows that securing UEFI firmware is a challenging task and that the way various vendors apply security policies and use UEFI services is not always ideal. Previously, we have reported multiple malicious EFI samples in the form of simple, single-purpose UEFI applications without extensive functionality. These observations, along with the concurrent discovery of the ESPecter and FinFisher bootkits, both fully functional UEFI bootkits, show that threat actors are not relying only on UEFI firmware implants when it comes to pre-OS persistence, but also are trying to take advantage of disabled Secure Boot to execute their own ESP implants. We were not able to attribute ESPecter to any known threat actor, but the Chinese debug messages in the associated user-mode client component lead us to believe with low confidence that an unknown Chinese-speaking threat actor is behind ESPecter.


Business Leadership Changed: The New Skills You Must Master

Strategic plans are important to achieving your vision, but they can't be set in stone either. The pandemic was an unforeseen situation that took all companies in the world by surprise. Consequently, it is important to be ready to turn, change course quickly, and try to affect the entire organization as little as possible. ... People are inherently social creatures. It should come as no surprise then that we long to feel connected to the people we spend most of our time with. So how can we, as business leaders, help these connections occur between employees? Gregg Lederman is a bestselling author focused on employee interaction. After a long investigation he discovered 3 things that people need at work to feel completely fulfilled: The Need for Recognition: People have a need to be recognized for the skill and perspective they bring and for the challenges they have accomplished; The need for respect: People want to be respected for who they are as individuals and professionals and how they contribute to the team; The need for relationships: People want satisfying relationships with the people they work with.


Encrypted & Fileless Malware Sees Big Growth

“This malware family uses PowerShell tools to exploit various vulnerabilities in Windows,” according to the firm. “But what makes it especially interesting is its evasive technique. WatchGuard found that AMSI.Disable.A wields code capable of disabling the Antimalware Scan Interface (AMSI) in PowerShell, allowing it to bypass script security checks with its malware payload undetected.” ... In just the first six months of 2021, malware detections originating from scripting engines like PowerShell had already reached 80 percent of last year’s total script-initiated attack volume. At its current rate, 2021 fileless malware detections are on track to double in volume year over year. “Malicious PowerShell scripts have been known to hide in the memory of the computer and already use legitimate tools, binaries and libraries that come installed on most Windows systems,” explained the report. “That is why attackers have increased their use of this technique, called living off the land (LotL) attacks. Using these methods, a vaporworm might make its script invisible to many antivirus systems that don’t inspect the scripts or systems’ memory.”


What if Chrome broke features of the web and Google forgot to tell anyone?

Earlier this year Chrome developers decided that the browser should no longer support JavaScript dialogs and alert windows when they're called by third-party iframes. That means that if something is embedded from another website, let's say a YouTube video, Chrome wants to stop allowing that embedded content to call the JavaScript alert function, which opens a small alert window. Eventually Chrome aims to get rid of alert windows altogether. So what happens when Chrome does this? At first nothing because it's an obscure entry in a bug tracker – CC'd to the Web Hypertext Application Technology Working Group (WHATWG) – that Chromium and other browser engineers read. ... You know what isn't happening here? No substantial public discussion happens, certainly not with builders of websites. Google puts its idea forward as bug reports, some folks at Apple working on WebKit and at Mozilla working on Firefox are invited to agree with it in a WHATWG GitHub thread and Bugzilla discussion, and they do. Google gets what it wants and the web breaks.


The Shortfalls of Mean Time Metrics in Cybersecurity

As a measurement standard, mean times are a legacy paradigm brought over from call centers many eons ago. Over the years, cybersecurity leaders adopted similar metrics because IT departments were familiar with them. In today's reality, mean times don't map directly to the type of work we do in cybersecurity, and we can't entirely generalize them to be meaningful indicators across the attack lifecycle. While these averages might convey speed relative to specific parts of the attack lifecycle, they don't provide any actionable information other than potentially telling you to hurry up. In the best-case scenario, MTTX becomes a vanity metric that looks great on an executive dashboard but provides little actual business intelligence. ... The fastest MTTX is not worth anything if it measures the creation of an inaccurate alert. We want mean time metrics to tell us about actual alerts, or true positives and not be skewed by bad data. So, you might be thinking, "how does an untuned MTTX tell you about the quality of work your security provider does, or how safe it makes your systems?" 


How Non-Fungible Tokens Work: NFTs Explained, Debunked, and Legitimized

In a real marketplace, even if the property is intellectual property (such as a patent or copyright, whose form can be entirely digital), there will likewise need to be a contractual transfer of the rights to that intellectual property to a new party, with the transfer again having the full endorsement and power of law behind it. For instance, if in making an intellectual property purchase, I acquire the copyright to a picture, even a digital picture, the real market that operates in our society ensures that the transfer is subject to its laws and strictures. Through my purchase, I will own the picture in a real sense and can take legal action against anyone who tries to infringe on my copyright (such as by posting it on a blog without my permission). By contrast, the concept of owning an NFT on a blockchain is specific to the blockchain with no legal force in the society at large. Suppose I snap a digital photo. Because I’m the one who snapped the photo, US law agrees that I own the copyright to it. 


WebAssembly: The Future of Cloud Native Distributed Computing

In its own right, WebAssembly brings new capabilities and additional security features to modern development environments — both in the browser and with cloud native. However, modern cloud native developers are confronted with new challenges, such as CPU diversity, multiple operating environments, security, distributed application architecture, and scalability, that transcend deployments into a single public cloud provider. To understand the modern distributed computing environment, one must consider the rising diversity inside the public cloud, where we see new ARM CPUs challenging the historical dominance of the x86 chipsets, competing on both cost and performance. Traditional enterprise systems typically compile software to a specific development environment including a CPU and an operating system, such as Linux-32 bit, MacOS-ARM64, or Windows-64bit. Looking past the public cloud towards the edge, we find an even more diverse range of execution environments on an assorted set of CPU architectures.


Post-Quantum: Bi-Symmetric Hybrid Encryption System

A significant difference from commonly employed asymmetric encryption is that during the initial handshake to set up communication, no vulnerable data are exchanged. Should the sender key communication be intercepted by a hacker, they still cannot pretend to be the originator of the communication to the receiver. The encryption itself is achieved by randomly generating keys and interweaving them with portions of unencrypted data to be transmitted, applied to single bytes of data rather than long byte collections. During the initial handshake, private keys are generated from or found in the form of login credentials, credit card information, biometric data, or other personal credential information or pre-shared private keys. The private keys are used to start the handshake and are never actually transmitted. Randomly generated data in the form of challenge codes, counter challenge codes and session keys are exchanged during the handshake. This allows the client and server to ascertain that the communicator at the other end is who they say they are.



Quote for the day:

"Leaders who won't own failures become failures." -- Orrin Woodward
