Daily Tech Digest - November 24, 2021

The Importance of IT Security in Your Merger Acquisition

There is no question that cybersecurity risks and threats are growing exponentially. A report from Cybersecurity Ventures estimated a ransomware attack on businesses would happen every 11 seconds in 2021. Global ransomware costs in 2021 would exceed $20 billion. It seems there are constantly new reports of major ransomware attacks, costing victims millions of dollars. Earlier this year, the major ransomware attack on Colonial Pipeline resulted in disruptions that caused fuel shortages all over the East Coast of the United States. It helped to show that ransomware attacks on critical service companies can lead to real-world consequences and widespread disruption. This world of extreme cybersecurity risks serves as the backdrop for business acquisitions and mergers. A Gartner report estimated that 60% of organizations that were involved in M&A activities consider cybersecurity as a critical factor in the overall process. In addition, some 73% of businesses surveyed said that a technology acquisition was the top priority for their M&A activity, and 62% agreed there was a significant cybersecurity risk by acquiring new companies.


The Language Interpretability Tool (LIT): Interactive Exploration and Analysis of NLP Models

LIT supports local explanations, including salience maps, attention, and rich visualizations of model predictions, as well as aggregate analysis including metrics, embedding spaces, and flexible slicing. It allows users to easily hop between visualizations to test local hypotheses and validate them over a dataset. LIT provides support for counterfactual generation, in which new data points can be added on the fly, and their effect on the model visualized immediately. Side-by-side comparison allows for two models, or two individual data points, to be visualized simultaneously. More details about LIT can be found in our system demonstration paper, which was presented at EMNLP 2020. ... In order to better address the broad range of users with different interests and priorities that we hope will use LIT, we’ve built the tool to be easily customizable and extensible from the start. Using LIT on a particular NLP model and dataset only requires writing a small bit of Python code. 


How software development will change in 2022

Local development environments are now largely the only part of the software development lifecycle that is still done locally on a developer’s computer. Automated builds, staging environments and running production applications have largely moved from local computers to the cloud. Microsoft and Amazon have both been working hard on addressing this challenge. In August this year, Microsoft released GitHub Codespaces to general availability. GitHub Codespaces offers full development environments that can be accessed using just a web browser and that start in seconds. The service allows technology teams who store their code in Microsoft’s GitHub service to develop using its Visual Studio Code editor fully in the cloud. Amazon also has its own solution to this problem, with AWS Cloud9 allowing developers to edit and run their code from the cloud. Startups have also been created to address this problem – in April, Gitpod announced it had raised $13m for its solution to move software development to the cloud.


Microservices — The Letter and the Spirit

Ideally, services don’t interact with each other directly. Instead, they use some integration service to communicate together. This is commonly achieved with a service bus. Your goal here is making each service independent from other services so that each service has everything it needs to start the job and doesn’t care what happens after it completes this job. In the exceptional cases when a service calls another service directly, it must handle the situations when that second service fails. ... Microservices present us with an interesting challenge – on the one hand, the services should be decoupled, yet on the other hand all should be healthy for the solution to perform well, so they must evolve gracefully without breaking the solution. ... There are multiple ways to do versioning; any convention would do. I like the three-digit semantic versioning (0.0.0) as it is widely understood by most developers and it is easy to tell what type of changes the service made by just looking at which digit of the three got updated.


All Roads Lead To OpenVPN: Pwning Industrial Remote Access Clients

OpenVPN was written by James Yonan and is free software, available under the terms of the GNU General Public License version 2 (GPLv2). As a result, many different systems support OpenVPN. For example, DD-WRT, a Linux-based firmware used in wireless routers, includes a server for OpenVPN. Due to its popularity, ease of use, and features, many companies have chosen OpenVPN as part of their solution. It’s a feasible option for organizations that want to create a secure tunnel with a couple of new features. Rather than reinventing the wheel, the company will most likely use OpenVPN as its foundation. In the past year, due to the increased popularity and growing remote workforce, Claroty Team82 was busy researching VPN/remote-access solutions. The majority of them included OpenVPN as part of the secure remote access solution, while the vendor application is a wrapper that manages the OpenVPN instance. After inspecting a couple of such products, we identified a key problem with the way these types of products harness OpenVPN—a problem that, in most cases, can lead to remote code execution just by luring a victim to a malicious website.


Stealthier Version of BrazKing Android Malware Spotted in the Wild

"It turns out that its developers have been working on making the malware more agile than before, moving its core overlay mechanism to pull fake overlay screens from the command-and-control (C2) server in real-time," IBM X-Force researcher Shahar Tavor noted in a technical deep dive published last week. "The malware […] allows the attacker to log keystrokes, extract the password, take over, initiate a transaction, and grab other transaction authorization details to complete it." The infection routine kicks off with a social engineering message that includes a link to an HTTPS website that warns prospective victims about security issues in their devices, while prompting an option to update the operating system to the latest version. ... BrazKing, like its predecessor, abuses accessibility permissions to perform overlay attacks on banking apps, but instead of retrieving a fake screen from a hardcoded URL and presenting it on top of the legitimate app, the process is now conducted server-side so that the list of targeted apps can be modified without making changes to the malware itself.


Common Cloud Misconfigurations Exploited in Minutes, Report

Unit 42 conducted the current cloud-misconfiguration study between July 2021 and August 2021, deploying 320 honeypots with even distributions of SSH, Samba, Postgres and RDP across four regions–North America (NA), Asia Pacific (APAC) and Europe (EU). Their research analyzed the time, frequency and origins of the attacks observed during that time in the infrastructure. To lure attackers, researchers intentionally configured a few accounts with weak credentials such as admin:admin, guest:guest, administrator:password, which granted limited access to the application in a sandboxed environment. They reset honeypots after a compromising event—i.e., when a threat actor successfully authenticated via one of the credentials and gained access to the application. ... The team analyzed attacks according to a variety of attack patterns, including: the time attackers took to discover and compromise a new service; the average time between two consecutive compromising events of a targeted application; the number of attacker IPs observed on a honeypot; and the number of days an attacker IP was observed.
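The four measurements listed above (time to first compromise, mean interval between consecutive compromises, distinct attacker IPs per honeypot, and days an attacker IP was seen), computed over a constructed set of honeypot compromise events. This is an added example, not code or data from the Unit 42 study; honeypot names, timestamps and IPs are made up.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample: deployment time per honeypot, then each successful
# weak-credential login as (honeypot, timestamp, attacker_ip, credential).
# Made-up values; IPs are from documentation ranges, not real attackers.
DEPLOYED = {
    "ssh-na-01": datetime(2021, 7, 1, 0, 0),
    "rdp-eu-01": datetime(2021, 7, 1, 0, 0),
}
EVENTS = [
    ("ssh-na-01", datetime(2021, 7, 1, 0, 17), "203.0.113.5", "admin:admin"),
    ("ssh-na-01", datetime(2021, 7, 1, 1, 40), "198.51.100.9", "guest:guest"),
    ("ssh-na-01", datetime(2021, 7, 2, 3, 10), "203.0.113.5", "admin:admin"),
    ("rdp-eu-01", datetime(2021, 7, 1, 6, 5), "198.51.100.9", "administrator:password"),
]


def time_to_first_compromise(honeypot):
    """Delay from deployment to the first successful login on this honeypot."""
    first = min(ts for hp, ts, _, _ in EVENTS if hp == honeypot)
    return first - DEPLOYED[honeypot]


def mean_gap_between_compromises(honeypot):
    """Average seconds between consecutive compromises of one honeypot
    (each compromise is followed by a reset, as in the study).
    Returns None when fewer than two events exist, since there is no interval."""
    stamps = sorted(ts for hp, ts, _, _ in EVENTS if hp == honeypot)
    if len(stamps) < 2:
        return None
    return mean((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))


def attacker_ips(honeypot):
    """Distinct source IPs that compromised this honeypot."""
    return {ip for hp, _, ip, _ in EVENTS if hp == honeypot}


def days_observed(ip):
    """Number of distinct calendar days on which this attacker IP was seen."""
    return len({ts.date() for _, ts, src, _ in EVENTS if src == ip})


if __name__ == "__main__":
    for hp in DEPLOYED:
        print(hp, time_to_first_compromise(hp), mean_gap_between_compromises(hp),
              sorted(attacker_ips(hp)))
```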


Getting real about DEI means getting personal

Leaders also need to know themselves and their own biases. “We learn biases through the media, family, friends, and educators over time and often don’t realize that they’re causing harm,” Epler explained. She called out her own struggles with nonbinary gender pronouns. I can relate. When you grow up in a Dick-and-Jane world, it isn’t easy to switch pronouns and learn new ones that conflict with grammatical rules that have become baked into your DNA after decades of writing. If you aren’t aware of your biases, they are likely to manifest in microaggressions, if not something worse. “Microaggressions are everyday slights, insults, and negative verbal and nonverbal communications that, whether intentional or not, can make someone feel belittled, disrespected, unheard, unsafe, other, tokenized, gaslighted, impeded, and/or like they don’t belong,” writes Epler in her book. When leaders witness microaggressions, they must defend the people subjected to them.


IT hiring: 5 ways to attract talent amidst the Great Resignation

By now, perhaps your organization has its remote work environment down to a science. Ask yourself what resources you can promote to potential new hires that will instill confidence in their decision to move forward with your company. Especially for recent graduates just entering the workforce, a commitment to help them transition and build success from the start can help move the needle in your organization’s favor. Earlier this year, for example, social media software company Buffer found success by offering new hires $500 to set up their home office. According to one employee engagement blog, Buffer also offers its employees coworking space stipends and internet reimbursement. To increase engagement and productivity, consider what portion of your resources you can allocate to designing a premium onboarding experience for new hires. A strong career growth curve is a must-have for recent grads. Making your career advancement initiatives clear in the early stages of the recruiting process is a win-win for organizations and employees alike.


Report: China to Target Encrypted Data as Quantum Advances

The Booz Allen Hamilton researchers note that since approximately 2016, China has emerged as a major quantum-computing research and development center, backed by substantial policy support at the highest levels of its government. Still, the country's quantum experts have suggested that they remain behind the U.S. in several quantum categories - though China hopes to surpass the U.S. by the mid-2020s. While experts say this is unlikely, China may surpass Western nations in early use cases, the report states. Advancements in quantum simulations, the researchers contend, may expedite the discovery of new drugs, high-performance materials and fertilizers, among other key products. These are areas that align with the country's strategic economic plan, which historically parallels its economic espionage efforts. "In the 2020s, Chinese economic espionage will likely increasingly steal data that could be used to feed quantum simulations," researchers say, though they claim it is unlikely that Chinese computer scientists will be able to break current-generation encryption before 2030. 


Otomi: OSS Developer Self-Service for Kubernetes

The ultimate goal of developer self-service is to have less friction in the development process and ensure that developers can deliver customer value faster. This can be achieved by enabling the separation of concerns for both dev and ops teams. The ops team manages the stack and enforces governance and compliance with security policies and best practices. Dev teams can create new environments on-demand, create and expose services using best practices, use ready-made templatized options, and get direct access to all the tools they need for visibility. Think of it as paving the road towards fast delivery and minimizing risks by providing safeguards and standards. Developers can do what they need to do and do it when they like to. And yes, sometimes not always how they would like to do it. The only challenge here is that building a platform like this takes a lot of time, and not all organizations have the resources to do so. The goal behind the Otomi open-source project was to offer a single deployable package that offers all of this out-of-the-box.


Quote for the day: 

"Leaders who won't own failures become failures." -- Orrin Woodward
