Daily Tech Digest - January 22, 2022

The Rise of the Technical CEO

Today’s environment is a unique one for leaders. Businesses cannot afford for leadership to be focused on just one part of the business—the world is too interconnected and moves too quickly. Which is why we’ve moved onto the era of technologists as CEOs. Every company is a technology company in today’s digital-first world. Industries are constantly being disrupted by the next big thing, which means businesses need modern CEOs that are equally comfortable managing the business as they are with technology. As so many organizations look to navigate digital transformation journeys, having a leader at the helm who understands the importance not just of having technology, but having the right technology, is critical. Technology is a strategic advantage for today’s organizations. Without a leader who can make those nuanced decisions, it’s impossible to create solutions that will be useful for customers. And customers must always be at the center of any CEO’s decisions. Rocket’s solutions touch the lives of so many every day – from withdrawing money from an ATM to swiping your credit card at a convenience store, our technology is critical to ensuring the lives of millions run smoothly.

IT spending trends point to CIO innovation

Forward thinking, meanwhile, will spark an increase in long-term contracts that accommodate three-to-five-year planning horizons. Inflation and the war for talent also encourage extended contract periods, Lovelock noted. Longer-term deals offer CIOs greater certainty regarding cost and the availability of technical skills, he said. The skill shortage will also generate demand for external service providers such as consultants and MSPs. The Gartner forecast shows IT services growing to 7.9% year over year in 2022, hitting $1.3 trillion. The market watcher expects IT services' spending growth to trail only enterprise software, which tops the Gartner forecast with a projected 11% year-over-year increase. Business and technology consulting services will emerge as one of the fastest-growing sectors in IT services, growing at a 10% clip in 2022, Lovelock said. Cloud adoption will help drive that spurt. Gartner research suggests the vast majority of large organizations will hire external consultants to devise cloud strategies over the next few years.

ICO criticises government-backed campaign to delay end-to-end encryption

The privacy watchdog said end-to-end encryption plays an important role in safeguarding privacy and online safety, protecting children from abusers, and is crucial for business services. The intervention follows the launch of a government-funded campaign this week that warns that social media companies are “blinding themselves” to child sexual abuse by introducing end-to-end encrypted messaging services. Stephen Bonner, the ICO’s executive director of innovation, said the discussion on end-to-end encryption had become too unbalanced, with too much focus on the costs, without weighing up the significant benefits it offers. “E2EE serves an important role both in safeguarding our privacy and online safety,” he said. “It strengthens children’s online safety by not allowing criminals and abusers to send them harmful content. “It is also crucial for businesses, enabling them to share information securely and fosters consumer confidence in digital services.”

Looking Beyond Biden's Binding Security Directive

What is truly alarming, however, is how far behind many public and private organizations are with their patch management procedures. We frequently find known vulnerabilities in our customers' business-critical applications that are several years old and still unpatched. This directive looks to change that, ensuring agencies and their third-party vendors develop plans to find and remediate these known vulnerabilities. Multiple studies demonstrate that detecting vulnerabilities and prioritizing the right patches quickly and efficiently are the largest challenges. By establishing a prioritized catalog of vulnerabilities, the directive seeks to give federal agencies a leg up. The onus on establishing a plan and process for remediation, however, still remains with the individual federal agencies. Nevertheless, we're glad to see the Biden administration take this critical step forward in improving the cybersecurity posture of the United States and, by extension, the companies that provide services to the federal government. 

After ransomware arrests, some dark web criminals are getting worried

There's a consensus among cybersecurity experts that many of the major ransomware operations work out of Russia, with the authorities willing to turn a blind eye towards attacks targeting the West. But following arrests throughout the region, some cyber criminals are wondering if the risk is worth it. "This is a big change. I have no desire to go to jail," wrote one forum member. "In fact, one thing is clear, those who expect that the state would protect them will be greatly disappointed," said another. There's even concern that administrators of the dark web communities – who would have details about their users – could be coerced into working for law enforcement following arrest. Such is the paranoia among some forum members and ransomware affiliates that they suggest moving operations to a different jurisdiction, although this is unlikely to be a realistic option for many. "Those that are seasoned in cybercrime understand that by moving outside of Russia, they'll be taking on an even greater risk of being arrested by international law enforcement agencies. These agencies that are keeping tabs on cyber criminals will be watching for such potential moves," said Ziv Mador.

The internet runs on free open-source software. Who pays to fix it?

“Tech companies, enterprises, anyone writing software is dependent on open-source,” says Wysopal. “Now there is a recognition at the highest levels of government that this is a big risk.” Easterly and other experts say that tech companies need to improve transparency. Adopting a Software Bill of Materials, as mandated by a 2021 executive order on cybersecurity from President Joe Biden, would help both developers and users better understand what is actually vulnerable to hacking when software flaws are discovered. Valsorda, who has managed to turn his own open-source work into a high-profile career, says that formalizing and professionalizing the relationship between developers and the big companies using their work could help. He advocates turning open-source work from a hobbyist pursuit into a professional career path so that critical infrastructure isn’t dependent on the spare time of a developer who already has a full-time job. And he argues that companies should develop systems to pay the people who maintain open-source projects their fair market value.

The Prometheus traffic direction system is a major player in malware distribution

The goal of such traffic direction systems is to redirect legitimate web users to malware, phishing pages, tech support scams, or other malicious operations. This is achieved by placing malicious scripts on compromised websites that intercept traffic or through malicious advertisements that are served to users on legitimate websites through ad networks. The main benefit of a TDS is that it allows cybercriminals to define redirection rules from an administration panel based on the type of visitors hitting the system's web of malicious landing pages. On compromised websites, Prometheus achieves this through a simple PHP backdoor script that fingerprints visitors -- browser, OS, timezone, language settings -- and sends the information back to a command-and-control server from where it pulls redirect instructions defined by attackers. This means that different categories of visitors can be redirected to different campaigns depending on the target audience the different groups renting TDS services want to reach and victims can also end up seeing localized scams in their language. 

Google finds a nation-state level of attacks on iPhone

The company behind the software used in these attacks, NSO, reportedly uses a fake GIF trick to target a vulnerability in the CoreGraphics PDF parser. The files have a .gif extension, but they are not GIF image files. The name is solely designed to keep a user from getting worried. “The ImageIO library is used to guess the correct format of the source file and parse it, completely ignoring the file extension. Using this fake gif trick, more than 20 image codecs are suddenly part of the iMessage zero-click attack surface, including some very obscure and complex formats, remotely exposing probably hundreds of thousands of lines of code.” As Google noted, these attacks are difficult to thwart. Blocking all GIF images is unlikely to prove effective. First, these files aren’t actually GIFs. The simplest approach is to block anything using a GIF extension, but the bad guys will simply switch to a different innocuous-sounding extension. ... Another Google point: “JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory.”
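The defender-side counterpart of the content sniffing described above is to compare a file's declared extension with the format its leading bytes actually announce, so that a "GIF" that begins with a PDF header is flagged for triage. The following is an added example, not code from the article or from Google Project Zero; the signature table, the sample files and the `classify` helper are constructed here, and a mismatch is a triage signal rather than a fix for any parser bug.

```python
# Added example (not from the article or Google Project Zero): flag files
# whose declared extension disagrees with the format their leading bytes
# announce, the mismatch the fake-GIF trick relies on. Signatures and
# samples below are constructed for this example.
import os
from typing import Dict, Optional

# Well-known leading-byte signatures for a few image/document formats.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the format whose signature matches the leading bytes, if any."""
    for fmt, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    return None


def classify(name: str, data: bytes) -> str:
    """Compare the declared extension with the sniffed content type.

    Returns "ok" when they agree, "mismatch" when the content is a known
    format other than the one the extension claims, and "unknown" when the
    content matches no known signature (worth a closer look either way).
    """
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    ext = "jpg" if ext == "jpeg" else ext  # treat .jpeg and .jpg alike
    actual = sniff_format(data)
    if actual is None:
        return "unknown"
    return "ok" if actual == ext else "mismatch"


# Constructed samples: a real GIF header, a PDF header carrying a .gif
# name, and bytes that match no known signature.
SAMPLES = {
    "cat.gif": b"GIF89a" + b"\x00" * 16,
    "photo.gif": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n" + b"\x00" * 8,
    "blob.gif": b"\x00\x01\x02\x03",
}


def scan(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every sample; in practice the bytes would come from a
    mail gateway or upload handler rather than an inline dict."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```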

FAQ: What's happening with 5G and airport safety?

The Federal Communications Commission (FCC) concluded in 2020 that studies warning of this danger did "not demonstrate that harmful interference would likely result under reasonable scenarios" or even "reasonably 'foreseeable' scenarios." Tom Wheeler, a visiting Brookings Institution fellow and former FCC head, said in a paper that he doesn't think there's a real technical problem. The long-term answer to this problem is to "improve the resilience of future radar altimeter designs to RF interference." In the meantime, Wheeler pointed out, "The FCC created a guard band between the 5G spectrum and the avionics spectrum in which 5G was forbidden. Boeing, in a filing with the FCC, had proposed just such a solution. The Boeing proposal was to prohibit 5G 'within the 4.1-4.2 GHz portion of the band.' The FCC agreed and then doubled the size of Boeing's proposed guard band to a 220 MHz interference buffer between the upper 5G usage at 3.98 GHz, and avionics usage at 4.2 GHz." That's all well and good, but the FAA and major US and international airlines aren't buying it.

Data Mesh Architecture Patterns

An Enterprise Data Mesh is composed of many components (lots more detail available here, here, and here). Data Products, the primary building block within a Data Mesh, contain operational, analytic, and/or engagement data which is synchronized across the organization using an Enterprise’s Data Mesh. APIs are used to access data within a Data Product. To support federated governance, each Data Product contains an audit log that records data changes and a catalog of data it manages. An Enterprise’s Data Mesh has many Data Products. Data Products subscribe to each other’s data such that when one Data Product changes its data, this change is communicated to other Data Products using Change Data Capture and an Event Streaming Backbone. Lastly, an Enterprise Data Catalog — a synchronized aggregation of all Data Product catalogs and data changes — is used to make it easy for any user or developer to find, consume, and govern any data across the enterprise, while also providing the foundation for understanding data lineage across the enterprise.

Quote for the day:

"Leadership is the key to 99 percent of all successful efforts." -- Erskine Bowles