Daily Tech Digest - February 04, 2022

5 steps to run a successful cybersecurity champions program

A solid program helps to demystify cybersecurity for non-security employees and bring it into the scope of their own specialties. “People often think cybersecurity is an unfathomable, deeply technical concept, but having security champions creates an open dialogue, and couching security issues and threats in ways that are relevant to specific roles is the best way to navigate this issue,” Dr. John Blythe, chartered psychologist and director of cyber workforce psychology at cybersecurity training firm Immersive Labs, tells CSO. “Engineers need to understand how to write secure code, executive teams need to know how to respond better in a cyber crisis, and IT teams need to know how to secure cloud infrastructure.” Once trained, cybersecurity champions can identify and address cybersecurity vulnerabilities before they become widespread and problematic, adds Dominic Grunden, CISO of UnionDigital Bank. “In doing so, they can save organizations significant time and money in the process,” he says. Grunden has integrated and run cybersecurity champions programs across multiple industries and organizations.

Charming Kitten Sharpens Its Claws with PowerShell Backdoor

Charming Kitten is now using what researchers have dubbed PowerLess Backdoor, a previously undocumented PowerShell trojan that supports downloading additional payloads, such as a keylogger and an info stealer. The team also discovered a unique new PowerShell execution process related to the backdoor aimed at slipping past security-detection products, Frank wrote. “The PowerShell code runs in the context of a .NET application, thus not launching ‘powershell.exe’ which enables it to evade security products,” he wrote. Overall, the new tools show Charming Kitten developing more “modular, multi-staged malware” with payload-delivery aimed at “both stealth and efficacy,” Frank noted. The group also is leaning heavily on open-source tools such as cryptography libraries, weaponizing them for payloads and communication encryption, he said. This reliance on open-source tools demonstrates that the APT’s developers likely lack “specialization in any specific coding language” and possess “intermediate coding skills,” Frank observed.

Toward a 3-Stage Software Development Lifecycle

No one wants someone else to find the fault in their code, but at the same time, developers aren’t crazy about running tests, whether that means writing tests or doing manual tests. But developers shouldn’t have to ship their code off to a testing environment to discover if it works or not and worry about the embarrassment of having a colleague find an error. Robust change validation does just that — it allows developers to spot potential errors before the application or update leaves the local environment. Validating changes involves not only testing that the code is good, but also that it works as expected with all dependencies. When a change isn’t validated, the developer knows immediately and can fix the problem and try again immediately. And when a change is validated, the developer can push the code into the production-like environment with confidence, knowing that it’s been tested against upstream and downstream dependencies and won’t cause anything to break unexpectedly. The idea is that as much hardening as possible happens in the development environment so that developers can ship with maximum confidence. 

The Making of Atomic CSS: An Interview With Thierry Koblentz

Everything was fair game and everything was abused as we had a very limited set of tools with the demand to do a lot. But things had changed dramatically by the time I joined Yahoo!. Devs from the U.K. were strong supporters of Web Standards and I credit them for greatly influencing how HTML and CSS were written at Yahoo!. Semantic markup was a reality and CSS was written following the Separation of Concern (SoC) principle to the “T”. YUI had CSS components but did not have a CSS framework yet. ... Every Yahoo! design team had their own view of what was the perfect font size, the perfect margin, etc., and we were constantly receiving requests to add very specific styles to the library. That situation was unmaintainable so we decided to come up with a tool that would let developers create their own styles on the fly, while respecting the Atomic nature of the authoring method. And that’s how Atomizer was born. We stopped worrying about adding styles — CSS declarations — and instead focused on creating a rich vocabulary to give developers a wide array of styling, like media queries, descendant selectors, and pseudo-classes, among other things.

Cyber Signals: Defending against cyber threats with the latest research, insights, and trends

Cyber Signals aggregates insights we see from our research and security teams on the frontlines. This includes analysis from our 24 trillion security signals combined with intelligence we track by monitoring more than 40 nation-state groups and over 140 threat groups. In our first edition, we unpack the topic of identity. Our identities are made up of everything we say and do in our lives, recorded as data that spans across a sea of apps and services. While this delivers great utility, if we don’t maintain good security hygiene our identities are at risk. And over the last year, we have seen identity become the battleground for security. While threats have been rising fast over the past two years, there has been low adoption of strong identity authentication, such as multifactor authentication (MFA) and passwordless solutions. For example, our research shows that across industries, only 22 percent of customers using Microsoft Azure Active Directory (Azure AD), Microsoft’s Cloud Identity Solution, have implemented strong identity authentication protection as of December 2021. 

Bitcoin encryption is safe from quantum computers – for now

In the second part of the study, the team calculated the number of physical qubits needed to break the encryption used for Bitcoin transactions. Marek Narozniak, a physicist at New York University (NYU) in the US who was not part of the study, points out that this question – whether cryptocurrencies are safe against quantum computer attacks – comes with additional constraints not present in the FeMo-co simulation. While a 10-day computation time may be acceptable for FeMo-co simulations, Narozniak notes that the Bitcoin network is set up so that a hacker armed with an error-correcting quantum computer would have a very limited time to decrypt information and steal funds. According to Webber and collaborators, breaking Bitcoin encryption within one hour – a time window within which transactions may be vulnerable – would take about three hundred million qubits. Based on this result, Narozniak concludes that “Bitcoin is pretty safe”, although he warns that not all cryptocurrencies operate the same way. “There are other cryptocurrencies that work differently, and they have different algorithms that could be more vulnerable,” he says.

The 5 Big Risk Vectors of DeFi

Intrinsic protocol risk in DeFi comes in all shapes. In DeFi lending protocols such as Compound or Aave, liquidations is a mechanism that maintains lending markets collateralization at appropriate levels. Liquidations allow participants to take part of the principal in uncollateralized positions. Slippage is another condition present in automated market making (AMM) protocols such as Curve. High slippage conditions in Curve pools can force investors to pay extremely high fees to remove liquidity supplied to a protocol. ... A unique aspect of DeFi, decentralized governance proposals control the behavior of a DeFi protocol and, quite often, are the cause of changes in its liquidity composition in affecting investors. For instance, governance proposals that alter weights in AMM pools or collateralization ratios in lending protocols typically help liquidity flow in or out of the protocol. A more concerning aspect of DeFi governance from the risk perspective is the increasing centralization of the governance structure of many DeFi protocols. Even though DeFi governance models are architecturally decentralized, many of them are controlled by a small number of parties that can influence the outcome of any proposal.

Thousands of Malicious npm Packages Threaten Web Apps

Because npm packages in general are being downloaded upwards of 20 billion times a week—and thus installed across countless web-facing components of software and applications across the world–exploiting them means a sizeable playing field for attackers, researchers said in their Wednesday report. ... That level of activity enables threat actors to launch a number of software supply-chain attacks, researchers said. Accordingly, WhiteSource investigated malicious activity in npm, identifying more than 1,300 malicious packages in 2021 — which were subsequently removed, but may have been brought into any number of applications before they were taken down. “Attackers are focusing more efforts on using npm for their own nefarious purposes and targeting the software supply chain using npm,” they wrote in the report. “In these supply-chain attacks, adversaries are shifting their attacks upstream by infecting existing components that are distributed downstream and installed potentially millions of times.”

Retail in the metaverse: considerations for brands

While the metaverse may be a golden ticket of new opportunities for retailers, there are very real security risks that also need to be considered. For example, in this new, yet to be explored metaverse, there’s the danger of consumers coming across a virtual man wearing a trench coat selling fake designer watches. How can consumers tell if he is selling the genuine article, or fakes? Ensuring your brand and products are protected in the metaverse is going to be a serious challenge. Monitoring for intellectual property (IP) infringement across the various components of the metaverse will not be easy. If consumers have bad experiences in the metaverse, such as buying fake goods, this can cause great harm to their reputation online and in the real world too. This is why it is important that they take steps to protect their brand and IP as well as their customers. It has been suggested that operators within the metaverse should establish strategies for protecting users’ IP, in the same vein to how YouTube, eBay and Amazon work to protect rights holders from illicit activity on their platforms. 

Where have all the global network aggregators gone?

The best way to leverage SD-WAN’s potential for reducing network transport costs is to have a portfolio strategy with respect to selecting internet transport suppliers. Through robust acquisition processes and detailed coverage and cost modeling, enterprises need to come up with a manageable number of vetted suppliers that meet their global transport requirements. Potential suppliers should be evaluated based on provisioning, SLAs, operational and service support, and commercial and contractual terms, for example. Typically, for larger businesses, a portfolio approach may include one global or strong regional aggregator alongside two-to-five other telecom service providers with different provisioning models. Having a small handful of suppliers as go-to partners rather than a single supplier can yield significant cost savings – and those savings can run 30% higher compared to a single-source supplier approach. If managed correctly, a portfolio approach also offers a way to keep performance/pricing pressure on competing suppliers. 

Quote for the day:

"Don't focus so much on who is following you, that you forget to lead." -- E'yen A. Gardner

No comments:

Post a Comment