Daily Tech Digest - July 21, 2022

Google Launches Carbon, an Experimental Replacement for C++

While Carbon began as a Google internal project, the development team ultimately wants to reduce contributions from Google, or any other single company, to less than 50% by the end of the year. They ultimately want to hand the project off to an independent software foundation, where its development will be led by volunteers. ... The design team wants to release a core working version (“0.1”) by the end of the year. Carbon will be built on a foundation of modern programming principles, including a generics system that would remove the need to check and recheck the code for each instantiation. Another much-needed feature lacking in C++ is memory safety. Memory access bugs are one of the largest culprits behind security exploits. Carbon designers will look for ways to better track uninitialized states, design APIs and idioms that support dynamic bounds checks, and build a comprehensive default debug build mode. Over time, the designers plan to build a safe Carbon subset. ... Carbon is for those developers who already have large codebases in C++, which are difficult to convert into Rust. Carbon is specifically what Carruth called a “successor language,” one built atop an already existing ecosystem, C++ in this case.


The Cost of Production Blindness

DevOps and SRE are roles that didn’t exist back then. Yet today, they’re often essential for major businesses. They brought with them tremendous advancements to the reliability of production, but they also brought with them a cost: distance. Production is in the amorphous cloud, which is accessible everywhere. Yet it’s never been further away from the people who wrote the software powering it. We no longer have the fundamental insight we took for granted a bit over a decade ago. Yes, and no. We gave up some insight and control and got a lot in return: stability, simplicity, and security. These are pretty incredible benefits. We don’t want to give these benefits up. But we also lost some insight, debugging became harder, and complexity rose. ... Log ingestion is probably the most expensive feature in your application. Removing a single line of log code can end up saving thousands of dollars in ingestion and storage costs. We tend to overlog because the alternative is production issues that we can’t trace to their root cause. We need a middle ground. We want the ability to follow an issue through without overlogging. Developer observability lets you add logs dynamically into production as needed.


UK government introduces data reforms legislation to Parliament

Suggested changes included removing organisations’ requirements to designate data protection officers (DPOs), ending the need for mandatory data protection impact assessments (DPIAs), introducing a “fee regime” for subject access requests (SARs), and removing the requirement to review data adequacy decisions every four years. All of these are now included in the updated Bill in some form. “We now have confirmation of what the UK’s post-GDPR data framework is intended to look like,” said Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy and cyber security practice. ... “The GDPR isn’t perfect and it would be foolish for the UK not to learn from those lessons in its own approach, but it’s walking a tightrope between improvements to the current framework and performative changes for the sake of ripping up Brussels red tape. My initial impressions of the Bill are that the government has struck the balance in favour of business and overlooked some civil society concerns, so I would think that reduced rights and safeguards for individuals will be areas that are targeted for revision before the Bill is finalised.”

Hackers can spoof commit metadata to create false GitHub repositories

Researchers identified that a threat actor could tamper with commit metadata to make a repository appear older than it is. They can also deceive developers into trusting a repository by making it appear that reputable contributors maintain it. It is also possible to spoof the committer’s identity and attribute the commit to a genuine GitHub account. With open source software, developers can build applications faster and may even skip third-party code auditing if they believe the source of the software is reliable. They may choose GitHub repositories that are actively maintained or whose contributors are trustworthy. Checkmarx researchers explained in their blog post that threat actors could manipulate the timestamps of the commits that are listed on GitHub. Fake commits can also be generated automatically and added to a user’s GitHub activity graph, making the account appear to have been active on the platform for a long time. The activity graph displays activity on both private and public repositories, making it impossible to discredit the fake commits.
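A defender-side check for the two problems described above, added here as an example and not code from Checkmarx or GitHub: it parses lines in the `git log --format='%H|%an|%ae|%at|%cn|%ce|%ct|%G?'` layout (the sample lines are constructed) and flags commits that are backdated by more than a week or that claim a trusted author's e-mail without a good signature. The set of trusted author addresses is an assumed input the reviewer supplies.

```python
"""Flag backdated or identity-spoofed commits in a git log export.

Added example, not part of the Checkmarx research. Input lines follow
  git log --format='%H|%an|%ae|%at|%cn|%ce|%ct|%G?'
where %at/%ct are Unix author/commit times and %G? is git's signature
status ("G" = good signature, "N" = no signature, other letters = problems).
"""
from typing import Dict, List, Set, Tuple

# Constructed sample output: one clean signed commit, one commit whose
# author date was pushed back years and which claims a trusted author
# without a signature, and one ordinary unsigned commit by a newcomer.
SAMPLE_LOG = """\
aaaa1111|Alice Maintainer|alice@example.org|1658361600|Alice Maintainer|alice@example.org|1658361600|G
bbbb2222|Alice Maintainer|alice@example.org|1300000000|Mallory|mallory@example.net|1658361700|N
cccc3333|Bob Contributor|bob@example.org|1658361800|Bob Contributor|bob@example.org|1658361800|N
"""

# Author date older than commit date by more than this is treated as backdating.
BACKDATE_LIMIT_SECONDS = 7 * 24 * 3600


def parse_log(text: str) -> List[Dict]:
    """Split each pipe-delimited log line into a dict of the fields we audit."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, _an, ae, at, _cn, ce, ct, sig = line.split("|")
        rows.append({"sha": sha, "author": ae, "author_time": int(at),
                     "committer": ce, "commit_time": int(ct), "sig": sig})
    return rows


def audit(rows: List[Dict], trusted_authors: Set[str]) -> List[Tuple[str, str]]:
    """Return (sha, reason) pairs for commits whose metadata looks manipulated."""
    findings = []
    for r in rows:
        gap = r["commit_time"] - r["author_time"]
        if gap > BACKDATE_LIMIT_SECONDS:
            findings.append((r["sha"], f"author date predates commit by {gap // 86400} days"))
        if r["author"] in trusted_authors and r["sig"] != "G":
            findings.append((r["sha"], "claims a trusted author but lacks a good signature"))
    return findings


if __name__ == "__main__":
    for sha, reason in audit(parse_log(SAMPLE_LOG), {"alice@example.org"}):
        print(f"{sha[:8]}: {reason}")
```

Requiring `vigilant mode` style signature verification on the GitHub side addresses the second finding at the source; the date check is what catches repositories that were artificially aged.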


Hackers turn to cloud storage services in attempt to hide their attacks

The group is widely believed to be linked to the Russian Foreign Intelligence Service (SVR), responsible for several major cyberattacks, including the supply chain attack against SolarWinds, the US Democratic National Committee (DNC) hack, and espionage campaigns targeting governments and embassies around the world. Now they're attempting to use legitimate cloud services, including Google Drive and Dropbox – and have already used this tactic as part of attacks that took place between May and June this year. The attacks begin with phishing emails sent out to targets at European embassies, posing as invites to meetings with ambassadors, complete with a supposed agenda attached as a PDF. The PDF is malicious and, if it worked as intended, it would call out to a Dropbox account run by the attackers to secretly deliver Cobalt Strike – a penetration-testing tool popular with malicious attackers – to the victim's device. However, this initial call out was unsuccessful earlier this year, something researchers suggest is down to restrictive policies on corporate networks about using third-party services.


How Zero Trust can stop the catastrophic outcomes of cyberattacks on critical infrastructure

The impending necessity of Zero Trust should be recognised by every government and CNI provider around the world if they are to have any hope of mitigating sophisticated attacks like ransomware. Critical infrastructure is the backbone of a country’s economy and social order. It is impossible to maintain a sustainable society when sectors like emergency healthcare, energy distribution, food and agriculture, education, and financial services are constantly under disruptive threats. In May 2021, the US government issued an executive order for federal government agencies to improve their cybersecurity postures and recommended moving toward a Zero Trust architecture as the solution. Following this executive order, the Pentagon launched a Zero Trust office in December 2021, and in January 2022 President Biden further emphasised the urgency of moving to a Zero Trust architecture by mandating that all government agencies achieve specific Zero Trust goals by the end of Fiscal Year 2024.


Transparency in the shadowy world of cyberattacks

Focusing on the fundamentals of software security is in some ways more important to raise all of us above the level of insecurity we see today. We curate and use threat intelligence to protect billions of users – and have been doing so for some time. But you need more than intelligence, and you need more than security products – you need secure products. Security has to be built in, not just bolted on. Aurora showed us that we (and many in the industry) were doing cybersecurity wrong. Security back then was often “crunchy on the outside, chewy in the middle.” Great for candy bars, not so great for preventing attacks. We were building high walls to keep bad actors out, but if they got past those walls, they had wide internal access. The attack helped us recognize that our approach needed to change – that we needed to double down on security by design. We needed a future-oriented network, one that reflected the openness, flexibility, and interoperability of the internet, and the way people and organizations were already increasingly working. In short, we knew that we had to redesign security for the Cloud.


The importance of secure passwords can’t be emphasized enough

Mobile phones are a main and often overlooked concern. We found that 30% of respondents do not use antivirus on their phones, meaning they are not properly securing their devices. This is especially a concern as the demographic most often on their phones is also the one least worried about online threats and vulnerabilities. Password managers, and passwords stored in an electronic file and/or in physical format, are used most frequently for work devices and least frequently for personal phones. The autofill option and password managers are used most often by 25-44-year-olds, and physical format is used more by those between 55 and 65. But even if work accounts are secure, that doesn’t mean that sensitive information from work doesn’t carry over onto personal phones. Email and communication apps connected to work accounts are often downloaded onto personal devices, and if someone uses the same passwords across accounts, their personal devices being compromised means their work ones are as well.


Unlocking the potential of AI to increase customer retention

A true AI-fuelled CRM goes beyond simple automation. To provide real benefit, AI must aggregate data from multiple different sources — including in-house sales, marketing, and service tools. It needs to break down organisational silos to identify patterns in interactions and offer deeper customer insights. Some feel they don’t necessarily have enough primary data to build effective predictive models. Yet there are vast amounts of organisational data generated around a single customer or prospect. The trick is to leverage a CRM that understands and captures all of these interactions in a format that can fuel AI initiatives. By breaking down the silos between business units and integrating all of the valuable data that they hold, organisations will be able to benefit from the most advanced predictive models. This is often more challenging than it should be to implement. Business systems are typically good at providing a snapshot of an organisation on any given day, but they aren’t usually as good at gathering historical information.


Burnout: 3 steps to prevent it on your team

Company culture doesn’t just happen. Leaders must actively maintain and shape it to identify ongoing opportunities that empower employees to support and contribute to it. Employee contributions can be as small as internal pulse surveys or as large as designing new groups or initiatives. Think about creating a club to encourage the workforce to participate in the hiring process and weigh in on how candidates would mesh with internal teams. This engagement would directly shape how the organization operates and builds positive working environments for employees – no matter the physical or remote work setting. By opening the door for employees to get involved and provide input, leaders can identify signs of fatigue earlier, address pain points before employees reach the pinnacle of exhaustion, and create a community that motivates and engages the workforce. ... Too often, leaders view benefits as the silver bullet to burnout. But benefits alone won’t cure feelings of burnout. If your workforce is giving direct feedback on areas that need improvement, simply listening is not enough. Take action to meet these needs and make your actions known.



Quote for the day:

"Take time to deliberate; but when the time for action arrives, stop thinking and go in." – Andrew Jackson
