September 16, 2016

5 security practices hackers say make their lives harder

It's easy to fall into the trap of thinking of privileged accounts in terms of the human users who have them. But privileged accounts are also extended to machines and systems to allow them to interact. Organizations typically have two to three times more privileged accounts than they have employees. Carson notes that every system that gets deployed comes with a default account, and those systems get connected to service accounts to maintain them. Each virtual machine that gets deployed also receives privileges that don't expire when the machine they're associated with is spun down. And if a VM is cloned, those privileges get cloned along with it. As a result, organizations often wind up with large numbers of rogue privileged accounts with access to their environment.


Polymorphism of MVC-esque Web Architecture: Classification

Arguably, the model has experienced the most significant changes since the inception of the MVC almost forty years ago. For this discussion, the model is defined liberally to include the in-memory model object (such as record set), the source data/document/file/signal of system of record (SoR) behind the object, and all the processes synchronizing and bringing them together. The type of data repository of the model has evolved from a small floppy disk to RDBMS, and to MMDBMS (multi-model database management system). The repository has gone from co-locating with the in-memory model object isolated on the user’s desktop to locating remotely from the domain object as broadband-connected, distributed and/or cloud-based systems.


5 Things You Should Know About Nigerian 'Digital Check Washing' Rings

WWG1 uses a simple tool to crawl the Internet and scrape employee email addresses from corporate websites. Those employees are then bombarded with viral emails (the kind with a virus, not the kind that gets Internet-famous). The goal is to infect one machine, and then use that as a foothold to ultimately secure privileged access to the company's Web email server. Once they gain control of the email server, they begin daily monitoring for purchase order communiques. They also prepare lookalike emails, as well as arrangements to wire funds into bank accounts set up to launder stolen payments. None of this requires any special hacking expertise; the necessary software and tutorials are widely available online.


How blockchain is transforming business models

To put it simply, distributed ledgers are just a method of recording data digitally, and can be applied to anything that needs to be independently recorded and verified as having happened, e.g., transactions, agreements, contracts, ownership, etc. According to a SWIFT Institute Working Paper, it is the robustness and relative simplicity of the Bitcoin blockchain that has sparked interest in applying similar technology to wholesale markets' securities settlement, as this can potentially reduce costs and risks. And according to a White and Case report, a similar blockchain can also be used to improve and enhance currency exchange, supply chain management, trade execution and settlement, remittance, peer-to-peer transfers, micropayments, asset registration, correspondent banking and regulatory reporting.


What Airbnb can teach HR about trust

You may be thinking, sharing a car with someone and then rating them on their driving skills is nowhere near equivalent to the relationships that form in the workplace. In reality, with websites like Glassdoor and Indeed, companies are already developing their own online reputations based on employee reviews. The potential impact of these reviews can be explained by the similarity bias. Job seekers are going to be much more apt to believe in the reviews of current employees than in company recruitment efforts or statements by the CEO. Creating trust between employees and managers should therefore be at the top of every HR department's agenda. Using best practices from the sharing economy can be easier than you think. Essentially, what Airbnb and other companies have proven is that opening yourself up to feedback will increase trust in the eyes of others.


Cognitive Computing: Five “I wish I would haves” to Avoid

Computing capabilities are unbelievably strong today. There’s a greater discipline in algorithms than we’ve ever seen. Data storage costs, what, around 3 cents to store a gig of data today? Put it all together, and you realize that whatever we’ve done in cognitive computing today will soon be considered quaint early indicators of the seismic changes that follow. We are heading down an exponential change curve. Because cognitive computing is already a burgeoning reality among the businesses I work with every day, I’ve already observed a few serious risky views on it. Why are they risky? Because if they take hold, they’re likely to lead many to say, “I wish I would have” in the not-so-distant future. And in this case, the implications of getting it wrong, or simply not getting on board fast enough, could be serious.


It’s time to practice what we preach in cloud security

Most hackers are after a quick and easy payday. And any savvy hacker knows there's loot to be had from cloud services. Given today's consumer / corporate crossover world we live in, things like Dropbox are a prime target as they're a vast cache of IP and corporate databases – and probably a fair amount of personal information that can be exploited. At the same time, apps like OneLogin are designed to increase security, and anyone looking to procure a few passwords would do well to try their luck here. The cloud industry has been hard at work dragging people over the line in the security debate for some time. We have worked hard to tackle the issue head on, and incidents like these don't help assuage the doubts that many still have.


For regulators, cybersecurity must be more than just site visits and questionnaires

One has to do with the fact that regulatory bodies still rely on a rather old-fashioned technique for assessing compliance in cybersecurity (and really any area): having an examiner visit an organization's site and ask questions, or require the organization to fill out questionnaires. This kind of "point-in-time" monitoring certainly has its value, but too easily can be a once-a-year bureaucratic exercise that provides only a snapshot of an enterprise's cybersecurity health. These exercises are quite financially burdensome for the regulated entities to comply with, and budget-strapped agencies are also hard-pressed to stay on schedule with the assessments. Regulatory agencies, fortunately, are looking at new commercially available technologies that provide critical cybersecurity performance data in a continuous fashion.


Pros and Cons of Cross-Platform Mobile App Development

Since the User Interface (UI) and User Experience Design (UXD) of iOS and Android are quite different from each other, it's not an easy task to create a uniform GUI wrapper on top of them. Though Xamarin and others have put in significant work on this front, it is far from perfect. It works well if you design your application to live within the framework's limitations; however, if you need anything that doesn't fit with the framework's vision, it requires a lot of work to implement and requires writing platform-specific code. To give you an example, in Xamarin Forms, it takes a lot more work if your designer chooses to give custom colored borders to text fields. As this is not obvious to the designer, once you have settled on the design, the programming team needs to put in a lot of effort to pull off this seemingly simple design.


Risk Management Best Practices For CISOs

There are a few basic steps that CISOs should take after establishing their resiliency baseline in order to start improving it. We suggest that CISOs perform a value-chain mapping exercise, which will result in a much more detailed pictorial view of the security landscape. The X-axis of this map is "Evolution of Resiliency" and the Y-axis is the "Invisible to Visible Value Chain"—meaning, what solutions currently exist and what can be implemented over the evolution timeline to increase the visibility of security, which has a direct positive effect on resiliency. This exercise will also flush out any duplicative efforts, which decrease efficiency. After the initial map has been created, it can be used as part of a continuous resiliency improvement process.



Quote for the day:


"As we look ahead into the next century, leaders will be those who empower others." -- @BillGates


September 15, 2016

If an Infosec policy falls in the forest

If you don't have a proper governance structure in place it can cause you some angst. As an example, how can you remove an employee who is surfing porn on the Internet if you have no framework in place to deal with such an action? That is the simplest example that comes to mind. To spin it differently, there was a shop that I worked for at which I was told that I could not use a certain piece of software. It was a fairly benign software application, so I couldn't help but ask why. Now, bearing in mind I had no argument with being told no, I was just interested in knowing what the rationale was for that decision. The answer I received was, "because $group said no."


Chief Data Officer Barney Krucoff Drives Washington, D.C.’s Data Strategy

My impression is that D.C. has a tremendous technology infrastructure. We are more unified in our technology than many large cities or states. There’s a city-owned network backbone that connects us all, and there’s a centralized security team, so not everybody’s got their own firewall group and you’re not necessarily negotiating that across multiple agencies. The IT department is fairly operational, not just a policy shop. We run all the email, we run many applications, we run the centralized web team. So there’s a lot of infrastructure in D.C., and there’s a reasonable amount of resources for the amount of government we have. We weren’t necessarily as efficient as we’d like to be, and I think that’s part of my job, to try to align these pieces.


How can we address the Insecurity of Things?

"With IoT, it's only a question of time that with regards to privacy and physical security issues, governments will have to enforce regulations and standards," said Sayag. "It's a two-way process. One is from the regulatory authorities, to come up with really strong steps, to encourage development of security of IoT nodes and devices; and on the side of users, they should be more aware of the kind of things that can be hacked," said Chattopadhyay. "I think we are too passive about these new challenges, we think that they will be sorted out by themselves, maybe by market forces. We should work faster, and we should encourage more innovative technologies and products with built-in security in mind. That is something the security community, researchers and the industry, should consider right now. I think this is a problem we should solve altogether," emphasized Sayag.


Security Think Tank: Brexit – An opportunity for infosec pros to take the lead

The main negative point is the uncertainty, but as the EU will deny access to its marketplaces to any company not up to code, certainty comes back into the picture again as we realise the regulations have to be implemented anyway. Not quite incidentally, when considering international data regulations in this context, those responsible in a risk and compliance role should keep keen eyes on the progression of the Safe Harbour and Privacy Shield saga in the Irish courts. Opting for private model contracts to cover international data exchanges in the absence of Safe Harbour is a legally uncertain decision, and their use could cause major international disruption if ruled inadequate.


8 Culture Change Secrets Most Leaders Don’t Understand

Results will actually precede the cultural change. This important insight runs counter to arguments from some leaders who think they don't have time for culture since they need results now and culture change takes a long time. Focusing the work on a top mission or performance priority will actually increase the likelihood of seeing results in a meaningful area AND supporting the targeted cultural shift. Behaviors that lead to positive results will spread. Schein said these behaviors will not be spreading because employees were "told to" but because "they work". I love his explanation: "if it's successful, and people like it, and it becomes a norm then you can say it's become a culture change." So, what's a norm? That question brings us to our next secret.


Cybersecurity Is Every Executive’s Job

While the CISO will identify risks and prioritize security protocols, it is incumbent on senior executives to understand and carry out the procedures across the business — to the most-vulnerable points of entry for cyber criminals. Executives must sponsor the CISO’s threat assessments and review the results together. The CISO should be included on new business initiatives early on so that security is baked in rather than bolted on afterward. In fact, the best practice is to have the CISO work with each team to determine ways to reach goals in the most secure fashion, and then executives must hold their people accountable for risks and flaws identified by the CISO. What’s more, executives should help promote the importance of security within the organization, starting with better education and training.


Cyber risk in financial firms is a key concern – Central Bank Guidance

The Central Bank's concerns are being driven by the potential impact of inadequate cybersecurity controls on the firms themselves, their customers and the risks for financial stability. Given that information technology is now at the heart of the supply of financial services and that the incidence of cyber-attacks and business interruptions is on the increase, the Central Bank is saying that firms should assume that they will be successfully targeted. Its view is that the security and resilience of IT systems, their governance and management must improve to reflect this reality. ... The Central Bank is demanding increased effectiveness in this area. We are undertaking considerable work to require improved IT risk management and cyber resilience across regulated firms. This includes enhanced supervisory capabilities and increased focus on these risk areas.


Emerging technologies are poking holes in security

Automation affects change management and security because there may not be an understanding of how to support the new information security requirements of automation as change occurs. This can make the enterprise susceptible to intrusion and unable to adequately respond when disaster recovery plans must execute, Davison says. As for information technology service partnering, when partner employees don’t follow the enterprise change management process, information security risks rise, says Walker. In cloud computing environments, simply adding errors in the process of coordinating change among different cloud environments to the already precarious task of implementing federated security across these clouds can add significant risk.


Commodities may be a sweet spot for blockchain

Over-the-counter commodity derivatives are another potential sweet spot for blockchain. Banks such as Barclays have explored the use of smart contracts for interest rate and equity derivatives. They might consider trying them out in OTC commodity derivatives, which are largely not yet subject to regulatory central clearing mandates. The lack of potential resistance from clearing houses, as well as the smaller size of the markets overall, might make it easier to roll out smart contracts in OTC commodities than in other asset classes. Some might question whether commodities – the oldest asset class around – will really be the sector where blockchain takes off. I would advise such sceptics to look at a little company called Ice.


FTC focuses on combating ransomware

"The spate of ransomware incidents are escalating at an alarming rate," Ramirez says, citing an estimate from the Department of Justice that incidents of ransomware, now averaging some 4,000 a day, have increased 300 percent in the past year. "The financial motivation for ransomware attacks suggests that the threat is unlikely to go away any time soon," she says, warning businesses to step up their own defenses to ensure that they are protecting their users from online scammers. The agency has already brought dozens of enforcement actions against companies for failing to adopt what it considers reasonable security protections. Ramirez and some industry experts see ransomware as the latest evolution of malware, but with a notable twist.



Quote for the day:


"If you can't laugh at yourself life is going to seem a whole lot longer than you'd like." -- Sam, Garden State


September 14, 2016

Six shifts that define enterprise digitization in 2020

Before company leadership teams get dragged into conversations about specific technologies or start speculating about how they can be the "Uber of their industry," they first need a common perspective on the business, consumer and technology trends that are driving enterprise digitization, and consensus on which are most important for their context and which can be safely ignored. This creates the starting point for a business-led strategy that will yield much better results than chasing after the latest buzzwords. Often, CIOs find themselves leading the way in creating this shared understanding. So to help, CEB has conducted a comprehensive analysis of the business model, consumer and workforce changes that will have the greatest impact on the digital enterprise by 2020. The trends point to six shifts that apply broadly across industries, geographies, customer types and operating models.


The structure of Blockchain Technology and How it works.

Every block within the blockchain is recognized by a hash, created with the SHA256 cryptographic hash algorithm on the block header. Every block also references a preceding block, referred to as the parent block. In other words, every block has the hash of its parent in its own header. The series of hashes connecting each block to its parent makes a chain going back to the first block, referred to as the genesis block. Although a block has one parent, it can momentarily have many children. Each child refers to the same block as its parent and has the same parent hash. Many children appear when there is a blockchain "fork," a short-term situation that happens when different blocks are found nearly concurrently by different miners. Ultimately, only a single child block becomes part of the blockchain and the "fork" is resolved.
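To make the parent-hash linkage and the fork described above concrete, here is a small added Python model (not code from the article): each block is identified by the SHA-256 of its serialized header, a fork produces two children carrying the same parent hash, and rewriting a past block breaks the links every descendant carries. The JSON header layout and the longest-chain rule used to resolve the fork are simplifying assumptions, not a description of any real network.

```python
import hashlib
import json

GENESIS_PARENT = "0" * 64  # constructed sentinel: the genesis block has no parent


def header_hash(header: dict) -> str:
    """Identify a block by the SHA-256 of its serialized header.

    Real chains hash a fixed binary layout; canonical JSON is an
    assumption made here so the example stays self-contained.
    """
    encoded = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def make_block(parent_hash: str, miner: str, payload: str, height: int) -> dict:
    # The parent's hash lives inside the child's header, so it is covered by
    # the child's own hash: changing the parent changes the child.
    header = {
        "version": 1,
        "parent_hash": parent_hash,
        "payload_digest": hashlib.sha256(payload.encode()).hexdigest(),
        "height": height,
        "miner": miner,
    }
    return {"header": header, "hash": header_hash(header), "payload": payload}


def children_of(blocks, parent_hash):
    """All blocks that name the same parent: more than one means a fork."""
    return [b for b in blocks if b["header"]["parent_hash"] == parent_hash]


def walk_to_genesis(blocks_by_hash, tip_hash):
    """Follow parent links from a tip back to genesis, re-checking every hash."""
    chain, current = [], tip_hash
    while True:
        block = blocks_by_hash.get(current)
        if block is None:
            raise ValueError(f"missing block {current[:12]}")
        if header_hash(block["header"]) != block["hash"]:
            raise ValueError(f"hash mismatch at {current[:12]}")
        chain.append(block)
        parent = block["header"]["parent_hash"]
        if parent == GENESIS_PARENT:
            return list(reversed(chain))
        current = parent


def best_tip(blocks):
    """Resolve a fork with a longest-valid-chain rule (an assumption here)."""
    by_hash = {b["hash"]: b for b in blocks}
    referenced = {b["header"]["parent_hash"] for b in blocks}
    tips = [b for b in blocks if b["hash"] not in referenced]
    return max(tips, key=lambda b: len(walk_to_genesis(by_hash, b["hash"])))


def simulate_fork():
    """Two miners extend block 1 at once; only the branch that grows survives."""
    genesis = make_block(GENESIS_PARENT, "genesis", "genesis block", 0)
    b1 = make_block(genesis["hash"], "miner-A", "block 1", 1)
    b2a = make_block(b1["hash"], "miner-A", "block 2 (A)", 2)
    b2b = make_block(b1["hash"], "miner-B", "block 2 (B)", 2)
    blocks = [genesis, b1, b2a, b2b]
    fork_width = len(children_of(blocks, b1["hash"]))  # 2 children, same parent
    b3 = make_block(b2b["hash"], "miner-C", "block 3", 3)  # only B's branch grows
    blocks.append(b3)
    winner = best_tip(blocks)
    by_hash = {b["hash"]: b for b in blocks}
    return {
        "fork_width": fork_width,
        "winning_tip": winner["hash"],
        "winning_length": len(walk_to_genesis(by_hash, winner["hash"])),
        "orphan": b2a["hash"],
    }


def tamper_detected():
    """Rewriting block 1 (even with a freshly computed hash) orphans block 2."""
    genesis = make_block(GENESIS_PARENT, "genesis", "genesis block", 0)
    b1 = make_block(genesis["hash"], "miner-A", "block 1", 1)
    b2 = make_block(b1["hash"], "miner-B", "block 2", 2)
    by_hash = {b["hash"]: b for b in (genesis, b1, b2)}
    forged = make_block(genesis["hash"], "miner-A", "forged block 1", 1)
    del by_hash[b1["hash"]]
    by_hash[forged["hash"]] = forged
    try:
        walk_to_genesis(by_hash, b2["hash"])
    except ValueError:
        return True  # b2 still names the original block 1, which no longer exists
    return False


if __name__ == "__main__":
    print(simulate_fork())
    print("tamper detected:", tamper_detected())
```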


Digital government isn’t about user needs – it’s more fundamental than that

It's not hard to conjecture that exposing the value chains of government services to the public, so that we can all see and compare and improve on them on a daily basis – akin to tinkering with a giant Meccano set made of lots of standard components – would amount to nothing less than a democratic revolution. An early example of an exposed value chain is DVLA's road tax renewal service, where we watch government join up our registration, insurance and MOT databases, and take our money, in real-time. Instead of stale, self-legitimising talk by public administrators about how they are building stuff to "meet user needs", the function of public administrators becomes increasingly about providing us with the building blocks to, for example, assemble, innovate, combine, question and contract for our public services.


Montreal cops hunting data thieves

The curious question that comes to mind is how long has this been going on at Concordia? Or even more to the point, where else has this activity been taking place? I would be curious to see if other universities have discovered similar instances. ... This serves as a great lesson to have a strong monitoring regime in place in your organization. Do you have alerting in place to fire in the event someone inserts a USB device into a server in your datacenter? Do you have access controls in place to alert you as to who is coming and going from your data center? This might seem rather basic on the face of it, but I have seen many instances over the years where companies would have all these great biometric controls, man traps, cameras and the like, but then they would prop open the back door so that the security guard could sneak out for a smoke break.


AI Can Recognize Your Face Even If You’re Pixelated

The researchers were able to defeat three privacy protection technologies, starting with YouTube's proprietary blur tool. YouTube allows uploaders to select objects or figures that they want to blur, but the team used their attack to identify obfuscated faces in videos. In another example of their method, the researchers attacked pixelation (also called mosaicing). To generate different levels of pixelation, they used their own implementation of a standard mosaicing technique that the researchers say is found in Photoshop and other common programs. And finally, they attacked a tool called Privacy Preserving Photo Sharing (P3), which encrypts identifying data in JPEG photos so humans can't see the overall image, while leaving other data components in the clear so computers can still do things with the files like compress them.


Future of Banking: IoT, Retail & Mobile Banking Industry Trends

As we move forward, banks are turning toward new IoT technologies to enhance the user experience and reduce costs. Some banks have started using beacons, for example, to send customized offers right to customers' smartphones as soon as they enter the branch. And some ATMs now have live stream video support that allows customers to speak to tellers if they need additional assistance. Financial executives are pouring significant money into these technological changes to help stave off competition from tech companies that are sticking their hands into the financial services industry. A recent PwC survey revealed that these executives expect their digital investments to increase their revenues and enhance the customer experience above all else.


Business and IT alignment gets physical at Avnet

We take business and IT alignment very seriously at Avnet. For example, my senior IT leaders are part of the lines of business unit teams, and they sit in those executive teams. Their variable compensation is tied to business performance and not just IT performance. We take that very seriously. What we find is happening in business, in general, is just the rate of innovation, the rate of change is accelerating. So at Avnet, we're introducing agile methodologies to help move faster and be more nimble. What we're finding is key to that increased rate of innovation is really that we need colocation, so we're colocating our IT teams with our business teams. It helps to really bring the groups together and follow a term that we have in IT, which we call 'place business at the center of IT.'


Hired guns: The rise of the virtual CISO

There's no universal standard for hiring a virtual CISO. You can set up a retainer for a certain number of hours, you can hire someone on a project basis, and/or you can even buy a chunk of support hours and use them when you need them. It's a way of getting the cream of security talent without buying the whole cow. Contracting a virtual CISO can be far more cost effective than hiring a full-timer. They can fill in where you need it the most, helping your CIO pull together your security policies, guidelines and standards. That could entail anything from coming to grips with HIPAA or PCI compliance to staying on top of vendor risk assessments. A qualified virtual CISO is going to be fully up to speed on the latest best practices, they have experience dealing with a wide variety of scenarios, and they are well-positioned to train your internal security staff.


Empower your employees by embracing shadow IT

Embracing shadow IT can actually benefit your company and your employees, but according to Martin Johnson, senior director of Cloud Product Marketing at Blue Coat, attitudes around shadow IT will likely change depending on who you talk to. Employees at smaller business units don't necessarily consider the negatives of adopting new software without IT's knowledge. Rather, they see it as a faster and more efficient way to increase productivity and alleviate redundant tasks. For example, your workers might opt for a third-party cloud service over an internal network, so they can access files across devices or on the go, which leaves IT largely out of the loop, but makes their work lives easier. IT, on the other hand, views it as a "security risk," according to Johnson, but notes that IT departments also understand the importance of remaining on top of the latest technology trends.


Digital Transformation Boosts Captive Offshore Center Growth

Cultural differences and alignment with business objectives historically have been the biggest challenges for captive offshore centers. But as they have taken on higher-level deliverables like digital services, these GICs must also rethink their talent acquisition models. "The GICs are undergoing fundamental shifts in their operating models… from being centered around arbitrage to skill-centric, functional orientation," says Kala. "This shift is significantly impacting the relative emphasis on talent attributes required for success." Domain, functional, and technical knowledge are now table stakes; digital services require skills in the areas of collaboration, analysis, creativity and innovation.



Quote for the day:


"First ask yourself: What is the worst that can happen? Then prepare to accept it. Then proceed to improve on the worst." -- Dale Carnegie


September 13, 2016

Indian-origin scientist's tech to let you read closed books

Terahertz frequency profiles can distinguish between ink and blank paper, in a way that X-rays cannot, and have much better depth resolution than ultrasound. The system exploits the fact that between the pages of a book tiny air pockets are trapped, about 20 micrometres deep. The difference in refractive index - the degree to which they bend light - between the air and the paper means that the boundary between the two will reflect terahertz radiation back to a detector. In the new system, a standard terahertz camera emits ultrashort bursts of radiation, and the camera's built-in sensor detects their reflections. From the reflections' time of arrival, the algorithm can gauge the distance to the individual pages of the book.


CIOs, CTOs playing greater role in technology decisions

"What we found is that, in the past, CIOs and CTOs reported to the COO or CFO, and they weren't getting as much of a seat at the table as far as strategy and more tactical initiatives go. Their role was just to make sure IT departments and technology spending were kept under control and overhead was low -- but with the cloud and digital, tech leaders are seen as more than just a cost center, they've become increasingly strategic and their voices are louder," says Steve Keathley, national technology leader, Deloitte Growth Enterprise Services and Partner Deloitte Consulting, LLP. Mid-market organizations are increasingly seeing productivity gains and a faster time-to-value as a result of technology investment, which is driving a willingness to see technology as a solid investment, Keathley says.


Blockchain can not only transform insurers, but also benefit customers; here’s how

A shared ledger can reduce the instances of fraud as companies can ensure that there are no subsequent claims on the same product. But the real application of the technology comes in the form of the new niche insurance products it creates when combined with the internet of things (IoT). For instance, the black box in a car can generate data on the driving habits of the user, based on which blockchain can help create personalised insurance covers for each kind of user. ... One of the pain points of insurance for consumers is the claim approval process. Blockchain can ensure faster validation of data and quicker disbursement. Also, with IoT systems and better tracking of consumers, this process can get even faster. For instance, a home security system with cloud connectivity can allow companies to track information in real-time and help process claims.


5 Ways Blockchain will Transform Financial Services

Financial institutions across the world are responsible for complying with and reporting on a number of requirements from their local regulator. Know Your Customer (KYC) is a key requirement here, but the process can be incredibly time consuming and lack the automated customer identification technology and integration needed by teams to efficiently carry out their work. Blockchain technology could provide a digital single source of ID information, allowing for the seamless exchange of documents between banks and external agencies. This would likely result in automated account opening and reduced resource and cost, all whilst maintaining the privacy of data that is legally required.


The IoT and Cloud security measures — not as well developed as needed

"Cloud security continues to be a challenge for companies, especially in dealing with the complexity of privacy and data protection regulations," said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. "To ensure compliance, it is important for companies to consider deploying such technologies as encryption, tokenization or other cryptographic solutions to secure sensitive data transferred and stored in the cloud." Agreed Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto, a leader in digital security, "It's quite obvious security measures are not keeping pace because the cloud challenges traditional approaches of protecting data when it was just stored on the network."


Startup maps journey to automate US freight trucking

“It’s too simplistic to say this is Uber for trucking,” he says. “The Uber problem is one of ‘I need a car now and give me the closest car’; the shipping one is ‘I need a truck at a certain time with a certain load going in a certain direction, plus there are contractual relationships’. Then there’s the Big Data element of understanding traffic patterns, predicting where you need capacity and optimising routes.” Kropp and CFO Jan Gildemeister each have over 10 years’ experience in trucking and logistics and say they want to create the “next evolution of trucking technology”. Kropp says that truck fleet operators have tended to focus on improving fuel economy, aerodynamics and other elements but believes that, by taking a fresh look at the logistics of the industry, much bigger savings are to be had.


5 tips to successfully pitch your IT project

There are many statistics about how many IT projects fail and many internet posts suggesting why. After hearing the above story from a friend, I have been wondering how many worthwhile IT projects never even get greenlighted and why? I suppose accurate statistics would be hard to find, after all, what doesn't get started rarely gets documented and measured. As a guide, though, multiply the number of projects that you yourself have not successfully pitched by the number of project teams that you imagine there are on the planet (Project Management Institute estimates that there are 16.5 million project managers in the world) and you probably have a very big number indeed floating across your mind. These can't all have been terrible projects, can they?


Designing with Exceptions in .NET

If you read early literature on .NET design patterns, you’ll often come across the phrase “pit of success”. The basic concept is this: make the code easy to use correctly, hard to use incorrectly, and ensure the exceptions tell you what you did wrong. This philosophy of API design guides the developer into writing correct code almost by default. This is why a naked NullReferenceException is so bad. Other than the stack trace, which may be quite deep into the library code, there is no information to help the developer figure out what they did wrong. ArgumentNullException and InvalidOperationException, on the other hand, give the library author a way to explain to the application developer how to fix the problem.


CIO skills: The right stuff for executive-board, CEO positions

CIOs are definitely becoming CEOs. We've seen a couple of interesting statistics, and things in the market evolved over the last couple of years. Within the Fortune 500 today, for example, CIOs are now reporting to CEOs 56% of the time. That's up about 12% over the last five years. And depending upon the environment, the CIO touches the enterprise across the entire technology function, likely the platform, becoming much more comfortable with being front and center with clients and customers. And so the CIO is actually very well positioned to take even a greater stride towards becoming CEO in the future.


Is your security awareness training program working?

Training in and of itself is not enough. A successful awareness program will have training in conjunction with the testing. "Do the training to know what’s going on and the testing to keep it activated in people’s minds. Who falls for the bait?" Weber said. "Each person in the organization should be tested monthly. It could be more frequent than that, but not to the point of annoying people. That’s measurable," Weber said. Because so many breaches are the result of human error, "Sometimes it’s easier to block access to it all and then grant access by request. Then anybody who requests access needs to install some type of device management software to help organizations keep track and monitor and have a little bit more control over the resources," Weber said.



Quote for the day:


"Distilling truth from overwhelming amounts of information is the essence of leadership." -- Carly Fiorina


September 12, 2016

Thousands Of Seagate NAS Boxes Host Cryptocurrency Mining Malware

The researchers used an internet scanning engine called Censys to identify public FTP servers that allow anonymous access with write privileges. They found 7,263 such servers and determined that 5,137 of them had been contaminated with Mal/Miner-C. Another interesting discovery was that many of those FTP servers were running on Seagate Central NAS devices. While this malware threat does not specifically target such devices, it turns out that Seagate Central's configuration makes it easier for users to expose insecure FTP servers to the Internet. By default, the Seagate Central NAS system provides a public folder for sharing data, the Sophos researchers said in a paper published Friday. 


Microservices Imply a Distributed System

When you split up your systems landscape into small components, testing is required at a lot of different levels. First of all, inside your components, unit tests will likely cover the component’s internals. Next, the service interface needs to be tested to check whether it produces the right output or document, such as JSON objects or PDFs. Next, applications or other components consuming services offered by a component need to test whether that component still offers the right output. As the services in a microservices architecture are loosely coupled, usually via REST and JSON over HTTP, a change to a service interface is not always picked up immediately by the consuming teams. By running automated tests at every change of a component, the pipeline signals breaking changes as fast as possible.
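The consumer-side check described above, written as an added example rather than code from the article or any particular project: a consumer records the fields and JSON types it depends on as a contract and runs it against the provider's response on every build. The provider versions, field names and the contract itself are constructed for illustration; a real consumer would fetch the body over HTTP instead of calling a function.

```python
"""Added example: a minimal consumer-driven contract check for a JSON
service interface. Field names, provider versions and the contract are
constructed for illustration, not taken from any real service."""
import json
from typing import Any, Dict, List

# Contract the consumer relies on: required field -> expected JSON type.
ORDER_CONTRACT: Dict[str, type] = {
    "order_id": str,
    "amount_cents": int,
    "currency": str,
    "items": list,
}


def provider_v1() -> str:
    """Provider response before the change (constructed sample)."""
    return json.dumps({"order_id": "A-1001", "amount_cents": 2599,
                       "currency": "EUR", "items": [{"sku": "X"}]})


def provider_v2_breaking() -> str:
    """Same endpoint after a change that renames a field and changes a type."""
    return json.dumps({"orderId": "A-1001", "amount_cents": "25.99",
                       "currency": "EUR", "items": [{"sku": "X"}]})


def check_contract(body: str, contract: Dict[str, type]) -> List[str]:
    """Return a list of contract violations; an empty list means compatible."""
    violations: List[str] = []
    try:
        doc: Any = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"response is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]
    for field, expected in contract.items():
        if field not in doc:
            violations.append(f"missing field '{field}'")
        elif expected is int and isinstance(doc[field], bool):
            # bool is a subclass of int in Python; reject it explicitly
            violations.append(f"field '{field}' is bool, expected int")
        elif not isinstance(doc[field], expected):
            violations.append(
                f"field '{field}' is {type(doc[field]).__name__}, "
                f"expected {expected.__name__}")
    return violations


if __name__ == "__main__":
    # Run the contract against both provider versions; a non-empty list
    # is what the pipeline should turn into a failed build.
    for name, fn in (("v1", provider_v1), ("v2", provider_v2_breaking)):
        print(name, check_contract(fn(), ORDER_CONTRACT) or "compatible")
```

The point of keeping the contract on the consumer side is that the provider team's own tests cannot know which fields each consumer reads; the renamed `order_id` and the string-typed `amount_cents` in the second version pass the provider's serializer but fail this check immediately.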


5 Tips for How to Work Safely Beyond the Corporate Firewall

Some people tell me we should focus on flexibility and forget about control. Others say we have to control information and forget about flexibility. I say you can and should have both. The only real way to maintain an acceptable level of control is to also offer your workforce flexibility. This is more important than ever in this age of working beyond corporate walls and firewalls. You may have the best information management system and internal governance on the planet, but if you don’t accommodate distributed and mobile staff, you will lose control. People will find a way around your firewall if you don’t provide it for them. Basement email servers, unauthorized cloud drives, and personal smartphones, oh my! To safely work beyond corporate firewalls, follow the “cloud first, Web first, mobile first” principles of solution design for flexibility and control.


What You Must Know to Evaluate Unified Communications-as-a-Service

Thus, an all-in-one Unified Communications-as-a-Service (UCaaS) platform is pretty appealing. An extension of Unified Communications (UC), UCaaS wraps a host of business communication and collaboration applications and services into a single experience delivered via the cloud. That encompasses everything from enterprise social messaging and chat apps to online videoconferencing and meeting software to business voice-over-IP (VoIP) services. UCaaS platforms come in all shapes and sizes. There are different types of cloud and on-premises distributions, complicated security protocols, and vendors on all sides of the market—from VoIP and telecom providers to major cloud and enterprise players—pushing their own solution. Here are a few key considerations to help your CISO choose the UCaaS platform that best suits your organization.


Why Security Performance Will be Key in NFV

Think of this as some sort of security microcosm, where as we go from cellular to molecular level, there is the need to drive security deep into the data center, so that it becomes deeply embedded in a system that is analyzing the activity of every packet and application traversing the network. The central nature of the SDN paradigm makes this a better security model, in general. Rather than managing security policies on individual devices or proprietary hardware systems, a centralized SDN controller could analyze and supervise security across an entire data center. Pursuing a zero-trust, stateful security model – in which all applications are monitored in real time – can provide enhanced security for east-west traffic within the data center, implemented closest to VMs and containers.


The Malware Battle Is Mostly Silent

For security researchers, the fact that malware authors include abusive messages in their code comes as an acknowledgement of their work. Thus, researchers will continue to report on new and updated malware, regardless of whether developers are dissatisfied with how their malware is portrayed or are unhappy that they made it to the headline. “We believe it’s crucial to inform Internet users, whether home users or people involved in companies, of emerging cyber threats. It’s not only about building awareness, but it’s also an essential tool to help people learn how to get protected,” Andra Zaharia said. “We believe that spreading correct and relevant information about new and improved malware is an important part of helping people become more aware of the issue and its potential impact.”


The Right Time and Place: Data’s Enabling Role in Enterprise IoT

The key to making the most of any operational or service-based enterprise IoT application is to act on data at its peak point of value: the moment it is created. If your vehicle operating system learns about an imminent traffic hazard, you’ll need it to notify the driver immediately, not minutes later. That means enterprises will need to increase the velocity of data processing. The traditional process, where data is collected in one place, and then processed and analyzed in multiple separate phases, slows things down and is not a sustainable model for the volume and velocity of IoT-produced data. Instead, data refinement, processing and analysis must move closer to the connected device. Sensor manufacturers are already developing compute capabilities that happen on the device, breaking analytics out of the data center and putting it into the real world.


Trouble Spotted On The Network

When you work for a smaller organization, you don’t have the luxury of a 24/7 SOC. In my company, we compensate by building automation into the monitoring of our logs and cherry-picking events that will generate email notifications. Other events get our attention when we can carve out time to monitor the threat logs generated by our advanced firewalls and the security logs produced by a multitude of other devices: web and database servers, load balancers, proxies, file integrity monitoring software, etc. We collect the logs in a centralized server, and a few filters help identify logs that meet certain criteria. A couple of analysts and I take turns monitoring the filtered logs. We don’t get 24/7 coverage, but it’s pretty close.
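A filter of the kind described above, as an added example that is not the author's own tooling: single-line rules pick out events that should trigger an email notification right away (file integrity changes, firewall threat hits), a lower tier is queued for review when time allows, and one aggregating rule raises an alert when the same source fails SSH authentication repeatedly inside a short window. The log line format, rule names, thresholds and the sample lines are all constructed for the example.

```python
"""Added example: a small log filter run over constructed sample lines.
The 'timestamp host program: message' format, the rules, the thresholds
and the sample events are assumptions, not a real deployment's config."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (documentation-range addresses, invented hosts).
SAMPLE_LOGS = """\
2016-09-14T08:00:01 web01 sshd: Failed password for invalid user admin from 203.0.113.7 port 51812
2016-09-14T08:00:03 web01 sshd: Failed password for invalid user admin from 203.0.113.7 port 51813
2016-09-14T08:00:05 web01 sshd: Failed password for invalid user admin from 203.0.113.7 port 51814
2016-09-14T08:00:09 web01 sshd: Failed password for invalid user admin from 203.0.113.7 port 51815
2016-09-14T08:00:10 web01 sshd: Failed password for invalid user admin from 203.0.113.7 port 51816
2016-09-14T08:01:00 db01 fim: file changed /etc/passwd (checksum mismatch)
2016-09-14T08:02:11 fw01 threat: blocked outbound to 198.51.100.23 category=command-and-control
2016-09-14T08:03:00 web02 sshd: Accepted publickey for deploy from 192.0.2.5 port 40001
2016-09-14T08:05:00 lb01 haproxy: backend web-pool has no server available
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")


@dataclass
class Alert:
    severity: str   # "notify" = send an email now; "review" = look at when time allows
    rule: str
    host: str
    detail: str


def parse(line: str) -> Optional[dict]:
    """Split one line into fields; return None for lines that don't fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


# Single-line rules: (rule name, severity, regex on program, regex on message).
LINE_RULES = [
    ("fim-change", "notify", r"^fim$", r"file changed /etc/"),
    ("fw-c2", "notify", r"^threat$", r"category=command-and-control"),
    ("lb-no-backend", "review", r"^haproxy$", r"no server available"),
]

FAILED_LOGIN_RE = re.compile(r"Failed password .* from (?P<src>\d+\.\d+\.\d+\.\d+)")


def evaluate(log_text: str, threshold: int = 5, window_seconds: int = 60) -> List[Alert]:
    """Apply the line rules and the failed-login rate rule; return alerts raised."""
    alerts: List[Alert] = []
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        for name, sev, prog_re, msg_re in LINE_RULES:
            if re.search(prog_re, rec["prog"]) and re.search(msg_re, rec["msg"]):
                alerts.append(Alert(sev, name, rec["host"], rec["msg"]))
        m = FAILED_LOGIN_RE.search(rec["msg"])
        if m and rec["prog"] == "sshd":
            times = failures[(rec["host"], m.group("src"))]
            times.append(rec["ts"])
            # Drop events that fell out of the sliding window.
            while (times[-1] - times[0]).total_seconds() > window_seconds:
                times.pop(0)
            if len(times) >= threshold:
                alerts.append(Alert("notify", "ssh-bruteforce", rec["host"],
                                    f"{threshold} failed logins from {m.group('src')} "
                                    f"within {window_seconds}s"))
                times.clear()   # alert once per burst, not on every further failure
    return alerts


def to_notify(alerts: List[Alert]) -> List[Alert]:
    """The subset that should go out as an email notification immediately."""
    return [a for a in alerts if a.severity == "notify"]


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOGS):
        print(f"[{a.severity}] {a.rule} on {a.host}: {a.detail}")
```

Two design points carry over to a real deployment: the aggregation key is (host, source) rather than source alone, so a noisy scanner against one box does not mask a second one, and the burst counter is cleared after it fires, which keeps one attack from generating one email per further attempt.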


How a loud noise brought a data center to its knees

In a peculiar and rare phenomenon, the loud noise created by inert gas being released during a planned test of fire extinguisher systems not only forced the bank's main data center in Bucharest, Romania, offline, but also managed to destroy dozens of hard drives in the process, causing serious and irrevocable damage. Inergen is a kind of fire extinguishing system which relies on gas rather than traditional foam or liquid. Suitable for enclosed spaces, Inergen, stored in cylinders as compressed gas, is dispersed through hoses and nozzles evenly across a small space to wipe out fires. Usually, this kind of fire protection would be best suited for data centers -- especially as foam and liquid would damage valuable and delicate equipment -- but in this case, something went horribly wrong.


Why automating software testing without restraints reduces benefits

Automation gives you a lot of confidence that things are working. It empowers your QA testers to go off and do the most valuable tasks. We've been using TestPlant [eggPlant Functional] to automate routine tasks, for example. This frees up time for exploratory testing or destructive testing, where testers sit down and really pull the product apart, and try and do weird and wonderful things with it. A lot of QA teams spend way too much time doing regression tests, and that's where automation really does help. Without automation, the scope of your testing is incomplete, because you're only going to do regression testing for what you can remember, which is probably three or four sprints back. And then, things drop off.



Quote for the day:


"Trust because you are willing to accept the risk, not because it’s safe or certain." -- Anonymous


September 11, 2016

Why the Blockchain Is Perfect for Government Services

As a government entity, what can you do with the blockchain? Generically, there are 4 categories of activity: 1) Verification. Licenses, proofs of records, transactions, processes, or events. Did this event take place? Was this service performed on this piece of equipment? Does this person have the right permit?; 2) Movement of assets. Transferring money from one person/entity to another. Enabling direct payments, once a work condition has been performed; 3) Ownerships. Land registries, property titles, and any type of real estate ownership. The blockchain is a perfect keeper of the chain of custody for any physical asset; and 4) Identities. Governments and cities should issue blockchain e-identities to their citizens, enabling them to securely use services like voting.


When A.I. whispers in your ear all day

Google is working on a secret initiative called Project Aura. (Don't confuse Project Aura with Google's Project Ara, a modular smartphone research program discontinued this week.) Project Aura is rumored to involve an enterprise version of Google Glass, plus one or two audio-only wearables -- often described as Google Glass without the glass -- essentially screen input replaced by voice and Google Now. Microsoft is reportedly building a hearable device, possibly aimed at women, called the "Clip." The earpiece would enable hands-free interaction with Microsoft's Cortana virtual assistant.


Blockchain Really Only Does One Thing Well

Despite the hype, blockchain is not a “trust protocol”; it’s actually the opposite. Just think about it: it’s not as though paying by bitcoin stops you from being ripped off. For anything of value other than bitcoin to be transacted via the blockchain requires additional layers of agents, third parties and auditors – things that just don’t square with the trust-free architecture. Lofty claims are made for blockchain’s ability to decentralise all sorts of things. But in truth, blockchain only decentralises the adjudication of the order of entries in a ledger. It is not a general or native “Internet of Value” as claimed by authors like Don and Alex Tapscott. It was expressly designed for electronic cash; it has no native connection to real world assets.


The Blockchain: An Experiment in Governance Without Power

The absence of a central authority figure is also not synonymous with a lack of leadership. To the contrary, it means anyone and everyone is able to lead. The difference is that without compulsion, different ideas and solutions must openly compete against each other. No one can be forced to accept any service or use any software. The resulting competition means that multiple solutions to different problems can be market tested and users will ultimately vote with their feet. This simple dynamic is the key to not only how the bitcoin ecosystem works, but how it can ultimately thrive over centralized planning. Ineffective solutions to problems on the part of stakeholders are able to fail in isolation without threatening the whole ecosystem, and valuable solutions can succeed and grow on their own merit and earn the appropriate amount of market share.


U.S. lawmakers make last-ditch bid to block internet governance transfer

The lawmakers said there is still no legal certainty about whether the termination of the IANA functions contract would amount to relinquishment of U.S. government property, despite a request in 2015 to the Government Accountability Office to do an audit report on the issue. Relinquishment of government property would require approval from Congress, the legislators wrote. In the Senate, Ted Cruz, a Republican senator from Texas, on Thursday urged Congress to stop the proposed “giveaway” of internet control by the administration of President Barack Obama, warning of the risks of increasing the influence of countries like Russia, China and Iran over the Internet.


Why CISOs should stop focusing on data

As technical people, CISOs and other security and risk professionals tend to be very detail-oriented, thorough and complete. But they ignore the fact that this approach will not give them the best results. If the CEO gives you only five minutes to present, how can you use that very brief moment to make a pitch, highlight your concerns and get the funding to enable you to do the right security projects? It's a very tricky situation. So CISOs should try to make their presentations more interesting rather than complete. This is where storytelling comes to their rescue. It's a very powerful medium of communication and leverages the elements of images, visuals, events and language to convey a message effectively. Oftentimes, CISOs feel that as a part of their role they do not need the skill of storytelling.


Changing enterprise architect role opens new doors, closes others

"The enterprise architect must provide the vision on how to maintain a consistent approach to delivering IT services across all these platforms, while providing a unified approach to foundational IT components," Carroll said. This will also include providing secure, consistent access to these applications. Carroll said he envisions the new enterprise architect functioning essentially as a cloud and mobile services leader for the business, choosing the appropriate platforms and creating a clear vision for the use of cloud and mobile technology. ... Meanwhile, other experts see the role of the enterprise architect splitting, particularly as the architect role goes beyond designing systems. The rise of DevOps will bring the enterprise architect into working with application development teams, said Rich Kucharski, vice president of solutions architecture at SimpliVity Corp.


Why whole-enterprise architecture matters

Although we can’t know from outside how the systems are structured, there are several options to make it work better from a user’s perspective. Whilst it depends on the actual structures, of course, one example would be to be much more explicit about what has or hasn’t been confirmed – such as the ‘success-page’ modified to show the current status for each partner-booking, and update that success-page as messages come back in, accessible via the ‘Manage My Booking’ or equivalent functionality on the airline’s web-page. Another option would be to auto-trigger email-alerts after a time-out period, to warn the customer that expected confirmation-messages have not been received. Even with current technologies, none of this should be hard to architect, design and implement.


IT4IT™ and TOGAF® – How Do They Fit Together?

For a CIO, IT4IT gives me a way to look across my organization, and to assess all its functional components for quality or maturity (or whatever other factor is important) and to decide where my biggest pain points are. IT4IT also gives the CIO a very clear way to understand the data needed to manage an IT organization and provides a framework for evaluating how well that data is flowing across the different organizational silos. A second perspective for which IT4IT is useful is that of an Enterprise Architect. As an Enterprise Architect, it would be my job to look across the entire enterprise. We use the Porter Value Chain here as one simple representation of a way to segment your Enterprise Architecture according to TOGAF.


Benefits of Agile Transformation at Barclays

It is also worth noting that teams who are just beginning their agile journey need some guidance on what practices they should implement first. Experienced agile practitioners understand that the practices you use depend on your context; however, for beginners this just leaves them feeling lost and confused. We use a four-level scale for teams to measure themselves against, where level 1 is more prescriptive and practice-based, moving towards output/outcome measures as teams move to levels 3 and 4. These levels are a lagging indicator of agility and they aggregate things like reduced lead time, increased quality, automation, technical excellence and team structure. It is important that these are not framed as the reason why agile is being adopted. The reason why is separate; the levels are waypoints on the agility journey, useful for planning ahead.



Quote for the day:


"Everything we care about lies somewhere in the middle, where pattern and randomness interlace." -- @JamesGleick


September 10, 2016

How GIS is Helping Electric Cars on the Road

The use of GIS is becoming of paramount importance in creating infrastructure that makes electric cars more feasible for more people traveling on the road. For one, unlike normal vehicles, simply mapping the shortest or fastest route to a destination might not be feasible for an electric car, as it may need to recharge along the way. Charging stations often need to be incorporated into the calculation, including which ones are available and can charge relatively quickly. This makes the use of real-time data about given charging points, traffic patterns, and road conditions critical. ArcGIS provides some free data on charging stations that helps navigate areas. The University of California Davis created an application called EV Explorer that allows you to map your journey using information about charging points and costs of charging when planning a journey.


What would a blockchain world look like?

One reason the blockchain reaction is racing toward critical mass faster than previous disruptive technologies is that it is arriving in the midst of the digital transformation already sweeping through most sectors of the global economy. Consequently, despite the obstacles still to be overcome, businesspeople and governments are preconditioned to recognize blockchain’s potential and tech companies have already established much of the digital infrastructure required to realize blockchain business visions. Early pilots are already underway in many industries. They tend to focus on blockchain uses that drive cost out of business processes by making transactions more efficient.


SWIFT report examines Bitcoin as a currency

“This would create a new dynamic in the global monetary order, one in which central banks would struggle to implement monetary policy,” Wilkins said, “And, central banks couldn’t act as lenders of last resort as they do for their own currencies.” The Bank of Canada has since researched digital currencies extensively. ... Author Warren E. Weber states “it is unlikely that the Bitcoin standard will come into existence, because governments and central banks will take actions to prevent it.” A similar sentiment was expressed by JPMorgan Chase CEO, Jamie Dimon, in November 2015. “Virtual currency, where it’s called a bitcoin versus a U.S. dollar, that’s going to be stopped,” Dimon predicted. “No government will ever support a virtual currency that goes around borders and doesn’t have the same controls. It’s not going to happen.”


Winning the cyber war with AI and cognitive computing

There are some exciting developments in cognitive computing from both start-ups and industry leaders such as IBM with its IBM Watson solution. I believe we are already seeing some of these trends showing positive results with new security products hitting the market that find anomalies in unstructured data. However, I don’t see these results as a cyber silver bullet. One problem that we are going to have to overcome is that the bad guys may already (or will) have access to some of the same (or different) tool sets that use AI and cognitive computing. I have told several young audiences to remember that Darth Vader was well trained. In other words, the same technology can be used for good and for evil. Putting controls on use of this technology may be effective for a time, but they can also lead to other problems.


The Evolution of Digital Marketing In The Enterprise

Today’s digital marketing executive brings much needed focus, rigor, and strategic optimization of existing content across all channels, producing stronger outcomes and the ability to scale resources while amplifying organizational marketing efforts. It is key to increase the entire marketing team’s focus, intelligence, and internal influence while successfully advocating for digital resources to build and enhance highly skilled teams. With a strong digital marketing executive leading the digital efforts, digital marketing is positioned as an ideation hub within the business unit, driving execution of digital tactics and marketing solutions against the backdrop of corporate strategy proficiency. Supported properly, the digital team can and should deliver tactical execution of email marketing, website updates and builds, social media, SEM/SEO, video, design, and user experience.


8 Vital Steps to Data-driven Operations in Your Business

While many businesses start by using data to inform their decision making, data can also go a step further and integrate into your daily business operations and help you run the business more smoothly. This aspect of big data is less about people making better decisions and more about using systems and algorithms that automate and improve processes. Whether you want to improve your manufacturing process by automatically identifying faults, optimizing delivery routes, targeting the right customers, or detecting fraud, data can help. Here I set out an eight-step process for changing the way you run your business using big data.


Ecosystem of Cloud Services for Enterprise App Development

Applications have not historically been designed to leverage third party cloud services. With the rise of cloud platforms like AWS, Azure, Bluemix, and others have come new ways of managing and deploying applications in the cloud. The floodgates are open, and best of breed services are emerging to complement or supplement the capabilities of these cloud platforms. The Box Content API is one of many such emerging cloud services, and with this article we’ll deep dive into some of the other strategic cloud services you should be thinking of for your modern IT stack. This ecosystem diagram is not meant to be exhaustive or exclusive; it is a point-in-time view of the world from our vantage point with our Box customer base. We are often asked by CIOs and CTOs at our customers what we see as the landscape that Box fits into, and this is an attempt to answer those questions:


Cloud plus artificial intelligence = future

Technology around us will provide an “augmented intelligence” that will help humans to make smarter decisions, improve business models and solve problems that were previously intractable. “The ways in which we are able to interact with computers is going to make people a lot more efficient and more effective, and build digital models.” This, says Richard Paris, senior data scientist at KPMG New Zealand, is the future of digital. We are increasingly seeing the digital world interact in our everyday lives, says Paris, who spoke at the inaugural KPMG Technology Series in Auckland. People interact with smartphones and these devices are becoming our intelligent assistants. “We are moving into the Internet of Things (IoT),” he adds. “We are surrounded by devices getting data from us, so we interact with them.”


Vietnam’s Cyber Security Law Threatens Privacy Rights and Encryption

The third chapter of the law deals with ‘civil cryptography’ (the storing, sending and receiving of encrypted messages). From a rights perspective, this chapter and the subsequent July 2016 Decree on Civil Cryptography are greatly concerning. Encryption tools and services are now divided into two overarching categories – those that require a license and those that can be freely distributed without a license. Widely used free chat services like WhatsApp, which employ end-to-end encryption, should not require a license: “Operating systems, Internet browsers and software with integrated cryptographic components (though cryptographic protection of information is not the primary function), which are used on a grand scale and developed to be installed by users without providers’ help” are exempted.


Fraudsters, hackers & thieves!

Financial information such as credit card numbers is still coveted, although its per-card value is going down and its shelf life is short, since credit card companies and credit card owners are using technology to shut down fraudulent transactions quickly. Instead, the new sought-after information comes from insurance, government and healthcare organisations, which are now being targeted. The more details someone has about an individual, the easier it is to commit identity fraud, and targeting these groups provides criminals with more complete profiles of individuals. Real names are still the most common (78%) type of information exposed, according to the ISTR, followed by home addresses, birth dates, government IDs (such as social security numbers), medical records, and financial information.



Quote for the day:


"In order to succeed in anything you have to do even the hard things when you don’t want to." -- Elizabeth McCormick


September 09, 2016

Using analytics to align IT with the business

"Inevitably, conflicts arise because different line of business and departmental managers see IT priorities differently," said John Saaty, CEO and co-founder of Decision Lens, which provides decision analytics software that aligns the IT portfolio and its projects with business strategy. Determining the best path toward achieving company objectives with IT is also more important than it has ever been before, as CIOs continue to get pushed to deliver results that are both strategic and transformational to the business. Decision Lens offers a cloud-based, software analytics approach to this often difficult phase of mediation, where some IT projects get prioritized and others don't. "The idea actually began in political negotiations with my father, who as a mathematician developed decision concepts for conflict resolution back in the 1970s," Saaty said.


Enterprise augmented reality: AR applications are just around the bend

AR applications are not confined to the unique needs of shipbuilding. Training and education are both fertile territory for AR technologies. Emerson Educational Services and Fisher Flow Controls have come up with an AR-based training system for engineers and technicians. "One of the groundbreaking tools we are working on is augmented reality, allowing us to superimpose a 3D computer model onto a real world object in real time," said Richard Ritter, instructional designer at Emerson Process Management, in an email exchange. The goal, Ritter explained, is to show workers how to install or repair Fisher products. The application uses a platform developed by Scope AR. "This will impact how we train our employees and customers in a positive way," Ritter added.


How Citibank Delivers Real Business Benefits With Its Data-First Approach

In addition to architecting and engineering the data technology platform, his Data Science team often acts to “jump-start” Big Data-driven analytical activity within whatever parts of the business it can be shown to benefit. Identifying where Big Data resources can most effectively be used involves lining up business use cases with technological capabilities, and is one of the biggest opportunities. Simone tells me, “Since the inception of our Data Innovation program, we have executed hundreds of proof-of-concepts and use cases, all validated against meeting specific business requirements. We are focused on having actionable results that are balanced with very specific metric-based outcomes.”


Artificial Intelligence Swarms Silicon Valley on Wings and Wheels

“Whenever there is a new idea, the valley swarms it,” said Jen-Hsun Huang, chief executive of Nvidia, a chip maker that was founded to make graphic processors for the video game business but that has turned decisively toward artificial intelligence applications in the last year. “But you have to wait for a good idea, and good ideas don’t happen every day.” By contrast, funding for social media start-ups peaked in 2011 before plunging. That year, venture capital firms made 66 social media deals and pumped in $2.4 billion. So far this year, there have been just 10 social media investments, totaling $6.9 million, according to CB Insights. Last month, the professional social networking site LinkedIn was sold to Microsoft for $26.2 billion, underscoring that social media has become a mature market sector.


Developers Are Flocking to Blockchain Bootcamps

With banks and insurers starting to tinker with the blockchain, as a tool to record transactions and asset transfers, and venture capitalists investing more than $1.1 billion in related startups, there aren’t enough developers who have mastered the software. The career site Indeed.com listed 136 jobs with “blockchain” in the description as of Sept. 7, everywhere from New York to Boston, while Monster.com posted 77 jobs. “The supply of people that have extensive blockchain experiences is pretty low,” said Jered Kenna, an entrepreneur who may be hiring a blockchain expert this fall. “And the demand is quickly increasing. Sometimes they get five job offers a day.”


BMC Advises IT Pros to Get Ready for the Hyper Agile Enterprise

Blockchain is basically a distributed database that uses a secure digital ledger of transactions that users can share across a computer network. "It has the potential to completely redesign how we do transactions if it takes off, though I don't know if it will," said Beauchamp. Finally, he noted that many essential computer technologies are being rewritten by breakthroughs in artificial intelligence changing everything from customer service to anticipating security threats. Beauchamp said a new kind of "hyper-agile digital enterprise" is needed to deal effectively with all the technology advances that continue to emerge. He emphasized it's not just about adopting technology, but redesigning how companies relate to customers, their supply chain, partners and their employees.


Why APIs Are Worth The Time And Attention Of IT Professionals

"The addition of Apigee's API solutions to Google cloud will accelerate our customers' move to supporting their businesses with high quality digital interactions," said Google SVP Diane Greene in a blog post. "Apigee will make it much easier for the requisite APIs to be implemented and published with excellence." Google is a bit late to the API management party, which ramped up in 2013 with CA acquiring Layer 7 and Intel acquiring Mashery (only to sell it to TIBCO last year). Other partygoers include 3scale, Akana, Axway, IBM, HP, Mulesoft, and Oracle, not to mention Amazon's API Gateway. Forrester has predicted a shakeout, based on its finding that only 40% of enterprises are advancing digital initiatives relating to mobility, IoT, and big data to the extent that API management investment would be beneficial.


Who influences CIOs? Here's the top 20

One surprise (until, that is, you see the quality of the content she publishes) is Martha Heller, the CIO recruitment expert. Martha has the second highest reach of all the people listed in the report, reaching an exceptionally high 9.3 per cent of the CIOs in the sample...This reflects the fact that her content output, Twitter follower / following base and day-to-day focus revolve around the CIO community. Perhaps surprisingly, only 10 technology analysts make the top 300, but leading the way is Michael Krigsman of CxOTalk. Michael's published content is heavily directed towards the CIO, which is why they are so attentive to his output. The biggest group in the 300 is the 'CIOs and IT Management' category, led by Chris Curran, Chief Technologist at PwC.


6 Ways to Build a Solid IT Foundation

Finding IT-centric employees is not an easy task. Consider building internship programs within your organization and work closely with local technical colleges to find IT students who are looking at the traditional IT industry without knowing that the physical security industry is even an option. Attend job fairs and educate students on the great career paths that they can take in the system integration industry. Many of these colleges have apprenticeship programs that integrators can be a part of. Growing an IT student within your organization through an apprenticeship program will result in an engaged and energetic new employee who has been trained in your company’s processes and procedures.


This USB stick will fry your unsecured computer

"When tested on computers, the device is not designed or intended to erase data. However, depending on the hardware configuration (SSD vs platter HDD), the drive controllers may be damaged to the point that data retrieval is impractical," the company said in its marketing material. USB Kill also said the device was created for use by hardware designers of public machines, such as photo booths, copy machines, airline entertainment systems and ticket terminals -- anything with exposed USB ports that need to "ensure that their systems resist electrical attacks." "Finally, the general public, or anyone who wants to test or kill their own devices should equip themselves," the company stated. "Penetration testers and security auditors should include the USB kill 2.0 to their arsenal of testing tools."



Quote for the day:


"The only way to do great work is to love the work you do." -- Steve Jobs


September 08, 2016

John McAfee’s company could spoil the party for Intel’s new venture

John McAfee states in the filing that in 1991 he entered into an agreement with McAfee Associates to transfer certain assets to it in exchange for stock and a promissory note, but at no point did he “assign the rights to his personal name, via assignment of trademark or otherwise, or agree to restrict his right to do business using his own name.” At the time of the agreement, John McAfee had not filed for or registered the trademark to “John McAfee” or “McAfee” or any other variation of the name, according to the filing. ... But none refer to John McAfee, who claims that Intel "never consulted, requested or otherwise obtained the permission of McAfee to use his last name as part of Defendants’ Marks on its products," according to the filing.


The Next Successful Hack May Be Your Fault

By careful design and timing of the message, it should be possible to make virtually any person click on a link, as any person will be curious about something, or interested in some topic, or find themselves in a life situation that fits the message content and context. Expecting error-free decision-making from users under these circumstances seems highly unrealistic, even if they are provided with effective awareness training. It's easy to become pessimistic about cybersecurity in the face of such behavior by advanced internet users who are well aware of the threat. Ordinary users, just because they are curious or easily distracted, appear to be the most vulnerable element in any computer system, and they are the one element that cannot be fixed. As Benenson wrote, "human traits such as curiosity will remain exploitable forever, as humans cannot be patched against these exploits."


As strong as your weakest link: A look at application vulnerability

When it comes to patching and updating software vulnerabilities, operating systems and web browsers seem to get all the love. But in reality, vulnerabilities in those two types of software usually account for a minority of the publicly disclosed vulnerabilities published in the National Vulnerability Database (NVD), the U.S. government’s repository of standards-based vulnerability management data. Where are the rest of the vulnerabilities? The majority are in applications (i.e. software that doesn’t ship as part of operating systems or browsers), and unless you’re spending time protecting those too, your application layer could be a big chink in your IT armor. CIOs, CISOs and their security teams need to focus on assessing and patching known vulnerabilities in all business apps, or they could in fact be missing the bulk of the vulnerabilities that exist in their environments.


IoT for Logistics in India – One of the Largest Upcoming Domains

At the first level, the biggest contribution of IoT is to monitor assets and focus on avoiding predictable delays. For instance, a connected truck will report diminishing engine oil or an over-exerted clutch in advance, averting either an accident or an unexpected delay and thus enabling greater transit predictability. This connected asset will also enable organisations to achieve greater asset utilization. Fleet management can also extend to public services management: tracking peak and lean times and to-and-fro destinations, optimizing the number of vehicles available based on the traffic flow, and optimizing the available routes to minimize on-road time and fuel consumption, thus improving bottom lines.


Top EU court hedges on question of hyperlinking legality in Playboy case

The ruling concerned Dutch website GeenStijl, accused by Playboy of linking to an Australian website that published, without the magazine's permission, a photoshoot it had commissioned with Dutch TV personality Britt Dekker. Playboy's lawyers wrote to GeenStijl asking it to remove the link, but it refused -- and published a new link to another website hosting the photos without permission when they were removed from the Australian site. When the pictures disappeared from that site too, GeenStijl allowed its forum users to link to the photos on other sites. Playboy took its accusation that GeenStijl infringed its copyright all the way to the Supreme Court of the Netherlands, which in turn called on the CJEU to rule on a number of legal questions.


Encrypting the Internet of Things

"We're talking about some very constrained devices, 8-bit processors [with] little memory, low speed, low power," says cryptographer and IT security author Bruce Schneier. He sees the lightweight cryptography project as important because "a lot of the algorithms we have just aren't suitable for these constrained environments. ... We want good algorithms for constrained devices." NIST plans to create a portfolio of lightweight primitives through an open process, in which submitters describe physical, performance and security characteristics of these algorithms. NIST used a similar process to develop its portfolio of block cipher modes of operations. A block cipher mode is an algorithm that provides an information service, such as confidentiality or authentication.


Half of network management systems vulnerable to injection attacks

Getting access to a network management system gives an attacker a current map of the company's environment, without risking detection by running their own scans. To take advantage of one of these vulnerabilities, an attacker could physically enter an organization's facility and connect a small device, such as a Raspberry Pi, to the network. Or an attacker who already has access to a networked device through some other kind of attack could use this vulnerability to escalate their privileges, Heiland said. The products were Spiceworks Desktop, Ipswitch WhatsUp Gold, Castle Rock SNMPc, ManageEngine OpUtils, CloudView NMS, Opmantek NMIS, Opsview Monitor, Netikus EventSentry, and Opmantek NMIS. All nine vendors have been notified and have released patches to their products, said Heiland.


New tech can help catch spearphishing attacks

"We look at the IP address of the sending domain, the age of the domain, the DNS servers that are being used, all those elements," he said. The average cost of a spear phishing attack is $1.6 million, according to a survey released earlier this year by security firm Cloudmark and research firm Vanson Bourne, and 73 percent of respondents said that spearphishing was a significant threat. Over the past 12 months, 27 percent of organizations received a targeted spearphishing attack, according to a report released today by Osterman Research. And 11 percent of organizations were successfully tricked. "That's a little sobering," said Tim Helming, director of product management at DomainTools, the company that sponsored the research.


Smart Wearables Hold Productivity Potential In Enterprises

Specifically, enterprises such as manufacturing and science labs are starting to use smart eyewear in limited settings, said Jitesh Ubrani, a senior research analyst for IDC, and the coauthor of the Sept. 6 report. Ubrani told InformationWeek that IT is still trying to find where these types of devices fit within the larger enterprise. "Right now we're in the very early stages of how this benefits [enterprises]," Ubrani said in a phone interview. "We're talking about very small pilot programs and not mass deployments, at least not yet. If businesses are not in pilots this year, they may be considering them for next year." In addition to the few pilot programs, the number of offerings for enterprise-ready equipment is slim.



Quote for the day:


"Leaders should use sweet and soft words in case they need to eat those words sometime in the future." -- @GPackwood