Tech Bytes - Daily Digest - October 18, 2016
Most businesses vulnerable to cyber attacks through firmware, study shows
According to the survey, 63% of the individuals who consider their organisations to be fully compliant with firmware audits reported higher levels of effectiveness of their patch management processes. On the other hand, more than half of those that did not receive any feedback (51%) in this audit category had no controls for firmware integrity monitoring and flaw remediation. “With firmware maintenance being considered an operations function rather than a security concern, the chance for exploited vulnerabilities persists,” said Christos Dimitriadis, ... “It is time to underline the importance of firmware security in our risk assessments, and embed prioritised controls based on the threat model of each organisation, whether this includes espionage, transaction integrity loss or business disruption.”
The State of the Chief Information Security Officer
It is not surprising given the lower expectations and results that some well-intentioned and seasoned cyber security professionals go from CISO to Chief Scapegoat Officer in short order. Part of the problem is that even after nearly 30 years, the purpose and promise of the CISO is still very much unsettled. Some believe CISOs are not powerful enough or properly positioned in the organization to accomplish the job they have been asked to do. There are long-standing arguments over the proper reporting relationship of the CISO. If the CISO reports to the chief information officer (CIO), he/she can have direct impact to the IT organization and a seat at the table, but many CISOs continue to believe that such a relationship removes “independence” from the CISO’s agenda.
How to improve your odds of landing great talent
"We see there clearly are very different conversion rates depending on the source of a candidate; proactively sourced hires -- where a recruiter goes out and tracks down exactly the skills and experience needed for the role -- and referrals are such strong sources of hires because it increases the chances of a candidate having that cultural alignment with your company, as well as the hard skills they need," Srinivasan says. ... "A referral doesn't have to mean only someone a candidate knows well or has worked directly with. It could be something like, 'I've heard of this person by reputation in my field,' or 'I know such-and-such was a total rockstar developer at my last job,' and then recruiters can reach out on that basis," she says.
Critical flaws found in open-source encryption software VeraCrypt
The audit, which was performed by French cybersecurity firm QuarksLab and was sponsored through the Open Source Technology Improvement Fund (OSTIF), found eight critical vulnerabilities, three medium risk vulnerabilities and 15 low-impact flaws. Some of them are unpatched issues previously found by an older TrueCrypt audit. Many flaws were located and fixed in VeraCrypt's bootloader for computers and OSes that use the new UEFI (Unified Extensible Firmware Interface) -- the modern BIOS. TrueCrypt, which serves as the base for VeraCrypt, never had support for UEFI, forcing users to disable UEFI boot if they wanted to encrypt the system partition. VeraCrypt's UEFI-compatible bootloader -- a first for open-source encryption programs on Windows -- was released in August and is the biggest addition to the TrueCrypt code base made by VeraCrypt's lead developer,
8 digital life skills all children need – and a plan for teaching them
Educators tend to think children will pick up these skills by themselves or that these skills should be nurtured at home. However, due to the digital generation gap, with generation Z being the first to truly grow up in the era of smartphones and social media, neither parents nor teachers know how to adequately equip children with these skills. Young children are all too often exposed to cyber risks such as technology addiction, cyberbullying and grooming. They can also absorb toxic behavioural norms that affect their ability to interact with others. And while most children encounter such challenges, the problematic exposure is amplified for vulnerable children, including those with special needs, minorities and the economically disadvantaged. They tend to not only be more frequently exposed to risk, but also face more severe outcomes.
Abu Dhabi Securities Exchange uses blockchain for e-voting
“Adopting blockchain technology in our projects comes in alignment with the digital transformation of Abu Dhabi’s government services as we constantly strive to introduce ways that ease the process of doing business in the United Arab Emirates,” said ADX CEO Rashed Al Blooshi. “This step comes as we aspire towards becoming a fully digital exchange, with our strategic objectives aligned with Abu Dhabi’s vision for building a knowledge-based sustainable economy that constantly evolves,” he added. ADX expects the service to cut costs, save time and increase stakeholder involvement in decision making at listed companies. The blockchain service is one of the new services offered by ADX as part of its electronic platform. Other services include an initial public offering management system and rights issue management system.
The SAM Pattern: Lessons Learned Building Functional Reactive Front-End Architectures
SAM recommends factoring the business logic underlying a graphical user interface along three concepts: actions, model and state. Actions propose values to the model, which is solely in charge of accepting them. Once accepted, the state certifies that all subscribers are notified, especially the view (which is considered the “state representation”). Every event is processed as a “step”, which consists of a propose/accept/learn flow. This concept provides a stronger foundation to deal with event ordering and effects (such as back-end API calls). SAM is framework agnostic and several members of the community that formed around the pattern [1] went on to build a series of developer tools and code samples using different Frameworks, ranging from Vanilla JavaScript to AWS Lambda and pretty much anything in between.
Side-Channel Attacks Make Devices Vulnerable
“The industry is waking up to security and there are constantly articles in the news about some hack, breach or network problems related to malicious attacks,” says Angela Raucher, product line manager for ARC EM processors at Synopsys. “It is a focus for anyone developing SoCs right now because they have learned that just adding security in the network or in the device or the platform is not good enough. You have to start at the SoC level or there will continue to be vulnerabilities in the system.” Michael Chen, director of early stage programs in the System Level Engineering division of Mentor Graphics, explains that “people are doing a fairly simply power or differential power analysis. There are lots of side channels, not just power. It is any way to extract information from a device. This is usually done using some sort of microwave power reading antenna and is done post silicon.”
Companies Try Out Selfies as Password Alternatives
The authentication process typically starts with an app that asks users to snap a photo of themselves every time they do something online like make a purchase or file their taxes. Software uses the photo to make thousands of facial measurements, such as the width of the nose or the curve of the jaw, and converts them into a string of numbers to create a unique ID code. Then, it compares the code to a reference photo that the person has left on file. A highly probable match verifies the person’s identity. The technology’s accuracy is far from perfect. Shadows, low lighting or facial hair can confuse the software. Underscoring the shortcomings of facial recognition, Alphabet Inc.’s Google unit sparked an outcry last year after its Photos app misidentified two black people as “gorillas.” Google apologized and said it was tweaking its algorithms to fix the problem.
IT attrition could help address the cybersecurity skills shortage
It’s certainly true that if you need a highly experienced cybersecurity professional, you have no choice but to pull someone away from their current job, but this is a zero-sum game from a total employment perspective. So, what else can we do? Well, there’s another disruptive force happening within IT called cloud computing. Simply stated, as organizations move workloads to public cloud providers such as Amazon Web Services, IBM SoftLayer and Microsoft Azure, they no longer need as many infrastructure administrators to babysit Intel servers, storage arrays or data center switches. As it turns out, these uprooted IT folks are a natural fit for cybersecurity jobs. According to the ESG/ISSA research, more than three-quarters (78 percent) of cybersecurity professionals moved from IT jobs to cybersecurity jobs as part of their career progression.
Quote for the day:
"Nothing will ever be attempted if all possible objections must first be overcome." -- Samuel Johnson
