Daily Tech Digest - March 13, 2017

8 Public Cloud Security Threats to Enterprises in 2017

Cloud uptake will accelerate in 2017, according to a report by Forrester. ‘Enterprises with big budgets, data centres, and complex applications are now looking at cloud as a viable place to run core business applications,’ says Dave Bartoletti, analyst at Forrester. An average of 1,031 cloud services is now in use per enterprise, up from 977 in the previous quarter, according to Netskope’s January Cloud Report. But the threat of cyber crime in 2017 is large and data breaches are becoming more commonplace. With the average cost of a breach now $4 million, enterprises cannot afford to treat public cloud security as an afterthought. There are numerous security threats facing enterprises that are migrating to, or already running critical infrastructure in, the cloud.


Getting started with Perl on the Raspberry Pi

The origin of the myth is simple. The Raspberry Pi's creator, UK Computer Science professor Eben Upton, has told the story that the "Pi" part of the name was intended to sound like Python because he likes the language. He chose it as his emphasis for kids to learn coding. But he and his team made a general-purpose computer. The open source software on the Raspberry Pi places no restrictions on us. We're all free to pick what we want to run and make each Raspberry Pi our own. ... The PiFlash script was written in Perl, but it doesn't require any knowledge of Perl to automate your task of flashing SD cards for a Raspberry Pi from a Linux system. It provides safety for beginners, so they won't accidentally erase a hard drive while trying to flash an SD card. It offers automation and convenience for power users, which includes me and is why I wrote it.
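The "won't accidentally erase a hard drive" guarantee comes down to refusing to write unless the target looks like a removable card. The following is an added example of that kind of check, written here in Python; it is not PiFlash's own code. It reads the kernel's sysfs `removable` flag and size, and refuses any device that has a mounted partition. The sysfs and mounts paths are parameters (and the 1 TiB size ceiling is an assumed constant) so that `demo()` can exercise the check against a constructed fake tree instead of the live machine.

```python
"""Guard against flashing the wrong disk.

Added example in the spirit of PiFlash's safety check; it is not PiFlash's
own code. The sysfs and mounts paths are parameters so the check can be run
against a constructed fake tree (see demo()) instead of the live system.
"""
import os
import tempfile

# Assumed ceiling: no SD card for a Pi is anywhere near 1 TiB, so a
# device this big is almost certainly a hard drive.
MAX_SD_BYTES = 1 << 40


def is_safe_flash_target(dev, sysfs_root="/sys", mounts_path="/proc/mounts"):
    """Return (ok, reason); ok is True only if every check passes."""
    name = os.path.basename(dev)
    block_dir = os.path.join(sysfs_root, "block", name)
    if not os.path.isdir(block_dir):
        return False, "%s is not a whole-disk block device" % dev

    with open(os.path.join(block_dir, "removable")) as f:
        if f.read().strip() != "1":
            return False, "%s is not flagged removable by the kernel" % dev

    with open(os.path.join(block_dir, "size")) as f:
        sectors = int(f.read().strip())  # sysfs reports 512-byte sectors
    if sectors * 512 > MAX_SD_BYTES:
        return False, "%s is too large to be an SD card" % dev

    # Refuse anything that is mounted: the system disk is the classic victim,
    # and partitions of dev (e.g. /dev/sda1) share its name as a prefix.
    with open(mounts_path) as f:
        for line in f:
            fields = line.split()
            if len(fields) >= 2 and fields[0].startswith(dev):
                return False, "%s is mounted at %s; unmount it first" % (fields[0], fields[1])
    return True, "ok"


def demo(root=None):
    """Build a constructed fake /sys tree and mounts file, then check three devices."""
    root = root or tempfile.mkdtemp()
    sysfs = os.path.join(root, "sys")
    mounts = os.path.join(root, "mounts")

    def fake_disk(name, removable, sectors):
        d = os.path.join(sysfs, "block", name)
        os.makedirs(d)
        with open(os.path.join(d, "removable"), "w") as f:
            f.write(removable + "\n")
        with open(os.path.join(d, "size"), "w") as f:
            f.write("%d\n" % sectors)

    fake_disk("sda", "0", 976773168)     # 465 GiB system disk, not removable
    fake_disk("mmcblk0", "1", 62333952)  # 32 GB SD card
    with open(mounts, "w") as f:
        f.write("/dev/sda1 / ext4 rw,relatime 0 0\n")
        f.write("/dev/sda2 /home ext4 rw,relatime 0 0\n")

    return {dev: is_safe_flash_target(dev, sysfs, mounts)
            for dev in ("/dev/sda", "/dev/mmcblk0", "/dev/sdz")}


if __name__ == "__main__":
    for dev, (ok, why) in sorted(demo().items()):
        print("%-13s %s  %s" % (dev, "SAFE" if ok else "REFUSE", why))
```

On a real system, call `is_safe_flash_target("/dev/mmcblk0")` with the defaults before handing the device to `dd`; the mounted-partition check is the one that catches the common mistake of flashing the disk you booted from.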


Millennials vs Fintech

Ask 10 Millennials about the definition of Fintech, and only one will answer you correctly (if you’re lucky). But don’t let that fool you, or think that as a bank or company, you shouldn’t invest in financial technology for your clients. Because nine out of these ten Millennials is using financial technology on a daily basis. Life has become phygital, which means that - for youngsters as for the rest of us - the boundaries between digital and fysical are fading. For instance, we use our banking app to transfer money to friends and colleagues instantly, but we go see our banker face-to-face (in the bank/video call) for troubleshooting a financial affair. This trend is unlikely to go away. Technology will continue to infuse our daily lives, be it less and less intrusive and visible. But the technology is no goal in itself. People don’t want tech, they want convenient, instant and transparent services. Technology is only the means to an end.


Now Google's clever AI can tell you're not a bot without reCAPTCHA even appearing

Google hasn't explained how the system works, and as Ars Technica notes, that's probably because Google doesn't want to help spammers bypass it. However, the reCAPTCHA API that supports the reCAPTCHA checkbox is still working in the background. It allows Google to collect and analyze information about devices and apps. Google has previously said it uses "advanced risk-analysis techniques to distinguish humans from machines". The company's backend services connected with the reCAPTCHA API assess a visitor's interaction with the CAPTCHA before, during and after the challenge to tell whether they're bots. The evolution of the technology has allowed it over time to introduce easier puzzles for low-risk visitors, and harder ones for probable bots.
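Whatever the risk analysis does in the browser, the part a site operator controls is the server side: the token the widget hands back proves nothing until the backend checks it against Google's siteverify endpoint, and a verifier that only looks at `success` can be fed a token minted for another site or replayed later. The following is an added example of a fail-closed verifier, not Google's code. The endpoint and the response fields (`success`, `challenge_ts`, `hostname`, `error-codes`) are the documented ones; the two-minute token lifetime and the exact timestamp format are assumptions recorded in the code. The HTTP transport is injectable so that `demo()` runs offline against constructed responses.

```python
"""Server-side verification of a reCAPTCHA response token, failing closed.

Added example, not Google's code. The siteverify endpoint and the fields it
returns (success, challenge_ts, hostname, error-codes) are the documented
ones; the two-minute token lifetime and the timestamp format are assumptions
recorded here. The transport is injectable so demo() runs offline against
constructed responses.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
MAX_TOKEN_AGE = timedelta(minutes=2)   # assumed lifetime of a response token


def http_post(url, fields):
    """Real transport: POST url-encoded fields and return the parsed JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.loads(resp.read().decode())


def verify_recaptcha(token, secret, expected_hostname, remote_ip=None,
                     now=None, post=http_post):
    """Return (ok, reason). Every error path rejects: the token is trusted only
    once Google confirms it was issued for our hostname and it is still fresh."""
    if not token:
        return False, "missing token"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        body = post(SITEVERIFY_URL, fields)
    except Exception as exc:  # network failure or malformed JSON: fail closed
        return False, "siteverify unavailable: %r" % (exc,)
    if body.get("success") is not True:
        return False, "rejected: %s" % ",".join(body.get("error-codes", []))
    # A valid token minted for some other site must not unlock ours.
    if body.get("hostname") != expected_hostname:
        return False, "hostname mismatch: %r" % (body.get("hostname"),)
    # Freshness: challenge_ts is assumed to be UTC ISO 8601 like 2017-03-13T10:00:00Z
    ts = body.get("challenge_ts", "")
    try:
        issued = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "unparseable challenge_ts: %r" % (ts,)
    now = now or datetime.now(timezone.utc)
    if issued > now + timedelta(seconds=30) or now - issued > MAX_TOKEN_AGE:
        return False, "stale token issued at %s" % ts
    return True, "ok"


def demo():
    """Constructed siteverify responses pushed through a fake transport."""
    now = datetime(2017, 3, 13, 10, 1, 0, tzinfo=timezone.utc)
    fresh = {"success": True, "challenge_ts": "2017-03-13T10:00:30Z",
             "hostname": "example.com"}
    cases = {
        "fresh": fresh,
        "stale": dict(fresh, challenge_ts="2017-03-13T09:00:00Z"),
        "wrong_host": dict(fresh, hostname="attacker.example"),
        "failed": {"success": False, "error-codes": ["invalid-input-response"]},
    }
    results = {}
    for label, body in cases.items():
        results[label] = verify_recaptcha("token", "secret", "example.com",
                                          now=now, post=lambda u, f, b=body: b)
    return results


if __name__ == "__main__":
    for label, (ok, why) in sorted(demo().items()):
        print("%-10s %-6s %s" % (label, "PASS" if ok else "REJECT", why))
```

In production the secret stays on the server, the form handler calls `verify_recaptcha(request.form["g-recaptcha-response"], SECRET, "example.com", remote_ip=client_ip)` and treats anything but `(True, "ok")` as a failed submission; a siteverify outage therefore degrades to rejecting submissions rather than silently accepting them.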


Why C-Levels Need To Think Differently About Social Media Strategy

“Consumers now know that when it comes to customer service, social media gives them much more power,” says Erik Huberman, CEO of Hawke Media, a top outsourced CMO partner. “With social media, these consumers are acutely aware that if they have a problem with your company and you don’t handle it well, they hold the power to expose the issue to their entire network, which can be devastating to a company.” ... It should probably go without saying, but today’s consumers expect timely responses. 32% of consumers who reach out to a brand on social for customer support expect a response in 30 minutes, and 42% expect a response within an hour. For brands without robust social teams, that kind of response time might sound ambitious at best. But with all the tools and technology we have available today, there’s no real excuse for delayed responses anymore — at least in the consumer’s eyes.


Open source security and ‘hacking robots before skynet’

How about robots with wheels instead of legs? Researchers have also proven that cars can be hacked, including steering, brakes, and the infotainment system. Uconnect, an Internet-connected computer feature in hundreds of thousands of vehicles, controls the entertainment and navigation systems, enables phone calls, and even offers a Wi-Fi hot spot. Through one vulnerable component of the vehicle’s Uconnect system, which connects to a cellular network, security researchers were able to gain control of the car’s entertainment system and then rewrite firmware to send commands to critical systems such as the brakes, steering, and transmission. In a world where self-driving cars are already on the roads, this should worry everyone. Cars are among the most sophisticated machines on the planet, containing 100 million or more lines of code.


Disaster recovery: How is your business set up to survive an outage?

“The problem is the cost of maintaining and running these infrastructures. If an application or service has requirements to truly be a 'dial tone-like' system (always on – never without) then a business will spend the dollars required to ensure the five nines of availability and then some,” he said.  ... Clustering has also been around for a long time for servers, and as that technology has moved down the stack into the infrastructure services, the ease with which availability can be provided is greatly improved – just at a cost.  But he said cost is not the only downside. “Active-active recovery solutions do not account for user error. They are garbage in garbage out, and in the event of this type of an outage, you need to have something that is tracking point in time consistency of the data to recover back to. The GitLab outage from a few weeks ago is a great example of this,” Foster said.


PwC and Startupbootcamp chart fintech maturity

The early perception of FinTech is shifting. Where startups were once seen as a threat by incumbents, the emphasis is shifting to one of collaboration. While it has taken a while for startups and incumbents to find a way to work together, Startupbootcamp and PwC have witnessed a clear increase in the two parties working together to solve important problems - both for customers and for the companies themselves.  As the relationship matures, incumbent financial services firms continue to struggle with measuring and reporting the success they find when partnering with startups. Nevertheless, the atmosphere of collaboration and mutual understanding is positive and expected to accelerate.


Mainframe: platform of choice for machine learning and ops intel

CA is making significant investments in the areas of machine learning, advanced analytics and automation to drive towards more intelligent mainframe management, addressing not only Mean Time to Resolution (MTTR) but more importantly, “Predicted Time to Avoidance” (PTTA). This represents a shift into a category that Gartner calls AIOps. “AIOps platforms represent the evolving and expanded use of technologies previously categorized as IT operations analytics (ITOA). This shift is in response to the growing importance (due to digital business demands) and the use of big data and machine-learning technologies across all major ITOM functions, including the service desk, automation and monitoring.”  At CA, we believe that MTTR is just part of the solution because it only alerts the mainframe system operator of an issue after it has happened – reactive problem solving.


Bittercoin: true blockchain believers vs. the trough of disillusionment

Is this a slow death spiral, signalling the sad end of Satoshi Nakamoto’s dream and the motley crew of plucky cryptoheroes who defend it? Or is something interesting happening beneath this sheen of despair and decay? The answer is: possibly neither, probably the latter, almost certainly not the former. The searching-for-the-new-new-thing, what-have-you-done-for-me-lately mindset of so much of the tech industry tends to equate a period of slow grinding with stagnation and death. This is not so. The quixotic quest for the cryptocurrency “killer app” — one that will bring widespread, mainstream usage — continues, and won’t succeed any time soon; but, meanwhile, a whole panoply of interesting and practical use cases has arisen. Call them “maimer apps.”



Quote for the day:


"Inspiration is a guest that does not willingly visit the lazy." -- Tchaikovsky


Daily Tech Digest - March 12, 2017

The new European data protection regulation– are you prepared?

The impact of the new regulation on organizations will be manifold and no business will remain unaffected, especially in the light of ongoing digitalization. Organizations have to understand which of the information they keep is affected by the regulation, how it is handled today, where and why it is kept, and how it is protected. It requires understanding and adaptation of business rules, business processes, information systems and IT infrastructure. That sounds like a complex and pretty big task to get on top of, and, bad news first, it is certainly not something that is done overnight. But the good news is that now is a good time to get prepared, and that both methods and tools exist for getting a good grip on the job. Organizations that already have control over the enterprise’s architecture get a head start when it comes to understanding how they should react to changing market dynamics.


AI won’t kill you, but ignoring it might kill your business, experts say

"Amplifying human intelligence, and overcoming human cognitive biases – I think that's where it fits," said Pratt, founder and CEO of business consultancy Noodle.ai. "Humans are really bad probabilistic thinkers and statisticians. That's where cognitive bias creeps in and, therefore, inefficiencies and lost profit."  But machines won't replace humans when it comes to big-picture decisions, he said.  "Those algorithms are not going to set the strategy for the company. ... It'll help you make the decision once I come up with the idea," Pratt said. "But any executive that doesn't have a supercomputer in the mix now on their side – and they're stuck in the spreadsheet era – your jobs are going to be in jeopardy in a few years."


RawPOS Malware Rides Again

As part of a recent forensics investigation by the Cylance Consulting Services team, we uncovered some new RawPOS malware. This family of POS malware has been widely documented in operation since 2008. Numerous retail operations of various sizes have been compromised with this malware and its variants. Rather than rehash old malware, our intent is to discuss ‘signature fidelity’ and explain through technical detail why poorly-written signatures give people a false sense of security. This ‘antivirus is dead’ argument is often presented, but with little technical detail to highlight specifically why this is the case. ... At the end of this post, we’ll provide an updated yara file for identifying all variants of the RawPOS dumper, as well as some sha256 hashes of the new variant.
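"Signature fidelity" is measurable: run a rule over a corpus that contains several variants of the family plus benign software that shares some of its traits, and record detection rate and false-positive rate together. The following is an added example of that measurement in Python, not Cylance's YARA rule, and it contains no real RawPOS indicators. Each sample is a constructed byte string standing in for the printable strings of a binary; the brittle rule keys on one hypothetical build artefact, while the higher-fidelity rule requires the track-2 search pattern a memory scraper embeds and at least two of the process-reading APIs it must call, expressed as a YARA-style N-of-M condition with Python's `re` module.

```python
"""Measuring signature fidelity: a brittle rule next to a behavioural one.

Added example; it is not Cylance's YARA rule and contains no real RawPOS
indicators. Each 'sample' is a constructed byte string standing in for the
printable strings of a binary, and the rules are evaluated with Python's
re module using YARA-style N-of-M conditions.
"""
import re

# Brittle: keys on a single build artefact (hypothetical output path).
# One rename in the next build and the rule is blind.
BRITTLE = {
    "name": "pos_dumper_brittle",
    "required": [rb"C:\\temp\\dump\\output\.txt"],
    "any_of": [],
    "need": 0,
}

# Higher fidelity: the regex literal a memory scraper embeds to find
# track-2 card data (PAN '=' expiry/service code) is required, plus at
# least two of the process-reading APIs it must call. None of these is a
# per-build constant, and the required literal keeps debuggers out.
ROBUST = {
    "name": "pos_dumper_behaviour",
    "required": [rb"\[0-9\]\{13,19\}="],
    "any_of": [rb"OpenProcess", rb"ReadProcessMemory", rb"VirtualQueryEx"],
    "need": 2,
}


def rule_matches(rule, data):
    """YARA-like condition: all of `required` and at least `need` of `any_of`."""
    if not all(re.search(p, data) for p in rule["required"]):
        return False
    hits = sum(1 for p in rule["any_of"] if re.search(p, data))
    return hits >= rule["need"]


def evaluate(rule, corpus):
    """corpus: list of (bytes, is_malicious). Returns detection and FP rates."""
    tp = fp = 0
    n_bad = sum(1 for _, bad in corpus if bad)
    n_good = len(corpus) - n_bad
    for data, bad in corpus:
        if rule_matches(rule, data):
            if bad:
                tp += 1
            else:
                fp += 1
    return {"rule": rule["name"],
            "detect_rate": tp / n_bad if n_bad else 0.0,
            "fp_rate": fp / n_good if n_good else 0.0}


# Constructed corpus: three variants of a toy scraper and two benign tools.
CORPUS = [
    (rb"OpenProcess ReadProcessMemory VirtualQueryEx [0-9]{13,19}=[0-9]{4} "
     rb"C:\temp\dump\output.txt", True),                        # original build
    (rb"OpenProcess ReadProcessMemory VirtualQueryEx [0-9]{13,19}=[0-9]{4} "
     rb"C:\Windows\Temp\log.dat", True),                         # output path changed
    (rb"ReadProcessMemory VirtualQueryEx [0-9]{13,19}=[0-9]{4} "
     rb"svchost.exe", True),                                     # one import resolved indirectly
    (rb"OpenProcess ReadProcessMemory VirtualQueryEx WriteProcessMemory "
     rb"dbghelp.dll", False),                                    # debugger: the APIs, no track regex
    (rb"CreateFileW WriteFile C:\temp\report.txt", False),       # benign report writer
]


def report():
    """Both rules scored against the same corpus, keyed by rule name."""
    return {r["rule"]: r for r in (evaluate(BRITTLE, CORPUS), evaluate(ROBUST, CORPUS))}


if __name__ == "__main__":
    for name, r in sorted(report().items()):
        print("%-22s detect=%.2f fp=%.2f" % (name, r["detect_rate"], r["fp_rate"]))
```

The brittle rule scores a clean false-positive rate and still detects one variant in three, which is exactly the "false sense of security" the post describes: a rule that never fires on benign software looks healthy until it is measured against the variants it was never written for. The debugger sample is there to show why the behavioural rule needs a required term and not just an N-of-M count of API names.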


Digital Transformation Telco Playbook Overview

To thrive in a highly competitive landscape, service providers need to fundamentally rethink their culture. Many of those companies were born as monopolies, and although they have evolved, they are behind webscalers and other innovative companies. Therefore, a fundamental change in their culture is an essential ingredient for their long-term competitiveness: Create an environment where innovation and creativity are encouraged and supported rather than subjected to the frameworks of the existing business; Evolve the business support environment and operations to support a more pioneering and agile environment; Create incentives to reward innovation. Tolerate failure as an opportunity to learn and improve; Create the appropriate financial strategy and metrics that will support innovation, as well as an elastic infrastructure and agile go-to-market strategy; and Establish the appropriate incentives and rewards for innovation.


How to find the real value in operational big data

Operational Intelligence represents breadth of knowledge—an important and challenging milestone in a company's analytic maturity. If you have 1,000 sites around the world and each site collects, processes, and analyzes its own operational data, then the most any one site can know is what's within its own walls. This is a common situation, as there is typically one site manager who manages data in a way that best helps him or her accomplish the plant's performance goals. Consolidating and standardizing site data broadens the company's information base for the benefit of all. With a centrally organized OI system, site managers can garner insights into how other sites are doing; it opens channels for data-based performance ranking, continual learning from best practices, and accurate benchmarking.


5 Industry Experts on How Technology Will Affect the Future of Recruitment

“It’s about the right mix of technology and in-real-life, human-to-human experiences. It’s important to have regular, reliable, repeatable patterns and good data in your recruiting processes to ensure that candidates are all treated the same way. That said, you can’t use technology to do the work that humans do. It’s got to be the right blend of technology and human interaction. One of the lessons for recruiters is that you can’t Skype your way to an effective hiring decision. You have to bring candidates in and spend some time with them.” ... While technology is playing an important role, personal relationships – the ability to find that visceral connection between your company and the person you’re talking to – is the linchpin.


FBI Chief Calls For Private Sector To Help Battle Cybercrime

"If you are the chief information security officer [CISO] of a private enterprise, and you don't know someone at every single FBI office where you have a significant facility, you're not doing your job. Know that you're pushing on an open door," Comey said. "We're not looking to know your private information, but we need to know you in a way so we can help you in a difficult circumstance." Comey described a multi-pronged initiative underway at the FBI to crack down on cybercrimes that involves recruiting and hiring more cyber experts, improving engagement with outside partners -- including the private sector -- and rethinking the bureau's traditional approach to working cases. The bureau is also working to bolster deterrence both through hardening systems that might be targeted and winning convictions in more criminal cases.


FinTech Is Not Dying; It Is Evolving

The juggernauts of online lending soon became like the banks themselves. Internally, they regulate themselves to keep shareholders happy. They know they need to pivot and evolve as the industry matures, but they still hold to what made them a success in the first place. Unfortunately for our industry pioneers, companies that are slow to evolve in an industry that was built on speed and revolution are not swift or flexible enough to keep up with the changing atmosphere. There are those who study and analyze the good and the bad of these online lenders. While the big companies try to evolve and stay relevant, second-generation companies pop up wanting a piece of the market. They tackle the biggest user issues and fix them. FinTech, as we knew it under the first regime, is dying. Evolution has changed online lending.


How Artificial Intelligence Will Invade Classrooms

Educational technology has really struggled. Many incredibly insightful projects that were developed and proven in labs have not succeeded, including AI-powered cognitive tutors that actually understand the mistakes [students] are making and can offer direct supervision. It turns out the wrong way of [integrating AI] is sitting a bunch of kids in front of a computer for hours, marginalizing the teachers. Education is probably ground zero for how the best-intentioned technologies can still really struggle to make a difference. In fact, research indicates that most educational technology actually makes inequality worse, rather than better. Ming: We don’t want just a plug-in education. A lot of edtech uses words like personalization, but the truth is that it does plug every student into a mold, and you just follow a track


Reusing Selenium Scripts in Random Testing

The entire test execution process using a subjective technique is guided by a great deal of solid analytical thinking and a good portion of “randomizm”. With the latter being a key ingredient, this article deals with automating the yet-unveiled “randomizm”. To make things clear, test automation is not creativity; it’s a well-documented and clearly defined approach which enables the same test scripts to run over and over again. The question is, how can we leverage those test automation scripts and be more creative at the same time? A product quality model with documented test scenarios can be outlined as a specific state machine with external attributes. And that’s what test automation loves. Test automation is all about writing test scripts based on a very specific set of test requirements.
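Once the product is modelled as a state machine whose transitions are the existing scripted actions, the "randomizm" can be automated as a seeded random walk over that model: each walk is a new, unscripted sequence of already-automated steps, and because the seed is recorded a failing walk can be replayed exactly. The following is an added example of that idea in Python, not the article's framework; the checkout-flow model is constructed, and each action name stands for an existing Selenium step that the walk would invoke.

```python
"""Seeded random walks over a test state machine built from scripted actions.

Added example, not the article's framework. MODEL is a constructed mock of a
web checkout flow; each action name stands for an existing automated step
(for example a Selenium function) that a walk would call in order.
"""
import random

# state -> list of (action, next_state). Constructed model of a checkout flow.
MODEL = {
    "home":     [("open_catalog", "catalog"), ("open_login", "login")],
    "login":    [("login_ok", "home"), ("login_bad", "login"), ("back", "home")],
    "catalog":  [("add_item", "cart"), ("back", "home")],
    "cart":     [("remove_item", "catalog"), ("checkout", "checkout"), ("back", "catalog")],
    "checkout": [("pay", "home"), ("cancel", "cart")],
}


def random_walk(model, start, steps, seed):
    """Return a list of (state, action, next_state) chosen uniformly at each step.
    The walk is fully determined by `seed`, so a failure can be reproduced."""
    rng = random.Random(seed)
    state, path = start, []
    for _ in range(steps):
        action, nxt = rng.choice(model[state])
        path.append((state, action, nxt))
        state = nxt
    return path


def is_valid_walk(model, start, path):
    """Every step must leave from the current state along a modelled transition."""
    state = start
    for s, a, n in path:
        if s != state or (a, n) not in model[s]:
            return False
        state = n
    return True


def transition_coverage(model, paths):
    """Fraction of modelled transitions exercised by at least one walk."""
    all_t = {(s, a, n) for s, lst in model.items() for a, n in lst}
    seen = {t for p in paths for t in p}
    return len(seen & all_t) / len(all_t)


def run_walks(model, start, n_walks, steps, base_seed=0):
    """Generate n_walks walks with seeds base_seed, base_seed+1, ..."""
    return [random_walk(model, start, steps, base_seed + i) for i in range(n_walks)]


if __name__ == "__main__":
    walks = run_walks(MODEL, "home", 50, 30)
    print("coverage over 50 walks: %.2f" % transition_coverage(MODEL, walks))
    for s, a, n in walks[0][:6]:
        print("  %-9s --%s--> %s" % (s, a, n))
```

In practice the loop body of a walk calls the scripted step for `action` and then asserts that the browser really is in `next_state` (page title, URL, a landmark element); that assertion is what turns a random sequence of reusable steps into a test.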



Quote for the day:

"Until you cross the bridge of your insecurities, you can't begin to explore your possibilities." -- Tim Fargo

Daily Tech Digest - March 11, 2017

Demystifying Advanced Data Visualization

Advanced Data Visualization gives new meaning to how pictures can simplify the information needed to comprehend complex questions. Angela Hausman states that Big Data does not mean much if the people who control change can’t understand, or have to spend too much time deciphering, the data presented to them. In addition, Big Data streams across the Internet, captured from people and from Internet of Things (IoT) devices such as appliances, GPS, and building maintenance systems. This Big Data updates constantly, second by second, providing not a static picture but a dynamic movie. Organizations need to find ways of keeping up with this Big Data in order to understand their customers better and to move much more quickly, smoothly, and efficiently.


Four perspectives on data lakes

Governance is a practice that you apply to “something.” Just like James Watt’s fly-ball governor for the steam engine, a governance program seeks to keep an engine in balance so it works effectively. This engine may be a process, organization, or flow of information. The important point is that the target of what you are governing is clearly defined. Approaches to governance, particularly around a data lake, vary widely due to the different choices that organizations make in their definition of the engine being managed. For example, the IT department may see the data lake engine as a collection of technology working together. The business may see the data lake as part of an innovation engine helping them to create new value from data. So which is the right engine to govern? It depends on the objective for the data lake.


AWS Outage and High Availability

Your HA strategy should also be tied to your monitoring, alerting and remediation, and to your customer support strategy. Monitoring and alerting are clear: you want to know if your site or parts of it are down and take the appropriate actions as described in your remediation plan. But why your customer support strategy? Well, if you haven’t noticed, the AWS Service Health Dashboard was also down yesterday. The question comes up: how do you notify your customers of issues with your service if your standard channel is also down? I know that a lot of IT people don’t think of it, but Twitter turns out to be a pretty good communication tool; maybe you should think of it next time your site is down. Developing a solid HA strategy doesn’t need to be a big bang approach.


Quantum technology is beginning to come into its own

Everything in the natural world can be described by quantum mechanics. Born a century ago, this theory is the rule book for what happens at atomic scales, providing explanations for everything from the layout of the periodic table to the zoo of particles spraying out of atom-smashers. It has guided the development of everyday technologies from lasers to MRI machines and put a solid foundation under astrophysicists’ musings about unknowables such as the interiors of black holes and the dawn of the universe. Revealed by a few surprising discoveries, such as that atoms absorb and emit energy only in packets of discrete sizes (quanta), and that light and matter can act as both waves and particles, it is modern physics’ greatest triumph.


Protecting the enterprise against mobile threats

As with securing the traditional network, mobile security is also about building policies. "Security resources are scarce," said Simkin, "so organizations need to think about how they safely enable those mobile devices to access corporate resources. They need to take the time now to consider what technology they are going to put into place to keep the company safe." Even the White House is changing the paradigm a little bit. The President's now infamous use of an Android phone has helped bring to light the need for better mobile security, said Paul Innella, CEO at TDI.  "If organizations don't start treating mobile devices, which includes IoT, as corporate assets, they are going to see this wide scale disruption and infiltration. So, they have to be thinking about how they evaluate the risk of one of these mobile devices coming into their environment," Innella said.


Google offers new 'Always Free' cloud tier to attract users

The free offerings are meant to help attract users to Google Cloud Platform at a time when the company is competing against Amazon Web Services, Microsoft Azure and other public cloud providers for developers’ time and attention. Google’s Always Free tier is somewhat similar to what AWS offers its customers. For example, both platforms allow users to run workloads using their respective event-driven compute services, AWS Lambda and Google Cloud Functions. One thing that sets Google apart is its willingness to hand out a free virtual machine. Google previously offered a 60-day free trial with $300 in credits. An extended trial was one of the cloud provider’s most-requested features, since the short time limit often wasn’t enough for a full proof-of-concept test.


Pablo Brenner talks reverse psychology in IT collaboration

The aim is to use automation to help create an environment similar to Stack Overflow inside a company. This could be as simple as offering pop ups on a library telling individuals to avoid this particular site (“programmers spend a lot of time using the wrong library”) and also help to attach skills to a developer. “We’re building life CVs on people,” says Brenner. This may seem a little worryingly intrusive, but Brenner doesn’t think so. He stresses that the system is only looking at technology skills not what people are generally reading online at work. “Like any tool, it could be used in a bad way,” he concedes, but he does not feel there should be any concern that employees will be categorised within an organisation based on the number of skills they have because this is too hard to define. Some people have broader knowledge some people have deeper knowledge.


Banking Industry Still Taking Small Steps with Big Data

Financial organizations also must use data and advanced analytics for fraud and risk mitigation and for achieving regulatory and compliance objectives. With cybersecurity more important than ever, falling behind in the use of data for security purposes is not an option. While the majority of institutions might have much of the infrastructure in place to manage the increasing flow of data, significantly fewer have their data integrated across silos. This continues to be a challenge, as customers expect their financial organization to understand their entire relationship when working with their bank or credit union. This challenge is obviously exacerbated for smaller organizations that may not even have a CRM system in place.


Facebook rolls out Bryce Canyon, its next-gen storage platform

Facebook on Wednesday unveiled a new storage platform, Bryce Canyon, that offers the efficiency and performance necessary to support the social media company's "video first" strategy. The design specification for the platform is available via the Open Compute Project. It'll be used primarily for high-density storage, including videos and photos. Bryce Canyon supports 72 hard disk drives (HDDs) in four Open Rack units. That's a 20-percent higher density than Open Vault, the first storage enclosure that Facebook in 2013 contributed to the Open Compute Project. Bryce Canyon is also Facebook's first major storage chassis designed from the ground up since Open Vault. Meanwhile, Bryce Canyon also offers a 4x increase in compute capability over the Honey Badger storage server designed in 2015.


Troubleshooting Memory Issues in Java Applications

For a Java process, there are several memory pools or spaces: the Java heap, Metaspace, PermGen (in versions prior to Java 8) and the native heap. Each of these memory pools might encounter its own set of memory problems, for example abnormal memory growth, slowness in the application or memory leaks, all of which can eventually manifest as an OutOfMemoryError for that space. In this article we will try to understand what these OutOfMemoryError messages mean, which diagnostic data we should collect to diagnose and troubleshoot these issues, and will investigate some tooling to collect that data and analyze it for resolving these memory problems. This article focuses on how these memory issues can be handled and prevented in production environments. The OutOfMemoryError message reported by the Java HotSpot VM gives a clear indication as to which memory space is depleting.
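Because the HotSpot message names the exhausted space, the first triage step can be automated: read the log, map each OutOfMemoryError message to its pool, and decide what to collect before the next occurrence. The following is an added example of that triage in Python, not from the article; the message texts are the ones HotSpot emits, the log lines are constructed, and the "collect" hints are this editor's suggestions for the first diagnostic to gather.

```python
"""Triage HotSpot OutOfMemoryError messages by memory pool.

Added example (not from the article). The log lines are constructed; the
message texts are the ones the HotSpot VM emits. The 'collect' hints are the
first diagnostic a practitioner would want for that pool.
"""
import re

# (pattern on the message tail, pool, first thing to collect)
RULES = [
    (r"Java heap space",                       "heap",      "heap dump (-XX:+HeapDumpOnOutOfMemoryError)"),
    (r"GC overhead limit exceeded",            "heap",      "GC logs plus a heap dump"),
    (r"Requested array size exceeds VM limit", "heap",      "the allocation site from the stack trace"),
    (r"Metaspace",                             "metaspace", "class-loading stats (-verbose:class), -XX:MaxMetaspaceSize"),
    (r"Compressed class space",                "metaspace", "-XX:CompressedClassSpaceSize and class-loader leaks"),
    (r"PermGen space",                         "permgen",   "class-loading stats, -XX:MaxPermSize (pre-Java 8)"),
    (r"unable to create (new )?native thread", "native",    "thread dump and the process ulimit -u"),
    (r"Direct buffer memory",                  "native",    "-XX:MaxDirectMemorySize and NIO buffer usage"),
]
OOM = re.compile(r"java\.lang\.OutOfMemoryError:\s*(?P<msg>.*)$")


def classify(line):
    """Return {'pool', 'message', 'collect'} for an OOM line, else None."""
    m = OOM.search(line)
    if not m:
        return None
    msg = m.group("msg").strip()
    for pattern, pool, collect in RULES:
        if re.search(pattern, msg):
            return {"pool": pool, "message": msg, "collect": collect}
    return {"pool": "unknown", "message": msg,
            "collect": "full stderr and GC logging output for this JVM"}


def triage(lines):
    """Count OOM events per pool across a log; the largest bucket is where to start."""
    counts = {}
    for line in lines:
        r = classify(line)
        if r:
            counts[r["pool"]] = counts.get(r["pool"], 0) + 1
    return counts


# Constructed log excerpt (not a real capture).
SAMPLE_LOG = [
    '2017-03-11 10:02:14 WARN  [pool-1-thread-3] Exception in thread "pool-1-thread-3" java.lang.OutOfMemoryError: Java heap space',
    "2017-03-11 10:02:15 ERROR [main] java.lang.OutOfMemoryError: Metaspace",
    "2017-03-11 10:02:16 ERROR [main] java.lang.OutOfMemoryError: unable to create new native thread",
    "2017-03-11 10:02:17 INFO  [main] request completed in 12 ms",
    "2017-03-11 10:02:18 ERROR [main] java.lang.OutOfMemoryError: GC overhead limit exceeded",
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = classify(line)
        if r:
            print("%-9s %-40s collect: %s" % (r["pool"], r["message"], r["collect"]))
    print(triage(SAMPLE_LOG))
```

The ordering of RULES matters: "Java heap space" and "GC overhead limit exceeded" both point at the Java heap but call for slightly different data, so the more specific patterns are listed before the generic pool names.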



Quote for the day:


"It is a leader's job to challenge the status quo. And when you do, you make enemies." -- @CarlyFiorina


Daily Tech Digest - March 10, 2017

Application support and maintenance add up to operational ALM

Approach operational maintenance and support lifecycles with a concept of application states. Every application exists in a specific number of states, each representing a set of components and workflow relationships. One state is usually considered the normal or base state, and all the others are responses to special conditions. In this multi-state dynamic, application maintenance and support has two goals throughout the application's lifecycle. It must define each possible operating state precisely, in terms of component hosting and workflow connection through the network. It also must manage the application's dynamic movement from one valid operating state to another, exhibiting stable, secure and compliant behavior.


Approaching Cybersecurity Risk Management At Any Organization

First, get the company leadership on board. A cyber risk management strategy is unlikely to succeed if it is not a priority across the entire organization. Second, outline and implement a strategy for securely adding new technologies – whether it is a new finance application or connecting something to the network. Review the new solution versus the rest of the network and determine if it adds or eliminates any risk, and assess if its level of impact is acceptable. Finally, educate your employees on their role in the overall corporate cyber risk strategy. Employees could be viewed as an easy target for criminals, so consistently educating them on the threats facing the organization will help prevent some attacks.


Bots: Biggest Player On The Cybercrime Block

Joe St. Sauver, scientist at Farsight Security, said bot makers, using compromised devices, spread the “traffic” among multiple IP addresses, “so that some clicks come from Oregon, others come from Ohio, others from Oklahoma etc. “That software may also include routines designed to mimic natural pauses, while pages are ‘being read,’ or subsequent clicks – perhaps drilling down on optional features, looking for local dealers or other things that look like what a normal human visitor would do,” he said. But Tiffany said too many security professionals still, “falsely assume that bot traffic looks robotic.” Instead, it comes from residential IP addresses, uses real browsers and does unrobotic things like, “run JavaScript, run Flash, use the victim's cookies to look like real humans, and interact with pages like real people, often by emulating the real people who own the computers they've infected.”


China mulls national cryptocurrency in race to digital money

It’s not surprising that countries have found it difficult to tackle cryptocurrencies. People exchanging things on peer-to-peer (P2P) networks used to be the music and video industry’s problem. Now, suddenly, people were exchanging money with them. When used properly, P2P money offers true anonymity, which creates problems for authorities trying to track the flow of cash to terrorists and organized criminals. Left unchecked, it’s also a great tax evasion tool. Where governments are regulating, they’re typically making sure that anyone trading bitcoins registers their identity so that authorities can follow the money. It’s a tricky line for policymakers to walk. Governments need to control cryptocurrencies, but if they squash them altogether, they risk missing some of their best innovations.


Deep packet inspection: The smart person's guide

Although DPI has a number of uses, the practice is rooted in enterprise network security. Inspecting traffic in and out of a network is understandably useful for preventing and detecting intrusions: a DPI engine can match known exploit payloads in the packet body (a buffer-overflow signature, for example) and can block the source IP of flood traffic during a DDoS attack. DPI is also used by internet service providers. If packets are mail, ISPs are the postal service and have access to unencrypted web traffic as well as packet metadata such as headers. This provides ISPs with an abundance of useful information, and the companies leverage access to user data in a number of ways. Most ISPs in the United States are allowed to turn user data over to law enforcement agencies. Additionally, many ISPs use consumer data to target advertising, analyze file sharing habits, and tier access service and speeds.
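What "deep" means in practice is that the inspector parses past the IP and TCP headers into the application payload, so it can act on both the envelope (source address) and the letter (an HTTP Host header). The following is an added example in Python of that two-level inspection, not from the guide: it parses an IPv4/TCP packet with the standard library, pulls the request line and Host out of a plaintext HTTP payload, and applies a blocklist at each layer. The packet is built by hand from constructed addresses (no real capture), with checksums left at zero since the parser does not verify them.

```python
"""Minimal deep packet inspection: parse IPv4/TCP headers, look into the
HTTP payload, and decide whether to block the source.

Added example, not from the guide. The packet below is constructed by hand
(no real capture) so the parser runs offline; checksums are left at zero.
"""
import ipaddress
import socket
import struct


def parse_ipv4_tcp(pkt):
    """Return header fields and payload for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                 # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:    # protocol 6 is TCP
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4          # TCP header length in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "seq": seq,
            "flags": off_flags & 0x1FF, "payload": pkt[ihl + data_off:total_len]}


def http_request_info(payload):
    """Extract method, target and Host from a plaintext HTTP request, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            k, v = line.split(b":", 1)
            headers[k.strip().lower()] = v.strip()
    dec = lambda b: b.decode("ascii", "replace")
    return {"method": dec(parts[0]), "target": dec(parts[1]),
            "host": dec(headers.get(b"host", b""))}


def inspect(pkt, blocked_nets, blocked_hosts):
    """Return ('block', reason) or ('allow', reason), checking the source
    address first (cheap) and the HTTP Host second (needs payload parsing)."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr is None:
        return "allow", "not IPv4/TCP"
    src = ipaddress.ip_address(hdr["src"])
    for cidr in blocked_nets:
        if src in ipaddress.ip_network(cidr):
            return "block", "source %s in %s" % (src, cidr)
    req = http_request_info(hdr["payload"])
    if req and req["host"] in blocked_hosts:
        return "block", "HTTP Host %s" % req["host"]
    return "allow", "no match"


def build_packet(src, dst, sport, dport, payload):
    """Constructed IPv4/TCP packet with no options; checksums left zero."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


SAMPLE_REQUEST = b"GET /login HTTP/1.1\r\nHost: evil.example\r\nUser-Agent: x\r\n\r\n"

if __name__ == "__main__":
    pkt = build_packet("203.0.113.7", "198.51.100.2", 40000, 80, SAMPLE_REQUEST)
    print(parse_ipv4_tcp(pkt)["src"], http_request_info(parse_ipv4_tcp(pkt)["payload"]))
    print(inspect(pkt, ["203.0.113.0/24"], set()))
    print(inspect(pkt, [], {"evil.example"}))
```

The Host check only works because this request is plaintext; for TLS traffic an ISP or enterprise inspector sees the headers and, at most, the SNI field of the handshake, which is the limit of "deep" that the guide's mail analogy is pointing at.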


State of Cyber Security 2017

State of Cyber Security 2017 reports the results of the annual ISACA global cyber security survey, conducted in October 2016. The survey results bolster the belief that the field of cyber security remains dynamic and turbulent during its formative years. Weekly news headlines confirm that cyberattacks are not a seasonal threat or dependent on specific industry environmental attributes, but are constant and should remain forefront in every enterprise executive’s thought process. To equip you with a comprehensive understanding of the cyber security industry through the lens of those who define it—the managers and practitioners—ISACA is presenting the survey results in a series of reports that focus on individual topics. This report is the first in the ISACA State of Cyber Security 2017 white paper series and presents timely information about cyber security workforce development and its current trends.


Big Growth in Data Security Provides Consultant Opportunities

Consultants need superior application and network penetration skills. This means that they should be able to break down and analyze the way that software works within any environment, including its input and output channels. Networks need to be understood in the same way. The purpose of this knowledge is to identify where risks exist or where security breaches are already occurring. Automated scanning tools are known to produce false positives, so a consultant needs to be able to identify these and should have skill in determining which threats are viable. This helps the consultant allocate resources where they are most necessary, which can benefit their employer financially. Consultants should build an understanding of the technologies used by their employer, since whenever working on a contract, a consultant will deal with systems that they are unfamiliar with.


Data Security: Don’t Call an Ambulance for a Sore Throat

It’s a constant struggle, one that today’s businesses fight with infrastructure- and device-based approaches, and (vital but often neglected) employee training against social engineering attacks. The challenges continue as technologies evolve from “strange new risk” to “vital to business success.” Five or six years ago, security concerns led many businesses to declare they’d never use cloud services. You’d be hard-pressed to find a CIO or CEO who’d say that today. Just as businesses have evolved toward the cloud, they’re also evolving toward enterprise-wide data access. We recognize the valuable insights and innovations to be gleaned from trading siloed departmental data warehouses for the comprehensive enterprise data lake. Tearing down those silos can cost us a layer of security around specific data sets, but curling up in an information panic room is not the way forward.


Application layer security puts up another obstacle for hackers

Businesses are baking security into applications during the development process. "Identifying a security flaw in development is much less expensive than doing it once the application is running," stated Nathan Wenzler, chief security strategist at AsTech Consulting, a cyber-risk management firm in San Francisco. ... In static analysis, security software examines code without running it. It analyzes source code, identifies locations where vulnerabilities may exist and outlines potential fixes. Dynamic analysis is another option, in which the IT team tests and evaluates the application's security while it is running rather than by reading its code. Dynamic analysis tools pepper the running application with attack scenarios to detect vulnerabilities.
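
To make the static-analysis half concrete, here is an added example (not code from the article or from any commercial tool) of the smallest useful static analyser: it parses Python source into an abstract syntax tree and reports calls that a reviewer treats as code-execution sinks, without ever executing the program. The sink list and the `SAMPLE` program it is run against are constructed for this illustration.

```python
import ast
from typing import List, Tuple

# Calls treated as sinks: untrusted input reaching them is a code-execution bug.
# Constructed list for this example; a real rule set is far longer.
DANGEROUS_CALLS = {
    "eval": "arbitrary code execution",
    "exec": "arbitrary code execution",
    "os.system": "shell command execution",
    "pickle.loads": "deserialization of untrusted data",
}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output"}


def _call_name(node: ast.Call) -> str:
    """Render `f(...)` as "f" and `mod.f(...)` as "mod.f"; anything else is ignored."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def scan_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, call, reason) for every flagged call, found by walking the AST only."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, name, DANGEROUS_CALLS[name]))
        elif name in SUBPROCESS_CALLS:
            # subprocess is fine with an argv list; shell=True hands the string to /bin/sh
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append((node.lineno, name, "shell=True enables command injection"))
    return sorted(findings)


# Constructed target program: three sinks and one safe subprocess call.
SAMPLE = '''\
import os, subprocess, pickle

def run(cmd, blob):
    os.system("ls " + cmd)
    subprocess.run(cmd, shell=True)
    subprocess.run(["ls", cmd])
    return pickle.loads(blob)
'''

if __name__ == "__main__":
    for line, call, reason in scan_source(SAMPLE):
        print(f"line {line}: {call}: {reason}")
```

The safe `subprocess.run(["ls", cmd])` on line 6 is not reported, which is the distinction a grep for the word `subprocess` cannot make; the `shell=True` call one line above it is. That is the trade the article describes: a cheap check at development time, before the code ever runs.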


CIA-Made Malware? Now Antivirus Vendors Can Find Out

Among those techniques are ways to bypass antivirus software from vendors including Avira, Bitdefender and Comodo, according to some of the leaked documents. The documents even include some snippets of code that antivirus vendors can use to detect whether a hacking attempt may have come from the CIA, said Jake Williams, founder of security company Rendition InfoSec. “In the documents, they (the CIA) mention specific code snippets used in operational tools,” Williams said. Antivirus vendors can use this to look at their customers’ networks for any traces of past intrusions. That might be a big blow to the CIA’s surveillance operations. Now anyone, including foreign governments, can use the WikiLeaks dump to figure out if the CIA ever targeted them, according to Williams.



Quote for the day:


"If people follow you, you have an obligation not to abuse that trust." -- Gordon Tredgold


Daily Tech Digest - March 09, 2017

Google: Democratisation of AI tech to ‘greatly improve’ quality of life

The technologies stand to have a transformational impact on the way processes are carried out in the financial services, education, manufacturing, healthcare, retail and agriculture industries, to name a few – if organisations in these sectors can access it. “As technology reaches more people, its impact becomes more profound. This is why the next step for AI must be democratisation, by lowering the barriers to entry and making it available to the largest possible community of developers, users and enterprises,” she said. “It requires rare expertise and resources few companies can afford on their own. This is why cloud is the ideal platform for AI.” Particularly, said Fei-Fei Li, when it comes to drawing on the global reach of the Google Cloud Platform to put AI technologies in the hands of everyday users all over the world.


Say hello to the Robo-bankers: how AI is affecting banking and finance

“The development in the basic technologies, from computer processing and data storage to communication, is allowing more sophisticated technology to advance,” says Marcos Monteiro, CEO of Veezoo and participant in the inaugural Kickstart Accelerator based in Zurich. “So we have AI now able to process all this data and come up with better predictions – giving companies more data and more information.” “Companies have a lot of data but they still find it very difficult to get the information that they need. Our goal is to democratise data inside a company and make it easier for everybody to get the information they need to work.” ... When speaking at the recent RegTech Futures summit in Amsterdam, Sybenetix’s R&D president, Paul Young, advised companies to treat AI as a specialist team member: “A supervised AI approach combined with expert domain knowledge is the key to supporting people, not replacing them.”


GE Favors SaaS For Non-Differentiated Apps, Has Big Plans For IoT 

The more SaaS we can buy the better off we are, especially for non-differentiated applications like HR, scheduling, administrative, bill paying, taxes, compliance, customs, etc. The world can’t get to SaaS fast enough for us. The core applications that make GE different -- how we do field services better, how we sell better, how we do inventory, planning and predictive analysis better -- that stuff we don’t want as SaaS because there is differentiation there for us. Our software and our analytics allow us to do better than our competitors. That’s where we invest. Our feedback to the vendors that want to come in and sell us infrastructure as a service … skip that. We can already run stuff pretty cheap. We’ve got a great cloud strategy and we’ll move when we need to. Give me SaaS, that’s what I really want.


The Disconnected Digital World

Ironically, the continuous stream of digital information itself can create a dissociative effect. Digital feeds such as social media, email, enterprise messaging and collaborative communities inundate individuals to the point where they become info-blind. People are unable to recognize the important slivers of information within the digital landscape before them. How many helpful informational messages are sent in your organization each day, week and month? Are personnel now in the habit of simply filing these away or deleting them before absorbing what may be an important security item? In the same way that startups and DevOps talk about the minimum viable product (MVP), as described in “The Lean Startup: How Today’s Entrepreneurs Use Continuous Innovation to Create Radically Successful Businesses,” by Eric Ries, perhaps we need something akin to a minimum viable digital insight for security.


Securing DNS against threats from the Internet of Things

The simplicity with which DDoS attacks can be generated using DNS infrastructure is what makes them so concerning. After taking control of a system, attackers send queries to name servers across the internet with the source IP address spoofed to be their target's, so that the servers send their responses to the victim instead. The attacker crafts each query to return the largest possible response and, by employing a botnet of thousands of computers or, in the examples above, connected devices, amplifies the traffic enough to incapacitate the target. However, the responsibility for these attacks needn’t always lie with the owners of the connected devices. It isn’t always clear whether a particular device is vulnerable. The name on the label isn’t always the name of the manufacturer, for example, and these manufacturers tend not to make it easy – or in some cases, possible – to change the passwords on these devices.
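
From the name server's side, the attack above shows up as a burst of large responses all going to one address. The following is an added example, not code from the article: a detector that runs over per-query records (timestamp, client address, name, type, request size, response size), computes the amplification factor of each response and flags any client that receives many high-amplification responses inside a short window. The record format and the `SAMPLE_EVENTS` are constructed for the illustration; the thresholds are assumptions to tune against real traffic.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class DnsEvent(NamedTuple):
    ts: float            # seconds
    client: str          # source IP of the query; under reflection this is the spoofed victim
    qname: str
    qtype: str
    query_bytes: int
    response_bytes: int


def amplification(ev: DnsEvent) -> float:
    """Bytes sent back per byte received: the ratio the attacker wants as large as possible."""
    return ev.response_bytes / ev.query_bytes


def detect_reflection(events: List[DnsEvent], window: float = 1.0,
                      min_queries: int = 20, min_factor: float = 10.0) -> Dict[str, Tuple[int, float]]:
    """Flag client addresses that receive many high-amplification responses within `window`
    seconds. Returns {client: (responses in the busiest window, mean amplification factor)}."""
    by_client: Dict[str, List[DnsEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_client[ev.client].append(ev)
    suspects: Dict[str, Tuple[int, float]] = {}
    for client, evs in by_client.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            if len(span) < min_queries:
                continue
            mean = sum(amplification(e) for e in span) / len(span)
            if mean >= min_factor and len(span) >= suspects.get(client, (0, 0.0))[0]:
                suspects[client] = (len(span), round(mean, 1))
    return suspects


# Constructed sample: one ordinary stub resolver, and one address being hit with a burst of
# large ANY responses to queries it never sent.
SAMPLE_EVENTS = [
    DnsEvent(0.0, "192.0.2.10", "example.com.", "A", 45, 61),
    DnsEvent(0.5, "192.0.2.10", "example.com.", "MX", 50, 90),
] + [DnsEvent(1.0 + i * 0.01, "198.51.100.7", "example.net.", "ANY", 64, 3900) for i in range(50)]

if __name__ == "__main__":
    for client, (count, factor) in detect_reflection(SAMPLE_EVENTS).items():
        print(f"{client}: {count} responses in one window, mean amplification {factor}x")
```

The flagged address is the victim, not the attacker, which is the awkward part of reflection: the name server cannot see who spoofed the packets. What it can do is stop being useful as an amplifier, which is why response rate limiting and refusing or minimising ANY responses are the standard operator-side mitigations.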


Manage SELinux policies for better troubleshooting, access controls

Security-Enhanced Linux is an advanced access control mechanism built into most modern Linux distributions. With Security-Enhanced Linux in place, administrators use policies to better manage security. But these policies are key to not only the security of a system, but to its functionality. For example, Security-Enhanced Linux (SELinux) allows applications to query a policy; admins to control process initialization, inheritance and program execution; and admins to manage files, file systems, directories, sockets, open file descriptors, messaging interfaces and network interfaces. It also allows for in-place policy changes -- the ability to alter SELinux policies without rebooting the system. SELinux works by implementing mandatory access control (MAC) on top of discretionary access control (DAC) to protect systems from intrusion.
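
Most day-to-day SELinux policy management starts from the denials the kernel logs. The following is an added example, not code from the article: a small parser for AVC denial records in the format auditd writes to audit.log, which groups the denied permissions by (source type, target type, object class) and renders the allow rules that would silence them, in the style of audit2allow. The log lines are constructed for the illustration; the regular expression assumes the standard `scontext=... tcontext=... tclass=...` field order.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed audit.log excerpt: an httpd process denied access to a home-directory file,
# and denied an outbound connection to the MySQL port. The SYSCALL record is ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1489400000.123:901): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1489400000.124:902): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/web/index.html" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1489400001.000:903): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1489400001.000:903): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

Key = Tuple[str, str, str]   # (source type, target type, object class)


def type_of(ctx: str) -> str:
    """A security context is user:role:type[:level]; policy rules are written on the type."""
    return ctx.split(":")[2]


def parse_denials(log: str) -> Dict[Key, Set[str]]:
    """Group the denied permissions of every AVC record by (source type, target type, class)."""
    grouped: Dict[Key, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["sctx"]), type_of(m["tctx"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return grouped


def allow_rules(grouped: Dict[Key, Set[str]]) -> List[str]:
    """Render the minimal rules that would permit exactly the denied accesses."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    for rule in allow_rules(parse_denials(SAMPLE_AUDIT)):
        print(rule)
```

The rules are the starting point for a decision, not the answer. A denial on `user_home_t` usually means the content is mislabelled and the right fix is `semanage fcontext` plus `restorecon`, and a denial on `mysqld_port_t` is what the `httpd_can_network_connect_db` boolean exists for; loading a custom module that grants `httpd_t` access to home directories would instead widen the policy that is meant to contain the web server.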


Open Rights Group calls for control of spies’ use of zero-days

“While targeted surveillance is a legitimate aim, we need to know that government regulation of this area is sufficient,” said Open Rights Group campaigner Ed Johnson-Williams. “From what we learnt during the passage of the Investigatory Powers Act, it appears that the ‘creation’ of techniques is not really regulated at all,” he wrote in a blog post. The leaked CIA documents indicate that US intelligence agencies are working with the UK to stockpile vulnerabilities that can be used on Microsoft Windows, Mac and Linux computers, as well as iOS and Android smartphones and smart TVs. In the light of the fact that many of the vulnerabilities disclosed came from UK intelligence agencies, Johnson-Williams said the UK government has serious questions to answer.


A pragmatic approach to master data management

Some organizations are drawing upon their existing resources to handle master data management, often calling upon employees to manually clean and migrate data. This method tends to be prone to human error, causing further complications and does not scale well as business needs change. Many organizations have implemented specific data management tools to aid with integration and cleansing. Integration tools, however, do not always support large amounts of data and are limited in the types of files and data sources they can manipulate. Another strategy implemented by organizations, despite common understanding that it is a poor solution, is point-to-point integration. Point-to-point integration, commonly referred to as custom code, is a method in which skilled developers write custom code and implement it within each specific endpoint in order to create connectivity.


Hackers Exploit Apache Struts Vulnerability To Compromise Corporate Web Servers

On Monday, the Apache Struts developers fixed a high-impact vulnerability in the framework's Jakarta Multipart parser. Hours later, an exploit for the flaw appeared on Chinese-language websites and this was almost immediately followed by real-world attacks, according to researchers from Cisco Systems. The vulnerability is very easy to exploit and allows attackers to execute system commands with the privileges of the user running the web server process. If the web server is configured to run as root, the system is completely compromised, but executing code as a lower-privileged user is also a serious security threat. What's even worse is that the Java web application doesn't even need to implement file upload functionality via the Jakarta Multipart parser in order to be vulnerable.
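
The public exploit for this flaw (tracked as CVE-2017-5638, fixed in Struts 2.3.32 and 2.5.10.1) delivered an OGNL expression in the request's Content-Type header, which is why the application needs no upload form to be exposed: the Jakarta parser evaluates the header while building its error message. Until a server is patched, the practical detection is therefore on that header. The following is an added example, not code from the article or from Cisco: it runs over constructed web-server log lines of the form `client "METHOD path" "Content-Type"`, URL-decodes the header and flags the OGNL markers the exploit relied on. The log format and sample lines are constructed; the marker list is an assumption that a real rule set would extend.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Markers of an OGNL expression smuggled into a header. Constructed list for this example.
OGNL_MARKERS = [
    re.compile(r"%\{|\$\{"),                                              # expression openers
    re.compile(r"#_memberAccess|@java\.lang\.|@ognl\.OgnlContext@|#cmd=", re.IGNORECASE),
]

# Constructed log format: client "METHOD path" "Content-Type header value"
LOG_RE = re.compile(r'^(?P<client>\S+) "(?P<method>\S+) (?P<path>\S+)" "(?P<ctype>.*)"$')

# Constructed sample: two legitimate requests, one raw injection, one URL-encoded injection.
SAMPLE_LOG = """\
192.0.2.10 "POST /app/upload.action" "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
203.0.113.5 "POST /app/upload.action" "%{(#_='multipart/form-data').(#cmd='whoami')}"
203.0.113.6 "GET /app/index.action" "%25%7B(%23_%3D'multipart/form-data').(%23cmd%3D'id')%7D"
192.0.2.11 "POST /app/upload.action" "application/x-www-form-urlencoded"
"""


def is_ognl_injection(header_value: str) -> bool:
    """True when the (decoded) header value looks like an OGNL expression rather than a media type."""
    decoded = unquote(header_value)   # defeat the percent-encoding evasion on the third sample line
    return any(p.search(decoded) for p in OGNL_MARKERS)


def flag_requests(log: str) -> List[Tuple[str, str]]:
    """Return (client, path) for every request whose Content-Type carries an OGNL expression."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m and is_ognl_injection(m["ctype"]):
            hits.append((m["client"], m["path"]))
    return hits


if __name__ == "__main__":
    for client, path in flag_requests(SAMPLE_LOG):
        print(f"suspected Struts OGNL injection from {client} against {path}")
```

A legitimate Content-Type is a media type plus parameters and never contains `%{`, so the rule has a low false-positive rate and is also usable as a WAF or reverse-proxy block rule. It is a stopgap: the attacker controls the whole header, so the only durable fix is upgrading Struts, and any host that logged a hit before patching should be treated as compromised and examined for commands run as the web server user.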


How to start building your next-generation operating model

Technology is a core element of any next-generation operating model, and it needs to support a much faster and more flexible deployment of products and services. However, companies often have trouble understanding how to implement these new technologies alongside legacy systems or are hampered by outdated systems that move far too slowly. To address these issues, leaders are building modular architecture that supports flexible and reusable technologies. Business-process management (BPM) tools and externally facing channels, for example, can be shared across many if not all customer journeys. Leading technology teams collaborate with business leaders to assess which systems need to move faster. This understanding helps institutions decide how to architect their technology.



Quote for the day:


“Let no feeling of discouragement prey upon you, and in the end you are sure to succeed.” -- Abraham Lincoln