Tech Guides - Security

59 Articles
Guest Contributor
21 Aug 2018
8 min read

Do you want to know what the future holds for privacy? It’s got Artificial Intelligence on both sides.

AI and machine learning are quickly becoming integral parts of modern society. They’ve become common personal and household objects in this era of the Internet of Things. No longer are they relegated to the inner workings of gigantic global corporations or military entities. AI is taking center stage in our very lives and there’s little we can do about it.

Tech giants like Google and Amazon have made it very easy for anyone to get their hands on AI-based technology in the form of AI assistants and a plethora of MLaaS (machine-learning-as-a-service) offerings. These AI-powered devices can do anything from telling you the weather and finding you a recipe for your favorite pasta dish to letting you know your friend Brad is at the door, and opening that door for you. What’s more, democratized AI tools make it easy for anyone (even without coding experience) to try their hand at building machine-learning-based apps.

Needless to say, a future filled with AI is a future filled with convenience. If Disney’s film “Wall-e” was any hint, we could spend our whole lives in a chair while letting self-learning machines do everything for us (even raising our kids). However, the AI of today could paint an entirely different picture of the future for our privacy.

The price of convenience

Today’s AI is hungry for your personal information. Of course, this isn’t really surprising, seeing as these assistants were birthed by companies like Google, which makes most of its yearly income from ad revenue. In one article written by Gizmodo, a privacy flaw was found in Google’s then newest AI creation. The AI assistant would be built into every Google Pixel phone and would run on their messenger app “Allo”. Users could simply ask the assistant questions like “what’s the weather like tomorrow” or “how do I get to Brad’s house”. Therein lies the problem.
In order for an AI assistant to adjust to your personal preferences, it first has to learn and remember all of your personal information: every intimate detail that makes you, you. It does this by raking in all the information stored on your device (like your contacts list, photos, messages, location). This poses a huge privacy issue since it means you’re sharing all your personal information with Google (or whichever company manufactures your AI-driven assistant). In the end, no one will know you better than yourself, except Google.

Another problem with this AI is that it can only work if your message is unencrypted. You can either opt for more privacy by choosing to use the built-in end-to-end encrypted mode or opt for more convenience by turning off encrypted mode and letting the AI read/listen to your conversations. There is no middle ground yet.

Why is this such a big problem? Two reasons:

  • Companies, like Google, use or sell your private information to third parties to make their money; and
  • Google isn’t exactly the most trustworthy with users’ secrets. If your AI manufacturer behaves like Google, that privacy policy that you’re relying on will mean nothing once the government starts knocking on their door.

VPNs vs AI

How AI learns from your personal information is just the tip of the iceberg. There’s a deeper privacy threat looming just behind the curtain: bad actors waiting to use AI for their own nefarious purposes.

One study compared human hackers with artificial hackers to see who could get more Twitter users to click on malicious phishing links. The results showed that artificial hackers substantially outperformed their human counterparts. The artificial hacker pumped out more spear-phishing tweets that resulted in more conversions. This shows how powerful AI can be once it’s weaponized by hackers. Hackers may already be using AI right now, though it’s still hard to tell. Users are not without means to defend themselves, though.
VPNs have long been used as a countermeasure against hackers. The VPN industry has even grown due to recent problems regarding user data and personal information, like the Facebook-Cambridge Analytica scandal and how the EU’s GDPR effectively drove many websites to block IPs from the EU.

A VPN (Virtual Private Network) protects your privacy by masking your IP. It also routes your internet traffic through secure tunnels where it is encrypted. Most VPNs on the market currently use military-grade 256-bit AES to encrypt your data, along with a multitude of other security features.

The problem is that anyone with the time and resources can still break through your VPN’s defense, especially if you’re a high-profile target. This can be done either by getting the key through some nefarious means or by exploiting known vulnerabilities to break into the VPN’s encryption. Breaking a VPN’s encryption is no easy task as it will take lots of computation and time; we’re talking years here. However, with the rise of AI, the process of breaking a VPN’s encryption may have become easier.

Just 2 years ago, DARPA, the US government agency that commissions research for the US Department of Defense, funded the Cyber Grand Challenge. Here, computers were pitted against each other to find and fix bugs in their systems. The winner, a computer named “Mayhem” created by a team named “ForAllSecure”, took home the $2 million prize. It achieved its goal by not only patching any holes it found in its own system but also by finding and exploiting holes in its opponents’ software before they could be patched.

Although the whole point of the challenge was to speed up the development of AI to defend against hackers, it also showed just how powerful an artificial hacker can be. A machine that could quickly process heaps and heaps of data while developing more ways to defend/attack from its own processes is a double-edged sword.
This is why some VPN companies have started incorporating AI to defend against hackers, human or otherwise.

The future of VPNs is AI augmented

“If you can’t beat them, join them.”

One VPN that has started using AI as part of its service is Perfect Privacy. Their AI takes the form of Neuro routing (AI-based routing). With this, the AI makes a connection based on where the user is connecting to. The AI chooses the closest server to the destination server and does so separately for all connections. This means that if you’re in Romania but you’re connecting to a website hosted in New York, the VPN will choose a New York-based location as an exit server. This not only reduces latency but also ensures that all traffic remains in the VPN for as long as possible. It also makes the user appear to have different IPs on different sites, which only bolsters privacy even more. And because the AI is dynamic in its approach, it frequently changes its route to be the shortest route possible. This makes its routes nigh impossible to predict. If you’d like a more detailed look at Perfect Privacy and its AI-based routing, check out this Perfect Privacy review.

Some experts believe that someday in the future, we may just let AI handle our security in the Internet of Things for us. Just recently this year, a wireless VPN router called “Fortigis” was released and touted AI-based defenses. The router uses self-learning AI to keep your connection safe by learning from attack attempts made on any Fortigis router. All devices are then updated to defend against such attacks, thereby ensuring up-to-date security. It also allows you to control who can connect to your home network, alerts you when someone is connecting, and informs you of all the devices connected to your home network.

These are just some of the ways the VPN industry is keeping up with the security needs of the times. Who knows what else the future could bring just around the corner.
Whatever it is, one thing is for sure: Artificial intelligence will be a big part of it.

About Author

Dana Jackson is a U.S. expat living in Germany and the founder of PrivacyHub. She loves all things related to security and privacy. She holds a degree in Political Science, and loves to call herself a scientist. Dana also loves morning coffee and her dog Paw.

Savia Lobo
22 Jun 2018
3 min read

What security and systems specialists are planning to learn in 2018

Developers are always on the verge of learning something new that can add to their skills and experience. Organizations such as Red Hat, Microsoft, Oracle, and many more roll out courses and certifications for developers and other individuals. 2018 has brought in some exciting areas for security and system experts to explore. Our annual Skill Up survey highlighted a few of the technologies that security and system specialists are planning to learn this year.

Docker emerged at the top, with professionals wanting to learn more about it and its implementations in building software with the ‘everything at one place’ concept. The survey also highlighted specialists being interested in learning RedHat’s OpenStack, Microsoft Azure, and AWS technologies.

OpenStack, being a cloud OS, keeps a check on large pools of compute, storage, and networking resources within any datacenter, all through a web interface. It provides users with a more modular architecture to build their own cloud platforms without the restrictions faced in traditional cloud infrastructure. OpenStack also offers a Red Hat® Certified System Administrator course using which one can secure private clouds on OpenStack. You can check out our book on OpenStack Essentials to get started.

The survey also highlights that system specialists are interested in learning Microsoft Azure. The primary reason for their choice is that it offers a varied range of options to protect one’s applications and data. It offers a seamless experience for developers who want to build, deploy, and maintain applications on the cloud. It also supports compliance efforts and provides cost-effective security for individuals and organizations.

AWS also offers out-of-the-box features with its products such as Amazon EC2, Amazon S3, AWS Lambda, and many more. Read about why AWS is a preferred cloud provider in our article, Why AWS is the preferred cloud platform for developers working with big data?
In response to another question in the same survey, developers expressed their interest in learning security. With a lot of information being hosted over the web, organizations fear that their valuable data might be attacked by hackers and used illegally.

Developers are also keen on learning about security automation, which can help them perform vulnerability scans without human error and decrease their time to resolution. Security automation further optimizes the ROI of their security investments. Learn security automation using one of the popular tools, Ansible, with our book, Security Automation with Ansible 2.

So here are some of the technologies that security and system specialists are planning to learn. This analysis was taken from the Packt Skill Up Survey 2018. Do let us know your thoughts in the comments below. The entire survey report can be found on the Packt store.

Sugandha Lahoti
18 Aug 2018
7 min read

Four 2018 Facebook patents to battle fake news and improve news feed

The past few months saw Facebook struggling to maintain its integrity considering the number of fake news and data scandals linked to it - Alex Jones, accusations of discriminatory advertising and more. Not to mention, Facebook stock fell $120 billion in market value after the Q2 2018 earnings call.

Amidst these allegations of providing fake news and allowing discriminatory content on its news feed, Facebook patented its news feed filter tool last week to provide more relevant news to its users. In the past, Facebook has also obtained several interesting patents to enhance its news feed algorithm in order to curb fake news. This made us look into what other recent patents Facebook has been granted around news feeds and fake news.

Facebook’s News Feed has always been one of its signature features. The news feed is generated algorithmically (instead of chronologically), with a mix of status updates, page updates, and app updates that Facebook believes are interesting and relevant to you. Officially, Facebook successfully patented its News Feed in 2012, after filing for it in 2006. The patent gave the company a stronghold on the ability to let users see not only status messages, pictures, and links to videos of online friends, but also the actions those friends take.

Note: According to the United States Patent and Trademark Office (USPTO), a patent is an exclusive right to an invention and “the right to exclude others from making, using, offering for sale, or selling the invention in the United States or “importing” the invention into the United States”.

Here are four Facebook patents in 2018 pertaining to news feeds that we found interesting.

Dynamically providing a feed of stories

Date of Patent: April 10, 2018
Filed: December 10, 2015
Features: Facebook filed this patent to present their news feed in a more dynamic manner suited to a particular person.
Facebook’s News feed automatically generates a display that contains information relevant to a user about another user. This patent is titled Dynamically providing a feed of stories about a user of a social networking system.

As per the patent application, social networking websites have recently developed systems for tailoring connections between various users. Typically, however, these news items are disparate and disorganized. The proposed method generates news items regarding activities associated with a user. It attaches an informational link associated with at least one of the activities to at least one of the news items. The method limits access to the news items to a predetermined set of viewers and assigns an order to the news items.

Source: USPTO

This patent is a viable solution to limit access to news items which a particular section of users may find obscene. For instance, Facebook users below the age of 18 may be restricted from viewing graphic content.

The patent received criticism, with people ridiculing it for seeming to go against everything that the patent system is supposed to do. They say that such automatically generated news feeds are found in all sorts of systems and social networks these days. But now Facebook may have the right to prevent others from doing what other social networks are inherently supposed to do.

Generating a feed of content items from multiple sources

Date of Patent: July 3, 2018
Filed: June 6, 2014
Features: Facebook filed a patent allowing a feed of content items associated with a topic to be generated from multiple content sources.

Per the Facebook patent, their newsfeed generation system receives content items from one or more content sources. It matches the content items to topics based on a measure of the affinity of each content item for one or more objects. These objects form a database that is associated with various topics.
The feed associated with the topic is communicated to a user, allowing the user to readily identify content items associated with the topic.

Source: USPTO

Let us consider the example of sports. A sports database will contain an ontology defining relationships between objects such as teams, athletes, and coaches. The news feed system for a particular user interested in sports (an athlete or a coach or a player) will cover all content items associated with sports.

Selecting organic content and advertisements based on user engagement

Date of Patent: July 3, 2018
Filed: June 6, 2014
Features: Facebook wants to dynamically adjust the organic content items and advertisements presented to a user by modifying a ranking.

Partial engagement scores will be generated for organic content items based on an expected amount of user interaction with each organic content item. Advertisement scores will be generated based on expected user interaction and bid amounts associated with each organic content item. These advertisement and partial engagement scores are next used to determine two separate engagement scores measuring the user's estimated interaction with a content feed. One engagement score is of organic content items with advertisements and one without them. A difference between both these scores will modify a conversion factor used to combine expected user interaction and bid amounts to generate advertisement scores.

This mechanism has been patented by Facebook as Selecting organic content and advertisements for presentation to social networking system users based on user engagement.

For example, if a large number of advertisements are presented to a user, the user may become frustrated with the increased difficulty in viewing stories and interact less with the social networking system. However, advertisements also generate additional revenue for the social networking system. A balance is necessary.
So, if the engagement score is greater than the additional engagement score by at least a threshold amount, the conversion factor is modified (e.g., decreased) to increase the number of organic content items included in the feed. If the engagement score is greater than the additional engagement score but less than the threshold amount, the conversion factor is modified (e.g., increased) to decrease the number of organic content items included in the feed.

Source: USPTO

Displaying news ticker content in a social networking system

Date of Patent: January 9, 2018
Filed: February 10, 2016
Features: Facebook has also patented Displaying news ticker content in a social networking system.

This Facebook patent describes a system that displays stories about a user’s friends in a news ticker, as friends perform actions. The system monitors in real time for actions associated with users connected with the target user. The news ticker is updated such that stories including the identified actions and the associated connected users are displayed within a news ticker interface. The news ticker interface may be a dedicated portion of the website’s interface, for example in a column next to a newsfeed. Additional information related to the selected story may be displayed in a separate interface.

Source: USPTO

For example, a user may select a story displayed in the news ticker; let’s say movies. In response, additional information associated with movies (such as actors, director, songs, etc.) may be displayed in an additional interface. The additional information can also depend on the movies liked by the friends of the target user.

These patents speak at length to how Facebook is trying to repair its image and make amendments to its news feed algorithms to curb fake and biased news.
The dynamic algorithm may restrict content, the news ticker content and multiple source extractions will keep the feed relevant, and the balance between organic content and advertisements could lure users to stay on the site. As such, there are no details currently on when or if these features will hit the Facebook feed, but once implemented they could bring Zuckerberg’s vision of “bringing the world close together” closer to reality.

Richard Gall
16 May 2018
3 min read

BeyondCorp is transforming enterprise security

What is BeyondCorp?

BeyondCorp is an approach to cloud security developed by Google. It is a zero trust security framework that not only tackles many of today's cyber security challenges but also helps to improve accessibility for employees. As remote, multi-device working shifts the way we work, it's a framework that might just be future proof.

The principle behind it is a pragmatic one: dispensing with the traditional notion of a workplace network and using a public network instead. By moving away from the concept of a software perimeter, BeyondCorp makes it much more difficult for malicious attackers to penetrate your network. You're no longer inside or outside the network; there are different permissions for different services. While these are accessible to those that have the relevant permissions, the lack of perimeter makes life very difficult for cyber criminals.

How does BeyondCorp work?

BeyondCorp works by focusing on users and devices rather than networks and locations. It works through a device inventory service. This essentially logs information about the user accessing the service, who they are, and what device they're using. Google explained the concept in detail back in 2016:

"Unlike the conventional perimeter security model, BeyondCorp doesn’t gate access to services and tools based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user."

Of course, BeyondCorp encompasses a whole range of security practices. Implementation requires a good deal of alignment and effective internal communication. That's one of the challenges the Google team had when implementing the framework: getting the communication and buy-in from the whole organization without radically disrupting how people work.

Is BeyondCorp being widely adopted by enterprises?
Google has been developing BeyondCorp for some time. In fact, the concept was a response to the Operation Aurora cyber attack back in 2009. This isn't a new approach to system security, but it is only recently becoming more accessible to other organizations.

We're starting to see a number of software companies offering what you might call BeyondCorp-as-a-Service. Duo is one such service: "Reliable, secure application access begins with trust, or a lack thereof" goes the (somewhat clunky) copy on their homepage. Elsewhere, ScaleFT also offer BeyondCorp services.

Services like those offered by Duo and ScaleFT highlight that there is clearly a demand for this type of security framework. But it is a nascent trend. Despite BeyondCorp having been within Google for almost a decade, ThoughtWorks' Radar first picked up on it in May 2018. Even then, ThoughtWorks placed it in the 'assess' stage. That means that it is still too early to adopt. It should simply be explored as a potential security option in the near future.

Amarabha Banerjee
16 Jul 2018
3 min read

Is Facebook planning to spy on you through your mobile’s microphones?

You must have been hearing about the recent Cambridge Analytica scandal involving Facebook and user data theft. In the aftermath of that scandal, many have become cautious about using Facebook and are wondering how safe their personal data is going to be. Now, Facebook has filed for a patent for a technology that will allow an ambient audio signal to activate your mobile phone’s microphone remotely, and record without you even knowing.

This news definitely comes as a shock, especially after Facebook’s Senate hearing early this year and their apologetic messages regarding the Cambridge Analytica scandal. If you weren’t taking your data privacy seriously, then it’s high time you did.

According to Facebook, this is how the patent-pending tech would work:

  • Smartphones can detect signals outside of the human perception range, meaning we can neither hear nor see those signals.
  • Advertisements on TV or any other device will be preloaded with such signals.
  • When your smartphone detects such hidden signals from the adverts or any other commercials, it would automatically activate the phone microphone and start recording ambient noise and sounds.
  • The sound recorded would include everything in the background, from your normal conversations to the ambient noise of the program or any other kind of noise.
  • This would be stored online and sent back to Facebook for analysis.

Facebook claim they will only look at the user reaction to the advert. For example, if the ambient advert is heard in the background, it means the users moved away from it after seeing it. If they change channels, that means they are not interested either in the advert or in the product. If the ambient sound is direct, then that means the users were bound to the couch as the ad was playing. This will give Facebook a rich set of data on which ads people are more interested in watching, and also a count of the people watching a particular ad.
This data in turn will help Facebook place the right kind of ads for their users with prior knowledge of their interest in them.

All of this is explained from the point of view of Facebook, which at the moment sounds very, very idealistic. Do we really believe that Facebook is applying for this patent with such naive intentions, to save our time from unwanted ads and show the ads that matter to us? Or is there something more devious involved? The capability to listen to our private conversations, record them without our knowledge, and then save them online with our identities attached sounds more like a plot from a Hollywood espionage movie.

The patent was filed back in 2016 but has resurfaced in discussions now. The only factor that is a bit comforting is that Facebook is not actively pursuing this patent. Does it mean a change of heart? Or is it a temporary pause which will resume after the current tensions are doused?

Owen Roberts
12 Jun 2016
4 min read

Cyber Security and the Internet of Things

We’re living in a world that’s more connected than we once ever thought possible. Even 10 years ago, the idea of our household appliances being connected to our Nokias was impossible to comprehend. But things have changed now and almost every week we seem to be seeing another day-to-day item connected to the internet. Twitter accounts like @internetofShit are dedicated to pointing out every random item that is now connected to the internet, from smart wallets to video-linked toothbrushes to DRM-infused wine bottles, but there is a very real side to all the laughing and caution: for every connected device you connect to your network, you’re giving attackers another potential hole to crawl through.

IoT security has simply not been given much attention by companies. Last year two security researchers managed to wirelessly hack into a Jeep Cherokee, first by taking control of the entertainment system and windshield wipers before moving on to disable the accelerator; just months earlier a security expert managed to take over and force a plane to fly sideways by making a single engine go into climb mode. In 2013 over 40 million credit card numbers were taken from US retailer Target after hackers managed to get into the network via the AC company that worked with the retailer.

The reaction to these events was huge, along with the multitude of editorials wondering how this could happen… when security experts were wondering in turn how it took so long. The problem until recently was that the IoT was seen mostly as a curio. A phone app that turns your light on or sets the kettle at the right time was seen as a quaint little toy to mess around with for a bit; it was hard for most to fully realize how it could tear a massive hole in your network security.
Plus, the speed at which these new gadgets are entering the market is becoming much faster. What used to take 3-4 years to reach the market is now taking a year or less to capitalize on the latest hype; Kickstarter projects by those new to business are being sent out into the world, and homebrew is on the rise. To give an example of how this landscape could affect us, the French technology institute Eurecom downloaded some 32,000 firmware images from potential IoT device manufacturers and discovered 38 vulnerabilities across 123 products. These products were found in at least 140K devices accessible over the internet. Now imagine what the total number of vulnerabilities across all IoT products on all networks is; the potential number is scarily huge.

The wind is changing slowly. In October, the IoT Security Summit is taking place in Boston, with speakers from both the FBI and US Homeland Security playing prominent roles. Experts are finally speaking up about the need to properly secure our interconnected devices.

As the IoT becomes mainstream and interconnected devices become more affordable to the general public, we need to do all we can to ensure that potential security cracks are filled as soon as possible; every new connection is a potential entrance for attackers to break in, and many people simply have little to no knowledge of how to improve their computer security. While this will improve as time goes on, companies and developers need to be proactive in their advancement of IoT security. Choosing not to do so will mean that the IoT will become less of a tech revolution and more of a failure left by the wayside.
Natasha Mathur
31 Oct 2018
2 min read

Tim Berners-Lee’s Solid - Trick or Treat?

Solid is a set of conventions and tools developed by Tim Berners-Lee. It aims to build decentralized social applications based on Linked Data principles. It is modular and extensible, and it relies as much as possible on existing W3C standards and protocols. This open-source project was launched earlier this month for “personal empowerment through data”.

Why are people excited about Solid?

Solid aims to radically transform the way Web applications work today, resulting in true data ownership as well as improved privacy. It hopes to empower individuals, developers, and businesses across the globe with completely new ways to build innovative and trusted applications. It gives users the freedom to choose where their data resides and who is allowed to access it.

Solid collects all the data that you want to share with advertisers or apps into a “Solid POD,” a personal online data repository. You get to decide which app gets your data and which does not. The best thing is that you don’t need to enter any data in apps that support Solid. You can just allow or disallow access to the Solid POD, and the app will take care of the rest on its own.

Moreover, Solid also offers every user a choice regarding where their data gets stored, and which specific people or groups can access selected elements of that data. Additionally, you can link to and share the data with anyone, be it your family, friends or colleagues.

Is Solid a trick or a treat?

That being said, a majority of the companies on the web are extremely sensitive when it comes to their data and might not be interested in losing control over that data. Hence, wide adoption seems to be a hurdle as of now. Also, since it only launched this month, there isn’t enough community support around it. However, Solid is surely taking us a step ahead, to a more free and open Internet, and seems to be a solid TREAT (pun intended) for all of us. For more information on Solid, check out the official Inrupt blog.

Guest Contributor
05 Sep 2018
6 min read

How to beat Cyber Interference in an Election process

The battle for political influence and power is transcending all boundaries and borders. There are many interests at stake, and some parties, organizations, and groups are willing to pull out the “big guns” in order to get what they want. “Hacktivists” are gaining steam and prominence these days. However, governmental surveillance and even criminal (or, at the very least, morally questionable) activity can happen, too, and when it does, the scandal rises to the most relevant headlines in the world’s most influential papers. That was the case in the United States’ presidential election of 2016 and in France’s most recent process.

Speaking of the former, the Congress and the Department of Investigations revealed horrifying details about Russian espionage activity in the heat of the battle between Democrat Hillary Clinton and Republican Donald Trump, who ended up taking the honors. As for the latter, the French had better luck in their quest to prevent the Russians from wreaking havoc in the digital world. In fact, it wasn’t luck: it was due diligence, a sense of responsibility, and a clever way of using past experiences (such as what happened to the Americans) to learn and adjust.

Russia’s objective was to influence the outcome of the process by publishing top secret and compromising conversations between high-ranking officials. In their attempt to intervene in the American elections, they managed to get into networks and systems controlled by the state to publish fake news, buy Facebook ads, and employ bots to spread the fake news pieces.

How to stop cyber interference during elections

Everything should start with awareness about how to avoid hacking attacks, as well as smoother communication and integration between security layers. Since the foundation of it all is the law, each country needs to continually make upgrades to have all systems ready to avoid and fight cyber interference in elections and in all facets of life.

Diplomatic relationships need to reflect just how far a nation state can go when defending its sovereignty against such crimes. Pundits and experts in the matter state that until the system is hacking-proof and can offer reliability, every state needs to gather and count hand votes as a backup to digital votes. Regarding this, some advocates recently told the Congress that the United States should implement paper ballots that are prepared to provide physical evidence of every vote, effectively replacing the unreliable and vulnerable machines currently used. According to J. Alex Halderman, who is a computer science teacher, these ballots might look “low tech” to the average eye, but they represent a “reliable and cost-effective defense.”

Paying due attention to every detail

Government authorities need to pay better attention to propaganda (especially Russian propaganda), because it may show patterns about the nation’s intentions. By now, we all know what the Russians are capable of, and figuring out their intentions would go a long way in helping the country prepare for future attacks in a better way. The American government may also require Russian media and social platforms to register under FARA, the Foreign Agents Registration Act. That way, there will be a more efficient database about who is a foreign agent of influence. One of the most critical corrective measures to be taken in the future is prohibiting the purchase of advertising that directly influences the outcome of certain processes and elections.

Handing out diplomatic sanctions just isn’t enough

Lately, the US Congress, with the approval of President Trump, has been handing out sanctions to people involved in the 2016 cyber attack. However, a far more effective measure to take would be enhancing cyber defense, because it can offer immediate detection of threats and is well-equipped to bring to an end any network intrusions.

According to scientist Thomas Schelling, the fear of the consequences of any given situation can be a powerful motivator, but it can be difficult to deter individuals or organizations that can’t be easily tracked and identified, and act behind irrational national ideologies and political goals. Instead, adopting cyber defense can stop any intrusion in time and offer more efficient punishments. Active defense is legally viable and a very capable solution because it can disrupt the perpetrators outside networks. Enabling the “hack back” approach can allow countries to take justice into their own hands in case of any cyber attack attempt. The next step would be working on lowering the required threshold to enable this kind of response.

Cyber defense is the way to go

Cyber defense measures can be very versatile and have proven effectiveness. Take the example of France: in the most recent elections, French intelligence watched Russian cyber activity for the duration of the election campaign of Emmanuel Macron. Some strategies include letting the hackers steal fake files and documents, misleading them and making them waste their time. Cyber defense can also embed beacons that disclose the attackers’ current location or mess with their networks. There is even a possibility of erasing stolen information. In the case of France, cyber defense specialists were one step ahead of the Russians: they made false email accounts and introduced numerous fake documents and files that discouraged the Russians.

Known systems, networks, and platforms

The automated capabilities of cyber defense can trump any malicious attempt or digital threat. For example, the LightCyber Magna platform can observe large amounts of information. Such a system may have been able to stop Russian hackers from installing malware on the DNC (Democratic National Committee).

Another cyber defense tool, Palo Alto Networks Traps, is known to block malware as strong as the WannaCry ransomware attack that encrypted more than 200,000 computers in almost a hundred countries. Numerous people lost their data or had to pay thousands of dollars to recover it.

VPN: an efficient cybersecurity tool

Other perfectly usable cyber defense tools are Virtual Private Networks. VPNs such as Surfshark can encrypt all traffic shared online, as well as the user’s IP address. They effectively provide anonymous browsing as well as privacy. Cyber defense isn’t a luxury that only a handful of countries can afford: it is a necessity as a tool that helps combat cyber interference not only in elections but in every facet of life and international relationships.

Author Bio

Harold is a cybersecurity consultant and a freelance blogger. He's currently working on a cybersecurity campaign to raise awareness around the threats that businesses can face online.

Top 5 cybersecurity myths debunked
Skepticism welcomes Germany’s DARPA-like cybersecurity agency – The federal agency tasked with creating cutting-edge defense technology
How cybersecurity can help us secure cyberspace

Hari Vignesh
11 Jun 2017
7 min read

How DevOps can improve software security

The term “security” often evokes negative feelings among software developers because it is associated with additional programming effort, uncertainty and roadblocks to fast development and release cycles. To secure software, developers must follow numerous guidelines that, while intended to satisfy some regulation or other, can be very restrictive and hard to understand. As a result, a lot of fear, uncertainty and doubt can surround software security.

First, let’s consider the survey conducted by SpiceWorks, in which IT pros were asked to rank a set of threats in order of risk to IT security. According to the report, the respondents ranked the following threats as their organization’s three biggest risks to IT security:
  • Human error
  • Lack of process
  • External threats

DevOps can positively impact all three of these major risk factors, without negatively impacting stability or reliability of the core business network. Let’s discuss how security in DevOps attempts to combat the toxic environment surrounding software security by shifting the paradigm from following rules and guidelines to creatively determining solutions for tough security problems.

Human error

We’ve all fat-fingered configurations and code before. Usually we catch them, but once in a while they sneak into production and wreak havoc on security. A number of “big names” have been caught in this situation, where a simple typo introduced a security risk. Often these occur because we’re so familiar with what we’re typing that we see what we expect to see, rather than what we actually typed.

To reduce risk from human error via DevOps you can:
  • Use templates to standardize common service configurations
  • Automate common tasks to avoid simple typographical errors
  • Read twice, execute once

Lack of process

First, there’s the fact that there’s almost no review of the scripts that folks already use to configure, change, shut down, and start up services across the production network. Don’t let anyone tell you they don’t use scripts to eliminate the yak shaving that exists in networking and infrastructure, too. They do. But they aren’t necessarily reviewed and they certainly aren’t versioned like the code artifacts they are; they rarely are reused. The other problem is simply that there’s no governed process. It’s tribal knowledge.

To reduce risk from a lack of process via DevOps:
  • Define the deployment process clearly. Understand prerequisites and dependencies, and eliminate redundancies or unnecessary steps.
  • Move toward the use of orchestration as the ultimate executor of the deployment process, employing manual steps only when necessary.
  • Review and manage any scripts used to assist in the process.

External threats

At first glance, this one seems to be the least likely candidate for being addressed with DevOps. Given that malware and multi-layered DDoS attacks are the most existential threats to businesses today, that’s understandable. There are entire classes of vulnerabilities that can only be detected manually by developers or experts reviewing the code. But that review doesn’t really extend to production, where a risk becomes reality when it’s exploited. One way that DevOps can reduce potential risk is more extensive testing and development of web app security policies during development that can then be deployed in production.

Adopting a DevOps approach to developing those policies, and treating them like code too, provides a faster and more likely thorough policy that does a better job overall of preventing the existential threats from becoming all-too-real nightmares.

To reduce the risk of threats becoming reality via DevOps:
  • Shift web app security policy development and testing left, into the app development life cycle.
  • Treat web app security policies like code. Review and standardize.
  • Test often, even in production.
  • Automate using technology such as dynamic application security testing (DAST) and, when possible, integrate results into the development life cycle for faster remediation that reduces risk earlier.

Best DevOps practices

Below is a list of the top five DevOps practices and tooling that can help improve overall security when incorporated directly into your end-to-end continuous integration/continuous delivery (CI/CD) pipeline:
  • Collaboration
  • Security test automation
  • Configuration and patch management
  • Continuous monitoring
  • Identity management

Collaboration and understanding your security requirements

Many of us are required to follow a security policy. It may be in the form of a corporate security policy, a customer security policy, and/or a set of compliance standards (e.g. SOX, HIPAA, etc.). Even if you are not mandated to use a specific policy or regulating standard, we all still want to ensure we follow the best practices in securing our systems and applications. The key is to identify your sources of information for security expertise, collaborate early, and understand your security requirements early so they can be incorporated into the overall solution.

Security test automation

Whether you’re building a brand new solution or upgrading an existing solution, there likely are several security considerations to incorporate. Due to the nature of quick and iterative agile development, tackling all security at once in a “big bang” approach likely will result in project delays. To ensure that projects keep moving, a layered approach often can be helpful to ensure you are continuously building additional security layers into your pipeline as you progress from development to a live product. Security test automation can ensure you have quality gates throughout your deployment pipeline, giving immediate feedback to stakeholders on security posture and allowing for quick remediation early in the pipeline.

Configuration management

In traditional development, servers/instances are provisioned and developers are able to work on the systems. To ensure servers are provisioned and managed using consistent, repeatable and reliable patterns, it’s critical to ensure you have a strategy for configuration management. The key is ensuring you can reliably guarantee and manage consistent settings across your environments.

Patch management

Similar to the concerns with configuration management, you need to ensure you have a method to quickly and reliably patch your systems. Missing patches are a common cause of exploited vulnerabilities, including malware attacks. Being able to quickly deliver a patch across a large number of systems can drastically reduce your overall security exposures.

Continuous monitoring

Ensuring you have monitoring in place across all environments with transparent feedback is vital so it can alert you quickly of potential breaches or security issues. It’s important to identify your monitoring needs across the infrastructure and application and then take advantage of some of the tooling that exists to quickly identify, isolate, shut down, and remediate potential issues before they happen or before they become exploited. Part of your monitoring strategy also should include the ability to automatically collect and analyze logs. The analysis of running logs can help identify exposures quickly. Compliance activities can become extremely expensive if they are not automated early.

Identity management

DevOps practices allow us to collaborate early with security experts, increase the level of security tests and automation to enforce quality gates for security, and provide better mechanisms for ongoing security management and compliance activities. While painful to some, it has to be important to all if we don’t want to make headlines.
About the Author Hari Vignesh Jayapalan is a Google Certified Android app developer, IDF Certified UI & UX Professional, street magician, fitness freak, technology enthusiast, and wannabe entrepreneur. He can be found on Twitter @HariofSpades.

Packt Publishing
05 Aug 2015
1 min read

SysAdmin & Security - Salary & Skills Video

What do Sys Admins and Security specialists need to get the best salary they can get in the world today? What skills are companies looking for their employees to have mastered? We interviewed over 2,000 sys admins and security specialists to see the latest trends so far this year for you to take advantage of. Which industries value admins the most highly? Do Linux or Windows lead the way with superior tools? What role does Python have for the budding pentester in the community today? And what comes out on top – Puppet, Chef, Ansible, or Salt? With this animation on our Skill Up survey results you can get the answers you need and more! View the full report here: www.packtpub.com/skillup/sys-admin-salary-report
Hari Vignesh
03 Sep 2017
6 min read

How to take a business-centric approach to security

Today’s enterprise is effectively borderless, because customers and suppliers transact from anywhere in the world, and previously siloed systems are converging on the core network. The shift of services (and data) into the cloud, or many clouds, adds further complexity to the security model. Organizations that continue to invest in traditional information security approaches either fall prey to cyber threats or find themselves unprepared to deal with cyber crimes.

I think it is about time for organizations to move their cyber security efforts away from traditional defensive approaches to a proactive approach aligned with the organization’s business objectives.

To illustrate and simplify, let’s classify traditional information security approaches into three types.

IT infrastructure-centric approach

In this traditional model, organizations tend to augment their infrastructure with products of a particular vendor, which form building blocks for their infrastructure. As the IT infrastructure vendors extend their reach into security, they introduce their security portfolio to solve the problems their product generally introduces. Microsoft, IBM, and Oracle are some examples of vendors who have a complete range of products in the IT infrastructure space. In most such cases the decision maker would be the CIO or Infrastructure Manager, with little involvement from the CISO and business representatives.

Security-centric approach

This is another traditional model whereby security products and services are selected based upon discrete needs and budgets. Generally, only research reports are referred to and only products with a high rating are considered, with a “rip-and-replace” mentality rather than any type of long-term allegiance. Vendors like FireEye, Fortinet, Palo Alto Networks, Symantec, and Trend Micro fall in this category. Generally, the CISO or security team is involved, with little to no involvement from the CIO or business representatives.

Business-centric approach

This is an emerging approach, wherein decisions affecting the cybersecurity of an organization are made jointly by corporate boards, CIOs, and CISOs. This new approach helps organizations to plan for an effective security program which is driven by business requirements, with a holistic scope including all business representatives, CIO, CISO, 3rd parties, suppliers and partners; this improves cybersecurity effectiveness and operational efficiency, and helps to align enterprise goals and objectives.

The traditional approaches to cybersecurity are no longer working, as the critical link between the business and cybersecurity is missing. These approaches are generally governed by enterprise boundaries which no longer exist with the advent of cloud computing, mobile and social networking. Another limitation of traditional approaches is that they are very audit-centric and compliance driven, which means the controls are limited by audit domain and driven largely by regulatory requirements.

Business-centric approach to security

Add in new breeds of threat that infiltrate corporate networks and it is clear that CIOs should be adopting a more business-centric security model. Security should be a business priority, not just an IT responsibility.

So, what are the key components of a business-centric security approach?

Culture

Organizations must foster a security conscious culture whereby every employee is aware of potential risks, such as malware propagated via email or saving corporate data to personal cloud services, such as Dropbox. This is particularly relevant for organizations that have a BYOD policy (and even more so for those that don’t and are therefore more likely to be at risk of shadow IT). According to a recent Deloitte survey, 70 per cent of organizations rate their employees’ lack of security awareness as an ‘average’ or ‘high’ vulnerability. Today’s tech-savvy employees are accessing the corporate network from all sorts of devices, so educating them around the potential risks is critical.

Policy and procedures

As we learned from the Target data breach, the best technologies are worthless without incident response processes in place. The key outcome of effective policy and procedures is the ability to adapt to evolving threats; that is, to incorporate changes to the threat landscape in a cost-effective manner.

Controls

Security controls deliver policy enforcement and provide hooks for delivering security information to visibility and response platforms. In today’s environment, business occurs across, inside and outside the office footprint, and infrastructure connectivity is increasing. As a result, controls for the environment need to extend to where the business operates. Key emergent security controls include:
  • Uniform application security controls (on mobile, corporate and infrastructure platforms)
  • Integrated systems for patch management
  • Scalable environment segmentation (such as for PCI compliance)
  • Enterprise Mobility Application Management for consumer devices
  • Network architectures with Edge-to-Edge Encryption

Monitoring and management

A 24×7 monitoring and response capability is critical. While larger enterprises tend to build their own Security Operations Centers, the high cost of having staff around the clock and the need to find and retain skilled security resources are too much for the medium enterprise. Moreover, according to Verizon Enterprise Solutions, companies only discover breaches through their own monitoring in 31 per cent of cases. An outsourced solution is the best option, as it enables organisations to employ sophisticated technologies and processes to detect security incidents, but in a cost-effective manner.

A shift in focus

It’s never been more critical for organizations to have a robust security strategy. But despite the growing number of high-profile data breaches, too much information security spending is dedicated to the prevention of attacks, and not enough is going into improving (or establishing) policies and procedures, controls and monitoring capabilities. A new approach to security is needed, where the focus is on securing information from the inside out, rather than protecting information from the outside in. There is still value in implementing endpoint security software as a preventative measure, but those steps now need to be part of a larger strategy that must address the fact that so much information is outside the corporate network.

The bottom line is that planning cybersecurity with a business-centric approach can lead to concrete gains in productivity, revenue, and customer retention. If your organization is among the majority of firms that don’t, now would be a great time to start.

About the Author

Hari Vignesh Jayapalan is a Google Certified Android app developer, IDF Certified UI & UX Professional, street magician, fitness freak, technology enthusiast, and wannabe entrepreneur. He can be found on Twitter @HariofSpades.

Erik Kappelman
22 Feb 2017
5 min read

Security in 2017: What's new and what's not

Security has been a problem for web developers since before the Internet existed. By this, I mean network security was a problem before the Internet (the network of networks) was created. Internet and network security has gotten a lot of play recently in the media, mostly due to some high-profile hacks that have taken place. From the personal security perspective, very little has changed. The prevalence of phishing attacks continues to increase as networks become more secure. This is because human beings remain a serious liability when securing a network. However, this type of security discussion is outside the scope of this blog.

Due to the vast breadth of this topic, I am going to focus on one specific area of web security; we will discuss securing websites and apps from the perspective of an open source developer, and I will focus on the tools that can be used to secure Node.js. This is not an exhaustive guide to secure web development. Consider this blog a quick overview of the current security tools available to Node.js developers.

A good starting point is a brief discussion on injection theory. This article provides a more in-depth discussion if you are interested. The fundamental strategy for injection attacks is figuring out a way to modify a command on the server by manipulating unsecured data. A classic example is the SQL injection, in which SQL is injected through a form into the server in order to compromise the server’s database. Luckily, injection is a well-known infiltration strategy and there are many tools that help defend against it.

One method of injection compromises HTTP headers. A quick way to secure your Node.js project from this attack is through the use of the helmet module. The following code snippet shows how easy it is to start using helmet with the default settings:

```javascript
var express = require('express')
var helmet = require('helmet')

var app = express()
// Apply helmet's default set of security-related HTTP headers to every response
app.use(helmet())
```

Just the standard helmet settings should go a long way toward a more secure web app. By default, helmet will prevent clickjacking, remove the X-Powered-By header, keep clients from sniffing the MIME type, add some small cross-site scripting (XSS) protections, and add other protections. For further defense against XSS, use of the sanitizer module is probably a good idea. The sanitizer module is relatively simple. It helps remove syntax from HTML documents that could allow for easy XSS.

Another form of injection attack is the SQL injection. This attack consists of injecting SQL into the backend as a means of entry or destruction. The sqlmap project offers a tool that can test an app for SQL injection vulnerabilities. There are many tools like sqlmap, and I would recommend weaving a variety of automated vulnerability testing into your development pattern. One easy way to avoid SQL injection is the use of parameterized queries. The PostgreSQL database module supports parameterized queries as a guard against SQL injection.

A fundamental part of any secure website or app is the use of secure transmission via HTTPS. Accomplishing encryption for your Node.js app can be fairly easy, depending on how much money you feel like spending. In my experience, if you are already using a deployment service, such as Heroku, it may be worth the extra money to pay the deployment service for HTTPS protection. If you are categorically opposed to spending extra money on web development projects, Let’s Encrypt is a free and open way to supply your web app with browser-trusted HTTPS protection. Furthermore, Let’s Encrypt automates the process of using an SSL certificate. Let’s Encrypt is a growing project and is definitely worth checking out, if you haven’t already.

Once you have created or purchased a security certificate, Node’s onboard https can do the rest of the work for you. The following code shows how simply HTTPS can be added to a Node server once a certificate is procured:

```javascript
// Test with: curl -k https://localhost:8000/
const https = require('https');
const fs = require('fs');

// Private key and certificate the server presents to clients
const options = {
  key: fs.readFileSync('/agent2-key.pem'),
  cert: fs.readFileSync('/agent2-cert.pem')
};

https.createServer(options, (req, res) => {
  res.writeHead(200);
  res.end('hello security\n');
}).listen(8000);
```

If you are feeling adventurous, the crypto Node module offers a suite of OpenSSL functions that you could use to create your own security protocols. These include hashes, HMAC authentication, ciphers, and others.

Internet security is often overlooked by hobbyists or up-and-coming developers. Instead of taking a back seat, securing a web app should be one of your highest priorities, especially as threats on the Web become greater with each passing day. As far as the topic of the blog post, what’s new and what’s not, most of what I have discussed is not new. This is in part due to the proliferation of social engineering as a means to compromise networks instead of technological methods. Most of the newest methods for protecting networks revolve around educating and monitoring authorized network users, instead of more traditional security activities. What is absolutely new (and exciting) is the introduction of Let’s Encrypt. Having access to free security certificates that are easily deployed will benefit individual developers and Internet users as a whole. HTTPS should become ubiquitous as Let’s Encrypt and other similar projects continue to grow.

As I said at the beginning of this blog, security is a broad topic. This blog has merely scratched the surface of ways to secure a Node.js app. I do hope, however, some of the information leads you in the right, safe direction.
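The parameterized-query advice earlier in this article, shown as an added example that is not code from the original post: it contrasts string concatenation with a node-postgres style query config, and adds the allow-list needed for identifiers, which placeholders cannot bind. The `users` table, its columns and all function names are assumptions, and `client` stands for any connected node-postgres Client or Pool.

```javascript
// Columns a caller may sort by (assumed schema). Placeholders bind values
// only, never identifiers, so identifiers come from a fixed allow-list.
const SORTABLE = new Set(['name', 'created_at']);

// VULNERABLE, kept for contrast: user input is spliced into the SQL text, so
// a quote in `name` closes the string literal and the rest is parsed as SQL.
function unsafeUserQuery(name) {
  return "SELECT id, name FROM users WHERE name = '" + name + "'";
}

// HARDENED: the SQL text never contains user input. The value travels
// separately in `values` and the server binds it to $1 as data only.
function safeUserQuery(name, sortBy = 'name') {
  if (typeof name !== 'string') throw new TypeError('name must be a string');
  if (!SORTABLE.has(sortBy)) throw new RangeError('unsupported sort column');
  return {
    text: `SELECT id, name FROM users WHERE name = $1 ORDER BY ${sortBy}`,
    values: [name],
  };
}

// Runs the hardened query. `client` is assumed to be a connected
// node-postgres Client or Pool, i.e. anything whose query(config)
// returns a Promise resolving to an object with a `rows` array.
async function findUsers(client, name, sortBy) {
  const result = await client.query(safeUserQuery(name, sortBy));
  return result.rows;
}

// Constructed hostile input for the demonstration.
const HOSTILE = "x' OR '1'='1";

// Constructed stand-in for a database client: it records what would be
// sent to the server so the query shape can be checked without a database.
function recordingClient() {
  const sent = [];
  return {
    sent,
    query: async (config) => {
      sent.push(config);
      return { rows: [] };
    },
  };
}

// Demonstration: the concatenated text changes meaning with the input,
// while the parameterized text stays constant and the input stays a value.
console.log('unsafe :', unsafeUserQuery(HOSTILE));
console.log('safe   :', JSON.stringify(safeUserQuery(HOSTILE)));
```

The same recording client can back a unit test in CI that fails whenever a query's text varies with user input.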
About the Author Erik Kappelman is a transportation modeler for the Montana Department of Transportation. He is also the CEO of Duplovici, a technology consulting and web design company. 

Hari Vignesh
11 Jul 2017
5 min read

Why do so many companies fail to take cyber security seriously?

Consider this: in the past year cyber thieves have stolen $81m from the central bank of Bangladesh, derailed Verizon's $4.8 billion takeover of Yahoo, and even allegedly interfered in the U.S. presidential election. Away from the headlines, a black market in computerized extortion, hacking-for-hire and stolen digital goods is booming. The problem is about to get worse, especially as computers become increasingly entwined with physical objects and vulnerable human bodies thanks to the Internet of Things and the innovations of embedded systems.

A recent survey has once again highlighted the urgent need for UK businesses to take cyber security more seriously. The survey found that 65% of companies don’t have any security solutions deployed onto their mobile devices, and 68% of companies do not have an awareness program aimed at employees of all levels to ensure they are cyber aware. In addition to this, the survey found that 76% of companies still don’t have controls in place to detect and prevent zero-day/unknown malware entering their organizations, and 74% don’t have an incident management process established to respond to cyber incidents and prevent reoccurrences.

What are the most common types of data breaches?

The most common attack is still a structured query language (SQL) injection. SQL injections feature heavily in breaches of entire systems because when there is a SQL injection vulnerability, it provides the attacker with access to the entire database.

Why is it common for large companies to have these types of errors?

There are a number of factors. One is that companies are always very cost conscious, so they’re always trying to do things on a budget in terms of the development cost. What that often means is that they’re getting under-skilled people. It doesn’t really cost anything more to build code that’s resilient to SQL injection. The developers building it have got to know how it works. For example, if you’re offshoring to the cheapest possible rates in another country, you’re probably going to get inexperienced people of very minimal security prowess.

Companies generally don’t tend to take it seriously until after they’ve had a bad incident. You can’t miss it. It’s all over the news every single day about different security incidents, but until it actually happens to an organization, the penny just doesn’t seem to drop.

Leaving the windows open

This is not a counsel of despair. The risk from fraud, car accidents, and the weather can never be eliminated completely either. But societies have developed ways of managing such risk, from government regulation to the use of legal liability and insurance to create incentives for safer behavior.

Start with regulation. Government’s first priority is to refrain from making the situation worse. Terrorist attacks, like the ones in St Petersburg and London, often spark calls for encryption to be weakened so that the security services can better monitor what individuals are up to. But it is impossible to weaken encryption for terrorists alone. The same protection that guards messaging programs like WhatsApp also guards bank transactions and online identities. Computer security is best served by encryption that is strong for everyone.

The next priority is setting basic product regulations. A lack of expertise will always hamper the ability of users of computers to protect themselves. So governments should promote “public health” for computing. They could insist that Internet-connected gizmos be updated with fixes when flaws are found. They could force users to change default usernames and passwords. Reporting laws, already in force in some American states, can oblige companies to disclose when they or their products are hacked. That encourages them to fix a problem instead of burying it.

What are the best ways for businesses to prevent cyber attacks?

There are a number of different ways of looking at it. Arguably, the most fundamental thing that makes a big difference for security is the training of technology professionals. If you’re a business owner and you’ve got people working for you who are building these systems, making sure they’re adequately trained and equipped is essential.

Data breaches are often related to coding errors. A perfect example is an Indian pathology lab, which had 43,000 pathology reports on individuals leaked publicly. The individual who built the lab’s security system was entirely unequipped. Though it may not be the only solution, a good start in improving cyber security is ensuring that there is investment in the development of the people creating the code. Let us know where you’d start!

About the Author

Hari Vignesh Jayapalan is a Google Certified Android app developer, IDF Certified UI & UX Professional, street magician, fitness freak, technology enthusiast, and wannabe entrepreneur. He can be found on Twitter @HariofSpades.
Packt Publishing
03 Aug 2015
1 min read

The biggest Sysadmin and Security salary and skills survey of 2015

See the highlights from our comprehensive Skill Up IT industry salary reports, with data from over 20,000 IT professionals. Read on to discover which skills you should learn and which industry to get into to earn the big bucks! Download the full size infographic here.    