itwbennett writes: CIOs are known to have short tenures. (Remember the old saw about CIO standing for Career Is Over?) But 4-5 years on the job is just about right, says Chris Patrick, global CIO practice leader at Egon Zehnder. His reasoning is that in that timeframe you are able to 'usher in change, stabilize and augment the function and move on before the organization grows stale.' But hitting that 4-5 year sweet spot is increasingly challenging for many CIOs — and that may be because of the new pressures associated with digital transformation.
itwbennett writes: Would taking the 'name and shame' approach popularized by Consumer Reports to software security improve the sorry state of enterprise software? That's the hope of the Cyber Independent Testing Lab (CITL), which is 'fuzzing binaries at scale and building a checklist of compile-time security best practices,' writes CSO Online's JM Porup in a recent article. The idea is that with this sort of transparency, 'enterprise security administrators will be able to use the CITL's ratings to identify weaknesses in their infrastructure and to demand more secure software from their suppliers.' Will it work? Tim Carstens, acting director of the CITL, admits that 'Hitting 100 out of 100 on my test does not mean your software is invincible.'
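What a compile-time hardening checklist looks like in practice, as an added example that is not CITL's tooling or anything from the article: a Python script that reads only the ELF64 file and program headers and reports three properties a linker either did or did not set (PIE, a non-executable stack, RELRO). The two ELF images it checks are constructed inline (header-only, no code), so it runs offline; the names `WEAK`, `HARDENED`, `check_hardening` and `failed_checks` are mine.

```python
"""Check compile-time hardening flags of an ELF64 binary from its headers.

Added example (not CITL's code). Reads the ELF file header and program
headers only, so it needs no external tools. Two constructed, header-only
ELF images are built below to exercise the checks offline.
"""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header, 56 bytes


def check_hardening(blob: bytes) -> dict:
    """Return {'pie', 'nx', 'relro'} booleans for a little-endian ELF64 image."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(blob, 0)
    stack_flags = None
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(blob, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        # PIE executables are linked as ET_DYN so the loader can place them anywhere.
        "pie": e_type == ET_DYN,
        # NX: a PT_GNU_STACK header without PF_X. No PT_GNU_STACK at all means
        # an executable stack on most Linux loaders, so that also counts as weak.
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        # PT_GNU_RELRO marks the region the loader remaps read-only after relocation.
        "relro": relro,
    }


def failed_checks(blob: bytes) -> list:
    """Names of the checks the image fails, sorted, for a checklist-style report."""
    return sorted(name for name, ok in check_hardening(blob).items() if not ok)


def build_elf(e_type: int, phdrs: list) -> bytes:
    """Constructed header-only ELF64 image (x86-64), enough for the checks above."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # 64-bit, little-endian, v1
    body = b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0x1000) for t, f in phdrs)
    header = EHDR.pack(e_ident, e_type, 62, 1, 0x1000, EHDR.size, 0, 0,
                       EHDR.size, PHDR.size, len(phdrs), 64, 0, 0)
    return header + body


# Constructed samples: a non-PIE binary with an executable stack and no RELRO,
# and a PIE binary with a non-executable stack and a RELRO segment.
WEAK = build_elf(ET_EXEC, [(PT_LOAD, PF_R | PF_X),
                           (PT_GNU_STACK, PF_R | PF_W | PF_X)])
HARDENED = build_elf(ET_DYN, [(PT_LOAD, PF_R | PF_X), (PT_DYNAMIC, PF_R | PF_W),
                              (PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)])


if __name__ == "__main__":
    for name, blob in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_hardening(blob), "missing:", failed_checks(blob))
```

To run it against a real binary, pass `open(path, "rb").read()` to `check_hardening`. Two caveats: distinguishing full from partial RELRO needs the `DT_BIND_NOW` / `DF_BIND_NOW` entries of the dynamic section, and stack canaries or FORTIFY show up as symbol references (`__stack_chk_fail`, `__*_chk`), none of which this header-only check reads.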
itwbennett writes: 'The BSDs have lost the battle for mindshare to Linux, and that may well bode ill for the future sustainability of the BSDs as viable, secure operating systems,' writes CSO's JM Porup. The reason why is a familiar refrain: more eyeballs mean more secure code. Porup cites the work of Ilja von Sprundel, director of penetration testing at IOActive, who, noting the 'small number of reported BSD kernel vulnerabilities compared to Linux,' dug into BSD source code. His search 'easily' turned up about 115 kernel bugs. Porup looks at the relative security of OpenBSD, FreeBSD and NetBSD, the effect on Mac OS, and why, despite FreeBSD's relative popularity, OpenBSD may be the most likely to survive.
itwbennett writes: Security startup Cymmetria has a new offering for customers: “legal hack back”. The hack back tools have been added to the company's MazeHunter deception technology and will enable 'tracking down the attack servers and wiping data originally stolen from their servers, probing the attack infrastructure for weaknesses to exploit, disabling the systems controlling malware, looking for information about the attackers to use in attribution, and launching distributed denial-of-service attacks to slow down criminal operations,' but security teams are restricted to taking these actions on systems within their organizations, writes Fahmida Rashid in CSO Online. 'Legal hack back via MazeHunter is more than traditional incident response because the organization can run a payload on the infected machine to engage with the attacker even before the forensics part of the investigation is complete,' said Gadi Evron, founder and CEO of Cymmetria.
itwbennett writes: Steve Ragan reports in CSOOnline that a phishing campaign active since June has been targeting government agencies, industrial organizations, financial firms and universities, among others in an attempt to collect usernames and passwords for Office 365 accounts. 'Considering most organizations leverage Office 365 credentials for Exchange, One Drive, Skype, and SharePoint, and Office Store apps, the damage potential is serious,' Ragan says. Researchers from Fujitsu told Ragan that based on just a few investigations, 'at least 30,000 Office 365 Phishing emails have fit the description of a sustained chain attack against Office 365 customers.'
itwbennett writes: ‘Given how competitive the security industry is, it isn't often that stories of researchers from rival firms working together surface. When they do, they're usually worth telling,’ says CSOonline’s Steve Ragan. This is one such story. On August 19, two days after attacks from a botnet that would later come to be known as WireX started ramping up, researchers at Akamai found ‘strange looking User-Agent strings’ in their log data and reached out to Cloudflare, a member of a ‘trust group’ that also includes researchers from Flashpoint, Google, Oracle (Dyn), RiskIQ and Team Cymru. ‘We pooled our collective knowledge about these attacks, which led to the discovery of the likely infection source. Akamai was able to locate the specific malicious applications, and Cloudflare worked to decompile those applications so the research group could investigate further,’ explained Justin Paine, head of Trust & Safety at Cloudflare. ‘As of today, WireX isn't completely dead, but the trust group says it's largely neutralized,’ Ragan writes.
itwbennett writes: As previously reported on Slashdot, U.S. intelligence agencies have warned against using Kaspersky software amid swirling rumors of ties between Kaspersky Lab executives and the Russian government. White House cybersecurity coordinator Rob Joyce this week advised against consumer use of Kaspersky software. This may be good politics, but CSOonline's Fahmida Rashid warns that it's bad infosec. 'If the government has any evidence—or even compelling reasons for being suspicious—it should be sharing that, because many companies and consumers rely on Kaspersky Lab products. The fact that the government hasn’t done so makes it likely this is all just geo politics,' writes Rashid. 'There is enough FUD in the market without throwing in politics into decision-making. Organizations should focus on deploying the technology which best addresses their needs.'
itwbennett writes: Many of us can remember a day (not so long ago) when business processes were a company's secret sauce, and custom software was built to suit those processes. Not anymore. According to a survey by low-code software company TrackVia, 82 percent of companies report changing a part of their business operations or processes to match the way their software works. The reason: companies are no longer looking to their processes and operations to provide competitive advantage. Instead, as anyone who's bought into the 'digital transformation' hype will tell you, the new differentiator is customer experience.
itwbennett writes: On April 4, Google triumphantly tweeted that it had closed the gender pay gap. Just 3 days later, in a hearing about a lawsuit that the Labor Department brought against Google to force the company to hand over salary information, Labor Department Regional Director Janette Wipper testified in a San Francisco court that the department 'found systemic compensation disparities against women pretty much across the entire workforce,' according to a report in The Guardian. 'The government’s analysis at this point indicates that discrimination against women in Google is quite extreme, even in this industry,' Janet Herold, regional solicitor for the DoL, told The Guardian.
itwbennett writes: Asked to point to a successful open source business model, you'd likely bring up Red Hat and how it charges for services. Or maybe you'd point to charging for customization and support for open source software. But are those the best business models for open source startups? Venture capitalist Sam Myers doesn't think so. 'Despite Red Hat, it is actually quite challenging to make money selling customization, support and consultancy,' Myers says. 'Why? Because it is head-count driven, the model doesn't scale, and you get low renewals. And you have competition from other consultancies.' What do you think is the best business model for open source software?
itwbennett writes: SoftBank, Sprint’s parent company, reportedly wants to merge the wireless carrier with either T-Mobile or Comcast. CIO.com's Bill Snyder says that's a terrible idea — not because going from 4 to 3 major carriers would restrict consumer choice all that much, but because it comes at 'a time when competition in the wireless market is finally heating up,' says Snyder. As for which merger would be worse for consumers, Snyder says 'losing T-Mobile as an independent force would be as bad as it gets' because of all the carriers, it is the one most willing to try new pricing schemes in the fight for market share.
itwbennett writes: Over the weekend, security researcher Alexander Klink disclosed an interesting attack where exploiting an XXE (XML External Entity) vulnerability in a Java application can be used to send emails. At the same time, he showed that this type of vulnerability can be used to trick the Java runtime into initiating FTP connections to remote servers. After seeing Klink's exploit, Timothy Morgan, a researcher with Blindspot Security, decided to disclose a similar attack that works against both Java's and Python's FTP implementations. 'But his attack is more serious because it can be used to punch holes through firewalls,' writes Lucian Constantin in CSO Online.
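The XXE entry point both attacks rely on, as an added example that is not Klink's or Morgan's code: an attacker-controlled document whose DTD declares an external entity, parsed by Python's stdlib SAX parser once with external general entities enabled and once with them disabled. The entity points at a local file constructed here instead of an `ftp://` URL so the example runs offline; the mechanism is the same, the parser dereferences whatever URL the DTD names. The element names `order`/`note`, the entity name `xxe` and the file contents are mine.

```python
"""XML External Entity (XXE) resolution: vulnerable vs hardened parser settings.

Added example, not exploit code from the article. Uses Python's stdlib SAX
parser; the external entity targets a constructed local file rather than an
ftp:// URL so the script runs with no network access.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data, which is where expanded entities end up."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes: bytes, allow_external_entities: bool) -> str:
    """Parse the document and return its text; the flag is the XXE switch."""
    parser = xml.sax.make_parser()
    # feature_external_ges governs external *general* entities (the &xxe; kind).
    # False is the hardened setting; True lets the DTD pull in any URL it names.
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts).strip()


def xxe_payload(target: str) -> bytes:
    """Attacker-controlled document: its internal DTD defines an external entity."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "' + target.encode() + b'">]>\n'
        b"<order><note>&xxe;</note></order>\n"
    )


def demo() -> dict:
    """Run the payload through both configurations against a constructed secret file."""
    with tempfile.NamedTemporaryFile("wb", suffix=".txt", delete=False) as f:
        f.write(b"s3cret-token\n")  # constructed stand-in for a sensitive file
        path = f.name
    try:
        return {
            "vulnerable": parse_text(xxe_payload(path), allow_external_entities=True),
            "hardened": parse_text(xxe_payload(path), allow_external_entities=False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

With the feature enabled the file contents come back as document text; with it disabled the reference expands to nothing. In production, disable DTD processing altogether (or use a hardened wrapper such as defusedxml) rather than toggling one feature, and give XML-parsing hosts no outbound network path, since the firewall-traversal variant described above only works if the parser can reach the attacker's server.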
Copy that 2 writes: Bitcoin and ransomware seem to go hand-in-hand, but experts explain that doing away with the cybercurrency would just force cybercriminals to find another anonymous way to extort money.
itwbennett writes: Whether or not beginning programmers should learn C is a question that has been roundly debated on Slashdot and elsewhere. The general consensus seems to be that learning it will make you a better programmer — and it looks good on your resume. But now there might be another reason to learn C: the rapid growth of the internet of things (IoT) could cause a spike in demand for C skills, according to Gartner analyst Mark Driver. 'For traditional workloads there is no need to be counting the bytes like there used to be. But when it comes to IoT applications there is that need once again.'