December, 2017:

This security site shares recent dangers for the Google Chrome extension Archieve Poster.  It may link to Coinhive which will secretly mine crypto-currency with excessive algorithms clocking CPU chips to 100%.  This may result in over-heating the device, draining battery life, or using more electricity than normal

Oh great, even Chrome extensions are mining cryptocurrency now

One up-and-coming form of malware is called “crypto-jacking,” a process whereby a perfectly useful program secretly mines Bitcoin or some other crypto-currency in the background. The amount of mining on any one machine is insignificant — likely a value of a few cents per day, if that — but distributed over tens of thousands of machines, it can make a developer real money.

The latest culprit is a popular Chrome extension called Archive Poster, which helps users repost Tumblr blogs. According to reviews on the Chrome store, Archive Poster is also secretly running Coinhive, a distributed-network crypto-currency mining program. Using Coinhive, the developer was mining a currency called Monero using other people’s CPUs and electricity.

According to the Chrome store, the extension has 105,000 users, and presumably all of those are mining coins whenever their computer is on and Chrome is in use, as the extension runs in the background.

“ATTENTION! DANGEROUS! This extension is hijacked since a few weeks with a code which mines crypto-currency, which means it will change and read ALL data and sites you visit and causes 100% CPU usage,” one Chrome review says. If you have Archive Poster installed, type chrome://extensions into your browser, and click the trash can icon next to the extension to remove it.

The John Maxwell leadership training center shares an excellent article in looking ahead to challenges of 2018.  It focuses on how leaders should partner with their teams in real & meaningful ways.

http://johnmaxwellcompany.com/blog/7-keys-to-authentic-leadership

Many of your leaders may be making this same mistake with those they lead. Simply put, the “Do as I say, and not as I do” mentality does not work. People will do what their leaders do. If your leaders want dedicated, thoughtful, productive people on their team, they must model those characteristics.

If the leaders in your company are not walking the walk they ask of their team members, people will quickly realize they are not authentic. Trust will decline, taking influence and productivity with it. Here are 7 ways leaders can maintain self-awareness and lead in an authentic way that resonates with the people they lead.

Seven Ways to Model Authentic Leadership — Brent Gleeson at Inc.com lays out some tangible ways leaders can be authentic with their teams:

1. Get your hands dirty: Instead of always telling others what to do, jump in from time to time and help. Leaders don’t have to be the most advanced member of the team, but they must understand their industry and business. Working alongside their team builds trust and continues to develop their own knowledge and skills.

2.Watch what you say: Actions do speak louder than words, but words can directly impact morale. Your leaders need to be careful that what they say aligns with what they do. If someone needs help, it’s usually best to do it in private. Leaders should always encourage team members in front of one another.

3.Respect the chain of command: Gleeson says, “One of the fastest ways to cause structural deterioration, foster confusion, and damage morale is to go around your direct reports.” Leaders who don’t model respect for those they follow will have a hard time getting respect from those they lead.

4.Listen to the team: Giving orders is part of being a leader. But the best leaders recognize they don’t know everything. So they take time to stop and listen. Working together increases the odds of winning together. But working together only happens when leaders intentionally ask for and receive ideas and feedback from the team.

5.Take responsibility: No matter whose fault it is, every problem will ultimately become the leader’s responsibility. “Blame roles uphill,” says Gleeson. “Great leaders know when to accept that mistakes have been made and take it upon themselves to fix them.” As difficult as it may be at times, authentic leadership takes ownership for the actions of the team, rather than blaming those they lead for any failures.

6.Let the team do their thing: Leaders need to refrain from micromanaging. They can communicate the mission, vision, values, and goals and give necessary direction. But then then should step back and let the team innovate while monitoring progress. Setting this example fosters trust with team members and encourages them to do the same with those they lead.

7.Take care of yourself: Yes, a leader’s own physical and emotional health contributes to leadership success! When leaders are tired and worn out, their focus and energy levels fade. They may try to keep up the appearance of health, but the people they lead will see through it. The best way to get healthy employees is to model that behavior with a healthy lifestyle.

The practical upside to being authentic in leadership is that it’s downright effective. It disarms resentment and removes friction in the workplace. It opens the door for deeper connections and motivates people to follow leaders, not because they have to, but because the leader is worth following.  Bottom line: authenticity engenders trust. Trust makes everything move faster and everyone more effective.

The John Maxwell leadership training center shares an excellent article in looking ahead to challenges of 2018.  It focuses on how leaders should work to focus on team spirit & an improved gratitude for their human resources.

http://johnmaxwellcompany.com/blog/how-to-increase-productivity

68% of your employees may not want to be there. According to Gallup, only 32% of employees are engaged in the American workplace. Worldwide, it’s even worse: 87% of employees are disengaged at significant levels. The leaders in your company clearly face an uphill climb to build more productive teams. It would be easy for them to emphasize production results while overlooking overall employee satisfaction with his or her work. However, business researchers are finding direct correlations between employees’ rates of satisfaction and their overall productivity.

Productivity Begins with People — Your leaders and managers can make their teams stand out by embracing these 4 keys to more productive teams. When leaders understand and act on them, the entire company will benefit:

1. Production Is Not Enough. Leading a productive team is quite an accomplishment. Achieving goals can be rewarding. But there are higher levels of leadership than just getting work done efficiently and adding to the bottom line.

2. People Are an Organization’s Most Appreciable Asset.  Most of what an organization possesses goes down in value. Facilities deteriorate. Equipment becomes out of date. Supplies get used up. What asset has the greatest potential for actually going up in value? People! But only if they are valued, challenged, and developed by someone capable of investing in them and helping them grow.  People don’t appreciate automatically or grow accidentally. Growth occurs only when it’s intentional. Leaders take their teams to the next level when they think beyond production alone.

3. Growing Leaders Is the Most Effective Way to Accomplish the Vision.  How can your leaders make your organization better? Invest in the people who work in it.  Companies get better when their people get better. That’s why investing in people always gives a greater return to an organization.  Everything rises and falls on leadership.

4. People Development Is the Greatest Fulfillment for a Leader. Few things in life are better than seeing people reach their potential. If leaders help people become bigger and better on the inside, eventually those employees will become greater on the outside.  People are like trees: give them what they need to grow on a continual basis for long enough, and they will grow from the inside out. And they will bear fruit.

CVE = publicly documented Cybersecurity Vulnerability & Exposure

As new technology surfaces such as IoT, hi-tech cars, smartphones, etc., brand new categories for patching and security are surfacing.  The ISC highlights a record year in 2017 of 14,860 published security holes.  2018 is forecast to be an equally challenging year as well. 

https://isc.sans.edu/forums/diary/2017+The+Flood+of+CVEs/23173/

https://cve.mitre.org/about/faqs.html

2017 is almost done and it’s my last diary for this year. I made a quick review of my CVE database (I’m using a local CVE-search instance). The first interesting number is the amount of CVE’s created this year. Do you remember when the format was CVE-YYYY-XXXX? The CVE ID format changed in 2014 to break the limit of 9999 entries per year. This was indeed a requirement when you see the number of entries for the last five years:

2017 … 14,680
2016 … 6,447
2015 … 6,480
2014 … 7,946
2013 … 5,191

If more and more organizations are taking security into consideration, how to explain this peak of reported vulnerabilities? First, I think that, in parallel to organizations focusing on security, “attackers” are also more and more active. Not only bad guys who are always looking into ways to make more profit but also students and security researchers. In Europe, offensive security trainings are very popular. People like to learn how to “break stuff”.

Review for the latest Microsoft Surface Book 2 model is shared below:

https://www.anandtech.com/show/12167/the-microsoft-surface-book-2-15-inch-review

Microsoft has released the Surface Book 2 as a worthy successor to the original, with many improvements. With the launch of the Surface Laptop earlier this year, which targets the $1000 price point, Microsoft was free to ratchet the Surface Book 2 up in performance, and price, and they’ve doubled the number of models, with both a 13.5-inch version, being the upgrade from the original, and a new 15-inch model which clearly targets the performance-starved users. For this review, Microsoft sent us the larger 15-inch model.

Both the 13.5 and 15-inch models are shipping with the latest Intel Core i7-8650U CPUs, offering four cores and eight threads, and a 4.2 GHz Turbo. RAM stays the same with either 8 or 16 GB of LPDDR3, and that’s because Intel CPUs don’t yet support LPDDR4, which is a shame. Storage is 256 GB to 1 TB of NVMe SSD. So far, we have a pretty typical notebook for late 2017.

Microsoft has finally added USB-C to the Surface Book 2, replacing the mini-DisplayPort. Their reasoning for not including it before was that USB-C is a confusing port, where they all look the same, but offer different capabilities. The larger Surface Book 2 15 offers an impressive 85 Wh of battery capacity

The Satori Internet of Things (IoT) botnet uses Huawei Router Exploit CVE-2017-17215 and is reported to be circulating in the wild.

http://www.eweek.com/security/huawei-router-exploit-code-used-in-iot-botnet-goes-public

At the core of the Satori Internet of Things (IoT) botnet that was disrupted by internet service providers (ISPs) earlier this month, is a vulnerability in Huawei routers. Researchers at NewSky Security reported Dec. 28. that code that exploits the Huawei vulnerability has now been publicly posted on the internet.  The Huawei router vulnerability is specific to HG532 devices that are widely used around the world. The vulnerability is formally identified as CVE-2017-17215 and was discovered by security firm Check Point, which reported the issue to Huawei on Nov. 27.

Whether the risk is the Satori botnet, or another IoT botnet, the Huawei CVE-2017-17215 vulnerability will continue to be used by attackers. There are several things that users can do to help limit the risk of being exploited.  “The only thing users should do in regards to this zero-day is to change the default password on their router,” Horowitz said. “This is also Huawei’s suggestion on their Security Notice.”

“Users of this router are mostly home users, who do not typically log in to their router’s interface and don’t necessarily have the know-how and so unfortunately I have to assume most devices would stay vulnerable,” Horowitz said. “We desperately need IoT device manufacturers to make security a top priority and not to leave the users accountable.”

The John Maxwell leadership training center shares an excellent article featuring 10 key probing question to assess the mood and progress of employees as they develop in their skills and corporate contributions.  

http://johnmaxwellcompany.com/blog/10-questions-for-performance-management

“How do you feel”? No one ever asked that question of employees in previous generations. But in the new year, mood measurement promises to be a hot topic for HR leaders as they try to keep employees fully engaged and productive. Most of us have heard the expression, “People don’t care how much you know until they know how much you care.” In the present-day workplace culture, however, The reality is that people don’t care as much about a company, if they don’t think the company cares about them. That’s why it’s becoming more important for organizations like yours to understand how to handle performance management and assess the mood and emotions of employees.

10 Questions to Ask Employees — Good leaders ask great questions that inspire others to dream more, think more, learn more, do more, and become more. Here are some of the most important questions leaders can ask to gauge how well employees are doing:

1.What Do You Think? This is the question our founder John C. Maxwell most often asks. It’s a simple question used to gather information, confirm a leader’s intuition, assess someone’s judgment or leadership qualities, teach other people how the leader thinks, and reveal how they process decisions. Asking this question elevates everyone’s ability to thrive and empower the leaders to gather essential information that otherwise might not be offered.

2.How Can I Serve You? When a leader asks employees this question, it immediately communicates that the leader values and respects them. A true leader is first a servant. Asking this question forces a leader to remain humble by serving other people. It also provides an opportunity for greater collaboration to occur. It’s the leader’s responsibility to make sure the team members have what they need to succeed and get their work done.

3.What Do I Need to Communicate? A leader asks this question to his team members to try and find out who the people are, what the situation is, what happened before, and how they can connect and help them.

4.Did We Exceed Expectations? a leader can learn if someone feels as if they didn’t deserve what they were promised, and they can also learn where improvements can be made for the future. One of the most important things a leader can do is make sure they and the organization are delivering on what they promised.

5. What Did You Learn? This question helps everyone better understand and connect with the people around them. It should be asked regularly in a team setting because it keeps team members sharp and growing. It prompts the leader and people to evaluate their experiences and make an assessment.

6. Did We Add Value? A leader’s goal should be to add value daily to those around them. This should not just be true at the workplace, but in every area of life for a leader. Adding value to other people provides a firm foundation to achieve success in other areas.

7. What Do I Need to Know? This question alerts leaders to problems and the current climate of the office. It allows team members to give the leader an overview of a situation, provide vital information, and prioritize what they think to be the most important pieces of information.

8. How Do We Make the Most of This Opportunity? A leader must continually think about, and ask others to think about, ways to make their opportunities better. Asking this question helps determine the best ways to maximize opportunities.

9. How Are the Numbers? Knowing the numbers allows a leader to keep a pulse on areas of success and areas for needed improvements. A leader should want to know the numbers–even if he or she won’t like them. Even with a good vision and a good team, an organization will never be successful if they aren’t thinking about the numbers.

10. What Am I Missing? When a leader asks this question, it displays a willingness to learn from others. Two of the fastest ways to connect with another person are to ask questions and to ask for help. Most people are willing to offer their perspective if asked, and they feel valued when they can offer their wisdom and experience.

A recent Windows 10 insider release includes an open source Secure Shell (OpenSSH) preview, as Microsoft is working to improve Linux/UNIX connectivity.

https://redmondmag.com/articles/2017/12/14/windows-10-openssh-preview.aspx

Say Farewell to Putty as Microsoft adds an OpenSSH Client to Windows 10

A December Serve The Home article includes a demo on how to install this OpenSSH preview, which is part of a recent Windows 10 “Windows Insider Program” test release. OpenSSH is typically used for establishing secure remote connections to Linux or Unix machines, but Microsoft has been working over the past couple of years on supporting OpenSSH in the Windows client and server operating systems, too.

Microsoft had announced in 2015 that it was accepted as an OpenSSH contributor to the OpenBSD Foundation, which steers the development of the OpenSSH protocol. Microsoft’s aim in doing so is to support two-way remote management from Windows to Linux systems, and vice versa, along with supporting OpenSSH in PowerShell. In May of this year, Microsoft indicated that it was nearing completion for integrating OpenSSH in the Win32 version of Windows. Back then, Microsoft had indicated that it still had some testing work to do that would be completed in the next couple of months.

Gartner notes Worldwide Server Revenue Grew 16% in third quarter of 2017 due to increased demand for cloud applications & hosting needs

https://redmondmag.com/articles/2017/12/27/gartner-cloud-driving-server-growth.aspx

https://www.gartner.com/newsroom/id/3837163

In the third quarter of 2017, worldwide server revenue increased 16 percent year over year, while shipments grew 5.1 percent from the third quarter of 2016, according to Gartner, Inc.  “The third quarter of 2017 produced continued growth on a global level with varying regional results,” said Jeffrey Hewitt, research vice president at Gartner. “A build-out of infrastructure to support cloud and hybrid-cloud implementations was the main driver for growth in the server market for the period.”

“x86 servers increased 5.3 percent in shipments for the year and 16.7 percent in revenue in the third quarter of 2017. RISC/Itanium Unix servers declined globally, down 23.5 percent in shipments and 18.3 percent in vendor revenue compared with the same quarter last year. The ‘other’ CPU category, which is primarily mainframes, showed an increase of 54.5 percent,” Mr. Hewitt said.

Hewlett Packard Enterprise (HPE) continued to lead in the worldwide server market based on revenue. Despite a decline of 3.2 percent, the company posted $3.1 billion in revenue for a total share of 21 percent for the third quarter of 2017 (see Table 1). Dell EMC maintained the No. 2 position with 37.9 percent growth and 20.8 percent market share. Inspur Electronics experienced the highest growth in the quarter with 116.6 percent, driven by ongoing sales into China-based cloud providers, as well as global expansion efforts.

SANS Internet Storm Center projects 3 key challenges for the year ahead:

(1) staffing difficulties
(2) How to best secure new products & advances in technology
(3) increased cybercrime & ransomware attacks 

https://isc.sans.edu/forums/diary/What+are+your+Security+Challenges+for+2018/23171/

We are almost at the end of another year. Last year I wrote a diary on Talent Shortage and from what I have seen, it is still difficult to find the right people with the right skills. Anyone willing to learn or is curious about how attacks methods works and how to defend against them, has strong ethics and problem solving skills sound like a candidate you might want to coach and hire.

Technologies are rapidly evolving and changing; keeping on top of all of them is difficult and not really possible. I think it is becoming important to specialize whether it is offensive (pen testing and audit) or defending networks. Don’t get me wrong, I believe it is important to have a strong understand of both but I think at some point picking a side (auditing or defending) is the right thing to do.

Last but not least, cybercrimes are going to continue to grow and be more focus against selected products (corporate “secret sauce”), user data, groups and employees. Malicious actors are always looking for new methods to gain access, steal data and sell it to whoever is willing to pay for it.