October 01, 2016

Too few women in cybersecurity: a gap in our protections that must be addressed

Diversity in cybersecurity matters for a very practical reason. Those seeking to breach cybersecurity are willing and able to exploit any flawed thinking, any inadvertent blind spot. Cybersecurity teams that fall into group-think or are blind to alternative ways of working through challenges are more likely to miss things and enable hostile actors. Teams that include people with different expertise, backgrounds, genders, ages, cultures are more likely to deliver robust cybersecurity outcomes; implicit assumptions can be more easily challenged and the fullest range of insights on what can go wrong (and hence what can be done) can be gathered.

How to steal the mind of an AI: Machine-learning models vulnerable to reverse engineering

Taking advantage of the fact that machine learning models allow input and may return predictions with percentages indicating confidence of correctness, the researchers demonstrate "simple, efficient attacks that extract target ML models with near-perfect fidelity for popular model classes including logistic regression, neural networks, and decision trees." That's a polite way of saying such models can be reverse engineered. The researchers tested their attack successfully on BigML and Amazon Machine Learning, both of which were told of the findings in February. In an email, Cornell Tech computer science professor Ari Juels, a coauthor of the paper, suggested mitigating these attacks could prove challenging. "Effective countermeasures to model extraction could well be possible, but this remains an open research question," he said.

How Blockchain can bolster interoperability and information security at the same time

Blockchain has potential value due to its shared, fixed record of peer-to-peer transactions, built from linked transaction blocks and stored in a digital ledger, Deloitte said. The network is both secure and actionable by relying on established cryptographic techniques, and letting participants in a network interact (e.g. store, exchange, and view information), without pre-existing trust between the parties. “Interactions with the blockchain become known to all participants and require verification by the network before information is added, enabling trustless collaboration between network participants while recording an immutable audit trail of all interactions,” Deloitte explained.

Industrial IoT leaders work towards interoperability and open source collaboration

GE and Bosch are working together to shape the connected world through a collaboration between the software divisions of both organizations, GE Digital and Bosch Software Innovations. The organizations have signed a memorandum of understanding where GE Digital and Bosch Software Innovations will further facilitate openness and growth of the Industrial Internet of Things (IoT). The agreement focuses on technology interoperability and platform integration through GE’s Predix operating system and the Bosch IoT Suite. GE Digital and Bosch Software Innovations intend to make complementary software services available on the other company’s cloud platforms to enhance the overall value of each cloud offering and provide solutions to a wider customer base.

Shaw says NHS is under frequent cyber attack

“We are seeing more and more ransomware attacks,” he said. This included one big, but unsuccessful, national level attack early this month which “may or may not have been state sponsored”. “It was big and it was hard and it was sustained... before, we didn’t know this sort of thing was happening until we got the worst outcome, but now we are in detect mode, rather than defence mode.” Shaw revealed a wide range of attacks were being made on the NHS, with some of these using well-known techniques such as spear phishing, in which hackers target an individual to inadvertently reveal useful information or spread malware. He said NHS Digital itself was successfully targeted in a spear phishing attack by a hacker pretending to be an old friend of one of its staff, using information from social media.

Tech Giants Team Up To Devise An Ethics Of Artificial Intelligence

The Partnership on AI announcement lays out an ambitious agenda for research to be conducted or funded by members, in partnership with academics, user group advocates, and industry experts. Topics on the research agenda include ethics, fairness, inclusivity, transparency, privacy, and interoperability. A recent white paper from IBM called "Learning to Trust Artificial Intelligence Systems" provides some hints as to what the Partnership on AI might be tracking. Authored by Guruduth Banavar, IBM's chief science officer for cognitive computing, it basically expands the concept of garbage-in/garbage-out to now include garbage in-between.

What to do when hackers break into your cloud

There are two major types of public cloud computing attacks: single-tenant and cross-tenant. A cross-tenant attack is the stuff of IT nightmares, but it has not yet occurred. Single-tenant breaches are more likely to occur. In these attacks, the hacker has compromised one or more machine instance, but can't go beyond that. The most likely cause of a single-tenant breach is that user IDs and passwords have been compromised. That's typically due to malware or phishing attacks on client devices. In this case, it's all on you; the cloud provider has done its job, but you haven't done yours. When such breaches occur, hopefully you'll figure it out quickly. When you recognize the breach, the best response is to invoke a prebuilt set of processes that can do the following

Task Force Tackles Healthcare Cybersecurity Challenges

According to Theresa Meadows, co-chair of the Health Care Industry Cybersecurity Task Force and CIO of Cook Children’s Health Care System, the panel’s 20 subject matter experts are drawn from a wide variety of organizations including providers, payers, pharmaceutical companies, medical device manufacturers, IT vendors, and government agencies. “We have representation from all the segments within healthcare so that we can have well-rounded discussions,” said Meadows. “There’s also a patient advocate on the task force.” Meadows said the task force has held several public and private meetings to date and will be “wrapping up its charge” early next year, after which it will report to Congress on its findings and recommendations.

An Open API Initiative Update

WebHooks can be tricky, but with the support we’ve been planning, a server designer can tell the consumer exactly what sort of signature they need to implement for successful handling of a WebHook, and even how the consumer can send messages back to the event producer with different response codes, so you can potentially describe the subscription, unsubscription, and retry flows, making the connections 100% automatable. Also, looking at representations and schemas; it may be a JSON world right now, but remember when the XML world would rule forever? We do, and getting more support for different schema formats is essential for the next 5-10 years of API design. Expect to see new and flexible techniques in 3.0 for this topic. Again, we’ll ensure that the final solution is implementable and not just a modeling proof-of-concept.

DNS Security Extensions - Complexities To Be Aware Of

Interoperability amongst the DNS software is another issue that is adding to the problems. Above all, attackers can abuse improperly configured DNSSEC domains to launch denial-of-service attacks. The following are some such major complexities that one should be aware of. .. This is an attractive target for attackers since it allows them to ‘amplify’ their reflection attacks. If a small volume of spoofed UDP DNSSEC requests is sent to nameservers, the victim will receive a large volume of reflected traffic. Sometimes this is enough to overwhelm the victim’s server, and cause a denial of service. Specifically, an attacker sends a corrupted network packet to a certain server that then reflects it back to the victim.

Quote for the day:

"The underlying principles of strategy are enduring, regardless of technology or the pace of change." -- Michael Porter