Daily Tech Digest - November 13, 2019

Best Strategies For Data Security And Compliance

Assessing which obligations apply to your organisation can be arduous but it’s a vital process when considering the consequences of non-compliance. On balance, the costs incurred to establish the necessary policies, acquire the relevant applications, and hire the right staff are far outweighed by the huge costs which come from failing to comply. The value of adequate preparation is even higher for those industries held accountable to the most stringent regulation. In particular, financial services, healthcare and public sector organisations are key targets for cybercriminals due to the ‘sensitive’ data they handle. Companies operating in these sectors must be even more focused on boosting collaboration between security, privacy and compliance teams to ensure the appropriate privacy and security policy-setting and monitoring has taken place. Organisations can avoid major fines and hits to their bottom line caused by reputation damage and lack of customer trust if they adhere to the data privacy and security regulations that apply to their data. The costs of proactively protecting an organisation against bad actors will very likely save a lot of money in the long run.

“After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences,” said Rodolphe Simonetti, global managing director for security consulting at Verizon. “We see an increasing number of organisations unable to obtain and maintain the required compliance for PCI DSS, which has a direct impact on the security of their customers’ payment data. With the latest version of the PCI DSS standard 4.0 launching soon, businesses have an opportunity to turn this trend around by rethinking how they implement and structure their compliance programmes.” Verizon’s report also incorporated data from its in-house Threat Research Advisory Centre (VTRAC), which found that compliance programmes lacking the proper controls to protect data were completely unsustainable and far more likely to be hit by a cyber attack. 

China Said It’s Developing 6G. What Does That Mean?

Though the United States has not launched its own assertive statement about 6G endeavors, critical research on the next generation of wireless technology is already happening at academic institutions across the country. Professor in the Bradley Department of Electrical and Computer Engineering at Virginia Tech Walid Saad and his team are already exploring the future of 6G wireless communication systems—with funding from the United States’ government.  “From my perspective, this announcement doesn’t worry me—it actually corroborates that we are doing the right thing in doing this research. From an academic perspective, it’s also nice to see, whether it’s China or other countries working on similar topics, because we can have collaboration and the exchange of ideas,” Saad said. “So it doesn’t feel threatening at all from an academic perspective, it’s more like ‘that’s nice, let’s see more activity happening.”

7 Ways to Make Test Automation Effective in Agile Development

One of the main reasons behind not achieving desired results in agile testing with automation is that agile development is all about continuous delivery with a number of short iterations in a development and deployment pipeline. Because of which QA teams often get to run short and frequent regression testing sprints as well. Small testing cycles means that it has now become more complicated for the testers to find, fix, and test the products of each iteration. Thus, it is essential to allocate enough time for testing, automation testing as well. The first step in reducing the test times is to start executing parallel testing, i.e., running multiple test threads at the same time. Parallel testing will not only improve the automation process, but it will also improve the team’s productivity. It will even allow your testers to invest time in more exploratory testing and actually debugging the issues there are. Another vital factor to consider is building robust tests. Testers need to develop quality test scripts that can be integrated with regression testing easily.

How much does it cost to launch a cyberattack

United States one-cent coin / penny / binary code
The low cost of entry, relative ease with which attacks can be deployed, and the high returns means the potential pool of threat actors isn’t limited by technical skill level. “If we look at the barrier to entry three years ago versus the barriers to entry now, a lot of these very focused services really didn't exist or were just starting to kind of really come into the market,” says Keith Brogan, managed threat services leader at Deloitte Cyber Risk Services. “It really isn't that expensive or hard for cybercriminals to go out and make some money very easily. The barrier to entry is very low; you could very easily get access to these different services and enablers and really turn a profit pretty easily. You are in some cases limited by your own imagination,” Brogan adds. This low cost of doing business and high rate of return means disparity between the profit criminals make versus the cost of repairing the damage is huge, says Oliver Rochford, director of research at Tenable. With ransomware, for example, he says even with a payment rate of 0.05% the ROI is estimated to be over 500%. While estimated global revenue of cybercrime is around $1.5 trillion, Rochford says the cost of damage is thought to be upwards of $6 trillion.

Why your providers should support IPv6

world globe global network nodes wifi internet code programming
It would be disappointing to discover that a service provider has not yet implemented IPv6 at all. That would be a huge red warning flag that the service provider is not innovative when it comes to network technology. If the provider isn’t offering IPv6 services at this stage, it calls into question its prioritization of innovation and whether it is falling behind the competition in other areas. This situation really puts the enterprise into a bind if they may need IPv6 capabilities sooner rather than later because the enterprise’s ability to enable IPv6 is based on the IPv6 deployment schedule of the provider. Each enterprise is different and has a different motivation for enabling IPv6 on their public-facing applications and services. IPv6 deployment is an inevitable technology as there is no other alternative to the IPv4 address exhaustion problem. Given that IPv6 is an eventuality for enterprises, they should start to plan for the deployment and assess the constraints to their deployment schedules. Enterprises should ask providers what services they offer with IPv6 to determine where they stand and what options they have.

Micron announces 1TB industrial microSD, aimed at surveillance markets

Micron is positioning the card for edge compute, with surveillance systems increasing storing video on-device, rather than transmitting everything to external storage as it is recorded, eliminating the need for on-site DVRs, lowering TCO costs. This may be an application where QLC NAND makes sense, if it takes three months to fill the microSD on a continuous write (though increasing the resolution of the storage image could undercut this). Given that QLC is rated for 100 to 1,000 erase/write cycles, for three months per device write, a pessimistic view would put the lifespan at 25 years. Micron returned to the microSD market earlier this year with the release of the c200 series, also powered by 3D QLC NAND.  The company previously owned the consumer-focused brand Lexar from 2006-2017, selling it to Longsys in August 2017. Under the direction of Longsys, Lexar re-entered the market in August 2018, introducing its first 1TB (full-size) SD card this January, 15 years after Lexar introduced its first 1GB SD card.

Shared responsibility model key to solving 5G security problem

“With the large number of devices associated with 5G, authentication and identity need to be considered in the scope of security, similar to the public cloud. The 5G service provider can help confirm device identity as well, because the network will know a device’s physical location. In a way, the 5G service provider uses the network itself as a security tool,” she added. Lanowitz said that while introducing 5G networking affected many different technical areas, it was also an ideal opportunity to enhance and modernise approaches to security. For example, software-defined networking (SDN) and network functions virtualisation (NFV) technology will help organisations prepare for the sheer scale of 5G, but in parallel, there is no reason why security cannot also be virtualised and automated to some degree.

Everything you need to know about brain-computer interfaces and the future of mind-reading computers

I'm not sure I'm willing to have a chip put in my brain just to type a status update. You may not need to: not all BCI systems require a direct interface to read your brain activity. There are currently two approaches to BCIs: invasive and non-invasive. Invasive systems have hardware that's in contact with the brain; non-invasive systems typically pick up the brain's signals from the scalp, using head-worn sensors.  The two approaches have their own different benefits and disadvantages. With invasive BCI systems, because electrode arrays are touching the brain, they can gather much more fine-grained and accurate signals. However, as you can imagine, they involve brain surgery and the brain isn't always too happy about having electrode arrays attached to it -- the brain reacts with a process called glial scarring, which in turn can make it harder for the array to pick up signals. Due to the risks involved, invasive systems are usually reserved for medical applications. Non-invasive systems, however, are more consumer friendly, as there's no surgery required -- such systems record electrical impulses coming from the skin either through sensor-equipped caps worn on the head or similar hardware worn on the wrist like bracelets.

Diligent Engine: A Modern Cross-Platform Low-Level Graphics Library

This article describes Diligent Engine, a light-weight cross-platform graphics API abstraction layer that is designed to solve these problems. Its main goal is to take advantages of the next-generation APIs such as Direct3D12 and Vulkan, but at the same time provide support for older platforms via Direct3D11, OpenGL and OpenGLES. Diligent Engine exposes common C++ front-end for all supported platforms and provides interoperability with underlying native APIs. It also supports integration with Unity and is designed to be used as graphics subsystem in a standalone game engine, Unity native plugin or any other 3D application. The full source code is available for download at GitHub and is free to use. ... The repository contains tutorials, sample applications, asteroids performance benchmark and an example Unity project that uses DiligentEngine in native plugin.

Quote for the day:

"Bad times have a scientific value. These are occasions a good learner would not miss." -- Ralph Waldo Emerson

Daily Tech Digest - November 12, 2019

SASE is more than a buzzword for BioIVT

Application security  >  Software code + data protected with a lock
Making the leap to this SASE platform was quite a change for BioIVT. How did Thomson justify the transition to his executives? “We positioned it as a platform for everything that we wanted to be able to do over the next three years with the business,” he says. “The big goal, the business strategy, is growth and acquisition. We presented this as a platform, as a base service that we just had to have in place in order to leverage things like voice over IP, Office 365, Azure, cloud-based computing services, hosting servers in the cloud. Without a common core solid foundation, we wouldn't have been able to do any of those things reliably without adding staff to do monitoring or maintenance or administrative overhead.” Further, Thomson says he positioned the Cato solution as almost a black box tool for networking where they would know what services they were getting. “We could manage it through a web interface, didn't have to worry about specific technical skillsets that we would need to bring in. Just going with Cato's SD-WAN, we dealt with all of those networking things as well as security, which just continues to become more and more important and wasn't something that we could afford to treat as just a single vendor outsource that's half paying attention to what was going on.”

US Cyber Command uploads new malware samples linked to North Korean state-backed financial heists

Analysis of malware samples revealed that one backdoor was capable of uninstalling or updating itself, suggesting that North Koreans hackers are currently trying to hide their identities from security teams. In September, US Cyber Command uploaded 11 malware samples on VirusTotal, many of them linked to Lazarus Group - an umbrella term used to describe the hacking activity carried out to advance the interests of the North Korean government. Some of those samples were found to be similar to "HOPLIGHT," a trojan used by hackers to collect information on the operating systems of victims' machines. Earlier in August, Cyber Command released two malware samples, one of which was a dynamically linked library, while another was an executable file. All these announcements come weeks after a UN report that revealed that North Korea had used 35 cyber attacks to steal $2 billion from foreign financial institutions, and spent the money on its weapons programmes. In September, the US Treasury sanctioned three hacking groups - Lazarus, Bluenoroff and Andariel - all linked with North Korea.

Top concerns for audit executives? Cyber risks and data governance

Cybercriminals are now operating highly sophisticated organizations with a variety of low-cost, readily available hacking tools. A lack of relevant skills and low cybersecurity budgets means that organizations are falling behind in their attempts to counter the growing number of cyberattacks. Without an increase in resources, organizations will continue to be unable to mitigate the threat of cyberattacks, leading to potential data breaches, loss of intellectual property and regulatory exposure. At a minimum, organizations should have foundational security measures in place, such as privileged access controls on sensitive assets and mature vulnerability identification. It is also important to evaluate not only employee cybersecurity training and access management policies, but also the organization’s overall network security mechanisms and operational technology assets. Finally, organizations should ensure their response plan for cyber-physical attacks (which target the control of an organization’s physical infrastructure) addresses all of its vulnerabilities in the event of an incident.

Low-code and no-code development platforms

Low-code tools come with libraries which provide off-the-shelf components, for instance to support the latest innovations such as blockchain and artificial intelligence. Components may be provided by the supplier, third parties or the community of users, and may be free or paid for. There are also application programming interfaces (API) that enable external integrations – calling web services, for example. APIs were often lacking in the original 4GLs. Low-code tools will vary in their support for other features many consider now central to any application building effort, such as version control and support for DevOps. Low-code tools providers also claim faster testing of applications, lower error rates and more reliable security, all of which reduce cost and are areas where 4GLs were felt to fall short. Of course, the low-code tools themselves must be paid for, whereas many 3GL compilers are open source and make use of free open source libraries.

The data science gender pay gap is shrinking—barely

No matter what strategy is used, maintaining a diverse workforce is advantageous for any organization. "Organizations benefit from successful collaboration amongst different perspectives and viewpoints," said June Severino Feldman, CMO of Intelligent Product Solutions. "The greater the gender and ethnic diversity and a company's ability to collaborate effectively, the greater the potential for successful outcomes." Across the world, improvements have been made, but we are far from equality. Here is the break down, by region, of Harnham's research. ... Regardless of what strategy the company uses to encourage a diverse team, all team members must be on-board, starting from the top, Romansky said. "We suggest a holistic approach," Romansky continued. "It has to be a mandate supported by leadership with a variety of strategies that not only attract underrepresented talent—from sourcing, selection, and conversion—but then also engage and include that talent once they're in the door." To welcome diverse talent,companies must work to eliminate bias. "Employers must also look at themselves and their biases honestly -- it feels so much easier and natural to hire the guy who looks just like you, but to routinely follow this practice shortchanges the teams' abilities to adapt, create and innovate," Feldman said.

Real-World Cybersecurity: Keeping Ourselves And Our Children Safe

Our society is in a period of hyper-connectivity. This goes beyond our cellphones and laptops to include smart TVs, IoT-connected baby monitors and much more. If it’s a popular appliance, there’s at least one manufacturer out there touting an internet-connected version. This trend is creating massive personal data trails. There’s a high likelihood that almost every day, you’re handing over your valuable information without even giving it much thought – whether it’s at the grocery store, on social media channels or within your fitness tracker. Every bit of this data has value assigned to it, both for legitimate organizations and for cyber criminals who are determined to capitalize on it. Risks can include everything from gas pump and ATM card skimmers to schemes as nefarious as scamming people out of their life savings under the auspices of purchasing their dream home. The most vulnerable in the physical world – senior citizens and children – face similar risk in the cyber world. As the general population goes about daily life, convenience and ease of use are top of mind– risk isn’t usually a consideration. As a private citizen, you’re not likely to invest in heavy-duty cybersecurity tools.

Retirements pose threat to cybersecurity expertise in Congress

Retirements pose threat to cybersecurity expertise in Congress
The retirements of Republican Reps. Hurd, Mac Thornberry (Texas), and Greg Walden (Ore.) previously underlined the threat to cyber leadership in the House. Hurd, a former CIA official, is viewed as one of the major cybersecurity voices in Congress, and has co-sponsored numerous bills around this issue, including those intended to secure internet-connected devices against cyberattacks and to secure elections. Hurd also serves as the top Republican on the House Intelligence Subcommittee on Intelligence Modernization and Readiness. In announcing that he would not run for reelection in 2020, Hurd highlighted cyber and tech issues as areas that the government would still need to address, and tweeted that he hoped to "pursue opportunities outside the halls of Congress to solve problems at the nexus between technology and national security." In a separate statement, Hurd highlighted cyber and tech issues, saying, "We are in a geopolitical competition with China to have the world's most important economy. There is a global race to be the leader in artificial intelligence, because whoever dominates AI will rule the world. We face growing cyberattacks every day."

Augmented Reality to Fill Skills Gap

Augmented reality is a new tool that can make the mining and retention of that expertise much better and much more automated. Having an experienced worker perform, for example, a regular maintenance procedure on a piece of equipment and recording a voice over using augmented reality greatly enhances skill and experience transfer rom one generation of workers to the next. “Using an augmented reality headset, a new employee can follow, very specifically, the procedure that was performed by a more experienced worker, with great knowledge transfer and a fraction of the time it would otherwise take,” explains Higgins. With augmented and mixed reality-enabled headsets, workers can safely train, in a digital environment, to address problems such as – increased line speed, quality issues, breakdowns, hazardous conditions, among others. “Systems like Vuforia from PTC is aimed at helping close the skill gap by expertly capturing a procedure that is done in an industrial environment and passing that expertise on to someone else,” he said. Workers can more effectively and efficiently address challenges with more real-to-life instructions presented by veteran co-workers with tribal knowledge of the work environment in this 3D-based work instruction format.

The FBI multi-factor authentication notification that should have never been

There are two factors that can prevent account takeover, which results from the above types of attacks. Mixing true multi-factor authentication with rich context ensures that you are interacting with the intended user and that they understand what they are approving. In a SIM swap scenario, using a secondary form of authentication that isn’t outside the person’s control would be enough to thwart the FBI documented attacks. For instance, a device that is registered to that person and not their phone number. However, such a solution on its own would not be enough to prevent account takeover resulting from a session hijacking. What could help is providing more context around authorization requests and on a secondary device. I find it hard to imagine a hijacking attempt being successful if a user was prompted by their baking website to re-authenticate their session while receiving a request on their authentication device to authorize a credential change. The rich context provides the intended victim with enough information to reject the attempt by the attacker no matter how well they perform the phishing attack.

Cheap IoT satellite network gets approval

distributed / decentralized network connections across the globe
“Swarm will begin rolling out its commercial, two-way data offerings in early 2020,” Sara Spangelo, co-founder and CEO told me in a recent e-mail. The company aims to deploy 150 satellites before the end of 2020, she says. The FCC, in October, granted Part 25 approval for the startup to deploy and operate 150 non-geostationary, Low Earth Orbit (LEO) satellites, for non-voice purposes. Swarm intends to target logistics, energy and the maritime verticals with what it promises to be a cheap service. Data over satellite, while allowing connections remotely across the entire globe unlike cellular, has historically been expensive: Satellite-communications incumbent Iridium’s Short Burst Data rates can be a dollar per kilobyte, for example. Swarm doesn’t say how much its service will cost. However, in January, the company obtained $25 million in Series A funding to build what Spangelo then described as “the world’s lowest cost satellite network.” Telemetry from connected vehicles, farmland agricultural sensors, on-board shipping logistics and remote rural sensors, such as water monitoring in Africa or smart meters, plus remote-area, human-to-human texting are all applications the company believes appropriate for its network.

Quote for the day:

"Leaders are more powerful role models when they learn than when they teach." -- Rosabeth Moss Kantor

Daily Tech Digest - November 11, 2019

5 Potential Oversights In Enterprise Identity Management

5 Potential Oversights In Enterprise Identity Management
If you don’t take the time to consider these potential oversights in identity management, you could face some unneeded costs in your cybersecurity. First, you should seek out a singular solution for your identity and access management (as discussed above). The fewer solutions on your network, the fewer the costs. However, you need to weigh more than just your solutions’ integrations. In addition, you need to weigh the initial deployment costs—you need a solution that fits with your budget. Ideally, you should consider identity management a critical business process and budget accordingly. On the other hand, you still need a solution which fits your network—a more expensive solution may not benefit you.  Finally, your enterprise needs to also consider your IT security team. These individuals will maintain and work with it intimately, and they deserve proper compensation for their services. Moreover, the solution you select must fit with their individual skill sets so they can optimize their performance. “You can’t protect what you can’t see,” says the old cybersecurity adage. 

Data cannot be democratised without giving the consumers of that data an understanding of its trustworthiness and relevance to the business. That means having a firm grasp of the context, quality and business value of all available information sources – both inside and outside the organisation. Data governance is fundamental to enabling businesses to give their executives a holistic view of the metrics that matter and empower them to make agile, evidence-based decisions. It allows data scientists to focus on answering business questions and training AI models with confidence in the outcomes. It enables more and more workflows to be informed or transformed by putting contextual insight or predictive capability in the hands of non-technical users. And when provided within a framework of privacy, data can actively help to preserve customer trust as well as driving automation and delivering intelligent, engaging customer experiences. Amid the great DX gold rush, data needs to be perceived and treated in the same way as any other strategic asset, like people and facilities: managed with the right tools and governed by the appropriate policies and practices.

AT&T Sounds Alarm on 5G Security
Not surprisingly, the top security concerns related to 5G include the larger attack surface (44%), and the number of devices on networks (39%), followed by the need to extend security policies to new IoT devices (36%), and authenticate a greater number of devices (33%). “Most of the transitions in networking have been about faster speeds or increased capacity. 5G introduces more complex networking and is being delivered with virtualization in mind,” analysts wrote in the report. “The latter appears to be a crucial gap in the way enterprises are preparing for 5G, as enterprises will need to take advantage of virtualization to make the network nimbler and more responsive.” Many enterprises have yet to embrace that approach, according to the study. Only 29% of respondents said their organizations plan to implement security virtualization and orchestration during the next five years. Moreover, only 25% are confident that their organization’s current security policies will be effective in a 5G environment. More than half, or 53%, say some adjustments will be required and 22% anticipate a need to completely rethink their security policies.

Bitcoin and the disruption of monetary oppression

One of the tangible social impacts of Bitcoin can be witnessed in the human rights arena. As one example, Song offers an overview of the refugee crisis in Venezuela, explaining that Bitcoin is allowing those wishing to flee the country to sell their belongings and retain their money when crossing the border to Columbia. “There’s very clear evidence of this,” Song explains “because the price of Bitcoin in Columbia is actually lower than everywhere else in the world because there’s such a big supply. Four million Venezuelans have left. That’s 10% of their population. That’s a serious impact. Usually in refugee crises, it has gotten so bad that people were willing to leave everything behind. With this, they get to carry their wealth. It undermines the Maduro government to a large degree.”  The US’s market-driven monetary imperialism has led, Song argues, to a sort of global US dollar hegemony—the impact of which is that all global trade is settled in US dollars; if you’re in Kenya and want to trade with someone in neighboring Nigeria, you have to trade for the US dollar and then back to the Kenyan shilling.

Companies are also finding it hard to recruit enough skilled security personnel to properly protect their systems as there simply isn’t enough talent to go around, Vellante said. And so it may come as a surprise to learn that enterprises are actually becoming more circumspect about how much money they’re willing to spend on security relative to previous years, according to data from Enterprise Technology Research. According to Sagar Kadakia, director of research at ETR, “CIOs no longer have a blank check to spend on security.” One could be mistaken for thinking this means enterprises have thrown in the towel, so to speak, but in fact it’s more of a reflection of how fluid the cybersecurity space is right now. What’s actually happening according to ETR is that spending on cybersecurity is bifurcating, with a select few companies seeing their spending momentum and market share grow at the expense of others. Among those on the up are startups such as CrowdStrike Holdings Inc. and Okta Inc., plus more established players such as Palo Alto Networks Inc., Cisco Systems Inc. and Microsoft Corp. In contrast, the likes of Dell EMC, IBM Corp., Symantec Corp., Check Point Software Technologies Ltd. and SonicWall Inc. are all losing ground according to ETR surveys.

Breaking Into Data Science

Webinar Wrap Up: Breaking Into Data Science
Data scientists are critical in transforming massive volumes of data into action for companies. They were in high demand in the past too but limited to large enterprises and digital natives until recently. Today almost all companies worldwide are investing in data science skills. A top job seeker site, Indeed, shows a 29 percent increase in demand for data scientists year over year and an increase of 344 percent compared to five years prior. According to the LinkedIn Workforce Report, as of late 2018, every large U.S. city reported a shortage of data science skills. There is a gap of 151,717 people with data science skills, particularly acute in New York City (34,032 people), the San Francisco Bay Area (31,798 people), and Los Angeles (12,251 people). The U.S. Bureau of Labor Statistics estimates that there will be around 11.5 million jobs in data science and analytics by 2026. No doubt, data scientists need a strong educational background. If we look at the qualifications of currently working data scientists, 88 percent have a Master’s degree, and 46 percent hold a Ph.D.

IoT Has Spawned Entity-Based Risks -- Now What?

The exponential growth in IoT devices has led to more ransomware, malware and botnet attacks that are specifically targeting certain equipment. The Mirai botnet is a recent, high-profile example. Using a distributed denial of service (DDoS) attack against infrastructure provider Dyn, it disabled much of the internet on the U.S. East Coast on October 21, 2016. Mirai took over poorly secured IoT devices like security cameras, DVRs and routers by logging in using default passwords. In comparison, smaller, more targeted attacks can easily evade detection by conventional security products. ... Another approach involves using machine learning models to learn what constitutes normal behavior for an IoT device and monitor its activity to detect anomalies as they occur. This requires a mature User and Entity Behavior Analytics (UEBA) system capable of monitoring large numbers of IoT devices in real time. Machine learning provides the force multiplier needed to monitor for IoT security threats at scale. While IoT devices are not complicated equipment in and of themselves, connecting hundreds, thousands or more of them to the network creates a massive attack surface that can be difficult to protect using traditional methods.

Microservices security calls for zero-trust, data classification

"It's looking at running processes and system calls -- looking at what the server is actually doing, not what the log says is being done," Dougherty said. Omada has a small SecOps staff, so it leans on Threat Stack's security operations center (SOC) service to escalate alerts as well. Some tech futurists believe a zero-trust model will eventually mean that security is primarily the domain of applications, and that microservices security will rely on app functions that decide in real time whether to use a certain piece of infrastructure. But for now, zero-trust practitioners say sound security calls for proactive and reactive defenses at both the application and infrastructure level. FullStory is still building up its zero-trust model and microservices security practice, but at GitLab, Wang said the company used all the cybersecurity practices available, from code scanning to developer training to red teaming and bug bounties, and that full spectrum will be necessary for the foreseeable future.

Encrypted Emails on macOS Found Stored in Unprotected Way

Gendler discovered something curious in some of those .db files. “The main thing I discovered was that the snippets.db database file in the Suggestions folder stored my emails,” he wrote. “And on top of that, I found that it stored my S/MIME encrypted emails completely UNENCRYPTED.” Further, he discovered that even with Siri disabled, the OS still collects and stores data for Siri, in effect, storing encrypted emails without encryption in a database. This defeats “the purpose of utilizing and sending an encrypted email,” Gendler wrote. Typically, emails encrypted with S/MIME do so with a recipient’s public key, with a corresponding private key—also in the hands of the recipient–required to decrypt the messages, he explained. “If the private key is unavailable or removed, the message should not be readable, by anything,” Gendler wrote. “Unless the private key is compromised, you can be confident that only your intended recipient will be able to access the sensitive data in your email.” Gendler informed Apple on July 29 of the problem, which he discovered occurring on macOS Mojave 10.14 and the beta of macOS Catalina 10.15.

How to navigate cybersecurity in a 5G world

"Security virtualization could be the most crucial advancement related to 5G security, for both the provider and their enterprise customers. Enterprise IT is becoming more distributed, and through virtualization networking is following suit. Security needs to follow that trend," according to the report. Endpoint security is also a concern for 5G users. As more 5G devices are connected to the network, such as Multi-access Edge Computing (MEC) nodes, authentication and certification becomes paramount. However, only 33% of respondents said they planned to implement tighter network access controls in the next five years, and only 37% said they were creating new systems for device authentication, the report found. A zero-trust security model could help address these concerns, as it would continually check a user's presence and behavior, regardless if the user is a human or machine. Enterprises are embracing zero-trust, with 68% saying they have implemented it or are in the process, but only 33% said they have multifactor authentication (MFA) in place, the report found.

Quote for the day:

"Failure is simply the opportunity to begin again, this time more intelligently." -- Henry Ford