Daily Tech Digest - May 24, 2020

Capital One data breach latest example of constant cyber security threats

Experts: Capital One data breach latest example of constant cyber security threats
The list of corporate victims includes Yahoo, Marriott, Equifax, eBay, Target and Facebook. Even the U.S. Postal Service and the IRS have experienced major data breaches. Five years ago, hackers accessed sensitive data of more than 60,000 UPMC workers. The increase in security breaches is an indicator of how far technology and security companies have to go, said Bryan Parno, a Carnegie Mellon University computer science and engineering professor and member of the school’s Security and Privacy Institute, or CyLab. He attributed the increased number of breaches to information becoming digitized and a more sophisticated criminal economy. To help fight against breaches, places like CyLab are exploring ways to build more secure software and networks that can detect when somebody infiltrates a network. But limited laws surrounding data breaches can also impact how well companies protect against threats, Parno said. In Pennsylvania, companies that store or manage computerized data, including personal information, are required to give a public notice in event of a breach in the security system.


Why Cyberthreats Tied to COVID-19 Could Hit Diverse Targets

Besides hospitals and academic institutions, dozens of nonprofits, including so-called "nongovernmental organizations" - or NGOs - around the world must protect their COVID-19 research and related activities from those seeking to steal data or disrupt their operations, says cyber risk management expert Stanley Mierzwa of Kean University. A wide variety of these nonprofit organizations are potential targets for cyberattacks during the COVID-19 pandemic. These include those that exist to "advance science around the world with research and serving to advance particular missions," he says in an interview with Information Security Media Group. Other nonprofits work on policy issues or public health concerns, he notes. "They often research and recommend strategies to governments in countries and can be involved with implementing programs," he says. "Any of these could be targeted for cyberattacks if they are involved in pursuing COVID-19 research activities ... including the response to COVID-19."


In a typical application development project, we have quality assurance (QA) and testing processes, tools, and technologies that can quickly spot any bugs or deviations from established programming norms. We can run our applications through regression tests to make sure that new patches and fixes don’t cause more problems, and we have ways to continuously test our capabilities as we continuously integrate them with increasingly complex combinations of systems and application functionality. But here is where we run into some difficulties with machine learning models. They’re not code per se, in that we can’t just examine them to see where the bugs are. If we knew how the learning was supposed to work in the first place, well, then we wouldn’t need to train them with data, would we? We’d just code the model from scratch and be done with it. But that’s not how machine learning models work. We derive the functionality of the model from the data, through the use of algorithms that attempt to build the most accurate model we can from the data we have, so that it generalizes to data the system has never seen before. We are approximating, and when we approximate we can never be exact. So, we can’t just bug-fix our way to the right model.


Data for good: building a culture of data analytics

Leaders need to cultivate a culture of data science and analytics from the top down. Data literacy should be viewed as a crucial skill, and you need to empower workers at all levels of your organisation to work with data. In order to avoid a digital divide, data must be easily accessible. By democratising data, you enable ordinary people — not just trained statisticians — to solve complex data science challenges. Once you combine democratised data with human creativity, you can solve almost any problem. We managed to get to the moon using a slide rule back in the ’60s. This perfectly illustrates what the power of a little bit of compute plus liberated thinking can deliver. Combining data with human thinking could help us to solve all sorts of societal and technological challenges, covering everything from healthcare to climate change and space travel, and the future of autonomous vehicles. We help some of the biggest businesses in the world to revolutionise their business through data science and analytics.


Mercedes software leaks via Git and Google dork


In this GitLab instance, bad actors could register an account on Daimler’s code-hosting portal and download over 580 Git repositories containing the Mercedes source code and sell that information to the company’s competitors. … Additionally, hackers could leverage the exposed passwords and API tokens of Daimler’s systems to access and steal even more of the company’s sensitive information. ...  Without a proactive approach to security, companies open themselves up to undue risk. Most organisations rely on detecting risks and misconfigurations in the cloud at runtime … instead of preventing them during the build process, which increases security and compliance risks significantly. It also interferes with productivity, as developers have to spend their time addressing the issues. … Organizations should ‘shift left’ by taking preventative measures early on in their … CI/CD pipelines. … Such a proactive approach will allow organizations to prevent security issues from occurring and will enable security teams to catch misconfigurations before leaks occur.
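The "shift left" point in this excerpt is that credentials and misconfigurations should be caught in the CI/CD pipeline before they reach a repository that might later be exposed. The following is an added example written for this digest entry, not Daimler's code or any tool the excerpt mentions: a minimal secret scanner of the kind a pre-commit hook or pipeline step would run. The pattern names, the placeholder list, the entropy threshold and the sample files are all assumptions made for the example; the AWS access key shape is the format AWS documents, and the key value used is AWS's own documentation sample.

```python
"""Minimal secret scanner for a CI/CD gate (constructed for this digest entry,
not Daimler's or any vendor's tooling). It illustrates the excerpt's
"shift left" advice: reject a commit that carries hard-coded credentials
before it reaches a repository that might later be exposed.
"""
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Credential shapes to look for. The AWS access key ID prefix is the documented
# format; the other two are generic "name = 'value'" assignments.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"),
    "token_assignment": re.compile(
        r"(?i)(api[_-]?key|token|secret)\s*[=:]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
}

# Values that are clearly documentation placeholders rather than secrets.
PLACEHOLDERS = {"changeme", "password", "example", "placeholder", "<redacted>"}


def shannon_entropy(value: str) -> float:
    """Bits per character; very low entropy (e.g. 'aaaaaaaa') is not a secret."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line number, pattern name) for each suspected secret.

    The matched value is deliberately not returned, so the scanner's own
    output never becomes a second copy of the credential.
    """
    findings: List[Tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(match.lastindex) if match.lastindex else match.group(0)
            if value.lower() in PLACEHOLDERS or shannon_entropy(value) < 2.0:
                continue
            findings.append((path, lineno, name))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of path -> contents (what a pre-commit hook would supply)."""
    findings: List[Tuple[str, int, str]] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def ci_gate(files: Dict[str, str]) -> int:
    """Exit status for a pipeline step: 1 blocks the commit, 0 lets it through."""
    findings = scan_files(files)
    for path, lineno, name in findings:
        print(f"{path}:{lineno}: possible {name} (value redacted)")
    return 1 if findings else 0


# Constructed sample commit. The AWS key is the sample value from AWS's own
# documentation; the password and token are made up for this example.
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_PASSWORD = "Tr0ub4dor&3-prod"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'API_TOKEN = "tkn_0123456789abcdefXYZ"\n'
    ),
    "README.md": 'Set PASSWORD = "changeme" before first run.\n',
}

if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_FILES))
```

Run as a script it exits non-zero on the three planted credentials in config/settings.py and ignores the README placeholder; a pipeline step that calls it this way fails the build before the commit is pushed. Real scanners use far larger pattern sets and allow-lists, but the shape is the same: scan at build time, report location only, never echo the value.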


Fintech Regulations in the United States Compared to Regulations in Europe and Asia

AML regulations in Europe are under a complete Anti-Money Laundering Directive. Although the article “Regulation of FinTech Must Strike a Better Balance between Market Stimulation and the Security and Stability of the Financial and Economic System” has a lengthy title, it perfectly describes the article’s content (“MIL-OSI Europe”, 2018). The article outlines the European Economic and Social Committee’s criticism and beliefs regarding the European Commission’s Action Plan for regulating fintech. Identifying the risk of certain fintechs and later deciding regulations does not indicate that the EESC believes that deregulation is the key. Instead, the EESC notes that deregulation actually causes higher risk to using those fintechs, and that it is unfair for traditional banking services if fintechs lack regulations or are completely deregulated. The EU has enacted the Anti-Money Laundering Directive for member countries to implement.


Mainstream enterprises increasingly behave like software vendors

Ultimately, reusable sets of API calls and data abstractions that scale workflow across multiple enterprise applications are required to build an open platform architecture, according to Richard Pulliam, principal at 2Disrupt and a contributor to the Cloud Elements report. "The ERP used to be the mission-critical system taking data from all points of the business to help it run more efficiently. This is why ERPs are inclusive of larger suites of software like CRM, marketing automation, customer support, and more. But as the volume of data grows and customers desire to use best-of-breed cloud applications to solve specific functions, the ERP no longer holds all the mission-critical data." On average, both enterprise and software vendor respondents selling digital platforms want to add dozens of new integrations in the year ahead -- 34 on average. Most enterprise respondents listed authentication, custom objects, and workflows as the most challenging aspects of API integration.


8 states targeted in CARES Act scams from cybercrime group

Due to the economic crisis caused by the coronavirus pandemic, states have been overburdened trying to get money to the more than 34 million Americans who are now unemployed. Most states have received an extraordinary amount of applications for funding, making it nearly impossible for their short-staffed agencies to thoroughly vet each request. More than $48 billion in unemployment insurance payments was sent out by states through the month of April. Cybercriminals with Scattered Canary have taken advantage of the situation according to Peterson, who wrote that the group filed more than 80 fraudulent claims for CARES Act Economic Impact Payments and even more claims for unemployment insurance in Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, Wyoming and most recently Hawaii. Unfortunately, the IRS and some states have already sent the money out before being notified that the applications came from people who had their personal information stolen or misused by hackers within Scattered Canary.


Machine Learning: What Is It Really Good For?

In other words, for many organizations, the best option with machine learning may be to buy an off-the-shelf solution. The good news is that there are many on the market—and they are generally affordable. But regardless of what path you take, there needs to be a clear-cut business case for machine learning. It should not be used just because it is trendy. There also needs to be sufficient change management within the organization. “One of the greatest challenges in implementing machine learning and other data science initiatives is navigating institutional change—getting a buy-in, dealing with new processes, the changing job duties, and more,” said Ingo Mierswa, who is the founder and president of RapidMiner. Then what are the use cases for machine learning? According to Alyssa Simpson Rochwerger, who is the VP of AI and the Data Evangelist at Appen: “Machine learning can solve lots of different types of problems. But it's particularly well suited to decisions that require very simple and repetitive tasks at large scale.


Jepsen Disputes MongoDB’s Data Consistency Claims

MongoDB’s default level of read concern allows aborted reads: readers can observe state that is not fully committed, and could be discarded in the future. As the read isolation consistency docs note, “Read uncommitted is the default isolation level”. We found that due to these weak defaults, MongoDB’s causal sessions did not preserve causal consistency by default: users needed to specify both write and read concern majority (or higher) to actually get causal consistency. MongoDB closed the issue, saying it was working as designed, and updated their isolation documentation to note that even though MongoDB offers “causal consistency in client sessions”, that guarantee does not hold unless users take care to use both read and write concern majority. A detailed table now shows the properties offered by weaker read and write concerns. ... Clients observed a monotonically growing list of elements until [1 2 3 4 5 6 7], at which point the list reset to [], and started afresh with [8]. This could be an example of MongoDB rollbacks, which is a fancy way of saying “data loss”.
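The anomaly the excerpt describes (a list that grows to [1 2 3 4 5 6 7], resets to [] and restarts at [8]) can be replayed in a toy replica-set model. The following is an added simulation written for this digest entry, not MongoDB or Jepsen code. It assumes three nodes named p, s1 and s2, a crude whole-log replication scheme, and only the two read concerns and two write concerns the excerpt contrasts; it does not model causal sessions.

```python
"""Toy replica-set simulation (constructed for this digest entry, not MongoDB
or Jepsen code). It models why the excerpt calls the default read concern an
"aborted read" hazard: a write acknowledged by the primary alone can be seen
by a reader and then discarded when a failover rolls the primary's log back.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Node:
    name: str
    log: List[int] = field(default_factory=list)  # elements of one document's list


class ReplicaSet:
    """Replica set with a deliberately crude whole-log replication scheme."""

    def __init__(self, names: List[str]):
        self.nodes: Dict[str, Node] = {n: Node(n) for n in names}
        self.primary: str = names[0]
        self.isolated: Set[str] = set()  # nodes the primary cannot currently reach
        self.majority: int = len(names) // 2 + 1

    def _reachable_secondaries(self) -> List[Node]:
        return [n for n in self.nodes.values()
                if n.name != self.primary and n.name not in self.isolated]

    def write(self, value: int, write_concern: str = "1") -> int:
        """Append value on the primary and copy the log to reachable secondaries.

        Write concern "1" acknowledges once the primary alone holds the write;
        "majority" raises instead of acknowledging when fewer than a majority
        hold it. Returns how many nodes hold the write at acknowledgement.
        """
        prim = self.nodes[self.primary]
        prim.log.append(value)
        secondaries = self._reachable_secondaries()
        for s in secondaries:
            s.log = list(prim.log)
        holders = 1 + len(secondaries)
        if write_concern == "majority" and holders < self.majority:
            raise TimeoutError(f"write of {value} reached {holders} nodes, "
                               f"majority needs {self.majority}")
        return holders

    def read(self, read_concern: str = "local") -> List[int]:
        """Read the list from the primary.

        "local" returns the primary's current log, including writes no other
        node has (they may later be rolled back). "majority" returns only the
        longest prefix held by a majority of nodes, which cannot be rolled back.
        """
        prim_log = self.nodes[self.primary].log
        if read_concern == "local":
            return list(prim_log)
        for k in range(len(prim_log), -1, -1):
            prefix = prim_log[:k]
            holders = sum(1 for n in self.nodes.values() if n.log[:k] == prefix)
            if holders >= self.majority:
                return prefix
        return []  # not reached: every node holds the empty prefix

    def failover(self) -> List[int]:
        """Isolate the old primary and elect the secondary with the longest log.

        The old primary's writes beyond the new primary's history are discarded
        (the rollback); they are returned so the caller can see what was lost.
        """
        old = self.nodes[self.primary]
        self.isolated = {old.name}
        candidates = [n for n in self.nodes.values() if n.name != old.name]
        new_primary = max(candidates, key=lambda n: len(n.log))
        self.primary = new_primary.name
        lost = old.log[len(new_primary.log):]
        old.log = list(new_primary.log)
        return lost


def run_scenario(write_concern: str = "1") -> Dict[str, List[int]]:
    """Replay the excerpt's anomaly: the primary is cut off from its secondaries,
    1..7 are written, a reader looks, a failover happens, then 8 is written."""
    rs = ReplicaSet(["p", "s1", "s2"])
    rs.isolated = {"s1", "s2"}
    acknowledged: List[int] = []
    for v in range(1, 8):
        try:
            rs.write(v, write_concern)
            acknowledged.append(v)
        except TimeoutError:
            break  # with "majority" the very first write is refused
    local_view = rs.read("local")
    majority_view = rs.read("majority")
    rolled_back = rs.failover()
    rs.write(8, write_concern)  # the new primary can reach the other secondary
    return {
        "acknowledged": acknowledged,
        "local_read_before_failover": local_view,
        "majority_read_before_failover": majority_view,
        "rolled_back": rolled_back,
        "after_failover": rs.read("local"),
    }


if __name__ == "__main__":
    for wc in ("1", "majority"):
        print(f"write concern {wc}: {run_scenario(wc)}")
```

With write concern "1" the client is told all seven writes succeeded, a "local" reader sees [1..7], a "majority" reader sees [], and the failover discards all seven before the list restarts at [8]. With write concern "majority" the first write is refused rather than acknowledged, so although the isolated primary briefly holds an unacknowledged element (visible to a "local" reader, never to a "majority" reader), nothing the client was told succeeded is ever rolled back. That is the excerpt's point: both the write and the read concern have to be raised to "majority" before the guarantee holds.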



Quote for the day:


"If you want someone to develop a specific trait, treat them as though they already had it." -- Goethe

