Daily Tech Digest - August 22, 2020

There is a crisis of face recognition and policing in the US

When Jennifer Strong and I started reporting on the use of face recognition technology by police for our new podcast, “In Machines We Trust,” we knew these AI-powered systems were being adopted by cops all over the US and in other countries. But we had no idea how much was going on out of the public eye.  For starters, we don’t know how often police departments in the US use facial recognition for the simple reason that in most jurisdictions, they don’t have to report when they use it to identify a suspect in a crime. The most recent numbers are speculative and from 2016, but they suggest that at the time, at least half of Americans had photos in a face recognition system. One county in Florida ran 8,000 searches each month. We also don’t know which police departments have facial recognition technology, because it’s common for police to obscure their procurement process. There is evidence, for example, that many departments buy their technology using federal grants or nonprofit gifts, which are exempt from certain disclosure laws. In other cases, companies offer police trial periods for their software that allow officers to use systems without any official approval or oversight.

Outlook “mail issues” phishing – don’t fall for this scam!

Only if you were to dig into the email headers would it be obvious that this message actually arrived from outside and was not generated automatically by your own email system at all. The clickable link is perfectly believable, because the part we’ve redacted above (between the text https://portal and the trailing /owa, short for Outlook Web App) will be your company’s own domain name. But even though the blue text of the link itself looks like a URL, it isn’t actually the URL that you will visit if you click it. Remember that a link in a web page consists of two parts: first, the text that is highlighted, usually in blue, which is clickable; second, the destination, or HREF (short for hypertext reference), where you actually go if you click the blue text. ... One tricky problem for phishing crooks is what to do at the end, so you don't belatedly realise it's a scam and rush off to change your password (or cancel your credit card, or whatever it might be). In theory, they could try using the credentials you just typed in to log in for you and then dump you into your real account, but there's a lot that could go wrong. The crooks almost certainly will test out your newly-phished password pretty soon, but probably not right away while you are paying attention and might spot any anomalies that their attempted login might cause.

Taking on the perfect storm in cybersecurity

The future of cybersecurity depends on a platform approach. This will allow your cybersecurity teams to focus on security rather than continue to integrate solutions from many different vendors. It allows you to keep up with digital transformation and, along the way, battle the perfect storm. Our network perimeters are typically well-protected, and organizations have the tools and technologies in place to identify threats and react to them in real-time within their network environments. The cloud, however, is a completely different story. There is no established model for cloud security. The good news is that there is no big deployment of legacy security solutions in the cloud. This means organizations have a chance to get it right this time. We can also fix how to access the cloud and manage security operations centers (SOCs) to maximize ML and AI for prevention, detection, response and recovery. Cloud security, cloud access and next-generation SOCs are interrelated. Individually and together, they present an opportunity to modernize cybersecurity. If we build the right foundation today, we can break the pattern of too many disparate tools and create a path to consuming cybersecurity innovations and solutions more easily in the future.

FBI and CISA warn of major wave of vishing attacks targeting teleworkers

Collected information included: name, home address, personal cell/phone number, the position at the company, and duration at the company, according to the two agencies. The attackers then called employees using random Voice-over-IP (VoIP) phone numbers or by spoofing the phone numbers of other company employees. "The actors used social engineering techniques and, in some cases, posed as members of the victim company's IT help desk, using their knowledge of the employee's personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee," the joint alert reads. "The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA or OTP." When the victim accessed the link to the phishing site the hackers had created, the cybercriminals logged the credentials and used them in real time to gain access to the corporate account, even bypassing 2FA/OTP limits with the help of the employee. "The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed," the FBI and CISA said.

Why you need to revisit your IT policies

Part of that proactive planning should be adjustments to your IT policies. These documents are often forgotten until they're most needed, and the recent rushed transition from office work to remote work likely highlighted this condition. In the rushed transition, imagine how helpful it would have been to have some basic policy guidance on what equipment is supported for remote work, what items are reimbursable and where they can be sourced, and which software was recommended. If nothing else, some simple policies and guidance around these topics probably would have saved your already-stretched support staff dozens of phone calls and emails. ... At their best, policies provide guidance based on organizational priorities and experience, and at their worst, they are an extensive list of "Thou Shalt Nots" that assume your colleagues are nefarious scallywags one step away from destroying the organization should you not be there to preempt each of their misguided notions. Many employees dislike policy documents since they bias toward the latter, and unsurprisingly when you treat your colleagues like children and scoundrels, they'll rise to the occasion.

Styles, protocols and methods of microservices communication

For those who choose to stick with asynchronous protocols, consider exploring the advanced message queuing protocol (AMQP). This widely available and mature protocol provides a standard method for microservices communication and should be a priority for those developing truly composite microservices apps. Asynchronous protocols like AMQP use a lightweight service bus similar to a service-oriented architecture (SOA) bus, though much less complex. Unlike HTTP, this bus provides a message broker that acts as an intermediary between the individual microservices, thus avoiding the problems associated with a brokerless approach. Keep in mind, however, that a message broker will introduce extra steps that can add latency. The individual services still contain their functional and operational logic, and will need time to process that logic. The bus simply helps standardize and throttle those communications. Major cloud platforms, such as Azure, provide their own proprietary service bus for message brokering. However, there are also third-party options such as RabbitMQ, an open source message broker written in the Erlang programming language.

Edge computing: 4 problems it helps solve for enterprises

Enterprises in the construction, manufacturing, mining, and oil and gas industries, for example, are embracing the edge, which enables them to run the core elements of any solution locally by empowering local devices to save their state, interact with each other, and send important alerts and notifications. “This means that even if the internet goes down the factory, warehouse, construction site, mine, or field, edge processing continues to work full steam ahead,” Allsbrook says. ... Edge computing can minimize the network and bandwidth issues associated with moving large amounts of data to or from IoT devices and reduce reliance on the network. Companies look to edge solutions that can process data at the source and provide summary information on what’s going on. This eliminates the need for expensive SIM cards, data plans, and other network costs if the data were to have to be transported from the device to a network. “Edges can use simple ‘if-then’ logic or advanced AI algorithms to understand and build those summary reports,” explains Allsbrook of ClearBlade.

The Great Reset requires FinTechs – and FinTechs require a common approach to cybersecurity

Established financial services providers have a number of frameworks, standards and industry-driven initiatives available to test the security of FinTechs and other third parties. However, the volume of industry initiatives – driven by the pace of technological change and the multiplication of regulations – is now creating “noise”. This makes it difficult for FinTechs to direct their resources in a way that allows for security while also facilitating commercial partnerships. Requirements placed on FinTechs sow confusion, increase costs and may incentivise “security through obscurity”, in which less well-resourced firms play a game of chance, betting that they’re too small to be targeted by attackers and setting themselves up for problems in the future. ... The sector needs a mutually understood and widely accepted base level of cybersecurity controls. Clarity at the base level of security will support effective protection of business and client assets across the wider supply chain. This can accelerate the speed at which FinTechs can come to market and create commercial partnerships – and, in turn, incentivise good cyber hygiene.

IBM Finds Flaw in Millions of Thales Wireless IoT Modules

The modules, which IBM describes as mini circuit boards, enable 3G or 4G connectivity, but also store secrets such as passwords, credentials and code, according to Adam Laurie, X-Force Red's lead hardware hacker, and Grzegorz Wypych, senior security consultant, who wrote a blog post. "This vulnerability could enable attackers to compromise millions of devices and access the networks or VPNs supporting those devices by pivoting onto the provider's backend network," Laurie and Wypych write. "In turn, intellectual property, credentials, passwords and encryption keys could all be readily available to an attacker." In a statement, Thales says "it takes the security of its products very seriously and therefore has, after communicating and discussing this issue with affected customers, delivered software fixes in Q1/2020." The modules run microprocessors with an embedded Java ME interpreter and use flash storage. Also, there are Java "midlets" that allow for customization. One of those midlets copies custom Java code added by an OEM to a secure part of the flash memory, which should only be in write mode so that code can be written there but not read back.

How to manage unstructured data using an ECM system

Structured data is information governed by a database structure, organized into defined fields, usually within the context of a relational database. The database structure requires that data in the fields follow a prescribed format. For example, a date must have the format of a date and a name must be limited in length. The most common place that people encounter structured data is in the cells of a spreadsheet. Structured data has many applications within businesses and is easy to search. It is found in finance, customer relationship management, supply chain and other applications where compliance to structures is keyed to business tasks. Unstructured data, on the other hand, is data without rules and is not as searchable. Users who create unstructured data are writing free-form, rather than complying with structured data fields. There is minimal enforcement of any rules on the length of content, the format of the content or what content goes where. Despite the lack of formal structure, unstructured information -- which users create in word processing programs, spreadsheets, presentation files, PDFs, social media feeds, and audio and video files -- forms the bulk of the data created in an organization.

Quote for the day:

"When you expect the best from people, you will often see more in them than they see in themselves." -- Mark Miller
