Daily Tech Digest - January 31, 2021

How retailers can manage data loss threats during remote work

While an e-commerce store often relies on many software tools to help make day-to-day operations a little easier, it's likely that the number of apps being used has gone up with the increase in remote work. However, separate software tools don't always play nice together, and the level of access and control they have over your data might surprise you. Some even have the ability to delete your data without warning. At least once a year, e-commerce merchants should audit all the applications connected to their online store. Terms and conditions can change so it's best you understand any changes in the last 365 days. List all the pros and cons of each integration and decide if any tradeoffs are worth it. SaaS doesn't save everything.  Software-as-a-service (SaaS) tools will always ensure the nuts and bolts of the platform work. However, protecting all the data stored inside a SaaS or cloud solution like BigCommerce or Shopify rests on the shoulders of users. If you don't fully back up all the content and information in your store, there's absolutely no guarantee it will be there the next time you log in. This model isn't limited to just e-commerce platforms. Accounting software like QuickBooks, productivity tools like Trello and even code repositories like GitHub all follow the same model.

Don't make these cyber resiliency mistakes

Manea begins by sharing the well-worn axiom that defenders must protect every possible opening where attackers only need one way in. If realistic, that truism alone should be enough to replace a prevention attitude with one based on resilience. Manea then suggests caution. "Make sure you understand your organizational constraints—be they technological, budgetary, or even political—and work to minimize risk with the resources that you're given. Think of it as a game of economic optimization." ... Put simply, a digital threat-risk assessment is required. Manea suggests that a team including representatives from the IT department, business units, and upper management work together to create a security-threat model of the organization—keeping in mind: What would an attacker want to achieve?; What is the easiest way for an attacker to achieve it?; and What are the risks, their severity, and their likelihood? An accurate threat model allows IT-department personnel to implement security measures where they are most needed and not waste resources. "Once you've identified your crown jewels and the path of least resistance, focus on adding obstacles to that path," he said.

Researchers have developed a deep-learning algorithm that can de-noise images

In conventional deep-learning-based image processing techniques, the number and network between layers decide how many pixels in the input image contribute to the value of a single pixel in the output image. This value is immutable after the deep-learning algorithm has been trained and is ready to de-noise new images. However, Ji says fixing the number for the input pixels, technically called the receptive field, limits the performance of the algorithm. “Imagine a piece of specimen having a repeating motif, like a honeycomb pattern. Most deep-learning algorithms only use local information to fill in the gaps in the image created by the noise,” Ji says. “But this is inefficient because the algorithm is, in essence, blind to the repeating pattern within the image since the receptive field is fixed. Instead, deep-learning algorithms need to have adaptive receptive fields that can capture the information in the overall image structure.” To overcome this hurdle, Ji and his students developed another deep-learning algorithm that can dynamically change the size of the receptive field. In other words, unlike earlier algorithms that can only aggregate information from a small number of pixels, their new algorithm, called global voxel transformer networks (GVTNets), can pool information from a larger area of the image if required.

Manufacturers Take the Initiative in Home IoT Security

Although ensuring basic connectivity between endpoint devices and the many virtual assistants they connect to would seem to be a basic necessity, many consumers have encountered issues getting their devices to work together effectively. While interoperability and security standards exist, there are none in place that provide consumers the assurance their smart home device will seamlessly and securely connect. To respond to consumer concerns, “Project Connected Home over IP” was launched in December 2019. Initiated by Amazon, Apple, Google and the Zigbee Alliance, this working group focuses on developing and promoting a standard for interoperability that emphasizes security. The project aims to enable communication across mobile apps, smart home devices and cloud services, defining a specific set of IP-based networking technologies for device certification. The goal is not only to improve compatibility but to ensure that all data is collected and managed safely. Dozens of smart home manufacturers, chip manufacturers and security experts are participating in the project. Since security is one of the key pillars of the group’s objectives, DigiCert was invited to provide security recommendations to help ensure devices are properly authenticated and communication is handled confidentially.

Has 5G made telecommunications sustainable again?

The state of the personal communications market as we enter 2021 bears undeniable similarity to that of the PC market (personal computer, if you've forgotten) in the 1980s. When the era of graphical computing began in earnest, the major players at that time (e.g., Microsoft, Apple, IBM, Commodore) tried to leverage the clout they had built up to that point among consumers, to help them make the transition away from 8-bit command lines and into graphical environments. Some of those key players tried to leverage more than just their market positions; they sought to apply technological advantages as well — in one very notable instance, even if it meant contriving that advantage artificially. Consumers are always smarter than marketing professionals presume they are. Two years ago, one carrier in particular (which shall remain nameless, in deference to folks who complain I tend to jump on AT&T's case) pulled the proverbial wool in a direction that was supposed to cover consumers' eyes. The "5G+" campaign divebombed, and as a result, there's no way any carrier can cosmetically alter the appearance of existing smartphones, to give their users the feeling of standing on the threshold of a new and forthcoming sea change.

Learn SAML: The Language You Don't Know You're Already Speaking

SAML streamlines the authentication process for signing into SAML-supported websites and applications, and it's the most popular underlying protocol for Web-based SSO. An organization has one login page and can configure any Web app, or service provider (SP), supporting SAML so its users only have to authenticate once to log into all its Web apps (more on this process later). The protocol has recently made headlines due to the "Golden SAML" attack vector, which was leveraged in the SolarWinds security incident. This technique enables the attacker to gain access to any service or asset that uses the SAML authentication standard. Its use in the wild underscores the importance of following best practices for privileged access management. A need for a standard like SAML emerged in the late 1990s with the proliferation of merchant websites, says Thomas Hardjono, CTO of Connection Science and Engineering at the Massachusetts Institute of Technology and chair of OASIS Security Services, where the SAML protocol was developed. Each merchant wanted to own the authentication of each customer, which led to the issue of people maintaining usernames and passwords for dozens of accounts.

Biometrics ethics group addresses public-private use of facial recognition

“To maintain public confidence, the BFEG recommends that oversight mechanisms should be put in place,” it said. “The BFEG suggests that an independent ethics group should be tasked to oversee individual deployments of biometric recognition technologies by the police and the use of biometric recognition technologies in public-private collaborations (P-PCs). “This independent ethics group would require that any proposed deployments and P-PCs are reviewed when they are established and monitored at regular intervals during their operation.” Other recommendations included that police should only be able to share data with “trustworthy private organisations”, specific members of which should also be thoroughly vetted; that data should only be shared with, or accessible to, the absolute minimum number of people; and that arrangements should be made for the safe and secure sharing and storage of biometric data. The BFEG’s note also made clear that any public-private collaborations must be able to demonstrate that they are necessary, and that the data sharing between the organisations is proportionate.

Security Threats to Machine Learning Systems

The collection of good and relevant data is a very important task. For the development of a real-world application, data is collected from various sources. This is where an attacker can insert fraudulent and inaccurate data, thus compromising the machine learning system. So, even before a model has been created, by inserting a very large chuck of fraudulent data the whole system can be compromised by the attacker, this is a stealthy channel attack. This is the reason why the data collectors should be very diligent while collecting the data for machine learning systems. ... Data poisoning directly affects two important aspects of data, data confidentiality, and data trustworthiness. Many a time the data used for training a system might contain confidential and sensitive information. By poisoning attack, the confidentiality of the data is lost. It is often believed that maintaining the confidentially of data is a challenging area of study by itself, the additional aspect of machine learning makes the task of securing the confidentiality of the data becomes that much more important. Another important aspect affected by data poisoning is data trustworthiness.

Fuzzing (fuzz testing) tutorial: What it is and how can it improve application security?

We know when a programmer is developing code, they have different computations depending upon what the user gives them. So here the program is the maze and then we have, let's just pretend, a little robot up here and input to the program is going to be directions for our robot through the maze. So for example, we can give the robot the directions, I'm going to write it up here, down, left, down, right. And he's going to take two rights, just meaning he's going to go to the right twice. And then he's going to go down a bunch of times. So you can think about giving our little robot this input and robot is going to take that as directions and he's going to take this path through the program. He's going to go down, left, down first right, second right, then a bunch of downs. And when you look at this, we had a little bug here. They can verify that this is actually okay. There's no actual bug here. And this is what's happening when a developer writes a unit test. So what they're doing is they're coming up with an input and they're making sure that it gets the right output. Now, a problem is, if you think about this maze, we've only checked one path through this maze and there's other potential lurking bugs out there.

The three steps for smart cities to unlock their full IoT potential

In theory, if a city applied uniform standards across all of its IoT-connected devices, it could achieve full interoperability. Nevertheless, we believe that cities and regulators should focus on defining common communication standards to support technical interoperability. The reason: Although different versions exist, communications standards are generally mature and widely used by IoT players. In contrast, the standards that apply to messaging and data formats—and are needed for syntactic interoperability—are less mature, and semantic standards remain in the early stages of development and are highly fragmented. Some messaging and data format standards are starting to gain broad acceptance, and it shouldn’t be long before policymakers can prudently adopt the leading ones. With that scenario in mind, planners should ignore semantic standards until clear favorites emerge. Building a platform that works across use cases can improve interoperability. The platform effectively acts as an orchestrator, translating interactions between devices so that they can share data and work. In a city context, a cross-vertical platform offers significant benefits over standardization.

Quote for the day:

"Education makes a people difficult to drive, but easy to lead; impossible to enslave, but easy to govern." -- Lorn Brougham

No comments:

Post a Comment