Daily Tech Digest - March 26, 2021

Text authentication is even worse than almost anyone thought

For years, the key argument against relying on text message confirmations is that they are susceptible to man-in-the-middle attacks, which is still true. But this peek into the authorized infrastructure for text messages means that text takeovers can happen far more simply. There are plenty of easily accessed apps that make text-like authentication far more secure, including Google Authenticator, Symantec's VIP Access, Adobe Authenticator, and Signal. Why risk unencrypted, easily stolen texts for account access or anything else? For the moment, let's set aside how relatively easy and low-cost it is to move to a more secure version of text confirmations. Let's also, for the moment, set aside the compliance and operational risks your team is taking by letting the enterprise grant account access vis unencrypted texts. How about solely looking at the risk and compliance implications of offering third-party access via unencrypted text authentications? Remember this from the Vice piece: "The (attacker) sent login requests to Bumble, WhatsApp, and Postmates, and easily accessed the accounts." Once a bad guy takes control of a customer's texts, a vast domino effect kicks in, where lots of businesses can be improperly accessed.

How to Mitigate Low-Code Security Risks

On the low-code spectrum, there is the attitude that “people aren’t really doing mission-critical applications — they’re mainly doing prototyping, or back office automations,” Wysopal said. Or, since low-code applications often do not publicly expose an application, they are deemed low-risk and fall to the bottom of the security team’s inbox and list of to-dos. “We’re still in a world where people don’t secure all applications,” he said. However, these attitudes are a bit short-sighted, since “applications aren’t islands,” Wysopal said. Even if applications are intended for internal use only, phishing attempts could expose credentials and gain access to the network. Here, attackers could leverage sensitive resources or steal infrastructure for compute power. Thus, all low-code users should be aware of potential threats and change habits to address these risks accordingly. However, the onus is also on low-code vendors to sufficiently arm their systems. Having a vulnerability disclosure, bounty program and an easy means to accept bug reports from white hat security researchers will be necessary to continually patch issues. Low-code continues to permeate more and more digital operations, opening up novel potential for citizen developers.

Smart cities are built on data

Cities must understand the full set of stakeholders who should be involved in setting data governance policies. They include civic authorities, the public, the private sector, technology providers and academic experts. Then they need to look at smart city projects as an “integrated ecosystem,” which means using the data for the collective benefit of the city, public and private sector, Chiasson said. “In a lot of cases, the costs are concentrated, but the benefits are diffuse,” he said. For instance, improving traffic flow would benefit many stakeholders, but the cost tends to be concentrated with the agency paying for sensors and algorithms. “Holistically tying that together … is the way you start to have data that’s good and data that’s valuable,” Chiasson said. And valuable means data that can be turned into usable information. For instance, a city may have ridership and traffic data, but if they can’t use it to reduce emissions, it’s not helpful. “Data is not information,” Dennis said. “Oftentimes, what we’ll see is that there’s too much data and not enough ability for the city to convert it into information holistically.” Urban SDK has a data specification for smart cities that lets them aggregate data from a range of sources and normalize it into one database. From there, the data can be analyzed into information.

GAO warns on cyber risks to power grid

The country's electrical systems are increasingly susceptible to cyberattacks, according to government auditors, and there is uncertainty about the extent to which a localized attack might cascade through power distribution systems. A new report from the Government Accountability Office examines the vulnerabilities of electricity grid distribution systems, how some states and industry actions have hardened those systems and the extent to which the Department of Energy has addressed risks by implementing the national cybersecurity strategy. Government and industry officials told GAO that a cyberattack on a grid distribution system would likely have localized effects, but a coordinated attack could have widespread consequences. However, the officials conceded that assumption is based on their professional experience, GAO noted, and none of them were aware of an assessment that confirmed their claims. "Moreover, three federal and national laboratory officials told us that even if a cyberattack on the grid's distribution systems was localized, such an attack could still have significant national consequences, depending on the specific distribution systems that were targeted and the severity of the attack's effects," according to the report.

Vaccinated Employees Returning with Un-Vaccinated Devices

With vaccines making their way throughout the country and lockdown restrictions loosening up, a debate surrounding the office return emerges. Hybrid vs. remote vs. full-time – every scenario is different, as well as the rules and accommodations to make the return safe and productive for all. User systems will be coming back as well, and their absence from the network could present new challenges. In the vast majority of cases, computers and mobile devices have not been on-premise for close to a year. Ever vigilant from a security perspective, the best way to approach the “repatriation” of these systems onto the office network is to regard them as potentially infected. At the very least, consider that these devices are not in the same state as when they left. During this time, the company office extended into the homes of employees, and the line separating home from work was essentially diminished. ... Even with device management in place, the potential for unaccounted change from field devices is significant. Consider this both a threat and an opportunity. The first goal is to ensure that workstations have been adequately patched and updated. Devices, security software and applications must be validated and brought up-to-date before actively working on networks hold sensitive, critical data.

Cyber threats, ongoing war for talent, biggest concerns for tech leaders

When it comes to talent, 44% of respondents said that finding enough qualified employees to fill open positions is the biggest risk they face over the coming year. An almost equal percentage say the task is just as difficult as it was a year ago. To close the skills gap, companies said they are trying a variety of strategies, including building flexible, on-the-job training opportunities (61%); rewriting job descriptions or job titles (42%); creating an apprenticeship program (39%); and eliminating requirements that applicants have certain types of academic degrees (24%). Some other pathways to finding the right talent: easing location restrictions; gamification of training; and prioritizing the search for candidates with a diversity of career backgrounds. In fact, nearly three-quarters of the respondents said that in the past year they’ve filled open technology positions with candidates with liberal arts degrees. An equal percentage have taken internal candidates from non-tech teams. About half of tech leaders have hired people with no college degree at all. A little over 60% of survey participants said their company is ahead of the curve when it comes to investing in new technology, and 35% said they’re about average. 

When Every Millisecond Matters in IoT

It starts with a network of seismic sensors, which are used to detect the P-waves, providing a ton of information that can be used to calculate the size and location of the damaging earthquake. The data is distributed in real-time to every subscribed party: emergency response, infrastructureand everyday users who have the app installed. The next critical piece of technology is a real-time network: a super-fast, low-latency and reliable infrastructure that is optimized to broadcast small amounts of data to huge audiences of subscribers. This may include both the earthquake data itself, as well as push notifications or alerts specified by the app developer. This is where every millisecond matters, so ensuring reliability at scale, even in unreliable environments, is mission critical. When selecting a real-time network, whether you go with a hosted service or build it yourself, app developers need to understand the underlying technology, real-time protocols and other indicators of scalability. Lastly, you need the application that connects your real-time IoT network to the deployed sensors, where notifications are transmitted and the response is automated based on incoming data.

What businesses need to know to evaluate partner cyber resilience

Protecting customer data is vital and now regulated in certain geographies with the introduction and implementation of privacy laws like the GDPR and the CCPA. Non-compliance with either of these regulations may result in large fines that can pose a serious threat to business continuity depending on the size of the company and violation. While the GDPR and the CCPA are the two of most well-known regulations, at least 25 U.S. states have data protection laws, with Virginia being the most recent to enact legislation. Legislation aside, organizations must protect data and be able to recover it in the event of any loss. Not being able to recover data, albeit at the fault of a partner, can quickly propel an organization toward financial setbacks, damaged relationships and diminished reputation. When it comes to evaluating a partner, ask them to detail their backup strategy and policies. Regular infection simulations and backup procedure tests are crucial in making sure you are prepared for a real DEFCON scenario. Businesses must have endpoint security in place as cybercriminals are constantly developing new ways to attack networks, take advantage of employee trust and steal data. In traditional office building settings, employees were better protected within the corporate network.

How one data scientist is pioneering techniques to detect security threats

It was all pretty accidental, not something I had planned. I did really well in college—I was first in my class. And I finished in 2010, in the middle of the Great Recession, which hit the Spanish labor market horribly. At that time, the unemployment rate was 25 percent. The lucky ones, like people in engineering, were getting job offers. But when you’re in technology, the only options in Spain are to work for a consulting company or to do support or sales. There weren’t any entry-level jobs in research and development. So, I started a master’s with a group doing research on biometrics. The master’s was also in computer science and very related to artificial intelligence and a lot of interconnected fields like multimedia signal processing, computer vision, and natural language processing. I did my thesis on statistics around forensic fingerprints, and the probability of a random match between a latent fingerprint found at a crime scene and a random person that could have been wrongly convicted of that crime. ... One good approach is to find an internship that has some connection between doing data science and security and fraud, even if it’s just loosely related.

What To Expect From The New US-India Artificial Intelligence Initiative

India and the US can complement each other in this collaborative effort to ensure equitable progress. “For the US, India represents a massive consumer market – and one of the world’s largest troves of data. Technology firms in the US accessing this data will be like energy firms finding oil in the Middle East,” said Prakash. “For India, the US algorithms are solutions to a variety of development challenges India faces, from bringing banking to hundreds of millions of people to modernising the Indian military to offering healthcare to the masses. At the same time, for US technology firms, India churns out massive amounts of engineers and computer scientists – critical talent that these firms need.” Another major reason for a partnership between India and the US is the new geopolitical realities. China’s growing influence in the field of AI is a pressing concern. “What India and the US bring to the table is what is a supposedly democratic governance model of emerging technology, said Basu, “Despite the change in administration from Trump to Biden, there are certain things where there is continuity – like distrust in China and Chinese technology....”

Quote for the day:

"Leadership is a dynamic process that expresses our skill, our aspirations, and our essence as human beings." -- Catherine Robinson-Walker

No comments:

Post a Comment