There is currently no clearly defined standard for the vaccine passport. The Biden administration has announced that there will be no central, national policy, leaving the private sector to create its own solutions. Many projects, including those of IBM, the International Air Transport Association and several individual airlines, are already underway. Depending on where you intend to travel, this could mean handing over personal information and login credentials to multiple airlines and industry bodies. The more places that store this information, the more exposed it is to breach and loss. The lack of any agreed standard also opens the system up to fraud and manipulation. Cybercriminals are already turning the impact of the pandemic to their advantage, and a patchwork of vaccine passport systems presents another golden opportunity. Because of the emphasis on equity in the rollout, vaccine passports will have to be both paper and digital. Paper passports for those who do not have digital devices will show up on the dark web the same way that fake vaccine passports are already showing up for a few hundred dollars.
Cybersecurity, emerging technology and systemic risk: What it means for the medical device industry?
A personal goal of mine is that within 5 years, I can talk to any medical device developer about cybersecurity and find that they have comprehensive knowledge of all aspects of creating a secure device. To achieve that, I partnered with Axel Wirth to write and publish the world’s first comprehensive, how-to book on medical device cybersecurity. Also, Velentium has launched a training certification process to train engineers, developers, and managers at medical device manufacturers (MDMs) and other embedded and IoT device designers, so they’ll have qualified, knowledgeable cybersecurity expertise on staff. According to a recent (ISC)² report, the global cybersecurity talent gap remains at more than 3 million. Cybersecurity employment must grow by 41 percent in the U.S. and by 89 percent worldwide to fill the existing gap. Clearly there is a huge shortfall of talent in the IT arena, but the situation is far worse for the embedded device arena. Skilled people simply are not available.
A side-channel attack is an implementation-specific attack: it exploits the fact that an implementation behaves differently for different inputs, and uses an indirect measurement, such as the time the computation takes, to learn a secret value such as the cryptographic key used during that computation. One of the most infamous timing attacks rests on the fact that the running time of the naive square-and-multiply algorithm used in textbook implementations of RSA modular exponentiation depends linearly on the number of "1" bits in the exponent: every bit costs a squaring, and every "1" bit costs an additional multiplication. An attacker can calibrate this relation by timing the computation for RSA keys of known Hamming weight, and can then estimate the number of "1" bits in an unknown RSA key stored in a hardware crypto device simply by measuring how long the code takes to run. While most hardware crypto implementations today are constant-time, for example using a Montgomery ladder that performs the same operations for every bit, timing attacks are still actively used, most visibly in time-based blind SQL injection, where a deliberately slow query reveals one bit of the answer at a time.
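To make the leak concrete, here is an added example (not code from the original article) that counts the modular multiplications performed by textbook square-and-multiply versus a Montgomery ladder for two 8-bit exponents of minimum and maximum Hamming weight. The base 3 and modulus 1000003 are arbitrary constructed values; the operation counts stand in for the execution time an attacker would measure.

```python
# Added example (not from the original article): counting the operations a
# naive square-and-multiply exponentiation performs versus a Montgomery
# ladder, to show why the former leaks the exponent's Hamming weight.

def square_and_multiply(base, exp, mod):
    """Textbook left-to-right square-and-multiply.

    Returns (base**exp mod mod, number of modular multiplications performed).
    Every bit costs one squaring; every '1' bit costs one extra multiply, so
    the count is bit_length + hamming_weight: it leaks the key's weight.
    """
    result = 1
    mults = 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        mults += 1
        if bit == "1":
            result = (result * base) % mod
            mults += 1
    return result, mults


def montgomery_ladder(base, exp, mod):
    """Montgomery ladder: exactly two multiplications per bit, whatever the bit.

    The operation count no longer depends on the Hamming weight. The 'if'
    below still branches on a secret bit; a real constant-time implementation
    replaces it with a constant-time conditional swap, and Python's big
    integers are not constant-time anyway. The point here is the count only.
    """
    r0, r1 = 1, base % mod
    mults = 0
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        else:
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        mults += 2
    return r0, mults


def infer_hamming_weight(op_count, bit_length):
    """What the attacker computes from a calibrated timing of the naive code:
    operations minus bit length = number of '1' bits in the secret exponent."""
    return op_count - bit_length


def demo(mod=1000003):
    # Two constructed 8-bit exponents of minimum and maximum Hamming weight.
    keys = {"light": 0b10000000, "heavy": 0b11111111}
    out = {}
    for name, key in keys.items():
        _, naive_ops = square_and_multiply(3, key, mod)
        _, ladder_ops = montgomery_ladder(3, key, mod)
        out[name] = (naive_ops, ladder_ops,
                     infer_hamming_weight(naive_ops, key.bit_length()))
    return out


if __name__ == "__main__":
    for name, (naive_ops, ladder_ops, weight) in demo().items():
        print(f"{name}: naive={naive_ops} ops, ladder={ladder_ops} ops, "
              f"inferred weight={weight}")
```

The naive routine needs 9 operations for the weight-1 key and 16 for the weight-8 key, while the ladder needs 16 for both; subtracting the known bit length from the naive count recovers the weight exactly.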
Privacy Pass, an open-source browser extension, was a step in the right direction, keeping privacy at its core. It avoids repeated CAPTCHA challenges by using a set of tokens (passes). Here is how it works. Users install the Privacy Pass extension for Chrome or Firefox, and the Privacy Pass icon appears in the browser. When they visit a CAPTCHA-protected website and solve the challenge, they are granted 30 tokens, which are stored in the extension for future use. When the user visits another protected page, the extension spends one of these tokens instead of presenting a new CAPTCHA. The important part is that each token goes through a cryptographic process known as "blinding" that shields the user's privacy: the issuer signs a blinded value, so the token redeemed later cannot be linked to the CAPTCHA solve that produced it. ... Google has recently started developing a Trust Token API. It was developed as a substitute for third-party cookies in fighting fraud in online advertising by distinguishing bots from humans. Google Trust Tokens are intended to tell bots from real humans and to make third-party cookies obsolete in Google Chrome.
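The following is an added example, not Privacy Pass's own code, showing the issue-and-redeem flow described above with textbook RSA blind signatures so that the unlinkability is visible. Real Privacy Pass deployments use a VOPRF or RSA-PSS blind signatures with proper hashing; here the key is a toy built from two Mersenne primes (an assumption made so the example runs without a crypto library), the token values are random integers, and the `Issuer`, `Client` and `unlinkable` names are this example's own. It needs Python 3.8+ for `pow(x, -1, n)`.

```python
# Added example (not Privacy Pass's own code): a toy blind-token flow in the
# style of Privacy Pass, using textbook RSA blind signatures to show what
# "blinding" buys. For illustration only; not a secure construction.
import secrets
from math import gcd

# Toy RSA key from two Mersenne primes (~92-bit modulus): runs without any
# crypto library, and is useless for real security.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; needs Python 3.8+


class Issuer:
    """The CAPTCHA provider: signs blinded tokens, later accepts each once."""

    def __init__(self):
        self.blinded_seen = []   # everything the issuer sees at issuance time
        self.redeemed = set()    # spent tokens, to stop double-spending

    def sign_blinded(self, blinded):
        # Called after the user solved a CAPTCHA. The issuer signs a value it
        # cannot relate to any token it will later be shown.
        self.blinded_seen.append(blinded)
        return pow(blinded, D, N)

    def redeem(self, token, signature):
        # Accept only a valid signature on a token not spent before.
        if pow(signature, E, N) != token % N:
            return False
        if token in self.redeemed:
            return False
        self.redeemed.add(token)
        return True


class Client:
    """The browser extension: generates tokens, blinds them, unblinds the result."""

    def request_tokens(self, issuer, count=30):
        tokens = []
        for _ in range(count):
            token = secrets.randbelow(N - 2) + 2
            # The blinding factor r must be invertible mod N.
            while True:
                r = secrets.randbelow(N - 2) + 2
                if gcd(r, N) == 1:
                    break
            blinded = (token * pow(r, E, N)) % N
            blind_sig = issuer.sign_blinded(blinded)
            # Unblind: token^d * r^(e*d) * r^-1 = token^d mod N.
            signature = (blind_sig * pow(r, -1, N)) % N
            tokens.append((token, signature))
        return tokens


def unlinkable(issuer, tokens):
    """True if no redeemed token value ever crossed the issuer's desk at
    issuance, i.e. issuance and redemption cannot be correlated."""
    return all(t not in issuer.blinded_seen for t, _ in tokens)


if __name__ == "__main__":
    issuer, client = Issuer(), Client()
    tokens = client.request_tokens(issuer, 30)   # one CAPTCHA solve, 30 passes
    token, sig = tokens[0]
    print("first redeem accepted:", issuer.redeem(token, sig))
    print("replay accepted:", issuer.redeem(token, sig))
    print("unlinkable:", unlinkable(issuer, tokens))
```

The issuer only ever records blinded values, so the 30 tokens it later accepts cannot be matched back to the CAPTCHA solve; the `redeemed` set is what prevents a token from being spent twice.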
Without fully addressing the underlying issue, companies virtually guarantee that the same problem, or a similar one, will recur. Failing to identify the root cause often prevents a durable fix. Companies also lose the opportunity to proactively improve application code or infrastructure based on real-world experience and issues. Postmortems may only result in reviews of monitoring and observability solutions and the inevitable updates to alert rules. Most DevOps professionals not only understand but have lived through these frustrations on an ongoing basis, and management then wonders why their systems are so unstable. Changing the model for incident management has been limited by overriding urgency combined with short-staffed, overworked teams. Although AI and machine learning have been positioned as the panacea for nearly every kind of technical ill, this is a clear case where "machines" could fundamentally enhance human efforts to improve the situation. The best troubleshooters exhibit a combination of instinct, experience and patience to carefully sift through reams of data, spotting unusual events and their correlation with bad outcomes.
Technology innovation is constantly moving forward, so don’t think single cloud, even though a single cloud might feel like it saves time. Internal application teams, and the databases and tools they leverage for data-rich applications, need to support multiple clouds. Take a long-term view towards resiliency: you might need to leverage multiple clouds for scale, or in times of duress for critical applications. Your strategy needs to work across multiple clouds; while you should pick the platform that suits your immediate needs, keep flexibility in mind so that you are able to pick another cloud further down the line. The cloud now has very clear standards as defined by the Cloud Native Computing Foundation (CNCF), and you should demand the same of your database. Many proprietary innovations are now becoming open source and standards across multiple cloud vendors. A perfect example of this is Kubernetes, which Google open-sourced in 2014, drawing on more than a decade of running containers internally. Stick to the standards, reduce custom development, and set yourself up for multi-cloud success. We have a lot to thank the cloud platform vendors, including Amazon, Google, Microsoft and others, for.
One of the biggest mistakes companies make when trying to automate their processes is thinking that technology, in and of itself, is the answer. As a result, they buy subscriptions to software tools they never end up using, because they fail to integrate the tools into their existing organization and processes; between 32% and 41% of what a company spends on software internally is wasted for this reason. As AI continues to promise endless automation potential, this problem of "buying but failing to integrate" will likely accelerate: companies will buy tools they think will solve all their problems without taking the time to think deeply about how to integrate those tools into their existing systems and infrastructure. A decade ago, it was unfathomable for most companies to host their data in the public cloud. Today, not only is that conventional wisdom, but it is increasingly popular and expected. Netflix, for example, shows how companies can get through the long and arduous process of migrating to the cloud, a process that started in 2008 when Netflix "experienced a major database corruption."
Today, AI is deeply integrated into all aspects of our day-to-day lives. From chatbots, online shopping, smartphones and social networking to ride sharing, AI is being applied in the everyday apps we use. The huge amounts of data that all these apps gather about our likes and dislikes, our searches, our purchases, our movements and almost every aspect of our lives contribute further to advances in AI. All this data is used to train and fine-tune AI and ML models to learn and predict what we want with ever greater accuracy. ... AI is already being applied in healthcare, with chatbots providing real-time assistance to patients and models predicting ICU transfers or patient risks. It has huge potential to transform how we administer healthcare in the future. AI algorithms will enable healthcare providers to analyze data and tailor healthcare to each patient. ML algorithms will keep learning as they interact with training data, to provide precise and accurate clinical decisions with respect to patient diagnostics, treatment and care, and to predict patient outcomes. In the field of transportation, one area where AI will continue to make improvements is self-driving vehicles. Google and Tesla have already launched autonomous cars.
While most security practitioners know that accidental data exposure is a common cloud security issue, many do not know when it is happening to them. This was the crux of a talk by Jose Hernandez, principal security researcher, and Rod Soto, principal security research engineer, both with Splunk, who explored the ways corporate secrets are exposed in public repositories. In today's environments, credentials are everywhere: SSH key pairs, Slack tokens, IAM secrets, SAML tokens, API keys for AWS, GCP and Azure, and many others. A common risk scenario is credentials that are not properly protected and are left exposed, most often in a public repository; Bitbucket, GitLab and GitHub are the main public code repositories, with public Amazon S3 buckets and open databases the other usual sources. "If you are an attacker and you're trying to find somebody that, either by omission or neglect, embedded credentials that could be reused, these would be your sources of leaked credentials," Soto said, noting that such credentials help attackers pivot between endpoints and the cloud. Splunk researchers found 276,165 companies with leaked secrets on GitHub. ... More organizations have a "converged perimeter," a term he used to define environments with assets both behind an Internet gateway, such as DevOps and ITOps, and in the cloud.
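Finding such credentials before an attacker does is mostly pattern matching plus an entropy filter. The following is an added example, not the Splunk researchers' tooling, that scans a few constructed config lines for the well-known token formats named above (AWS access key IDs, Slack bot tokens, GitHub personal access tokens, private-key headers) and flags any other quoted, high-entropy value assigned to a secret-looking name. The sample lines, the pattern names and the 3.5 bits-per-character threshold are this example's own choices; the AWS key ID used is AWS's documented placeholder, and the other tokens are made up to match the public prefix formats.

```python
# Added example (not the researchers' own tooling): a minimal secret scanner
# combining known-format signatures with a Shannon-entropy check.
import math
import re

# Known credential formats. The prefixes (AKIA, ghp_, xox?-) are the publicly
# documented token layouts; the exact regexes are this example's own.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Catch-all: a secret-looking name assigned a quoted value of 20+ chars.
# Only reported when the value's entropy is high, to skip placeholders.
GENERIC = re.compile(
    r"(?i)(?:secret|token|password|api[_-]?key|key)\s*[:=]\s*[\"']([A-Za-z0-9+/=_\-]{20,})[\"']"
)


def shannon_entropy(s):
    """Bits per character; a 24-char string of distinct chars scores log2(24)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text, entropy_threshold=3.5):
    """Return [(line_no, kind, matched_value)] for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((lineno, kind, m.group(0)))
                hit = True
        if hit:
            continue  # a known format already explains this line
        m = GENERIC.search(line)
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append((lineno, "high_entropy_secret", m.group(1)))
    return findings


# Constructed sample: a .env-style file as it might be committed by mistake.
SAMPLE = """\
# constructed .env / config lines for the example
LOG_LEVEL = "debug"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
SLACK_BOT_TOKEN="xoxb-123456789012-abcdefghijkl"
GITHUB_TOKEN="ghp_0123456789abcdefghijklmnopqrstuvwxyz"
-----BEGIN RSA PRIVATE KEY-----
API_TOKEN = "q7Zr2pLm9XkT4vBn8WcY1sHd"
EXAMPLE_KEY = "aaaaaaaaaaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE):
        print(f"line {lineno}: {kind}: {value}")
```

The last sample line shows why the entropy filter matters: `EXAMPLE_KEY` matches the generic name pattern, but its all-`a` value has zero entropy and is not reported, whereas the random-looking `API_TOKEN` value is. In practice the scan would be run over every commit in a repository's history, not just the current tree, since a secret deleted in a later commit is still in the clone.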
Quote for the day:
"I think leadership's always been about two main things: imagination and courage." -- Paul Keating