Quote for the day:
“Winners are not afraid of losing. But losers are. Failure is part of the process of success. People who avoid failure also avoid success.” -- Robert T. Kiyosaki
How Long Does It Take Hackers to Crack Modern Hashing Algorithms?

Because hashing algorithms are one-way functions, the only method to
compromise hashed passwords is through brute force techniques. Cyber attackers
employ special hardware like GPUs and cracking software (e.g., Hashcat,
L0phtcrack, John The Ripper) to execute brute force attacks at scale—typically
millions or billions of combinations at a time. Even with these sophisticated
purpose-built cracking tools, password cracking times can vary dramatically
depending on the specific hashing algorithm used and password length/character
combination. ... With readily available GPUs and cracking software, attackers
can instantly crack numeric passwords of 13 characters or fewer secured by
MD5's 128-bit hash; on the other hand, an 11-character password consisting of
numbers, uppercase/lowercase characters, and symbols would take 26.5 thousand
years. ... When used with long, complex passwords, SHA256 is nearly
impenetrable using brute force methods — an 11-character SHA256-hashed password
using numbers, upper/lowercase characters, and symbols takes 2052 years to
crack using GPUs and cracking software. However, attackers can instantly crack
nine-character SHA256-hashed passwords consisting of only numeric or lowercase
characters.
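The excerpt's point is that cracking time is a product of two things a defender controls: the size of the keyspace (charset raised to the length) and the cost of each guess (the hash function). The calculator below is an added example, not code from the article or from any cracking tool; the guess rates in ASSUMED_RATES are labelled order-of-magnitude placeholders, not the article's figures or a vendor benchmark, and the character classes are the ones the article names (digits, lower, upper, symbols).

```python
import string

# Character classes used to size the keyspace (the four the article refers to).
CLASSES = {
    "digits": set(string.digits),            # 10
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "symbols": set(string.punctuation),      # 32
}

# ASSUMED guess rates in hashes/second for one cracking rig. These are
# illustrative placeholders chosen to show the spread between a fast
# unsalted hash and a deliberately slow password hash; measure your own.
ASSUMED_RATES = {
    "md5": 1e11,
    "sha256": 1e10,
    "bcrypt(cost=12)": 1e4,
}


def charset_size(password: str) -> int:
    """Size of the union of character classes an attacker must assume.

    A password that uses only digits costs an attacker a 10-symbol alphabet;
    one that mixes all four classes forces a 94-symbol alphabet per position.
    """
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def keyspace(charset: int, length: int) -> int:
    """Number of candidate strings of exactly `length` over `charset` symbols."""
    return charset ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return space / guesses_per_second


def human_time(seconds: float) -> str:
    """Coarse, rounded label for a duration in seconds."""
    if seconds < 1:
        return "under a second"
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hours"
    if seconds < 365.25 * 86400:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / (365.25 * 86400):,.0f} years"


def estimate(password: str, algorithm: str) -> dict:
    """Keyspace and exhaustive-search time for a password under one algorithm."""
    charset = charset_size(password)
    space = keyspace(charset, len(password))
    secs = seconds_to_exhaust(space, ASSUMED_RATES[algorithm])
    return {"charset": charset, "keyspace": space,
            "seconds": secs, "label": human_time(secs)}


if __name__ == "__main__":
    # Constructed sample passwords matching the article's two shapes:
    # 13 digits versus 11 characters drawn from all four classes.
    for pw in ("1234567890123", "Tr0ub4dor&3"):
        for algo in ASSUMED_RATES:
            r = estimate(pw, algo)
            print(f"{pw:14} {algo:16} charset={r['charset']:3} "
                  f"keyspace={r['keyspace']:.2e} -> {r['label']}")
```

Two things the table makes visible that the prose does not: moving from digits to the full printable set multiplies the per-position work by roughly 9.4, so 11 mixed characters out-weigh 13 digits by many orders of magnitude, and switching the storage hash from MD5 to a slow, salted password hash (bcrypt, scrypt, Argon2) buys the same kind of multiplier without asking users for longer passwords. The rates are assumptions; the relationships between rows are not.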
Sharply rising IT costs have CIOs threading the needle on innovation

“Within two years, it will be virtually impossible to buy a PC, tablet, laptop,
or mobile phone without AI,” Lovelock says. “Whether you want it or not, you’re
going to get it sold to you.” Vendors have begun to build AI into software as
well, he says, and in many cases, charge customers for the additional
functionality. IT consulting services will also add AI-based services to their
portfolios. ... But the biggest expected price hikes are for cloud computing
services, despite years of expectations that cloud prices wouldn’t increase
significantly, Lovelock says. “For many years, CIOs were taught that in the
cloud, either prices went down, or you got more functionality, and occasionally
both, that the economies of scale accrue to the cloud providers and allow for at
least stable prices, if not declines or functional expansion,” he says. “It
wasn’t until post-COVID in the energy crisis, followed by staff cost increases,
when that story turned around.” ... “Generative AI is no longer seen as a
one-size-fits-all solution, and this shift is helping both solutions providers
and businesses take a more practical approach,” he says. “We don’t see this as a
sign of lower expectations but as a move toward responsible and targeted use of
generative AI.”
US takes aim at healthcare cybersecurity with proposed HIPAA changes

The major update to the HIPAA security regulations also requires healthcare
organizations to strengthen security incident response plans and procedures,
carry out annual penetration tests and compliance audits, among other measures.
Many of the proposals cover best practice enterprise security guidelines
foundational to any mature cybersecurity program. ... Cybersecurity experts
praised the shift to a risk-based approach covered by the security rule revamp,
while some expressed concerns that the measures might tax the financial
resources of smaller clinics and healthcare providers. “The security measures
called for in the proposed rule update are proven to be effective and will
mitigate many of the risks currently present in the poorly protected
environments of many healthcare payers, providers, and brokers,” said Maurice
Uenuma, VP & GM for the Americas and security strategist at data security
firm Blancco. ... Uenuma added: “The challenge will be to implement these
measures consistently at scale.” Trevor Dearing, director of critical
infrastructure at enterprise security tools firm Illumio, praised the shift from
prevention to resilience and the risk-based approach implicit in the rule
changes, which he compared to the EU’s recently introduced DORA rules for
financial sector organizations.
Risk resilience: Navigating the risks that boards can’t ignore in 2025

The geopolitical landscape is more turbulent than ever. Companies will need to
prepare for potential shocks like regional conflicts, supply chain disruptions,
or even another pandemic. If geopolitical risks feel dizzyingly complex,
scenario planning will be a powerful tool in mapping out different political and
economic scenarios. By envisioning various outcomes, boards can better
understand their vulnerabilities, prepare tailored responses and enhance risk
resilience. To prepare for the year ahead, board and management teams should ask
questions such as: How exposed are we to geopolitical risks in our supply chain?
Are we engaging effectively with local governments in key regions? ... The
risks of 2025 are formidable, but so are the opportunities for those who lead
with purpose. With informed leadership and collaboration, we can navigate the
complexities of the modern business environment with confidence and resilience.
Resilience will be the defining trait of successful boards and businesses in the
years ahead. It requires not only addressing known risks but also preparing for
the unexpected. By prioritising scenario planning, fostering a culture of
transparency, and aligning risk management with strategic goals, boards can
navigate uncertainty with confidence.
Freedom from Cyber Threats: An AI-powered Republic on the Rise

Developing a resilient AI-driven cybersecurity infrastructure requires
substantial investment. The Indian government’s allocation of over ₹550 crores
to AI research demonstrates its commitment to innovation and data security.
Collaborations with leading cybersecurity companies exemplify scalable solutions
to secure digital ecosystems, prioritising resilience, ethical governance, and
comprehensive data protection. Research tools like the Gartner Magic Quadrant
also offer reliable and useful insights into the leading companies that offer
the best and latest SIEM technology solutions. Upskilling the workforce is
equally important. Training programs focused on AI-specific cybersecurity skills
are preparing India’s talent pool to tackle future challenges effectively. ...
Proactive strategies are essential to counter the evolution of cyber threats.
Simulation tools enable organizations to anticipate and neutralise potential
vulnerabilities. Now, cybersecurity threats can be intercepted by high-class
threat detection SIEM data clouds and autonomous threat sweeps. Advanced threat
research, conducted by dedicated labs within organisations, plays a crucial role
in uncovering emerging attack vectors and providing actionable insights to
pre-empt potential breaches.
Enterprises are hitting a 'speed limit' in deploying Gen AI - here's why

The regulatory issue, the report states, makes clear "respondents' unease about
which use cases will be acceptable, and to what extent their organizations will
be held accountable for Gen AI-related problems." ... The latest iteration was
conducted in July through September, and received 2,773 responses from "senior
leaders in their organizations and included board and C-suite members, and those
at the president, vice president, and director level," from 14 countries,
including the US, UK, Brazil, Germany, Japan, Singapore, and Australia, and
across industries including energy, finance, healthcare, and media and
telecom. ... Despite the slow pace, Deloitte's CTO is confident in the
continued development, and ultimate deployment, of Gen AI. "GenAI and AI broadly
is our reality -- it's not going away," writes Bawa. Gen AI is ultimately like
the Internet, cloud computing, and mobile waves that preceded it, he asserts.
Those "transformational opportunities weren't uncovered overnight," he says,
"but as they became pervasive, they drove significant disruption to business and
technology capabilities, and also triggered many new business models, new
products and services, new partnerships, and new ways of working and countless
other innovations that led to the next wave across industries."
NVMe-oF Substantially Reduces Data Access Latency

NVMe-oF is a network protocol that extends the parallel access and low latency
features of Nonvolatile Memory Express (NVMe) protocol across networked storage.
Originally designed for local storage and common in direct-attached storage
(DAS) architectures, NVMe delivers high-speed data access and low latency by
directly interfacing with solid-state disks. NVMe-oF allows these same
advantages to be achieved in distributed and clustered environments by enabling
external storage to perform as if it were local. ... Storage targets can be
dynamically shared among workloads, thus providing composable storage resources
that provide flexibility, agility and greater resource efficiency. The adoption
of NVMe-oF is evident across industries where high performance, efficiency and
low latency at scale are critical. Notable market sectors include: financial
services, e-commerce, AI and machine learning, and specialty cloud service
providers (CSPs). Legacy VM migration, real-time analytics, high-frequency
trading, online transaction processing (OLTP) and the rapid development of cloud
native, performance-intensive workloads at scale are use cases that have
compelled organizations to modernize their data platforms with NVMe-oF
solutions. Its ability to handle massive data flows with efficiency and
high-performance makes it indispensable for I/O-intensive workloads.
The crisis of AI’s hidden costs

Let me paint you a picture of what keeps CFOs up at night. Imagine walking into
a massive data center where 87% of the computers sit there, humming away, doing
nothing. Sounds crazy, right? That’s exactly what’s happening in your cloud
environment. If you manage a typical enterprise cloud computing operation, you
are wasting money. It’s not rare to see companies spend $1 million monthly on
cloud resources, with 75% to 80% of that amount going right out the window. It’s
no mystery what this means for your bottom line. ... Smart enterprises aren’t
just hoping the problem will disappear; they’re taking action. Here’s my advice:
Don’t rely solely on the basic tools offered by your cloud provider; they won’t
give you the immediate cost visibility you need. Instead, invest in third-party
solutions that provide a clear, up-to-the-minute picture of your resource
utilization. Focus on power-hungry GPUs running AI workloads. ... Rather than
spinning up more instances, consider rightsizing. Modern instance types offered
by public cloud providers can give you more bang for your buck. ... Predictive
analytics can help you scale up or down based on demand, ensuring you’re not
paying for idle resources. ... Be strategic and look at the bigger picture.
Evaluate reserved instances and savings plans to balance cost and
performance.
AI security posture management will be needed before agentic AI takes hold

We’ve run into these issues when most companies shifted their workloads to the
cloud. Authentication issues – like the dreaded S3 bucket that had a default
public setting and that was the cause of way too many breaches before it was
secure by default – became the domain of cloud security posture management
(CSPM) tools before they were swallowed up by the CNAPP acronym. Identity and
permission issues (or entitlements, if you prefer) became the alphabet soup of
CIEM (cloud identity entitlement management), thankfully now also under the
umbrella of CNAPP. AI bots will need to be monitored by similar toolsets, but
they don’t exist yet. I’ll go out on a limb and suggest SAFAI (pronounced
Sah-fy) as an acronym: Security Assessment Frameworks for AI. These would, much
like CNAPP tools, embed themselves in agentless or transparent fashion, crawl
through your AI bots collecting configuration, authentication and permission
issues and highlight the pain points. You’d still need the standard panoply of
other tools to protect you, since they sit atop the same infrastructure. And
that’s on top of worrying about prompt injection opportunities, which is
something you unfortunately have no control over as they are based entirely on
the models and how they are used.
Hackers Use Malicious PDFs, pose as USPS in Mobile Phishing Scam

The bad actors make the malicious PDFs look like communications from the USPS
that are sent via SMS text messages and use what the researchers called in a
report Monday a “never-before-seen means of obfuscation” to help them bypass
traditional security controls. They embed the malicious links in the PDF,
essentially hiding them from endpoint security solutions. ... The phishing
attacks are part of a larger and growing trend of what Zimperium calls
“mishing,” an umbrella word for campaigns that use email, text messages, voice
calls, or QR codes that exploit such weaknesses as unsafe user behavior and
minimal security on many mobile devices to infiltrate corporate networks and
steal information. ... “We’re witnessing phishing evolve in real time beyond
email into a sophisticated multi-channel threat, with attackers leveraging
trusted brands like USPS, Royal Mail, La Poste, Deutsche Post, and Australian
Post to exploit limited mobile device security worldwide,” Kowski said. “The
discovery of over 20 malicious PDFs and 630 phishing pages targeting
organizations across 50+ countries shows how threat actors capitalize on users’
trust in official-looking communications on mobile devices.” He also noted that
internal disagreements are hampering corporations’ ability to protect against
such attacks.
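The campaign hides its links inside PDF link annotations rather than in the message body, so a control that only inspects the SMS text sees nothing. The triage script below is an added example, not code from the report or from Zimperium; the PDF is constructed inline (the `.example` hostnames are placeholders, not real indicators), and the checks are the ordinary ones a defender would run on an attachment: pull out every `/URI` action, including ones written as PDF hex strings, flag hosts outside an allow-list, flag active-content keys, and say when compressed object streams make the file opaque to this kind of scan.

```python
import re
from urllib.parse import urlparse

# Constructed minimal PDF: one link annotation with a literal URI, one with
# the same kind of link written as a hex string, and an OpenAction that runs
# JavaScript. Hostnames are placeholders under the reserved .example TLD.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://usps-tracking.example/confirm) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]
   /A << /S /URI /URI <68747470733a2f2f622e6578616d706c65> >> >> endobj
6 0 obj << /S /JavaScript /JS (app.launchURL("https://usps-tracking.example/js")) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI written as a literal string: (...) with backslash escapes allowed.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# /URI written as a hex string: <...>, whitespace permitted between digits.
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# Dictionary keys that make a PDF do something instead of just display.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")
# If these are present, objects may live inside compressed streams that a
# raw byte scan cannot see; such a file needs a real PDF parser.
OPAQUE_MARKERS = (b"/ObjStm", b"/FlateDecode")


def _unescape(literal: bytes) -> str:
    """Drop PDF backslash escapes from a literal string."""
    return re.sub(rb"\\(.)", rb"\1", literal).decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """Every /URI target in the raw file, literal strings first, then hex strings."""
    uris = [_unescape(m.group(1)) for m in URI_LITERAL.finditer(pdf)]
    for m in URI_HEX.finditer(pdf):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:          # PDF pads an odd trailing digit with 0
            digits += b"0"
        uris.append(bytes.fromhex(digits.decode("ascii")).decode("latin-1"))
    return uris


def triage(pdf: bytes, trusted_domains=("usps.com",)) -> dict:
    """Summarise link targets, active content and scan blind spots for one file."""
    uris = extract_uris(pdf)
    findings = []
    for uri in uris:
        host = urlparse(uri).hostname or ""
        trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
        if not trusted:
            findings.append(f"link to untrusted host: {host}")
    for key in ACTIVE_KEYS:
        if key in pdf:
            findings.append(f"active content key {key.decode()}")
    opaque = any(marker in pdf for marker in OPAQUE_MARKERS)
    return {"uris": uris, "findings": findings, "opaque_streams": opaque}


if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    for uri in report["uris"]:
        print("URI:", uri)
    for finding in report["findings"]:
        print("FINDING:", finding)
    if report["opaque_streams"]:
        print("NOTE: compressed streams present; raw scan is incomplete")
```

The `opaque_streams` flag is the honest limit of a byte-level scan: a link stored in a Flate-compressed object stream, or assembled at runtime by JavaScript, will not appear in `uris`, which is exactly why the report's "obfuscation" defeats signature checks and why mobile attachments need a parser that decodes streams before the URL reputation lookup runs.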