Text authentication is even worse than almost anyone thought
For years, the key argument against relying on text message confirmations is
that they are susceptible to man-in-the-middle attacks, which is still true. But
this peek into the authorized infrastructure for text messages means that text
takeovers can happen far more simply. There are plenty of easily accessed apps
that make text-like authentication far more secure, including Google
Authenticator, Symantec's VIP Access, Adobe Authenticator, and Signal. Why risk
unencrypted, easily stolen texts for account access or anything else? For the
moment, let's set aside how relatively easy and low-cost it is to move to a more
secure version of text confirmations. Let's also, for the moment, set aside the
compliance and operational risks your team is taking by letting the enterprise
grant account access vis unencrypted texts. How about solely looking at the risk
and compliance implications of offering third-party access via unencrypted text
authentications? Remember this from the Vice piece: "The (attacker) sent login
requests to Bumble, WhatsApp, and Postmates, and easily accessed the accounts."
Once a bad guy takes control of a customer's texts, a vast domino effect kicks
in, where lots of businesses can be improperly accessed.
How to Mitigate Low-Code Security Risks
On the low-code spectrum, there is the attitude that “people aren’t really doing
mission-critical applications — they’re mainly doing prototyping, or back office
automations,” Wysopal said. Or, since low-code applications often do not
publicly expose an application, they are deemed low-risk and fall to the bottom
of the security team’s inbox and list of to-dos. “We’re still in a world where
people don’t secure all applications,” he said. However, these attitudes are a
bit short-sighted, since “applications aren’t islands,” Wysopal said. Even if
applications are intended for internal use only, phishing attempts could expose
credentials and gain access to the network. Here, attackers could leverage
sensitive resources or steal infrastructure for compute power. Thus, all
low-code users should be aware of potential threats and change habits to address
these risks accordingly. However, the onus is also on low-code vendors to
sufficiently arm their systems. Having a vulnerability disclosure, bounty
program and an easy means to accept bug reports from white hat security
researchers will be necessary to continually patch issues. Low-code continues to
permeate more and more digital operations, opening up novel potential for
citizen developers.
Smart cities are built on data
Cities must understand the full set of stakeholders who should be involved in
setting data governance policies. They include civic authorities, the public,
the private sector, technology providers and academic experts. Then they need to
look at smart city projects as an “integrated ecosystem,” which means using the
data for the collective benefit of the city, public and private sector, Chiasson
said. “In a lot of cases, the costs are concentrated, but the benefits are
diffuse,” he said. For instance, improving traffic flow would benefit many
stakeholders, but the cost tends to be concentrated with the agency paying for
sensors and algorithms. “Holistically tying that together … is the way you start
to have data that’s good and data that’s valuable,” Chiasson said. And valuable
means data that can be turned into usable information. For instance, a city may
have ridership and traffic data, but if they can’t use it to reduce emissions,
it’s not helpful. “Data is not information,” Dennis said. “Oftentimes, what
we’ll see is that there’s too much data and not enough ability for the city to
convert it into information holistically.” Urban SDK has a data specification
for smart cities that lets them aggregate data from a range of sources and
normalize it into one database. From there, the data can be analyzed into
information.
GAO warns on cyber risks to power grid
The country's electrical systems are increasingly susceptible to cyberattacks,
according to government auditors, and there is uncertainty about the extent to
which a localized attack might cascade through power distribution systems. A new
report from the Government Accountability Office examines the vulnerabilities of
electricity grid distribution systems, how some states and industry actions have
hardened those systems and the extent to which the Department of Energy has
addressed risks by implementing the national cybersecurity strategy. Government
and industry officials told GAO that a cyberattack on a grid distribution system
would likely have localized effects, but a coordinated attack could have
widespread consequences. However, the officials conceded that assumption is
based on their professional experience, GAO noted, and none of them were aware
of an assessment that confirmed their claims. "Moreover, three federal and
national laboratory officials told us that even if a cyberattack on the grid's
distribution systems was localized, such an attack could still have significant
national consequences, depending on the specific distribution systems that were
targeted and the severity of the attack's effects," according to the report.
Vaccinated Employees Returning with Un-Vaccinated Devices
With vaccines making their way throughout the country and lockdown restrictions
loosening up, a debate surrounding the office return emerges. Hybrid vs. remote
vs. full-time – every scenario is different, as well as the rules and
accommodations to make the return safe and productive for all. User systems will
be coming back as well, and their absence from the network could present new
challenges. In the vast majority of cases, computers and mobile devices have not
been on-premise for close to a year. Ever vigilant from a security perspective,
the best way to approach the “repatriation” of these systems onto the office
network is to regard them as potentially infected. At the very least, consider
that these devices are not in the same state as when they left. During this
time, the company office extended into the homes of employees, and the line
separating home from work was essentially diminished. ... Even with device
management in place, the potential for unaccounted change from field devices is
significant. Consider this both a threat and an opportunity. The first goal is
to ensure that workstations have been adequately patched and updated. Devices,
security software and applications must be validated and brought up-to-date
before actively working on networks hold sensitive, critical data.
Cyber threats, ongoing war for talent, biggest concerns for tech leaders
When it comes to talent, 44% of respondents said that finding enough qualified
employees to fill open positions is the biggest risk they face over the coming
year. An almost equal percentage say the task is just as difficult as it was a
year ago. To close the skills gap, companies said they are trying a variety of
strategies, including building flexible, on-the-job training opportunities
(61%); rewriting job descriptions or job titles (42%); creating an
apprenticeship program (39%); and eliminating requirements that applicants have
certain types of academic degrees (24%). Some other pathways to finding the
right talent: easing location restrictions; gamification of training; and
prioritizing the search for candidates with a diversity of career backgrounds.
In fact, nearly three-quarters of the respondents said that in the past year
they’ve filled open technology positions with candidates with liberal arts
degrees. An equal percentage have taken internal candidates from non-tech teams.
About half of tech leaders have hired people with no college degree at all. A
little over 60% of survey participants said their company is ahead of the curve
when it comes to investing in new technology, and 35% said they’re about
average.
When Every Millisecond Matters in IoT
It starts with a network of seismic sensors, which are used to detect the
P-waves, providing a ton of information that can be used to calculate the size
and location of the damaging earthquake. The data is distributed in real-time to
every subscribed party: emergency response, infrastructureand everyday users who
have the app installed. The next critical piece of technology is a real-time
network: a super-fast, low-latency and reliable infrastructure that is optimized
to broadcast small amounts of data to huge audiences of subscribers. This may
include both the earthquake data itself, as well as push notifications or alerts
specified by the app developer. This is where every millisecond matters, so
ensuring reliability at scale, even in unreliable environments, is mission
critical. When selecting a real-time network, whether you go with a hosted
service or build it yourself, app developers need to understand the underlying
technology, real-time protocols and other indicators of scalability. Lastly, you
need the application that connects your real-time IoT network to the deployed
sensors, where notifications are transmitted and the response is automated based
on incoming data.
What businesses need to know to evaluate partner cyber resilience
Protecting customer data is vital and now regulated in certain geographies with
the introduction and implementation of privacy laws like the GDPR and the CCPA.
Non-compliance with either of these regulations may result in large fines that
can pose a serious threat to business continuity depending on the size of the
company and violation. While the GDPR and the CCPA are the two of most
well-known regulations, at least 25 U.S. states have data protection laws, with
Virginia being the most recent to enact legislation. Legislation aside,
organizations must protect data and be able to recover it in the event of any
loss. Not being able to recover data, albeit at the fault of a partner, can
quickly propel an organization toward financial setbacks, damaged relationships
and diminished reputation. When it comes to evaluating a partner, ask them to
detail their backup strategy and policies. Regular infection simulations and
backup procedure tests are crucial in making sure you are prepared for a real
DEFCON scenario. Businesses must have endpoint security in place as
cybercriminals are constantly developing new ways to attack networks, take
advantage of employee trust and steal data. In traditional office building
settings, employees were better protected within the corporate network.
How one data scientist is pioneering techniques to detect security threats
It was all pretty accidental, not something I had planned. I did really well in
college—I was first in my class. And I finished in 2010, in the middle of the
Great Recession, which hit the Spanish labor market horribly. At that time, the
unemployment rate was 25 percent. The lucky ones, like people in engineering,
were getting job offers. But when you’re in technology, the only options in
Spain are to work for a consulting company or to do support or sales. There
weren’t any entry-level jobs in research and development. So, I started a
master’s with a group doing research on biometrics. The master’s was also in
computer science and very related to artificial intelligence and a lot of
interconnected fields like multimedia signal processing, computer vision, and
natural language processing. I did my thesis on statistics around forensic
fingerprints, and the probability of a random match between a latent fingerprint
found at a crime scene and a random person that could have been wrongly
convicted of that crime. ... One good approach is to find an internship that has
some connection between doing data science and security and fraud, even if it’s
just loosely related.
What To Expect From The New US-India Artificial Intelligence Initiative
India and the US can complement each other in this collaborative effort to
ensure equitable progress. “For the US, India represents a massive consumer
market – and one of the world’s largest troves of data. Technology firms in the
US accessing this data will be like energy firms finding oil in the Middle
East,” said Prakash. “For India, the US algorithms are solutions to a variety of
development challenges India faces, from bringing banking to hundreds of
millions of people to modernising the Indian military to offering healthcare to
the masses. At the same time, for US technology firms, India churns out massive
amounts of engineers and computer scientists – critical talent that these firms
need.” Another major reason for a partnership between India and the US is the
new geopolitical realities. China’s growing influence in the field of AI is a
pressing concern. “What India and the US bring to the table is what is a
supposedly democratic governance model of emerging technology, said Basu,
“Despite the change in administration from Trump to Biden, there are certain
things where there is continuity – like distrust in China and Chinese
technology....”
Quote for the day:
"Leadership is a dynamic process that
expresses our skill, our aspirations, and our essence as human beings." --
Catherine Robinson-Walker
