Train, train, train – then expect failure?
Cybercriminals count on human interaction in 99% of attacks, research shows
Cybercrooks exploit human flaws in about 99% of their attacks, using social engineering across email, cloud applications and social media to gain a foothold in a targeted infrastructure, new research shows. Almost all cyber-attacks begin with luring employees into clicking on malicious content.
Cybercriminals target mainly people, rather than systems, to install malware, steal data or initiate fraudulent transactions, according to Proofpoint’s 2019 Human Factor report.
You can insure anything, but you have to define “anything” rather exactly.
On Cybersecurity Insurance
Good paper on cybersecurity insurance: both the history and the promise for the future. From the conclusion:
Policy makers have long held high hopes for cyber insurance as a tool for improving security. Unfortunately, the available evidence so far should give policymakers pause.
Having done a bit of web scraping myself, I’m pleased to see formal vindication.
Appeals court rules web scraping doesn’t violate anti-hacking law
arstechnica: “Scraping a public website without the approval of the website’s owner isn’t a violation of the Computer Fraud and Abuse Act, an appeals court ruled on Monday. The ruling comes in a legal battle that pits Microsoft-owned LinkedIn against a small data-analytics company called hiQ Labs. HiQ scrapes data from the public profiles of LinkedIn users, then uses the data to help companies better understand their own workforces. After tolerating hiQ’s scraping activities for several years, LinkedIn sent the company a cease-and-desist letter in 2017 demanding that hiQ stop harvesting data from LinkedIn profiles. Among other things, LinkedIn argued that hiQ was violating the Computer Fraud and Abuse Act, America’s main anti-hacking law. This posed an existential threat to hiQ because the LinkedIn website is hiQ’s main source of data about clients’ employees. So hiQ sued LinkedIn, seeking not only a declaration that its scraping activities were not hacking but also an order banning LinkedIn from interfering. A trial court sided with hiQ in 2017. On Monday, the 9th Circuit Appeals Court agreed with the lower court, holding that the Computer Fraud and Abuse Act simply doesn’t apply to information that’s available to the general public…”
(Related)
Capital One Hack Prosecution Raises New and Old Questions about Adequacy of CFAA
…
While Congress has made periodic amendments, the CFAA is outdated and has failed to maintain pace with advances in technology. The antiquated provisions of the CFAA create challenges for prosecutors. For example, the prosecution of Sergey Aleynikov, a former high-frequency trader at Goldman Sachs, hit a snag when the trial court dismissed a CFAA charge—holding that Section 1030 does not criminalize actions taken by an employee who had permissible access to information that the employee subsequently misappropriates (“In short, unless an individual lacks authorization to access a computer system, or exceeds the authorization that has been granted, there can be no violation of § 1030(a)(2)(C).”). Similarly, in the so-called “cannibal cop” prosecution, the Second Circuit held that a person cannot be prosecuted under the CFAA when the person has approved access to information, yet accesses the information with an improper motive.
Can we still use biometrics for security? Stay tuned! Consent is not enough?
Swedish GDPR Fine Highlights Legal Challenges in Use of Biometrics
In late August 2019, the Swedish data protection regulator issued its first ever fine under the General Data Protection Regulation (GDPR). The fine was for 200,000 Swedish Krona, which is just over $20,700.
The action was brought against the Skelleftea municipality, where a local school had run a trial facial biometric recognition system to track 22 students for a period of three weeks. The school had obtained the consent of both the students and their parents, and the trial was intended to improve school administration. The trial was a success, and the school had planned to expand the trial before the regulator stepped in and blocked it.
The regulator's decision was that the consent obtained did not satisfy GDPR consent requirements. According to the European Data Protection Board's commentary on the incident, "consent was not a valid legal basis given the clear imbalance between the data subject [the students] and the controller [the school]." The wider question for business and security is whether this same 'imbalance' also exists between employee and employer.
It appears that it does, making the required use of biometrics (which is defined as personal data, in fact, a 'special category' of personal data) for purposes of authentication and access potentially problematic throughout Europe. This would also apply to the European offices of American companies.
(Related)
“I hate guns!” Lizzy Borden
Madison Carter reports:
The Lockport City School District began classes last week — without its long discussed AEGIS facial recognition technology in place.
The State Department of Education told the district to hold off on installing the system while more questions were answered about its use and scope.
Superintendent Michelle Bradley told our 7 Eyewitness News I-Team that as of right now, the system is set to be implemented tracking only guns, not faces at all.
“Oh wow, you’re going to rat me out? I better get my spin version out there fast!”
Facebook warns about iPhone privacy change that could unsettle Facebook users
Less than two weeks before a likely iOS software update that will give iPhone users regular pop-ups telling them which apps are collecting location information in the background, Facebook has published a blog post about how the Facebook app uses location data.
The blog post appears to be a way to get out in front of software changes made by Apple and Google that could unsettle Facebook users given the company’s poor reputation for privacy.
Can you be Buddhist if you have no navel to contemplate?
Robot priests can bless you, advise you, and even perform your funeral
…
For now, Mindar is not AI-powered. It just recites the same preprogrammed sermon about the Heart Sutra over and over. But the robot’s creators say they plan to give it machine-learning capabilities that’ll enable it to tailor feedback to worshippers’ specific spiritual and ethical problems.
“This robot will never die; it will just keep updating itself and evolving,” said Tensho Goto, the temple’s chief steward. “With AI, we hope it will grow in wisdom to help people overcome even the most difficult troubles. It’s changing Buddhism.”
I could see using this technology to find parts for all my old appliances.
Syte snaps up $21.5M for its smartphone-based visual search engine for e-commerce
Visual search has become a key component for how people discover products when buying online: If a person doesn’t know the exact name of what he or she wants, or what they want is not available, it can be an indispensable tool for connecting them with things they might want to buy.
… Syte’s approach is notable in how it engages shoppers in the process of the search. Users can snap pictures of items that they like the look of, which can then be used on a retailer’s site to find compatible lookalikes. Retailers, meanwhile, can quickly integrate Syte’s technology into their own platforms by way of an API.
Geek tools. At some point these could be mandatory.
AI-powered code review now available for Visual Studio Code
DeepCode is bringing its AI-powered code review capabilities to Visual Studio Code. The company announced an open-source extension that will enable developers to use DeepCode to detect bugs and issues in Visual Studio Code.
DeepCode is designed to alert users about critical vulnerabilities and avoid bugs going into production. It uses a machine learning bot to continuously learn from bugs and issues, and determine the intent of code. The bot is currently free to enterprise teams of up to 30 developers.
Maybe “other people” means students?