Monday, April 08, 2019

Use this as a negative model for security. Does your policy address everything and do your procedures make certain your policy is followed?
So the Congressional report on Equifax’s massive 2017 data breach was released. The title gives you a clue as to what you can expect to read in it:
HOW EQUIFAX NEGLECTED CYBERSECURITY AND SUFFERED A DEVASTATING DATA BREACH
STAFF REPORT
PERMANENT SUBCOMMITTEE ON INVESTIGATIONS
UNITED STATES SENATE
You can access the whole report on the Senate’s web site, here. I’ve also made a copy available on this site.


(Related)
Take a look at a credit report from one of the big three credit reporting agencies, and you’re likely to see certain types of accounts listed: credit cards, mortgages, car payments, and student loans, for instance.
How you pay those bills impacts the credit score that lenders use to determine how risky you are. But other types of accounts don’t generally show up on your traditional credit report. Those include phone and electric bills, rent, and payments to many types of credit providers such as payday lenders, rent-to-own stores, and online personal lenders.
The country’s biggest credit bureaus—Experian, Equifax, and TransUnion—are trying to change that. As part of a growing push to expand the population to whom lenders can offer loans, the companies are helping lead an industry push to gather “alternative” credit data, in what’s been called one of the biggest changes to credit scoring in years.




Do you rely on a computer to monitor and adjust your machines? What if these are proof-of-concept attacks, gathering a portfolio of systems an aggressor could take down in the first seconds of a cyber war?
Most OT Organizations Hit by Damaging Cyberattacks: Survey
A majority of organizations that have operational technology (OT) infrastructure experienced at least one damaging cyberattack in the past two years, according to a survey conducted by Ponemon Institute and Tenable.
The report shows that 90% of respondents admitted suffering at least one damaging cyberattack in the past two years, and nearly two-thirds were hit at least two times. These statistics include attacks on IT systems, which are still relevant as attackers may be able to move from IT to OT systems.
Half of respondents said they had experienced an attack on their OT infrastructure that resulted in downtime of the plant and/or operational equipment. Many organizations also admitted suffering significant business disruptions and downtimes as a result of cyberattacks.
Furthermore, nearly a quarter of respondents believed they had been targeted by a nation-state actor.




Why two-factor authentication is better.
FOOLING FINGERPRINT SCANNERS WITH A RESIN PRINTER
Biometrics have often been used as a form of access control. While this was initially limited to bank vaults in Hollywood movies, it’s now common to see such features on many laptops and smartphones. Despite the laundry list of reasons why this is a bad idea, the technology continues to grow in popularity. [darkshark] has shown us an easy exploit, using a 3D printer to fool the Galaxy S10’s fingerprint scanner.
The Galaxy S10 is interesting for its use of an ultrasonic fingerprint sensor, which continues the push in phone hardware development toward minimal-to-no bezels by placing the sensor below the screen. The sensor is looking for the depth of the ridges of your fingerprint, while the touchscreen verifies the capacitive presence of your meaty digit. This hack satisfies both of those checks.




What if your decrypted data still looked like gibberish?
Orin Kerr writes:
I am pleased to say that the Texas Law Review has published the final version of my article on how the Fifth Amendment applies to compelling a person to enter a password: Compelled Decryption and the Privilege Against Self-Incrimination. This article has roots in some blog posts that I wrote here at the Volokh Conspiracy a few years ago. Given the recurring and difficult nature of the question, I decided to expand considerably on the posts by writing the full article. It’s still relatively short by law review article standards, though, at a relatively svelte 33 pages.
Here’s the abstract:
This Essay considers the Fifth Amendment barrier to orders compelling a suspect to enter in a password to decrypt a locked phone, computer, or file. It argues that a simple rule should apply: an assertion of privilege should be sustained unless the government can independently show that the suspect knows the password. The act of entering a password is testimonial, but the only implied statement is that the suspect knows the password. When the government can prove this fact independently, the assertion is a foregone conclusion and the Fifth Amendment poses no bar to the enforcement of the order. This rule is both doctrinally correct and sensible policy. It properly reflects the distribution of government power in a digital age when nearly everyone is carrying a device that comes with an extraordinarily powerful lock.
Read more of his post on Reason.com.




An expansion of the GDPR or a replacement?
Why the UK is moving to regulate the internet
In a world first, the UK has published a blueprint for new legislation that will hold tech companies to account and protect those using their platforms.
The online world is changing rapidly, and it needs an independent regulator. It will enforce a new legal obligation for online platforms to exercise a duty of care to their users. This means that companies will have a responsibility to take reasonable and proportionate steps to protect their users from harm. It is similar to the principle that when you take your child to a playground, you trust that the builder made sure the equipment was safe and that no harm will come to them. Why should it be any different online?




A source of GDPR integration wisdom?
Let’s start this week with some positive news. From the Information Commissioner’s Office in the UK:
Recognising the increasingly vital role played by professionals working in the sector, the second ICO Practitioner Award for Excellence in Data Protection was presented to Mikko Niva, Group Policy Officer at Vodafone Group Services Ltd based in London.
Chosen by an independent panel, Mr Niva has been recognised for delivering a pioneering global privacy compliance programme for Vodafone across 21 different countries, and for being a constant advocate for information and privacy rights.
Paul Jordan, Managing Director Europe at the International Association of Privacy Professionals (IAPP), who was one of the judges, said:
This year nominations were all of high calibre, having done some really great GDPR integration work for their respective organizations and stakeholders;
Source: INFORMATION COMMISSIONER’S OFFICE




Seems like a lot of thought.
Aspen Institute – Automation and a Changing Economy
Automation is an important ingredient driving economic growth and progress. Automation has enabled us to feed a growing population while allowing workers to transition from subsistence farming to new forms of work. Automation helped move us from a craft system to mass production, from blue-collar to white-collar to “new collar” work—with better work, higher wages, more jobs, and better living standards.
But without adequate policies and institutions, automation can also have negative effects on individuals and communities. Emerging technologies—including artificial intelligence, machine learning, and advanced robotics—have the potential to automate many tasks currently performed by workers, leading to renewed questions over what the future holds for the American workforce. We must ensure the proper support structures are in place to promote opportunity and prosperity for all. Automation and a Changing Economy is divided into two sections: “Automation and a Changing Economy: The Case for Action” and “Policies for Shared Prosperity.”




I think they released these as a draft back in December. Maybe.
European Commission announces pilot program for AI ethics guidelines
Last summer, the commission appointed a group of independent experts to help develop a set of ethical guidelines. That group created seven general guidelines that were officially presented today and will be reviewed at a forum scheduled for tomorrow:
  1. Human agency and oversight: AI systems should enable equitable societies by supporting human agency and fundamental rights, and not decrease, limit or misguide human autonomy.
  2. Robustness and safety: Trustworthy AI requires algorithms to be secure, reliable and robust enough to deal with errors or inconsistencies during all life cycle phases of AI systems.
  3. Privacy and data governance: Citizens should have full control over their own data, while data concerning them will not be used to harm or discriminate against them.
  4. Transparency: The traceability of AI systems should be ensured.
  5. Diversity, non-discrimination and fairness: AI systems should consider the whole range of human abilities, skills and requirements, and ensure accessibility.
  6. Societal and environmental well-being: AI systems should be used to enhance positive social change and enhance sustainability and ecological responsibility.
  7. Accountability: Mechanisms should be put in place to ensure responsibility and accountability for AI systems and their outcomes.
The commission is seeking partners to test these guidelines and offer feedback. Details of how the pilots will work have yet to be announced.




Almost everyone hates social media. Almost everyone uses social media.
Poll: Americans give social media a clear thumbs-down
The American public holds negative views of social-media giants like Facebook and Twitter, with sizable majorities saying these sites do more to divide the country than unite it and spread falsehoods rather than news, according to results from the latest national NBC News/Wall Street Journal poll.
What’s more, six in 10 Americans say they don’t trust Facebook at all to protect their personal information, the poll finds.




For my Architecture students. How do we speed up change?
The First Law of Digital Innovation
By now, most of us have heard of Moore’s law.
The “law,” coined more than 40 years ago by Intel cofounder Gordon Moore, has helped to shape the pace of innovation for decades.
I’d like to propose a new law. It’s one I know to be true, and one that too many people forget. We can call it the first law of digital transformation. Or we can just call it George’s law. It goes like this:
Technology changes quickly, but organizations change much more slowly.




I’d call it fooling the censors. (YouTube video)
Manipulating the YouTube Algorithm – (Part 1/3)
Smarter Every Day – “This is video 1 of a 3 part series on Social Media Algorithm manipulation and countermeasures. Even if you’re aware of these issues, odds are your friends and parents are not. I’m hoping we can use this video series to educate an incredible amount of people about the realities of algorithmic manipulation online. The engineers tasked with working on these problems take their jobs very seriously and they are truly the unsung heroes in this fight…”




Cenosillicaphobia is the fear of an empty beer glass. Don't live in fear: go, get a beer.

