Author: Evan Schuman

Will new EU crypto rules change how ransomware is played?

Cryptocurrency has always been the payment method of choice for bad guys. Get hit with an enterprise ransomware attack and plan to pay? You’ll need crypto. The key reason cyberthieves love cryptocurrency so much is that it is far harder to trace payments. 

That is why a move being attempted by the European Union has so much potential. The EU — in a move that will likely be mimicked by many other regional regulatory forces, including in the United States — is putting in place tracking requirements for all cryptocurrency. 

If it is successful, and the EU has an excellent track record on precisely these kinds of changes, cryptocurrency may quickly fade as the thief’s payment of choice.

To read this article in full, please click here

Microsoft backs off facial recognition analysis, but big questions remain

Microsoft is backing away from its public support for some AI-driven features, including facial recognition, and acknowledging the discrimination and accuracy issues these offerings create. But the company had years to fix the problems and didn’t. That's akin to a car manufacturer recalling a vehicle rather than fixing it.

Despite concerns that facial recognition technology can be discriminatory, the real issue is that results are inaccurate. (The discriminatory argument plays a role, though, due to the assumptions Microsoft developers made when crafting these apps.)

Let’s start with what Microsoft did and said. Sarah Bird, the principal group product manager for Microsoft's Azure AI, summed up the pullback last month in a Microsoft blog

To read this article in full, please click here

Google’s open-source security move may be pointless. In a perfect world, it should be.

One of the bigger threats to enterprise cybersecurity involves re-purposed third-party code and open-source code, so you'd
think Google's Assured Open Source Software service would be a big help.

Think again.

Here’s Google’s pitch: “Assured OSS enables enterprise and public sector users of open source software to easily incorporate the same OSS packages that Google uses into their own developer workflows. Packages curated by the Assured OSS service are regularly scanned, analyzed, and fuzz-tested for vulnerabilities; have corresponding enriched metadata incorporating Container/Artifact Analysis data; are built with Cloud Build including evidence of verifiable SLSA-compliance; are verifiably signed by Google; and are distributed from an Artifact Registry secured and protected by Google.”

To read this article in full, please click here

DOJ reverses itself, says good-faith security researchers should be left alone

In a move that could have a major impact on enterprise penetration testing and other cybersecurity tactics, the US Department of Justice last Thursday reversed one of its own policies by telling prosecutors not to prosecute anyone involved in “good-faith security research.”

This is one of those common-sense decisions that makes me far more interested in exploring the original DOJ policy (set in 2014, during the Obama era). 

The underlying law at issue is the Computer Fraud and Abuse Act, which made it illegal to access a computer without proper authorization. It was passed in 1986 and has been updated several times since then.

To read this article in full, please click here

Think the video call mute button keeps you safe? Think again

Have you recently been on a video confefence call, hit the "mute" button and then offered up some nasty comments about a client or a colleague — or even the boss?

Or maybe while in a conference room with colleagues — muted — and pointed out that some proposed action would violate the terms of a secret acquisition in its final stages?

If you were comfortable that the mute button was actively protecting your secret, you shouldn't have been.

Thanks to some impressive experimentation and research from a group of academics at the University of Wisconsin-Madison and Loyola University Chicago, utterances made while the app is in mute are still captured and saved into RAM.

To read this article in full, please click here

Apple quietly stops meaningful auto-updates in iOS

In the mobile world pitting Apple’s iOS devices against Google’s Android devices, Apple has historically had one distinct advantage: patches and updates.

Given the fragmented nature of Android (hundreds of handset manufacturers versus just one for iOS), it is simply far easier for Apple to quickly and efficiently push out updates in a way that allows a large percentage of users get updates quickly. That has been true regardless of whether its new functionality or a critical security patch.

So what's the problem? Craig Federighi, Apple’s senior vice president of software engineering, has quietly said that Apple has dramatically slowed down auto updates — by as much as a month.

To read this article in full, please click here

Apple quietly stops meaningful auto-updates in iOS

In the mobile world pitting Apple’s iOS devices against Google’s Android devices, Apple has historically had one distinct advantage: patches and updates.

Given the fragmented nature of Android (hundreds of handset manufacturers versus just one for iOS), it is simply far easier for Apple to quickly and efficiently push out updates in a way that allows a large percentage of users get updates quickly. That has been true regardless of whether its new functionality or a critical security patch.

So what's the problem? Craig Federighi, Apple’s senior vice president of software engineering, has quietly said that Apple has dramatically slowed down auto updates — by as much as a month.

To read this article in full, please click here

The Russian cyberattack threat might force a new IT stance

There’s a lot of fear of possible Russian cyberattacks stemming from Russia’s attempted takeover of Ukraine. Perhaps the biggest worry —and quite possibly the most likely to materialize — is that these cyberattacks will likely be finely tuned as retaliation for US financial moves against the Russian economy. 

The cyberattacks would be designed not to steal money or data per se, but to harm the US economy by strategically hitting major players in key verticals. In other words, the Russian government might say, “You hurt our economy and our people? We’ll do the same to you.”

Thus far, there’s no evidence of any large-scale attack, but one could be launched at any time. 

To read this article in full, please click here

When should the data breach clock start?