ZDNET

Private firms can’t protect us from digital attacks. Government must step in.

For the last 30 years, various forms of criminality and nation-state aggression against Americans and America have been a staple of daily life. Despite the efforts of a number of multibillion-dollar companies to protect us, they’ve failed to do so. The government must act.

Unless you’ve been living under a rock, you know that our digital infrastructure is under attack. ZDNet’s excellent security coverage has daily updates, usually with names I’ve never heard of before. As the ZDNet security tagline says, “Let’s face it. Software has holes. And hackers love to exploit them. New vulnerabilities appear almost daily.”

Sadly, that’s not hyperbole. “SolarWinds attack is not an outlier, but a moment of reckoning for security industry, says Microsoft exec” is a recent headline.

Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity, said,

“These attacks are going to continue to get more sophisticated. So we should expect that. This is not the first and not the last. This is not an outlier. This is going to be the norm. This is why what we do is more important than ever. I believe that SolarWinds is a moment of reckoning in the industry. This is not going to change and we have to do better as a defender community and we have to be unified in our responses.”

But Ms. Jakkal is wrong. Private enterprise can’t handle serious, nation state digital aggression. Nations have the resources and patience to pursue long term strategies. Even the largest corporations lack the heft of a nation.

Microsoft estimates that at least 1,000 engineers were needed to develop the SolarWinds hack. What company, what consortium of companies, could devote similar resources?

We don’t send defense contractors to fight wars. We send armed forces, backed by intelligence agencies and diplomacy – as well as the weapons defense contractors develop – to defeat the enemy.

Digital aggression is aggression

“Scale changes everything” is a Silicon Valley truism. Back when the Internet’s predecessor, ARPAnet, was five nodes, there was no money in digital crime.

Now the Internet is five billion nodes. Deep into the transition to a digital civilization, crime is following the money. The thieves, gangs, and nation-state bad actors are stealing everything that isn’t locked down: money, industrial secrets, intelligence assets, and personal data.

There’s no end in sight since “software engineering” is an oxymoron. As Randall Munroe had a software writer say on xkcd.com: “. . . our entire field is bad at what we do, and if you rely on us, everyone will die.” We don’t know how to build a digital dike that doesn’t leak. We can only plug holes after the bad guys find them.

Strategically, deterrence seems to be the only option for persuading nation states to back off. And only a strong nation can persuade another nation to chill, as the Cold War showed.

Today’s Internet also needs a police force. The Internet is borderless, so a global force is needed to bring the criminals to heel.

Despite massive private investment in digital security, the stakes keep rising and the hacks are getting worse. Private enterprise isn’t working. Private efforts to coordinate across organizations to record and analyze attacks are not enough.

Can the US government take this on?

Don’t reflexively dismiss the idea that government could handle this. Consider the US armed forces, the world’s most powerful fighting force: handsomely funded, well-trained, and constantly analyzing the threats America faces. That’s a blueprint for a US Digital Defense Force.

Perhaps you recoil at the thought of higher taxes to pay for the DDF. But the choice isn’t between no taxes and higher taxes. Criminals and nation-states – in Russia, they may be one and the same – are already collecting massive taxes to fund their aggression. The choice is essentially between paying for digital order and security, or paying the criminals.

The take

America’s adversaries are actively probing our infrastructure for vulnerabilities. America’s superiority in conventional forces – for now anyway – makes a big shooting war unlikely. But crippling America’s government, power, water, energy, and medical systems all at once would help even the odds if someone wanted to take us down.

The current model of digital security isn’t working, nor is there a plan to fix it. Sorry Microsoft, you – and the rest of the private firms – don’t have the chops to take on Russia, Iran, and North Korea.

We’ve been here before. London in the early 1800s was a city of 1.3 million people with no central police force. In 1829 Parliament established the Metropolitan Police to bring order and security. Private firms and wealthy individuals had guards, but that was not enough.

Like 1820s London, we need a well-funded and trained force to stop digital muggers, gangs, and conspiracies, whether private or nation sponsored. And we need our government to make it clear that countries that mess with our digital infrastructure will face painful consequences.

Comments welcome. If you don’t like the government idea, what would you do instead?

Source: https://www.zdnet.com/article/private-firms-have-failed-to-protect-our-digital-lives-we-need-the-government/

Even computer experts think ending human oversight of AI is a very bad idea

The UK government is thinking of scrapping the right to ask for a human to review decisions made entirely by AI systems, but some experts are warning that it is not the right way to go.

The right to a human review will become impractical and disproportionate in many cases as AI applications grow in the next few years, said a consultation from the UK government.

While the world’s largest economies are working on new laws to keep AI under control and avoid the technology creating unintended harms, the UK seems to be pushing for a rather different approach. The government has recently proposed to get rid of some of the rules that already exist to put brakes on the use of algorithms – and experts are now warning that this is a dangerous way to go.

In a consultation that was launched earlier this year, the Department for Digital, Culture, Media and Sport (DCMS) invited experts to submit their thoughts on some new proposals designed to reform the UK’s data protection regime.

Among those featured was a bid to remove a legal provision that currently enables citizens to challenge a decision that was made about them by an automated decision-making technology, and to request a human review of the decision.

The consultation determined that this rule will become impractical and disproportionate in many cases as AI applications grow in the next few years, and planning for the need to always maintain the capability to provide human review becomes unworkable.

But experts from the BCS, the UK’s chartered institute for IT, have warned against the proposed move to scrap the law.

“This rule is basically about attempting to create some kind of transparency and protection for the individuals in the decision making by fully automated processes that could have significant harms on someone,” Sam De Silva, partner at law firm CMS and chair of BCS’s law specialist group, tells ZDNet. “There needs to be some protection rather than rely on a complete black box.”

Behind the UK’s attempt to change the country’s data protection regulation lies a desire to break free from its previous obligation to commit to the EU’s General Data Protection Regulation (GDPR).

The “right to a human review”, in effect, constitutes the 22nd article of the EU’s GDPR, and as such has been duly incorporated into the UK’s own domestic GDPR, which until recently had to comply with the laws in place in the bloc.

Since the country left the EU, however, the government has been keen to highlight its newly found independence – and in particular, the UK’s ability to make its own rules when it comes to data protection.

“Outside of the EU, the UK can reshape its approach to regulation and seize opportunities with its new regulatory freedoms, helping to drive growth, innovation and competition across the country,” starts DCMS’s consultation on data protection.

Article 22 of the GDPR was deemed unsuitable for such future-proof regulation. The consultation recognizes that the safeguards provided under the law might be necessary in a select number of high-risk use cases – but the report concludes that as automated decision making is expected to grow across industries in the coming years, it is now necessary to assess whether the safeguard is needed.

A few months before the consultation was launched, a separate government taskforce came up with a similar recommendation, arguing that the requirements of article 22 are burdensome and costly, because they mean that organizations have to come up with an alternative manual process even when they are automating routine operations.

The taskforce recommended that article 22 be removed entirely from UK law, and DCMS confirmed in the consultation that the government is now considering this proposal.

According to De Silva, the motivation behind the move is economic. “The government’s argument is that they think article 22 could be stifling innovation,” says De Silva. “That appears to be their rationale for suggesting its removal.”

The consultation effectively puts forward the need to create data legislation that benefits businesses. DCMS pitched a “pro-growth” and “innovation-friendly” set of laws that will unlock more research and innovation, while easing the cost of compliance for businesses, and said that it expects new regulations to generate significant monetary benefits.

For De Silva, however, the risk of de-regulating the technology is too great. From recruitment to finance, automated decisions have the potential to impact citizens’ lives in very deep ways, and getting rid of protective laws too soon could come with dangerous consequences.

That is not to say that the provisions laid out in the GDPR are enough. Some of the grievances that are described in DCMS’s consultation against article 22 are legitimate, says De Silva: for example, the law lacks certainty, stating that citizens have a right to request human review when the decision is solely based on automated processing, without specifying at which point it can be considered that a human was involved.

“I agree that it’s not entirely clear, and it’s not a really well drafted provision as it is,” says De Silva. “My view is that we do need to look at it further, but I don’t think scrapping it is the solution. Removing it is probably the least preferable option.”

If anything, says De Silva, the existing rules should be changed to go even further. Article 22 is only one clause within a wide-ranging regulation that focuses on personal data – when the topic could probably do with its own piece of legislation.

This lack of scope can also explain why the provision lacks clarity, and highlights the need for laws that are more substantial.

“Article 22 is in the GDPR, so it is only about dealing with personal data,” says De Silva. “If we want to make it wider than that, then we need to be looking at whether we regulate AI in general. That’s a bigger question.”

A question likely to be on UK regulators’ minds, too. The next few months will reveal what answers they might have found, if any.

Source: https://www.zdnet.com/article/even-computer-experts-think-ending-human-oversight-of-ai-is-a-very-bad-idea/

National Australia Bank keeping staff connected with Google Pixel rollout

More than 2,000 Google Pixel devices were issued to NAB’s customer contact teams to enable them to support customers remotely.

When National Australia Bank (NAB) recently revised its device strategy to look at new ways it could support the mobility of its employees and reduce the time and cost of supporting legacy devices across multiple platforms, the big bank partnered with Google to issue more than 2,000 Pixel devices to its customer contact teams.

Each device, managed with Android Enterprise, was rolled out by Vodafone using “zero-touch” enrolment to set up the devices and configure each one with the necessary applications.

“With zero-touch enrolment, each Pixel setup was 20 minutes faster than our previous device enrolments, saving our IT team and colleagues over 500 hours during the initiative. With our communication and collaboration apps available right out of the box, our teams could get to work right away to help customers,” NAB Mobility manager Simon Thoday said.

Another consideration in the rollout was how customer data would remain secure; Thoday said Android Enterprise provided the answer to that question.

“Pixel security updates from Google provide a reliable cadence of ongoing protection as threats evolve, and the work profile hits the right balance between security and privacy for our teams,” Thoday said.

“Our contact centre teams use Pixel devices that are fully managed, which allows us to provide the necessary security controls, and wipe and re-enroll them when transferred to a new employee,” he said.

“Branch managers use Pixels with the work profile, separating work and personal applications. This gives employees the ability to use the device in a personal capacity while our IT team manages and ensures data security over the work profile.”

Additionally, with managed Google Play, NAB can assign the apps that are necessary on its managed devices.

“Providing our teams the flexibility to assign apps to the right teams is a major time saver and ensures everyone has the resources they need,” Thoday said.

“Branch managers can look up customer service records or answer a ping more quickly from their Pixel, instead of returning back to their desk and logging back on to their desktop computer. Android Enterprise has been a catalyst in a more mobile and responsive environment for our various teams.”

Earlier this month, the red and black bank completed its transition to TPG to deliver fixed and mobile network services across the bank.

The transition follows a deal struck between the two companies in September for the newly merged telecommunications giant to deliver fixed network services across NAB’s corporate offices, business banking centres, and branches, as well as providing mobile connectivity to the majority of the NAB workforce.

Vodafone delivered the solution to more than 80% of NAB’s mobile fleet across corporate offices and branches in metro and major regional areas. The company said Vodafone, alongside Google, would also be providing those who opt for a company phone with the Pixel 4a.

Source: https://www.zdnet.com/article/national-australia-bank-keeping-staff-connected-with-google-pixel-roll-out/

Crackonosh malware abuses Windows Safe mode to quietly mine for cryptocurrency

The malware is thought to have generated millions of dollars in just a few short years.

Researchers have discovered a strain of cryptocurrency-mining malware that abuses Windows Safe mode during attacks.

The malware, dubbed Crackonosh by researchers at Avast, spreads through pirated and cracked software, often found through torrents, forums, and “warez” websites.

After finding reports on Reddit of Avast antivirus users querying the sudden loss of the antivirus software from their system files, the team conducted an investigation into the situation, realizing it was due to a malware infection.

Crackonosh has been in circulation since at least June 2018. Once a victim executes a file they believe to be a cracked version of legitimate software, the malware is also deployed.

The infection chain begins with the drop of an installer and a script that modifies the Windows registry to allow the main malware executable to run in Safe Mode. The infected system is then set to boot into Safe Mode on its next startup.

“While the Windows system is in safe mode antivirus software doesn’t work,” the researchers say. “This can enable the malicious Serviceinstaller.exe to easily disable and delete Windows Defender. It also uses WQL to query all antivirus software installed: SELECT * FROM AntiVirusProduct.”

Crackonosh will scan for the existence of antivirus programs — including Avast, Kaspersky, McAfee’s scanner, Norton, and Bitdefender — and will attempt to disable or delete them. System log files are then wiped to cover its tracks.

In addition, Crackonosh will attempt to stop Windows Update and will replace Windows Security with a fake green tick tray icon.
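As an added defensive check, not code from Avast or this article, the PowerShell below reports whether a host is set to boot into Safe Mode next, which services Windows will allow to start there, and which antivirus products are registered with Security Center via the same WQL class quoted above. It assumes an elevated session on a Windows 10/11 client; the root/SecurityCenter2 namespace does not exist on Windows Server.

```powershell
# Added defensive check, not code from Avast or ZDNet. Read-only: reports a pending
# Safe Mode boot, the services permitted to start in Safe Mode, the antivirus products
# Windows Security Center knows about, and the state of Defender / Windows Update.
# Assumes an elevated PowerShell session on a Windows 10/11 client.

function Get-SafeBootStatus {
    # bcdedit prints a 'safeboot' element only when the next boot is set to Safe Mode.
    $lines = & bcdedit.exe /enum '{current}' 2>$null
    $mode  = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*safeboot\s+(\S+)') { $mode = $Matches[1] }
    }
    [pscustomobject]@{
        NextBootIsSafeMode = [bool]$mode
        SafeBootMode       = if ($mode) { $mode } else { 'none' }
    }
}

function Get-SafeBootServiceEntries {
    # In Safe Mode, Windows starts only services named under SafeBoot\Minimal (or
    # SafeBoot\Network). A service that is meant to run there has to be registered
    # here, so unfamiliar entries are worth a closer look.
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        foreach ($sub in (Get-ChildItem -Path $key -ErrorAction SilentlyContinue)) {
            # Subkeys whose default value is 'Service' name a service; the rest are
            # driver entries and device class GUIDs and are skipped here.
            if ($sub.GetValue('') -ne 'Service') { continue }
            $name  = $sub.PSChildName
            $svc   = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" `
                                      -ErrorAction SilentlyContinue
            $image = [string]$svc.ImagePath
            [pscustomobject]@{
                Mode      = $mode
                Service   = $name
                ImagePath = $image
                # Heuristic only: built-in entries resolve into the Windows directory.
                Review    = -not ($image -match '(?i)system32|systemroot|%windir%')
            }
        }
    }
}

function Get-RegisteredAntivirus {
    # The WQL class the article says the malware queries, used here to confirm that
    # the expected products are still registered after the fact.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' `
                    -ErrorAction SilentlyContinue |
        Select-Object displayName, productState, pathToSignedProductExe
}

function Get-DefenseServiceState {
    # The article describes Defender being disabled and Windows Update being stopped.
    Get-Service -Name WinDefend, wuauserv -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType
}

Get-SafeBootStatus
Get-SafeBootServiceEntries | Format-Table -AutoSize
Get-RegisteredAntivirus    | Format-Table -AutoSize
Get-DefenseServiceState    | Format-Table -AutoSize
```

A pending Safe Mode boot combined with an unfamiliar service entry whose ImagePath sits outside the Windows directory is the combination worth escalating; the Review column is a hint for a human, not a verdict.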

The final step of the journey is the deployment of XMRig, a cryptocurrency miner that leverages system power and resources to mine the Monero (XMR) cryptocurrency.

Overall, Avast says that Crackonosh has generated at least $2 million for its operators in Monero at today’s prices, with over 9,000 XMR coins having been mined.

Approximately 1,000 devices are being hit each day and over 222,000 machines have been infected worldwide.

In total, 30 variants of the malware have been identified, with the latest version being released in November 2020.

“As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers,” Avast says. “The key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you.”

Source: https://www.zdnet.com/article/crackonosh-malware-abuses-windows-safe-mode-to-quietly-mine-for-cryptocurrency/
