Tag Archive for: adoption

SLSA Adoption Would’ve Muted SolarWinds Hack


Adoption of Google Cloud’s Supply-chain Levels for Software Artifacts (SLSA) security framework would have protected organizations from the SolarWinds cyberattack by alleged Russia-backed hackers, according to CEO Thomas Kurian.

The software supply chain is a vector of threats that other cloud providers had not anticipated, Kurian said.

“We had anticipated that,” Kurian said in an exclusive CRN interview ahead of the Google Cloud Next ’21 conference that started today. “Not only did we build the technology in a secure way, but we’re now making it available to customers to use in a secure way. We have now taken that framework and, working with NIST (the U.S. Department of Commerce’s National Institute of Standards and Technology), are making it available to the entire software industry, because that framework would have protected against SolarWinds.”

Pronounced “salsa,” SLSA is a source-to-service security framework for ensuring the integrity of software artifacts by helping to protect against unauthorized changes to software packages throughout the software supply chain. It’s based on Google’s internal Binary Authorization for Borg (BAB), a deploy-time enforcement check designed to minimize insider risk by ensuring that production software and configuration deployed at Google is properly reviewed and authorized, especially if that code has the ability to access user data. Google has been using BAB since 2013 and requires it for all of its production workloads.

The SolarWinds hack, which ensnared Microsoft and breached U.S. federal government agencies and private sector companies, first was detected last December. Suspected Russian intelligence attackers injected malicious code into Austin, Texas-based SolarWinds’ Orion network monitoring platform that was downloaded into as many as 18,000 of its customers’ computer networks. Last month, Microsoft said the hackers behind SolarWinds also had developed a backdoor that exfiltrates sensitive information from compromised Microsoft Active Directory Federation Services servers.

Kurian pointed to both the increasing number of cybersecurity threats and the variations of those threats.

“A year ago, if somebody…

Source…

Fraud Follows A Surge in Mobile Adoption


Mobile fraud attacks continue to be on an upward trajectory as mobile has become a prominent channel in launching fraud attacks. In the opening quarter of 2021, there was a 43% increase in mobile attack rate, rising to 32% from 19% in the last quarter of 2020.

There is an increase in attacks originating on mobile devices because more and more legitimate users are interacting with businesses via mobile devices. Fraudsters are taking advantage of this rising popularity to launch mobile fraud attacks across multiple touchpoints. Mobile attacks are not only easy to launch, but fraudsters can also easily cover their tracks to evade detection. They are able to spoof devices because IP addresses and the associated mobile device fingerprints can be bought cheaply from numerous websites.

Mobile attacks pose a huge challenge for the gaming industry

According to Statista, as of January 2021 mobile phones were the most used devices for gaming worldwide. Online gaming not only saw a prolific increase in the number of players but also in the number of hours as well as the money spent. It is estimated that during the pandemic the number of users playing video games in the U.S. rose to 79% while the time spent on gaming increased 26% and the money spent increased 33%. Online gaming companies experienced the biggest engagement levels and increased revenues that are projected to touch US$23,582m by 2021 and US$31,328m by 2025.

Gaming was also the top sector targeted by mobile-based fraud attacks. The gaming industry, which was under siege throughout 2020, saw high rates of mobile fraud attacks across all touchpoints during Q1. Overall, attacks from the mobile channel increased from 19% in Q4 2020 to 32% in Q1 2021. These attacks were overwhelmingly bot-driven: gaming platforms were barraged with bot attacks that accounted for nearly 97% of the attacks. Attackers launched high-volume campaigns against multiple consumer touchpoints, including credential stuffing on logins, the most attacked touchpoint on the Arkose Labs network.

Another industry that experiences a large section of users connecting through mobiles is media that encompasses dating, social, and streaming platforms. The…

Source…

Technology Adoption: Are we too late to the party?



Jan Havránek and Daniel P. Bagge 


[Figure: Future technologies. Source: NATO, “Science & Technology Trends: 2020-2040.”]

Introduction

NATO and the West are experiencing a reversed kind of revolution in military affairs (RMA), with new technologies bearing far-reaching implications beyond the conduct of war. Past revolutions in military affairs spilled from the battlefield to the civilian sector. They had an effect either by directly deciding the result of a given conflict or through the adoption of military technical advantages in non-military aspects of life. Today we see the opposite trend, driven by private, non-military, non-governmental actors. In their everyday lives, the general public and governments alike face military-grade technologies developed and applied by the commercial sector. And it is the private sector that enjoys exclusivity over these technologies while the military lags behind.

How information is gathered, processed, analysed, communicated, distributed, and utilized has always underpinned military planning and assumptions about success in conflict. For example, the reconnaissance strike complex introduced by the Soviets was based on real-time intelligence gathering and underpinned by automated systems and fast data processing. Similarly, NATO’s deep attack concept assumed that commanders “would be given the automated assessment means necessary to rapidly analyse the enemy’s force array.”[1] Such concepts, however innovative and tech-based, assumed a relatively limited amount of data and relied heavily on the human factor. Today, in the era of cloud computing and artificial intelligence, there is a clear shift towards sensor-centric, automated processing. Reconnaissance and analysis are becoming as important as firepower and kinetic effects. Humans are being pushed out of decision-making by the sheer quantity of information coming from the battlefield. Hyper-speed warfare (or “hyper war,” a term linking the intensity of conflict with cybernetics) risks making the human factor almost obsolete. To a certain extent, human presence in the loop will consequently become more a question of…

Source…

Google’s Project Zero revises vulnerability disclosure timelines to increase patch adoption


NEW DELHI: Google’s cybersecurity division, Project Zero, today changed its disclosure policies with the stated intent to “refocus on reducing the time it takes for vulnerabilities to get fixed”. The Project Zero team, which deals with vulnerabilities in hardware and software systems, will publish details of a vulnerability sooner if the vendor hasn’t fixed the flaw within the deadline.

“Project Zero won’t share technical details of a vulnerability for 30 days if a vendor patches it before the 90-day or 7-day deadline. The 30-day period is intended for user patch adoption,” the company said in a blog post.

The team used to allow a 90-day period after issuing a vulnerability report, followed by a 14-day grace period, before it published details of the vulnerability. Now, if an issue remains unpatched after the 90 days, Google will publish the details immediately. The change is likely aimed at getting users to install patches quickly once a vendor issues them.

Further, for vulnerabilities that are being actively exploited by hackers, Google will publish details immediately if the issue remains unpatched 7 days after being reported. If the issue is fixed within those 7 days, Google will wait 30 days before publishing the details. The company used to offer no grace period on such reports but will now allow hardware and software vendors to request an additional three-day grace period.

The Project Zero team said the changes are aimed at shortening the time elapsed between a bug report and its patch being made available to users. It also wants to ensure “thorough patch development” and “improved patch adoption” once a patch is released by the affected vendor.

Google’s decision comes on the heels of a general increase in cybersecurity issues around the world last year. According to a March report from the Indian Computer Emergency Response Team (CERT-In), cyber security incidents in India grew from 3,94,499 in 2019 to 11,58,208 in 2020 (Indian numbering), a nearly 200% increase.


Source…