Enterprise security attackers are one password away from your worst day

If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.

Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn’t kept pace.

Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes, and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.

Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cybersecurity industry must rethink its strategy to analyze how credentials are used and stop breaches before they become bigger problems.

It’s all about the credentials

Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the mid-pandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their network while employees work from unsecured connections. In April 2020, the FBI said that cybersecurity attacks reported to the organization grew by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.

It only takes one compromised account for an attacker to enter Active Directory and create their own credentials. In such an environment, all user accounts should be considered as potentially compromised.

Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. The most effective and commonly-used strategy is credential stuffing attacks, where digital adversaries break in, exploit the environment, then move laterally to gain higher-level access.
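The article argues that defenders should analyze how credentials are used rather than look at alerts in isolation. The following is an added example, not code from the article or its author, showing one concrete form that analysis can take: credential-stuffing attempts tend to appear as a single source trying many distinct usernames inside a short window, with only an occasional success. The script parses a constructed, simplified authentication log (the line format, the IP addresses and the usernames are invented for this example), flags sources that exceed a distinct-username threshold in a sliding window, and lists any accounts that logged in successfully from such a source so they can be reviewed and their sessions revoked. The window size and threshold are assumptions to be tuned per environment.

```python
"""Flag credential-stuffing patterns in a simplified authentication log.

Added example: the log format below is constructed for illustration and is
not any product's real format. The heuristic is: one source address trying
many distinct usernames within a short window is far more consistent with a
stuffing run than with a user mistyping a password, and any success from
such a source should be treated as a likely compromised account.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines: "<timestamp> <OK|FAIL> user=<name> src=<ip>".
# 203.0.113.7 sprays eleven different accounts in a few seconds and gets
# one hit (erin); the other two sources are ordinary single-user activity.
SAMPLE_LOG = """\
2021-05-12T09:00:01Z FAIL user=alice src=203.0.113.7
2021-05-12T09:00:02Z FAIL user=bob src=203.0.113.7
2021-05-12T09:00:02Z FAIL user=carol src=203.0.113.7
2021-05-12T09:00:03Z FAIL user=dave src=203.0.113.7
2021-05-12T09:00:03Z OK   user=erin src=203.0.113.7
2021-05-12T09:00:04Z FAIL user=frank src=203.0.113.7
2021-05-12T09:00:05Z FAIL user=grace src=203.0.113.7
2021-05-12T09:00:05Z FAIL user=heidi src=203.0.113.7
2021-05-12T09:00:06Z FAIL user=ivan src=203.0.113.7
2021-05-12T09:00:06Z FAIL user=judy src=203.0.113.7
2021-05-12T09:00:07Z FAIL user=mallory src=203.0.113.7
2021-05-12T09:01:00Z FAIL user=alice src=198.51.100.4
2021-05-12T09:01:30Z OK   user=alice src=198.51.100.4
2021-05-12T09:02:00Z OK   user=bob src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse_log(text):
    """Return a list of (timestamp, success, user, src) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2) == "OK", m.group(3), m.group(4)))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=10):
    """Flag sources that attempt at least `min_users` distinct usernames
    within any `window`. Returns {src: {distinct_users, attempts, successes}}.
    Thresholds are assumed defaults, not values from the article."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Advance the window start so [start, end] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users_in_window = {e[2] for e in evs[start:end + 1]}
            if len(users_in_window) >= min_users:
                flagged[src] = {
                    "distinct_users": len({e[2] for e in evs}),
                    "attempts": len(evs),
                    # Accounts that succeeded from a stuffing source: review first.
                    "successes": sorted({e[2] for e in evs if e[1]}),
                }
                break
    return flagged


if __name__ == "__main__":
    for src, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_users']} users, "
              f"{info['attempts']} attempts, successes={info['successes']}")
```

The point of keying on distinct usernames per source, rather than on failed attempts per account, is that stuffing runs rarely trip per-account lockout thresholds: each account sees only one or two attempts. Correlating by source (and, in a real deployment, by ASN or device fingerprint, since attackers rotate addresses) is what surfaces the pattern the article says isolated alert review misses.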

Lyron Foster is a Hawaii-based African American musician, author, actor, blogger, filmmaker, philanthropist and multinational serial tech entrepreneur.

Collective, a back-office for the self-employed, raises $20M from Ashton Kutcher’s VC

With so much focus on the ‘creator economy’, and countries hit by the effects of the pandemic, the self-employed market is ‘booming’, for good or for ill. So it’s not too much of a surprise that Collective, a subscription-based back-office for the self-employed, has raised $20 million in Series A funding after launching only late last year.

The round was led by General Catalyst and joined by Sound Ventures (the venture capital fund founded by Ashton Kutcher and Guy Oseary). Collective has now raised a total of $28.65 million. Other notable investors include: Steve Chen (Founder YouTube), Hamish McKenzie (Founder Substack), Aaron Levie (founder Box), Kevin Lin (founder Twitch), Sam Yam (founder Patreon), Li Jin (Atelier Ventures), Shadiah Sigala (founder HoneyBook), Adrian Aoun (founder Forward), Holly Liu (founder Kabam), Andrew Dudum (founder Hims) and Edward Hartman (founder LegalZoom).

Ashton Kutcher said in a statement: “We’re proud to be supporting a company that’s making it easier for creators to focus on what they do best by taking care of the back office work that creates so much friction for so many early entrepreneurs. I would have loved something like this when I was getting started.”

Launched in September 2020 by CEO Hooman Radfar, CPO Ugur Kaner and CTO Bugra Akcay, Collective offers “tailored” financial services and access to advisors who oversee accounting, tax, bookkeeping and business formation needs. There are currently 59 million self-employed workers in the U.S. (36% of the US workforce), most of whom do all their own admin. Collective hopes to be their online back-office platform.

Speaking to me over email, Radfar said that the start-up fintech market tends to serve companies like them – other start-ups and growing SMBs: “Companies like Pilot have done an amazing job at building a back-office platform that handles taxes, bookkeeping and finances for start-ups. We want to offer that same great value to the underserved business-of-one community, since they are the largest group of founders in the country.”

He added: “Before Collective, consultants, freelancers, and other solo founders had to string together their back-office solution using DIY platforms like Quickbooks, Gusto, and LegalZoom. If they were lucky, they had the help of a part-time accountant to advise them. Collective makes handling finances easy with the first all-in-one platform that not only bundles these tools into one platform, but also provides the technology and team to optimize their tax savings like the pros.”

According to some estimates, the number of freelancers in the US is projected to reach 86.5 million, or 50% of the US workforce, by 2027, with the freelancer space projected to grow three times faster than the traditional workforce.

Niko Bonatsos, Managing Director of General Catalyst, said: “Collective is serving the $1.2 trillion business-of-one industry by building the first back-office platform that saves individuals significant time and money, while providing them with the appropriate tools and resources they need to help them succeed. We’re excited to support Collective as they expand their team and build an exceptional service for the business-of-one community.”


UK publishes draft Online Safety Bill


The UK government has published its long-trailed (child) ‘safety-focused’ plan to regulate online content and speech.

The Online Safety Bill has been in the works for years — during which time a prior plan to require age verification for accessing online porn in the UK, also with the goal of protecting kids from being exposed to inappropriate content online but which was widely criticized as unworkable, got quietly dropped.

At the time the government said it would focus on introducing comprehensive legislation to regulate a range of online harms. It can now say it’s done that.

The 145-page Online Safety Bill can be found here on the gov.uk website — along with 123 pages of explanatory notes and a 146-page impact assessment.

The draft legislation imposes a duty of care on digital service providers to moderate user-generated content in a way that prevents users from being exposed to illegal and/or harmful material online.

The government dubs the plan globally “groundbreaking” and claims it will usher in “a new age of accountability for tech and bring fairness and accountability to the online world”.

Critics warn the proposals will harm freedom of expression by encouraging platforms to over-censor, while also creating major legal and operational headaches for digital businesses that will discourage tech innovation.

The debate starts now in earnest.

The bill will be scrutinised by a joint committee of MPs — before a final version is formally introduced to Parliament for debate later this year.

How long it might take to hit the statute books isn’t clear but the government has a large majority in parliament so, failing major public uproar and/or mass opposition within its own ranks, the Online Safety Bill has a clear road to becoming law.

Commenting in a statement, digital secretary Oliver Dowden said: “Today the UK shows global leadership with our groundbreaking laws to usher in a new age of accountability for tech and bring fairness and accountability to the online world.

“We will protect children on the internet, crack down on racist abuse on social media and through new measures to safeguard our liberties, create a truly democratic digital age.”

The length of time it’s taken for the government to draft the Online Safety Bill underscores the legislative challenge involved in trying to ‘regulate the Internet’.

In a bit of a Freudian slip, the DCMS’ own PR talks about “the government’s fight to make the internet safe”. And there are certainly question-marks over who the future winners and losers of the UK’s Online Safety laws will be.

Safety and democracy?

In a press release about the plan, the Department for Digital, Media, Culture and Sport (DCMS) claimed the “landmark laws” will “keep children safe, stop racial hate and protect democracy online”.

But as that grab-bag of headline goals implies there’s an awful lot going on here — and huge potential for things to go wrong if the end result is an incoherent mess of contradictory rules that make it harder for digital businesses to operate and for Internet users to access the content they need.

The laws are set to apply widely — not just to tech giants or social media sites but to a broad swathe of websites, apps and services that host user-generated content or just allow people to talk to others online.

In scope services will face a legal requirement to remove and/or limit the spread of illegal and (in the case of larger services) harmful content, with the risk of major penalties for failing in this new duty of care toward users. There will also be requirements for reporting child sexual exploitation content to law enforcement.

Ofcom, the UK’s comms regulator — which is responsible for regulating the broadcast media and telecoms sectors — is set to become the UK Internet’s content watchdog too, under the plan.

It will have powers to sanction companies that fail in the new duty of care toward users by hitting them with fines of up to £18M or ten per cent of annual global turnover (whichever is higher).

The regulator will also get the power to block access to sites — so the potential for censoring entire platforms is baked in.

Some campaigners backing tough new Internet rules have been pressing the government to include the threat of criminal sanctions for CEOs to concentrate C-suite minds on anti-harms compliance. And while ministers haven’t gone that far, DCMS says a new criminal offence for senior managers has been included as a deferred power — adding: “This could be introduced at a later date if tech firms don’t step up their efforts to improve safety.”

Despite there being widespread public support in the UK for tougher rules for Internet platforms, the devil is in the detail of how exactly you propose to do that.

Civil rights campaigners and tech policy experts have warned from the get-go that the government’s plan risks having a chilling effect on online expression by forcing private companies to be speech police.

Legal experts are also warning over how workable the framework will be, given hard to define concepts like “harms” — and, in a new addition, content that’s defined as “democratically important” (which the government wants certain platforms to have a special duty to protect).

The clear risk is massive legal uncertainty wrapping digital businesses — with knock-on impacts on startup innovation and availability of services in the UK.

The bill’s earlier incarnation — a 2019 White Paper — had the word “harms” in the title. That’s been swapped for a more anodyne reference to “safety” but the legal uncertainty hasn’t been swapped out.

The emphasis remains on trying to rein in an amorphous conglomerate of ‘harms’ — some illegal, others just unpleasant — that have been variously linked to or associated with online activity. (Often off the back of high profile media reporting, such as into children’s exposure to suicide content on platforms like Instagram.)

This can range from bullying and abuse (online trolling), to the spread of illegal content (child sexual exploitation), to content that’s merely inappropriate for children to see (legal pornography).

Certain types of online scams (romance fraud) are another harm the government wants the legislation to address, per latest additions.

The umbrella ‘harms’ framing makes the UK approach distinct from the European Union’s Digital Services Act — a parallel legislative proposal to update the EU’s digital rules that’s more tightly focused on things that are illegal, with the bloc setting out rules to standardize reporting procedures for illegal content, and combating the risk of dangerous products being sold on ecommerce marketplaces with ‘know your customer’ requirements.

In response to criticism of the UK Bill’s potential impact on online expression, the government has added measures which it said today are aimed at strengthening people’s rights to express themselves freely online.

It also says it’s added in safeguards for journalism and to protect democratic political debate in the UK.

However, its approach is already raising questions — including over what look like some pretty contradictory stipulations.

For example, the DCMS’ discussion of how the bill will handle journalistic content confirms that content on news publishers’ own websites won’t be in scope of the law (reader comments on those sites are also not in scope) and that articles by “recognised news publishers” shared on in-scope services (such as social media sites) will be exempted from legal requirements that may otherwise apply to non-journalistic content.

Indeed, platforms will have a legal requirement to safeguard access to journalism content. (“This means [digital platforms] will have to consider the importance of journalism when undertaking content moderation, have a fast-track appeals process for journalists’ removed content, and will be held to account by Ofcom for the arbitrary removal of journalistic content,” DCMS notes.)

However the government also specifies that “citizen journalists’ content will have the same protections as professional journalists’ content” — so exactly where (or how) the line gets drawn between “recognized” news publishers (out of scope), citizen journalists (also out of scope), and just any old person blogging or posting stuff on the Internet (in scope… maybe?) is going to make for compelling viewing.

Carve outs to protect political speech also complicate the content moderation picture for digital services — given, for example, how extremist groups that hold racist opinions can seek to launder their hate speech and abuse as ‘political opinion’. (Some notoriously racist activists also like to claim to be ‘journalists’…)

DCMS writes that companies will be “forbidden from discriminating against particular political viewpoints and will need to apply protections equally to a range of political opinions, no matter their affiliation”.

“Policies to protect such content will need to be set out in clear and accessible terms and conditions and firms will need to stick to them or face enforcement action from Ofcom,” it goes on, adding: “When moderating content, companies will need to take into account the political context around why the content is being shared and give it a high level of protection if it is democratically important.”

Platforms will face responsibility for balancing all these conflicting requirements — drawing on Codes of Practice on content moderation that respects freedom of expression which will be set out by Ofcom — but also under threat of major penalties being slapped on them by Ofcom if they get it wrong.

Interestingly, the government appears to be looking favorably on the Facebook-devised ‘Oversight Board’ model, where a panel of humans sit in judgement on ‘complex’ content moderation cases — and also discouraging too much use of AI filters which it warns risk missing speech nuance and over-removing content. (Especially interesting given the UK government’s prior pressure on platforms to adopt AI tools to speed up terrorism content takedowns.)

“The Bill will ensure people in the UK can express themselves freely online and participate in pluralistic and robust debate,” writes DCMS. “All in-scope companies will need to consider and put in place safeguards for freedom of expression when fulfilling their duties. These safeguards will be set out by Ofcom in codes of practice but, for example, might include having human moderators take decisions in complex cases where context is important.”

“People using their services will need to have access to effective routes of appeal for content removed without good reason and companies must reinstate that content if it has been removed unfairly. Users will also be able to appeal to Ofcom and these complaints will form an essential part of Ofcom’s horizon-scanning, research and enforcement activity,” it goes on.

“Category 1 services [the largest, most popular services] will have additional duties. They will need to conduct and publish up-to-date assessments of their impact on freedom of expression and demonstrate they have taken steps to mitigate any adverse effects. These measures remove the risk that online companies adopt restrictive measures or over-remove content in their efforts to meet their new online safety duties. An example of this could be AI moderation technologies falsely flagging innocuous content as harmful, such as satire.”

Another confusing-looking component of the plan is that while the bill includes measures to tackle what it calls “user-generated fraud” — such as posts on social media for fake investment opportunities or romance scams on dating apps — fraud that’s conducted online via advertising, emails or cloned websites will not be in scope, per DCMS, as it says “the Bill focuses on harm committed through user-generated content”.

Yet since Internet users can easily and cheaply create and run online ads — as platforms like Facebook essentially offer their ad targeting tools to anyone who’s willing to pay — then why carve out fraud by ads as exempt?

It seems a meaningless place to draw the line. Fraud where someone paid a few dollars to amplify their scam doesn’t seem a less harmful class of fraud than a free Facebook post linking to the self-same crypto investment scam.

In short, there’s a risk of arbitrary or ill-thought-through distinctions creating incoherent and confusing rules that are prone to loopholes. Which doesn’t sound good for anyone’s online safety.

In parallel, meanwhile, the government is devising an ambitious pro-competition ex ante regime to regulate tech giants specifically. Ensuring coherence and avoiding conflicting or overlapping requirements between that framework for platform giants and these wider digital harms rules is a further challenge.


Amazon updates Echo Show line with a pan and zoom camera and a kids model


Amazon this morning announced a handful of updates across its Echo Show line of smart screens. The top-level most interesting bit here is the addition of a pan and zoom camera to the mid-tier Echo Show. The feature is similar to ones found on Facebook’s various Portal devices and Google’s high-end Nest Hub Max.

Essentially, it’s designed to keep the subject in frame – Apple also recently introduced a similar Center Stage feature for the latest iPad Pro. It comes after Amazon introduced a far less subtle version in the Echo Show 10, which actually follows the subject around by swiveling the display around the base. I know I’m not alone in being a little creeped out, seeing it in action.

The new feature arrives on the Show 8’s 13-megapixel camera, which is coupled with a built-in physical shutter – a mainstay as Amazon looks to stay ahead of the privacy conversation. The eight-inch HD display is powered by an upgraded octa-core processor and coupled with stereo speakers. The new Show 8 runs $130.

The other biggest news here is the arrival of the Echo Show 5 Kids – the one really new product in the bunch. At $95, the kid-focused version of the screen features a customizable home screen, a colorful design, a two-year warranty in case of breaks and a one-year subscription to Amazon Kids+.

There’s a new version of the regular Show 5, too, featuring an upgraded HD camera, new colors and additional software features. That runs $85. The new devices go up for preorder today and start shipping later this month.
