fingers on keyboard
Knowledge & Information Technology
No. 289 - 1 June 2021
Enterprise Security Tidbits

Matt Chiodi of Palo Alto Networks was the featured speaker at the May 19 meetup of the ACM's San Francisco Bay Area Chapter. He mentioned three things we found interesting:
  • 60% of organizations do not disable the Microsoft remote desktop protocol on their Windows clients as they should, potentially allowing hackers to take control of PCs remotely. While RDP has legitimate uses for remote problem solving by helpdesk agents, companies that do not use such a service should disable the RDP client.
  • There is now such a thing as "cryptojacking" -- the hijacking of enterprise computers for cryptocurrency mining. The victim may be unaware of the exploit, but the performance of their servers may be affected and their power consumption will likely increase, costing them (real) money.
  • The most used cryptocurrency for nefarious activities is not Bitcoin, it is Monero (XMR), which offers stronger anonymity to its users.
European Union Draft Regulations on Artificial Intelligence

Following on its now famous and influential regulation on data protection (GDPR), the European Union is now tackling the societal and ethical implications of AI with a set of draft regulations published on April 21. Unsurprisingly, industry players are already complaining that these regulations will be too burdensome, and argue instead for "self-regulation," which generally means no real regulation at all. On the other hand, some privacy and civil rights advocacy groups are criticizing the draft for being too lenient on the private sector. Brussels must be thinking that If you get attacked from both sides, you must be doing something right.

The EU approach is to classify AI applications into four tiers, based on the risk of abuse. The most risky (such as face recognition used for racial profiling) would be banned, the least risky would be allowed with minimal safeguards, and the intermediate tiers would require various levels of testing and labeling.

For a concise and reasonably dispassionate summary of the proposal, see this article in IEEE Spectrum.
AIRSIDE Live 2021

On June 3rd (yes, we're already in June, so that's in just two days) AIRSIDE is presenting a day-long virtual conference on big data, data governance and data security. The event starts at 7:30 a.m. Pacific (first talk at 8:10) and winds down at 4:00 p.m., which gives people in Europe (but not Asia) a chance to catch most of the event. The 30+ speakers represent a mix of consultants, end users, and technology companies. Click here for the detailed agenda and (free) registration.
U.S. Executive Order on Cybersecurity and Request for Comments on Software Bill of Materials

Following the May 12 Executive Order from the White House on cybersecurity, the National Telecommunications and Information Administration, which has already been working for a couple of years to define a Software Bill of Materials (SBOM), has been formally directed to publish the "minimum elements" for an SBOM, and is asking the public for comments. The deadline to respond is not clear yet (it will be at least mid-June) and the requests is posted here.

Software suppliers should pay attention this this: regardless of their own response to the RFC, this will give them a preview of what data they will probably be asked to supply with their software in the future. And if you purchase enterprise software and want to know what's in it, including what vulnerabilities may have been inherited from open-source or commercial components, you should also take an interest in this.
Seen Recently...
Bert Regeer (@bertjwregeer), discussing privacy concerns about Amazon's plan to turn on its Sidewalk mesh network on June 8, potentially connecting devices such as Alexa and Ring to your neighbor's WiFi: "What would it take for TV/device manufacturers to opt-in to Sidewalk and send data back even if the user has opted not to connect it to Wifi/Ethernet?"
Corey Quinn (@QuinnyPig), in response: "Opt in? You naive adorable fool! Amazon will charge these companies through the nose for access to this and they will pay it with a smile on their faces!"