Archive for May 24, 2023

The White House Makes Another Announcement Related To AI

Posted in Commentary with tags on May 24, 2023 by itnerd

For the second time this month, The White House has made an announcement regarding the responsible use of AI. Unlike the earlier announcement, this one centres on R&D and deployment:

AI is one of the most powerful technologies of our time, with broad applications. President Biden has been clear that in order to seize the opportunities AI presents, we must first manage its risks. To that end, the Administration has taken significant action to promote responsible AI innovation that places people, communities, and the public good at the center, and manages risks to individuals and our society, security, and economy. This includes the landmark Blueprint for an AI Bill of Rights and related executive actions, the AI Risk Management Framework, a roadmap for standing up a National AI Research Resource, active work to address the national security concerns raised by AI, as well as investments and actions announced earlier this month. Last week, the Administration also convened representatives from leading AI companies for a briefing from experts across the national security community on cyber threats to AI systems and best practices to secure high-value networks and information.

Ani Chaudhuri, CEO, Dasera was kind enough to provide their view of this announcement:

The Biden-Harris Administration’s recent steps to advance responsible artificial intelligence (AI) research, development, and deployment are crucial in our rapidly evolving digital age. Undoubtedly, AI technologies will transform how we live and work, so we must approach this field with a responsible yet innovative mindset.

One fundamental aspect of this responsible approach is to ensure data security. Every AI system relies on vast amounts of data, whether it’s automating tasks, making predictions, or creating new services. Ensuring the security of this data, its privacy, and its ethical use is not just a good practice; it’s a necessity. An AI system is only as good as the data it’s trained on, and if that data is biased, misused, or breached, the consequences can be severe.

However, while the government’s role in fostering responsible AI innovation is critical, we should be mindful of the potential pitfalls of heavy-handed regulation. We must strike a careful balance: on one side, safeguarding the rights and safety of individuals, and on the other side, not stifling innovation and competition. This is a delicate act. It’s essential to refrain from giving too much power to the government over the tech sector and limit regulatory barriers that could hamper the global competitiveness of our AI industry.

Sam Altman, CEO of OpenAI, was recently in front of Congress and proposed a new agency to oversee AI. The idea of issuing licenses to train and use AI models is thought-provoking. Still, it could create regulatory capture where established players protect their position by creating barriers for others.

Instead, we should consider a more collaborative and decentralized approach that fosters trust, transparency, and accountability. Regulations should be built with an understanding of the technology and, more importantly, its implications on society and individuals. Instead of a single body that issues licenses, why not have a network of organizations, including academic institutions, non-profits, and private enterprises, that review, audit, and certify AI systems and their uses?

The risks associated with AI are complex and multifaceted, akin to cybersecurity risks. Cybersecurity has always been a cat-and-mouse game between those who seek to exploit vulnerabilities and those who work tirelessly to patch them. The same will likely be true with AI.

We should learn from our experiences in handling cybersecurity and data privacy issues. Clear guidelines, self-regulation, transparency, and domestic and international cooperation are vital in managing these risks without curbing innovation. While it’s true that we might not be able to regulate every AI model, we can build regulations for how these models are used, just like we have regulations for how personal data is used.

It’s crucial to focus on the main goal: making AI serve humanity, protect individuals, and foster innovation. We should not just regulate AI but guide it towards that goal. Our approach should be both proactive and adaptive, ready to embrace the opportunities AI presents and address the risks it poses. After all, AI is a tool we created, and it’s up to us to ensure it’s used responsibly.

It is a positive step that The White House is interested in putting up guardrails around AI. Because in my mind, AI could either be a positive force for all of us, or it could go off the rails in a really bad way. The actions that we take now will decide which way that goes.

UPDATE: Craig Burland, CISO, Inversion6 adds this comment:

On the surface, this is a well-considered, positive, and actionable step forward. The government appears to be looking at AI as a tool with both potential and risks, seeking first to understand. This is a smart approach for any new technology, particularly for something disruptive like AI.

The nine strategies outlined within the updated roadmap are sound, again balancing both the potential and risk of AI. For example, the first strategy focuses on investment in AI research. The third strategy focuses on ethical, legal, and societal implications of AI. Maybe more importantly, what the administration lays out is actionable. They've outlined strategies that the US government can drive. They've avoided calling for moratoriums, global bans, or other unattainable steps that would accomplish little.

UPDATE #2: Kevin Bocek, VP Ecosystem and Community, Venafi adds this commentary:

“We are still in the early stages of understanding the impact of AI on both businesses and the public, and it’s a constantly moving target, with new use cases and products being announced on a daily basis. So, it is very encouraging to see The White House take the first steps in developing a responsible AI framework. As part of this process, it is vital that the government recognizes that smart organizations will not slow down the innovation that we’re seeing with Generative AI, and that the results will be overwhelmingly positive. However, there are known and unknown risks that need to be skillfully mitigated. 

“As such, the priority for regulations must be to contain risks while encouraging exploration, curiosity and trial and error. But any steps to achieve this can’t be approached with a “set and forget” mentality. Regulators need to establish policies and guidelines that are reviewed and refreshed frequently as we explore the power of AI in more depth. This means the government will need to constantly collaborate and communicate with experts in the field to avoid neglect and exploitation.”

Tesla’s Brand Reputation Takes A Dive Thanks To Elon Musk

Posted in Commentary with tags on May 24, 2023 by itnerd

Elon Musk has a lot of problems right now. And here's one more that he has to deal with. The Harris Poll has put out their Reputation Quotient, and boy did Tesla take a serious hit. Tesla's score fell 6.4% to 74.3 out of a possible 100. The only company that I could find that took a bigger hit was BP. As in the company that was responsible for the Deepwater Horizon disaster. But here's the thing. Tesla was ranked so highly in the previous year's Reputation Quotient. Meaning that its reputation fell more than BP's.

So, why would Tesla take such a hit? I’ve got a few theories:

  • Elon’s management of Twitter is casting a negative light on Tesla
  • Elon's embrace of the alt-right is casting a negative light on Tesla
  • Elon’s lack of focus on Tesla is hurting Tesla
  • All of the above

The fact is that from my perspective, it’s Elon’s fault that Tesla’s brand reputation has tanked the way it has. Now while I have always said that Tesla would have the high ground in terms of EVs until traditional carmakers got serious about EVs, I never thought that Elon would simply hand the market over to his competition. Because that’s what he’s doing by behaving the way he is at the moment. Including saying that he didn’t care if his companies lost business because of what he chooses to say.

Well, perhaps he should care, as this is sure to push EV buyers away from Tesla and towards other brands that don't have an unstable personality as their CEO.

GDPR Turns Five Tomorrow

Posted in Commentary with tags on May 24, 2023 by itnerd

Tomorrow marks the fifth anniversary of the European Union's General Data Protection Regulation (GDPR). The European Union adopted this legislation in 2016, and it has been enforced since 25 May 2018. It governs companies, both inside and outside Europe, that collect, store, and process the personal data of people in the EU.

There are many views on how effective GDPR has been. I personally think it’s been a good thing as it holds companies accountable for how they handle data. But I got a second view on this from Ani Chaudhuri, CEO, Dasera:

There is often an overlooked aspect of GDPR – the potential exploitation of its provisions for malicious ends. When we discuss GDPR, we typically focus on the empowerment it gives individuals over their personal data, yet GDPR’s ‘Right of Access’ can indeed have negative consequences for data privacy if misused.

However, I firmly believe that GDPR continues to be of net benefit to data subjects and data protection. Despite these potential pitfalls, the importance of a legal framework that protects individuals’ data rights and fosters transparency and accountability in data processing cannot be overstated.

As for measures taken by the EU since GDPR, the EU is generally known for its proactive stance on data privacy issues, and I anticipate they would take such issues seriously, working on improvements to address these gaps.

The crux of the problem is verifying the identity of individuals making data access requests. In this regard, automated data security and governance controls can offer a strong solution. By using sophisticated verification and monitoring systems that can detect abnormal patterns or suspicious requests, we can bolster the security of data access processes.

Lastly, let’s not forget that we’re still relatively early in the implementation of comprehensive data privacy laws. The GDPR is groundbreaking legislation, but it is also an evolving one. As we learn more about its strengths and weaknesses, we must continue to refine and improve it. It is vital to shed light on vulnerabilities that need to be addressed, ensuring that the GDPR remains a robust and effective tool for protecting personal data.

Where once enterprises could buy, sell, share, and store customer data with relative freedom, for the last 5 years every organization that operates under the GDPR has been subject to strict regulatory compliance requirements. And we have seen companies like Amazon, Meta and Google fined for breaches and other issues. This is a very good thing as, like I said earlier, these companies are being held accountable. That forces those companies to change their behaviour for the better.

UPDATE: Ted Miracco, CEO, Approov Mobile Security added this comment:

"While no law is perfect, the GDPR regulation was one of the most ground-breaking, necessary, and extremely well crafted pieces of cross-border legislation in recent history. Protection of Personal Data is critical to a well-functioning and open society, and while GDPR didn't stop the abuse of big technology companies, it made the consequences of their actions substantive and many, including Google and most recently Meta, have been fined billions of dollars for their abusive handling of Personal Data. Even the definition of "Personal Data" per GDPR was forward looking in that it cast a wide net, anticipating that tech companies would try to bypass the definition to continue to harvest, export and profit by exploiting the data made available to them. The law was both clear and manageable and therefore it has become a framework for many data privacy laws around the world. If you ask if the law has been effective, I will give a resounding "yes", and back it up by the data in a recent Cyber Threats Report [1] on the security of mobile applications, where European based fintech companies outperformed their US counterparts by a significant margin."

Footnote:

[1] The Approov Mobile Threat Lab issued findings in March 2023 that analyzed the 200 most popular financial services apps in use in the USA, France, Germany and the UK. Using an automated approach, researchers were able to immediately extract and classify thousands of secrets from these apps, including API keys for critical financial services. In addition, from these automated scans, it was possible to determine how well protected apps were against run-time threats such as:

– Extraction of API Keys and other Secrets
– Man-in-the-Middle (MitM) attacks
– Device manipulation or “Man-in-the-Device” attacks

Results: 28% of US apps exposed high value secrets; 28.5% of French apps exposed high value secrets; 24.5% of U.K. apps exposed high value secrets; and 19.5% of German apps exposed high value secrets. The full report is available upon request.

Cisco Revolutionizes Customer Digital Experience Monitoring with Full Stack Observability Integration

Posted in Commentary with tags on May 24, 2023 by itnerd

Uniquely positioned to deliver industry-leading Full-Stack Observability to customers, Cisco announced today a new OpenTelemetry-based integration of Cisco AppDynamics application observability and ThousandEyes network intelligence. This integration is bi-directional, with data exchanged simultaneously between both solutions, in real time.

User experience has increasingly become a key performance indicator at the boardroom level.  Organizations are working to ensure they can elevate digital experiences at scale via the applications that are at the heart of all business interactions today. That said, user experience can be impacted by many factors. The key is to find the root cause of impact as soon as possible and address the issue before it reaches the end user and hurts the overall performance of the application and ultimately the business.

Cisco’s solution provides insights into both the application and the network, with internet connectivity metrics for application operations and real-time application dependency mapping for network operations. The solution is automatically available without further installations, drives powerful customer digital experience monitoring from the combined application and network vantage points, and delivers differentiated business outcomes.  It significantly reduces Mean Time to Resolution (MTTR), closes observability gaps with actionable recommendations and helps teams prioritize network remediation based on business impact/criticality.

Cisco’s Customer Digital Experience Monitoring solution also allows organizations to break down the barriers to meaningful collaboration that can exist between Infrastructure & Operations teams, Application Developers, SecOps and DevSecOps teams; all of whom now need to work more closely together to ensure success. This helps organizations to move fast and focus on what matters most – driving revenue, elevating user experience, managing risk and reducing costs all while reducing tool sprawl.

The ability of companies to get a complete picture of their applications’ health and users’ journeys positions businesses to make better-informed decisions and resolve issues quicker; ultimately leading to better user experience and improved business outcomes.

This bi-directional integration further strengthens Cisco’s ability to deliver world class customer digital experience monitoring especially when coupled with the industry leading Real User Monitoring (RUM) that Smartlook offers.

In April Cisco announced the intention to acquire Smartlook, a company that excels at analyzing and contextualizing end user digital behavior. Smartlook, the bi-directional integration and the innovations Cisco continues to deliver fulfill the expectations customers have to be able to enjoy end-to-end monitoring of the experience for users accessing applications and services hosted anywhere, from any location, using any device.

Cisco remains committed to simplifying the buying experience as well. In February Cisco Business Risk Observability was launched and is included in the Cisco FSO Essentials bundle, which also includes critical full stack observability capabilities.

In addition, the company is also announcing the Cisco FSO Advantage bundle. This bundle adds real-time ingestion of network intelligence metrics into application observability and real-time application dependencies for network operations. 

This offer helps customers deliver the end-to-end visibility, correlated insights, and recommended actions, tied to business context, across application monitoring, application security, the network and the internet. Only Cisco can combine the required vantage points of applications, networking and security at scale that can power true Full-Stack Observability.

Additional Resources

Join Cisco at Cisco Live to engage with Cisco leaders and Full-Stack Observability experts. Meet the Strategy, Incubation and Applications team and demo our latest application and security solutions.

Mujjo Is Now A B Corp-Certified Brand

Posted in Commentary with tags on May 24, 2023 by itnerd

The news is out that Mujjo is now a B Corp-certified brand. They are always working to make the world a better place because of what they do and are committed to making great products with the least possible impact on the planet. 

As part of the B Corp movement – a group of certified companies using business to help solve social and environmental problems – Mujjo meets the highest verified standards of social and environmental performance, transparency, and accountability. 

Here are some quick highlights:

  • Almost 72% of their products by volume are made from recycled materials.
  • Their leather is rated Gold for environmental standards by the Leather Working Group.
  • 100% of their fabrics are made from recycled water bottles.
  • They offset 100% of the carbon emissions from their shipping.
  • Their London store and head office is powered by 100% renewable energy.
  • Packaging is made from 100% Forest Stewardship Council-certified paper.

Learn more about the strides they’ve made here.

New Research Discovers Updated Version of Legion Malware

Posted in Commentary with tags on May 24, 2023 by itnerd

Cado Security has released an update on Legion, the AWS credential harvester and SMTP hijacker that Cado Labs researchers discovered last month. Matt Muir, Threat Intelligence Researcher at Cado Security, lays out fresh insights into the evolution of the Python-based hacktool, which has been under active development to exploit vulnerable web applications, along with recent findings that indicate a significant broadening of its scope.

Legion has now developed capabilities to compromise SSH servers and presents expanded features to retrieve additional AWS-specific credentials from Laravel web applications. This demonstrates that Legion’s focus on targeting cloud services is becoming increasingly refined with each iteration.

A key update of the Legion malware is its ability to exploit SSH servers. In the prior version, the code to exploit SSH servers using the Python library Paramiko was commented out. However, this code has been uncommented and is now operational. 

Researchers also discovered that the updated Legion had expanded its credential harvesting capabilities with an increased focus on cloud services. The malware now searches for credentials specific to several services, including DynamoDB, Amazon CloudWatch, and AWS Owl.
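The harvesting described above works against application configuration that is reachable by an attacker, and the cheapest defence is to audit that configuration yourself before someone else does. The following Python script is an added example, not Cado Security's code and not Legion's: it parses a Laravel-style .env file and flags the values a harvester of this kind would take (AWS keys, SMTP credentials, and anything that looks like an AWS access key ID regardless of the variable name), plus a debug setting that makes such values easy to leak. The AWS_* and MAIL_* key names are Laravel's standard ones; the DynamoDB, CloudWatch and Owl key names are assumptions, since the page does not list the exact variables Legion looks for, and the sample .env is constructed.

```python
"""Audit a Laravel-style .env file for credentials a harvester would target.

Added example; not code from Cado Security, Legion, or Laravel.
"""
import re
from typing import Dict, List

# Key-name checks. AWS_* and MAIL_* are standard Laravel config keys and
# APP_KEY is Laravel's application encryption key; the DYNAMODB/CLOUDWATCH/OWL
# prefixes are an assumption made for this example.
SENSITIVE_KEY_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)$",
        r"^(DYNAMODB|CLOUDWATCH|OWL)_.*(KEY|SECRET|TOKEN)$",
        r"^MAIL_(PASSWORD|USERNAME)$",
        r"^APP_KEY$",
        r"(PASSWORD|SECRET|TOKEN|API_KEY)$",
    )
]

# Value-shaped check that does not depend on the key name: AWS long-term
# access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# KEY=value, with an optional "export " prefix as dotenv files allow.
LINE_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal dotenv parser: comments, blank lines, quoted values."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]            # quoted value, keep as written
        else:
            value = value.split(" #", 1)[0].rstrip()  # drop trailing comment
        env[key] = value
    return env


def mask(value: str) -> str:
    """Show only a short prefix so the audit output is not itself a leak."""
    return value[:4] + "*" * max(0, len(value) - 4)


def find_exposed_credentials(env: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per variable a credential harvester would take."""
    findings: List[Dict[str, str]] = []
    for key, value in env.items():
        if not value:
            continue
        reasons = []
        if any(p.search(key) for p in SENSITIVE_KEY_PATTERNS):
            reasons.append("sensitive key name")
        if AWS_ACCESS_KEY_RE.search(value):
            reasons.append("value looks like an AWS access key ID")
        if reasons:
            findings.append({"key": key, "value": mask(value),
                             "reason": "; ".join(reasons)})
    # With APP_DEBUG=true Laravel's error page can print the environment,
    # which is one way these values reach an unauthenticated requester.
    if env.get("APP_DEBUG", "").lower() == "true":
        findings.append({"key": "APP_DEBUG", "value": "true",
                         "reason": "debug mode on; error pages can disclose "
                                   "environment variables"})
    return findings


def audit(text: str) -> List[Dict[str, str]]:
    return find_exposed_credentials(parse_dotenv(text))


# Constructed sample .env; the AKIA values are AWS documentation examples.
SAMPLE_ENV = """# constructed sample for the example
APP_NAME=Laravel
APP_ENV=production
APP_DEBUG=true
APP_KEY=base64:ZmFrZWtleWZha2VrZXlmYWtla2V5ZmFrZWtleQ==
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
AWS_DEFAULT_REGION=us-east-1
DYNAMODB_ACCESS_KEY=AKIAI44QH8DHBEXAMPLE
MAIL_HOST=smtp.example.com
MAIL_PASSWORD='hunter2'
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_ENV):
        print(f"{f['key']:<24} {f['value']:<44} {f['reason']}")
```

Run it against a real `.env` with `audit(open(".env").read())`; anything it reports should live in a secrets manager or instance role rather than in a file the web server can read, and `APP_DEBUG` should be `false` in production.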

You can read the update here.

Guest Post: Federal agencies reported over 30,000 cyber incidents in FY22

Posted in Commentary with tags on May 24, 2023 by itnerd

Today Atlas VPN is covering the recently published FISMA report by the United States Office of Management and Budget (OMB) for the fiscal year 2022.

The FISMA report published by the OMB provides information about the overall state of government information security, including challenges, progress, and incidents.

In fiscal year 2022, the total number of cyber incidents reported by agencies fell by around 6%.

There were 30,659 cyber incidents in FY 2022, according to the OMB’s annual FISMA report to Congress, down from 32,509 in 2021.

The Federal Information Security Modernization Act (FISMA) requires Federal agencies to develop, document, and implement agency-wide information security programs to protect sensitive government information and operations.

Agency officials, like chief information officers and inspectors general, conduct annual reviews of an agency's information security program and submit those to the OMB.

The OMB gathers all those annual reviews and summarizes them in the FISMA report, which is then submitted to Congress. 

These reports are publicly available on the Whitehouse.gov website.

Improper usage incidents were the most commonly reported by Federal agencies in FY 2022, with 10,467 total cases, a slight uptick from 10,123 in 2021.

Improper usage incidents result from violating the organization’s acceptable usage policies, like using work computers for personal matters. 

In addition, agencies reported that email or phishing attacks rose slightly to 3,010 last year from 2,962 in 2021.

The most significant growth in incidents was seen in the loss or theft of equipment category. 

Around one thousand computing or media devices were lost or stolen in 2021, while in 2022, the number climbed to 1,786 incidents. 

The most common attack vector remains in the “unknown” category.

Major incidents on the decline

According to OMB, 93% of the incidents in 2022 were classified as “baseline” or “unsubstantiated or inconsequential event[s].”

Four of almost 31 thousand incidents reported by agencies in FY 2022 were classified as major. 

Government bodies affected by the incidents included the Department of Education, the Department of Treasury, and the Department of Agriculture. 

One incident remains classified.

In contrast, agencies encountered seven major incidents in FY 2021. 

Overall, the number and severity of incidents remained relatively similar between FY 2022 and FY 2021.

To read the full article, head over to: https://atlasvpn.com/blog/federal-agencies-reported-over-30-thousand-cyber-incidents-in-fy22