Programmers step up
Post-election, things have finally started to change. Nabanita De attended a hackathon at Princeton University and, with three fellow programmers, developed an algorithm that authenticates what is real and what is fake on Facebook. They call this tool FiB.
This algorithm soon turned into a Google Chrome Extension that scans through your Facebook feed, in real time, and this is what I found on their website.
Our algorithm is twofold, as follows:
Content-consumption: Our Chrome extension goes through your Facebook feed in real time as you browse it and verifies the authenticity of posts. These posts can be status updates, images or links. Our back-end AI checks the facts within these posts and verifies them using image recognition, keyword extraction, and source verification and a Twitter search to verify if a screenshot of a Twitter update posted is authentic. The posts then are visually tagged on the top right corner in accordance with their trust score. If a post is found to be false, the AI tries to find the truth and shows it to you.
Content-creation: Each time a user posts/shares content, our chat bot uses a webhook to get a call. This chat bot then uses the same backend AI as content consumption to determine if the new post by the user contains any unverified information. If so, the user is notified and can choose to either take it down or let it exist.
During the election of 2016, Facebook found itself embroiled in the drama of fake news stories that were created by scammers looking to make a fast buck. Scammers knew they had a massive and willing audience on Facebook, and they struck. Pew Research, the nonpartisan American “fact tank,” reported that week that 64% of adults get news through social media, yet only 4% of users trust the information they find on the platforms a lot and 30% trust it some.
To resolve this issue, Mark Zuckerberg said that Facebook is working on a fake news detection system, a warning system, and the means to report fake news, but for many, this plan is too little, too late, this article says.
Here is the rest of the article: http://www.techrepublic.com/article/fake-news-is-everywhere-should-the-tech-world-help-stop-the-spread/?ftag=TRE684d531&bhid=27250068933112925186573856412477
This is a great article because it outlines most of the fears I always had when looking at scan results in my own systems that separated the types of vulnerabilities from critical down to low. Vulnerability scans provide a way for organizations to check how resistant their networks will be to an attack. The way they typically work is this: a scan shows the known vulnerabilities in the target systems and then ranks them by severity, usually on a scale of “Low,” “Medium,” “High” and “Critical.” In order to best protect the network, the Critical and High severity vulnerabilities are fixed, the Medium severity vulnerabilities are dealt with when and if there is personnel and budget capacity, and the Low severity vulnerabilities are left to persist indefinitely.
First, it is necessary to understand how vulnerabilities are assigned a severity ranking. Let’s assume that the scanning tool’s severity rankings are based either directly or indirectly on a vulnerability’s Common Vulnerability Scoring System (CVSS) score.
The general idea is that a number of criteria are considered in order to calculate a “Base Score” for a vulnerability. The Base Score ranges from 0-10 where the threshold for Medium Severity is 4.0, High is 7.0 and Critical is 9.0, and it is this information that is often used to assign severity ratings to vulnerability scanning tool findings.
The Base Scores are calculated using a number of factors including how complex a vulnerability is to exploit, where it can be exploited from, whether an attacker needs to be authenticated, and what the potential impact would be on confidentiality, integrity and availability. While these are all valid criteria that can tell us quite a bit about a vulnerability, the base score ignores some key things that should matter to us. The full version of the CVSS can also calculate “Temporal” and “Environmental” scores.
Focusing on the Critical and High Risk vulnerabilities also ignores the possibility of vulnerabilities being chained together by an attacker. For example, one vulnerability may allow an attacker to gain a foothold on a system under an account with very low privileges, while another vulnerability may allow an attacker to escalate privileges to an administrator level. Taken independently, these vulnerabilities might each be Low or Medium severity, but when combined the result is an attacker who can gain remote access with administrator-level privileges, which many organizations would (or at least should) consider high risk. A real-world example of how chaining vulnerabilities this way works can be seen in the “Hot Potato” exploit that relies on a series of Windows vulnerabilities, some of which date back over a decade.
Here is the rest of the article: http://www.securitymagazine.com/articles/87600-why-low-severity-vulnerabilities-can-still-be-high-risk
Gartner predicts that over the next two years more than half of IoT manufacturers won’t be able to contain weak authentication methods, which can pose a data risk. It is also estimated that by the year 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets. According to this article, security experts projected last April that security spending on IoT will approach $350M this year, which is almost a 24% increase from last year, but this may not be enough, experts say.
With proper measurements and security tactics we could work things out. A recent Forbes article covered the topic of IoT security, advocating “strict regulatory standards,” the need to “enhance security while simplifying compliance” and implementing “an end-to-end approach that integrates both IT and operations technology (OT).”
Devices which must authenticate against other systems (generally in order to access or transmit data) should be configured to do so securely, such as with unique IDs and passwords. It may also be possible to implement encryption (SSH) keys to provide device identity to permit it to authenticate against other systems (securing the keys themselves is obviously a critical priority for this model to work). Examples of IoT devices with this capability can include closed-circuit TV (CCTV) or DVR devices and satellite antenna equipment.
In other instances, device SSL certificates can be issued during the manufacturing process or added later to establish device identity and facilitate the authentication process. When it comes to device updates (software and firmware, for instance) authentication should be employed where possible to ensure these can retrieve code only from approved systems, such as internal servers or authorized devices.
Depending on your IoT devices, researching and implementing the capabilities above (if not already present) would be a good first step in security.
Hello class, while looking for something to write about I came across this article and thought I should share it with you.
The New York Times has a Tech Tip section, and this week’s part by J.D. Biersdorfer walks us through the opportunities and challenges of creating apps for different technologies, even if you’ve never studied computer programming. It also provides interesting links to explore materials and tutorials for online exercises at your own pace and time.
Under the Computer Science Education Week link https://csedweek.org/, you can try to code for an hour and expand your horizon with this cool site, watch the 5-minute video and get your 5 minutes of coolness for the day.
There are other links available for Apple’s free software, videos and tutorials for learning the Swift language. I was also interested in the coding concepts link and the free Swift Playground app for the iPad platform, but why are you still reading this? Click on the link and have fun.
“We were under attack,” said the New York Times in today’s edition, based on users’ reported sporadic problems reaching several websites including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times.
Reports from Dyn, a company that serves to monitor and reroute internet traffic, said that they experienced a DDoS attack just after 7:00 a.m. Friday morning. Some users reported inaccessible sites from the East Coast, and it spread westward in three separate waves until evening hours.
Other reports associated with this incident mentioned that the attack appears to have relied on hundreds of thousands of internet-connected devices like cameras, baby monitors and home routers that have been infected, and here is the kicker, without their owners’ knowledge, allegedly with software that allows hackers to command them to flood a target with overwhelming traffic.
Kyle York, Dyn’s chief strategist, said in this article that others that host the core parts of the internet’s infrastructure were targets for a growing number of more powerful attacks, and “the number and types of attacks, the duration of attacks and complexity of these attacks are all on the rise,” Mr. York said this morning.
So we will be getting the touch and feel of the newest Google browser, Chrome 56, which as of January 2017 will flag as “not secured” any non-HTTPS sites that transmit credit card information and passwords.
Hypertext Transfer Protocol Secure (HTTPS) is a converter for the Web’s lingua franca, the hypertext transfer protocol, with encryption from Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to guarantee the authenticity of a website; it also protects communication between client and server, and obviates man-in-the-middle attacks, says Terry Sweeney from InformationWeek Dark Reading magazine.
When a website is loaded over HTTP, someone else on the network can look at or modify the site before it gets to you. Currently Chrome displays HTTP connections with its neutral indicator, which Google says doesn’t reflect the real lack of security.
Net Market Share mentions that Google Chrome is the most widely used browser in the world, with nearly 54% of the combined desktop and mobile user segments as of the month of August.
The main change for users is that eventually the plan is to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that they use for broken HTTPS pages.
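A site owner can check ahead of time which pages fall under the password and credit card rule described above. This is an added example, not Chrome's own logic: it approximates the rule by looking for password inputs and inputs whose autocomplete hint starts with "cc-", and the URLs and HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class SensitiveFieldFinder(HTMLParser):
    """Collects <input> fields that ask for a password or payment card data."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "").lower() for k, v in attrs}
        name = a.get("name", "?")
        if a.get("type") == "password":
            self.hits.append("password field: " + name)
        elif a.get("autocomplete", "").startswith("cc-"):
            # Assumption: card fields are recognised by their autocomplete hint.
            self.hits.append("card field: " + name)

def warning_reasons(url, html):
    """Return the fields that would earn an HTTP page the warning (empty if none)."""
    if urlsplit(url).scheme.lower() == "https":
        return []  # encrypted delivery: the rule in the text does not apply
    finder = SensitiveFieldFinder()
    finder.feed(html)
    return finder.hits

# Constructed sample pages.
LOGIN = '<form><input name="user"><input type="password" name="pw"></form>'
PAY = '<form><input name="card" autocomplete="cc-number"></form>'
NEWS = '<form><input type="search" name="q"></form>'
PAGES = [
    ("http://shop.example/login", LOGIN),
    ("http://shop.example/pay", PAY),
    ("https://shop.example/login", LOGIN),
    ("http://shop.example/news", NEWS),
]

def audit(pages):
    """Map each flagged URL to its reasons; unflagged pages are left out."""
    found = ((url, warning_reasons(url, html)) for url, html in pages)
    return {url: reasons for url, reasons in found if reasons}
```

Running `audit(PAGES)` lists only the two HTTP pages that collect a password or card number; the HTTPS login page and the plain HTTP search page are left out.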