Monday, August 19, 2019

New Certification Rules from the EU Cybersecurity Act


In June 2019, the European Cybersecurity Act was instituted, introducing the first-ever EU-wide rules on the cybersecurity certification of products, processes, and services. This serves to strengthen the role of the EU Agency for Cybersecurity (ENISA).

The European cybersecurity certification framework establishes tailored and risk-based EU certification schemes, aiming to increase the cybersecurity of online services and consumer devices. Each such scheme comprises a comprehensive set of EU-wide rules, technical requirements, standards and procedures serving to evaluate a specific product, service or process on the basis of its cybersecurity properties. Each certificate will carry one of three assurance levels, and will be recognized EU-wide.
The harmonized rules are expected to facilitate cross-border trade of relevant products and services, reduce market-entry barriers, and simplify the process of cybersecurity certification.
ENISA has received a permanent mandate with additional responsibilities and resources to better help Member States in addressing cybersecurity threats and incidents. This includes support to policy implementation, standardization, certification, crisis management and coordinated vulnerability disclosure. ENISA's mandate has been applicable since 27 June 2019. The Commission is currently preparing the requests for ENISA to design certification schemes and to establish two expert groups:
the European Cybersecurity Certification Group, consisting of Member States representatives; and
the Stakeholder Cybersecurity Certification Group, mandated to advise ENISA and the Commission.
Inter alia, on the basis of a public consultation, the Commission will identify strategic priorities for certification and a list of ICT products, services and processes to be included in the scheme.


Friday, August 16, 2019

Abuse of Online Privacy Rules Means Personal Info Can Be Compromised - So Require Credentials

With the introduction of Europe's General Data Protection Regulation, firms in Europe and around the globe should be aware that social engineering tactics can be used to acquire an individual’s sensitive data.

“…For social engineering purposes, GDPR has a number of real benefits, Pavur said. Firstly, companies only have a month to reply to requests and face fines of up to 4 percent of revenues if they don't comply, so [the] fear of failure and time are strong motivating factors.

In addition, the type of people who handle GDPR requests [is] usually admin or legal staff, not security people used to social engineering tactics. This makes information gathering much easier….”

Direct email marketing, for example, is already regulated under the EU's e-Privacy Directive. Such rules require consent before someone can be sent direct marketing. A so-called "soft opt-in" makes this slightly easier. If a firm has an existing relationship, for instance, if a customer has bought a product from them before, they may still contact that recipient.

The European Union is updating its rules on electronic communications just as the UK is hurrying to put its own Data Protection Act in place, mindful of how Brexit will affect tech firms. The continued flow of data between the UK and the rest of Europe (and the world) depends on the governments' ability to cooperate.

Monday, August 12, 2019

Is LIDAR going away for A.I. vision? Elon Musk says yes, others disagree

Cornell researchers published a research paper that is somewhat critical of lidar. Using nothing but stereo cameras, the computer scientists achieved breakthrough results on KITTI, a popular image recognition benchmark for self-driving systems. Their new technique produced results far superior to previously published camera-only results, and not far behind results that combined camera and lidar data. LiDAR sensors use lasers to create 3D point maps of their surroundings, measuring objects' distance via the speed of light. Stereo cameras, which rely on two perspectives to establish depth, as human eyes do, seemed promising. But their accuracy in object detection had been woefully low, and the conventional wisdom was that they were too imprecise.

Radar sensors deliver images similar to optical sensors. LiDAR delivers points which measure the distance between the instrument and the target. The reason cameras plus lidar performed better than cameras alone had nothing to do with the superior accuracy of lidar's distance measurements. Rather, it was because the "native" data format from lidar (a 3D point cloud) is easier for machine-learning algorithms to work with.
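The two sensing models described above, as an added illustration that is not from the article or from the Cornell paper: a stereo pair turns pixel disparity into depth (Z = f * B / d), and back-projecting each depth pixel through the camera model yields exactly the kind of 3D point list a lidar emits natively. The camera parameters, the tiny disparity map and the function names are constructed assumptions for the example; the depth-error function also shows why stereo precision falls off quadratically with range, which is the imprecision the article mentions.

```python
"""
Stereo disparity -> depth -> lidar-style 3D point cloud.

Constructed example: a pinhole stereo rig with focal length f (pixels),
baseline B (metres) and principal point (cx, cy). All parameter values
below are assumptions chosen for illustration, not from any real sensor.
"""
from typing import List, Optional, Tuple

Point = Tuple[float, float, float]

# Constructed camera parameters (assumption).
FOCAL_PX = 700.0      # focal length in pixels
BASELINE_M = 0.54     # distance between the two cameras in metres
CX, CY = 4.0, 3.0     # principal point of a tiny 8x6 image


def disparity_to_depth(disparity: float) -> Optional[float]:
    """Return depth in metres for a pixel disparity, or None when the pixel
    had no valid correspondence between the left and right images."""
    if disparity <= 0:
        return None
    return FOCAL_PX * BASELINE_M / disparity


def depth_error_for_disparity_error(disparity: float, disp_err: float = 1.0) -> float:
    """Depth error caused by a disparity error of disp_err pixels.
    Since Z = f*B/d, dZ/dd = -Z^2/(f*B), so |dZ| = Z^2/(f*B) * disp_err:
    the same one-pixel matching error costs far more depth at long range."""
    z = disparity_to_depth(disparity)
    if z is None:
        raise ValueError("no valid depth for non-positive disparity")
    return z * z / (FOCAL_PX * BASELINE_M) * disp_err


def disparity_map_to_point_cloud(disp_map: List[List[float]]) -> List[Point]:
    """Back-project every valid pixel (u, v) with disparity d to (X, Y, Z).
    The result has the same shape as a lidar scan: a list of 3D points."""
    cloud: List[Point] = []
    for v, row in enumerate(disp_map):
        for u, d in enumerate(row):
            z = disparity_to_depth(d)
            if z is None:
                continue  # skip pixels with no stereo match
            x = (u - CX) * z / FOCAL_PX
            y = (v - CY) * z / FOCAL_PX
            cloud.append((x, y, z))
    return cloud


if __name__ == "__main__":
    # Constructed 2x2 disparity map: two matched pixels, two unmatched.
    sample = [[37.8, 0.0], [0.0, 37.8]]
    for p in disparity_map_to_point_cloud(sample):
        print("point (m): x=%.4f y=%.4f z=%.2f" % p)
    for d in (37.8, 3.78):
        print("disparity %.2f px -> depth %.1f m, +-%.2f m per pixel of error"
              % (d, disparity_to_depth(d), depth_error_for_disparity_error(d)))
```

Running the block shows a 10 m object at 37.8 px disparity carrying about 0.26 m of depth error per pixel of matching error, while a 100 m object at 3.78 px carries about 26 m; the point cloud it emits is the representation a lidar-based detector already consumes.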


Thursday, August 8, 2019

Finnish Approach to Flexible Work is a Model


By now many employers recognize that remote workers tend to be more productive because they don't need to commute into work. Many often finish their work on their own time, and they aren't distracted by their coworkers, maintaining that crucial state of "flow" that intellectual workers rely on.

Finland has a decent idea of how to make flexible work part of the culture. According to a survey commissioned by the EU, Finland is the leading teleworking country in Europe. The use of information technology, in its various forms, is the driving force behind teleworking, also known as distance working.

https://www.bbc.com/worklife/article/20190807-why-finland-leads-the-world-in-flexible-work

Tuesday, August 6, 2019

Known Apple Vulnerability Remains Unpatched

Apple Wireless Direct Link (AWDL) is at the core of Apple services like AirPlay and AirDrop, and Apple has been including AWDL by default on all devices the company has been selling, such as Macs, iPhones, iPads, Apple watches, Apple TVs, and HomePods.

It seems that the AWDL protocol, installed on over 1.2 billion Apple devices, contains vulnerabilities that enable attackers to track users, crash devices, or intercept files transferred between devices via man-in-the-middle (MitM) attacks.

These are the findings of a research project that started last year at the Technical University of Darmstadt, in Germany, and has recently concluded, and whose findings researchers will be presenting later this month at a security conference in the US. The project sought to analyze the Apple Wireless Direct Link (AWDL), a protocol that Apple rolled out in 2014 and which also plays a key role in enabling device-to-device communications in the Apple ecosystem.

Most Apple end users might not be aware of the protocol's existence, but in the past five years Apple has never published any in-depth technical details about how AWDL works. This, in turn, has resulted in very few security researchers looking at AWDL for bugs or implementation errors.