STE WILLIAMS

Pentagon publishes AI guidelines

As the specter of killer warrior robots looms large, the Pentagon has published a set of ethical guidelines for its use of artificial intelligence. It’s a document designed to guide the use of AI in both combat and non-combat military scenarios.

The document comes from the Defense Innovation Board, a group of 16 heavy hitters chaired by former Alphabet executive chair Eric Schmidt and counting Hayden Planetarium director Neil deGrasse Tyson and LinkedIn cofounder Reid Hoffman among its members.

Called AI Principles: Recommendations on the Ethical Use of Artificial Intelligence by the Department of Defense, the missive is an attempt to lay out ground rules for the use of AI early on, giving the military a framework on which to build its AI systems. Frameworks like these are important for the safe rollout of new technologies, it points out, citing civil engineering and nuclear-powered vessels as examples.

The guidelines document says:

Now is the time, at this early stage of the resurgence of interest in AI, to hold serious discussions about norms of AI development and use in a military context – long before there has been an incident.

It’s important to do this now because US adversaries are already gaining traction with their military AI research efforts, the document adds, calling out China and Russia by name.

The guidelines contain five main principles designed to keep AI-driven systems – for combat and other uses – in check:

Responsible – human beings should always guide the development and deployment of AI systems and determine their outcomes.

Equitable – AI systems should not harm people through unintentional bias.

Traceable – AI algorithms should be transparent and auditable.

Reliable – Designers must define the scope of an AI system’s tasks and ensure that it doesn’t overstep into other areas.

Governable – Humans should be able to step in and control AI at any point, including turning it off if necessary.

The guidelines also contain 12 recommendations to support these principles, including the creation of an AI steering committee, investment in research, and workforce AI training. They call for the creation of benchmarks to measure AI system reliability and a methodology to manage risk when rolling out AI.

The guidelines and accompanying white paper weren’t developed in a vacuum. They draw on documents that already guide US military ethics including Title 10 of the US Code and the Geneva convention. The Board also spent 15 months consulting with industry when developing the guidelines, tapping brains at Facebook, the MIT Media Lab, Elon Musk’s OpenAI research institute, and Stanford University.

The Department of Defense also created Directive 3000.9, a 2012 policy document on autonomous weapons development, although the guidelines make it clear that AI doesn’t necessarily equal autonomy.

It’s high time the US army clarified its policy on AI, because it is already researching the use of the technology in military applications. Staff at Google protested over the company’s use of AI in its Project Maven work for the Pentagon, and the company has now launched its own set of principles defining its use of the technology. Meanwhile, the Department of Defense is already working on an Advanced Targeting and Lethality Automated System (ATLAS) to automatically target enemies.

The debate around using AI for military applications has been raging for a while. As far back as 2015, the UN questioned whether AI should be allowed in weapons but it hasn’t made any rulings as yet, and the Campaign to Stop Killer Robots has been pressing the issue since it formed in 2013.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QVzJCPZlr9g/

Russia’s sovereign internet law comes into force

The Russian government calls it the “sovereign internet” law and from 1 November it compels the country’s ISPs to forward all data arriving at and departing from their networks through special gateway servers.

Promoted since 2018, the sovereign internet is, from the government’s point of view, a way of protecting the country from the bad stuff the internet – or other countries – might throw at it.

To its critics, Runet, as it’s also known, is a straight power grab by a government obsessed with the idea of control, surveillance and censorship of its population.

If this sounds a bit like China’s infamous Great Firewall, senior Russian politicians downplay the comparison. Said Prime Minister Dmitri Medvedev earlier this year:

Certainly, we won’t have Chinese-style regulations. No firewall will emerge here.

On the contrary, he said, Runet was more about pushing back against the historic regulation of the internet by one country, the US, which had the power to threaten the integrity of Russia’s internet infrastructure.

DPI paranoia

At face value, it seems the government’s solution in Runet is to build a sort of parallel national internet, which is connected to global networks but can be disconnected from them if the government decides that’s necessary.

It sounds like an intranet of the sort Iran once proposed – a separate network with connections to the outside world – but its design is closer to that of a giant proxy through which traffic can be made to pass some of the time.

The simplest element of this will be deep packet inspection (DPI), a technology already universally used by ISPs across the world to shape traffic, block unwanted protocols, and prioritise specific applications.

But unlike conventional quality of service DPI, this won’t be controlled by ISPs, which will pass traffic to servers in the same racks controlled by communications regulator Roskomnadzor to do Runet’s heavy lifting.

Arguably, this is similar to the Great Firewall because its design sets up government-controlled servers as gateways capable of blocking traffic to applications, websites, and keywords the authorities want to stop citizens from accessing.

DNS 2

DPI has its limits, which is why Runet is trialling a much more radical concept that has some experts scratching their heads – a parallel DNS infrastructure.

DNS is a complex, distributed global address book, listing which IP addresses are associated with which domain names.

Setting up a parallel DNS implies that Russia will somehow mirror or proxy this system, or set up rival root domain servers, allowing it to filter which domains will be resolved or what they resolve to.

No country has ever tried this before and it’s hard to see how it can be done without creating a lot of potential bottlenecks or points of failure.

It looks as if this part of Runet is some way off being operational, which suggests that the technical challenges have yet to be overcome.

There is some justification for Russia’s worry about other countries launching cyber-operations against it – a scattering of reports suggest the US is probing Russian infrastructure (including its infamous ‘troll factory’ in St Petersburg) in a way that should give its leaders cause for concern.

And yet to sceptics, the idea of Runet offering the country glorious isolation is a far-fetched fantasy which ignores the realities of how ISPs and the internet work.

Internet traffic isn’t like a pipe that can be turned on and off or diverted at will. It functions as a cooperative system in which Russian ISPs must peer traffic that is heading to other destinations in ways that belie simple concepts of internal and external, good and bad.

The Russian government’s real battle is with a very narrow range of applications such as messaging app Telegram, VPN network providers (many of which were banned in 2017) and overlay privacy systems such as Tor.

If they are the real target, Runet is just another tool in the box. It won’t stop these from working but it might make accessing them less reliable and dissuade some Russians from using them.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/twD2GGWkqxs/

Please tell us why you’re not securing yourselves, UK.gov asks businesses

The British government wants your bright ideas for improving the nation’s cybersecurity because it wants to “understand the apparent lack of strong commercial rationale for investment” in locking down your shizz.

As part of its fond hope of making the UK a bit more secure than the rest of the world, the Department for Digital, Culture, Media and Sport (DCMS) wants you to tell it what it could be doing better.

The Cyber Security Incentives and Regulation Review is intended to tell UK.gov which of its security-enhancing initiatives do and don’t work. Many of those are routed to the great unwashed via the National Cyber Security Centre (NCSC).

In its detailed consultation document, accessible here, DCMS claimed that “only around 60 per cent of organisations took actions to identify cyber security risks”, citing a survey it carried out earlier this year.

Back in April, NCSC tech director Ian Levy said: “I think we’re still seeing very common things happen that were happening 15 years ago. We’ve got to find some way of changing it. It’s obvious the way we’ve been trying to get people to change this hasn’t been working.”

Perhaps perceptively, the department opined that part of the problem with getting smaller businesses to take cybersecurity seriously was the problem that security is “viewed as an IT-specific issue and an objective in itself, rather than an enabler of business continuity and operational resilience”.

Digital minister Matt Warman, the one-time technology editor of the Daily Telegraph, pleaded: “I hope this review will encourage the industry to think about what government could do to help and what incentives might encourage firms and businesses to manage their cyber risk.”

DCMS also published a postal feedback address, presumably for the use of people who write in green ink and think all of the internet is hopelessly insecure.

Separately, defence ministers published their latest response to Parliament’s Joint Committee on the National Security Strategy, in which the word “cyber” was mentioned just six times across 17 pages.

The Ministry of Defence is spending £40m on its “cyber security operations capability”, bunging £12m on the Defence Cyber School for training uniformed infosec bods, and a total of £265m on securing existing military hardware against cyber threats. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/11/04/ukgov_security_survey/

New: 2019 State of the Internet / Security: Phishing

Phishing attacks require two things: a lure and a landing. This Akamai-sponsored report digs deep into how the phishing economy works and ways organizations can protect themselves from the ever-evolving threat.

Phishing isn’t a new phenomenon. Since the early days of the Internet, nefarious actors have been impersonating people and businesses in order to first gain your trust, and then your personal information. Now that the Internet is more prevalent in our lives, attackers are getting savvier, making their phishing attacks more sophisticated so that we still fall for them – no matter how aware we are.

Download this installment of the Akamai 2019 State of the Internet (SOTI) report to explore virtually every aspect of phishing, including:

• The basics of phishing as it has evolved over the years
• The development cycle used by phishing kit creators
• The growth of phishing as a service

The latest SOTI report digs deeper into a few examples of how the phishing economy works, and how users and businesses can take steps to protect themselves against the ever-evolving threat of phishing. This style of attack is not one-size-fits-all, so users and businesses must continue to do due diligence to stay one step ahead of criminals looking to misuse their social trust.


Article source: https://www.darkreading.com/edge/theedge/new-2019-state-of-the-internet---security-phishing---baiting-the-hook/b/d-id/1336228?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

To Secure Multicloud Environments, First Acknowledge You Have a Problem

Multicloud environments change rapidly. Organizations need a security framework that is purpose-built for the cloud and that aligns with their digital transformation strategy.

Enterprise cloud adoption continues to increase rapidly. According to Gartner, expenditures toward enterprise IT cloud-based offerings are rising at almost triple the rate of spending on traditional, non-cloud solutions. The firm predicts that more than $1.3 trillion in IT spending will move to the cloud by 2022. As organizations increasingly make their digital transformation to the cloud, they are not only adopting cloud applications, they are moving important parts of their IT infrastructure, such as databases, to the cloud for an infrastructure-as-a-service model. But with this rapid shift to the cloud come new security challenges, especially when an organization has a multicloud environment.

Research shows that on average, companies use a mix of four or more public and private clouds. Many security professionals think they can simply take their traditional cybersecurity fundamentals, such as patching and scanning, and apply them to their multicloud environment to make their organization secure. While those fundamentals remain essential, they don’t address the reason that so many organizations today are struggling to secure their multicloud environments. The reason securing a multicloud environment is so difficult is because you have essentially handed off your operating environment to a third-party — Amazon Web Services, Azure, Google Cloud Platform, or another. As a security professional, you no longer have control over the infrastructure; you only have control at the application level or just above the operating system level.

It’s a true paradigm shift. Whereas in the past, security professionals had full control over their servers and data and were able to apply and enforce all their security best practices and principles, now they are at the mercy of the cloud provider. No longer owning the infrastructure or the platform, security professionals are discovering that they may not be able to use the same security tools they would have used in the past. It introduces the question, “What controls can I use in the cloud and at what level?”

Compounding the challenge, each cloud provider is now releasing its own, native security tools. While these native-built security tools may make it easier to secure that particular cloud environment, they can’t be used with the other clouds the organization relies upon. With each cloud provider releasing new tool sets at a rapid pace — often daily — enterprise security teams are racing to keep up. In addition, many security vendors have their own private cloud that runs across public cloud hybrids. Enterprise security teams are challenged with trying to interconnect all these clouds at a business level, as well as at the cloud ecosystem level in order to gain visibility and manage risk across all of them. The multicloud environment is a multiplier of complexity, and as a security professional, you’re held responsible for securing all of it.      

Solving the Multicloud Security Puzzle
The first step in securing your multicloud environment is understanding that you have a problem. Many organizations have moved to the cloud so quickly that they’re just beginning to realize they haven’t built the necessary security programs and tools needed to scan and monitor across all their cloud environments. Next, make sure you know where your assets reside in the cloud and put protection around them, using a native approach. The native security tools offered by cloud providers have their advantages, but they don’t work across clouds. In a multicloud environment, you need the ability to bring all your different security tools under a single pane of glass for visibility, monitoring, and centralized control. Using security orchestration, automation, and response (SOAR) technologies, advanced analytics and machine learning, enterprise security teams can gain a single view of the threats, vulnerabilities, and perceived risks across their organization’s entire environment and create a central point for tracking security events and responding to alerts. [Editor’s note: Trustwave is one of a number of vendors that offer such services.]  

It’s important to realize that as you bring all these tools together under a single pane of glass, you want to do it without having to send all your data to yet another cloud service. As much as possible, leave your data closest to where it’s being generated. Look for SOAR solutions that are designed to pull just the alert or a summarization of the data. Then, based on insights gained from analysis, pull only the data necessary to make a decision or increase the fidelity of the alert. There are some excellent cloud-native security information and event management (SIEM) tools, but you want to make sure the data you have feeding into them is configured correctly.

Of course, security fundamentals also remain essential in a multicloud environment. Many organizations today aren’t performing basic security hygiene for their databases, which is alarming. Scan the cloud, and consistently scan and monitor your databases from both an event and log perspective to see if you have open, inherent risks.  

Finally, perhaps the most important aspect of securing a multicloud environment is to make sure your security leaders are included in the decision-making process early whenever a business unit is considering adopting a new, cloud-based service or application. Too often, the security team is looped into the process too late, which causes a lot of inefficiencies and rework when an incorrect configuration or security lapse early on in the deployment process cascades to cause security vulnerabilities elsewhere.

Multicloud environments change rapidly. Organizations need a security framework that is purpose-built for the cloud and that aligns with their digital transformation strategy. Simply using the security framework you built in your legacy or hybrid environment won’t suffice. Securing a multicloud environment is complex, but there’s no need to do it alone. Seek help from your trusted security partners and consultants and follow a security-by-design approach that incorporates security within your organization’s cloud migration early and often — reviewing and penetration testing each step of the way. By doing so, your organization will be able to enjoy the benefits of the cloud while minimizing the risks.  


Chris Schueler is senior vice president of managed security services at Trustwave where he is responsible for managed security services, the global network of Trustwave Advanced Security Operations Centers and Trustwave SpiderLabs Incident Response. Chris joined Trustwave …

Article source: https://www.darkreading.com/cloud/to-secure-multicloud-environments-first-acknowledge-you-have-a-problem/a/d-id/1336219?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Chrome bug squashed, QNAP NAS nasty hits, BlueKeep malware spreads, and more

Roundup Let’s check out some of the more recent security happenings beyond what we’ve already covered.

Chrome bugs cleaned up

Anyone running Chrome will want to update and restart their browser in order to make sure they have the latest build, as usual. Google has patched a bunch of flaws including a use-after-free vulnerability (CVE-2019-13720) that was being actively exploited in the wild against victims. Make sure you’re running version 78.0.3904.87 or higher for Windows, Mac, and Linux to be safe.

More technical details are here: essentially, a malicious JavaScript file on a webpage can exploit the vulnerability to potentially gain arbitrary code execution and install spyware and other horrible stuff on the computer. Kaspersky reckons the flaw was abused in an attempt to infect Chrome-using visitors of a Korean-language news website, in a campaign dubbed Operation WizardOpium.

Crypto-miner spreads via BlueKeep hole

We hope you’ve all patched your Windows systems for the BlueKeep RDP flaw, which can be exploited to achieve remote-code execution on vulnerable machines. It appears Monero-mining malware is spreading among un-patched boxes via the security flaw. Microsoft patched the bug way back in May.

Marcus Hutchins, with help from Kevin Beaumont, has detailed the spread of the BlueKeep-exploiting nasty here for Kryptos Logic.

All the more reason to ensure you’re patched.

ClamAV zero-day lands but don’t panic

Someone has popped onto Pastebin a zero-day code-execution exploit that can hijack systems running the open-source antivirus engine ClamAV. While this software is used quite widely, and thus such a bug could prove disastrous, the danger isn’t very great: exploitation is limited to a very narrow configuration, as discussed here on Twitter.

Azure Sphere gets a release date

Microsoft’s planned hardware-to-cloud Azure Sphere platform now has a general availability date. Microsoft says that the first devices embedded with the tech will be arriving in February of 2020.

For those unfamiliar, Azure Sphere is Microsoft’s bid for a secure IoT platform. Redmond is combining on-chip secure enclave tech with a custom-made Linux kernel and its Azure cloud service. The idea is to offer embedded device makers an all-in-one security package that goes from the silicon level to the cloud management tools.

NAS-ty malware surfaces

Last week, authorities in Finland warned of a newly discovered piece of malware targeting QNAP network storage boxes.

Known as QSnatch, the software nasty connects infected boxes to a command-and-control server and harvests usernames and passwords. The infection also has the potential to load up other modules should the attackers decide to do more with their botnet. According to Germany’s CERT, the malware is already spreading rapidly and has got into at least 7,000 machines in that country alone.

Ensure you’re running the latest version of the QNAP firmware to avoid being compromised. The exploited bug was addressed in February this year, though it looks like malware is finally spreading via the hole on unpatched boxes.

Pwn2Own gets new targets

The popular Pwn2Own competition is set to add a new category, as Trend Micro says it will be adding industrial control systems to the roster of target devices. Those who can hack the hardware will get a cash reward and, if tradition holds, will also be able to take home the hacked kit.

PHP stands for “patch hella pronto”

Anyone running PHP, particularly PHP with the Nginx webserver and FastCGI, will want to take the time out to update their boxes following the discovery and patching of a vulnerability in the software stack. Discovered during a capture-the-flag competition, the bug can potentially be exploited remotely to achieve code execution, depending on your configuration.

The core problem (CVE-2019-11043) lies in PHP, it seems, so make sure you’ve updated to the latest versions listed here.

LabKey software found to contain RCE hole

Admins in the medical field will want to pay attention to these bugs in LabKey, a software platform used with biomed research gear. If chained together, the flaws would potentially allow for remote code execution.

Fortunately, given how niche the software is, the chances of active exploits targeting the bugs are not particularly high. Still, it would be a good idea to get a patch installed as soon as possible.

India nuclear plants report malware infection

A nuclear power plant in India discovered a malware infection believed to be linked to North Korea. Fortunately, the software nasty, we’re told, was not found near any of the reactor controls.

Credit cards for sale on the internet, gasp

Infosec outfit Group-IB says it has uncovered an estimated 1.3 million cards offered for sale on the internet at a total estimated value of more than $130m. The card data largely belonged to bank customers in India.

Meanwhile, a website called BriansClub that was selling more than 26 million credit and debit card records to fraudsters was hacked, and its contents leaked, allowing banks to cancel the compromised cards.

Domain registrars warn of data thief

Customers of NetworkSolutions, Web.com, and Register.com were warned at the turn of this month that some of their data was exposed to hackers who managed to gain access to the trio’s internal databases.

There were no payment cards nor passwords in the data store, though the miscreants would have been able to see basic contact information, such as physical addresses, phone numbers, and email addresses. Those exposed would be wise to keep an eye out for spear-phishing attacks that might use that information to appear more authentic.

Camgirl websites’ security lapse

A network of websites through which netizens – mainly those in Spain and Europe – can watch people, typically women, strip off live over the web left a back-end database open to the internet, exposing some 13 million records including users and camgirls’ email addresses, IP addresses, chat logs, and more. The system has since been secured and hidden from view. One group of security researchers, who contacted El Reg on Friday, planned to go public with the details this week, though they were seemingly beaten to it by cyber-biz Condition:Black over the weekend. It is understood no payment data was exposed.

FireEye details SMS-stealing Chinese malware

FireEye says that the China-based APT41 crew is using a piece of malware known as Messagetap to spy on text messages. The malware is said to be installed on the SMS servers at telco providers and gives the attackers the ability to pull select messages from surveillance subjects. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/11/04/security_roundup_november1/

Apple props up macOS Catalina with 10.15.1 update

Is Apple’s macOS 10.15 Catalina really experiencing a Windows Vista moment?

In the Windows world, the idea of upgrade problems would be laughed off as something that comes with the territory.

Not so for the smaller and committed Apple base, a vocal minority of whom were quick to express dissatisfaction at the move to Catalina from macOS 10.14 Mojave.

Comparing it to Windows Vista from 2006 sounds like an exaggeration (such were its memory-hogging tendencies that just getting that running at all could be a challenge) but there’s no doubt some Mac users have had unexpected issues with Catalina.

These include problems establishing network connections, connecting to Bluetooth accessories, accepting iCloud terms and conditions, and in some cases even installing at all when disk space is low.

Most annoying of all has been the issue of getting older but valued 32-bit applications to work, with a reported 235 affected in total.

Ironically, this is by design and Apple has been posting compatibility warnings to users when they run these apps since at least macOS High Sierra in 2017.

Users can check their app status before starting the upgrade by clicking the Apple symbol in the menu bar, clicking About This Mac > System Report, scrolling to the software list and checking Legacy Software.

Any apps listed here won’t be compatible with Catalina so users need to download 64-bit equivalents where those are available.
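The same Legacy Software check from the command line, as an added example that is not part of the original article: system_profiler’s SPApplicationsDataType report (the CLI counterpart of the System Report pane) carries a “64-Bit (Intel)” field per application, and this script parses that report and lists the apps Catalina will refuse to run. The sample report below is constructed, and its exact text layout is an assumption.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `system_profiler SPApplicationsDataType` text output.
# The indentation and field names follow the layout seen on Mojave/High Sierra;
# treat that layout as an assumption rather than a captured report.
SAMPLE_REPORT = """\
Applications:

    Old Photo Editor:

      Version: 3.2.1
      Obtained from: Identified Developer
      Last Modified: 12/03/15, 10:14
      Kind: Intel
      64-Bit (Intel): No
      Location: /Applications/Old Photo Editor.app

    Safari:

      Version: 13.0.2
      Obtained from: Apple
      Last Modified: 01/10/19, 09:30
      Kind: Intel
      64-Bit (Intel): Yes
      Location: /Applications/Safari.app

    Legacy Helper:

      Version: 1.0
      Obtained from: Unknown
      Last Modified: 05/05/12, 16:00
      Kind: Intel
      64-Bit (Intel): No
      Location: /Library/Application Support/Legacy Helper.app
"""

# An application entry is a 4-space-indented name ending in a colon;
# its attributes are 6-space-indented "Key: value" lines beneath it.
APP_HEADER = re.compile(r"^ {4}(\S.*):$")
FIELD = re.compile(r"^ {6}([^:]+): (.*)$")


def parse_applications(report: str) -> List[Dict[str, str]]:
    """Turn the indented text report into one {field: value} dict per application."""
    apps: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in report.splitlines():
        header = APP_HEADER.match(line)
        if header:
            current = {"name": header.group(1)}
            apps.append(current)
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return apps


def legacy_apps(report: str) -> List[Dict[str, str]]:
    """Return the apps Catalina will not run: those reporting '64-Bit (Intel): No'."""
    return [
        app for app in parse_applications(report)
        if app.get("64-Bit (Intel)", "Yes").strip() == "No"
    ]


def legacy_apps_on_this_mac() -> List[Dict[str, str]]:
    """Run system_profiler (macOS only) and return the 32-bit-only apps it lists."""
    result = subprocess.run(
        ["system_profiler", "SPApplicationsDataType"],
        capture_output=True, text=True, check=True,
    )
    return legacy_apps(result.stdout)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a Mac call
    # legacy_apps_on_this_mac() instead to inspect the real installation.
    for app in legacy_apps(SAMPLE_REPORT):
        print(f"{app['name']} {app.get('Version', '?')}  {app.get('Location', '?')}")
```

The two constructed 32-bit entries are the ones that would need 64-bit replacements before upgrading.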

Perception is all

If it was just a case of a few miffed users, Catalina would be like every other OS upgrade on just about any platform – some users have problems.

But some of the issues have bordered on silly, for example reports that the Twitter app refuses to accept certain letters when entering passwords, specifically ‘b’, ‘l’, ‘m’, ‘r’, and ‘t’.

Tweeted Twitter inhouse developer Nolan O’Brien on 30 October:

Is macOS becoming more Windows like in its quality control?

In truth, mutterings about Apple’s desktop operating systems have been growing for a while, fuelled by the suspicion in some quarters that in the post-iPhone era the company has lost interest in its older, less profitable business lines.

It’s also the case that operating systems have become more complex since Windows Vista days, both in terms of the services and devices they must support and of the security features necessary to defend them.

In terms of problems, Windows and macOS look very similar these days. What remains a distinguishing feature of Apple’s base is its higher expectations.

Catalina 10.15.1 update

A week after shipping Catalina, Apple released a supplemental update designed to iron out some of its bugs.

This has now been extended with a formal update that adds other fixes to the list plus a raft of routine security updates.

The latter cover 33 CVE-level security vulnerabilities (Happy Birthday, by the way), including several fixes for kernel-level flaws, the CUPS printing subsystem, graphics, and one affecting App Store authentication.

Apple doesn’t comment on the criticality of flaws, but this is an update users will definitely want if they’ve made the jump to Catalina.

If you don’t get updates automatically (as some users don’t because of the issues already discussed) both Catalina and the 10.15.1 update can be found by checking System Preferences > Software Update.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Q6JmalYHavU/

S2 Ep15: City under attack! VPN hacked, floppies nixed

This week host Anna Brading is joined by Sophos experts Mark Stockley, Greg “Fido” Iddon and Peter Mackenzie.

This week we discuss an attack on the city of Johannesburg that came with a ransom demand and ask “was it ransomware?”; we talk about what the breach at NordVPN means for VPN users; and we reminisce about the ancient floppy disks that, until recently, underpinned the USA’s nuclear deterrent.

Listen below, or wherever you get your podcasts – just search for Naked Security.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/a-WrPg31fv8/

Cyber-security super-brain Rudy Giuliani forgets password, bricks iPhone, begs Apple Store staff for help

The month after Rudy Giuliani was named the US president’s cybersecurity adviser, the former mayor of New York queued up outside an Apple Store in San Francisco to get staff to reset his iPhone because he couldn’t remember the passcode.

Giuliani had typed in the wrong code more than 10 times, locking up the phone, and an Apple staffer reset and restored the iPhone 6 using his iCloud backup, according to NBC News, which today saw and posted a picture of the internal Apple memo concerning the visit.

The yarn – which has not been disputed – has left security experts stunned. As an adviser on cybersecurity to President Trump and more recently as his personal lawyer, Giuliani has direct access to the White House and, if reports are to be believed, is in charge of a parallel foreign policy effort involving a range of countries, most notably Ukraine.

Or, in other words, Giuliani’s phone is a prime target for surveillance efforts and he simply handed it over to a random Apple employee. Not only that but he couldn’t remember his own passcode, and has backed everything up to Apple’s iCloud. He is a walking security risk.


A pic of the internal Apple memo on Giuliani’s visit, as obtained by NBC.

The news that Giuliani has absolutely zero recognition of the risks associated with such behavior comes just days after it was revealed that he had twice butt-dialed a telly journalist this month, and left potentially incriminating voicemails.

In one, he was heard discussing presidential candidate Joe Biden and his son – a topic that became the focus of an impeachment inquiry into President Trump – and his attempts to pressure Ukraine into investigating the pair for domestic political gain; in the other he was heard discussing an urgent need for “a few hundred thousand” dollars in a conversation about Bahrain.

Then again, Giuliani caused widespread mirth in the IT security community with this little brain fart on how to lock down computer systems:

Investigation

Those voicemails have already led another presidential hopeful, Senator Kamala Harris, to call for an investigation into Giuliani’s foreign activities.

Adding to his woes, the State Department agreed this week to release documents related to President Trump’s handling of aid to Ukraine, covering communications between officials and Trump’s private lawyers and associates – including Rudy Giuliani.

As we noted at around the time Giuliani was named White House cybersecurity advisor in January 2017, not only does Rudy know nothing about the subject but his website – Giulianisecurity.com – was painfully out-of-date and wide open to hacking.

The fact that even after he was named as a key White House adviser Giuliani didn’t see any issue with turning up to an Apple Store and handing over his phone to effectively a complete stranger is not great.

And in that he seems to share the same lax attitude to security as the president himself, who was repeatedly warned about his use of a personal, insecure phone in the early days of his presidency. Of course, most people don’t want others listening in on their conversations – especially when in very powerful positions – because it reveals what their views are on any given topic.

But if those views change significantly from day-to-day, moment-to-moment and tweet-to-tweet, maybe it doesn’t matter at all. Because no one, not even Rudy Giuliani, knows what is going on in his head. Well, apart from Apple Store employees. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/31/giuliani_iphone_password/

Are you as handy with privacy certs as you are with a screwdriver? Ikea has the perfect vacancy

Scandi furniture emporium Ikea is seeking privacy specialists to join its office in Malmö, Sweden.

The company – which famously outsources collection, delivery, assembly and disposal of its products to customers – is calling for applicants who want to “join us on a journey where the road is truly more important than the destination.”

Anyone not too nauseous to continue will need three to five years’ experience for the senior role and one or two years for the junior positions.

The company’s Privacy Operations team is responsible for ensuring compliance with Europe’s General Data Protection Regulation (GDPR), both by in-house developers and outsourced procurement suppliers. You’ll need to be able to run data privacy impact assessments and check development workflow based on privacy by design principles.

The position also requires the winning candidate to train co-workers and product teams during development and run awareness-raising initiatives. The senior post will also need you to act as first line support for advice and enquiries.

Candidates with privacy certifications such as CIPP/E, CIPT or CIPM will have an advantage, as will those with information security qualifications such as CISA, CISM, Security+.

Successful applicants will get a full range of Scandi benefits including relocation support and an Ikea staff discount card.

We’re guessing you might have to start by building your own desk, so best remember the electric screwdriver. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/11/01/ikea_privacy_position/