source: infosecurity-magazine.com

Eight years ago, a list of the world's most dangerous software errors was published by problem-solving nonprofit the MITRE Corporation. Yesterday saw the long-awaited release of an updated version of this rag-tag grouping of cyber-crime's most wanted.

The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors list (CWE Top 25) is a roundup of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software.

What makes these bad boys so lethal is that they are often easy to find and exploit. And once attackers have gotten their grappling hooks into the errors, they are frequently able to completely take over execution of software, steal data, or prevent the software from working.

Each error was given a threat score to communicate its level of prevalence and the danger it presents. Topping the table of treachery with a threat score of 75.56 and leading by a huge margin is "improper restriction of operations within the bounds of a memory buffer."

The second-most lethal error was determined to be "improper neutralization of input during web page generation," also known as cross-site scripting, which had a threat score of 45.69. 

In 2011, a subjective approach based on interviews and surveys of industry experts was used to create the list. In 2019, the list's compilers took a data-driven approach, leveraging National Vulnerability Database (NVD) data from the years 2017 and 2018, which consisted of approximately 25,000 CVEs. 

 source: vox.com

The Ring video doorbell is Amazon’s latest infiltration into Americans’ everyday lives, and even though it offers customers convenience and a sense of security, it’s also attracting scrutiny.

Amazon already dominates how we shop for goods online; its Web Services arm is the backbone of numerous internet companies; and its Prime Video and Music services are angling to become primary ways that we watch and listen to media. As its influence has expanded, Amazon has become a political and social flashpoint, facing accusations from politicians, activists, and its own sellers that it relies on monopolistic e-commerce practices, that it mistreats its workers, that it doesn’t pay enough in taxes, and that its relationship with Immigration and Customs Enforcement and Palantir facilitates human rights abuses at the US’s southern border.

Now the company’s Ring cameras are stoking fears that the e-commerce giant is further encroaching on people’s privacy as Ring turns neighborhoods into surveillance operations and profits from the false perception that crime is on the rise. The company’s social media app, where users can share the surveillance their devices record, has been shown to exacerbate racial stereotypes and profiling. Critics view Ring’s growing partnerships with local police departments as self-serving and a way for a private company to use the public sector and taxpayer money to promote its own interests.

What exactly is Ring, anyway?

Ring is a smart security device company. It’s best known for its video doorbell, which allows Ring users to see, talk to, and record people who come to their doorsteps. Acquired by Amazon for $839 million last year, the company sells wifi-enabled products that integrate with its social media app called Neighbors, where users can post videos of suspicious activity and crimes outside their front doors, as well as view posts from other people within a 5-mile radius.

 source: federalnewsnetwork.com

The Defense Department sees its new certification model, which it unveiled to the public this week, as a way to more quickly bring its entire industrial base up to date with best cybersecurity practices.

But the Pentagon also sees this new model as a means to set the stage for a broader, more complex journey to better understand the defense supply chain.

On Wednesday, DoD released a new draft of the Cybersecurity Maturity Model Certification (CMMC), the Pentagon’s most recent to attempt to create a simpler, more consistent framework for the cyber demands it imposes on its contractors and subcontractors.

The department will accept public comment on the certification model through Sept. 25.

“Every company within the DoD supply chain — not just the defense industrial base,  but the 300,000 contractors — are going to have to get certified to do work with the Department of Defense,” Katie Arrington, chief information security officer for DoD’s Office of the Assistant Secretary of Defense for Acquisition, said Wednesday at the Intelligence and National Security Summit co-hosted by AFCEA and the Intelligence and National Security Alliance. 

Certification model details five levels

The new certification model has been designed with several familiar cybersecurity requirements in mind, but it’s also an attempt to get a better handle on the defense supply chain, Arrington said.

The model covers 18 domains based on five levels.

Companies who achieve certification at the third level, for example, meet all National Institute of Standards and Technology (NIST) SP 800-171 requirements and have an information security continuity plan. Firms assessed at level five have “highly advanced cybersecurity practices” and can respond at “machine speed,” according to the draft CMMC.

DoD, which has been developing the certification model since March, has partnered with Johns Hopkins University, Carnegie Mellon University, defense industrial associations and members of the Defense Industrial Base Sector Coordinating Council to design the program.

DoD will release the model to a consortium in January 2020, which will help contractors learn the CMMC and the steps necessary to achieve each level of the certification program.

The model will go live and will begin to appear in requests for information next June and requests for proposal later that fall, Arrington said.

 source: scmp.com

An infrastructure of surveillance has come up without public or political debate, and the speed and invisibility around its marriage with everyday technology is worrying

In a public toilet next to Beijing’s Temple of Heaven, it is reported that a toilet paper dispenser uses surveillance cameras to check on people stealing toilet paper.

At Peking University, a lecturer uses surveillance cameras to check whether students are bored.

 

It was street security cameras that identified the 2005 London Underground bomber and the 2013 Boston marathon bomber. It is satellite-based cameras that are tracking typhoons, following IS troops in Syria, watching rhino poachers in African game reserves and tracking the retreat of the Arctic ice cap.

The age of surveillance is upon us. Thanks to artificial intelligence and the burgeoning of big data as our smartphone use explodes, the space left for any individual to find any true privacy has dwindled to a shadow. George Orwell’s “Big Brother” vision has come true, and we are now in a state of permanent visibility.

Sitting here in Hong Kong, our assumption would naturally be that China leads the world in street-level surveillance. Indeed, China today is thought to deploy about 172 million surveillance cameras – about three times as many as are operating in the United States – accounting for 43 per cent of a global US$47 billion business. But on a per capita basis, the US and the UK are understood to be the most densely covered. London and the UK in many ways lead the world, with extensive street surveillance systems introduced in the early 1990s after two massive IRA truck bombings in the city’s financial district. Today, thousands of automatic number plate recognition cameras along the UK’s road network catch speeding motorists, identify expired licences and track stolen cars.

Whether these comprehensive surveillance infrastructures are a good or bad thing is moot. At the time of the London bombings, the British government won broad public support for comprehensive monitoring, using the rhetoric: “If you have nothing to hide, you have nothing to fear.”

Going back a decade, Chicago’s Mayor Daley was similarly supportive: “What cameras do is prevent crime – to tell criminals, ‘Yes, you are gonna be focused on’. There’s nothing wrong with that – to have the good citizens use our sidewalks and our parks, have our children go safely to and from school, have our families go to and from church and feel comfortable. We’re not spying on anybody. This is the public way. We’re not spying or identifying or racial profiling anyone.”