Practice what you breach: Australian Government passes new legislation increasing breach fines
When private companies drop the ball on security, governments have a responsibility to lay down the law. As covered in the Medibank story, some companies are apathetic with their customers’ information. They have been calling the bluff of ransomware gangs that threaten to leak customer data. While this may help their bottom line in the short run, it is incredibly irresponsible. At its core, these decisions show customers that these companies do not care about their data.
Fortunately, in the wake of the Medibank fiasco, the Australian government has passed a new bill that greatly increases the fines for organizations hit by data breaches, with the maximum rising more than 20 times to $50 million AU. This legislation is meant to combat the indifference companies like Medibank have shown. Saving money at the expense of customer security is a terrible decision. A bill like this helps to ensure that companies that make these errors are not let off the hook.
Hyundazed: Vulnerabilities for the MyHundai app and the problem with IoT tech
Smart technology sometimes produces dumb results. Sure, Internet of Things (IoT) tech has allowed for a more user-friendly experience, but as we’ve mentioned before, IoT tech has security vulnerabilities that often go unaddressed and unpatched.
This week, it was revealed that some Hyundai cars built after 2012 are vulnerable to remote attacks that would allow hackers to unlock and start victims’ vehicles. This vulnerability, discovered by security researchers, involves intercepting the traffic generated by the MyHyundai app (which enables owners to lock/unlock and start/stop their vehicles) and creating spoofed accounts with user email addresses to gain control of their cars. Shockingly, the MyHundai app does not require email confirmation for an account to be verified. This is an inexcusable security blunder that could have had dangerous implications.
Hyundai has stated that it is working hard to fix these issues. Still, this vulnerability highlights the problems with putting implicit trust in IoT technology that is unlikely designed with security in mind. Customers love convenience, but when hackers can control your product from an unsecured app, it may be a sign that your organization needs to iron out the security wrinkles.
MLions of possibilities: Machine learning gets spotlighted at Black Hat Europe
AI/ML cybersecurity systems have a mixed reputation. While touted by supporters as a significant advancement, their susceptibility to adversarial attacks can make some question how useful they can be in the real world. A cybersecurity talk being given this week may highlight the value of ML security systems amidst good human security solutions.
Cybersecurity expert Carole Boijaud is giving a presentation at this week’s Black Hat Europe 2022. There, she will discuss how a machine-learning model helped significantly improve the security of a French bank. This model, which was internally developed, was able to detect three new types of data exfiltration that standard security tools were unable to spot. Boijaud’s talk ("Thresholds Are for Old Threats: Demystifying AI and Machine Learning to Enhance SOC Detection") will discuss the ML model at length, while also exploring the security wins other organizations like Microsoft have experienced due to ML security tech.
Above all, Boijaud stresses the importance of having the right security experts to aid ML systems in their security. "Machine learning is about mathematics and models, but one of the important facts is how you choose to represent the data and that requires understanding the data and that means we need people, like cybersecurity engineers, who understand this field." ML security systems can theoretically make cybersecurity easier, but they must be developed and implemented by the right people. This ML model may have saved a bank from security headaches, but, as with all security solutions, the human element will always be an integral piece.