https://ift.tt/2G8tCdw
Putin to Trump: let's collude to stop election hacking https://ift.tt/345Lkqg Russia has taken the unusual step of posting a proposal for a new information security collaboration with the United States of America, including a no-hack pact applied to electoral affairs. The document, titled “Statement by President of Russia Vladimir Putin on a comprehensive program of measures for restoring the Russia – US cooperation in the filed of international information security”, opens by saying “One of today’s major strategic challenges is the risk of a large-scale confrontation in the digital field,” before adding “A special responsibility for its prevention lies on the key players in the field of ensuring international information security (IIS).” Russia therefore wants to reach agreement with the USA on “a comprehensive program of practical measures to reboot our relations in the field of security in the use of information and communication technologies (ICTs).” Putin suggested four actions could set the ball rolling:
Russia stands accused of interfering in the 2016 US presidential election with widespread use of fake social media accounts. The USA’s Federal Bureau of Investigation last week warned that “Foreign actors and cybercriminals could create new websites, change existing websites, and create or share corresponding social media content to spread false information in an attempt to discredit the electoral process and undermine confidence in U.S. democratic institutions.” On September 17th FBI director Christopher Wray testified before the House Homeland Security Committee and named Russia as a nation already interfering in this year’s elections. It is unclear if Russia’s document elicited a public response from the USA. The two nations sought a cyber-détente in 2017, when Putin and Trump discussed a Cyber Security unit with unspecified functions and purposes. The effort was quickly explained away as a policy thought bubble that was floated without any accompanying detail. The idea deflated soon afterwards, leaving the two nations in their current state of uneasy enmity. ® Digital Trends via The Register – Security https://ift.tt/2XeTLgv September 27, 2020 at 11:41PM
Dell Encryption Enterprise Installer Search Path privilege escalation https://ift.tt/2M1QawE A vulnerability was found in Dell Encryption Enterprise and Endpoint Security Suite Enterprise (the affected version is unknown). It has been declared as critical. This vulnerability affects an unknown part of the component Installer. Upgrading eliminates this vulnerability. Digital Trends via vuldb.com https://vuldb.com September 27, 2020 at 11:34PM
https://ift.tt/348R9D8
How to mature a vulnerability management program https://ift.tt/2G4LkPf The global cyber-threat landscape is constantly evolving, which highlights the emerging need for organizations to strengthen their ability to identify, analyze and evaluate technological risks before they fully evolve into security incidents. When it comes to mitigating risk, the terms “patch management” and “vulnerability management” are used as if they were interchangeable, when in reality applying patches is only one of many ways to mitigate cybersecurity risk. The decision to deploy, uninstall or skip a specific patch falls within the broader context of vulnerability management. Defined as “a security practice specifically designed to proactively mitigate or prevent the exploitation of IT vulnerabilities,” vulnerability management is not just scanning and patching. It is a holistic function that takes the proactive view of managing the sometimes daunting task of addressing the vulnerabilities identified in deployed hardware and software. In short, vulnerability management is a broader concept that encompasses patch management. Vulnerability management is more than just receiving alerts when your infrastructure needs a patch applied. It consists of making informed decisions and properly prioritizing which vulnerabilities to mitigate and how. This is achieved by deploying internal agents for telemetry on all systems of interest, as well as external feeds for threat intelligence from all sources. Vulnerability management is backed by threat intelligence that provides a deeper understanding of how and why attackers are using certain vulnerabilities and ignoring others.
Intelligence on the exploitability of a vulnerability prepares your organization to strike the right balance between patching vulnerable systems and disrupting business operations. A risk-based approach to threats makes it much easier to communicate the danger of a vulnerability to your teams, from security and operations up to senior managers and even the board. This level of visibility into the reasoning behind decisions made about vulnerabilities will increase trust in the security team across your organization and help prevent data breaches such as the one Equifax suffered.

Maturity stages for a vulnerability management program
There are four main stages in any effective vulnerability management program:
The first stage focuses on building a process that is measurable and repeatable. Stages two through four focus on executing the process with an emphasis on continuous improvement. Let’s briefly examine each stage and how Tripwire can help.

STAGE 1: VULNERABILITY SCANNING PROCESS
The first stage can be divided into four steps. The first step is to identify the criticality of the assets in the organization. You cannot build an effective risk management program without determining which assets need to be protected. These include computer systems, storage devices, networks, data types and third-party systems on the organization’s network. Assets must be classified and prioritized according to their real and inherent risk to the organization. Many aspects must be considered when establishing an asset’s inherent risk, such as physical or logical connections to higher-classified assets, user access and system availability. Assets with higher criticality will have higher priority than assets with lower criticality. However, remediation of lower-criticality assets should not be ignored or postponed indefinitely. All assets contribute to overall organizational risk, and remediation effort should always be based on minimizing overall risk. The second step is to identify the owners of each system. System owners are responsible for the asset and its associated risk, and are accountable if that asset is compromised. Accountability is a determining factor in the ultimate success of the vulnerability management program. Assets and vulnerabilities without an owner will be forgotten and become an unidentified risk to the organization. The third step is to establish the scanning frequency.
The Center for Internet Security, in its CIS Control 3, “Continuous Vulnerability Management,” recommends that an organization “utilize an up-to-date vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization’s systems.” Frequent scanning allows asset owners to track remediation progress, identify new risks and re-prioritize vulnerability remediation based on updated intelligence. As an outer limit, vulnerability scanning should occur at least monthly. The fourth step is to establish and document remediation timelines and thresholds. Remediation timelines must take into account the severity of the impact of a vulnerability being exploited and must be communicated to the entire organization. Vulnerabilities with the highest impact must be remediated immediately. The program must also handle exceptions in case a vulnerability cannot be remediated within the approved timeline, documenting the accepted risk together with an action plan to remediate the vulnerability by a set date.

STAGE 2: ASSET DISCOVERY AND INVENTORY
Asset discovery and inventory are CIS Controls 1 and 2. They are the foundations of any security program. You cannot protect what you do not know about. The purpose of CIS Control 1 is to “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.”
In addition, CIS Control 2 highlights the need to “Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.” These two controls go hand in hand, since attackers always try to identify easily exploitable systems, such as shadow IT, as a way into an organization’s network. Without proper asset discovery and network access control, these kinds of devices can provide an easy gateway for an attacker into the corporate network. Once inside, they can leverage the control they have gained to attack other systems and infiltrate the network further. Knowing what is on the network allows the information security team to better protect systems and to provide guidance to system owners on reducing the risk their assets pose.

STAGE 3: VULNERABILITY DETECTION
Once all assets on the network are identified, the next step is to identify the vulnerability risk of each device. The recommended method for vulnerability scanning is credentialed scanning. This allows greater accuracy in determining the organization’s existing risk. Then, based on what the discovery stage found, vulnerability signatures specific to each operating system discovered can be run.

STAGE 4: REPORTING AND REMEDIATION
Once the vulnerability scan is complete, each vulnerability is assigned a score using an exponential algorithm based on the skills required to exploit the vulnerability, the privileges obtained after successful exploitation and the age of the vulnerability.
The easier the vulnerability is to exploit and the higher the privilege obtained, the higher the risk score. In addition, as the age of the vulnerability increases, so does its score. The first metric to obtain is the overall average risk score, which serves as the organization’s baseline. Based on this metric, organizations should begin to aim for a 20-25% annual risk reduction rate. The next metric is the average risk score per owner. Similar to the target for the organization as a whole, each owner should focus on reducing their average risk score by 10% to 25% year over year until they are below the organization’s accepted threshold. To help the program succeed, the executive team could reward the asset owners with the lowest scores. Empirical vulnerability data outlining which vulnerabilities should be fixed, together with instructions on how to carry out the fix, allows system owners to prioritize their efforts with a focus on the vulnerabilities that will most reduce overall organizational risk. As new vulnerability scans run, metrics such as those offered by CIS can be used to show a trend analysis of risk and remediation progress. The key is to show progress month over month, quarter over quarter and year over year. Vulnerability risk scores and time to remediate should decrease as teams become more familiar with the process and more educated about the risks attackers pose.

How Tripwire helps
Vulnerability and risk management is a continuous process, and it must continually adapt to the changing cybersecurity threat landscape.
Therefore, the process must be reviewed periodically and staff must keep up to date with the latest threats and trends. Continuous development of people, processes and technology will ensure the success of the enterprise vulnerability and risk management program. If you want a vulnerability management program, Tripwire IP360 is the solution you were looking for. Tripwire IP360 discovers all the assets within your organization and the applications running on them before performing a vulnerability scan. Credentialed vulnerability scans provide a detailed analysis and also identify the vulnerabilities an attacker would see in an unauthenticated external vulnerability scan. Finally, Tripwire IP360 provides a meaningful risk score and ranks vulnerabilities numerically based on impact, ease of exploitation and age. You can learn more about building a mature vulnerability management program by reading this white paper. This blog was originally published in English here: https://ift.tt/2MXssT9 Digital Trends via The State of Security https://ift.tt/2dEfvfb September 27, 2020 at 10:29PM
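The Stage 4 scoring and the per-owner risk metrics described in the article above, as an added example that is not from the article or from Tripwire: the doubling-per-year formula, the skill and privilege weights, the accepted threshold and the two scan result sets are all constructed assumptions for illustration, not Tripwire IP360's actual algorithm.

```python
"""Added example: vulnerability risk scoring and per-owner trend metrics.

The scoring model below is an assumption for illustration only (it is NOT
Tripwire IP360's algorithm): a base score grows with ease of exploitation and
privilege gained, and doubles for every full year the vulnerability has been public.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Less skill needed to exploit -> higher weight ("automated" = an off-the-shelf tool exists).
SKILL_WEIGHT = {"expert": 1, "skilled": 2, "novice": 3, "automated": 4}
# More privilege gained on success -> higher weight.
PRIVILEGE_WEIGHT = {"none": 1, "user": 2, "admin": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    owner: str
    finding_id: str   # constructed placeholder, not a real CVE id
    skill: str        # key of SKILL_WEIGHT
    privilege: str    # key of PRIVILEGE_WEIGHT
    published: date   # date the vulnerability became public


def risk_score(f: Finding, scan_date: date) -> int:
    """Assumed exponential model: base * 2 ** (full years since publication)."""
    age_years = (scan_date - f.published).days // 365
    return SKILL_WEIGHT[f.skill] * PRIVILEGE_WEIGHT[f.privilege] * 2 ** age_years


def average_by_owner(findings, scan_date):
    """Average risk score of the open findings for each system owner."""
    per_owner = defaultdict(list)
    for f in findings:
        per_owner[f.owner].append(risk_score(f, scan_date))
    return {o: round(sum(s) / len(s), 2) for o, s in per_owner.items()}


def org_average(findings, scan_date):
    """Organization-wide average risk score (the baseline metric)."""
    scores = [risk_score(f, scan_date) for f in findings]
    return round(sum(scores) / len(scores), 2) if scores else 0.0


def reduction_pct(previous, current):
    """Percentage reduction from previous to current; negative means risk grew."""
    return round((previous - current) / previous * 100, 1) if previous else 0.0


def owner_progress(prev_scan, curr_scan, prev_date, curr_date,
                   target_pct=10.0, accepted_threshold=4.0):
    """Per-owner year-over-year reduction against the article's 10% per-owner target.

    An owner is on target when their average fell by at least target_pct or is
    already below the organization's accepted threshold (an assumed value here).
    """
    prev = average_by_owner(prev_scan, prev_date)
    curr = average_by_owner(curr_scan, curr_date)
    report = {}
    for owner in sorted(set(prev) | set(curr)):
        p, c = prev.get(owner, 0.0), curr.get(owner, 0.0)
        pct = reduction_pct(p, c)
        report[owner] = {"previous": p, "current": c, "reduction_pct": pct,
                         "on_target": c <= accepted_threshold or pct >= target_pct}
    return report


# Constructed scan results: two yearly scans of a two-owner estate.
PREV_DATE, CURR_DATE = date(2019, 9, 1), date(2020, 9, 1)
PREV_SCAN = [
    Finding("web01", "alice", "FINDING-A", "automated", "admin", date(2018, 9, 1)),
    Finding("web01", "alice", "FINDING-B", "novice", "user", date(2019, 6, 1)),
    Finding("db01", "bob", "FINDING-C", "skilled", "admin", date(2017, 9, 1)),
    Finding("db01", "bob", "FINDING-D", "expert", "none", date(2019, 8, 1)),
]
# A year later alice fixed A (a new finding E appeared); bob fixed only D and left C open.
CURR_SCAN = [
    Finding("web01", "alice", "FINDING-B", "novice", "user", date(2019, 6, 1)),
    Finding("web01", "alice", "FINDING-E", "novice", "user", date(2020, 7, 1)),
    Finding("db01", "bob", "FINDING-C", "skilled", "admin", date(2017, 9, 1)),
]

if __name__ == "__main__":
    print("org baseline:", org_average(PREV_SCAN, PREV_DATE),
          "-> current:", org_average(CURR_SCAN, CURR_DATE))
    for owner, row in owner_progress(PREV_SCAN, CURR_SCAN, PREV_DATE, CURR_DATE).items():
        print(owner, row)
```

Note that bob's average rises even though he closed a finding, because the assumed model doubles the score of the old finding he left open for every year it ages; that is the ageing effect the article describes.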
https://ift.tt/3mTboxv
Understanding Cybersecurity Supply Chain Risk Management (C-SCRM) https://ift.tt/2S6Es6s Cybersecurity Supply Chain Risk Management (C-SCRM) deals with more than protecting an organization from cyber-attacks on third parties. It also addresses third parties to those third parties (known as “fourth parties”). Further still, a vendor to your vendor’s vendor is a fifth party, then a sixth party, etc. Your SCRM should involve knowledge of how far-reaching, complex and even convoluted your supply chain is. Then measure this complexity against your risk appetite. (You might wonder, “What happened to the second party?” Those are your members and customers.) What really makes the difference between C-SCRM and any other kind of technical vulnerability management (VM)? There really isn’t much difference in the tactics used. What becomes essential in C-SCRM is that the technical aspect of VM gets done and gets done well. With C-SCRM, managing and monitoring aren’t optional. If a company has a relatively small number of third-party vendors, then there may not be too much more to do than a typical VM program. But if one has a multitude of third parties, then it’s inevitable that the total number of suppliers increases exponentially. This factor immediately leads to numerous vulnerabilities for which your company is responsible to manage. While it may seem unfair that you have to manage those vulnerabilities, in the end, your customers are relying on you to provide a solid product and service. Digital transformation imposes and increases third-party risk. Two primary threats in the increasingly outsourced digital economy are:
Is there any data to show that third-parties are really such a serious risk? According to Verizon’s 2019 Insider Threat Report’s “5 Types of Insider Threats,” the 5th type of insider threat is the Feckless Third-Party, described as follows: “Business partners who compromise security through negligence, misuse, or malicious access to or use of an asset.” C-SCRM is based on knowledge. As such, the DIKW model is a handy overview here. “D” is for “Data,” “I” is for “Information,” “K” is for “Knowledge,” and “W” is for “Wisdom.” More specifically, input for C-SCRM is found in the D-I-K tiers.
With C-SCRM, the aspects of DIK can be addressed with technologies (especially those leveraging AI) such as firewalls, spam filtering, EDR and DLP. The “Wisdom” tier is relegated to experienced personnel who determine what to do with all of that DIK. Technology can send plenty of bits and bytes to the governance committee, but it can’t decide traits like a company’s risk appetite, product direction or security budget. How does one decide how to proceed with all of that info? Think of the visual arts. A vital aspect of visual art that makes it viable art is boundaries; there has to be some kind of border. It could be comic book panels, the borders of the canvas, the limits of the monitor, a scene in a film or a character’s silhouette. When creating C-SCRM programs, there have to be borders. No organization can possibly handle the entirety of the intel that’s available. Even if it could, not all of it matters. This is why even the most complex VM tools filter data. With any C-SCRM, you want to know what information is coming in and going out. With the supply chain, especially digital, you now have an exponential amount of data being transferred. As a sample, any and every time a department buys new software for that department, there’s one if not multiple new threat vectors. Unless that vendor and the software has been vetted, then that purchase has created a blind spot. Not surprisingly, there are plenty of aspects to consider in C-SCRM. Here’s how one might outline them:
The Intelligence step is where you take all of the threats that could materialize from and through your suppliers and cull those possibilities to produce better data sets that would produce actionable steps. Unless you are certified in app/web testing and the supplier has paid for your testing services, the likelihood of being able to directly test a vendor’s apps and sites is zero. So, feel free to ask for any kind of third-party testing results for your X-party suppliers. If acceptable to the requesting organization, the supplier’s internal ISMS documents or program can be requested in lieu of third-party testing. There are many paid and free tools available for gathering threat intel. While your supplier may not have direct threats that can be monitored, there are likely extant threats – such as vulnerabilities in the codebase that are outsourced by the company responsible for creating your software – that affect that company. Those threats can be monitored. Integration is taking the garnered intelligence and putting it into place in your network. In exploring the tools found in the Intelligence phase, the more you can streamline the integration of that data into your environment, the better. Monitoring, alerting & reporting are in this stage. Each product is different, so in vetting the product, especially for vital data (e.g., Critical alerts of anomalous activity), ensure that it will actually produce email or text alerts. Maturing the processes is always on the project board. In Year One, it might suffice to use a spreadsheet to keep track of assets and a service on a lower-end server to scan your network. But Year Two may require a more robust software tool for asset tracking and a higher-end server for real-time scanning. Alternatively, your internal alert ratings could change. What was Low priority last year might now be High and need re-labeling. Correction is part of this phase. Are there new suppliers?
Are there former vendors that no longer need any kind of access but for which there’s still an IP address opening on your firewall and servers? Correction can be addressed with recurring projects; set-it-and-forget-it is what lets such openings linger. Before embarking on a C-SCRM plan, have an IR plan. Bad things happen at any time, and they don’t wait until programs are fully developed. If a successful attack were to occur, it’s likely that it will happen before the program is completed because the unfinished program has more security holes in it than a completed one. What are your communication channels (e.g., call tree)? Who will you contact if the app you just installed company-wide has a bug? Which person at Company X will you call if there’s malicious traffic flowing from that supplier? Who is your contact for the worst-case scenario of a breach in that supplier? Test the People, Processes and Technologies involved in the IRP. How and when will you practice your IR plan? After testing, produce the results according to your BC, IR and DR policies. In responding to incidents, it’s important to focus on defense, not offense. (NOTE: Unless you have some special authority, “hacking back” is not a valid response.) Each of these steps may end up becoming quite complex, which is precisely why C-SCRM is so difficult. The concepts are quite commonsense, but the tremendous amount of detail and the lack of a one-size-fits-all approach make it appear onerous. What is to be done if your company is part of someone’s supply chain? Ask yourself, “What are the chinks in my armor?” Maybe the armor imagery isn’t your thing, but what will help your program is making it personal. Maybe you like basketball or football and want to think of it as setting up a defensive move. Or you’re in finance and think of Red Flag warnings.
In looking for how to better protect your company’s network, it may help to start calling it “your” network and see, as objectively as possible, where your network has holes. Depending on a company’s criticality in the chain, customers may ask for your vulnerability assessment results. These are typically considered “for internal use only.” By not sharing them, you’re not avoiding being honest or vulnerable (see what I did there), but there are many ways that those reports can be misunderstood. An example of misunderstanding can occur when internal corporate vulnerability scans assess both Prod and Test servers. If the reports reflect both, then the Test environment is likely filled with holes on purpose. Internal staff will understand the results, but external parties will not and may well consider the team lax in their duties – even if they are on top of the situation. If vulnerability assessments aren’t shareable, at minimum have a professional response ready for those inquiries and provide some metrics by which prospects and risk assessors can measure the internal security of the product or service to which they’re uploading their data. Here’s a recently developed tool from NIST that can help as you develop and mature your C-SCRM. About the Author: Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company’s BCP/DR TTX, and is a HIPAA Security Officer. Over the course of his 20-year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP and CompTIA’s Security+ certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. More From Ross Moore about Supply Chain Risk Management
Digital Trends via The State of Security https://ift.tt/2dEfvfb September 27, 2020 at 10:05PM
https://ift.tt/338Nkik
This Is the Newest Way to Show Full Stadiums During the Covid-19 Apocalypse https://ift.tt/335AAJ3 As you all have probably noticed, competitive sports does not like being without fans during covid-19 times. Officials have been racking their brains for ideas—some less strange than others—to deal with empty stadiums for months, and we just got a new one: Fill the stands with South Park residents. That’s what the Denver Broncos did on Sunday when they faced off against the Tampa Bay Buccaneers. Although the stadium was nowhere near its approximately 76,000-seat capacity, there were purportedly hundreds of South Park cutouts in the stands. In fact, ESPN reported that there were more than 1,800. What makes the initiative even better is that the fictional residents were all wearing masks. A good chunk also appeared to be social distancing. Which is what everyone should be doing, I might add, especially in large gatherings. FYI, a good chunk doesn’t cut it if you’re a human that can catch and transmit the novel coronavirus. The idea is also pretty funny because the animated show is set in the fictional town of South Park, Colorado. The show’s creators, Trey Parker and Matt Stone, are also reportedly huge Broncos fans. Besides the South Park cutouts, the game also had about 5,700 actual humans in attendance as well. According to CBS Local, the Broncos worked with the Colorado Department of Public Health and Environment over three months to come up with plans and special rules to allow a limited number of fans to attend in-person. The 5,700 fans were organized in groups of 175 people, which is the limit for outdoor gatherings in the state. Safety measures included mandatory face coverings and social distancing. The team also axed tailgating and banned congregating in parking lots, concourses or the stadium bowl, per its website.
It also installed bipolar ionization in the stadium’s HVAC system, UV-C lights under escalators to reduce and eliminate bacteria on handrails and more than 500 hand sanitization stations. When it comes to bathrooms, the team states that they are now entirely hands free, including toilets, sinks and paper towel dispensers. Although I’m not really that into sports, I understand the need for fans. It’s part of that game day atmosphere (and let’s be honest, more money for the teams). And even though some of the initiatives so far have looked kind of, eh, strange—such as the NBA’s fan projections via Microsoft Teams—the important thing is to enjoy sports while being safe. At least it’ll help you forget the apocalyptic situation we’re living in for a while. Digital Trends via Gizmodo https://gizmodo.com September 27, 2020 at 09:48PM
https://ift.tt/2GbRAVd
Pre-Teens Rejoice! Federal Judge Strikes Down TikTok Ban https://ift.tt/2S42X43 A U.S. federal judge has said that a ban on TikTok - scheduled for Monday, September 28 - will not go ahead as planned. The delay will allow users to access the app on various app stores while the court explores the legality of banning a consumer application on security grounds. TikTok, by Chinese software house ByteDance, has filed two injunctions against the ban since September 18. The U.S. government rejected the injunction on Friday and scheduled a public hearing in DC District Court before Judge Carl J. Nichols today. Today’s unexpected ruling has stopped the ban outright. In an opposition document filed on Friday, September 25, the U.S. government noted that the ban was not a regulation of personal communications and does not violate the First Amendment. “The regulation of a single service provider is not akin to regulating or prohibiting transmission of information or informational materials themselves, nor to an indirect restriction of them through limitations imposed on an entire ‘medium of transmission,’” they wrote. The latest filings from the case are not yet publicly available and the last document of note was the sealed opposition submitted by U.S. Secretary of Commerce Wilbur Ross. The case against TikTok is based on the belief that it is a “mouthpiece for the Chinese Communist Party,” according to a court filing. Because TikTok’s parent company is beholden to Chinese intelligence requirements, there is concern that the country could unduly influence U.S. citizens or steal personal data. “My clients are facing irreparable harm, not just from the ban … but from the rest of these prohibitions that’ll go into effect Nov. 12,” said TikTok’s counsel, John Hall of Covington & Burling LLP last Thursday. “It’s apparent to the world now that if nothing is done, this app is going to be shut down completely.” A deal, supported by U.S.
President Donald Trump, would have sold a portion of the company to Oracle and Wal-Mart. Today’s move, at least, gives TikTok’s 100 million U.S. users continued access to the app’s countless whimsical - and, presumably, potentially identity-thieving - videos for yet another day. Digital Trends via Gizmodo https://gizmodo.com September 27, 2020 at 08:25PM
https://ift.tt/30fHOZj
Philippines payment processing startup PayMongo lands $12 million Series A led by Stripe https://ift.tt/36eaHsK Stripe has led a $12 million Series A round in Manila-based online payment platform PayMongo, the startup announced today. PayMongo, which offers an online payments API for businesses in the Philippines, was the first Filipino-owned financial tech startup to take part in Y Combinator’s accelerator program. Y Combinator and Global Founders Capital, another previous investor, both returned for the Series A, which also included participation from new backer BedRock Capital. PayMongo partners with financial institutions, and its products include a payments API that can be integrated into websites and apps, allowing them to accept payments from bank cards and digital wallets like GrabPay and GCash. For social commerce sellers and other people who sell mostly through messaging apps, the startup offers PayMongo Links, which buyers can click on to send money. PayMongo’s platform also includes features like a fraud and risk detection system. In a statement, Stripe’s APAC business lead Noah Pepper said it invested in PayMongo because “we’ve been impressed with the PayMongo team and the speed at which they’ve made digital payments more accessible to so many businesses across the Philippines.” The startup launched in June 2019 with $2.7 million in seed funding, which the founders said was one of the largest seed rounds ever raised by a Philippines-based fintech startup. PayMongo has now raised a total of almost $15 million in funding. Co-founder and chief executive Francis Plaza said PayMongo has processed a total of almost $20 million in payments since launching, and grown at an average of 60% since the start of the year, with a surge after lockdowns began in March. 
He added that the company originally planned to start raising its Series A in the first half of next year, but the growth in demand for its services during COVID-19 prompted it to start the round earlier so it could hire for its product, design and engineering teams and speed up the release of new features. These will include more online payment options; features for invoicing and marketplaces; support for business models like subscriptions; and faster payout cycles. PayMongo also plans to add more partnerships with financial service providers, improve its fraud and risk detection systems and secure more licenses from the central bank so it can start working on other types of financial products. The startup is among fintech companies in Southeast Asia that have seen accelerated growth as the COVID-19 pandemic prompted many businesses to digitize more of their operations. Plaza said that overall digital transactions in the Philippines grew 42% between January and April because of the country’s lockdowns. PayMongo is currently the only payments company in the Philippines with an onboarding process that was developed to be completely online, he added, which makes it attractive to merchants who are accepting online payments for the first time. “We have a more efficient review of compliance requirements for the expeditious approval of applications so that our merchants can use our platform right away and we make sure we have a fast payout to our merchants,” said Plaza. If the momentum continues even as lockdowns are lifted in different cities, that means the Philippines’ central bank is on track to reach its goal of increasing the volume of e-payment transactions to 20% of total transactions in the country this year.
The government began setting policies in 2015 to encourage more online payments, in a bid to bolster economic growth and financial inclusion: smartphone penetration in the Philippines is high, but many people don’t have a traditional bank account, which often carries high fees. Though lockdown restrictions in the Philippines have eased, Plaza said PayMongo is still seeing strong traction. “We believe the digital shift by Filipino businesses will continue, largely because both merchants and customers continue to practice safety measures such as staying at home and choosing online shopping despite the more lenient quarantine levels. Online will be the new normal for commerce.” Digital Trends via TechCrunch https://techcrunch.com September 27, 2020 at 08:03PM

Strategies for overcoming male domination in cyber https://ift.tt/367r4XU People come into cyber security from a wide range of backgrounds, but the usual image is of a core cadre of techies who progressed from being boys in bedrooms hacking into games. That image was only ever part of the picture: women were involved in every step of the nascent cyber security industry. Joan D Pepin, Chief Security Officer at Auth0, is a great example. She explains her own route into cyber, telling Guru how, from the age of eight, for three years in the 1980s, she was sent by her parents to a kids’ computer summer camp. While not the majority, girls were by no means a rarity and computing was not perceived as primarily a male domain. There she learned the Logo and Basic programming languages, wrote games, programmed robots and learned graphics programs and data structures, which she readily admits was quite advanced for the time. She went on to get an early computer and became interested in hacking, had access to BBSes, and was using a 300 baud modem to sign on.
In her junior year of high school she was able to log in to Massachusetts University and got onto the internet, which was not commercialised at that stage. “There were some girls on the course – it seems that back then there were more women in the computing field than there seem to be today. One of the instructors was a woman and at least a quarter of those attending were women. And before the 60s, women such as Hopper etc were pioneers, and at places such as Bletchley Park, women were instrumental and many of the first programmers. It wasn’t until the 1980s and 90s that it became an increasingly male dominated field.” While the reasons for this change are not clear, Pepin suggests, “Maybe it was because it became more lucrative, and it became easier to push women aside. Also, the very first games that I remember were text based adventures – black screens and green lettering, eg you are standing in a field, type ‘go left’ etc and work out what you understand and draw out the map. They were not gendered, you were you, and they were built around exploration and you had a mystery to solve. You were playing yourself. Later as graphics evolved we saw more of those games (such as Doom, that developed into today’s ‘shoot ‘em up’ franchises).” Pepin later went to the University of Massachusetts and hung out with hackers, was a member of a group that met regularly, and produced a hacking publication. While she majored in art and film, on graduating she saw that the best way to make a living was to leverage her security skills. “I still consider myself an artist and a musician, but I have a really good day job. It’s a career that has been very good to me. I’d moved from home at 18, so the prospect of moving back home was not attractive. I worked in a non-profit healthcare centre where I did everything as IT manager as I was the sole IT person.
I did that for a year and a half before going into website design then LLC Rap Group LLC, the Wu-Tang Clan, and Wu-Wear fashion label, one of the first ecommerce sites. Taking credit cards meant being part of that early technology, before PCI, so security was very important – and it aligned with my hacking interest. I then got a job as a penetration tester with International Network Services, hacker for hire, getting two-week engagements, primarily manual pen testing as there was not much in the way of automation tools then. So from broad IT, to web design to specifically focussing on security, then I went to a company that does not exist, associated with MIT Lincoln Laboratories, doing top secret research for the department of defence, and worked on things that I still can’t talk about. From there I went on to managed security services and have spent most of my career in security services, with VeriSign Inc’s Managed Security Services (MSS) which was sold to SecureWorks Inc and then Dell and I came out as director of security at Sumo Logic where I was employee No 11, then Nike business security manager for its US$10 billion revenue consumer division.” Now Pepin is at Auth0, a high growth start-up. She explained that there are three things that appealed about this role.
“The move was for the opportunities here. I have several titles at Auth0, and often have the chance to stretch beyond my normal remit. I’ve had the opportunity to wear many different hats – I have managed security, run an IT department, a private SAS business, engineering operations, during different periods, QA, built the pipeline, and been CISO twice before. Now I am able to focus more on security with growth; we’ve gone from 250 to 700 employees now and it’s good to be involved in further growth. “It may look like it’s been an easy progression, but first, it’s been a lot of work. A lot of hours, many of which were stressful. Often it entailed handling difficult situations with not enough resources. But like Nietzsche (‘What doesn’t kill you, makes you stronger’) I’d say I am now seasoned, not stressed out or traumatised.” Pepin agrees that there are specific challenges as a woman in a male dominated sector, and says it’s good if women are able to tell (their issues to) women who mentor. She adds that a significant problem identified by research is that, “When a woman talks more than 25 percent of the time, men see her as dominating the conversation, so they don’t get as many words in the conversation. And so they have to always be correct.” Pepin describes the problem faced by many women, and explains her own strategies to overcome it: “I will ask myself, ‘Do I really have something to say, am I just going to tell a relatable anecdote’ or I will have less chance to say what I need to say, before they (men) hear Wah, Wah, Wah. “(My approach has therefore been) Only open my mouth if I have something of value to add, make my point clear and precise and understood and then shut up. This has been a big part of my success. “If you have something to say, send enough emails about it with your name on so no one can claim it’s their idea. It’s not just about doing the work, but making sure you get credit for the work, and so do the work AND get recognised.
Doing that can get you a reputation as a diva, or a reputation hog, but it has to be a price you are willing to pay. You will either be known as someone who didn’t do a lot even if you did, or a self-promoter and I would rather pick the latter. At some point that won’t be necessary, and I can’t wait for that to happen. “I guarantee that if women do group projects where they are 10 to 20 percent of the group, they will already know this is true, whether they have put voice to it or not. It should not be necessary, but something is. “Another tool, a curse – can be used positively. I am cursed to empathise with both sides of the argument and know why they want those things and this has been a successful tool that has enabled me to mediate both sides of an argument. It has allowed me to be seen as someone who wants what’s best for the team (compared to wanting to get credit for things) and to give to the other side. The mediator role has also been very helpful. “Being a good communicator bridges gaps and shines a light on issues. Whether it’s viewed as a stereotype or not, if women are either better at or more comfortable doing that then they should do that, ie understand the other point of view even if it is wrong. “When it comes to soft skills or tech skills – both have a purpose. I have a relatively complicated patent (thanks to my tech skills). My soft skills have also been very important. If you are super tech and that excites you, well we are understaffed, and all teams need more tech help. It’s important to be excited about what you do and women can do those (tech) jobs fantastically well. But if you are more interested in building those connections there is room for that too. If you want to stay focussed on tech that’s your prerogative. To get the promotion and do interesting projects, not the maintenance, you will have to employ some social skills, as just being a good technical worker will probably not get you on the good projects.
“Stereotypically when men are socialising with other men, men talk for status – “I caught a bigger fish” etc. When women do that it’s seen as rude. Women can’t play that game – so they have to play a different game. She is not going to be standing around talking about catching a bigger fish. Soft skills are necessary for everyone but if you are a minority, there’s a particular way to do it, it’s not natural and we need to learn. “What barriers are there to women progressing in this sector? Thinking of things that have happened to me, at one company where I was director of security, I sat near the front door and was assumed to be the secretary, I was near the thermostat and told to adjust it. At small companies, someone is expected to buy the birthday cake – and there are unconscious gendered expectations. Assumptions need to be overcome. There is a little fight every day, situation by situation. Are they a jackass or confused about unconscious bias? What is the small indignity today and how do I deal with it gracefully today, or if I am all out of grace, how do I deal with it?” As a parting shot, Pepin concludes: “Women, if you are at all interested in a career in cyber security, it’s not always easy, and may not be initially welcoming but you can have a successful career, others have, and there are interesting jobs and promotions to be had in cyber security.” The post Strategies for overcoming male domination in cyber appeared first on IT Security Guru. Digital Trends via IT Security Guru https://ift.tt/2Q5RfHI September 27, 2020 at 07:53PM
Your FedEx Packages May Soon Arrive By Autonomous Cargo Plane https://ift.tt/36e926u It’s 2020, and while the skies aren’t full of flying cars like we thought they would be by now, something else straight out of science fiction just got closer to reality: pilotless cargo planes delivering whatever stupid shit you ordered online. FedEx is partnering with Reliable Robotics to incorporate the firm’s unmanned aircraft into its delivery fleet, FedEx CEO Fred Smith said during an annual stockholder meeting last week that has largely flown under the radar. Reliable Robotics, an aviation startup run by former Tesla and SpaceX engineers, completed test flights for two of its remote-piloted aircraft models last month, per a company press release. According to Federal Aviation Administration documents, FedEx now owns the larger model of the two, the Cessna 208 Caravan or C208, a single-engine plane that can carry up to 14 passengers. You can watch a video of the plane’s fully automated remote landing here. “This initiative deals with smaller turboprop airplanes and in this case the single-engine C208, which we are looking at putting in very remote and uninhabited areas as part of our network,” Smith said. FedEx isn’t phasing out its existing delivery aircraft fleet just yet, however. Smith told stockholders that the company’s aircraft crews don’t need to worry about their jobs becoming automated “for the foreseeable future—decades, I would say.”

This partnership is part of FedEx’s larger effort to cut down on delivery costs, especially in that infamous last mile before a package arrives at your doorstep, by partially automating its supply chain. On Sept. 19, the air delivery company Wing announced it was teaming up with FedEx Express and other retailers to roll out a pilot program for drone deliveries in Virginia. FedEx also unveiled its in-house fleet of autonomous delivery robots last year to help retailers with same-day and last-mile deliveries.
They’re one of several companies racing to gain a foothold in the automated delivery market. Alphabet, the parent company of Google, and UPS have both already received federal approval for their drone delivery services, and the FAA certified Amazon’s program in August. Reliable Robotics said in its release that it’s “now working with the FAA on incrementally bringing this technology to market,” so it may well be on its way to securing federal approval. Digital Trends via Gizmodo https://gizmodo.com September 27, 2020 at 07:48PM
Trump administration’s TikTok ban has been delayed, court rules https://ift.tt/368Hak1 A U.S. federal court has said a ban on TikTok will not go into effect on Monday as scheduled. The move to delay the anticipated ban will allow Americans to continue using the app while the court considers the ban’s legality and whether the app poses a risk to national security, as the Trump administration claims. For weeks since President Donald Trump signed two executive orders in early August, the government has threatened to shut down the viral video sharing app over fears that its parent company ByteDance, headquartered in Beijing, could be forced to turn over user data to the Chinese government. TikTok, which has 100 million users in the United States alone, has long rejected the claims. TikTok first filed a lawsuit against the administration on September 18, and on Thursday this week filed a last-minute request for an injunction in an effort to stop the ban going into effect Sunday night. On Friday, the government asked the court to reject the injunction in a sealed motion, which the government later refiled as a public motion with some redactions. A public hearing on the injunction was set for Sunday morning. The case is being heard in DC District Court, presided over by Judge Carl J. Nichols. In its ruling on Sunday, the court gave just its decision, with the formal opinion handed privately to the two opposing parties. Due to sensitive material included in the government’s motion, the parties have until Monday to ask for any redactions before the final opinion is published.

The decision is just the latest episode in the continuing saga of the sprawling fight over the future of the fastest-growing social app in America. A deal reached between ByteDance and the U.S. government last weekend was believed to have resolved the standoff between the two parties, but the deal has frayed over disputed details between buyer Oracle and ByteDance.
The administration first launched an action against TikTok on August 6, with President Trump arguing in an executive order that the app posed an unreasonable national security risk for American citizens. That order mirrored a similar one published the same day that put restrictions on the popular Mandarin-language messenger app WeChat, which is owned by China-based Tencent. Last weekend, a federal magistrate judge in San Francisco put in place an injunction on the Commerce Department’s ban on WeChat, pending further court deliberations. TikTok, whose arguments mirror those in the WeChat lawsuit, was hoping for a similar outcome in its own legal proceedings. One difference between the two lawsuits is the plaintiffs. In WeChat’s case, a group of WeChat users filed a lawsuit arguing that a ban would hurt their freedom of expression. TikTok is representing itself in its own fight with the government. The court case is TikTok Inc. et al v. Trump et al (1:2020-cv-02658). Digital Trends via TechCrunch https://techcrunch.com September 27, 2020 at 07:33PM