When you purchase a car, would you trust it if it hadn't gone through extensive crash safety testing? Of course not. The safety and reliability of the vehicle are paramount and knowing that it has been rigorously tested gives you peace of mind.
Similarly, would you take a new prescription drug that hadn't gone through rigorous FDA safety and effectiveness testing? Absolutely not! We rely on these safety measures to protect our health and well-being.
So why is it that so many enterprises buy software and hardware without thoroughly evaluating the cybersecurity risks associated with these products? In today’s world, where cyber threats are increasing in frequency and sophistication, this blind trust in software security is not just risky—it’s unacceptable.
Why Should Software Security Analysis Be Part of the Enterprise Purchasing and Procurement Process?

In the modern enterprise, software is the backbone of every business process. It connects companies with customers and partners, automates back-office tasks, and even builds market presence. Today's world is built on software: third-party software, open-source software, in-house developed software, operating system software, applications, containers, and device firmware, to name a few.
However, this reliance on software comes with hidden dangers. Many companies operate under the assumption that the software they purchase is inherently secure. Unfortunately, recent high-profile software supply chain breaches have very much proven otherwise. The reality is that every piece of software, no matter how reputable the source, poses risks.
Despite this, current software procurement processes rarely include quantifiable methods to evaluate the cybersecurity risk of the products being considered. According to NetRise software analyses, there can be up to a 300% difference in software risk levels between similar software asset classes from different vendors. This means that some products may be significantly more secure than others, even if they appear similar on the surface.
The recognition that cybersecurity should be a key consideration in purchasing decisions isn’t new. Since at least 2018, there has been growing awareness that purchasing departments should evaluate the cybersecurity of a vendor’s software alongside traditional factors such as quality and delivery performance. The question is no longer whether to include cybersecurity in procurement processes, but why now more than ever.
Why Now?

Software supply chain cyber-attacks are very much on the rise; consider these statistics:
According to Capterra’s “2023 Software Supply Chain Survey,” 61% of companies were impacted by a software supply chain cyber-attack in the 12 months preceding the survey.
Software supply chain attacks have become a global challenge, growing dramatically in scope and frequency. Yet, proactive efforts to mitigate these risks are still rare—only 7% of respondents to Sonatype’s ninth annual State of the Software Supply Chain report have made efforts to review security risks in their supply chains.
Clearly, the enterprise purchasing and procurement process is where these evaluations should begin.
But Isn’t Security Already Part of the Enterprise Procurement Process?

One might assume that security is already baked into the enterprise procurement process. To some extent, this is true. Many organizations do include supply chain security measures as part of their procurement practices. However, these measures typically do not include direct testing or evaluation of the cybersecurity risks of the software products being considered.
So, what does the typical enterprise procurement process include? According to the Cybersecurity and Infrastructure Security Agency (CISA), standard practices often involve:
These steps are important, but they rely heavily on self-reporting by vendors. While we entrust third-party organizations like the National Highway Traffic Safety Administration (NHTSA) and the Food and Drug Administration (FDA) to conduct independent safety tests for cars and drugs, we often rely on software vendors to self-report their cybersecurity status. This is a critical gap in the process, and it’s where the principle of “trust but verify” must come into play.
Trust, But Verify: Knowing the Exact Vulnerability and Risk State of the Software You Purchase

Enterprises should take a proactive approach by directly analyzing the business software they are considering for purchase as part of their procurement process.
However, many organizations don’t realize this is even possible. It is, and it can be done in minutes. Some struggle to believe it when they first encounter the idea, but the analysis can be done efficiently and effectively.
This is where “trust but verify” comes in. Blind trust in software can lead to devastating consequences—from data breaches to operational disruptions. Comprehensive visibility into all software components and dependencies is not just advisable; it’s necessary. And this level of visibility can be seamlessly integrated into every enterprise purchasing and procurement process.
Steps to Incorporate Software Analysis in Procurement

To address these challenges, organizations must prioritize integrating software analysis into their procurement workflows. The findings from the NetRise study underscore the critical importance of having a detailed understanding of all software components and risks. Here are some basic steps companies should consider:
Generate Comprehensive SBOMs: Creating detailed Software Bills of Materials (SBOMs) is the foundation of effective supply chain security. SBOMs provide a clear inventory of all software components, including third-party libraries and dependencies. This inventory is essential for identifying and managing risks effectively. In a recent NetRise study, we generated detailed SBOMs for 100 tested networking equipment devices and found that each device contains 1,267 software components on average.
Implement Automated Software Risk Analysis: Using detailed software risk analysis methods, companies can uncover a complete risk picture of each software or firmware package, ensuring a thorough risk assessment. In the NetRise study, we found that the average network equipment device has 1,120 known vulnerabilities in its underlying software components.
Prioritize and Compare Software Risks: Once comprehensive visibility is achieved, organizations should prioritize vulnerabilities based on factors beyond CVSS scores, such as whether a working exploit is known to exist (weaponization) and whether the vulnerable component is reachable over the network. This approach ensures that the most critical threats are identified. Using this prioritized list, teams can compare the risk state of the different software products under consideration. For example, in the NetRise study we found only 20 weaponized vulnerabilities per networking device on average, and, looking closer, only 7 weaponized vulnerabilities that are also network accessible.
Responsible Vulnerability and Risk Disclosure: Once software analysis is part of the purchasing and procurement process, companies should establish a process for responsibly disclosing vulnerability and risk assessment findings to the software vendors concerned. This information should be treated as confidential and not shared beyond the organization and the vendor concerned.
By following these steps, organizations can significantly strengthen their supply chain security processes and the security of their software and hardware purchases.
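The four steps above, worked through end to end as an added example (this is illustration code written for this page, not NetRise's tooling or anything from the original article). It assumes the SBOM arrives as CycloneDX-style JSON with a components list, and it uses a constructed vulnerability feed whose identifiers (EX-2024-000x), component names and versions are all made up for the example. The point it demonstrates is the prioritisation step: the candidate with more total vulnerabilities can still be the lower-risk purchase once findings are ranked by weaponization and network reachability rather than by count or CVSS alone.

```python
"""Compare the vulnerability risk state of two candidate products from their SBOMs.

Every SBOM, component name, version and vulnerability record below is
constructed for this example; none refers to a real product or a real CVE.
"""
import json
from collections import Counter

# Constructed CycloneDX-style SBOMs for two hypothetical firmware images.
SBOM_VENDOR_A = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libexample-tls", "version": "1.2.0"},
        {"type": "library", "name": "httpd-example", "version": "2.4.1"},
        {"type": "library", "name": "libexample-zip", "version": "0.9.3"},
    ],
})
SBOM_VENDOR_B = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libexample-tls", "version": "1.3.1"},
        {"type": "library", "name": "httpd-example", "version": "2.4.1"},
        {"type": "library", "name": "libexample-zip", "version": "0.9.1"},
        {"type": "library", "name": "json-example", "version": "3.0.0"},
    ],
})

# Constructed vulnerability feed. "weaponized" = a working exploit is known;
# "network" = the vulnerable code is reachable over the network (as opposed to
# needing a local file or local access). Hypothetical identifiers throughout.
VULN_FEED = [
    {"id": "EX-2024-0001", "component": "libexample-tls", "fixed_in": "1.3.0",
     "cvss": 9.8, "weaponized": True, "network": True},
    {"id": "EX-2024-0002", "component": "libexample-tls", "fixed_in": "1.2.5",
     "cvss": 5.3, "weaponized": False, "network": True},
    {"id": "EX-2024-0003", "component": "httpd-example", "fixed_in": "2.4.2",
     "cvss": 7.5, "weaponized": True, "network": True},
    {"id": "EX-2024-0004", "component": "libexample-zip", "fixed_in": "0.9.2",
     "cvss": 7.8, "weaponized": True, "network": False},
    {"id": "EX-2024-0005", "component": "libexample-zip", "fixed_in": "1.0.0",
     "cvss": 4.0, "weaponized": False, "network": False},
    {"id": "EX-2024-0006", "component": "json-example", "fixed_in": "3.1.0",
     "cvss": 6.5, "weaponized": False, "network": True},
    {"id": "EX-2024-0007", "component": "json-example", "fixed_in": "3.2.0",
     "cvss": 5.9, "weaponized": False, "network": False},
]


def parse_version(v):
    """'1.2.10' -> (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def parse_sbom(sbom_json):
    """Step 1: turn the SBOM document into a {component name: version} inventory."""
    doc = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def match_vulns(components, feed):
    """Step 2: return feed records whose component is present below its fixed version."""
    hits = []
    for rec in feed:
        ver = components.get(rec["component"])
        if ver is not None and parse_version(ver) < parse_version(rec["fixed_in"]):
            hits.append(rec)
    return hits


def tier(rec):
    """Step 3: rank beyond CVSS. Weaponized and network-reachable findings come
    first, weaponized-but-local second, everything else last."""
    if rec["weaponized"] and rec["network"]:
        return "weaponized_network"
    if rec["weaponized"]:
        return "weaponized"
    return "other"


def assess(name, sbom_json, feed=VULN_FEED):
    """Per-tier counts plus the remediation order (tier first, CVSS as tie-break)."""
    hits = match_vulns(parse_sbom(sbom_json), feed)
    order = {"weaponized_network": 0, "weaponized": 1, "other": 2}
    ranked = sorted(hits, key=lambda r: (order[tier(r)], -r["cvss"]))
    counts = Counter(tier(r) for r in hits)
    return {
        "product": name,
        "total": len(hits),
        "weaponized_network": counts["weaponized_network"],
        "weaponized": counts["weaponized"],
        "other": counts["other"],
        "ranked_ids": [r["id"] for r in ranked],
    }


def compare(assessments):
    """Order candidates by the tiers that matter, not by raw vulnerability count."""
    return sorted(assessments,
                  key=lambda a: (a["weaponized_network"], a["weaponized"], a["total"]))


if __name__ == "__main__":
    candidates = [assess("vendor-A", SBOM_VENDOR_A), assess("vendor-B", SBOM_VENDOR_B)]
    for a in compare(candidates):
        print(a)
```

On this constructed input vendor B carries five findings to vendor A's four, yet B ranks as the lower-risk purchase because only one of its findings is both weaponized and network-reachable, against two for A. The ranked list from assess() is also what step 4 would hand to the vendor, with the tiering making clear which items are blocking.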
Conclusion

In today’s rapidly evolving cyber threat landscape, it’s no longer enough to trust that the software you purchase is secure. The risks are too great, and the consequences of a breach are too severe. By incorporating software analysis into the procurement process, organizations can ensure that they are making informed, secure choices when acquiring new software and hardware.
Comprehensive software visibility, automated risk analysis, and responsible risk disclosure are not just best practices—they are essential steps for any organization looking to protect its digital assets. It’s time to move beyond trust alone. It’s time to verify. By adopting these practices, organizations can build a robust foundation for their cybersecurity efforts and safeguard their operations against the growing wave of software supply chain attacks.
Now is the time to act. Integrate software analysis into your procurement process today and take control of your software supply chain security.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Following its victory in the 2024 general election, Labour has recommitted to bringing the deadline for phasing out new petrol and diesel cars forward to 2030.
The UK Government’s Zero Emission Vehicle (ZEV) mandate requires 80% of new cars and 70% of new vans sold in the UK to be zero emission by 2030, increasing to 100% by 2035.
However, the UK is set to significantly miss current targets for electric vehicle (EV) sales by both 2030 and 2035. Fluctuating sales data and an overall decline in UK sales emphasize that there is work to be done to meet Labour’s deadline.
This upcoming EV revolution also brings a breadth of cybersecurity concerns, among them vehicles' reliance on local power grids and the growing interconnectedness of vehicles worldwide. With all new cars sold expected to be connected by 2026, protecting drivers and repairers will be core to nurturing the growth needed.
One way of supporting the industry’s preparedness for the introduction of EVs and other innovations is through clear and secure access to security related repair and maintenance information.
Not only does this protect manufacturers’ sensitive repair information, it also ensures garages can streamline their processes to meet the demand and diversity of vehicles on our roads.
The critical role of secure information sharing in automotive

Secure information sharing is central to maintaining the integrity and reliability of vehicle systems in our highly interconnected and digital automotive environment.
The importance of such security measures is underlined by a number of data breaches, notably the 2022 Arnold Clark ransomware attack, during which an unauthorized third party accessed the personal data, including contact details, bank details, national insurance numbers, vehicle information, and more, of over 10,000 customers of the car dealership. In the following weeks and months, numerous victims reported evidence of identity theft attempts, as well as instances of successful fraud, leading to legal action which is suggested to have cost the dealership millions in damages.
The incident highlights how digital vulnerabilities can, beyond significant financial losses, quickly halt business operations, impede customer service, and increase concerns over data security, ultimately eroding trust between drivers and dealerships.
Security measures in automotive are increasingly critical as cars become more connected, with the arrival of advanced driver-assistance systems, driver monitoring systems, e-commerce, pay-by-car parking, digital key systems, and more. These innovations require greater regulation to navigate the growth in connectivity, brands, models and types of vehicle.
How SERMI streamlines information sharing

Previously, sharing data amongst independent operators (IOs), remote service suppliers (RSSs) and vehicle manufacturers was disjointed.
Each vehicle manufacturer required independent certifications, creating a cumbersome and time-consuming system for them to talk to others in the vehicle life cycle.
SERMI, the scheme for accreditation, approval and authorization to access security-related repair and maintenance information, is a standardized and single access point for everyone across the sector. It’s a framework for accreditation, approval, and authorization - ensuring secure access to critical vehicle data. This enables quicker, more accurate repairs, reducing wait times for customers.
The SERMI scheme has already been introduced in Europe across 29 countries and is set to be rolled out in the UK later this year, giving independent repair shops access to the same repair information as dealerships. Prior to SERMI, the information asymmetry between dealerships and independent garages placed independent shops at a disadvantage. Consumers often perceived dealerships to have a higher level of expertise due to their exclusive access to manufacturer information.
This scheme is not only about accessibility but also about maintaining security. Digital identity companies play a crucial role in giving all stakeholders a smoother experience while keeping the scheme safe from bad actors and compromise.
Importance of a Trust Centre

The Trust Centre within the SERMI scheme plays a crucial role in maintaining the integrity, security, and trustworthiness of the scheme. The Trust Centre acts as a certification authority, issuing digital certificates to authorized IO and RSS employees. These certificates authenticate the identity of the operators’ employees and enable secure access to the vehicle manufacturer’s security-related repair and maintenance information.
This helps prevent unauthorized access and potential misuse of sensitive vehicle information.
Digidentity, the Trust Centre for SERMI, has developed a secure virtual token that is stored as a digital SERMI certificate in the Digidentity Wallet on the user’s mobile phone, granting IOs and RSSs access to security-related repair and maintenance information on every vehicle manufacturer’s website. This not only simplifies access but also enhances security by eliminating the need to store or manage multiple credentials.
In addition to eliminating the need for multiple logins and passwords, and streamlining the information retrieval process, it also ensures that sensitive information from both parties remains secure.
Securing car manufacturers’ information is vital to preventing unauthorized access to diagnostic data, ensuring accurate and safe vehicle repairs, and protecting intellectual property. If left vulnerable to breaches, it could lead to faulty repairs, vehicle hijacking, and an overall loss of consumer trust.
Strengthening this automotive security is increasingly important as the push to meet Labour’s deadline accelerates EV sales over the coming decade.
A Trust Centre plays a critical role in this, ensuring that both technicians and drivers of these vehicles can maintain trust and safety, while still supporting industry growth in line with the greater goal of achieving a successful transition to a zero-emission future.
Electric vehicles made in China could be banned in the US from 2027 if a proposed new rule is passed. The US Bureau of Industry and Security (BIS) has published a Notice of Proposed Rulemaking that would prohibit the import and sale of vehicles and components made by manufacturers "with a sufficient nexus" to the People's Republic of China or Russia.
The proposed rule focuses on specific elements in electric vehicle (EV) hardware and software, and the potentially malicious use of the information and data required by them. The Vehicle Connectivity System (VCS) allows cars to communicate externally through Bluetooth, cellular, satellite or Wi-Fi modules, while the Automated Driving System (ADS) allows a car to operate without a driver. This ban would encompass any parts imported for use in American-made cars, as well as those built into vehicles from China and Russia.
If passed without change, the only vehicles that would be exempt are those related to agricultural or mining purposes. And, while a senior Biden administration official says “[Chinese] and Russian automakers do not currently play a significant role in the US auto market", the official believes it’s a necessary preventive step given the sophistication of today's electric cars and their growing centrality.
A statement from the White House clarifies that, "These technologies include computer systems that control vehicle movement and collect sensitive driver and passenger data as well as cameras and sensors that enable automated driving systems and record detailed information about American infrastructure."
"While connected vehicles yield many benefits, the data security and cybersecurity risks posed by software and hardware components sourced from the PRC and other countries of concern are equally clear,” said National Security Advisor Jake Sullivan.
It was only this month that the US increased tariffs on Chinese EV imports to 100%, and this rule comes as China's auto exports have boomed, increasing by more than 30% in the first six months of 2024 according to the Associated Press.
Though the proposal could still see change, if passed in its current state the new software ban would take effect on all vehicles with the model year 2027, with hardware provisions beginning with model year 2030.
More privacy, fewer options

This new rule can equally be viewed as a way to protect American electric vehicle manufacturing (and its considerably more expensive vehicles) as much as being about protecting Americans’ privacy and security.
Despite heavy tariffs, cars like the Volvo EX30 undercut the Tesla Model Y in some markets, and according to The Atlantic, the average price for an EV in China is about $18,000 cheaper than the United States. Lei Xing, former Chief Editor at China Auto Review, says "If the 100 percent tariffs on made-in-China EVs were a wall, the proposed ban on connected vehicles would be a death sentence for China EV Inc."
That's not to say these new rules are without merit. With the cameras, GPS tracking, microphones and other technologies of modern EVs, “It doesn't take much imagination to understand how a foreign adversary with access to this information could pose a serious risk to both our national security and the privacy of US citizens" said Gina Raimondo, Secretary of Commerce.
However, Raimondo's scenario of China causing mayhem by shutting down "hundreds of thousands of Chinese connected vehicles" isn’t likely to occur any time soon, given the insignificant role Chinese and Russian automakers play in the US. According to Statista, as of August 2024 Tesla makes up 82.5% of the U.S. EV market, with the American-owned Ford (3%) and Chevrolet (2.9%), South Korean Hyundai (2.2%), and German BMW (1.8%), Volkswagen (1.7%) and Mercedes-Benz (1.4%) leaving only 4.5% split between Nissan, Kia and other manufacturers.
This obviously isn't the first tech-related legal run-in between China and America. In 2022 equipment from Huawei and ZTE was banned, and Bytedance is still fighting the forced divesting of TikTok in court.
While the potential malicious use of American data is certainly something to be wary of, if this proposition becomes law the impact on EV pricing in the US could be significant. So, while this rule will see citizens remain protected against "countries of concern" using their data, they’d also miss out on some of the world’s cheapest electric vehicles.
It's a day ending in Y, so a new AI video generator is joining the ever-growing mass of similar tools. Alibaba is the latest to join the field with its new text-to-video model, part of its Tongyi Wanxiang portfolio. Announced at the Alibaba Cloud Apsara Conference, the AI video tool was only part of an avalanche of new AI options from the Chinese tech giant, including more than 100 new large language models (LLMs),
Tongyi Wanxiang is Alibaba's collection of synthetic media generation models, starting with an AI image creator last year. The new tool will produce high-quality videos from text prompts in both Chinese and English, and from still images. Alibaba's executives bragged that the company has some of the most advanced diffusion transformer (DiT) architecture, enabling it to make videos that maintain their quality regardless of the style requested by the user, including realistic live-action and many animation styles.
Alibaba didn't spend too much time on how they envision users employing the AI video maker, but the company's emphasis on third-party partnerships is suggestive. The technology might be employed in a range of marketing and entertainment videos. It might also end up in video games, producing visual references or even entire introductory videos.
Seen Sora?

The sheer number of AI video generators out or coming soon is astonishing, considering there weren't any at the consumer level not long ago. OpenAI drew a lot of attention to the idea with its Sora model. Still, the company's decision to limit Sora to certain partners left a lot of people hunting for alternatives, and companies like Alibaba are happy to fill in some of the gaps.
Runway, Stability AI, Pika, Hotshot, and Luma Labs' Dream Machine are only some of the most prominent examples. And Alibaba isn't alone among Chinese competitors. Kling and TikTok owner Bytedance's Jimeng are in the same race. Alibaba has called "action", but the final cut, with its winners and losers, has yet to be filmed.