The Rotterdam suspicion machine || Outlook elevation of privilege vulnerability
CyberInsights #85 - ML algorithms making human decisions || Microsoft releases a patch for a 9.8 scored vulnerability
ML Algorithms flag women and people of a different race for further investigation
Yet again, an ML-based algorithm shows bias.
Poor training data has led to yet another biased ML-based algorithm. Read the extensive piece on Wired.
The city of Rotterdam (in the Netherlands) uses a machine-learning algorithm to pick welfare recipients for fraud investigation. It scores people on 315 data points, none of them related to gender or race, but still it manages to be biased. Leaving a protected attribute out of the input does not keep it out of the decision: features that correlate with it (language skills, family situation and the like) act as proxies, and the model learns those instead.
The training data was a collection of 12,707 people who had previously broken the law.
Further down the article, an expert is quoted saying that the model's results are no better than random guessing.
Take Action:
I have written multiple times about AI biases. This is a concern for the 'integrity' of the output, something we cybersecurity professionals hold dear as a part of the holy C-I-A triad.
An algorithm can be susceptible to bias in two ways. The first is unintentional: a small training set, a biased sample selection, a proxy feature that stands in for a protected attribute, and so on. That is the domain of the data scientist.
The second is deliberate tampering, whether of the training data (poisoning) or of the inputs at scoring time.
If the algorithm is sensitive to certain elements (as in the article above), then it is easy to tamper with: whoever knows which inputs dominate the score can adjust exactly those, and a small change to one feature is enough to move a case across the threshold.
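To make both mechanisms concrete, here is an added Python example (not code from the Wired piece, from the city of Rotterdam or from this newsletter). It trains a small logistic-regression risk scorer on a constructed case file that never contains the group label, shows that a correlated proxy feature (a made-up language-test score) reproduces the historical targeting of one group anyway, and then shows that because the score hinges on that one feature, a subject can cross the threshold by editing only that input. Every feature name, group and data point is invented for the illustration.

```python
"""Proxy bias and feature sensitivity in a welfare-fraud style risk scorer.

Added illustration (not the Rotterdam model or the Wired analysis). All data
is constructed: two demographic groups, a "language test" feature that is
lower for one group, and a historical case file in which investigators
targeted that group. The scorer never sees the group label.
"""
import math
import random

rng = random.Random(7)  # fixed seed: the constructed data is reproducible


def make_training_data(n_per_group=200):
    """Constructed case file: (group, years_on_welfare, language_score, was_investigated).

    Bias enters in two ways the scorer cannot see:
    - proxy: group B averages a much lower language-test score than group A;
    - biased sample selection: past investigators opened cases against B
      far more often, independent of anything the person actually did.
    """
    rows = []
    for group in ("A", "B"):
        for _ in range(n_per_group):
            years = rng.randint(0, 10)
            lang = rng.gauss(8.0 if group == "A" else 3.5, 1.0)
            p_case = 0.15 if group == "A" else 0.70
            rows.append((group, years, lang, 1 if rng.random() < p_case else 0))
    return rows


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class RiskScorer:
    """Logistic regression on [years_on_welfare, language_score], fitted by plain gradient descent."""

    def __init__(self):
        self.mean, self.std = [0.0, 0.0], [1.0, 1.0]
        self.weights, self.bias = [0.0, 0.0], 0.0

    def _scale(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mean, self.std)]

    def fit(self, rows, lr=1.0, epochs=1500):
        X = [[years, lang] for _, years, lang, _ in rows]
        y = [label for _, _, _, label in rows]
        n = len(X)
        cols = list(zip(*X))
        # standardise features so gradient descent is well conditioned
        self.mean = [sum(c) / n for c in cols]
        self.std = [math.sqrt(sum((v - m) ** 2 for v in c) / n) for c, m in zip(cols, self.mean)]
        Xs = [self._scale(x) for x in X]
        for _ in range(epochs):
            grad_w, grad_b = [0.0, 0.0], 0.0
            for x, t in zip(Xs, y):
                err = sigmoid(self.bias + self.weights[0] * x[0] + self.weights[1] * x[1]) - t
                grad_w[0] += err * x[0]
                grad_w[1] += err * x[1]
                grad_b += err
            self.weights = [w - lr * g / n for w, g in zip(self.weights, grad_w)]
            self.bias -= lr * grad_b / n
        return self

    def score(self, years, lang):
        x = self._scale([years, lang])
        return sigmoid(self.bias + self.weights[0] * x[0] + self.weights[1] * x[1])

    def flag(self, years, lang, threshold=0.5):
        return self.score(years, lang) >= threshold


def flag_rate_by_group(model, rows):
    """Audit: share of each group the model flags. The group label is used only here, never for scoring."""
    total, flagged = {}, {}
    for group, years, lang, _ in rows:
        total[group] = total.get(group, 0) + 1
        flagged[group] = flagged.get(group, 0) + int(model.flag(years, lang))
    return {g: flagged[g] / total[g] for g in total}


def tamper_demo(model):
    """Same person, same five years on welfare: flagged with a typical group-B language score,
    cleared after editing only the feature the model leans on."""
    return model.flag(5, 3.0), model.flag(5, 8.0)


if __name__ == "__main__":
    rows = make_training_data()
    model = RiskScorer().fit(rows)
    print("weights (years, language):", [round(w, 2) for w in model.weights])
    print("flag rate by group:", flag_rate_by_group(model, rows))
    print("flagged before/after editing language score:", tamper_demo(model))
```

Running it prints a strongly negative weight on the language score, a near-zero weight on years on welfare, a flag rate for group B far above group A, and a flagged-then-cleared pair for the edited record. The audit function is the check to ask a data science team for: score the population, then break the flag rate down by the attributes the model was supposed to be blind to.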
Discuss this with your data science team. Identify the points where bias can creep in (data collection, labelling, feature selection, and how sensitive the model is to individual features) and design and test mitigations for each.
Microsoft Outlook EoP vulnerability fixed
CVE-2023-23397 is reportedly being actively exploited.
It is a critical elevation-of-privilege vulnerability in Microsoft Outlook for Windows, fixed in the March 2023 Patch Tuesday release. A crafted message (mail, calendar invite or task) carries a reminder property pointing at an attacker-controlled UNC path; when the reminder fires, Outlook authenticates to that server over SMB and leaks the user's Net-NTLMv2 response, with no user interaction required. Microsoft also published a script to scan Exchange mailboxes for messages carrying such a property.
This vulnerability has a CVSS score of 9.8.
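Added here as an illustration (not code from the newsletter, from Microsoft or from The Register), the Python script below runs a detection over a handful of constructed firewall log lines. The background it relies on is the published behaviour of CVE-2023-23397: exploitation makes the victim's Outlook open an SMB connection (TCP 445) to an attacker-controlled host and perform NTLM authentication there. Workstations have no business speaking SMB to public addresses, so an internal source reaching an external host on port 445 is both the thing to alert on and the thing to block at the perimeter. The log format, firewall name, subnets and addresses are all made up for the example.

```python
"""Spot the network side-effect of CVE-2023-23397 in firewall logs.

Added example. Exploitation of the Outlook bug makes the victim's machine
connect to an attacker-controlled SMB server on the Internet, so outbound
TCP 445 from a workstation to a non-corporate address is a cheap,
high-signal detection. The log format and all lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed syslog-style firewall lines (hypothetical format, made-up addresses).
SAMPLE_LOGS = """\
2023-03-15T09:12:01Z fw01 action=allow proto=tcp src=10.20.5.17 sport=51233 dst=10.20.1.10 dport=445
2023-03-15T09:12:03Z fw01 action=allow proto=tcp src=10.20.5.17 sport=51240 dst=203.0.113.77 dport=445
2023-03-15T09:12:04Z fw01 action=allow proto=tcp src=10.20.5.17 sport=51241 dst=203.0.113.77 dport=443
2023-03-15T09:13:10Z fw01 action=deny proto=tcp src=10.20.7.4 sport=49811 dst=198.51.100.9 dport=445
2023-03-15T09:14:22Z fw01 action=allow proto=tcp src=10.20.5.23 sport=50102 dst=203.0.113.77 dport=445
2023-03-15T09:15:00Z fw01 action=allow proto=udp src=10.20.5.23 sport=137 dst=10.20.255.255 dport=137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) sport=\d+ dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# The exploit traffic is SMB over 445; 139 (NetBIOS session) should be blocked outbound too.
SMB_PORTS = {445, 139}

# The organisation's own address space (assumed RFC 1918 here). Anything else is "external";
# this is deliberately not ipaddress.is_global, which would treat documentation ranges as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text):
    """Every TCP record where an internal host reached, or tried to reach, an SMB port on an external host.

    Denied attempts are kept on purpose: a workstation *trying* to talk SMB to the Internet
    is the indicator that a malicious reminder fired, whether or not the perimeter let it through.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] in SMB_PORTS and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append(rec)
    return hits


def summarise(hits):
    """Group hits by external destination: which internal hosts reached it and whether any connection got through.

    Several workstations reaching the same external SMB host is the shape of one
    malicious message sent to several mailboxes.
    """
    by_dst = defaultdict(lambda: {"sources": set(), "allowed": False})
    for rec in hits:
        entry = by_dst[rec["dst"]]
        entry["sources"].add(rec["src"])
        entry["allowed"] = entry["allowed"] or rec["action"] == "allow"
    return {dst: {"sources": sorted(v["sources"]), "allowed": v["allowed"]} for dst, v in by_dst.items()}


if __name__ == "__main__":
    for dst, info in summarise(find_outbound_smb(SAMPLE_LOGS)).items():
        state = "CONNECTED" if info["allowed"] else "blocked"
        print(f"{dst}: {state}, internal sources {', '.join(info['sources'])}")
```

The hosts that show up as CONNECTED have already sent their Net-NTLMv2 response to the attacker; the owning users' passwords should be treated as exposed, which is why blocking outbound 445 is worth doing before the patch is fully rolled out.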
This is not the only vulnerability being actively exploited right now; there is also the Fortinet one. Read this article from The Register: we are in for a long 'patching party'!
Take Action:
As they say, organise an update party. Order the pizza and patch the actively exploited and highest-scored vulnerabilities first. Where the Outlook patch cannot go out immediately, apply Microsoft's interim mitigations: block outbound TCP 445 at the perimeter and add high-value accounts to the Protected Users security group, whose members cannot authenticate with NTLM. By the looks of it, the infra team is in for a long weekend of testing and patching.