Guess What? Facebook Has A ‘Dangerous Vulnerability’ That Exposes Millions Of Email Addresses….. A Huge Reason To #DeleteFacebook

Posted in Commentary with tags on April 22, 2021 by itnerd

A security researcher has made public a Facebook vulnerability exposing millions of user email addresses after Facebook allegedly dismissed the exploit when he reported it to them. Ars Technica has viewed a video created by the researcher that demonstrates the exploit:

A video circulating on Tuesday showed a researcher demonstrating a tool named Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher—who said he went public after Facebook said it didn’t think the weakness he found was “important” enough to be fixed—fed the tool a list of 65,000 email addresses and watched what happened next.

“As you can see from the output log here, I’m getting a significant amount of results from them,” the researcher said as the video showed the tool crunching the address list. “I’ve spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts.”

Facebook said this in response:

In a statement, Facebook said: “It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings.”

A Facebook representative didn’t respond to a question asking if the company told the researcher it didn’t consider the vulnerability important enough to warrant a fix. The representative said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.

But here’s what the researcher said about how Facebook responded to his initial report:

The researcher, whom Ars agreed not to identify, said that Facebook Email Search exploited a front-end vulnerability that he reported to Facebook recently but that “they [Facebook] do not consider to be important enough to be patched.” Earlier this year, Facebook had a similar vulnerability that was ultimately fixed.

“This is essentially the exact same vulnerability,” the researcher says. “And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it.”

Total #Fail for Facebook. But the #Fail gets worse:

An email Facebook inadvertently sent to a reporter at the Dutch publication DataNews instructed public relations people to “frame this as a broad industry issue and normalize the fact that this activity happens regularly.” Facebook has also made the distinction between scraping and hacks or breaches.

This is now an #EpicFail because it is clear that Facebook doesn’t care about its users and protecting them. If this combined with Facebook’s other #EpicFails doesn’t make you want to #DeleteFacebook, nothing will.

TikTok Sued For Billions Over Use of Children’s Data

Posted in Commentary with tags on April 22, 2021 by itnerd

TikTok is facing a legal challenge from former children’s commissioner for England Anne Longfield over how it collects and uses children’s data:

The claim is being filed on behalf of millions of children in the UK and EU who have used the hugely popular video-sharing app. If successful, the children affected could each be owed thousands of pounds. TikTok said the case was without merit and it would fight it. 

Lawyers will allege that TikTok takes children’s personal information, including phone numbers, videos, exact location and biometric data, without sufficient warning, transparency or the necessary consent required by law, and without children or parents knowing what is being done with that information. The claim is being launched on behalf of all children who have used TikTok since 25 May 2018, regardless of whether they have an account or their privacy settings. Children not wishing to be represented can opt out.

In response, TikTok said:

“Privacy and safety are top priorities for TikTok and we have robust policies, processes and technologies in place to help protect all users, and our teenage users in particular. We believe the claims lack merit and intend to vigorously defend the action.”

This highlights the fact that TikTok still has a fair amount of perceived privacy issues. And they are quickly trending into Facebook country where I can see a scenario where #DeleteFacebook becomes #DeleteTikTok if they don’t quickly, transparently, and permanently address these issues.

Trend Micro Transforms Channel Program To Advance Cloud Security & Services

Posted in Commentary with tags on April 22, 2021 by itnerd

Trend Micro Incorporated today announced a major refresh of the Trend Micro partner program that provides more cloud services resources and rewards partners with additional discounts for enabling organizations to better secure public cloud computing environments.

The objective of the revamped program is to make it more profitable for partners that work with customers to deploy best-in-class Trend Micro cloud security services via our authorized distributors and the AWS Marketplace or the AWS Consulting Partner Private Offer (CPPO) program, through which many cloud-native partners already resell AWS services.

Digital transformation has surged over the past year as organizations shift workloads to the cloud to support remote working, optimize business processes and drive innovative business strategies to engage customers. Channel partners supporting these organizations need a cybersecurity partner they can trust to help them secure a wide range of application environments with confidence.

The cornerstones of the cloud-first partner program are:

  • A cloud-first focus on partners that provide cloud services, such as AWS Consulting Partners or those who have achieved AWS Well-Architected Review (WAR) competencies that assure high-quality security services are implemented in accordance with best practices defined by AWS. The new program offers partners service-oriented pre-sales support, co-selling tools, and free access to Trend Micro’s cloud security posture management solution, Cloud One – Conformity, that can accelerate and automate well-architected security assessments.
  • Increased deal registration discounts to protect margins for partners who register opportunities and actively work with us to bring customer success.
  • Cloud marketplace bundles and security services enablement: Trend Micro’s cloud-first program and new enablement platforms will enable partners to build their cloud service bundles and grow their businesses more profitably on the AWS Marketplace. Our partners are entitled to full use of our new white-label cybersecurity assessment services, cloud risk assessment tool, and can enroll in the Trend Micro professional service partner program.
  • Early Warning Services: The Trend Micro Vision One platform allows Trend Micro’s Incident & Response teams to proactively provide joint customers with threat intelligence and risks through daily scanning for indicators of compromise (IoC) related to notable targeted attacks. It opens a path for partners to build their services to help customers respond to and mitigate threats quickly and efficiently. 
  • Commitment to simplicity and flexibility that shifts compensation from a tier-based standard discount model to a flat standard discount for all partner types. 

Trend Micro’s channel strategy has been recognized with multiple accolades, including four separate achievements from CRN this year alone, among them a 5-star rating in its 2021 partner program guide and recognition on the Top 100 Coolest Cloud Companies and Top 100 Security Companies lists. In addition, the company was named a Champion in the Canalys Global Cybersecurity Leadership Matrix for 2020 for the increased investment in its channel-first strategy to help partners drive SaaS business across its portfolio.

For more information about the Trend Micro partner program and partnership opportunities, please visit: https://www.trendmicro.com/en_ca/partners/channel-partners/professional-services-partner.html

TELUS Internationally Recognized As Fastest Mobile Operator & Top Wireless Network In Canada

Posted in Commentary with tags on April 22, 2021 by itnerd

As Canadians continue to rely more than ever on strong, reliable wireless networks for work, remote learning, entertainment, and staying connected, TELUS announced today that its superior network speed, strength, and reliability have been recognized by two industry-leading experts, including being named the fastest mobile operator in Canada in the Q1 2021 Speedtest Intelligence report by Seattle-based Ookla®. TELUS also earned the title of Top Wireless Network Quality in Western Canada and tied for first in Ontario in New York-based J.D. Power’s 2021 Canada Wireless Network Quality Study.

Below are key highlights from the reports:

  • Ookla found that TELUS’ network speed outperformed all other mobile operators with a Speed Score of 87.54 Mbps
  • TELUS ranked Fastest Mobile Network in Ontario and Manitoba three quarters in a row by Ookla
  • Seventh consecutive year that J.D. Power has awarded TELUS the top spot in Ontario
  • J.D. Power ranked TELUS #1 in Western Canada for best wireless network quality, outperforming all other network providers with fewest calling, messaging, or data problems

TELUS’ wireless and wireline networks continue to serve Canadians with the highest quality and connectivity excellence during the ongoing COVID-19 pandemic. In 2020, TELUS accommodated a surge in demand on our networks, including a 40% increase in multimedia messaging, a 40% surge in Internet usage, a 50% increase in average monthly call volumes, and a 26% increase in TV viewing. With more Canadians continuing to work and learn from home, we are constantly investing in new technologies to enhance TELUS’ network resiliency and world-class performance standards to ensure that our customers have a seamless, robust experience.

Since 2000, TELUS has invested nearly $240 billion in network infrastructure, spectrum, and operations to enhance the coverage, speed, and reliability of its networks. Over the next three years, TELUS has committed to investing an additional $40 billion to support the rollout of its 5G network, which will enhance innovation and help drive digital development across key sectors of the Canadian economy.

This latest recognition from Ookla and J.D. Power complements the countless accolades TELUS has earned over the years in respect of their world-leading wireless network. In 2020, TELUS was recognized by other independent industry-leading experts, including UK-based Opensignal, Victoria-based Tutela and New York-based PCMag, building on an outstanding record of achievement with respect to network excellence. Notably, these awards are based on TELUS’ national networks, inclusive of both urban and rural coverage.

Does Tile Have Anything To Worry About When It Comes To Apple’s AirTags? Yes…. But It’s Not For The Reason That Tile Is Focused On

Posted in Commentary with tags on April 22, 2021 by itnerd

Earlier this week at the Apple “Spring Forward” event, Apple finally announced the long-rumored AirTags tracking device. I did a story on why Tile can’t or won’t jump onto Apple’s Find My network, which allows third-party devices to work within the Apple ecosystem. But the real question is this: now that AirTags actually exist, does Tile have anything to worry about?

Tile clearly thinks so. Almost the second that the “Spring Forward” event was over, Tile called Apple out:

Our mission is to solve the everyday pain point of finding lost and misplaced things and we are flattered to see Apple, one of the most valuable companies in the world, enter and validate the category Tile pioneered.

The reason so many people turn to Tile to locate their lost or misplaced items is because of the differentiated value we offer our consumers. In addition to providing an industry leading set of features via our app that works with iOS and Android devices, our service is seamlessly integrated with all major voice assistants, including Alexa and Google. And with form factors for every use case and many different styles at affordable prices, there is a Tile for everyone.

Tile has also successfully partnered with top brands like HP, Intel, Skullcandy and fitbit to enable our finding technology in mass market consumer categories like laptops, earbuds and wearables. With over 30 partners, we look forward to extending the benefits of Tile to millions of customers and enabling an experience that helps you keep track of all your important belongings.

We welcome competition, as long as it is fair competition. Unfortunately, given Apple’s well-documented history of using its platform advantage to unfairly limit competition for its products, we’re skeptical. And given our prior history with Apple, we think it is entirely appropriate for Congress to take a closer look at Apple’s business practices specific to its entry into this category. We welcome the opportunity to discuss these issues further in front of Congress tomorrow.

Let’s think about this for a second. Apple has opened up the Find My network to third parties. Sure, that might be an optics exercise. But it also shows that if Tile really wanted to, they could join the party. They’re either choosing not to, or they can’t. Something to consider is that if they did participate in the Find My network, at least the trackers that are part of that network would have to live exclusively inside Apple’s ecosystem, which means those trackers would be excluded from the Tile network. That is something I am sure isn’t palatable to Tile.

The other thing that I will say on this front is that Apple would be completely stupid not to allow Tile into the Find My party given how much scrutiny they’re currently under from the US Congress, among others, for anti-trust reasons. Thus I have to wonder if this is all about the fact that Tile has just seen its life flash before its eyes because Apple just came out with a product that is potentially better.

Now if you ask me, here’s what Tile should really be worried about. Privacy. Apple as part of the Find My network has some pretty extensive privacy features. Here’s a paragraph from the Apple press release announcing AirTags:

AirTag is also designed with a set of proactive features that discourage unwanted tracking, an industry first. Bluetooth signal identifiers transmitted by AirTag rotate frequently to prevent unwanted location tracking. iOS devices can also detect an AirTag that isn’t with its owner, and notify the user if an unknown AirTag is seen to be traveling with them from place to place over time. And even if users don’t have an iOS device, an AirTag separated from its owner for an extended period of time will play a sound when moved to draw attention to it. If a user detects an unknown AirTag, they can tap it with their iPhone or NFC-capable device and instructions will guide them to disable the unknown AirTag.
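As an added illustration (not Apple’s code or algorithm, and not part of the press release quoted above), the following models the “unknown tag travelling with you” behaviour described there: sightings of nearby tags are grouped per tag, the user’s own tags are excluded, and a tag is flagged when it turns up at several distinct places over a long enough span of time. The tag identifiers, coordinates and thresholds are constructed assumptions; the release says real identifiers rotate, and how the device resolves them is not something this page describes, so the model simply keys sightings by an already-resolved tag id.

```python
"""Added illustration of an 'unknown tracker travelling with you' heuristic.

This is NOT Apple's implementation; it models the behaviour the AirTag press
release describes (alert when a tag that is not yours keeps turning up at
different places over time) with constructed data and assumed thresholds.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000


@dataclass(frozen=True)
class Sighting:
    """One Bluetooth sighting of a nearby tag (constructed sample record)."""
    t: int          # seconds since the start of the observation window
    tag_id: str     # key for the tag; real identifiers rotate, so this is a
                    # simplification: we assume the device has resolved them
    lat: float
    lon: float


def distance_m(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle (haversine) distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(h))


def count_places(sightings: list[Sighting], radius_m: float = 200.0) -> int:
    """Number of distinct places a tag was seen at.

    Sightings within radius_m of an already-recorded place count as the same
    place, so lingering in one spot does not inflate the count.
    """
    places: list[tuple[float, float]] = []
    for s in sightings:
        if not any(distance_m((s.lat, s.lon), p) <= radius_m for p in places):
            places.append((s.lat, s.lon))
    return len(places)


def unknown_travelling_tags(
    sightings: list[Sighting],
    owned: set[str],
    min_places: int = 3,
    min_duration_s: int = 3600,
) -> dict[str, dict[str, int]]:
    """Return tags that are not ours and appear to be moving with us.

    A tag is flagged when it was seen at min_places or more distinct places
    spanning at least min_duration_s seconds. Both thresholds are assumptions.
    """
    by_tag: dict[str, list[Sighting]] = {}
    for s in sightings:
        if s.tag_id in owned:
            continue                      # our own tags never alert
        by_tag.setdefault(s.tag_id, []).append(s)

    flagged: dict[str, dict[str, int]] = {}
    for tag, seen in by_tag.items():
        seen.sort(key=lambda s: s.t)
        duration = seen[-1].t - seen[0].t
        places = count_places(seen)
        if places >= min_places and duration >= min_duration_s:
            flagged[tag] = {"places": places, "duration_s": duration}
    return flagged


# Constructed sample: a two-hour trip through four places. OWN-1 is our own
# tag, UNK-7 follows us the whole way, SHOP-2 is a stranger's tag seen once.
OWNED = {"OWN-1"}
HOME, TRANSIT, OFFICE, CAFE = (
    (43.6532, -79.3832), (43.6426, -79.3871), (43.6629, -79.3957), (43.6677, -79.3948),
)
SIGHTINGS = [
    Sighting(0, "OWN-1", *HOME),       Sighting(0, "UNK-7", *HOME),
    Sighting(1800, "OWN-1", *TRANSIT), Sighting(1800, "UNK-7", *TRANSIT),
    Sighting(3600, "OWN-1", *OFFICE),  Sighting(3600, "UNK-7", *OFFICE),
    Sighting(3660, "SHOP-2", *OFFICE),
    Sighting(7200, "OWN-1", *CAFE),    Sighting(7200, "UNK-7", *CAFE),
]

if __name__ == "__main__":
    for tag, info in unknown_travelling_tags(SIGHTINGS, OWNED).items():
        print(f"alert: unknown tag {tag} seen at {info['places']} places "
              f"over {info['duration_s'] // 60} minutes")
```

Only UNK-7 is reported: SHOP-2 was seen once, and OWN-1 is excluded as an owned tag even though it travelled the same route.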

Tile has nothing like this to stop unwanted tracking. And unless they add something like this, since privacy matters to users these days, they may face mass defections of users inside the Apple ecosystem who care about privacy. In my case, this feature alone is making me consider switching my investment in the Tile ecosystem over to AirTags because I care about privacy. But I will have to get one in house and test it out before I pull that trigger. If you clued in that this means I will be reviewing AirTags, you get to move to the front of the class.

If anything, Tile needs to worry about being one step behind Apple in terms of privacy rather than going to Congress to complain about any perceived anti-trust issues it has with Apple. If they worry about the former, they have the chance to go head to head with Apple because:

  • Tile was in this market first and has a sizable lead.
  • Tile has a cross-platform product while Apple has an Apple-centric product with limited Android support, in the form of tapping an AirTag with an NFC-enabled Android device to get directions to disable it or return it.

Let’s see if Tile chooses to do the right thing and match Apple in terms of privacy, or go down a path that will likely end in doom for them.

Apple Just Dropped Their New iMac…. And You Need To Be Careful About How You Buy It

Posted in Commentary with tags on April 22, 2021 by itnerd

A couple of days ago, Apple announced new iMacs which promise performance that will simply destroy any Intel-based iMac, judging by the performance I saw on the M1-based MacBook Air. But you have to be careful about how you buy this iMac when sales start later this month, otherwise you might limit your options in the future. Thus, here are my suggestions for how to buy it:

  1. Skip the base model: The base model is a complete and total waste of your time and money. It only comes with a 7-core GPU, which means there will be a hit in performance. But the bigger issue is that it only comes with two Thunderbolt 4/USB 4 ports; every other model comes with those ports plus two USB 3 ports. That will limit what you can connect to it. On top of that, you won’t get the option for Gigabit Ethernet built into the power adapter, which limits your flexibility in connecting to the Internet via Ethernet rather than WiFi. Then there’s the fact that Touch ID is available only on the 2 higher-end models. If you care about upping your security game, that’s a factor to consider. Finally, only 4 of the available 7 colors are available on the base model. For reference, the next step up in the lineup has 6 of the available 7 colors, and the top-end option has all 7 colors available. What’s weird is that the US has all 7 colors available in the top two models, so if you are in a location other than the US, you might want to keep an eye out for that. The bottom line is that unless you can’t afford to go up to at least the next step in the iMac food chain, you should skip this model.
  2. Get 16GB of RAM: Seeing as, like the other M1 Macs, you can’t upgrade the RAM after the fact, getting 16GB of RAM is a must. That way you future-proof your iMac and ensure that you can run anything as your needs evolve.
  3. Get the most storage that you can afford: 256GB is really not enough storage and, like the RAM, you cannot upgrade it later. I would recommend 512GB or more, as that too will future-proof your iMac and ensure that you can run anything as your needs evolve. Here’s my rule of thumb:
    • If you currently have a computer with 256GB of storage, get 512GB. 
    • If you currently have a computer with 512GB of storage, get 1TB.
    • If you currently have a computer with 1TB of storage, get 2TB.

Hopefully that helps you to configure the right M1 based iMac for your needs. If you still have questions, email me and I will help you as best as I can.

Cisco AppDynamics Expands Global Software-as-a-Service Offering With Five New Locations

Posted in Commentary with tags on April 21, 2021 by itnerd

Cisco AppDynamics, the industry-leading Business Observability platform, today announced the expansion of its Software-as-a-Service (SaaS) offering through five strategic new locations, enabling fast, secure and reliable access to the AppDynamics Business Observability platform. Built on Amazon Web Services (AWS), new locations in Cape Town (South Africa), Hong Kong (China), London (England), São Paulo (Brazil) and Singapore will provide regional customers and partners with access to full-stack observability solutions that are secure, scalable and adhere to their local data residency regulations, enabling companies to deliver a superior digital experience.

Recent research from Gartner indicates that almost 70 percent of organizations using cloud services today plan to increase their cloud spend in the wake of the disruption caused by COVID-19.

As technologists lead their company’s response to the pandemic, many are facing increasingly high pressure to innovate and scale digital services, and migrating to a SaaS approach comes with serious considerations. Challenges with implementing SaaS services due to evolving data residency laws and regulations, as well as the latency of cloud services that can depend on proximity to SaaS locations, are areas of concern when considering a SaaS approach. However, modern CIOs recognize the urgent need for a secure, reliable and scalable SaaS solution to support their rapid digital transformation efforts and meet the ever-increasing user demand for a flawless digital experience.

The addition of five new locations offers a solution to enterprises concerned with potential data sovereignty and governance requirements, and provides access for customers all around the globe. With points of presence already in place in Portland (US), Frankfurt (Germany), Mumbai (India) and Sydney (Australia), AppDynamics now has more SaaS support than any other vendor in the market. Recently acknowledged as a notable strength by Gartner, AppDynamics’ robust global SaaS footprint will ensure enterprise companies can focus on creating flawless digital experiences through the Cisco AppDynamics Business Observability platform, while achieving greater control around:

  • Data Residency, Privacy and Security – Enables local enterprise businesses to comply with anticipated data residency regulations, comprehensive compliance and security certifications such as SOC 2 Type II, EU-US Data Transfer and GDPR-Ready.
  • Scale – AppDynamics is delivered with the scalability of AWS, providing high-speed access to data with lower total costs, fewer on-premises resources, and added support and maintenance.
  • Faster Access to Innovation – customers can leverage the latest innovation from AppDynamics including cloud native services, APM, and application security through automated and seamless upgrades.

The addition of the five new locations comes on the heels of AppDynamics’ SaaS offering in India, announced in October 2020, and builds on the company’s global SaaS footprint across Africa, Asia, Europe and South America. With each location strategically selected based on regional user demand, AppDynamics is seeing evidence that this strategy is quickly meeting the needs of enterprises around the world. For example, its Frankfurt SaaS location doubled its number of users in only 18 months.

AppDynamics’ new SaaS locations will be available as follows:

  • Singapore (April 2021)
  • London (April 2021)
  • Hong Kong (July 2021)
  • São Paulo (July 2021)
  • Cape Town (July 2021)

Learn more about AppDynamics SaaS and the company’s security and privacy assurance here.

Guest Post: Americans lost $1.19 billion to imposter scams in 2020 Says Atlas VPN

Posted in Commentary with tags on April 21, 2021 by itnerd

Atlas VPN findings reveal that Americans lost $1.19 billion to imposter fraud in 2020, which is $613.8 million more than the year before, representing a 106.56% increase.

Here, a criminal pretends to be a trusted person to get consumers to send money or provide sensitive personal information. Most commonly, scammers impersonate a family member, a government agency, a computer technician, a well-known company representative, or even a romantic interest.

The data is provided by the Federal Trade Commission (FTC). US citizens can submit fraud reports to the FTC for further investigation. The FTC shares this data to inform the nation about the state of the cybercrime landscape in the US.

Last year, Americans submitted 498,278 imposter scam complaints, of which 22% reported a financial loss. The median loss was $850. Phone calls were the scammers’ most common method of contact. On average, US citizens lost $297.45 million per quarter to imposter scams in 2020.

In 2019, consumers lost $576 million to impersonators from 645,874 individual complaints. Significantly fewer people reported losing money to such scams, with 13% of complaints indicating monetary damages. On average, victims lost $144 million per quarter, with median losses standing at $650. Once again, fraudsters mostly used phone calls to contact the victims.

Looking back at 2018, US consumers submitted 549,922 imposter scam complaints. Over 18% of victims indicated a financial loss, which amounted to $491.6 million in damages. Fraudsters swindled around $122.9 million per quarter, with median losses at $500.

Finally, throughout the last five years, US residents suffered a staggering $2.34 billion in damages from imposter scams.

To read the full article, head over to: https://atlasvpn.com/blog/americans-lost-1-19-billion-to-imposter-scams-in-2020

Apple Supplier Pwned By Ransomware…. Unreleased MacBook Schematics Are Now Being Held For Ransom

Posted in Commentary with tags on April 21, 2021 by itnerd

Apple dropped a bunch of new hardware yesterday in a product launch event that was streamed to the world. The long-awaited AirTags, a new iMac, and a new iPad Pro were all announced. But the story that you should actually care about is that, according to Bloomberg, Apple supplier Quanta was hit by a ransomware attack perpetrated by the ransomware group called REvil. What’s more, they claim to have in their possession 15 images and/or schematics of unreleased MacBooks. And all of this came to light while the event was going on:

By the time Apple’s product launch was over, REvil had posted schematics for a new laptop, including 15 images detailing the guts of what appears to be a MacBook designed as recently as March 2021, according to the documents reviewed by Bloomberg.

REvil is now attempting to shake down Apple in its effort to profit off the stolen data. They’ve asked Apple to pay their ransom by May 1, as was first reported by Bleeping Computer. Until then, the hackers will continue to post new files every day, REvil said on its blog.

An Apple spokesperson declined to comment on questions about the compromise.

Now, Quanta makes computers for a number of brands such as HP, Lenovo and Dell, among others. And Bleeping Computer has reported that REvil might be trying to shake down other companies as well. But this is going to cause a lot of alarm over at 1 Apple Park, as Apple is the type of company that really tries to lock things down so that it can fully control the message and limit product leaks. Clearly that didn’t work in this case, and now they have a major problem on their hands. One has to wonder if they will cut a cheque or take some other form of action, like not paying and letting whatever happens next happen.

I’ll be keeping a close eye on this one.

UPDATE: Justin Fier, Director of Cyber Intelligence & Analytics for Darktrace had this to say:

Following today’s news of the attack on Quanta, we can be in little doubt that complex digital supply chains are a hacker’s paradise. Today, a company’s critical data is fluid, often being handled outside the organization itself. This complexity offers those with criminal intent many points of vulnerability that may be exploited.

Across our global customer base, AI is stopping more and more attacks that target intellectual property or commercially-sensitive information for the purposes of extortion or corporate espionage. In this case, attackers accessed Apple’s design blueprints via a trusted third party – and the full extent of the data taken is not yet known.

Suppliers need to be held to higher standards, and recent calls from the Biden administration and DHS for more stringent requirements for cyber security transparency and vetting are welcome. Organizations also need to embrace technology that can respond at computer speed in the face of fast-moving attacks like ransomware. Those that are being successful against fast-moving threats are protecting their systems with artificial intelligence, capable of detecting the subtle, unusual activity that precedes a full-blown attack, and crucially, which responds at computer speed – before data is held to ransom.

Rogers Will Credit Customers For Yesterday’s Epic Outage…. For What It’s Worth

Posted in Commentary with tags on April 20, 2021 by itnerd

Rogers, who is likely still smarting from the epic outage that pretty much inconvenienced their users who are likely working from home in the middle of a global pandemic, decided to throw their users a bit of a bone. Rogers has again apologized and is now saying they will be giving customers wireless bill credits for the outage.

I suppose that this is a good thing. But for the average user, that may only be about $5 at most. Rogers won’t even notice this credit in their quarterly financials. They’re really doing this for optics reasons. After all, they’re trying to buy Shaw and the blowback from that has been epic. Thus they really need to make this #Fail go away as quickly as possible. All I have to say is good luck with that, as I am pretty certain that Rogers customers aren’t going to forget this any time soon and may make a change in terms of who their telco of choice is.