Archive for 2020

Apple Just Shot Itself In The Foot By Cutting Epic Games Off From Apple’s Developer Tools

Posted in Commentary on August 18, 2020 by itnerd

This battle between Epic Games and Apple has been interesting to watch. However, yesterday’s move by Apple to cut Epic off from using Apple’s developer tools is a major mistake by Apple. One that will bite Apple in the rear end.

Here’s why.

By targeting Epic Games’ access to Apple’s developer tools, Apple is by extension targeting the maintenance of the Epic Unreal Engine, which is used by many third party game makers to create the visuals behind a lot of really popular games. All these third party developers have nothing to do with this fight. Yet they’ve now been sucked into it. Because if Epic Games cannot make updates to the Unreal Engine, third party game makers can’t create or update their games. And that will create the perception that Apple has way too much power. All this latest move by Apple does is take the argument that Apple has way too much power, wrap it up in pretty wrapping paper, put a bow on it, and present it to Congress so they can slap Apple with an anti-trust investigation.

I’m not sure if this is what Apple intended. But the die has been cast. And Apple is going to need to think long and hard about whether this is really such a good idea, and if they want to change course in dealing with Epic Games so that all these third party game makers aren’t collateral damage.

Over to you Apple.

Keyfactor Ranks Fastest Growing Digital Key & Certificate Automation Provider On Inc. 5000

Posted in Commentary on August 18, 2020 by itnerd

Keyfactor, the leader in crypto-agility solutions, ranked as the fastest growing digital key and certificate automation provider on the 2020 Inc. Magazine Inc. 5000, an annual ranking of America’s fastest growing private companies. The list represents a unique look at the most successful companies within America’s privately held business sector.

Noting Keyfactor’s momentum, in the past year the company:

  • Welcomed its 500th customer to the Keyfactor platform, a five-fold increase since 2018
  • Secured more than 500 million digital certificates under management
  • Announced partnerships and integrations with innovators such as HashiCorp, ServiceNow, F5, CyberArk, PrimeKey and Thales
  • Earned recognition as a Sample Vendor for Machine Identity Management in Gartner’s Hype Cycle for Identity and Access Management Technologies, 2020 (Authored by Ant Allan, Published 16 July 2020)

The 2020 Inc. 5000 is ranked according to percentage revenue growth when comparing 2016 and 2019. Not only have the companies on the 2020 Inc. 5000 been very competitive within their markets, but the list as a whole shows staggering growth compared with prior lists as well.

Complete results of the 2020 Inc. 5000 can be found at www.inc.com/inc5000.

Oracle Said To Be After TikTok

Posted in Commentary on August 18, 2020 by itnerd

There’s a new player who has joined Microsoft in an attempt to buy TikTok. That player is Oracle according to Business Insider:

Enterprise software giant Oracle has entered the race to acquire some of TikTok’s operations from its Chinese parent company ByteDance, the Financial Times reported Monday.

Oracle has been involved in preliminary discussions with several current US-based TikTok investors, including General Atlantic and Sequoia Capital, to purchase the app’s US, Canada, Australia, and New Zealand operations, according to the report.

Oracle and TikTok both declined to comment and ByteDance could not immediately be reached.

What’s interesting about the Oracle bid is that Larry Ellison who founded Oracle is known to be a Trump supporter and current CEO Safra Catz was on Trump’s transition team. That in my mind may make the Oracle bid the preferred bid for the Trump administration. But we’ll have to see if Microsoft has anything to say about that.

Apple Threatens To Kill Epic Games’ Access To Developer Accounts… Epic Games Goes To Court To Stop That

Posted in Commentary on August 17, 2020 by itnerd

Well, this escalated quickly.

Epic Games via a tweet dropped this news:

The tweet links to a court filing [Warning: PDF] which asks a Northern California court to stop Apple from removing Epic’s App Store access. That would include app development tools, including the tools that Epic uses to work on the Unreal Engine that allows others to create games. That would seriously screw over Epic Games. Perhaps even cripple or kill them. Epic is asking the court to prevent Apple from taking “any adverse action” against it, including restricting, suspending, or terminating Epic’s access to the Apple Developer Program. Epic also asks that the court restrain Apple from removing, de-listing, refusing to list, or otherwise making the Fortnite app unavailable, or modifying the Fortnite code.

Apparently Apple sees a number of violations of the Apple Developer Program terms. And all Epic has to do to get its access back is follow Apple’s App Store guidelines. They have until August 28 to dance to Apple’s tune. Which I can’t see Epic doing.

Get your popcorn ready. Things are about to get really interesting.

Apple Has Apparently Expanded Its Third Party Repair Program To Macs

Posted in Commentary on August 17, 2020 by itnerd

Reuters is reporting that Apple is expanding its third party repair program to cover Macs as well as iPhones. I’ve been covering this topic for a while now. And while this is a good move on one hand, I continue to question Apple’s motives on this. For example, the terms and conditions that they place on repair shops are shady. And it would likely help if Apple makes products that are actually repairable to the degree that they should be. So I have to wonder if this is a PR stunt to blunt any attempt by Congress to force Apple to allow third parties to repair their products.

I for one am not impressed by this.

The Canada Revenue Agency Hack Affects 24 Different Government Agencies… Some Serious Questions Need To Be Asked About This Incident

Posted in Commentary on August 17, 2020 by itnerd

Yesterday I reported on a significant hack on the Canada Revenue Agency. Today, more details have been revealed by the Canadian Government. Apparently attackers used a technique called credential stuffing, along with bugs in the Canada Revenue Agency’s online services, to gain access to Canada Revenue Agency accounts. That in turn allowed the attackers to apply for and receive the Canada Emergency Response Benefit.

In total, at least 5,600 accounts out of 15 million CRA accounts were affected. The affected accounts have been taken offline, and those affected will get a letter from the Canada Revenue Agency telling them that they were pwned and how to fix it. Another 9,000 or so accounts were affected by an attack on the Government’s GCKey system. In total 24 different Government departments were affected by this.

I watched the news conference related to this, and while they were handing out important and valid information, and giving a cursory overview of what happened and how they are responding to it, there was a bit of “blame the victim” at play here by the Government. Yes, you should use unique passwords, update your OS, and use multi-factor authentication, as well as being aware of spear phishing attacks. But there were issues on the Government’s side that led to this hack, such as not having the means to defeat credential stuffing. So to heavily push the narrative that it is all the fault of Canadians is a bit of a #fail. Another problem is that the RCMP was called in on August 11th, but Canadians didn’t find out about this until the weekend. And the systems weren’t taken down until the weekend, after multiple attacks had occurred. That’s a #fail as well.

Serious questions need to be asked to the Government about this. Especially since the Canada Revenue Agency has been pwned before. Canadians need to hold the Canadian Government accountable for this and for making sure these online systems are actually secure.

UPDATE: David Masson, Director of Enterprise Security at Darktrace had this to say on this hack:

Threat actors will always look to exploit a crisis. During the ongoing pandemic, we have seen attackers capitalize on the fear, uncertainty and doubt surrounding COVID-19, particularly by increasing spear phishing attacks. Since the public is desperate for information, successful attacks are able to take advantage of their desperation by getting victims to click on links, view attachments, visit fake websites and even give up personal information.

Many pre-pandemic spear phishing attacks were successful, and continue to be successful, since this method leads to a treasure trove of personal information. Threat actors may use this information in a variety of ways – some may sell passwords on the dark web, while others may use this information for “credential stuffing” attacks. During these attacks, bad actors simply try to use known passwords to get into a system, and since many people continue to use the same password for several applications and websites, threat actors can end up being lucky. In the case of these attacks against the CRA – the bad guys have been lucky over five thousand times!

Any individual can avoid such an attack by using different passwords for every login. It is simple – if you use a strong, unique password for every application, you will massively reduce the risk of compromised credentials.

For businesses and organizations, prevention is a bit trickier. Only security solutions that leverage artificial intelligence can really prevent these sorts of threats before damage is done, since AI is able to provide full visibility of an entire digital infrastructure.

AppDynamics Announces SAP Peak

Posted in Commentary on August 17, 2020 by itnerd

AppDynamics, a part of Cisco and the world’s #1 APM solution, today announced SAP Peak. This is the latest innovation in application and business performance monitoring, which allows IT technologists to manage complex ERP and business intelligence environments in real-time.

The ability to monitor these environments is crucial, but limitations with SAP have meant that technologists have struggled to identify performance issues across their SAP landscapes and the applications they connect. The resulting outages, issues with core transactions and lengthy mean-time-to-resolution (MTTR) all negatively impact the customer and employee digital experience and ultimately cause a loss in productivity and revenue.

With AppDynamics SAP Peak, technologists can now utilize the world’s leading application and business performance monitoring tools to monitor the SAP landscape in real-time, including logs, metadata, background jobs, S/4HANA database and the application server. This enables technologists to gather the business critical insights they need to ensure the smooth running of their operations. With full stack observability across SAP and non-SAP components before, during and after migration, organizations can also mitigate risk and confidently move to S/4HANA or the cloud.

SAP Peak builds on AppDynamics’ existing SAP monitoring solution by providing new and advanced functionality, including:

  • Business iQ for Business Scenario Transaction Analytics: Bringing visibility and understanding to how bottlenecks are impacting critical business processes by allowing users to monitor key SAP business scenarios, starting with Order to Cash, and then correlating that information back to business performance.
  • ABAP Code-Level Visibility: Provides base-level APM functionality for SAP monitoring that includes transaction/code level visibility, dynamic baselining, easier Root Cause Analysis of issues, reduced MTTR and application flow maps of the SAP ABAP stack.
  • Deep SAP Performance Insights: Supplies dashboards that display performance metrics, logs and events for the overall SAP landscape, including processes outside of the user business transactions. These views can help to reduce cost of managing data, save time in performance and regression testing, and help provide visibility into the availability of business related transactions.
  • Server and Network Visibility: Facilitates full-stack visibility across SAP landscapes to identify and isolate infrastructure performance issues, further reducing MTTR and breaking down operational silos.

AppDynamics SAP Peak is generally available today. Read more about SAP Peak on the AppDynamics blog to get started.

Cabinet Decision Means Higher Prices, Less Competition For Internet Services: TekSavvy

Posted in Commentary on August 17, 2020 by itnerd

TekSavvy Solutions Inc. today voiced its dismay and disappointment in a recent decision by the federal Cabinet concerning the wholesale rates charged by large carriers (such as Bell Canada and Rogers) to smaller ISPs, such as TekSavvy.

In a statement, the federal Cabinet effectively directed the CRTC to increase wholesale rates above the rates independently set by the CRTC in 2019, after a lengthy proceeding. The CRTC’s 2019 rate decision confirmed that the large carriers overstated their costs of providing wholesale access to their networks, corrected their rates based on evidence of their costs and ordered the large carriers to repay amounts they overcharged ISPs over the 3-year process. The CRTC previously condemned the large carriers’ rate-fixing conduct as “very disturbing” because it would drive smaller ISPs out of business and deny Canadians choice for internet services.

However, the large carriers petitioned Cabinet to overturn the CRTC’s decision and impose higher rates. Over 150,000 Canadians voiced their support for the CRTC’s decision and urged Cabinet to support lower Internet and cell phone bills. In addition, TekSavvy filed a formal Complaint with the Competition Bureau, detailing how large carriers deviated from CRTC costing rules to grossly inflate wholesale rates for competitors, while at the same time offering retail prices below the wholesale costs they had inflated. TekSavvy submitted that Cabinet should order an investigation into this anti-competitive conduct because it inflates retail prices for Internet services, costing millions of Canadian consumers hundreds of millions of dollars.

Ultimately, in announcing Cabinet’s verdict on the petitions, Cabinet caved to pressure from the large carriers, who threatened to hold back investments in rural Canada unless they were protected from competition. The decision is a reversal from Cabinet’s previous direction that the CRTC place affordability, competition and consumer interests at the forefront of its regulatory proceedings.

Having gone five years without cost certainty, paying inflated interim rates and facing brazen anticompetitive conduct in a climate of extreme regulatory uncertainty, TekSavvy is left with no choice but to interpret this announcement as an expectation from the government that retail prices should be raised.

Check Point Security Report Says That Amazon Alexa Devices Were Subject To Extensive Levels Of Pwnage

Posted in Commentary on August 17, 2020 by itnerd

A report from Check Point Security researchers paints a pretty scary picture of how secure smart home devices are. Specifically Amazon Alexa products:

Our findings show that certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting. Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf.

These vulnerabilities would have allowed an attacker to:

  • Silently install skills (apps) on a user’s Alexa account
  • Get a list of all installed skills on the user’s Alexa account
  • Silently remove an installed skill
  • Get the victim’s voice history with their Alexa
  • Get the victim’s personal information

In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill.

Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker.

Now all of those issues have been fixed. But it really makes one think twice about having these devices in their homes, as it seems really wrong that a third party company is doing the sort of due diligence that the makers of this gear should be doing. The thing is that companies who create these devices have to make security the top priority if they want consumers to buy their gear. Thus the best way for you to get the most secure smart home gear is to demand and expect better from these companies.
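The Check Point quote above names a CORS misconfiguration as the first link in the chain. To show what that misconfiguration looks like on the server side, here is an added example (my own code, not from Check Point, Amazon or this blog) that compares three ways a backend might decide which `Origin` gets credentialed cross-origin access: reflecting any origin, a hostname suffix check, and an exact allowlist. The service names and the `TRUSTED_ORIGINS` list are constructed for the example and are not Amazon’s real configuration; the `audit` helper is likewise hypothetical and just reports which probe origins a given policy would grant credentialed access to. The example goes slightly beyond the quote by including the suffix-match pitfall, a common "half fix" that still counts as misconfiguration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical service (not Amazon's real origins).
TRUSTED_ORIGINS = {"https://app.example.com", "https://alexa.example.com"}


def _hostname(origin):
    """Hostname part of an Origin header value, or '' if it cannot be parsed."""
    try:
        return urlsplit(origin).hostname or ""
    except ValueError:
        return ""


def cors_headers_reflect(origin):
    """Weak policy: echo whatever Origin the browser sent and allow credentials.
    Any site can then make cookie-authenticated requests to the API and read the
    responses, which is the kind of misconfiguration the report describes."""
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_suffix(origin):
    """Still weak: a suffix check on the hostname. 'notexample.com' ends with
    'example.com', and the check also ignores the scheme, so plain http origins
    are accepted too."""
    if not origin or not _hostname(origin).endswith("example.com"):
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_allowlist(origin):
    """Hardened policy: exact match of scheme, host and port against a fixed
    allowlist. Unknown origins get no CORS headers at all, and 'Vary: Origin'
    stops a shared cache from replaying one origin's answer to another."""
    if origin not in TRUSTED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def audit(policy, probe_origins):
    """Hypothetical review helper: which of the probe origins would this policy
    grant credentialed (cookie-bearing) cross-origin access to?"""
    return [o for o in probe_origins
            if policy(o).get("Access-Control-Allow-Credentials") == "true"]


# Constructed probe values: one trusted origin, one look-alike, one wrong scheme,
# one unrelated site.
PROBES = ["https://app.example.com", "https://notexample.com",
          "http://app.example.com", "https://attacker.test"]

if __name__ == "__main__":
    for name, policy in [("reflect", cors_headers_reflect),
                         ("suffix", cors_headers_suffix),
                         ("allowlist", cors_headers_allowlist)]:
        print(f"{name:9s} grants credentialed access to: {audit(policy, PROBES)}")
```

Run as a script it prints, for each policy, the probe origins that would get credentialed access; only the allowlist version limits that to the trusted origin. The same exact-match rule applies whether the decision is made in application code, a framework's CORS middleware or a CDN configuration.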

Canada Revenue Agency Pwned By Hackers….. Again

Posted in Commentary on August 16, 2020 by itnerd

Yesterday it was revealed that the Canada Revenue Agency has been hacked, though there had been indications for some time that this was the case. The CBC has the details:

Earlier this month, Canadians began reporting online that email addresses associated with their CRA accounts had been changed, that their direct deposit information was altered and that CERB payments had been issued in their name even though they had not applied for the COVID-19 benefit.

Most reported that they were first alerted to the suspicious activity after receiving legitimate emails from the CRA confirming that their email addresses had been discontinued.

CERB for those outside of Canada is the Canada Emergency Response Benefit which is an income support for those who lost their jobs because of the COVID-19 Pandemic. You use your CRA account to apply for this, which is why they are a target for hackers. Here’s how they got in:

The incidents are a type of attack known as “credential stuffing,” the Treasury Board’s Office of the Chief Information Officer shared in a statement.

“These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts.”

Aside from CRA accounts, thousands of others linked to GCKey — a secure portal that allows Canadians to access government services online — were also affected.

“Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity,” the statement read.

Compromised accounts connected to that platform, which is used by about 30 federal departments, were shut down when the threat was first discovered.

The thing is that this isn’t the first time that the Canada Revenue Agency has been hacked. Though the person behind that hack was ultimately tracked down and arrested. While credential stuffing isn’t entirely the fault of the Canada Revenue Agency, you would think that the Canada Revenue Agency should have done more to stop this attack from being successful. Hopefully they decide to harden their environment so that Canadians are safe.
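Both of the CRA posts above (August 16 and August 17) come down to credential stuffing: one source replaying leaked username/password pairs against many accounts, and "getting lucky" on a fraction of them. The point made in the August 17 post, that the service lacked the means to defeat it, is a detection problem as much as a password-hygiene one. The following is an added example of my own (not code from the CRA, GCKey or this blog) that runs a simple stuffing detector over a handful of constructed login log lines. The log format, IP addresses, usernames and thresholds are all assumptions for the example; real authentication logs will need their own parser.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample authentication log (hypothetical format, not CRA/GCKey logs).
# One source address tries six different usernames in a few seconds and fails
# five times; a second address is a real user mistyping their own password once.
SAMPLE_LOG = """\
2020-08-10T14:02:11Z ip=203.0.113.5 user=alice result=FAIL
2020-08-10T14:02:12Z ip=203.0.113.5 user=bob result=FAIL
2020-08-10T14:02:12Z ip=203.0.113.5 user=carol result=FAIL
2020-08-10T14:02:13Z ip=203.0.113.5 user=dave result=SUCCESS
2020-08-10T14:02:13Z ip=203.0.113.5 user=erin result=FAIL
2020-08-10T14:02:14Z ip=203.0.113.5 user=frank result=FAIL
2020-08-10T14:05:40Z ip=198.51.100.7 user=alice result=FAIL
2020-08-10T14:05:52Z ip=198.51.100.7 user=alice result=SUCCESS
2020-08-10T14:06:01Z ip=192.0.2.9 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


@dataclass
class Attempt:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(Attempt(m["ts"], m["ip"], m["user"], m["result"] == "SUCCESS"))
    return attempts


def find_stuffing_sources(attempts, min_distinct_users=5, min_fail_ratio=0.7):
    """Return {ip: stats} for sources that look like credential stuffing.

    The signature is one address trying many *different* usernames with a
    high failure rate. A legitimate user who forgets a password hammers one
    username, so a per-IP distinct-user count separates the two cases better
    than a plain failure count does. Thresholds are assumptions for the example.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    flagged = {}
    for ip, events in by_ip.items():
        users = {a.user for a in events}
        fails = sum(1 for a in events if not a.ok)
        ratio = fails / len(events)
        if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(users),
                           "attempts": len(events),
                           "fail_ratio": round(ratio, 2)}
    return flagged


def accounts_to_review(attempts, flagged_ips):
    """Accounts with a SUCCESSFUL login from a flagged source: the 'lucky'
    hits, which are the ones to lock and whose owners need notifying."""
    return sorted({a.user for a in attempts if a.ok and a.ip in flagged_ips})


def analyse(text):
    attempts = parse_log(text)
    flagged = find_stuffing_sources(attempts)
    return flagged, accounts_to_review(attempts, flagged)


if __name__ == "__main__":
    sources, accounts = analyse(SAMPLE_LOG)
    print("suspected stuffing sources:", sources)
    print("accounts to lock and notify:", accounts)
```

On the sample log the detector flags 203.0.113.5 (six usernames, five failures) and lists `dave` as the one account that should be taken offline and its owner contacted, which is the response the August 17 post describes for the affected CRA accounts. The same per-source statistics are what a rate limiter or a step-up authentication rule would key on before a login succeeds.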