Archive for August, 2021

Windows 11 Launching On October 5

Posted in Commentary on August 31, 2021 by itnerd

According to a blog post, Microsoft will be launching Windows 11 on October 5. It will not, however, be a free-for-all, as it will be launched in a phased approach. New devices that are eligible for the upgrade will be offered it first. Then, it will roll out over time to older devices based on intelligence models gathered by Microsoft. These intelligence models consider the hardware eligibility, reliability metrics, age of device, and other factors. Microsoft expects all eligible devices will be upgraded to Windows 11 by mid-2022. Though given the gong show that has surrounded what will and will not be eligible for an upgrade, I fully expect that to be messy.

Now if you want to buy a new PC with Windows 11 pre-installed, you’ll have a few choices:

  • Acer Swift 5
  • Acer Swift X
  • Asus Zenbook Flip 13
  • Asus Zenbook 14
  • Alienware x15
  • Dell XPS 13
  • HP Spectre x360
  • Samsung Galaxy Book Pro
  • Surface Pro 7
  • Surface Laptop 4

At this point, my thinking is that if you really want Windows 11, your best route may be to buy a new PC. I personally will be setting up Windows 11 in a virtual machine and keeping it off of my actual PCs in the short term.

EliteGamingLIVE Secures USD $1.5M In Funding To Grow Educational eSports Leagues For Youth

Posted in Commentary on August 31, 2021 by itnerd

EliteGamingLIVE (EGL), an online learning platform that combines interscholastic competition with education to improve student engagement with STEM subjects, announced today it has raised USD $1.5 million in a funding round led by corporate venture capital firm American Family Insurance Institute for Corporate and Social Impact, with participation from the TELUS Pollinator Fund for Good and Rarebreed Ventures.  

The funding aims to support the hiring of key personnel who will expand the platform’s capabilities and offerings. The company will also power an aggressive marketing strategy as EGL targets North American expansion and reach into new markets.

Beyond inspiring a heightened interest in STEM careers, EGL is focused on enabling equal access to education and training to K-12 students. Studies show that nearly 90 percent of children play video games, with the majority accessing games through various consoles. By focusing exclusively on less cost-prohibitive consoles, EGL is making its platform more accessible for schools, many of which are in low-income areas and reliant on federal funding.

EGL’s engaging platform, designed to spark and cultivate interest in STEM careers, has succeeded in capturing the attention of educators and investors looking to connect with purpose-driven companies committed to driving social and economic change. The TELUS Pollinator Fund for Good is focused on just that – investing in companies driving innovative solutions across health, agriculture, the environment, and enabling inclusive communities. 

To develop its Digital Citizenship and Sportsmanship module focused on online reputation and cyberbullying, the EliteGamingLIVE team collaborated with TELUS Wise. TELUS Wise focuses on offering industry-leading digital literacy education programs through a variety of workshops and resources to empower Canadians of all ages to stay safe online.

EliteGamingLIVE’s 2021-2022 school year kicks off September 13, 2021.

Microsoft Azure Screw Up Leaves Databases Belonging To Fortune 500 Companies Unsecure….. Oops….

Posted in Commentary on August 30, 2021 by itnerd

According to The Verge, Microsoft had a flaw in their Cosmos DB product that was kind of epic:

A flaw in Microsoft’s Azure Cosmos DB database product left more than 3,300 Azure customers open to complete unrestricted access by attackers. The vulnerability was introduced in 2019 when Microsoft added a data visualization feature called Jupyter Notebook to Cosmos DB. The feature was turned on by default for all Cosmos DBs in February 2021.

And who are those customers? Well:

listing of Azure Cosmos DB clients includes companies like Coca-Cola, Liberty Mutual Insurance, ExxonMobil, and Walgreens, to name just a few.

That’s not exactly an insignificant company list.

The company that discovered the flaw got paid $40,000 by Microsoft for finding it. And here’s what the company who found the flaw said:

“This is the worst cloud vulnerability you can imagine,” said Ami Luttwak, Chief Technology Officer of Wiz, the security company that discovered the issue. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”

I wonder how Microsoft is going to explain this screw up. Well, here’s how they tried to do so:

“There is no evidence of this technique being exploited by malicious actors,” Microsoft told Bloomberg in an emailed statement. “We are not aware of any customer data being accessed because of this vulnerability.”

And:

In an update posted to the Microsoft Security Response Center, the company said its forensic investigation included looking through logs to find any current activity or similar events in the past. “Our investigation shows no unauthorized access other than the researcher activity,” said Microsoft.

Remember kids. The cloud is just someone else’s computer. And if you choose to use the cloud for sensitive or business critical activities, you need to trust that the cloud provider’s security is on point. And looking at this example, even Microsoft can screw this up. Thus you have to wonder if going to the cloud is really worth it.

Cradlepoint Delivers Industry’s First 5G Enterprise Router

Posted in Commentary on August 30, 2021 by itnerd

Cradlepoint, the global leader in cloud-delivered LTE and 5G wireless network edge solutions, is continuing its mission to enable businesses to connect beyond the limits of wired networks through the expansion of its second-generation 5G product portfolio. The Cradlepoint E3000 Series 5G Enterprise Router, orderable now and ships within 30 days, is the industry’s first enterprise-class router that provides businesses with fast, agile, secure, and resilient 5G connectivity for primary, failover, or SD-WAN use cases without traditional performance compromises.

Business models are shifting to streamline operations, enhance competitiveness, and respond to evolving customer demands post pandemic and this has placed increased value on network speed and agility, as well as heightened security. With this shift, and proliferation of 5G services, enterprises are now migrating towards a more Wireless WAN. A recent report from IDC forecasts the market for enterprise wireless routers to reach US$2.98 billion by 2024.

Wired WAN connections no longer meet the needs of today’s agile, resilient, and cloud-centric business environments. While LTE has been enabling businesses to leverage wireless and “cut-the-cord” solutions for a while, the speed, intelligence, and resiliency of next-generation 5G services is becoming a catalyst to Wireless WAN adoption. Not only does it make today’s applications better, but it will also enable a new generation of immersive customer experiences at the network edge, as well as more cost-effective SD-WAN 5G architectures, anywhere connectivity, and high-speed wireless failover for larger sites.

While other vendors are trying to get their first 5G products to market, Cradlepoint is already shipping its second-generation of purpose-built 5G for Business solutions, giving customers the most pathways to all flavors of 5G. For more information, visit: www.cradlepoint.com/products/5g-for-business/

E3000 Series 5G Enterprise Router Summary:

The Cradlepoint E3000 Series 5G Enterprise Router supports the following features and capabilities:

  • Cradlepoint NetCloud for Enterprise Branch with enterprise-class routing (BGP, EIGRP, etc.), IPSEC and DMVPN support, wireless-optimized SD-WAN, as well as industry-leading Cellular Intelligence.
  • Wire-speed Unified Edge Security with app-level control, IPS/IDS, IP reputation, web content filtering, and micro-segmenting firewall.
  • Choice of 5G, high-speed fiber and 2.5 Gbps Ethernet WAN ports
  • The most LTE and 5G connectivity options, including an embedded 5G modem for Low/Mid-Band, plus a field-upgradable modem slot for a second Gigabit LTE or 5G connection (early 2022)
  • Exclusive Captive Modem simplifies and reduces the cost of connecting to an external W1850 or outside mounted W2005 (Mid-Band) or W4005 (High-Band, mmWave) 5G Wideband Adapter
  • Nine downstream switched Ethernet ports (4 with PoE) plus Wi-Fi 6 and optional Bluetooth 5.1
  • Private Cellular Networking support for CBRS in both 5G and LTE modes

Orderable today and starts shipping in 30 days.

Microsoft Warns Users About A Credential-Phishing Campaign… And At The Same Time Positions Itself As The Savior From These Attacks

Posted in Commentary on August 29, 2021 by itnerd

Microsoft has warned that it has been tracking a widespread credential-phishing campaign that relies on open redirector links, while simultaneously suggesting it can defend against such attacks.

Here’s the warning:

Microsoft has been actively tracking a widespread credential phishing campaign using open redirector links. Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking. Doing so leads to a series of redirections—including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems—before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.

The use of open redirects in email communications is common among organizations for various reasons. For example, sales and marketing campaigns use this feature to lead customers to a desired landing web page and track click rates and other metrics. However, attackers could abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent.

For instance, users trained to hover on links and inspect for malicious artifacts in emails may still see a domain they trust and thus click it. Likewise, traditional email gateway solutions may inadvertently allow emails from this campaign to pass through because their settings have been trained to recognize the primary URL without necessarily checking the malicious parameters hiding in plain sight.

Well, this is a very dangerous attack. But fortunately, Microsoft can protect you from this:

Microsoft Defender for Office 365 detects these emails and prevents them from being delivered to user inboxes using multiple layers of dynamic protection technologies, including a built-in sandbox that examines and detonates all the open redirector links in the messages, even in cases where the landing page requires CAPTCHA verification. This ensures that even the embedded malicious URLs are detected and blocked. Microsoft Defender for Office 365 is backed by Microsoft experts who enrich the threat intelligence that feeds into our solutions through expert monitoring of email campaigns.

And if you read the rest of this document, it is literally an ad for both Office 365 and Microsoft Defender for Office 365. I literally cannot find any other mitigation strategies that do not involve one of these two products. Am I the only person who thinks that this is a big “sus” to use an Among Us reference? While it is true that 91 per cent of all cyberattacks originate with email, Microsoft positioning itself as your savior makes this message seem to be little more than an ad. Which makes this a #Fail for Microsoft.
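The gap described in the quoted warning above (a trusted primary domain with the final URL carried as a parameter) can be checked for statically, without any particular product. The following Python sketch is an added example, not Microsoft's detection logic or code from the original post; the function names, the constructed sample links on reserved example domains, and the crude two-label "same site" comparison are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap double/triple encoding


def _split(url):
    """urlsplit that returns None instead of raising on malformed input."""
    try:
        return urlsplit(url)
    except ValueError:
        return None


def _site(host):
    """Crude 'same site' key: the last two DNS labels.
    Assumption for this sketch; production code should use the Public
    Suffix List so that names under e.g. co.uk are compared correctly."""
    return ".".join(host.lower().split(".")[-2:])


def _decode_layers(value):
    """Yield the value and each further percent-decoding of it, so a
    target hidden behind repeated encoding is still seen."""
    current = value
    yield current
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return
        current = decoded
        yield current


def embedded_targets(link):
    """Return [(parameter, embedded_host)] for every query parameter (or
    fragment) of `link` that carries an absolute URL on a different site
    than the link's own host."""
    outer = _split(link)
    if outer is None or not outer.hostname:
        return []
    fields = parse_qsl(outer.query, keep_blank_values=True)  # decodes once
    if outer.fragment:
        fields.append(("#fragment", outer.fragment))
    findings = []
    for name, value in fields:
        for layer in _decode_layers(value):
            candidate = layer.strip()
            if candidate.startswith("//"):  # protocol-relative target
                candidate = "https:" + candidate
            if not candidate.lower().startswith(("http://", "https://")):
                continue
            inner = _split(candidate)
            if inner and inner.hostname and _site(inner.hostname) != _site(outer.hostname):
                findings.append((name, inner.hostname.lower()))
                break  # one finding per parameter is enough
    return findings


def triage(links):
    """Keep only the links whose visible domain differs from an embedded one."""
    flagged = []
    for link in links:
        hits = embedded_targets(link)
        if hits:
            flagged.append((link, hits))
    return flagged


# Constructed sample links, as they might be extracted from a message body.
SAMPLE_LINKS = [
    "https://t.example.com/r?u=https%3A%2F%2Flogin.example.net%2Fsignin&id=42",
    "https://t.example.com/r?u=https%253A%252F%252Flogin.example.net%252Fsignin",
    "https://t.example.com/r?to=%2F%2Flogin.example.net%2F",
    "https://t.example.com/r?next=https%3A%2F%2Fwww.example.com%2Fpricing",
    "https://www.example.com/article?id=7&ref=newsletter",
]

if __name__ == "__main__":
    for link, hits in triage(SAMPLE_LINKS):
        print(link, "->", hits)
```

This inspects only the link text; it does not follow the redirect chain, so it complements rather than replaces detonation of the link in a sandbox.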

Microsoft Updates CPU Requirements For Windows 11…. But You Still May Not Be Able To Run It

Posted in Commentary on August 28, 2021 by itnerd

When Windows 11 was announced, the system requirements were so hefty that most PCs out there couldn’t run it. Including some of Microsoft’s own Surface hardware. I guess the heat got to Microsoft despite trying to clarify things. Because on Friday they announced a change to Windows 11 minimum operating requirements, though the loosened restrictions are unlikely to mean that your PC will be able to run it.

So what’s the change?

Windows 11 requires a 1GHz or faster 64-bit CPU, 4GB of RAM, and 64GB of storage. Machines must also support UEFI secure boot, version 2.0 of the Trusted Platform Module (TPM) and include a graphics card compatible with DirectX 12. But they added the Intel Core X and Xeon W CPUs, as well as the Surface Studio 2’s Core i7-7820HQ, to the list of Windows 11-compatible processors. The addition is a nod to users who, despite owning fairly modern hardware (Core X and Xeon W are 7th-generation Intel designs), were seemingly left out in the cold when the operating system was announced.

But there’s a catch. Here’s what Microsoft said to The Verge:

Microsoft is announcing today that it won’t block people from installing Windows 11 on most older PCs. While the software maker has recommended hardware requirements for Windows 11 — which it’s largely sticking to — a restriction to install the OS will only be enforced when you try to upgrade from Windows 10 to Windows 11 through Windows Update. This means anyone with a PC with an older CPU that doesn’t officially pass the upgrade test can still go ahead and download an ISO file of Windows 11 and install the OS manually.

That sounds good, right? Well, here’s the next thing that Microsoft said:

Microsoft now tells us that this install workaround is designed primarily for businesses to evaluate Windows 11, and that people can upgrade at their own risk as the company can’t guarantee driver compatibility and overall system reliability. Microsoft won’t be recommending or advertising this method of installing Windows 11 to consumers. In fact, after we published this post, Microsoft reached out to tell us about one potentially gigantic catch it didn’t mention during our briefing: systems that are upgraded this way may not be entitled to get Windows Updates, even security ones.

I’m sorry. That’s complete BS. And it reinforces what I said when this gong show started:

Microsoft may want to rethink this because this is the sort of thing that will drive people to go to the Apple store and have a look at those new M1 based Macs as they absolutely destroy anything that Intel makes, and Apple has a strong history of supporting computers that are as old as six or seven years in age. Which means the chances of getting screwed by Apple at some point are way less than they are with Microsoft. That’s good for Apple, and bad for Microsoft.

While they have started to rethink this, they haven’t gone far enough. And it will come back to bite them when Windows 11 ships. If not before.

Quebec Vaccine Passport QR Codes Pwned

Posted in Commentary on August 27, 2021 by itnerd

Vaccine passports are going to be one of a number of tools that will allow us to move back to some degree of normalcy. And the Province of Quebec was the first to implement a QR code based vaccine passport. And even before it’s been launched, it’s been pwned by hackers. Ironically, politicians are the ones that have been pwned:

The Health Department said in a statement it was aware of reports that people had managed to steal the QR codes of members of the Quebec legislature and said police complaints had been filed.

The statement came after Le Journal de Montreal and Radio-Canada reported that hackers had been able to obtain the codes of prominent politicians – including Premier Francois Legault and Health Minister Christian Dube.

The quick response codes are scannable codes containing a person’s name, date of birth and information about the vaccinations they have received. They are the central feature of the government’s vaccine passport system, which will be required as of Sept. 1 to visit businesses the provincial government deems non-essential, such as bars, clubs and restaurants.

Ouch. That’s going to affect the usage of this vaccine passport system. David Masson, Director of Enterprise Security of Darktrace, had this to say:

In the case of the Quebec vaccine QR breach, while the hackers didn’t hack the vaccine QR codes themselves, they were able to download the codes of QC residents via an entry point on the Quebec Government website portal. This hack is a reminder that data repositories used in apps and websites, like the Quebec Vaccine Passport, must be protected. 

While we don’t know exactly how the attackers were able to compromise the government portal, their ability to gain access means that a vulnerability existed in the system that developers missed before the launch. While the Quebec Government will certainly patch this vulnerability, incidents like this further reduce confidence in apps. A lack of trust in security may become a barrier to uptake in use. The Quebec Government needs to be transparent about this hack and its steps for remediation to build back trust with citizens.

Cyber attackers are constantly innovating, and defenders must rely on advanced cybersecurity technologies to stay ahead of these malicious actors. Complex systems require complex security. With attacks moving faster than humans can think, much less respond, tools like self-learning AI are a force multiplier in detecting and responding to cyber threats. That is why more organizations and public institutions in Quebec and across Canada are turning to self-learning AI to augment their human security teams and stop attacks in real-time – before the damage is done.

Hopefully, Quebec does whatever is required to make this vaccine passport secure before it launches in September.

T-Mobile CEO “Sorry” For Massive Data Breach….. Sure….

Posted in Commentary on August 27, 2021 by itnerd

I guess the heat is getting to T-Mobile when it comes to the fact that they were either victims of massive pwnage, or just badly pwned, and it may still get worse for them. Especially since the hacker that pwned them says that their security was “awful.” I say that because the CEO of T-Mobile Mike Sievert has issued a public apology for T-Mobile’s failure to prevent the pwnage via an open letter posted to the T-Mobile website.

To say we are disappointed and frustrated that this happened is an understatement. Keeping our customers’ data safe is a responsibility we take incredibly seriously and preventing this type of event from happening has always been a top priority of ours. Unfortunately, this time we were not successful.

Attacks like this are on the rise and bad actors work day-in and day-out to find new avenues to attack our systems and exploit them. We spend lots of time and effort to try to stay a step ahead of them, but we didn’t live up to the expectations we have for ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry.

I’m sorry, but this doesn’t cut it.

If you’re the CEO of a major company with tons of customer information, and you’ve been pwned on this scale, you should be drafting a letter of resignation immediately. Doubly so given that T-Mobile has been pwned so often. Let me give you a list:

  • The theft of the details of 2 million customers in August 2018
  • A hack involving the theft of prepaid customer data in November 2019
  • The theft of employee and customer data in March 2020 
  • A “security incident” involving “malicious, unauthorized access” to some information related to T-Mobile accounts in January

There’s no excuse for any of this and he needs to walk the plank.

T-Mobile Hacker Says T-Mobile’s Security Is “Awful”

Posted in Commentary on August 27, 2021 by itnerd

It’s bad enough that T-Mobile got either massively pwned by a hacker, or just badly pwned by a hacker. Though it may still get worse. But it just got worse for the American telco. The hacker who pwned them is speaking out. His name is John Binns, a 21-year-old American who lives in Turkey, and he doesn’t have flattering things to say about the telco and their security:

In messages with the Journal, Mr. Binns said he managed to pierce T-Mobile’s defenses after discovering in July an unprotected router exposed on the internet. He said he had been scanning T-Mobile’s known internet addresses for weak spots using a simple tool available to the public.

The young hacker said he did it to gain attention. “Generating noise was one goal,” he wrote. He declined to say whether he had sold any of the stolen data or whether he was paid to breach T-Mobile.

And:

Mr. Binns said he used that entry point to hack into the cellphone carrier’s data center outside East Wenatchee, Wash., where stored credentials allowed him to access more than 100 servers.

“I was panicking because I had access to something big,” he wrote. “Their security is awful.”

He said it took about a week to burrow into the servers that contained personal data about the carrier’s tens of millions of former and current customers, adding that the hack lifted troves of data around Aug. 4.

You have to wonder how this is going over inside T-Mobile, especially since they’ve been pwned on numerous occasions. But more importantly, this is going to spark a lot of questions and inquiries from people outside T-Mobile. And I’m going to bet that T-Mobile really doesn’t want to answer any questions whatsoever. Because when you’ve been pwned as often as they have, lawmakers and others are going to make your life miserable.

Chargeasap Launches Flash & Flash Pro Plus On Indiegogo

Posted in Commentary on August 26, 2021 by itnerd

Sydney based consumer electronics brand, Chargeasap, known for its incredibly successful crowdfunding campaigns including Infinity UNO and X-Connect cables, is pleased to announce its latest innovation, the Flash Pro and Flash Pro Plus. Following the huge success of the predecessor, Flash 2, which raised over $1,668,532, the next generation power bank will be available on Indiegogo from 20th July. The campaign will run for a 60-day period with shipping expected in December 2021. Pledges for Flash Pro start at $139, a discount of 54% from the RRP $299 and $149 for Flash Pro Plus, a discount of 54% on the RRP $319.

The next generation is here; the world’s fastest charging power banks reengineered for today’s Apple and Android users. After assessing the feedback from over 10,000 backers, Chargeasap has re-engineered the ultimate mobile charger to truly complement users’ work and lifestyle needs. This includes the addition of an extra battery to upgrade the capacity by an additional 20% to 25,000 mAh, giving the extra power that backers requested. It now has enough capacity to charge a 13-inch Macbook 1.3 times, or charge an iPhone 12 Pro 7 times.

A 3rd USB-C port has also been added by popular demand to allow full-speed charging for a 16-inch Macbook Pro, a 13-inch Macbook Pro and an iPhone 12 Pro – all at the same time and at maximum speed. The USB-A port now has an increased 50W of power to support more proprietary fast charging technology from major brands including Samsung, Huawei, Oppo and Vivo. It will also be able to support up to 22.5W for all Huawei devices. A single USB-C port is able to support 100W Power Delivery 3.0 while the additional USB-C ports are able to reach 60W and 20W respectively. Each USB-C port also supports the maximum charging speed of 20W for the iPhone 12 Pro range.

Flash Pro is ideal for Android users, with a wireless fast charging pad upgraded from 10W to 15W, whilst Flash Pro Plus has been designed with Apple users in mind, by incorporating 15W MagSafe compatibility and a 5W Apple Watch wireless pad. Flash Pro Plus is capable of 15W wireless charging. Just place the iPhone 12 on top of the MagSafe charging pad and it will magnetically attach to help the device remain in place. The MagSafe wireless charger is also able to support up to 10W wireless charging for all other devices such as Apple AirPods. Flash Pro Plus delivers an impressive 190W of combined power meaning it can charge up to 6 devices at the same time, so all Apple devices are covered.

Chargeasap has worked hard too on increasing the charging capability with Flash Pro charging at an extraordinary 80% in only 43 minutes, with a full charge delivered within 70 minutes. This makes it the world’s fastest high-capacity charging power bank. The secret to this fast charge technology lies in the same revolutionary graphene batteries, designed by Panasonic and used by a leading pioneer of electric vehicles, used in the original Flash power bank. Graphene batteries are safer and support faster charging at lower temperatures. Flash Pro and Flash Pro Plus will still perform as if they were new, even after 5 years of daily use, with an extended 2,000 use life cycle, 4 times longer than standard batteries with only 500 cycles. The company is so confident in its power banks it offers consumers a two-year guarantee. The clutter is now also removed with pass-through charging allowing charging of up to 6 devices at the same time, even whilst charging Flash Pro.

What really makes Flash Pro unique, is the 1.3-inch OLED screen making it the world’s first power bank to display real-time charging volts and amps, so a user will know exactly how fast the various devices are charging. This is coupled with dual NTC thermistors that “measure” operating temperature for peak efficiency and safety that can be monitored live. The industry leading smart chip ensures the optimum amount of power is distributed from each port, enabling support for all the differing USB devices. It is also upgraded to now detect and charge low powered devices such as earbuds or smart watches.

Chargeasap has also improved the design by making changes, based on feedback received, with the aim of enhancing the user’s experience. The edges have been smoothed out, the corners have been rounded and the power button has been re-designed so that it’s more flush, easier to press and feels sturdier. It has also added a subtle LED glow that makes it simple to turn on the Flash Pro Plus in the dark as well as giving it a sleek look. Additionally, the glass wireless charging pad has been removed to increase the durability of Flash Pro Plus and to make it drop proof, ensuring it can withstand any bangs and drops it may encounter.

All of this is protected by aircraft grade aluminium and comes with over a dozen safety features and international certifications, making it an extremely durable power station that’s safe for airline travel. It is also incredibly portable, as the Flash Pro Plus and Flash Pro come in at a pocket-sized 583.5g (1.28lb) and 572.5g (1.26lb) respectively. So, whether travelling, on the go or in need of some extra power, users can charge in a flash, with the next generation Flash Pro and Flash Pro Plus.

The Indiegogo campaign runs from 20th July for a 60-day period with shipping expected in December 2021. Pledges for Flash Pro start at $139, a discount of 54% from the RRP $299 and $149 for Flash Pro Plus, a discount of 54% on the RRP $319.
