Archive for October 14, 2021

Unprotected Endpoints From Older Versions Of Prometheus Can Be Leveraged To Leak Info

Posted in Commentary with tags on October 14, 2021 by itnerd

JFrog researchers have found that the HTTP endpoints of Prometheus, the open-source event monitoring and alerting toolkit, are frequently exposed without any protection, particularly on older versions. Prometheus collects and processes metrics from different endpoints, making it easy to observe software metrics such as memory usage, network usage and software-specific metrics, such as the number of failed logins to a web application. Large-scale unauthenticated scraping of publicly reachable, unsecured endpoints could be leveraged to leak sensitive information. Which isn’t good, seeing that Prometheus is meant to help monitor corporate environments, not expose them.

Giora Engel, CEO and Cofounder, Neosec:

“Prometheus, like many other systems, is based on APIs for accessing the data and managing the systems. Those systems are spun up frequently without any supervision; they are typically meant for internal use and are poorly secured, if at all. Being able to discover all the exposed APIs and finding cases of weak security is essential in order to remediate and prevent data loss. You can never rely on what’s known and documented in these cases – being able to monitor actual traffic typically discovers all those unknown services that are poorly configured.”

If you run Prometheus, now would be a very good time to update it, because now that this is out, you can be sure that someone will try to leverage it. Updating alone is not enough, though: since version 2.24 Prometheus can enforce TLS and basic authentication on its own HTTP endpoints through its web configuration file, but that has to be turned on, and an instance that cannot be upgraded should sit behind an authenticating reverse proxy and never be reachable from the internet.
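To find out whether your own Prometheus instance is one of the unsecured endpoints described above, the following script (an added example, not JFrog’s tooling or code from the Prometheus project) sends unauthenticated requests to the server’s config, targets, flags and metrics paths, which are standard Prometheus HTTP API and exposition endpoints, and reports which ones hand back data. The injectable `fetch` parameter is a design choice of this example so the logic can be exercised offline; the default performs a real request with the standard library.

```python
"""Audit a Prometheus server for endpoints readable without credentials.
Added example; not code from JFrog or the Prometheus project."""
import sys
import urllib.error
import urllib.request

# Standard Prometheus HTTP paths that reveal the most about an environment:
# the loaded scrape configuration, the discovered scrape targets, the runtime
# flags, and the server's own metrics.
SENSITIVE_PATHS = (
    "/api/v1/status/config",
    "/api/v1/targets",
    "/api/v1/status/flags",
    "/metrics",
)


def http_status(url, timeout=5):
    """HTTP status code of an unauthenticated GET; error responses keep their code."""
    req = urllib.request.Request(url, headers={"User-Agent": "prom-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def audit_prometheus(base_url, fetch=http_status):
    """Return {path: state} with state 'open', 'protected', 'absent' or
    'unexpected:<code>'.

    A 200 without credentials means anyone who can reach the port can read
    the data.  401 or 403 is what basic auth configured through Prometheus'
    web config file, or an authenticating reverse proxy, answers.  404 means
    the path is not served at all."""
    base = base_url.rstrip("/")
    report = {}
    for path in SENSITIVE_PATHS:
        code = fetch(base + path)
        if code == 200:
            report[path] = "open"
        elif code in (401, 403):
            report[path] = "protected"
        elif code == 404:
            report[path] = "absent"
        else:
            report[path] = f"unexpected:{code}"
    return report


def exposed_paths(report):
    """The paths that leak data to an unauthenticated client."""
    return sorted(p for p, state in report.items() if state == "open")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9090"
    result = audit_prometheus(target)
    for path, state in result.items():
        print(f"{state:12s} {path}")
    sys.exit(1 if exposed_paths(result) else 0)
```

Run it from a host in the same network position as an internet scanner, not from inside the monitoring VLAN, to see what an outsider sees. A reverse proxy that answers every request with a 200 HTML login page will show up as “open”; confirm by looking at the response body in that case.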

LinkGraph Named Best Start-Up Agency At The U.S. Search Awards 

Posted in Commentary on October 14, 2021 by itnerd

On October 7, 2021, U.S. Search Awards named LinkGraph the winner of Best Start-Up Agency in the United States. The award recognizes the best SEO agency under 2 years old that demonstrates strong company culture, growth, and profitability with a track record of client wins and retention, while achieving excellent ROI for their clients. LinkGraph was also shortlisted by the Global Search Awards earlier this year in the same category for Best Global Start-Up Agency.

The U.S. Search Awards recognizes the nation’s best agencies, campaigns, innovation, and individuals working in the search industry. Hosted by We Are Search, the Search Awards have celebrated the best in PPC, SEO, and content marketing for nearly a decade with programs all over the globe.

The recognition, awarded by a panel of search industry leaders and experts, comes less than a year after releasing the SearchAtlas Software Suite on linkgraph.io and on the heels of the soft launch of the SearchAtlas SEO mobile app and Google Chrome extension.   

Said the judges about LinkGraph’s Best Start-Up Agency win, “We are impressed with how they empower clients to help support their SEO initiatives. It sounds like a positive place to work and they achieve results for a solid client base!” 

LinkGraph was also a finalist in the following categories: Best Software Suite for SearchAtlas Software Suite, Best Software Tool for GSC Insights, and Best Low-Budget Campaign for Veil. To see the full list of 2021 U.S. Search Awards winners, visit: https://ussearchawards.com/2021-winners/

Cybersecurity Firm Prove Wins Seven Comparably Awards & Three Expert Insights Awards 

Posted in Commentary with tags on October 14, 2021 by itnerd

Cybersecurity company Prove announced today that it has won a total of seven (7) Comparably Awards and an overall A+ Culture score, in addition to three Expert Insights Awards for its cybersecurity solutions.

Comparably’s set of annual awards highlight the best companies, and its honors include categories such as Best Perks and Benefits, Best Compensation, Happiest Employees, and Best Work-Life Balance. The lists showcase the companies that are keeping their employees satisfied across businesses large and small.

Prove was recognized in 2021 for the following categories:

  • Best Company Perks & Benefits,
  • Best Company Compensation,
  • Best Career Growth 2021,
  • Best Leadership Teams 2021,
  • Best CEOs for Diversity 2021,
  • Best Places to Work in New York 2021, and
  • Best Company Outlook 2021.

Prove was ranked No. 1 by Comparably against industry competitors, such as Socure, Pindrop, TeleSign Corporation, and Neustar, Inc. 

According to surveys, Prove employees provided the following feedback:

  • 100% of employees call their work environment “positive”;
  • 100% look forward to interacting with their teams every day;
  • 83% report they are happy with their work-life balance;
  • Employees describe their work pace as “comfortably fast”; and
  • Prove employees often take unlimited paid vacation and sick days each year.

Expert Insights Awards

Prove also is the proud recipient of three Expert Insights Fall 2021 Best-Of Awards, which honor industry-leading cybersecurity solutions across more than 24 categories.

  • Best of Identity & Access Management
  • Best of Multi-Factor Authentication
  • Best of Zero Trust Security

Previously this year, Prove was named to the Inc. 5000.

LinkedIn Partially Pulls Out Of China

Posted in Commentary with tags on October 14, 2021 by itnerd

In a sign that perhaps American companies are getting fed up with having to deal with China and its unique requirements, LinkedIn is shutting down its social networking service in China. Here’s why:

While we’ve found success in helping Chinese members find jobs and economic opportunity, we have not found that same level of success in the more social aspects of sharing and staying informed. We’re also facing a significantly more challenging operating environment and greater compliance requirements in China. Given this, we’ve made the decision to sunset the current localized version of LinkedIn, which is how people in China access LinkedIn’s global social media platform, later this year.

Instead, LinkedIn will do this:

Later this year, we will launch InJobs, a new, standalone jobs application for China. InJobs will not include a social feed or the ability to share posts or articles. We will also continue to work with Chinese businesses to help them create economic opportunity. 

I guess that this is the only way that LinkedIn could operate in the country. I wonder if LinkedIn is going to be the first of many companies to start to back away from China in whole or in part, or is this a unique event?

Microsoft Azure Fought Off A MASSIVE DDoS Attack

Posted in Commentary with tags on October 14, 2021 by itnerd

Earlier this week, Microsoft announced that Microsoft Azure successfully fended off the largest DDoS attack on an Azure cloud customer to date:

The attack itself came from over 70,000 sources. It was orchestrated from multiple Asia-Pacific countries such as Malaysia, Vietnam, Taiwan, Japan, and China, and from the United States. 

The attack vector was a User Datagram Protocol (UDP) reflection attack. The attack lasted over 10 minutes with very short-lived bursts. Each of these bursts ramped up in seconds to terabit volumes. In total, Microsoft saw three main peaks, the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.

In a UDP reflection attack, the attacker exploits the fact that UDP is a stateless protocol. That means the attackers can create a valid UDP request packet listing the attack target’s IP address as the UDP source IP address. It looks as if the attack is being reflected back and forth within the local network, hence the name. This relies on the UDP request packet’s source Internet Protocol (IP) being spoofed, i.e. falsified. The UDP packet contains the spoofed source IP and is sent by the attacker to a middleman server. The server is tricked into sending its UDP response packets to the targeted victim IP rather than back to the attacker. The middleman machine helps strengthen the attack by generating network traffic that is several times larger than the request packet, thus amplifying the attack traffic.
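Seen from the victim’s side of the network, the mechanism Microsoft describes has a recognisable shape: replies from well-known UDP service ports arrive from many unrelated hosts, and none of them answer a request the victim actually sent, because the request went out from the attacker with the victim’s address as the spoofed source. The detector below, an added example and not Microsoft’s or Azure’s mitigation logic, runs that check over constructed flow records. The Flow fields, the list of reflector ports and the thresholds are assumptions of this example.

```python
"""Spot UDP reflection/amplification traffic in flow records.
Added example; not Microsoft's or Azure's detection logic."""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors (assumed list for this example).
REFLECTOR_PORTS = {
    19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 389: "cldap",
    1900: "ssdp", 11211: "memcached",
}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, NetFlow-style (assumed field set)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    bytes: int
    packets: int


def detect_reflection(flows, min_sources=3, min_bytes=10_000):
    """Return {victim_ip: summary} for destinations that receive replies from
    many distinct reflectors without ever having queried them.

    The tell-tale sign at the victim's edge: inbound UDP from a well-known
    service port, from many unrelated sources, with no matching outbound
    request, because the "request" was sent by the attacker with the victim's
    address spoofed as the source."""
    # Requests the monitored hosts really sent: (client, server, server_port).
    outbound = set()
    for f in flows:
        if f.proto == "udp" and f.dst_port in REFLECTOR_PORTS:
            outbound.add((f.src_ip, f.dst_ip, f.dst_port))

    per_victim = defaultdict(lambda: {"sources": set(), "bytes": 0, "services": set()})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        if (f.dst_ip, f.src_ip, f.src_port) in outbound:
            continue  # legitimate reply to a request we observed
        v = per_victim[f.dst_ip]
        v["sources"].add(f.src_ip)
        v["bytes"] += f.bytes
        v["services"].add(REFLECTOR_PORTS[f.src_port])

    return {
        ip: {"sources": len(v["sources"]), "bytes": v["bytes"],
             "services": sorted(v["services"])}
        for ip, v in per_victim.items()
        if len(v["sources"]) >= min_sources and v["bytes"] >= min_bytes
    }


# Constructed sample flows (not real traffic); 203.0.113.10 is the victim.
SAMPLE_FLOWS = [
    # Legitimate DNS: the victim asks a resolver, the resolver answers.
    Flow("203.0.113.10", 50123, "198.51.100.1", 53, "udp", 70, 1),
    Flow("198.51.100.1", 53, "203.0.113.10", 50123, "udp", 300, 1),
    # Unsolicited NTP, DNS and CLDAP replies from several reflectors.
    Flow("192.0.2.11", 123, "203.0.113.10", 40001, "udp", 48_000, 100),
    Flow("192.0.2.12", 123, "203.0.113.10", 40002, "udp", 48_000, 100),
    Flow("192.0.2.13", 53, "203.0.113.10", 40003, "udp", 30_000, 10),
    Flow("192.0.2.14", 389, "203.0.113.10", 40004, "udp", 60_000, 20),
    # Another host doing ordinary SNMP polling; it sent the request itself.
    Flow("203.0.113.20", 55555, "192.0.2.50", 161, "udp", 90, 1),
    Flow("192.0.2.50", 161, "203.0.113.20", 55555, "udp", 400, 1),
]

if __name__ == "__main__":
    for victim, info in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{victim}: {info['sources']} reflectors, {info['bytes']} bytes "
              f"via {', '.join(info['services'])}")
```

On real exports the flows are sampled and routing is often asymmetric, so a reply whose request left through a different collector will look unsolicited; raise the thresholds accordingly and treat the result as a lead to confirm against packet captures, not as a verdict.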

The fact that Microsoft was able to fend off this attack shows how resilient Microsoft’s defenses are. I got some additional commentary from Tim Grelling, Director of Innovation, Security at Core BTS, and Jason Barr, Senior Director of Innovation at Core BTS:

“While there’s understandable concern surrounding the cloud during an age of incessant breaches, Azure is the most secure offering on the market, as proven by the platform’s ability to fend off this attack. Over ninety percent of Fortune 500 companies use the Azure suite of services with little issue, and this is a strong example of why. The Azure suite can be highly modified for the security needs of individual clients. This ensures that the fatal “one size fits all” approach to security isn’t an issue for Azure users, resulting in safer storage of data.”

This in my mind makes moving to Azure a viable option for companies moving to the cloud, as clearly Azure is capable of defending against attacks like this.

Research Shows FHIR APIs Have Critical Flaws

Posted in Commentary with tags on October 14, 2021 by itnerd

New research from Alissa Knight of Knight Ink finds critical flaws in the FHIR API implementations she tested, flaws that leave them open to abuse. Knight examined three FHIR APIs serving an app ecosystem of 48 FHIR apps and APIs; that ecosystem aggregated EHR data from more than 25,000 health care providers and payers. Key findings show:

  • Three production FHIR APIs serving an ecosystem of 48 apps and APIs were tested
  • The ecosystem covered aggregated EHR data from 25,000 providers and payers
  • 4 million patient and clinician records could be accessed from a single patient login account
  • 53% of mobile apps tested had hardcoded API keys and tokens which could be used to attack EHR APIs
  • 100% of FHIR APIs tested allowed API access to other patients’ health data using one patient’s credentials
  • 50% of clinical data aggregators did not implement database segmentation, allowing access to patient records belonging to other apps developed on their platform for other providers
  • 100% of the mobile apps tested did not prevent person-in-the-middle attacks, enabling hackers to harvest credentials and steal or manipulate confidential patient data
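The finding that every tested API let one patient’s credentials read other patients’ data is a missing object-level authorization check, not a missing login. The example below, added here and not code from the tested APIs or from Knight Ink’s report, shows a FHIR-style resource read the way the report describes it next to a hardened version. The in-memory resources and tokens are constructed; it assumes the access token carries a `patient` claim naming the one patient the app was authorized for, the way a SMART on FHIR patient launch context does, and SMART-style read scopes. The hardened check works for any resource that references its patient through `subject` or `patient`, not only the Observation shown.

```python
"""A FHIR-style resource read with and without object-level authorization.
Added example; not code from the APIs tested in the report or from Knight Ink."""


class Forbidden(Exception):
    """Caller is not authenticated or lacks scope (HTTP 401/403)."""


class NotFound(Exception):
    """Resource does not exist for this caller (HTTP 404)."""


# Constructed in-memory FHIR resources.  Observation.subject, and the `patient`
# reference on resources such as AllergyIntolerance, name the patient
# compartment a clinical resource belongs to.
RESOURCES = {
    ("Patient", "p-100"): {"resourceType": "Patient", "id": "p-100",
                           "name": [{"family": "Alpha"}]},
    ("Patient", "p-200"): {"resourceType": "Patient", "id": "p-200",
                           "name": [{"family": "Bravo"}]},
    ("Observation", "o-1"): {"resourceType": "Observation", "id": "o-1",
                             "subject": {"reference": "Patient/p-100"},
                             "code": {"text": "HbA1c"}},
    ("Observation", "o-2"): {"resourceType": "Observation", "id": "o-2",
                             "subject": {"reference": "Patient/p-200"},
                             "code": {"text": "HIV-1 RNA"}},
    ("AllergyIntolerance", "a-1"): {"resourceType": "AllergyIntolerance", "id": "a-1",
                                    "patient": {"reference": "Patient/p-200"}},
}

# Constructed access tokens.  Assumption: each token carries a `patient` claim
# naming the one patient the app was authorized for (as a SMART on FHIR
# patient launch context does) plus SMART-style scopes.
TOKENS = {
    "tok-alpha": {"sub": "user-alpha", "patient": "p-100", "scope": "patient/*.read"},
    "tok-bravo": {"sub": "user-bravo", "patient": "p-200", "scope": "patient/Observation.read"},
}


def authenticate(token):
    """Map a bearer token to its claims; reject unknown tokens."""
    claims = TOKENS.get(token)
    if claims is None:
        raise Forbidden("invalid token")
    return claims


def scope_allows_read(claims, rtype):
    """SMART-style scope check: patient/*.read or patient/<Type>.read."""
    wanted = {"patient/*.read", f"patient/{rtype}.read"}
    return any(s in wanted for s in claims["scope"].split())


def patient_of(resource):
    """Patient compartment of a resource, or None if it has none."""
    if resource["resourceType"] == "Patient":
        return resource["id"]
    ref = resource.get("subject", resource.get("patient", {})).get("reference", "")
    return ref[len("Patient/"):] if ref.startswith("Patient/") else None


def read_vulnerable(token, rtype, rid):
    """Authentication only: any valid token reads any resource by id, which is
    the behaviour the report found in every API tested."""
    authenticate(token)
    resource = RESOURCES.get((rtype, rid))
    if resource is None:
        raise NotFound(f"{rtype}/{rid}")
    return resource


def read_hardened(token, rtype, rid):
    """Authentication, scope check, then object-level authorization: the
    resource must sit in the compartment of the patient the token was issued
    for.  Foreign resources are reported as NotFound so the endpoint does not
    confirm which ids exist."""
    claims = authenticate(token)
    if not scope_allows_read(claims, rtype):
        raise Forbidden(f"scope does not permit reading {rtype}")
    resource = RESOURCES.get((rtype, rid))
    if resource is None or patient_of(resource) != claims["patient"]:
        raise NotFound(f"{rtype}/{rid}")
    return resource
```

Resources with no patient compartment (a Practitioner or Organization, for instance) come back as NotFound from `read_hardened` because `patient_of` returns None; a real server needs a separate rule for those rather than an exemption, or the exemption becomes the next bypass.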

That’s not trivial. And Giora Engel, CEO and Cofounder, Neosec agrees:

“The regulatory requirements to expose healthcare data for patient access and payer interoperability forced a fast pace of digital transformation in many healthcare systems. Part of that transformation exposes inherent security risks.”

“The main problems that we see today are:

  1. No API inventory creates a blind spot for the security team. APIs that are not known to the security team can’t be reviewed and protected. 
  2. Implementation errors and misconfigurations
  3. Abuse of APIs – by authorized users or clients 

Visibility into the API footprint and behavior is an essential part of the digital transformation.”

I got additional commentary on this story. Saryu Nayyar, CEO, Gurucul had this to say: 

“Healthcare software continues to be a sick child in supporting cybersecurity standards in the US. Researchers have recently shown that the Fast Healthcare Interoperability Resources (FHIR) healthcare data standard has several flaws that can enable individual users to access many other health records.

While all software can be flawed in terms of security, we need to do a better job with our health care systems. We don’t typically subject health care software to any additional scrutiny, and it’s time that we did.  Software that is safety or security critical needs to be held to a higher standard, and health care is at the top of that list.”

Also, Doug Britton, CEO, Haystack Solutions had this to say:

“This story highlights the growing and changing attack surface that 3rd party data aggregators bring and the difficulty with balancing security with convenience, access, and openness of data ecosystems. These factors are often fundamentally at odds with each other. Medical records are some of the most complexly regulated and prolific data types. Congressional legislation governing the treatment (e.g. security & handling) and access creates a challenging dynamic. Securing an app ecosystem may not be as straightforward as conceptualizing it may be. Even with design standards in place the very implementation creates the weak points hackers are so good at finding. These findings highlight the need to slow down access until design standards are established and tested.

“We also need to continue to invest in the next generation of cyber professionals who are experts at secure system design and development. We have the tools to find them. We need to get them into the fight and secure our critical infrastructure so we may realize the promise of FHIR.”

Seeing as sharing healthcare data is important these days, all parties involved need to do their parts to make sure that health care data remains secure.

7 Startups Across North America To Join The Second Cohort Of The Intuit Prosperity Accelerator: AI

Posted in Commentary with tags on October 14, 2021 by itnerd

Intuit and Credit Karma, along with Highline Beta, a venture studio and venture capital firm, today announced the second cohort of the Intuit Prosperity Accelerator™: AI. This announcement follows the recent launch of Intuit Ventures, further evolving the company’s strategy to drive future innovations by supporting early to mid-stage startups.

The second cohort is comprised of seven early-stage startups from top technology hubs including San Francisco, New York, Toronto and Montreal. These companies were selected based on their ability to leverage artificial intelligence (AI) to create solutions that help consumers and small businesses overcome financial challenges. Like the startups from the inaugural program in 2020, these companies share Intuit’s value of being mission-driven. Additionally, they focus on customer obsession to deliver innovative products, ideas, and results.

In an effort to fuel their growth and spur industry innovation, Intuit will partner with the cohort over a five-month period. We will coach them, provide product and technology expertise and connect them to Intuit’s existing consumer and small business customers.

Meet the Cohort:

Adaptive Pulse (Waterloo, ON) helps businesses keep a pulse on every customer while predicting and prioritizing their retention efforts, reducing churn and increasing revenues.

Aphrodite (San Francisco, CA) is a plug-n-play data analytics platform intended to help users drive revenue by providing financial clarity and data-driven insights to small businesses.

Bankuish (New York, NY) is a marketplace that provides gig workers and freelancers a simple way to access affordable banking.

Beam.city Inc (Toronto, ON) is an advertising automation platform that helps businesses optimize their performance and skyrocket profits automatically.

Boom (New York, NY) is on a mission to level the playing field for the 110 million renters in the US by making housing more flexible, affordable, and attainable.

QuoteMachine (Montreal, QC) is a software that brings humans back to digital commerce by helping independent retailers close more deals through simplified and personalized sales processes.

Stamped AI (Quebec City, QC) is an AI platform that streamlines and automates accounting data certification, making small businesses year-end ready, all year round.

The Intuit Prosperity Accelerator: AI is a five-month-long initiative, in which the selected startups will work with Intuit and Highline Beta teams to identify and test growth opportunities using Intuit’s design thinking methodology, Design for Delight (D4D). The cohort will also have access to an exclusive network of mentors, investors and founders as well as the opportunity for follow-on investment from Highline Beta.

For more information on the program, visit: www.intuit.com/ca/prosperity-accelerator.

Carahsoft Expands Partnership with Qualtrics in Canada

Posted in Commentary with tags on October 14, 2021 by itnerd

Carahsoft Technology Corp., the Trusted Government IT Solutions Provider®, today announced an expansion of its partnership with Qualtrics, the leader and creator of the Experience Management (XM) category. The partnership combines Carahsoft’s expertise in providing technology solutions to public sector organizations in Canada with Qualtrics’ market-leading technology to make it easier for governments at all levels to listen, understand and act on feedback from employees and constituents to improve everyday experiences in their communities.

As the Delta variant continues to increase COVID-19 cases in Canada, governments, businesses, and education institutions are seeking to lead with empathy and understanding as they set forth policies that keep their organizations safe. The partnership between Carahsoft and Qualtrics enables leaders to use technology to gain experience data—the thoughts, sentiment and emotions of employees and constituents—to provide better services for their community.

The Qualtrics XM Platform™ is used by over 13,500 organizations worldwide, including 750+ government institutions globally. During the COVID-19 pandemic, Qualtrics has worked with hundreds of organizations to reach 100M+ citizens across 25,000 COVID programs that span screening, appointment scheduling, testing, QR scans, and vaccination status management. Most recently, Qualtrics launched Qualtrics Vaccination & Testing Manager, which enables employees to upload images of their vaccination status, recent COVID-19 test results, or proof of exemption, in order to comply with related policies.

Qualtrics solutions are available to partners who have contract/consortium access. For more information, contact the Qualtrics team at Carahsoft at (703)-673-3570 or Qualtrics@Carahsoft.com; or visit the dedicated Qualtrics microsite.