Archive for November 16, 2021

Clutch Raises $100 Million To Transform The Used Car Buying Experience For Canadians

Posted in Commentary with tags on November 16, 2021 by itnerd

Clutch, Canada’s first online car retailing platform, announced today that it has raised CAD $100 million in Series B equity financing to provide Canadians with an unparalleled online experience for buying pre-owned cars. This most recent financing round is led by D1 Capital Partners with participation from Flight Deck Capital, Canaan Partners, Upper90, Real Ventures, GFC, Brand Project, and FJ Labs. Since 2016, Clutch has been focused on delivering the best customer experience for car buying in Canada. Its fully vertically integrated business model ensures that each car undergoes a rigorous 210-point inspection and is reconditioned to the highest standard by its team of in-house mechanics. Clutch saves customers hours of time by avoiding endless trips to the dealership or uncomfortable meetings with strangers in parking lots. The seamless end-to-end online process provides customers with detailed, high-resolution 360° photos of each vehicle, a free instant CarFax report and access to a wide range of financing options without having to leave the comfort of their home. Finally, Clutch offers complete peace of mind with a 10-day money back guarantee so customers can be sure the car fits in the routine of their everyday lives.

With this funding and support from D1’s Scott Baxter, who will join the company’s board of directors, Clutch will strengthen operations in the existing markets it serves, which includes Alberta, British Columbia, New Brunswick, Nova Scotia, Ontario and Prince Edward Island, as well as expand to new markets in the coming months. Additionally, the company has plans to continue expanding its product offerings in 2022, helping facilitate the entire car-buying process even further. Clutch plans to make significant investments in growing its rapidly expanding team by over 200 people next year in order to continue delivering the easiest, most transparent and most trusted way to buy a car in Canada.

Recently named one of the Fastest Growing Canadian Companies by the Globe & Mail and one of the Top Canadian Startups by LinkedIn, Clutch is modernizing the car buying experience across Canada. Clutch’s mission is to build customer trust by providing a delightful car buying and ownership experience while making a positive impact on the communities in which they operate.

Nokia & Bell Canada test 25G PON Fiber Broadband Technology

Posted in Commentary with tags on November 16, 2021 by itnerd

Nokia and Bell Canada today announced the first successful test of 25G PON fiber broadband technology in North America at Bell’s Advanced Technical Lab in Montréal, Québec.  

The trial validates that current GPON and XGS-PON broadband technology and future 25G PON can work seamlessly together on the same fiber hardware, which is being deployed throughout the network today. 25G PON delivers huge symmetrical bandwidth capacity that will support new use cases such as premium enterprise service and 5G transport.

For the past decade, Bell has been rolling out fiber Internet service to homes and businesses across the country, a key component in the company’s focus on connecting Canadians in urban and rural areas alike with next-generation broadband networks. With this successful trial, Bell can be confident that its network will absorb the increased capacity of future technologies and connect Canadians for generations to come.

Bell and Nokia have closely collaborated over the years on many industry breakthroughs, such as the first Canadian trial of 5G mobile technology in 2016. Bell continues to work with Nokia to build and expand its 5G network across Canada. 

Nokia’s 25G PON solution utilizes the world’s first implementation of 25G PON technology and includes Lightspan and ISAM access nodes, 25G/10G optical cards and fiber modems.

Usually located in telecom central offices, Nokia’s high-capacity access nodes are deployed for massive scale fiber roll-outs. They connect thousands of users via optical fibre, aggregate their broadband traffic and send it deeper in the network. The fiber access nodes can support multiple fiber technologies including GPON, XGS-PON, 25G PON and Point-to-Point Ethernet to deliver a wide range of services with the best fit technology.

Nokia ONT (Optical Network Termination) devices, or fiber modems, are located at the user location. They terminate the optical fibre connection and deliver broadband services within the user premises or cell sites.

New Procore Survey Reveals Challenges and Opportunities for Construction Project Cost Management in Canada

Posted in Commentary with tags on November 16, 2021 by itnerd

Procore Technologies, Inc., a leading provider of construction management software, today released Canadian-focused findings from a report developed in partnership with Dodge Data & Analytics, a leading provider of commercial construction project data. The report found that both owners and contractors in Canada face a variety of challenges when it comes to project cost management, but they believe using one streamlined tool will help facilitate construction projects and cost management more efficiently.

Conducted in July 2021, the report explores the industry’s perception of project cost management and how construction professionals across multiple regions leverage technology to effectively manage costs. Participants included construction owners, general contractors, and subcontractors in the public and private sectors across Canada, Australia, New Zealand, the United Kingdom and the United States.

Technology’s Role In Cost Management

When it comes to leveraging technology to track projects and costs, Canadian organizations are split — with many using multiple applications and spreadsheets to manage the information. While many are confident in their ability to track information to the benefit of their business, there are still many areas where there are needs for improvement.

Key Findings of Procore’s New Construction Cost Management Report:

●  Canadian Confidence: Canadian respondents were confident in how they are managing information.

  • Of all the regions surveyed, Canada led the way in knowing the real-time profit/loss status of projects/portfolio, with 68 per cent of Canadian respondents agreeing or strongly agreeing that they know where they are making or losing money on a project or across their portfolio, at any given moment.
  • Fifty-eight per cent of Canadians indicated they can easily uncover cost details and create comprehensive financial reports from a single source of truth.
  • Sixty-three per cent said they can dynamically track every dollar in their budgets and forecast critical costs with real-time data from the field, while staying in sync with the accounting system.

The report shows that owners expressed more confidence in their overall cost management capabilities than contractors surveyed, and each type of owner studied (public and private) is more confident than either type of contractor (general and trade). General contractors are more confident than specialty trades.

●  Staying on Top of Costs: When asked which cost-management activities their company has the greatest difficulty with, the top five selected by Canadian organizations are as follows:

  • Determining appropriate contingency amounts (32 per cent)*
  • Accurately estimating total cost to complete for activities in the work breakdown structure (31 per cent)*
  • Tracking costs for every aspect of the job to determine how they impact overall project cost (31 per cent) 
  • Control of project cash flows (29 per cent)*
  • Understanding in real-time where they are making or losing money (26 per cent)

  * Canada also leads in these three challenges when compared to its global counterparts.

●  Varying Workflows: Canadian respondents are collaborating with external partners in various ways — including older, traditional processes — when it comes to workflows related to cost management:

  • Email and attachments (17 per cent)
  • Generic, third-party collaboration software (17 per cent)
  • Telephone and personal communication (16 per cent)
  • Manual processes relying on printed paper (14 per cent)
  • FTP server managed by a project team member (13 per cent)

When it comes to internal collaboration, third-party collaboration software (18 per cent) and email and attachments are the top tools.

●  The Cost of Technology: Globally, general contractors and specialty contractors reported notably different levels of satisfaction with their use of software for cost management. The disparity sends an important message that the right technology — and the right amount of it — is needed to effectively support the workflows of every team member in order to advance the entire industry.

  • And, while a high level of Canadian respondents indicated they know where they are making or losing money on a project or across their portfolio at any given moment, the results show there is room to spend more on the technology they need to be successful: 20 per cent of Canadian organizations said they are spending “the right amount” on technology required for cost management practices, and 30 per cent said they are spending somewhat or much less than they should.

●  Improvements Needed in the Next 3-5 Years: When asked about the most important future needs to solve with project cost management, tracking dollars and data were high priorities. Globally, forecasting critical costs with real-time data from the field topped the list (30 per cent). In Canada, respondents cited these top three as the most important:

  • Dynamically tracking every dollar in my budget (30 per cent)
  • Leveraging data from previous projects to benchmark cost performance (29 per cent)
  • Accurately assessing risk related to any changes or performance issues (29 per cent)

Listen to the conversation between Jas Saraw and Stephen Jones during the Cost Management: The State of the Industry webinar here

Download The Construction Cost Management Report here

To learn more about Procore solutions, including Financial Management and the ERP Connector Platform, visit Procore.com

Waze & Halo Unlock Two New Vehicles & Moods In Halo Experience

Posted in Commentary with tags on November 16, 2021 by itnerd

This month, Waze is transporting you 500 years into the future to be part of an epic battle for the fate of the galaxy. We’ve teamed up with Xbox and 343 Industries, creators of the legendary Halo series, to bring the groundbreaking and beloved Halo universe experience to the road.

To mark the franchise’s 20th anniversary, for the first time ever you can ride along with a heroic Spartan super-soldier or a fierce alien war chief—and play your part in the fight to get humanity back on the right path. 

Choose Your Side
Join the UNSC and the legendary Master Chief to help humanity tackle every obstacle thrown at them—whether it’s an interstellar alliance or rush hour traffic. Spartan-117 has dismantled the Covenant, turned the tide against the Flood, and battled the Banished—with that kind of experience in your corner, the mission of successfully making that dinner date will be no problem. Of course, having an all-terrain terror like the Warthog doesn’t hurt either.

Or perhaps you like to be on the rebellious side? For those that want to take control of their own fate—and the road ahead—look no further than the Banished war chief, Escharum. This brutal warrior will be there to lead your Ghost into uncharted territory and ensure victory—and a swift and safe arrival—at any cost. 

Let’s Ride!
So, buckle up and confirm your coordinates because while Halo Infinite is coming this holiday, you can drive with the Halo universe today. Click here to enjoy the Halo experience every time you hit the road, with your choice of voice in English, Spanish, French or Portuguese, and Moods and Cars—all available for a limited time. Or head to your Waze app, tap “My Waze,” and select the Halo banner to activate the experience.

Terranova Security Introduces Click and Launch Cyber Security Awareness Training

Posted in Commentary with tags on November 16, 2021 by itnerd

Today, Terranova Security, the global partner of choice in security awareness, introduced its Click and Launch solution, dedicated awareness and phishing training bundles that take only minutes to launch, saving companies time, labour and money. Organizations can now deploy world-class cybersecurity awareness training faster than ever and keep sensitive information safe from cyber threats.

The easy-to-use, out-of-the-box offering enables organizations to deploy security awareness training in just a few clicks. The training features high-quality content that is both engaging and cost-effective. With these powerful, budget-friendly bundle options, security professionals can use pre-configured training campaigns and phishing simulations to save valuable time and resources.

The Click and Launch bundles, named Champion and All-Star, supply many benefits that help change employee behavior and build a security culture, including: 

  • Easy-to-use content – Each Click and Launch bundle requires only a few minutes to get started. This level of efficiency saves organizations lots of time normally spent on creating, deploying, and supporting training campaigns. 
  • Powerful, engaging training campaigns – The Terranova Security pre-built training campaigns feature real-world phishing simulations along with diverse reinforcement tools. This way, any organization’s workforce is prepared for various cyber attack scenarios and understands how to safeguard sensitive data from threats. 
  • High-quality training experiences – Click and Launch builds off the tremendous value of other Terranova Security products by using over 20 years of industry expertise. This results in a powerful learning experience for businesses to support their goals and needs. 

This offering is built to be budget-friendly for organizations and is available as multilingual content. For an even more straightforward, hands-off approach, organizations also have the option to add Managed Services to their Click and Launch bundle of choice. 

Being an official Terranova Security partner is simple and profitable. Terranova Security partners get access to dependable, powerful security awareness solutions, comprehensive partner training and certification, special offers that drive new opportunities, and tools and resources designed for business growth. 

For more information, visit the Click and Launch page on the Terranova Security website

Guest Post: Seamlessly Discovering Netgear Universal Plug-And-Pwn (UPnP) 0-Days

Posted in Commentary with tags on November 16, 2021 by itnerd

Introduction

A Vulnerability Researcher’s Favorite Stress Relief

Continuing in our series of research findings involving Netgear[1] products,[2] this blog post describes a pre-authentication vulnerability in Netgear SOHO devices that can lead to Remote Code Execution (RCE) as root. While our previous research investigated the Netgear web server and update daemons, the issues described in this blog revolve around the device’s UPnP daemon. Anyone with Small Office/Home Office (SOHO) device vulnerability research experience will be familiar with UPnP. UPnP servers allow any unauthenticated device on the network to connect to the server and reconfigure the network to support its operations. For instance, the Xbox One uses UPnP to configure the port forwarding necessary for gameplay. However, this service provides a large attack surface for the device, as it must accept unauthenticated requests and parse complex input to handle them. Further, the UPnP service on SOHO devices has previously been exploited in the wild.[3]

In addition to detailing the vulnerability and exploitation process, this blog post also describes how an incorrect patch in a few of Netgear’s devices actually prevents exploitation. As always, the write-up and code for the vulnerability described in this blog post can be found in our NotQuite0DayFriday repository. While this research was conducted internally at GRIMM, the bug was not initially disclosed by us to Netgear. Prior to our planned disclosure date, Netgear released a patch that fixed the underlying bug in one of the affected devices.

Bug identification

Netgear SOHO Devices upnpd Service Pre-Authentication Stack Overflow

  • Vulnerability Type: Pre-Authentication Stack Overflow
  • Location: gena_response_unsubscribe function in the upnpd daemon
  • Affected devices and versions listed in Table 1
  • Fixed versions: see Netgear security bulletin
  • Impact: RCE as root on the device by an unauthenticated attacker on the device’s LAN.

These devices are vulnerable, but the vulnerable feature within upnpd has been broken by a previous vulnerability mitigation, and thus they cannot be exploited. See the Broken Functionality section below for more information.

The upnpd daemon accepts unauthenticated HTTP SUBSCRIBE and UNSUBSCRIBE requests from clients that wish to receive updates whenever the network’s UPnP configuration changes. The gena_response_unsubscribe function handles the UNSUBSCRIBE requests. This function (shown in Figure 1) copies 512 bytes of the HTTP request to a local stack buffer, converts it to lowercase (via strlwr), and then validates that it contains the strings sid:, host:, and uuid:.

Figure 1: Pre-authentication stack overflow in gena_response_unsubscribe

Afterwards, it calls the find_token_get_val function to parse the UUID header (i.e. to get the value between the strings uuid: and \r\n). The find_token_get_val function’s 4th argument is used to return the parsed value to the caller; find_token_get_val will copy a parsed value of at most 1024 characters into this argument (as shown in Figure 2).

Figure 2: strncpy with assumed 1024 length in find_token_get_val

However, the uuid_buffer stack buffer passed to this function from gena_response_unsubscribe is only 64 bytes. As such, an attacker can overflow this stack buffer and control the saved registers and return address on the stack. The stack layout during the overflow is depicted in Figure 3.

Figure 3: stack layout during the stack overflow

Technical analysis

This section describes a Proof of Concept (PoC) exploit developed for the vulnerability that can reset the administrator password or execute arbitrary commands on a vulnerable device.

UUID Exploit

This stack overflow is a traditional stack overflow that is not protected by any modern vulnerability mitigations. However, exploitation of this stack overflow is complicated by a few factors:

  1. Prior to overflowing the stack, the buffer with the user’s input is converted to lowercase. As a result, the exploit cannot use any gadgets which contain bytes with capital letters (ASCII 0x41-0x5A).
  2. The copy which overflows the stack is a string copy. As such, it will stop copying characters if it encounters a NULL character. Thus, the exploit cannot include gadgets with NULL bytes.

While the first limitation can be easily avoided by carefully choosing gadgets, the second limitation is much more difficult to bypass. All of the addresses within the upnpd daemon contain a NULL character as the Most Significant Byte (MSB). Further, the exploit cannot specify a library address either. While the main upnpd executable does not support Address Space Layout Randomization (ASLR), the Linux kernel will automatically randomize the address of any loaded libraries. Thus, the exploit cannot know where the libraries are loaded. Instead, the PoC bypasses this limitation by omitting the gadget’s MSB in the payload, and then immediately ending the payload. The string copy which overflows the stack will automatically NULL terminate the string, and thus write a single NULL byte for us. However, this technique has the disadvantage that it can only write a single NULL byte at the end of the payload. As such, the exploit can only run a single gadget via this technique.

The PoC implements two separate techniques for converting the execution of a single gadget into a useful effect. The first technique simply jumps to the code shown below, which resets the web server password to the string password:

acosNvramConfig_set("http_passwd", "password");

The second technique jumps to a gadget which adds 0x1000 to the stack, and then continues loading gadgets. This gadget skips several stack frames to find the raw HTTP request received by the upnpd daemon. The raw HTTP request is not limited in the characters it can contain, and has not been modified from the value initially received. By loading addresses from the raw HTTP request, the PoC can include gadgets with NULL and upper case characters. This process is illustrated in Figure 4. With the ability to call arbitrary gadgets, the PoC can now call a system gadget to run a custom command. As the upnpd daemon’s machine code does not always contain a system gadget with the command on the stack, the PoC first stores the command to run in a global variable, and then references that variable when calling a non-stack based system gadget.

Figure 4: Stack pointer redirection

Testing

A Python script, upnp_uuid_exploit.py, has been provided that will exploit the UUID vulnerability in the upnpd daemon. If not specified, the exploit will automatically determine the device’s model and version by querying the device’s web server for the /currentsetting.htm page. This page contains the model and version information and is available without authentication on most Netgear devices. Figure 5 demonstrates the PoC against a Netgear XR300 router. By default, the PoC will reset the web server’s password to password. Once the exploit has finished, the attacker will be able to log in to the web server and modify any settings or launch further attacks on the web server. Alternatively, the PoC exposes the -rce-exploit option which will cause the PoC to send an RCE payload instead. However, the PoC only supports RCE payloads for a smaller subset of the affected devices. The RCE exploit will execute a custom command, which by default will start the telnet daemon on port 3333.

Figure 5: The UUID handler stack overflow PoC exploiting the upnp server on the XR300

The PoC has been written for and tested against the list of device and versions below. Additional devices can be added by analyzing the firmware images to find the necessary gadgets.

  1. R7000 version 1.0.11.100, 1.0.11.106, and 1.0.11.110
  2. XR300 version 1.0.3.56 and 1.0.3.38
  3. R6700v3 version 1.0.4.118

Broken Functionality

In some firmware images, the handle_subscribe_unsubscribe function, which calls the vulnerable gena_response_unsubscribe function, contains an incorrect fix for a previous stack buffer overflow (shown in Figure 6). This stack overflow occurred when the user input (up to 8191 bytes) was copied into a 512-byte stack buffer at the beginning of handle_subscribe_unsubscribe. However, beginning in version 1.0.11.116 of the R7000, the strcpy was converted to a strlcpy(beginning_of_input, all_input, 4) call. As such, only the first 3 bytes of the user’s input are copied to the stack buffer (leaving 1 byte for the terminating NULL character). This stack buffer is then parsed to respond to the request, which obviously cannot be done with only the first 3 bytes of the request. As a result, all UPnP SUBSCRIBE and UNSUBSCRIBE requests are broken in the R7000 in version 1.0.11.116 and later. Thus, the vulnerable UUID handling code within upnpd cannot be reached and these firmware images are not vulnerable to the UUID stack overflow vulnerability. However, once this functionality is fixed, the vulnerable code will once again be reachable, and the devices will be exploitable again.

Figure 6: Broken SUBSCRIBE and UNSUBSCRIBE handling within the R7000 1.0.11.123 firmware

While only the developers know the source of this incorrect patch, we can make an educated guess. As the size of a pointer on the R7000 is 4 bytes (32 bits), it’s likely that the incorrect patch is the result of the sizeof operator being applied to a pointer type by mistake.[4] For instance, consider the following strlcpy code:

char beginning_of_input[0x200];
char *beginning_of_input_ptr = beginning_of_input;
// wrong: beginning_of_input_ptr type is char*, size 4
strlcpy(beginning_of_input_ptr, input, sizeof(beginning_of_input_ptr));
// right: beginning_of_input type is char[0x200], size 0x200
strlcpy(beginning_of_input_ptr, input, sizeof(beginning_of_input));

If the sizeof operator is passed the beginning_of_input_ptr pointer, rather than the beginning_of_input character buffer, it will return a size of 4. 
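As an added example (not code from the GRIMM write-up or from Netgear’s firmware), the C program below contrasts the two defects described above: a header-value extractor in the shape of find_token_get_val that takes the destination’s real capacity instead of assuming 1024 bytes, so a 64-byte uuid_buffer cannot be overrun, and the sizeof-on-pointer mistake behind the strlcpy(..., 4) patch beside its corrected form. The function names, the sample UNSUBSCRIBE request and the use of snprintf as a portable stand-in for strlcpy are assumptions made for the example.

```c
/* Added example, not code from GRIMM or Netgear: bounded header parsing in
 * the shape of find_token_get_val, plus the sizeof-on-pointer mistake (CWE-467)
 * that turned the R7000's strlcpy bound into 4. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UUID_BUF 64   /* size of the caller's uuid_buffer, as in the post */

/* strlwr is not in the C standard library; local lowercase helper. */
static void lowercase(char *s) {
    for (; *s; s++) *s = (char)tolower((unsigned char)*s);
}

/* Hardened extractor: copies the value between token and the next "\r\n"
 * into out, never more than out_len - 1 bytes. Returns the value length,
 * -1 if the token or terminator is missing, -2 if the value does not fit
 * (reported instead of silently overflowing, unlike the assumed-1024 copy). */
int get_header_value(const char *req, const char *token,
                     char *out, size_t out_len) {
    const char *start = strstr(req, token);
    if (!start || out_len == 0) return -1;
    start += strlen(token);
    while (*start == ' ') start++;
    const char *end = strstr(start, "\r\n");
    if (!end) return -1;
    size_t n = (size_t)(end - start);
    if (n >= out_len) { out[0] = '\0'; return -2; }
    memcpy(out, start, n);
    out[n] = '\0';
    return (int)n;
}

/* Validation step the post describes for gena_response_unsubscribe: lowercase
 * a bounded copy of the request and require sid:, host: and uuid:. Returns 1
 * if all three are present, 0 otherwise (oversized requests are rejected). */
int unsubscribe_request_ok(const char *req) {
    char buf[512];
    if (strlen(req) >= sizeof buf) return 0;
    strcpy(buf, req);
    lowercase(buf);
    return strstr(buf, "sid:") && strstr(buf, "host:") && strstr(buf, "uuid:");
}

/* The broken patch pattern: sizeof applied to the pointer, not the array.
 * Returns how many bytes of input actually reach the stack buffer. */
size_t broken_patch_copy_len(const char *input) {
    char beginning_of_input[0x200];
    char *p = beginning_of_input;
    size_t bound = sizeof p;   /* wrong: pointer width (4 on the R7000) */
    snprintf(p, bound, "%s", input);
    return strlen(beginning_of_input);
}

/* The corrected form: sizeof of the array itself (0x200). */
size_t fixed_patch_copy_len(const char *input) {
    char beginning_of_input[0x200];
    char *p = beginning_of_input;
    size_t bound = sizeof beginning_of_input;
    snprintf(p, bound, "%s", input);
    return strlen(beginning_of_input);
}

int main(void) {
    /* Constructed sample UNSUBSCRIBE request, not a captured one. */
    const char *req = "UNSUBSCRIBE /gena HTTP/1.1\r\nHOST: 192.0.2.1:5000\r\n"
                      "SID: uuid:12345678-1234-1234-1234-123456789abc\r\n\r\n";
    char uuid[UUID_BUF];
    printf("request ok: %d\n", unsubscribe_request_ok(req));
    printf("uuid (%d chars): %s\n",
           get_header_value(req, "uuid:", uuid, sizeof uuid), uuid);
    printf("broken patch keeps %zu bytes, fixed patch keeps %zu\n",
           broken_patch_copy_len(req), fixed_patch_copy_len(req));
    return 0;
}
```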

While disabling the SUBSCRIBE and UNSUBSCRIBE request handlers in this way prevents exploitation of this vulnerability, it also prevents legitimate applications from using this functionality. UPnP event subscriptions are used in home automation systems, such as SmartThings[5] and Homebridge,[6] to detect changes within devices on their network. Without a working event subscription system, they won’t be able to detect changes within the SOHO device.

Other models within the same codebase, such as the RS400, have not fixed the original bug, as shown in Figure 7. 

Figure 7: Unmitigated strcpy within the SUBSCRIBE and UNSUBSCRIBE handler in the RS400 1.5.0.68 firmware

However, most models, such as the XR300, have fixed it correctly, as shown in Figure 8. In either case, the vulnerable UUID handler is reachable and can be exploited. 

Figure 8: Correct SUBSCRIBE and UNSUBSCRIBE handling within the XR300 1.0.3.56 firmware

Impact

The impact of this vulnerability is that attackers on the LAN of the affected devices can compromise vulnerable devices, leading to code execution as root. Since the upnpd daemon runs as root, the highest privileged user in Linux environments, the code executed on behalf of the attacker will be run as root as well. With root access on a device, an attacker can read and modify all traffic that is passed through the device. For example, if an employee connects to a corporate network via a compromised router, the router could Man-in-the-Middle (MitM) the connection and read any unencrypted data sent between the user’s device and devices on the corporate network. Additionally, a compromised router or modem could be used to attempt to exploit any of the devices on its network.

Vendor response

While putting the finishing touches on the disclosure report, Netgear released a security bulletin and patch for this vulnerability for the R6700v3. Since the patch only covered one of the many affected devices, GRIMM decided to go forward with the disclosure to ensure that Netgear was aware of the full impact of the vulnerability as well as the extent of the affected devices. Before the end of the 45-day disclosure period, Netgear was able to release an updated security bulletin as well as patches for all of the affected devices that are still actively maintained. It should be noted that some of the devices on GRIMM’s coverage list are no longer actively supported by Netgear, so for those devices this is an evergreen vulnerability.

Conclusions

This report detailed a vulnerability in the UPnP daemon included in many Netgear SOHO Devices. Exploitation of this vulnerability allows attackers on the affected device’s network to obtain RCE as root on the SOHO device. The exact list of devices affected by these vulnerabilities is included in the Bug Identification section.

For many organizations, SOHO devices typically fly under the radar when it comes to cybersecurity risk management. However, the significant increase in employees remotely connecting to corporate networks (e.g. due to updated work-from-home policies brought into practice as a result of COVID-19) has similarly increased the risk to corporate networks from vulnerabilities in SOHO devices. To mitigate the risks to corporate environments posed by vulnerable SOHO devices, GRIMM recommends the provisioning and use of Virtual Private Network (VPN) clients. These clients should be configured to handle all traffic to ensure that an attacker cannot read or modify network traffic in a way that cannot be detected by the VPN endpoints. Additionally, typical hardening techniques, such as enabling a host-based firewall, will help prevent a compromised device from being used to pivot an attack into the corporate-owned devices.

Timeline

  • 09/16/2021 – Vendor releases security advisory for the R6700v3
  • 09/28/2021 – Disclosed additional affected devices to vendor
  • 11/09/2021 – Vendor releases security advisory and patches
  • 11/16/2021 – NotQuite0DayFriday release
  • 11/16/2021 – Blog release

GRIMM’s Private Vulnerability Disclosure (PVD) program

GRIMM’s Private Vulnerability Disclosure (PVD) program is a subscription-based vulnerability intelligence feed. This high-impact feed serves as a direct pipeline from GRIMM’s vulnerability researchers to its subscribers, facilitating the delivery of actionable intelligence on 0-day threats as they are discovered by GRIMM. We created the PVD program to allow defenders to get ahead of the curve, rather than always having to react to events outside of their control.

The goal of this program is to provide value to subscribers in the following forms:

  • Advanced notice (at least two weeks) of 0-days prior to public disclosure. This affords subscribers time to get mitigations in place before the information is publicly available.
  • In-depth, technical documentation of each vulnerability.
  • PoC vulnerability exploitation code for:
    • Verifying specific configurations are vulnerable
    • Testing defenses to determine their effectiveness in practice
    • Training
      • Blue teams on writing robust mitigations and detections
      • Red teams on the art of exploitation
  • A list of any indicators of compromise
  • A list of actionable mitigations that can be put in place to reduce the risk associated with each vulnerability.

The research is done entirely by GRIMM, and the software and hardware selected by us is based on extensive threat modeling and our team’s deep background in reverse engineering and vulnerability research. Requests to look into specific software or hardware are welcome; however, we cannot guarantee the priority of such requests. In addition to publishing our research to subscribers, GRIMM also privately discloses each vulnerability to its corresponding vendor(s) in an effort to help patch the underlying issues.

If interested in getting more information about the PVD program, reach out to us.

Working with GRIMM

Want to join us and perform more analyses like this? We’re hiring. Need help finding or analyzing your bugs? Feel free to contact us.


  1. https://blog.grimm-co.com/2020/06/soho-device-exploitation.html
  2. https://blog.grimm-co.com/2021/09/mama-always-told-me-not-to-trust.html
  3. https://arstechnica.com/information-technology/2018/11/mass-router-hack-exposes-millions-of-devices-to-potent-nsa-exploit/
  4. https://cwe.mitre.org/data/definitions/467.html
  5. https://www.smartthings.com/
  6. https://homebridge.io/

In Depth: Black Friday & Cyber Monday Data Security

Posted in Commentary with tags on November 16, 2021 by itnerd

Black Friday and Cyber Monday 2021 loom large in the minds of retailers and consumers alike. For consumers, these two unofficial “holidays” signal the kickoff of the holiday shopping season, and offer the promise of scoring big deals on wish list gifts. For retailers, the two days serve as key markers for whether their business will be put into the black – i.e., be profitable this year. 

While the popularity of online shopping has been growing exponentially over the past decade, this year, like last year, Cyber Monday has taken on an increasingly critical role for shoppers and retailers alike. This is especially true in the face of the continuing global pandemic and the fear that 2021 Black Friday and Cyber Monday sales may present them with another disappointing year given the still struggling economy. Consequently, there isn’t room for even the smallest of mistakes — certainly not one that will take their on-prem and/or online systems down for any period of time and send their customers to the nearest competitor. 

I got some commentary from Don Boxley, CEO and Co-Founder of DH2i on this topic:

Data and systems uptime, availability and security will play crucial roles in determining the success or failure of Black Friday and Cyber Monday for retailers in 2021. This is because consumers are savvier than ever and know that should your onsite or online systems go down, your nearest competitor is only a few steps or clicks away. And unfortunately, this exodus may be permanent. Especially if the security of customer data, or PII, was compromised.

On Black Friday, Cyber Monday and all year long, retailers must deploy smart availability solutions that offer far more capability than just combatting unplanned outages. The ideal high availability (HA) solution must deliver an all-inclusive approach for optimization of the retailer’s entire environment. It must ensure both planned and unplanned downtime are kept to near zero, while improving (not complicating, as some solutions do) the management experience and lowering overall HA expense. Likewise, retailers must free themselves from outdated and highly vulnerable security solutions — like VPNs — and instead employ a modern data security approach — like a software defined perimeter (SDP). SDP provides users with application-level segmentation versus access to the entire network. In doing so, the overall potential attack surface is minimized, a Zero Trust implementation can be achieved, and the greatest possible level of data security can be ensured.

With data and systems uptime, availability and security assured, retail IT executives can refocus their time and energy instead on activities that ensure optimum customer and employee experiences, increased sales, and a boost to the bottom line.

Hopefully retailers take this advice to make sure that they have a successful Black Friday and Cyber Monday.

Arkose Labs Data Predicts 60% Increase In Online Fraud As Attempts Across All Industries Heat Up For Seasonal Shopping

Posted in Commentary with tags on November 16, 2021 by itnerd

Arkose Labs, the fraud deterrence platform, today released new data on the latest fraud trends, revealing increased threats during the holidays; rising attacks by bots; and a resurgence in attacks on travel companies. As shoppers fill their online carts, account takeover (ATO) attacks and gift-card fraud remain persistent.

The Q4 Arkose Labs Fraud and Abuse Report, released today, shares the top six fraud-fighting trends from the previous 3 months and provides data highlighting that no digital business is immune from attack. Financial industries saw 32 percent more attacks than in the first half of 2021. Retail and travel attacks increased 63 percent in Q3, and gaming saw a spate of fake new accounts being set up for fraudulent purposes. Media and streaming businesses saw 60 percent of malicious activity targeting logins, and 20 percent of these attacks originating from human fraud farms. Technology platforms see 91 percent of all attacks powered by bots. Overall, attacks are increasing in every industry, and they are growing more sophisticated.

Highlights from the report include:

Holiday Season is also Cybercrime Season. Attacks have steadily increased over 2020, becoming more frequent, launching on a larger scale, and initiating with greater sophistication. Digital companies need to understand how fraudsters work and protect the parts of their business that are vulnerable to attack. Arkose Labs estimates that eight million attacks will occur daily during the 2021 holiday shopping season that is now underway. As long as fraudulent attacks are profitable for bad actors, companies must be vigilant in their defense. 

Travel Industry is Back in the Crosshairs. The world is traveling again, and that means more online bookings through travel sites. The travel sector enjoyed a 40 percent increase in digital traffic, creating the perfect opportunity for attacks, which increased 80 percent from Q2 to Q3 2021. Digital traffic to U.S. travel sites was hit particularly hard, with 66 percent of those online visits marked as fraud or bot attacks.

Asia Leads the Globe in Attacks. Asia has returned as the top originator of fraud attacks, with China driving nearly half of all attacks in Q3. In comparison, the United States, in second place, accounted for 19.4 percent of attacks. 

Bots Take Center Stage. While human fraud attempts are increasing, machine attacks are predicted to hold steady and possibly ramp up during the holiday season. Bots now account for 88 percent of attacks. In 2020, more than 2 million bot attacks occurred between October and December. This year, the number will likely be even higher, making it all the more important for businesses to increase scrutiny of traffic intended to do harm.

Fraud Has a New Face. Digital businesses are experiencing a massive surge of fake new accounts. Arkose Labs detected 560 million malicious attempts on registration flows last quarter, which is four times more than at the beginning of the year. These fake accounts open the doors to downstream fraud that directly impacts the bottom line of e-commerce firms. 

Credential Stuffing Continues to Plague Online Businesses. As more customers open digital accounts, account takeover attempts fueled by large-scale credential stuffing soon follow. Arkose Labs stopped 3 billion credential stuffing attacks over the past year, nearly doubling over the past 12 months. In 2020, digital businesses saw a 90% higher volume of credential stuffing attacks during the final quarter of the year, over the holiday shopping period.

Survey By Zoho Highlights Canadian Business Growth In 2021 & Optimism for 2022

Posted in Commentary with tags on November 16, 2021 by itnerd

A newly released survey by Zoho Corporation has revealed a surprising amount of growth among Canadian businesses in 2021 – despite the extreme challenges of navigating the pandemic – as a majority of the respondents indicated they experienced year-over-year growth in 2021.

The survey – which queried 501 business owners across Canada – found that 72.5% of businesses had year-over-year growth in 2021, and even more said they had high hopes for the future, with 82.6% stating they were optimistic about growth in 2022.

Key Survey Findings:

  • 72.5% of Canadian businesses say their business is growing when compared to 2020, with the Greater Toronto Area (GTA) leading the pack at 77.6%, Montreal lagging behind at 66.7%, and Calgary coming in last at only 59.3%.
  • 82.6% of Canadian businesses are optimistic about the next 12 months, although that optimism is significantly less pronounced in Calgary with only 67.9% stating optimism for 2022. 
  • 66.3% of businesses say they are at the intermediate to advanced level of fully digitizing/automating their businesses, indicating a strong acceleration in digital transformations.
  • Business apps are popular among Canadian businesses with 56.9% of respondents using 1-40 apps and another 7.6% using more than 40 apps.
  • 64.9% said low-code apps improve speed-to-market and another 62.2% plan to use a low-code tool to build more apps.
  • While 40% say they’ll maintain a work-from-home or hybrid model in the future, 33.3% of respondents overall said they’re unsure about where their employees will ultimately work. This is in stark contrast to Montreal, where 50% of those surveyed plan on having employees return to the office full-time.
  • Almost 1-in-5 people surveyed have relocated since the beginning of the pandemic.

Report Methodology

Conducted in October 2021 by Zoho Survey, this study contacted 501 individuals across Canada. Participants of the study included a range of business leaders from manager roles to the C-level at small and large enterprises across a variety of industries.