Archive for December, 2021

The Log4j Vulnerability May Actually Be Far Worse Than Previously Thought

Posted in Commentary on December 19, 2021 by itnerd

One assumption about the 10 out of 10, extremely severe, you must fix right now Log4j security vulnerability was that it was limited to exposed vulnerable servers.

That may now be an incorrect assumption.

The security company Blumira claims to have found a new Log4j attack vector:

Previously, we understood that the impact of Log4j was limited to vulnerable servers. This newly-discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability. At this point, there is no proof of active exploitation.

This vector significantly expands the attack surface and can impact services even running as localhost which were not exposed to any network.

The client itself generally has no direct control over these WebSocket connections, which can silently initiate when a webpage loads. WebSocket connections within the host can be difficult to gain deep visibility into, which increases the complexity of detection for this attack.

Blumira suggests users “update all local development efforts, internal applications, and internet-facing environments to Log4j 2.16 as soon as possible, before threat actors can weaponize this exploit further”. This news makes a vulnerability that was already one of the worst ever seen absolutely devastating.
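Since the advice above covers local and internal applications, not just exposed servers, the first practical step is knowing where log4j-core actually lives on a host. The scanner below is an added example (not Blumira's or this blog's code); it assumes Maven-built JARs, which record their version in pom.properties, and it also looks one level into nested JARs, since an internal app bundling its own copy of Log4j is exactly the case the post warns about.

```python
"""Inventory log4j-core JARs under a directory and flag versions below 2.16.0.
Added example, not Blumira's or the blog's code. Assumes Maven-built JARs (which
carry pom.properties) and looks one level into nested JARs (fat JARs, WARs)."""
import io
import os
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 16, 0)  # the version the post says to move to

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-rc1' is ignored."""
    return tuple(int(p) for p in text.strip().split("-")[0].split(".") if p.isdigit())

def version_from_jar(data):
    """Return the log4j-core version recorded in a JAR's pom.properties, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_jar(path, label):
    """Return [(location, version, vulnerable)] for a JAR and the JARs nested in it."""
    with open(path, "rb") as fh:
        data = fh.read()
    blobs = [(label, data)]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:  # one level of nesting
            blobs += [(f"{label}!{n}", zf.read(n)) for n in zf.namelist() if n.endswith(".jar")]
    except zipfile.BadZipFile:
        pass
    found = [(loc, version_from_jar(blob)) for loc, blob in blobs]
    return [(loc, v, parse_version(v) < FIXED_VERSION) for loc, v in found if v]

def scan_tree(root):
    """Walk a directory tree and report every log4j-core found, sorted by location."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".jar", ".war", ".ear")):
                full = os.path.join(dirpath, name)
                results += scan_jar(full, os.path.relpath(full, root))
    return sorted(results)

def jar_with_version(version):
    """Constructed minimal JAR carrying only the Maven pom.properties marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()

def demo():
    """Build a constructed sample tree (old, fixed, and fat-JAR-nested) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "lib")
        os.makedirs(lib)
        for ver in ("2.14.1", "2.16.0"):
            with open(os.path.join(lib, f"log4j-core-{ver}.jar"), "wb") as fh:
                fh.write(jar_with_version(ver))
        fat = io.BytesIO()  # constructed uber JAR embedding an old log4j-core
        with zipfile.ZipFile(fat, "w") as zf:
            zf.writestr("BOOT-INF/lib/log4j-core-2.13.3.jar", jar_with_version("2.13.3"))
        with open(os.path.join(root, "app", "service.jar"), "wb") as fh:
            fh.write(fat.getvalue())
        return scan_tree(root)

if __name__ == "__main__":
    for loc, ver, vuln in demo():
        print(f"{'VULNERABLE' if vuln else 'ok':10} {ver:8} {loc}")
```

Point scan_tree at a real directory such as an application's lib folder; a JAR with no pom.properties (some vendor repackaging) will not be reported, so treat a clean result as a starting point rather than proof.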

Happy holidays, sysadmins.

Roku Users Livid As Roku OS 10.5 Breaks HomeKit, AirPlay, & More…. And No Fix Is In Sight

Posted in Commentary on December 18, 2021 by itnerd

Hell hath no fury like a scorned Apple user. A situation where Roku drops Roku OS 10.5 on Roku device owners, which then promptly breaks HomeKit support and AirPlay support, illustrates this. Reports of this can be found on Roku’s own forums and Reddit, and what makes matters worse is that Roku’s support people appear to have completely lost the plot by providing rather useless troubleshooting advice. That has led to lots of people being beyond mad. And take it from me, getting Apple users mad is the last thing that a company should ever do. But the problems extend beyond Apple users. Another thread on Roku’s own forums, as well as a story on TechCrunch, illustrates that 10.5 breaks other functionality too.

To be fair, Roku is allowing users to roll back to Roku OS 10.0, which works fine. But this was being handled on a one-to-one basis rather than the company simply rolling all Roku users back to a stable version that works. At least, that was the case until TechCrunch posted their story, after which these instructions appeared to allow users to roll back to a stable version. What’s interesting about this post is that this problem supposedly affects “a small portion of users”, many of whom, if you browse their forums, complain about silence from the company when it comes to these issues. When a company does that, it is never, ever going to end well for said company.

This is the time of year when people buy a lot of electronics, including new TVs. And if someone uses the search engine of their choice to find out what the best brand of TV is for their money, I am pretty sure that they will find lots of complaints about Westinghouse, TCL, Sharp and Hisense TVs that are powered by Roku OS. Which means that sales of Westinghouse, TCL, Sharp and Hisense TVs will likely take a dive, because people will just avoid Roku powered TVs and move towards Android TV products.

The bottom line is that Roku released a version of their OS that is buggy, buggy, buggy. And now their users are paying the price. There’s no end to this in sight, and the lack of real, detailed, and honest communication is hurting Roku’s cause. Frankly, the longer this goes on, the more likely it is that Roku, who sells more streaming devices than anyone else, is going to lose that market share to others such as Google. And they will only have themselves to blame.

#Fail: Toyota Makes Owners Pay To Start Their Cars Via Their Key Fob

Posted in Commentary on December 18, 2021 by itnerd

In one of the dumbest moves since BMW tried to make Apple CarPlay a subscription service, Toyota in their infinite wisdom has apparently decided that it’s a great idea for them to charge a subscription to let owners of Toyota vehicles start their cars using the key fobs:

A Toyota spokesperson confirmed to The Drive that if a 2018 or later Toyota is equipped with Toyota’s Remote Connect functions, the vehicle must be enrolled in a valid subscription in order for the key fob to start the car remotely. To be clear, what we’re talking about is the proximity-based RF remote start system, where you press a button on the fob to start the car while outside of it within a certain distance—say, from your front door to warm up your vehicle in the driveway on a cold morning before you get in. Your fob uses radio waves to communicate with the car, and no connection back to Toyota’s servers is needed. But the function will not work without a larger Remote Connect subscription.

This is frankly mind blowingly stupid. Why? It’s not as if I’m trying to start my car from my phone or Apple Watch. I can see them wanting to charge for that and I wouldn’t bat an eye if they did try to make a buck or two from that. But I’m talking about using the factory supplied key fob that is based on an RF radio. This tech has been around since the age of the dinosaurs. There’s no way on God’s green Earth that they should make you pay for that. In short, this is a very cynical attempt by Toyota to make a few bucks on a recurring basis.

All this does for me is ensure that I will never purchase a Toyota product, just like I removed BMW from my list of cars that I would like to own. And I am going to go out on a limb and say that many other consumers will feel the same way.

Full Harvest Announces $23 Million Funding Round Led By TELUS Ventures

Posted in Commentary on December 17, 2021 by itnerd

San Francisco based company Full Harvest announced the closing of a $23 million funding round, led by TELUS Ventures, to help reduce on-farm waste through digitization of supply chain processes and guaranteeing that imperfect produce won’t go to waste.

With 40 per cent of food going to waste each year, Full Harvest works with some of the largest food and beverage companies, processors, and growers to reduce produce sourcing headaches and food waste by moving the produce supply chain online – allowing buyers to purchase more sustainable produce, lowering food production costs, and creating an additional revenue stream for farmers.

This, coupled with yesterday’s announcement for Ukko Agro, demonstrates the commitment TELUS Ventures has to investing in organizations that are improving farming and agriculture practices across North America.

Forget Pegasus… Meet Predator Which Is The New Weapons Grade Spyware For iPhones That Is Making The Rounds

Posted in Commentary on December 17, 2021 by itnerd

The NSO Group, who makes the Pegasus spyware that targets iPhones, is getting all the attention these days. And rightly so. It’s highly dangerous and should be made extinct as quickly as possible. But there’s a second piece of weapons grade spyware out there that you need to worry about. University of Toronto’s Citizen Lab has released a lengthy report on ‘Predator’ after finding it on an iPhone running iOS 14.6 that had also been infected with NSO Group’s Pegasus.

Here’s what you need to know:

  • Predator is made by a group called Cytrox based in North Macedonia.
  • Predator and Pegasus have similar feature sets.
  • Predator is delivered to the target’s iPhone via a malicious link sent over something like WhatsApp. When the target opens the link, Predator is able to gain access to the phone’s cameras and microphone, as well as pull data off the phone.
  • Unlike Pegasus, Predator cannot silently infect a phone without user interaction. In other words, the spyware relies on user input, like clicking a malicious link, to activate.
  • Predator can survive reboots. Pegasus can’t.
  • Predator was likely being used by government customers in Armenia, Greece, Serbia, Indonesia, Madagascar, Oman, Egypt and Saudi Arabia. Meta has also crossed paths with Cytrox, and its investigation also found Predator customers in Vietnam, the Philippines and Germany. It should also be noted that Meta has banned Cytrox from its platforms and said it removed over 1,500 Facebook and Instagram accounts associated with numerous groups including Cytrox.

Citizen Lab has served this info up to Apple, and the company is apparently investigating. It isn’t clear yet whether this has already been patched or not. So until we get clarity on that, the usual advice applies: don’t ever click on links that are sent to you.

Log4j Actively Being Leveraged By Cybercriminals

Posted in Commentary on December 17, 2021 by itnerd

The rather catastrophic Log4j vulnerability sent the planet scrambling to patch all the things last week before they were exploited by bad actors, which didn’t take long to happen. It’s now become a free-for-all as bad actors really go to town exploiting this vulnerability. For example, Conti ransomware is using the Log4j bug to hack VMware vCenter servers:

Conti, one of the largest and most prolific ransomware gangs today with tens of active full-time members, appears to have taken interest in Log4Shell early on, seeing it as a possible attack avenue on Sunday, December 12.

The gang started looking for new victims the next day, their goal being lateral movement to VMware vCenter networks, cybercrime and adversarial disruption company Advanced Intelligence (AdvIntel) shared with BleepingComputer.

Dozens of vendors have been affected by Log4Shell and rushed to patch their products or provide workarounds and mitigations for customers. VMware is one of them, listing 40 vulnerable products.

While the company provided mitigations or fixes, a patch for vCenter versions impacted has yet to become available.

You have to give Conti credit for acting so quickly. But that also means that a whole lot of things are under threat. Stephanie Simpson, VP of Product Management at SCYTHE, had this comment:

Cybercriminals regularly take advantage of new vulnerabilities, especially ones as wide-ranged as Log4Shell. Critically, most organizations are still in the process of responding to the announcement. They haven’t had adequate time to test their security controls, especially when trying to look for new TTPs using this vulnerability. If we’ve learned nothing from the past year, it’s that organizations are struggling to reduce time to detect and remediate because they don’t have a way to continuously improve people, processes, and technologies. Companies are going to need to assume breach and be proactive over the next few days, and we will likely see an uptick in these attacks through early 2022, at the very least.

Conti aren’t the only cybercriminals who are leveraging this. Anurag Gurtu, CPO of StrikeReady, has this comment about the Khonsari gang, who are also leveraging this vulnerability:

Are we witnessing a match made in heaven? Apparently, a ransomware attack is currently exploiting the Log4Shell vulnerability. It’s the Khonsari ransomware gang who has built an attack using C# and the .NET framework.

After execution, the malware enumerates all mounted drives (other than C:/) and targets user directories including Documents, Videos, Pictures, Downloads, and Desktop. An AES 128 CBC algorithm is used for encryption, and the files are saved with a .khonsari extension.

There are no signs that the Log4Shell vulnerability is slowing down, in fact a second CVE (CVE-2021-45046) just got announced. In the second and third stages, threat actors are aggressively deploying malware families. Among them are Kinsing, XMR, and Mirai. Additionally, some coin-miners and CobaltStrike beacons have been observed in the wild. Nearly 2000 malicious IOCs have been observed so far, which require immediate attention.

We are likely seeing the start of a flood of new attacks leveraging this flaw. So you really need to patch all the things so that you don’t get pwned.

eleven-x’s New eXactpark Solution Will Provide Real-Time Parking Data To Cities, Campuses And Private Organizations

Posted in Commentary on December 17, 2021 by itnerd

eleven-x, a global supplier of wireless IoT solutions, is excited to announce the launch of eXactpark, its newest sensor-based smart parking solution. This game-changing innovative solution will help municipalities, campuses and private organizations drive additional revenues, reduce costs, and ensure a great experience for drivers. eleven-x’s patent-pending, real-time stall occupancy sensor is the key enabling technology for better understanding of how parking assets are being used and for enabling new capabilities designed to improve operations.

With industry-leading accuracy and unsurpassed reliability, eXactpark offers the lowest cost-per-space solution available on the market. Once implemented, this solution will enable seamless parking experiences through proper wayfinding, providing drivers with real-time information on space availability and location. The data it generates will be essential for creating actionable analytics integral to asset management and program planning.

eleven-x’s smart parking solution is also a critical tool to manage parking compliance and enforcement. Sensors enable alerts to compliance officers when vehicles are in contravention of parking conditions, allowing for more efficiency whether it be a warning or parking ticket.

This innovative smart parking solution uses LoRaWAN®, a low-power technology that offers longer battery life for sensors and reduced maintenance costs. Providing industry-leading battery life and unsurpassed reliability, eXactpark’s SPS-X sensor uses a combination of wireless technologies and artificial intelligence to accurately determine the occupancy status of every parking stall. The eXactpark software platform easily integrates with other smart parking technologies and provides historical and real-time data to ensure effective management of parking spaces while optimizing compliance revenues and improving operations.

With the exponential growth of vehicular traffic in cities, it is essential that municipalities, campuses and organizations implement smart parking solutions to better manage traffic flow and provide parking guidance. By incorporating IoT solutions into a smart parking management system, it will be possible to extract valuable data to enhance revenues, streamline operations and improve the customer experience.

eXactpark is available now and installations have already begun for organizations including the Town of Oakville, City of Stratford, City of Spruce Grove and the University of British Columbia. For more information about eleven-x and its sensor-based stall occupancy monitoring solution, visit www.exactpark.com.

Kajeet Uses AWS to Localize Its Sentinel IoT Management Platform in Canada

Posted in Commentary on December 17, 2021 by itnerd

Kajeet, a leading provider of IoT connectivity, software and hardware solutions that deliver safe, reliable and controlled internet connectivity to nearly 3,000 customers, today announced its award-winning Sentinel® IoT management platform is now localized in Canada. By leveraging its longstanding relationships with Amazon Web Services (AWS) and two of the largest network operators in Canada, Kajeet can now ensure that all customer traffic originates, travels and terminates in Canada.

Sentinel uses the AWS Canada (Central) Region in Montreal, enabling Canadian data sovereignty compliance. Kajeet also established private access agreements with two of the largest network carriers in Canada and now addresses customer privacy by ensuring that data in transit is exchanged with its carrier partners at a common, private facility rather than a public exchange point. Sentinel in Canada also creates local/regional redundancy to ensure customers have in-region backup should a primary connection go down.

Kajeet Sentinel was designed to address the specific connectivity needs of today’s mobile students, keeping safety and flexibility top of mind. The platform provides a safe harbor for students to learn, free from distractions and non-education-related content, through a combination of customized website filters, firewalls, reporting and internet gateways that are device- and network-agnostic. To support various learning environments, Kajeet’s entire education-focused product suite – including Kajeet SmartSpot®, Kajeet SmartBus™, Kajeet HomeWireless™ and LTE-embedded devices – is provisioned on Sentinel.

Kajeet Sentinel is also the most advanced solution for controlling an enterprise IoT network from a centralized console, which streamlines IoT operations, cuts costs, reduces latency and increases speed to market. Sentinel enables extensive administrative control that includes hierarchical account structuring, complete visibility into data usage on all connected devices, mobile policy controls, content blocking for added security and the ability to use multiple networks and technologies for the most reliable service in any location.

To learn more about Kajeet Sentinel, visit: https://www.kajeet.net/sentinel-platform/.

My Desk Setup – The 2021 Edition

Posted in Products on December 17, 2021 by itnerd

Last week, I reviewed the FlexiSpot Electric Height Adjustable Standing Desk which is a great desk and a serious upgrade to my work from home game. Now I’ve fully set up my desk and I want to show you what that looks like as it really helps me to be productive:

I’m going to start with the FlexiSpot Electric Height Adjustable Standing Desk. I was able to dial in my ideal position so that I can work in comfort with ease. I highly recommend this desk for that reason alone. But if you want more reasons, I would suggest reading my review on the desk. Let’s go underneath the desk.

With the exception of the desk, which is plugged straight into the wall, all the electronics are powered from the APC BackUPS 600. In my condo, I have UPS units all over to protect my various electronics, as a UPS or Uninterruptible Power Supply will keep your gear running if there is a blackout thanks to the built-in battery. Plus it will protect you from power surges and sags thanks to said battery. It also has a USB-A cable that connects to your computer so that if the UPS needs to shut down your computer due to a power event, it can use that cable to send that command to your computer. I highly recommend these to any computer user to make sure that their equipment is protected from any electrical issues.

I have a monitor on my desk which is the Dell E2210Hc monitor. It’s ten years old but still works fine as it does 1920×1080 resolution without a problem. I do plan on upgrading this monitor at some point. But I want to find a monitor that matches the quality of the display on my 16″ MacBook Pro as that display destroys pretty much any monitor including Apple’s own Pro Display XDR. The monitor sits on top of an old Fellowes monitor stand that I am experimenting with and may remove at some point.

The monitor and the UPS connect to my 16″ MacBook Pro via the USB-C Digital AV Multiport Adapter from Apple. This adapter has a USB-C port, USB-A port, and a HDMI port. So I plugged the monitor into the HDMI port and the UPS into the USB-A port. Then I just plug it into my Mac via a single USB-C cable. It’s a simple solution and works for me. On the other side, I have the USB-C to MagSafe 3 cable that is plugged into the Apple 140W power adapter to keep the MacBook Pro charged.

In front of the monitor is the InvisQi wireless charger that is placed under the desk so that I can charge my iPhone 12 Pro or AirPods Pro. Beside it an Asus mousepad that I got at an Asus event along with a Logitech V470 Bluetooth mouse. It’s a simple mouse powered by two AA batteries that works well for me.

One thing that I needed is storage for things like cables, portable hard drives, tools and the like. That’s where these multi-coloured slide out bins from Really Useful Boxes, which I got at Staples, come in. They allow me to keep my stuff such as cables and tools organized so that I can find it when I need it with ease.

Below that, I have an old Rubbermaid clear storage bin which holds more cables. And at the bottom is a Gry Mattr Three Drawer Cabinet that I got at Staples. This holds my files, pens, and assorted stuff. It can also be locked, which is a big plus for me.

You’ll also note that I have the usual pens, pencil, stapler, and a cordless phone on my desk. Because people still call me even in 2021.

That’s my desk setup for 2021. In 2022, I can see myself doing a monitor upgrade like I mentioned earlier. And I may alter how that monitor sits on the desk. But what do you think? Do you think I am missing anything that would up my desk setup game? Please leave a comment and let me know.

Fisker Inc. Commits to United Nations Global Compact

Posted in Commentary on December 17, 2021 by itnerd

Fisker Inc., which bills itself as the passionate creator of the world’s most sustainable electric vehicles and advanced mobility solutions, has joined the United Nations Global Compact (UNGC) as a signatory and participant.

The UNGC, established in 2000, is the world’s largest corporate sustainability initiative, according to the organization, uniting businesses in over 160 countries to support Ten Principles in areas of human rights, labor, the environment, and anti-corruption. (Additional detail on the Ten Principles can be found below.)

Shortly after going public, Fisker established a stringent framework for Environmental, Social, and Governance (ESG), including company-wide deliverables aligned with the UN Sustainable Development Goals (UNSDGs) and using the SASB reporting structure.

Signing on to the UNGC was a logical next step for Fisker as it pursues an overarching goal of creating the world’s most sustainable all-electric vehicles, starting with the Fisker Ocean SUV, arriving in late 2022. The company aims to produce a climate-neutral vehicle by 2027.

Ten Principles of the UNGC

The UNGC has articulated Ten Principles for the Global Compact, grouped into four areas:

Human Rights

Principles 1 & 2: Businesses should support and respect the protection of internationally proclaimed human rights; and make sure that they are not complicit in human rights abuses.

Labor

Principles 3-6: Businesses should uphold the freedom of association and the effective recognition of the right to collective bargaining; the elimination of all forms of forced and compulsory labor; the effective abolition of child labor; and the elimination of discrimination in respect of employment and occupation.

Environment

Principles 7-9: Businesses should support a precautionary approach to environmental challenges; undertake initiatives to promote greater environmental responsibility; and encourage the development and diffusion of environmentally friendly technologies.

Anti-Corruption

Principle 10: Businesses should work against corruption in all its forms, including extortion and bribery.

Fisker Inc Was Built on ESG

Founded in 2016, Fisker Inc has committed to ESG since the company’s inception and has established a comprehensive ESG framework that informs all aspects of the business. Fisker’s approach to ESG consists of industry leadership, transparency, partnerships, and real-world scientific measurement.

Thanks to this framework, Fisker intends to meet the UN’s requirement to produce a Communication of Progress (COP) on the company’s efforts to support the Ten Principles of the UNGC. The COP will be generated in 2022, documenting Fisker’s specific actions.

Within a few months of going public, Fisker established a publicly reported Responsible Supplier Policy and recently published its Labor and Human Rights Policy, among other important Governance material. The company has formed an ESG Advisory Council that will regularly engage in important Environmental and Social challenges and recommend actions consistent with the company’s values and the Ten Principles of the UNGC.

Renowned actor and United Nations Development Programme (UNDP) Goodwill Ambassador Nikolaj Coster-Waldau has joined the Fisker Advisory Council as its first external member. The “Game of Thrones” actor has been involved with the UNDP since 2016; he will advise Fisker on matters related to the UNGC and the UN’s global goals for sustainable development.