Archive for April, 2022

GitHub Issues Warning That Private User Data Accessed Via OAuth Tokens 

Posted in Commentary with tags on April 19, 2022 by itnerd

On April 18th, GitHub issued this Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators. The alert warns that private repository contents were accessed via third-party OAuth user tokens maintained by Heroku and Travis CI. Which of course is very, very bad.

David Stewart, CEO, Approov had this comment:

“API keys and OAuth tokens are prime targets for attackers because they are relatively long lifetime identifiers which can be exploited at scale via scripts, similar to credential stuffing techniques using traditional usernames and passwords.

Organizations must consider worst case scenarios where API keys and OAuth tokens become available to bad actors and ensure that these assets can’t be weaponized against their business. A typical way to mitigate such situations is to implement an additional authentication requirement to ensure that these credentials can only be used from genuine remote client instances, e.g. web apps or mobile apps.”
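The mitigation Stewart describes is usually called a sender-constrained or proof-of-possession token: the bearer token on its own is not enough, and every request must also carry evidence that it comes from the client instance the token was issued to. The following is an added example written for this post, not Approov's product or anything GitHub, Heroku or Travis CI ship. It uses only the Python standard library, so the token format, the HMAC-based proof, the `cnf`/`kid` binding and the `enrol_instance` step (which stands in for a real attestation flow) are all this example's own assumptions; a production design would bind an asymmetric key (for instance DPoP, RFC 9449) and enrol it through genuine app attestation.

```python
"""Sender-constrained (proof-of-possession) tokens, stdlib only.

Added example: a leaked token replayed from another host fails because the
attacker lacks the per-instance key that every request must be proved with.
Token format, proof construction and enrolment are assumptions of this
example, not a real vendor's scheme.
"""
from __future__ import annotations
import base64, hashlib, hmac, json, secrets, time

SERVER_SIGNING_KEY = secrets.token_bytes(32)   # server-side MAC key for tokens
INSTANCE_KEYS: dict[str, bytes] = {}           # kid -> per-instance secret (set at enrolment)
PROOF_WINDOW_S = 60                            # freshness window for request proofs

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def enrol_instance() -> tuple[str, bytes]:
    """Stand-in for attestation: the server records a key for one genuine client instance."""
    kid, key = _b64(secrets.token_bytes(8)), secrets.token_bytes(32)
    INSTANCE_KEYS[kid] = key
    return kid, key

def issue_token(subject: str, kid: str) -> str:
    """Token carries a confirmation claim naming the instance key it is bound to."""
    payload = json.dumps({"sub": subject, "cnf": {"kid": kid},
                          "exp": int(time.time()) + 3600}).encode()
    mac = hmac.new(SERVER_SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)

def make_proof(instance_key: bytes, token: str, method: str, path: str,
               ts: int | None = None) -> str:
    """Client side: MAC over method, path, timestamp and a hash of the token."""
    ts = int(time.time()) if ts is None else ts
    ath = hashlib.sha256(token.encode()).hexdigest()
    msg = f"{method}\n{path}\n{ts}\n{ath}".encode()
    return f"{ts}." + _b64(hmac.new(instance_key, msg, hashlib.sha256).digest())

def verify_request(token: str, proof: str, method: str, path: str,
                   now: int | None = None) -> tuple[bool, str]:
    """Server side: token integrity, expiry, instance binding, proof freshness and match."""
    now = int(time.time()) if now is None else now
    try:
        p64, m64 = token.split(".")
        payload = _unb64(p64)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SERVER_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(m64)):
        return False, "bad token signature"
    claims = json.loads(payload)
    if claims["exp"] < now:
        return False, "token expired"
    key = INSTANCE_KEYS.get(claims["cnf"]["kid"])
    if key is None:
        return False, "unknown client instance"
    try:
        ts = int(proof.split(".")[0])
    except ValueError:
        return False, "malformed proof"
    if abs(now - ts) > PROOF_WINDOW_S:
        return False, "proof outside freshness window"
    if not hmac.compare_digest(make_proof(key, token, method, path, ts), proof):
        return False, "proof does not match client instance key"
    return True, "ok"

def demo() -> dict[str, str]:
    """Constructed scenarios: genuine client, stolen token, replayed proof, re-targeted proof."""
    kid, key = enrol_instance()
    token = issue_token("example-user", kid)
    results = {}
    results["genuine"] = verify_request(token, make_proof(key, token, "GET", "/repos"), "GET", "/repos")[1]
    # Attacker holds the leaked token but not the instance key, so must guess a key.
    forged = make_proof(secrets.token_bytes(32), token, "GET", "/repos")
    results["stolen_token"] = verify_request(token, forged, "GET", "/repos")[1]
    # A captured proof replayed ten minutes later is outside the freshness window.
    stale = make_proof(key, token, "GET", "/repos", ts=int(time.time()) - 600)
    results["replayed_proof"] = verify_request(token, stale, "GET", "/repos")[1]
    # A valid proof for one request does not authorise a different request.
    results["wrong_request"] = verify_request(token, make_proof(key, token, "GET", "/repos"), "DELETE", "/repos")[1]
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} -> {outcome}")
```

The point of the four scenarios in `demo()` is that the token value leaking, which is what the GitHub alert describes, no longer grants access by itself: the attacker would also need the instance key, and even a captured proof is useless once its timestamp ages out or the request differs.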

Chances are if you were affected by this, you will know about it. But it wouldn’t hurt to check your GitHub repositories to make sure.

Users Of Lenovo Laptops Need To Update Their BIOS Firmware ASAP To Avoid Getting Pwned

Posted in Commentary with tags on April 19, 2022 by itnerd

Researchers at ESET have discovered that over 100 Lenovo laptop models have bugs in their UEFI BIOS firmware that allow threat actors to disable the protection for the SPI flash memory chip where the UEFI firmware is stored, and to turn off UEFI Secure Boot, the feature which ensures the system loads at boot time only code trusted by the Original Equipment Manufacturer:

ESET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo consumer laptop models. The first two of these vulnerabilities – CVE-2021-3971 and CVE-2021-3972 – affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were also mistakenly included in the production BIOS images without being properly deactivated. These affected firmware drivers can be activated by an attacker to directly disable SPI flash protections (BIOS Control Register bits and Protected Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime. It means that exploitation of these vulnerabilities would allow attackers to deploy and successfully execute SPI flash or ESP implants, like LoJax or our latest UEFI malware discovery ESPecter, on the affected devices.
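The two protections the ESET excerpt names are worth understanding, because they are exactly what a defender checks when deciding whether a machine's firmware can be rewritten from the running OS. The BIOS Control Register decides whether flash writes are enabled at all and whether that setting is locked, and the Protected Range registers fence off address ranges of the SPI flash regardless of that register. The following decoder is an added example written for this post, not ESET's or Lenovo's code. The bit layouts it assumes (BIOSWE, BLE and SMM_BWP in BIOS_CNTL; WPE, limit, RPE and base fields in PRx) follow the Intel PCH datasheet conventions used by open-source firmware checkers and should be confirmed against the datasheet for your own platform; the register values and the BIOS region bounds are constructed for illustration rather than read from any real device.

```python
"""Decode SPI flash write-protection state from BIOS_CNTL and PRx registers.

Added example (not ESET's or Lenovo's code). Bit layouts are assumed to
follow the Intel PCH datasheet convention; register values are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# BIOS_CNTL (BIOS Control Register) bits, Intel PCH convention (assumed).
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = writes to the BIOS region permitted
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE traps into SMM instead
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = writes accepted only from SMM

# PRx (Protected Range) layout (assumed): bit 31 WPE, bits 28:16 limit,
# bit 15 RPE, bits 12:0 base. Base and limit are in 4 KiB granules and the
# limit names the last protected granule.
GRANULE = 0x1000

@dataclass(frozen=True)
class ProtectedRange:
    base: int             # first protected byte
    limit: int            # last protected byte (inclusive)
    write_protected: bool
    read_protected: bool

def decode_pr(raw: int) -> ProtectedRange:
    """Turn one raw 32-bit PRx value into byte addresses and flags."""
    base = (raw & 0x1FFF) * GRANULE
    limit = ((raw >> 16) & 0x1FFF) * GRANULE + (GRANULE - 1)
    return ProtectedRange(base, limit, bool((raw >> 31) & 1), bool((raw >> 15) & 1))

def assess_spi_protection(bios_cntl: int, pr_regs: list[int],
                          bios_base: int, bios_end: int) -> dict:
    """Report which protections cover the BIOS region [bios_base, bios_end]."""
    findings: list[str] = []
    # Control-register path: writes disabled, the lock set so a privileged OS
    # process cannot simply re-enable them, and SMM-only writes enforced.
    if bios_cntl & BIOSWE:
        findings.append("BIOSWE set: BIOS region writable")
    if not bios_cntl & BLE:
        findings.append("BLE clear: BIOSWE can be re-enabled from the OS")
    if not bios_cntl & SMM_BWP:
        findings.append("SMM_BWP clear: non-SMM code may write flash")
    cntl_locked = not findings
    # Protected-range path: some write-protected PRx must span the whole region.
    ranges = [decode_pr(r) for r in pr_regs]
    pr_covered = any(pr.write_protected and pr.base <= bios_base and pr.limit >= bios_end
                     for pr in ranges)
    if not pr_covered:
        findings.append("no write-protected PRx covers the BIOS region")
    # Either mechanism blocks OS-runtime writes; defence in depth wants both.
    return {"bios_cntl_locked": cntl_locked, "pr_covered": pr_covered,
            "protected": cntl_locked or pr_covered, "findings": findings}

# Constructed BIOS region: the top 10 MiB of a 16 MiB flash part.
BIOS_REGION = (0x00600000, 0x00FFFFFF)

def demo() -> dict[str, dict]:
    """Two constructed register snapshots: a locked system and a weakened one."""
    # Locked: BLE and SMM_BWP set, BIOSWE clear; PR0 write-protects 0x600000-0xFFFFFF.
    healthy = assess_spi_protection(BLE | SMM_BWP, [0x8FFF0600, 0, 0, 0, 0], *BIOS_REGION)
    # Weakened, the state the excerpt describes the drivers producing: BIOSWE set,
    # lock bits cleared, and PR0's WPE bit cleared so the range no longer protects.
    weakened = assess_spi_protection(BIOSWE, [0x0FFF0600, 0, 0, 0, 0], *BIOS_REGION)
    return {"healthy": healthy, "weakened": weakened}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "protected" if result["protected"] else "NOT protected")
        for f in result["findings"]:
            print("   -", f)
```

On a real machine the raw register values come from a firmware-inspection tool rather than being typed in; the decoder is the same. A result with `protected` false after the firmware update has been applied is the signal to investigate further.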

This was reported to Lenovo and a security advisory has been put out with the following advice:

Update system firmware to the version (or newer) indicated for your model in the Product Impact section.

The list isn’t small as it has over 100 notebooks on it. But if your Lenovo notebook is on that list, you need to update your BIOS firmware ASAP because now that this is out there, threat actors will be trying to pwn all they can before updates are widely installed.

Infosec Institute Partners With VetJobs To Provide Cybersecurity Scholarships To Veterans And Military Spouses

Posted in Commentary with tags on April 19, 2022 by itnerd

Infosec Institute, the leading cybersecurity education company, today announced a new Infosec Gives Partner, VetJobs.  VetJobs is a leading veteran charity organization providing job placement and ongoing career progression to veterans, transitioning military and military spouses.

The Infosec Gives Partner Program enables partners to award three annual Infosec Accelerate Scholarships — fully funded by Infosec — through their organization. Each Infosec Accelerate Scholarship provides qualified recipients lifetime access to Infosec Skills, the leading security and IT skill development platform with over 1,000 hours of hands-on cybersecurity training. Each lifetime Infosec Accelerate Scholarship is valued at $15,000. 

As the second official Infosec Gives partner, VetJobs will award three scholarships to a  transitioning service member, veteran, national guardsman, reservist, or military spouse, enabling  them to build and enhance their cybersecurity skills. Beyond the annual scholarships, the Infosec and VetJobs partnership provides discounted online technical training opportunities to VetJobs technology program participants through the Infosec Skills platform.

Infosec’s technical skill development platform, Infosec Skills, includes over 1,200 learning resources to assess teams and close skills gaps with hands-on cyber ranges, labs, projects and courses mapped to the NICE Workforce Framework for Cybersecurity and the MITRE ATT&CK® Matrix for Enterprise.

To learn more about the scholarships and to apply via VetJobs, click to apply.

Scholarship applications will open on April 18, 2022 and will close on May 13, 2022.

TELUS Launches ‘Buy One, Plant One’ Campaign On A Mission To Plant Its 1 Millionth Tree

Posted in Commentary with tags on April 18, 2022 by itnerd

To celebrate Earth Day, TELUS is inviting Canadians to help reach its goal of planting its 1 millionth tree this year. Between April 18 and May 1, TELUS is planting a tree in partnership with Tree Canada on behalf of every TELUS, Koodo, and Public Mobile customer that buys a Certified Pre-Owned cell phone online. As consumers become increasingly conscious of their impact on the environment, a Certified Pre-Owned device is a budget and planet friendly option that helps extend the lifespan of smartphones and keep them out of landfills. To date, TELUS has planted more than 800,000 trees and by the time its millionth tree is planted later this year, it will have planted the equivalent of 20,000 acres of forest, which is twenty times the size of Stanley Park in Vancouver. The Buy One, Plant One campaign is part of TELUS’ commitment to reduce its carbon footprint and become a zero-waste, carbon-neutral company by 2030, earning it the title of one of Canada’s Top 100 Greenest Employers for the second year in a row. 

Earlier this month, TELUS released its 2021 Sustainability Report outlining its environmental, social, and governance strategy and priorities which includes the ambitious goal to use 100 per cent renewable energy by 2025. These sustainable business practices include:

  • Reducing TELUS’ GHG emissions by 41 per cent since 2010;
  • Recycling 3.5 million cell phones since 2005;
  • Generating and purchasing 138,651 Megawatt hours of renewable energy since 2010; 
  • Recycling 1,200 metric tonnes of electronic waste (such as modems) and 1,308 metric tonnes of telephone poles in 2021;
  • Recycling more than 200,000 used devices in 2021 through our Bring-It-Back and Trade-in Programs, and selling more than 122,000 Certified Pre-Owned devices.

In addition to being honored as one of Canada’s Top 100 Greenest Employers, TELUS has also been recognized as the only telecommunications company in Wall Street Journal’s Top 100 Most Sustainably Managed Companies in the World; ranked as the top North American company in environmental, social and governance (ESG) performance in the telecommunications sector for the 21st year in a row by the Dow Jones North American Index; awarded the Terra Carta Seal for leadership on climate change energy transition; featured in Sustainability Magazine’s Top 100 Companies in Sustainability, ranking #8; recognized by Corporate Knights in its Global 100 Most Sustainable Corporations, and as one of the Best 50 Corporate Citizens in Canada in 2021.

Powered by purpose, TELUS is helping drive change across the globe. The Buy One, Plant One offer is another way TELUS is using the power of our technology to make the world a better place. To learn more, visit telus.com/CPO, and to learn more about TELUS’ commitment to a more sustainable future, visit telus.com/sustainability.

Nearly Three-Quarters of Canadian Organizations Think They’ll Be Breached in 2022: Trend Micro

Posted in Commentary with tags on April 18, 2022 by itnerd

Trend Micro Incorporated today announced the findings of its latest global Cyber Risk Index (CRI) for the second half of 2021, standing globally at -0.04, which is an elevated risk level with North America being at -0.01. Canada received a score of 0.16, which shows that the country has a moderate cyber risk level in comparison to global and North American (NA) organizations. The research also found that Canada is more prepared than all of North America to handle cyber risk (at a score of 5.41 vs. 5.35 in NA). However, respondents revealed that nearly three-quarters (74%) of Canadian organizations think they’ll be breached in the next 12 months, with 30% claiming this is “very likely” to happen.

Cyber Risk Index Ratings

Range          Interpretation
5.01 to 10     Low Risk
0.1 to 5.0     Moderate Risk
0 to -5.0      Elevated Risk
-5.01 to -10   High Risk

Cyber Preparedness Index Ratings

Range          Interpretation
7.51 to 10     Low Risk
5.01 to 7.50   Moderate Risk
2.51 to 5.0    Elevated Risk
0 to 2.5       High Risk

The biannual CRI report asks pointed questions to measure the gap between respondents’ preparedness for attacks and their likelihood of being attacked*. In Canada, 83% of organizations claimed to have suffered one or more successful cyber-attacks in the past 12 months, with 32% saying they’d experienced seven or more.

Ransomware, phishing/social engineering, denial of service (DoS) and botnets top the list of key concerns, with negative consequences of a breach including stolen or damaged equipment, lost revenues and costs of outside consultants/experts.

When it comes to IT infrastructure, Canadian organizations are most worried about security risks in relation to mobile/remote employees (score of 7.55/10), third-party applications (score of 7.25/10), and mobile/ smart phone devices (6.55/10). 

While digital investments were necessary to support remote working and drive business efficiencies during the pandemic, this report brings to light the increasing corporate attack surface and the ongoing challenges businesses face securing such investments.

In Canada, the highest levels of risk were around the following statements:

  • My organization’s IT security function strictly enforces acts of non-compliance to security policies, standard operating procedures, and external requirements 
  • My organization’s IT security function supports security in the DevOps environment
  • My organization makes appropriate investments in leading-edged security technologies such as machine learning, automation, orchestration, analytics and/or artificial intelligence tools. 
  • My organization’s IT security function complies with data protection and privacy requirements.
  • My organization’s IT security leader (CISO) has sufficient authority and resources to achieve a strong security posture.

This clearly indicates that more resources must be diverted to people, processes, and technology to enhance preparedness and reduce overall risk levels.

As organizations and security teams struggle to manage the increasing complexity introduced by digital transformation, data privacy, compliance, and more, the need for a platform-based approach will be critical.

An index value is calculated from this information based on a numerical scale of -10 to 10, with -10 representing the highest level of risk. In this report, the Canada CRI stood at 0.16 versus -0.01 for North America and -0.04 for global, indicating a moderate level of risk.  

Musk Considering Bringing In Partners To Help Him to Buy Twitter

Posted in Commentary with tags on April 17, 2022 by itnerd

This keeps getting better and better. Elon Musk has apparently come up with a new plan involving partners which could be announced within days, according to a NYPost report:

One possibility, the sources said: teaming with private-equity firm Silver Lake Partners, which was planning to co-invest with him in 2018 when he was considering taking Tesla private.

Silver Lake’s Co-CEO Egon Durban is a Twitter board member and led Musk’s deal team during the 2018 failed effort to take Tesla private, sources said. Silver Lake declined to comment.

Whether Musk would present Twitter with an entirely new offer — perhaps raising his current bid — or whether new partners would simply go in on a purchase with him isn’t clear. A Musk spokesperson declined to comment.

And about that “poison pill” strategy that Twitter has adopted. Well, he’s got a plan for that too:

For its part, Twitter on Friday adopted a so-called poison pill — a corporate move that prevents Musk from acquiring more than 15% of the company.

But that pill may not stop other entities or people from acquiring their own shares of up to 15% of the company. Those owners could partner with Musk to force a sale, make changes in the executive ranks or push for other overhauls of the company.

So clearly this isn’t a passing thing with Musk. He’s clearly in it to win. The question is, can he actually pull it off?

Second Suitor Approaches Twitter With A Buyout Offer

Posted in Commentary with tags on April 17, 2022 by itnerd

It seems that interest in Twitter is growing. 24 hours after coming up with a “poison pill” strategy to thwart Elon Musk’s attempt to buy the company, a second suitor has emerged with the intention to buy Twitter:

Thoma Bravo, a private equity firm that had more than $103 billion in assets under management as of the end of December, has informed Twitter that it is exploring the possibility of putting together a bid, the sources said. It is not clear how much Thoma Bravo would be prepared to offer and there is no certainty that such a rival bid will materialize, the sources cautioned, asking not to be identified because the matter is confidential.

There’s nothing in the “poison pill” strategy to stop Twitter from taking a look at this offer. It will be interesting to see how Twitter reacts to this, and if this starts a bidding war to land Twitter. Stay tuned for more on this as this is getting interesting.

Cisco WebEx Phones Home Audio Even When Muted…. WTF?

Posted in Commentary with tags on April 16, 2022 by itnerd

If you use Cisco WebEx to meet with people, you should be aware that it will phone home audio telemetry according to some research performed on the most popular conferencing apps out there and reported by The Register. And muting the app has zero effect on this:

Among the apps studied — Zoom (Enterprise), Slack, Microsoft Teams/Skype, Cisco Webex, Google Meet, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet, and Discord — most presented only limited or theoretical privacy concerns. The researchers found that all of these apps had the ability to capture audio when the mic is muted but most did not take advantage of this capability. One, however, was found to be taking measurements from audio signals even when the mic was supposedly off. “We discovered that all of the apps in our study could actively query (i.e., retrieve raw audio) the microphone when the user is muted,” the paper says. “Interestingly, in both Windows and macOS, we found that Cisco Webex queries the microphone regardless of the status of the mute button.” They found that Webex, every minute or so, sends network packets “containing audio-derived telemetry data to its servers, even when the microphone was muted.” 

This telemetry data is not recorded sound but an audio-derived value that corresponds with the volume level of background activities. Nonetheless, the data proved sufficient for the researchers to construct an 82 per cent accurate background activity classifier to analyze the transmission and infer the likely activity among six possibilities — e.g. cooking, cleaning, typing, etc. — in the room where the app is active. Worse still from a security standpoint, while other apps encrypted their outgoing data stream before sending it to the operating system’s socket interface, Webex did not. “Only in Webex were we able to intercept plaintext immediately before it is passed to the Windows network socket API,” the paper says, noting that the app’s monitoring behavior is inconsistent with the Webex privacy policy. The app’s privacy policy states Cisco Webex Meetings does not “monitor or interfere with you your [sic] meeting traffic or content.”

Well, clearly what is in their privacy policy is at best inconsistent with what they actually do. And at worst it’s a lie. But don’t worry, Cisco “fixed” this after it was pointed out to them:

Cisco told The Register that it altered Webex after the researchers got in touch so that it no longer transmits microphone telemetry data.

“Cisco is aware of this report, and thanks the researchers for notifying us about their research,” said a Cisco spokesperson. “Webex uses microphone telemetry data to tell a user they are muted, referred to as the ‘mute notification’ feature. Cisco takes the security of its products very seriously, and this is not a vulnerability in Webex.”

No, it’s not a vulnerability. But it’s pretty bad from an optics standpoint and from a trust standpoint. Hopefully they don’t have anything else in their products that someone can trip over and call them out on. Because that won’t end well from a PR standpoint.

Twitter Serves Up “Poison Pill” To Thwart Elon Musk’s Takeover Bid

Posted in Commentary with tags on April 15, 2022 by itnerd

Elon Musk is trying to buy Twitter and take it private. Twitter said that they would consider it. And now here’s their answer. They are telling Musk to take off:

Twitter, Inc. (NYSE: TWTR) today announced that its Board of Directors has unanimously adopted a limited duration shareholder rights plan (the “Rights Plan”). The Board adopted the Rights Plan following an unsolicited, non-binding proposal to acquire Twitter.

The Rights Plan is intended to enable all shareholders to realize the full value of their investment in Twitter. The Rights Plan will reduce the likelihood that any entity, person or group gains control of Twitter through open market accumulation without paying all shareholders an appropriate control premium or without providing the Board sufficient time to make informed judgments and take actions that are in the best interests of shareholders.

The Rights Plan does not prevent the Board from engaging with parties or accepting an acquisition proposal if the Board believes that it is in the best interests of Twitter and its shareholders.

The Rights Plan is similar to other plans adopted by publicly held companies in comparable circumstances. Under the Rights Plan, the rights will become exercisable if an entity, person or group acquires beneficial ownership of 15% or more of Twitter’s outstanding common stock in a transaction not approved by the Board. In the event that the rights become exercisable due to the triggering ownership threshold being crossed, each right will entitle its holder (other than the person, entity or group triggering the Rights Plan, whose rights will become void and will not be exercisable) to purchase, at the then-current exercise price, additional shares of common stock having a then-current market value of twice the exercise price of the right.

The Rights Plan will expire on April 14, 2023.

So in short, this is a “poison pill” strategy that would effectively dilute Musk’s stake in Twitter, which would make it far more difficult, but not impossible, to buy Twitter and take it private. Now we’ll have to see if Musk is truly serious about buying the company. And what will happen if he can’t.

Stay tuned folks. This is about to get interesting.

Elon Musk Wants To Buy Twitter For Just Over $40 Billion… Oh My…

Posted in Commentary with tags on April 14, 2022 by itnerd

You might recall that recently Elon Musk bought 10% of Twitter stock. Then he was named to the board of Twitter, but only briefly as he pulled out of that days later. At the time I said this:

So where does this go from here? Maybe he goes away. Or maybe he decides to do a hostile takeover of Twitter. I don’t know. But I’ll be watching as this story is far from over.

It appears we’re going with the takeover play:

Elon Musk has made an offer to buy Twitter (TWTR) and take it private, saying he believes it needs to be “transformed.”

According to an SEC filing, Musk has offered to acquire all the shares in Twitter he does not own for $54.20 per share, valuing the company at $43.4 billion. That represents a 38% premium over the closing price on April 1, the last trading day before Musk disclosed that he had become Twitter’s biggest shareholder, and an 18% premium over its closing price Wednesday.

Musk said the cash offer was his “best and final offer,” according to the SEC filing, adding that if it’s not accepted he would have to reconsider his position as a shareholder.

The Tesla CEO sent an offer letter to the company Wednesday night, according to the filing.

Twitter had this to say:

Twitter issued a statement Thursday confirming that it had received the offer. It said its board would carefully review the proposal “to determine the course of action that it believes is in the best interest of the company and all Twitter stockholders.”

Having Twitter become a private company under the control of Musk would likely create chaos. It could cause staff to leave, it could cause the platform to be less relevant. Truly, anything can happen. And that would also be true if Twitter does not accept his offer as he would be likely to leave a trail of destruction going out the door. While I would normally say that you should get your popcorn ready to watch the fireworks, there’s really no good ending to this that I can currently see.