Archive for May, 2022

Rogers & Shaw Hit Pause On Their Merger

Posted in Commentary on May 31, 2022 by itnerd

In a move that many will see as good news, Rogers and Shaw have agreed to pause their merger by consenting to a preliminary injunction until the Competition Tribunal decides whether the deal can go ahead. Here’s a quote from the Competition Bureau website:

Today Rogers and Shaw agreed to a preliminary injunction that prohibits them from closing their proposed merger until the Commissioner’s challenge is heard and decided by the Competition Tribunal.

As part of an agreement that will be registered with the Tribunal, Rogers has also agreed not to enforce any condition in its agreement with Shaw, or any other agreement entered into in connection with the proposed merger that limits Shaw’s ability to operate, maintain, enhance or expand its wireless business.

Rogers and Shaw have also agreed to the Commissioner’s request for an expedited hearing process before the Tribunal. The Commissioner sought an expedited process given the ongoing harm he has alleged is already occurring in the market. The expedited schedule will be set by the Tribunal with input from the Commissioner and the parties.

This isn’t really good news or bad news in my opinion, though some will see it as good news. In reality it’s just part of the process of the Competition Bureau trying to stop this deal, because they know what Canadians from coast to coast to coast know: this is a bad deal and Canadians will lose if it goes ahead, as it creates less competition and not more. The only thing that is interesting is that the Competition Bureau is trying to expedite things. That part is good, as this needs to be sorted sooner rather than later. And I am hoping that by “sorted” it means that this deal is shot out of the sky.

Guest Post: Apple’s Safari Browser Now Has More Than 1 Billion Users Says Atlas VPN

Posted in Commentary on May 31, 2022 by itnerd

Browsers can connect you to any place on the internet. Nowadays, you can choose from an extensive range of programs. However, some browsers can be better for your privacy and security.

According to the findings by the Atlas VPN team, 1,006,232,879 internet users (19.16% of all internet users) now use the Safari browser, making it the second browser with over a billion users. Nevertheless, Google Chrome firmly remains at the top as the most popular browser.

The Safari browser now has more than 1 billion users. The Apple-developed browser is automatically installed on every iPhone and Mac computer, and Safari has implemented several privacy features to ensure its users’ security.

Google Chrome is the most popular browser worldwide, with over 3.3 billion users. Chrome’s application-driven design attracted more and more people to try out the browser. Web applications including YouTube, Drive, Calendar, Docs, Earth, Maps, and others became a gateway into Google’s ecosystem of online services.

Compared to last year’s statistics, Microsoft Edge overtook Firefox as the third most popular browser, with over 212 million users. Since the release of Windows 11, Microsoft has set it as the default browser on all devices and made it difficult for users to change to their preferred option.

Firefox browser ranks fourth with 179 million internet users. Firefox is oriented towards more privacy-concerned users as it offers quite a few features for their protection.

The Samsung Internet browser, found on the company’s smartphones and tablets, is used by more than 149 million users. At the same time, over 108 million users are utilizing the Opera browser for their everyday tasks.

Vilius Kardelis, cybersecurity writer at Atlas VPN, shares his thoughts on browsing safely online:

“Ultimately, user cybersecurity education is the most essential for browser security. Many cyberattacks use social engineering techniques to trick users into downloading malware. Users can protect themselves from threats by adopting safe practices such as keeping browsers up to date, blocking pop-ups, and ensuring the sites they enter use HTTPS.”

To read the full article, head over to: https://atlasvpn.com/blog/apples-safari-browser-now-has-more-than-1-billion-users

Microsoft Discovers Security Flaws In Android Apps Provided By Canadian Telcos Among Other Telcos

Posted in Commentary on May 30, 2022 by itnerd

This isn’t a good look for Rogers, Bell, Freedom Mobile, TELUS and a few other telcos. According to BleepingComputer, Microsoft has found some serious vulnerabilities in Android apps that they distribute:

The researchers found these vulnerabilities (tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601) in a mobile framework owned by mce Systems exposing users to command injection and privilege escalation attacks.

The vulnerable apps have millions of downloads on Google’s Play Store and come pre-installed as system applications on devices bought from affected telecommunications operators, including AT&T, TELUS, Rogers Communications, Bell Canada, and Freedom Mobile.

“The apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers,” according to security researchers Jonathan Bar Or, Sang Shin Jung, Michael Peck, Joe Mansour, and Apurva Kumar of the Microsoft 365 Defender Research Team.

“All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues.

“As it is with many of the pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device.”

Well, that’s not good. But these apps have been fixed. Sort of. Microsoft reached out to the relevant parties and these vulnerabilities were fixed. But the at-risk framework is likely used by numerous other service providers who may still have apps out there that aren’t fixed, which means that threat actors can still launch attacks.

To protect yourself, search for the package name com.mce.mceiotraceagent on your Android device. If you find it, delete it ASAP if you can. I say “if you can” because you might need root access to delete it.
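As an added defensive check that is not part of this post (and not Microsoft’s or BleepingComputer’s tooling), here is a POSIX shell script that looks for the package name above in the output of Android’s pm list packages command, which is the listing you get over adb from a phone with USB debugging enabled. The adb command and the package:<name> output format are real; the sample listings embedded in the script are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example, not from the post or from Microsoft/BleepingComputer: check a
# `pm list packages` listing for the vulnerable mce Systems package named in the
# post. For a live check on a phone with USB debugging enabled you would run
#   adb shell pm list packages | CHECK_LIVE=1 sh this_script.sh
# (adb and the listing format are real; the sample listings below are constructed.)

TARGET_PKG="com.mce.mceiotraceagent"

# Constructed sample listings in the format `pm list packages` prints
# (one "package:<name>" per line); the first one contains the package.
SAMPLE_VULNERABLE="package:com.android.settings
package:com.mce.mceiotraceagent
package:com.android.chrome"

SAMPLE_CLEAN="package:com.android.settings
package:com.android.chrome"

# has_package LISTING PKG: exit 0 if PKG appears as a whole package name in LISTING.
# -x matches the whole line and -F takes the name literally, so a substring such as
# "com.mce" or a longer name that merely starts with the target does not count.
# Output captured over adb can carry CR line endings, so strip them first.
has_package() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qxF "package:$2"
}

# report LISTING: prints one line saying whether the target package is present.
report() {
    if has_package "$1" "$TARGET_PKG"; then
        echo "FOUND: $TARGET_PKG is installed; uninstall or disable it (may need root)"
    else
        echo "ABSENT: $TARGET_PKG is not installed"
    fi
}

if [ "${CHECK_LIVE:-0}" = "1" ]; then
    # Live mode: read the listing piped in from `adb shell pm list packages`.
    report "$(cat)"
else
    # Offline demo on the constructed samples.
    report "$SAMPLE_VULNERABLE"
    report "$SAMPLE_CLEAN"
fi
```

Matching the whole line rather than a substring matters here: a grep for “mce” alone would flag unrelated packages, and a genuine hit is what should trigger the removal (or, where removal needs root, the disable) the post recommends.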

Trend Micro Discovers Linux Based Malware That Targets VMware Servers

Posted in Commentary on May 29, 2022 by itnerd

Bad news for those who run VMware, as if they needed any more VMware-related bad news. Researchers at Trend Micro have discovered Linux-based malware that targets VMware ESXi servers:

We recently observed multiple Linux-based ransomware detections that malicious actors launched to target VMware ESXi servers, a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard drive storage. We encountered Cheerscrypt, a new ransomware family, that has been targeting a customer’s ESXi server used to manage VMware files.

Here’s why this is dangerous. It makes the job of ransomware attackers far easier because they can encrypt the VMware ESXi server and, with it, every guest VM it contains. In effect it’s one-shot pwnage for a threat actor, and that can be catastrophic for an enterprise. There are really no specific mitigation strategies offered up by Trend Micro, but I have one. Have multiple backups and snapshots and store them offline so that they can’t get pwned. Also do regular test recoveries, because backups mean nothing if you can’t use them to recover from something like this.

Review: Specialized ANGi Crash Sensor

Posted in Products on May 28, 2022 by itnerd

July 21, 2021 is a day that I’m going to remember for a very long time. I decided to go out for a quick 35 KM bike ride on a route that I’ve done many, many times before. About 10 KM into the ride I was riding on a bike path that borders Pearson Airport in Toronto. Part of the path crosses a street that is designed for cyclists, meaning that cars are not allowed to turn right on red. Except that one car, a black Nissan Sentra didn’t get the memo. Because as I was crossing on a green light, the Sentra ran the red light, clipped my back wheel and launched me into the intersection. The crash destroyed my rear wheel, but more importantly it left me with three cracked ribs. I ended up in hospital for a few hours after taking a trip there in the back of an ambulance. Beyond that, there was a bigger issue. I have this Garmin cycling computer which has a feature called “Incident Detection”, which didn’t activate and alert my wife to my accident. I ended up calling her from the back of the ambulance. She declared that to be unacceptable and decided to fix that for me. And the way she fixed that was to buy me a new helmet from Specialized which gives you the option to add the Specialized ANGi Crash Sensor. Let’s start with the helmet.

This is the Specialized S-Works Prevail II helmet. Any Specialized product with the word “S-Works” in it is the best stuff that Specialized makes and is one of the helmets that is used by all their sponsored pro riders from teams like QuickStep, TotalEnergies and Bora Hansgrohe. It’s designed to provide maximum protection for your head by using a MIPS system to protect your brain from severe injury while keeping your head cool. In fact, there is this sticker inside the helmet that illustrates that the helmet is designed to keep you cool:

It’s also light and fits really well. But this review isn’t about the helmet, it’s about what’s on the back of the helmet.

If you look at the bottom left of the helmet, you will see a black rectangle. That’s the Specialized ANGi Crash Sensor. It uses what looks to be red 3M tape to stick to a special section of the helmet. Let’s get a closer look at the ANGi Crash Sensor.

The ANGi Crash Sensor is a Bluetooth device that is powered by a CR2032 battery that lasts about six months. You pair it to the Specialized Ride App for iOS or Android devices. And you use it like this:

  • When you start a ride, you use the Specialized Ride App to activate the sensor. The app then sends a message via email or text to contacts that you choose that you’re starting a ride. In my case, that’s my wife.
  • At this point you start your ride and the app tracks your current location in the background using GPS on your phone. You do have the option to let the app record the ride. But I don’t use that functionality as the Garmin does that for me.
  • If the sensor detects a crash, it starts a countdown on your phone. If you’re ok, you can stop the countdown and keep riding. If, however, you don’t stop the countdown, it’ll send an alert to your selected contacts with your last known GPS coordinates and a message that you’re in need of help. It detects a crash using a number of accelerometers that are built into the sensor.
  • If your ride is uneventful, you use the app to turn off the sensor. Your contacts will then be notified that your ride is over.

The app has additional functionality like recording rides, communicating with other riders who use the app, but I don’t use any of that functionality. But it’s there if you choose to use it. You can also use the app to test the sensor and apply firmware updates to the sensor.

During my usage of this helmet and the ANGi Crash Sensor, I have had no false alerts and I have had no issues activating and deactivating the sensor when I start and finish rides. My biggest challenge has been remembering to activate and deactivate the sensor before or after a ride. But that’s an issue that will go away the more I use this sensor, as I am on the bike almost every day.

The Specialized ANGi Crash Sensor works best with Specialized helmets of course, as they are designed to have the sensor, but it can work with other brands of helmets. It goes for $65 CDN and there are no fees for the monitoring service. Given that an accident can happen to anyone, this is a cost effective way to provide peace of mind for yourself and your loved ones.

A Security Researcher Provides His Initial Thoughts On The Verizon DBIR

Posted in Commentary on May 28, 2022 by itnerd

A few days ago the Verizon Data Breach Investigations Report hit the streets. I covered that here and it should be considered required reading by anyone who is responsible for keeping their enterprise secure. I wanted to get another view on the DBIR. Thus I am fortunate to get the initial thoughts of Keatron Evans, principal security researcher at Infosec Institute.

Supply Chain is still top of mind and a serious threat. When we look at the other top items on the list from this report, they are intrinsically linked to the supply chain. Several high-profile Ransomware attacks were at the hands of vendors or suppliers. Several intrusions not involving Ransomware were due to vendors and suppliers. It’s great to see this report finally confirm this, but we’re still not any closer to a solution than we were when the “Winds of Solar” supply chain breach shook the world. 

NOTE: Keatron will be speaking about securing the supply chain at RSA.

82% of actual breaches had a human element to them according to the DBIR. Social Engineering, primarily phishing still leads the way for most data breaches. Credentials fall right behind it. But it’s worth mentioning the relationship between the two. Often times the reward of successful phishing is credential harvesting. This keeps end-user security awareness, Endpoint protection and EDR solutions in the lead as the best weapons to defend against the leading breach avenues. There is also a mention of Pretexting and Business Email Compromise being key drivers for this. I can cite our own internal numbers. Out of all of my clients, companies with 100 or more employees, we’ve had to assist with Business Email Compromise attacks against at least one executive at each organization. So this mirrors what we are seeing at our own micro-level. 

It’s no surprise that training has its own section in the report. There is a very timely mention of how long training can take depending on the outcomes. I tell students all the time. Getting certifications can happen quickly, learning how to do something could take considerably longer than “quickly”, and changing will inevitably take much much longer than “quickly”. In an article I published last year, I proposed that doing intense skills training for IT and cybersecurity staff had a greater net improvement impact on cybersecurity than end-user awareness training does. The statements made in this report about training developers and engineers on security since they build the systems are timely statements and I believe they are right on point. This again echoes my own data from our customers for whom we both train and provide penetration testing and other services.

One of my main concerns with the findings is that while we are improving on remediation, we are still remediating the same things. The vulnerabilities being exploited are not often zero-day in nature and they’re well known and mostly patchable. A lot of the web application attacks which seem to remain high are based on stolen credentials which blurs the actual issue, which is credentials are being stolen instead of bypassed by some advanced zero-day or next-generation attack. I think there are many great pieces of data uncovered by this report. We have to stay diligent in removing low-hanging fruit vulnerabilities because even advanced threat actors are using them. We must make sure we keep our people trained up to be able to combat the latest threats. And lastly, Ransomware is there to stay. It’s become too profitable and too easy. 

My Home Office Setup – The 2022 Edition

Posted in Products on May 27, 2022 by itnerd

For most of this pandemic, I’ve been working in the living room or bedroom of our condo. And my wife has been working in our den. But on the urging of my wife, I’ve changed that by spending a lot of time, as in months, getting my workspace in the den upgraded so that I can work from there. What you’ll see here is a result of that effort. And as a side effect, my wife has decided that she needed to upgrade her workspace setup as well. I’ll show you that in a later article. But for now let’s focus on my setup.

First of all, I almost completely started from scratch with this setup with the goals being that I would have a workspace that I could work from with comfort and ease, and had enough storage so that there wasn’t any clutter. As an added bonus, I had to organize my storage so that I knew where everything was. That meant a new desk, shelves, chairs and other items. Let’s start with the office chair that is part of this setup:

This is the ergoCentric tCentric Hybrid Task Chair. Now this isn’t a cheap chair as this particular one cost me $971.50 CDN. But it’s worth every penny as it is the most comfortable office chair that I have ever owned due to the broad range of adjustability that it offers. But in addition to that, I took the following steps to make sure that I had the right chair. First, on the urging of my wife who has a chair from the same company, I went down to ergoCentric’s showroom in downtown Toronto to have one of their experts walk me through the chairs that they offer and the options that they have. That’s important as I discovered that what I thought I wanted was an all mesh chair as I thought would be easier to sit in because of the increased airflow that mesh offers. But it wasn’t all that comfortable as having a mesh bottom just didn’t work for me. Thus they were able to customize this chair so that I had a foam seat and a mesh back. This was the ticket for me to getting great comfort while working at my desk. I also thought that I wanted a headrest. But after trying a chair with one, I found that this was a non-starter for me as well as that didn’t feel comfortable. Next, I discovered that my wife’s chair which I thought was fine was one size smaller than what I bought. And buying the proper size chair has a huge influence on comfort. Finally, they were able to help me to dial in the set up of the seat, arms, back, lumbar support and the height of the chair before I rolled it out of the showroom to put in the back of my SUV. In short, they did everything to ensure my comfort. Though I did later do my own minor tweaks using this video as a guide to make it perfect for my needs.

What I learned by buying this office chair is that you can’t rely on the opinions of YouTubers, or just buy a well known brand name chair in hopes that you are going to get a comfortable office chair. Nor can you just buy a cheap office chair, as I tried to do that and couldn’t find a chair that worked for me. It’s important that you try out a number of chairs guided by an expert who can help you find what you need. And then get ready to pay, as comfort doesn’t come cheap. One other thing: you also want a substantial warranty just in case something goes wrong with your office chair. This office chair from ergoCentric has a twelve year warranty, which is in line with the best office chairs on the market. The bottom line is that the cash that you put into your chair now will help with your comfort later on.

Next is the desk, this is the FlexiSpot Electric Height Adjustable Standing Desk which has the ability to raise or lower at the push of a button. That means that I can dial in my perfect position that is ergonomically correct. Underneath the desk is a Gry Mattr Three Drawer Cabinet that I got at Staples. This holds my files and assorted stuff like external hard drives. It also can be locked which is a big plus for me. On top of the cabinet is a plastic tray from Amazon that I will go into more detail about shortly. The one thing that you will note about this desk is that there are few cables showing. Here’s how I got that result:

On the left leg of the desk I have a power bar attached with 3M tape that holds the AC adapter for my phone along with the AC adapter for a wireless charger that I will show you later. This layout gives me four places to plug items in temporarily should I need to. The cable for the power bar then follows this path:

I got a box of these cable management raceways and stuck them underneath the desk along the back. Because they are black and the desk is black, you don’t notice them. You’ll also notice some clips that help to guide the cables. I used these clips from Amazon to get that done.

I then used another cable management raceway on the right leg of the desk along with another clip to guide the cables down to the floor. Then I used these velcro cable ties to bundle the cables together and make things somewhat neat. Everything is plugged into this APC BackUPS 600. In my condo, I have UPS units all over it to protect my various electronics as a UPS or Uninterruptible Power Supply will keep your gear running if there is a blackout thanks to the built in battery. Plus it will protect you from power surges (which is too much current) and sags (which is too little current) thanks to said battery. It also has a USB-A cable that connects to your computer so that if the UPS needs to shut down your computer due to a power event, it can use that cable to send that command to your computer. Though I should point out that UPS based shutdown doesn’t work on portable Macs. Which is still fine for me as it still protects my gear. The UPS along with the cables are hidden by the cabinet. The net result is that you only see a pair of cables going to the power outlet.

Top Tip: If you do any sort of cable management on a standing desk, do it while the desk is at the maximum height so that you can not only figure out if you need longer cables to make your setup work, but you can make sure that your cables don’t get pinched or stretch excessively. Speaking of longer cables, I needed two to make my setup work. Specifically a longer power cable for my monitor, and this USB-C cable from Anker which provides power to a Kensington USB-C hub that I will talk about shortly.

Let’s move on to the plastic tray. I got this one from Amazon and most of my every day carry stays in here when it’s not in my pockets. I can push it out of sight, but still have easy access to it. And as a bonus, none of these items occupy any desk space which reduces clutter on my desk. It had a tendency to slide around way too much, but I fixed that by using some cork with an adhesive backing to create some traction on the bottom of the tray.

Now let’s move on to the desk. The problem with having a black desk is that it picks up fingerprints and dust is an issue. To mitigate some of that, I got this desk mat from a Toronto company called Uncrowned Kings. It’s made of vegan leather, it doesn’t move around on the desk, feels very upscale, and best of all only cost me $21 CDN on Amazon.

To the left I have my VTech cordless desk phone which is 20 plus years old and which will likely be replaced in the next year or so. But more importantly there’s this Kensington USB-C Hub which connects my UPS and my monitor to my computer along with having 85W power delivery to charge my MacBook Pro from a Kensington 100W GaN power adapter that is plugged into my UPS. The power adapter required the Anker USB-C cable that I referred to earlier due to the fact that the cable that came with the adapter was too short when the desk was at its full height.

The dock gives me two USB-A ports along with a SD card slot and MicroSD card slot. In short, it’s a one cable solution to not only increase my productivity, but to reduce clutter on my desk. For bonus points, I’ve used 3M tape to attach the USB hub to the desk. That way it not only doesn’t slide about, but it allows me an easier way to connect and disconnect cables.

Attached to this phone I have this Panasonic headset that allows me to talk to people hands free. It’s hanging from a 3M Command hook that’s attached to the shelf that’s next to my desk.

Moving to the right, you see my 16″ 2021 MacBook Pro, which is attached to an Acer Nitro XV271 Z 27″ Gaming Monitor. This setup works well for me as it gives me two screens while taking up minimal desk space. I only had to add a longer power cable to the monitor to get that to work when the desk was at its full height. Now you’re likely wondering where the speakers are in this setup. The thing is that the built in speakers in the MacBook Pro are so good I decided not to get any, which in turn saves desk space. Ditto for an external keyboard, as the built in keyboard is that good.

The monitor is attached to this Vivo Monitor Mount that takes up a minimal amount of space on my desk and is designed for standing desks like this one.

On the right of my desk is a Kensington SureTrack wireless mouse along with a DeltaHub Carpio 2.0 wrist rest which I simply cannot live without as it makes using my mouse way more comfortable.

Moving right I have an Apple Watch charger that’s mounted to this Spigen stand that sticks to my desk without using adhesive. Beside that is an Uncrowned Kings metal tray that holds the wireless earbuds that I typically use. Namely the AirPods Pro, the Taotronics SoundLiberty 79, and the Creative Outlier Air V3 earbuds. This tray was another thing that slid around my desk too much for my liking. But that problem was easily solved with some cork with an adhesive backing on the bottom of the tray.

To the right of that I have my Ember Mug 2 for coffee. Because nothing good happens in my universe without a cup of coffee that tastes great and it is at the perfect temperature. You’ll note that I have a stainless steel charging coaster for it. I got that because I accidentally broke the charging coaster that came with it, and silver was the only colour that I liked out of the ones that were available for replacements that were on offer.

Zooming out, you can see that I have a holder for my pens, a red stapler which is a bit of a shoutout to The Office, a stress release ball, and some coasters to hopefully keep my desk clean when I have a drink on my desk.

To save space on my desk, I have an InvisQi wireless charger which is placed under the desk so that I can charge my iPhone 12 Pro or AirPods Pro as you see here.

To the left of my desk, I have a pair of Ikea Kallax shelves with drawer inserts. I store all of my tools, cables, peripherals, and the like in the drawers. On the shelves, I store things like my accessories from my laptop bag and other random items.

I’ll zoom in on the top, where besides having “Darth Tater” which is a funny Mr. Potatohead figure that my wife gave me, a culturally correct Raggedy Ann Doll which is another item that my wife gave me, and a transformable fighter jet from the Japanese animated movie Super Dimensional Fortress Macross: Do You Remember Love? which is a throwback to my teenage years in the 1980’s, I have a node from my ASUS ZenWiFi AX XT8 setup along with an Apple HomePod mini. You’ll also notice that the HomePod mini is sitting on a stand from Spigen, which makes a marginal difference to how any music the HomePod plays sounds, as it minimizes vibrations that could introduce distortion into the music I am listening to. I have these on all my HomePods, which now total four in the home.

Beside the shelves is a metal utility rack that I use for a variety of purposes.

The bottom shelf has my Brother HL-L2390 DW Laser Printer/Scanner, as well as my QNAP TS-431 NAS which I am looking to replace because of QNAP’s string of security issues. You can also see another UPS, which is made by CyberPower, which is connected to the NAS so that it can shut down gracefully in the event of a power outage, and power back up the NAS when power comes back. Underneath that shelf is space for my toolboxes. The black one is for my bike tools, the other one is for general purpose tools. There’s some other crap that I’ve shoved under there as well.

The next two shelves are largely storage for pens, paper, blank DVD’s, and other random items. But you’ll notice that I have also set up a charging station on the right side.

Here is a closer look at that charging station. I am using a Topvork 60W PD 6-Port USB Charging Hub which allows me to charge any device I need to, as it supports fast charging as well as “normal” charging. You’ll also notice a bunch of power banks in the corner. This is where I store them so that if I need one, I can grab one and go as they are all charged, and every once in a while I check on them to make sure that they are charged and top them off as required.

On the left side of this utility shelf I installed a pair of Ikea SKÅDIS pegboards with some accessories for said pegboard to store random items such as pens, cables, USB sticks, and one of my wife’s spare bicycle wheels.

Lighting is taken care of via the Sylvania Smart+ A19 Full Colour LED Bulb which I covered in my HomeKit setup. While these bulbs were not the most stable when I first got them, I haven’t had any issues with them since. Touch wood. I have them set up like this:

This creates a brightness level that achieves three things. One it creates a brightness level that works well for Zoom or Teams calls. Second, it isn’t harsh on the eyes. Third, it works well with the natural light that comes into the den. As long as these bulbs continue to work, I’ll be very happy to use them.

So that’s my home office setup. All of this has really helped me to have a much more functional workspace that I want to use and spend time in. But I’m not done yet. As mentioned earlier, I am working on getting my wife’s setup in order. That’s taking a bit more time. But when it’s done, you can expect a post on it so that you can see what the result looks like. In the meantime, I’m open to suggestions as to how I can make my setup even better. If you’ve got suggestions, please leave a comment and share your thoughts.

HelpSystems Cybersecurity Week 2022 – A Vehicle To Up Your Cybersecurity Game

Posted in Commentary on May 27, 2022 by itnerd

HelpSystems held their annual Cybersecurity Week on May 17-19. The company billed “Cybersecurity Week 2022” as a 3-day event covering:

  • Expert insights on cybersecurity and the threat landscape
  • Today’s most pressing cybersecurity threats
  • Up-to-date cybersecurity trends and best practices
  • Data compliance regulations
  • Education on HelpSystems’ modular cybersecurity solutions

And what’s even better is that if you missed this, HelpSystems has made the session recordings freely available for anyone to check out. You can see them here, and I have to applaud HelpSystems for making them available. When it comes to improving your cybersecurity game, knowledge is power. And these videos which are between 20 and 40 minutes in length are really good at increasing your knowledge. The speakers are engaging and knowledgeable. I guarantee that you will get something out of these sessions. I viewed a couple of these last night and I’ll be going through the rest over the weekend. If you’re responsible for cybersecurity in your organization, you should set aside some time and have a look at these videos as well.

VMware Vulnerability Inner Workings Shown In Horizon3.ai “Deep Dive”

Posted in Commentary on May 26, 2022 by itnerd

Horizon3.ai has just published “VMware Authentication Bypass Vulnerability (CVE-2022-22972) Technical Deep Dive”, a detailed analysis of the inner workings of a critical authentication bypass vulnerability (CVE-2022-22972) in the VMware Workspace ONE Access, Identity Manager and vRealize Automation products. This vulnerability allows an attacker to log in as any known local user.

Horizon3.ai Exploit Developer James Horseman notes in his summary: “CVE-2022-22972 is a relatively simple Host header manipulation vulnerability. Motivated attackers would not have a hard time developing an exploit for this vulnerability.” Horseman cites results of a Shodan.io search indicating “the healthcare, education industry, and state government sectors all seem to be a fair amount of the types of organizations that have exposures – putting them at larger risk for current and future exploitation.”

If you haven’t done so already, you should apply the updates that are available to mitigate this vulnerability.

The affected products are: 

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

There is also a workaround detailed here for those who can’t patch all the things immediately.

Shimano Bullies Hammerhead Into Removing Support For Di2 In Their Cycling Computers

Posted in Commentary with tags , on May 26, 2022 by itnerd

The title might not make sense to you unless you are a cyclist. So I’ll help you with that. Starting with the players in this story:

  • Shimano: Shimano is a company that is widely known for two things: fishing equipment and cycling parts. In terms of the latter, they are the largest cycling parts company on the planet. Most of the race teams at the top of the sport use their parts. And I use their parts on my race bike.
  • Hammerhead: They make cycling computers that are used by many out there, including the Israel Premier Tech cycling team. And one of their investors is the four-time Tour de France winner Chris Froome, who happens to race for that team. They were recently bought by SRAM, which is the second largest cycling parts company on the planet. Keep that in mind as I tell this story.

With that out of the way, here’s the story. Most cycling computers have some sort of integration with the Shimano Di2 electronic shifting system, which I happen to have on my bike. You can use your cycling computer to see the battery status of the Di2 system and what gear you’re in, as well as use buttons on the brake levers to switch screens on the computer without taking your hands off the handlebars. In fact, Shimano advertises this integration here. Now Hammerhead was one of the companies that had a licensing agreement with Shimano to do this integration. But that ended today when Shimano terminated their licensing agreement. That means that after an upcoming firmware update that is due in June, Hammerhead users won’t have access to this info unless they buy another cycling computer. Here’s what Hammerhead had to say:

THE ADJUSTMENTS COME ON THE REQUEST OF SHIMANO. SHIMANO OFFERED A LICENSE SETTLEMENT WHEREBY HAMMERHEAD WAS GRANTED PERMISSION TOGETHER WITH TECHNICAL PARTICULARS ENABLING THE CONNECTING OF THE HAMMERHEAD UNITS WITH THE DI2 SYSTEM. HAMMERHEAD PROVIDED TO PROCEED SUPPORTING DI2 CUSTOMERS WITH FULL PERFORMANCE AFTER THE SRAM ACQUISITION, HOWEVER IN THE END, SHIMANO RECOGNIZED SRAM AS A COMPETITOR AND THE CONTRACT WAS TERMINATED AT SHIMANO’S REQUEST.”

As an aside, the article that I linked to talks about how this integration works, and why Shimano can act like this. If you really want to go into the weeds, I’d give this article a read. But back to the topic at hand. So let’s boil this down to the relevant facts:

  • SRAM, which competes with Shimano, buys Hammerhead.
  • Shimano terminates its licensing agreement with Hammerhead because Hammerhead is now owned by SRAM, which competes against Shimano.

That pretty much sums it up. The thing is that this is pretty short sighted by Shimano as they’ve just angered every Hammerhead owner on planet Earth, and I am going to go out on a limb and say that a lot of them will get SRAM parts on their next bike rather than Shimano parts just to get that integration. It’s also going to make anyone who doesn’t own a Hammerhead computer and who wants to buy a Shimano equipped bike think twice about doing so.

But there’s more. I own this Garmin cycling computer, which has this integration. Will Shimano go after Garmin, or Bryton, or Stages, or any other company that makes a cycling computer with this level of integration? My guess is no. But I am hedging on that, as Shimano bought Pioneer’s cycling division a while back. That included getting access to Pioneer’s cycling computers. Thus if Shimano is thinking of coming out with its own cycling computers, I can see them trying to take out anyone who uses this integration to make the Shimano offering look better. Though I will point out that if Shimano tries this with Garmin, Shimano will get destroyed, as Garmin is a much bigger company with much deeper pockets.

The bottom line is that this is a PR disaster by Shimano. I get why they thought they had to do this, but it’s still a dumb move. Shimano would do well to find a way to walk this back and do so quickly as this really doesn’t look good.

UPDATE: A quick browse of Twitter shows the PR disaster in progress for Shimano: