Archive for August 15, 2022

Zoom Fixes Mac Security Bug… Until Someone Discovers The Next Security Bug

Posted in Commentary with tags on August 15, 2022 by itnerd

Yesterday I spoke of a flaw in Zoom’s update process on the Mac:

During his talk at DefCon, though, [Patrick] Wardle announced another Mac vulnerability he discovered in the installer itself. Zoom now conducts its signature check securely, and the company plugged the downgrade attack opportunity. But Wardle noticed that there is a moment after the installer verifies the software package—but before the package installs it—when an attacker could inject their own malicious software into the Zoom update, retaining all the privileges and checks that the update already has. Under normal circumstances, an attacker would be able to grab this opportunity only when a user is installing a Zoom update anyway, but Wardle found a way to trick Zoom into reinstalling its own current version. The attacker can then have as many opportunities as they want to attempt to insert their malicious code and gain the Zoom automatic update installer’s root access to the victim device.

Over the last 24 hours, Zoom has rolled out a fix for this. Version 5.11.5 of its Mac app is now available and you should go download it now to fix this issue. And Patrick Wardle, who found the issue, has effectively given this fix his stamp of approval:

So while Zoom was able to fix this quickly, I have to say that this is simply the latest security flaw that has been found in their app. Over the years I have covered flaw after flaw with Zoom. And then there’s the part about them lying about end to end encryption and getting caught doing so. What that says to me is that their security processes are at best sketchy. If Zoom really wants to shake its past demons of playing fast and loose with security, then it needs to make sure that stuff like this is an edge case and not a common occurrence. But for now, this issue is closed. But rest assured there’ll be another one, as I guarantee you that a lot of people are looking at their code looking for exploits. And not all of them will be like Patrick Wardle and tell them about what they find.
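The flaw Wardle described is a classic check-then-use race: the installer verifies the package at a path the unprivileged user can write to, and then, a moment later, installs whatever is at that path. The following is an added example (not Zoom's code, and not Wardle's proof of concept) that models that window in Python and shows the hardened shape beside it. The "signature" is an HMAC with a constructed key standing in for a real code-signing check, the package contents and file names are constructed for the demo, and the attacker's swap is simulated by a hook called inside the window rather than by a real concurrent process.

```python
"""Verify-then-install race (TOCTOU) in an auto-updater, modelled in Python.

Added example, not Zoom's code. The "signature" is an HMAC stand-in for a
code-signing check; the paths and payloads are constructed for the demo.
"""
import hashlib
import hmac
import os
import shutil
import tempfile

# Stand-in for the vendor's signing identity (constructed for this example).
SIGNING_KEY = b"vendor-code-signing-key"

GENUINE_PKG = b"#!/bin/sh\necho 'genuine update'\n"              # constructed
ATTACKER_PKG = b"#!/bin/sh\necho 'attacker payload as root'\n"   # constructed


def sign(package: bytes) -> bytes:
    """Vendor side: produce a signature over the package bytes."""
    return hmac.new(SIGNING_KEY, package, hashlib.sha256).digest()


def verify(package: bytes, signature: bytes) -> bool:
    """Installer side: constant-time check of the signature."""
    return hmac.compare_digest(sign(package), signature)


def install_vulnerable(pkg_path: str, signature: bytes, race=None) -> bytes:
    """Verify the file at a user-writable path, then install from that same path.

    `race` stands in for the attacker: it runs in the window between the
    signature check and the install, as a concurrent process would.
    Returns the bytes that actually got 'installed' (as root, in the real case).
    """
    with open(pkg_path, "rb") as f:
        if not verify(f.read(), signature):
            raise ValueError("signature check failed")
    if race:                          # the window an attacker can hit
        race()
    with open(pkg_path, "rb") as f:   # re-read: whatever is there now is installed
        return f.read()


def install_hardened(pkg_path: str, signature: bytes, race=None) -> bytes:
    """Copy the package into a staging area the user cannot write to, verify the
    staged copy, and install only that copy.

    The staging area here is a private temp dir; a real privileged helper would
    use a root-owned directory with mode 0700. The swap of the original path no
    longer matters because that path is never read again after the copy.
    """
    staging = tempfile.mkdtemp(prefix="updater-staging-")
    try:
        staged = os.path.join(staging, "update.pkg")
        shutil.copyfile(pkg_path, staged)
        with open(staged, "rb") as f:
            data = f.read()
        if not verify(data, signature):
            raise ValueError("signature check failed")
        if race:                      # attacker swaps the user-writable original
            race()
        return data                   # install exactly the bytes that were verified
    finally:
        shutil.rmtree(staging, ignore_errors=True)


def run_demo() -> dict:
    """Stage a genuine package in a user-writable directory, run both installers
    with an attacker that swaps the file inside the window, and report what
    each one installed."""
    workdir = tempfile.mkdtemp(prefix="user-downloads-")
    try:
        pkg_path = os.path.join(workdir, "Update.pkg")
        with open(pkg_path, "wb") as f:
            f.write(GENUINE_PKG)
        sig = sign(GENUINE_PKG)

        def swap_in_payload():
            with open(pkg_path, "wb") as f:
                f.write(ATTACKER_PKG)

        results = {}
        results["vulnerable"] = install_vulnerable(pkg_path, sig, race=swap_in_payload)
        with open(pkg_path, "wb") as f:    # reset so the second run starts clean
            f.write(GENUINE_PKG)
        results["hardened"] = install_hardened(pkg_path, sig, race=swap_in_payload)
        return results
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for name, installed in run_demo().items():
        print(f"{name:10s} installed: {installed!r}")
```

Running it shows the vulnerable installer ending up with the attacker's payload while the hardened one installs the genuine bytes. The design point is that the check and the install must operate on the same object: either the same in-memory bytes, or a copy held somewhere the unprivileged user cannot reach. Checking a path and then trusting the path a moment later is never safe when a less privileged principal can write to it, however fast the check is.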

Another Text Messaging #Scam For You To Be Aware Of

Posted in Commentary with tags on August 15, 2022 by itnerd

I was alerted to this scam a couple of months ago. But I forgot about it until a reader of this blog alerted me to a version of this scam today. Thus in the interest of making sure that the readers of this blog are aware of new scams that are out there, I’m writing about it today.

I have to admit that on one hand it is kind of lame. But on the other hand I can see how it might be effective as it might tempt you to engage with the threat actor. It starts out with the text message:

Now if it were me, I’d delete this text message. But I can see a scenario where someone might reply and engage with the threat actor, which confirms to the threat actor that they have a live person and gives them an opportunity to try and carry out the scam. Here’s another screenshot that was sent to me by a client of mine who did respond before thinking twice about doing so and emailing me for help:

The next thing that happened is that the initial message was followed up with a link which likely would take you to a phishing site where I am guessing that whoever is behind this scam will try to get you to hand over your banking details. In the case of my client, I didn’t get the link that they were sent. And fortunately for them, they did not click on the link, which for the record you should never, ever do. Thus I was unable to test the link out and go down the rabbit hole to understand the scam in greater detail like I normally do with scams that are brought to my attention. But that seems like a likely hypothesis.

Based on my research, this scam has been going on since April of this year and is still ongoing. Thus I would say that if you get a text that looks like the examples above, your best defence is to not respond to the text and delete it.

In Depth: StrikeReady CARA

Posted in Commentary with tags on August 15, 2022 by itnerd

Last week, I had a chance to get a briefing from a company called StrikeReady about a product called CARA which stands for Cyber Awareness And Response Analyst. Before I get to what CARA is, let me define the problem so that you can understand why CARA will make such a difference.

Right now it’s insanely difficult to get people to work as part of cybersecurity teams. And even if you get the staff, chances are that they are going to be on the junior side where experience may become the difference between catching a threat before it becomes a problem and not. On top of that, they have a ton of tools to work with and manage. In other words, cybersecurity teams have a lot of balls to keep in the air and that is difficult at times, if not impossible.

This is why CARA can make such a difference. CARA can:

  • Allow team members to ask questions in a conversational style like “what is Emotet?”
  • CARA will then answer the question within the context of cybersecurity rather than the context of a Google search, and will include the latest information that is relevant to you and your environment. On top of that, CARA can also check a variety of tools within your environment to see if your question is one that affects your attack surface. For example, if the check of your tools reveals that you are open to being pwned by Emotet, it will let you know.
  • The next thing that CARA will do is help you to secure your environment using the tools that you have by offering remedies and mitigations that it can apply with your permission. I should note that CARA comes out of the box with a large number of integrations with popular cybersecurity tools such as Crowdstrike, IBM QRadar, and FireEye. And if you are using something that isn’t in the list of integrations, StrikeReady can help you get that tool supported by CARA within two weeks or more, depending on the tool in question.
  • CARA can also independently monitor for threats and report on them in ways that ensure that you will action the most important info first.

In short, CARA is part of your cybersecurity team. Only CARA is working 24 hours a day to keep you safe.

This will make life much easier for cybersecurity teams. And the demo that I got of it from Anurag Gurtu, who is the CPO of StrikeReady, impressed me. For starters, he showed me how CARA processed conversations by having a debug menu on the screen the entire time. Typically, we in the media don’t get to see how the sausage is made, so to speak, so the fact that he was willing to show that to me was pretty cool. Second, seeing him walk through the workflow of a cybersecurity analyst looking for information on Emotet by asking CARA about Emotet, and then having CARA show information on Emotet as well as the attack surface that existed in his demonstration environment, was impressive. Then being able to reduce the attack surface with a few clicks via the tools that you already own and CARA is set up to use was equally impressive. I can see how companies who use CARA are going to be in a much better position to respond to cyber threats than those who don’t.

CARA is a Software as a Service offering that is aimed at companies that are a few thousand employees in size or bigger. That’s because companies of that size are often more mature when it comes to cybersecurity because they have tools like Crowdstrike, QRadar, and FireEye at their disposal. Smaller companies typically don’t, and I would suggest that this should be a message for smaller businesses to up their cybersecurity game, as I believe that they could benefit from CARA.

I’ve scratched the surface as to what CARA can do. I encourage you to look at StrikeReady’s use cases and case studies to really go in depth as to why CARA is a potential game changer for cybersecurity.

Agari & PhishLabs Released Their Threat Trends & Intelligence Report

Posted in Commentary with tags on August 15, 2022 by itnerd

Agari by HelpSystems and PhishLabs by HelpSystems have released the results of their latest Quarterly Threat Trends & Intelligence Report.

In Q2, Agari and PhishLabs analyzed hundreds of thousands of phishing and social media attacks targeting enterprises, their employees, and brands. This report uses the data from those attacks to present key trends shaping the threat landscape.

Key highlights include:

  • Phishing is Steadily on the Rise: Phishing attacks are up nearly 6% in Q2 from Q1 2022
  • Social Media is an Accessible and Preferred Threat Channel: Social media attacks have increased more than 100% in a year
  • Response-Based Phishing Continues to Climb: Response-Based threats targeting corporate inboxes reached the highest volume since 2020
  • Emotet Leads Ransomware Payloads: Emotet has fully recovered, representing nearly 50% of all malware payload attacks in Q2
  • Hybrid Vishing Attack Volume Trending Up: Hybrid Vishing attacks have increased 625% in volume since Q1 2021
  • O365 Credentials Coveted by Criminals: Nearly 60% of credential theft phishing attacks targeted O365 credentials in Q2

You can read the report here.

TELUS Wants To Charge You 1.5% If You Pay Your Bill Via Credit Card

Posted in Commentary with tags on August 15, 2022 by itnerd

Canadian telco TELUS has put in an application to the CRTC to allow them to charge a 1.5% fee to those who pay their bill by credit card. The CBC has the details:

For a theoretical customer in Alberta whose cellphone bill is $100, the charge would bring their bill to $106.66 — $100 for their basic bill, plus $5 for GST, a $1.58 surcharge for the new fee on top of that, plus another eight cents in GST on the surcharge.

“The company plans to provide advance notices of the fee to its existing customers starting in mid-August,” Telus said in its letter to the regulator.

And:

Telus’ rationale for the move stems from a development this summer, when credit card firms including Visa and MasterCard agreed to a settlement that will see them refund millions of dollars worth of credit card processing fees that merchants have paid them over the years. Crucially, that settlement also gives businesses permission to start charging customers those fees directly starting in October, which is what Telus is trying to do.

Previously, many merchants weren’t allowed to charge customers directly for the fees that credit companies charge them for processing sales. Such fees can range from less than one per cent of the sale, to more than three per cent for some premium cards.

Now, I get why TELUS is doing this. From my view, this seems like a targeted cost recovery exercise for TELUS. And consumers can avoid this fee by paying via their bank, which is what my wife and I do. And I don’t really have a problem with it because there’s an option to avoid this fee. But I think they’re going about it the wrong way. Instead of penalizing customers who use credit cards, how about incentivizing customers to use other payment methods? For example, my wife and I frequent a Chinese restaurant called Congee Queen, and they incentivize us to pay via cash by giving us a 10% discount whenever we do take out, which is frequently. That’s made my wife and me always keep a stash of cash lying around so that if we want take out from them, we can save some money and not have to dash to the ATM. I think if TELUS did something like that, they wouldn’t be facing this sort of backlash:

Rosa Addario, a spokesperson for telecom watchdog OpenMedia, says the plan is just the latest way for the industry to extract more revenue from cash-strapped Canadian consumers.

“All three of our telecom providers … have reported increased profits, increased revenue and increased customers for 2021,” she told CBC News in an interview. “They are doing better than ever. This is just another way to raise our bills through shady practices and extra fees and adding things on top so that we are paying even more than we already are.”

That is a valid point. Telcos in Canada are making tons of money right now. So by TELUS charging this fee, they’ve created an optics issue for themselves as being perceived as greedy. The backlash continues though:

Suze Morrison, a former Ontario MPP, is urging the CRTC to reject the proposal, noting that it will disproportionately impact people who are already financially vulnerable.

“Working class people, low income people are really struggling to make ends meet right now,” she told CBC News in an interview. “The last thing anyone needs is an additional fee just because of how they pay their telephone bill to keep their phone lines connected.”

While credit card surcharges are creeping into many businesses, she says it’s different for a telecom utility to charge them because it is a necessity.

“A consumer has a choice to go to a mom and pop restaurant or to cook dinner at home or to go to a restaurant that’s not charging fees for credit card swipes,” she said.

“But we’ve allowed so much consolidation in our telecom industry and there’s such a monopoly in the sector that it’s not like folks can say, ‘OK, well, if you’re going to charge a fee, I’m going to take my business somewhere else.’ I have nowhere else to go.”

That is a valid point. Part of the problem with TELUS charging this fee is that they create the perception that they are just like Bell and Rogers at a time when a lot of people are not doing well because of the current economic climate. And this is a company that has spent years distancing itself from Bell and Rogers via its social advocacy, among other things. This again creates an optics issue for TELUS. Though I will point out that Koodo and Public Mobile, which are flanker brands of TELUS, won’t have this fee (yet). And I will also point out that these sorts of fees are becoming common.

And I am certain that Bell and Rogers will be putting forth applications to the CRTC to do exactly the same thing. Because having watched this sector for years, if one Canadian telco does something, the other two follow.