Archive for October 27, 2022

« Older Entries

Breaking: Musk Appears To Have Taken Over Twitter….. Many Top Execs Gone

Posted in Commentary with tags , on October 27, 2022 by itnerd

It appears to be official. Elon Musk appears to have taken over Twitter. And the bloodshed has begun:

Twitter CEO Parag Agrawal and chief financial officer Ned Segal have left the company’s San Francisco headquarters and will not be returning.

Musk had until Friday to complete his $44 billion acquisition of Twitter or face a court battle with the company.

Well, that didn’t take long. Expect more changes from Musk to come. Not all of them good. And expect unhappy users to flee the platform.

1 Comment »

Cybersixgill Finds Compromised Sports Streaming Credentials On the Underground

Posted in Commentary with tags on October 27, 2022 by itnerd

Cybersixgill has found that hackers are selling compromised sports streaming passwords on the underground. Specifically, over the past 2 years, Cybersixgill has found 31,324 posts sharing or selling streaming accounts on underground forums, markets, and messaging platforms and 17,978 posts in access markets that included credentials for a streaming service of pro sports leagues such as the NBA, NFL, MBL, and NHL.

Knowing that games have been increasingly broadcasted on cable television and subscription-only networks that cost hundreds of dollars, hackers are broadening their scope of techniques to harvest credentials. 

You can find out more about this here.

Leave a comment »

New CISA Cybersecurity Performance Goals For critical Infrastructure Announced By DHS

Posted in Commentary with tags , on October 27, 2022 by itnerd

This morning, the Department of Homeland Security released the new Cross-Sector Cybersecurity Performance Goals (CPGs) to provide baseline cybersecurity goals that are consistent across all critical infrastructure sectors. The CPGs identify and prioritize the most important cybersecurity practices for critical infrastructure operators and provide an approachable common set of IT and OT cybersecurity protections to improve cybersecurity across our nation’s critical infrastructure. 

The security directives were developed by CISA, in coordination with NIST, following the mandates set out in the Biden administration’s July 2021 national security memorandum to improve cybersecurity for critical infrastructure control systems.

Robert M. Lee, CEO and Co-Founder of Dragos had this commentary on these security directives:

“CISA has shown their commitment to working alongside the industrial cybersecurity community with the release of the common baseline Cross-Sector Cybersecurity Performance Goals (CPGs). CISA took extensive input and feedback from industry stakeholders and this updated guidance reflects that they were listening closely, providing actionable but not overly prescriptive guidance – exactly the type of support the community has been requesting. It allows asset owners and operators to work towards shared goals while giving them the flexibility and expertise to implement them in ways best suited to their organizations and risks. Most of the CPGs map closely to the critical controls needed for strong OT cybersecurity—namely, having an incident response plan, a defensible architecture, visibility and monitoring, secure remote access, and key vulnerability management. This guidance can help lift industrial cybersecurity standards across the board to better protect our nation’s critical infrastructure. CISA’s continued focus on OT cybersecurity as foundational to national security, and distinct from IT cybersecurity, is an important contribution to the community’s advancement.”

This is the sort of thing that will help to make us all safer and I hope that this is adopted widely so that things like ransomware and other sorts of attacks become less prevalent.

UPDATE: I have a second comment from Yotam Perkal, director of vulnerability research for software security firm, Rezilion:

General impression from the document:

I think the direction CISA chose to take with the CPG is very good. I hope that having the document written in an approachable language, easy to digest, and focused on the fundamentals, will help with adoption. The main underbelly in terms of cybersecurity risk are not the mature, modern enterprises with huge security budgets and an abundance of security controls. Rather, it is the long tail of organizations, without mature cyber programs or procedures in place. For these organizations, a resource such as the NIST Cybersecurity Framework might be overwhelming. If these organizations adopt and implement the bare-minimum recommendations in the GPG, it could go a long way in terms of improving the overall security posture across the US. I also like the fact that CISA is promoting discussion around the guidelines and soliciting for feedback using the discussion page on GitHub

Specifically regarding the Vulnerability Management section:

I think the recommendations are valid and are reasonably straightforward to implement. That said, in order to implement some of them (such as “mitigating known vulnerabilities” and “no exploitable services on the internet”) there is a preliminary stage that isn’t mentioned in the guidelines which is having visibility into your organization’s exploitable attack surface. Assuming that the long tail of less mature organizations have that visibility is a stretch.We have seen evidence to that when we did our Vintage Vulnerabilities research which found over 4.5 million internet-facing devices that are vulnerable to vulnerabilities discovered between 2010 to 2020 that are known to be actively exploited in-the-wild (on the CISA known exploited vulnerabilities catalog). Specifically in the critical infrastructure domain, Security professionals have to be also aware of the capabilities and limitations of their vulnerability scanning tools. As we have shown in our latest research both open-source and commercial scanners and SCA tools are prone to a significant amount of false-positive and false-negative results. For example, when scanning OT assets, a vulnerability scanner without the ability to identify vulnerable components within compiled code will have significant blindspots when it comes to the known vulnerabilities it will be able to identify.

UPDATE #2: Tyler Reguly, senior manager, security R&D at HelpSystems, says:

“The most important take away there is that these goals were selected to address risks to the nation as well as individual entities. This is a big shift from other well-known baseline documents, such as the CIS Benchmarks or the NIST Security Guidance. At the same time, this is not a complete guide, it is a starting point to ensure organizations are all starting on the same footing.”

Leave a comment »

New Research Finds 73% of Organizations will Increase AppSec investment in 2023 as Log4j Anniversary and Recession Looms

Posted in Commentary with tags on October 27, 2022 by itnerd

Invicti has released the firm’s latest research report, which found:

  • 73% of organizations anticipate that they’ll increase their AppSec investments in 2023.
  • 97% of DevSecOps teams say they ignore a real vulnerability at least once a month because they assume it is a false positive.
  • Developers are pushing code with known vulnerabilities due to pressure to deliver.

With the upcoming Log4j anniversary in early December, the 2 year anniversary of the SolarWinds attack and a recession pressuring security budgets, Frank has found that application security is a top priority for CISOs as nation-states, like China, scan for vulnerabilities as a prime attack vector.

You can read that research report here.

Leave a comment »

Michigan Medicine Discloses Email Account Breach

Posted in Commentary with tags on October 27, 2022 by itnerd

Michigan Medicine has notified patients of an employee email account breach which exposed health information of about 33,850 patients. 

From August 15th through August 23rd, a cyber attacker targeted Michigan Medicine employees with an email phishing scam, luring employees to a webpage designed to get them to enter their Michigan Medicine login ingo. Four employees entered their info and then inappropriately accepted MFA prompts, allowed the attacker to access their email accounts.

Ooops.

John Stevenson, Director of Product at Cyren had this to say:

     “The fact that four separate employees followed the phishing link and accepted multi-factor authentication prompts shows how sophisticated these attacks can be. It is as a stark reminder that phishing continues to plague the healthcare industry. Of the 684 breaches of healthcare data reported to the US Government, 41% of them resulted from email incidents. The majority of those email incidents (74%) were from phishing vs. malware or accidental disclosure.

Many companies might blame the user in situations such as this for not heeding the lessons of the corporate Security Awareness Training (SAT) program. However, the reality is that SAT must be augmented with the right inbox security. What is needed is additional assistance for the user such as Scan and Report buttons within the Outlook inbox that empower the user to put the lessons learned from SAT into practice then and there, taking a proactive approach to email security.”

This illustrates the fact that people are the weakest point in cybersecurity. And organizations need to focus on making that a non factor to stop incidents like this from happening.

Leave a comment »

Koodo Introduces New Customizable Pick Your Perk Plans

Posted in Commentary with tags on October 27, 2022 by itnerd

Today, Koodo launched its Pick Your Perk plans, a new line-up of customizable rate plans that lets customers personalize their plan with a free feature of their choosing. Pick Your Perk plans start at $45 per month, and enable customers to choose one free perk – with different rate plans offering different perk options to select from.

There are five perks for customers to choose from, including Premium Voicemail, Unlimited International SMS, Rollover Data, Speed Boost, and Unlimited Long Distance Pack. Whether customers choose Rollover Data to roll-over unused data into the next month, or an Unlimited Long Distance Pack to stay connected to loved ones overseas with unlimited talk time to the US, China, Hong Kong, India, Mexico, Bangladesh, and the UK — there’s a perk for everyone.

At Koodo, it’s all about choice. These new rate plans are just another way Koodo helps customers create a plan that’s just right for them.

To learn more about the new Pick Your Perks plans, visit koodomobile.com

Leave a comment »

New Cybersecurity VC Firm Research: Q3 Reveals Decline in Cyber Valuations as Recession Takes Hold

Posted in Commentary with tags on October 27, 2022 by itnerd

DataTribe, a cybersecurity seed investor, has released the firm’s Q3 2022 Insights Report highlighting how cybersecurity investing is trending this quarter compared to last year and the previous quarters.

According to the report, Q3 marked a continued decline in valuations across nearly all stages. The current economic headwinds are pressuring private capital markets like public markets. The exception is Seed investment activity in cybersecurity, which increased 37.5% from 24 to 33 deals YoY. 

You can read the full report here.

Leave a comment »

Apple Exec Confirms That Apple Will Go USB-C On The iPhone… Why You Should Not Get Excited Just Yet

Posted in Commentary with tags on October 27, 2022 by itnerd

In the last few days, the EU confirmed that any mobile device such as a mobile phone needs to have USB-C. Since pretty much every mobile phone out there has USB-C already, this means that Apple will have to ditch the 12 year old Lightning standard and go to USB-C. Yesterday, Greg Joswiak, also known as “Joz” confirmed in a Wall Street Journal interview that Apple would be complying with this law. I have the video posted below and I encourage you to watch the whole video as a whole number of topics were covered and it makes for interesting viewing:

Now. Apple finally ditching Lightning after 12 years is a good thing. I am all for that as that’s one less cable that I have to remember to carry on my next trip. But before you stop traffic and hold a parade, consider this. The European Union only addressed the physical connection. And that’s where the potential problems start. USB-C can be used for everything from USB 2.0, which would make the transfer speeds no faster than they are, to Thunderbolt 4. The latter would be a massive boost for transfer speeds and make a lot of people who use iPhones to shoot Pro Res video in 4K very happy. But only if Apple goes that route.

Consider these scenarios:

  • Apple ditches ports entirely, which would in theory comply with the EU law the way I read it. Now there have been rumours of Apple going this route for years to avoid being forced to use USB-C. But I don’t see them doing that. At least not yet.
  • Apple switches to USB-C but they also keep the USB 2.0 speeds that Lightning has. That way they can plausibly say that they comply with the new EU law. Plus for bonus points they may also introduce their own “feature” for fast data transfers off iPhones.
  • Apple switches to USB-C but they also keep the USB 2.0 speeds that Lightning has for the “regular” iPhones. And they go to Thunderbolt 3 or 4 for the “Pro” iPhones. That way they force people who care about fast data transfer speeds to spend more money.
  • Apple switches to USB-C but they go to Thunderbolt 3 or 4 for the all the iPhones. I don’t see them doing that as that would not be the Apple way of doing things since they couldn’t make extra money by doing so. But I am free to be surprised.

Beyond that, USB-C also opens up the possibility of faster charging speeds. So the iPhone could be like many Android phones that do 40W, 50W or even 100W or more of charging. But would Apple go that route or would they stick to the 20W charging that has been on iPhones for a while now? That’s a good question. My guess is no they won’t because Apple really cares about battery health. But again, I am free to be surprised.

These are all things that I suspect will not be addressed until this time next year when the new iPhone appears because Apple isn’t the sort of company to put their cards on the table so to speak. Thus while this move to USB-C is a good thing, you may have to temper your enthusiasm until more details surface in regards to what that means for iPhone users.

Leave a comment »

Hackers Spoof Scanner Notification Emails to Attach Malicious Trojans in Phishing Campaign: Avanan

Posted in Commentary with tags on October 27, 2022 by itnerd

Researchers at Avanan, a Check Point Company, discovered how hackers are using scanner notification emails to send malware to end-users. 

In this attack, end-users are sent a spoofed notification that they have received a scanned message. To spark high interest, the subject line of the email was titled “Commission Receipt”, and the email contained a scanned document appearing as a .htm file, but in fact, was a malicious trojan waiting to be clicked on to take over the end-user’s computer. 

You can read more about this novel attack here.

Leave a comment »

Review: Technaxx Pro TX-168 Universal Car Alarm

Posted in Products with tags on October 27, 2022 by itnerd

I live in Toronto Canada, and car thefts are on the rise around here. Seeing as your car is the second most expensive investment that you’ll make, it makes sense to take steps to protect it. An aftermarket alarm is one of the ways to go and I’ve got one of those to review today. Specifically the Technaxx Pro TX-168 Universal Car Alarm.

The Technnaxx Pro TX-168 car alarm is made up of these parts:

This USB or accessory socket-powered device is the “brains” of the alarm system. I would plug it into a 12V outlet and leave it there as that’s the cleanest setup possible. It has a built in battery that takes about 2 hours to charge and lasts about 2 weeks. You’ll also note that it has USB-A and USB-C connections to charge your phone which is handy. A blue LED under the dome that’s on the right side of the picture indicates charging is in process. The LED also flashes blue when the battery is low, multiple colors when pairing, and green when charged. Red blips (with audible beeps) indicate when activating and deactivating, flashing red every five seconds to indicate the system is active, or solid red to indicate when the alarm has gone off. It detects motion via a passive IR sensor and activates this speaker:

When that motion is detected, it sends a wireless signal on the 2.4 GHz band to activate this remote siren that when I tested it registered 101 dB on my Apple Watch. The siren lives in your engine bay which makes it hard to get to for bad guys. Thus this hopefully should make the more opportunistic thieves run away if they set the alarm off.

The alarm is activated and deactivated with an included key fob powered by a CR2032 battery that is included. Personally, if two people drive the same car, you need two key fobs. Thus I would have like to have seen two fobs in the box. Though I should note that you can pair up to three key fobs. One thing to note is that the key fob does double duty as a panic alarm that registered 97 dB on my Apple Watch when I tested it. The fob has a maximum range of about 10 meters (30 feet) and will work through the vehicle’s windows. If the button is held for about 4 seconds, the alarm chirps four times and the alarm is disabled.

Setup isn’t hard, but you might want to grab a friend who is comfortable under the hood of a car if you are unsure about doing this. The setup process is well documented in a really thick manual that is in multiple languages and only took me about 10 minutes to finish. I should also note that I can see a scenario where you can move this from car to car as it’s easy enough to do.

I would recommend this for someone who has an older car. By that I mean more than 6 or 7 years old as this would be an easy enough upgrade to make that car less desirable to thieves. The only downside that I can see is that the system will only stay live for up to 14 days because that’s how long the battery lasts. So if you were on vacation for a couple of weeks, that might be an issue. But at a cost of 70 Euros or $95 Canadian, it’s a cost effective means to secure the second most expensive purchase that you will make.

Leave a comment »

« Older Entries