Archive for November 15, 2022

Sobeys Employees Detail The Chaos Inside Sobeys Stores After They Were Pwned By Ransomware

Posted in Commentary with tags on November 15, 2022 by itnerd

Last week word started to filter out that Canadian grocery chain Sobeys got pwned by ransomware. The chain claimed that they had an “IT issue”, but by the end of the week there was proof that they had been pwned. Now CBC News is giving us an inside look at the chaos that ensued after the chain was pwned:

“Somebody higher up got an email and basically clicked a link they weren’t supposed to,” said the front-end Safeway employee. “I don’t know the exact dollar figure, but I know it was like millions, like several millions.”

The troubles began overnight Thursday, Nov. 3 into Friday, Nov. 4.

When employees arrived for work on Friday, their computers took longer than usual to boot up, and when they finally did, “nothing came up other than this big white block in the middle of the screen that said ransomware, please comply before proceeding, or something like that,” said a worker in a meat and seafood department at a Safeway store.

“I saw the word ransom and that scared me right away.”

And:

The computer issues have also disrupted Empire’s ability to maintain its usual scheduling and payroll systems.

“I literally went into work and there was like a schedule written down on a piece of paper and I’m like, what is this?” said a worker.

Some employees are being asked to write down their hours in a logbook.

Employees in the chain are paid every other week, and some were told last week they would not get paid last Thursday, their scheduled payday.

However, workers later told the CBC the company found a workaround: since the first week of the two-week pay period occurred before the ransomware attack, employees would receive the same amount of pay for the second week, even if they did not work the same number of hours. Each employee also received an extra $100 on Thursday to compensate for any extra hours they may have worked the second week.

Once the payroll system is functioning again, any worker who was overpaid will be expected to return overpayments.

And:

Many customers are likely unaware of the difficulties employees are dealing with. But some impacts have been clear.

On the first day of the outage, some self-checkout machines weren’t working.

“The lineups at the tills, because people aren’t used to that and we pump a lot of people through these self checkouts — so, a lot of pissed-off customers over that,” said a Safeway worker.

Customers have been unable to use gift cards or redeem Scene loyalty points, and stores have been unable to process Western Union transfers — causing frustration for some, one employee said. 

The company has not officially told employees the cause of the outage. They have been instructed to simply tell customers it’s an IT issue.

“You kind of feel bad having to like just you know, water it down, what’s really going on, to customers,” said an employee. “You feel like you’re deceiving everybody because there’s more going on behind the doors than what they’re trying to make it out to be.”

This shows the sort of carnage that being pwned by ransomware can cause. It also shows what happens when you don’t have a remediation strategy in place in case you do get pwned. Clearly Sobeys had a huge hole in their cybersecurity plan. Or they didn’t have a plan. Either way, I say parliament should find out. Sobeys is the second largest grocery retailer in the country, which means that this is a non-trivial event. And Canadians deserve answers as to how and why they got pwned and how they will avoid getting pwned again in the future.

Symantec Tracks And Documents A Threat Actor Named “Billbug”

Posted in Commentary with tags on November 15, 2022 by itnerd

Symantec has released a blog post detailing a threat actor named “Billbug”, which appears to be a nation state actor that has gone after a certificate authority as well as government agencies:

Symantec, by Broadcom Software, was able to link this activity to a group we track as Billbug due to the use in this campaign of tools previously attributed to this group. Billbug (aka Lotus Blossom, Thrip) is a long-established advanced persistent threat (APT) group that is believed to have been active since at least 2009. Symantec has previously published on this group’s activity in 2018 and 2019 under the Thrip name, but following our 2019 investigation, we determined that Thrip and Billbug were most likely the same group so now track all activity under the Billbug name.

In activity documented by Symantec in 2019, we detailed how the group was using a backdoor known as Hannotog (Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex). Both these tools were also seen in this more recent activity.

The victims in this campaign included a certificate authority, as well as government and defense agencies. All the victims were based in various countries in Asia. Billbug is known to focus on targets in Asian countries. In at least one of the government victims, a large number of machines on the network were compromised by the attackers.

The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic. However, although this is a possible motivation for targeting a certificate authority, Symantec has seen no evidence to suggest they were successful in compromising digital certificates. Symantec has notified the cert authority in question to inform them of this activity.

This activity has been ongoing since at least March 2022.

Kevin Bocek, VP of Security Strategy and Threat Intelligence, Venafi had this to say:

“The compromise of a digital certificate authority (CA) is bad news. CAs are a vital centerpiece in the system of identity that keeps our online world running securely. A CA issues companies with TLS certificates – a type of machine identity that enables secure machine-to-machine communication. This identity tells other machines that it can be trusted. It is this system that enables the green padlock we are all so familiar with now. If a CA is compromised, all the identities associated with it come into question. 

In this particular case, the attack on the CAs has all the tell-tale signs of a sophisticated nation state attack. However, this doesn’t just impact the CAs – every business, consumer and government that relies on these CAs to know whether a digital service is real or fake, and whether communications are private or tapped, is impacted. An attacker could use this position of power to conduct man-in-the-middle attacks, to intercept encrypted traffic, or to issue identities for malicious or fraudulent services to enable them to be trusted by major browsers and operating systems. We’ve seen this play out with attacks such as DigiNotar in the Netherlands.  

To remediate the problem, just as you change your passwords if they are breached, CISOs, CIOs and CEOs must do the same for machine identities. In today’s age of businesses running in the cloud, organizations must quickly identify and remove all certificates associated with unknown and untrusted CAs, and replace them with new certificates from trusted sources. Yet an organization could have hundreds, if not thousands of identities to replace. This is why organizations need to invest in a control plane that can automate the management of machine identities.” 

Sitaram Iyer, Senior Director of Cloud Native Solutions, Venafi had this to add:

“This compromise of a certificate authority (CA) highlights the importance of managing all machine identities in an enterprise. If the compromised CA were the root CA, then the attacker could potentially gain full control over the entire PKI infrastructure and compromise the trust in the system. All the certificates issued by this CA must be revoked and replaced. This certainly comes at a high-cost effort – and in most cases, credibility of the organization.

This can be even more catastrophic as organizations create subordinate CAs that are used for signing workloads in cloud native environments for managing pod or mesh identities. The sheer volume of these identities and the need to revoke all subordinates, recreate them and issue identities for workloads is a huge effort.  

Protecting and managing all the machine identities, irrespective of where and how it’s used, is critical for creating an enterprise security posture. Manual processes need to be eliminated, and all machine identity management should be 100% automated with security teams having the right kind of observability.” 

Clearly this is a threat actor that needs monitoring, as they aren’t going away. In fact it seems that the longer they are around, the more sophisticated they get.

Hackers Using Steganography For Malware Attacks 

Posted in Commentary with tags on November 15, 2022 by itnerd

In early September 2022, researchers identified a threat group called Worok that targeted many victims, including government entities around the world, to gain access to devices. They concealed information-stealing malware inside PNG images using least significant bit (LSB) encoding, which stores the malicious code in the least significant bit of each pixel value, where the change is invisible to the eye.

To get a view of this attack from the security industry, I have commentary from Alyn Hockey, VP Product Management at cybersecurity software and services provider Fortra:

“It’s a hack that’s easily undetected and the old technique is increasingly used to hide malware payloads. So, when an image is viewed by a member of an organization, the payload, otherwise known as a virus, worm or Trojan, can start work immediately – resulting in damage to systems and loss of data.

Steganography examples can be traced back as early as 5 BC when used as a defense tactic by Histiaeus, a Greek ruler of Miletus. Histiaeus shaved and tattooed a man’s head with messages that would go unnoticed once his hair grew back. The allies, aware of the practice, found the warning messages on the man’s scalp.

Fast forward to 2022 when an employee of General Electric was convicted of conspiracy to commit economic espionage. While this sounds like something out of a thrilling motion picture, the former employee simply used steganography. He was able to take company secrets in files by downloading, encrypting, and hiding them in a seemingly mundane sunset photo. He used his company email address to email the image to his personal email address. According to court documents, the encryption process took less than 10 minutes. 

Again, while not as common as other cyberattacks, the shocking and quick way it can fly under the radar is reason enough to have a security solution that protects not only from external threats like malware but keeps data safe through effective data loss prevention methods. Organizations can apply an anti-steganography feature to sanitize all images as they pass through the secure email gateway. Anti-steganography removes anything hidden within the image, which will not visually alter the image but make it impossible for recipients to recover hidden information – including accidental opening of malware. While this will cleanse all images, it mitigates the overall risk thereby keeping the organization safe – doing so in milliseconds, so the flow of business won’t be disrupted.”

The Bleeping Computer story that I linked to has a lot of detail that is very much worth reading.
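The anti-steganography sanitizer Hockey describes, written here as an added example rather than Fortra's or the Worok researchers' code: it operates on the raw 8-bit channel values of a decoded image (no image library needed), includes a small LSB embedder purely as a test fixture, and shows that randomising every least significant bit changes no value by more than 1 yet leaves nothing recoverable from the LSB plane. The cover image and payload are constructed.

```python
"""Anti-steganography sanitizer for LSB-embedded payloads (added example)."""
import os

# A "cover image" here is just a flat sequence of 8-bit channel values
# (e.g. the RGB bytes of a decoded PNG), so the code runs without Pillow.


def lsb_embed(channels: bytes, payload: bytes) -> bytearray:
    """Test fixture only: write payload bits (MSB first) into the least
    significant bit of successive channel values. This is what an LSB
    stego image looks like; it exists so the sanitizer has something to destroy."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(channels):
        raise ValueError("payload does not fit in cover image")
    out = bytearray(channels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # changes the value by at most 1
    return out


def lsb_extract(channels: bytes, nbytes: int) -> bytes:
    """Read nbytes back out of the LSB plane (what a loader would do)."""
    result = bytearray()
    for i in range(nbytes):
        value = 0
        for j in range(8):
            value = (value << 1) | (channels[i * 8 + j] & 1)
        result.append(value)
    return bytes(result)


def sanitize_lsb(channels: bytes, rng=os.urandom) -> bytearray:
    """Gateway-side sanitization: overwrite the LSB of every channel value
    with a fresh random bit. Each value moves by at most 1 (invisible to a
    viewer), but any payload carried in the LSB plane is irrecoverable."""
    noise = rng(len(channels))
    return bytearray((c & 0xFE) | (n & 1) for c, n in zip(channels, noise))


def max_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel change between two images of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    cover = bytes(range(256)) * 4          # constructed 1024-channel "image"
    secret = b"payload!"                   # constructed marker standing in for a payload
    stego = lsb_embed(cover, secret)
    print("recovered before sanitizing:", lsb_extract(stego, len(secret)))
    clean = sanitize_lsb(stego)
    print("recovered after sanitizing: ", lsb_extract(clean, len(secret)))
    print("max visible change:", max_delta(stego, clean))
```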

NSA Releases Guidelines On Mitigating Software Memory Safety Issues

Posted in Commentary with tags on November 15, 2022 by itnerd

Yesterday the NSA released guidelines on how organizations can implement protections against software memory safety issues. Here’s a snippet from the press release on the topic:

The “Software Memory Safety” Cybersecurity Information Sheet highlights how malicious cyber actors can exploit poor memory management issues to access sensitive information, promulgate unauthorized code execution, and cause other negative impacts.

“Memory management issues have been exploited for decades and are still entirely too common today,” said Neal Ziring, Cybersecurity Technical Director. “We have to consistently use memory safe languages and other protections when developing software to eliminate these weaknesses from malicious cyber actors.”

Microsoft and Google have each stated that software memory safety issues are behind around 70 percent of their vulnerabilities. Poor memory management can lead to technical issues as well, such as incorrect program results, degradation of the program’s performance over time, and program crashes.

I got commentary from Yotam Perkal, Director, Vulnerability Research at Rezilion on this guidance:

Regarding the NSA guidelines, it is true that the majority of exploitable vulnerabilities in languages such as C and C++, are due to memory issues. That said, these languages are still extremely widely used especially in applications that are performance oriented. In the latest StackOverflow developer survey, close to 40% of developers claimed to be using either C or C++ in their daily work, even in open source projects over 15% of the code is still written in these languages (see here). Hence, I don’t see them disappearing any time soon. 

It is also important to note that even with a memory safe language, memory management is not entirely memory safe as most of these languages allow the developers the flexibility to perform potentially unsafe memory management tasks. Moreover, for an existing project, migration of code from one language to another isn’t a trivial task and requires skilled workforce in both the source and target language. So all in all I think while the recommendation is valid, I don’t believe it will be widely adopted. 

Organizations that do have applications written in memory unsafe languages, should definitely take efforts to make sure they perform proper testing (SAST and DAST) as part of the development cycle in order to identify potential memory issues before code makes its way to production. They should also make sure to enable various binary hardening mechanisms such as ASLR, CFG, NX bit and others while compiling code written in memory unsafe languages. These mechanisms make potential exploitation far more complex. There are open-source tools that enable evaluation of binary hardening status for existing binaries such as checksec.sh.

For open-source projects, there is a possibility to check eligibility to enroll to Google’s OSS-Fuzz project which aims to make common open source software more secure and stable by performing automated fuzzing.
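A minimal checksec-style check of the hardening flags Perkal lists, written as an added example and not Rezilion's or checksec.sh's own code: it reads the ELF64 program headers directly to report NX stack, PIE and RELRO, and constructs two header-only sample binaries so it runs without a compiler. It assumes little-endian ELF64 input; full RELRO, stack canaries and CFG (a Windows mechanism) need the dynamic section, symbol table or PE headers and are not covered.

```python
"""Header-only checksec: read ELF64 program headers and report NX/PIE/RELRO."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4


def parse_elf(data: bytes):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image.
    Assumption: only this class/encoding is handled (typical x86-64 Linux binaries)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def check_hardening(data: bytes) -> dict:
    """Report the three mitigations that are visible from program headers alone."""
    e_type, phdrs = parse_elf(data)
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    # A missing PT_GNU_STACK entry makes the Linux kernel fall back to an
    # executable stack, so that case is reported as NX disabled as well.
    nx = bool(stack_flags) and not (stack_flags[0] & PF_X)
    # ET_DYN plus a PT_DYNAMIC segment is a PIE (shared libraries look the same).
    pie = e_type == ET_DYN and any(t == PT_DYNAMIC for t, _ in phdrs)
    # PT_GNU_RELRO proves at least partial RELRO; full RELRO additionally needs
    # DT_BIND_NOW in the dynamic section, which this example does not parse.
    relro = any(t == PT_GNU_RELRO for t, _ in phdrs)
    return {"nx": nx, "pie": pie, "relro": relro}


def check_file(path: str) -> dict:
    """Run the check against a real binary on disk."""
    with open(path, "rb") as fh:
        return check_hardening(fh.read())


def build_elf(e_type: int, phdrs) -> bytes:
    """Constructed sample input: an ELF64 header plus program headers, no code."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class, data, version, ABI
    phoff, phentsize = 64, 56
    header = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 0x3E, 1, 0, phoff,
                         0, 0, 64, phentsize, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return header + body


# Constructed samples: one laid out the way a hardened toolchain would produce,
# one with an RWX stack, no RELRO and a fixed load address.
HARDENED = build_elf(ET_DYN, [(PT_DYNAMIC, PF_R | PF_W),
                              (PT_GNU_STACK, PF_R | PF_W),
                              (PT_GNU_RELRO, PF_R)])
WEAK = build_elf(ET_EXEC, [(PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path, check_file(path))
    else:
        print("hardened sample:", check_hardening(HARDENED))
        print("weak sample:    ", check_hardening(WEAK))
```

Pass one or more ELF paths on the command line to check real binaries; with no arguments it reports on the two constructed samples.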

I would recommend that software developers read this guidance and take Mr. Perkal’s advice to make sure that their applications are less exploitable. Because these are dangerous times that we live in, and anything that one can do to minimize the risk of an application that can be exploited is a good thing.

Guest Post: Fraud Awareness Week: Tips for Staying Safe During the Cyber Holidays

Posted in Commentary with tags on November 15, 2022 by itnerd

By Hank Schless, Senior Manager of Security Solutions at Lookout

This week is Fraud Awareness Week and the conversation is all about knowing how to best protect ourselves in a constantly evolving and quite scary cyberworld. According to the Better Business Bureau’s naughty list of the top 12 holiday shopping scams this Christmas season, the two most prevalent scams are misleading social media ads and social media gift exchange scams. 

The Internet Crime Complaint Center’s (IC3) 2021 report found that non-payment or non-delivery scams cost people more than $337 million. Credit card fraud accounted for another $173 million in losses. Lookout, the leader in delivering integrated Security, Privacy, and Identity Theft Protection solutions, is here in time with the perfect gift for keeping your wallet and data safe this season.

Tips To Stay Safe This Holiday Season

Exercise Savvy Shopping

  • If you’re purchasing from a company for the first time, do your research and check reviews.
  • Verify the legitimacy of a buyer or seller before moving forward with a purchase. If you’re using an online marketplace check their feedback rating. Be wary of buyers and sellers with mostly unfavorable feedback ratings or no ratings at all.

Watch for “Red Flags” When Paying Online

  • Avoid paying for items with prepaid gift cards. In these scams, a seller will ask you to send them a gift card number and PIN. Instead of using that gift card for your payment, the scammer will steal the funds, and you’ll never receive your item. 
  • Use a credit card when shopping online and check your statement regularly. If you see a suspicious transaction, contact your credit card company to dispute the charge.

Avoid Shipping Pitfalls 

  • Always get tracking numbers for items you buy online, so you can make sure they have been shipped and can follow the delivery process.
  • Avoid buyers who request their purchase be shipped using a certain method to avoid customs or taxes inside another country.

Enable Security Protection To Block Shopping Scams & Threats

  • Run security protection on your mobile devices – like Lookout’s security application – which is an app you can download from Google Play or the App Store. Security protection will automatically monitor and identify scam URLs in email, text messages, and on the web and block you from threats that can do harm.
  • Gift Card Scams:
    • CVS, Walmart & Home Depot 
    • The FTC reports that around $10 million a month has been lost globally to these scams. 
    • About one in four people who tell the FTC they lost money to fraud say they paid with a gift card.(1) In fact, gift cards have topped the list of reported fraud payment methods every year since 2018. During that time, people reported losing a total of nearly $245 million, with a median individual loss of $840.(2)
    • https://www.kiplinger.com/personal-finance/603028/beware-of-gift-card-scams 

All consumers can scan their email for FREE on Lookout’s website to learn about breaches that may have occurred & take action to secure their data.

Industry Experts Provide Their 2023 Security Industry Predictions

Posted in Commentary with tags on November 15, 2022 by itnerd

As 2022 comes to a close and people look forward to 2023, one has to wonder what’s on the horizon in terms of information security. To that end I have gathered some executive quotes from cybersecurity company Fortra, whose umbrella includes Alert Logic, Digital Guardian, Cobalt Strike, Tripwire, Digital Defense, Agari, PhishLabs, Core Security, and other well-known software and services providers:

Donnie MacColl, Senior Director of Technical Support / GDPR Data Protection Officer

  • We are already seeing many organizations taking action and consolidating their vendors. However, a large number of businesses are also making the decision to consolidate and merge their solution providers. Companies are becoming very aware that, after reviewing and understanding the functionality of their solutions, one supplier is capable of providing much more value than they are currently receiving from two separate ones. Organizations can then combine solutions together, creating a much stronger proposition. For example, a vulnerability management solution can pass prioritized vulnerabilities to an automation tool to perform remediation tasks, as opposed to displaying the vulnerability on a screen and waiting for a person to manually step in.
  • When it comes to laws and regulations, I suspect we will start seeing countries introducing more granular, local regulations. For example, in the UK, there is already talk that the Data Protection and Digital Information Bill will be refined or replaced by the “British GDPR”. By introducing more country-specific regulations, organizations will not only protect personal data but will also simplify international business operations by removing a considerable amount of red tape.
  • Outsourcing will increase in Managed Security Services, as we saw with operations many years ago. Companies are realizing that IT takes resources away from their core business – particularly when it comes to data protection and security which is difficult and challenging to maintain. In addition to this, Managed Security Services will broaden to become Vulnerability Management, Managed Detection and Response, Penetration Testing and Red Teaming, likely on a more “buy what you need” model.

Nick Hogg, Director of Technical Training

  • Security Awareness and Compliance Training – Organizations will be re-evaluating their security awareness and compliance training programs to move away from the traditional once-a-year, ‘box-ticking’ exercises that have proven to be less effective. The goal is to deliver ongoing training that keeps security and compliance concerns front and center in employees’ minds, allowing them to better identify phishing and ransomware risks as well as reducing user error when handling sensitive data.
  • DLP and Compliance – Organizations will be using digital transformation and ongoing cloud migration initiatives to re-evaluate their existing DLP and compliance policies. The goal is to ensure stronger protection of their sensitive data and meet compliance requirements, while replacing complex infrastructure and policies to reduce the management overhead and interruptions to legitimate business processes. It’s important to gather metrics to build confidence in executive leadership and ensure that changes to policy and systems do not have a negative impact on business processes or increase any form of risk.
  • Email Security – Organizations will be looking to plug gaps in their Microsoft 365 defenses to combat increasingly sophisticated phishing, ransomware and spyware attacks, while reducing the time spent by busy security teams triaging and responding to reports of suspicious messages. The goal is to prevent attacks such as sophisticated credential theft or business email compromise from making it into employees’ mailboxes. In 2023, it will be important to provide security teams with automated analysis of risks within reported messages, along with identification of other messages that have entered the organization as part of the same phishing campaign, in order to reduce time spent on triage and remediation.

Chris Reffkin, CISO

  • Security as a Business Enabler – People, processes and technology controls are all key to a good security program. Where people and technology controls will be tied to the size of an organization, organizations of any size can focus on processes to positively impact their security program’s capabilities. As all parts of an organization overlap with security, it could benefit all other functional areas such as support, manufacturing, design, services, delivery, to enhance revenue and increase positive customer outcomes. This creates a unique role for security to enhance business operations whilst increasing its security posture.

Wade Barisoff, Director of Product – Data Protection

  • Data Centric Security – As companies moved collaboration to cloud-based providers, the natural reaction was to extend what was already understood, which was attempting to control access to the containers where the data was stored rather than the data itself. As the use of cloud rapidly expanded, organizations had large volumes of customer and company data that was not well understood, in environments they may have had some access control over. Today, global organizations are starting to focus more on access to the data rather than the containers, as that is easier for business groups to understand. Tools that help secure data regardless of repository are coming into focus, as poorly maintained access control lists to repositories, that have been failing internally for decades, are now being pushed to cloud environments.
  • Data Classification Standards – Interoperability – For the last decade, data classification has slowed to zero adoption, primarily utilized by government and military organizations in any scale. File classification, for the most part, is a one-way street, where labels or tags only mean something to the company that created the data, but if shared, those classifications are lost on any external organization. There are a number of discussions (NIST for example) that are looking to create a standardization of labels in use to extend value beyond a single company. As a result, companies in the same industry can apply proper protections to the data shared with them and avoid labeling and re-labeling the same data, leading to systems such as data loss prevention having consistent actions on the content.

Tom Huntington, Executive Vice President of Technical Solutions

  • Open Source Creates More Targets – As more organizations deploy open source worldwide, this creates a larger target for bad actors to find loopholes in poorly engineered modules. Vulnerability scans and penetration testing efforts need to be taken seriously to help find where organizations are still running vulnerable code. The process of automating the deployment of patches through RPA can help to alleviate the shortages of staff.

John Grancarich, EVP, Strategy

  • Supply Chain Attacks on Organizations Will Increase – Between 2020 to 2021, supply chain attacks increased four-fold across the globe. As organizations get better at protecting themselves, sophisticated attackers will increasingly look more broadly at the end-to-end value chain of an organization for an opening. These supply chain targets will include everything from raw material providers to the retail channels that deliver goods to customers.
  • Attack Surface Management Evolves Into Critical Surface Management – We are all familiar with the term ‘attack surface management’, which is the process of continuously assessing and improving the security of an organization’s assets. However, this is inconsistent with how value is created in an organization – for example, is a development test server in a remote office as valuable as the intellectual property associated with a firm’s new invention? Organizations will evolve from a ‘how much can I protect’ approach to a ‘what is most critical to protect first’ mindset, improving the allocation of resources and value preservation in the process. Zero Trust architecture will play a critical role in this evolution.
  • A Shift From Product to Platform – We often hear from our customers that there are too many vendors, too many products, not enough integration and not enough optimization. This is a big reason why the cybersecurity industry is trying to hire 3 million more people around the world. It’s a broken paradigm, and the way to fix it is for the industry to shift to modular platforms which offer a simpler user experience and a more comprehensive and interoperable/integrated set of capabilities. Done well, organizations will be able to solve the majority of their cybersecurity challenges, with far fewer vendors than they typically use today.

Tom Huntington, Executive Vice President of Technical Solutions

  • Dismal Economy Drives Security Fatigue – As management worries about the economy in 2023, the continued attempts by the bad actors of the world create a security fatigue in the market. End users and IT teams are worn out by trying to keep up on a depleting battery. Now more than ever managed security offerings in DLP (Data Loss Prevention), File Monitoring, Email, MDR (Managed Detection and Response) and Digital Risk Management have become popular as security teams can’t keep up with their desired management needs. CISOs realize it is the right time to turn to a managed offering.

Tom Gorup, Vice President, Security Operations, Alert Logic by Fortra

  • Struggle to Bridge the Talent Gap – Demand for security will skyrocket in 2023 driven by economic downturn, consumer expectations and new compliance requirements. Meanwhile the talent pool for addressing the demand will remain depleted. This mismatch of security expectations and lack of quality talent supply will drive businesses to seek out third parties to solve their problems. As a result, we will experience choice overload in the MDR, MSPs and MSSPs spaces, seeking to fill the gaps for companies that don’t have the resources or in-house expertise to manage their own security challenges.
  • Security Complexity Grows – Security tools as standalone solutions are failing to enable businesses to effectively protect themselves. Tools that lack integration, offer complicated metrics and reporting, and generate exorbitant volumes of alerts, incidents, and telemetry are complicating the lives of CISOs and their teams. Even with the grandiose promises of Artificial Intelligence and Machine Learning technologies, designed to deliver increased efficiency and insight, security operations remain tough. Economic downturns will exacerbate these problems as organizations seek to reduce their expenses and turn to more 3rd parties for help. Businesses will begin to better understand the value of Managed Detection and Response services which are purpose-built to standardize and solve these operational challenges.
  • Ransomware Attacks Rise in Economic Downturn – Don’t expect ransomware attacks to abate any time soon – not only are they simply too lucrative and have a high potential for success, but, as we experience economic downturn, digital crimes will increase at an alarming rate. As a result, the demand for security solutions will rise dramatically.

Eric George, Director, Solutions Engineering, Digital Risk Protection and Email Security

  • Phishing As A Service use will expand – PaaS platforms simplify the creation and execution of credential theft phishing attacks which target the customers or employees of enterprise brands. These platforms cater to the lesser experienced threat actors and therefore have the potential to significantly expand the number of criminals conducting phishing attacks. 
  • Impersonation scams will increase and become more complicated and believable – 2022 saw a substantial amount of brands and individuals impersonated to add legitimacy to an assortment of online scams. And, in 2023, this will only increase in volume and complexity. We’re already beginning to see the possibilities of ‘deep fake’ on social media platforms and the Open Web, but as technology improves, these scams will become more common and harder to combat. 
  • MFA Platforms Targeted by phishers – Compliance requirements are making MFA more prevalent among enterprise organizations and, as such, it’s likely that attackers will follow suit. By compromising MFA, threat actors can potentially access multiple enterprise applications. 
  • Mobile device targeting increases – SMS phishing is much more difficult for the security community to track and respond to than traditional phishing attacks. In 2023, these attacks will likely continue to increase as our society continues to move toward mobile. 
  • Is this the year for web 3 or other decentralized platforms (such as blockchain domains) scams to grab the spotlight? Scams leveraging web 3 or other decentralized platforms haven’t yet targeted the bigger brands in a notable way, but it’s only a matter of time.

Guest Post: Americans lost a record $2.7 billion to investment scams in 2022

Posted in Commentary with tags on November 15, 2022 by itnerd

With the appearance of promising new technologies like NFTs and blockchain, many novel investment opportunities have sprung up in the last couple of years. Unfortunately, a significant portion of the companies behind them do not have the investor's best interests in mind.

The rapid evolution of the web and of online commerce in general has outpaced the safeguards that were supposed to protect individuals from being defrauded in these kinds of deals.

A study carried out by Atlas VPN reveals that issues pertaining to online fraud are most severe in the business investment category.

The most recent figures from the Federal Trade Commission show that Americans lost $2.66 billion to various types of investment scams in the first three quarters of 2022 (Q1-Q3), a 50% increase over the $1.77 billion lost in 2021.

Over a longer horizon, reported investment fraud losses in the US grew 28-fold over the last five years.

In other words, since 2018, investment fraud has been growing by, on average, 149% per year.  

The increasing severity of the issue is also seen in the number of complaints submitted to the FTC. 

In the first three quarters of 2022, the FTC received nearly 80,000 investment fraud reports, 74% of which indicated a financial loss. 

In contrast, in 2018 the FTC received fewer than 15,000 such complaints, with 54% of them noting a loss.

Social media and crypto payments

Most investment fraud victims transfer funds in the form of cryptocurrency, which is notoriously hard to get back: transfers are irreversible, and although public blockchains record every transaction, addresses are pseudonymous and are not tied to a verified identity unless a regulated exchange is involved. 

In addition, threat actors can employ services such as cryptocurrency tumblers (mixers), which pool and redistribute funds to break the link between the deposit and withdrawal addresses, making chain analysis far harder and the proceeds close to untraceable. 

In these cases, the pseudonymity of the blockchain works against the victims and in favor of the criminals. 

To read the full article, head over to: https://atlasvpn.com/blog/americans-lost-a-record-2-7-billion-to-investment-scams-in-2022

It Seems That Elon Musk Ignored His Trust And Safety Team When It Came To Twitter Blue

Posted in Commentary with tags on November 15, 2022 by itnerd

Well, if it wasn’t clear that Elon Musk has really gotten in over his head and is only listening to himself when it comes to the Twitter Blue fiasco, this Platformer report that a reader pointed me towards has the inside scoop on what happened with that dumpster fire. And it makes clear that Elon Musk is basically destroying Twitter:

Days before the Nov. 9 launch, the company’s trust and safety team had prepared a seven-page list of recommendations intended to help Musk avoid the most obvious and damaging consequences of his plans for Blue. The document, which was obtained by Platformer, predicts with eerie accuracy some of the events that follow.

“Motivated scammers/bad actors could be willing to pay … to leverage increased amplification to achieve their ends where their upside exceeds the cost,” reads the document’s first recommendation, which the team labeled “P0” to denote a concern in the highest risk category. 

“Impersonation of world leaders, advertisers, brand partners, election officials, and other high profile individuals” represented another P0 risk, the team found. “Legacy verification provides a critical signal in enforcing impersonation rules, the loss of which is likely to lead to an increase in impersonation of high-profile accounts on Twitter.”  

On November 1, when the document was circulated internally, Musk was considering a $99-a-year annual subscription for Blue; only later, after an exchange online with writer Stephen King, did he lower the cost. The move wound up increasing the risk for scams, as the desire to make fun of brands and government officials became an impulse buy at $8.

The team also noted removing the verified badge and its related privileges from high-profile users unless they paid, coupled with the heightened impersonation risk, would potentially drive them away from Twitter for good. “Removing privileges and exemptions from legacy verified accounts could cause confusion and loss of trust among high profile users,” they wrote. “We use the health-related protections … to manage against the risk of false-positive actions on high-profile users, under the assumption that the accounts have been heavily vetted. If that signal is deprecated, we run the risk of false positives or the loss of privileges such as higher rate limits resulting in escalation and user flight.” 

The team identified several other risks for which Twitter has yet to identify any solutions. For starters, the company lacks any automated way to remove verified badges from user accounts. “Given that we will have a large amount of legacy verified users on the platform (400K Twitter customers), and that we anticipate we’ll need to debadge a large number of legacy verified accounts if they decide not to pay for Blue, this will require high operational lift without investment.”

(And this was before the company laid off 80 percent of its contractors, but we’ll get to that.)

The company’s trust and safety team did win support for some solutions, including retaining verification for some high-profile accounts using the “official badge.” 

For the most part, though, the document offers a wish list for features that would make the product safer and easier to use, most of which have not been approved.

It was presented to Esther Crawford, a director of product management at the company who in recent weeks has risen to become one of Musk’s top lieutenants. Musk was briefed as well, sources said, as was his attorney Alex Spiro. And while Crawford appeared sympathetic to many of the concerns in the document, sources said, she declined to implement any suggestions that would delay the launch of Blue. (Crawford did not respond to a request for comment.)

Despite the warnings, the launch proceeded as planned. A few hours later, with the predictions of the trust and safety team largely realized, Musk belatedly stopped the rollout.

Well DUH! It didn’t take a rocket scientist to see what was going to happen with Twitter Blue. But strangely, a guy who launches actual rockets into space didn’t see this coming. Or perhaps Musk simply didn’t care because he is too desperate to make a buck from Twitter. Or perhaps he hasn’t got the smarts to run Twitter. No wonder Twitter is a hellscape that no advertiser wants any part of. And users are running to Mastodon as a result (here’s how you can do that if you need some help running from Twitter). And to add to the list of reasons why nobody wants to have any part of Twitter is the fact that Musk breaks stuff and Twitter is at best on shaky ground due to the downsizing of staff. I strongly, and I do mean STRONGLY recommend that you read the entire article from Platformer. It will show you that Elon really can’t manage Twitter, and this platform is likely doomed to extinction because of him.

The Department of the Navy Selects Radiant Logic to Create Naval Identity Service

Posted in Commentary with tags on November 15, 2022 by itnerd

Radiant Logic, the enterprise Identity Data Fabric company, today announced that the Department of the Navy (DON) has selected the RadiantOne Intelligent Identity Platform to modernize its identity data systems, enabling the cohesive creation and structure of the Naval Identity Services (NIS), the DON’s planned enterprise Identity, Credential and Access Management (ICAM) solution. The initiative is designed to make NIS available both ashore and in Delayed/Disconnected, Intermittently-Connected and Low-bandwidth (DDIL) environments, providing ubiquitous access aligned with Zero Trust principles.

By consolidating identity across the DON, RadiantOne enhances the agency’s overall network cybersecurity posture, including all network systems from tactical to enterprise. RadiantOne enables a cloud-based master identity for every individual within the agency, no matter what role they play or where they are stationed, as well as mission partners conducting joint operations with service members. Ultimately, this identity consolidation will enable the DON to rethink identity creation, usage, and management, further automating and modernizing threat monitoring and prevention.

This announcement builds on a history of Radiant Logic deployments in the federal sector. Earlier in 2022, Radiant Logic was selected to deliver the identity data foundation for the Defense Information Systems Agency’s (DISA) enterprise Identity, Credential, and Access Management (ICAM) design. Radiant Logic is FIPS 140-2 certified and was selected in 2021 to participate in the NIST NCCoE Zero Trust Architecture project.

72% of SMBs say the 2022 holiday season is more important to their financial health than 2021: Intuit Study

Posted in Commentary with tags on November 15, 2022 by itnerd

As inflation levels remain high and consumer confidence becomes more fragile, new research shows that 84% of Canadians plan to reduce their spending this year if the economy worsens, while 72% of small businesses in Canada say the 2022 holiday season is more important to their financial health than last year.

The results of the Intuit QuickBooks Holiday Shopping Survey suggest that holiday spending with Canadian small businesses could reach $10 billion if consumers shop local, leaving the fate of those businesses largely in the hands of Canadians who choose to buy from them.

What consumers are wishing for this year: 

  • More than seven out of 10 consumers want small businesses to make it easy for them to buy online this holiday season. They will spend more money at small businesses with guaranteed deliveries and returns, quick and easy checkouts, and price-match guarantees.
  • 52% of consumers say they will spend even more money at small businesses in-person that offer holiday promotions and discounts. 
  • 36% of consumers are purchasing products from small businesses through social media marketplaces.

To help Canadian small businesses succeed during the most important sales season, Intuit QuickBooks has created a gift guide featuring Canadian small businesses from coast to coast that consumers can support. 

In addition, with small businesses relying on the holiday season to produce up to 65% of their annual revenue, Intuit QuickBooks has curated resources and tips in The QuickBooks Holiday Hub to help small businesses unwrap success this year.