Archive for December 1, 2022

Desjardins Insurance teams up with TELUS Health to expand access to health and wellness services

Posted in Commentary with tags on December 1, 2022 by itnerd

Desjardins Insurance and TELUS Health have announced today a new collaboration that will bring TELUS Health’s leading health and well-being services to members and other eligible individuals from group insurance plans administered by Desjardins. With access to hundreds of health professionals and other certified advisors, Desjardins will now be able to offer an improved range of services that will better support a positive work-life balance at every step of the wellness journey.

As Canada’s largest Employee and Family Assistance Program (EFAP) provider, TELUS Health was able to quickly customise a solution for Desjardins when they were in search of a new supplier, taking into account the unique needs and expectations of members of Desjardins’ group insurance plans. The joint effort with Desjardins is an ideal example of how TELUS Health can work alongside its clients to build healthy communities across Canada.

Building upon their long-standing business relationship, TELUS Health successfully and rapidly extended its Employee and Manager Assistance Programs (EAP/MAP) for Desjardins to include:

  • Mental Health Support: access to a range of clinical professionals to address growing mental health concerns such as anxiety and depression;
  • Crisis Management: broad support options in case of personal crises, traumatic events or workplace incidents;
  • Legal and Financial Support: general advice from certified professionals;
  • Referral Services: connections to a wide variety of ancillary services, including finding the right care for their loved ones, whether that be a daycare or a senior’s residence.

Apple Phishing Attack Targets 10K Mailboxes Coming off Record-Breaking Shopping Weekend

Posted in Commentary with tags on December 1, 2022 by itnerd

Today, researchers at Armorblox released their latest blog on a credential phishing attack that spoofed a consumer favorite among cyber deals, Apple, in an attempt to steal victims’ user credentials. 

In this attack, targeting over 10,000 mailboxes, emails were crafted to convince recipients that they were receiving legitimate email communication from Apple, Inc, notifying them that their account was going to be suspended unless their card was validated. Clicking on the provided link led users to a fake landing page created in order to exfiltrate sensitive user credentials.

The timing of this technique was particularly effective, playing off consumers’ sense of urgency to score valuable gift card offers during the biggest holiday shopping days of the year.

The link to the live blog is here and it is well worth your time to read.

Cars Can Be Pwned Via Flaws In SiriusXM And Other Software: Report

Posted in Commentary with tags on December 1, 2022 by itnerd

Every car these days comes with a SiriusXM receiver. And depending on what car you have, that might be an attack vector for hackers to pwn your car. This according to this article:

Researcher Sam Curry on Wednesday described a recent car hacking project targeting Sirius XM, which he and his team learned about when looking for a telematic solution shared by multiple car brands.

An analysis led to the discovery of a domain used when enrolling vehicles in the Sirius XM remote management functionality, Curry said in a Twitter thread.

Initial tests were conducted on the NissanConnect mobile application, which led to the discovery of a vulnerability that could allow a remote hacker to obtain a vehicle owner’s name, phone number, address and car details simply by knowing their VIN, which is typically visible on the windshield. The attacker would need to send specially crafted HTTP requests containing the victim’s VIN in a certain parameter.

Further analysis showed that the same vulnerability could be exploited to run vehicle commands, including locate, unlock and start a car, as well as to flash headlights and honk the horn.

The researchers determined that such an attack could be launched against Honda, Nissan, Infiniti, and Acura cars.

Sirius XM immediately patched the vulnerability after being informed of its existence. The company said it released a patch within 24 hours and noted that it has no evidence of any data getting compromised or unauthorized modifications being made.

That’s not good. But neither is this:

In a separate Twitter thread this week, Curry reported a different vulnerability, one that allowed researchers to control some functions of Hyundai and Genesis vehicles — including locks, engine, horn, headlights and trunk — by knowing the email address the victim had used to register a user account.

The attack allegedly worked on vehicles made after 2012. Hyundai and Genesis also released patches after being notified.

So upon reading this article, I looked at the research and it illustrates that connected cars are subject to the same sort of problems that everything else is. Thus car companies and SiriusXM need to up their game to keep car owners safe. And they need to be held accountable for making sure that cars are secure. Preferably by a third party.

Remember That LastPass Hack Back In August? The Company Now Admits That Hackers Got Access To Customer Data

Posted in Commentary with tags on December 1, 2022 by itnerd

Back in August, LastPass was pwned by hackers. At the time the company said this:

Earlier this week, LastPass started notifying its users of a “recent security incident” where an “unauthorized party” used a compromised developer account to access parts of its password manager’s source code and “some proprietary LastPass technical information.” In a letter to its users, the company’s CEO Karim Toubba explains that its investigation hasn’t turned up evidence that any user data or encrypted passwords were accessed.

It turns out that this wasn’t the case, as the company now admits that user data was accessed by the hackers who pwned them:

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement. 

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture. 

We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around setup and configuration of LastPass, which can be found here

Well, that’s not good. And it highlights why entrusting your passwords to a third party may not be a good idea. While I do use a password manager and do my best to practice good password hygiene, I don’t entrust my passwords to a third party. Instead the password file is encrypted and stored on my NAS at home, or on some cloud provider so that I can get access to it on the road as well as sync it with all my devices. If one of those cloud providers gets pwned, all they will get is an encrypted file that they can’t do anything with.

In any case, LastPass needs to be completely transparent about what happened here and how much it affects end users as that’s the only way they will maintain the trust of their customer base.

UPDATE: Yoav Iellin, Senior Researcher, Silverfort offers this advice:

“Given the vast amount of passwords it protects globally, LastPass remains a big target.

The company has admitted the threat actor gained access using information obtained in the previous compromise. Exactly what this information is remains unclear but, typically, it’s best practice after suffering a breach for the organization to generate new access keys and replace other compromised credentials. This ensures things like cloud storage and backup access keys cannot be reused.

For worried users, ensure you watch out for updates from the company and take time to verify these are legitimate before taking any action. In addition, ensuring you have two-factor authentication on any applications with passwords in LastPass and changing passwords will provide the utmost level of security.”

UPDATE #2: Chad McDonald, Chief of Staff and CISO, Radiant Logic provides this comment:

“We’ve seen today another hack of the credential wallet vendor, LastPass which isn’t at all surprising. This isn’t an indictment of LastPass by any means, rather a criticism of the underlying problem that has driven vendors like LastPass to be very successful and effectively a staple both for home users and the enterprise. Any software, given enough time and effort, is crackable or hackable, and LastPass is certainly no exception. While LastPass’s Zero Knowledge strategy with regard to password encryption seems to have kept the attackers from accessing passwords, this didn’t keep them from apparently accessing source code. Attackers will always find a way to defeat security controls–always. Technology practitioners will work to harden code, applications and networks, but in the end given time and resources the attackers will get in.

One of the problems I see with simply continuing to harden the IT stack is that it fundamentally doesn’t acknowledge what is driving ongoing reliance on password wallets for so many people. IT sprawl and more specifically identity sprawl have driven most of us mad with the number of credentials we need to manage simply to get through our personal and professional lives every day. Assuming we’re trying to be good netizens, we’ll also try to juggle complex passwords and potentially multi-factor authentication. This additional complexity exacerbates the identity problem. We’re effectively left with no choice other than to archive our credentials in a wallet like LastPass or god forbid a notebook somewhere. (Please tell me you aren’t keeping your passwords on the bottom of your keyboard.)

On a personal level, it isn’t realistic to expect a home user to implement an IAM strategy. The enterprise, however, should have an IAM strategy that limits identity sprawl, provides adequate credential security, and limits the need for its users to manage countless sets of credentials in the workplace.  Corporations really do themselves and their users a disservice when they continue to push down responsibility for broad credential management to staff. It’s really a recipe for disaster. Consolidation, protection, and effective management of identities and credentials by the enterprise drives internal productivity, deflects Helpdesk calls, and reduces friction on staff that should be focused on their core responsibilities, rather than tracking down their 14th set of credentials and a 20 character password to log in to the CRM system.  

While LastPass was the latest victim here, it won’t be the last.  I expect that the organization will recover quickly and again work to harden processes and code, but I think the enterprise should do its part as well.  Let’s focus on our own IAM strategies so that we can ideally be a bit less reliant on credential wallets in the first place.”

Guest Post: Over 95% of all new malware threats discovered in 2022 are aimed at Windows

Posted in Commentary with tags on December 1, 2022 by itnerd

Windows is the most popular operating system among desktop and laptop users. It occupies around 30% of the OS market share worldwide. This may be one of the reasons why it is also the most targeted by malware.

According to the data analyzed by the Atlas VPN team, based on AV-TEST GmbH statistics, 59.58 million new Windows malware samples were detected in the first three quarters of 2022. They make up a whopping 95.6% of all new malware discovered in that period.

Linux malware takes the second spot on the list with 1.76 million new malware samples — 2.8% of the total new malware threats in Q1 through Q3 of 2022.

Following Linux is Android malware. The first three quarters of 2022 saw 938,379 newly found Android malware threats. They constitute 1.5% of the new malware in Q1 through Q3 of 2022.

Finally, 8,329 never before seen malware threats aimed at macOS were detected in the same period.

Despite various anti-malware measures that exist today, cybercriminals continuously come up with new malware threats. A total of 62.29 million new malware samples were detected in the first three quarters of 2022 across all operating systems. It comes to almost 228,164 malware threats daily.

However, compared to the same period last year, new malware has actually decreased by 34%. Even though there is a clear downward trend in new malware samples, the number of threats still remains exceptionally high.

To read the full article, head over to:

https://atlasvpn.com/blog/over-95-of-all-new-malware-threats-discovered-in-2022-are-aimed-at-windows

Hackers Spoof Amazon Notification Emails To Steal Credentials In Phishing Campaign

Posted in Commentary with tags on December 1, 2022 by itnerd

Researchers at Avanan, a Check Point Software Company, will reveal its latest analysis on how hackers send fake Amazon account notices, targeting Japanese companies, in the hopes of getting credentials.

In this attack, users are presented with an email, written in Japanese, notifying them that their Amazon Prime Auto-Renewal has been deactivated and their membership information must be verified to prevent further account restriction. Clicking on the provided link will lead users onto a fake page that will steal credentials and payment details. 

You can read the analysis here.

Guest Post: The 10 Best Warm Weather Destinations for Digital Nomads this Winter According To Wise

Posted in Commentary with tags on December 1, 2022 by itnerd

For digital nomads, the possibilities of where to work are virtually limitless. When frigid winter weather rolls around, it’s natural for those who can work remotely to start thinking about snowbirding out to a more temperate locale far from snow, ice, and frozen flurries.

After all, when the temperatures drop, it’s hard to do your best work when all you want to do is curl up in front of the fire.

That’s why Wise put together a list¹ of the best warm cities for digital nomads to visit this winter based on an evaluation of weather, safety, and cost of living data — along with their exchange rates² with Canadian currency so you can make the most of your budget as you chase the sun. The list includes cities within +/- one hour of continental Canadian time zones, so it will be easy to adapt your schedule and stay in touch with everyone you work with.

1. Medellin, Colombia

Nicknamed the “City of Eternal Spring” and famous for its annual Flower Festival, Medellin is an ideal place for digital nomads to go for the winter. The weather there is near-perfect during the winter months — not too hot and not too cold.

Plus, there are a variety of coworking spaces available, so you can easily find a place to set up shop and get your work done. The cost of living is very reasonable, and there are many museums, including the Museo de Antioquia, coffee farms, and nature parks to explore in your free time.

The official currency of Colombia is the Colombian peso and the exchange rate is $1,000 CAD = 3,638,960 COP

2. Quito, Ecuador

The capital of Ecuador, nestled in a valley at the base of the majestic Andes Mountains, Quito is a beautiful city built on the ruins of an ancient Incan settlement.

It’s home to a growing community of digital nomads, who are drawn to Quito for its affordable cost of living, fast internet speeds, vibrant cultural scene, and rich architectural heritage.

The city enjoys year-round mild temperatures, making it an excellent place for working remotely in the winter.

The official currency of Ecuador is the US dollar and the exchange rate is 1,000 CAD = 751.03 USD

3. Buenos Aires, Argentina

For digital nomads, Buenos Aires offers an appealing mix of mild weather, affordability, and culturally rich city life. Located in the southern hemisphere, Argentina’s bustling capital city enjoys warm weather even in the middle of winter.

While prices have been rising in recent years, Buenos Aires is still relatively affordable compared to other major cities — and for many, the chance to be surrounded by the city’s beautiful 19th-century architecture is well worth a slight cost increase.

The official currency of Argentina is the Argentine peso and the exchange rate is 1,000 CAD = 121,761K ARS

4. Bogota, Colombia

Located in the Andean mountain range and featuring a subtropical highland climate, Bogota is the sprawling capital city of Colombia and one of the largest cities in South America.

Bogota is a great place for digital nomads to go for the winter because of its temperate climate, affordable cost of living, and abundance of coworking spaces. Plus, the city is full of gorgeous colonial-era landmarks, including the Teatro Colón, and many intriguing museums and historical sites.

The official currency of Colombia is the Colombian peso and the exchange rate is 1,000 CAD = 3,638,960 COP

5. Montevideo, Uruguay

The seaside capital of Uruguay, Montevideo is an affordable city with lovely warm weather during the winter months. Revolving around the beautiful Plaza de la Independencia, Montevideo has a lively and vibrant culture, and can be an excellent place to learn Spanish.

It’s a terrific winter destination for digital nomads looking to escape the cold weather of the northern hemisphere, while still being able to work and enjoy life in a welcoming city full of fascinating Art Deco and colonial architecture.

The official currency of Uruguay is the Uruguayan peso and the exchange rate is 1,000 CAD = 29,927.60 UYU

6. San José, Costa Rica

Built on the coffee trade and brimming with elegant Victorian mansions, San José is a fantastic city for digital nomads to visit for the winter, featuring warm weather and many coworking spaces.

The cost of living is also very reasonable, and you can find apartments for rent at a fraction of the cost of what you might pay in major cities like Toronto, New York or London, while still being able to get out and enjoy world-class museums, parks, and historic buildings.

The official currency of Costa Rica is the colon and the exchange rate is 1,000 CAD = 459,990.00 CRC

7. Cali, Colombia

Cali is known for its beautiful weather, friendly people, and vibrant salsa dancing street parties. In addition, Cali is an affordable, sunny place to live a relaxed lifestyle during the winter months, with many apartments and hotels offering monthly rates.

This makes it a budget-friendly option for digital nomads who want to enjoy all that the city has to offer, including its spectacular neoclassical architecture and historic museums, without breaking the bank.

The official currency of Colombia is the Colombian peso and the exchange rate is 1,000 CAD = 3,638,960 COP

8. Mexico City, Mexico

Full of stunning historical landmarks dating back to the time of the Spanish conquistadors, Mexico City has a large community of expats and digital nomads — and there are plenty of coworking spaces, cafes, and restaurants to work from.

The weather is also perfect for spending time outdoors, and there are plenty of historic buildings, museums, and nature parks to explore. If you’re looking for a vibrant, culturally rich spot for both work and adventure this winter, Mexico City could be a great choice.

The official currency of Mexico is the Mexican nuevo peso and the exchange rate is 1,000 CAD = 14,598.10 MXN

9. São Paulo, Brazil

The sparkling financial center of Brazil, São Paulo is home to many iconic architectural landmarks, including the 1929 Martinelli skyscraper. It’s a bustling, highly populous city with a significant community of digital nomads who occupy the many co-working spaces available.

As Brazil’s richest city, São Paulo isn’t always the cheapest, but for those seeking to explore its beautiful buildings, memorable museums, and peaceful parks, it may be worth a little splurge.

The official currency of Brazil is the real and the exchange rate is 1,000 CAD = 4,002.85 BRL

10. Panama City, Panama

The capital of Panama, Panama City features a multitude of colonial-era landmarks and vibrant plazas with popular cafes that digital nomads can work from. The city’s warm weather is ideal for those who want to escape the cold, and the nightlife is vibrant.

There are also a variety of beaches to visit, and plenty of opportunities to explore the rest of Panama — or simply relax and watch the ships sailing through the city’s iconic canal. It’s the safest city on this list, although the weather isn’t always as pretty as in some other locales.

The official currency of Panama is the Panamanian balboa, and the exchange rate is 1,000 CAD = 750.75 PAB

Paying Like a Local

If you’re seeking warmer horizons this winter, there are so many exciting places where you can soak up the sun and make incredible memories, all while staying within your digital nomad budget.

Just make sure you have a good financial plan in place that enables you to pay like a local wherever you choose to roam. But adventurers beware: that’s probably not simply using your go-to Canadian bank account. From foreign transaction fees and high ATM withdrawal fees, to hidden markups in exchange rates, traditional Canadian bank accounts aren’t typically digital nomad-friendly.

Before you depart, consider setting up a Wise Account and card. Wise is everywhere money: 170 countries, 50 currencies and one card. With a Wise Account you can easily send, receive, hold, and spend money with no hidden fees³. That means paying for rent, groceries, activities and your new friends back easily in local currency.

And while many countries are digital-first, a lot of destinations — including many on this list — still prefer cash payments. With the Wise card, there’s no need to have the cash converted ahead of time. You can simply withdraw cash from local ATMs, and Wise will convert the amount automatically for you at the best conversion rate at the time for a low fee. For making purchases at places that do accept cards, the Wise Card functions like any other debit card in your wallet.

With Wise’s transparent pricing and mid-market exchange rate policy, you always know what you’re paying. That means less financial stress and uncertainty, and more time enjoying your warm weather digital nomad excursions this winter.


¹ Methodology: To compile this list, Wise looked at cities that operate within plus- or minus-one hour of continental Canadian time zones. Cities were then scored based on their rankings on third-party data sources assessing cost of living including rent (source: Numbeo), weather (source: Global Residence Index) and safety (source: Numbeo), as well as whether or not their countries offer digital nomad visas.

² Exchange rates were pulled via Wise.com on November 15, 2022.

³ Please see Terms of Use for your region or visit Wise Fees & Pricing: Only Pay for What You Use for the most up to date pricing and fee information.