Archive for January, 2023

Apple Is Now Up To FOUR Lawsuits Over Privacy Issues On The iPhone

Posted in Commentary with tags on January 31, 2023 by itnerd

To recap this story, you may recall that last year a security researcher named Tommy Mysk discovered that, regardless of whether you allowed your iPhone to send analytics data to Apple, iPhones and specifically Apple apps were sending that data anyway. That led to a lawsuit, which then became two lawsuits, then three. Now we have the fourth lawsuit, as spotted by The Register:

The complaint [PDF], filed in Northern California District Court on behalf of plaintiff Julie Cima, claims Apple captures iPhone customer data despite device settings declaring a preference that information should not be shared.

“Apple records consumers’ personal information and activity on its consumer mobile devices and applications (‘apps’), even after consumers explicitly indicate through Apple’s mobile device settings that they do not want their data and information shared,” the complaint, filed this week, says. “This activity amounts to an enormous wealth of data that Apple collects and uses for its financial gain.”

I’ve said this before and I will say it again: Apple trades on being more private than the other guy, the other guy being Android. These lawsuits take that perception and rip it to shreds. And as more of these lawsuits get filed, because you know that more are coming, that’s only going to get worse for Apple. Thus they really need to speak to this, and do so quickly. The problem is that Apple isn’t going to do that, and that will make things worse for the folks at Apple Park.

Sucks to be you, Apple.

GitHub Revoking Code Signing Certificates That Were Stolen By An Unknown Threat Actor

Posted in Commentary with tags on January 31, 2023 by itnerd

GitHub has disclosed that unknown attackers stole encrypted code-signing certificates for its Desktop and Atom applications after gaining access to some of its development and release planning repositories. Details can be found over at Bleeping Computer:

So far, GitHub has found no evidence that the password-protected certificates (one Apple Developer ID certificate and two Digicert code signing certificates used for Windows apps) were used for malicious purposes.

“On December 6, 2022, repositories from our atom, desktop, and other deprecated Github-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account,” GitHub said.

“Once detected on December 7, 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems. None of the affected repositories contained customer data.”

The company added that there is no risk to GitHub.com services due to this security breach and that no unauthorized changes were made to the affected projects.

However, the compromised certificates will be revoked to invalidate the GitHub Desktop for Mac and Atom versions signed using them.

Kevin Bocek, VP Security Strategy and Threat Intelligence at Venafi, explains the impact of this:

GitHub is hugely valuable for developers: over 100 million developers use the platform, and the Fortune 500 and every major software developer from Microsoft to Google rely on it. It’s no surprise that it’s become a focus point for attackers too. Unknown threat actors have stolen code-signing machine identities after gaining access to some of its development and release planning repositories. This enables attackers to masquerade their software as coming from GitHub. 

In the wrong hands, these machine identities could be used to pose as trusted, enabling an attacker to sign and send malicious content that will be authenticated by other machines as coming from GitHub. This is a powerful weapon that can enable supply chain attacks on other software developers and unknown possible subsequent (or past) attacks.

This is one more example of how engineering teams moving fast can create new opportunity for attack. Machine identity management is no longer optional. Code signing machine identities can’t be left unguarded with constant observability and control. The ability to rapidly find and reissue machine identities is impossible to do manually. To protect against events such as these, which are becoming increasingly common, security engineering teams must deploy a control plane for automating machine identity management. By doing so they continuously protect machine identities from theft and avoid manual rotation, replacement, and revocation that slows down engineering teams and leads to shortcuts that create breaches.

GitHub has this advice for affected users:

“On January 4, 2023, we published a new version of the Desktop app. This version is signed with new certificates that were not exposed to the threat actor,” GitHub added.

“We highly recommend updating Desktop and/or downgrading Atom before February 2 to avoid disruptions in your workflows.”

I would be taking that advice and acting upon it as soon as possible.

Zoho Introduces Team Pipelines In Bigin

Posted in Commentary with tags on January 31, 2023 by itnerd

Zoho Corporation, a leading global technology company, is today unveiling the latest version of Bigin, the company’s CRM solution for small businesses. As the preferred CRM solution for small businesses, Bigin offers a simple yet powerful CRM without the high barrier of entry and cost. Today’s product updates further support small and micro businesses by providing users the tools and insights they need to maintain and grow meaningful and high-value relationships with customers in a challenging economic environment.

Since Bigin’s launch in 2020, it has stood out as a robust, easy-to-use, and welcoming CRM solution thanks to its 30-minute setup promise. Zoho has observed that around 65% of Bigin’s customers have never used a CRM previously, making it the ideal choice for business owners who are looking to move away from spreadsheets. When they outgrow Bigin, Zoho also offers them an easy migration to Zoho’s full-fledged CRM solution. Bigin now boasts 20K customers and continues to help small and micro businesses manage all of their customer-facing operations within a unified platform.

Bigin’s latest version includes the introduction of Team Pipelines, which allow customer-facing teams to manage their distinctive operations using a distinct set of pipelines and sub-pipelines within a single Bigin account. Competitive offerings often cater only to a single function — like sales — whereas Bigin is an efficient solution for all customer-facing teams. New features compile customer operations into one place, and enable tighter alignment and collaboration between individuals and teams without compromising the simplicity that makes Bigin stand out. 

Key Product Updates

  • Team Pipelines: The most significant addition to Bigin, Team Pipelines brings together various customer operations into a single 360-degree view. Businesses can connect key customer processes such as deal management, onboarding, delivery, training, ticket management, refund requests, customer testimonials, etc., thereby ensuring small businesses manage their day-to-day processes in an easier way. Businesses can now enjoy a complete CRM that goes beyond sales management and offers them a single source of truth when it comes to analyzing customer data.
  • Connected Pipelines: Alongside Team Pipelines, Bigin introduced a new way of connecting customer records across different processes. With Connected Pipelines, businesses can automate the movement of customer data across various pipelines, enabling them to deliver seamless end-to-end customer experiences. For example, once a deal is won, sales teams can automate the creation of a connected record in the customer onboarding pipeline. This way, businesses spend less time entering repetitive customer information and have more time to focus on actual customer conversations.
  • Toppings: Additional functionalities and third-party integrations can be added on-demand to address business needs that go beyond the standard offering. For example, the ‘Email-In’ topping ensures emails sent to different email aliases in an organization are automatically mapped to the relevant customer records in each pipeline. Similarly, the ‘File Cabinet’ topping automates the process of file collection, where customers can manage all their documents through unique, secure links.
  • Mobile Capabilities: In response to the increased adoption of Bigin’s mobile app, Zoho is ensuring all new features are available across iOS, iPadOS, Android, and macOS. This makes for seamless employee experiences and is further enhanced with a new Dynamic Display which helps users customize the look, style, and visibility of records in their pipelines. Bigin also recently updated its apps for Apple’s iOS 16 and Samsung Galaxy Z Fold 4 launches, where it was an exclusive launch partner.
  • Developer Center: Bigin now opens its developer platform to a network of global app developers and partners who are looking to create custom solutions for unique business needs. With various developer tools and components like custom fields, buttons, links, widgets, related lists, and REST APIs, developers can create new Toppings which can be monetized in the Bigin Marketplace.

Pricing

Bigin by Zoho CRM starts at CAD $9/user/month (billed annually) for the Express edition and goes up to CAD $15/user/month (billed annually) for the Premier edition. There is also a free edition available.

Horizon3.ai Publishes POC & Deep Dive For VMware vRealize Log Insight RCE

Posted in Commentary with tags on January 31, 2023 by itnerd

Horizon3.ai has just published “VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive” on the new CVEs affecting VMware vRealize Log Insight, which were reported by ZDI. 

Three of these CVEs can be combined to give an attacker remote code execution as root, and the vulnerability is exploitable in the default configuration for VMware vRealize Log Insight. The Horizon3.ai team has successfully reproduced the exploit and would like to provide the technical details about how this vulnerability works. The team’s POC can be found on GitHub.

VMware vRealize Log Insight is used across enterprises to collect logs and provide analytics. This vulnerability poses moderate risk to organizations, allowing attackers initial access, if exposed to the internet, and the ability for lateral movement with any stored credentials. The Horizon3.ai Attack Team has published the data so users can determine if they have been compromised. 

Horizon3.ai Exploit Developer James Horseman noted when issuing indicators of compromise: “This vulnerability is easy to exploit, however, it requires the attacker to have some infrastructure setup to serve malicious payloads. Additionally, since this product is unlikely to be exposed to the internet, the attacker likely has already established a foothold somewhere else on the network.

“This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system. If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done.”

VMware has released an advisory with patches and workarounds for these vulnerabilities, and the team urges all VMware users to heed the VMware advisory and patch or apply the workaround immediately.

New Survey from Intuit Shows How Gen Z Is Redefining Personal Finance

Posted in Commentary with tags on January 31, 2023 by itnerd

Generation Z, the first generation of digital natives who are more than twice as likely to compare themselves to others on social media, feel like they are falling behind their peers financially, according to a new survey by Intuit, the global financial technology platform that makes TurboTax, Credit Karma, QuickBooks and Mailchimp.

Just as heavily doctored images of beauty on Instagram contribute to insecurities, ‘filtered finances’ are having a massive impact on 18 to 25-year-olds. Increasingly, honest conversations around formerly taboo subjects are the norm. But new data shows that Gen Z’ers would rather talk about politics, parenting struggles, sex and infertility than debt, their salaries and bad investments. In fact, despite their modern lives, they are part of the 55% of Canadians who would rather talk to their children about sex than speak to them about their own finances.

Survey data also identified a new trend: “soft saving” — the financial spinoff of the boundary-setting ‘soft life’ trend focused on comfort and minimizing stress. Currently taking over TikTok feeds, this philosophy extends to money. A stark departure from the F.I.R.E. (Financial Independence, Retire Early) movement, hustle culture and the Girlboss ethos dominating the past decade, Gen Z is embracing “soft saving.” Three in four Gen Z’ers say they would rather have a better quality of life than extra money in the bank. In fact, experiences matter more than money to Gen Z, as 68% say they are only interested in finances as a means to support their current interests.

Gen Z has more access to financial information than any other generation, but this doesn’t always translate into decision-making. From financial tips on TikTok to Reddit forums on investing, the survey illustrates that Gen Z is frequently paralyzed by conflicting advice and could benefit from new ways to save:

  • Nearly three in four say they know how to make a budget and track their income, but haven’t done it (74%).
  • Nearly three in four know it’s important to invest, but they don’t know how (73%).
  • 65% say they have financial knowledge, but are unsure how to use it.
  • Nearly half bought cryptocurrency even though they don’t fully understand blockchain (49%).
  • Two-thirds say they’re not sure they’ll ever have enough money to retire (64%).

Additional Canadian survey findings include: 

  • Quality of life is being held hostage by poor finances, especially for Gen Z, the generation that values quality of life the most. 62% of Gen Z feel like they will never have the things they want in life because of their financial situation.
  • 59% of Canadians feel anxious going with friends to restaurants and bars they know they can’t afford (70% for Gen Z).
  • 53% of Canadians say giving a gift for a special occasion would put a strain on their monthly finances (67% for Gen Z).
  • Nearly half of Canadians (45%) say they have spent less time with friends or family due to financial constraints (56% for Gen Z).

*Statistics from 2022 Intuit survey of 1,500 Canadian consumers ages 18+. Gen Z is three times as likely to compare themselves to others on social media (30% vs. 10% Canadian general population).

Survey Methodology

The Intuit Prosperity Index Survey was conducted Dec. 2‑Dec. 9, 2022, via a 15‑minute online questionnaire. Intuit surveyed 1,500 Canadians ages 18+ plus an additional oversample of Gen Z (ages 18-25) in order to discover current attitudes around money and personal finance.

New Credential Phishing Attack Targeting 10,000 Inboxes Disguised As DocuSign To Exfiltrate Personal Credentials

Posted in Commentary with tags on January 31, 2023 by itnerd

Armorblox has released its latest research analyzing a credential phishing attack that impersonated the well-known brand, DocuSign, intending to exfiltrate sensitive login credentials.

These emails targeted more than 10,000 end users across multiple organizations and various industries counting on the trust and legitimacy people have in the company.

How it works: In this attack, victims receive an email that appears to be from DocuSign.

Attackers instilled a sense of urgency within the body of the email attack to encourage victims to open the new document for review and approval. When clicked, victims were navigated to a fake landing page designed to impersonate a Proofpoint Storage application login.
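The lure described above can be triaged with a few header and body checks. The following is an added example, not Armorblox’s code or research tooling; the sender domains, link hosts and the two sample messages are constructed for illustration, and the DocuSign domain list is an assumption.

```python
"""Triage heuristics for DocuSign-style brand-impersonation phishing (constructed example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "docusign"
# Assumption: domains DocuSign notifications legitimately come from and link to.
BRAND_DOMAINS = {"docusign.com", "docusign.net"}
URGENCY = re.compile(r"\b(urgent|immediately|action required|expires?|within 24 hours|final notice)\b", re.I)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)

# Constructed sample messages: one mimicking the attack, one a benign notification.
PHISH = """From: "DocuSign" <noreply@docusign-mail-review.example>
Reply-To: collect@attacker.example
To: jane@corp.example
Subject: Action Required: You have a document to review and sign
Content-Type: text/plain

A document has been shared with you. Complete it within 24 hours.
Review document: https://storage-login.example/proofpoint/auth?id=42
"""

LEGIT = """From: "DocuSign" <dse@docusign.net>
To: jane@corp.example
Subject: Please review: Q1 contract
Content-Type: text/plain

Jane Doe sent you a document to review and sign.
Review document: https://app.docusign.com/documents/42
"""


def registrable(host):
    """Crude registrable domain (last two labels); enough for the sample data."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(addr_header):
    """Domain part of an address header, or '' when absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate all text/* parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw):
    """Return {'verdict', 'findings'} for one raw RFC 822 message."""
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    sender_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    text = body_text(msg)
    findings = []
    # 1. Brand named in display name or subject, but the sender is off-brand.
    claims_brand = BRAND in (display + " " + subject).lower()
    if claims_brand and registrable(sender_domain) not in BRAND_DOMAINS:
        findings.append(f"claims {BRAND} but sender domain is {sender_domain}")
    # 2. Replies routed to a different domain than the sender.
    if reply_domain and registrable(reply_domain) != registrable(sender_domain):
        findings.append(f"reply-to domain {reply_domain} differs from sender")
    # 3. Urgency pressure in subject or body (the lure the write-up describes).
    hit = URGENCY.search(subject + "\n" + text)
    if hit:
        findings.append(f"urgency language: '{hit.group(0)}'")
    # 4. Document links that leave the claimed brand's domains (the fake login page).
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if claims_brand and registrable(host) not in BRAND_DOMAINS:
            findings.append(f"link host {host} is outside {BRAND} domains")
    verdict = "suspicious" if len(findings) >= 2 else "likely benign"
    return {"verdict": verdict, "findings": findings}
```

The threshold of two findings is deliberately loose so that a single benign oddity (a legitimate Reply-To elsewhere) does not flag mail on its own.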

You can read the research here.

DH2i Awarded 2022 TMCnet Zero Trust Security Excellence Award

Posted in Commentary with tags on January 31, 2023 by itnerd

DH2i, the world’s leading provider of always-secure and always-on IT infrastructure solutions, today announced that TMC, a global, integrated media company, has named DxOdyssey as a 2022 TMCnet Zero Trust Security Excellence winner presented by TMCnet.

The TMCnet Zero Trust Security Excellence Award recognizes the leaders and pioneers in the industry with the best and the brightest providers, offering the most innovative, effective solutions. DxOdyssey (DxO) software was honored for its ability to enable its users to create a direct connect Software-Defined Perimeter (SDP) with application-level Zero Trust Network Access (ZTNA) tunnels. With DxOdyssey users don’t need to trust an outside vendor with their data because DxOdyssey is never “in the middle” of the data stream. DxOdyssey gives servers, storage, applications, IoT devices and users direct access to the data endpoints they need — no more, no less. Deploying DxO:

  • Eliminates lateral network attacks
  • Improves data transfer rates up to 3x faster
  • Gives users total control over their data stream

Ready to push downtime and security holes to zero? Ready to eliminate VPN vulnerabilities? Try DxOdyssey for free here: https://dh2i.com/trial/ 

Aptum Earns Microsoft Azure Expert Managed Service Provider Recognition

Posted in Commentary with tags on January 30, 2023 by itnerd

Aptum, a hybrid multi-cloud managed service provider (MSP), today announced it has been recognized by Microsoft as an Azure Expert MSP. This designation identifies Aptum as a qualified global partner to deliver Azure solutions to customers.

Aptum is among a group of MSPs globally to earn this certification, having completed an extensive auditing process by an independent third party. The certification process consisted of a rigorous audit of 66 controls in areas such as:

  • Business Health and Managed Service Focus
  • Microsoft Services
  • Assessment and Design
  • Build and Migration
  • Cloud Operations and Service Management 
  • Security and Governance
  • Cloud SLAs, Customer Satisfaction, and Cost Optimization
  • Continual Improvement and Process Optimization

Aptum also provided multiple customer references for projects successfully delivered over the last 12 months. 

As an Azure Expert MSP, Aptum is strongly equipped to help organizations meet their evolving technology needs and achieve their business objectives. The company recently earned other Microsoft partner designations, highlighting its commitment to training and accreditation, as well as its expertise. 

  • The Microsoft Solutions Partner for Data & AI (Azure) designation demonstrates Aptum’s ability to assist customers with the management of their data across multiple systems to build analytics and AI solutions.
  • The Microsoft Solutions Partner for Digital & App Innovation (Azure) certification establishes Aptum’s capability to help customers build, run, and manage applications across multiple clouds, on premises, and at the edge, with frameworks and tools customers choose.
  • As a Microsoft Solutions Partner for Infrastructure (Azure), Aptum is identified as a partner that can help customers accelerate migration of key infrastructure workloads to Microsoft Azure.

Developers Are Fleeing Twitter For Mastodon

Posted in Commentary with tags on January 30, 2023 by itnerd

There’s been a fair amount of news about the fact that users are fleeing Twitter for Mastodon. But what’s now starting to come to light is the fact that developers are doing the same thing. They’re being driven by the ban of third party clients on the platform, and as a result are looking for a new place to call home:

When Twitter quietly updated its developer policies to ban third-party clients from its platform, it abruptly closed an important chapter of Twitter’s history. Unlike most of its counterparts, which tightly control what developers are able to access, Twitter has a long history with independent app makers.

Now, the developers of some Twitter clients are turning their attention to another upstart platform: Mastodon. This week, Tapbots, the studio behind Tweetbot, released Ivory, a Mastodon client based on its longtime Twitter app. Matteo Villa, the developer behind Twitter app Fenix, is testing a Mastodon client of his own called Wooly. Junyu Kuang, the indie developer behind Twitter client Spring, is working on a Mastodon app called Mona. Shihab Mehboob, developer of Twitter app Aviary, is close to launching a Mastodon client called Mammoth.

The one-time Twitter developers join a growing group of independent app makers who have embraced Mastodon, the open-source social network that’s seen explosive growth since Elon Musk took over Twitter. The decentralized service now has more than 1.5 million users across nearly 10,000 servers. That, coupled with Mastodon’s open-source, “API-first” approach, has attracted dozens of developers eager to put their own spin on the service.

I question the number of users on Mastodon that is quoted in the article because an account on Mastodon which tracks the number of users on the platform says this:

But besides that, developers moving to Mastodon will help to grow the platform as it not only gives users more choice in terms of the Mastodon client that they use, but drives innovation of the platform. Those will help to make Mastodon a much better option than Twitter for those who want to be on some form of social media as there’s no innovation going on at Twitter at the moment. And you can only use their client or their web page to see Tweets. And to be frank, Twitter’s native client sucks and third party clients were always a much better option to access Twitter.

Bottom line: You can add this to the list of reasons why Twitter is a train wreck next to a dumpster fire.

Microsoft Posts Report On Last Week’s Outage

Posted in Commentary with tags on January 29, 2023 by itnerd

Last week, Microsoft had a major outage that affected a lot of their services including:

  • Teams
  • Xbox Live
  • Outlook
  • Microsoft 365 
  • Minecraft
  • Azure
  • GitHub
  • Microsoft Store

At the time, Microsoft said that a networking change caused this. And at the time, I said this:

My question for Microsoft, which I hope they answer is what specifically happened and what will they do to ensure that it doesn’t happen again. Microsoft does give some version of this information out, so I for one will be interested to see what they say.

And now Microsoft has a Preliminary Post Incident Review that goes into more detail that answers the questions that I had:

We determined that a change made to the Microsoft Wide Area Network (WAN) impacted connectivity between clients on the internet to Azure, connectivity across regions, as well as cross-premises connectivity via ExpressRoute. As part of a planned change to update the IP address on a WAN router, a command given to the router caused it to send messages to all other routers in the WAN, which resulted in all of them recomputing their adjacency and forwarding tables. During this re-computation process, the routers were unable to correctly forward packets traversing them. The command that caused the issue has different behaviors on different network devices, and the command had not been vetted using our full qualification process on the router on which it was executed.

And this is how they responded:

Our monitoring initially detected DNS and WAN related issues from 07:12 UTC. We began investigating by reviewing all recent changes. By 08:10 UTC, the network started to recover automatically. By 08:20 UTC, as the automatic recovery was happening, we identified the problematic command that triggered the issues. Networking telemetry shows that nearly all network devices had recovered by 09:00 UTC, by which point the vast majority of regions and services had recovered. Final networking equipment recovered by 09:35 UTC.

Due to the WAN impact, our automated systems for maintaining the health of the WAN were paused, including the systems for identifying and removing unhealthy devices, and the traffic engineering system for optimizing the flow of data across the network. Due to the pause in these systems, some paths in the network experienced increased packet loss from 09:35 UTC until those systems were manually restarted, restoring the WAN to optimal operating conditions. This recovery was completed at 12:43 UTC.

And this is how they will stop this from happening again:

  • We have blocked highly impactful commands from getting executed on the devices (Completed)
  • We will require all command execution on the devices to follow safe change guidelines (Estimated completion: February 2023)
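A pre-execution gate of the kind those two remediations describe (refuse known high-impact commands outright, and refuse any command that has not been qualified on the exact platform it will run on, since the PIR notes the same command behaves differently across devices), as an added illustration that is not Microsoft’s code. The command patterns, platform names, qualification records and change-window fields are all assumptions made up for the example.

```python
"""Change gate for network-device commands (constructed example, not Microsoft's tooling)."""
import re
from dataclasses import dataclass, field

# Assumption: commands that can force fabric-wide reconvergence are blocked
# unconditionally, whatever their qualification status.
HIGH_IMPACT = [
    re.compile(r"^clear\s+(ip\s+)?bgp\b", re.I),
    re.compile(r"^clear\s+isis\b", re.I),
    re.compile(r"^reload\b", re.I),
]

# Assumption: qualification matrix keyed by (command template, platform).
# A command is only allowed where it has been tested; absence means "not vetted",
# which is exactly the gap the PIR describes for the IP-address change.
QUALIFIED = {
    ("ip address", "vendorA-core"),
    ("ip address", "vendorB-edge"),
    ("router bgp", "vendorA-core"),
}


@dataclass
class ChangeRequest:
    device: str
    platform: str
    commands: list
    approved_window: bool = True   # safe-change guideline: inside a change window
    canary_passed: bool = True     # safe-change guideline: canary device succeeded


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def template(cmd):
    """Reduce a concrete command to its first two tokens for matrix lookup."""
    return " ".join(cmd.lower().split()[:2])


def gate(req):
    """Evaluate every command in the request; any reason blocks the whole change."""
    reasons = []
    for cmd in req.commands:
        if any(p.search(cmd) for p in HIGH_IMPACT):
            reasons.append(f"{req.device}: '{cmd}' is on the high-impact blocklist")
            continue
        if (template(cmd), req.platform) not in QUALIFIED:
            reasons.append(f"{req.device}: '{cmd}' not qualified on platform {req.platform}")
    if not req.approved_window:
        reasons.append(f"{req.device}: change is outside an approved window")
    if not req.canary_passed:
        reasons.append(f"{req.device}: canary stage has not passed")
    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Same command, two platforms: vetted on one, refused on the other.
    for plat in ("vendorA-core", "vendorC-core"):
        d = gate(ChangeRequest("wan-rtr-01", plat, ["ip address 192.0.2.1/31"]))
        print(plat, "allowed" if d.allowed else d.reasons)
```

The useful property is that the refusal names the platform, so a reviewer sees "not qualified here" rather than a generic denial.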

This is all good, and I really wish that other companies would do the same thing, as you’re more likely to trust a company that is open and transparent. Kudos to you, Microsoft.