Archive for January 12, 2023

States Introduce New Privacy Laws… With Different Ways That They Are Applied

Posted in Commentary with tags on January 12, 2023 by itnerd

From the start of the new year, we’ve seen the introduction of new privacy laws in California and Virginia. The new legislation in California brings changes to the existing 2018 California Consumer Privacy Act, and Virginia is currently the only other state to also bring in new privacy laws. But they won’t be the last. Connecticut’s and Utah’s privacy laws both come into effect later this year, with Colorado following in 2024. Thus it seems that the ball is starting to roll when it comes to ensuring that privacy is the default in the US. Though there appears to be a lot of variance in how these laws are applied.

Wade Barisoff, Director of Product, Data Protection, at cybersecurity software and services provider Fortra had this comment:

“As new states contemplate their own flavors of data privacy legislation, the only consistency will be the fact that each new law is different. We are already seeing this now; for example, in California, residents can sue companies for data violations, whereas in others it’s their attorney general’s offices that can impose the fines. In Utah, standards apply to fewer businesses compared to other states. As each state seeks to highlight how much they value their citizens’ rights over the next, we’ll see an element of (for example), ‘What’s good for California isn’t good enough for Kansas’ creep in, and this developing complexity will have a significant impact on organizations operating across the country. 

Before GDPR there were (and still are) many different country laws for data privacy. GDPR was significant, not because it was a unifying act that enshrined the rights of people and their digital identities to govern how their data could be handled, but it was the first legislation with real teeth. Fines for non-compliance were enough to force companies into action. 

So far, five states have (or will have) individual laws, but there are 45 more yet to come. The amount of money and time companies will spend enacting the proper controls for these individual privacy laws fuels the argument for a more unified national approach to data privacy standards, as the penalties for non-compliance are significant. Also, as states begin to increase the demands on business, usually without fully understanding the technology landscape and how businesses work with shared and cloud-based technologies, there’s a potential that companies will be forced to make the decision not to conduct business in certain areas. A national approach would allow businesses to tackle data privacy once, but as it stands, with the federated states model, doing business within the U.S. is likely to get more complicated and expensive.”

Hopefully, there will be a move to have a consistent standard for privacy laws across the US, as that benefits consumers and companies. Though I fear that such a move is years away, which is bad for both parties.

Hackers Continue to Abuse Microsoft Customer Voice in Phishing Campaign – But With a Twist

Posted in Commentary with tags on January 12, 2023 by itnerd

A few months ago, researchers at Avanan, a Check Point Software Company, wrote about how hackers are utilizing Microsoft’s Dynamics 365 Customer Voice platform to send phishing links.

Avanan has released its latest blog on how hackers are changing up their tactics with a new variation of this attack that continues to leverage Microsoft Dynamics 365 Customer Voice.

This email campaign starts with what appears to be a new document (a fax notification) sent from SharePoint, alerting the user that the document contains “particularly sensitive or confidential information” and will expire in 14 days. Following the prompts directs end users to a OneDrive look-alike page where login credentials are entered and stolen.

You can read about the evolution of this attack here.

Aptum Acquires CloudOps

Posted in Commentary with tags on January 12, 2023 by itnerd

Aptum, a hybrid multi-cloud managed service provider, today announced its acquisition of CloudOps, a Montreal, Canada-based cloud consulting, managed services and software company focused on open source, cloud native platforms, networking and DevOps. This strategic acquisition will further enable Aptum to deliver comprehensive hybrid multi-cloud solutions and services, which include advanced cloud migration services and DevOps, to its customers in 43 countries. 

CloudOps has grown from an operations managed services shop since 2005 to a leader in cloud computing, cloud networking, and DevOps solutions. Aptum intends to retain a separate CloudOps unit within its business, and to combine select teams — including the Advisory and Consulting Services, Support Services and DevOps — to provide strengthened, streamlined solutions and services to customers. 

CloudOps’ leadership teams and employees will join with Aptum; its headquarters will remain in Montreal. 

Aptum will enhance its Hybrid Cloud Management Portal by leveraging CloudMC’s API-driven, modular and extensible, edge orchestration platform. It will accelerate the existing development of a single pane of glass for hybrid multi-cloud workload management.

Additionally, the amalgamation of resources from both companies will extend product opportunities across multiple sectors beyond telecommunications to include technology and business services, media and communications, retail, financial services, manufacturing, energy and utilities, hospitality, education, and transportation, among others. This acquisition will fortify Aptum’s vendor-agnostic approach, solutions, and services in Canada, the U.S. and the U.K. across multiple clouds including Azure (Aptum recently earned the Microsoft Azure Expert MSP Certification), AWS, Google, Hypertec Cloud and Cox Edge.

The transaction was completed on January 5, 2023. Terms of the deal will not be disclosed.

Car Companies Have Not Learned That They Need To Focus On Making Their Cars Secure….. Sigh

Posted in Commentary with tags on January 12, 2023 by itnerd

For years I’ve argued that the auto industry has to step up its game in terms of security or something serious is going to happen to car owners. The best example of this that I can think of is when researchers took control of a Jeep remotely and were able to gain complete control of the car. That led to a recall to fix this, along with a class action lawsuit and Senate action. But clearly this continues to be an issue. Case in point is this work by Sam Curry.

We brainstormed for a while, and then realized that nearly every automobile manufactured in the last 5 years had nearly identical functionality. If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely.

At this point, we started a group chat and all began to work with the goal of finding vulnerabilities affecting the automotive industry. Over the next few months, we found as many car-related vulnerabilities as we could. The following writeup details our work exploring the security of telematic systems, automotive APIs, and the infrastructure that supports it.

I really encourage you to read this. It’s not eye-opening to me, but you’ll be shocked by what Curry has discovered and how many companies are affected by API vulnerabilities. Giora Engel, the CEO and Co-Founder of Neosec, has this commentary:

“APIs are used to connect virtually every business and today they are largely unprotected. For most organizations they don’t even have an inventory of which APIs they created and expose to the outside and have no idea if any API is being abused. The reality is that for most businesses, the impact of API vulnerabilities and any abuse of that API results in data theft or monetary loss, which are certainly damaging. But in an automotive vehicle, the problem of abuse of any API is potentially physically dangerous to drivers on the road. Protecting APIs from behavioral abuse in the automotive industry is no longer optional. It is essential.”

Honestly, the car makers in this blog post by Sam Curry really need to up their game. Because if you buy a car, you should be assured that it is safe from being pwned by hackers. And what really bothers me is that the Jeep hack was in 2015. Thus you would have thought that this would be either less of an issue or a non-issue by now. But I guess I expect too much from car makers who clearly don’t have security as their top priority.