Archive for January, 2023

HomePod OS 16.3 Has Been Released And It Activates Hidden Climate Sensors… Here’s What That Looks Like For You

Posted in Tips with tags on January 24, 2023 by itnerd

Today Apple released HomePod OS 16.3. Part of that release is code to activate the temperature and humidity sensors that have been hidden in the HomePod mini since the day it was released in 2020. I believe that Apple intends these to be used to monitor the temperature and humidity in rooms and to run automations based on that. I just updated my HomePod minis and here’s what I saw.

First of all, I noted that it took about 30 minutes per HomePod mini to update, which is a bit longer than I was used to. I have four HomePod minis and I did the update on all of them at the same time to save some time. During the update, I noted that a new tab was added to the Home app:

There’s now a Climate tab that allows you to see what the HomePod mini is detecting in terms of temperature and humidity. But once the update was completed, I wasn’t able to use this right away. Instead, I saw this:

All the temperature and humidity sensors were in a “calibrating” state. That took about 30 minutes to complete. After that, I was able to see this:

Now I don’t have anything like HomeKit compatible fans or anything of the sort, so I can’t use this for anything useful myself, other than perhaps asking Siri what the temperature is in a room. But if you have a HomeKit compatible fan or something of the sort, you can leverage this to turn on a fan if the temperature is too high, or turn on a HomeKit compatible humidifier if the humidity is too low. For what it’s worth, this information will also show up in widgets on the Home Screen in a summary format. Finally, I should note that the new HomePod that Apple is releasing shortly, which I can’t figure out why it exists, has similar functionality. And it is a safe bet that those will ship with 16.3 installed from the factory.

So is this new functionality in the HomePod mini something that you will leverage? Please leave a comment and share your thoughts.

Apple Puts Out A Campaign For Data Privacy Day… While Being Sued For Data Privacy Issues

Posted in Commentary with tags on January 24, 2023 by itnerd

I find it ironic that Apple is celebrating Data Privacy Day, which is January 28th, with a full campaign highlighting that it apparently protects the privacy of its users. But before I get to the ironic part, let’s get to the campaign that Apple is running. First, there are dedicated privacy-focused “Today at Apple” sessions. According to Apple, in these sessions attendees will learn how they can customize each feature based on their individual privacy preferences. Which I suppose is a good thing. You can sign up for the “Taking Charge of Your Privacy on iPhone” session starting today on Apple’s website in the “Today At Apple” section for your country.

Second, there’s a short film that stars Ted Lasso star Nick Mohammed who plays “Nate the Great” on the show:

Now to the ironic part. Apple is currently dealing with a total of three separate lawsuits relating to the lack of privacy on the iPhone. While nothing has been proven in court, it’s clear that the “reality distortion field” is set to full strength at Apple Park, as clearly they don’t see the irony here. Or perhaps their MARCOMM people didn’t really think this through. Or they’re banking on the fact that the average Joe hasn’t heard of the three lawsuits in question. Either way, I am not sure that this is a good look for Apple.

ManageEngine RCE Bug Used For Pwnage By Hackers

Posted in Commentary with tags on January 24, 2023 by itnerd

Zoho ManageEngine has an extremely serious remote code execution (RCE) bug that has apparently been exploited by hackers. Here’s the background that you need to know via Bleeping Computer:

Unauthenticated threat actors can exploit it if the SAML-based single-sign-on (SSO) is or was enabled at least once before the attack to execute arbitrary code.

Last week, Horizon3 security researchers released a technical analysis with proof-of-concept (PoC) exploit code and warned of incoming ‘spray and pray’ attacks.

They found over 8,300 Internet-exposed ServiceDesk Plus and Endpoint Central instances and estimated that roughly 10% of them are also vulnerable.

One day later, multiple cybersecurity companies warned that unpatched ManageEngine instances exposed online are now targeted with CVE-2022-47966 exploits in ongoing attacks to open reverse shells.

Post-exploitation activity seen by Rapid7 security researchers shows that attackers are disabling real-time malware protection to backdoor compromised devices by deploying remote access tools.

All Federal Civilian Executive Branch (FCEB) agencies must patch their systems against this actively exploited bug after it was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, according to a binding operational directive (BOD 22-01) issued in November 2021.

The federal agencies have three weeks, until February 13th, to ensure that their networks are secured against ongoing exploitation attempts.

Although BOD 22-01 only applies to U.S. FCEB agencies, the cybersecurity agency also strongly urged all organizations from private and public sectors to prioritize patching this vulnerability.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise,” CISA said on Monday.

Sylvain Cortes, VP of Solutions, Hackuity had this comment:

“Most worryingly, vulnerabilities such as these are often dangerously accessible to attackers, many of whom are state-backed groups that exploit ManageEngine flaws to target multiple critical national infrastructure sectors, including finance and healthcare.

Threat actors thrive on Remote Code Execution vulnerabilities when the SAML-based single-sign-on (SSO) was or is enabled prior to the attack, in order to execute arbitrary code.

This raises huge security concerns for all Federal Civilian Executive Branch Agencies (FCEB) in particular, who must patch their systems against this bug after it was added to CISA’s Known Exploited Vulnerabilities (KEV) list.

The access that these vulnerabilities provide to threat actors leave hundreds of thousands of users at risk for cyber attacks, malware, social engineering attacks and more. Any interruption to these systems can also have a widespread impact in terms of revenue, loss of reputational damage. Organizations must focus on patching these exposed vulnerabilities as their main priority.”

The fact that CISA is involved shows how serious this is. And it shows that you need to take this seriously as well if you use ManageEngine. Which means that you should ensure that all ManageEngine patches are applied so that you’re not the next victim.

Venafi Announces TLS Protect For Kubernetes

Posted in Commentary with tags on January 24, 2023 by itnerd

Venafi, the inventor and leading provider of machine identity management, today introduced TLS Protect for Kubernetes. As part of the Venafi Control Plane for machine identities, TLS Protect for Kubernetes enables security and platform teams to easily and securely manage cloud native machine identities, such as TLS, mTLS and SPIFFE, across all of an enterprise’s multi-cloud and multi-cluster Kubernetes environments. By delivering increased visibility, control and automation over machine identity management within more complex cloud native infrastructures, it helps enterprises improve application reliability and reduce development and operational costs. 

Built with a fully supported version of the cert-manager open source project – the de facto cloud native solution designed by Jetstack, a Venafi company, for developers to automate TLS and mTLS certificate issuance and renewal – TLS Protect for Kubernetes provides in-cluster observability to identify and remediate security risks stemming from poorly configured certificates, and offers options for security controls over certificate issuance to meet the security team’s policy for enforcing trust. It also includes a management interface that provides full visibility of publicly trusted certificates for ingress TLS, as well as private certificates for inter-service mTLS for pod-to-pod and service mesh use cases. By building a detailed view of the enterprise security posture across multiple clusters and cloud platforms, including certificates that have been manually created by developers, it proactively identifies operational issues, which helps platform teams maintain cluster integrity and prevent outages.

Features in TLS Protect for Kubernetes include:

  • Observability – Through a comprehensive web-based management interface, security and platform teams can easily discover machine identities used across all clusters, including alerts on machine identity management infrastructure health, compliance and configuration. It provides an instant visual status of all workload certificates, including their association with Kubernetes resources and X.509 certificate configurations. This includes certificates that have been manually created by developers. The interface works as both a cluster monitoring and machine identity management tool to identify potential security holes, such as unauthorized workloads, and proactively recommend fixes for identified cluster configuration errors.
  • Consistency – TLS Protect for Kubernetes enforces machine identity policy for TLS, mTLS and SPIFFE VID across all clusters based on enterprise security policies and ensures the proper version of cert-manager is used and configured consistently.
  • Reliability – The product integrates natively with Kubernetes environments to ensure performance and scalability, including a commercially supported, FIPS 140-2 compliant and signed version of the open source cert-manager project to provide enterprise-grade machine identity management across Kubernetes environments. As each new cluster is created, security teams can empower platform teams by using TLS Protect for Kubernetes to automatically bootstrap a fully supported and hardened version of cert-manager with each new cluster. This delivers better consistency for the way security tooling is managed across multi-cluster environments and reduces the risk of security drift for production environments.
  • Freedom of Choice – TLS Protect for Kubernetes supports multi-cloud configurations, cloud platform providers and Kubernetes distributions. It also integrates with popular secrets vaults and other DevOps and cloud native solutions.

TLS Protect for Kubernetes is generally available today to all customers. To learn more about the new product, please visit https://venafi.com/tls-protect-for-kubernetes/ or join the upcoming “Using Venafi for policy and control of certificate lifecycle management in Kubernetes” webinar on February 23 at 8:00am PST/11:00am EST/4:00pm GMT. Register for the webinar at https://trust.venafi.com/automate-certificate-policy-in-kubernetes/

Nozomi Networks Delivers The Industry’s First OT and IoT Endpoint Security Sensor 

Posted in Commentary with tags on January 24, 2023 by itnerd

Nozomi Networks Inc., the leader in OT and IoT security, today introduced Nozomi Arc™, the industry’s first OT and IoT endpoint security sensor designed to exponentially speed time to full operational resiliency. Built to automatically deploy across large numbers of sites and devices anywhere an organization needs visibility, Nozomi Arc adds crucial data and insights about key assets and network endpoints. This data is used to better analyze and deter threats, as well as correlate user activity, all without putting a strain on current resources or disrupting mission-critical networks. 

Arc is a game-changer when it comes to complete asset visibility, deployment speed and reach across complex and remote OT and IT networks. Nozomi Arc is designed to:

  • Analyze endpoint vulnerabilities;
  • Identify compromised hosts;
  • Be deployed remotely; and
  • Accelerate monitoring deployments in mission critical systems.

According to the most recent SANS ICS security report, two of the biggest challenges facing security professionals center on the lack of security resources and the inability to track industrial control devices and applications. Nozomi Networks Arc is purpose-built to address both issues, while complementing the network-based analysis provided by Nozomi Networks’ Vantage and Guardian platforms. 

With Nozomi Arc, users benefit from:

Faster Time to Resiliency: Nozomi Arc eliminates time, resource, geographic and internal policy constraints that come with network-based deployments. It gets new sites online quickly and makes it possible to monitor and analyze once unmanaged or unreachable connections and networks. 

Lower Cyber Risk and Increased Security: Nozomi Arc is the only OT solution in the market to detect malicious hardware. It’s the first solution to provide continuous visibility into (active and inactive) network assets and key endpoint attributes, as well as information about who is using them. With access to the full attack surface of host systems, Arc provides more complete threat analysis and monitors more potential attack entry points than is possible with a network-based sensor alone. Additional points of visibility include attached USB drives and log files.

Extended Visibility and Context: In addition to shining a light on more assets and devices and potential vulnerabilities, Arc identifies process anomalies as well as any suspicious user activity. This reduces the potential for insider threats or compromised hosts. Arc also adds continuous monitoring capabilities for endpoint assets, monitoring that is not possible with network sensors alone.

Lower Operational Overhead: Because Arc can be deployed remotely via software download, Nozomi Arc does not require extensive network changes to be deployed anywhere in the world – even the most remote location. There is no administrative overhead to manage thousands of endpoints across multiple sites. Deployments can be automated across environments, whether they are installed as part of a standard operating environment or periodically deployed to collect data and then removed. 

Nozomi Arc is available now via subscription from Nozomi Networks and its extensive global network of channel partners. Pricing is based on the number of assets monitored. 

For more information:

Read the Blog: Get More Insight into Endpoint Activity and Threats with Nozomi Arc 

Read the Product Overview: Nozomi Arc

Guest Post: Nearly 90% of the Pentagon supply chain fails basic cybersecurity requirements

Posted in Commentary with tags on January 24, 2023 by itnerd

The first-ever thorough analysis of the state of cybersecurity of the US defense industrial base (DIB) reveals that nearly 90% of its contractors do not meet the required security standards.

Defense contractors possess sensitive national security information and are being constantly targeted with sophisticated hacking operations led by state-sponsored hackers.

The in-depth analysis of the Pentagon supply chain was commissioned by CyberSheath, a cybersecurity compliance service provider, and was carried out by Merrill Research, a leader in providing custom, multi-methodological research services. Access the State of The Defense Industrial Base Report here

The survey questioned 300 US-based DIB contractors via an online survey in July 2022.

The supply chain of the departments in question was evaluated using the Supplier Risk Performance System (SPRS), which is the DoD’s single, authorized system to retrieve supplier security performance information.

Contractors who do not possess an SPRS score of 70 or higher are deemed non-compliant with the Defense Federal Acquisition Regulation Supplement (DFARS) criteria.

The DFARS is a set of cybersecurity regulations the DoD imposes on its contractors. The DFARS, which has been in effect since 2017, demands a score of 110 to be considered fully compliant.

Data presented by Atlas VPN shows that a startling 89% of contractors have an SPRS score of less than 70, which means that they do not meet the legally required minimum.  

Over 25% of the supply chain received SPRS scores between -170 and -120, while only 11% of surveyed contractors received a score that is regarded as compliant.

The research conclusions show a clear and present risk to US national security.

These findings should not be easily overlooked, considering the current global political tensions and the constant barrage of attacks from state-sponsored hackers.

Areas of non-compliance

Approximately 80% of the DIB does not monitor its systems 24/7/365 and does not use security monitoring services headquartered in the United States. Using foreign cybersecurity services carries a risk of its own.

Other flaws were discovered in the following areas:

  • 80% do not have a vulnerability management system.
  • 79% do not have a robust multi-factor authentication (MFA) system in place, and 73% do not have an endpoint detection and response (EDR) solution.
  • 70% of organizations have not implemented security information and event management (SIEM).

These security measures are legally required of the DIB, and if they are not in place, the DoD and its capacity to undertake armed defense face a major danger.

To read the full article, head over to: https://atlasvpn.com/blog/nearly-90-of-the-pentagon-supply-chain-fails-basic-cybersecurity-requirements

Apparently Trump Wants To Ditch His Own Social Media Company To Go Back To Twitter

Posted in Commentary with tags on January 24, 2023 by itnerd

Former President Donald Trump apparently wants to go back to Twitter so badly that he wants to ditch the social media company that he helped to found, which of course is Truth Social, to do it. Mind-blowing, isn’t it? But according to Rolling Stone, he can’t, at least not yet, and here’s why:

When Trump first founded Trump Media & Technology Group (TMTG), he agreed to a “social media exclusivity term” that required him to “first channel any and all social media communications” to his Truth Social account for six hours before posting the content to other platforms, according to SEC filings.

Since late last year, former President Trump has informed several people close to him that he doesn’t want to re-up the exclusivity agreement with his social media company, Truth Social, two sources familiar with the matter tell Rolling Stone. “There’s not going to be a need for that,” is how one of the sources recalls Trump describing his soon-to-expire contractual obligation. 

The 18-month term of that requirement is up in June — right as the Republican primary is expected to begin heating up. After that, Trump’s exclusivity term would automatically renew for six month periods “unless notice is given.” In the event his exclusivity term expires, Trump would still be “required to post contemporaneously to Truth Social.”

“He said there’s an expiration date and that he didn’t want to make commitments,” the other source says. 

Asked whether Trump planned to continue to make Truth Social his exclusive social media home, a company representative directed Rolling Stone to a recent appearance by TMTG CEO Devin Nunes on Newsmax where the former California congressman said Trump “has no interest in going back to Twitter.” 

Sure he doesn’t. But assuming that he’s going to try and run for president again, Truth Social isn’t going to cut it as a means to get his message out there. Thus he needs Twitter. And it should be pointed out that Twitter needs him, and more importantly his followers, a lot more than Trump needs Twitter. Having his followers follow Trump to Twitter would be the sort of shot in the arm that Twitter desperately needs to survive. But I am not sure that having to wait until June for Trump to return would help Twitter. Thus you have to wonder if Elon Musk is going to offer some sort of incentive to get Trump to jump ship earlier. After all, Elon is a desperate guy these days.

Bumble & Netflix Team Up To Help You Find The Date You’ve Been Watching For 

Posted in Commentary with tags on January 23, 2023 by itnerd

Bumble, the women-first dating and social networking app, and Netflix have teamed up to help members Find the Date You’ve Been Watching For. The campaign inspires the well-watched to celebrate the shows they love while building connections over their Netflix knowledge in a new way.

Beginning January 30, the Bumble community can put their insider knowledge to the test by playing a Netflix-themed Question Game, “Netflix Nights In”, with their matches around some of Netflix’s biggest shows including Emily in Paris, Stranger Things, Squid Game, Selling Sunset, Love is Blind, Outer Banks and more. The Bumble community can also expect to see some familiar faces in-app and on social, such as Emily in Paris’ Ashley Park, Alexa Lemieux of Love is Blind, and Selling Sunset’s Amanza Smith, as each week’s questions will be introduced by someone from the corresponding show.

Much like being well-traveled or well-read can lead to a conversation over shared interests, being well-watched can be a catalyst for making new connections. According to Netflix, members watch an average of six different genres a month, and a recent Bumble survey found that 53% of Canadian respondents agree that it’s easier to talk to matches or dates if they’ve watched the same movies or TV shows, and 56% of Canadians surveyed are more likely to match with someone if they mention a TV show or movie they like on their profile. *

Bumble’s “Netflix Nights In” Question Game requires both people who have matched to answer the question before responses are revealed. Bumble also shared that the percentage of good chats is higher when the Question Game is played.

“Netflix Nights In” will be available each Monday in the Bumble app in the US, Canada, and the UK through March 13.

Is Twitter Down To 1300 Full Time Employees?

Posted in Commentary with tags on January 23, 2023 by itnerd

According to a report from CNBC, Twitter is down to 1,300 full-time employees after Elon Musk took the axe and started to randomly swing it:

Twitter’s full-time headcount has dwindled to approximately 1,300 active, working employees, including fewer than 550 full-time engineers by title, according to internal records viewed by CNBC. Around 75 of the company’s 1,300 employees are on leave including about 40 engineers.

The company’s trust and safety team, which makes policy recommendations, design and product changes with the aim of keeping all of Twitter’s users safe, is down to fewer than 20 full-time employees.

Elon clearly is sensitive about this as he Tweeted that the report was incorrect:

The thing is that Elon offered no proof of anything that he said. CNBC, on the other hand, saw documents that allowed them to write this story, which means that they thought the proof was good enough to go to press, so to speak. That gives the believability factor to CNBC. Though I will point this out. Doing some quick math, I see this:

  • If you take CNBC’s numbers at face value, Twitter’s current staff is less than 20% of the 7,500 employees that the company had before Musk’s buyout.
  • If you take Musk’s numbers at face value, the company has retained about 30% of its employees.

Honestly, neither of those numbers look good if you’re Elon. And I can see why Elon might be a wee bit sensitive about this topic as the clear implication is that he’s cut so close to the bone that bad things are going to happen. I suspect that we’ll see who’s right very shortly.

One-Year Report On The Uber / UFCW Canada Agreement Is Out

Posted in Commentary with tags on January 23, 2023 by itnerd

This week marks one year since Uber Canada and UFCW Canada signed an agreement to give over 100,000 workers on the Uber platform access to representation, and to advocate to provincial governments for new benefits and protections for all app-based workers. As a reminder, the benefits Uber is jointly advocating for are a 120% minimum earning standard, a benefits fund, notice of termination, health and safety protections, and access to workers’ rights.

Today, Uber is releasing a report that shows how this agreement has been working for drivers and delivery people over the last year. Key highlights are:

  • Through representation services offered by the agreement, UFCW Canada filed cases on behalf of 794 workers. 
  • Of those cases, 201 had a positive resolution. 72 workers regained access to the platform and 129 had an account-related issue resolved. 

I’m also sharing a couple of stories from drivers who were helped through the agreement:

Waseem from Ontario

Waseem came to Canada from Pakistan in 2003 and lives in Mississauga with his family. He’s been driving with Uber for the last six years because he gets to work for himself and does not have a fixed schedule. He also enjoys meeting people and likes how professional and easy the app is to use. In the summer of 2022, Waseem got a new vehicle and was having difficulty uploading his insurance documents. The app eventually blocked him and deactivated his account due to potential fraud. This resulted in seven weeks without earnings. Waseem turned to UFCW Canada and they helped him resolve the issue by working with his insurance company and with Uber. Now he’s back on the Uber platform with his new vehicle.

Sandeep from BC 

Sandeep has lived in Surrey, BC with his family since 2019. He started driving with Uber during the pandemic because he likes the flexible schedule and is able to make a good earning. Last year, his account was deactivated due to a misunderstanding with a rider and their drop off location. Sandeep was having a hard time getting his account reactivated through Uber’s support channels. He received an email from Uber about its agreement with UFCW. He contacted UFCW who helped take his case to Uber, and after a couple of months, his account was reactivated. Now he’s happy to be back on the road.