Archive for August, 2023

New York City Transit Has A Flaw Where You Can Be Tracked Via Your Credit Card Number… And Apple Pay Is Affected By This Flaw

Posted in Commentary with tags on August 31, 2023 by itnerd

From the “what the actual hell” department comes this story from 404 Media: a flaw in the New York City transit fare system allows anyone to track a rider if they know that rider’s credit card number and expiry date.

In the mid-afternoon one Saturday earlier this month, the target got on the New York subway. I knew what station they entered the subway at and at what specific time. They then entered another station a few hours later. If I had kept monitoring this person, I would have figured out the subway station they often start a journey at, which is near where they live. I would also know what specific time this person may go to the subway each day. 

During all this monitoring, I wasn’t anywhere near the rider. I didn’t even need to see them with my own eyes. Instead, I was sitting inside an apartment, following their movements through a feature on a Metropolitan Transportation Authority (MTA) website, which runs the New York City subway system.

With their consent, I had entered the rider’s credit card information—data that is often easy to buy from criminal marketplaces, or which might be trivial for an abusive partner to obtain—and punched that into the MTA site for OMNY, the subway’s contactless payments system. After a few seconds, the site churned out the rider’s travel history for the past 7 days, no other verification required.

That’s bad, to say the least. But what makes this worse is that Apple Pay, which is supposed to be immune from this sort of attack, is affected by this:

404 Media found that MTA’s trip history feature still works even when the user pays with Apple Pay. Apple told 404 Media it does not store or have access to the used card numbers, and does not provide these to merchants, including transit systems. Apple did not respond when asked to clarify how the MTA website feature works when a rider uses Apple Pay.

This is unacceptable because Apple advertises Apple Pay as being safer to use than your credit card: Apple is supposed to provide a one-time, unique representation of your credit card to the merchant, and through some magic on the back end it’s supposed to reconcile everything to your actual card. In short, the merchant should not have access to your actual card number. But in this case they clearly do. So is Apple lying about how Apple Pay works? That sounds harsh, but it’s a question one must ask based on the facts above. And it would be in Apple’s interest to answer it quickly and transparently.
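To make the design flaw concrete, here is an added illustration (my code, not 404 Media’s or the MTA’s): a trip-history lookup keyed only on card number and expiry, beside an assumed account-bound version and a detection for one source querying many cards. The riders, cards, stations and timestamps are constructed sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Trip:
    station: str
    entered_at: str  # ISO-8601 local time; constructed sample value


# Constructed sample data: one rider, one card, the rider's trips over the past
# week. 4111 1111 1111 1111 is a well-known test card number, not a real one.
TRIP_HISTORY = {
    "card-1": [
        Trip("Atlantic Av-Barclays Ctr", "2023-08-12T15:07"),
        Trip("Times Sq-42 St", "2023-08-12T19:41"),
    ],
}
CARD_INDEX = {("4111111111111111", "12/25"): "card-1"}  # (PAN, expiry) -> card


def trip_history_by_card(pan: str, expiry: str) -> list:
    """The flawed design described in the post: the card number and expiry are
    the only credential. Both are routinely known to people other than the
    cardholder (breach dumps, receipts, an abusive partner), so this endpoint
    is effectively unauthenticated."""
    card_id = CARD_INDEX.get((pan, expiry))
    return TRIP_HISTORY.get(card_id, [])


# Assumed hardened design (not the MTA's): a card is linked to a rider account at
# registration, and history is served only to a server-issued session of the
# account that owns the card. Card data never acts as the authenticator.
ACCOUNT_CARDS = {"rider-42": {"card-1"}}  # account id -> linked card ids
SESSIONS = {"sess-abc": "rider-42"}       # session id -> account id


def trip_history_for_session(session_id: str, card_id: str) -> list:
    account = SESSIONS.get(session_id)
    if account is None:
        raise PermissionError("no valid session")
    if card_id not in ACCOUNT_CARDS.get(account, set()):
        raise PermissionError("card is not linked to this account")
    return TRIP_HISTORY.get(card_id, [])


class LookupMonitor:
    """Detection for any endpoint still keyed on card data: one source asking
    about many distinct cards inside a short window is enumerating, not riding.
    Only the last four digits are kept, so the audit trail holds no full PAN."""

    def __init__(self, max_distinct_cards: int = 3, window_s: int = 3600):
        self.max_distinct_cards = max_distinct_cards
        self.window_s = window_s
        self._events = defaultdict(deque)  # source -> deque of (ts, last4)

    def record(self, source: str, pan: str, now: float = None) -> bool:
        """Log one lookup from `source`; return True if it should be flagged."""
        now = time.time() if now is None else now
        events = self._events[source]
        events.append((now, pan[-4:]))
        while events and now - events[0][0] > self.window_s:
            events.popleft()  # drop lookups older than the window
        distinct = {last4 for _, last4 in events}
        return len(distinct) > self.max_distinct_cards


if __name__ == "__main__":
    print(trip_history_by_card("4111111111111111", "12/25"))  # flawed: data out
    print(trip_history_for_session("sess-abc", "card-1"))      # owner's session
    monitor = LookupMonitor()
    for last4 in ("1111", "2222", "3333", "4444"):
        print(last4, "flagged" if monitor.record("203.0.113.9", last4) else "ok")
```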

An Update To A Bell HH4000 Firmware Update Breaking Advanced DMZ Functionality For Yours Truly

Posted in Commentary with tags on August 31, 2023 by itnerd

Earlier this week a firmware update that was pushed to my HH4000 modem, which powers my Bell Fibe Internet, broke the ability to use the Advanced DMZ functionality that I have been using for almost a year now. That forced me to resort to a double NAT setup, which was not ideal. But it kept me from being killed by my wife.

At the time I figured that there was some sort of issue between that firmware and an ASUS firmware update that came out in May that caused similar issues. Now I am not so sure about that. Instead, my current theory is that Bell might have changed something about how the Advanced DMZ functionality works, which caused this setup to break. I say that because Bell doesn’t put out release notes for their firmware updates. And even if they did, there’s no way to block firmware updates from happening or roll them back if you don’t like what you read. So you’re kind of at the mercy of Bell. But to be fair, that’s true for Rogers as well as any other ISP.

In any case, back to my experience since this firmware update came out. I have things working now. And this is how I did it:

  • Go to 192.168.2.1 using a browser and be prepared to type in your HH4000 password
  • Click on “Advanced Tools and Settings”
  • Click on “DMZ”

At this point I removed my router from the “Active Device” section, as illustrated in the picture below, by clicking the “x” to the right of the device:

Once I did that, I removed the checkmark next to “Advanced DMZ”, turned off “DMZ” and clicked save. Then I rebooted the HH4000. After that, I did the following, which, by the way, will eventually become my new recommendation for how to enable the Advanced DMZ functionality once I get around to rewriting the instructions:

  • Go to 192.168.2.1 using a browser and be prepared to type in your HH4000 password
  • Click on “Advanced Tools and Settings”
  • Go to “DHCP” and ensure that your router has a 192.168.2.xxx IP address.
  • Click “Cancel”
  • Click on “DMZ”
  • Turn on “DMZ”
  • Put a checkmark next to “Advanced DMZ”
  • Under the word “Device”, find the MAC (Media Access Control) address for your router. That address usually looks something like this: 2C:54:91:88:C9:E3, and it is likely printed on the back or bottom of your router. Once you find it, click the “>” so that there is not only a checkmark next to it (as is the case with the first item in the screenshot), but it also gets copied to the right, as pictured in the screenshot under the words “Active Device”. Alternately, you can look for the IP address that you confirmed earlier to find it.
  • Click save.

At this point, pull the power to the HH4000 and wait a minute or two before plugging it back in.
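As an added check (my code, not Bell’s or from this post), here is how to confirm after those steps whether your router actually holds the public address or is still double-NATed behind the HH4000. It assumes you can read the WAN address from your router’s status page and the public address from any “what is my IP” service; the 192.168.2.0/24 range is the Home Hub LAN from the steps above.

```python
import ipaddress

# Ranges that can never be a public WAN address. Listed explicitly instead of
# using ipaddress.is_private, whose meaning changed across Python versions and
# which does not count the carrier-grade NAT range 100.64.0.0/10 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")
HH4000_LAN = ipaddress.ip_network("192.168.2.0/24")  # Home Hub LAN per the steps above


def address_kind(ip: str) -> str:
    """Classify an address as rfc1918, cgnat, local, public or ipv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return "ipv6"
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    if addr in CGNAT:
        return "cgnat"
    if addr.is_loopback or addr.is_link_local:
        return "local"
    return "public"


def nat_status(router_wan_ip: str, public_ip: str) -> tuple:
    """Compare the WAN address shown on your router's status page with the
    address the internet sees (any 'what is my IP' service).
    Returns (status, explanation)."""
    wan = ipaddress.ip_address(router_wan_ip)
    kind = address_kind(router_wan_ip)
    if kind == "rfc1918":
        where = "the HH4000's own LAN" if wan in HH4000_LAN else "a private range"
        return ("double-nat",
                f"router WAN {router_wan_ip} is in {where}: the Home Hub is still "
                "NATing for your router, so Advanced DMZ did not take effect")
    if kind == "cgnat":
        return ("cgnat",
                f"router WAN {router_wan_ip} is carrier-grade NAT space; "
                "the ISP, not the Home Hub, is translating")
    if kind in ("ipv6", "local"):
        return ("unknown", f"{router_wan_ip} is not a usable IPv4 WAN address")
    if wan == ipaddress.ip_address(public_ip):
        return ("advanced-dmz",
                f"router holds the public address {public_ip}: "
                "Advanced DMZ is passing it through")
    return ("mismatch",
            f"router WAN {router_wan_ip} is public but the internet sees {public_ip}; "
            "check for a VPN or another gateway in the path")


if __name__ == "__main__":
    # Constructed values; 198.51.100.7 stands in for a real Bell public address.
    for wan, seen in (("192.168.2.15", "198.51.100.7"), ("198.51.100.7", "198.51.100.7")):
        print(*nat_status(wan, seen))
```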

That’s what enabled me to get my setup working without issues. Again, that implies to me that Bell changed something in this firmware. But like I said earlier, I have no way of confirming this. Thus, why this happened in the first place is still a bit of a mystery to me.

A request to Bell users who have the Advanced DMZ setup and an HH4000: did this firmware update break things for you? Or was it a non-issue? I’d love to know, to see if I am an edge case or if there’s something going on here. Please leave a comment and share your experience.

78% of healthcare orgs experience cybersecurity events: Claroty 

Posted in Commentary with tags on August 31, 2023 by itnerd

Claroty has reported in its 2023 Global Healthcare Cybersecurity Study that 78% of surveyed healthcare professionals experienced at least one cybersecurity incident in the past year; of those, 60% reported a moderate or substantial impact on care delivery and 30% reported sensitive data being impacted.

Also noteworthy is that more than 25% of organizations that experienced ransomware attacks paid the ransom, with more than a third reporting upwards of $1 million in recovery costs.

Meanwhile, 51% of respondents globally reported an increase in security budgets over the last year and intend to prioritize the following threats:

  1. Patching medical device vulnerabilities  
  2. Improving asset inventory management  
  3. Segmenting medical devices

“As healthcare organizations undergo digital transformation and technological innovation revolutionizes the industry, regulatory requirements become increasingly complex and are frequently evolving. Keeping up with standards and understanding guidelines can be challenging, but the survey shows that organizations hold these regulations in high regard and value the guidance,” the report noted.

Jan Lovmand, CTO, BullWall had this to say:

   “With 78% of healthcare operators reporting at least one cybersecurity incident in the past year, this is a full-on battle. Ransomware attacks on healthcare facilities pose a grave threat to public health and safety. These assaults not only shut down delivery of critical medical services, causing delays in essential surgeries and treatments that jeopardize patients’ lives, but they also breach the sanctity of sensitive patient data. The aftermath of such attacks can be catastrophic, leaving hospitals grappling to recover their data and regain control over their systems. Whether the ransom is surrendered or not, the toll in both financial losses and compromised patient care deals a crippling blow to these already strained institutions.”

   “Hospitals and healthcare organizations have a bullseye painted on them in the eyes of cybercriminals. A heavy reliance on technology to manage a huge range of functions, from patient records to surgical equipment, provides a vast attack surface of uniquely susceptible targets. This vulnerability is further exacerbated by their meager resources allocated for bolstering cybersecurity defenses. However, with ransomware showing no sign of abating, it is imperative to invest in countermeasures that can stop these attacks without necessitating a complete shutdown of IT systems and healthcare services. A good Ransomware containment defense and off-site backups are table stakes.”

Dave Ratner, CEO, HYAS adds this comment:

   “This attack further proves that no one should consider themselves safe from being targeted. We live in a world where every organization can and will be breached, and the only solution is to focus on proper operational resiliency, business resiliency, and business continuity.  As part of this, visibility and observability into anomalies on the network and the early detection of the digital exhaust from a breach is critical so that an attack can be detected, mediated, and rendered inert before widespread damage ensues. CISA and the NSA don’t just recommend Protective DNS for governments and critical infrastructure — it’s increasingly clear that this is a vital component for every organization and network.”

This report paints a very scary picture. And it’s a picture that needs to change before 78% of healthcare organizations getting pwned goes to 100% of healthcare organizations getting pwned.

Fisker Releases Additional Details for Fisker Pear

Posted in Commentary with tags on August 31, 2023 by itnerd

Fisker Inc. today released additional details on the Fisker PEAR, an innovative and affordable crossover priced at $29,900.

Fisker PEAR 2023

Fisker showcased PEAR, which is planned to be built in the US in collaboration with Foxconn at a factory in Ohio, on August 3 at the company’s first-ever Product Vision Day.

Fisker has also announced that a production-intent PEAR will be exhibited publicly at the Fisker Lounge Munich (Kaufingerstrasse) on September 4-10, concurrent with the IAA Mobility 2023 event in Munich.

The PEAR uses a new light steel body structure; Fisker’s engineering and design departments have worked on reducing the parts count by 35%. The approximately 15-foot-long (4550 mm) vehicle is smaller than the Fisker Ocean SUV, which began deliveries in 2Q 2023. It features a unique Houdini trunk that enables owners to load and unload in tight street parking situations and to avoid damage in parking structures with low ceilings. The trunk lid and glass move down behind the rear bumper beam and are therefore protected in case of a rear crash. (The Houdini trunk was activated at slow speed on Aug. 3 to allow the feature to be captured on video; the production version will move up and down at high speed.)

Additional features include a drawer-like front boot, or “froot,” that could be used to store anything from delivery pizza to sweaty workout gear, thereby keeping odors out of the cabin; it will be offered with an insulated option to keep food hot or cold. The cabin itself is designed to be extremely durable, with no fragile moving parts – excellent for car-sharing applications, busy families with kids or people who like a lot of storage space everywhere.

The PEAR will also have a Lounge Mode, with all seats folding flat including the rear seat folding backwards into the trunk area, to create a large lounge space for watching a movie or taking a rest. PEAR will come with an optional 17.1-inch rotating screen for entertainment in Lounge Mode. The five-seat vehicle will have an option to seat six people, with a large two-seat bench replacing the single front passenger seat and center console.

The interior will feature recycled and bio-based materials to help make PEAR a leader in sustainability in its segment. The PEAR will also be the basis of Fisker’s aim to create a carbon neutral vehicle by 2027. The vehicle has been presented in its final production form, except for the exterior camera mirrors, which are still under review.

Two battery options will provide an estimated range of either 180 miles, aimed at being the lightest and most sustainable version, or an estimated 320 miles for longer trips (320-560 km WLTP estimate)*. The vehicle is projected to deliver a base 0-60 mph time of 6.3 seconds and a 0-100 km/h time of 6.8 seconds. The PEAR will be offered in both rear-wheel and all-wheel drive, ride on standard 20-inch wheels with low rolling resistance tires, and be available with optional 22-inch wheels with high performance tires. A high-performance variant, the Fisker PEAR Extreme, will also be in the lineup.

The PEAR will be the first Fisker vehicle to implement the company’s in-house-designed High-Performance Computer, the Fisker Blade, that will offer a completely new connected and digital customer experience for the era of software-defined vehicles. Built to be fast, energy-efficient, safe, and cybersecure, the Fisker Blade is packaged in a slim, modular, and fully upgradable unit. The Fisker Blade delivers up to 6.2 TFLOPs and up to 25% more performance per watt used. The system uses an asymmetric processing architecture to achieve more power efficiencies. The vehicle features a multi-gigabit internal Ethernet network that connects the rest of the vehicle systems to Fisker Blade for high-speed networking and diagnostics. The 5G/Wi-Fi6 wireless network turns PEAR into a cloud-connected mini data center, with Fisker designing and developing both the vehicle system software and data pipeline for highly efficient cloud and in-car analytics.

Manufacturing and deliveries are expected to commence in July 2025. New photos of the PEAR are available here.

Go to Fiskerinc.com to place a reservation.

University of Michigan has its first day of school offline after a cyberattack

Posted in Commentary with tags on August 31, 2023 by itnerd

As announced on the University of Michigan’s (U-M) website, the day before the new academic year all of its systems and services were taken offline to deal with a cybersecurity incident, which caused a widespread impact on online services for classes starting the next day.

Starting on Sunday, a cybersecurity incident caused IT outages and disrupted access to wired and WiFi campus internet, vital online services and email. Despite U-M’s IT team’s attempts to restore the impacted systems, the administration felt it was safest to disconnect the U-M network from the internet due to the severity of the event.

  • “We took this action to provide our information technology teams the space required to address the issue in the safest possible manner,” reads the status update from Sunday.

Students rely on the currently offline systems to access class information and to navigate the large campus. Due to the lack of access, various accommodations will be made for students for August.

Emily Phelps, Director, Cyware had this comment:

   “It is a significant decision for any organization to take its systems offline following a cyberattack. For a large university to make this call the day before classes began illustrates the severity of the attack. Whether an organization’s systems are taken down by the attack itself or following the attack to address it safely, the outcome is the same: operational disruption, economic impact, and potential panic. As an industry, we want to enable institutions to move from a reactive to a proactive posture to minimize the need to take their systems offline.”

Dave Ratner, CEO, HYAS follows with this:

   “This attack further proves that no one should consider themselves safe from being targeted. We live in a world where every organization can and will be breached, and the only solution is to focus on proper operational resiliency, business resiliency, and business continuity. As part of this, visibility and observability into anomalies on the network and the early detection of the digital exhaust from a breach is critical so that an attack can be detected, mediated, and rendered inert before widespread damage ensues.  

   “CISA and the NSA don’t just recommend Protective DNS for governments and critical infrastructure — it’s increasingly clear that it is a vital component for every organization and network.”

Education is a high value target in a world where everyone is a high value target to some degree. But because they are constantly cash constrained, educational institutions often don’t have the resources to make sure that they are fully protected from a cyberattack. That needs to change, as this particular attack was pretty crippling. And I can see other attacks at other educational institutions being equally crippling.

Visa Announces Appointment of Dan Iwachiw as Vice President, Head of Canada Products

Posted in Commentary with tags on August 31, 2023 by itnerd

Visa Canada announced that effective today, Dan Iwachiw will assume the role of Vice President, Head of Canada Products. An industry veteran with 20+ years in the financial services sector, Iwachiw will oversee the growth, adoption and evolution of Visa Canada products and solutions spanning consumer products, digital, risk, installments, and loyalty. 

Based in Toronto, Iwachiw will report directly to Stacey Madge, President and Country Manager of Visa Canada, as well as Dan Sanford, Head of Regional Product Solutions for North America. 

Dan brings in-depth knowledge of the payments industry to the role.  Over the course of his 11-year tenure with Visa, he has held various roles across Consulting & Analytics, Strategy & Operations, Business Development and Financial Partnerships. He also serves as executive chair for the Visa Canada Employee Engagement committee. Prior to his journey at Visa, Iwachiw spent 11 years at American Express Canada.

Guest Post: Big tech doesn’t care about your digital rights

Posted in Commentary with tags on August 30, 2023 by itnerd

Big tech companies talk a big game about privacy and freedom of expression, but their policies and practices often undermine it.

According to the data presented by the Atlas VPN team, Twitter scored the best on its policies and practices affecting people’s rights to freedom of expression and privacy, while Amazon and Tencent got the worst ratings for their actions on people’s digital rights. However, none of the companies earned a passing grade.

Twitter (currently X) received the best score of 56% on practices and policies they have on governance, freedom of expression, and privacy. The company took the top spot for its detailed content policies and public data about moderation of user-generated content.

Yahoo got 54% on the digital rights scorecard. Microsoft received 50% on its practices and policies around digital rights. Microsoft lacks comprehensive policies protecting freedom of expression. 

Google scored 47%, but its score declined for the second straight year due to outdated policies. Meta got 46% despite releasing a new human rights policy. Apple, which often boasts about its privacy commitments, scored 44%. 

On the flip side, Amazon and Tencent scored an awful 25% due to significant shortcomings in policies and practices affecting digital rights.

Cybersecurity writer at Atlas VPN, Vilius Kardelis, shares his thoughts on people’s digital rights:

“Big tech’s relentless data collection and algorithms working without oversight threaten privacy and freedom of expression. Individuals should educate themselves, minimize data sharing, and use privacy tools to take more control of their digital rights in their own hands.”

To read the full article, head over to:

https://atlasvpn.com/blog/big-tech-doesnt-care-about-your-digital-rights

Chinese Disinformation Network Dismantled By Facebook

Posted in Commentary with tags on August 30, 2023 by itnerd

Facebook is dismantling a significant and highly sophisticated disinformation network supporting the People’s Republic of China (PRC).

Meta, the parent company of Facebook, announced that it had identified connections between individuals linked to Chinese law enforcement and a long-standing yet largely ineffective pro-China “Spamouflage” influence campaign. “We assess that it’s the largest, though unsuccessful, and most prolific covert influence operation that we know of in the world today,” said Meta Global Threat Intelligence Lead Ben Nimmo.

In its quarterly security report, the social media giant disclosed that it had taken down approximately 7,700 Facebook accounts and numerous pages, groups, and Instagram accounts associated with this campaign. Some aspects of this operation had been active since 2018.

Meta said these fake accounts were managed from various regions within China, but they shared common digital infrastructure and followed apparent work schedules, including designated breaks for lunch and dinner based on Beijing time.

The campaign was active on more than 50 platforms and forums, including Facebook, Instagram, X (formerly Twitter), YouTube, TikTok, Reddit, Pinterest, Medium, Blogspot, LiveJournal, VKontakte, Vimeo, and dozens of additional smaller platforms and forums.

Jason Keirstead, VP of Collective Threat Defense, Cyware had this comment:

   “One of the ways in which social media companies could more effectively combat disinformation campaigns is through more effective collaboration and coordination, made possible by using frameworks such as those provided by the DISARM foundation (https://www.disarm.foundation/). Cybersecurity practitioners should be encouraging large social media companies to become more actively involved in the work of the foundation, and of the disinformation sharing standards it supports such as DAD-CDM (https://github.com/DAD-CDM). Development and support of these standards will allow government and industry to work together to combat disinformation campaigns more effectively.”

David Mitchell, Chief Technical Officer, HYAS:

   “China appears to be playing a PR campaign to shine their activities in a positive light, especially when it comes to Taiwan and human rights. While this campaign doesn’t appear to have made an impact, it shows that they are tuning their capabilities to mimic what the Russians have previously pulled off. 

   “Based on the ties to Chinese law enforcement, this also could be an op to target and identify ex-pats overseas that do not agree with their views — potentially to relay to the Chinese police stations discovered in US and other cities. 

   “Security personnel, whether executive level or operators, should pay attention to disinformation campaigns just as they would an attack campaign. Disinformation can target a company (Anheuser-Busch InBev) and the links may also include phishing or malware that employees may click on, if the targeted message fits their views.”

   “While it is fantastic that Meta is finally taking a proactive stance against disinformation campaigns, this problem is going to continue to get worse during geo-political strife and election seasons. Because these platforms do not verify the identity of accounts, nor charge for their services, they are rife for coordinated nation state abuse. Dealing with these campaigns will always be a global form of whack-a-mole and will not change until social media networks change how they are monetized & valued – just a few dollars per user per month significantly increases the barrier to entry for malicious actors.”

Every social media platform needs to step up and do more to combat this sort of disinformation. If Facebook/Meta can do this, there’s zero excuse for other platforms to not do so as well.

Purfoods Pwned…. 1.2 Million People Affected

Posted in Commentary with tags on August 30, 2023 by itnerd

Purfoods has notified more than 1.2 million people that their personal and medical data such as names, SSNs, driver’s license numbers, financial account and/or payment card information, medical information, health information, and DOB may have been stolen from its servers during a cyber-attack occurring between January 16th, 2023, and February 22nd, 2023.

Purfoods, a health-focused food-delivery company that does business under the name Mom’s Meals, works with more than 500 health providers including governments and managed-care organizations in the US and delivers meals to those covered under Medicare and Medicaid, as well as individuals not covered.

The company identified “suspicious account behavior” on February 22nd, 2023, and, according to the notification letter, the attackers gained access to Purfoods’ network on January 16th. It is still unclear how the criminals accessed the network.

Dave Ratner, CEO, HYAS had this to say:

   “It’s still unclear how the criminals breached the network, but it actually doesn’t matter. Bad actors will continue to create and obfuscate their techniques. The attack demonstrates yet again that no one is safe, and that organizations need to think more about business and operational resiliency than pure prevention. Deploying anomaly visibility and detection as part of a depth-in-depth strategy, such as Protective DNS, is clearly critical today to protect PII and other critical data from being stolen.”

This is bad, as this is all the information that a threat actor requires to launch identity theft attacks. Hopefully there’s a full accounting of what happened and of what Purfoods is going to do to protect those who are affected.

FBI Pwns Qakbot Ransomware Network

Posted in Commentary with tags on August 30, 2023 by itnerd

The FBI has managed to take down the infamous Qakbot ransomware network. And this is no minor takedown by the feds:

The FBI and international partners disrupted the Qakbot botnet — a grouping of computers infected by a malware program that was used to carry out the cyberattacks — and are now working to disable the program on thousands of victim computers, law enforcement officials said.

Dubbed “Operation Duck Hunt,” the effort to take down the botnet system also seized nearly $9 million in cryptocurrency that was collected in criminal ransomware campaigns.

Qakbot’s victims totaled 700,000 across the globe in 2023, according to the Justice Department, with approximately 200,000 located in the U.S. Small businesses, healthcare providers and government agencies including a defense manufacturer based in Maryland were harmed by attacks linked to the network.

And:

As part of “Operation Duck Hunt,” the FBI gained access to the QakBot infrastructure and “redirected” the cyberactivity to servers controlled by U.S. investigators, according to senior FBI and Justice Department officials. Investigators were then able to inject the malware with a program that released the victim computer from the botnet, freeing it of the malicious host.

Law enforcement officials said Tuesday they’re still trying to determine how many of the more than 700,000 computers infected this year were freed from Qakbot’s control and credited close partnership with European investigators for the operation’s success. No one has been arrested as a result of the international probe, but 52 servers were seized, and the investigation is ongoing.

Ken Westin, Field CISO, Panther Labs had this comment on the takedown:

It is interesting that the FBI essentially deployed something that almost resembles “hacking back” to redirect traffic to their servers and ran a script to uninstall the malware on remote systems. It is rare that law enforcement would deploy such measures as there are potential risks of executing commands on remote systems; however, the risk may have been minimal in this case given the threat posed by Qakbot to networks and critical infrastructure. It will be interesting to learn more about the legal case for when such activities can be taken to execute scripts on remote systems when dealing with malware and threats to national security.

In short, the FBI has pwned them. Ingenious. And I have to admit that I am impressed. Clearly even the bad guys are vulnerable to being pwned when they don’t take the proper measures to avoid it, just as their victims sometimes fail to do.

UPDATE: Dave Ratner, CEO, HYAS had this comment:

   “We applaud the FBI for taking control of the Qakbot malware command-and-control infrastructure; unfortunately, without any arrests, it’s likely that the criminals will set up new adversary infrastructure in the near future. With dwell time being as little as 24 hours, these attacks highlight once again how critical it is for organizations to have immediate visibility into anomalous network traffic communicating with adversary infrastructure so that they can take control before ransomware impacts operational resiliency, as recommended by CISA and the NSA via Protective DNS solutions.”