Archive for August 1, 2023

BREAKING: Twitter And Elon Musk Actually Sue A Non-Profit That Tracks Hate Speech On Twitter

Posted in Commentary with tags on August 1, 2023 by itnerd

Yesterday, I posted a story on Twitter/Elon Musk threatening to sue a non-profit that tracks hate speech on the platform. At the time I said this:

What this is really about is that Elon has been called out in public for not only having hate speech on Twitter, but doing nothing to stop it. What Elon really needs to do is to change course on that. But he’s not going to do that as he’s fine with hate speech being on Twitter. And I suspect that he’s not actually going to sue as he has a track record of threatening to sue, but not actually doing so.

Well, it seems that Elon is actually suing this non-profit. From the Twitter blog:

Despite our continued progress, the Center for Countering Digital Hate (CCDH) and its backers have been actively working to assert false and misleading claims encouraging advertisers to pause investment on the platform. X is a free public service funded largely by advertisers. Through the CCDH’s scare campaign and its ongoing pressure on brands to prevent the public’s access to free expression, the CCDH is actively working to prevent public dialogue.

Recently Brandwatch made X aware that the CCDH gained access to X’s data without Brandwatch’s authorization, and that the purported CCDH “research” cited in a Bloomberg article “contained metrics used out of context to make unsubstantiated assertions about X (formerly Twitter).” Additionally, the CCDH has recently scraped X’s platform, which is a violation of our terms of service.

That’s why X has filed a legal claim against the CCDH and its backers. X not only rejects all claims made by the CCDH, but, through our own investigation, we have identified several ways in which the CCDH is actively working to prevent free expression. 

This is a joke. Twitter is a cesspool of hate speech under Elon Musk. This isn’t even a question. It’s a fact. If there’s a legal defence fund for this organization, I’ll donate to it. Because Elon Musk needs to be slapped silly in the legal system and shown for what he really is.

An Update On Rogers Fixing Their Long Standing Email Issues

Posted in Commentary with tags on August 1, 2023 by itnerd

Yesterday I posted that there seemed to be some hope in terms of Rogers finally fixing the email issues that have plagued users of Rogers’ email offering for months. I also asked for some help in validating this and, as usual, the readers of this blog responded. That response has helped me to construct this update so you have all the information that you need to use Rogers’ email offering if you wish to do so. Which I wouldn’t if I were you. More on that later.

First of all, Rogers, or more accurately Yahoo!, which Rogers gets its email services from, has apparently implemented OAuth, which is defined as follows:

OAuth (short for “Open Authorization”) is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites but without giving them the passwords. This mechanism is used by companies such as Amazon, Google, Facebook, Microsoft, and Twitter to permit users to share information about their accounts with third-party applications or websites.

I suspect that Yahoo! has implemented OAuth because their security when it comes to their email offering has been at best suspect for years as evidenced by numerous people getting their Yahoo! email accounts hacked over the years along with the company suffering some really bad security breaches. Thus going this route mitigates a lot of those issues. Maybe. That’s the cynical side of me saying that. But to be fair, Gmail has used OAuth for years and they don’t have the sort of security issues that Yahoo! has. Thus perhaps Yahoo! will get the same result.

Now the catch with OAuth is that your email client needs to have support for it. Microsoft, who makes the Outlook email client, appears to be rolling out support for OAuth on Yahoo! as per this document. However this support hasn’t appeared in the Microsoft Office 365 product as of yet (unless you want to run beta software, which I would not recommend). It has however started to appear in Microsoft’s one-time-purchase version of Office (where you pay once and you get the software forever, unlike Office 365), as I have had reports of Rogers email all of a sudden starting to work, or needing to be reconfigured before it starts working again, and I have personally witnessed this working. I have also confirmed that the Mozilla email client Thunderbird seems to work as well.

So in short, to make this work you need the following:

  • Your Rogers email address, which ends in @rogers.com
  • The password that you use for either the Rogers Member Center or Rogers Webmail
  • Your email client updated to the latest possible version of Outlook or Mozilla Thunderbird
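What “support for OAuth” means in practice for a mail client, as an added example (this is not code from the post, nor from Rogers, Yahoo! or Microsoft): instead of sending the account password with the IMAP LOGIN command, the client obtains an access token from the provider’s OAuth flow and presents that token over IMAP with the SASL XOAUTH2 mechanism. The code assumes the server speaks XOAUTH2 (Google documents the format; Yahoo!’s IMAP, which hosts Rogers mail, is assumed here to accept the same mechanism). The address, token and host name are made up, and the offline part of the example shows what the client sends and how a server reads it back, including the error path when a token is rejected.

```python
import base64
import imaplib
import json

# Constructed sample values for the offline demonstration; not real credentials.
SAMPLE_USER = "someone@rogers.com"
SAMPLE_TOKEN = "example-access-token-not-real"
ASSUMED_HOST = "imap.mail.yahoo.com"  # assumption: Yahoo!'s IMAP endpoint for Rogers mail


def build_xoauth2(user: str, access_token: str) -> bytes:
    """Build the SASL XOAUTH2 initial client response.

    Layout: "user=" user 0x01 "auth=Bearer " token 0x01 0x01.
    The account password never appears here; only the (revocable) token does.
    """
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("separator byte 0x01 is not allowed in user or token")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def wire_form(user: str, access_token: str) -> str:
    """The base64 line the client sends after 'AUTHENTICATE XOAUTH2'."""
    return base64.b64encode(build_xoauth2(user, access_token)).decode("ascii")


def parse_xoauth2(initial_response: bytes) -> dict:
    """Server-side view: split the initial response into its fields.

    Raises ValueError on anything malformed, so a wrong mechanism (e.g. a
    client that sent 'auth=Basic ...') is rejected rather than half-parsed.
    """
    if not initial_response.endswith(b"\x01\x01"):
        raise ValueError("missing terminating 0x01 0x01")
    parsed = {}
    for field in initial_response[:-2].split(b"\x01"):
        key, sep, value = field.partition(b"=")
        if not sep:
            raise ValueError(f"field without '=': {field!r}")
        parsed[key.decode("utf-8")] = value.decode("utf-8")
    if set(parsed) != {"user", "auth"} or not parsed["auth"].startswith("Bearer "):
        raise ValueError("expected exactly user= and auth=Bearer fields")
    parsed["token"] = parsed["auth"][len("Bearer "):]
    return parsed


def parse_wire_form(line: str) -> dict:
    """What the server does with the base64 line: decode, then parse."""
    return parse_xoauth2(base64.b64decode(line))


def decode_server_error(challenge: bytes) -> dict:
    """Decode the JSON document a server returns when it rejects the token.

    On the wire it is base64; imaplib hands the callback the decoded bytes,
    e.g. b'{"status":"401","schemes":"bearer","scope":"..."}'.
    """
    return json.loads(challenge.decode("utf-8"))


def xoauth2_authobject(user: str, access_token: str):
    """Callback for imaplib.IMAP4.authenticate().

    imaplib calls it first with b"" and base64-encodes what it returns. If the
    server rejects the token it sends a continuation carrying an error document;
    XOAUTH2 then requires an empty client line so the server can reply NO.
    """
    def respond(challenge: bytes) -> bytes:
        if not challenge:
            return build_xoauth2(user, access_token)
        print("server rejected token:", decode_server_error(challenge))
        return b""
    return respond


def connect(host: str, user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Open an IMAP session with a bearer token instead of the password."""
    imap = imaplib.IMAP4_SSL(host)
    imap.authenticate("XOAUTH2", xoauth2_authobject(user, access_token))
    return imap


if __name__ == "__main__":
    # Offline: what the client sends, and how the server reads it back.
    line = wire_form(SAMPLE_USER, SAMPLE_TOKEN)
    print(line)
    print(parse_wire_form(line))
    # connect(ASSUMED_HOST, SAMPLE_USER, SAMPLE_TOKEN)  # needs a real token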

I will keep you updated as to developments on this front as I know that this is a top of mind issue for many Rogers customers.

Now, here’s why I wouldn’t bother doing any of this and would instead encourage you to abandon Rogers’ email offering and use something else. The majority of my reasons can be found in this article. But my main reason for not recommending that you use Rogers’ email offering is that Rogers has really dropped the ball here. They have not communicated with the clients who pay them money for this, which makes this issue, as bad as it is, much worse. Clearly Rogers hasn’t learned the lessons from last year’s massive outage about how to communicate with customers. As a result, I would not trust them with your email.

BankCard USA Pwned By Black Basta…. And Gets Advice On How Not To Get Pwned After Paying The Ransom

Posted in Commentary with tags on August 1, 2023 by itnerd

On July 26th, after a month of negotiations, BankCard USA (BUSA) paid a $50,000 ransom to prevent the release of their stolen files by the ransomware group Black Basta. SuspectFile.com followed the negotiation chat between BUSA and Black Basta from day one and reports that hundreds of other people were able to follow the evolution of the negotiation live. The entire chat transaction, including samples of the stolen data, was available as it unfolded. The initial ask of $1.5 million was whittled down to $50,000 in bitcoin, and in return for payment, the thieves promised to meet BUSA’s requests:

  1. Decryptor for all Windows machines;
  2. Non recoverable removal of all downloaded data from their side with deletion log
  3. No publication of any kind
  4. No selling of their data
  5. No giving their data away
  6. Security report on how they were hacked to fix their vulnerabilities and avoid such situations in future.
  7. Guarantee BlackBasta will not attack their company again.

 The ransomware group also provided BUSA with a helpful list of how to prevent future attacks: 

  1. Use sandbox to analyze the contents of letters and their attachments.
  2. Use the password security policies
  3. Make protection from attack like a Pass-the-Hash and Pass-the-ticket attack
  4. Update all OS and software to the latest versions, especially Microsoft Defender Antivirus.
  5. Implement the hardware firewalls with filtering policies, modern DLP and IDS, SIEM systems.
  6. Block kerberoasting attacks
  7. Conduct full penetrations tests and audit
  8. Use and update Anti-virus/anti-malware and malicious traffic detection software
  9. Configure group policies, disable the default administrators accounts, create new accounts.
  10. Backups. They must have offline backups that do not have access to the network.
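Item 6 on the list above, “Block kerberoasting attacks”, is one line; what it looks like on the detection side is shown in the added example below, which is not from the post or from the negotiation transcript it summarizes. Kerberoasting requests service tickets for user accounts that carry an SPN and then cracks the RC4-HMAC encrypted part of each ticket offline, so the check looks for one account obtaining several RC4 (encryption type 0x17) service tickets in a short window, skipping computer accounts and krbtgt, which produce RC4 tickets for legitimate reasons. The log records are constructed JSON lines in the shape of Windows Security Event ID 4769; every user, host and SPN is made up, and the threshold and window are assumptions to tune for your own environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of Windows Security Event ID 4769 records as JSON lines,
# the shape a SIEM forwarder might emit. Field names follow the Windows event
# schema; every user, host and SPN here is made up.
SAMPLE_EVENTS = """\
{"EventID":4769,"TimeCreated":"2023-07-25T09:00:01Z","TargetUserName":"jsmith@CORP.LOCAL","ServiceName":"MSSQLSvc/db01.corp.local:1433","TicketEncryptionType":"0x12","Status":"0x0","IpAddress":"::ffff:10.0.5.21"}
{"EventID":4769,"TimeCreated":"2023-07-25T09:00:02Z","TargetUserName":"svc-backup@CORP.LOCAL","ServiceName":"WS01$","TicketEncryptionType":"0x17","Status":"0x0","IpAddress":"::ffff:10.0.5.40"}
{"EventID":4769,"TimeCreated":"2023-07-25T09:00:03Z","TargetUserName":"jsmith@CORP.LOCAL","ServiceName":"krbtgt","TicketEncryptionType":"0x17","Status":"0x0","IpAddress":"::ffff:10.0.5.21"}
{"EventID":4769,"TimeCreated":"2023-07-25T09:01:10Z","TargetUserName":"contractor7@CORP.LOCAL","ServiceName":"MSSQLSvc/db01.corp.local:1433","TicketEncryptionType":"0x17","Status":"0x0","IpAddress":"::ffff:10.0.9.77"}
{"EventID":4769,"TimeCreated":"2023-07-25T09:01:11Z","TargetUserName":"contractor7@CORP.LOCAL","ServiceName":"HTTP/intranet.corp.local","TicketEncryptionType":"0x17","Status":"0x0","IpAddress":"::ffff:10.0.9.77"}
{"EventID":4769,"TimeCreated":"2023-07-25T09:01:12Z","TargetUserName":"contractor7@CORP.LOCAL","ServiceName":"svc-sharepoint","TicketEncryptionType":"0x17","Status":"0x0","IpAddress":"::ffff:10.0.9.77"}
{"EventID":4769,"TimeCreated":"2023-07-25T09:01:13Z","TargetUserName":"contractor7@CORP.LOCAL","ServiceName":"svc-reporting","TicketEncryptionType":"0x17","Status":"0x0","IpAddress":"::ffff:10.0.9.77"}
{"EventID":4769,"TimeCreated":"2023-07-25T09:01:14Z","TargetUserName":"contractor7@CORP.LOCAL","ServiceName":"svc-print","TicketEncryptionType":"0x17","Status":"0x1F","IpAddress":"::ffff:10.0.9.77"}
{"EventID":4768,"TimeCreated":"2023-07-25T09:02:00Z","TargetUserName":"contractor7@CORP.LOCAL","ServiceName":"krbtgt","TicketEncryptionType":"0x12","Status":"0x0","IpAddress":"::ffff:10.0.9.77"}
"""

RC4_HMAC = "0x17"                     # TicketEncryptionType for RC4-HMAC, the crackable one
DEFAULT_WINDOW = timedelta(minutes=5)  # assumption: tune to your environment
DEFAULT_THRESHOLD = 3                  # distinct RC4 SPNs per account within the window


def is_candidate(ev: dict) -> bool:
    """True for a 4769 record that could be one Kerberoast request.

    Only successfully issued (Status 0x0) RC4 tickets matter, and tickets for
    computer accounts (name ends in $) or krbtgt are normal noise, not targets.
    """
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    if str(ev.get("TicketEncryptionType", "")).lower() != RC4_HMAC:
        return False
    spn = str(ev.get("ServiceName", ""))
    return not (spn.endswith("$") or spn.lower() == "krbtgt")


def _parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_kerberoast(lines: Iterable[str],
                      window: timedelta = DEFAULT_WINDOW,
                      threshold: int = DEFAULT_THRESHOLD) -> Dict[str, Set[str]]:
    """Return {account: set of RC4 SPNs} for every account that obtained at
    least `threshold` distinct RC4 service tickets inside some `window`-long span."""
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda e: e["TimeCreated"])  # ISO-8601 UTC sorts lexically
    per_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            per_user[ev["TargetUserName"]].append(
                (_parse_time(ev["TimeCreated"]), ev["ServiceName"]))
    hits: Dict[str, Set[str]] = {}
    for user, requests in per_user.items():
        for i, (start, _) in enumerate(requests):  # sliding window from each request
            spns = {spn for t, spn in requests[i:] if t - start <= window}
            if len(spns) >= threshold:
                hits[user] = spns
                break
    return hits


if __name__ == "__main__":
    for user, spns in detect_kerberoast(SAMPLE_EVENTS.splitlines()).items():
        print(f"possible Kerberoasting by {user}: "
              f"{len(spns)} RC4 service tickets -> {sorted(spns)}")
```

On the constructed sample only contractor7 trips the rule: four distinct RC4 service tickets in three seconds, with the failed request (Status 0x1F) and the TGT event (4768) ignored. The hardening half of item 6 is not shown here: restrict service accounts to AES (msDS-SupportedEncryptionTypes) and give them long random passwords or use group managed service accounts, so an RC4 ticket becomes both rare enough to alert on and not worth cracking. Legacy hosts that only speak RC4 will appear as a steady trickle from a fixed set of accounts rather than a burst, which is what the window and threshold are there to separate.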

So, if the whole world can view the process and payment and data shared, just how much faith should victims put in the attacker’s promises?

Carol Volk, EVP, BullWall:

“That’s an awfully expensive consultant they’ve got there! Their list of 10 recommendations is a good start, but as soon as organizations become better at plugging holes, new holes will appear. It’s never-ending. While plugging the holes is important, more effort needs to be put towards containing active attacks; not just trying to prevent them by staying one step ahead of ransomware groups. Imagine if the attack was immediately contained and Black Basta wasn’t able to get the data to begin with?”  

Willy Leichter, VP of Marketing, Cyware

“Paying a ransom and relying on the integrity of cybercriminals to “return” your data is a dubious strategy. This is still a data breach and requires the same level of public disclosure. Getting the data back may help the bank maintain its operations, but it offers little comfort to the customers whose data has been compromised.

“To improve resiliency, organizations should:

  1. Enable security controls such as multi-factor authentication 
  2. Implement regular security awareness training for employees
  3. Invest in context-rich intelligence and/or partner with intelligence sharing organizations 
  4. Develop, maintain, and run through an organizational incident response plan 
  5. Keep all systems patched and software updated”

Stephen Gates, Principal Security SME, Horizon3.ai:   

“According to the report on Suspectfile.com, it’s interesting what Black Basta recommends Bankcard USA (BUSA) do in the future to help thwart similar attacks. The recommendations the hacking group provides in the back-and-forth correspondence are actually quite good since they highlight some of the issues autonomous penetration testing can easily find in many organizations’ networks. Surprisingly, the hacker group even says, “conduct full penetrations tests and audit” which is really good advice for all organizations.   

“One last thing… As of July 31st, 0900 hours EDT, it appears the security certificate for https://www.bankcardusa.com/ expired 2 days ago. If anyone were to override their browser protections and log into their account right now, their traffic would not be encrypted.” 

It shouldn’t take getting pwned by hackers to figure out what you need to do to secure yourself. You should be taking proactive measures to avoid getting pwned, and spending whatever you have to in order to be as secure as possible. Because that’s way better than what happened here.

Biden Administration Releases National Cyber Workforce And Education Strategy To Address Cyber Workforce Needs

Posted in Commentary with tags on August 1, 2023 by itnerd

The Biden Administration has released the National Cyber Workforce and Education Strategy, aiming to reduce the cyber workforce gap and to encourage individuals to enter the cyber workforce:

Technology and humanity are intertwined. Technology itself does not have a value system; rather it carries the values of its owners and operators. Cyberspace is composed not only of technology and protocols, but also people. People are an integral part of cyberspace, both in creating and using it. In less than a generation, technology has transformed our daily lives – among other things, we pay bills, connect with families and friends, build businesses, and build communities. We rely on cyberspace for our national security, economic development, and innovation. More than any other domain – air, space, sea, or land – people conceived of and created cyberspace and will continue to improve it. The Biden-Harris Administration’s 2023 National Cybersecurity Strategy establishes an affirmative, values- driven vision for a secure and resilient cyberspace that enables us to achieve our collective aspirations. To achieve a vision aligned with our values, we must ensure that people are appropriately equipped. This National Cyber Workforce and Education Strategy provides a critical element of the President’s approach to securing cyberspace.

I have secured some commentary on this strategy, which I have printed below:

Debbie Gordon, Founder and CEO, Cloud Range

We are excited to see the Biden Administration addressing the critical cyber workforce needs. While this is a significant step forward in direction, there are some areas where “the how” or more guidance could be beneficial. For example, in section 2, under Transform Cyber Education, it mentions “expand competency-based cyber education.” Expanding competency-based cyber education is only attainable by utilizing simulation based training to overcome the age-old conundrum of you can’t get experience without a job and you can’t get a job without experience. The only way to do this is to incorporate experiential learning in the form of advanced simulation into cyber education programs. Too many people are coming out of universities and community colleges with degrees or certifications, yet they still can’t get a job because they have no practical experience. Utilizing simulation based training to augment traditional cybersecurity training will enable students to be prepared to be productive on the job from day one, and will give employers the confidence that they have experienced candidates at the ready.

Sherron Burgess, VP Strategy, Cyversity

The National Cyber Workforce and Education Strategy sets a direction for both workforce and education, while taking an ecosystem-focused approach. This strategy builds on previous efforts from the administration—holistically approaching the gap—engaging stakeholders across education, industry, research, etc. and spanning federal and industry workforces. The Biden Administration’s strategy also represents an innovation in transforming cyber education, which is absolutely necessary in engaging underrepresented groups through new and existing initiatives. Finally, we commend the strong focus of the strategy on lifelong skills—and removing some of the conventional barriers to entry to cybersecurity. And, importantly, the strategy follows the newly released GAO Cybersecurity Workforce report, “National Initiative Needs to Better Assess Its Performance” on NIST’s NICE program, highlighting its strengths and the shortcomings.

Candy Alexander, President, ISSA

The cyber skills shortage has been an ongoing issue for more than 20 years and with the digital footprint encompassing all areas of our lives this comes at a great time. Current education does not provide hands on skills-based readiness to bring entry level and those changing careers to a real work situation. With the combination of skills needed in the industry and communities of individuals in need of skills and career paths, the National Cyber Workforce and Education Strategy couldn’t be timelier.

ISSA has long been studying the life and times of the cybersecurity professional for the past 7 years and has seen little change in the skills gap. In fact, it is widening. The Biden Administration’s strategy is exactly what the industry needs and addresses what we have been advocating for: the collaboration of education institutions, government programs, corporate organizations, and the cyber association communities to build pathways to bridge the gap between pure education and employment.

This is a good move by the Biden administration as having a skilled workforce enables so much when it comes to cyberspace.

UPDATE: I have one more comment:

Emily Phelps, Director, Cyware:  

“We’re encouraged to see the Biden-Harris Administration recognize and take action to address the cybersecurity skills and diversity gaps that have continued to impact organizations and individuals. Improving diversity among cybersecurity professionals will not only help increase the volume of cybersecurity experts, but diversity of perspectives and backgrounds will make the industry more effective overall.  

“In cybersecurity, we must think about our work as the industry vs. the adversary. Improving accessibility to cyber education, diversifying the cyber workforce, bolstering cybersecurity understanding, and increasing collaborative partnerships will help establish a strong foundation to close the skills gap and support resiliency.”