Archive for February 21, 2024

Infinite Reality & Vodafone to Unveil Revolutionary Automotive Onboarding Service Featuring Generative AI and VR at Mobile World Congress Barcelona 2024

Posted in Commentary with tags on February 21, 2024 by itnerd

Infinite Reality (iR), a global leader in artificial intelligence innovations and immersive virtual experiences, together with telecommunication giant Vodafone, is thrilled to announce the unveiling of an innovative automotive original equipment manufacturer (OEM) onboarding service at Mobile World Congress 2024 in Barcelona. This pioneering product, set to redefine automotive retail and customer onboarding, will be showcased in a state-of-the-art mixed reality experience, demonstrating the advanced capabilities of Vodafone’s Pairpoint technology.

AI-Onboard utilizes the latest in generative AI, coupled with augmented reality (AR) and virtual reality (VR), to offer an immersive and interactive experience that showcases the future of customer engagement and retail. This initiative serves as a powerful example of how Infinite Reality is reshaping customer engagement through cutting edge, immersive solutions.

This extension of Infinite Reality and Vodafone’s partnership highlights their collective commitment to innovation and to bringing forward customer-centric solutions. Building on their collaborative success at the 2023 London Tech Week, the Mobile World Congress 2024 showcase promises to be a landmark event, illustrating the transformative impact of advanced AI-driven immersive experiences with Pairpoint technology in the retail sector.

For more information about AI-Onboard and future collaborations between Infinite Reality and Vodafone, visit the websites of Infinite Reality and Vodafone.

71% Surge In Identity Exploitation As Top Access Method: IBM

Posted in Commentary with tags on February 21, 2024 by itnerd

According to IBM’s 2024 X-Force Threat Intelligence Index, data shows a 71% increase in cybercriminals exploiting legitimate credentials to access and compromise corporate networks, representing 30% of the total initial access vectors used in 2023.
 
Methods the cybercriminals use to access valid accounts include obtaining or buying credentials from the dark web and/or through infostealing malware. In 2023, X-Force observed a 266% increase in infostealing malware.
 
While 70% of attacks globally targeted critical infrastructure, 84% of observed incidents on critical infrastructure “could have been mitigated with best practices and security fundamentals, such as asset and patch management, credential hardening and the principle of least privilege.”
 
IBM assessed that AI hasn’t been a serious threat so far but could become one in the future. Charles Henderson, head of IBM X-Force, commented:

“While ‘security fundamentals’ doesn’t get as many head turns as ‘AI-engineered attacks,’ it remains that enterprises’ biggest security problem boils down to the basic and known – not the novel and unknown. Identity is being used against enterprises time and time again, a problem that will worsen as adversaries invest in AI to optimize the tactic.”

The 2024 X-Force Threat Intelligence Index is based on insights and observations from monitoring over 150 billion daily security events in more than 130 countries.

Dave Ratner, CEO, HYAS had this to say:

   “With so many attacks exploiting legitimate credentials for access and exploitation, the need for cyber resiliency solutions has never been greater, especially for critical infrastructure providers and MSSP/MSPs that may protect their smaller cousins.  The use of legitimate credentials means that much of the existing security stack is bypassed and ineffective — cyber resiliency solutions that see the anomalous behavior inside the environment, and track and shut down the command-and-control communication, provide security and safety regardless of the credentials being used for initial access.”


Troy Batterberry, CEO and Founder, EchoMark follows with this:

   “Employees continue to contribute to cybersecurity risks faced by organizations, either through their poor credential practices or worse, deliberate acts of theft or leakage. Organizations must holistically raise their cybersecurity bar, including through much better identity requirements for their employees and also broader insider risk programs.”

Hopefully organizations are paying attention to this IBM report because it proves where the weak points in your defences are, and where you need to invest to address them.

White House Executive Order Aims to Combat Cyber Threats To US Ports

Posted in Commentary with tags on February 21, 2024 by itnerd

Today the White House will issue an executive order that starts a rulemaking process to add cyber requirements for US ports, aimed at strengthening port defenses by giving the Coast Guard additional authorities. The administration also pledged to invest over $20 billion in port infrastructure over five years.
 
The executive order will require the maritime sector to increase its digital defenses and report cyber incidents to the Coast Guard. It also gives the Coast Guard the authority to respond to cybersecurity incidents, for example by controlling the movement of vessels that present a cyber threat.
 
With concern over Chinese companies owning almost 80% of US ship-to-shore cranes, many of which are controlled remotely, the Coast Guard is issuing a nonpublic maritime security directive that subjects cranes manufactured in China to “a number of security requirements”.

“America’s system of ports and waterways accounts for over $5.4 trillion of our nation’s annual economic activity, and our ports serve as a gateway for over 90% of all overseas trade. Any disruption to the [maritime transportation system], whether manmade or natural, physical or in cyberspace has the potential to cause cascading impacts to our domestic or global supply chains,” Rear Adm. Jay Vann, commander of the U.S. Coast Guard Cyber Command said.

Troy Batterberry, CEO, EchoMark has this comment:

   “It is not only systems that have been infiltrated by foreign states. In my discussions with CISOs across the country, many believe there are employees within their organization that are capable of acting in alignment with foreign states. Unfortunately, 90% of organizations are completely unprepared for the risks imposed by insiders. Dealing with insider risk is the next big area of growth for the cybersecurity industry.”
 
Emily Phelps, Director, Cyware shares this thought:

   “The executive order is a good step towards securing critical national infrastructure. By mandating enhanced cyber defenses and incident reporting in the maritime sector, we’re addressing a significant vulnerability in our national security framework. The focus on the maritime sector, especially given the strategic importance of ports to our economy and supply chain, is timely and essential. This move, coupled with the substantial investment in port infrastructure, demonstrates a proactive approach to cybersecurity, ensuring the resilience of vital assets against emerging threats.”

Neal Dennis, Senior Threat Intelligence Specialist, Cyware had this to say:

   “This completely makes sense. However, this threat is nothing new overall. Government extension of authority to support mitigating the threat is just a sign of validation on the reality of the threat.”

Hopefully this executive order forces those in this sector to improve their preparation for cyber threats both new and old, because critical infrastructure is a prime target for threat actors.

ConnectWise ScreenConnect Authentication Bypass POC, IOCs Released

Posted in Commentary with tags on February 21, 2024 by itnerd

On February 19, 2023, ConnectWise published a security advisory for its ScreenConnect remote management tool. The advisory describes two vulnerabilities: an authentication bypass rated CVSS 10.0 and a path traversal rated CVSS 8.4 (neither currently has an assigned CVE ID).

The first vulnerability (the auth bypass) was disclosed with a critical base CVSS score of 10 because it enables access to the path traversal vulnerability, which in turn enables unauthorized file access.

James Horseman, Exploit Developer at Horizon3.ai, has just published ConnectWise ScreenConnect: Authentication Bypass Deep Dive, which walks through the technical details of the authentication bypass, provides indicators of compromise, and includes a link to Horizon3.ai’s proof of concept for the auth bypass on GitHub.

PKI Solutions Host Web Seminar on Avoiding Pentesting Pitfalls

Posted in Commentary with tags on February 21, 2024 by itnerd

PKI Solutions will host a PKI Insights Series Web Seminar to help IT security professionals avoid common mistakes ahead of scheduled penetration testing and better secure important PKI systems. Mark B. Cooper, president and founder of PKI Solutions, and Nick Sirikulbut, director of business development, will host the event on Thursday, February 22, 2024 from 11 to 11:30am MST. The PKI Spotlight event will cover real-world case studies to highlight common mistakes that lead to PKI failures and the steps teams can take immediately to better manage their PKI environment.

To register for the PKI Insights Web Seminar, go to https://www.bigmarker.com/pkisolutions/PKI-Insights-Avoiding-Pen-Test-Pitfalls.

Gayming Awards Moves 2024 Host City To LA

Posted in Commentary with tags on February 21, 2024 by itnerd

Now in its fourth year, the Gayming Awards, the world’s only LGBTQ video game award show, returns on April 7th, 2024, from Los Angeles, hosted by DEERE and MiladyConfetti.

The celebration of queer geek culture is continuing its journey to become a key player on the global video game stage by heading over to California, the home of the video game industry, with a broadcast set in Los Angeles. The ceremony also recognizes television and film moments in a brand-new category, LGBTQ Geek Entertainment Moment of the Year – celebrating The Last of Us, Doctor Who, Harley Quinn, Nimona, Scott Pilgrim Takes Off, and The Legend of Vox Machina.

Building on the huge success of the 2023 Awards, which were hosted in New York City and saw the honors of the night shared amongst an incredibly diverse lineup of games, content creators and companies, the Gayming Awards are set to grow even more as they pivot to a virtual, pre-recorded show.

The show is being produced by the creative powerhouse of Nathan Noyes and Ian Devoglaer (The Boulet Brothers’ Dragula) and will broadcast on April 7th at 2pm PT (5pm ET/10pm UK) on Gayming Magazine’s Twitch and TikTok accounts. There will also be a Spanish language co-stream on TikTok and a captioned stream on YouTube, greatly increasing the accessibility and reach of the Gayming Awards. 

Nominees, celebrities, industry professionals and press will gather and celebrate at an exclusive VIP event hosted in Los Angeles on the award’s day itself.

The contenders for the coveted Game of the Year title encompass an impressive lineup: Baldur’s Gate 3, Final Fantasy XVI, Legend of Zelda: Tears of the Kingdom, Thirsty Suitors, Spider-Man 2, and Stray Gods: The Roleplaying Musical.

In recognition of outstanding contributions and commitment to inclusivity in the gaming industry, the nominees for the Industry Diversity Award showcase a remarkable array of companies and organizations trailblazing the way for diversity: Humble Games, Larian Studios, Latinx In Gaming, Qweerty Gamers, Roll7 and Women in Games International.

In honor of the vibrant streaming community, where gamers unite to share their passions, the nominees for the LGBTQ+ Streamer of the Year Award are Apothicdecay, Eevoh, Elix, EspeSymone, Halfmoonjoe, MysticKittenn, Sheilur, and SpringSims.

The Gayming Awards are sponsored by TikTok, Devolver Digital, Logitech G and Art & Rev, and supported by Humble Games, Zynga, Out Making Games, Qweerty Games and NYC Gaymers. 

Full nominations for the Gayming Awards 2024 were announced on January 9, 2024. For more information, head to gaymingawards.com and follow Gayming Magazine on all socials @gaymingmag.

Woman Sues Sex Toy Company For Collecting Her Sex Toy Searches…. No I Am Not Making This Up

Posted in Commentary with tags on February 21, 2024 by itnerd

Following on the heels of this story, I have another story about the dark side of sex toys and the Internet, which, to be clear, isn’t really about sex toys. It is about your privacy.

404 Media is reporting on a lawsuit in which a woman is suing Adam & Eve for collecting details of her searches for sex toys on its site. Brace yourself for the details:

A woman just brought a class action lawsuit against one of the biggest online retailers for sex toys, Adam and Eve, claiming that the site gave Google information about her searches for 8-inch dildos and strap-on harnesses. 

The plaintiff, who isn’t named in the complaint but goes by “Jane Doe,” claims that Adam and Eve uses Google Analytics, which has an anonymization feature that obscures IP addresses of users, but that the site didn’t have that feature enabled. She’s suing PHE, the owner of Adam and Eve, as well as Google, for allegedly disclosing her “sexual preferences, sexual orientation, sexual practices, sexual fetishes, sex toy preferences, lubricant preferences, and search terms” without her consent.

“By using the Google Analytics tool without anonymized IP feature, PHE is sharing with Google Plaintiff’s online activity, along with her IP addresses, even when consumers have not shared (nor have consented to share) such information,” the complaint claims.

Specifically, the plaintiff takes issue with PHE telling Google that she was browsing the site’s categories for “lesbian toys,” women’s sex toys, and realistic dildos. The complaint describes her online shopping trips in detail, claiming that Analytics captured her looking at listings for “Kingcock Strap-on Harness With 8-Inch Dildo” and showed that she added a “Pink Jelly Slim Dildo” to her cart. It also claims that “any information submitted by consumers through the search bar on the site’s homepage is shared with Google,” which in her case was a search for “strap-on dildo.” 

“The above information, combined with the consumer’s IP address, enables Google to identify the person who has interacted with PHE’s Website or has submitted information through the site,” the complaint claims. “Website consumers did not know that the communications between them and PHE would be shared with a third party, Google. PHE did not obtain consent or authorization of Website consumers to disclose communications about their Private and Protected Sexual Information. The surreptitious disclosure of Private and Protected Sexual Information is an outrageous invasion of privacy and would be offensive to a reasonable person.”

She’s suing PHE and Google for violations of the California Invasion of Privacy Act, which prohibits services from communicating information about users to third parties without their consent. Someone doesn’t have to have suffered “actual damages” to bring legal action under CIPA, and can sue for $5,000 per violation.

Now Google is saying that it doesn’t try to identify individuals and has policies to try and stop that from happening. And it’s really up to the retailer to do the right thing. In other words, Google is using the Shaggy excuse. As in “it wasn’t me.” Adam & Eve didn’t have anything to say to 404 Media. But let’s just take a step back and take the words “sex toys” out of this discussion. What this is really about is the fact that ANY retailer can take your shopping habits, collect that up, and use it or sell it however they see fit. If you’re on Amazon, you might not have an issue with that. But if you are shopping for something more “personal” you might have a problem with that. This really isn’t new. But it highlights the fact that your data is valuable and retailers will want to make money off of it, even if you don’t buy anything from them. That’s something that you might want to keep in mind if you shop online.
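As an added illustration (not code from the 404 Media article, the complaint, or any party named above), the snippet below shows the two analytics choices the complaint turns on: whether the tag asks Google to truncate the visitor’s IP address, and whether the page URL it reports carries the shopper’s search terms. It builds the gtag.js call list for the default setup beside a hardened one and audits what each would send from the browser. The tag id, hostname and query-parameter names are constructed placeholders; the configuration keys anonymize_ip, page_path and send_page_view are the Universal Analytics gtag.js ones (GA4 does not expose an IP anonymization switch).

```javascript
// Added example, not PHE's site code or Google's library. Shows how the
// analytics tag decides what leaves the browser, and how a site owner keeps
// the shopper's IP and search terms out of it.

const TAG_ID = "UA-00000000-1"; // constructed placeholder, not a real property

// Query-string parameters whose values reveal what a shopper typed or browsed.
// Assumed names for illustration; a real site would list its own.
const SENSITIVE_PARAMS = ["q", "search", "keyword", "category"];

// Replace sensitive query values so the reported path keeps its shape
// (still useful for funnel reports) but not the shopper's words.
function sanitizePagePath(rawUrl) {
  const url = new URL(rawUrl);
  for (const name of SENSITIVE_PARAMS) {
    if (url.searchParams.has(name)) url.searchParams.set(name, "redacted");
  }
  return url.pathname + url.search;
}

// The weak setup the complaint describes: config with no options, so
// anonymize_ip is off and the automatic page_view carries the full page URL.
function weakTagCalls() {
  return [["config", TAG_ID]];
}

// The hardened setup: ask Google to truncate the IP, suppress the automatic
// page_view, and send one whose page_path has had sensitive values redacted.
function hardenedTagCalls(rawUrl) {
  return [
    ["config", TAG_ID, { anonymize_ip: true, send_page_view: false }],
    ["event", "page_view", { page_path: sanitizePagePath(rawUrl) }],
  ];
}

// Inspect a list of gtag calls and report what would leave the browser.
// Returns { ipAnonymized, pathReported } so the effect of each setup is visible.
function auditTagCalls(calls, rawUrl) {
  const config = calls.find((c) => c[0] === "config");
  const options = config && config[2] ? config[2] : {};
  const ipAnonymized = options.anonymize_ip === true;
  const explicitView = calls.find((c) => c[0] === "event" && c[1] === "page_view");
  let pathReported;
  if (explicitView && explicitView[2] && explicitView[2].page_path) {
    pathReported = explicitView[2].page_path;
  } else if (options.send_page_view === false) {
    pathReported = null; // automatic view suppressed and none sent by hand
  } else {
    // Automatic page_view: gtag.js reports the current location, i.e. the raw URL.
    const u = new URL(rawUrl);
    pathReported = u.pathname + u.search;
  }
  return { ipAnonymized, pathReported };
}

// Constructed sample URL in the shape the complaint quotes (homepage search bar).
const SAMPLE_URL = "https://shop.example.test/search?q=private+search+term&page=2";

// Stand-alone run: print what each setup would disclose.
console.log("weak:", auditTagCalls(weakTagCalls(), SAMPLE_URL));
console.log("hardened:", auditTagCalls(hardenedTagCalls(SAMPLE_URL), SAMPLE_URL));
```

Redacting a parameter rather than deleting it keeps the reported path’s structure for funnel analysis while dropping what was typed; the audit function is the kind of check a site owner can run against its own tag configuration to see which of the two shapes it matches.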

Beyond Identity Introduces Device360 

Posted in Commentary with tags on February 21, 2024 by itnerd

Beyond Identity, the leading provider of passwordless, phishing-resistant MFA, today announced the release of its new Device360 solution for continuous device security posture management. Device360 is the first and only device security tool designed from day 0 to offer a simple admin experience, provide visibility into the security posture of 100% of devices, including unmanaged devices, and combine device security with authentication. The new tool empowers organizations of any size to instantly identify device security risks, including both vulnerabilities and misconfigurations, across both managed and unmanaged devices, and to stop vulnerable devices from entering the digital ecosystem so that breaches are prevented before they happen.

Device360 addresses the rising need for organizations to prevent risks associated with bring-your-own-device, or BYOD practices, where users and collaborators can use their computers, smartphones, and other devices for work purposes. The tool empowers organizations to quickly and easily monitor the security of an entire fleet of devices, each of which may be owned, managed, and configured differently. Until now, organizations could only gain this level of visibility and proactive security for managed devices using mobile device management (MDM) and endpoint detection and response (EDR) tools, which are costly and resource-intensive to manage.

Available as a standalone solution or as a complement to Beyond Identity’s Secure Workforce offering, Device360 can be quickly deployed without reliance on MDMs. Features include:

Centralized visibility into vulnerabilities and misconfigurations

Device360 provides an overview of vulnerabilities and misconfigurations across your entire fleet of devices, a central report to help track, assure, and prove device compliance, and the ability to drill down on risky devices to perform more in-depth diagnoses on device security posture.

Real-time and scheduled device query with managed Osquery

With 45 ready-made device queries, Device360 simplifies using Osquery, requiring no SQL knowledge or experience. It facilitates real-time and scheduled queries, ensuring continuous endpoint security and risk assessment over time.

Visibility over unmanaged devices

Device360 solves the challenge of unmanaged devices by combining privacy-preserving security assessments with authentication in a lightweight single authenticator that does not require administrative privileges on the end user’s device.

Test zero-trust access policies

Device360 enables policy simulation, allowing administrators to test access policies without affecting user authentication in production, enabling administrators to build complex policies and understand the impact of enforcing device trust policies per zero-trust authentication strategies.

Enforce device security compliance at the time of authentication

In conjunction with Beyond Identity’s Secure Workforce platform, Device360 allows administrators to go beyond visibility and enforce access policies using device security insights, ensuring that only compliant devices can access corporate resources and applications.

Beyond Identity provides the first 100 users a free year of access to Device360 in the product’s earliest stage. For more information about Device360, please visit https://beyondidentity.com/device360.

To learn more about Beyond Identity’s platform, including their Secure Workforce next-generation MFA solution and diagnostic tool offerings, please visit https://www.beyondidentity.com/get-demo.

Yazara Awarded PCI MPoC Certification for its Isolated SoftPOS SDK

Posted in Commentary with tags on February 21, 2024 by itnerd

Yazara, a global leader in SoftPOS technology and the payment acceptance industry, today announced that it is now recognized as a Mobile Payments on COTS (MPoC) certified vendor by the Payment Card Industry Security Standards Council (PCI SSC). Yazara’s cloud-based SaaS point-of-sale solution provides merchants who are unable to accept digital payments with a low-cost, secure, effortless, and modern solution to support their goals of increasing sales/revenue and improving customer experience. Yazara is the first PCI MPoC-certified isolated SoftPOS SDK, which provides increased integrity, faster integrations, and lighter security assessments. MPoC certification serves as an indicator of a product that has been evaluated for compliance against the standards established by the PCI SSC.

Powered by years of global experience in the SoftPOS and payments vertical, and with over 35 projects deployed worldwide, Yazara is well positioned to shake up the payments acceptance industry. Yazara’s payment software turns any NFC-enabled smartphone into an acceptance device and provides a solution for merchants who were previously not able to accept digital payments or who want to quickly augment their existing POS estate. The solution enables payment acceptance on NFC-enabled Android and Apple iOS devices such as a smartphone, tablet, or other mobile device with any of the major global payment schemes, such as Visa, Mastercard, Amex, and Discover. Implementations on Apple iOS devices are currently being deployed in Europe.

The PCI Security Standards Council released the new MPoC Standard on 16th November 2022, which built on its previously established SPoC and CPoC standards. MPoC standard certification is designed to enable increased flexibility for payment acceptance and bolster the development of innovative COTS-based payment acceptance solutions.

This announcement comes on the heels of significant momentum for Yazara in recent months, including another 25+ projects currently being implemented, totaling over 60 projects globally, and an ever-growing base of over 80,000 active devices. With new directives from international schemes about MPoC compliance for new projects, this certification becomes time-critical, as no new SoftPOS projects are allowed unless they use an MPoC-certified solution.

To learn more about Yazara, please visit A Better POS Solution | Yazara.