
Disney Allegedly Pwned By A Hacktivist Group

Posted in Commentary with tags on July 16, 2024 by itnerd

In an email on Monday to CNN, a hacktivist group claimed it stole roughly 1.2 terabytes of information from Disney’s Slack, including information about unreleased projects, raw images, computer code and some logins.
 
Nullbulge, the Russian hacktivist group, claimed it had gained access through “a man with Slack access who had cookies.”

“The user was aware we had them, he tried to kick us out once but let us walk right back in before the second time,” the email said.

The group also stated that its intention is to protect artists’ rights and compensation for their work in the age of AI.

Ted Miracco, CEO, Approov:

Here are comments from a security angle…

   “Disney’s over-reliance on Slack for internal communications and data sharing highlights the supply chain risks that parallel the concerns raised by the Snowflake breach. Reliance on a single communication platform like Slack creates a centralized point of vulnerability, and a single compromised user can expose a vast amount of sensitive information.

   “The recent breach of Disney’s Slack environment by the Russian hacktivist group Nullbulge raises several critical security concerns as it could have been easily avoided with better organizational cybersecurity practices. The breach was facilitated by an individual with legitimate Slack access who had their session cookies compromised. Using session cookies to gain unauthorized access points to insufficient security measures around session management. Implementing measures like short-lived session tokens, regular re-authentication, and stringent monitoring for anomalous session activities could mitigate such risks. The incident highlights the need for securing backend systems and APIs, as front-end security alone is insufficient.”

I suspect that Disney will have to do a lot of explaining on multiple fronts. It will be interesting to see how they respond to this alleged hack, and how they will explain what’s out there in terms of information.

New Cyware Survey Reveals Critical Gaps in Cybersecurity Threat Intelligence Sharing and Collaboration

Posted in Commentary with tags on July 16, 2024 by itnerd

Cyware has today released the findings of its anonymised 2024 Threat Intelligence and Collaboration Survey. Conducted with security professionals at the recent Infosecurity Europe 2024 exhibition, the research reveals that the overwhelming majority of organisations recognise the crucial importance of collaboration and information sharing in the fight against cybercrime, but most struggle to effectively combine insights across teams and security platforms. 

Specifically, 91 percent of respondents said collaboration and information sharing are very important or absolutely crucial for cybersecurity. In addition, 70 percent believe their organisation could improve threat intelligence sharing, with 19 percent saying they could share significantly more. However, over half of the research respondents (53 percent) said their organisation does not currently utilise an Information Sharing and Analysis Centre (ISAC), underlining the shortcomings of the way most security teams approach threat intelligence. Over a quarter (28 percent) said they were unaware of the existence and role of ISACs altogether. This is despite the proven value ISACs deliver in enabling organisations to manage risk, backed by trusted analysis and effective coordination. 

When asked to identify the weakest link in their approach to cybersecurity information sharing and collaboration, over half (51 percent) said people are the main barrier to improvement, followed by processes (21 percent) and technologies (11 percent). Taking all these factors into account, nearly half of the survey respondents (49 percent) said that their organizations struggle to combine and derive actionable insights across multiple security tools, such as threat intelligence platforms, SIEM, asset management, and vulnerability management platforms. 

Looking at the emerging role of AI in improving or reducing an organization’s ability to share threat intelligence, 65 percent thought it would improve their organization’s ability to share information, with over a third (35 percent) saying the technology is already having an impact. 

Other key research findings include: 

  • 70 percent said their organisations could share more threat intelligence, while only 23 percent said they are currently sharing the right amount of information. Only 2 percent thought they were sharing too much.
  • Asked which teams are least likely to share threat intelligence with other departments, DevOps (31 percent) emerged as the top answer, followed by Security Ops (17 percent), Threat Intelligence (16 percent) and IT Ops (15 percent). 
  • 23 percent of teams share threat intelligence on a daily basis, 21 percent in real-time, 17 percent weekly and 14 percent monthly.

Your PRESTO Card Can Now Be Added To Apple Wallet…. Here’s How You Can Set That Up

Posted in Tips with tags on July 16, 2024 by itnerd

For a while now, Metrolinx, the transit agency for the Greater Toronto and Hamilton Area, has let you put your PRESTO Card, the contactless transit card that the agency prefers you use, on your Android phone. Apple users have wanted equal treatment, and today they finally got that equal treatment.

Now there is a catch that you should be aware of. There is a process to take a physical PRESTO Card and convert it to one that can be used in Apple Wallet. But the problem with that is it will “kill” the physical card. As in the physical card will no longer work after you go through this conversion process. Now for some, that’s no big deal. But it potentially leaves you without an option if you want to say, lend a card to someone who needs to travel on transit. Or perhaps you simply want a backup. And the fact that a new physical card is $10 isn’t exactly cool either. Thus, what I will do is walk you through two options. One being the conversion of a physical card to a card inside your Apple Wallet. And the second where I will show you how to create a brand new card in Apple Wallet.

There’s another thing that I should point out. OC Transpo which is the mass transit provider in Ottawa Ontario does not support paying for transit via this method. So if you use OC Transpo, do not follow these steps.

The prerequisite to doing some of this is that you need to have the latest version of the PRESTO app on your phone.

The version that I have is version 2.10. That came out a few hours ago. The second prerequisite is that you need a PRESTO Account that has your cards in it already. So if you don’t have a PRESTO Account with your cards in it, now is a good time to create one via the app.

Let’s start with creating a new card. And there seem to be two ways to do this. The quickest way to do this is to go to Apple Wallet and click on the “+” in the top right. I’ve circled it in red to highlight it.

That will take you to this screen:

Click on Transit Card. Which takes you to this screen.

Choose PRESTO card, which takes you here.

Click on Continue. That takes you to this screen.

Here you can load funds onto the card via Apple Pay. In this example, I will add $10. Then I will click Add in the top right corner.

This is where I get prompted to add funds via Apple Pay. After I pay, I get this screen:

Now this seemed to take about three minutes to actually add the card to my iPhone. So be patient.

And the card is added to my iPhone. I will also note that this method appears not to require the PRESTO App to be installed on your iPhone.

Now I am not sure how I feel about Express Mode being enabled by default as I am a big believer that you should authenticate to pay for something 100% of the time. So I may disable that later. Having said that, I am not done yet. I will need to add this to my Apple Watch. I’ll get to that later because I want to explore the other option to add a new card via the PRESTO App. Start with opening the app and clicking Add Card on the right.

Next choose PRESTO in Apple Wallet and click the button below it.

You get a tutorial that you can skip if you so choose.

You then need to Load Funds or Load A New Pass. The latter option is if you want to add a monthly student pass or some other pass for example as those passes can save you money. For this example, I will do the former.

I am going to add $10 to this card and click buy now. You’ll then be prompted to pay with either Apple Pay or via a credit or debit card that is in your account. Again, it took me a few minutes before the card was added to Apple Wallet.

So which option should you use? If you simply need a PRESTO Card, I’d use the first option. If you want to add a transit pass to said PRESTO Card, I would use the second option.

Now, back to adding your PRESTO Card to your Apple Watch. And it’s a bit odd because unlike credit and debit cards on your iPhone which replicate to your Apple Watch, the PRESTO card doesn’t do that. What you’re actually doing is moving it to your Apple Watch from your iPhone. And you can move it back from your Apple Watch to your iPhone if you so choose. It appears that PRESTO can only deal with one unique card and can’t support what I will call “cloned” cards. For example, the debit or credit card that you add to your iPhone gets “cloned” to your Apple Watch. But no such support exists for PRESTO cards. That would explain why PRESTO “kills” the physical card if you convert it to a digital one. It also means that if you want to have a PRESTO card on your Apple Watch, you either have to move it to the watch and forget about using it on your iPhone. Or you need to put a second card on your Apple Watch and manage two cards. Now let me play Devil’s Advocate. This approach makes sense because Apple Watch users are always wearing their Apple Watches. Thus they can tap their watch on a PRESTO card reader and pay for transit without taking out their phone. And seeing that smartphone thefts are on the rise in Toronto, that’s likely going to help to keep your phone safe.

With that out of the way, if you want to move your PRESTO card to your Apple Watch, you start the process with opening the Apple Watch app on your iPhone and clicking on Wallet & Apple Pay.

You can see the PRESTO card that I just added to my iPhone. Click the ADD button.

Here’s where you get warned about the fact that this process only moves the card but doesn’t clone it. Clicking Next gets you to this screen:

Adding the card seemed to take about 90 seconds. After that, I got this screen.

If you see this screen, the process worked. As for Express Mode being enabled by default, I am still not a fan of this. But the use case makes a bit more sense because I can just tap my Apple Watch on a PRESTO reader and hop onto a bus, streetcar or subway train. But if you want to put the card back on your iPhone, here’s how you do it:

  • Open the Apple Watch app on your iPhone
  • Pick the PRESTO card
  • Scroll down until you see “Add card to (insert name of your iPhone here)” and follow the prompts which are similar to the ones above.

Finally, let’s cover how to convert a physical PRESTO card over to a digital one. And I will remind you that once you convert the physical PRESTO card to a digital one, it will “kill” the physical card. So if you want a physical card for whatever reason, do not follow these instructions.

Converting a physical card to a digital one only seems possible via the PRESTO App. Assuming that you also have a PRESTO account with PRESTO cards in it, here’s what you need to do.

Pick the card from the list of PRESTO cards that appear in the app.

Next tap the Convert To Apple Wallet button.

Here you will see the warnings that not only will this process “kill” your physical card, but also that using these cards with Apple Wallet isn’t supported by OC Transpo. Click Convert To Apple Wallet. At that point you will have to click through another warning about this. Nobody can say that Metrolinx hasn’t warned you about what’s going to happen next.

Next you need to hold your physical PRESTO card to the back of the iPhone. In my case, near the top of the iPhone worked for me. And taking off the case really helps with this. Then it will prompt you to add the card to Apple Wallet. When you see this prompt, the card is dead, and you are forced to complete the process of converting the physical card over to being a digital one which only takes a couple more clicks.

Now I put this together over a few hours after this functionality was announced by Metrolinx. So if you see ways that this can be improved, or anything that I got wrong, or even feedback on how this was done, please let me know in the comments and I will get back to you as quickly as I can.

Here’s An Email Based Shipping #Scam That Is Better Executed Than Most

Posted in Commentary with tags on July 16, 2024 by itnerd

So what is a shipping scam? It is one where you get an email from say Canada Post that says that you need to pay a trivial amount of money to get a package delivered. Here’s an example of such a scam. But what the threat actor is actually after is your credit card or banking details.

Usually I see a lot of these shipping scams that aren’t well executed. But this one is. Let me start with the email that you will get, which is supposedly from Intelcom which is a courier company here in Canada:

Now before I get to the nuts and bolts of this scam, this email is in both English and French. And the quality of both is pretty good. That’s an indication that the threat actor behind this actually put some time and effort into executing this scam. Here’s another area where this is also true:

It actually uses an Intelcom email address instead of something like a Hotmail or Gmail address. That’s because they are spoofing the domain to make the scam more likely to succeed, simply by pretending that the email came from a legitimate source. And I can tell you how the threat actor did this.

This is MXToolbox which I use to troubleshoot email deliverability issues. And in the case of Intelcom, they don’t have a DMARC policy enabled.

Here’s a closer look at that:

You can see that other than DMARC being enabled, there’s no DMARC policy whatsoever. In a way, they might as well not have bothered to have a DMARC record, as it’s not doing anything useful. If you have a DMARC policy enabled, then spoofing wouldn’t be possible because the receiving email server would simply reject the email or, at worst, put it in the junk mail folder or quarantine it. Either way, it wouldn’t reach the inbox. And scams can’t succeed if they never reach the inbox. But in this case, Intelcom has pretty much guaranteed that it will be associated with scams because they haven’t enabled a DMARC policy. If I were Intelcom, I’d be dropping everything that I was doing and fixing this, as this is pretty bad on their part.
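As an added example (not code from the original post), here is a small Python check for exactly the situation described above: a DMARC record that exists but enforces nothing, beside the corrected record a domain owner would publish. It does not query DNS; the records are constructed, and the domain and report address are placeholders.

```python
# Added example, not code from the original post. Records below are
# constructed; the rua address uses a placeholder domain. No DNS lookups.

ENFORCING_POLICIES = ("quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=none; ...') into tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Return weaknesses in a DMARC record; an empty list means it enforces."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record: missing v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["missing or invalid required p= tag"]
    findings = []
    if policy == "none":
        # This is the 'enabled but no policy' state: failures are only reported.
        findings.append("p=none: failures are only reported, never acted on")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if policy in ENFORCING_POLICIES and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sub_policy = tags.get("sp", policy).lower()
    if policy in ENFORCING_POLICIES and sub_policy == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: owner receives no aggregate reports")
    return findings


def receiver_disposition(record: str, spf_aligned: bool, dkim_aligned: bool) -> str:
    """Simulate a receiving server's verdict on a message claiming the domain.

    DMARC passes if SPF or DKIM passes with an aligned domain. A spoofed message
    sent from an unrelated server fails both. Simplification: pct is ignored.
    """
    if spf_aligned or dkim_aligned:
        return "deliver"
    policy = parse_dmarc(record).get("p", "none").lower()
    if policy == "reject":
        return "reject"
    if policy == "quarantine":
        return "quarantine"
    return "deliver"  # p=none or no usable record: the spoof reaches the inbox


# Constructed records: the weak one mirrors the state described in the post.
WEAK_RECORD = "v=DMARC1; p=none"
FIXED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example.invalid")

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("fixed", FIXED_RECORD)):
        print(f"{label}: {rec}")
        print("  findings:", dmarc_findings(rec) or ["enforcing"])
        print("  spoofed mail from elsewhere:", receiver_disposition(rec, False, False))
```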

Sidebar: If you want to go down the rabbit hole of DMARC, click here to see my journey in terms of implementing DMARC for my domains.

Even though Intelcom has made it a whole lot harder to spot that this is a scam, there is still one thing that makes it clear that this is a scam:

If I hover my mouse over the words “Receive my delivery”, I can see that this is not going to a server controlled by Intelcom. As in, it isn’t going to intelcom.ca or something similar. Thus this is clearly a scam and this email should be deleted the second it hits your inbox.

So what is this scam after? Not that you should do this, but if you click on “Receive my delivery”, it went to a site that was entirely written in Arabic after being redirected from another site. Weird. I am guessing that this site was going somewhere else, but that changed by the time I got to it. Either way, this illustrates that you need to be on your toes to keep yourself safe.

I’ll be reaching out to Intelcom to tell them about this scam. Because as I mentioned earlier, they are wide open to being used in scams because they have no DMARC policy. Thus it is in their interest to address this so that this is no longer the case.

New State of GitHub Actions Security: Researchers Expose Most Workflows Risky, Insecure, Exploitable

Posted in Commentary with tags on July 16, 2024 by itnerd

Legit Security has published its new State of GitHub Actions Security report, which unveils an especially concerning security posture and reveals that most workflows are insecure, overly privileged, and have risky dependencies.

Legit’s researchers explore multiple aspects of GitHub Actions security, including vulnerabilities found in GitHub Actions workflows, protection of the building blocks of GitHub Actions workflows, and security of custom GitHub Actions. Most of the Actions there are not verified, are maintained by one developer, and have low security scores based on the OpenSSF Scorecard.

The report’s key findings include:

  • Researchers uncovered interpolation of untrusted input in more than 7,000 workflows, execution of untrusted code in over 2,500 workflows, and use of untrustworthy artifacts in 3,000-plus workflows.
  • Legit examined triggers, jobs, steps, runners, and permissions, uncovering significant risks: 98.4% of references do not follow the best practice of dependency pinning; 86% of workflows do not limit token permissions. 
  • Of the 19,113 custom GitHub Actions in the marketplace, only 913 were created by verified GitHub users; 18% had vulnerable dependencies; 762 are archived and do not receive regular updates; the average OSSF security score was 4.23 out of 10; and a single developer maintains most. 

You can view the report here.
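As an added example (not code from the original post or from Legit Security), here is a small Python audit that checks a workflow for three of the findings listed above: action references not pinned to a commit SHA, no permissions block limiting the token, and untrusted event input interpolated into a run step. The two workflows are constructed; the 40-zero SHA in the hardened one is a placeholder for a real commit hash.

```python
# Added example, not code from the original post or the report. Both
# workflows are constructed; the all-zero SHA is a placeholder.
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN_RE = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")
PERM_RE = re.compile(r"^\s*permissions:")
# Event payload fields and head_ref are controlled by whoever opened the
# issue/PR, so interpolating them directly into a shell script is unsafe.
UNTRUSTED_RE = re.compile(r"\$\{\{\s*github\.(event\.|head_ref)")


def audit_workflow(text: str) -> list:
    """Return (rule, line_number, detail) tuples for a workflow YAML text."""
    lines = text.splitlines()
    findings = []
    if not any(PERM_RE.match(line) for line in lines):
        findings.append(("no-permissions", 0,
                         "no permissions: block, GITHUB_TOKEN keeps default scopes"))
    i = 0
    while i < len(lines):
        line = lines[i]
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if not ref.startswith(("./", "docker://")):
                tag = ref.rsplit("@", 1)[1] if "@" in ref else ""
                if not SHA_RE.match(tag):
                    findings.append(("unpinned-action", i + 1, ref))
        m = RUN_RE.match(line)
        if m:
            start, indent, rest = i + 1, len(m.group(1)), m.group(2)
            script = [rest]
            if rest.strip() in ("|", ">", "|-", ">-", "|+", ">+"):
                # Block scalar: collect following lines indented deeper than the step.
                while i + 1 < len(lines) and (
                    not lines[i + 1].strip()
                    or len(lines[i + 1]) - len(lines[i + 1].lstrip()) > indent
                ):
                    i += 1
                    script.append(lines[i])
            for s in script:
                if UNTRUSTED_RE.search(s):
                    findings.append(("untrusted-interpolation", start, s.strip()))
        i += 1
    return findings


WEAK_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "Title: ${{ github.event.pull_request.title }}"
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4, placeholder SHA
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $PR_TITLE"
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf) or "no findings")
```

Passing the untrusted value through an environment variable, as the hardened workflow does, keeps it out of the shell script's parse step.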

Singapore Banks To Phase Out The Use Of One Time Passwords In The Next 3 Months

Posted in Commentary with tags on July 16, 2024 by itnerd

It has been announced that all major retail banks in Singapore must phase out the use of one-time passwords (OTPs) within the next three months. This initiative is being mandated by the Monetary Authority of Singapore (MAS) and was developed in collaboration with the Association of Banks in Singapore (ABS). The move is intended to protect consumers from phishing and other scams.

The National Institute of Standards and Technology (NIST, US Department of Commerce) deprecated the use of SMS for 2FA as early as 2016, and the move away from OTPs has been picking up steam since then.

CEO Ted Miracco of Approov, a mobile security company, offers insight:

   “OTPs, once seen as a robust two-factor authentication (2FA) method, are now frequently targeted by cybercriminals using advanced social engineering tactics and Android malware. Android malware can exploit permissions to intercept OTPs sent via SMS. Android users are often targeted by phishing campaigns that mimic legitimate banking apps or websites, tricking users into revealing their OTPs. Despite improvements in app store security, these fake apps can still infiltrate and deceive users, and while Google has made efforts to restrict certain permissions, malicious apps continue to find ways to bypass these controls.

   “The shift to digital tokens aims to offer a more secure alternative to OTPs, but it comes with its own set of challenges. Despite the significant security enhancements, ensuring the integrity of banking apps requires robust measures such as mobile app attestation and runtime application self-protection (RASP) to prevent tampered or cloned apps from functioning.

   “The long overdue phase-out of OTPs is a positive step towards enhancing the security of online banking in Singapore. However, banks must remain vigilant and proactive concerning Android vulnerabilities, to protect their customers effectively.”

Uber Launches New Audio Seat Belt Reminder Across Canada

Posted in Commentary with tags on July 15, 2024 by itnerd

Seat belts save lives and wearing them is the most effective way for Canadians to protect themselves during a collision. 

Yet 45% of riders indicate that they don’t always buckle up when they take a trip with Uber. According to Transport Canada, 300 lives can be saved every year if everyone wore seat belts. Seat belts worn correctly can reduce the chance of death in a collision by 47% and the chances of serious injury by 52%. 

That’s why Uber wants to remind riders to buckle up by launching a brand new safety feature across the country tomorrow—audio seat belt reminders.

Here’s how it works:

  • Once a rider’s trip has started, an audio reminder stating “Please use your seat belt for your safety” will play on the driver’s phone shortly after the start of the trip.
  • At the same time, the rider will receive a push notification on their phone, reminding them to put their seat belt on.  
  • This feature will be enabled on a rider’s first trip once it is launched. After that, it will be enabled every 10th trip. 

Here’s a video of this feature in action:

And here’s the audio reminder:

Uber’s message is simple—no matter where you’re seated in the vehicle, you always need to buckle up. Whether you are going a few blocks, a few kilometres or a long distance trip, your seat belt must be worn at all times. Using Uber’s technology to remind riders to buckle up, they hope to increase seat belt use and potentially save lives. 

Buckling up could even affect your Uber rating. Drivers have shared that not buckling up is one of the reasons they may rate riders less than five stars. Through this feature and raising awareness about seat belt safety, Uber wants to help protect both drivers and riders on the road. 

The Uber platform is built with safety in mind. For a list of all their safety features, please visit here.

AT&T Paid A Ransom After Getting Pwned

Posted in Commentary with tags on July 15, 2024 by itnerd

Last week, news came to light that AT&T had been pwned and literally every customer had been affected. Now there’s even worse news:

US telecom giant AT&T, which disclosed Friday that hackers had stolen the call records for tens of millions of its customers, paid a member of the hacking team more than $300,000 to delete the data and provide a video demonstrating proof of deletion.

The hacker, who is part of the notorious ShinyHunters hacking group that has stolen data from a number of victims through unsecured Snowflake cloud storage accounts, tells WIRED that AT&T paid the ransom in May. He provided the address for the cryptocurrency wallet that sent the currency to him, as well as the address that received it. WIRED confirmed, through an online blockchain tracking tool, that a payment transaction occurred on May 17 in the amount of 5.7 bitcoin. Chris Janczewski, head of global investigations for crypto-tracing firm TRM Labs, also confirmed using the company’s own tracking tool that a transaction occurred in the amount of about 5.72 bitcoin (the equivalent of $373,646 at the time of the transaction), and that the money was then laundered through several cryptocurrency exchanges and wallets, but said there was no indication of who controlled the wallets.

A security researcher who asked to be identified only by his online handle, Reddington, also confirmed that a payment occurred. The hacker enlisted him to serve as the go-between for their negotiation with AT&T, and Reddington received a fee from AT&T for serving in that capacity. Reddington provided WIRED with proof of the fee payment. The hacker initially demanded $1 million from AT&T but ultimately agreed to a third of that.

WIRED viewed the video that the hacker says he provided to AT&T as proof to the telecom that he had deleted its stolen data from his computer. AT&T did not respond to WIRED’s request for comment.

I’ve been very clear that paying a ransom is something that you should never, ever do as it only encourages more of this behaviour from threat actors. This news really sucks for someone like me as I want these sorts of attacks by threat actors to end.

Pity.

Review: Epson EpiqVision Mini EF12 Projector

Posted in Commentary with tags on July 15, 2024 by itnerd

I have to admit that I didn’t know what to expect when Epson sent me the EpiqVision Mini EF12 Projector to review. But what I found was a very capable projector in a really compact size that allows you to take it anywhere so that you can stream your content anywhere. But before I get to the streaming part, let’s look at the projector:

Here’s a look at the business end of the projector.

This projector is tiny. I measured it to be 6.8 inches square and 5.3 inches high. The fabric speaker enclosure with a logo that says that the sound is powered by Yamaha gives it a kind of retro vibe.

Connectivity is present and correct with the following:

  • 2 HDMI ports. One of which has eARC support.
  • 2 USB ports: one USB-A port and one mini USB port, the latter of which is for servicing only based on my Google searches.
  • A Kensington lock to prevent theft.
  • Bluetooth and Wi-Fi.

There’s also a power brick, a remote control, and a pair of AAA batteries for said remote control in the box as well.

In terms of resolution, this is an HD projector. So that is going to put off some who insist on 4K resolution. But here’s why you should consider this projector. For starters it’s powered by Android TV. It felt snappy navigating through menus and starting up apps. Plus it has Chromecast built in, which I can see being useful. The second reason is the picture quality. The laser-powered picture is colourful and clear, with a distinct lack of blurring in fast-moving images. Mostly. I tried playing a game via this projector and that didn’t go so well because there was a significant amount of lag. But that was one of the few areas where I could get this projector to trip up. Watching the European Football Championship Final was fine.

You’re best to use this projector in an environment where it is roughly 80 inches or less from the screen. I say that because picture quality seemed to suffer for me when I got beyond 80 inches. What I found really cool was the fact that when you first turn it on, or move it while it’s switched on, it will auto-keystone. Plus there’s auto focus which will work better than any human trying to focus will. Both of those features will help to keep the picture sharp at all times. The EF12 is bright enough to project in a room that isn’t completely blacked out. Which given the fact that this projector puts out 1000 lumens is a big plus. The projector supports HDR and to test that, I ran a couple of HDR movies using Netflix on this projector. HDR content that is really dark isn’t going to wow you. In fact, I found some scenes to be way darker than the SDR version of the same content. But everything else that I tried was pretty great.

In terms of sound, speech and music are both clear and crisp. There’s honestly nothing to complain about with the Yamaha powered sound. And for bonus points you can use the projector as a Bluetooth speaker.

There’s only one thing that I should point out. And that is the fact that there’s no optical zoom. Which means that you have to move the projector back and forth to get the picture size that you want. It’s not a deal breaker by any means as I wonder how you could put optical zoom in a projector this small. But other than that, I really have nothing negative or quasi negative to say about this projector.

The EpiqVision Mini EF12 Projector is $1000 CDN. But if you look around, you can find it for less. Like I said at the start of this review, I wasn’t sure what I was expecting going into this review. But on the other side of this review I can say that I was impressed by this projector as it is small yet mighty.

I’ve Said It Before And I Will Say It Again…. Bell Canada Needs To Fix Their Customer Service

Posted in Commentary with tags on July 14, 2024 by itnerd

Frequent readers will know that I will praise Bell for the tech that they offer customers. But at the same time, I will criticize them for their customer service. More specifically how bad it is. This isn’t a new complaint. But this story that popped up last week really highlights how bad Bell’s customer service is. The top line headline is that Bell has been ordered to pay a Montreal customer $1000 for bad customer service:

A Quebec Court judge has ordered Bell Canada to pay a Montreal customer $1,000 after ruling he was subject to a “Kafkaesque” experience while trying to cancel his satellite television plan.

In a recent ruling, Judge Luc Huppé denounced how the man was given the runaround after contacting Bell’s customer service in the spring of 2019.

“Requiring a customer to endure a 75-minute telephone conversation in order to resolve a problem that, on the surface, seems relatively simple creates undue inconvenience,” Huppé ruled.

If you read the details of what this customer went through, it really sounds horrific. No customer should ever have to go through that. And I have to admit that I have experienced Bell’s bad customer service first hand. So while I am horrified by the experience, I am not surprised. And I will repeat something that I have previously said when I had my rather bad customer experience:

If I were Mirko Bibic, the CEO of Bell, I’d be doing everything possible to improve the customer experience as my experience with their call centre reps was not that good. And improving the customer experience should include ending their practice of outsourcing and offshoring their customer service staff. I say that because Rogers doesn’t have outsourced and offshore staff, and their customer experience is far better than Bell’s. And that was enough for my wife and I to hang in with them despite the fact that their Internet offering was substandard in comparison to what Bell offers. That was until their outage issues forced us to Bell. But to be clear, if Rogers somehow is able to get their act together and come up with an Internet offering that is actually competitive with Bell and actually reliable, and Rogers customer service continues to be better than Bell’s, then they may have the means to lure us back. Because having great customer service is what matters. And right now, Bell doesn’t have that. At least not at the call centre level.

I am bringing my negative experience up because that experience was two years ago, which if you consider that this customer’s experience was in 2019 strongly suggests that Bell has not fixed anything when it comes to customer service. That really reflects poorly on Bell. And it’s beyond time that Bell actually start doing something about addressing their customer service issues. Because experiences like the one that this customer had should never, ever happen.