Archive for the Commentary Category

TikTok Doesn’t Belong On Your Phone Because It Is A Privacy & Security Nightmare Says Security Researcher

Posted in Commentary on July 3, 2020 by itnerd

According to a security researcher who posted to Reddit, TikTok is one app that you need to delete ASAP if you value your privacy and security. Here’s why:

TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device… well, they’re using it.

  • Phone hardware (cpu type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
  • Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload – maybe using as cached value?)
  • Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
  • Whether or not you’re rooted/jailbroken
  • Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post IIRC
  • They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication

The stuff that I’ve listed above is pretty bad. But it gets worse:

Here’s the thing though... they don’t want you to know how much information they’re collecting on you, and the security implications of all of that data in one place, en masse, are f**king huge. They encrypt all of the analytics requests with an algorithm that changes with every update (at the very least the keys change) just so you can’t see what they’re doing. They also made it so you cannot use the app at all if you block communication to their analytics host off at the DNS-level.

For what it’s worth I’ve reversed the Instagram, Facebook, Reddit, and Twitter apps. They don’t collect anywhere near the same amount of data that TikTok does, and they sure as hell aren’t outright trying to hide exactly what’s being sent like TikTok is. It’s like comparing a cup of water to the ocean – they just don’t compare.

This is just downright scary. And this Reddit thread is gaining attention. Security company Zimperium had its own look at TikTok and it says it’s a security risk. Anonymous has said to “delete this Chinese spyware now.” The Pentagon advises that TikTok should be deleted from phones, something that the US Army has taken heed of. And while this likely has more to do with a border issue between China and India, the latter has banned a pile of Chinese apps, which includes TikTok.

The point is that it’s pretty clear that TikTok is a security risk of epic proportions. If you value your security, I would read the Reddit thread and then make your own decision as to whether TikTok deserves a place on your smartphone. Or your kids’ smartphone for that matter.

Terranova Security Releases Enhanced Mobile Responsive Version Of Security Awareness Training Library

Posted in Commentary on July 3, 2020 by itnerd

Terranova Security, a global leader in security awareness training, announced mobile responsive security awareness training content enhancements for its platform.

This release allows organizations to train their users on any device, allowing them to access security awareness training modules from their smartphone, tablet, laptop, or desktop. A user’s training progress is always saved to their unique platform profile, ensuring that no learning momentum is lost. These enhancements underscore the Terranova Security dedication to delivering a fun, engaging, powerfully effective omnichannel learning experience.

Major mobile responsive features in this release include:

  • Enhanced flexibility and convenience: Terranova Security is recognized for its high-quality content, strong customer support, its customizable learning material and for ensuring that its content is available to all users. The company has continued to deliver in this area, with security awareness training content that can be enjoyed on any device via an improved mobile-responsive design. This release reinforces the Terranova Security commitment to bring security awareness training to all users on their preferred device for a more flexible, comfortable learning experience.
  • Seamless training access on all devices: Terranova Security is committed to making security awareness training programs engaging and easy to use. This mobile responsive release from Terranova Security enables users to save their progress to their unique platform profile that’s accessible in their favorite browser, regardless of the device being used. This makes switching between a desktop and a smartphone or tablet effortless, uncomplicated, and free of any training data loss.
  • Enhanced mobile responsiveness, same high-quality awareness courses users love: The Terranova Security mobile responsiveness measures included enhancements made to the company’s information security awareness course library. This high-quality training content has become the Terranova Security hallmark and is now available across all devices, giving users the freedom to complete security awareness training modules at a time and on a device that works for their schedule and lifestyle.

The recent explosion in mobile device usage has magnified the importance of mobile learning as a vital part of any security awareness training program. Studies show that 70% of learners feel more motivated when training on a mobile device, while smartphone learners tend to complete course material 45% faster than those using a desktop computer.

These trends won’t be fading anytime soon. As of 2019, there are more cellphones on Earth than human beings. By 2025, 72% of internet users will access the web using only their smartphones, making their inclusion in security awareness training more crucial than ever.

The English mobile-responsive version of the Terranova Security security awareness training course material is available now to new and existing customers. The Terranova Security mobile responsive content will be available in additional languages by the end of 2020.

Read more in their mobile learning blog post.

2/3 of Canadians More Aware Of Cybersecurity Policies Since Lockdown: Trend Micro

Posted in Commentary on July 3, 2020 by itnerd

Trend Micro Incorporated today released survey results that show how remote workers address cybersecurity. Nearly three quarters (72%) of remote workers say they are more conscious of their organisation’s cybersecurity policies since lockdown began, but many are breaking the rules anyway due to limited understanding or resource constraints.

Trend Micro’s Head in the Clouds study is distilled from interviews with 13,200 remote workers across 27 countries on their attitudes towards corporate cybersecurity and IT policies. It reveals that there has never been a better time for companies to take advantage of heightened employee cybersecurity awareness. The survey reveals that the approach businesses take to training is critical to ensure secure practices are being followed.

The results indicate a high level of security awareness, with 85% of respondents claiming they take instructions from their IT team seriously, and 81% agree that cybersecurity within their organisation is partly their responsibility. Additionally, 64% acknowledge that using non-work applications on a corporate device is a security risk.

However, just because most people understand the risks does not mean they stick to the rules.

For example:

  • 56% of employees admit to using a non-work application on a corporate device, and 66% of them have actually uploaded corporate data to that application.
  • 80% of respondents confess to using their work laptop for personal browsing, and only 36% of them fully restrict the sites they visit.
  • 39% of respondents say they often or always access corporate data from a personal device – almost certainly breaking corporate security policy.
  • 8% of respondents admit to watching / accessing porn on their work laptop, and 7% access the dark web.

Productivity still wins out over protection for many users. A third of respondents (34%) agree that they do not give much thought to whether the apps they use are sanctioned by IT or not, as they just want the job done. Additionally, 29% think they can get away with using a non-work application, as the solutions provided by their company are ‘nonsense.’

The Head in the Clouds study looks into the psychology of people’s behaviour in terms of cybersecurity, including their attitudes towards risk. It presents several common information security “personas” with the aim of helping organizations tailor their cybersecurity strategy in the right way for the right employee.

European Advertisers Whine Like Babies About iOS 14 Ad Tracking Warnings For Users

Posted in Commentary on July 3, 2020 by itnerd

Reuters is reporting that a group of European digital advertising associations has criticized Apple for requiring apps in iOS 14 to seek additional permission from users before tracking them across other apps and websites:

Sixteen marketing associations, some of which are backed by Facebook Inc and Alphabet Inc’s Google, faulted Apple for not adhering to an ad-industry system for seeking user consent under European privacy rules. Apps will now need to ask for permission twice, increasing the risk users will refuse, the associations argued.

You’ll note that some of these marketing associations are backed by Google and Facebook, both of which are companies that make tons of money off advertising. That likely goes a long way to explain why they are upset. But what these clowns don’t get is that users want control over what companies know about them. Companies should not have the right to do whatever they want, and I for one am perfectly fine with Apple blocking them from tracking me in any manner that they feel like. I criticize Apple for a lot of things, but this isn’t one of them. I say good on Apple for making these companies whine like babies because they will not get the data that they want when iOS 14 ships this fall.

Beware! A New Type Of Dangerous Mac Ransomware Is Making The Rounds

Posted in Commentary on July 2, 2020 by itnerd

Wired has a story on a new type of Mac ransomware that is out there. Now if you don’t download pirated software, this isn’t a threat to you. At least not at the moment. But that is likely to change given how sophisticated this ransomware is:

The threat of ransomware may seem ubiquitous, but there haven’t been too many strains tailored specifically to infect Apple’s Mac computers since the first full-fledged Mac ransomware surfaced only four years ago. So when Dinesh Devadoss, a malware researcher at the firm K7 Lab, published findings on Tuesday about a new example of Mac ransomware, that fact alone was significant. It turns out, though, that the malware, which researchers are now calling ThiefQuest, gets more interesting from there. In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or “second stage,” attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

Though ThiefQuest is packed with menacing features, it’s unlikely to infect your Mac anytime soon unless you download pirated, unvetted software. Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes, found that ThiefQuest is being distributed on torrent sites bundled with name-brand software, like the security application Little Snitch, DJ software Mixed In Key, and music production platform Ableton. K7’s Devadoss notes that the malware itself is designed to look like a “Google Software Update program.” So far, though, the researchers say that it doesn’t seem to have a significant number of downloads, and no one has paid a ransom to the Bitcoin address the attackers provide. […] Given that the malware is being distributed through torrents, seems to focus on stealing money, and still has some kinks, the researchers say it was likely created by criminal hackers rather than nation state spies looking to conduct espionage.

Clearly this is pretty sophisticated stuff and the means of distributing it will likely become more targeted over time as I cannot see the authors of this ransomware sticking with the method of hoping that you will download pirated software. I say that because whoever designed this clearly has something more “interesting” in mind.

Here’s some general advice for you. Back up your files every single day. That way if you get infected by ransomware, you can just nuke the computer, restore your files and go on with your life without paying the ransom. And by the way, paying the ransom is something that you should never, ever do as it only encourages the scumbags who make ransomware. You might not get your files back either, which means that you handed these scumbags your money for no good reason.

Person Who Discovered A macOS Security Bug Goes Public After Months Of Apple Not Fixing It

Posted in Commentary on July 1, 2020 by itnerd

Software developer Jeff Johnson discovered and told Apple about a privacy bypass vulnerability opening up protected files in macOS Mojave, macOS Catalina, and the upcoming macOS Big Sur. This he thought was the responsible thing to do. But that was over six months ago. And the best Apple could come up with was that it was “investigating” what he reported. So after feeling that the folks at 1 Apple Park weren’t taking this security issue seriously, he’s decided to go public via this blog post that went online yesterday. In this blog post he’s laid out the timeline in terms of when it was reported and what happened next. Then he says this:

For technical reasons, I don’t believe that the issue will be fixed by Apple before Big Sur is released to the public in the Fall. I’ve seen no evidence that Big Sur makes any effort in this direction, and Apple’s email to me shows no evidence of that either. Therefore, I’m disclosing the issue now. It’s been over 6 months since I reported the issue to Apple. This is well beyond the bounds of “responsible disclosure”, which is typically 90 days after reporting an issue to a vendor. It’s also becoming obvious that I will never get paid a bounty by Apple for anything I’ve reported to them, or at least not within a reasonable amount of time. I’m not interested in waiting years for a bounty. I can’t speak for anyone else, but my personal experience is that the Apple Security Bounty Program has been a disappointment, and I don’t plan to participate again in the future. 

Well, that’s a pretty damning statement when it comes to Apple’s Security Bounty program. If people don’t have confidence that Apple will act on the things that they report, then they won’t use it. And what is really bad is that he revealed a similar issue last October after reporting it in February of that year and waiting eight months for Apple to fix it without success.

Besides that, he gives readers this to think about:

Should you be worried about this issue? That depends on how you feel in general about macOS privacy protections. Prior to Mojave, the privacy protections feature did not exist at all on the Mac, so you’re not any worse off now than you were on High Sierra and earlier. My personal opinion is that macOS privacy protections are mainly security theater and only harm legitimate Mac developers while allowing malware apps to bypass them through many existing holes such as the one I’m disclosing, and that other security researchers have also found. I feel that if you already have a hostile non-sandboxed app running on your Mac, then you’re in big trouble regardless, so these privacy protections won’t save you. The best security is to be selective about which software you install, to be careful to avoid ever installing malware on your Mac in the first place. There’s a reason that my security research has focused on macOS privacy protections: my goal is to show that Apple’s debilitating lockdown of the Mac is not justified by alleged privacy and security benefits. In that respect, I think I’ve proved my point, over and over again. In any case, you have the right to know that the systems you rely on for protection are not actually protecting you.

Here’s my $0.02 worth. Apple makes a lot of noise about privacy and security. But reading the above statement makes it appear that Apple is only paying lip service to privacy and security. If Apple were actually serious about this, they would not only respond to this developer in public and address his claims in public, but they would also make a statement about why users of their products should trust in their products to keep them secure, and what they are going to do to walk the walk as opposed to just talking the talk. But I am not naive. That won’t happen because Apple isn’t that sort of company. They never have been. And clearly they never will be. And that will come back to haunt them sooner or later.

The Belkin NetCam Is Dead…. And This Will Haunt Belkin For A Very Long Time

Posted in Commentary on July 1, 2020 by itnerd

I have been reporting for a while now about Belkin’s plans to end of life the back end services that run their NetCam products. By killing the back end services, Belkin has in effect taken perfectly working cameras and made them useless. While they did get a bit of a reprieve, the back end services finally went dark overnight. Much to the dismay of users like this one:

Now if Belkin was hoping that the blowback from this decision would eventually go away, they might want to reconsider that belief.

For starters, they did this in the middle of a pandemic. And there are many who bought these cameras to keep an eye on cottages, second homes, and the like. Now these people are left high and dry. And if their location is still in the middle of some sort of lockdown related to the pandemic where traveling is heavily restricted or outright illegal, they can’t easily drive out to these properties to install new cameras. At least not without potentially breaking the law. That’s #Fail number one.

Second, this whole experience was badly handled by Belkin on multiple fronts. They gave users very little notice and only extended the kill date when the blowback became epic. Most companies tend to broadcast this sort of thing many months or years in advance so that users don’t react the way that NetCam users have. That’s #Fail number two.

Then there’s their plan to refund people who might have recently bought these cameras. From what I see, that didn’t work so well:

That’s #Fail number three. But the major #Fail is the fact that Belkin really didn’t give users any other option in terms of using their cameras. It clearly is possible to use these cameras without Belkin’s back end service, as there is a GitHub project published by Vladimir Sobolev in 2018 that does exactly that. And if Belkin really wanted to avoid the level of blowback that is seen here, they might have considered it:

But clearly Belkin went the route of not even considering any way to let users keep using their cameras. And as a result, I’m here talking about it. And I am going to go out on a limb and say that Belkin isn’t going to get a whole lot of angry NetCam camera owners buying Belkin products in the future.

Now there’s a bit of a lesson to be learned here, specifically that if you buy any sort of IoT gear, you have to be aware that this scenario can be the result. But even with that, the way this was handled was craptastic. Based on the fact that the two stories that I did on this got thousands upon thousands of page views, I am certain that this is going to haunt Belkin for a very long time. The NetCam may be dead, but in the process Belkin may have harmed their reputation for a very long time.

Apple Rumored To Be Dropping Earphones And Chargers From The Packaging Of The iPhone 12

Posted in Commentary on July 1, 2020 by itnerd

Rumors have been circulating for a week or so that Apple is about to make some radical changes as to what comes in the box of the iPhone 12. The rumors come from a couple of reliable sources. The first being Ming-Chi Kuo who is a reliable source for this sort of information. The second is a Twitter user that goes by the handle of L0vetodream who is a recent entrant into the Apple rumor game and has an excellent track record in terms of accuracy. His latest tweet is below:

Now Apple dropping the earphones makes sense on a number of fronts. First of all, I am going to go out on a limb and suggest that only a handful of people use the earphones that come in the box. Most users will use their own earphones because they have better sound quality, and/or they are wireless. Thus the supplied earphones that come with iPhones are wasted a lot of the time. Plus if people really wanted them, they could easily buy them as an add-on when they get their iPhone. Or they could buy AirPods or Beats headphones when they get their iPhone. Regardless, I don’t see this as being a big deal.

Now not including a charger in the box is a big deal. Apple has taken flak for not including a fast charger in the box in the past. This despite the fact that modern iPhones are fast charge capable if you use a Lightning to USB-C cable and a USB-C fast charger. They sort of fixed that when the iPhone 11 Pro and Pro Max came out by including those items in the box. But I guess that because the iPhone 11 wasn’t a “Pro” device, they left it out of that. Still, there was a charger in the box.

I have to assume that Apple either has a reason related to the environment, or a reason related to cost (as in they want to use this as a vehicle to lower the cost of the iPhone) as to why they would ever consider going this route. In terms of the former, I am guessing that they would argue that people charge wirelessly using third party wireless chargers, or they buy third party fast chargers. So there’s no need for a charger to be put into the box. Now there is some truth in that. But not enough truth in my opinion to omit a charger from the box. The latter reason is simply cynical on Apple’s part if they are actually thinking that.

Here’s why this is a big deal. It is handy to have a wired charger for traveling, or for emergency reasons. Plus with all of us working from home because of the pandemic, it is simply faster to use a wired charger to give your phone a quick jolt of energy before your next conference call. And that doesn’t include first time iPhone users who get a phone and are shocked to find that there’s no charger in the box. Imagine how they would feel and how they would perceive Apple. Thus including one in the box is in my mind something that Apple should do as a matter of course.

Potentially not including a charger in the box of future iPhones is a step too far for Apple as far as I am concerned. They are a company that will take bold moves like this and try to convince us that it’s for our own good. But this isn’t bold. It’s stupid. And hopefully Apple will reconsider this move before it’s too late.

OVHcloud Announces New Range Of Web Hosting Offerings In Canada

Posted in Commentary on June 30, 2020 by itnerd

Dedicated to its commitment to make its customers succeed wherever they are and to comply with their local regulations, OVHcloud is responding to the challenges of its North American community by introducing a new all-in-one solutions offering – from web hosting to domain names – all from its data centre in Beauharnois, Quebec. Whether they run a small website or a sophisticated ecommerce platform, Canadian businesses have the guarantee of optimizing their online presence with a high level of availability and the best price/performance ratio, with OVHcloud ensuring their data is protected and managed properly.

A secure offer, a predictable price

From servers to the fiber optic network, everything is built, operated and managed by OVHcloud, maintaining the integrity of the entire chain in order to generate maximum value, ease of use and security.

Since 1999, OVHcloud has established itself in Europe, North America and Asia as the cloud alternative, perfecting an open, reversible and transparent model that places freedom of choice and data protection at the heart of its priorities. Today, the European leader in cloud solutions powers more than 3 million websites and 18 million applications in its 30 data centres around the world, with strict respect for the digital sovereignty of each of its users.

OVHcloud is enhancing its Canadian portfolio of cloud solutions by adding domain names and web hosting offers to dedicated servers, Private Cloud and Public Cloud offerings. With a diverse set of tools, OVHcloud’s offerings are easy to use and scale for a wide variety of users, ranging from small companies to large multi-faceted organizations. OVHcloud helps support professional websites, blogs, online retailers, web agencies – any project that needs the support of the cloud to launch and scale.

In Canada, OVHcloud’s range of web hosting includes three offerings: Personal, Pro, and Performance, suitable for a wide range of users and guaranteeing optimal online visibility and centralization of all services. Each of these offers can be deployed in just a few clicks from the OVHcloud control panel and allows users to stay focused on their core business, while OVHcloud takes care of all the necessary security requirements and updates. These offerings include unlimited monthly traffic, anti-DDoS protection, free domain name for the first year, free Let’s Encrypt SSL certificate, choice of 4 CMS modules and many default features to allow users to deploy a powerful web project without any compromise.

Personal Hosting

The ideal choice to start your web project and share your passion at the best price. The Personal hosting package will satisfy casual bloggers, students or young entrepreneurs who want to create their first website. The Personal package includes:

  • 1 free domain name
  • 100 GB of disk space
  • 10 email addresses
  • Optimized for WordPress

Pro Hosting

Aimed at self-employed entrepreneurs, professional bloggers and small businesses who want to grow their digital presence without compromise. The Pro offering makes it possible to deploy a professional website capable of handling a large volume of traffic, all in a secure environment. The Pro package includes:

  • 1 free domain name
  • 250 GB of disk space
  • 50 email addresses
  • Optimized for WordPress, Joomla and Drupal

Performance Hosting

Designed for the most complex or growing web activities, including multi-site or ecommerce sites, the Performance package allows the easy adjustment of resources to manage the most demanding projects, on an ad hoc basis using the Boost option or permanently by leveraging the four performance levels. These adjustments ensure users always have the resources guaranteed to them and help to absorb peak loads. In an all-inclusive offer (CDN, SSL, SQL), the Performance offer will ideally support the development of online stores, web agencies and developers, SMEs, SaaS publishers, resellers and corporate websites. High performance and ultra-competitive hosting include these features:

  • 1 free domain name
  • 500 GB of disk space
  • Boost Option
  • Up to 1000 email addresses
  • Optimized for WordPress, Joomla, Drupal and Prestashop

An idea, a project, a domain name

Every web project starts with a domain name that is included* across all hosting options. With over 800 extensions available (generic, thematic, geographic), individuals, professionals and distributors can build a project in their own image. They also benefit from OVHcloud’s security expertise to safeguard their digital identity and protect against fraudulent transfers.

Additionally, their ultra-competitive price and the absence of hidden fees upon renewal make OVHcloud domain names the ideal offer to optimize the lifespan of online projects. Advantages of OVHcloud domain names include:

  • DNSSEC: protection against cache poisoning (DNS server poisoning)
  • Easy Redirect: simplified implementation of a redirection from your domain name to a social network, for example
  • DNS zone management for greater flexibility and customization
  • Renewal without hidden fees

Beyond Canada and Europe, the web hosting and domain name offers are now also available in Latin America, from OVHcloud’s Canadian data centre, and will be available in Asia before the end of the month. This is an opportunity for OVHcloud to support its clients’ international development.

For those just starting out, OVHcloud has published a complete 5-step guide to launch their business and quickly develop their digital presence online: consult the guide.

*Free domain name offered for the first year on all hosting offers

Commvault & Microsoft Team Up To Deliver SaaS & Cloud Technology For Data Management

Posted in Commentary on June 30, 2020 by itnerd

Commvault today announced that it has entered into a multi-year agreement with Microsoft that tightly integrates go-to-market, engineering, and sales of Commvault’s Metallic Software-as-a-Service (SaaS) data protection portfolio with Microsoft Azure – delivering ultimate scale and trusted security with simple SaaS management.

Commvault and Microsoft are bringing together two technologies – Azure and Metallic SaaS – to meet the need for proven data protection backed by powerful scale and multi-layered security. Metallic enhances protection of Microsoft Office 365 data in the case of accidental deletion, corruption, and malicious attacks. Metallic also offers a range of additional options from VMware and Microsoft SQL database backup to Endpoint protection.

This new phase of the collaboration builds on Commvault’s longstanding use of Azure capabilities including application and data migration, long-term retention, and Azure Blob Storage for its scale, durability and security. The new agreement includes plans to build a SaaS offering of Metallic Cloud Storage on Azure Blob Storage and other deep product integrations with native Azure services.

One of Metallic’s strengths is that it was built in the cloud, using the best of Azure’s native capabilities while leveraging Commvault’s market-leading enterprise technology – the same technology stack that large enterprises have entrusted to protect their mission-critical apps and data. As part of the agreement, Metallic will be a featured app for SaaS data protection in the Azure Marketplace for public cloud and hybrid IT customers. Commvault will also continue to support choice for customers who request alternative clouds based on business requirements. Metallic™ Backup & Recovery for Office 365 is now available on the Azure Marketplace.