Archive for the Commentary Category

BlackFog Releases The State of Ransomware For November 2022

Posted in Commentary with tags on December 2, 2022 by itnerd

BlackFog today released the November State of Ransomware Report. Key findings for the month of November from Dr. Darren Williams, CEO and Founder, BlackFog:

  • “Unusually, November saw the second highest number of ransomware attacks this year, a 180% increase year over year with a total of 42 attacks. There seems to be no end in sight, with recent insurance statistics demonstrating a general lack of preparedness. In fact, providers are now mandating more serious levels of protection before underwriting any new cybersecurity policy.
  • The biggest changes this month saw the persistent use of data exfiltration at 89% and a further increase in the use of PowerShell, now utilized in 86% of all attacks.
  • The greatest increases by industry involved Healthcare and Manufacturing with increases of 26% and 25% respectively. Smaller increases were observed in Education and Government, with 14% and 13% respectively, but continue to be the most targeted industries. Typically, these organizations struggle due to financial and skill shortages (please refer to BlackFog’s latest research article @ https://www.blackfog.com/cybersecurity-leaders-consider-quitting/). 
  • LockBit easily took the lead this month in terms of variants with a 33% increase in successful attacks followed by BlackByte and BlackCat with increases of 25% and 14% respectively.”

Today’s full report can be found here: https://privacy.blackfog.com/wp-content/uploads/2022/12/BlackFogRansomwareReport-Nov-2022.pdf

Major Web Browsers Drop Sketchy Certificate Authority

Posted in Commentary with tags on December 2, 2022 by itnerd

Here is something that got my attention. All the major web browsers, meaning Firefox, Chrome, and Edge, have decided to drop a certificate authority that has ties to a US military contractor.

Mozilla’s Firefox and Microsoft’s Edge said they would stop trusting new certificates from TrustCor Systems that vouched for the legitimacy of sites reached by their users, capping weeks of online arguments among their technology experts, outside researchers and TrustCor, which said it had no ongoing ties of concern. Other tech companies are expected to follow suit.

“Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware,” Mozilla’s Kathleen Wilson wrote to a mailing list for browser security experts. “Trustcor’s responses via their Vice President of CA operations further substantiates the factual basis for Mozilla’s concerns.”

The Post reported on Nov. 8 that TrustCor’s Panamanian registration records showed the same slate of officers, agents and partners as a spyware-maker identified this year as an affiliate of Arizona-based Packet Forensics, which has sold communication interception services to U.S. government agencies for more than a decade. One of those contracts listed the “place of performance” as Fort Meade, Md., the home of the National Security Agency and the Pentagon’s Cyber Command.

That would qualify as sketchy as this company makes software that should ring alarm bells. Pratik Selva, Lead Security Engineer at Venafi added this:

“When considering security, one of the areas that is still not given due focus by many organizations is Certificate Authorities (CAs). CAs are / should be a key component in any corporate security strategy as they are machine identity enablers. A root CA is the most significant piece in that hierarchy as it holds the potential to impact the security and the trust of the entire certification hierarchy due to any abuse or compromise. This view needs to be factored in when organizations conduct threat modeling or assessments.

Additionally, there can also be compliance implications if there are weak or non-existent checks and balances in place for ensuring the security of a CA. What is more alarming is that CA compromise has been found to be achieved using living-off-the-land (LOTL) techniques and tools. LOTL attacks are problematic from a detection standpoint and are an incident response (IR) nightmare. As root CAs pose a cascading risk, they have been a favorable target of nation state APT actors aiming to mount a crippling attack.”

My advice would be to make sure your browsers are up to date as that is how the removal of this certificate authority would take place. But this also underscores that you need to be on your toes when it comes to security and privacy.

Kanye West Gets Suspended From Twitter Again

Posted in Commentary with tags on December 2, 2022 by itnerd

This guy doesn’t get it.

Apparently Kanye West, or Ye, or whatever this clown calls himself, posted a picture of a swastika last night. And that resulted in him getting suspended from Twitter again.

Rapper Kanye West is on yet another timeout from Twitter after testing the limits of owner Elon Musk’s free speech policy. Twitter issued West, who has legally changed his name to Ye, a 12-hour suspension late Thursday after Ye tweeted a picture of a swastika inside a Star of David with the caption “YE24 LOVE EVERYONE #LOVESPEECH”.

West turned to the platform Truth Social to post a picture of a notification informing him of the suspension due to his violation of Twitter’s rules. Musk confirmed on Twitter that West’s suspension was due to “incitement of violence.” It had nothing to do, he added, with the unflattering photos Ye had tweeted of Musk wearing swimwear on a yacht. “Frankly, I found those pics to be helpful motivation to lose weight,” Musk said.

A 12 hour suspension isn’t enough. He’s proven to be anti-semitic by his words and actions. Thus his timeout from Twitter should be forever. But clearly Elon doesn’t see things that way. Perhaps it will take even more advertisers bailing out on the platform to change his mind?

Impact-Driven Vancouver Biotech Startup Wins $100k+ Investment

Posted in Commentary with tags on December 2, 2022 by itnerd

As Spring Activator’s Women-led Impact Investor Challenge, presented by the TELUS Pollinator Fund, came to a close Tuesday evening, we are excited to announce Dr. Karolina Valente of Voxcell BioInnovation Inc. was awarded a $100k+ investment from a cohort of both experienced and emerging impact investors.

VoxCell BioInnovation Inc. is creating fully vascularized, human-like cancer tissue models by combining a custom high-resolution 3D bioprinter, advanced vascularization software, and proprietary bioinks. VoxCell aims to accelerate the development of life-saving anti-cancer drugs by providing tissue models that can identify viable candidates earlier in the drug-development pipeline.

The Impact Investor Challenge was created to help impact-driven businesses receive the capital and knowledge needed to succeed. The Pitch Finale is the pivotal moment in which we collectively make this happen for one impact venture!

More details can be found here.

Elon Musk Begs People To Tweet And Other Oddities Of Life

Posted in Commentary on December 2, 2022 by itnerd

Yesterday, I resolved to go a full day without writing about the train wreck next to a dumpster fire that is Twitter. And while I did manage to do that, a lot happened while I was off covering other things.

Let’s start with this Forbes article where Elon Musk is trying to get advertisers back onto the platform:

Elon Musk’s tumultuous five-week tenure as Twitter CEO continued to take a strange path Thursday, with the world’s wealthiest man pleading for users to post more on the social media site as the firm reportedly dangled a lucrative offer to advertisers who drive a majority of the company’s revenue but have soured on Musk’s vision for Twitter.

Companies who spend more than $500,000 on Twitter ads will receive a 100% match on their spending in equivalent marketing value up to $1 million, according to an email sent to advertisers viewed by the Wall Street Journal.

It’s “the most aggressive ad spend incentive” ever, according to an internal message from a Twitter executive viewed by Platformer editor Zoe Schiffer, explaining it’s intended to “make it worth it to get any paused advertisers to reactivate.”

It smells of desperation to me. And so does this:

Now why would he post this? I am guessing that he needs people actively Tweeting, and Tweeting a lot, to convince advertisers to do ad buys, as advertisers won’t go where there are no eyeballs to see their ads. That too sounds like desperation.

Elon really needs to wrap his head around why advertisers are fleeing the platform like passengers fleeing the Titanic. Let’s start with exhibit “a”:

When Elon Musk wanted to bring Donald Trump’s account back to Twitter, he turned to one of the platform’s most familiar features to legitimize the move—a poll.

A narrow 51.8 percent of his audience voted to “Reinstate former President Trump,” leading the billionaire CEO to reinstate the infamous account. A week later, Musk once again turned to a Twitter poll to ask his followers whether to jailbreak the hordes of accounts suspended for posting far-right content, Qanon conspiracy theories, and lies about the 2020 election and the Covid-19 pandemic. 

There’s just one problem, multiple former Twitter employees say. The social network’s polls are magnets for bots and other inauthentic accounts. They’re literally designed to be spammed and gamed. 

“One of the first products I worked on was polls. And one of the big discussions was around the tradeoffs between integrity and privacy – keeping logs [of each user’s vote] or not. We landed on the side of privacy,” Yoel Roth, Twitter’s former Head of Trust and Safety who resigned this month, told Rolling Stone.

“Polls are more prone to manipulation than almost anything else [on Twitter]. It’s interesting, given his [Elon’s] use of polls,” he added. Several other ex-Twitter employees gave similar assessments.

So for a guy who raged against bots, he relies on something that is full of bots to make his decisions. That’s more than a bit “sus” to say the least.

This circus is clearly getting bigger every day.

Propagate joins TELUS Pollinator Fund as newest portfolio company

Posted in Commentary with tags on December 2, 2022 by itnerd

Propagate, a commercial agroforestry platform, has closed a $10M Series A led by Belgium-based The Nest. Other investors included Agfunder, the TELUS Pollinator Fund for Good, Techstars, and Neglected Climate Opportunities, a wholly owned subsidiary of the Jeremy and Hannelore Grantham Environmental Trust, and more.

Propagate is a software, development and financing ecosystem that makes it easy for farms to transition acreage to agroforestry. Their platform provides access to agronomic insights, technical assistance, and financing so that farms can reduce risk while integrating fruit, nut, and timber trees with animal or crop farming systems.

Founded in 2017, Propagate is a Techstars-backed company, a portfolio company of Elemental Excelerator as well as a partner of USDA’s Partnerships for Climate Smart Commodities. Propagate currently advises over 20,000 acres of agroforestry, supporting over 760,000 trees & shrubs. The company also actively manages over 600 commercial acres, and growing, through its regional agroforestry hubs.

Today, the startup works with farmers, agribusinesses, and service providers to design and install tree-crop systems that work in tandem with existing farm operations. The Propagate ecosystem of products & services includes regenerative farm planning and management software (Overyield), commercial agroforestry development (Propagate Farm Services), and equity investments for agroforestry transition (Agroforestry Partners).

Overyield is a SaaS-based agroforestry farm planning and management software that provides farm design, crop suitability as well as agronomic insights so that the cost, revenue, yield projections, and labor assumptions are transparent by crop by year in order to make implementation easier. This platform can take a project idea from computer screen to productive agroforestry in a matter of hours. As a testament to this timeline, it used to take 80 hours to map out an installation, but with Overyield’s project assessment and profitability scoping tools, it only takes eight.

This fundraise will support the company’s efforts to roll out profitability and production forecasting tools within Overyield, hire more experts to the team, and ultimately plant more trees onto the 158 million acres of farmland that are suitable for tree crops in the US. This capital injection follows some serious momentum for the maturing startup. The company raised a $1.5 million seed round in 2020 and in the past year, it has doubled business while planting an additional 37,000 trees in 2022 on farms in NY, Ohio, Kentucky, and Hawaii to name a few locations as well as being awarded as a partner in a $60 million grant from the USDA Climate-Smart Commodities program.

Now the opportunity to scale agroforestry is larger than ever. With $9 trillion earmarked for funding of ESG opportunities between 2022 – 2025, and increasing commitments from corporations to reduce emissions, agroforestry is the most effective climate solution that exists today for the food & ag industry.

Steinberg notes that a 2-3x net increase in profitability per acre is possible with agroforestry. While the long term business case offers an attractive return, overcoming the financing gap is paramount to realizing agroforestry’s value. The Propagate team looked to the solar industry for inspiration, and recently launched Agroforestry Partners to support the growing industry’s project finance needs.

With a comprehensive platform that is already being put to work to institutionalize agroforestry, Propagate is continuing to bring its software, development and financing products to market while supporting tree crop types from shrub fruits like blackcurrant and elderberry to chestnut to timber. The team is also working on Mediterranean and tropical crops with an eye towards global agroforestry needs and plans to expand its team.

Desjardins Insurance teams up with TELUS Health to expand access to health and wellness services

Posted in Commentary with tags on December 1, 2022 by itnerd

Desjardins Insurance and TELUS Health have announced today a new collaboration that will bring TELUS Health’s leading health and well-being services to members and other eligible individuals from group insurance plans administered by Desjardins. With access to hundreds of health professionals and other certified advisors, Desjardins will now be able to offer an improved range of services that will better support a positive work-life balance at every step of the wellness journey.

As Canada’s largest Employee and Family Assistance Program (EFAP) provider, TELUS Health was able to quickly customise a solution for Desjardins when they were in search of a new supplier, taking into account the unique needs and expectations of members of Desjardins’ group insurance plans. The joint effort with Desjardins is an ideal example of how TELUS Health can work alongside its clients to build healthy communities across Canada.

Building upon their long-standing business relationship, TELUS Health successfully and rapidly extended its Employee and Manager Assistance Programs (EAP/MAP) for Desjardins to include:

  • Mental Health Support: access to a range of clinical professionals to address growing mental health concerns such as anxiety and depression;
  • Crisis Management: broad support options in case of personal crises, traumatic events or workplace incidents;
  • Legal and Financial Support: general advice from certified professionals;
  • Referral Services: connections to a wide variety of ancillary services, including finding the right care for their loved ones, whether that be a daycare or a senior’s residence.

Apple Phishing Attack Targets 10K Mailboxes Coming off Record-Breaking Shopping Weekend

Posted in Commentary with tags on December 1, 2022 by itnerd

Today, researchers at Armorblox released their latest blog on a credential phishing attack that spoofed a consumer favorite among cyber deals, Apple, in an attempt to steal victims’ user credentials. 

In this attack, targeting over 10,000 mailboxes, emails were crafted to convince recipients that they were receiving legitimate email communication from Apple, Inc, notifying them that their account was going to be suspended unless their card was validated. Clicking on the provided link led users to a fake landing page created in order to exfiltrate sensitive user credentials.

The timing of this technique was particularly effective, playing off consumers’ sense of urgency to score valuable gift card offers during the biggest holiday shopping days of the year.

The link to the live blog is here and it is well worth your time to read.

Cars Can Be Pwned Via Flaws In SiriusXM And Other Software: Report

Posted in Commentary with tags on December 1, 2022 by itnerd

Every car these days comes with a SiriusXM receiver. And depending on what car you have, that might be an attack vector for hackers to pwn your car. This according to this article:

Researcher Sam Curry on Wednesday described a recent car hacking project targeting Sirius XM, which he and his team learned about when looking for a telematic solution shared by multiple car brands.

An analysis led to the discovery of a domain used when enrolling vehicles in the Sirius XM remote management functionality, Curry said in a Twitter thread.

Initial tests were conducted on the NissanConnect mobile application, which led to the discovery of a vulnerability that could allow a remote hacker to obtain a vehicle owner’s name, phone number, address and car details simply by knowing their VIN, which is typically visible on the windshield. The attacker would need to send specially crafted HTTP requests containing the victim’s VIN in a certain parameter.

Further analysis showed that the same vulnerability could be exploited to run vehicle commands, including locate, unlock and start a car, as well as to flash headlights and honk the horn.

The researchers determined that such an attack could be launched against Honda, Nissan, Infiniti, and Acura cars.

Sirius XM immediately patched the vulnerability after being informed of its existence. The company said it released a patch within 24 hours and noted that it has no evidence of any data getting compromised or unauthorized modifications being made.

That’s not good. But neither is this:

In a separate Twitter thread this week, Curry reported a different vulnerability, one that allowed researchers to control some functions of Hyundai and Genesis vehicles — including locks, engine, horn, headlights and trunk — by knowing the email address the victim had used to register a user account.

The attack allegedly worked on vehicles made after 2012. Hyundai and Genesis also released patches after being notified.

So upon reading this article, I looked at the research and it illustrates that connected cars are subject to the same sort of problems that everything else is. Thus car companies and SiriusXM need to up their game to keep car owners safe. And they need to be held accountable for making sure that cars are secure. Preferably by a third party.
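The VIN-only lookup described above amounts to using a public identifier (the VIN printed on the windshield) as the sole authorization check. The following Python is an added example, not code from the article or from Curry’s research, that models that pattern beside the hardened form a telematics backend should use: an authenticated session plus an ownership check, with the same error for unknown and not-owned VINs and an audit counter that a defender can alert on. All vehicle records, user ids, VINs and helper names (`lookup_vehicle_vulnerable`, `lookup_vehicle_hardened`, `sessions_over_threshold`) are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vehicle:
    vin: str
    owner_id: str
    owner_name: str
    phone: str


# Constructed sample records (hypothetical). A VIN is visible through the
# windshield, so it is public information and cannot serve as a secret.
VEHICLES = {
    "VIN-CONSTRUCTED-0001": Vehicle("VIN-CONSTRUCTED-0001", "user-alice", "Alice Example", "555-0100"),
    "VIN-CONSTRUCTED-0002": Vehicle("VIN-CONSTRUCTED-0002", "user-bob", "Bob Example", "555-0101"),
}


class Forbidden(Exception):
    """Raised when a request is unauthenticated or not authorized for the object."""


# Audit trail: denied lookups per authenticated account, used for detection.
DENIALS = Counter()


def lookup_vehicle_vulnerable(params: dict) -> Optional[dict]:
    """Flawed pattern: whoever supplies a matching VIN gets the owner record.
    Nothing ties the caller to the vehicle's owner."""
    vehicle = VEHICLES.get(params.get("vin", ""))
    if vehicle is None:
        return None
    return {"owner_name": vehicle.owner_name, "phone": vehicle.phone}


def lookup_vehicle_hardened(session_user_id: Optional[str], params: dict) -> dict:
    """Hardened pattern: the caller must be authenticated, and the requested
    VIN must belong to the authenticated account (object-level authorization).
    Unknown and not-owned VINs produce the same error, so the endpoint does
    not reveal which VINs are enrolled."""
    if session_user_id is None:
        raise Forbidden("authentication required")
    vehicle = VEHICLES.get(params.get("vin", ""))
    if vehicle is None or vehicle.owner_id != session_user_id:
        DENIALS[session_user_id] += 1  # record the denial for monitoring
        raise Forbidden("vehicle not found for this account")
    return {"owner_name": vehicle.owner_name, "phone": vehicle.phone}


def is_denied(session_user_id: Optional[str], params: dict) -> bool:
    """True when the hardened lookup refuses the request."""
    try:
        lookup_vehicle_hardened(session_user_id, params)
    except Forbidden:
        return True
    return False


def sessions_over_threshold(threshold: int) -> list:
    """Detection hook: accounts whose denied lookups reached the threshold,
    i.e. sessions requesting VINs they do not own."""
    return sorted(s for s, n in DENIALS.items() if n >= threshold)


if __name__ == "__main__":
    # The flawed endpoint hands out Bob's record to any caller who knows the VIN.
    print(lookup_vehicle_vulnerable({"vin": "VIN-CONSTRUCTED-0002"}))
    # The hardened endpoint refuses the same request from Alice's session.
    print(is_denied("user-alice", {"vin": "VIN-CONSTRUCTED-0002"}))
```

The ownership check is the whole fix: the VIN stays a lookup key, but the identity that may read or command the vehicle comes from the session, never from the request body. Returning one error for both "unknown" and "not yours" keeps the endpoint from doubling as a VIN enumeration oracle, and the denial counter gives a simple signal for alerting.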

Remember That LastPass Hack Back In August? The Company Now Admits That Hackers Got Access To Customer Data

Posted in Commentary with tags on December 1, 2022 by itnerd

Back in August, LastPass was pwned by hackers. At the time the company said this:

Earlier this week, LastPass started notifying its users of a “recent security incident” where an “unauthorized party” used a compromised developer account to access parts of its password manager’s source code and “some proprietary LastPass technical information.” In a letter to its users, the company’s CEO Karim Toubba explains that its investigation hasn’t turned up evidence that any user data or encrypted passwords were accessed.

It now turns out that this wasn’t the case as the company now admits that user data was accessed by the hackers who pwned them:

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement. 

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture. 

We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around setup and configuration of LastPass, which can be found here.

Well, that’s not good. And it highlights why entrusting your passwords to a third party may not be a good idea. While I do use a password manager and do my best to practice good password hygiene, I don’t entrust my passwords to a third party. Instead the password file is encrypted and stored on my NAS at home, or on some cloud provider so that I can get access to it on the road as well as sync it with all my devices. If one of those cloud providers gets pwned, all they will get is an encrypted file that they can’t do anything with.

In any case, LastPass needs to be completely transparent about what happened here and how much it affects end users as that’s the only way they will maintain the trust of their customer base.

UPDATE: Yoav Iellin, Senior Researcher, Silverfort offers this advice:

“Given the vast amount of passwords it protects globally, Lastpass remains a big target.

The company has admitted the threat actor gained access using information obtained in the previous compromise. Exactly what this information is remains unclear but, typically, it’s best practice after suffering a breach for the organization to generate new access keys and replace other compromised credentials. This ensures things like cloud storage and backup access keys cannot be reused.

For worried users, ensure you watch out for updates from the company and take time to verify these are legitimate before taking any action. In addition, ensuring you have two-factor authentication on any applications with passwords in LastPass and changing passwords will provide the utmost level of security.”

UPDATE #2: Chad McDonald, Chief of Staff and CISO, Radiant Logic provides this comment:

“We’ve seen today another hack of the credential wallet vendor, LastPass, which isn’t at all surprising. This isn’t an indictment of LastPass by any means, rather a criticism of the underlying problem that has driven vendors like LastPass to be very successful and effectively a staple both for home users and the enterprise. Any software, given enough time and effort, is crackable or hackable, and LastPass is certainly no exception. While LastPass’s Zero Knowledge strategy with regard to password encryption seems to have kept the attackers from accessing passwords, this didn’t keep them from apparently accessing source code. Attackers will always find a way to defeat security controls–always. Technology practitioners will work to harden code, applications and networks, but in the end given time and resources the attackers will get in.

One of the problems I see with simply continuing to harden the IT stack is that it fundamentally doesn’t acknowledge what is driving ongoing reliance on password wallets for so many people. IT sprawl and more specifically identity sprawl have driven most of us mad with the number of credentials we need to manage simply to get through our personal and professional lives every day. Assuming we’re trying to be good netizens, we’ll also try to juggle complex passwords and potentially multi-factor authentication. This additional complexity exacerbates the identity problem. We’re effectively left with no choice other than to archive our credentials in a wallet like LastPass or, god forbid, a notebook somewhere. (Please tell me you aren’t keeping your passwords on the bottom of your keyboard.)

On a personal level, it isn’t realistic to expect a home user to implement an IAM strategy. The enterprise, however, should have an IAM strategy that limits identity sprawl, provides adequate credential security, and limits the need for its users to manage countless sets of credentials in the workplace. Corporations really do themselves and their users a disservice when they continue to push down responsibility for broad credential management to staff. It’s really a recipe for disaster. Consolidation, protection, and effective management of identities and credentials by the enterprise drives internal productivity, deflects Helpdesk calls, and reduces friction on staff that should be focused on their core responsibilities, rather than tracking down their 14th set of credentials and a 20-character password to log in to the CRM system.

While LastPass was the latest victim here, it won’t be the last. I expect that the organization will recover quickly and again work to harden processes and code, but I think the enterprise should do its part as well. Let’s focus on our own IAM strategies so that we can ideally be a bit less reliant on credential wallets in the first place.”