Archive for the Commentary Category

Access To Tens Of Thousands Of Chinese Made Cameras Available For Sale By Hackers…. Yikes!

Posted in Commentary with tags on September 25, 2022 by itnerd

This is not only bad, it’s also a textbook example of why you need to stay on top of patching your IoT gear.

Last Fall, a command injection flaw in Hikvision cameras was revealed to the world as CVE-2021-36260. The vulnerability was given a “critical” 9.8 out of 10 rating by NIST. The higher the number, the worse it is, and in this case this is as close to a worst case scenario as you can get without hitting 10.

Now here’s the problem. New research indicates that a year later, 80,000 or so cameras are out there in the world unpatched. And what’s worse, access to these cameras is for sale by hackers:

Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale. These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization’s environment.

That’s bad. Really bad. The vendor did put out alerts for this along with firmware updates. But because people have a tendency to what I call “install and forget” about IoT gear, here we are talking about it. Thus my advice to anyone who owns one of these cameras is to drop what you’re doing and update them now. And my advice to anyone who has IoT gear of any sort is to make sure you stay on top of your firmware updates so that nobody uses your IoT gear to pwn you.

Adversary Tactics Intel Group Finds Gootloader Threat Actors Use SEO Poison Technique to Exploit Gov, Legal, Real Estate, Med, Ed Victims with Highly Targeted Content

Posted in Commentary with tags on September 23, 2022 by itnerd

Deepwatch has published a new report uncovering Gootloader threat actors using the search engine optimization (SEO) poisoning technique. In the latest report from its Adversary Tactics and Intelligence (ATI) group, Deepwatch looks at a technique where threat actors are compromising legitimate websites, creating fake blog posts, and using overlays to display a fake forum page over blog posts–all to snare government, legal, real estate, medical, and education victims with highly-targeted content.

This is a very sophisticated attack and the report is well worth your time to read.

Google Analytics Declared Unlawful In Denmark

Posted in Commentary with tags on September 22, 2022 by itnerd

Denmark yesterday declared the use of Google Analytics unlawful. The Danish Data Protection Agency concluded that the tool would require the ‘implementation of supplementary measures in addition to the settings provided by Google’. The Agency stated that the decision represents a common European position among the citizens whose personal data is protected. Here are the key details:

The Danish Data Protection Agency has looked into the tool Google Analytics, its settings, and the terms under which the tool is provided. On the basis of this review, the Danish Data Protection Agency concludes that the tool cannot, without more, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google.

In short, if you’re in Denmark you can’t use Google Analytics. Full stop.

Mark Bower, VP of Product Management of Anjuna Security:

     “The ever-expanding bulk collection of consumer data and its handling will continue to land under the EU regulatory microscope, especially with the recent expansion of GDPR scope around inferred data following recent rulings in Lithuania that propagate across the union. Under this new extension, data that is derived from personal data is considered in scope. If breached, it has the same consequence as primary personal identifiers, including massive fines. This has sweeping impact and risk for organizations: traditional approaches to compliance that often assume the personal data can be identified in advance of collection and then protected may no longer work or be fit for purpose, especially with machine learning models where new derived outcomes and inference are coveted by data processors across industry, especially ad-tech, payments, financial services and retail. Organizations handling personal data must therefore look at more thorough and innovative protection strategies in addition to carefully analyzing the risk of bulk collection itself. It’s no surprise then that the top of the data food chain is the first to be put in the spotlight – but they will not be the last.”

You have to assume that a bunch of people at Google are not happy about this as gathering data and making money off of it is their core business. And I would not be surprised if other places on the planet start to do similar things.

Sucks to be Google.

Optus Pwned By Hackers… Personal Info Stolen

Posted in Commentary with tags on September 22, 2022 by itnerd

Australian telco Optus has disclosed that they suffered a cyber attack which resulted in the personal info of customers, including names, DOBs, addresses and contact details, being stolen. The attack occurred after hackers broke through the company’s firewall, accessing sensitive information of Optus’ 9.7 million subscribers. The company has confirmed the breach and exposed information but has stated that payment details and account passwords have not been compromised, and that services including mobile phones and home internet were not affected. The thing is, what was stolen is enough to start identity theft campaigns. Which makes this a non-trivial event.

Mark Bower, VP of Product Management, Anjuna Security had this to say:

     “Too often we see large scale breaches where payment details and passwords were the only things protected, largely due to regulations like PCI DSS, yet massive amounts of personal data are not. That’s no longer good enough for maintaining customer trust. The types of data breached in this attack put millions of Australians at risk from phishing, social attack and phone scams which can have huge personal anxiety and financial consequences. Modern enterprises can certainly avoid this with a more holistic approach to data security given the availability of tools that can dramatically reduce the impact of insiders or advanced attackers even in a total breach situation, which is an inevitable and expected scenario for today’s CISO.”

Australia has been very good at investigating stuff like this. Thus I have to assume that the authorities are all over this. Which means we’ll find out how bad this is soon enough.

Review: Mujjo Full Leather Case For iPhone 14 Pro

Posted in Commentary on September 22, 2022 by itnerd

I am someone who customizes the look of my tech depending on what I am doing. For example, if I am hiking or doing something athletic, then I want an iPhone case that is more protective. But if I am doing something else, I want an iPhone case with more style. For the latter use case, that’s where the Mujjo Full Leather Case For iPhone 14 Pro comes in. It will give me some style along with some protection. But let’s have a look at the case from the front and the back.

This fits the space black iPhone 14 Pro that I own. It’s made of vegetable-tanned Ecco leather which, in colours other than black, will age well. But in black I am unlikely to notice anything different about it unless I scratch it or something like that. Some observations include the fact that there is a 1mm raised leather bezel that protects the screen from abrasive surfaces. And on the back there’s a raised rear-camera bump that protects the lenses. One advantage of this is that it allows the iPhone 14 Pro to sit flat on a table.

One very upscale touch is the addition of metal buttons, which work very well.

The inside of the case has Japanese microfibre which gives it a really upscale feel. You’ll also note the MagSafe circle for quick and easy wireless charging. And the magnet strength was great as it passed my “hang from a MagSafe charger” test with flying colours. I should note that in my testing, regular wireless charging works fine too.

The embossed logo at the back is a nice touch.

Now I like the feel of this case. It’s thin and I have no problem holding the case. I also felt that it wasn’t going to slip out of my hand. Fingerprints are a total non-issue as well. As for drop protection, I would guess that this would allow your iPhone 14 to survive some types of drops. But I wouldn’t count on it to survive all sorts of drops. Now that’s not a negative at all because this case wasn’t designed to provide a lot of protection. Thus if you want a case that will give you some style for a hot date or an important business meeting, then the $77 CDN that this case costs is money well spent.

Morgan Stanley Gets Slapped With $35 Million Fine After Failing To Wipe And/Or Encrypt Hard Drives That Eventually Were Resold

Posted in Commentary with tags on September 22, 2022 by itnerd

Well, this is one hell of a screw up.

A reader pointed out to me that the SEC has fined Morgan Stanley $35 million. The press release that the SEC put out has these details:

The Securities and Exchange Commission today announced charges against Morgan Stanley Smith Barney LLC (MSSB) stemming from the firm’s extensive failures, over a five-year period, to protect the personal identifying information, or PII, of approximately 15 million customers. MSSB has agreed to pay a $35 million penalty to settle the SEC charges.

The SEC’s order finds that, as far back as 2015, MSSB failed to properly dispose of devices containing its customers’ PII. On multiple occasions, MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the PII of millions of its customers. Moreover, according to the SEC’s order, over several years, MSSB failed to properly monitor the moving company’s work. The staff’s investigation found that the moving company sold to a third party thousands of MSSB devices including servers and hard drives, some of which contained customer PII, and which were eventually resold on an internet auction site without removal of such customer PII. While MSSB recovered some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered the vast majority of the devices.

The SEC’s order also finds that MSSB failed to properly safeguard customer PII and properly dispose of consumer report information when it decommissioned local office and branch servers as part of a broader hardware refresh program. A records reconciliation exercise undertaken by the firm during this decommissioning process revealed that 42 servers, all potentially containing unencrypted customer PII and consumer report information, were missing. Moreover, during this process, MSSB also learned that the local devices being decommissioned had been equipped with encryption capability, but that the firm had failed to activate the encryption software for years.

Wow. There are a lot of #fails here. And quite honestly, if I were a Morgan Stanley customer, I would be pissed.

Yes I said it.

The fact is that in 2015, never mind 2022, this is completely unacceptable. Companies need to handle Personally Identifiable Information, or PII, with the utmost care. Morgan Stanley didn’t and it’s cost them. Though seeing as they agreed to pay this fine to make this problem go away, I suspect they figured out that they were in deep trouble when the SEC knocked on their door.

Hopefully, companies who handle PII are paying attention to this and hopefully the SEC doles out more punishment like this to send the message that if you screw this up, you will pay.

Hackers Amplify Phishing Attacks By Creating Multiple Profiles From Compromised Accounts And Use Auto-Delete To Cover Their Tracks: Avanan

Posted in Commentary with tags on September 22, 2022 by itnerd

Researchers at Avanan, a Check Point Company, have discovered threat actors using stolen credentials to create more user profiles to send credential harvesting emails. By doing so, hackers are able to multiply the effect of credential harvesting scams.

In this attack brief, researchers at Avanan, a Check Point Software company, will discuss how threat actors are compromising accounts, creating more user profiles to send out more attacks, then auto-deleting email trails. 

The campaign presents users with an email from Microsoft’s Office 365 notifying them that a form has been shared. Clicking on the link to the form directs users to a malicious site where credentials are stolen. The hacker, now with access to the account, creates more user profiles within the larger admin and sends out phishing emails to over 4,000 addresses. The emails are then set to be auto-deleted from the compromised accounts to cover their tracks. 

You can read the attack brief here.

A New @Microsoft Email #Scam Is Making The Rounds

Posted in Commentary with tags on September 22, 2022 by itnerd

A new email scam, likely a phishing scam, that uses Microsoft as its hook is making the rounds. Here’s the email in question:

The first hint that this is an email scam is that this email does not fit Microsoft’s brand design. But there is a simpler way to tell that this is an email scam:

That’s looking at the email address. In this case, this did not come from Microsoft as the domain being used is not a Microsoft domain. That’s a #fail right out of the gate and should cause you to delete this email immediately.

Going further down the rabbit hole, it references a Microsoft update. Specifically KB40341836081, which doesn’t exist. Microsoft update numbers are six digits at present and this one is way too long. The English is also horrible. For example: “perhaps you may experience difficulties signing into your account following a restart or sign-out.”

It also encourages you to log into a website to fix this. And it serves up a lot of technically incorrect information to push you to go to this website. It also tries to reassure you by saying that you don’t have to download anything, which is meant to convince you that you won’t get infected by a virus or something. Finally, it offers a site where you can stop or change these “security alerts”. But that site isn’t actually a link, so it’s just there to reassure you that this email is legit, which of course it isn’t.

As for the website that it takes you to, well I couldn’t get it to load. Perhaps it’s been taken out by Microsoft? Or maybe because I did this on a Mac it wouldn’t respond to me because it was looking for a PC to perhaps load malware on it? It’s hard to say.

Regardless, if you see this email show up in your inbox, delete it.

It Seems That @RBC Is Now Being Used As Part Of An Email #Scam To Get Your Banking Credentials

Posted in Commentary with tags on September 22, 2022 by itnerd

A new scam that is targeting RBC customers is making the rounds. This is the email that will hit your inbox:

So this is clearly a phishing scam. How can I tell that? Let’s start with the sender.

The email address that it is sent from is not RBC, as the domain for this email address is not rbcroyalbank.com. Thus right out of the gate you should be deleting this email. But there are other ways to tell. The quality of the English is another example.

Can you pick out all the grammatical errors in this paragraph? And what the hell is or are Mesh Manges? The bottom line is that scammers don’t sweat the details in their scams. Especially about what they write in their scam emails.

So let’s say that you actually click on the link that the email says you should click on, which you should never do, this is what you will get:

You’ll note that the URL bar doesn’t have a URL that is associated with RBC as it is not some form of rbcroyalbank.com. So that’s a #Fail. But what’s interesting is that it has a Captcha. And it actually works.

I tried to pick plants that were not hanging from the ceiling and that would not work. That’s impressive as while these scammers didn’t get the English right, they got this part right to suck you into falling for this scam. Once you get past that Captcha, you get this:

It’s not an exact replication of the real RBC website. But it’s likely good enough to fool some people. Here’s where it falls apart. When you enter your card number and password, it just loops back to this page. But I am guessing that the scammers have snatched your credentials at this point and they are well on their way to draining your bank account.

So I’ll close off as I always do with scams. If you see this email hit your inbox, delete it.

By the way, this scam will be reported to RBC so that they can take action.
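The two tells these posts rely on, a sender domain that doesn’t belong to the brand named in the message and a Microsoft KB number that is far too long to be real, can be checked mechanically. The following is an added example, not code from this blog, Microsoft or RBC; the brand-to-domain table is an assumption apart from rbcroyalbank.com, which the RBC post names, and the sample messages are constructed to mirror the two scams described above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands the scams above impersonate and the domains they legitimately send from.
# rbcroyalbank.com is the domain the post names; microsoft.com is an assumption.
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}, "rbc": {"rbcroyalbank.com"}}
MAX_KB_DIGITS = 7  # genuine Microsoft KB article ids have at most seven digits, e.g. KB5005565
KB_RE = re.compile(r"\bKB(\d+)\b", re.IGNORECASE)

def sender_domain(from_header):
    """Lower-cased domain of the address in a From: header ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def brand_mismatch(from_header, subject):
    """Return the brand named in the display name or subject when the sender
    domain is not that brand's own domain (or a subdomain of it), else None."""
    name, _ = parseaddr(from_header)
    text = f"{name} {subject}".lower()
    dom = sender_domain(from_header)
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(dom == d or dom.endswith("." + d) for d in domains)
        if brand in text and not legit:
            return brand
    return None

def bogus_kb_refs(body):
    """KB references whose number is longer than any real KB id."""
    return [m.group(0) for m in KB_RE.finditer(body)
            if len(m.group(1)) > MAX_KB_DIGITS]

def assess(raw_message):
    """Return human-readable reasons to treat the message as a scam."""
    msg = message_from_string(raw_message)
    dom = sender_domain(msg.get("From", ""))
    reasons = []
    brand = brand_mismatch(msg.get("From", ""), msg.get("Subject", ""))
    if brand:
        reasons.append(f"claims to be {brand} but was sent from {dom}")
    for kb in bogus_kb_refs(msg.get_payload()):
        reasons.append(f"references non-existent update {kb}")
    return reasons

# Constructed sample messages modelled on the two scams described above.
SCAM_MS = """From: "Microsoft Account Team" <alerts@example-mail.invalid>
Subject: Security update required

Perhaps you may experience difficulties signing into your account. Apply KB40341836081 now.
"""
SCAM_RBC = """From: "RBC Royal Bank" <secure@example-login.invalid>
Subject: Mesh Manges: action required on your account

Please sign in to restore access to your account.
"""
```

Running `assess()` over each sample returns the red flags as a list; an empty list means the checks found nothing, not that the message is safe.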

Property Giant RioCan Defends Huge Development In Downtown Toronto With Darktrace AI

Posted in Commentary with tags on September 22, 2022 by itnerd

Darktrace, a global leader in cyber security artificial intelligence, today announced that RioCan, one of Canada’s largest real estate investment trusts, has selected Darktrace to defend “The Well,” Canada’s most ambitious multi-use real estate project.  

Set to open in 2023, The Well will host approximately 11,000 people daily. Located in downtown Toronto, this expansive development will comprise more than 200 retail, commercial, and residential spaces across 7.7 acres of land. 

RioCan selected Darktrace’s DETECT and RESPOND technologies in 2021 to defend Network and Cloud infrastructure across its commercial office spaces and retail property investments. The property investor is now deploying Darktrace’s AI to defend this three-million-square-foot project in Toronto from sophisticated and disruptive cyber-threats. 

As cyber-crime proliferates, attackers continue to target real estate organizations both to exfiltrate confidential data, including the financial information of property buyers and sellers, and to disrupt operations and demand hefty ransoms from investors and agents. With AI-powered defenses, RioCan is able to protect its IT estate as well as its operational technology, including elevators, thermostats, and appliances.  

Darktrace delivers complete AI-powered solutions in its mission to free the world of cyber disruption. We protect more than 7,400 customers from the world’s most complex threats, including ransomware, cloud, and SaaS attacks. Darktrace is delivering the first-ever Cyber AI Loop, fueling a continuous security capability that can autonomously spot and respond to novel in-progress threats within seconds. Darktrace has 115+ patent applications filed. Darktrace was named one of TIME magazine’s “Most Influential Companies” in 2021.