Archive for the Commentary Category

HP Announces New Spectre And Envy Laptops

Posted in Commentary with tags on May 19, 2022 by itnerd

HP Inc. today debuted its newest HP Spectre and HP Envy laptops built with the flexibility to create and live seamlessly in today’s hybrid world.

The last few years have seen the rise of the creator economy, introducing endless possibilities for people to pursue their passions as a part-time or full-time opportunity. Sixty-eight percent of creators started or expanded their freelance business during the pandemic, with 98% of them monetizing their content creation part-time. These hustlers need tools that allow them to collaborate with others easily as 56% of creators feel less engaged with the speaker if their video is turned off. And performance equals productivity, which is why 60% of creators prize performance in a computer.

Create in a smooth, seamless, and collaborative way with the newest lineup of Spectre and Envy PCs. These devices are built with HP Presence and HP GlamCam to deliver amazing video and audio call experiences, with features like:

  • A 5 MP camera for picture-perfect clarity when collaborating with colleagues or pitching clients.
  • HP Auto Frame and HP Dynamic Voice Leveling for an interactive video and sound experience no matter where you are in the room.
  • Backlight Adjustment to autocorrect video images in any environment where you may be taking a call.
  • Appearance Filter for the 60% of us who are more self-conscious on camera than in real life. This feature allows you to easily touch up skin, teeth, and eyes.
  • Bi-directional AI noise reduction, directional beamforming mics, and quad speakers for a superb sound experience during video or audio calls.
  • Network Booster for network bandwidth optimization to reduce screen freezes and dropped calls.
  • AI-based privacy alerts to collaborate and create in public spaces, blurring the screen when someone is behind you.

No matter what type of creator you are, performance is key. The newest Spectre and Envy PCs offer a wide range of options including processors, displays, and more to make sure your device fits how you want to use it. This includes:

  • Up to a 4K OLED display for a more natural viewing experience, and a 120 Hz display for a 2x faster display refresh rate for smooth, responsive actions.
  • A touch display to leverage multi-gestures like pinch-to-zoom, double tap, and press and hold to create and easily manipulate drawings and other creative content. Easily take notes or sketch with pen-abled PCs.
  • A variety of screen sizes and aspect ratios offer the best fit for your creative flow. Choose from a 3:2 aspect ratio device for web browsing and productivity tasks; a 16:9 aspect ratio for watching videos and entertainment; and a 16:10 for video and audio editing.
  • Intel® Evo™ platforms featuring 12th Gen Intel® Core™ processors for improved multi-tasking and performance.

Not only do creators need great battery life to power their creations, they also need all the tools at their disposal to extend the charge on their battery. Available on devices with Intel processors, HP offers intelligent power management features:

  • Power Saver mode extends the battery life whenever there is a concern about charging accessibility.
  • In-bag detection leveraging Intel® Dynamic Tuning Technology to adjust the PC’s power to avoid overheating or battery drain when put in a bag.
  • Adaptive Battery Optimizer monitors battery temperature, battery-charging status, and usage time to preserve your battery’s health.
  • Smart Sense optimizes a device’s performance, temperature, and more based on the application being used.

Creation isn’t just limited to one device. More than 60% of creators use more than two devices to create. And 60% said that computers can go from good to awesome through great software. The new Spectre and Envy devices all come with HP Palette pre-installed, a proprietary digital workspace that helps simplify the creative flow and allows for smooth cross-device collaboration. Find any face in photographs with HP PhotoMatch. Enjoy infinite, flexible sketching with Concepts. Drop anything to any device seamlessly, wirelessly with HP QuickDrop. Expand your workspace, connect to another device for more creative options with Duet for HP.

Today everybody is a creator, and HP has created the perfect device for you to create and collaborate that fits the way you work and play:

  • The new HP Spectre x360 13.5-inch 2-in-1 Laptop PC looks great and sounds great anywhere. The HP Spectre x360 13.5” engineered on the Intel® Evo™ platform is expected to be available for purchase on May 19 at HP.com for a starting price of $1,249.99. The device will also be available at BestBuy.com and select Best Buy retail locations.
  • The HP Spectre x360 16-inch 2-in-1 Laptop PC engineered on the Intel® Evo™ platform is newly refreshed with the latest 12th Gen Intel® Core™ processors and up to Intel® Arc™ Graphics, bringing you the best in AI-based hands-free controls along with AI-based Privacy Alert, and screen time and distance reminders. The HP Spectre x360 16” is expected to be available for purchase on May 19 at HP.com for a starting price of $1,649.99. The device will also be available at BestBuy.com and select Best Buy retail locations.
  • The HP Envy x360 13.3-inch 2-in-1 Laptop PC designed on the Intel® Evo™ platform was co-engineered and optimized with Intel® to offer up to 20.5 hours of battery life for all-day creation. The HP Envy x360 13” is expected to be available for purchase on May 19 at HP.com for a starting price of $899.99. The device will also be available at BestBuy.com and select Best Buy retail locations.
  • The HP Envy x360 15.6-inch 2-in-1 Laptop PC is available with the latest Intel or up to AMD Ryzen™ 7 processors. The HP Envy x360 15.6” with AMD is expected to be available for purchase on May 19 at HP.com for a starting price of $849.99; the Intel version is expected to be available for purchase on May 19 at HP.com for a starting price of $899.99. Both versions will also be available at BestBuy.com (AMD Ryzen™ 5, AMD Ryzen™ 7, Intel® Core™ i5, and Intel® Core™ i7) and select Best Buy retail locations.
  • The HP Envy 16-inch Laptop PC offers up to Intel® Arc™ Graphics or NVIDIA® GeForce RTX™ 3060 Laptop GPU. Coupled with DDR5 memory support and a gaming grade thermal solution, this device delivers optimal performance for multitasking, rendering 3D models, or when using powerful creative tools like Adobe Photoshop. The HP Envy 16” is expected to be available for purchase on May 19 at HP.com for a starting price of $1,399.99. The device will also be available at Amazon and other NA retailers.
  • The HP Envy 17.3-inch Laptop PC gives you the power to create on a big screen. The HP Envy 17” is expected to be available for purchase on May 19 at HP.com for a starting price of $1,099.99. The device will also be available at BestBuy.com and select Best Buy retail locations.

Sixty-six percent of consumers consider sustainability when they make a purchase and 81% expect to buy more environmentally friendly products over the next five years. Building on the world’s most sustainable PC portfolio, all of today’s announced PCs are crafted from recycled metal and ocean-bound plastics and are EPEAT® Gold Certified and ENERGY STAR® rated.

Approov Announces Runtime Secrets Protection 

Posted in Commentary with tags on May 19, 2022 by itnerd

Approov, creators of advanced mobile app and API shielding solutions, today introduced Approov Runtime Secrets Protection, enabling comprehensive protection of the API credentials and secrets that are typically targeted by threat actors for malicious exploitation.

Recent breaches have highlighted the risk of stolen keys and secrets being exploited by hackers. It is clear that such secrets are not being effectively protected at rest and in transit, resulting in bad actors acquiring them and exploiting them to access APIs and applications.

The wide use of third-party APIs by mobile apps adds another dimension to the problem. Mobile app developers can suffer both financial losses and brand reputation damage if they are seen to be the cause of 3rd party app breaches or service disruptions caused by Distributed Denial of Service (DDoS) attacks using stolen secrets.

Recent research from Osterman Research illustrates the extent of the issue:

“Upcoming Osterman findings show that mobile apps depend on average on more than 30 third-party APIs, and that half of the mobile developers we surveyed are still storing API keys in the app code,” Michael Sampson, senior analyst at Osterman Research, said. “These two things together constitute a massive attack surface for bad actors to exploit. And third-party API threats against mobile apps aren’t as well understood by companies as they should be. The new functionality from Approov allows API keys to be managed and updated dynamically and ensures they are never extractable from the app. This is a major step forward in protecting APIs from abuse.”

Developers have frequently been urged not to store hard coded keys in a mobile app or device, but as the research shows this “best-practice” is not widespread, since up to now, there has been no easy way to conveniently store such secrets safely outside the app code.

Introducing Approov Runtime Secrets Protection: Just in Time Keys Secrets That Thwart Mobile API Attacks

This is why Approov is releasing new functionality in Approov 3.0 which addresses this issue by making management of API keys and other secrets easy and secure, at rest, or in transit.

Approov Runtime Secrets Protection manages and protects all the secrets a mobile app uses. The Approov cloud service delivers secrets “just-in-time” to the app only at the moment they are required to make an API call, and only when the app and its runtime environment have passed attestation. This ensures that sensitive API secrets are not being continuously stored or delivered to unsafe places, such as fake apps or into malicious hands.

All secrets are stored by the Approov cloud service and are easy to manage dynamically. If changes to these are needed, they are easily and immediately changed across all deployed apps, preventing abuse.

This approach marks a major improvement over keys that are hard coded in the app itself, because should those keys be “leaked” the app must be updated with an entirely new version – a process which is complex and time-consuming, and involves juggling new and old keys during the time it takes for the installed base to be transferred to the new version.

Upcoming Webinar

Join the live webinar from Approov on June 9th “Best Practices for Secure Access of 3rd Party APIs from Mobile Apps” which will discuss the reputational and financial risks associated with API use and how to mitigate those risks. Sign up here.

Pricing and Availability

The pricing of the Approov solution is designed to be completely aligned with your business growth, based on the number of genuine active apps in a monthly billing period. Approov 3.0 is available now.

U.S. Warns Businesses Against Inadvertently Hiring IT Staff From North Korea

Posted in Commentary with tags on May 19, 2022 by itnerd

I have to admit that reading this story from The Guardian was not on my bingo card when I woke up this morning. U.S. officials have warned businesses against inadvertently hiring IT staff from North Korea, claiming that rogue freelancers were taking advantage of remote work opportunities to hide their true identities with the intent of earning money for Pyongyang.

An advisory issued by the state and treasury departments and the FBI said the effort was intended to circumvent US and UN sanctions, and bring in money for North Korea’s nuclear weapons and ballistic missile programs. The officials said companies who hired and paid such workers may be exposing themselves to legal consequences for sanctions violations.

“There are thousands of DPRK IT workers both dispatched overseas and located within the DPRK, generating revenue that is remitted back to the North Korean government.

“These IT workers take advantage of existing demands for specific IT skills, such as software and mobile application development, to obtain freelance employment contracts from clients around the world, including in North America, Europe, and east Asia.”

North Korean workers pretended to be from South Korea, Japan, or other Asian countries, the advisory said. It laid out a series of red flags that employers should watch for, including a refusal to participate in video calls and requests to receive payments in virtual currency.

Kevin Bocek, VP, Security Strategy and Threat Intelligence for Venafi had this comment:

“Defending against North Korean nation-state actors is difficult, particularly when these threats are now coming from both outside and inside organisations. They are often well funded, highly sophisticated, and – as we’re seeing with this FBI warning – capable of thinking outside the box to find new ways to attack networks, as we’re now seeing with rogue freelancers hacking from within. Our recent research shows that cybercrime has become a primary means of revenue generation in North Korea, and APT groups are helping it to work outside of international sanctions, funding political and military gains. In fact, it’s estimated that up to $2bn makes its way directly into North Korea’s weapons program each year as a result of nation state cybercrime.

“Ultimately, there’s no telling what these rogue freelancers are after. The targets that spring to mind are data theft or potentially funds, but we’ve seen in the past that North Korean APT groups have made use of stolen code signing identities in devastating nation state attacks, so they’re likely to be on the table as well. The problem is that there’s currently not enough awareness and security around the importance of machine identities. This lack of focus allows North Korean cybercriminals to take advantage of a serious blind spot in software supply chain attacks.

“Organizations must now be proactive, not reactive in their security defenses. It’s clear that recruitment processes have to be robust to prevent hiring a rogue freelancer. For companies looking to protect against the impact these threat actors could have if armed with stolen code signing certificates, machine identity management remains the best defense. Businesses must have visibility over their environments in order to spot changes and react fast, both from a human identity and a machine identity perspective. Without the effective management of both machines and humans, we’ll continue to see APT groups thrive, and high-profile nation-state attacks will continue to affect businesses and government. The automation of machine identity management can help to take this element of security out of already overstretched security teams’ hands.”

It does beg the question if other countries with dodgy reputations like Russia and China are doing something similar. I’d be interested in knowing that answer as it likely would influence how safe we all are.

Canadian SMBs Optimistic About the Future: Zoho

Posted in Commentary with tags on May 19, 2022 by itnerd

A newly released survey by Zoho Corporation – the Zoho SMB Outlook Survey – reveals that Canadian small and medium-sized business leaders are optimistic about their company’s prospects. 

The survey – which queried 750 business people across Canada – found that 66.7% of respondents are optimistic about the next six months, with 74.2% of those surveyed forecasting upwards of 20-percent growth. This positive outlook stems, in part, from productivity, as more than three-quarters of respondents expressed satisfaction with their output.

Key Survey Findings:

Productivity

  • 77.7% of respondents are satisfied with productivity
    • 83.9% of Quebec’s respondents are satisfied 
    • 73.7% of Alberta’s respondents are satisfied

Optimism

  • 66.7% of businesses are moderately to very optimistic about the next 6 months
    • 14.8% very optimistic; 20.8% moderately optimistic; and 31.1% optimistic
    • 71.4% of Quebec’s respondents are optimistic
    • 64% of Ontario’s citizens are optimistic
  • 39.1% expect their business to grow by 1-10% during the next six months
    • 51.3% of Albertan respondents anticipate growth of 1-10%
    • 32.1% of respondents in Quebec anticipate growth of 1-10%
  • 22.5% expect their business to grow by 11-20% during the next six months
    • 26.8% of respondents in Quebec anticipate growth of 11-20%
    • 15.8% of Albertan respondents anticipate growth of 11-20%
  • 12.6% expect their business to grow by 20+% during the next six months
    • 15.8% of Albertan respondents anticipate growth of 20% or more
    • 14.3% of respondents in Quebec anticipate growth of 20% or more

Hiring/Retention

  • 42.4% of businesses are hiring and 52.7% are neither hiring nor laying people off
    • Only 4.9% anticipate layoffs
  • 42.5% have struggled to retain employees
  • The majority of respondents have retained more flexible work options, with hybrid work accounting for 36.8% and at-home work accounting for 29.7%. Only 33.5% of respondents are working in-office.
    • 39.3% of Quebec’s respondents have a hybrid workplace model and 21.4% work from home; 39.3% work in the office
    • However, 53.9% of Albertans work in the office, while 32.9% use a hybrid workplace and 13.2% work at home

Return To Workplace / Mask Mandates     

  • 64.5% of businesses have already returned to the office, while 13.6% are planning to return in the Fall
    • In Alberta, 81.6% of respondents have returned to the office while only 58% of Quebec’s respondents have gone back
  • 38.4% of all respondents will maintain a mask mandate
    • 41.4% in Ontario
    • 32.1% in Quebec
    • 17.1% in Alberta
  • 44.7% of all respondents won’t maintain a mask mandate
    • 68.4% won’t in Alberta
    • 41.1% won’t in Ontario
    • 32.1% won’t in Quebec
  • 46.3% of all respondents will require employees to be vaccinated
    • 48.2% in Quebec
    • 46.2% in Ontario
    • 34.2% in Alberta

IT Highlight

  • 76.1% of IT respondents are optimistic about the future of their business, positioning them as the most optimistic vertical

Report Methodology

Conducted in March 2021 by Zoho Survey, this study contacted 750 individuals across Canada. Participants in the study included a range of business leaders, from manager roles to the C-level, at small and large enterprises across a variety of industries.

Hackers Spoof Community And School Meetings; Tricking Users To Download Fake Zoom Invite: Avanan

Posted in Commentary with tags on May 19, 2022 by itnerd

Avanan, a Check Point Company, has revealed its latest analysis in which hackers spoof legitimate popular community and school meetings to trick users to click and download fake Zoom invitations, executing malware in the process.

In this attack, hackers gather public records to send out email reminders of upcoming community and school board invitations. These emails contain a PDF of what looks like and is expected to be a Zoom invitation. Clicking on the PDF attachment doesn’t open a Zoom invite; rather, it links to downloadable malware.

You can read the report here. It has valuable suggestions as to how to protect yourself from this attack.

New Security Research Discovers Unusual Uptick in Malicious Traffic from China: Cequence Security

Posted in Commentary with tags on May 19, 2022 by itnerd

Each month, the Cequence Security Research team shares API threat statistics and unique threat patterns that they have observed. The latest Cequence Security State of API Security Activity Monthly Bulletin is out and Cequence Security is seeing an unusual uptick in traffic from China spiking at a 200% increase.

The percentage of overall traffic from China was observed across multiple organizations in the US and EMEA. The Cequence Threat Research team tracked a sophisticated recon effort as a threat actor abused business logic to attempt to commit fraudulent purchases on stolen credit cards through automated account creation. The research also observed malicious infrastructure providers showing potentially new bulletproof proxy vendors appearing.

You can read the report here, and it does make for some interesting reading.

New Compliance Report Finds Explosive Use of Automation, Overwhelming Ransomware And Zero Trust Focus

Posted in Commentary with tags on May 18, 2022 by itnerd

A-LIGN, a cybersecurity compliance and audit firm, has released its second annual benchmark report, highlighting organizational compliance year-over-year as executives emphasize such programs and their significance in accelerating corporate growth. There are several critical themes surrounding automation, ransomware, and zero trust including:

  • 72% of organizations now utilize a form of software for conducting audits compared to only 25% of businesses reporting the use of automation in 2021
  • 85% of businesses can focus on critical security issues and controls essential for corporate growth and regional expansion by streamlining compliance and consolidating auditing processes 
  • 98% of companies plan to develop and implement zero-trust strategies and ransomware preparedness programs 

This benchmark report should be considered required reading by enterprises as it can serve as a roadmap as to where you focus your efforts. The report can be viewed here.

India To VPN Companies: Do What We Want Or Get Out Of India

Posted in Commentary with tags on May 18, 2022 by itnerd

You might recall that I did a story on India wanting VPN companies to retain data on who uses their services, and VPN companies considering their options including leaving the company. India has now escalated this by saying the following:

The Indian Computer Emergency Response Team clarified (PDF) on Wednesday that “virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations” shall follow the directive, called Cyber Security Directions, that requires them to store customers’ names, email addresses, IP addresses, know your customer records, financial transactions for a period of five years.

And:

Rajeev Chandrasekhar, the junior IT minister of India, said that VPN providers who wish to conceal who uses their services “will have to pull out.” He also said that there won’t be any public consultation on these rules.

Keep in mind that India is the second largest Internet market on the planet. So I am guessing that the Indian government is counting on the fact that VPN providers will comply rather than give up doing business in that market. And even if some or most of them do leave, the Indian government will win anyway because it will leave the VPN companies that do comply with their directive. That of course assumes that Indian citizens don’t just go out and get a VPN service from outside the country. After all, it’s not like we haven’t seen that happen before.

This will be interesting to see as I suspect that the push back will be substantial from both sides, and only one side will win. Let’s see which side that is.

Is It Time To Make The Internet An Essential Service And Hold Canadian Telcos Accountable For Providing That Service?

Posted in Commentary with tags on May 18, 2022 by itnerd

Back in 2016, the CRTC said that high speed Internet was “essential”. This is what they meant by that at the time:

As part of declaring broadband a “basic” or essential service, the CRTC has also set new goals for download and upload speeds. For fixed broadband services, all citizens should have the option of unlimited data with speeds of at least 50 megabits per second for downloads and 10 megabits per second for uploads — a tenfold increase of previous targets set in 2011. The goals for mobile coverage are less ambitious, and simply call for “access to the latest mobile wireless technology” in cities and major transport corridors.

The CRTC estimates that some two million Canadian households, or 18 percent of the population, do not currently have access to their desired speeds. The $750 million government fund will help to pay for infrastructure to remedy this. The money will be distributed over five years, with the CRTC expecting 90 percent of Canadians to access the new speeds by 2021. 

The new digital plan also touches on accessibility problems, with CRTC mandating that wireless service providers will have to offer platforms that address the needs of people with hearing or speech disabilities within six months. Blais said this timeline was necessary, as the country “can’t depend on market forces to address these issues.”

Fast forward to 2022 and this really doesn’t go far enough to address what I think “essential” means to Canadians. Given that a lot of us still work from home, and the Internet is the difference between earning a paycheque and not earning one, or learning and not learning, I think that this needs to change. Now Public Safety Canada has a list of what it defines as “Essential Services” which it defines as this:

Canada’s National Strategy for Critical Infrastructure defines critical infrastructure as the processes, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. 

And while this list does list “Information and Communication Technologies” as part of this, I think it needs to go further to include not only the Internet specifically, but it should also include telcos like Rogers, Bell, and Telus so that they are responsible for maintaining and resolving issues to a high standard. As in resolving issues within hours and not days. And having a minimum uptime guarantee that said telcos are held accountable to. Now I know that Rogers, Bell, Telus and others would say that this isn’t required and they go above and beyond for their customers. But while I agree that these telcos do the best that they can to resolve customer issues in what they consider to be a timely manner, I don’t think that’s good enough. When the Internet goes out for a single home or a group of homes, even for a few hours, there are people who aren’t learning or making a living. That affects the economy. That alone makes it worthwhile to explore this idea and to take action to make it reality. And perhaps if something like this came into effect, telcos would spend a lot more time and effort to ensure that their networks were resilient enough so that outages became corner cases. That would be good for all Canadians.

What do you think? Should Canada do more to make the Internet an “essential service” as I’ve described above? Please leave a comment and share your thoughts.

Infosec Institute Unveils New Role-Guided Cybersecurity Training Roadmaps 

Posted in Commentary with tags on May 18, 2022 by itnerd

Infosec Institute, a leading cybersecurity education company, today unveiled Infosec Skills Roles, pre-built training roadmaps aligned to the 12 most in-demand cybersecurity roles including SOC Analyst, Penetration Tester, Security Engineer and Cybersecurity Beginner. Hosted in the Infosec Skills training platform, Infosec Skills Roles helps organizations upskill and cross-train talent for open security roles while also improving engagement and performance.

Today there are over 600,000 unfilled cybersecurity roles in the U.S., with more than half requiring at least one certification. As critical cybersecurity roles remain unfilled and technology change continues to outpace skill development, organizations are increasingly vulnerable to today’s record number of cyber threats. Additionally, security leaders face increasing pressure to prevent and mitigate cyberattacks with overburdened cyber teams, inadequate training programs and limited resources.

To help cyber leaders upskill and cross-train talent quickly, Infosec Skills Roles provide training recommendations for 12 of the most common cybersecurity positions, enabling enterprises to upskill and reskill cyber talent at scale and individuals to break into the industry. Backed by the research of skills requested by employers and a panel of cybersecurity subject matter experts, each of the 12 Infosec Skills Roles clearly outlines which training and certifications are needed so learners can laser focus on the most important areas to strengthen and security leaders can fill skill gaps on their teams.

Recently named a Leader in IT Training by IDC Marketscape, the Infosec Skills platform offers 1,400+ hands-on cybersecurity courses and cyber ranges mapped to the NICE Workforce Framework for Cybersecurity and MITRE ATT&CK® Matrix. Infosec Skills helps cyber leaders prepare teams for ATT&CK tactics, guide team development and fast-track certification, with over 80% of learners reporting improved skills and abilities. 

Infosec Skills Roles will be showcased at the upcoming RSA Conference, June 6-9 in San Francisco, CA and Gartner Security & Risk Management Summit June 7-9, in National Harbor, MD. Individuals are encouraged to explore Infosec Skills Roles firsthand and take Infosec’s new #MyCyberRole quiz with a custom role recommendation and a trial Infosec Skills subscription to start training towards their newly matched role. 

Explore Infosec Skills Roles.