Archive for the Commentary Category

Review: Mujjo Full Leather Case For iPhone 14 Pro

Posted in Commentary on September 22, 2022 by itnerd

I am someone who customizes the look of my tech depending on what I am doing. For example, if I am hiking or doing something athletic, then I want an iPhone case that is more protective. But at other times I want an iPhone case with more style. For the latter use case, that’s where the Mujjo Full Leather Case For iPhone 14 Pro comes in. It gives me some style along with some protection. But let’s have a look at the case from the front and the back.

This fits the space black iPhone 14 Pro that I own. It’s made of vegetable-tanned Ecco leather which, in colours other than black, will age well. But in black I am unlikely to notice anything different about it unless I scratch it or something like that. Some observations: a 1mm raised leather bezel protects the screen from abrasive surfaces, and on the back a raised rear-camera bump protects the lenses. One advantage of this is that it allows the iPhone 14 Pro to sit flat on a table.

One very upscale touch is the addition of metal buttons, which work very well.

The inside of the case has Japanese microfibre which gives it a really upscale feel. You’ll also note the MagSafe circle for quick and easy wireless charging. And the magnet strength was great as it passed my “hang from a MagSafe charger” test with flying colours. I should note that in my testing, regular wireless charging works fine too.

The embossed logo at the back is a nice touch.

Now I like the feel of this case. It’s thin and I have no problem holding the case. I also felt that it wasn’t going to slip out of my hand. Fingerprints are a total non-issue as well. As for drop protection, I would guess that this would allow your iPhone 14 to survive some types of drops. But I wouldn’t count on it to survive all sorts of drops. Now that’s not a negative at all because this case wasn’t designed to provide a lot of protection. Thus if you want a case that will give you some style for a hot date or an important business meeting, then the $77 CDN that this case costs is money well spent.

Morgan Stanley Gets Slapped With $35 Million Fine After Failing To Wipe And/Or Encrypt Hard Drives That Eventually Were Resold

Posted in Commentary with tags on September 22, 2022 by itnerd

Well, this is one hell of a screw up.

A reader pointed out to me that the SEC has fined Morgan Stanley $35 million. The press release that the SEC put out has these details:

The Securities and Exchange Commission today announced charges against Morgan Stanley Smith Barney LLC (MSSB) stemming from the firm’s extensive failures, over a five-year period, to protect the personal identifying information, or PII, of approximately 15 million customers. MSSB has agreed to pay a $35 million penalty to settle the SEC charges.

The SEC’s order finds that, as far back as 2015, MSSB failed to properly dispose of devices containing its customers’ PII. On multiple occasions, MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the PII of millions of its customers. Moreover, according to the SEC’s order, over several years, MSSB failed to properly monitor the moving company’s work. The staff’s investigation found that the moving company sold to a third party thousands of MSSB devices including servers and hard drives, some of which contained customer PII, and which were eventually resold on an internet auction site without removal of such customer PII. While MSSB recovered some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered the vast majority of the devices.

The SEC’s order also finds that MSSB failed to properly safeguard customer PII and properly dispose of consumer report information when it decommissioned local office and branch servers as part of a broader hardware refresh program. A records reconciliation exercise undertaken by the firm during this decommissioning process revealed that 42 servers, all potentially containing unencrypted customer PII and consumer report information, were missing. Moreover, during this process, MSSB also learned that the local devices being decommissioned had been equipped with encryption capability, but that the firm had failed to activate the encryption software for years.

Wow. There are a lot of #fails here. And quite honestly, if I were a Morgan Stanley customer, I would be pissed.

Yes I said it.

The fact is that in 2015, never mind 2022, this is completely unacceptable. Companies need to handle Personally Identifiable Information, or PII, with the utmost care. Morgan Stanley didn’t and it’s cost them. Seeing as they agreed to pay this fine to make this problem go away, I suspect they figured out that they were in deep trouble when the SEC knocked on their door.

Hopefully, companies who handle PII are paying attention to this, and hopefully the SEC doles out more punishment like this to send the message that if you screw this up, you will pay.
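The SEC order above turns on two controls that never happened: nobody verified the vendor’s “data destruction”, and the drives’ own encryption was never switched on. Below is an added example (not from the SEC order or Morgan Stanley) of the kind of spot check a practitioner can run on a drive image before it leaves custody: read the media block by block and classify each block as zeroed, high-entropy (encrypted or randomly overwritten) or plaintext residue. The disk image, the entropy threshold and the placeholder customer record are all constructed for the example.

```python
"""Sampling check for decommissioned media (added example, not the page's code).

Reads a raw image (or, with the right permissions, a block device) in
fixed-size blocks and classifies each one. Any block that is neither zeroed
nor high-entropy is plaintext residue, which is what the resold Morgan
Stanley drives still carried. The image below is constructed in a temp file.
"""
import math
import os
import random
import tempfile
from collections import Counter
from typing import Dict

BLOCK_SIZE = 4096
HIGH_ENTROPY = 7.5  # bits/byte; assumed threshold, random or encrypted data sits near 8.0


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte in the block (0.0 for an all-zero block)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_block(block: bytes) -> str:
    if not any(block):
        return "zeroed"
    if shannon_entropy(block) >= HIGH_ENTROPY:
        return "encrypted_or_random"
    return "residue"  # structured, non-zero data: the failure the SEC order describes


def audit_image(path: str, block_size: int = BLOCK_SIZE) -> Dict[str, int]:
    """Classify every block in the image and return the tallies."""
    report: Dict[str, int] = {"zeroed": 0, "encrypted_or_random": 0, "residue": 0, "total": 0}
    with open(path, "rb") as f:
        while True:
            block = f.read(block_size)
            if not block:
                break
            report[classify_block(block)] += 1
            report["total"] += 1
    return report


def verdict(report: Dict[str, int]) -> str:
    if report["residue"]:
        return "FAIL: plaintext residue found"
    if report["zeroed"] == report["total"]:
        return "PASS: fully zeroed"
    return "PASS: only zeroed or high-entropy blocks"


def build_constructed_image(path: str) -> None:
    """Write a small fake drive image: mostly zeros, one text block, one random block."""
    rng = random.Random(1)  # fixed seed so the demo is reproducible
    text = b"CUSTOMER-RECORD-PLACEHOLDER account=000000 name=Example Customer;"  # constructed
    text_block = (text * (BLOCK_SIZE // len(text) + 1))[:BLOCK_SIZE]
    random_block = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
    with open(path, "wb") as f:
        f.write(bytes(BLOCK_SIZE) * 6)  # six wiped blocks
        f.write(text_block)             # one block of leftover plaintext
        f.write(random_block)           # one block that looks encrypted
        f.write(bytes(BLOCK_SIZE))      # one more wiped block


def demo() -> Dict[str, int]:
    """Build the constructed image, audit it, and return the report."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        build_constructed_image(path)
        return audit_image(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    rep = demo()
    print(rep, verdict(rep))
```

Pointing `audit_image` at a real image rather than the constructed one is the only change needed; a drive that was supposed to be zero-filled should report nothing but `zeroed`, and any `residue` count at all means the vendor’s work cannot be signed off.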

Hackers Amplify Phishing Attacks By Creating Multiple Profiles From Compromised Accounts And Use Auto-Delete To Cover Their Tracks: Avanan

Posted in Commentary with tags on September 22, 2022 by itnerd

Researchers at Avanan, a Check Point Company, have discovered threat actors using stolen credentials to create more user profiles to send credential harvesting emails. By doing so, hackers are able to multiply the effect of credential harvesting scams.

In this attack brief, researchers at Avanan, a Check Point Software company, will discuss how threat actors are compromising accounts, creating more user profiles to send out more attacks, then auto-deleting email trails. 

The campaign presents users with an email from Microsoft’s Office 365 notifying them that a form has been shared. Clicking on the link to the form directs users to a malicious site where credentials are stolen. The hacker, now with access to the account, creates more user profiles within the larger admin and sends out phishing emails to over 4,000 addresses. The emails are then set to be auto-deleted from the compromised accounts to cover their tracks. 

You can read the attack brief here.
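The two post-compromise steps in the brief leave traces an administrator can look for: the inbox rule that auto-deletes the phishing trail, and new user accounts created by the compromised identity shortly afterwards. The following is an added example (not from Avanan or the original post) that scans audit records for both and pairs them by actor and time window. The records are constructed and only loosely modelled on Microsoft 365 unified audit log entries; the field and operation names are an assumption, so map them to whatever your own export uses.

```python
"""Detect silent-delete inbox rules followed by user creation (added example).

Step 1 of the brief: the compromised account creates a rule that deletes
mail so the owner never sees bounces or replies. Step 2: it adds more
profiles to send from. Seeing both from one actor inside an hour is a
strong signal. Sample records below are constructed; field names assumed.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_LOG = """
{"CreationTime": "2022-09-20T09:01:12", "UserId": "j.doe@contoso.example", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "form shared"}, {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"CreationTime": "2022-09-20T09:04:40", "UserId": "j.doe@contoso.example", "Operation": "Add user.", "ObjectId": "svc.billing1@contoso.example"}
{"CreationTime": "2022-09-20T09:05:03", "UserId": "j.doe@contoso.example", "Operation": "Add user.", "ObjectId": "svc.billing2@contoso.example"}
{"CreationTime": "2022-09-20T10:15:00", "UserId": "admin@contoso.example", "Operation": "Add user.", "ObjectId": "new.hire@contoso.example"}
{"CreationTime": "2022-09-20T11:30:00", "UserId": "a.smith@contoso.example", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]}
"""

RULE_OPS = ("New-InboxRule", "Set-InboxRule")
DELETE_PARAMS = ("DeleteMessage", "SoftDeleteMessage")


def parse_records(text: str) -> List[dict]:
    """One JSON object per line; blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_params(rec: dict) -> Dict[str, str]:
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def is_deleting_rule(rec: dict) -> bool:
    """True for a rule creation/modification whose action is to delete mail."""
    if rec.get("Operation") not in RULE_OPS:
        return False
    p = rule_params(rec)
    return any(p.get(k, "").lower() == "true" for k in DELETE_PARAMS)


def find_suspects(records: List[dict], window_minutes: int = 60) -> List[dict]:
    """Pair each deleting rule with user additions by the same actor inside the window."""
    findings = []
    for rec in records:
        if not is_deleting_rule(rec):
            continue
        actor = rec["UserId"]
        t0 = datetime.fromisoformat(rec["CreationTime"])
        t_end = t0 + timedelta(minutes=window_minutes)
        new_users = [
            r["ObjectId"]
            for r in records
            if r.get("Operation") == "Add user."
            and r.get("UserId") == actor
            and t0 <= datetime.fromisoformat(r["CreationTime"]) <= t_end
        ]
        findings.append({
            "actor": actor,
            "rule_name": rule_params(rec).get("Name", ""),
            "rule_time": rec["CreationTime"],
            "new_users": new_users,
            # a deleting rule alone is worth a look; rule plus new accounts is the brief's pattern
            "severity": "high" if new_users else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspects(parse_records(SAMPLE_LOG)):
        print(f)
```

The legitimate `Newsletters` rule and the administrator’s unrelated user creation fall through, while the compromised `j.doe` account surfaces once with both new profiles attached. A one-character rule name such as `.` is also worth surfacing on its own, since a legitimate user rarely names a rule that way.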

A New @Microsoft Email #Scam Is Making The Rounds

Posted in Commentary with tags on September 22, 2022 by itnerd

A new email scam, likely a phishing scam, that uses Microsoft as its hook is making the rounds. Here’s the email in question:

The first hint that this is an email scam is that this email does not fit Microsoft’s brand design. But there is a simpler way to tell that this is an email scam:

Look at the email address. In this case, this did not come from Microsoft, as the domain being used is not a Microsoft domain. That’s a #fail right out of the gate and should cause you to delete this email immediately.

Going further down the rabbit hole, it references a Microsoft update. Specifically KB40341836081, which doesn’t exist. Microsoft update numbers are six digits at present and this one is way too long. The English is also horrible. For example: “perhaps you may experience difficulties signing into your account following a restart or sign-out.”

It also encourages you to log into a website to fix this, and serves up a lot of technically incorrect information to push you to go to this website. It also tries to reassure you by saying that you don’t have to download anything, implying that you won’t get infected by a virus or something. Finally, it offers a site where you can stop or change these “security alerts”. But that site isn’t actually a link, so it’s just there to reassure you that this email is legit, which of course it isn’t.

As for the website that it takes you to, well I couldn’t get it to load. Perhaps it’s been taken out by Microsoft? Or maybe because I did this on a Mac it wouldn’t respond to me because it was looking for a PC to perhaps load malware on it? It’s hard to say.

Regardless, if you see this email show up in your inbox, delete it.

It Seems That @RBC Is Now Being Used As Part Of An Email #Scam To Get Your Banking Credentials

Posted in Commentary with tags on September 22, 2022 by itnerd

A new scam that is targeting RBC customers is making the rounds. This is the email that will hit your inbox:

So this is clearly a phishing scam. How can I tell that? Let’s start with the sender.

The email address that it is sent from is not RBC, as the domain for this email address is not rbcroyalbank.com. Thus right out of the gate you should be deleting this email. But there are other ways to tell. The quality of the English is another example.

Can you pick out all the grammatical errors in this paragraph? And what the hell is or are Mesh Manges? The bottom line is that scammers don’t sweat the details in their scams. Especially about what they write in their scam emails.

So let’s say that you actually click on the link that the email says you should click on (which you should never do). This is what you will get:

You’ll note that the URL bar doesn’t have a URL that is associated with RBC as it is not some form of rbcroyalbank.com. So that’s a #Fail. But what’s interesting is that it has a Captcha. And it actually works.

I tried to pick plants that were not hanging from the ceiling and that would not work. That’s impressive as while these scammers didn’t get the English right, they got this part right to suck you into falling for this scam. Once you get past that Captcha, you get this:

It’s not an exact replication of the real RBC website. But it’s likely good enough to fool some people. Here’s where it falls apart. When you enter your card number and password, it just loops back to this page. But I am guessing that the scammers have snatched your credentials at this point and they are well on their way to draining your bank account.

So I’ll close off as I always do with scams. If you see this email hit your inbox, delete it.

By the way, this scam will be reported to RBC so that they can take action.
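Both the Microsoft and the RBC posts above reach their verdict the same way: the sender’s domain is not the brand’s, the landing page’s domain is not the brand’s, and in the Microsoft lure the quoted KB number could not be real. The block below is an added example (not code from either post) that performs those checks on a message: it reduces sender and link hosts to their registrable domain, so a brand name parked in a subdomain does not pass, and flags KB numbers of an implausible length. The allowlist (only rbcroyalbank.com comes from the post; microsoft.com is an assumption), the tiny two-level-suffix table and the three sample messages are all constructed for the example.

```python
"""Sender, link and KB-number checks for brand-impersonation e-mail (added example).

Applies the checks the posts make by eye. Sample messages, the brand
allowlist and the suffix table are constructed; use the Public Suffix List
and your own brand list in practice.
"""
import re
from email.utils import parseaddr
from typing import Dict, List, Set
from urllib.parse import urlparse

# Registrable domains the brand actually uses (assumed for the example).
LEGIT_DOMAINS: Dict[str, Set[str]] = {
    "RBC": {"rbcroyalbank.com"},
    "Microsoft": {"microsoft.com"},
}

# Tiny stand-in for the Public Suffix List so example.co.uk is handled.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

KB_RE = re.compile(r"\bKB(\d+)\b")


def registrable_domain(host: str) -> str:
    """'rbcroyalbank.com.verify-login.example' -> 'verify-login.example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_matches_brand(from_header: str, brand: str) -> bool:
    """Check the address part of a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    return registrable_domain(addr.rsplit("@", 1)[1]) in LEGIT_DOMAINS[brand]


def link_matches_brand(url: str, brand: str) -> bool:
    host = urlparse(url).hostname or ""
    return registrable_domain(host) in LEGIT_DOMAINS[brand]


def implausible_kb_numbers(body: str) -> List[str]:
    """KB references whose digit count cannot be genuine.

    Assumption used here: genuine KB article numbers have six or seven
    digits, so the eleven-digit KB40341836081 from the post fails.
    """
    return [f"KB{d}" for d in KB_RE.findall(body) if not 6 <= len(d) <= 7]


def triage(msg: dict) -> List[str]:
    """Return the reasons a message fails the brand checks (empty list = passes)."""
    reasons = []
    if not sender_matches_brand(msg["from"], msg["brand"]):
        reasons.append(f"sender domain is not a {msg['brand']} domain")
    for url in msg["urls"]:
        if not link_matches_brand(url, msg["brand"]):
            reasons.append(f"link host {urlparse(url).hostname} is not a {msg['brand']} domain")
    for kb in implausible_kb_numbers(msg.get("body", "")):
        reasons.append(f"{kb} is not a plausible KB number")
    return reasons


# Constructed samples modelled on the two lures (not the actual scam messages).
SAMPLE_RBC = {
    "brand": "RBC",
    "from": "RBC Royal Bank <alerts@rbc-secure-mesh.example>",
    "urls": ["https://rbcroyalbank.com.verify-login.example/cards"],
    "body": "Your Mesh Manges require verification.",
}
SAMPLE_MS = {
    "brand": "Microsoft",
    "from": "Microsoft Security <no-reply@account-alerts.example>",
    "urls": ["http://secure-update.example/fix"],
    "body": "Install update KB40341836081, perhaps you may experience difficulties signing into your account.",
}
SAMPLE_LEGIT = {
    "brand": "RBC",
    "from": "RBC <noreply@rbcroyalbank.com>",
    "urls": ["https://www.rbcroyalbank.com/"],
    "body": "",
}

if __name__ == "__main__":
    for sample in (SAMPLE_RBC, SAMPLE_MS, SAMPLE_LEGIT):
        print(sample["from"], "->", triage(sample) or ["passes"])
```

The registrable-domain step is what defeats the common trick of putting the real brand at the front of a hostname; `www.rbcroyalbank.com` passes while `rbcroyalbank.com.verify-login.example` does not, and the display name in the From: header plays no part in the decision.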

Property Giant RioCan Defends Huge Development In Downtown Toronto With Darktrace AI

Posted in Commentary with tags on September 22, 2022 by itnerd

Darktrace, a global leader in cyber security artificial intelligence, today announced that RioCan, one of Canada’s largest real estate investment trusts, has selected Darktrace to defend “The Well,” Canada’s most ambitious multi-use real estate project.  

Set to open in 2023, The Well will host approximately 11,000 people daily. Located in downtown Toronto, this expansive development will comprise more than 200 retail, commercial, and residential spaces across 7.7 acres of land. 

RioCan selected Darktrace’s DETECT and RESPOND technologies in 2021 to defend Network and Cloud infrastructure across its commercial office spaces and retail property investments. The property investor is now deploying Darktrace’s AI to defend this three-million-square-foot project in Toronto from sophisticated and disruptive cyber-threats. 

As cyber-crime proliferates, attackers continue to target real estate organizations both to exfiltrate confidential data, including the financial information of property buyers and sellers, and to disrupt operations and demand hefty ransoms from investors and agents. With AI-powered defenses, RioCan is able to protect its IT estate as well as its operational technology, including elevators, thermostats, and appliances.  

Darktrace delivers complete AI-powered solutions in its mission to free the world of cyber disruption. We protect more than 7,400 customers from the world’s most complex threats, including ransomware, cloud, and SaaS attacks. Darktrace is delivering the first-ever Cyber AI Loop, fueling a continuous security capability that can autonomously spot and respond to novel in-progress threats within seconds. Darktrace has 115+ patent applications filed. Darktrace was named one of TIME magazine’s “Most Influential Companies” in 2021. 

Guest Post: Trojans Targeting Mobile Banking Grew By Over 110% In H1 2022

Posted in Commentary with tags on September 22, 2022 by itnerd

The majority of the population in developed countries has integrated mobile banking into their everyday lives surprisingly quickly and seamlessly. The adoption of mobile banking was successful because financial institutions and fintechs ensured that the applications were user-friendly, convenient, and extremely secure.

However, since financial gains from finding loopholes in mobile banking applications tend to be sky-high, hackers are working day and night to figure out how to break into these apps.

While the mobile banking industry is in its golden age, the amount of attention from cybercriminals is also at an all-time high. 

According to an Atlas VPN investigation, the number of mobile banking trojans reached a record-breaking 109,561 detections in H1 2022, representing a 117% increase over the 50,450 detections in H2 2021.

The data for the analysis was extracted from Kaspersky’s official website, where the company shares data collected from its users. 

Nearly half (49.28%) of the detections in H1 2022 were part of the Trojan-Banker.AndroidOS.Bray family. This malware type is considered to be a severe threat to the infected system. 

Mobile trojans are designed to target mobile financial applications in order to commit on-device fraud and siphon cash straight from victims’ accounts.

Victims (sometimes) get their funds back

Cybercriminals tend to backward-rationalize their fraudulent acts by stating that their victims usually get their funds back, so the actual losses are incurred by the banking institutions instead. 

To read the full article, head over to: https://atlasvpn.com/blog/trojans-targeting-mobile-banking-grew-by-over-110-in-h1-2022

NexTech Batteries Earns Milestone UN/DOT Safety Certification

Posted in Commentary with tags on September 22, 2022 by itnerd

NexTech Batteries, the global leader in proprietary lithium-sulfur (LiS) battery technology, received UN/DOT 38.3.5 safety certification for its patented semi-solid-state lithium-sulfur 5.4 amp hour cell – exceeding test standards required for air transportation and other modes of transit. 

Before any lithium battery can be transported, it must pass specialized safety tests that simulate real-world transportation conditions like low pressure, impact, temperature, shock and more. UN/DOT 38.3.5 details environmental, mechanical and electrical requirements for all lithium cells and batteries. The UN/DOT 38.3.5 standard is required for transporting lithium batteries in the U.S. and is the international standard for air and sea transit across international waters and boundaries. With this certification, NexTech demonstrates compliance in the design and manufacture of its groundbreaking Lithium-Sulfur battery cells – which are being actively tested by major global automotive manufacturers, state energy commissions in the U.S. and consumer technology companies. 

NexTech’s first-to-market semi-solid-state lithium-sulfur chemistry brings real solutions to the immense demands of the world economy for reliable, powerful, safe and sustainable battery technology. Having introduced a lithium-sulfur cell approved under the UN 38.3.5 safety standard, the first of its battery cells to earn the certification, NexTech is ramping up activity with domestic and international partners and rapidly preparing additional cell capacities for UN/DOT testing. The company is accelerating the crucial battery evolution demanded by the next generation of consumer electronics and e-mobility.

NexTech Lithium-Sulfur Cells: Flying Through UN 38.3.5 Safety Tests

  • T1 Altitude – simulates how the cell behaves during air transport under low pressure conditions whereby the cell could swell in size or burst.
  • T2 Thermal – validates the cell’s perimeter vacuum seal and internal electrical connections to remain intact during rapid and extreme temperature changes.  
  • T3 Vibration – simulates a series of vibration effects that may be apparent during transportation.
  • T4 Shock – validates the robustness of the cells against shock and extreme acceleration and deceleration that can be transportation or application related.
  • T5 External Short Circuit – simulates an external short of the terminals without going into thermal runaway or exceeding 170C and avoiding rupture.
  • T6 Crush/Impact – simulates any mechanical abuse from an impact or crushing event that may result in thermal runaway or the cell bursting.
  • T8 Forced Discharge – evaluates the ability of a primary or rechargeable cell to withstand a forced discharge condition and not result in thermal runaway.

Indonesia Passes A Really Great Data Privacy Law

Posted in Commentary with tags on September 21, 2022 by itnerd

Indonesian legislators on Tuesday passed the data protection bill, making data handlers liable for up to five years in jail and a maximum fine of 5 billion rupiah ($334,000) for leaking or misusing private information. Reuters have the details:

The bill’s passage comes after a series of data leaks and probes into alleged breaches at government firms and institutions in Indonesia, from a state insurer, telecoms company and public utility to a contact-tracing COVID-19 app that revealed President Joko Widodo’s vaccine records.

Lawmakers overwhelmingly approved the bill, which authorises the president to form an oversight body to fine data handlers for breaching rules on distributing or gathering personal data.

The biggest fine is 2% of a corporation’s annual revenue and could see their assets confiscated or auctioned off. The law includes a two-year “adjustment” period, but does not specify how violations would be addressed during that phase.

The legislation stipulates individuals can be jailed for up to six years for falsifying personal data for personal gain or up to five years for gathering personal data illegally.

Users are entitled to compensation for data breaches and can withdraw consent to use their data.

Noris Ismail, Managing Director of Breakwater Solutions has this to say:

“Indonesia experienced a rollercoaster journey and huge learning & relearning curve whilst drafting and debating the Bill. It’s not surprising given President Joko Widodo’s vision to accelerate Indonesia’s digital economy transformational journey (being the 4th most populous nation in the world which contributed 40% of Southeast Asia’s 2021 e-commerce gross Merchandise Value (GMV), at $70 billion based on the 2021 e-Conomy Southeast Asia report) and mushrooming reported data breach cases in public and private sectors. Like other evolving data privacy legislative landscapes in ASEAN Member States, some of the requirements partly mirror the GDPR (but with Indonesia gravitas, persona, and legislative identity). Global organisations that are processing Indonesian datasets (inside or outside Indonesia) have 2 years to kick off assessment and remediation leading to the ‘Business As Usual (BAU)’ implementation phase. Some organisations might accelerate the latter due to lessons learned from the GDPR experience and journey – subject to existing governance, business strategy, growth, process and data processing activities. Some organisations might require a tactical approach to assess top 5-10 risks and prioritise to remediate leading to aspired defensible compliance positions (due to resource, budget, and technology constraints). Pushing forward to 2 years, we’re very keen to learn Indonesia Personal Data Protection Act (PDPA)’s regulatory enforcement approach and their ‘global data interoperability’ guidance notes particularly in data localisation and PDPA adequacy determinations (from Indonesia’s lens, in addition to, the European Commission’s lens). It might take more than 2 years and beyond to progress, evolve and mature.”

Hopefully, this sort of bill gets copied in other places, as it should help to reduce the number of data leaks that we see.

Witness Blanket Goes Digital To Share Truths And Memories Of Residential School Survivors 

Posted in Commentary with tags on September 21, 2022 by itnerd

Today, the Canadian Museum for Human Rights (CMHR), Indigenous artist Carey Newman (Hayalthkin’geme), and TELUS celebrated the launch of a new online platform which invites all Canadians to bear witness to the experiences of residential school Survivors. 

Witnessblanket.ca shares stories from the Witness Blanket, a powerful work of art made from over 800 items reclaimed from residential schools, churches, government buildings and other important cultural sites across Canada. The artwork was created by master carver and Indigenous artist, Carey Newman, as a national monument to recognize the atrocities of the residential school era, honour the children, Survivors, and symbolize ongoing reconciliation. 

Users can explore 10 original stories that weave together video testimony from Survivors with information about a piece of the artwork. These stories share the significance of items that carry a deep personal and cultural connection to the residential school era and its legacy such as braided hair, a mush hole bowl, Inuvik stone, and letters. Users can also explore the full artwork, including individual pieces, where they were located and who contributed them. Digitizing the Witness Blanket has made it accessible to audiences around the world. Through witnessblanket.ca, thousands more each year will recognize the atrocities of the era, remember the children who didn’t return home, and honour Survivors. 

The digital Witness Blanket project was created through a partnership between Newman, the Canadian Museum for Human Rights, Animikii Indigenous Technology, Media One Inc., and TELUS. It was made possible by a $1 million dollar commitment from TELUS and the TELUS Friendly Future Foundation, and an additional $100,000 from the Entwistle Family Foundation. Its development was guided by a Survivors Circle brought together through the National Centre for Truth and Reconciliation (NCTR). The launch of witnessblanket.ca represents the first phase of this partnership. Moving forward, it will leverage TELUS’ technological expertise to create augmented reality, virtual reality led by Camosun Innovates, and projection mapping experiences that will further expand the reach of the Witness Blanket.

A core feature of the platform is a new resource guide for teachers, created in consultation with an advisory group of teachers across Canada. The guide includes foundational teaching strategies, guidance on how to welcome Elders, Survivors and Indigenous community members into the classroom, and detailed lesson plans for teaching about residential schools to students of all ages.

In addition to digitizing the Witness Blanket, the Canadian Museum for Human Rights has launched an initiative by the Vancouver Public Library to create stations in two branches – including a children’s branch at the Central Library – where visitors can explore the Witness Blanket digitally.

Central to TELUS’ Reconciliation Commitment, TELUS is leveraging their world-leading technology to support the diverse needs of Indigenous Peoples, build relationships between Indigenous and non-Indigenous businesses, help to grow the economy and enable prosperity for Indigenous Peoples. In 2021, TELUS committed $8 million to stand in solidarity with Survivors and their families by supporting Indigenous-led entrepreneurs, projects and initiatives. This commitment includes a $1 million gift to digitize, promote and distribute the Witness Blanket as well as investments from the TELUS Pollinator Fund in Indigenous-led businesses, and grants from the TELUS Community Boards and TELUS Friendly Future Foundation.