Archive for the Commentary Category

My Wife And I Got Our COVID Vaccines…. Here’s What That Was Like For Us

Posted in Commentary on April 13, 2021 by itnerd

Early last week my wife and I got our COVID vaccines and I wanted to take a moment to talk about what that experience was like as I got a lot of questions about it since posting this Tweet:

Here’s a recap of our experience.

First of all, there was booking the appointment. Now some friends of ours alerted us that we were eligible because we were 50 or over in a “high priority” postal code. I am going to assume that this might have something to do with the fact that there is an assisted living facility down the street from us that had a number of deaths that were due to COVID. That led us to booking an appointment with Unity Health to get our vaccine. Or at least trying to. It took three days of constantly checking the website to find a pair of appointments for us. When we did, we hurriedly booked them. One was for last Monday at the St. Joseph’s Hospital site in the west end of Toronto for myself. The other was for the next day at the St. Michael’s Hospital site in downtown Toronto for my wife. One thing that I did notice is that the booking site uses Cloudflare to stop denial of service attacks and provide load balancing. Presumably, to ensure that everyone gets a fair chance to book appointments. Thus my first piece of advice would be to keep trying to book an appointment because appointments will become available. Once you book an appointment, which requires you to have your OHIP card handy, you get an email and a text message on your phone confirming your appointment. Make sure you read the email as it has a lot of handy info about the site you’re booked into. For example, parking info, whether there are washrooms available, and how early you should show up are all in that email.

On the day I had my appointment, I drove down to St. Joseph’s Hospital and arrived at the parking garage 15 minutes early. A five-minute walk later, I got to the vaccine site. It was well signed and easy to find. Once I entered the clinic, I was greeted by a security guard who quizzed me about what time my appointment was. Once I replied, I was instructed to sanitize my hands and I was handed a paper mask via a pair of tongs to go on top of the cloth mask that I was wearing. I was then directed to a station where I was asked to show my OHIP card and I was quizzed about a variety of things including if I had COVID or I was exposed to anyone with COVID. I was then directed to a second station where I was quizzed again about the same items and I was asked to show my OHIP card again. After that I was asked to stand in line. There were five people ahead of me and there were clear markings to show where you should stand to ensure physical distancing. I also noted that there was a booth where a woman was preparing syringes with the vaccine. Once the syringe was prepared, another person would pick up the syringe and escort the person at the front of the line to a booth. In my case, I was in line for a grand total of 5 minutes before being escorted to a booth. In the booth the doctor quizzed me about exactly the same things that I was quizzed about by the first two booths that I had been at earlier.

I will say that they are thorough.

After that, I finally got the vaccine. Moderna in my case. Not that it really matters as the best vaccine is the one that goes in your arm. More on that in a bit. I was then escorted to a “recovery area” where I had to take a number and wait for 15 minutes to see if I had any reactions to the vaccine. The number was entered into an iPad which started an individual timer for me which is pretty slick. When my number was called, I was escorted to a check-out area where my information was confirmed including my email address and my cell phone number. I was then told I would get an email and text message when my next appointment was booked. I then left the facility. I wasn’t three steps out the door before my iPhone dinged and I got a text message saying that my next appointment was booked. It was booked for 112 days from last Monday. I know that because I asked Siri how many days it was until my next appointment.

Total time invested: 30 minutes.

Side effects? Well, here’s what my wife and I experienced:

  • In my case, my body temperature went up to about 99 degrees Fahrenheit after the vaccine. Also for about a couple of days, I felt lethargic. But by the weekend I was back to normal. As mentioned earlier, I got the Moderna vaccine.
  • In the case of my wife, she had bouts of dizzy spells for about a day or so and was lethargic. But was normal again by the weekend as well. I should note that she got the Pfizer vaccine.
  • In both of our cases, the injection site, which was our respective left arms, was sore and swollen for a couple of days. But both of those things disappeared by the weekend.

So with that out of the way, I want to cover a few touchy points.

  • I’ve been asked if I had a preference in terms of vaccine brand as some vaccines, specifically the AstraZeneca and Johnson & Johnson, have been linked to rare blood clots. The answer is no. The best vaccine is the one that goes in your arm as it’s going to give you protection from COVID. And given that these blood clots happen less than 1% of the time, and your chances of catching COVID are far higher than that, I’ll take my chances with the vaccine.
  • I’ve been asked if I was hesitant in terms of getting the vaccine. The answer is no. But not everyone is like me. If you’re hesitant about getting the vaccine, that’s okay. You have the right to feel however you feel. But I would say that you need to seek out whatever information you need from reputable sources to give you the comfort level you need to get the vaccine. I would recommend this link for reputable info if you’re in Canada. This link if you are in the US. And this link if you’re in the UK. There are likely similar links for other countries as people from over 20 countries visit this blog every single day. But like I said, seek out reputable information and make your call based on facts rather than what you see on Facebook or Twitter.
  • The most important thing that I would say is that getting the vaccine isn’t about you. It’s about those around you. Yes it is true that if you get the vaccine that your chances of having a severe COVID related outcome drops dramatically. But it’s about spreading COVID around to others. While there is still a risk of that happening even if you have had the vaccine, which is why you need to still follow public health advice after you get it, that risk drops dramatically if you get the vaccine. So in effect, you are protecting others by getting a vaccine. Specifically your friends and family. It’s also the best way that the world has at present to get out of this pandemic and get back to something approaching normality. And every vaccinated person moves the metaphorical needle closer to that goal.

In closing, if I had to grade the whole experience, I would grade it an “A-”. The minus comes from the fact that I had to try really hard to get appointments for myself and my wife. The rest of the experience was top shelf. And that was cemented by the fact that my wife had pretty much the same experience the next day at the St. Michael’s site for Unity Health. Thus if you are eligible for the COVID vaccine, I would recommend getting it as soon as you can. While the process requires you to invest some time up front, the long term benefit is going to be worth it. Which is that we can get on with our lives sooner.

Durham Region Government Gets Pwned By Ransomware

Posted in Commentary with tags on April 13, 2021 by itnerd

News has surfaced that the Durham Region Government has been pwned by ransomware. IT World Canada got wind of this and when they asked Durham Region about the pwnage, they got this response:

A statement from the region’s communications department says they’ve contacted the “relevant authorities and regulators.”

“Our IT teams, working with the service provider, took immediate steps to secure our systems. The incident did not impact the Region’s core IT systems.

“Our experts are now investigating the matter to determine the information that may be involved and the impact of this incident. It is important to note that the vulnerability related to the service provider has been addressed and our systems have been secured.

“We are committed to protecting the privacy of all residents and we are taking this matter very seriously. We are sorry for the inconvenience this may cause affected parties.”

This isn’t good for anyone as the damage is likely worse than they’re letting on. David Masson, Director of Enterprise Security at Darktrace, had this to say:

Once again, we have seen threat actors attack regional government in Canada. In this instance, attackers struck by exploiting third-party software as a means of entry, exposing a fundamental weakness of even the most secure organizations – the supply chain. 

What this recent attack drives home is the critical need for an approach to security that stops threats even once they have penetrated the perimeter. Double threat ransomware – where data is not only encrypted, but also stolen – seems to have been used, and on this occasion the data has been exposed on the web. The adversaries behind the attack had likely been lurking in the Municipality of Durham’s systems – undetected – for some time, able to move laterally and search for sensitive data. While individuals could be hurt by data exposure, affected organizations are also likely to experience reputational damage.

With ransomware attacks ramping up, all organizations have to accept that they can no longer rely on perimeter-based tools to prevent threats, nor can they rely on their own supply chain. Organizations need solutions that can respond to threats even once they have made their way inside a digital infrastructure, which is why many Canadian organizations are leaning on self-learning AI, which is able to detect even the most subtle indicators of attack and has the ability to autonomously respond to threatening activity in real time – before the damage is done.

I know I keep saying this, but I hope this spurs companies to up their cybersecurity game to stop this sort of thing from happening as the effects are far reaching and painful.

New Dell Inspiron Family & XPS 13 OLED Announced

Posted in Commentary with tags on April 13, 2021 by itnerd

Today, Dell Technologies announced a redesigned, new lineup of Inspiron laptops and there’s a device for every type of user – from students doing remote learning and parents juggling WFH to young professionals binging the latest shows, blogging, keeping up with friends, etc. Here are the highlights:

  • A variety of sizes and form factors — From 13, 14, 15 and even 16-inch screens, the new Inspiron devices come in minimalist, modern designs to fit all your computing needs.
  • Packed with the latest PC innovations — A nearly borderless display, expansive keyboard, larger keycaps and spacious touchpad make it easier to view and navigate your content.
  • Look your best while streaming online — An HD webcam helps you look your best even in low-lit environments. Paired with the finely tuned microphone, you’ll come through crisp and clear in all your virtual hangouts.
  • There’s also an OLED screen version of the XPS 13 for the best viewing experience.

Check out the Inspiron blog post for more details.

Invicti Security Reports on Lost Year in Web Application Security

Posted in Commentary with tags on April 13, 2021 by itnerd

Invicti Security™, a global leader in web application security, today released the spring volume of its Invicti AppSec Indicator Report, which examines the prevalence of web vulnerabilities across more than 3,500 targets in every industry and more than 100 countries. The findings indicate that as organizations shifted focus to support remote work and business continuity amid the challenges of 2020, web application security suffered.

The report, released in previous years as the Acunetix Web Vulnerability Report, was developed through an examination of anonymized data collected via Acunetix, an Invicti DAST and IAST product used by thousands of companies and government organizations to discover and scan web assets for vulnerabilities and prioritize them for remediation. The large dataset, which includes data from more than 188,000 web scans, 173,000 network scans, and more than 290 million monthly HTTP requests, provided the basis for the analysis.

Between 2016 and 2019, the number of high-severity and medium-severity vulnerabilities decreased steadily every year, with an average reduction rate of 22% in high-severity vulnerabilities year over year. If that trend had continued, the overall incidence of high-severity vulnerabilities would have decreased from 26% to about 20%. However, progress came to an abrupt halt in 2020, probably as a result of resource reallocation to address Covid-19 business impacts and enable remote work worldwide. 

Among the 2020 report’s findings:

  • The overall prevalence of high-severity vulnerabilities such as remote code execution, SQL injection, and cross-site scripting increased slightly, from 26% to 27% of the targets scanned.
  • Medium-severity vulnerabilities such as denial-of-service, host header injection, and directory listing remained present in 63% of web apps in 2020, holding flat from 2019.
  • Several high-severity vulnerabilities are well-understood, but did not show improvement in 2020. One example: the incidence of remote code execution, both well-known and damaging, increased by one percentage point last year.
  • Also of note: the incidence of server-side request forgery (SSRF), the primary vulnerability behind the recent Microsoft Exchange breach in 2021, as well as Capital One in 2019, has not improved year over year.

With many of the Covid-related changes to consumer and business behaviors expected to endure beyond the end of the pandemic, web application security is more critical than ever. From growing usage of business tools such as chat, web conferencing, and collaboration environments, to increased consumer adoption of e-commerce, attack surfaces continue to expand. Recent research indicates that the largest percentage of breaches in 2020 began with a web application, yet at the same time, the number and severity of a variety of other types of attacks reached new highs in 2020, diverting the time and resources of security organizations away from web application security. 

The full report is available here.

New Infosec IQ Cybersecurity Culture Survey Quantifies Security Beliefs, Sentiments

Posted in Commentary with tags on April 13, 2021 by itnerd

Infosec, the leading cybersecurity education company, today released one of the industry’s first cybersecurity culture assessment tools. The new Infosec IQ Cybersecurity Culture Survey introduces an actionable, scalable way to analyze and measure employee attitudes and perceptions towards security practices, policies and training strategies across five cultural domains.

The Infosec IQ Cybersecurity Culture Survey collects employee feedback and scores organizations across these five domains: 

  • Confidence: how employees classify their own ability to put their cybersecurity knowledge to practical use
  • Responsibility: how employees perceive their role in organizational security
  • Engagement: how willingly employees participate in an organization’s security awareness and training program and apply available resources and support to improve security behaviors
  • Trust: how employees perceive the security posture and processes at their organization
  • Outcomes: how employees perceive the consequences of a security incident at their organization

The Infosec IQ Cybersecurity Culture Survey helps security awareness managers evolve program goals and success metrics to align with recommendations from leading research firms like Forrester. According to a Forrester report authored by analysts Jinan Budge and Claire O’Malley, “Cultural change takes time and results are difficult to measure.” One technique they recommend CISOs use is “surveying the workforce to measure motivation, ability and triggers. This will allow you to quantify the strengths and weaknesses of an existing or potential SA&T [security awareness and training] program and gain insight into the current state of security culture.”1

Infosec IQ program managers can administer the Cybersecurity Culture Survey as needed and use results to guide changes to cybersecurity policies, practices or training strategies. The tool generates scores across all five domains and provides recommendations for strengthening cybersecurity culture and improving scores in each domain. Recommendations include training content and employee engagement features built within the Infosec IQ security awareness platform and suggestions for increasing the impact of security-related communications.

Click here to learn more about the Infosec IQ Cybersecurity Culture Survey.

Mobile Klinik Launches Onsite Repair

Posted in Commentary with tags on April 12, 2021 by itnerd

Today Mobile Klinik, Canada’s leading chain of professional smartphone and tablet repair stores, launched Onsite Repair Units, the first van service of its kind to offer consumers and businesses nationwide the convenience of professional smartphone and tablet repair at the location of their choice. With more Canadians working and learning from home and physical distancing protocols in place, it is more important than ever for their devices to be working without issue, and now residents and businesses in more than 100 communities nationwide can conveniently access Mobile Klinik’s Onsite Repair Unit service.

As a leader in professional smartphone and tablet repair, Mobile Klinik is committed to providing Canadians with flexible and affordable options to keep their devices for longer, servicing common issues like cracked screens, broken cameras, software updates, and battery replacements using high quality parts and state of the art diagnostics – right from inside the Mobile Klinik service van, outside their homes or place of work.

To further support Canadians throughout the Covid-19 pandemic, for a limited time, Mobile Klinik is waiving the $29.99 Onsite Repair Unit convenience fee. Customers in the following communities can book today either online or by phone to have a Mobile Klinik technician arrive at the location of their choice and service their repair in 60 minutes or less.

British Columbia

  • Vancouver
  • Surrey
  • Richmond
  • Burnaby
  • Delta
  • North Vancouver
  • West Vancouver
  • Coquitlam
  • Pitt Meadows
  • Maple Ridge
  • Langley
  • White Rock
  • New Westminster

Alberta

  • Calgary
  • Chestermere
  • Airdrie
  • Edmonton
  • St. Albert
  • Spruce Grove
  • Beaumont
  • Leduc

Manitoba

  • Winnipeg
  • Selkirk

Ontario

  • Toronto
  • Mississauga
  • Brampton
  • Oakville
  • Milton
  • Caledon
  • Ottawa
  • Nepean

Quebec

  • Gatineau
  • Montreal
  • Pointe-Claire
  • Kirkland
  • Salaberry-de-Valleyfield
  • Laval
  • Longueuil
  • Quebec City
  • Lévis
  • Saint-Jean-sur-Richelieu

To find out if Mobile Klinik’s new Onsite Repair service is available in your community or for more information, visit: mobileklinik.ca/onsite-repair.

LinkedIn Pwned… Data Of 500 Million Online For Sale

Posted in Commentary with tags on April 8, 2021 by itnerd

Data from 500 million LinkedIn users has been scraped and is for sale online, according to a report from Cyber News. A LinkedIn spokesperson confirmed to Insider that there is a dataset of public information that was scraped from the platform. 

“While we’re still investigating this issue, the posted dataset appears to include publicly viewable information that was scraped from LinkedIn combined with data aggregated from other websites or companies,” a LinkedIn spokesperson told Insider in a statement. “Scraping our members’ data from LinkedIn violates our terms of service and we are constantly working to protect our members and their data.” LinkedIn has 740 million users, according to its website, so the reported data scraping of 500 million users means about two-thirds of the platform’s user base could be affected. The data includes account IDs, full names, email addresses, phone numbers, workplace information, genders, and links to other social media accounts.

This is bad. As bad as Facebook’s recent issues. And I prescribe a similar solution for this. LinkedIn is owned by Microsoft and Microsoft has a market cap of over $1.83 trillion. So I suggest a fine of $80 per account. For the roughly half billion accounts exposed, that would come to $40 billion. That would really get their attention and you would bet your last dollar that LinkedIn would never, ever be this negligent again.

OVHcloud Expands Its Bare Metal Server Range With New & Improved Scale & High-Grade Ranges

Posted in Commentary with tags on April 8, 2021 by itnerd

OVHcloud is expanding its Bare Metal server offering with two new ranges of machines that provide high performance, very high-capacity bandwidth and high availability. These new machines address the needs of organizations running critical workloads which require ready-to-use platforms and are optimized to work with solutions from leading software publishers. These servers will be available in OVHcloud data centers across Canada, the US and Europe.

Large corporations, banking, health, and other industry sectors are particularly well served, alongside universities and research centers. For these organizations, there is a particular need to have a better price/performance ratio, anticipate any technical risks and develop business growth. All this with a resilient, very high-bandwidth network, and availability across a wide range of geographical regions.

OVHcloud expertise for a wide range of professional use cases

Scale and High-Grade servers are optimized for complex, resource-intensive tasks. They are particularly suited to the following use cases:

  • Managing Hyper Converged Infrastructure (HCI), particularly for companies that want to consolidate their data centers.
  • Software Defined Storage (SDS), which can handle the needs associated with increasing the volume of data to be managed, while controlling costs.
  • Virtualization, containerization, and orchestration, for project deployment or application modernization while optimizing hardware and software investments.
  • Big Data and analytics, to optimize data usage.
  • Archiving and backup, as storage solutions must meet very specific needs, such as agile information flow management, fault prevention, ensuring optimal archiving of critical data, and compliance with applicable laws.
  • Virtual Desktop Infrastructure (VDI), for large-scale management of remote and virtualized work environments.

Two innovative ranges to meet the highest requirements

Scale and High-Grade ranges come with all the OVHcloud commitments: the latest and most powerful computing components; the best price/performance ratio, with totally transparent and predictable pricing; OVHcloud Link Aggregation (OLA) technology, which allows users to aggregate each server’s network interfaces to boost its availability while isolating it from the public network and any potential threats; a 99.99% SLA; and Anti-DDoS protection included. Finally, traffic is included and is unlimited.

Supplementing the Hosted Private Cloud catalog, which was recognized as a “strong performer” in North America and a “leader” in Europe in the Hosted Private Cloud market in The Forrester Wave™: Hosted Private Cloud Services, Q2, 2020 report, both ranges are operated according to the most demanding security standards in compliance with ISO/IEC 27001.

  • Scale offers a range of 6 servers with AMD EPYC™ and Intel® Xeon® Gold CPUs. It is aimed at companies with high performance requirements. Scale provides the resilience and speed to enable these large companies to grow their business by improving their IT performance. The range offers a guaranteed bandwidth of up to 25 Gbps, and a service level agreement (SLA) of 99.99%, ensuring the best guarantees for hosting the customer’s infrastructure (on private or hybrid cloud).
  • High-Grade, consisting of a selection of 10 servers based on AMD EPYC™ and Intel® Xeon® Gold CPUs, is designed for businesses with critical availability and performance needs. The range offers guaranteed bandwidth of up to 50 Gbps and combines computing power, a very high-bandwidth network, and a large storage capacity. It is particularly well suited to use cases involving HCI, SDS or storage, and will grow into a machine dedicated to artificial intelligence.

Guest Post: Atlas VPN Says Elderly People Lost Nearly $1 Billion To Internet Crime In 2020

Posted in Commentary with tags on April 8, 2021 by itnerd

According to data presented by Atlas VPN, Americans over 60 years old lost a staggering $966 million to various types of internet scams in 2020.

Edward Garb, Cybersecurity Researcher at Atlas VPN, explains why fraudsters focus on older generations: 

“Not only do cybercriminals target victims over the age of 60 because they are believed to have significant financial resources, but also because elders tend to lack knowledge about basic internet security practices.”

Americans ages 60 and older submitted 105,301 complaints to the FBI and reported a total of $966 million in monetary damages last year. That means that, on average, older citizens lost $9,174 per scam. Looking at monetary damages on a day-by-day basis, elders lost around $2.65 million daily in 2020.

US citizens ages 50-59 lost nearly $849 million from 85,967 reported scams in 2020. Average financial losses per scam are even bigger, amounting to an average of $9,863 per complaint.  

Next up, people ages 40-49 also lost a huge amount of money to cybercriminals, totaling $717 million from 91,568 reports. In other words, this demographic loses around $7,832 every time they fall victim to internet scams. 

Even though Americans ages 30-39 reported a similar number of scams at 88,364, their losses are substantially lower than all previous groups, at $492 million in losses in 2020. In turn, their reported losses per complaint are also smaller, reaching around $5,570.

Internet users ages 20-29 suffered over $197 million in financial losses from 70,791 reported internet crime cases, which means that generally, victims in this demographic suffer $2,788 in damages when they get scammed online. 

To read the full article, head over to: https://atlasvpn.com/blog/elderly-people-lost-nearly-1-billion-to-intern

So Why Wasn’t Tile Included In Apple’s Find My Network Announcement?

Posted in Commentary with tags on April 8, 2021 by itnerd

Yesterday Apple announced Find My Network integration with third party products including products from Belkin, Chipolo, and VanMoof. But the weird thing to many was that Tile, which was by far the originator of trackers that can be found using crowdsourced info, and by far has the largest network to help you find lost items if you use their trackers, wasn’t included. You have to wonder why that was the case as surely there are tens of thousands of Tile users out there who would love to have this functionality. So why isn’t it there? Well, Apple isn’t the type of company to be forthcoming with this sort of information, so that leaves us to guess what the reason might be.

My first guess, and the most likely reason in my mind is this paragraph from Apple’s announcement:

Today Apple is also announcing a draft specification for chipset manufacturers that will be released later this spring. With this, third-party device makers will be able to take advantage of Ultra Wideband technology in U1-equipped Apple devices, creating a more precise, directionally aware experience when nearby.

Tile devices use Bluetooth. So it appears that based on the above, Tile devices won’t work with the Find My Network as they don’t support Ultra Wideband technology. At least not at present. Perhaps that will change in the future. And to add further weight to that argument, Chipolo has a new tracker that is shipping in June that supports the Find My Network. There are few technical details that I can find about this tracker. But their existing trackers use Bluetooth so it suggests that this new tracker is Ultra Wideband enabled. Which also means that if Tile came out with an Ultra Wideband enabled tracker, they too could jump onto this bandwagon.

Now that’s the non-sinister reason behind this. Now on to the sinister reason. Tile has accused Apple of antitrust behavior because of some of Apple’s requirements that users give permission for the Tile app to track items in the background among other things. Apple may not have been thrilled about that and decided to exclude them from this announcement to send a message to Tile.

Finally a number of people online have suggested that Tile might have some sort of privacy issue that Apple wasn’t thrilled about. I did some research on this and didn’t find any evidence of this. For example, Mozilla has a privacy report that didn’t ring any alarm bells with me. So I doubt that’s the reason.

Whatever the reason, the omission of Tile is curious. And it will be interesting to see if Tile ever joins this program. This will be something that I will be watching very closely.