Landmark Admin Pwned…. Over 800K People Affected
Posted in Commentary with tags Hacked on October 27, 2024 by itnerd
Another day, another big data breach. This time it’s Landmark Admin, an insurance administrative services company. According to a filing with the Maine Attorney General’s office, the company was the victim of a cyberattack back in May, and over 800,000 people have had the following information stolen:
“Based on the investigation, the following information related to potentially impacted individuals may have been subject to unauthorized access: first name/initial and last name; address; Social Security number; tax identification number; driver’s license number/state-issued identification card; passport number; financial account number; medical information; date of birth; health insurance policy number; and life and annuity policy information,”
Well that sucks. Though what sucks more is the fact that we’re in late October and the public is only finding out about this company being pwned back in May. In any case, the company goes on to say that impacted people should monitor their credit reports and bank accounts for suspicious activity. How do you know if you’re impacted? The company says it will reach out to you if you’ve been affected.
Personally, if I were affected by this, I’d want to know why it took so long to make this information public. I’m hoping that somebody is going to ask that question. As in someone in government that has the power to compel the company to serve up the answer to that question.
In August 2024, SafeBreach Labs security researcher Alon Leviev presented Windows Downdate at Black Hat USA 2024 and DEF CON 32: a tool that takes over the Windows Update process to craft custom downgrades of critical OS components, re-exposing vulnerabilities that had already been fixed. Using this downgrade capability, he discovered CVE-2024-21302, a privilege escalation vulnerability affecting the entire Windows virtualization stack.
While CVE-2024-21302 was patched because it crossed a defined security boundary, the Windows Update takeover, which was also reported to Microsoft, has remained unpatched because Microsoft considers it not to cross one. Alon’s follow-up research shows that this same Windows Update flaw can be used to reactivate the “ItsNotASecurityBoundary” Driver Signature Enforcement (DSE) bypass, which permits loading unsigned kernel drivers. That in turn can be exploited to deploy custom rootkits, disable security features, and compromise system integrity.
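As an added example (not code from the original post or from SafeBreach Labs), here is the kind of check a defender would want after reading the above: a PowerShell audit that compares the file versions of the kernel and code-integrity components a downgrade attack would have to roll back against the running OS build, and records whether VBS/HVCI is running. The list of files and the %SystemRoot%\System32 paths are my own assumptions, not a published indicator list.

```powershell
# Added example: not code from the original post or from SafeBreach Labs.
# Audits a Windows host for signs of a Downdate-style rollback by comparing
# the file versions of kernel/code-integrity components against the running
# OS build, and records whether VBS/HVCI is enforcing kernel code integrity.
# Assumptions: components live under %SystemRoot%\System32, and the watch
# list below is my own choice rather than one published by SafeBreach.

function Get-OsBuildVersion {
    # CurrentBuildNumber plus UBR (the cumulative-update revision) identify
    # the patch level the OS believes it is at, e.g. 10.0.22631.4317.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os = [System.Environment]::OSVersion.Version
    [version]::new($os.Major, $os.Minor, [int]$cv.CurrentBuildNumber, [int]$cv.UBR)
}

function Get-ComponentVersion {
    param([Parameter(Mandatory)][string]$Path)
    # Numeric parts of the PE version resource, independent of the free-text
    # FileVersion string's formatting.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Get-VbsStatus {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning       = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning      = (@($dg.SecurityServicesRunning) -contains 2)
        CredGuardRunning = (@($dg.SecurityServicesRunning) -contains 1)
    }
}

function Test-DowngradedComponents {
    param(
        # Hypothetical watch list: kernel, secure kernel, code-integrity
        # libraries, boot loader and hypervisor binaries.
        [string[]]$Components = @('ntoskrnl.exe', 'securekernel.exe', 'ci.dll',
                                  'skci.dll', 'winload.efi', 'hvix64.exe', 'hvax64.exe')
    )
    $osVersion = Get-OsBuildVersion
    foreach ($name in $Components) {
        $path = Join-Path -Path $env:SystemRoot -ChildPath "System32\$name"
        # hvix64.exe (Intel) and hvax64.exe (AMD) are never both present.
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $fileVersion = Get-ComponentVersion -Path $path
        [pscustomobject]@{
            Component   = $name
            FileVersion = $fileVersion.ToString()
            OsVersion   = $osVersion.ToString()
            # Older build, or same build with a lower UBR, than the OS itself.
            OlderThanOs = ($fileVersion.Build -lt $osVersion.Build) -or
                          ($fileVersion.Build -eq $osVersion.Build -and
                           $fileVersion.Revision -lt $osVersion.Revision)
        }
    }
}

# Usage: run from an elevated prompt and keep the output as a baseline.
Get-VbsStatus
Test-DowngradedComponents | Format-Table -AutoSize
```

A file lagging the OS UBR is not proof of anything on its own, because cumulative updates only replace the files that changed; compare the OlderThanOs hits with the versions on a freshly patched machine of the same build, and treat the kernel, secure kernel or ci.dll being older than that baseline as worth a closer look. The VBS/HVCI status is recorded because, with HVCI running, kernel code integrity is enforced from the secure kernel rather than by ci.dll alone, so the two results need to be read together.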
Last week I posted a story about dumping Bell for Distributel. And I mentioned that I would have the install done today. That did happen and here’s how it went.
Distributel had scheduled Bell to come out to do the install between noon and 5PM today. And they did confirm that on Monday. But they had also sent me a box with two items in it which arrived on Monday:
This is a Deco AX3000 WiFi access point and router by TP-Link. I didn’t plug it in as I had zero intention of using it. I could have ordered more than one of these at sign-up to get mesh WiFi, but after that point I would have to rent them from Distributel.
This is an analog telephone adapter made by a company called Grandstream which would allow me to plug my phones into Distributel’s VoIP service. I would actually be using this as home phone service is important to us.
Now once the Bell tech arrived, he disconnected my HH4000 and did some tests. Then he went downstairs to the building’s telephone room to do something. I have no clue what. Then he came back and plugged this in.
This is a Nokia ONT, or optical network terminal. In layman’s terms, it converts fibre optic to Ethernet. The one big plus is that once I plugged my router in and made some changes, I was connected to Distributel’s Internet service. That’s more civilized than having to find ways to bypass Bell’s hardware.
Now setting things up isn’t hard. But it’s not something the average person would do. Having said that, here’s what I did to get this working. Distributel appears to run on Bell’s fibre via its own VLAN or virtual LAN. In layman’s terms, it’s an isolated virtual network that’s part of a larger network. So if you use your own router like I am, you need to specify that inside the configuration for your router. Since I am using an Asus ZenWiFi XT8, I had to find the place inside the router’s configuration pages to specify the VLAN. I ultimately found it here:
I had to go to LAN and then click on the IPTV tab. Why Asus put it there, I have no idea. But anyway, after changing the ISP profile to Manual, Distributel appears to require a VID value of 40 for Internet, as pictured above. Then under Special Applications I set it up the way it is pictured above and pressed Apply. Before I declare victory, there’s one more thing that I needed to do:
Because Distributel is a Bell company, they of course use PPPoE. So I had to grab my PPPoE username and password from the Distributel eCare website, which I was smart enough to register for prior to the install, and enter them on the page above. You get there by going to WAN on the left, then Internet Connection, and changing the WAN Connection Type to PPPoE; the username and password go under Account Settings.
After I did that, I was live, though it did take about 20 minutes for the Nokia ONT to come up because of multiple software updates that it required. The total time invested in this install was about 90 minutes from start to finish. And of course, I did a speed test to see what speeds I was getting.
So because I was using PPPoE, I was expecting a hit in terms of my upload speed. And based on this, the 1 Gbps downstream/750 Mbps upstream that I am paying for was leaving about 200 Mbps of upstream speed on the table. That’s purely down to my Asus hardware and its inability to handle PPPoE traffic, which is a bit of an incentive to move off Asus hardware to something better able to handle it. And in case you’re wondering why I am not using the TP-Link gear that Distributel sent me, I never use ISP hardware if I can possibly avoid it because I don’t want to be locked into their gear and whatever security issues come with that gear.
So with that part done, I needed to turn my attention to Bell. When I first called Distributel, they said that they would take care of cancelling all my services. But I had a suspicion that this wasn’t true. Thus I called back and it turns out that they would only cancel my home phone, and everything else was on me. Not the biggest deal in the world, but Distributel needs to train their agents to deliver the correct information 100% of the time. In any case, I called Bell and when I pressed the options to cancel my account, I got dumped to retentions. They then asked me if I was interested in hearing what specials they had and I blew them off. I was kind of surprised by that because my experience with my clients is that Bell is usually dismissive of customers who leave. As in if you want to leave, go ahead sort of dismissive. Then they call days or weeks later with a “winback” deal. But that seems to have changed recently if they are trying to retain me as I am going out the door. Having said that, I am certain that I will be receiving a bunch of calls in the next few days and weeks to try and lure me back. Now beyond that, I also got via email what I needed to send my HH4000 back to them, which I will do next week.
I’ll let you know how it goes with Distributel. So far almost everything that they said that they were going to do has been delivered. I’ll be watching to see if that continues.
Posted in Commentary with tags Zoho on October 24, 2024 by itnerd
Zoho Corporation, a global technology company headquartered in Chennai, announced today that it will be leveraging the NVIDIA AI accelerated computing platform – which includes NVIDIA NeMo, part of NVIDIA AI Enterprise software – to build and deploy its large language models (LLMs) in its SaaS applications. Once the LLMs are built and deployed, they will be available to Zoho Corporation’s 700,000+ customers across ManageEngine and Zoho.com globally. Over the past year, the company has invested more than USD 10 million in NVIDIA’s AI technology and GPUs, and plans to invest an additional USD 10 million in the coming year.
Zoho prioritises user privacy from the outset to create models that are compliant with privacy regulations from the ground up, rather than retrofitting them later. Its goal is to help businesses realize ROI swiftly and effectively by leveraging the full stack of NVIDIA AI software and accelerated computing to increase throughput and reduce latency.
Zoho has been building its own AI technology for over a decade and adding it contextually to its wide portfolio of over 100 products across its ManageEngine and Zoho divisions. Its approach to AI is multi-modal, geared towards deriving contextual intelligence that can help users make business decisions. The company is building narrow, small and medium language models, which are distinct from LLMs. This provides options for using different size models in order to provide better results across a variety of use cases. Relying on multiple models also means that businesses that do not have a large amount of data can still benefit from AI. Privacy is also a core tenet in Zoho’s AI strategy, and its LLM models will not be trained on customer data.
Through this collaboration, Zoho will be accelerating its LLMs on the NVIDIA accelerated computing platform with NVIDIA Hopper GPUs, using the NVIDIA NeMo end-to-end platform for developing custom generative AI—including LLMs, multimodal, vision, and speech AI. Additionally, Zoho is testing NVIDIA TensorRT-LLM to optimize its LLMs for deployment, and has already seen a 60% increase in throughput and 35% reduction in latency compared with a previously used open-source framework. The company is also accelerating other workloads like speech-to-text on NVIDIA accelerated computing infrastructure.
Posted in Commentary with tags Hacked on October 24, 2024 by itnerd
Disability nonprofit Easterseals filed a breach notification with regulators after the Rhysida ransomware group attempted to extort $1.3 million from the organization this week.
Easterseals, which provides support to disabled children, seniors, military veterans and others, stated that on April 1 its Peoria-based Central Illinois location “experienced a network disruption that impacted the functionality and access of certain systems.”
The investigation determined that the bad actor accessed certain files from Easterseals’ network, some of which include personal information of almost 15,000 individuals, such as:
Full names
Addresses
Driver’s licenses
SSNs
Medical information
Passports
The nonprofit serves more than 1.5 million people across the country and provides additional services to 100,000 physicians. Easterseals says that more than 80% of its fundraising is spent directly on care for the disabled.
Stephen Gates, Principal Security SME, Horizon3.ai had this to say:
“Nonprofits are no longer immune to cyberattacks, despite their humanitarian missions. Attackers likely target them for three main reasons: their vast stores of confidential donor data, often weak security postures, and constrained IT budgets. These organizations face the growing challenge of doing more with less.
“Now is the time for non-profits to conduct thorough assessments of their networks, identifying blind spots beyond just known vulnerabilities. Easily compromised credentials, exposed data, misconfigurations, weak security controls, and inadequate policies are significant threats. The cost of traditional, human-led risk assessments can be prohibitive, but autonomous solutions are now available to deliver affordable, efficient assessments that anyone can use.”
This of course isn’t good. But it does illustrate that any sector is a target for threat actors like these. Thus every organization needs to do what it must to keep threat actors out, and by extension not become the next headline.
Posted in Commentary with tags Telus on October 24, 2024 by itnerd
TELUS is celebrating the 10-year anniversary of TELUS originals and a decade of empowering independent Canadian and Indigenous filmmakers creating compelling, social-purpose driven documentaries and docuseries that inspire change and connect communities. Since 2014, TELUS originals has invested more than $27 million, bringing over 350 projects to screens across Canada and highlighting the diverse stories of British Columbia and Alberta. Viewers can watch these powerful TELUS original films on Optik TV channel 8, via TELUS Stream+ and for free at watch.telusoriginals.com.
This fall alone, 10 TELUS original films, including Ari’s Theme, The Chef and the Daruma, Curl Power and Iniskim – Return of the Buffalo, were selected by top-tier Western Canadian film festivals in Vancouver, Calgary and Edmonton, underscoring the positive impact of the program for Canadian storytellers, local communities and the country’s film industry at large.
Posted in Commentary on October 24, 2024 by itnerd
EnGenius has announced the launch of two new powerful features in EnGenius Cloud and the VPN Router ESG series: Layer 7 Policy Routes and Outbound Rules. These enhancements offer a more granular level of control over your network traffic, allowing you to optimize performance, improve security, and streamline your management efforts.
Layer 7 Policy-based Route
You can create policy-based routing rules to direct specific applications to different WAN interfaces without specifying IP addresses or port ranges
The Benefits
Optimized Traffic Management: Direct critical applications to a primary WAN while routing less important traffic to a secondary WAN
Enhanced Network Performance: Improve network efficiency by balancing load between WAN interfaces based on application
Simplified Rule Management: No need to update routing rules for changing IP addresses or port ranges
Layer 7 Firewall Rules
You can create firewall rules to block specific applications without specifying IP addresses or port ranges. This feature is particularly useful when applications frequently change their IP addresses or use multiple IPs.
The Benefits
Flexible Traffic Management: Define custom rules to control outbound traffic, blocking or allowing specific destinations, applications, or protocols.
Improved Network Security: Prevent unauthorized data leakage and protect your network from external threats.
Enhanced Network Visibility: Gain deeper insights into outbound traffic patterns and identify potential security risks.
Posted in Commentary with tags Cyware on October 24, 2024 by itnerd
Cyware, the leading provider of threat intelligence management, low-code/no-code automation, and cyber fusion solutions, and ECS, a leader in advanced technology solutions for U.S. public sector customers, including defense and intelligence organizations, today announce their design partnership which will serve to enhance Cyware’s Intel Exchange product enabling government entities to improve their security posture. This partnership aims to leverage ECS’s deep public-sector knowledge and cybersecurity expertise to tailor Cyware’s Intel Exchange to address the unique needs of government entities, with a focus on strengthening collective defense and securing the nation’s critical infrastructure.
To address the security challenges that impact federal entities, Cyware and ECS are working together to:
Enhance Intel Exchange’s automated Threat Intel Risk Score engine to bring flexibility and advancement in the algorithm to accommodate time sensitive government CTI operations and workflows. The new risk score is customizable based on the weightage given to the quality, credibility, relevance, and confidence level of the threat data sources, enrichment sources, and attributes of threat objects.
Introduce a custom scoring module in addition to the above Risk Score engine that will allow CTI teams to design scoring parameters tailored for government use cases for any threat data ingested into the platform and enable them to prioritize relevant threats for actioning.
Simplify triaging and operationalization of the large volume of threat data in the platform with automated rules leveraging the newly introduced scoring modules. CTI analysts can now create custom rules to score threat data depending on different priorities and perspectives.
The full range of enhanced capabilities for Intel Exchange are expected to be unveiled for the public sector in early November 2024. Cyware and ECS remain committed to supporting federal agencies through innovative and tailored cybersecurity solutions that promote collective defense and protect the nation’s most critical infrastructure.
Fortinet has confirmed that a critical vulnerability in FortiManager, tracked as CVE-2024-47575 with a CVSS score of 9.8 (near the top of the scale), is being actively exploited. Mandiant has details about what this vulnerability is and how it is being exploited.
The company privately warned FortiManager customers about the flaw starting October 13th in advanced notification emails seen by BleepingComputer that contained steps to mitigate the flaw until a security update was released.
However, news of the vulnerability began leaking online throughout the week by customers on Reddit and by cybersecurity researcher Kevin Beaumont on Mastodon, who calls this flaw “FortiJump.”
Fortinet device admins have also shared that this flaw has been exploited for a while, with a customer reporting being attacked weeks before the notifications were sent to customers.
“We got breached on this one weeks before it hit “advance notifications” – 0-day I guess,” reads a now-deleted comment on Reddit.
That’s not good at all. Patches for FortiManager are either here or are coming, and I highly recommend that you install them ASAP. Having said that, Fortinet is going to have to answer some hard questions about how they handled this, because their response seems a bit suspect to me.
According to new research (registration required) by SecurityScorecard and KPMG, the US energy sector is particularly vulnerable to supply chain attacks, with 45% of security breaches in the past year linked to third-parties.
This compares to a global average of 29% for supply chain breaches across all other industries, while 90% of energy companies breached more than once had breaches involving third parties.
Also notable, 67% of third-party related breaches involved external software and IT providers and 22% involved other energy companies.
The largest contributor to third-party breaches in the energy sector was the exploitation of the MOVEit file transfer software vulnerability in 2023, accounting for 39% of breaches.
“With geopolitical and technology-based threats on the rise, this complex system is facing an equally generational risk exposure that could harm citizens and businesses alike,” Prasanna Govindankutty, Principal, Cyber Security US Sector Leader at KPMG commented.
“The rising threat to the energy sector, particularly from third-party vulnerabilities, underlines the urgent need for a collective defense approach. As cyberattacks increasingly exploit supply chain weaknesses, organizations can no longer afford to operate in silos. Collaboration between trusted companies and industries, alongside the operationalization of threat intelligence, is critical to staying ahead of attackers. By turning intelligence into actionable insights, organizations can identify risks earlier, coordinate defenses, and reduce the time it takes to respond. Proactivity is key – relying solely on reactive measures leaves critical infrastructure and businesses exposed to recurring threats. Only through shared intelligence and coordinated efforts can we address these complex, evolving risks effectively.”
We’re at a point now where every sector needs to ensure that they are taking steps to protect themselves. Because the threat landscape is only growing, which is a bad thing for all of us.