Posted in Commentary with tags Fortra on July 17, 2024 by itnerd
Fortra announced today that it has released several new enhancements to its integrated cloud-based email security solution (ICES), Cloud Email Protection. New features include QR code threat detection, active content detection, and additional AI models.
The following enhancements to Cloud Email Protection are now available:
Optical Character Recognition (OCR) – detects malicious content in images (such as QR code threats)
Active Content Detection – uncovers malicious code and other active content in messages, links, and attached files
AI Detection of Service Abuse – protects against email threats sent from legitimate online services
AI Detection of Spam Accounts – further protects against abusive spamming and related malicious activity
Dashboard improvements – includes new trending visuals and sorting that displays recent brand imposters, spoofed domains, and most attacked individuals
Posted in Commentary with tags Hacked on July 16, 2024 by itnerd
It costs money to have good defences against cyberattacks. But it costs way more money when you actually get pwned by hackers. United Healthcare, whose Change Healthcare unit got pwned in a massive way a few months ago, reported its Q2 2024 numbers. And in them was an update on the fact that they got pwned:
Cyberattack Update
The company has restored the majority of the affected Change Healthcare services while continuing to provide financial support to the remaining health care providers in need. To date, the company has provided over $9 billion in advance funding and interest-free loans to support care providers.
Total cyberattack impacts in the second quarter were $0.92 per share. This included $0.64 per share to support direct response efforts such as the Change Healthcare clearinghouse platform restoration and increased medical care expenditures. Additionally, Change Healthcare business disruption impacts, reflecting lost revenue and the costs of maintaining full readiness of the affected Change Healthcare services, were $0.28 per share in the second quarter.
The company currently estimates the total full year 2024 impact at $1.90 to $2.05 per share. Within this, direct response costs are estimated at $1.30 to $1.35, an increase of $0.40 to $0.45 from the initial estimate. The change is due to the company’s care provider financial support initiatives and consumer notification costs. Business disruption impacts are estimated at $0.60 to $0.70 per share.
To say that those are non-trivial numbers is an understatement. John Gunn, CEO, Token had this comment:
Today’s disclosure of the full cost of the Change Healthcare breach is a screamingly loud wake-up call to every organization to stop being penny-wise and dollar-foolish in not adopting phishing-resistant MFA. A small investment in next-generation MFA would have saved United Healthcare more than $2 billion. This disclosure should also allay the fears of those who fear the recent SCOTUS ruling overturning the Chevron deference will weaken the strength of cybersecurity regulations and lessen companies’ motivation to implement proper cybersecurity measures. The avoidance of massive losses such as this is the greatest motivator of all for CISOs, CEOs, and boards.
So, here’s my advice to any company who thinks that they can skimp on cybersecurity. Spend the money. Because if you don’t, you will eventually be the next United Health. And that’s not a good place to be.
Posted in Commentary with tags Hacked on July 16, 2024 by itnerd
In an email on Monday to CNN, a hacktivist group claimed it stole roughly 1.2 terabytes of data from Disney’s Slack, including information about unreleased projects, raw images, computer code and some logins.
Nullbulge, the Russian hacktivist group, claimed it gained access through “a man with Slack access who had cookies.”
“The user was aware we had them, he tried to kick us out once but let us walk right back in before the second time,” the email said.
The group also stated that its intention is to protect artists’ rights and compensation for their work in the age of AI.
“Disney’s over-reliance on Slack for internal communications and data sharing highlights the supply chain risks that parallel the concerns raised by the Snowflake breach. Reliance on a single communication platform like Slack creates a centralized point of vulnerability, and a single compromised user can expose a vast amount of sensitive information.
“The recent breach of Disney’s Slack environment by the Russian hacktivist group Nullbulge raises several critical security concerns as it could have been easily avoided with better organizational cybersecurity practices. The breach was facilitated by an individual with legitimate Slack access who had their session cookies compromised. Using session cookies to gain unauthorized access points to insufficient security measures around session management. Implementing measures like short-lived session tokens, regular re-authentication, and stringent monitoring for anomalous session activities could mitigate such risks. The incident highlights the need for securing backend systems and APIs, as front-end security alone is insufficient.”
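The quote above ends there. What “stringent monitoring for anomalous session activities” looks like in practice is the kind of check a SOC would run over its application access logs. The script below is an added example written for this post, not code from Disney, Slack or the quoted commentator. The log lines, session IDs, users, IP addresses and the eight-hour lifetime are all constructed for illustration. It flags two things a stolen cookie tends to produce: the same session ID showing up with a new source IP and user agent, and a session that is still being accepted past the lifetime a re-authentication policy would allow.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines for a chat application; the session IDs, users
# and IPs are made up and are not from the Disney incident.
LOG_LINES = [
    "2024-07-15T09:00:00Z sid=s-4f2a user=alice ip=203.0.113.10 ua=Slack/4.38 (Mac)",
    "2024-07-15T09:05:00Z sid=s-4f2a user=alice ip=203.0.113.10 ua=Slack/4.38 (Mac)",
    # Same cookie now presented from another network by a scripting client.
    "2024-07-15T09:07:00Z sid=s-4f2a user=alice ip=198.51.100.7 ua=python-requests/2.31",
    "2024-07-15T09:10:00Z sid=s-9c01 user=bob ip=192.0.2.44 ua=Slack/4.38 (Win)",
    # Same cookie still accepted more than eight hours after it was first seen.
    "2024-07-15T18:30:00Z sid=s-9c01 user=bob ip=192.0.2.44 ua=Slack/4.38 (Win)",
]

LOG_RE = re.compile(r"^(\S+) sid=(\S+) user=(\S+) ip=(\S+) ua=(.+)$")
MAX_SESSION_AGE = timedelta(hours=8)   # assumed lifetime policy for this example


def parse_line(line):
    """Split one constructed log line into (timestamp, sid, user, ip, ua)."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, sid, user, ip, ua = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sid, user, ip, ua


def find_session_anomalies(lines, max_age=MAX_SESSION_AGE):
    """Return (finding, session_id, user, timestamp) tuples.

    Two checks a stolen-cookie scenario should trip: the session appearing
    with a new (source IP, user agent) fingerprint, and the session still
    being accepted after the maximum lifetime a re-authentication policy
    would allow. Lines are assumed to be in time order."""
    first_seen = {}
    fingerprints = {}
    findings = []
    for line in lines:
        ts, sid, user, ip, ua = parse_line(line)
        fingerprint = (ip, ua)
        if sid not in first_seen:
            first_seen[sid] = ts
            fingerprints[sid] = {fingerprint}
            continue
        if fingerprint not in fingerprints[sid]:
            fingerprints[sid].add(fingerprint)
            findings.append(("fingerprint-change", sid, user, ts.isoformat()))
        if ts - first_seen[sid] > max_age:
            findings.append(("session-past-max-age", sid, user, ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in find_session_anomalies(LOG_LINES):
        print(*finding)
```

A raw IP change is noisy for mobile users, so a production detector would compare network owner or geography rather than exact address and would weight a change of client family (a desktop app replaced by a scripting library) more heavily than a change of address alone. The lifetime check is only useful if the application actually expires sessions; the point of short-lived tokens is that a stolen cookie stops working on its own.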
I suspect that Disney will have to do a lot explaining on multiple fronts. It will be interesting to see how they respond to this alleged hack, and how they will explain what’s out there in terms of information.
Posted in Commentary with tags Cyware on July 16, 2024 by itnerd
Cyware has today released the findings of its anonymised 2024 Threat Intelligence and Collaboration Survey. Conducted with security professionals at the recent Infosecurity Europe 2024 exhibition, the research reveals that the overwhelming majority of organisations recognise the crucial importance of collaboration and information sharing in the fight against cybercrime, but most struggle to effectively combine insights across teams and security platforms.
Specifically, 91 percent of respondents said collaboration and information sharing are very important or absolutely crucial for cybersecurity. In addition, 70 percent believe their organisation could improve threat intelligence sharing, with 19 percent saying they could share significantly more. However, over half of the research respondents (53 percent) said their organisation does not currently utilise an Information Sharing and Analysis Centre (ISAC), underlining the shortcomings of the way most security teams approach threat intelligence. Over a quarter (28 percent) said they were unaware of the existence and role of ISACs altogether. This is despite the proven value ISACs deliver in enabling organisations to manage risk, backed by trusted analysis and effective coordination.
When asked to identify the weakest link in their approach to cybersecurity information sharing and collaboration, over half (51 percent) said people are the main barrier to improvement, followed by processes (21 percent) and technologies (11 percent). Taking all these factors into account, nearly half of the survey respondents (49 percent) said that their organizations struggle to combine and derive actionable insights across multiple security tools, such as threat intelligence platforms, SIEM, asset management, and vulnerability management platforms.
Looking at the emerging role of AI in improving or reducing an organization’s ability to share threat intelligence, 65 percent thought it would improve their organization’s ability to share information, with over a third (35 percent) saying the technology is already having an impact.
Other key research findings include:
70 percent said their organisations could share more threat intelligence, while only 23 percent said they are currently sharing the right amount of information. Only 2 percent thought they were sharing too much.
Asked which teams are least likely to share threat intelligence with other departments, DevOps (31 percent) emerged as the top answer, followed by Security Ops (17 percent), Threat Intelligence (16 percent) and IT Ops (15 percent).
23 percent of teams share threat intelligence on a daily basis, 21 percent in real time, 17 percent weekly and 14 percent monthly.
Posted in Tips with tags Presto on July 16, 2024 by itnerd
For a while now, Metrolinx, the transit agency for the Greater Toronto and Hamilton Area, has let you put your PRESTO card, the contactless transit card that the agency prefers you use, on your Android phone. Apple users have wanted equal treatment, and today they finally got it.
PRESTO card in Apple Wallet is here! Now it’s even easier to take transit with more ways to pay your fare across the region. pic.twitter.com/idZeqhjM00
Now there is a catch that you should be aware of. There is a process to take a physical PRESTO Card and convert it to one that can be used in Apple Wallet. But the problem with that is it will “kill” the physical card. As in the physical card will no longer work after you go through this conversion process. Now for some, that’s no big deal. But it potentially leaves you without an option if you want to say, lend a card to someone who needs to travel on transit. Or perhaps you simply want a backup. And the fact that a new physical card is $10 isn’t exactly cool either. Thus, what I will do is walk you through two options. One being the conversion of a physical card to a card inside your Apple Wallet. And the second where I will show you how to create a brand new card in Apple Wallet.
There’s another thing that I should point out. OC Transpo which is the mass transit provider in Ottawa Ontario does not support paying for transit via this method. So if you use OC Transpo, do not follow these steps.
The prerequisite to doing some of this is that you need to have the latest version of the PRESTO app on your phone.
The version that I have is version 2.10. That came out a few hours ago. The second prerequisite is that you need a PRESTO Account that has your cards in it already. So if you don’t have a PRESTO Account with your cards in it, now is a good time to create one via the app.
Let’s start with creating a new card. There seem to be two ways to do this. The quickest way is to go to Apple Wallet and click on the “+” in the top right. I’ve circled it in red to highlight it.
That will take you to this screen:
Click on Transit Card. Which takes you to this screen.
Choose PRESTO card, which takes you here.
Click on Continue. That takes you to this screen.
Here you can load funds onto the card via Apple Pay. In this example, I will add $10. Then I will click Add in the top right corner.
This is where I get prompted to add funds via Apple Pay. After I pay, I get this screen:
Now this seemed to take about three minutes to actually add the card to my iPhone. So be patient.
And the card is added to my iPhone. I will also note that this method appears not to require the PRESTO App to be installed on your iPhone.
Now I am not sure how I feel about Express Mode being enabled by default, as I am a big believer that you should authenticate to pay for something 100% of the time. So I may disable that later. Having said that, I am not done yet. I will need to add this to my Apple Watch. I’ll get to that later, because I want to explore the other option to add a new card via the PRESTO App. Start by opening the app and clicking Add Card on the right.
Next choose PRESTO in Apple Wallet and click the button below it.
You get a tutorial that you can skip if you so choose.
You then need to Load Funds or Load A New Pass. The latter option is if you want to add a monthly student pass or some other pass for example as those passes can save you money. For this example, I will do the former.
I am going to add $10 to this card and click buy now. You’ll then be prompted to pay with either Apple Pay or via a credit or debit card that is in your account. Again, it took me a few minutes before the card was added to Apple Wallet.
So which option should you use? If you simply need a PRESTO Card, I’d use the first option. If you want to add a transit pass to said PRESTO Card, I would use the second option.
Now, back to adding your PRESTO card to your Apple Watch. It’s a bit odd, because unlike credit and debit cards on your iPhone, which replicate to your Apple Watch, the PRESTO card doesn’t do that. What you’re actually doing is moving it from your iPhone to your Apple Watch. And you can move it back from your Apple Watch to your iPhone if you so choose. It appears that PRESTO can only deal with one unique card and can’t support what I will call “cloned” cards. For example, the debit or credit card that you add to your iPhone gets “cloned” to your Apple Watch. No such support exists for PRESTO cards, which would explain why PRESTO “kills” the physical card if you convert it to a digital one. It also means that if you want to have a PRESTO card on your Apple Watch, you either have to move it to the watch and forget about using it on your iPhone, or you need to put a second card on your Apple Watch and manage two cards.
Now let me play Devil’s Advocate. This approach makes sense because Apple Watch users are always wearing their Apple Watches. Thus they can tap their watch on a PRESTO card reader and pay for transit without taking out their phone. And seeing that smartphone thefts are on the rise in Toronto, that’s likely going to help keep your phone safe.
With that out of the way, if you want to move your PRESTO card to your Apple Watch, you start the process with opening the Apple Watch app on your iPhone and clicking on Wallet & Apple Pay.
You can see the PRESTO card that I just added to my iPhone. Click the ADD button.
Here’s where you get warned about the fact that this process only moves the card but doesn’t clone it. Clicking Next gets you to this screen:
Adding the card seemed to take about 90 seconds. After that, I got this screen.
If you see this screen, the process worked. As for Express Mode being enabled by default, I am still not a fan of this. But the use case makes a bit more sense because I can just tap my Apple Watch on a PRESTO reader and hop onto a bus, streetcar or subway train. But if you want to put the card back on your iPhone, here’s how you do it:
Open the Apple Watch app on your iPhone
Pick the PRESTO card
Scroll down until you see “Add card to (insert name of your iPhone here)” and follow the prompts which are similar to the ones above.
Finally, let’s cover how to convert a physical PRESTO card over to a digital one. And I will remind you that once you convert the physical PRESTO card to a digital one, it will “kill” the physical card. So if you want a physical card for whatever reason, do not follow these instructions.
Converting a physical card to a digital one only seems possible via the Presto App. Assuming that you also have a PRESTO account with PRESTO cards in it, here’s what you need to do.
Pick the card from the list of PRESTO cards that appear in the app.
Next tap the Convert To Apple Wallet button.
Here you will see warnings that this process will “kill” your physical card, and that using these cards with Apple Wallet isn’t supported by OC Transpo. Click Convert To Apple Wallet. At that point you will have to click through another warning about this. Nobody can say that Metrolinx hasn’t warned you about what’s going to happen next.
Next you need to hold your physical PRESTO card to the back of the iPhone. In my case, near the top of the iPhone worked for me. And taking off the case really helps with this. Then it will prompt you to add the card to Apple Wallet. When you see this prompt, the card is dead, and you are forced to complete the process of converting the physical card over to being a digital one which only takes a couple more clicks.
Now I put this together over a few hours after this functionality was announced by Metrolinx. So if you see ways that this can be improved, or anything that I got wrong, or even feedback on how this was done, please let me know in the comments and I will get back to you as quickly as I can.
Posted in Commentary with tags DMARC on July 16, 2024 by itnerd
So what is a shipping scam? It is one where you get an email from, say, Canada Post saying that you need to pay a trivial amount of money to get a package delivered. Here’s an example of such a scam. What the threat actor is actually after is your credit card or banking details.
Usually the shipping scams I see aren’t well executed. But this one is. Let me start with the email you will get, which is supposedly from Intelcom, a courier company here in Canada:
Now before I get to the nuts and bolts of this scam, this email is in both English and French, and the quality of both is pretty good. That’s an indication that the threat actor behind this actually put some time and effort into executing this scam. Here’s another area where this is also true:
It actually uses an Intelcom email address instead of something like a Hotmail or Gmail address. The threat actor is spoofing the domain to make the scam more likely to succeed, simply by pretending that the email came from a legitimate source. And I can tell you how the threat actor did this.
This is MXToolbox, which I use to troubleshoot email deliverability issues. In the case of Intelcom, it shows that they don’t have a DMARC policy enabled.
Here’s a closer look at that:
You can see that Intelcom publishes a DMARC record, but its policy is set to none, which is monitoring only: it asks receiving servers to report failures but to take no action on them. They might as well not have bothered, since a DMARC record with no enforcement does nothing to stop spoofing. With an enforcing policy (quarantine or reject) in place, a message that claims to come from Intelcom’s domain but fails both SPF and DKIM alignment would be rejected by a DMARC-honouring receiver, or at worst put in the junk mail folder or quarantine. Either way, it wouldn’t reach the inbox, and scams can’t succeed if they never reach the inbox. Two caveats: DMARC only covers the exact domain in the From header, so lookalike domains are a separate problem, and a policy can only be turned up to reject once SPF and DKIM are set up so that the company’s own legitimate mail passes alignment. In this case, Intelcom has pretty much guaranteed that it will be associated with scams because it hasn’t enforced a DMARC policy. If I were Intelcom, I’d drop everything I was doing and fix this, as it’s pretty bad on their part.
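To make the difference between a monitoring-only record and an enforcing one concrete, here is an added example, written for this post and not taken from Intelcom, MXToolbox or any DMARC library. It parses a DMARC TXT record the way a receiver would and then simulates what a DMARC-honouring receiver does with a spoofed message, which by definition fails both aligned SPF and aligned DKIM because it was sent from the attacker’s own infrastructure. The two records are constructed examples on a made-up domain, not Intelcom’s real DNS data.

```python
import re

# Constructed DMARC records for illustration; they are not Intelcom's real
# DNS data. The first is what "DMARC enabled but no policy" looks like.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.ca"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.ca"

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dictionary, rejecting records that
    receivers would ignore (wrong or misplaced version tag, missing or bad p=)."""
    if not re.match(r"^\s*v\s*=\s*DMARC1\s*(;|$)", record):
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    tags["p"] = policy
    return tags


def enforcement(record):
    """Return (policy, pct): what the domain asks receivers to do with mail
    that fails DMARC, and the percentage of failing mail it applies to."""
    tags = parse_dmarc(record)
    pct = int(tags.get("pct", "100"))
    return tags["p"], pct


def receiver_disposition(record, spf_aligned_pass, dkim_aligned_pass):
    """Simulate a DMARC-honouring receiver. A message passes if either SPF or
    DKIM passes with identifier alignment; only failing mail is subject to
    the published policy. Real receivers may also apply local policy, and a
    pct below 100 would apply the action only to a sample of failing mail;
    this simulation applies it to every failing message."""
    policy, _pct = enforcement(record)
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver"
    if policy == "none":
        return "deliver"        # monitoring only: the spoof lands in the inbox
    return policy               # "quarantine" or "reject"


if __name__ == "__main__":
    for name, record in (("monitor-only", MONITOR_ONLY), ("enforced", ENFORCED)):
        # A spoofed message sent from the attacker's servers fails both checks.
        print(name, enforcement(record), "spoof ->", receiver_disposition(record, False, False))
```

Running it shows the whole story in two lines: the monitoring-only record delivers the spoof, the reject record refuses it. The usual rollout is p=none with rua= reporting to find every legitimate sender, then p=quarantine, then p=reject, using pct= to ramp up if the mail flow is large.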
Sidebar: If you want to go down the rabbit hole of DMARC, click here to see my journey in terms of implementing DMARC for my domains.
Even though Intelcom has made it a whole lot harder to spot that this is a scam, there is still one thing that makes it clear that this is a scam:
If I hover my mouse over the words “Receive my delivery”, I can see that this link is not going to a server controlled by Intelcom, that is, to intelcom.ca or something similar. Thus this is clearly a scam and this email should be deleted the second it hits your inbox.
So what is this scam after? Not that you should do this, but when I clicked on “Receive my delivery”, it redirected through another site to a page written entirely in Arabic. Weird. I am guessing that this site was going somewhere else, but that changed by the time I got to it. Either way, it illustrates that you need to be on your toes to keep yourself safe.
I’ll be reaching out to Intelcom to tell them about this scam. Because as I mentioned earlier, they are wide open to being used in scams because they have no enforced DMARC policy. Thus it is in their interest to address this so that this is no longer the case.
Legit Security has published its new State of GitHub Actions Security report, which unveils an especially concerning security posture and reveals that most workflows are insecure, overly privileged, and have risky dependencies.
Legit’s researchers explore multiple aspects of GitHub Actions security, including vulnerabilities found in GitHub Actions workflows, protection of the building blocks of GitHub Actions workflows, and security of custom GitHub Actions. Most of the Actions in the marketplace are not verified, are maintained by a single developer, and have low security scores based on the OpenSSF Scorecard.
The report’s key findings include:
Researchers uncovered interpolation of untrusted input in more than 7,000 workflows, execution of untrusted code in over 2,500 workflows, and use of untrustworthy artifacts in 3,000-plus workflows.
Legit examined triggers, jobs, steps, runners, and permissions, uncovering significant risks: 98.4% of references do not follow the best practice of dependency pinning; 86% of workflows do not limit token permissions.
Of the 19,113 custom GitHub Actions in the marketplace, only 913 were created by verified GitHub users; 18% had vulnerable dependencies; 762 are archived and do not receive regular updates; the average OSSF security score was 4.23 out of 10; and a single developer maintains most.
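Three of the findings above (interpolation of untrusted input, unpinned dependencies, and unrestricted token permissions) are things you can check for in your own repositories. The script below is an added example written for this post, not Legit Security’s tooling and not taken from the report. It scans a workflow file for those three problems and is run over two constructed workflows: a vulnerable one that interpolates an issue title straight into a shell script, uses a floating `v4` tag and sets no permissions, and the hardened version that passes the title through an environment variable, pins the action to a full commit SHA (a placeholder value here, not the real actions/checkout commit) and grants the token read-only access. The scanner is line-oriented on purpose so that it needs no YAML library.

```python
import re

# Two constructed workflows for illustration; neither is taken from the
# report. The first has all three problems, the second is the fixed version.
VULNERABLE_WORKFLOW = """\
name: issue-triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Announce the new issue
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
"""

# The 40-hex-digit SHA below is a placeholder with the right shape, not the
# real actions/checkout commit; look the current one up before pinning.
HARDENED_WORKFLOW = """\
name: issue-triage
on:
  issues:
    types: [opened]
permissions:
  contents: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Announce the new issue
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
"""

USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN = re.compile(r"(^|\s)run:")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Expression contexts an outside contributor can populate: issue and PR
# titles and bodies, comments, review text, branch names, commit messages.
# Not an exhaustive list.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(event\.(issue|pull_request|comment|review|discussion|"
    r"workflow_run)\.|event\.head_commit\.message|head_ref)"
)


def indent_of(line):
    return len(line) - len(line.lstrip(" "))


def scan_workflow(text):
    """Return (finding, line_number) pairs for one workflow file.

    Deliberately line-oriented so the example needs no YAML library; a
    production scanner should parse the document properly."""
    lines = text.splitlines()
    findings = []
    if not any(line.startswith("permissions:") for line in lines):
        findings.append(("no-top-level-permissions", 0))
    run_indent = None   # indent of the `run:` key while inside its script
    for number, line in enumerate(lines, 1):
        if run_indent is not None and (not line.strip() or indent_of(line) > run_indent):
            # Continuation line of a block-scalar run: script.
            if UNTRUSTED.search(line):
                findings.append(("untrusted-input-in-run", number))
            continue
        run_indent = None
        m = USES.match(line)
        if m:
            ref = m.group(1)
            if not ref.startswith(("./", "docker://")):
                _, _, version = ref.rpartition("@")
                if not FULL_SHA.match(version):
                    findings.append(("unpinned-action", number))
            continue
        if RUN.search(line):
            run_indent = line.index("run:")
            if UNTRUSTED.search(line):
                findings.append(("untrusted-input-in-run", number))
    return findings


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, scan_workflow(text))
```

The environment-variable indirection matters because `${{ }}` expressions are expanded into the script text before the shell sees it, so an issue title containing a quote and a semicolon becomes shell code; an environment variable is just data. Pinning to a SHA protects against a tag being moved to malicious code, at the cost of having to update the SHA yourself, and a top-level `permissions:` block shrinks what a compromised step can do with `GITHUB_TOKEN`.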
It has been announced that all major retail banks in Singapore must phase out the use of one-time passwords (OTPs) within the next three months. This initiative is being mandated by the Monetary Authority of Singapore (MAS) and was developed in collaboration with the Association of Banks in Singapore (ABS). The move is intended to protect consumers from phishing and other scams.
The National Institute of Standards and Technology (NIST, US Department of Commerce) deprecated the use of SMS for 2FA as early as 2016, and the move away from OTPs has been picking up steam since then.
CEO Ted Miracco of Approov, a mobile security company, offers insight:
“OTPs, once seen as a robust two-factor authentication (2FA) method, are now frequently targeted by cybercriminals using advanced social engineering tactics and Android malware. Android malware can exploit permissions to intercept OTPs sent via SMS. Android users are often targeted by phishing campaigns that mimic legitimate banking apps or websites, tricking users into revealing their OTPs. Despite improvements in app store security, these fake apps can still infiltrate and deceive users, and despite Google’s efforts to restrict certain permissions, malicious apps continue to find ways to bypass these controls.
“The shift to digital tokens aims to offer a more secure alternative to OTPs, but it comes with its own set of challenges. Despite the significant security enhancements, ensuring the integrity of banking apps requires robust measures such as mobile app attestation and runtime application self-protection (RASP) to prevent tampered or cloned apps from functioning.
“The long overdue phase-out of OTPs is a positive step towards enhancing the security of online banking in Singapore. However, banks must remain vigilant and proactive concerning Android vulnerabilities, to protect their customers effectively.
Posted in Commentary with tags Uber on July 15, 2024 by itnerd
Seat belts save lives and wearing them is the most effective way for Canadians to protect themselves during a collision.
Yet 45% of riders indicate that they don’t always buckle up when they take a trip with Uber. According to Transport Canada, 300 lives can be saved every year if everyone wore seat belts. Seat belts worn correctly can reduce the chance of death in a collision by 47% and the chances of serious injury by 52%.
That’s why Uber wants to remind riders to buckle up by launching a brand new safety feature across the country tomorrow—audio seat belt reminders.
Here’s how it works:
Once a rider’s trip has started, an audio reminder stating “Please use your seat belt for your safety” will play on the driver’s phone shortly after the start of the trip.
At the same time, the rider will receive a push notification on their phone, reminding them to put their seat belt on.
This feature will be enabled on a rider’s first trip once it is launched. After that, it will be enabled every 10th trip.
Here’s a video of this feature in action:
And here’s the audio reminder:
Uber’s message is simple—no matter where you’re seated in the vehicle, you always need to buckle up. Whether you are going a few blocks, a few kilometres or a long distance trip, your seat belt must be worn at all times. Using Uber’s technology to remind riders to buckle up, they hope to increase seat belt use and potentially save lives.
Buckling up could even affect your Uber rating. Drivers have shared that not buckling up is one of the reasons they may rate riders less than five stars. Through this feature and raising awareness about seat belt safety, Uber wants to help protect both drivers and riders on the road.
The Uber platform is built with safety in mind. For a list of all their safety features, please visit here.
Last week, news came to light that AT&T had been pwned and nearly every customer had been affected. Now there’s even worse news:
US telecom giant AT&T, which disclosed Friday that hackers had stolen the call records for tens of millions of its customers, paid a member of the hacking team more than $300,000 to delete the data and provide a video demonstrating proof of deletion.
The hacker, who is part of the notorious ShinyHunters hacking group that has stolen data from a number of victims through unsecured Snowflake cloud storage accounts, tells WIRED that AT&T paid the ransom in May. He provided the address for the cryptocurrency wallet that sent the currency to him, as well as the address that received it. WIRED confirmed, through an online blockchain tracking tool, that a payment transaction occurred on May 17 in the amount of 5.7 bitcoin. Chris Janczewski, head of global investigations for crypto-tracing firm TRM Labs, also confirmed using the company’s own tracking tool that a transaction occurred in the amount of about 5.72 bitcoin (the equivalent of $373,646 at the time of the transaction), and that the money was then laundered through several cryptocurrency exchanges and wallets, but said there was no indication of who controlled the wallets.
A security researcher who asked to be identified only by his online handle, Reddington, also confirmed that a payment occurred. The hacker enlisted him to serve as the go-between for their negotiation with AT&T, and Reddington received a fee from AT&T for serving in that capacity. Reddington provided WIRED with proof of the fee payment. The hacker initially demanded $1 million from AT&T but ultimately agreed to a third of that.
WIRED viewed the video that the hacker says he provided to AT&T as proof to the telecom that he had deleted its stolen data from his computer. AT&T did not respond to WIRED’s request for comment.
I’ve been very clear that paying a ransom is something that you should never, ever do as it only encourages more of this behaviour from threat actors. This news really sucks for someone like me as I want these sorts of attacks by threat actors to end.
Fortra Releases New Cloud Email Protection Features to Protect Against Advanced Email Threats
Fortra continues to garner acclaim for email security since the launch of Cloud Email Protection in late 2023. In addition to being named a Top Player in Email Security by The Radicati Group, Fortra has also been recognized with a Cybersecurity Excellence Award for Email Security.