Images Related To Members Of A UK HealthClub Leaked

Posted in Commentary with tags on June 17, 2024 by itnerd

Nearly 500K images belonging to Total Fitness, a UK-based chain of health clubs, were leaked according to cybersecurity researcher Jeremiah Fowler.

The key findings are as follows:

  • 474,651 images with a total size of 47.7 GB;
  • Facial images of gym employees, members, and children, some of them taken in the facilities during the membership process;
  • Some of the most concerning images uploaded by users contained highly sensitive information, including passports, credit cards, and utility bills.

If this data was discovered by ill-intentioned hackers, it could have put members at risk of identity theft, financial fraud, and many other online threats.

You can get more details here: https://www.vpnmentor.com/news/report-totalfitness-breach/

Quebecor Files A Complaint With The Competition Bureau About Loblaws And Glentel Shutting Them Out Of Loblaws Stores

Posted in Commentary with tags on June 16, 2024 by itnerd

Quebecor, which owns Freedom Mobile, has filed a complaint with Canada’s Competition Bureau against grocery store chain Loblaws (which, incidentally, along with grocery chain Sobeys is the subject of another Competition Bureau investigation) and Glentel, which runs retail brands including WIRELESSWAVE and tbooth wireless and manages Costco Canada with WIRELESS etc. Here’s why Quebecor has gone this route:

Quebecor has filed a complaint with the Competition Bureau regarding an agreement between Loblaw and wireless carriers Bell and Rogers, through their joint venture Glentel, that would give them exclusive selling rights at The Mobile Shop. This agreement would shut Freedom Mobile out of 180 Loblaw-owned grocery stores and further strengthen the stranglehold of the telecom oligopoly which, based on available data, would henceforth control 62.5% of all third-party retailers in the Canadian wireless industry.

Quebecor is confident that the Competition Bureau will investigate the grocery giant’s practices and the business model of joint ventures such as Glentel, which create further concentration to the detriment of Canadian consumers.

Well, I have to admit that I was skeptical when Freedom Mobile was bought by Quebecor after Rogers was forced to sell the carrier when they bought Shaw. But I have to admit that Quebecor is seriously trying to be a big player in the wireless space in Canada. Something that Canada desperately needs. And assuming that their claims are accurate, it appears that they are making the “big three” telcos nervous. Thus here we are talking about it. I will be keeping an eye on this, as if this moves forward, some people will have some explaining to do.

Sonos Appears To Have Changed Its Privacy Policy To Allow It To Sell Your Data

Posted in Commentary with tags on June 15, 2024 by itnerd

From the “this is a new low” department comes an apparent privacy policy change by speaker maker Sonos that seems at first glance to give it the right to sell your data. This was spotted by YouTuber Louis Rossmann and you can watch the video here:

If you didn’t watch the video, this will act as a TL;DR. Here is the relevant section of the former privacy policy:

Sonos does not and will not sell personal information about our customers. However, certain data practices described throughout this Privacy Statement may constitute a “sale” or “sharing” of data under California and/or other US state laws. See the below CA Addendum for more information applicable to CA residents. We want you to understand that information about our customers is an important part of our business. We only disclose your data as described in this Statement

And now here is the relevant section of the updated policy:

Certain data practices described throughout this Privacy Statement may constitute a “sale” or “sharing” of data under California and/or other US state laws. See the below CA Addendum for more information applicable to CA residents. We want you to understand that information about our customers is an important part of our business. We only disclose your data as described in this Statement

I had a look online and didn’t see anything from Sonos trying to explain this. Instead I saw a lot of people complaining that Sonos has broken their app. So maybe a response from Sonos will be inbound once this makes its way around the Interwebs. And it will be interesting to see what the company says.

Microsoft Recall Has Been Recalled

Posted in Commentary with tags on June 15, 2024 by itnerd

Well, after coming out with a feature that everyone said was a security disaster, and trying to make it better to make their problems go away, it appears that Microsoft has thrown in the towel when it comes to Recall. At least for now. Microsoft posted this revised blog post late yesterday:

Update: June 13, 2024: Today, we are communicating an additional update on the Recall (preview) feature for Copilot+ PCs. Recall will now shift from a preview experience broadly available for Copilot+ PCs on June 18, 2024, to a preview available first in the Windows Insider Program (WIP) in the coming weeks. Following receiving feedback on Recall from our Windows Insider Community, as we typically do, we plan to make Recall (preview) available for all Copilot+ PCs coming soon.  

We are adjusting the release model for Recall to leverage the expertise of the Windows Insider community to ensure the experience meets our high standards for quality and security. This decision is rooted in our commitment to providing a trusted, secure and robust experience for all customers and to seek additional feedback prior to making the feature available to all Copilot+ PC users. Additionally, as we shared in our May 3 blog, security is our top priority at Microsoft, in line with our Secure Future Initiative (SFI). This is reflected in additional security protections we are providing for Recall content, including “just in time” decryption protected by Windows Hello Enhanced Sign-in Security (ESS), so Recall snapshots will only be decrypted and accessible when the user authenticates. The development of Copilot+ PCs, Recall and Windows will continue to be guided by SFI. 

When Recall (preview) becomes available in the Windows Insider Program, we will publish a blog post with details on how to get the preview. To try Recall (preview) WIP customers will need a Copilot+ PC due to our hardware requirements. We look forward to hearing Windows Insider feedback.   

If you want my take on this, “soon” may mean anywhere from weeks or months from now to never. Microsoft has really dropped themselves in this and this delay, if you want to call it that, for Recall was likely the least worst option. Frankly, I would not be shocked if this feature never sees the light of day outside of Microsoft. And I have to wonder how much the announcement of Apple Intelligence which promises to be private played into this? I say that because Apple has created a clear contrast between themselves and Microsoft that doesn’t make Microsoft look good. We’ll never know if that’s the case. But I for one am happy that Recall has been Recalled.

Gradio Vulnerabilities Enable Hugging Face Theft of Secrets

Posted in Commentary with tags on June 15, 2024 by itnerd

Horizon3.ai Chief Architect Naveen Sunkavally has just published “Exploiting File Read Vulnerabilities in Gradio to Steal Secrets from Hugging Face Spaces”.

On Friday, May 31, the AI company Hugging Face disclosed a potential breach where attackers may have gained unauthorized access to secrets stored in their Spaces platform.

Naveen said:

“This reminded us of a couple of high severity vulnerabilities we disclosed to Hugging Face affecting their Gradio framework last December. When we reported these vulnerabilities, we demonstrated that they could lead to the exfiltration of secrets stored in Spaces.

“Hugging Face responded in a timely way to our reports and patched Gradio. However, to our surprise, even though these vulnerabilities have long been patched, these old vulnerabilities were, up until recently, still exploitable on the Spaces platform for apps running with an outdated Gradio version.”

As background, Gradio is a popular open-source Python-based web application framework for developing and sharing AI/ML demos. The framework consists of a backend server that hosts a standard set of REST APIs and a library of front-end components that users can plug in to develop their apps. A number of popular AI apps use Gradio such as the Stable Diffusion Web UI and Text Generation Web UI. Users have several options for sharing Gradio apps: hosting it in a Hugging Face Space; self-hosting; or using the Gradio share feature, which exposes their machine to the Internet using a Gradio-provided proxy URL similar to ngrok.

The Horizon3.ai blog post demonstrates an exploitable path, and Naveen offers recommendations to users for remediation – whether they are using Gradio in a Hugging Face Space or self-hosting.

Ascension Health Pwned Via A Malicious File Downloaded By An Employee

Posted in Commentary with tags on June 15, 2024 by itnerd

In an update on the recent Ascension Health breach, officials say the breach was caused by an employee downloading “a malicious file.”

“An individual working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate. We have no reason to believe this was anything but an honest mistake.”

The breach caused Ascension’s EHR system to be taken offline, forcing staff to revert to manual, paper-based processes for recording patient information, ordering tests, and managing medications. Patient care was delayed for days.

In the Wednesday update, Ascension said that some services were still being impacted, more than a month after first detecting the breach on May 8th.

On an encouraging note, the provider said that the attackers were only able to steal data from seven of the approximately 25,000 servers in their network.

“At this point, we now have evidence that indicates that the attackers were able to take files from a small number of file servers used by our associates primarily for daily and routine tasks. These servers represent seven of the approximately 25,000 servers across our network.”

Brett Hansen, CGO, Cigent had this to say:

“It is naive to presume that people are not going to make mistakes and detection and response will prevent incidents. Employee education and EDR have long proven to be insufficient – organizations need to augment to include proactive protection of data with technologies including zero-trust access controls.”

Emily Phelps, Director, Cyware follows with this:

“Like with cybersecurity, in the healthcare industry, trust is everything. This increased transparency could stem the need and ability for healthcare entities to provide more transparency, more quickly. Regulatory requirements and the potential for severe penalties have undoubtedly played a role, but there is also a heightened awareness of the reputational damage that can arise from mishandled incidents.”

This is a prime example of your defences needing to be multi-layered. As in having multiple layers of defence so that a single mistake, like one employee opening a malicious file, is far less likely to end with you being pwned by a threat actor. Because by not doing that, you get this exact result.

Calling all wellness enthusiasts… the Samsung Galaxy Watch FE is here

Posted in Commentary with tags on June 14, 2024 by itnerd

Yesterday Samsung announced the release of its new Galaxy Watch FE – the perfect watch for every health and wellness enthusiast.

Equipped with Samsung’s advanced BioActive Sensor, the Galaxy Watch FE provides an array of powerful fitness and wellness functions that deliver personalized and actionable tips around the clock. From supporting better sleep to tracking workouts to sending you motivational messages throughout your wellness journey, this watch is with you every step of the way.

Please see below some highlights of the Galaxy Watch FE’s capabilities:

  • Monitors sleep patterns and provides sleep coaching
  • Tracks over 100 different workouts
  • Provides advanced running analysis, helping users not only analyze overall running performance but also offering insights and guidance to help prevent injuries and help users meet their goals

The Galaxy Watch FE is also highly customizable, offering a variety of new watch faces and a one-click band that makes it easy to mix and match bands to meet users’ style. It is also made from Sapphire Crystal glass, offering durability and helping protect against scratches during day-to-day use.

Beginning June 26th, the Galaxy Watch FE will become available in Canada in a variety of colours including Black, Pink, Gold and Silver. There will also be new watch bands available featuring distinct blue and orange stitching.

Luma AI Launches Dream Machine

Posted in Commentary on June 14, 2024 by itnerd

There’s yet another new AI tool out there. It’s called Dream Machine and it’s made by a company called Luma AI. Here’s what the company promises:

It is a highly scalable and efficient transformer model trained directly on videos making it capable of generating physically accurate, consistent and eventful shots. Dream Machine is our first step towards building a universal imagination engine and it is available to everyone now!

I experimented with it briefly by typing in the following phrase:

“A Hacker dancing down the street celebrating his latest hack”

This is what I got:

This is kind of interesting. I’ll share my thoughts later. But right now I have a comment from Kevin Surace, Chair, Token & “Father of the Virtual Assistant” on this:

Right now the current group of video generators creates very cool very short videos (in this case 5 seconds). This isn’t storytelling and it’s not movie making nor even shorts, and they can’t talk. It’s just in the toy category. Fun to play with. But you cannot do much with a 5 second clip that’s valuable. Being a filmmaker and an applied AI leader for 25 years…my bar is high.

Of course anything A16Z backs gets attention. So it doesn’t hurt. But the question again is what is the current usefulness of this? And at this point the GPU cost of generation is high. And so is their service cost. They promise to generate 5 seconds of video in 2 minutes but for now it’s taking more than 20 minutes. The GPU costs and load are tremendous. I suspect 99% of users won’t renew given the limited usefulness.

A 5 second deep fake is unlikely to convince anyone. And it’s hard to get these models to utilize an ACTUAL living human in them. If someone can jailbreak them, perhaps a 5 second clip might convince someone…but these also all have built-in technology to ID they were AI-generated. I think the risk here is very low.

Deep fakes can hurt company and exec reputations. The biggest concern is around live deep fakes on Zoom and we will all be using wearable biometric check-ins to be sure that whomever we are talking to is the real deal.

This is a valid point. At some point these gimmicky tools will become useful and dangerous. And we need guardrails in place before that happens. Or this will not end well.

Horizon3.ai Has A Deep Dive & POC For Ivanti Endpoint Mgr. SQL Injection RCE Vulnerability

Posted in Commentary with tags on June 13, 2024 by itnerd

Horizon3.ai Chief Attack Engineer Zach Hanley and the Horizon3.ai Attack Team have just published “CVE-2024-29824 Deep Dive: Ivanti EPM SQL Injection Remote Code Execution Vulnerability.” Their POC can be found here.

Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that enables centralized management of devices within an organization. Ivanti is a widely deployed secure access solution across enterprise functions and divisions to reduce costs, optimize service performance, and help support a secure and agile environment.

On May 24, 2024, the Zero Day Initiative (ZDI) and Ivanti released the advisory “Ivanti Endpoint Manager RecordGoodApp SQL Injection Remote Code Execution Vulnerability” describing a SQL injection resulting in remote code execution with a CVSS score of 9.8.

For The Second Day In A Row, Elon Musk Gets Trolled On Twitter

Posted in Commentary with tags on June 13, 2024 by itnerd

Hot on the heels of Elon Musk getting community noted and trolled on Twitter over his rants about the Apple Intelligence/OpenAI partnership, he’s getting trolled again on Twitter. This time it’s about hiding likes so that you can’t see what Twitter posts a particular user liked. I wrote about this here. Well that went into effect in the last 24 hours or so. And the backlash is epic.

You have to believe that in some corner of a Tesla or Twitter office, Elon must be bewildered by this response. But to be frank, you can’t be surprised that this is happening. Elon has once again done something that has opened himself up to this sort of response. And most normal people, after the first or maybe second time that this happens to them, would reconsider their life choices and course correct. But Elon isn’t normal and seems to relish this attention. Why, I don’t know, because I’m a computer nerd and not a mental health professional. But I will be curious to see if and how Elon reacts to this because that will be interesting to watch.