Adyen Enables Tap to Pay on iPhone for Merchants to Accept Contactless Payments in Canada

Posted in Commentary with tags on May 23, 2024 by itnerd

Adyen has announced that it now enables its Canadian businesses to seamlessly and securely accept in-person contactless payments with Tap to Pay on iPhone. Tap to Pay on iPhone accepts all forms of contactless payments, including contactless credit and debit cards, Apple Pay, and other digital wallets, using only an iPhone and a supported iOS app – no additional hardware or payment terminal is needed.

In tandem with the new feature, Adyen has welcomed prominent retailers including Mackage, by partnering with NewStore, to its merchant base. Mackage can now accept contactless payments from customers using only an iPhone, providing an added level of convenience for customers. Mackage customers can experience Tap to Pay on iPhone at all stores across Canada, where they can “check out” without having to wait in line at the cashier. Canadian shoppers now have access to a fast, efficient, and easy shopping experience at their fingertips.

Using Tap to Pay on iPhone is easy, secure, and private. With Tap to Pay on iPhone, merchants will simply prompt the customer to hold their contactless payment method near the merchant’s iPhone, and the payment will be securely completed using NFC technology.

Apple’s Tap to Pay on iPhone technology uses the built-in features of iPhone to keep the merchants’ and customers’ data private and secure. When a payment is processed, Apple doesn’t store cards or transaction information on the device or on Apple servers. Tap to Pay on iPhone will enable Adyen’s customers to stay at the forefront of innovation by:

  • Simplifying in-person payments by removing the dependence on payment hardware to accept transactions, providing a complementary way to accept payments for line-busting.
  • Getting up and running quickly with installation and onboarding, allowing businesses to scale up their payment operation.
  • Providing secure and fast checkout experiences that increase mobility on location.
  • Allowing for a convenient and private way to pay for customers since transactions are encrypted and payment data is protected by the same technology that makes Apple Pay private and secure.

Adyen customers can contact their Account Manager to learn more about enabling Tap to Pay on iPhone for their business. To learn more, visit https://www.adyen.com/devices/tap-to-pay-on-iphone.

ARPA-H Offers $50M Challenge To “UPGRADE” Hospital Cyber Defences 

Posted in Commentary with tags on May 23, 2024 by itnerd

The US government’s Advanced Research Projects Agency for Health (ARPA-H) has committed over $50 million to developing technology aimed at automating the security of hospital IT environments.

The initiative, named Universal PatchinG and Remediation for Autonomous DEfence, or UPGRADE, will bring together equipment manufacturers, cybersecurity experts, and hospital IT staff to create a customized and scalable software suite for enhancing hospital cyber-resilience. 

The program’s goal is to secure entire systems and networks of medical equipment, ensuring mitigation measures can be deployed on a large scale.

UPGRADE will concentrate on four key technical areas:

  1. Creating a platform for vulnerability mitigation
  2. Developing high-fidelity digital twins of hospital equipment
  3. Establishing methods to swiftly and automatically detect software vulnerabilities
  4. Creating defences for identified vulnerabilities

This week, the agency invited teams to apply for funding, totalling tens of millions of dollars, to develop and implement UPGRADE.

Stephen Gates, Principal Security SME, Horizon3.ai had this comment:

   “In the context of rapidly and automatically detecting software vulnerabilities, the UPGRADE program tends to miss the point of exploitable vulnerabilities – and other weaknesses. Addressing exploitability appears to be the missing link here.

   “Software vulnerabilities are nothing new and vulnerable software discoveries will never cease to challenge organizations’ rapid patching efforts. Simply put, all software has hidden vulnerabilities but not all vulnerabilities are exploitable.

   “What medical organizations (and any other organization) need today is a proven methodology of uncovering blind spots in their security postures that go beyond known and patchable vulnerabilities, such as easily compromised credentials, exposed data, misconfigurations, poor security controls, and weak policies. These issues are the catalysts that most often enable successful cyber-attacks.

   “Today, autonomous cyber risk assessment technologies are readily available to continuously test any organization’s infrastructure to safely expose where they are at risk of exploitation by threat actors. Without this visibility, organizations will continue to remain at least one step behind attackers with no end in sight.

   “The challenge is that the majority of organizations have zero visibility into what is exploitable in their environments and what is not. They continue to be reactive to every vulnerability announcement, instead of being proactive by finding what threat actors can actually exploit. Throwing every defensive measure at the problem will not solve a condition of exploitability either, as it often just hides it. Once exploitability is proactively addressed, measurable security improvement will be the result.”

I’ve been saying for a long time that the health care sector is low hanging fruit for threat actors. Hopefully initiatives like this one will tip the scales in favour of the good guys as the status quo of health care organizations getting pwned is not sustainable.

Epson Says That This Father’s Day, Don’t Make Dad An “Afterthought”

Posted in Commentary with tags on May 22, 2024 by itnerd

When it comes to gifting, it’s truly the thought that counts. But according to a 2023 study from Retail Council, 50% of Canadians will tack on finding a Father’s Day gift to an existing shopping trip. 

As you prepare for Father’s Day, consider that dad should never be treated as an afterthought – he’s a priority! Whether he’s reaping the rewards of a life of hard work, or he’s still out there hustling, dad deserves something special this year that shows he’s truly appreciated.

ET-4850 Wireless Colour All-in-One Cartridge-Free Supertank Printer (MSRP: $599.99 CAD)

With 20% of Canadians currently involved in owning a side business, and one in four considering or planning to start their own business in the next year (Angus Reid), the need for a proper home office setup has never been higher. If the grind never stops for Dad, then neither should his printer ink. The Epson ET-4850 comes with up to 2 years of ink in the box, also helping dad do one of his favourite things – save money. If Dad has a side hustle or his own small business, families can deck his home office out with this printer and watch him maximize his productivity with its high-capacity ink tanks and robust paper handling.


ET-2850 Wireless Colour All-in-One Cartridge-Free Supertank Printer (MSRP: $299.99 CAD)

Even if dad doesn’t have his own business or side hustle, he still needs a printer to help keep up with day-to-day printing tasks. The ET-2850 will make these tasks easier with auto-duplex printing, a high-resolution flatbed scanner and convenient colour display. Plus, this product provides impressive print quality and offers up to a 90% savings with replacement ink bottles vs. ink cartridges, so dad can happily print away alongside the family without having to worry about running out for refills.


EpiqVision Mini EF12 Smart Streaming Laser Projector (MSRP: $1,299.99 CAD)

If Dad is hard to shop for because it seems like he has everything, the Epson EpiqVision Mini EF12 is an awesome pick. This projector is perfect for the dad looking to upgrade his home theatre, living room or outdoor entertaining space. This product offers stunning picture quality up to 150″ and has built-in Android TV, so Dad can stream his favourite shows, movies and sporting events. Plus, it’s portable, making it easy for Dad to stream bright images from virtually anywhere in the home, or even outside for a luxurious cottage weekend!


New Research From Scalable Software Finds That Bad Tech Is Costing Millions Of Workers Almost 4 Hours Per Week

Posted in Commentary with tags on May 22, 2024 by itnerd

New research from Scalable Software has revealed that IT departments are struggling to evolve and adapt to the new hybrid digital workplace, leading to significant loss of productivity for millions of workers. The survey of 400 US and UK IT decision makers (ITDMs) found that, on average, employees lose nearly four hours a week (3.78) because of digital employee experience (DEX) failings. Despite being aware of the impact poor digital experiences and digital friction have on productivity, IT teams lack the data to identify problems and optimize experiences.

An overwhelming majority (90%) of ITDMs in both the US and UK say their organization suffers from “productivity paranoia” over hybrid working. Yet, the research finds many businesses still use traditional productivity measures which are not relevant in hybrid digital workplaces – so in reality are unable to accurately assess productivity or identify where blockers occur. For instance, businesses are relying on insufficient metrics such as work output (67%), line manager assessments (56%), time tracking software (51%), and employee self-assessment (48%). The risk of relying on such limited and subjective methods is conflating an output or being present online with being productive.

Previous research from Scalable Software found that 43% of knowledge workers say poor digital employee experience (DEX) has reduced their job satisfaction, while 29% say it has made them want to quit. Moreover, ITDMs and knowledge workers both identify the same top three causes of poor DEX; having to toggle between applications repeatedly to complete a task, applications that repeatedly freeze, crash or load slowly, and too many communication channels to manage resulting in “notification overload”. However, while there is a common understanding between workers and ITDMs of the major challenges, IT departments are still largely using reactive metrics to analyze DEX, including volume of IT support tickets/requests (67%), service desk performance (60%) and employee self-assessment (48%).

To successfully analyze productivity through improved DEX, organizations need to deploy platforms that can collate and distill data from every endpoint so that IT departments can accurately measure and analyze all workflows across the enterprise, regardless of whether staff work from home or in the office. These capabilities enable IT departments to proactively deliver exceptional digital experiences that help keep all employees productive and engaged.

To download the full report, The evolution of the IT department: From break/fix to the backbone of the modern enterprise, please visit: https://www.scalable.com/2024-digital-employee-experience-new-research

Methodology:

The research was commissioned by Scalable Software and conducted by independent research company, Sapio Research. Fieldwork was conducted in March and April 2024. Respondents consisted of 400 senior IT decision makers in organizations with more than 1,000 employees across the UK and the US.

Nuspire Launches New Incident Response Readiness Service

Posted in Commentary on May 22, 2024 by itnerd

Nuspire today announced the launch of its new Incident Response Readiness Service. The service equips organizations with the tools and expert-led training necessary to effectively handle and mitigate cybersecurity threats through realistic simulations and scenario-based training.

The newly launched Incident Response Readiness Service provides a dynamic and interactive environment where organizational teams can test and enhance their incident response strategies. By engaging in tailored cybersecurity scenarios that reflect the specific risks faced by each organization, teams are better prepared to tackle potential security breaches.

Key features of Nuspire’s Incident Response Readiness Service include:

  • Scenario-Based Preparation: Custom scenarios mirror the unique risks each organization faces, helping teams practice and refine their response to cyber threats.
  • Tabletop Exercise Integration: This method utilizes tabletop-style exercises to provide interactive incident response simulations, testing teams’ decision-making, communication and policy application skills in a controlled environment.
  • Comprehensive Analysis and Reporting: Insightful post-exercise debriefs offer detailed analysis of team responses, highlighting strengths and pinpointing critical areas for improvement.
  • Continuous Improvement and Alignment: The service promotes a unified approach to cybersecurity, engaging key stakeholders across various departments to ensure a cohesive and robust defense strategy.

Learn more about Nuspire’s new Incident Response Readiness Service.

Microsoft Recall Is A Privacy Nightmare

Posted in Commentary with tags on May 22, 2024 by itnerd

Microsoft recently had a bunch of major announcements at Build 2024. The one that we’re going to talk about today is a new feature called Recall. The feature operates in the background and takes screenshots of what you’re doing on your PC while you use it. Whenever you perform a search with Recall, it pulls from all these screenshots to find relevant moments in your PC activity history that might be what you’re looking for, stitching them together into a scrollable timeline. That way you can look through that timeline to find something that you’re looking for. This feature runs on Microsoft’s new PCs that have dumped Intel processors for ARM processors, such as the new Copilot+ laptops and the new Surface devices announced at Build.

Here’s where things get sketchy. Recall apparently encrypts everything it captures, but with the default settings it captures everything. So if you do online banking, enter your SIN online, or do anything else that is sensitive, Recall will likely have a screenshot of it. Think of what a threat actor could do if they somehow managed to pwn the PC and got access to that data. And don’t think that threat actors aren’t thinking about giving that a shot, as they know it’s a potential gold mine of information that they can sell on the dark web, never mind use against you. Now at this point a threat actor would likely have to have physical access to the device as this info is stored locally. But the one thing that I have learned over the years is that threat actors are creative and crafty individuals. So if there’s another attack vector out there that will allow them to grab this data, they will find it. And exploit it.

So it’s not all sunshine and roses for Recall. And the news gets worse for Microsoft as Recall has already gotten the attention of the UK government who are looking into it:

The UK data watchdog says it is “making enquiries with Microsoft” over a new feature that can take screenshots of your laptop every few seconds.

Microsoft says Recall, which will store encrypted snapshots locally on your computer, is exclusive to its forthcoming Copilot+ PCs.

But the Information Commissioner’s Office (ICO) says it is contacting Microsoft for more information on the safety of the product, which privacy campaigners have called a potential “privacy nightmare”.

Microsoft says Recall is an “optional experience” and it is committed to privacy and security.

According to its website, users “can limit which snapshots Recall collects”.

“Recall data is only stored locally and not accessed by Microsoft or anyone who does not have device access,” the firm said in a statement.

And it said a would-be hacker would need to gain physical access to your device, unlock it and sign in before they could access saved screenshots.

But an ICO spokesperson said firms must “rigorously assess and mitigate risks to people’s rights and freedoms” before bringing any new products to market.

“We are making enquiries with Microsoft to understand the safeguards in place to protect user privacy,” they said.

If the UK is making these enquiries, then it’s a safe bet that the EU won’t be far behind. Microsoft is already in a bit of a fight with them over not responding to a request for information related to their generative AI features. Thus having Recall pop up on their radar screens would likely be a bad thing for Microsoft. And you have to wonder how many others are going to be knocking on Microsoft’s door in regards to Recall.

My personal thoughts go something like this. This is a feature that I would instantly turn off the second that I got one of these new Microsoft PCs. I simply don’t want something actively recording anything and everything that I do in the background as I simply could not trust it to not pick up something that I don’t want recorded. And while I could tweak settings to try and mitigate what Recall does, I still wouldn’t trust it. Microsoft in my opinion needs to rethink Recall. While it is something that does sound kind of cool on the surface (pun intended), it is also concerning at best because of the privacy implications. And until Microsoft demonstrates that this feature is safe to use, it’s a feature that I will be avoiding. And you should as well.

Beyond Identity Launches Industry’s First Secure Access Platform 

Posted in Commentary with tags on May 22, 2024 by itnerd

Beyond Identity, the leading provider of passwordless, phishing-resistant MFA, today announced the release of its Secure Access Platform, a secure-by-design solution engineered to protect organizations from the sophisticated and evolving landscape of credential and access-based attacks. This announcement comes at a critical time when industry-trusted Single Sign-On (SSO) and Identity and Access Management (IAM) tools are increasingly compromised, as evidenced by recent high-profile breaches involving major players like Okta and Microsoft.

Beyond Identity’s Secure Access Platform is a game-changer, crafted to be a standalone alternative to legacy SSO/IAMs or an integrated platform built to harden the security posture of existing SSO/IAMs. It addresses urgent security needs by combining passwordless, phish-resistant MFA with innovative SSO and risk detection capabilities, ensuring thorough management and mitigation of access risks with a platform that can make security guarantees. 

Innovative Features Addressing Modern Security Needs

  • Secure Single Sign-On (SSO): Optimized for zero-trust architectures, providing a secure by design, simple to administer, and easy-to-use passwordless user experience.
  • Continuous Authentication: Validate user and device security compliance before authentication and continuously, even during active sessions, to account for risk over time, setting a new standard in access security.
  • Passwordless, Phish-Resistant MFA: Eliminate phishing as a threat to organizations even if users and admins click on malicious links. 
  • Device Posture Assurance: Gain visibility and control over security compliance across all devices, including unmanaged devices, providing comprehensive defenses against external threats.
  • Robust Integration Ecosystem: Get more out of your security stack investments by using all risk signals to make risk-based access decisions. Shift security left by not only adding detection and response capabilities to prevention. 

Discover the power of Beyond Identity’s Secure Access Platform by signing up at https://www.beyondidentity.com/products/secure-workforce. Join them for live demonstrations at the Gartner Security & Risk Management Summit 2024, booth #843, from June 3 – 5 in National Harbor, MD.

EPA Issues Enforcement Alert For Water Systems In The US

Posted in Commentary with tags on May 22, 2024 by itnerd

On Monday, the EPA released an enforcement alert encouraging water systems to take immediate action to protect the nation’s drinking water as cyberattacks against water utilities across the country are escalating in frequency and severity:

This Enforcement Alert provides community water systems (CWSs) with information on immediate steps they can take to ensure compliance with SDWA Section 1433 and to reduce cybersecurity vulnerabilities.

Cyberattacks against CWSs are increasing in frequency and severity across the country. Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.

Implementing basic cyber hygiene practices can help your utility prevent, detect, respond to, and recover from cyber incidents. Because water utilities often rely on computer software to operate their treatment plants and distribution systems, protecting information technology and process control systems from cyberattacks is vital. Small water systems are not immune from cyberattacks. Recently, disruptive cyberattacks from adversarial nation states have impacted water systems of all sizes, including many small systems. As a result of these increased threats, EPA is increasing its enforcement activity to protect our nation’s drinking water.

Here are some insights from Tom Marsland, VP of Technology, Cloud Range, and Board Chairman of VetSec that I got in my inbox on Tuesday:

“Yesterday, the EPA issued an enforcement alert due to the increase in attacks on United States critical infrastructure. The EPA outlined the existing rules and regulations governing drinking water systems and cyber security and effectively put operators on notice that they are increasing inspections and enforcement. This alert is simply that – an alert, to the rules and regulations that are already in place. While it is a step in the right direction, it does not go far enough to secure our nation’s critical infrastructure. While cyber domain borders are ambiguous due to the very infrastructure the internet is built on, there must be a clear line drawn with defending critical infrastructure, and the government must make clear that attacks on a drinking water system operator are attacks on the United States.

Not only should the EPA enforce the existing rules on the books, but until the punishments of ignoring the rules outweigh the cost of actually hiring cybersecurity professionals to work on these systems, these clear lapses in cyber hygiene will continue. In many cases, smaller operators simply do not have the budget or the education to secure their networks. The federal, state, and local governments must provide more resources, and quickly, to enable private operators to secure our cyber borders before we do see damage to equipment and harm come to the people consuming water from these systems.”

Threat actors will always go for the soft target and it looks like drinking water systems are on the list. That’s not good as a well placed attack will harm a lot of people. Hopefully the people who run these systems are paying attention so that this critical infrastructure is properly secured.

CISA Issues Urgent Warning Regarding Mirth Connect

Posted in Commentary with tags on May 22, 2024 by itnerd

CISA has added a critical security flaw impacting NextGen Healthcare’s Mirth Connect to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, identified as CVE-2023-43208, has been actively exploited in the wild.

Mirth Connect is an open-source data integration platform extensively used in the healthcare industry to facilitate standardized data exchange between various systems. It handles over a billion transactions daily across thirty countries. 

The vulnerability allows unauthenticated remote code execution and stems from an incomplete patch for another significant flaw, CVE-2023-37679, which carries a CVSS score of 9.8. Details of CVE-2023-43208 were first disclosed by Horizon3.ai in late October 2023, with additional technical information and a proof-of-concept exploit released in January 2024. 

According to security researcher Naveen Sunkavally, CVE-2023-43208 is linked to the insecure use of the Java XStream library for unmarshalling XML payloads, making it easily exploitable.
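What “insecure use of the Java XStream library for unmarshalling” looks like in practice, as an added illustration that is not Mirth Connect’s code and does not reproduce the exploit: the same XML document is handed to an XStream instance with no type restrictions and to one limited to an explicit allow-list. The `ChannelMessage` class, the `message` alias and the sample documents are hypothetical. On XStream releases before 1.4.18 the permissive instance instantiates whatever root class the XML names; from 1.4.18 onward the library applies a built-in default allow-list, so the hardened instance narrows that further to exactly the types this endpoint needs.

```java
// Added illustration, not Mirth Connect's own code. Requires xstream on the classpath.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowList {

    // Hypothetical message type that this endpoint legitimately accepts.
    public static class ChannelMessage {
        public String channelId;
        public String body;
    }

    // Weak setup: no permissions configured. Before XStream 1.4.18 this
    // instantiated any class name the XML asked for, which is the shape of
    // bug the text describes.
    static XStream permissive() {
        XStream xs = new XStream();
        xs.alias("message", ChannelMessage.class);
        return xs;
    }

    // Hardened setup: deny every type first, then allow only the types the
    // endpoint needs. A document naming any other class is refused before
    // a constructor or converter for it ever runs.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);            // deny all
        xs.addPermission(NullPermission.NULL);               // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, ChannelMessage.class });
        xs.alias("message", ChannelMessage.class);
        return xs;
    }

    // True when the parser refused the payload's root type, false when it
    // deserialized it. Other parse failures propagate unchanged.
    static boolean rejects(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: one legitimate message, and one document
        // whose root element names an arbitrary JDK class instead.
        String legit = "<message><channelId>lab-1</channelId><body>hello</body></message>";
        String foreign = "<java.util.HashMap/>";

        ChannelMessage m = (ChannelMessage) hardened().fromXML(legit);
        System.out.println("hardened accepted message from channel " + m.channelId);
        System.out.println("hardened rejects foreign root type: " + rejects(hardened(), foreign));
        System.out.println("permissive rejects foreign root type: " + rejects(permissive(), foreign));
    }
}
```

The harmless `<java.util.HashMap/>` document stands in for any attacker-chosen class name: the hardened instance refuses it at the mapper layer, before instantiation, which is the property an explicit allow-list gives you regardless of which gadget a real payload would carry. Whether the permissive instance accepts it depends on the XStream version in use, which is exactly why relying on library defaults rather than an explicit allow-list is the weak setting.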

CISA has not released details regarding the specific nature of the attacks exploiting this flaw or the entities responsible for weaponizing it. The timing of these exploitations also remains unclear. However, federal agencies are mandated to update to a patched version of the software, specifically Mirth Connect version 4.4.1 or later, by June 10, 2024.

The aforementioned Naveen Sunkavally, Chief Architect, Horizon3.ai had this to say: 

   “It’s not surprising that CVE-2023-43208 was added to the CISA KEV catalog. Back in April, Microsoft threat intelligence reported that CVE-2023-43208 was being exploited by China-based threat actor Storm-1175 for initial access. And there have been reports of exploitation prior to that.

   “We work with a lot of healthcare companies. While Mirth Connect may not be a familiar name, the data we have backs up the fact that it is a widely adopted technology. Our data is what led us to research Mirth Connect for vulnerabilities in the first place last summer. Our own pentesting product, NodeZero, routinely exploits CVE-2023-43208 in client environments, both for initial access and lateral movement.

   “The inclusion of CVE-2023-43208 in the CISA KEV catalog is a reminder that attackers are inherently opportunistic and will exploit anything that seems valuable – not just VPNs, Microsoft Exchange, and Confluence. We highly encourage companies to check for Mirth Connect in their environments and patch to the latest version.”

While patching all the things isn’t a guarantee that it will keep the bad guys from pwning you, it’s a great start as vulnerabilities that have patches available are low hanging fruit for threat actors.

Highlights From Google Marketing Live 2024

Posted in Commentary with tags on May 21, 2024 by itnerd

Coming out of Google Marketing Live, Google showcased the latest product innovations across Google Ads and Commerce to help businesses thrive.

Key announcement highlights included: 

  • New Performance Max creative controls. Soon, advertisers can share their font and color guidelines, as well as provide helpful image reference points to generate new asset variations. We’re introducing new image editing capabilities so advertisers can try adding new objects, extending backgrounds, and cropping to adapt to any format, size and orientation. 
  • New immersive Shopping Ad experiences. Advertisers will soon be able to enhance their Shopping ads with immersive visuals, including Virtual Try-On and generated 3D spinning ads, and later this year, we’re introducing a feature that lets shoppers dive deeper into an ad to see product videos, summaries and similar products provided by the advertiser.
  • Driving results and visual storytelling through Demand Gen: Beyond visually immersive ads, there are opportunities to connect with consumers on our most visually immersive channels — YouTube, Discover and Gmail. We launched Demand Gen last year, helping advertisers drive demand and conversions, and soon we’ll roll them out to even more advertisers on Display & Video 360 and Search Ads 360.
  • New opportunities for consumers. Ads have always been an important part of consumer’s information journeys. Soon, we’ll start testing Search and Shopping ads in AI Overviews for users in the U.S. In addition, we will start testing a new ad experience in Search to help guide people through complex purchase decisions.

Read about these and more on Google’s Keyword blog: