Security Researcher Finds That Microsoft Recall Is A Bigger Disaster Than We All Thought

Posted in Commentary on June 3, 2024 by itnerd

Along with the release of Windows laptops using the Snapdragon X Elite processor, Microsoft released a bunch of new AI features for Windows 11, including something called Microsoft Recall, which takes snapshots of everything you do on the PC every few seconds. At the time, I said this:

Here’s where things get sketchy. While Recall apparently encrypts everything that it is taking a picture of, Recall with the default settings is taking pictures of everything. So if you do online banking, enter your SIN number online, or do anything else that is sensitive, Recall will likely know about it. Think of the fun a threat actor could have if they somehow managed to pwn the PC and got access to that data. And don’t think that threat actors aren’t thinking about giving that a shot as they know that it’s a potential gold mine of information that they can sell on the dark web. Never mind use against you. Now at this point a threat actor would likely have to have physical access to the device as this info is stored locally. But the one thing that I have learned over the years is that threat actors are creative and crafty individuals. So if there’s another attack vector out there that will allow them to grab this data, they will find it. And exploit it. 

Well, it now seems that this might be worse than previously thought. The Verge has surfaced just how vulnerable Recall actually is:

Despite Microsoft’s promises of a secure and encrypted Recall experience, cybersecurity expert Kevin Beaumont has found that the AI-powered feature has some potential security flaws. Beaumont, who briefly worked at Microsoft in 2020, has been testing out Recall over the past week and discovered that the feature stores data in a database in plain text. That could make it trivial for an attacker to use malware to extract the database and its contents.

“Every few seconds, screenshots are taken. These are automatically OCR’d by Azure AI, running on your device, and written into an SQLite database in the user’s folder,” explains Beaumont in a detailed blog post. “This database file has a record of everything you’ve ever viewed on your PC in plain text.”

Beaumont shared an example of the plain text database on X, scolding Microsoft for telling media outlets that a hacker cannot exfiltrate Recall activity remotely. The database is stored locally on a PC, but it’s accessible from the AppData folder if you’re an admin on a PC. Two Microsoft engineers demonstrated this at Build recently, and Beaumont claims the database is accessible even if you’re not an admin.

Well, that's just incredibly horrible. Now that we know the data can be pulled off the machine, threat actors around the globe will be figuring out how to do exactly that to anyone running this feature, even if the technical details are being withheld for now.

But I am not done yet. It actually gets worse:

Beaumont has exfiltrated his own Recall database and created a website where you can upload a database and instantly search it. “I am deliberately holding back technical details until Microsoft ship the feature as I want to give them time to do something,” he says.

You would think a company the size of Microsoft would have had a few security researchers try to find vulnerabilities in this feature before even announcing it. But I guess not. Encryption at rest does not help here either: once the user is logged in, the disk is unlocked and the database is readable by anything running as that user, which is exactly what infostealer malware already does to browser password stores. It truly sounds to me like Microsoft needs to do a recall of Recall, because it's simply not something that users can trust to be secure. Thus it's not ready for primetime.
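To make the "plain text in a SQLite file under the user's profile" point concrete, here is an added example of the kind of exposure check a practitioner would run against such a store. This is not Microsoft's code and it does not use Recall's real schema: the table layout, the file location and the OCR'd rows are constructed for the demo. What it shows is that the standard library alone, running as the logged-in user, is enough to open the database and pull out anything that looks like a payment card number or a Canadian SIN, with a Luhn check to drop false positives.

```python
"""Added example: scan a local SQLite text store for sensitive data.

Not Microsoft's code. The 'captures' table and its rows are constructed
stand-ins for an OCR text store; only the technique (open the file as the
current user, query it, pattern-match the text) is the point.
"""
import os
import re
import sqlite3
import tempfile

# Constructed sample of OCR'd screen text; none of it is real data.
SAMPLE_ROWS = [
    ("2024-06-01T09:14:02", "Online Banking", "Welcome back. Chequing balance $4,210.33"),
    ("2024-06-01T09:15:40", "CRA My Account", "SIN: 046 454 286  Confirm your identity"),
    ("2024-06-01T09:20:11", "Checkout", "Card 4111 1111 1111 1111 exp 08/27 CVV 123"),
    ("2024-06-01T09:22:55", "Checkout", "Order total $59.99 Reference 1234 5678 9012 3456"),
    ("2024-06-01T10:01:07", "Mail", "Meeting moved to 3pm, see you there"),
]

CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")          # 16 digits, optional separators
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")   # 9 digits in three groups


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by both payment card numbers and Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def build_demo_db(path: str) -> None:
    """Create the constructed database (assumed layout: ts, app, text)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE captures (ts TEXT, app TEXT, text TEXT)")
    con.executemany("INSERT INTO captures VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def scan_text(text: str):
    """Return [(kind, masked_value)] for Luhn-valid card numbers and SINs."""
    findings = []
    masked = text
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", digits[:6] + "*" * 6 + digits[-4:]))
        # Blank the span either way so the SIN pattern cannot re-match inside it.
        masked = masked[:m.start()] + " " * (m.end() - m.start()) + masked[m.end():]
    for m in SIN_RE.finditer(masked):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("sin", "***-***-" + digits[-3:]))
    return findings


def scan_db(path: str):
    """Open the store as the current user and report every hit with its context."""
    con = sqlite3.connect(path)
    out = []
    for ts, app, text in con.execute("SELECT ts, app, text FROM captures ORDER BY ts"):
        for kind, masked in scan_text(text):
            out.append((ts, app, kind, masked))
    con.close()
    return out


def demo():
    """Build the constructed database in a temp dir and scan it."""
    path = os.path.join(tempfile.mkdtemp(), "demo.db")
    build_demo_db(path)
    return scan_db(path)


if __name__ == "__main__":
    for hit in demo():
        print(*hit)
```

The "Reference 1234 5678 9012 3456" row is there on purpose: it looks like a card number but fails the Luhn check, so it is masked out of the SIN pass and not reported. Nothing in the script needs elevated rights; that is the whole problem with a plain-text store in the user's profile.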

HYAS Experts Warn Of Active Remcos RAT Campaign

Posted in Commentary on June 3, 2024 by itnerd

Examining the data associated with Autonomous System Numbers (ASNs) can identify and help mitigate complex malware campaigns in novel ways. Using these techniques, HYAS has just published Tracking An Active Remcos Malware Campaign.

Remcos is a commercially available application for remotely controlling Windows computers. Used covertly, it operates as a fully functional remote access trojan, able to log keystrokes, exfiltrate data, passwords and screenshots, and monitor webcams.

The campaign HYAS is tracking began on May 14, 2024, and is operated out of Maiduguri, Nigeria. Recent malware detonations have shown Remcos C2 communication with two domains, taker202.ddns[.]net (port 3017) and taker202.duckdns[.]org (port 5033). Both domains resolve to addresses in Lithuania, hosted on the ISP "Silent Connection Ltd".

The report details the threat actor's use of dynamic DNS services (No-IP's ddns.net and DuckDNS) for Command and Control (C2) communications, which, combined with hosting on a Lithuanian ISP, obscures the true origin of the attack and leverages international resources to evade localized law enforcement. Dynamic DNS lets the operator re-point a hostname to a new IP address at any time, so IP-based blocking and tracking always lag behind; detection and blocking should key on the hostnames (and on lookups under the dynamic DNS provider domains) rather than on whatever address they resolve to today.

HYAS’ report provides real-time tracking and attribution, the impacts and risks of Remcos, and detection and removal recommendations.

About HYAS' Novel Research Process: ASNs are unique identifiers of networks participating in the global routing system, and can offer insight into the infrastructure threat actors are using. HYAS collects IOCs such as IP addresses, domain names, file hashes, and other artifacts associated with a suspected malware campaign and uses specialized tools, databases, and techniques to map the collected IP addresses to their corresponding ASNs. This enumeration helps identify the ownership and affiliations of networks involved in the campaign. HYAS then:

  • identifies the origins of malicious traffic, 
  • pinpoints hosting providers associated with malware distribution, 
  • surfaces and traces connections between threats and entities that otherwise seem unaffiliated, and 
  • attributes malware campaigns to specific threat actors or groups, and uses that attribution to defend against active campaigns and thwart future ones.
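As an added example of the hostname-based detection the report's use of dynamic DNS calls for (this is my code, not HYAS'), the script below triages DNS query logs for the two published indicators and for any other lookup under the same dynamic DNS providers. The two domains are the IOCs quoted above, kept in their defanged form and re-fanged only for matching; the log format, client addresses and timestamps are constructed for the demo.

```python
"""Added example (not HYAS' code): triage DNS query logs for dynamic-DNS C2.

IOC hostnames are from the HYAS report; everything else (log format,
clients, times) is constructed for the demo.
"""
import re
from collections import defaultdict

# Published indicators, defanged exactly as reported.
IOC_DOMAINS = {"taker202.ddns[.]net", "taker202.duckdns[.]org"}

# Dynamic DNS parent domains used in the campaign. A lookup under one of these
# is not proof of compromise, but on a corporate network it deserves a look.
DDNS_SUFFIXES = ("ddns.net", "duckdns.org")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into a matchable 'a.b'."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


IOC_SET = {refang(d) for d in IOC_DOMAINS}

# Constructed lines: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2024-05-20T10:01:02Z 10.0.0.12 A taker202.ddns.net
2024-05-20T10:01:03Z 10.0.0.12 A www.microsoft.com
2024-05-20T10:06:05Z 10.0.0.12 A taker202.ddns.net
2024-05-20T10:11:09Z 10.0.0.12 A TAKER202.DUCKDNS.ORG.
2024-05-20T10:12:00Z 10.0.0.33 A homecam.duckdns.org
2024-05-20T10:13:41Z 10.0.0.45 AAAA update.example.com
malformed line that the parser must skip
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|CNAME|TXT)\s+(\S+)$")


def parse_line(line: str):
    """Return (ts, client, qtype, qname) with the name normalised, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return ts, client, qtype, qname.lower().rstrip(".")


def classify(qname: str):
    """'ioc' for an exact published indicator, 'ddns' for any other name under a
    provider seen in the campaign, None otherwise. Matching is on the name, not
    on the resolved IP, because the operator can re-point the name at will."""
    if qname in IOC_SET:
        return "ioc"
    if any(qname == s or qname.endswith("." + s) for s in DDNS_SUFFIXES):
        return "ddns"
    return None


def triage(log_text: str):
    """Group suspicious lookups by client so each host is reviewed as a unit."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, _, qname = rec
        verdict = classify(qname)
        if verdict:
            findings[client].append((ts, qname, verdict))
    return dict(findings)


def host_verdicts(findings):
    """Per client: 'ioc-match' if any exact indicator hit, else 'ddns-review'."""
    return {
        client: ("ioc-match" if any(v == "ioc" for _, _, v in hits) else "ddns-review")
        for client, hits in findings.items()
    }


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for client, verdict in host_verdicts(found).items():
        print(client, verdict, [q for _, q, _ in found[client]])
```

Run as-is it flags 10.0.0.12 as an indicator match (three lookups, two hostnames) and 10.0.0.33 for review only; the case-folding and trailing-dot handling matter because resolver logs do not normalise names for you.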

Is TikTok Preparing Itself For Sale? Reuters Thinks So

Posted in Commentary on June 2, 2024 by itnerd

In one of the last times that I talked about TikTok, I mentioned this:

A Reuters report that was posted late yesterday has blown my mind. In short, ByteDance, whose back is against the wall because Congress has all but banned TikTok if ByteDance doesn't sell it, actually prefers that the app be banned in the US if legal options fail.

The reason is that ByteDance, TikTok's Chinese parent, doesn't want anyone to get the algorithm that runs TikTok. Here are my thoughts on that:

Assuming that this is true, I have to wonder what do those algorithms do? Every social network except Mastodon has them. But they’re usually to present you with stuff that you’re interested in. Or try to target advertising towards you. The cynic in me says that they do a lot more than that, and ByteDance doesn’t want anyone to find those details out. That also suggests to me that TikTok and ByteDance fighting to keep the app alive in the USA is not about users or free speech or anything like that. Which makes this ban the right decision as clearly ByteDance has something to hide that likely is counter to their core agreements.

Fast forward to today and according to Reuters, that might be changing:

TikTok is working on a clone of its recommendation algorithm for its 170 million U.S. users that may result in a version that operates independently of its Chinese parent and be more palatable to American lawmakers who want to ban it, according to sources with direct knowledge of the efforts.

The work on splitting the source code ordered by TikTok’s Chinese parent ByteDance late last year predated a bill to force a sale of TikTok’s U.S. operations that began gaining steam in Congress this year. The bill was signed into law in April.

The sources, who were granted anonymity because they are not authorized to speak publicly about the short-form video sharing app, said that once the code is split, it could lay the groundwork for a divestiture of the U.S. assets, although there are no current plans to do so.

The company has previously said it had no plans to sell the U.S. assets and such a move would be impossible.

TikTok initially declined to comment. After publication of this story, TikTok in a posting on X said “The Reuters story published today is misleading and factually inaccurate,” without specifying what was inaccurate.

That's interesting. TikTok and ByteDance wouldn't be doing this for giggles, and I can see them wanting to keep it on the down low, as it undercuts one of their main arguments about the algorithm. All of this assumes the report is true, but you have to consider it at least plausible, as I really cannot see any scenario where ByteDance simply allows TikTok to be banned in the US, which would likely lead to bans in other countries. Thus they have to have a plan B of some sort. Regardless, it's not going to take long to find out whether this is true.

Spotify Appears To Be Quietly Walking Back How It Is Handling The Car Thing Fiasco

Posted in Commentary on June 2, 2024 by itnerd

You might recall that I, along with Spotify users of their Car Thing product, called them out for deciding to brick perfectly good devices because they didn't want to support them anymore. I am guessing that some PR expert at Spotify told management that this wasn't a good look, because Engadget is now reporting that Spotify will offer refunds if you have a valid receipt:

The company told Engadget on Thursday that, as of last Friday, customers with proof of purchase (like an emailed invoice) can contact customer service and get their money back for the vehicle streaming device.

If that's you, then you need to find that receipt and contact Spotify. While this about-face is a good thing for users of Car Thing, it honestly shouldn't have taken this backlash for Spotify to do the right thing. On top of that, I tripped over this by accident, so I have to assume that Spotify doesn't want it widely known. But that's the cynic in me talking, because I'm sure that Spotify is a company that always wants to do the right thing.

Snowflake Data Breaches Makes The News This Week

Posted in Commentary on June 1, 2024 by itnerd

Threat group ShinyHunters, who recently claimed responsibility for the Santander and Ticketmaster breaches, claimed to have stolen data from cloud data platform Snowflake after hacking into an employee's account, and to have gained access to data from other high-profile Snowflake customers. I wrote about Ticketmaster here, and Santander here, if you want to get up to speed on those.

I gathered up some commentary from industry leaders on this week’s events:

Glenn Chisholm, Co-founder and Chief Product Officer, Obsidian Security

“This year, we have seen a sequence of breaches that have affected major SaaS vendors, such as Microsoft, Okta, and now Snowflake. The commonality across these breaches is identity; the attackers are not breaking in, they are logging in. In IR engagements we have seen through partners like CrowdStrike, we see SaaS breaches often starting with identity compromises–in fact 82% of SaaS breaches stem from identity compromises such as spear phishing, token theft and reuse, helpdesk social engineering, etc. This includes user identities as well as non-human (application) identities.

SaaS is now a very active space where attacks are occurring across the spectrum, from targeted APTs to financially motivated attackers, and every company needs to carefully review its SaaS security program. Ensure the correct application posture to minimize risk, protect their identities which form the perimeter of your SaaS applications, and secure their data movement. These must be a continuous program since your applications evolve, configurations change, identities get introduced, and attackers change their patterns. In other words, you need automation to scale this across all your SaaS applications.”

Will Lin, co-Founder and CEO, AKA Identity and Author, The VC Field Guide and former Venture Partner, ForgePoint Capital

“This breach is so complicated and simple at the same time. Simple that the attack vector was stolen privileged credentials. ‘Bad actors don’t hack in, they log in.’ Complicated because it involves multiple parties who can only do so much to prevent this from happening. The predicament that the world has today is that credentials have been the number one cause of data breaches since the DBIR started tracking them. The modern world has been set up to fail without good data and visibility into their most important trust boundary: identities and access management.”

Avishai Avivi, CISO, SafeBreach

“The latest Snowflake breach surfaces multiple troubling aspects about the potential impact of shifting to massive data lakes hosted on a cloud provider. Combine this with compromised credentials and a session cookie hijack, and you have the perfect storm. It’s important to understand that we are still in the early stages of identifying the specifics of this incident. Hudson Rock’s insightful blog post provides some understanding. The attacker seems to have gained initial access through a combination of stolen credentials from a sales engineer and session hijacking.

At this point, we have to shift to some educated hypothesis and conjecture. The malicious actor then used a single set of credentials with access to a single backend cloud-based platform, ServiceNow, that Snowflake uses to effect a breach on dozens, potentially hundreds, of Snowflake’s customers.

The ability to leverage this single entry vector to access the data of multiple customers indicated:

  • Initial infection by a known malware – It appears that credentials were compromised by the Lumma malware back in October 2023, indicating that the EDR control failed to detect it.
  • Multifactor Authentication (MFA) was not deployed uniformly – MFA makes the ability to use stolen credentials in this way very difficult.
  • Continuous vs. Just-In-Time (JIT) privileged access – It seems like, at best, the authorized session the malicious actor was able to take advantage of was not following best practices and did not force refreshed authentication.
  • A deficient segregation of duties – a single sales engineer should not be able to access dozens of customers’ data.
  • The malicious actor was able to exfiltrate customer data – The fact that massive amounts of customer data were exfiltrated indicates lax egress traffic monitoring and control.

Aside from the actual breach, the alarming aspect is that Snowflake appears to have a very robust security program. They claim to have all the proper security certifications their customers may require. This breach reinforces the point that implementing the right technology controls is just the first step; the only way to know the efficacy of those technologies is to continuously test them using a comprehensive security control validation program. Traditional penetration testing programs are not sufficient either. Organizations must test the ability of a malicious actor to move laterally throughout its environment and then leave with the data they were able to access.”
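The common thread in the commentary above is single-factor access: the attacker logged in rather than broke in. As an added example (my code, not Snowflake's and not from any of the quoted vendors), here is the first audit I would run on a SaaS login history after a week like this: find every successful password-only login and rank it by whether the source network has been seen for that user before. The records are constructed, and the field names are an assumption loosely modelled on the columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS); check them against the current documentation before pointing this at a real export.

```python
"""Added example: triage SaaS login history for single-factor access.

Illustrative code, not Snowflake's. Records are constructed; field names
are an assumption based on Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view.
"""

# Constructed sample rows, lower-cased keys as a CSV/JSON export might give them.
SAMPLE_LOGINS = [
    {"event_timestamp": "2024-05-20T09:02:11Z", "user_name": "SE_ALICE",
     "client_ip": "198.51.100.10", "reported_client_type": "SNOWFLAKE_UI",
     "first_authentication_factor": "PASSWORD", "second_authentication_factor": None,
     "is_success": "YES"},
    {"event_timestamp": "2024-05-20T02:11:00Z", "user_name": "SE_ALICE",
     "client_ip": "203.0.113.7", "reported_client_type": "OTHER",
     "first_authentication_factor": "PASSWORD", "second_authentication_factor": None,
     "is_success": "YES"},
    {"event_timestamp": "2024-05-20T02:10:40Z", "user_name": "SE_ALICE",
     "client_ip": "203.0.113.7", "reported_client_type": "OTHER",
     "first_authentication_factor": "PASSWORD", "second_authentication_factor": None,
     "is_success": "NO"},
    {"event_timestamp": "2024-05-20T09:30:00Z", "user_name": "ANALYST_BOB",
     "client_ip": "198.51.100.11", "reported_client_type": "SNOWFLAKE_UI",
     "first_authentication_factor": "PASSWORD", "second_authentication_factor": "DUO_PUSH",
     "is_success": "YES"},
    {"event_timestamp": "2024-05-20T03:00:00Z", "user_name": "SVC_ETL",
     "client_ip": "198.51.100.50", "reported_client_type": "PYTHON_DRIVER",
     "first_authentication_factor": "RSA_KEYPAIR", "second_authentication_factor": None,
     "is_success": "YES"},
]

# Constructed baseline of where each human user normally logs in from.
# In practice this comes from the previous 30-90 days of successful logins.
KNOWN_IPS = {"SE_ALICE": {"198.51.100.10"}, "ANALYST_BOB": {"198.51.100.11"}}


def is_password_only(rec) -> bool:
    """True when the session was established with a password and nothing else."""
    return (rec["first_authentication_factor"] == "PASSWORD"
            and not rec["second_authentication_factor"])


def rate_login(rec, known_ips):
    """Severity for one login, or None if it needs no attention from this check."""
    if rec["is_success"] != "YES":
        return None              # failed attempts are a separate (brute-force) question
    if not is_password_only(rec):
        return None              # MFA or key-pair auth: out of scope here
    if rec["client_ip"] not in known_ips.get(rec["user_name"], set()):
        return "high"            # single factor AND a network never seen for this user
    return "medium"              # single factor from a known network: still a policy gap


def triage(records, known_ips):
    """Successful password-only logins, most severe first, then by time."""
    order = {"high": 0, "medium": 1}
    hits = []
    for rec in records:
        sev = rate_login(rec, known_ips)
        if sev:
            hits.append((sev, rec["user_name"], rec["client_ip"], rec["event_timestamp"]))
    return sorted(hits, key=lambda h: (order[h[0]], h[3]))


def users_without_mfa(records):
    """Users who completed at least one successful password-only login."""
    return sorted({r["user_name"] for r in records
                   if r["is_success"] == "YES" and is_password_only(r)})


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGINS, KNOWN_IPS):
        print(*hit)
    print("enforce MFA for:", users_without_mfa(SAMPLE_LOGINS))
```

On the constructed data the 02:11 login from 203.0.113.7 comes out on top: password only, unfamiliar network, generic client, right after a failed attempt from the same address. The key-pair service account is deliberately left out of this check; non-human identities need their own review, but lumping them in here only buries the human single-factor logins you want to act on first.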

Rogers Starts Expanding 5G Network To The Rest Of Toronto’s Subway System

Posted in Commentary on May 31, 2024 by itnerd

You might recall that Canadian telco Rogers bought the company that put cellular infrastructure in Toronto's subway system, but at the same time all but shut out competitors like TELUS and Bell. That is, until the federal government forced Rogers to open things up after a significant uptick in violence on the subway system. As part of that, Rogers had to agree to expand the network, with a first milestone in 2025 and a second in 2026 that they have to hit. Fast forward to today: I got this in my inbox saying that they are starting the process of hitting those milestones:

The expansion work began this week in the tunnels between Kennedy and Warden stations on Line 2. Together with the TTC, Rogers is expanding the network in phases to connect the remaining 36 kilometres of unconnected tunnels. Work is being done during overnight and weekend construction windows to minimize disruption for riders.

When complete, the modernized and expanded 5G network will deliver seamless wireless coverage with mobile voice and data services in all 75 stations and tunnels across Toronto's subway system, part of Rogers' commitment to expand connectivity for Torontonians.

You know what? It's amazing what a corporation like Rogers will do if the right levers are pulled, as in the feds forcing them to do this. I say that because I am certain that Rogers would not have done this on their own, as they've never been and never will be that sort of company. Nor would they have opened up this network to non-Rogers customers if they were not forced to by the feds. So if you're in Toronto and you suddenly get cell service in the subway system where you never had it before in the weeks and months ahead, you can thank Rogers for putting in the work to make that happen. But you should also thank the feds for forcing Rogers to do the right thing.

AHEAD & Wiz Announce Partnership 

Posted in Commentary on May 30, 2024 by itnerd

AHEAD, a leading provider of enterprise cloud, data, and platform solutions, has announced a partnership with Wiz, an AI and cloud security company and Cloud Native Application Protection Platform (CNAPP) provider. Together, they are offering a comprehensive and integrated approach to securing cloud environments, empowering enterprises to confidently harness the potential of AI and cloud.

In today’s rapidly evolving enterprise cloud landscape, organizations face significant challenges in maintaining a robust security posture across their cloud environments. The complexity of cloud architectures, the pace of change in cloud services, and the growing sophistication of cyber threats make it increasingly difficult for organizations to effectively secure their cloud assets.

AHEAD’s Cloud Security Accelerator, powered by Wiz, addresses these challenges by providing a comprehensive and integrated approach to securing cloud environments. The solution offers precise identification of security posture deviations, robust mitigation of vulnerabilities, comprehensive auditing of development and deployment landscapes, and streamlined processes.

AHEAD’s Cloud Security Accelerator allows organizations to take control of their cloud security posture, mitigate risks, and achieve compliance, ultimately enabling them to confidently leverage the power of cloud computing while maintaining a secure and resilient IT environment.

TELUS Expands Mobility For Good Program

Posted in Commentary on May 30, 2024 by itnerd

Nine in 10 Canadians who have children 18 and under have reported that their costs of living have significantly increased over the past year, with 61 per cent of families having to adjust their day-to-day expenses (source: Abacus Data). 

To help families stay connected to each other and to services and information that matter most, today, TELUS is launching its Mobility for Good for Low Income Families program, expanding its program to support families across the country receiving the maximum Canada Child Benefit. The program enables families to receive discounted access to TELUS’ Mobility for Good plans, bringing them critical access to connectivity.

Mobility for Good as a whole is already open to 500,000 Canadians, including youth aging out of foster care, low-income seniors, Indigenous women at risk of violence, government-assisted refugees and other marginalized individuals. With today's expansion, 800,000 families eligible to receive the maximum Canada Child Benefit from the federal government are now able to benefit from TELUS' Mobility for Good program and can immediately apply through TELUS' website.

With 97 per cent of Mobility for Good participants reporting the program makes it easier to stay connected to friends, family and support workers and 86 per cent reporting the program helped them find resources in a crisis, this offering couldn’t be more important than it is now.

Canadian Business Optimism Wanes Amid Economic Challenges: Zoho

Posted in Commentary on May 30, 2024 by itnerd

The newly released Zoho Canada Business Outlook Report by Zoho Corporation, a leading global technology company, indicates a decline in business optimism among Canadian business leaders due to ongoing economic challenges. The report shows that 61.2% of respondents remain optimistic about the remainder of 2024, compared to 74.1% in the previous Q4 2023 report. Additionally, 32.9% cite the economy as their biggest challenge, and 51.9% indicate a decline in customer spending.

The survey, conducted in April 2024, included 1,000 Canadian business leaders (C-level to manager) and explored business performance, staffing trends, economic impacts, and technology usage. The report also highlights mixed priorities regarding Artificial Intelligence (AI), with 45.4% of respondents not considering it the most critical technology for their business, and moderate concerns about AI replacing existing roles (34.6%).

Key Survey Findings:

  • Respondents continue to be somewhat optimistic about their business with 63.1% of respondents anticipating growth of 1-20% (74.1% in Q4, 2023)
  • Staffing is holding steady with 57.2% of businesses planning to maintain current workforce levels (64% in Q4, 2023)
  • The integration of AI is a mixed priority with 45.4% of people not seeing it as the most critical technology.
  • 51.9% of respondents feel that customer spending is down
  • 24% of businesses indicate that cybersecurity is a technology priority, closely followed by collaboration tools (21.1%) and CRM (20.9%)
  • The availability of employee well-being programs skews towards the negative with 52.1%  of respondents indicating that none exist at their workplaces.

Employee Wellness

Employee wellness initiatives are critical for fostering a resilient and productive workforce, but there’s room for improvement – less than half of respondents indicated that wellness programs exist.

Employee wellness initiatives are split, with:

  • 52.1% of businesses lacking initiatives and 47.9% having some in place
  • Work-life balance is encouraged through flexible work hours (36.3%), remote work options (25.9%), regular breaks (22.4%), and paid time off for mental health days (15.4%).
  • 37.8% have observed a noticeable increase in such initiatives, reflecting a positive shift towards better mental health support

Business Outlook

  • 61.2% of businesses are optimistic
  • 28.6% are neutral
  • 10.2% are pessimistic 

Economic Impact and Customer Spending

Looking ahead, small businesses feel that the economy and a decline in customer spending are most likely to affect their business performance:

  • 32.9% of businesses cite the economy as their biggest challenge
  • 19.7% cite cash flow issues 
  • 14.0% cite funding/capital concerns 
  • Customer spending behavior has been negatively affected, with 51.9% observing a decrease in spending and only 22.3% seeing an increase
  • Ontario respondents indicate a slightly higher decrease of 53.5%, while Quebecers are less at 41.2%

Staffing

Staffing levels remain stable, with businesses planning to maintain their current workforce. However, there are concerns about AI’s impact on employment, with moderate worries about job replacement.

  • 57.2% of businesses plan to maintain their current workforce levels
  • 34.5% intend to hire more staff
  • 8.3% are planning layoffs
  • Concerns about AI replacing existing roles are moderate, with 22.7% somewhat concerned, 22.5% not very concerned, and 18.3% not concerned at all. 14.5% are very concerned.

Technological Integration and AI

While AI is recognized as important by some, many respondents do not consider it the most critical technology for their business. Among the primary factors driving AI adoption are increasing productivity, competitiveness, and reducing headcount/employee costs.

  • 45.4% do not consider AI as the most critical technology for their business, whereas 36.4% recognize its importance
  • The primary driving factors for AI adoption include increasing productivity (49.2%), increasing competitiveness (16.1%), and lowering headcount/employee costs (10.4%)
  • Technological priorities: 24.0% cybersecurity; 21.1% collaboration tools; 20.9% CRM

Report Methodology

Conducted in April, 2024, using Zoho Survey and Zoho Analytics, this study contacted 1,000 individuals across Canada. Participants in the study included a range of business leaders, from the C-level and owner/operators to managers, at small and large enterprises across a variety of industries.


Coach Atlantic Leverages Cradlepoint to Improve Customer Experience 

Posted in Commentary on May 30, 2024 by itnerd

Cradlepoint, part of Ericsson, the global leader in cloud-delivered LTE and 5G wireless network and security solutions, today announced that Coach Atlantic Maritime Bus, the largest motorcoach transportation provider in Atlantic Canada, has selected Cradlepoint as its technology provider to deliver internet connectivity onboard its fleet of 250+ vehicles across Prince Edward Island, Nova Scotia and New Brunswick.

Coach Atlantic serves a variety of customers including tours and school sports teams, and has been delivering Wi-Fi to its passengers for over 10 years in line with the company’s dedication to offering great service and amenities. However, over time the company found it was running into issues with the connectivity solution it was using. Uptime was becoming problematic, and maintenance and troubleshooting became more difficult and time consuming — causing frustration for drivers and the IT department, while also costing more money. 

The company made the decision to look at a different solution, and after reviewing several options selected Cradlepoint's IBR1700 dual-modem ruggedized router to roll out across its fleet, including NetCloud Service for management, service updates and more. The solution delivers access to passengers and drivers on one network.

Providing full-featured routing, security and Wi-Fi, the IBR1700 is a Gigabit-Class LTE networking offering that extends connectivity across a wide range of in-vehicle solutions used by fleets including mass transit, commercial trucks, first responders and near-shore vessels. NetCloud is included with the IBR1700 as an all-in-one subscription, providing a complete cloud management platform with specialized features for connecting, tracking, managing and troubleshooting in-vehicle networks. NetCloud allows Coach Atlantic to manage devices, set limits on data consumption, create web browsing content filters, and manage performance in real-time.

Better connectivity is on the minds of many Canadian business leaders over the next year, according to the recent State of Connectivity report, which found 25 per cent of Canadian business leaders expect improving their organization’s connectivity will grow their organization’s revenue by 10 to 14 per cent. 

Learn more about how Cradlepoint is working with Coach Atlantic in this case study.