For those of you who live in the Greater Toronto Area, your best way to use public transit is to use a Presto Card to pay for your trips on transit. Now Android users have had the ability to have their Presto Cards on their phones for a while now. iPhone users were out of luck. But that appears to be changing based on this Tweet:
Your iPhone and Apple Watch will soon be your PRESTO card.
I’m not sure what “soon” means to Metrolinx, which is the organization that oversees transit in the Greater Toronto Area. I say that because this organization has a pretty poor track record of delivering projects on time and on budget. Thus “soon” could be next year or next week. Who knows? But the fact that they are saying something implies that maybe something is coming in the next few weeks? We will have to see, and hopefully this doesn’t become another Metrolinx fiasco where they promise something but don’t deliver on time.
The report leverages VISO TRUST Platform-derived data, which includes profiles of more than 2.4 million companies, and insight from CISOs, security, and TPRM professionals across various industries.
Among key findings on legacy TPRM:
Inadequate responses: Approximately 75% of vendors responding to legacy questionnaire approaches requiring manual input either ignore or delay crucial risk assessments.
False positives: Conventional cyber risk ratings yield a 90% false positive rate, undermining their reliability.
AI-driven transformation of TPRM findings:
Efficiency gains: AI-assisted modern TPRM programs reduce vendor and partner assessment timelines from months to days.
Near-complete coverage: AI and automation achieve almost 100% coverage of third-party networks.
Significant increase in true positives: data analysis revealed a 500% rise in accurate risk identifications.
Faster assessments: Risk evaluation times have decreased from 60 to 90 days to just five to eight days.
Posted in Commentary with tags Apple on May 17, 2024 by itnerd
Apple is likely looking at this bug that appears to be widespread based on what I am seeing online. If you go to Privacy & Security –> Tracking, you’ll see this:
The “Allow Apps to Request to Track” toggle is completely greyed out. You can’t change this option at all. Now the second paragraph says that this is due to the fact that my Apple ID is missing age information. Except that it isn’t. I checked that. So this is a bug.
Why should you care? If you want to control how apps track you across the Internet, then this setting is kind of important because when it’s turned on, it allows apps to request permission to do so. When it’s off, apps can’t track you at all. So in the state that this setting is currently in, you may actually be better off, as it is ensuring that your app usage and the like remains private. But at the same time, I can see a scenario where this breaks some application because it can’t track your activities. Thus this needs to be fixed. And I assume that Apple will have to push out an iOS update to do that. Let’s hope that they do that soon, as this bug, along with a Photos bug where photos that were deleted have come back from the dead, makes it look like Apple’s QA team dropped the ball. Which of course isn’t a good look for Apple.
GuidePoint Security has published its April 2024 GRIT (GuidePoint Research and Intelligence Team) Ransomware report.
Last month, research revealed one of the year’s biggest takeaways thus far: Play, a typically smaller ransomware group, has overtaken Alphv and LockBit for the top spot in April 2024.
Additional key highlights include vertical trends: manufacturing remains the most impacted industry, technology is resurging as a frequent target, and healthcare and retail/wholesale continue to be in the top five most impacted industries, a notable change from previous years.
With regards to geographical distribution, the US remains the most targeted country, while attacks in the Global South are increasingly attributed to newer, developing groups.
Additionally, the report explores the operations of emerging ransomware groups and their innovative tactics, including using lower-quality malware and exploiting historical vulnerabilities.
Yesterday, MediSecure, an Australian digital prescription company, announced that the medical data of its million customers is at risk after hackers accessed its systems and demanded a ransom from the company.
At this time, MediSecure’s website and phone lines are out of operation.
“MediSecure has identified a cyber security incident impacting the personal and health information of individuals. We have taken immediate steps to mitigate any potential impact on our systems. While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors,” the company said in a statement posted to its landing page.
Exactly what was taken is unknown but between 2020 and 2023, doctors issued more than 122 million digital scripts across the platforms.
MediSecure, based in Melbourne, was one of two companies awarded contracts by the federal government to provide public e-script services until late last year, when the contract was granted exclusively to another company and MediSecure transferred all publicly funded electronic prescriptions and data to eRx.
No data appears to have been released online from the MediSecure hack and the hackers have not been identified publicly.
Stephen Gates, Principal Security SME, Horizon3.ai had this to say:
“Supply chain risks are becoming more prominent as attackers increasingly focus their efforts on smaller suppliers, who are often the weakest link. This fact poses a significant threat to the operational integrity and business continuity of buying and/or partnering organizations, making it a critical issue for CEOs, COOs, and CISOs to promptly address.
“Today’s organizations must affirm that their cyber-attack surface is no longer just their own. It now encompasses all of their third-party suppliers and partners’ attack surfaces as well. Therefore, not only do upstream buyers need to continuously assess their own cyber risk, but they also need to encourage and even demand their suppliers are doing the same.”
Another day, another third party hack. Sigh. You have to wonder what it will take for organizations to learn that they need to make their suppliers demonstrate that they are as secure as possible. Because this nonsense can’t continue.
Posted in Commentary with tags Asus on May 16, 2024 by itnerd
You might recall that earlier this week, I posted a story about ASUS doing all sorts of shady things when it came to warranty claims that were sent into ASUS by customers, and their crappy tech support. When it comes to the first part, I said this:
That brings me to the second point. Which is ASUS not supporting their customers’ warranty claims by bullying them into paying for repairs that they don’t need.
I encourage you to look at the original story as it goes into way more detail about this. This morning I woke up to this document from ASUS trending on Reddit. ASUS is claiming that based on the feedback that surfaced in the last few days, they will be making changes to their RMA process and they apologize for any “communication of frustration”.
The thing is that I don’t buy this at all. This is not the first time that ASUS has been in a situation like this. Last year Gamers Nexus highlighted ASUS and their questionable behaviour in terms of their motherboards and how they worked with AMD Ryzen 7000 CPUs. Which at the time was not well. The TL;DR is this: Some users had problems with their Ryzen 7000 processors on ASUS motherboards. And ASUS completely mishandled the situation in epic fashion, resulting in tech YouTube calling them out on it. Gamers Nexus was one of the loudest voices on YouTube calling them out, as evidenced by this video:
As a result, ASUS had to do all sorts of damage control to deal with this issue. And they pledged to do better. Here’s the Gamers Nexus video that details that:
Fast forward to today and ASUS is again pledging to do better when they are caught red handed in a bad situation, and tech YouTube calls them on it. What this looks like to me is not a genuine attempt to address their issues and make things better for their customers, but more of a “let’s say something that sounds warm and fuzzy to make this go away as quickly as possible.” In other words, I am calling BS on this.
My advice from earlier this week remains the same. In short, don’t buy ASUS products as they need to be taught a lesson that this sort of behaviour isn’t acceptable and has a cost to it. And this change to their RMA process doesn’t change the fact that this company has issues that have a direct impact on you the consumer should you need assistance from them. There are plenty of other companies who have better service than ASUS. And you should make sure those companies get your hard earned money instead of ASUS.
The 2024 Emerging Technology Adoption Report reveals that 61% of CIOs say their investments are often driven by fear of missing out (FOMO), and 69% say predicting the ROI is a ‘finger in the air’ exercise. Four in five argue they have to take risks on emerging technologies or they will ‘go the way of the dinosaurs’.
Unsurprisingly – barely half (53%) of emerging tech adoption projects deliver measurable value. Other key findings of the report include:
66% of CIOs say competitors will ‘eat them for lunch’ if they don’t move quickly on AI.
Yet 65% say AI is the most high-risk technology they’ve ever invested in, and 81% feel a ‘moral pressure’ to get it right.
82% of CIOs say it’s easy to ‘AI wash’ products by implementing new capabilities, without necessarily creating any tangible business benefits.
89% of CIOs say it’s difficult to maintain visibility and control of risk, and anticipate the impact of evolving regulations in emerging technology adoption projects.
Nearly half (49%) of CIOs fear there is a risk their company could run into trouble when the EU AI Act comes into force.
68% of CIOs say if they didn’t constantly alter course, it’s unlikely any of their emerging technology adoption projects would succeed.
Posted in Commentary with tags HP on May 16, 2024 by itnerd
The Q1 Threat Insight Report is live from HP Wolf Security this morning, and it reveals that cybercriminals are ‘Cat-Phishing’ users with open redirects and overdue invoice lures to infect victims with malware. Notable threats analyzed in the report include:
In an advanced WikiLoader campaign, cybercriminals directed users to trustworthy invoice sites, before sending them to malicious ones using open redirect vulnerabilities in ad embedding. This attack is almost impossible for users to spot.
A low-cost AsyncRAT campaign saw threat actors hiding malware inside HTML files posing as delivery invoices which, once opened in a web browser, unleash a chain of events deploying open-source malware.
Attackers used Living-off-the-Land (LotL) techniques – using legitimate tools like the Windows Background Intelligent Transfer Service (BITS) to upload or download malicious files to web servers and file shares.
Other findings include:
At least 12% of email threats identified by HP Sure Click Enterprise bypassed one or more email gateway scanners.
The top threat vectors in Q1 were email attachments (53%), downloads from browsers (25%) and other infection vectors, such as removable storage – like USB thumb drives – and file shares (21%).
This quarter, at least 65% of Excel document threats relied on an exploit to execute code, rather than macros.
Conversations are now the world’s largest dataset. Millions of hours of meetings happen everyday over video conferencing platforms, and hundreds of companies try to make sense of these meetings using AI-powered meeting bots that take months to build. Today, the universal API for meeting bots Recall.ai has announced a $10 million funding round to allow engineers to integrate with any meeting platform, including Zoom, Google Meet, Microsoft Teams, Slack Huddles, and even platforms with no API. This funding round comes hot on the heels of 10x growth over the past 12 months.
The Series A funding round was led by Ridge Ventures with participation from Industry Ventures, Y Combinator, IrregEx, Bungalow Capital, Hack VC, and other existing investors, and will be used to scale Recall.ai’s product and team. This fresh investment brings the company’s total amount raised to over $12M, following a $2.7 million seed round in December 2022.
It can take over one year for a team of specialist engineers to build the infrastructure and integrations required for even the most basic AI-powered meeting bots. After they’re built, companies face the bigger and more labor-intensive challenge of hosting and maintaining the infrastructure on hundreds of thousands of servers. In comparison, Recall.ai lets a single engineer get up and running with a meeting bot in a few days, even if they don’t have expertise in real-time video processing. This lets companies focus on building their core product while Recall.ai runs, monitors, and scales complex, real-time video infrastructure.
“Recall has been a critical partner to us in rolling out Fellow.app’s new AI copilot functionality which has been a huge hit with customers,” explained Aydin Mirzaee, CEO of Fellow.app. “We love working with Recall because they are focused on the infrastructure so that we can focus on what we’re good at – solving meeting productivity for companies everywhere.”
Co-founders David Gu and Amanda Zhu launched Recall.ai as two important trends emerged: a worldwide shift to remote work, and advances in AI technology that simplified the processing of unstructured voice and video data. Gu and Zhu previously worked on a real-time transcription tool for video conferences, where the bulk of their engineering team’s effort was spent building and maintaining integrations with conferencing platforms. The duo realized companies building LLM tools to process data from virtual meetings today were running into the same integration and infrastructure hurdles they had already solved, and decided to start Recall.ai to enable the next generation of LLM-powered apps.
Over the last 12 months, Recall.ai has grown 10x and today ingests millions of hours of video meeting data for more than 300 companies. Customers are currently using the platform to build powerful tools that leverage conversation intelligence for sales enablement discussions, productivity, customer success, financial advising, telehealth applications, and virtual depositions, among other use cases. Recently, Recall also partnered with Zoom to release an official Meeting Bot Starter Kit that generates a transcript, requests a meeting summary, and provides it to participants in near real-time.
With this new funding, the company is primed for the next phase of growth. The same way that AWS provided common infrastructure that every company building a web application would need as they scale, Recall.ai is setting out to provide the common infrastructure for every company who needs to access and apply AI to conversations.
I have a pair of domains that I use for my business. There’s theitnerd.ca which is what I use for email and my website. And there’s itnerd.blog which strictly hosts my blog. That’s on top of the domain that my wife and I use for our personal email. I have been concerned for a while about someone spoofing me and my company and causing reputational harm to my business or personal life as a result. Which is why I have been wanting to implement DMARC to stop that from happening. Now I’ve been kicking that can down the road until two things happened. The first is that I got a spoofing attack recently from someone who was pretending to have hacked my email in order to extort money from me. In fact, I have written about this sort of scam email here. But since I write about this stuff all the time, it along with the 80 copies of said email got deleted almost instantly as I recognized what it was and took the correct action as a result. But that episode showed that I could be spoofed by a threat actor. Which was of course a bad thing. The second thing was this report from Valimail about a North Korean spoofing attack where the North Koreans were taking advantage of people in my situation. That really got me to move on implementing DMARC because business email compromise as well as phishing are huge problems at the moment. And I don’t want to be part of the problem.
Now before I tell you what I did to address this, I want to explain what DMARC is and why anyone who has a domain that sends and receives email should care:
Domain-based Message Authentication, Reporting and Conformance, or DMARC, is an email security protocol. DMARC verifies that email senders are who they say they are. And you as the sender can set things up to have receivers of your email do one of three things with any incoming email that fails DMARC verification:
If an email fails DMARC verification, then do nothing other than report that it failed.
If an email fails DMARC verification, then quarantine it.
If an email fails DMARC verification, then reject it.
If you really want to go into the weeds on DMARC, click here to do so. The point of DMARC is to make sure that spoofed email never makes it to the inbox. Because any email that is spoofed is a hit to your online reputation. Or it leaves you open to things like the CEO email scam or other forms of business email compromise. But the most important reason to implement DMARC is that by not doing so, it becomes harder to get your legitimate emails delivered to people and companies. On top of all of that, Google and Yahoo are requiring DMARC to be implemented on the domains that send them email. And that’s likely to become a common thing with other organizations in the coming months and years. Meaning that if you own a domain, DMARC is a today problem for you.
Now in most cases, you may already have a DMARC policy set up in your Domain Name System (DNS) records, as I did. But chances are that it will likely do next to nothing for you. I will use my domain as an example of this so that you can see what I mean. Here’s the DMARC record that I started out with:
The important thing to note is the “p=none” part. The “p” stands for policy. And while simply having it set to “none” meets the minimum requirements of DMARC that Google and Yahoo stipulate, it does next to nothing to stop the issues that I highlighted above. This is where I started my journey. And it was a bit bumpy from start to finish.
I started with my hosting provider to see if they could assist me. But their tech support people had no clue how to implement DMARC in a way that would protect my domain from spoofing and the like. That forced me to do a fair amount of research on my own to figure out what I needed to do. Which often led to contradictory information that I had to sort through. After a few days of doing research and figuring out what was valid information and what was bogus information, I came up with this DMARC policy:
You’ll notice that this is a whole lot more expansive. Here’s what’s changed:
I now have p=quarantine along with sp=quarantine. What that means is that it directs the receiver of any email claiming to come from my domain or any subdomain that I have to quarantine any email that fails the DMARC check. Now if I were really strict, I would go for the reject option. But my logic at the time, which I will admit that I am currently rethinking for reasons that I will get to in a minute, is that suspect emails won’t make it to the inbox. Thus quarantine is fine.
You’ll also notice an “rua” and “ruf” entry with a redacted email address. These are tags designed for reporting what’s going on in terms of your email being received by other domains, Google for example. Here’s the detail on those two tags:
The “rua” tag is for aggregate data reports. The best way to explain that is that these are reports that say “this server connected to me saying that it was you and it passed or failed a DMARC check” at a very high level.
The “ruf” tag is for message-specific forensic information that is to be reported to you. As in a specific email had an issue and the receiving server is reporting on it in detail. I will admit that I am rethinking using this for reasons that I will get to in a minute.
As for the redacted email addresses, those are the email addresses that the reports will be sent to.
Now, let’s talk about the reports that I mentioned earlier. They show up in your inbox in XML format that isn’t human readable. To solve that problem, I use the MX Tools DMARC Report analyzer which makes these reports human readable. That way I have visibility into what’s going on from an email perspective. And I set aside a few minutes every day to read these reports. I admit that it’s a bit time consuming. But it ensures that I don’t find out about my bad news from CNN, so to speak.
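To show what an analyzer does with one of those XML aggregate reports, here is an added example (not the blog's code, and not the MX Tools product) that parses a constructed report in the RFC 7489 aggregate-report layout for theitnerd.ca. The report is made up for this example: one source passes aligned DKIM and SPF, and a second source (198.51.100.7, a documentation address) passes SPF only for an unrelated domain, so its aligned results are fail/fail and the published p=quarantine policy was applied.

```python
"""Summarise a DMARC aggregate (rua) report the way an analyser would.

Added example, not the blog's code. SAMPLE_REPORT is constructed; the IPs are
documentation addresses and the receiver name is a placeholder.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>example-receiver.invalid</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1715904000</begin><end>1715990400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>theitnerd.ca</domain><p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>theitnerd.ca</header_from></identifiers>
    <auth_results>
      <dkim><domain>theitnerd.ca</domain><result>pass</result></dkim>
      <spf><domain>theitnerd.ca</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>theitnerd.ca</header_from></identifiers>
    <auth_results>
      <spf><domain>spoofer.invalid</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate(xml_text: str):
    """Return (published policy, per-source rows) from an aggregate report."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    published = {"domain": pub.findtext("domain"), "p": pub.findtext("p"),
                 "sp": pub.findtext("sp") or pub.findtext("p"),
                 "pct": int(pub.findtext("pct") or 100)}
    rows = []
    for rec in root.iter("record"):
        pe = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": pe.findtext("disposition"),
            "dkim": pe.findtext("dkim"),   # aligned DKIM result, not raw auth_results
            "spf": pe.findtext("spf"),     # aligned SPF result, not raw auth_results
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return published, rows


def unauthenticated_sources(rows):
    """Rows that failed both aligned checks: mail claiming your domain that nothing
    you control vouched for, which is the spoofing the policy exists to stop."""
    return [r for r in rows if r["dkim"] == "fail" and r["spf"] == "fail"]


def render(published, rows) -> str:
    """Human-readable summary, one line per sending source."""
    lines = [f"{published['domain']}: p={published['p']} sp={published['sp']} "
             f"pct={published['pct']}"]
    for r in rows:
        lines.append(f"  {r['source_ip']:>15}  {r['count']:>5}  dkim={r['dkim']:<4} "
                     f"spf={r['spf']:<4} -> {r['disposition']}")
    bad = sum(r["count"] for r in unauthenticated_sources(rows))
    lines.append(f"  {bad} of {sum(r['count'] for r in rows)} messages failed both checks")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*parse_aggregate(SAMPLE_REPORT)))
```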
As an aside, the above is not meant to be a how to guide. I’m offering this up to help to illustrate the process of implementing DMARC. If you’re planning on doing this, you should seek professional assistance from an expert on the subject if you are not sure how to proceed.
Clearly, this is a lot of work. And I had to do versions of this for not only both my business domains, but my personal one as well. And I wished at the time that there was some sort of best practice guide or something similar that would have made it easier for me to do this. Then it dawned on me that I can’t be the only person who has this challenge. Thus I decided to reach out to DMARC experts Valimail as I had been writing about them for some time on this very topic. At the same time I could run my DMARC setup by them as they are the experts in DMARC and see what I could improve on, as I admit that I kind of YOLO’ed this. The result of that request was that Valimail, or more accurately Seth Blank, the CTO of Valimail, was kind enough to set aside some time for me to flesh out what DMARC is and why you should care, along with having a quick look at my setup.
Now I’ve already covered the what DMARC is and why you should care part above. But during our discussion, I asked him what the best practice in terms of a DMARC policy is, as I could not find a straight answer on that. His answer is that in short, your DMARC policy should be set to reject any email that doesn’t come from your domain. However quarantine works as well because emails will not be hitting the inbox either. And if emails are not hitting the inbox and are instead being put into quarantine, people are more likely to take a more critical look at what’s in there. Or to put it another way, the receivers of your email are less likely to get compromised by a threat actor. Now using the quarantine policy is one of the things that I am rethinking at the moment, as I am now toying with the idea of switching to the reject policy. I am going to take a wait and see approach on that for my personal and company domains based on what’s in the reports that get sent to me. Though, on my itnerd.blog domain, I made the switch to the reject policy as I don’t send or receive email from that domain at all. Thus if anyone gets an email that ends in “@itnerd.blog”, it’s guaranteed to be a spoofed email. Making the reject policy the right choice. The other thing that Mr. Blank pointed out is that I have a “ruf” tag in my DMARC setup. The potential problem with that tag is that I am going to get reports about specific emails that have issues, and those reports may contain information that potentially violates the GDPR. Also, the reports that this tag enables go deep into the weeds. And chances are that going deep into the weeds will not be required 99% of the time. So I’ll be removing this tag later today.
The one thing that Mr. Blank emphasized to me is that, besides brand protection and stopping things like spoofing and business email compromise, implementing DMARC properly can increase the deliverability of emails to your recipients. Mr. Blank cited the HMRC in the UK and its battle with fraudsters. Prior to implementing DMARC, fraud using the HMRC domain was out of control. And legitimate HMRC emails were not making it to the inbox. But after implementing DMARC, this happened:
HMRC was able to reduce spoofing by half a billion emails, which is fantastic. But we also improved delivery rates of genuine emails from 18% to 98%, all through the implementation of DMARC. Nothing extra – the very same thing that reduced the spoofing also increased the delivery of genuine emails.
Now nobody should expect that stunning result by implementing DMARC, but as Mr. Blank put it, implementing DMARC reduces the noise. And forces threat actors to change their tactics as a domain with DMARC that is properly implemented is simply not as vulnerable to spoofing or business email compromise. At the same time, your legitimate emails are much more likely to hit the inbox. Meaning your communications are more likely to be seen and more likely to be effective. Thus implementing DMARC is unquestionably a worthwhile exercise.
Here’s the bottom line. If you own a .com, .ca, .biz or some other domain, you should be looking at setting up DMARC. It’s going to make sure that your emails are more likely to reach their intended recipients. And it’s going to ensure that your online reputation remains intact. Both of which are very good things.
I’d like to thank Seth Blank of Valimail for his time in terms of researching this story and his guidance in terms of getting my DMARC setup right.
Presto Card Support Coming To iPhone…. Soon…. Whatever That Means
Posted in Commentary with tags Presto on May 18, 2024 by itnerd