CISA, FBI, DHS Release Guidance For Limited Resourced Civil Society Organizations
Posted in Commentary with tags CISA, DHS, FBI on May 15, 2024 by itnerd
Yesterday, in partnership with the DHS, the FBI and numerous international agencies, CISA released a joint guidance document to help civil society organizations and individuals reduce the risk of cyber intrusions and to encourage software manufacturers to actively commit to implementing Secure by Design practices that help protect vulnerable and high-risk communities.
“Civil society, comprised of organizations and individuals such as– nonprofit, advocacy, cultural, faith-based, academic, think tanks, journalist, dissident, and diaspora organizations, communities involved in defending human rights and advancing democracy–are considered high-risk communities. Often these organizations and their employees are targeted by state-sponsored threat actors who seek to undermine democratic values and interests,” CISA’s release read.
Civil society organizations and individuals are encouraged to implement the following best practices as defined by CISA’s Cross-Sector Cybersecurity Performance Goals:
Keep software and applications updated on devices and IT infrastructure
Use multifactor authentication and strong passwords
Audit accounts and disable unused and unnecessary accounts
Disable user accounts and access to organizational resources for departing staff
Apply the Principle of Least Privilege
Exercise due diligence when selecting vendors, such as cloud services and MSPs
Manage architecture risks
Implement basic cybersecurity training
Develop and exercise incident response and recovery plans
Use encryption measures to protect all communications
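Three of the practices above (auditing and disabling unused accounts, cutting off departing staff, and least privilege) are mechanical enough to script. The following is an added example, not part of CISA's guidance or this post; the account inventory, role names and permission strings are constructed, and the role-to-permission baseline is a hypothetical stand-in for whatever an organization's directory or identity provider actually records.

```python
"""Account hygiene audit (added example; constructed data).

Checks a constructed account inventory for three of the CISA practices:
  - accounts of departed staff that are still enabled,
  - enabled accounts that have not logged in for `dormant_days`,
  - grants that exceed what the account's role needs (least privilege).
"""
from datetime import datetime, timedelta

# Hypothetical role -> permissions an account in that role should hold.
ROLE_BASELINE = {
    "staff": {"email", "files:read"},
    "finance": {"email", "files:read", "ledger:write"},
    "it-admin": {"email", "files:read", "files:write", "admin"},
    "service": {"files:read"},
}

# Constructed inventory; in practice this comes from the directory / IdP export.
ACCOUNTS = [
    {"user": "alice", "role": "staff", "enabled": True, "employed": True,
     "last_login": "2024-05-10", "perms": {"email", "files:read"}},
    {"user": "bob", "role": "staff", "enabled": True, "employed": False,
     "last_login": "2024-04-30", "perms": {"email", "files:read"}},
    {"user": "carol", "role": "finance", "enabled": True, "employed": True,
     "last_login": "2023-11-02", "perms": {"email", "files:read", "ledger:write"}},
    {"user": "dan", "role": "staff", "enabled": True, "employed": True,
     "last_login": "2024-05-01", "perms": {"email", "files:read", "admin"}},
    {"user": "backup-svc", "role": "service", "enabled": True, "employed": True,
     "last_login": None, "perms": {"files:read"}},
    {"user": "erin", "role": "staff", "enabled": False, "employed": False,
     "last_login": "2023-01-15", "perms": {"email"}},
]

# Constructed "today" so the run is reproducible.
AUDIT_DATE = datetime(2024, 5, 15)


def audit_accounts(accounts, today, dormant_days=90):
    """Return a list of (user, finding) tuples for enabled accounts needing action."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled; nothing to do
        if not a["employed"]:
            # Departing staff: disable regardless of activity or permissions.
            findings.append((a["user"], "disable: departed staff"))
            continue
        if a["last_login"] is None:
            findings.append((a["user"], "review: never logged in"))
        elif datetime.strptime(a["last_login"], "%Y-%m-%d") < cutoff:
            findings.append((a["user"], f"disable: dormant > {dormant_days} days"))
        # Least privilege: anything beyond the role baseline is flagged for removal.
        extra = a["perms"] - ROLE_BASELINE.get(a["role"], set())
        if extra:
            findings.append((a["user"], "reduce: excess permissions " + ",".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, AUDIT_DATE):
        print(f"{user:12} {finding}")
```

Run on a real export, the same loop feeds a ticket queue or a scripted disable; the point is that each of the three list items becomes a cheap, repeatable check rather than a one-off review.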
Software manufacturers are strongly encouraged to embrace Secure by Design principles and mitigations to improve the security posture of their customers, including:
Vulnerability management: working to eliminate entire classes of vulnerability in their products
Enabling MFA by default in all products
Providing logging at no additional charge and alerting customers to suspicious or anomalous behavior
Implementing alerts so customers are aware of unsafe configurations, suspicious behavior, and malware
Including details of a Secure by Design program in corporate financial reports
Dave Ratner, CEO, HYAS had this to say:
“Security by design is a good practice to implement and goes hand-in-hand with the equivalent for enterprise network design — designing for cyber resiliency. Too often security is an after-thought; with both security by design for software engineering, and cyber resiliency design for networks and organizations, the overall design becomes foundationally secure, and that’s exactly what is needed going forward to combat the continued onslaught of new and innovative attacks and risks.”
What I like about this initiative is that it is targeting a group of people who likely don’t spend a lot of time and effort making sure that they are secure, yet they are low-hanging fruit for threat actors. Hopefully this generates results and civil society organizations and individuals are better protected as a result.
HP has announced a new partnership with Google. With more than half of meaning and intent communicated through body language rather than words alone, an immersive collaboration experience plays an important role in creating authentic human connections in the evolving hybrid work framework. Project Starline is a breakthrough communications technology from Google that leverages AI, 3D imaging, and other technologies to offer a genuinely realistic meeting experience. HP’s expertise in computing, combined with its investment in Poly audio and video technology, makes it the right choice to deliver this new collaborative solution to the global market.
A few days ago, I wrote about my use of virtual machines and I mentioned this:
Now, earlier on I did mention that I currently run two virtual machine software. That’s going to change as I am going to migrate to UTM for all my virtual machines. I’m doing that because since VMware has been acquired by Broadcom, their level of support has nosedived. You can take a scroll through the VMware Sub-Reddit to see the complaints about this acquisition that people have. And a lot of my clients are looking to move their enterprise level virtual machines off of the VMware platform for greener pastures like Microsoft Hyper-V, Nutanix or Citrix as a result of the chaos caused by the Broadcom acquisition. That lessens my need to run VMware’s software. Also UTM has much broader support for classic operating systems such as Windows XP and Windows 7. Which is something that VMware doesn’t offer. Thus it makes sense for me to transition to UTM.
Well, I may be rethinking this move because The Register is reporting that VMware, or more accurately Broadcom, which now owns VMware, is going to offer Workstation Pro for PC and Fusion Pro for Mac for free… for personal use. Now part of me thinks that this is a trap as this is an honour system. Meaning that if you’re some kid in their college dorm, Broadcom won’t care. But some company will likely play fast and loose with this and I can see Broadcom doing an audit and catching out a company on this front. I’m thinking this because the acquisition of VMware by Broadcom has been a clown show.
Anyway, the transition from the VMware customer portal to the Broadcom version is something that’s currently ongoing and is scheduled to end today. Assuming that happens on schedule, which, given that this whole acquisition has been a clown show as mentioned previously, I question is going to be the case, I’ll be able to get a license key and test out Fusion Pro. Then I will be able to make a call as to whether I should move to UTM. Right now I can’t see any of my VMware license keys in the customer portal, and I can’t make new ones to get Fusion Pro working. But let’s see if that changes.
UPDATE #2: I just got a chance to try updating to version 13.5.2 of VMware Fusion. It didn’t work and I am still stuck on VMware Fusion Player. I did some checking around and I found this post from the Product Manager of VMware Fusion, Michael Roy, who states that he is coming up with details on how to convert to Fusion Pro if you have Fusion Player installed. But the linked post walks you through how to install Fusion Pro as a new user.
UPDATE #3: I now have the Pro version of VMware Fusion installed. What I did is use a utility called AppCleaner to get rid of the current install of VMware Fusion Player. Then I downloaded version 13.5.2 from the Broadcom site and installed it. When you do that, you get the option to use the Pro version for personal use after the install is finished. This is pretty dumb as I should not have to delete the app to get this to work. It should simply work via an upgrade to 13.5.2. Clearly VMware or likely Broadcom didn’t have this scenario in their test plans. In any case, you won’t lose any of your virtual machines by doing this. Though you will have to go to File –> Scan For Virtual Machines to add them back.
Posted in Commentary with tags HYAS on May 14, 2024 by itnerd
HYAS Infosec, an adversary infrastructure platform provider that offers unparalleled visibility, protection and security against all kinds of malware and attacks, and Carahsoft Technology Corp., The Trusted Government IT Solutions Provider®, today announced a partnership. Under the agreement, Carahsoft will serve as HYAS’ Master Government Aggregator®, bringing the company’s industry leading HYAS Protect protective Domain Name System (DNS) and HYAS Insight threat intelligence and investigation platforms to the Public Sector through Carahsoft’s reseller partners and NASA Solutions for Enterprise-Wide Procurement (SEWP) V, Information Technology Enterprise Solutions – Software 2 (ITES-SW2), National Association of State Procurement Officials (NASPO) ValuePoint and OMNIA Partners contracts.
HYAS solutions help Government agencies align to DNS security requirements set forth by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Department of Defense (DoD). Considered a “must-have” by CISA and the NSA, Protective DNS is an essential component of the Public Sector’s security posture, as well as a critical element of the Cybersecurity Maturity Model Certification (CMMC) framework.
Globally recognized independent research institute AV-TEST GmbH tested HYAS Protect and found it provides exceptionally high levels of cybersecurity protection. The solution leverages intelligence and data derived from the HYAS Adversary Infrastructure Platform to uniquely analyze and correlate data points together for increased efficacy and deeper insights.
HYAS solutions include its award-winning HYAS Insight threat intelligence and investigation platform and HYAS Protect Protective DNS solution, available through Carahsoft’s SEWP V contracts NNG15SC03B and NNG15SC27B, ITES-SW2 Contract W52P1J-20-D-0042, NASPO ValuePoint Master Agreement #AR2472 and OMNIA Partners Contract #R191902. For more information, please contact the Carahsoft Team at (703) 871-8548 or HYAS@carahsoft.com; or visit the Carahsoft HYAS webpage to learn more about HYAS’ solutions.
Posted in Commentary with tags Apple on May 14, 2024 by itnerd
Apple released iOS 17.5 yesterday, and one of the highlight features that iOS users should care about is that it expands the ability to protect you from Bluetooth trackers. Up until yesterday, an iPhone could detect an AirTag or a Find My-compatible Bluetooth tracker. However, if a threat actor used some other Bluetooth tracker, it would fly under the radar. That of course is a huge loophole. But that loophole gets closed if you update to iOS 17.5. Here’s how Apple described it in a press release issued yesterday:
With this new capability, users will now get an “[Item] Found Moving With You” alert on their device if an unknown Bluetooth tracking device is seen moving with them over time, regardless of the platform the device is paired with.
If a user gets such an alert on their iOS device, it means that someone else’s AirTag, Find My accessory, or other industry specification-compatible Bluetooth tracker is moving with them. It’s possible the tracker is attached to an item the user is borrowing, but if not, iPhone can view the tracker’s identifier, have the tracker play a sound to help locate it, and access instructions to disable it. Bluetooth tag manufacturers including Chipolo, eufy, Jio, Motorola, and Pebblebee have committed that future tags will be compatible.
In short, finding an unwanted tracker works the same way iOS users are used to. I should also note that if you are on team Android, as long as you’re running Android 6 or higher, you’ll get this functionality as well, so you’re protected from unwanted trackers too. So if you’re an iOS user and you haven’t updated to iOS 17.5, you might want to do it now to stop stalkers, car thieves, and other evildoers from tracking you.
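To make the rule in Apple's description concrete ("seen moving with them over time"), here is an added example of the detection heuristic, not Apple's or Google's implementation and not from this post. It assumes the phone keeps a log of Bluetooth sightings with an approximate position, that devices paired to the user are known, and the thresholds (number of distinct places, separation distance, time span) are constructed values chosen for the illustration.

```python
"""Unknown-tracker heuristic (added example; constructed data and thresholds).

Rule illustrated: a device the user does not own is flagged when it has been
observed at several mutually distant places over a sustained period, i.e. it
is travelling with the user rather than sitting at one location.
"""
from collections import defaultdict
from math import hypot

# Devices paired to this user are never flagged (constructed).
OWNED_DEVICES = {"my-headphones"}

# Constructed scan log: (minutes since start, device id, x metres, y metres).
# 'tracker-A' follows the user home -> cafe -> office; 'cafe-beacon' stays put.
SIGHTINGS = [
    (0, "my-headphones", 0, 0), (0, "tracker-A", 0, 0),
    (25, "tracker-A", 1500, 300), (25, "cafe-beacon", 1500, 300),
    (25, "my-headphones", 1500, 300),
    (60, "tracker-A", 4200, -900), (60, "my-headphones", 4200, -900),
    (61, "tracker-A", 4205, -895),  # same office, a minute later
]


def unwanted_trackers(sightings, owned, min_separation_m=500,
                      min_places=3, min_minutes=30):
    """Return ids of unowned devices seen at >= min_places locations that are
    at least min_separation_m apart, spanning >= min_minutes of time."""
    by_dev = defaultdict(list)
    for t, dev, x, y in sightings:
        if dev not in owned:
            by_dev[dev].append((t, x, y))
    flagged = []
    for dev, obs in by_dev.items():
        # Greedily collect distinct places: a sighting counts as a new place
        # only if it is far enough from every place already recorded.
        places = []
        for _, x, y in obs:
            if all(hypot(x - px, y - py) >= min_separation_m for px, py in places):
                places.append((x, y))
        span = max(t for t, _, _ in obs) - min(t for t, _, _ in obs)
        if len(places) >= min_places and span >= min_minutes:
            flagged.append(dev)
    return flagged


if __name__ == "__main__":
    print("Item Found Moving With You:", unwanted_trackers(SIGHTINGS, OWNED_DEVICES))
```

The two thresholds trade false alarms against delay: raising `min_places` or `min_minutes` avoids alerting on a neighbour's tag seen at the same two bus stops every day, at the cost of a later warning when a tag really is riding along.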
Late last week, after threat actors posted evidence of a hack on BreachForums, Dell started warning 49 million customers that a threat actor had obtained their personal information through a data breach using a partner portal API, which they accessed posing as a fake company. The breach was first reported by DailyDark Web. The data includes detailed customer information on Dell system purchases between 2017 and 2024. With a huge portion of Dell’s $88.4 billion in annual revenue coming from sales to the US government, this reaches deeply into that sector.
The data includes customer information of purchases made from Dell in the US, China, India, Australia, and Canada. Data stolen includes:
The full name of the buyer or company name
Full address
Unique seven-digit service tag of the system
Shipping date of the system
Warranty plan
Serial number
Dell customer number
Dell order number
The threat actor known as Menelik put the data up for sale on the Breached hacking forum on April 28th and told BleepingComputer that they were able to steal the data from a portal for Dell partners, resellers, and retailers. All Menelik had to do was register multiple accounts under fake company names and he had access within two days without any additional verification.
“It is very easy to register as a Partner. You just fill an application form,” Menelik said.
“You enter company details, reason you want to become a partner, and then they just approve you, and give access to this “authorized” portal. I just created my own accounts in this way. Whole process takes 24-48 hours.”
The threat actor claims they could harvest the information of 49 million customer records by generating 5,000 requests per minute for three weeks, without Dell blocking the attempts.
The threat actors said they emailed Dell on April 12th and 14th to report the bug to their security team but apparently Dell never replied to the emails and didn’t fix the bug until approximately two weeks later, around the time the stolen data was first put up for sale on the Breach Forums hacking forum.
Ted Miracco, CEO, Approov Mobile Security had this to say:
The breach was conducted via an API accessible through the partner portal, which Menelik accessed using the fake accounts. The ability to generate 5,000 requests per minute for an extended period without being flagged or blocked by Dell’s security systems points to inadequate rate limiting and abnormal activity detection on Dell’s APIs, beyond the blatantly lax vetting process for registering partners. This lack of robust API security controls such as proper throttling and anomaly detection mechanisms exposed Dell to prolonged unauthorized data extraction. The breach impacts customers across multiple major markets, including the US, China, India, Australia, and Canada, potentially exposing Dell to regulatory scrutiny and fines under various data protection laws like GDPR, CCPA, and others. Moreover, the breach should erode trust among Dell’s customers and partners, affecting its reputation negatively.
Dell has a lot of explaining to do. There is no way that this should have happened. I hope that Dell gets smacked silly by authorities everywhere so it sends a message that companies have to make every effort to protect customer data without fail, and that there’s going to be punishment if that’s not happening.
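The two controls named in the quote above, per-account rate limiting and anomaly detection on the partner API, are easy to show against access logs. The following is an added example, not Dell's code and not from the post; the log format, partner names, service-tag values and thresholds are all constructed. It flags an account on either of the two signals the article describes: a request rate far above normal, or enumeration of an unusual number of distinct record identifiers.

```python
"""Partner-API abuse detection over access logs (added example; constructed data).

Two signals, matching what the article says went unnoticed:
  - request rate per account per minute above `rate_per_min`,
  - number of distinct service tags looked up above `max_distinct_tags`
    (sequential lookups of one record after another are enumeration, not
    a partner checking its own orders).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line format: "<ISO time> partner=<id> GET /api/orders?tag=<tag> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) partner=(?P<partner>\S+) GET /api/orders\?tag=(?P<tag>\w+) (?P<status>\d{3})$"
)


def build_sample_log():
    """Constructed log: 'acme' behaves normally, 'shell-co' scrapes."""
    lines = []
    t0 = datetime(2024, 4, 20, 10, 0, 0)
    for i in range(5):  # legitimate partner: 5 lookups spread over an hour
        ts = (t0 + timedelta(minutes=12 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} partner=acme GET /api/orders?tag=ACME{i:03d} 200")
    for i in range(300):  # scraper: 300 sequential tags inside one minute
        ts = (t0 + timedelta(milliseconds=200 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} partner=shell-co GET /api/orders?tag=SEQ{i:07d} 200")
    lines.append("garbage line that does not parse")  # parser must skip this
    return lines


def detect_abuse(lines, rate_per_min=60, max_distinct_tags=100):
    """Return {partner: [reasons]} for accounts that trip either threshold."""
    per_minute = defaultdict(lambda: defaultdict(int))  # partner -> minute -> count
    tags = defaultdict(set)                              # partner -> distinct tags
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        minute = m["ts"][:16]  # "YYYY-MM-DDTHH:MM" buckets requests per minute
        per_minute[m["partner"]][minute] += 1
        tags[m["partner"]].add(m["tag"])
    findings = {}
    for partner, minutes in per_minute.items():
        peak = max(minutes.values())
        reasons = []
        if peak > rate_per_min:
            reasons.append(f"rate {peak}/min exceeds {rate_per_min}")
        if len(tags[partner]) > max_distinct_tags:
            reasons.append(f"enumerated {len(tags[partner])} distinct service tags")
        if reasons:
            findings[partner] = reasons
    return findings


if __name__ == "__main__":
    for partner, reasons in detect_abuse(build_sample_log()).items():
        print(partner, "->", "; ".join(reasons))
```

Detection after the fact is the cheaper half; the same per-minute counter placed in front of the API (answering with HTTP 429 once the budget is spent) is the throttling the quote says was missing, and the distinct-tag count is the kind of per-account baseline that turns three weeks of scraping into an alert on day one.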
Posted in Commentary with tags Asus on May 13, 2024 by itnerd
As many of you know, I own a few ASUS products. Specifically, this gaming PC that I use for cycling indoors on Zwift. And this ZenWiFi XT8 mesh router that I’ve been using for a few years now. But today, I am going public with this statement.
Anyone who reads this blog should not buy ASUS products. Ever.
There’s a pair of reasons that drove me to make this statement. The first is their technical support, which is abysmal. The second is that there’s an increasing pattern of ASUS not supporting their customers’ warranty claims by bullying them into paying for repairs that they don’t need.
Let’s start with their tech support. Or rather lack of it. I have had my own issues with their tech support as evidenced by this interaction with them where they couldn’t understand and help me with setting up a PPPoE connection that worked well. I ran around in circles with them for about two weeks before I got fed up with their incompetence. At the time, I said this:
What is worse is that all this troubleshooting was done via email which is the absolute worst way to provide tech support. Especially with complex issues like this. Getting onto a Zoom session or a phone call would have likely resulted in some sort of positive progress, and maybe even a solution. But they didn’t go that route and the net result of this rather negative experience is that it drove me to look at other options that avoided the use of PPPoE to get better performance from the XT8. It also made me decide that I won’t be recommending ASUS gear to my home and prosumer clients anymore. And chances are, my next router at home won’t be an ASUS product. While ASUS has great hardware, their support doesn’t meet the mark. Having competent tech support adds to the value of the gear that a vendor like ASUS makes. Or in this case, not having competent support detracts from the value of the gear that ASUS makes. So if the people at ASUS are reading this, they might want to look at this negative situation and make changes internally to make sure that they’re not on the wrong side of a public post like this as this sort of #Fail reflects poorly on ASUS as a brand. And will likely affect their future sales.
Since I wrote that, I’ve received dozens of emails from people who have had similar experiences with their tech support. That’s not a good look for ASUS because a company is only as good as the support it provides its customers. And if they provide bad support to their customers, those customers will get fed up and not be their customers any longer. And they will tell their friends, or someone like me who has the reach to tell a whole lot of people about how bad ASUS tech support is. ASUS should consider that and change course before they have no customers to speak of.
That brings me to the second point, which is ASUS not supporting their customers’ warranty claims by bullying them into paying for repairs that they don’t need. YouTube channel Gamers Nexus has investigated the bad behaviour of ASUS in the past. And their latest video details what looks like a systemic pattern of ASUS trying to extract cash from users who send in their hardware for warranty repairs by bullying them into paying for extra repairs that they don’t need. I would set aside 30 minutes to watch this video to get the full story:
The thing is, this isn’t the first time that ASUS has been caught doing something shady. If you do a search for “Gamers Nexus ASUS” on YouTube, you can see all the shady stuff that they have been caught doing. In addition, right to repair advocate and YouTuber Louis Rossmann has his own take on this:
If that’s not enough, there’s actually more. A Reddit thread surfaced in the last few days where ASUS quoted a Canadian customer a mind-blowing $2799 USD to repair an RTX 4090 GPU that needed its 16-pin power connector replaced. The price is insane because the card had been purchased two weeks before this happened for $2050 USD. To say that the behaviour of ASUS is a bit suspect in this is an understatement.
On top of that, YouTuber JayzTwoCents dumped them as a sponsor of his channel because of their shady behaviour a while back. Here’s the video that details why he did that:
This is pretty bad for ASUS. When a YouTuber dumps you, you know you’re in a bad place.
Now in my case, I’ve been doing some dumping of ASUS products of my own. The PC that I mentioned earlier has been removed from service and replaced by this M2 Pro Mac mini. The PC in question is now sitting in my storage locker waiting to be sold. If you’re interested, I’ve got a fresh install of Windows 11 and it’s ready to go. Email me and we can take it from there. Now while I do have my issues with Apple, they support their customers and they don’t have a reputation for shady behaviour like ASUS does. Thus I will continue to buy products from Apple as they have largely demonstrated that they deserve my money.
Next up is my mesh router. While the XT8 mesh router has been generally reliable, the shady behaviour of ASUS combined with my negative tech support experience means that a mesh router from another company will take its place when it’s time for me to go to WiFi 7. Right now the leading contender to replace the XT8 is Netgear, who used to be suspect in terms of how they handled security issues, but have very much improved after being called out on that front repeatedly. Though I have to admit that I’m looking at other companies as well, and I will base my decision on what I go with on the following criteria:
Security posture: In other words, how well they deal with security issues. Such as deploying patches and how fast they go public in terms of letting their customers know about severe issues that need immediate attention.
Performance: I want my router to give me top notch performance at all times because I want to maximize the speed of my Internet connection at all times.
Product Support: As I said earlier, a product is only as good as its support. So this is going to factor into what I get.
I’m hoping to do this switch this year. But one of the things that I am waiting on is WiFi 7 routers to appear in quantity so that I get a fair amount of choice before serving up my credit card to pay for it.
The only other thing that I’ve done is that I stopped recommending ASUS products to my home and prosumer customers. In fact, that happened about a year and a half ago when I had that negative experience with ASUS tech support. The reason I stopped recommending them is that when I recommend something, it has to be something that I would be willing to stake my reputation on. I can’t stake my reputation on recommending ASUS products. No way, no how.
Finally if you have had an issue with ASUS when it comes to the warranty repair of a product, report it as per the advice of Louis Rossmann and Gamers Nexus. In the US you can file a report using this link:
If I find a similar reporting vehicle for Canada, I will post it here. The point is that if enough people report the behaviour of this company to the feds, then ASUS will have a whole lot of explaining to do.
So in short, I am done with ASUS. Given the issues with ASUS that have been exposed by others, and the issues that I’ve personally experienced, the only conclusion that you should come to is that ASUS doesn’t deserve your money. And one of the best ways to drive that point home to ASUS other than to report their behaviour to the feds is to not buy their gear. After all, ASUS may not care about how consumers feel about them. But they sure will care about their bank account getting smaller and smaller as consumers don’t buy their products. Maybe then ASUS will change course and become a company that cares about consumers rather than appear to screw them over at every opportunity. Though I am not holding my breath on that front given how they have behaved up until now. But I suppose anything is possible.
Posted in Commentary with tags Tango on May 13, 2024 by itnerd
Tango, a leader in the global digital rewards and payouts space, today launched an important new product called Global Choice Link. This game-changing solution offers recipients their choice of digital gift cards and prepaid cards instantly—without the operational headaches of managing complex geographic and currency management issues.
This launch represents a considerable leap forward for Tango—and the industry at large—in ease of use and global capabilities. Until now, sending rewards globally could be challenging even for well-established providers as they struggled to find attractive rewards in emerging countries, worked to localize language, managed unstable supply chains, and dealt with currency conversions. Global Choice Link removes these hassles for our business customers. With Global Choice Link, you send one product to recipients wherever they happen to be on the globe, and they have immediate access to rewards that are relevant and impactful for them.
Upon receiving the Global Choice Link, the recipient selects their country and currency and chooses from a relevant list of rewards available in their local area. This is simply awesome for the recipient.
To learn more about Global Choice Link or request a demo, visit Tango’s website.
Reddit has announced that they’ve appointed Jyoti Vaidee as their new VP of Ads Product. Jyoti was previously the Director of Product Management at Google, where she spent 11 years leading ads products like Google’s Display Ads and monetization efforts. In this new role, Jyoti will drive ads product strategy, execution, and management of the Ads Product organization.
Investigating scams is not a risk-free business. For example, a scam website might be a vector for malware or viruses. Which means that if I use my MacBook Pro to test something, there’s a risk that I could blow it up and be out of business for days. Fortunately, there’s a way around that. I use virtual machines.
A virtual machine is the virtualization or emulation of a computer system. Virtual machines are based on computer architectures and provide the functionality of a physical computer. Their implementations may involve specialized hardware, software, or a combination of the two. In my case, I currently run two pieces of virtual machine software to do my investigations:
For Windows I run the free VMware Fusion Player. This has the ARM version of Windows 11 Professional which is always fully patched.
For Mac I run the free UTM virtualization software. This has macOS Sonoma which is always fully patched.
So why not simply have an extra computer or two lying around to do this sort of thing? Well, there are several advantages for me:
Because it’s on my MacBook Pro, this is portable. Which means that I can use these on a client’s site at home or abroad.
Virtual machines can be cloned or snapshotted, depending on the virtual machine software that you’re using, so that you can save the current state of the virtual machine. If a virus blows it up, you can simply restore from the clone or snapshot and be back in business.
You can fully isolate the virtual machine from the real computer. So any infections that a virtual machine gets won’t spread.
Now running virtual machines requires a powerful computer to do it properly. In my case I run a 16″ MacBook Pro with the M1 Pro processor. Between the powerful processor and the 32 GB of RAM, I have no issues. But when it comes time to replace this computer, which as I wrote here I don’t see the need to do currently, I’ll likely be bumping up the RAM to 64GB and maybe increase the storage from 1TB to 2TB to accommodate additional virtual machines. I should note that if you’re on PC, you will likely need a Core i7, Core i9, Ultra 7 or Ultra 9 processor with 32 to 64 GB of RAM to do what I do.
Now, earlier on I did mention that I currently run two virtual machine software. That’s going to change as I am going to migrate to UTM for all my virtual machines. I’m doing that because since VMware has been acquired by Broadcom, their level of support has nosedived. You can take a scroll through the VMware Sub-Reddit to see the complaints about this acquisition that people have. And a lot of my clients are looking to move their enterprise level virtual machines off of the VMware platform for greener pastures like Microsoft Hyper-V, Nutanix or Citrix as a result of the chaos caused by the Broadcom acquisition. That lessens my need to run VMware’s software. Also UTM has much broader support for classic operating systems such as Windows XP and Windows 7. Which is something that VMware doesn’t offer. Thus it makes sense for me to transition to UTM.
So that’s my current virtual machine setup. After I do my transition to UTM, I’ll be doing a follow up to walk you through my setup and how I did it. Stay tuned for that and please leave any questions or comments below.