Ontario School Boards Suing TikTok, Meta, And Snapchat For $4.5 Billion

Posted in Commentary on March 28, 2024 by itnerd

Well, I must admit that I did not see this coming. CP24 and The Toronto Star are both reporting that Meta, Snapchat and TikTok are being sued by four Ontario school boards. This is what the Toronto Star had to say:

In four separate but similar cases filed Wednesday in Ontario’s Superior Court of Justice, the public boards in Toronto, Peel and Ottawa and the Toronto Catholic board allege the popular social media platforms were “designed for compulsive use (and) have rewired the way children think, behave, and learn” and are calling on the companies to make improvements, say their statements of claim. 

School boards have had to bring in staff, resources and programming to mitigate the “significant impacts that these addictive platforms are having on our students,” said Colleen Russell-Rawlins, director of education at the Toronto District School Board, the country’s largest. 

“We’re managing mental health challenges, loneliness and … discrimination — the slurs that we’re seeing students use, some of that emanates from what’s on social media,” she added.

“We really want to raise awareness and ultimately get these companies to acknowledge and to make these things safer,” added Brendan Browne, director of education for the Toronto Catholic District School Board.

The social media companies in question haven’t said anything to either The Toronto Star or CP24, but I can’t imagine they’re going to be happy about this. If this succeeds, it’s likely to be copied by other school boards in other places, which means that this could become a huge problem for all of these companies. It’s also bad press that I am pretty sure these companies don’t need right now.

What I am watching for in the coming days or weeks is how the social media companies respond to this. Specifically, whether they try to delay or stop it from moving forward, as that is likely going to be how they respond to these lawsuits.

Get the popcorn ready.

New Attack Path Exploits Microsoft SCCM: Researchers Discover Undocumented Way to Compromise Account Privileges

Posted in Commentary with tags on March 28, 2024 by itnerd

GuidePoint Security has unveiled the discovery of an undocumented way to compromise an account and elevate privileges inside an SCCM (System Center Configuration Manager) network. SCCM is also known as Microsoft Endpoint Configuration Manager (MECM).

GuidePoint Security’s Threat & Attack Simulation (TAS) team identified the conditions under which SCCM client push accounts and machine accounts can be compromised through automatic site-wide client push installation combined with Active Directory system discovery.

Because of the permissions these accounts hold, this can lead to an SCCM site takeover or, in the case of the SCCM client push account, administrative privileges over numerous computer objects within the domain.

According to GuidePoint, the TAS researchers are the first in the industry to identify this attack path in SCCM, an endpoint management tool.

Under the conditions GuidePoint describes, an attacker may be able to retrieve the hashed credentials for every configured SCCM client push account, which in turn may give them administrative privileges.

You can read about this here.

CISA Seeks Input on Cyber Incident Reporting For Critical Infrastructure Act (CIRCIA)

Posted in Commentary with tags on March 28, 2024 by itnerd

CISA has just released the proposed rule implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), a Department of Homeland Security proposed rule that was not yet formally published at the time of writing and is scheduled to appear on 04/04/2024.

CIRCIA traces back to Presidential Policy Directive 21 (PPD-21) of 2013, which states:

“This directive establishes national policy on critical infrastructure security and resilience. This endeavor is a shared responsibility among the Federal, state, local, tribal, and territorial (SLTT) entities, and public and private owners and operators of critical infrastructure (herein referred to as “critical infrastructure owners and operators”). This directive also refines and clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, as well as enhances overall coordination and collaboration.”

And here are today’s comments from CISA Director Jen Easterly in the announcement:

“CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure. It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats.”

Ted Miracco, CEO, Approov had this comment:

   “CIRCIA marks a significant advancement in the collective cybersecurity effort, however what constitutes a “significant cyber incident” still presents an ambiguity that could lead to underreporting which is undesirable. Also, the tight reporting windows, while crucial for rapid response, may put pressure on entities to report before fully understanding the scope of an incident. 

   “Successful implementation will hinge on clear guidance, support mechanisms for covered entities, and ongoing dialogue between the public and private sectors. Overall CIRCIA could well set a precedent for cybersecurity collaboration and incident response, not just within the United States but globally.”

Craig Harber, Security Evangelist at Open Systems, follows with this comment:

   “I believe the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), if implemented correctly is a big deal, a significant step towards protecting the nation’s critical infrastructure. It is really a collective defense strategy that requires the owners and operators of critical infrastructure to share threat intelligence with CISA in real-time. CISA will use this information to assist all members of the critical infrastructure community. Frankly, this collective defense strategy allows for broader collaboration of a limited set of highly skilled resources across all industrial sectors to identify and defeat cyber threats.”

I’m all for having playbooks like these as it will start to ensure that incidents are handled in a consistent manner and everybody works together. Sure it’s not perfect, and it needs work, but let’s not let perfect be the enemy of good.

330% & 150% Surges In VPN Demand In Spain Amid Anti-Government Protest & Telegram Ban 

Posted in Commentary with tags on March 27, 2024 by itnerd

VPN Mentor just published research on two significant increases in VPN demand in Spain.

Their research team analyzed user demand data in Spain around two events: the anti-government demonstration in Madrid on March 9th, and the temporary ban on Telegram imposed by the high court on March 22nd. On the day preceding the demonstration and on the day following the Telegram ban, they observed surges of 300% and 150%, respectively, in VPN demand in Spain.

You can find all the details of their findings here: https://www.vpnmentor.com/news/vpn-demand-surge-spain/

Nikon Releases the NIKKOR Z 28-400mm f/4-8 VR Full-Frame Super Zoom Lens

Posted in Commentary with tags on March 27, 2024 by itnerd

Nikon Canada Inc. announced the release of the NIKKOR Z 28-400mm f/4-8 VR, a supremely versatile high-power super-zoom lens for Nikon Z series full-frame/FX-format mirrorless cameras. This latest addition to the expanding line of NIKKOR Z lenses offers the highest zoom ratio in its class, making it a must-have for travel, sports, backyard wildlife and more.

The NIKKOR Z 28-400mm f/4-8 VR is a high-magnification zoom lens that covers a broad range of focal lengths — from 28mm to 400mm. Whether up close or far away, from landscapes to distant vistas, users will appreciate the extreme versatility and powerful capabilities of the 14.2× zoom. Although it is a super-telephoto zoom lens with a range up to 400mm, it’s also the lightest in its class, weighing only approximately 1.6 lbs (725 g), making it easy to carry when travelling.

This new lens also has a remarkably close minimum focus distance of only 7.8 in. (0.2 m) at the maximum wide-angle position and 3.9 ft. (1.2 m) at the maximum telephoto position. The maximum reproduction ratio of 0.35x lets users capture close-ups at short distances for food, flowers and animals. When shooting far away, users can fill the frame with their subject and still have a pleasing blurred background.

The NIKKOR Z 28-400mm f/4-8 VR uses a stepping motor (STM), which enables fast and quiet autofocusing, allowing rapid focus on moving subjects. The lens also features a vibration-reduction (VR) function with performance equivalent to 5.0 stops, which helps achieve sharp photos and stable video with ease, even when handheld.

Primary features of the NIKKOR Z 28-400mm f/4-8 VR

  • Covers a broad range of focal lengths — from 28mm to 400mm, with a 14.2× zoom which is a first among NIKKOR Z lenses.
  • A minimum focus distance of 0.2 m at the maximum wide-angle position and a maximum reproduction ratio of 0.35× allow users to get closer to their subjects for dynamic expression.
  • A total length of approx. 5.57 in. (141.5 mm) and a weight of approx. 1.6 lbs (725 g) – the lightest lens in its class – make this an easy lens to carry and shoot hand-held.
  • Stable VR performance equivalent to a 5.0-stop increase in shutter speed effectively reduces blurring in dimly lit surroundings and with hand-held shooting. When paired with a compatible camera, Synchro VR can be activated to achieve up to 5.5-stop stabilization by combining in-camera VR and lens VR.
  • Stepping motor (STM) enables high-speed AF drive.
  • Support for linear MF drive enables smooth focusing, which is especially useful for video shooting.
  • Comes with a compact, square lens hood that combines superior performance and usability.
  • Designed to be dust- and drip-resistant with thorough sealing on various portions including movable parts of the lens barrel to keep dust and water droplets from entering the lens.

Price and Availability
The new NIKKOR Z 28-400mm f/4-8 VR lens will be available in mid-April for a manufacturer’s suggested retail price of $1,699.95. For more information about the latest Nikon products, including the vast collection of NIKKOR Z lenses and the entire line of Z series cameras, please visit www.nikon.ca

Introducing #ModTheVeg: Powering Up Veggies in the Gaming Universe

Posted in Commentary with tags on March 27, 2024 by itnerd

Ever wonder why veggies get the short end of the stick in the gaming world? Knorr, the global food brand, has joined forces with gaming legends like Ninja and Jordy2D to spotlight how veggies are often overlooked in top video games through a revolution called #ModTheVeg.

After all, why should munching meat give players +15HP, but cabbage only +10HP? It’s time for veggies to level up, and Knorr is leading the charge to give good food a boost in the virtual world. With veg-powered mods, now available for play, we’re making veggies the MVP (most valuable produce) in gamers’ inventory.

The epic unveiling will take place on Monday, April 1st between 4-6pm EST on Twitch, where Jordy2D and top gamers across Canada will showcase the veggie-powered mods.

Canadians can also visit Knorr.ca to be part of the movement, play the mods and sign the petition urging gaming publishers to give veggies the recognition they deserve.

Canada’s Plan To Phase Out Gas Powered Cars By 2035 Is Unworkable… Here’s Why

Posted in Commentary with tags , on March 27, 2024 by itnerd

Last December, the Canadian Government announced a plan to phase out gas powered cars by 2035. In short, what the Canadian Government wants is to have all of us driving zero emission vehicles (which is another way of saying electric vehicles) by that point or shortly after that point. This is an attempt to reduce emissions and allow Canada to hit their climate change goals. Now to be clear, I am all for making the environment better and reducing the effects of climate change. But this plan to shift drivers to electric vehicles is not workable for a number of reasons.

Let’s start with the fact that a robust and easily accessible charging infrastructure doesn’t exist. While some homeowners who own electric vehicles have level 2 chargers at home, there are a lot who don’t or can’t do so. Yours truly for example lives in a condo that doesn’t have any charging infrastructure whatsoever. And that’s the same for those in apartments as well. And many building management companies aren’t willing to budge on that. So what that means is if I want to charge an electric vehicle, it may be a challenge as illustrated by this search that I did on Apple Maps:

You’ll see a lot of big green dots and smaller green dots indicating where a EV charger is located. Compare that to simply searching for gas stations:

There’s a lot more blue dots (gas stations) that are big and small versus green dots (EV chargers) big and small. That means many people will find it a challenge at best to charge an electric vehicle. And that will hamper the sales of electric vehicles because humans will only adopt something if it is as easy or easier than whatever it is replacing. And right now if someone can’t just pop out to a charger that’s a five minute drive down the road and get a charge that gets their car to at least 80% in well under an hour, they’re not going to get an electric vehicle.

That brings me to my next point, electric vehicles are too expensive. Anyone that I know who has an electric vehicle is also someone who is willing and able to spend luxury car money on a gas vehicle. Even the cheapest electric vehicles out there are out of the price range of the average consumer who typically buys a Honda Civic or something in that price range. And that factors in government rebates for buying or leasing an electric vehicle. Now I get why this is the case. Car companies aren’t selling them in high enough volume to enable them to bring the price of these vehicles down to affordable levels. In fact, some companies have shifted away from producing more electric vehicles to producing more hybrids as those are actually selling. Until that changes, the needle on electric vehicle sales is going to move very slowly.

Sidebar: You should take Tesla out of the mix when it comes to companies who are shifting to making more hybrids as all Tesla makes are electric vehicles. Thus they have economies of scale working for them. Unlike every other car company that makes electric vehicles.

The next point that I’d like to bring up is the range of these vehicles. My 2016 Hyundai Tucson gets about 600 km on a single tank of gas. Sometimes more if I drive in a more “subdued” manner. That’s important, as buyers like me who want to drive electric vehicles want to get a similar range relative to what we get now with a gas powered vehicle. In fact, a KPMG study revealed that 80 per cent of Canadians wouldn’t “consider buying an EV unless it has a minimum 400 km range fully charged.” The problem is that many electric vehicles don’t get that range. Part of that is due to the fact that Canada is very cold for six months of the year, and cold weather has a negative effect on electric vehicles. You get reduced range in cold weather; some people say about 30% less. But there’s also the fact that the car might not work at all if it is too cold. I cite this example where many Tesla cars in Chicago wouldn’t work because it was too cold. Another somewhat related factor is that the range an auto maker quotes is often measured in “ideal” conditions. And none of us drive in “ideal” conditions, because those “ideal” conditions are in a lab or on a test track. Which is another way of saying that you’re unlikely to see the range that the auto maker says you should get. Thus this is something that needs to be sorted before electric vehicles get adopted broadly.

Finally, there’s reliability. Electric vehicles are generally less reliable than gas powered cars, and this Consumer Reports article goes into the weeds on that. But let me cut to the chase here: nobody is going to move to a technology that is less reliable than what they have now, and that lack of reliability will slow electric vehicle adoption.

All of this makes Canada’s plan to move to zero emission vehicles by 2035 a non starter in my mind. I honestly would love to be proven wrong on this. But as things stand right now, I don’t think so. The only way I might be proven wrong is if there’s a major course correction to make electric vehicles more affordable and more reliable, improve the charging infrastructure, and bring the range more in line with gas powered cars. This is something that all parties in this space, meaning government and the car industry, need to tackle. And they need to start doing that today if the 2035 deadline is to be met.

Do you agree with me? Do you disagree with me? Leave a comment below and share your thoughts.

Facebook Spied On Snapchat, Amazon, And YouTube Users…. WTF?

Posted in Commentary with tags on March 27, 2024 by itnerd

People often ask me why I refuse to have a Facebook account, why I killed my Instagram account a few years ago, and why I haven’t got onto Threads. The answer is pretty simple: Meta, the company that owns all of those platforms, is pretty evil and simply can’t be trusted. Here’s today’s example of why they can’t be trusted:

In 2016, Facebook launched a secret project designed to intercept and decrypt the network traffic between people using Snapchat’s app and its servers. The goal was to understand users’ behavior and help Facebook compete with Snapchat, according to newly unsealed court documents. Facebook called this “Project Ghostbusters,” in a clear reference to Snapchat’s ghost-like logo.

On Tuesday, a federal court in California released new documents discovered as part of the class action lawsuit between consumers and Meta, Facebook’s parent company.

The newly released documents reveal how Meta tried to gain a competitive advantage over its competitors, including Snapchat and later Amazon and YouTube, by analyzing the network traffic of how its users were interacting with Meta’s competitors. Given these apps’ use of encryption, Facebook needed to develop special technology to get around it.

One of the documents details Facebook’s Project Ghostbusters. The project was part of the company’s In-App Action Panel (IAPP) program, which used a technique for “intercepting and decrypting” encrypted app traffic from users of Snapchat, and later from users of YouTube and Amazon, the consumers’ lawyers wrote in the document.

The document includes internal Facebook emails discussing the project.

“Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them,” Meta chief executive Mark Zuckerberg wrote in an email dated June 9, 2016, which was published as part of the lawsuit. “Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.”

Facebook’s engineers’ solution was to use Onavo, a VPN-like service that Facebook acquired in 2013. In 2019, Facebook shut down Onavo after a TechCrunch investigation revealed that Facebook had been secretly paying teenagers to use Onavo so the company could access all of their web activity.

If some of that sounds familiar, it should as I’ve written about Onavo before. But here’s the bottom line. Even for Meta, that’s a new low. And it illustrates how untrustworthy Mark Zuckerberg and Meta are. They clearly will stop at nothing to grab as much information about you as they can so that they can find new ways to make money. I for one refuse to be the product. Thus you will not see me use a Meta product for that reason. Meta is a company that needs some government intervention in the US because it’s clear from this example and others that they will not alter their behaviour unless they are forced to.

There’s A Sophisticated Phishing Attack Out There That’s Targeting Meta Business Accounts According to Fortra

Posted in Commentary with tags on March 27, 2024 by itnerd

While the recent Meta outages have grabbed headlines, the latest research from Fortra analysts reveals a chilling development in the cyber threat landscape: a large-scale phishing attack aimed at compromising Meta Business Accounts.

The campaign incorporates several atypical tactics to carry out the attack, including expertly crafted phishing emails, deceptive live support chats, and manipulation of Google notifications and QR codes. Fortra analysts have so far detected thousands of phishing emails associated with this campaign targeting a broad range of industries.

The targeting of Meta for Business brings into focus the high value compromised businesses on social channels hold for cybercriminals. While individual accounts often bear the brunt of such attacks, the ramifications of a breach in a business context are far-reaching, with potentially devastating consequences for both reputation and financial security.

I sent some questions over to Michael Tyler, Senior Director of Security Operations for Fortra to get some more insight on this campaign. Here’s what he said:

Can you describe the campaign and who the targets are?

  • Meta Business Suite, also known as Meta for Business, is a set of tools around managing a business’ presence on the Facebook and Instagram platforms. Access to Meta Business Suite is granted through an underlying Facebook or Instagram account. This campaign is leveraging a sophisticated phishing attack in order to obtain access to accounts with access to Meta Business Suite. Targets are organizations of every size. Fortra observed and blocked thousands of threats matching this campaign targeting several dozen organizations over a period of several weeks. In some cases, the phishing emails were sent specifically to members of the marketing team at the organization, indicating that the adversary had done research to know which employees were most likely to have the target credentials.

How novel is the attack that is used by the threat actor(s)?

  • The concept of phishing itself is nothing new.  However, this campaign had several notable points.
    • The first is the impersonation of Meta for Business, combined with the tailored recipient list noticed at some organizations.  While not novel in and of itself it indicates that the adversary launching this campaign went to at least some degree of effort to deliver a targeted attack, as opposed to a shotgun style approach typically seen in low-complexity phishing attacks.   The hypothesis that this was a tailored attack is also supported by the phishing website itself, which is the next novel point.
    • The phishing site itself was very advanced and contained several unusual features. Chief among these was that the phish was interactive... upon providing your username you would be placed in a live chat with a purported member of Meta’s “Security Team”. In reality, the phishing site was initiating a connection to a Telegram channel controlled by the adversary, who was able to communicate with the victim in real time. Part way through the interaction, the “live chat” would freeze and the victim would be required to provide their password to “reauthenticate”, whereupon the victim would be prompted by the security team members for any MFA codes or access authorizations that may be required to gain control over the account. This is a particularly devious social engineering technique; by delaying the request for the password until after the victim is already invested in a conversation with the fake support agent, it greatly increases the chance that the victim will provide this information so that they can complete the interaction they’ve already started.

What do you believe is the end goal of the campaign?

  • It’s difficult to say exactly what the end goal of a particular campaign is. What is clear is that Meta for Business accounts have specific value to adversaries. Fortra has observed several adversary behaviors that could be end goals of a campaign such as this.
    • The simplest is resell.  The adversary launching this campaign could simply intend to sell access to any captured accounts on the dark web.  The buyer would then use the account for their own purposes, which might include one of the below endgames.
    • An adversary might use the account to impersonate the organization.  This could take several forms, from attempting to use DMs or other on-platform features to pivot into even more valuable accounts, or using the account to post disinformation for some purpose (perhaps motivated by geopolitical, financial, or hacktivism factors).  Additionally, if your Meta Business account is based off of a Facebook account, an adversary could impersonate you on any program using the “Login with Facebook” authentication method.
    • An adversary could lock the original owner out of the account, and then attempt to ransom access to the account back to the original owner.   This tactic can be particularly effective when employed against organizations who use social media as their primary marketing channel.
    • An adversary may also attempt to use the account to post ads for counterfeit goods.  As social media companies have continued to refine their targeting algorithms, more and more goods purchases are initiated over a social media ad.  Counterfeiters have taken notice; Fortra has observed a large increase in the advertisement of counterfeit goods via social media platforms over the past several years.  By using an already verified business account, adversaries can bypass some of the social media platform’s fraud controls and have a generally higher success rate.  If the account has payment methods established, the adversary can use the victim’s funds to launch their ads as well.

What can businesses do to mitigate this attack?

  • Best practices around Email Security and end-user Security Awareness Training are paramount. By using a multi-layered email security solution that can block malicious emails from being delivered to end users, and educating end users on how to identify and report suspicious emails that evade security, you greatly decrease the risk of having your credentials compromised.
  • Additionally, businesses should take care to secure their Meta for Business account using the most advanced identity features available to them (MFA, Security Keys, and unrecognized device alerts as of this writing). They should also limit access to account credentials to those individuals who absolutely require them. An even more secure implementation is to consider having different individuals control different authentication factors. For example, have the main user of the account own the password, but a separate individual own the device which receives MFA codes. This may not be feasible in some organizations, but forcing multiple individuals to be involved in a login attempt gives more opportunity for someone to recognize a scam.

Sekoia Details A MFA-Bypass Phishing Kit That Targets MS 365 & Gmail Users

Posted in Commentary with tags on March 27, 2024 by itnerd

The latest version of the AiTM phishing kit “Tycoon 2FA” has become one of the most widespread AiTM phishing kits over the last few months, leveraging more than 1,100 domain names as tracked from late October 2023 through February 2024.  This new phishing-as-a-service (PhaaS) platform targets Microsoft 365 and Gmail accounts.

The most recent version, which appeared in February, “enhances its obfuscation and anti-detection capabilities and changes network traffic patterns”, bypassing 2FA protection by using an adversary-in-the-middle (AiTM) attack to steal session cookies.

Discovered by Sekoia researchers in October 2023, Tycoon 2FA was found to have been active since August 2023, when it was offered for sale on private Telegram channels.

“Once the user completes the MFA challenge, and the authentication is successful, the server in the middle captures session cookies”, allowing the attacker to replay the session and bypass MFA.

Sekoia outlined six stages of the attack:

  • Stage 0 – Spreading phishing pages: customers of the Tycoon 2FA PhaaS distribute their phishing pages using URL redirections and QR codes.
  • Stage 1 – Cloudflare Turnstile challenge: users clicking on the phishing URL are redirected to a page embedding a Cloudflare Turnstile challenge, which is there to keep unwanted traffic away from the phishing page.
  • Stage 2 – Email extractor: JavaScript executes in the background and redirects the user to another page depending on whether an email address is present.
  • Stage 3 – Redirection page: redirects to another web page on the phishing domain.
  • Stage 4 – Fake Microsoft authentication login page and sockets: embeds a deobfuscation function and obfuscated HTML code, which is the fake Microsoft authentication page.
  • Stage 5 – 2FA relaying: code builds and displays the Microsoft 2FA page; the second factor the victim enters is relayed to the legitimate service, and the server in the middle keeps the session cookies the legitimate service returns.
  • Stage 6 – Final redirection: redirects the user to a legitimate URL so they don’t realize the previous page was malicious.

Ted Miracco, CEO, Approov Mobile Security had this to say:

   “While Multi-Factor Authentication (MFA) increases security compared to single-factor authentication, sophisticated attacks involving Adversary-in-the-Middle (AiTM) techniques exemplified by the “Tycoon 2FA” phishing kit, can easily bypass most MFA protections. Some forms of MFA are more resistant to phishing attacks than others. Security keys that implement WebAuthn/FIDO2 standards offer a higher level of protection as they require the website to prove its identity to the key, which makes it significantly more difficult for attackers to intercept or replicate the MFA process. 

   “Certificate pinning is effective against attackers attempting to intercept or manipulate secure connections by presenting a fraudulent certificate. However, it does not prevent phishing attacks where the user is tricked into entering credentials into a malicious website or application.”

A move towards a passwordless solution would also help as it would likely take away this attack vector as well. Which once again shows that the world needs to shift towards solutions that provide protections from increasingly aggressive threat actors who will stop at nothing to achieve their aims.
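To make Sekoia’s stages 4 and 5 and Ted Miracco’s WebAuthn point concrete, here is a small Python model of the relay. It is an added illustration written for this post, not Sekoia’s analysis code and not anything from the Tycoon 2FA kit. The identity provider, the victim’s password and one-time code, the phishing domain login.example-secure.net and the session cookies are all constructed for the example, and the authenticator’s signature is modelled with an HMAC over a shared secret rather than a real key pair, which changes nothing about what the relying party checks. The relay forwards the victim’s password and TOTP code to the real service and keeps the session cookie it gets back; the same relay fails against a WebAuthn assertion, because the browser records the origin it is actually on (the phishing domain) and hashes the RP ID it derived from that origin into the signed data, so the real service rejects it.

```python
import hashlib
import hmac
import json
import secrets

# All of these are constructed for the example.
LEGIT_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-secure.net"   # the kit's phishing domain


def rp_id_for(origin: str) -> str:
    """A browser derives the default RP ID from the page origin it is on; a page
    served from the phishing origin cannot ask for login.example.com's RP ID."""
    return origin.split("://", 1)[1]


class IdentityProvider:
    """Toy Microsoft-365-style IdP: password + TOTP, or WebAuthn, then a session cookie."""

    def __init__(self):
        self.password = "correct horse battery staple"   # victim's password (constructed)
        self.valid_totp = "492817"                       # the one-time code the victim will type
        self.cred_key = secrets.token_bytes(32)          # toy stand-in for the registered public key
        self.pending = set()                             # outstanding WebAuthn challenges
        self.sessions = {}                               # session cookie -> user

    def _issue_session(self):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = "victim@example.com"
        return cookie

    def login_password_totp(self, password, totp):
        # Nothing here binds the login to the page the user typed on: a relay works.
        if password != self.password or totp != self.valid_totp:
            return None
        return self._issue_session()

    def webauthn_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def webauthn_finish(self, assertion):
        client_data = json.loads(assertion["clientDataJSON"])
        if client_data["origin"] != LEGIT_ORIGIN:        # origin binding, written by the browser
            return None
        if client_data["challenge"] not in self.pending:
            return None
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(rp_id_for(LEGIT_ORIGIN).encode()).digest():
            return None                                   # rpIdHash binding
        signed = auth_data + hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
        expected = hmac.new(self.cred_key, signed, "sha256").digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        self.pending.discard(client_data["challenge"])
        return self._issue_session()

    def whoami(self, cookie):
        return self.sessions.get(cookie)


def browser_webauthn_get(cred_key, page_origin, challenge):
    """What the victim's browser and authenticator produce for a challenge shown on page_origin."""
    client_data_json = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin})
    # authenticatorData = rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id_for(page_origin).encode()).digest() + b"\x01" + b"\x00" * 4
    signed = auth_data + hashlib.sha256(client_data_json.encode()).digest()
    return {"clientDataJSON": client_data_json, "authenticatorData": auth_data,
            "signature": hmac.new(cred_key, signed, "sha256").digest()}


class AitmProxy:
    """The kit's server in the middle: forwards what the victim types to the real IdP
    and keeps whatever the IdP hands back."""

    def __init__(self, idp):
        self.idp = idp
        self.captured_cookie = None

    def relay_password_totp(self, password, totp):
        self.captured_cookie = self.idp.login_password_totp(password, totp)
        return self.captured_cookie is not None

    def relay_webauthn(self):
        challenge = self.idp.webauthn_challenge()                 # fetched from the real IdP
        # The victim is on the phishing page, so the browser signs over PHISH_ORIGIN and its RP ID.
        assertion = browser_webauthn_get(self.idp.cred_key, PHISH_ORIGIN, challenge)
        self.captured_cookie = self.idp.webauthn_finish(assertion)
        return self.captured_cookie is not None


def run_demo():
    idp = IdentityProvider()
    proxy = AitmProxy(idp)
    totp_relayed = proxy.relay_password_totp(idp.password, idp.valid_totp)
    replayed_user = idp.whoami(proxy.captured_cookie)            # attacker replays the stolen cookie
    webauthn_relayed = proxy.relay_webauthn()
    direct = idp.webauthn_finish(browser_webauthn_get(idp.cred_key, LEGIT_ORIGIN, idp.webauthn_challenge()))
    return {"totp_relay_succeeded": totp_relayed,
            "attacker_session_user": replayed_user,
            "webauthn_relay_succeeded": webauthn_relayed,
            "webauthn_direct_succeeded": direct is not None}


if __name__ == "__main__":
    print(run_demo())
```

The password-plus-TOTP path hands the proxy a working session for victim@example.com, which is exactly the cookie capture Sekoia describes; the WebAuthn path fails at the origin check before the signature is even examined, and would also fail the rpIdHash check, which is why a FIDO2 security key is phishing-resistant where a relayed code is not.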