So There’s An “Unfixable” Bug In Apple Silicon… What Does That Mean For You?

Posted in Commentary with tags on March 26, 2024 by itnerd

Last week ARS Technica published a report of an “unfixable” bug in Apple M series processors. While I do encourage you to read the report, I’ll give you the TL:DR here:

The flaw—a side channel allowing end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocols—can’t be patched directly because it stems from the microarchitectural design of the silicon itself. Instead, it can only be mitigated by building defenses into third-party cryptographic software that could drastically degrade M-series performance when executing cryptographic operations, particularly on the earlier M1 and M2 generations. The vulnerability can be exploited when the targeted cryptographic operation and the malicious application with normal user system privileges run on the same CPU cluster.

Here’s the translation:  The threat allows someone to extract security keys from these chips, breaking encryption as a result. And it can’t be fixed because doing so will make these insanely fast processors slower. In short, this is really bad. But to be fair, and before those who don’t like Macs and instead support PCs and Windows all the things chime in, Intel and AMD have had their share of similar issues. This one and this one come to mind. While there are mitigations that Apple could take such as trying to shuffle encryption tasks away from the performance cores of M series processors to the efficiency cores of said processors, like I said earlier, this flaw is basically not patchable. It also means that much like when Intel and AMD had issues like these, researchers and threat actors will start poking around M series processors to see if they can find any other flaws.

So, what can you as a Mac user do to protect yourself? Well, other than keeping your software up to date, not much really. Everything that I have read on this doesn’t point to any proof of concept code or any easy to execute attack. So this isn’t a today problem for Mac users at the moment. But that doesn’t mean it won’t become a problem later. Thus you might want to just keep an eye on this to see if new information pops up about this.

Leave a comment »

Legit Security Launches AI-Powered, Enterprise-Grade Secrets Scanning Product 

Posted in Commentary with tags on March 26, 2024 by itnerd

Legit Security, the leading platform for enabling companies to manage their application security posture across the complete developer environment, today announced the launch of its standalone enterprise secrets scanning product, which can detect, remediate, and prevent secrets exposure across the software development pipeline. An AI-powered solution that enables secrets discovery beyond source code, Legit’s offering is built to meet the needs of even the most complex development organizations.

This new offering provides CISOs and their teams with enterprise-grade security capable of addressing the needs of the world’s largest and most complex organizations. Security teams can now identify, remediate, and prevent the exposure of secrets across developer tools, such as GitHub, GitLab, Azure DevOps, Jenkins, Bitbucket, Docker images, Confluence, Jira, and more. Legit’s AI-powered accuracy also drives highly accurate results; false positives are reduced by as much as 86%.

Secrets, such as API keys, access keys, passwords, and personally identifiable information (PII), are valuable assets and a focal point for attackers. At the same time, applications and developers are using more and more secrets and non-human credentials to function. According to IBM’s 2023 Data Breach Report, secret leak risks are the second most common initial attack vector. Protecting secrets is mission-critical, as just one disclosure can lead to multiple breaches that are costly and often difficult to remediate. With Legit, organizations can identify, remediate, and prevent the loss of secrets across various developer tools and platforms.

Key benefits of Legit’s enterprise secrets scanning product include:

  • Performance and scale: Organizations receive enterprise-grade secrets scanning capabilities suitable for large-scale organizations to scan thousands of developer assets within minutes.
  • Going beyond source code: CISOs and their teams can identify, remediate, and prevent the loss of secrets across developer tools, ranging from GitHub, GitLab, Azure DevOps, and Bitbucket to Docker images, artifacts, Confluence pages, and more. 
  • AI-powered accuracy: Legit delivers more accurate results through its continual learning engine. In addition, extensive context and prioritization capabilities limit the impact of false positives.
  • Centralized management: Organizations can seamlessly create custom policies, manage exceptions, and execute secrets scanning across all products, systems, and teams.
  • Continuous developer attack surface visibility: Legit discovers and analyzes dev assets such as code, build systems, artifacts, and more. This approach ensures no corner is left unchecked and adds context, such as exposure vectors, to the findings.

With enterprise secrets scanning from Legit, customers can start with secrets scanning and, based on future needs, expand to other use cases, such as vulnerability management, compliance, and software supply chain security. 

Highlighting the effectiveness of Legit’s enterprise secrets scanning, a leading financial services organization recently found the security of its software supply chain significantly improved after deploying Legit’s solution. The comprehensive scanning and integration capabilities provided insights into potential risks, leading to more informed decision-making and strengthened security practices.

Legit Security’s new product is available now to new and existing customers. For more information, visit www.legitsecurity.com. To learn more about how Legit tackles secrets detection across, join a webcast – “Secrets Detection: Why Coverage Throughout the SDLC is Critical to Your Security Posture” – on Thursday, March 28, 2024 at 2:30 pm ET. Register for the event here.

Leave a comment »

New Report By CDW Canada Finds Three-in-Five Canadian Organizations Are Open to Using AI

Posted in Commentary with tags on March 26, 2024 by itnerd

CDW Canada today released new research about the attitudes, concerns and adoption patterns of artificial intelligence (AI) technology in Canada. The Evolution of AI Adoption in Canadian Businesses: Perceptions and Trends contains research conducted among members of the Angus Reid Forum, including over 300 IT decision-makers across businesses of varying sizes and industries throughout Canada.

Organizations recognize the benefits of AI adoption

As Canadian organizations navigate the rapidly advancing AI landscape, a sense of cautious optimism persists. Three-in-five organizations (61 percent) are open to using AI and over half (58 percent) believe that incorporating AI enhances productivity and efficiency. Despite this openness, only half (51 percent) feel comfortable about its current use.

The most common benefits Canadian organizations expect following investment in AI include increased productivity and efficiency (58 percent), increased data/information availability (48 percent) and financial benefits or cost reductions (42 percent).

Understanding Al creates challenges for integration

Lack of knowledge and education are the primary obstacles Canadian organizations face when embracing AI and data analytics tools, despite the recognized benefits.

While half (52 percent) of IT decision-makers whose organizations have implemented AI for specific tools consider the process easy, only one-in-five (21 percent) IT decision-makers feel confident in their organization’s ability to implement them effectively. This highlights a significant gap in education and governance between those responsible for overseeing AI integration, the organizations they work for and assumptions about the complexity of AI tools.

Organizations are just scratching the surface of AI tools

Most organizations are only scratching the surface in exploring the capabilities of data analytics and AI tools.

The most widely used AI tools are natural language processing (NLP) tools. While useful, NLPs are not representative of AI’s full scope and capabilities. One-in-five organizations use machine learning and deep learning platforms (20 percent) and automation and optimization tools (19 percent) compared to half (50 percent) that use NLP and interaction tools. For Canadian organizations to remain competitive there needs to be greater education on AI’s full potential.

Public and private sectors have differing paths to AI adoption

The landscape of AI adoption varies between the public and private sectors, with each facing distinct challenges and opportunities. Both are open to AI adoption, but a higher portion of public sector respondents (64 percent) express openness for AI adoption compared to the private sector (58 percent).

The public sector places stronger emphasis on security, privacy and data protection, with over half (57 percent) citing these as high-risk factors, along with personal data breaches (54 percent). By comparison, the private sector is more concerned with issues such as biased inputs/user programming (42 percent), ethical implications (41 percent) and unclear legal regulations (40 percent). This discrepancy underscores the public sector’s heightened sensitivity to the potential consequences of breaches and its commitment to safeguarding Canadians’ data and privacy.

Learn more about the state of AI adoption among Canadian organizations and download the report here.

About the Survey

These are the findings of an online survey conducted by CDW from February 1 to February 8, 2024, among a sample of 309 IT decision-makers who are members of the Angus Reid Forum. The survey was conducted in English. For comparison purposes only, a probability sample of this size would carry a margin of error of +/-6 percentage points, 19 times out of 20.

Leave a comment »

CISA, The FBI, And MS-ISAC Release DDoS attack Guidance For The Public Sector 

Posted in Commentary with tags on March 26, 2024 by itnerd

In a joint advisory, CISA, the FBI, and MS-ISAC has published new guidance, Understanding and Responding to Distributed Denial-Of-Service Attacks, for federal, state and local government agencies to help prevent disruption to critical services.

The advisory noted that DDoS attacks are difficult to trace and block and are commonly used by politically motivated attackers, with government websites often targeted by one of three types of DDoS attacks: Volume-based, Protocol-based attacks, and Application layer-based attacks. 

  • The guidelines emphasized that there are steps that can be taken to mitigate the possibility of being hit. These include:
  • Use risk assessments to identify potential vulnerabilities
  • Implement robust network monitoring tools and detection systems 
  • Integrate a Captcha challenges
  • Configure your firewalls to filter out suspicious traffic 
  • Regularly patch and update all software, operating systems and network devices
  • Train employees about DDoS attacks, and how to recognize and report suspicious activities

The advisory also emphasized the importance of putting in place measures to maintain service availability during a DDoS attack such as increasing bandwidth capacity and implementing load balancing solutions to distribute traffic to handle sudden spikes in traffic during an attack. Also, establish redundancy and failover mechanisms to redirect traffic and regularly back up critical data to allow for fast recovery and minimize data loss.

Stephen Gates, Principal Security SME, Horizon3.ai had this to say:

   “Although volumetric DDoS attacks have been pretty much defeated by those who offer cloud-based DDoS defenses, protocol-based attacks and application layer-based attacks are still a resounding problem. These attacks are often low-and-slow attacks are extremely difficult to defeat in the cloud since defenses regularly end up blocking legitimate traffic.

   “For those who are concerned about DDoS attacks, the best approach is a hybrid one. Subscribe to cloud-based DDoS defensive services to defeat volumetric attacks and deploy specialty-built DDoS defenses on-premises in front of your border firewalls to defeat the low-and-slow attacks. This way, all types of DDoS attacks can be defeated.”

A DDoS attack can be highly disruptive if an organization isn’t prepared to defend against one. So it is in any organization’s interest to add this to the list that they need to have a playbook for. Fortunately this joint advisory will help with that.

Leave a comment »

HYAS Threat Intel Report Is Now Out

Posted in Commentary with tags on March 25, 2024 by itnerd

HYAS Infosec has just issued the Threat Intel Report March 25 2024in which HYAS Threat Intelligence Security Engineer David Brunsdon details:

  • Top ASNs Under Observation
  • The most active malware families during the week that’s just ended.

The Report includes specific details on each ASN,  including organizational description and location, recent activity, organization type (hosting, ISP, telco) and recommendation for protecting organizations. 

For the Top Malware Families Under Observation, the report provides descriptions of each threat, recent activities, specific risks and potential impacts, and recommendations for mitigation and tightening security posture against the threat.

Leave a comment »

Nursing Home Provider Files For Bankruptcy After Getting Pwned Twice

Posted in Commentary with tags on March 25, 2024 by itnerd

Last week, Illinois-based Petersen Health Care, known for its extensive network of nursing homes across the US, has filed for bankruptcy following the impacts of two cyberattacks on its systems and defaults on its loans.

Petersen Health Care operates over 90 nursing homes with nearly 4,000 employees and a capacity to accommodate 6,796 residents with services ranging from assisted living to hospice care in Illinois, Missouri, and Iowa. While the company had more than $339 million in revenue last year its debts were more than $295 million.

In October 2023, a cyberattack claimed by the Cactus ransomware gang compromised the company’s network and led to the exposure of sensitive information. 

Petersen had attempted to restructure its debt, but the cyberattack forced the company to replace its servers, email addresses, and software and consequently caused the company to lose a significant amount of its business records resulting in an “incredible difficulty and delay” in its attempts to bill customers and insurers, according to court filings.

Furthermore, the ransomware attack on UnitedHealth Group’s Change Healthcare, a major payor for Petersen, further exacerbated Petersen’s financial difficulties. 

In the fallout of the two ransomware attacks, Petersen missed payments on $45 million of HUD loans, causing lenders to place 19 of its locations into receivership. Petersen has worked to transition those locations to the receiver’s control but has struggled to keep up with “demand-after-demand from the receiver” while also working to address its larger debt issues, further disrupting the company’s operations, compounding its financial woes.

Steve Hahn, Executive VP, BullWall:

   “This is the first of many to come. Blackcat (AlphV), the largest player in the Ransomware space, has specifically said they will focus most of their attention on US Healthcare organizations as a result of the FBI lead attack on Blackcat’s infrastructure. The FBI claimed they “took down” Blackcat but within 24 hours Blackcat proved otherwise. Continuing attacks and saying specifically that US healthcare would be targeted more as a result. Considering this group is Russia based, there are economic principals at play here as this group has likely pulled in close to a billion dollars in Ransom in 2023, but it is also geo-political as many members of Blackcat have ties to former KGB bosses running the criminal underground and Putin was the head of the KGB. We believe he provides them cover in exchange for targeting the sectors Putin wants targeted. 

   “Their attacks have been financially ruinous to many. United Healthcare recently paid 22 million to this group to decrypt their data after being hit with Ransomware, but that’s peanuts compared to the billions in lost prescription refills caused by the attack. Truly, the impacts of this will likely be over $5 billion dollars when the dust settles. Attacks on hospitals, such as the Lehigh Valley Health Network not only encrypted data but the threat actor extorted the hospital for millions more, threatening to release hundreds of photos of breast cancer patients in states of undress. They trickled these out in batches as they demanded payment. It’s not certain how much they paid to the threat actor group, but the lawsuits will be ruinous to that health network as a result. 

   “Healthcare networks are easy targets. Massive numbers of IOT devices, doctors accessing systems with personal devices, thousands of connected providers and a sprawling attack surface make them sitting ducks. On top of that they have to pay to get their systems up and running or there will be loss of life. 

   “Another group of hospitals was recently hit in the Northeast and had to suspend operations as they transferred patients to other providers. It’s unknowable how many people have lost their life in 2023 because of these attacks but we know healthcare will continue to be the top target, that healthcare services will be impacted and the financial strain on these systems will cost hundreds of billions for our economy. Exactly what Russia wants. 

   “For healthcare, it’s not a matter of “if” it’s a matter of “when”. And they need backup plans, recovery plans and rapid containment plans to limit the effects. They can’t stop these, but they can minimize their impact.”

Getting pwned has a cost to it. And that cost could be anything from expensive to terminal for a business. This is why every organization needs to wrap their heads around prevention and mitigation as a strategy to avoid finding out what the cost of getting pwned is for them.

Leave a comment »

Two Municipalities Pwned In Cyberattacks In The Last Week

Posted in Commentary with tags on March 25, 2024 by itnerd

Jacksonville Beach joins a growing list of municipalities to suffer a cyberattack, disclosing just last week that 48,949 people had their names and social security numbers disclosed during a January cyberattack. 

“On or about January 29, 2024, [City of Jacksonville Beach] began experiencing information system issues as a result of a cybersecurity event,” the city said.

The LockBit ransomware group claimed the attack back in February. In statement posted to their website last week, the City confirmed the LockBit claim and said they are still working with federal law enforcement on the investigation. 

“This investigation determined that certain files in COJB systems were subject to unauthorized access and that information may have been taken from the network between January 22, 2024 through January 29, 2024. As a result, COJB began a thorough review of the data stored within these files to determine the type of information was contained within them and to whom the information relates.”

Another Florida city,  Pensacola, announced a cyberattack earlier in the week that caused serious issues for the local government making it the 21st U.S. municipality to suffer a cyberattack this year, according to cybersecurity expert Brett Callow.”

BullWall Executive, Carol Volk had this to say:

“This Jacksonville cyberattack echoes the severity of similar incidents like the one in Dallas, TX last fall and in Oakland, CA earlier that year. Just like those attacks, this not only disrupted essential services but also compromised sensitive personal data. With 48,949 individuals’ names and social security numbers exposed, the repercussions are profound.

   “Data breaches of this magnitude lead to identity theft and financial losses for both citizens and institutions. The perpetrators’ demand for ransom adds another layer of complexity, potentially causing further financial and reputational harm to the municipality. The week-long disruption to city services underscores the immediate impact, while the long-term effects on infrastructure and security cannot be overlooked. We’ve all seen the consequences when critical services like hospitals are incapacitated for days.

   “This incident emphasizes the urgent need for robust cybersecurity measures to defend against evolving threats. Implementing proactive strategies and response protocols including response and containment measures to safeguard against such attacks, as there is no end in sight to these sorts of attacks.”

To be clear, it isn’t just US municipalities who are the targets of cyberattacks. Hamilton Ontario and Huntsville Ontario here in Canada have been pwned too. That illustrates not only the fact that this is a huge problem, but municipalities need to wrap their heads around it or this will get out of control quickly like we’ve seen in the healthcare space.

Leave a comment »

Someone Is Targeting Apple iCloud Users With A High Effort Attack To Take Over Apple iCloud Accounts

Posted in Commentary with tags on March 25, 2024 by itnerd

A series of targeted attacks designed to hijack iCloud accounts by doing something that causes the user’s device to be inundated with One Time Password requests is apparently making the rounds. The key word is targeted as at the moment it appears that only specific individuals are being targeted with this attack.

The attack goes something like this:

  • You are flooded by password change requests on your various iDevices. The logic by the threat actors is that if they send enough requests, the target might eventually click yes either by accident or because you want to make the prompts stop.
  • If that doesn’t work, the target will get a phone call from “Apple Support” which isn’t really Apple Support. But they will spoof the actual Apple Tech Support number to pretend to be Apple Support.
  • “Apple Support” will then use open source intelligence to present you with information that they are trying to “validate” and then proceed to talk you into accepting a One Time Password request or giving them the One Time Password code. If you do that you’ll have your Apple iCloud account taken over.

One person who was targeted by this attack posted his experience on Twitter. I encourage you to click below to read the whole episode:

To be clear. Apple would never behave in this manner. They would never call you, nor would they ever ask you to hand over a One Time Password code. Or put another way, you should never give anyone that code. EVER. Thus every Apple user needs to be on guard for this attack as today it might be a highly targeted attack. But in the future it could broaden out to anyone which makes it highly dangerous. In the meantime, I wonder what if anything that Apple could do about it. They can’t do anything about a spoofed number, but the attack vector has to be something that perhaps they can do something about.

Leave a comment »

Apple Released Some Updates Last Week Without Telling You What Security Issues They Fix…. Why?

Posted in Commentary with tags on March 24, 2024 by itnerd

On Thursday, Apple released a bunch of updates. Specifically:

  • iOS 17.4.1 and iPadOS 17.4.1
  • iOS 16.7.7 and iPadOS 16.7.7
  • visionOS 1.1.1

And if you look at what the update said, you saw this:

Okay. So this has bug fixes and security updates with the word “important” in this description. That’s interesting. I wonder what the security updates are. Let’s look at Apple’s Security Updates Page to find out:

Under those updates, it says “Details coming soon”. Now Apple has done this before, but this isn’t an everyday occurrence. Thus it’s captured a lot of attention. And it’s resulted in a bunch of emails hitting my inbox asking why Apple wouldn’t release the details of what security issues they’ve fixed in this update. In my mind, there are three reasons why that hasn’t happened:

  • You’ll note that there are no watchOS or macOS updates. One thing that Apple might be doing is that they are waiting for those updates to ship so that whatever security issues that these updates fix aren’t then instantly exploited.
  • Another reason is that Apple wants a critical mass of people to install these updates so that when they release the details it won’t be instantly exploited because it’s that serious.
  • All of the above.

Now in my years of covering tech, I’ve only seen Apple do something like this a handful of times. Thus you need to take this seriously and install the updates for iOS and visionOS ASAP. And then if there are watchOS and macOS updates that ship in the next week. You should install those too. Clearly whatever security issue(s) that these updates fix are serious enough for Apple to take this route. And I’ll also point out that it is entirely possible that Apple may go weeks before releasing the information about whatever these updates fix. But that shouldn’t stop you from going ahead and updating all the things. Security these days should be your top priority so the fact that Apple isn’t speaking to this in public just yet shouldn’t stop you from staying as secure as possible.

UPDATE: It turns out my first thought was the correct one. Apple released macOS 14.4.1 on Monday and the security releases page got updated just after that.

1 Comment »

Guest Post: What You Need to Know to Protect Your Identity and Finances This Tax Season

Posted in Commentary with tags on March 23, 2024 by itnerd

By Valimail

Recent tax scams, as highlighted by the IRS and the FBI, continue to pose significant threats to taxpayers, exploiting various schemes to commit fraud and identity theft. The IRS’s “Dirty Dozen” list for 2023 underscores the variety of scams taxpayers and tax professionals should be wary of, not only during the tax season but throughout the year. 

Among these scams, the misuse of the Employee Retention Credit (ERC) has been notably aggressive, with scammers luring ineligible individuals with promises of significant refunds. Other popular cons are “professionals” offering to set up your IRS accounts (to steal your data), lying about fuel tax credits you can get, or fake charities exploiting your kindness to pocket donations. Other scammers try to bait people through phishing emails and texts, pretending you need to simply “update personal info” or something else seemingly non-nefarious. 

Like always, it’s smart to keep your personal info safe and be cautious of any surprise emails or calls pretending to be from the IRS or similar tax organizations. One small piece of advice: if you ever get questionable requests, check the IRS and/or FBI website for scam alerts to protect yourself, no matter how convincing the communication sounds. 

Sound rather daunting? Help is on the way…

Google and Yahoo’s New Requirements 

The biggest vector for abuse happens when a bad actor can fraudulently use a business’s trusted emailing domain to send legitimate-seeming messages to their employees, partners, or users. Google and Yahoo have set new requirements that began taking effect in February 2024, focusing on enhancing authentication and anti-spam measures for emails, to stop spam, phishing, and fraud. These rules require emailers to secure their domains from fraudulent usage and apply to nearly every business that sends email to Gmail or Yahoo inboxes. 

These rules, once fully in effect, should make it much harder for scammers to leverage trusted domains to defraud users. However, it’s important to note that these changes won’t be fully implemented for this tax season. Google and Yahoo will gradually enforce these rules to give senders ample time to comply. This means that while some improvements in email security might be noticed, the full benefits of these new requirements in curbing tax scams and other phishing attempts will be more fully realized in future tax seasons.

How to Avoid Tax-Related Phishing Attempts THIS Season

Before the upcoming regulations fully take effect, forward-thinking businesses are proactively elevating their security measures, especially during tax season. Valimail is at the forefront of this movement – creating ways to keep brands reliable and customers feeling safe. Here’s how Valimail can assist.

Valimail Align keeps you in step with the changing delivery rules of major providers such as Google and Yahoo, giving you peace of mind about your compliance across various services. With our automation platform, you can effortlessly align SPF and DKIM, ensuring your emails are delivered smoothly without gaps.

Valimail Enforce offers a smarter and more efficient path to DMARC enforcement. Our dedication lies in crafting top-tier automation solutions that ensure ongoing enforcement without the hassle of manual SPF and DKIM setups.

With our market-leading products, you can safeguard your domains and enhance email deliverability. We provide sophisticated sender intelligence, unlimited SPF lookups, and insightful analytics, all bundled into an easy-to-use application suitable for anyone.

Leave a comment »

« Older Entries
Newer Entries »