More Than One-in-Three Canadian Organizations Experienced a Security Breach in the Past Year: CDW

Posted in Commentary with tags on April 12, 2023 by itnerd

CDW Canada has published findings from its 2023 Penetration Testing Survey to coincide with CDW’s annual National Penetration Testing Day.

The research found that more than one-in-three (36 percent) Canadian organizations experienced a security breach in the past year. While the vast majority (80 percent) involved an external breach originating from outside an organization’s infrastructure, three-in-five (61 percent) reported an internal breach. The high frequency of internal security breaches highlights the crucial importance of implementing and maintaining a strong cybersecurity posture and ensuring employees are educated and trained on security best practices.

The survey also revealed the most common types of security breaches Canadian organizations report being victimized by in the past two years, which included ransomware attacks (34 percent), business email compromises (34 percent) and phishing attacks (33 percent). Amongst companies/organizations that have shifted to a remote or hybrid work model, more than half (54 percent) of Canadian IT professionals report that the shift has increased their organization’s security risk. Awareness, training and resources remain paramount to combatting cyberthreats.

Now in its second year, the CDW survey summarizes the sentiment of 500 Canadian IT decision-makers regarding cybersecurity and the posture of their organizations.

To learn more about the state of penetration testing in Canada, please click here.

Sucuri Details WordPress Balada Injector Campaign

Posted in Commentary with tags on April 12, 2023 by itnerd

WordPress vulnerabilities have been in the news lately. Today I am discussing the Balada Injector campaign that has been attacking WordPress’s Elementor Pro plugin for the past six years. Here are the details from Sucuri:

The vulnerability allows authenticated users to arbitrarily change wp_options values within the database via the AJAX action of Elementor Pro working in conjunction with WooCommerce.

Since WooCommerce websites allow registration for customer accounts, any website with user registration enabled with the Elementor Pro plugin and WooCommerce installed is liable to be exploited if using the vulnerable version.

The plugin uses the update_option function which is used by WordPress to change database values for website settings, such as allowing shop admins to change some options within their site database. However, this recent vulnerability results from user input not being validated properly and the function does not check whether only high-privileged users are using it.

When both the Elementor Pro and WooCommerce plugins are active (a rather common combination within WordPress websites) this can lead to arbitrary wp_options changes such as:

  • siteurl value
  • default user role
  • user registration

We have also observed multiple users reporting that their administrator user name was changed to ad@example.com after this vulnerability was exploited on their website, as well as new administrator users added using the pattern wpnew_*** within the database.
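A defender-side check for the indicators Sucuri lists above (changed siteurl, default role and registration options, an administrator renamed to ad@example.com, new wpnew_* administrators). This is an added example, not Sucuri's or WordPress's code; it assumes option and user snapshots shaped like WP-CLI's `wp option list --format=json` and `wp user list --format=json` output, and the sample data and known-good URLs are constructed.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample data, shaped like WP-CLI JSON output (an assumption):
#   wp option list --format=json -> [{"option_name": ..., "option_value": ...}, ...]
#   wp user list --format=json   -> [{"ID": ..., "user_login": ..., "user_email": ..., "roles": ...}, ...]
SAMPLE_OPTIONS = [
    {"option_name": "siteurl", "option_value": "https://redirect.invalid/landing"},
    {"option_name": "home", "option_value": "https://shop.example.com"},
    {"option_name": "default_role", "option_value": "administrator"},
    {"option_name": "users_can_register", "option_value": "1"},
]
SAMPLE_USERS = [
    {"ID": 1, "user_login": "ad@example.com", "user_email": "ad@example.com",
     "roles": "administrator"},
    {"ID": 2, "user_login": "jane", "user_email": "jane@shop.example.com",
     "roles": "editor"},
    {"ID": 57, "user_login": "wpnew_9f3a1c", "user_email": "x@mail.invalid",
     "roles": "administrator"},
]
# Known-good URLs come from the operator's records, never from the database being audited.
EXPECTED_URLS = {"siteurl": "https://shop.example.com", "home": "https://shop.example.com"}

WPNEW_LOGIN = re.compile(r"^wpnew_", re.IGNORECASE)  # new-admin pattern reported by Sucuri
SUSPECT_ADMIN = "ad@example.com"                     # renamed-admin value reported by Sucuri


def audit_options(options: List[Dict[str, str]], expected_urls: Dict[str, str],
                  expected_default_role: str = "subscriber") -> List[Finding]:
    """Check the wp_options values Sucuri names as targets of the arbitrary-update bug."""
    opts = {o["option_name"]: o["option_value"] for o in options}
    findings: List[Finding] = []
    for name in ("siteurl", "home"):
        if opts.get(name) != expected_urls.get(name):
            findings.append(("high", f"{name} is {opts.get(name)!r}, "
                                     f"expected {expected_urls.get(name)!r}"))
    role = opts.get("default_role")
    if role != expected_default_role:
        findings.append(("high", f"default_role is {role!r}, expected {expected_default_role!r}"))
    if opts.get("users_can_register") == "1":
        # Often legitimate on a shop; reported as info so the operator can confirm it was intended.
        findings.append(("info", "users_can_register is enabled"))
    return findings


def audit_users(users: List[Dict[str, object]]) -> List[Finding]:
    """Flag accounts matching the post-exploitation patterns Sucuri observed."""
    findings: List[Finding] = []
    for u in users:
        roles = {r.strip() for r in str(u.get("roles", "")).split(",")}
        login = str(u.get("user_login", ""))
        email = str(u.get("user_email", ""))
        if SUSPECT_ADMIN in (login, email):
            findings.append(("high", f"user ID {u['ID']} has login/email {SUSPECT_ADMIN}"))
        if "administrator" in roles and WPNEW_LOGIN.match(login):
            findings.append(("high", f"administrator {login!r} (ID {u['ID']}) matches wpnew_*"))
    return findings


def audit(options: List[Dict[str, str]], users: List[Dict[str, object]],
          expected_urls: Dict[str, str], expected_default_role: str = "subscriber") -> List[Finding]:
    """Run both checks and return every finding, highest-impact ones first."""
    found = audit_options(options, expected_urls, expected_default_role) + audit_users(users)
    return sorted(found, key=lambda f: f[0] != "high")  # stable sort: "high" before "info"


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_OPTIONS, SAMPLE_USERS, EXPECTED_URLS):
        print(f"[{severity}] {message}")
```

On the constructed sample the audit returns four high findings (siteurl, default_role, the ad@example.com account and the wpnew_ administrator) plus one informational note about registration.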

Now you might have noticed the word “WooCommerce” in the above statement. That’s because you might have heard about another WordPress vulnerability that leverages WooCommerce.

David Maynor, Senior Director of Threat Intelligence, Cybrary has a very detailed comment on this:

   “The most frustrating discussion a security person can have is the talk with sales/marketing where the need for WordPress is brought up. I am a long time security researcher and I have the opinion that WordPress cannot be made secure.

   “WordPress dates back to 2003 with the goal of replacing the need for developers to make changes to a website. Things like website themes, plugins that will do almost anything, adapting content to a number of browsers and platforms like mobile devices. WordPress has been institutionalized by pretty much everyone to be the de facto CMS.

   “Because of this overwhelming adoption for critical needs like customer facing web pages an entire developer ecosystem sprouted up around developing themes, tools, and plugins to make WordPress even easier to use. This is the equivalent of building a bad roof on a shaky foundation for a house in an earthquake zone. 

   “If you haven’t worked with sales and marketing departments before you might not be aware of the absolute dominance WordPress has in its market. There are entire tools and marketing platforms based on analyzing and optimizing WordPress content for data collection, targeted advertising, and customer insights.

   “Targeting a market for non-technical people to minimize technical needs leads WordPress users to often know nothing about a system other than the WordPress interface. WordPress is a popular bundled application for site hosting platforms to bundle in with a hosting subscription. The mixture of lack of technical knowledge or not being aware you may have WordPress on your hosted platform combines with PHP development and outdated security practices to make WordPress a perfect target for threat actors to steal data or use a compromised site to trick unsuspecting users into malicious interactions that look legitimate.

   “I say all this to address the questions of why WordPress is a rich target and why it keeps being the target of malicious campaigns. It is low hanging fruit that is trivial to pop. It’s so popular as a target it is often the target newbie hackers start with.

   “So now to Balada. Why is it so large? A mixture of low hanging fruit and exploitable targets that can often be found with Google dorking, and attackers using compromised hosts as currency leads to a long dwell time for attackers on a victim. 

   “This campaign is so large and lengthy due to the attackers taking advantage of many uses of WordPress like targeting specific platforms with specific code or easily hiding backdoors in pirated plugins. This group is the multi-headed hydra of attacks by varying exploits and post compromise activities.

   “In addition to tooling and techniques, the rise of encryption everywhere blinds many network based detection tools with the same technology, TLS, used to make sure a hacker at a coffee shop isn’t sniffing an unsuspecting Wi-Fi user’s website credentials.

   “WordPress is a de facto content management solution with an entire ecosystem of developers writing themes, plugins and tools. Often this 3rd party software is the source of compromise.

   “This campaign is large because the attackers have multiple attacks and post compromise tooling that allows them to stay a few steps ahead of WordPress admins.

   “Website owners often go to WordPress because it allows quick and easy content development without the need for a team of coders. These are the users least likely to notice they have been compromised.

   “I don’t think WordPress and its ecosystem can be secured. Popular WordPress security apps often don’t try to stop intrusions but rather focus on cleaning out an attacker by rolling to a previously known good version. If the security experts don’t think they can stop attackers why would anyone else?”

This scares me as I use WordPress for this blog. I’ve spent a lot of time going through the configuration of this blog to assure that it is as secure as possible. Hopefully WordPress can step up and improve security with its product as that combined with individual WordPress users doing all they can to improve security on their end may be the only hope of mitigating these attacks.

New Research On Detection Of AirTag & Tile Stalking Posted By Cybrary

Posted in Commentary with tags on April 12, 2023 by itnerd

The Cybrary Threat Intelligence Group has just published findings on detecting Bluetooth stalking and actionable threats to IIoT and IoT-enabled assets in two new blog posts this morning:

To briefly summarize Cybrary’s work and findings:

  • Bluetooth trackers relay their location and can use just about everything in their ecosystem to act as a bridge to the internet, and can put both personal safety and the integrity of IIoT-connected resources, such as those found throughout critical infrastructure, at high risk.
  • Manufacturers’ Security Steps – Limits to Effectiveness: In December 2022, The Cybrary Threat Intelligence Group noted Apple’s updated effort to limit the use of AirTags in stalking, and undertook research to determine whether the device was still capable of misuse, and if so, what could be done to thwart such use. Manufacturers have taken steps to prevent misuse. Nonetheless:
    • Tile lets a Tile owner evade detection in exchange for personal data.
    • Newer iPhones disclose when an AirTag is near, but often not until several hours after detecting it – precious time during which a stalker could act.
    • Detecting cross-platform surveillance – such as if an iPhone user is surveilled with a Tile – is even more difficult.
  • Cybrary Research Approach: To demonstrate manufacturers’ detection flaws and enable actual device detection, regardless of device type, the Cybrary Threat Intelligence Group used several approaches and wireless pentesting tools, knowledge of RF protocols, and blackbox analysis skills to examine, duplicate, and port the findings to the Swiss army tool for RF hackers, the Flipper Zero. The Flipper Zero is a small device that lets users interact with all manner of RF devices such as TV controllers and key fobs. Its antennas read a wide range of common signals, and it has an extensive and actively contributing user community.
  • Method: Cybrary isolated the radio signals from each brand of tracking device, stored those signatures, and built an application that enables users to immediately detect any brand of Bluetooth tracker – including Tile, despite its offered option to hide the tracker from detection. 
  • Implications: The implications of this are significant, both for thwarting stalkers and as IoT and especially IIoT are being installed across the oil and gas industry, regional water systems and other critical infrastructure. We determined that:
    • Cybrary R&D developed detection means to advance both personal privacy, safety and CI security; and
    • Importantly, we codified that aspects of planning attacks on IoT and RF devices can be almost identical in method to planning attacks on networks. Defensive training to protect IoT and IIoT environments and resources against intrusion is just as important as that to protect against intrusion of corporate networks, and even more critical for IoT and IIoT security against intrusion.
    • Moreover, in the short term, there may be debate on whether the availability of “tracker scans” in public gathering places has a role to play in the prevention of stalking and its catastrophic harms. Cybrary does not take a stance for or against this as it is outside of its scope of research.

Here are links to the blog posts:

Cybrary Counter-Stalking Initiative

Cybrary Threat Intelligence Group (CTIG) IoT Research

Rogers FINALLY Admits That It Has Issues With Their Email Offering… Not That It Helps Any Of Their Customers

Posted in Commentary with tags on April 12, 2023 by itnerd

I’ve been covering a long standing issue with Rogers and their email offering, which is powered by Yahoo, for weeks now. If you’re new to this, here’s the TL;DR: Users of Rogers email service (in other words, they have a @Rogers.com address) can’t get their email on any device or application that they choose. And this has dragged on for weeks. This is in part due to the fact that Rogers requires users to create App Specific Passwords via Rogers Member Center for each program or device that an email address is used on. The creation of new app specific passwords doesn’t work, and existing app specific passwords appear to have been deleted in many cases. That pretty much breaks your applications that rely on them. There is a workaround, but that workaround is sub optimal to say the least. And it’s led me to recommend to my many clients who are affected by this that they dump Rogers as an email provider.

Today, after weeks of official silence on this issue, Rogers has finally admitted that it has a problem. Sort of. As of this morning, if you try to generate an App Specific Password, you will now get this error message:

Why Rogers didn’t add this weeks ago is beyond me. It might have saved them a bunch of tech support calls as well as mitigated the frustration that their user base has at the moment. But even then, this isn’t a substitute for a proper announcement from the Canadian telco that they have an issue and that there’s a timeline to fix it. But I suspect that this is because Rogers has no clue when it will be fixed because they have no clue about how to fix it. So they’ve just pretended that the problem doesn’t exist unless someone calls into tech support. And when that didn’t work, they added this message.

#Fail.

The only thing that is perhaps new is the fact that the message points you to this document which details how to set up Rogers email on an iOS or Android device. I tested this with a client this morning on their Android phone and it does work. And I assume that it will work for iOS devices as well. But this does nothing to help people using Outlook, Thunderbird, or any other email program on their desktop or laptop computer. And as I have said many times before, using a web browser as the primary means to check your email is sub optimal. Thus this response from Rogers is still pretty bad. And doesn’t change the situation for any of their customers in any meaningful way.

This whole situation is going to bite Rogers, as I can say that over the last few weeks I have been working to transition people off of Rogers email using this method, and then when Rogers eventually figures out how to fix this issue I will be archiving that email for the clients in question so that they can dump Rogers as a telco. Though there seem to be a few clients who are so fed up with this that they are willing to sacrifice their email and just switch to another telco because they are so fed up with Rogers’ handling of this situation. And I have to say that I don’t blame them. Rogers has really mishandled this, and when their churn rates start to increase, they will only have themselves to blame.

OneStep Group Solutions Consultant First to Achieve Cradlepoint Partner Pioneer Status Globally

Posted in Commentary with tags on April 12, 2023 by itnerd

Cradlepoint, the global leader in cloud-delivered LTE and 5G wireless network solutions, today announced the first individual to achieve ‘Pioneer Partner’ status globally is Joe Myatt, Solutions Consultant from Melbourne, Australia-based network delivery and managed services provider, OneStep Group. The Pioneer Partner status is given to those partners that successfully complete Cradlepoint technical training and deliver technical presentations that demonstrate expertise and deep understanding, as part of Cradlepoint’s Partner Mountaineer Program.

The Cradlepoint Mountaineer Program, which is open to all partners, provides training and certifications designed to accelerate technical users and encourage creative applications of Cradlepoint solutions.

Partners that become ‘Mountaineers’ can progress up three levels — Discoverer, Explorer, and Pioneer — with each level requiring partners to complete virtual courses in Cradlepoint University and demonstrate increasingly advanced competencies. At the final stage of completion, Pioneer Mountaineers are required to perform a live, virtual customer scenario presentation to a panel of Cradlepoint SEs, SAs, and leadership.

OneStep provides a managed service with Cradlepoint solutions to Cleanaway, Australia’s leading total waste management organization. One of the key operations Cleanaway uses is connected weighbridges, which enable the organization to weigh waste and charge customers accordingly, however, connectivity in some areas was unreliable. To mitigate connectivity dropouts and provide network visibility, OneStep demonstrated deep technical knowledge of Cradlepoint solutions capability and designed and implemented a vigorous network transformation in Cleanaway. OneStep Group deployed an edge network solution that leverages both wired and mobile networks through Cradlepoint’s hybrid WAN routers at dozens of fixed sites. At almost every location, a cellular broadband service is configured as the primary WAN link.

Cradlepoint was identified as the vendor of choice because of its leadership in LTE and 5G connectivity, as well as the company’s ability to configure and enable management of all devices from a single pane of glass.  

OneStep Group provides a managed service for Cleanaway, in which both teams can use Cradlepoint NetCloud Manager to easily monitor uptime and manage configurations centrally, with little need for in-person, on-site evaluation. 

The Partner Mountaineer Program includes partner incentives, from branded merchandise to solution demo kits. For those that achieve Pioneer level, there is an opportunity for an invitation to the Cradlepoint Tech Summit, which provides engagement with Cradlepoint’s solution engineering global leadership team, as well as in-person training.

Partners interested in joining Cradlepoint Mountaineers can register via Cradlepoint’s Partner Portal or enquire with their Partner Account Manager. 

Hackuity’s New Smart Exposure Explorer Provides Unified Vulnerability Encyclopedia

Posted in Commentary with tags on April 12, 2023 by itnerd

Hackuity, the risk-based vulnerability management provider, today announced the newest feature to its platform to help organizations evaluate the real threats associated with CVEs. 

Smart Exposure Explorer (SmartEx2) will serve as a unified encyclopedia for open-source and non-public vulnerability information, providing a more up-to-date and in-depth analysis of CVEs to Hackuity’s customers and partners.

Hackuity’s Exposure Management (EM) users will now have full access to SmartEx2, enabling security teams to evaluate real threats posed to their attack surfaces by each of the known 200,000 CVEs and innumerable non-CVE vulnerabilities. Hackuity’s SmartEx2 collects extensive information from Vulnerability Open-Source Intelligence providers as well as via Hackuity bots that monitor the dark web and deep web for advanced vulnerability intelligence.

SmartEx2 will provide even greater granularity regarding publicly and non-publicly disclosed vulnerabilities to give organizations the insights that matter most, including:

  • Real Exploitability, clearly indicating whether the CVE is exploitable by attackers. 
  • Exploit Maturity, based on the number of exploits available to APTs or ransomware gangs.
  • Threat Intensity, derived from public social networks, the dark web, and the deep web to determine if attackers are using the CVE at that very moment.

Learn more about SmartEx2 at https://hello.hackuity.io/fr/feature/smartex2

NPR Dumps Twitter… While The BBC Speaks To Elon Musk

Posted in Commentary with tags on April 12, 2023 by itnerd

Last week, Twitter and their leader Elon Musk labeled both the BBC and NPR as “government-funded media”. That move put them into the same category as Chinese media directly controlled by the Communist Party. Elon later walked that back after the predictable outrage. But it seems that the damage has been done. At least with NPR:

NPR will no longer post fresh content to its 52 official Twitter feeds, becoming the first major news organization to go silent on the social media platform. In explaining its decision, NPR cited Twitter’s decision to first label the network “state-affiliated media,” the same term it uses for propaganda outlets in Russia, China and other autocratic countries. 

The decision by Twitter last week took the public radio network off guard. When queried by NPR tech reporter Bobby Allyn, Twitter owner Elon Musk asked how NPR functioned. Musk allowed that he might have gotten it wrong. 

Twitter then revised its label on NPR’s account to “government-funded media.” The news organization says that is inaccurate and misleading, given that NPR is a private, nonprofit company with editorial independence. It receives less than 1 percent of its $300 million annual budget from the federally funded Corporation for Public Broadcasting. 

Yet by going silent on Twitter, NPR’s chief executive says the network is protecting its credibility and its ability to produce journalism without “a shadow of negativity.”

This could be the start of other news organizations dumping Twitter. Which will add to the death spiral that Twitter is already in as nobody wants to go someplace where there is no content to view. Perhaps Elon should have thought about that before he decided to slap “government-funded media” labels on both NPR and BBC.

Speaking of the BBC, they managed to somehow score a one hour interview with Elon where he goes into all sorts of detail about buying Twitter, his ill advised Tweets, and his claim that Twitter is making money and how Apple “feels comfortable” advertising on Twitter. I won’t pick any of that apart here. Instead, you can watch the full 1 hour interview here if you are in the UK or you have access to a VPN. Or you can watch the highlights here and judge for yourself:

UPDATE: Elon responds to NPR dumping Twitter with his usual maturity.

Inside-Out Defense Announces Industry’s First Platform to Provide Real-Time Detection, Remediation to Privilege Access Abuse

Posted in Commentary with tags on April 12, 2023 by itnerd

Inside-Out Defense, the cybersecurity industry’s first platform to solve privilege access abuse, emerged today from stealth funded by Bain & Company to provide real-time detection and remediation to today’s most prolific attack vector – privilege access abuse.

99% of all cyber breaches are due to human error, emphasizing privilege abuse through a compromised identity or malicious insider. Today’s cybersecurity market is flooded with point solutions that only look for a few known privilege abuse signatures and are reactive in nature, only detecting these abuses days to months after the event. The industry’s focus has been on plugging access vulnerabilities instead of breaking the attack chains.

Inside-Out Defense is a SaaS, agentless Privilege Access Abuse detection and remediation platform that supports all environments and applications and is built for ‘Continuous Validation of Trust’™. The platform complements existing Identity Access Management (IAM), Privilege Access Management (PAM), and custom identity solutions. The platform enables the determination of the gaps between known and unknown abuse behaviors, thereby stopping privilege abuse in real-time, at scale. 

Key Features:

  • Privilege Abuse Remediation: Real-time detection of privilege access abuse behaviors and in-line remediation of malicious privilege access through a kill switch. 
  • Access Intent: Customers get a 360-degree profile of malicious access requests, their context, and intent, offering a real-time view of the organization’s access posture.
  • Coverage Across the Entire Organization: Inside-Out Defense provides complete coverage across the organization’s environments, including infrastructure (cloud & on-prem), applications (SaaS, managed, unmanaged), APIs, and human/non-human users. It complements existing customer security tooling, including IAM, PAM, SIEM, Workflow tools, etc. Non-invasive integration with customer environments and operational within minutes.

Inside-Out Defense’s initial customers include global Pharma, Manufacturing, Healthcare, and Fintech organizations. The product solves the most challenging access abuses in the digital supply chain, saving millions of dollars due to potential breaches while eliminating the need for post-breach analysis and laborious access audits.

Founded by Ravi Srivatsav, CEO, and Venkat Thummisi, CTO, the company is funded by Bain & Company, where Ravi was formerly a partner. Before joining Bain & Company, Ravi was Chief Product & Commercial Officer at telecom giant NTT Group and Founder and CEO of ElasticBox, which powers agile application delivery on public and private clouds and was acquired by CenturyLink in July 2016. 

Before joining Inside-Out Defense, Venkat started his journey with cybersecurity while at MIT and was the Chief Architect & Product Manager of RSA NetWitness and Archer. He has held similar roles at Schneider, EMC, and most recently, he was the Senior Vice President and Chief Product Officer at leading healthcare provider TriZetto.

Inside-Out Defense will be at the RSAC Early Stage Expo. Please visit them at Booth #11.

Rise of AI Lowers Barrier to Entry for Cybercriminals as ChatGPT Bans Spread Through Europe

Posted in Commentary on April 12, 2023 by itnerd

With ChatGPT’s ban now spreading across Europe, regulators and law enforcement recognize the potential risk associated with AI. 

With that in mind, Delilah Schwartz, cybersecurity strategist at threat intelligence firm Cybersixgill, has released the “State of the Cybercrime Underground” report analyzing the entire volume of collected intel from 2022. The report identifies how AI and applications fueled by AI are creating a lower barrier to entry into the cybercriminal world, and where cryptocurrency sanctions are failing, instead offering new financial fraud vehicles for cybercriminals.

You can read the report here.

Guest Post: 60% Of E-Shop Phishing Scams Exploit Apple’s Brand Name

Posted in Commentary with tags on April 12, 2023 by itnerd

Due to its ease of access and efficacy, phishing remains one of the most common types of cybercrime. By purchasing pre-made phishing kits, fraudsters may easily start phishing operations with very little technical knowledge.

Data presented by Atlas VPN reveals that e-shop brands were the most often utilized lure by phishers in 2022. E-shop phishing scams accounted for 42% of financial phishing cases in 2022. 

Companies in the banking and payment system industries were also imitated, but they comprised only around 10% of all financial phishing occurrences each.

The data comes as a courtesy of Kaspersky and is extracted from the devices of Kaspersky security product users. Users voluntarily made the data available, and the data was anonymized. 

Globally, the popularity of online shopping is increasing, and as a result, more companies are being imitated by phishers.

Yet one brand is imitated much more often than any other. With approximately 60% of e-shop financial phishing threats in 2022, Apple continues to be the brand that fraudsters most frequently impersonate.

Another brand that is favored by cybercriminals is Amazon. Amazon, with 15%, stayed in second position as the most imitated brand in e-shop phishing sites and emails. Together with Apple, these two brands appear in around 75 out of 100 phishing attacks.

While Mercari, MercadoLibre, and eBay brands are also used in phishing scams, they only appear in around 6 out of 100 cases. 

Watch out for emails from PayPal

According to current data, while the vast majority of financial phishing scams imitate e-shop brands (42%), payment systems (10%) are also used as a lure by phishing artists.

In the world of electronic payment methods, PayPal has long been a favorite target for con artists. The vast majority (84.23%) of phishing URLs for electronic payment systems target PayPal.

As a result, the shares of other payment systems have fallen precipitously, with American Express falling to 2.02% in 2022, Visa decreasing to 3.10%, and MasterCard declining to 3.75%.

To read the full article, head over to: https://atlasvpn.com/blog/60-of-e-shop-phishing-scams-exploit-apples-brand-name