Hitachi Energy Discloses Data Breach

Posted in Commentary with tags on March 21, 2023 by itnerd

Hitachi Energy disclosed a data breach on Friday that occurred after the Cl0p ransomware gang exploited a zero-day vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) product. The breach allowed unauthorized access to employee data in some countries:

Upon learning of this event, we took immediate action and initiated our own investigation, disconnected the third-party system, and engaged forensic IT experts to help us analyze the nature and scope of the attack. Employees who may be affected have been informed and we are providing support. We have also notified applicable data privacy, security and law enforcement authorities and we continue to cooperate with the relevant stakeholders.

According to our latest information, our network operations or security of customer data have not been compromised. We will continue to update relevant parties as the investigation progresses.

Sylvain Cortes, VP of Strategy, Hackuity had this to say:

     “There are 198,000 known CVEs, and this ransomware gang just needed one to compromise Hitachi’s employee data. The scariest part? They didn’t even have to breach Hitachi’s internal systems. While the victim has since disconnected the compromised third party, this is yet another wake-up call: organizations’ attack surfaces extend far beyond the “surface”. Vulnerability Management has never needed reinventing more than in 2023.”

I have a feeling that there’s more to come from this breach disclosure. I’d not only recommend watching this space, but companies need to learn from this event so that they don’t become the next victim.

Ferrari Has Been Pwned By Hackers…. And The Car Company Won’t Be Paying Them

Posted in Commentary with tags on March 21, 2023 by itnerd

From the “I didn’t think I would be typing this” department comes this disclosure by supercar maker Ferrari that they have had a “cyber incident”, which is code for the fact that they got pwned. And the statement is very interesting:

Ferrari N.V. (NYSE/EXM: RACE) (“Ferrari”) announces that Ferrari S.p.A., its wholly-owned Italian subsidiary, was recently contacted by a threat actor with a ransom demand related to certain client contact details. Upon receipt of the ransom demand, we immediately started an investigation in collaboration with a leading global third-party cybersecurity firm. In addition, we informed the relevant authorities and are confident they will investigate to the full extent of the law.

As a policy, Ferrari will not be held to ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks.

Instead, we believed the best course of action was to inform our clients and thus we have notified our customers of the potential data exposure and the nature of the incident.

Ferrari takes the confidentiality of our clients very seriously and understands the significance of this incident. We have worked with third party experts to further reinforce our systems and are confident in their resilience. We can also confirm the breach has had no impact on the operational functions of our company.

So let’s pick this apart. First, someone stole some client details. Which I am guessing is valuable to the threat actors as their clientele isn’t exactly poor, and some may not want their names out there. Though you gotta wonder: if you’ve paid for a Ferrari, you’re going to drive it. Thus your name is going to get out there regardless. But I digress. Next is that they will not pay the ransom. And that, as far as I am concerned, is good, as paying ransoms only encourages threat actors. I did a quick check of the dark web last night and I did not see any evidence of the data the threat actors stole being shopped around. But that could change in the next day or two. It is also unknown who the threat actor is. And it is unknown if this is related to the situation that had Ferrari being pwned by RansomExx last year. So this is, in short, a fluid situation that will likely get updated in the days ahead as more details come to light.

UPDATE: Jason Middaugh, CISO, Inversion6 Had this comment:

This is Ferrari’s second cyber incident recently, and it’s never a good day when you suffer a data breach, but Ferrari couldn’t have handled the situation any better. Getting out in front of a breach and letting your customers know about the situation was text-book perfect. Also, not paying the ransom was another great call by their cybersecurity and executive management team. Paying a ransom for data that’s already been exfiltrated is a bad idea, especially since there’s no guarantee that after the ransom is paid the attackers just won’t release the data anyway. Post-incident, I expect Ferrari to put the pedal to the floor on their cyber program to reduce the risk of another data breach.

Uber Details Rider Ratings In Canadian Cities Along With How To Improve Your Rating

Posted in Commentary with tags on March 21, 2023 by itnerd

It’s been one year since Uber gave riders the ability to see exactly how their rating is calculated via the Privacy Center in the Uber app. Since then, revealing personal rider ratings has become a trend on social media, and many people are making a viral moment out of checking their rankings.

For the second year in a row, Uber is releasing the top five and lowest five ranked Canadian cities for rider ratings. 

Some riders took last year’s rankings to heart and turned their city’s ratings around thanks to helpful tips from drivers, while other cities dropped from the top spots. Winnipeg and Halifax entered the top five, Red Deer dropped from number two to three and London graduated from the bottom five cities. As some of the newest cities with rideshare in Canada, Sherbrooke and Trois-Rivières in Quebec are taking the top spots.

The below list shows the top 5 Canadian cities which have the highest average rider rating and lowest average rider rating. 

Highest average rider rating: 

  1.  Sherbrooke, QC
  2.  Trois-Rivières, QC
  3.  Red Deer, AB 
  4.  Winnipeg, MB 
  5.  Halifax, NS

Lowest average rider rating: 

  1.  Ottawa, ON 
  2.  Toronto, ON 
  3.  Montreal, QC 
  4.  Hamilton, ON 
  5.  Edmonton, AB 

For step-by-step instructions on how to find your ratings breakdown, check out this blog.

To access the Privacy Center and ratings breakdown in the app:

  • In the settings menu, tap privacy and then Privacy Center
  • In the Privacy Center, swipe to the right and click on the “would you like to see a summary of how you use Uber” tile
  • Scroll down to the “browse your data” section and tap on “View my ratings” to see the breakdown

Want to improve your rating? Drivers have shared some of the top reasons they hand out fewer stars: 

  1. Pack it in, pack it out: Drivers shouldn’t have to clean up after your mess. Always make sure to take your trash and any other belongings with you. Don’t leave a mess behind. 
  2. Buckle Up: Studies show that unbuckled passengers in the back seat can put the driver at greater risk of injury in a crash. So always remember to buckle up for your and the driver’s safety. 
  3. Be ready: Remember that drivers’ time is valuable and they shouldn’t have to wait for you. A smooth pickup is better for everyone so be ready to go when the driver arrives.
  4. Treat everyone and everything with respect: As outlined in Uber’s Community Guidelines, they want riders and drivers to feel safe, respectful, and positive. Always treat your driver and their vehicle as you would want to be treated. 
  5. Don’t slam the door! It is easy to accidentally slam a door if you aren’t thinking about it, and drivers have consistently cited door slams as a reason why they deduct stars.   

BBC To Staff: You Might Want To Remove TikTok From Your Phones

Posted in Commentary with tags on March 20, 2023 by itnerd

First it was governments banning TikTok on government employee phones. Now it’s over to private corporations. Well, in this case a semi-private one, as the BBC is a public broadcaster. Here’s what they’ve told their employees:

The BBC has advised staff to delete TikTok from corporate phones because of privacy and security fears.

The BBC seems to be the first UK media organisation to issue the guidance – and only the second in the world after Denmark’s public service broadcaster.

The BBC said it would continue to use the platform for editorial and marketing purposes for now. TikTok has consistently denied any wrongdoing.

The app has been banned on government phones in the UK and elsewhere.

So the way I read this, it’s a suggestion not a command. But that could change. Perhaps that would be based on what happens with TikTok elsewhere. But even this step by the BBC is going to get the attention of other organizations who may do this, or go further. And it will be interesting to see if TikTok or the Chinese Communist Party responds to this in any way.

Amazon To Slash 9000 More Jobs

Posted in Commentary with tags on March 20, 2023 by itnerd

On top of cutting 18,000 employees, it’s now making the news that 9,000 more jobs are being slashed at Amazon:

Amazon will lay off 9,000 more employees in the coming weeks, CEO Andy Jassy said in a memo to staff on Monday.

The cuts are on top of the previously announced layoffs that began in November and extended into January. That round totaled more than 18,000 employees, and primarily affected staffers in its retail, devices, recruiting and human resources groups.

Amazon made the decision to lay off more employees as it looks to streamline costs. It took into account the economy, as well as the “uncertainty that exists in the near future,” Jassy said. The company just wrapped up the second phase of its annual budgeting process, referred to internally as “OP2.”

“The overriding tenet of our annual planning this year was to be leaner while doing so in a way that enables us to still invest robustly in the key long-term customer experiences that we believe can meaningfully improve customers’ lives and Amazon as a whole,” Jassy said.

This also follows up Facebook/Meta doing a version of the same thing. Which doesn’t bode well for the tech sector as this may spur other companies to do the same thing. We’ll have to see what happens on that front, but I suspect that the next few weeks and months ahead will be very bumpy.

Silverfort recognized as a Microsoft Security Excellence Awards finalist 

Posted in Commentary with tags on March 20, 2023 by itnerd

Silverfort today announced it is a Zero Trust Champion and Security ISV of the Year award finalist in the Microsoft Security Excellence Awards. The company was honored among a global field of industry leaders that demonstrated success across the security landscape during the past 12 months.  

At the Microsoft Security Excellence Awards on April 24, 2023, Microsoft will celebrate finalists in 11 award categories honoring partner trailblazers, solution innovators, customer and technology champions, and changemakers. This is the fourth year Microsoft is recognizing partners for their outstanding work in the security landscape. All finalists are members of the Microsoft Intelligent Security Association (MISA), an ecosystem of independent software vendors (ISVs) and managed security service providers (MSSPs) that have integrated their security products and services with Microsoft’s security technology.  

MISA was established to bring together Microsoft leaders, ISVs, and MSSPs to work together to defeat security threats and make the world a safer place. The industry veterans in MISA and Microsoft will vote to select the winners of the Microsoft Security Excellence Awards, providing an opportunity for colleagues to honor their peers for delivering exceptional work to our shared customers. 

Guest Post: Queen Elizabeth and Taylor Swift among most used passwords in 2022

Posted in Commentary with tags on March 20, 2023 by itnerd

The most frequently reused credentials eventually end up on breached lists accessible to purchase on the dark web, thus becoming a weak point in personal and company security when subject to brute force and password-spraying attacks.

Examining the most often reused passwords allows individuals to gain insights into what type of passwords to avoid when safeguarding their online journeys. 

Some passwords, like password, 123456, qwerty, and other similar basic choices, have always been and will remain some of the most insecure picks to protect one’s account.

However, the data presented by Atlas VPN, which comes as a courtesy of SpyCloud, who extracted it from various lists on the dark web, reveals that the most commonly used credentials also change year-by-year and reflect the hottest topics.  

It is no surprise that music, streaming, and celebrity culture are among the most prevalent themes in passwords in 2022. 

Celebrity names as most common passwords

Last year, hundreds of thousands of credentials included keywords connected to celebrities Taylor Swift, Bad Bunny, Jennifer Lopez, Ben Affleck, and Elon Musk. 

Swift’s 10th album, “Midnights,” which reportedly generated $230 million in sales, resulted in passwords such as taylor, taylor swift, swiftie, and midnights being used 186,000 times. 

Similarly, Bad Bunny’s status as the most-streamed artist on Spotify in 2022 inspired the use of bad bunny, titi, and verano as passwords, with the latter two being among his popular songs, appearing 141,000 times.

The acquisition of Twitter by Elon Musk inspired the use of twitter and elon musk as passwords, which were used 74,000 times. 

Additionally, Jennifer Lopez and Ben Affleck’s reunion and marriage, known as Bennifer, was reflected in passwords such as jennifer lopez, jlo, ben affleck, and bennifer, appearing 46,000 times.

Avoid streaming and family-related passwords

Other pop culture events that captured the public’s attention were also reflected in the list of frequently reused passwords. 

The growing popularity of streaming TV services was reflected in passwords such as youtube, netflix, and hulu, which were chosen 261,000 times. 

The death of Britain’s Queen Elizabeth and other news about the royal family ignited the use of queen, queen elizabeth, and royal family as passwords. In total, credentials with the aforementioned keywords were used 167,000 times in 2022, according to various databases on the dark web.  

As expected, other frequently reused passwords included russia, russian war, ukraine, ukraine war, and trump. 
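The practical counterpart to a list like this is screening new passwords against it before they are accepted. The following Python check is an added example, not code from Atlas VPN or SpyCloud: it reduces a candidate password to its underlying "theme" (case, accents, separators, trailing year and leet substitutions removed) so that variants such as Sw1ftie2022! are caught, and it also looks the password up in a breach corpus by SHA-1 prefix, the k-anonymity range-lookup shape used by Pwned Passwords, where the client only ever sends the first five hex characters of the hash. The deny-list terms, the breach corpus and its counts are all constructed for the example and are not the article’s figures.

```python
from __future__ import annotations

import hashlib
import re
import unicodedata

# Constructed deny-list of password "themes": the perennial basics plus the
# celebrity, streaming and news keywords the article reports for 2022.
# A real deployment would load the top entries of a breach corpus instead.
BLOCKLIST_TERMS = {
    "password", "123456", "qwerty",
    "taylor", "taylorswift", "swiftie", "midnights",
    "badbunny", "titi", "verano",
    "twitter", "elonmusk",
    "jenniferlopez", "jlo", "benaffleck", "bennifer",
    "youtube", "netflix", "hulu",
    "queen", "queenelizabeth", "royalfamily",
    "russia", "russianwar", "ukraine", "ukrainewar", "trump",
}

# Substitutions people use to dress up a themed password ("Sw1ftie", "P@ssw0rd").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed stand-in for a breach corpus: password -> number of times seen.
# Counts are made up for this example; they are not SpyCloud or HIBP figures.
SAMPLE_BREACHED = {"password": 5, "123456": 7, "qwerty": 3,
                   "Midnights22": 1, "Netflix2022!": 2}


def normalize(password: str) -> str:
    """Reduce a password to its underlying theme so that trivial variants
    of a blocked word ("T@yl0r Sw1ft_2022!") are caught as well."""
    s = unicodedata.normalize("NFKD", password)
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    s = s.casefold()
    s = re.sub(r"[\s._\-]+", "", s)     # "taylor swift" / "taylor_swift" -> "taylorswift"
    s = re.sub(r"[^a-z]+$", "", s)      # strip trailing year/punctuation: "swiftie2022!" -> "swiftie"
    return s.translate(LEET)            # "sw1ftie" -> "swiftie"


def theme_match(password: str) -> str | None:
    """Return the blocked term the password reduces to, or None."""
    for candidate in (password.casefold(), normalize(password)):
        if candidate in BLOCKLIST_TERMS:
            return candidate
    return None


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict[str, int]) -> dict[str, dict[str, int]]:
    """Index a breach corpus by 5-hex-char SHA-1 prefix, the shape a
    k-anonymity range lookup returns: the client sends only the prefix
    and compares the suffixes locally, so the password never leaves it."""
    index: dict[str, dict[str, int]] = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def breach_count(password: str, index: dict[str, dict[str, int]]) -> int:
    digest = sha1_hex(password)
    return index.get(digest[:5], {}).get(digest[5:], 0)


def screen(password: str, index: dict[str, dict[str, int]]) -> tuple[bool, str]:
    """Screen a candidate password as NIST SP 800-63B asks: reject it if it is
    in a breach corpus or on a deny-list, and enforce a minimum length."""
    n = breach_count(password, index)
    if n:
        return False, f"seen {n} time(s) in the breach corpus"
    term = theme_match(password)
    if term:
        return False, f"matches blocked theme '{term}'"
    if len(password) < 8:
        return False, "shorter than 8 characters"
    return True, "accepted"


SAMPLE_INDEX = build_range_index(SAMPLE_BREACHED)

if __name__ == "__main__":
    for pw in ["Sw1ftie2022!", "T@yl0r Sw1ft_2022!", "Midnights22", "123456", "Tr0ub4dor&3"]:
        ok, why = screen(pw, SAMPLE_INDEX)
        print(f"{pw!r:24} {'OK' if ok else 'NO'}  {why}")
```

The normalization step is what makes a deny-list useful at all: a bare string match would pass Sw1ftie2022! while rejecting only the literal word, and attackers running password-spraying build their candidate lists from exactly these decorated variants.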

To read the full article, head over to: https://atlasvpn.com/blog/queen-elizabeth-and-taylor-swift-among-most-used-passwords-in-2022 

Let’s Say You Want To Ban TikTok Outright… How Would It Be Done?

Posted in Commentary with tags on March 19, 2023 by itnerd

I’ve been talking a lot about Chinese owned TikTok being banned in various places. Most of these bans relate to devices with access to some sort of government network. But the stakes are about to go up for TikTok as the US is looking to ban the social media app outright. If that were to happen, how would such a ban be implemented? I have some thoughts on how that could work:

  1. Apple and Google would be required to stop offering the app for download: This one is easy as both companies can do this easily. Not only that, they can do this on a geographical basis. By that I mean that they could enforce a ban in the US by making TikTok “disappear” in the US. Though I suspect that any sort of ban would spread elsewhere, which means that they would have to do this in more places. But as I said earlier, this is easy for either company.
  2. Apple and Google would be required to remove TikTok from phones: This is where things start to get tricky. I can’t imagine that any ban on TikTok would be effective if the app were still on people’s phones. Thus I can see a scenario where TikTok was instantly “Thanos Snapped” off of every phone the moment that the ban went into effect. I imagine that both Apple and Google have the ability to do this as mobile device management programs that companies use to manage smartphones can do this. Where things become very tricky is that I can see a scenario where people might sue Apple, Google, or the government because they would feel that nobody has the right to remove apps from their phones. It is possible that both Apple and Google have language in their terms of service that nobody reads that allows them to do that. But even if they do, I suspect that a court will have to sort this out.
  3. Apple and Google would be required to stop people from “side loading” TikTok: Here’s another tricky part of this whole discussion. Side loading. Which is the act of loading an app that isn’t on an App Store onto your device. If you’re on team Apple, you’ll need to do a function called “jailbreaking” to get past Apple’s restrictions on this sort of thing. And that’s not a trivial task for 95% of Apple iPhone users. That to me suggests that Apple likely doesn’t have much to worry about on this front. The real challenge is with team Android who have made “side loading” a sport because it’s not all that difficult to do. Google would have to figure out how to shut that down to ensure that they comply with a ban of TikTok. Which given the diversity of the Android platform may be difficult or next to impossible to do.

Now it is entirely possible that TikTok may avoid an outright ban, making this all irrelevant. But I don’t think so. The US is really intent on taking it to TikTok, and US allies will likely follow suit. Thus I hope that Apple and Google are planning for this as I am sure that a ban of TikTok is coming, and they will need to respond.

Today Is Digital Cleanup Day

Posted in Commentary on March 18, 2023 by itnerd

Digital Cleanup Day, which is today, is dedicated to raising awareness of digital waste and its impact on the environment, and encouraging individuals, businesses, and even government agencies to do their part to declutter their digital footprint. It also reminds us that the ramifications of digital waste are significant. 

The Digital Cleanup Day site states that internet use accounts for 3.7% of global carbon emissions, equivalent to all air traffic in the world (a stat also found here). This digital pollution contributes to global warming and climate change. Additionally, as the number of personal devices and data centers grows in order to store, manage, utilize, and protect the world’s exponential data growth, which unfortunately oftentimes includes digital waste, they require more energy to operate, which can put a strain on the power grid and increase energy costs.

All of this is in addition of course to the negative consequences digital clutter has on maintaining uptime and availability, ensuring the security of data and infrastructure, and optimizing resource utilization, which in turn has the potential to hurt an organization’s ability to meet business requirements and stay competitive in the industry.

Carl D’Halluin, CTO of Datadobi, and Amit Shaked, CEO and co-founder of Laminar, had this to say about why it’s important to be mindful of our digital habits and to take steps to reduce digital waste:

Carl D’Halluin, Chief Technology Officer (CTO), Datadobi:

“Digital Cleanup Day is an initiative that encourages individuals and organizations to declutter and organize their digital lives. People are encouraged to clean up their digital devices, including their computers, data storage, smartphones, and tablets. This may involve deleting unnecessary files, organizing folders and emails, and/or uninstalling unused apps, unused cloud service subscriptions, and unused user accounts. The day’s goal is to promote better digital hygiene habits and help individuals and organizations become more efficient, productive, and secure in their digital lives. Of course, until recently, digital cleanup for enterprises was much easier said than done.

Organizations that wish to declutter on Digital Cleanup Day and maintain a clean and well-organized digital footprint moving forward should start with the biggest nut to crack. According to analyst estimates, 80%-90% of all data is unstructured. This includes but isn’t limited to unnecessary data copies, outdated data, data belonging to employees no longer with the organization, and expired data backups and archives. To tackle such a monumental task, users should seek a data management solution that is vendor-neutral and can handle all types of unstructured datasets, including file and object data, whether they are located on-premises or in the cloud. It must be able to assess, organize and act upon your data. That is, it must be able to assess and analyze metrics such as data size, date created, format, type, complexity, and frequency of access, as well as other unique factors that are important to your organization. Then, it must enable the user to organize the data into a schema that makes the most sense for that specific organization. And last critical piece of the puzzle… the solution must enable the user to act. That is, enable the user to migrate, move, replicate, sync, or delete data with a few clicks of the button.

Now that digital cleanup can be “easier done than said” with the right solution in hand, organizations can enjoy numerous benefits including optimized storage usage, streamlined data management, reduced risk of data breaches and non-compliance, and increased productivity due to better data accessibility. Moreover, digital cleanup can unlock the value of important data insights, leading to improved business decision-making and innovation opportunities.”

Amit Shaked, CEO and co-founder, Laminar:

“While Digital Cleanup Day’s main mission is to help organizations reduce carbon footprint, it also serves as an important reminder for IT, data governance and data security teams to start keeping tabs on all of their sensitive data in the cloud. Often data security teams are blind to the location, volume and types of sensitive data that lies in the cloud. Not only can unknown data lead to excess costs and digital waste, it can also introduce significant risk. 

The rapid shift to the cloud and move toward data democratization has enabled organizations to quickly spin up data stores, especially in buckets or blob storage. Unfortunately, however, many companies don’t have full visibility into where their sensitive data resides. This unknown or “shadow” data is growing, and is a top concern for 82% of data security professionals. Examples of shadow data include database copies in test environments, analytics pipelines, orphaned backups, unlisted embedded databases and more. 

To help reduce carbon footprint and the overall attack surface, organizations must start with complete observability of their data. With new agile and cloud-native tools, enterprises now have the solutions they need to clean up unnecessary data, and to keep up with today’s fast-paced, cloud environment.”

FDIC #Fails Audit Regarding Active Directory Controls Within Their Organization

Posted in Commentary with tags on March 17, 2023 by itnerd

The FDIC is reporting disappointing results after the Office of Inspector General performed an audit of its controls for securing and managing its Microsoft Windows Active Directory which it uses for central management of all IT system user credentials.

According to the auditors, privileged users failed at basic password hygiene, including:

  • Reusing their passwords 
  • Sharing passwords across multiple accounts
  • Failing to change passwords for over a year

In addition, the probe found that, in over 900 cases, the accounts of users were not removed after prolonged inactivity. They also found three FDIC IT accounts with privileged access that remained privileged for almost a year after the access was no longer required for their positions.
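The findings above (stale passwords, inactive accounts left enabled, privileges kept after they are no longer needed) are exactly what a periodic Active Directory review should surface. As an added example that is not from the FDIC report or the OIG, here is a Python check over a CSV export of user objects. It assumes the export was produced with Get-ADUser and carries the columns SamAccountName, Enabled, pwdLastSet, lastLogonTimestamp and a semicolon-joined MemberOf; the column layout, the thresholds, the privileged-group set and the sample rows are all constructed for the example. Password reuse and sharing across accounts are not visible in such an export (that needs comparing credential hashes), so this check covers password age, inactivity and privileged-but-idle accounts, using privileged group membership plus inactivity as the proxy for "privilege no longer required".

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet and lastLogonTimestamp as Windows FILETIME values:
# 100-nanosecond ticks since 1601-01-01 UTC. A value of 0 means "never".
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed set of groups treated as privileged for this check.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}

# Reference date for the constructed sample (the date of this post).
AS_OF = datetime(2023, 3, 17, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime | None:
    if ft <= 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    td = dt - EPOCH_1601
    micros = (td.days * 86_400 + td.seconds) * 1_000_000 + td.microseconds
    return micros * 10


@dataclass
class Finding:
    account: str
    issue: str


def audit(rows: list[dict[str, str]], as_of: datetime,
          max_pw_age_days: int = 365, inactive_days: int = 90) -> list[Finding]:
    """Flag enabled accounts with old or unset passwords, accounts idle past
    the threshold, and call out privileged accounts among the idle ones."""
    findings: list[Finding] = []
    for r in rows:
        if r["Enabled"].strip().lower() != "true":
            continue                                   # disabled accounts are out of scope
        sam = r["SamAccountName"]
        groups = {g for g in r["MemberOf"].split(";") if g}
        privileged = bool(groups & PRIVILEGED_GROUPS)
        pw_set = filetime_to_datetime(int(r["pwdLastSet"]))
        last_logon = filetime_to_datetime(int(r["lastLogonTimestamp"]))

        if pw_set is None:
            findings.append(Finding(sam, "password never set (must change at next logon)"))
        elif (as_of - pw_set).days > max_pw_age_days:
            findings.append(Finding(sam, f"password unchanged for {(as_of - pw_set).days} days"))

        # lastLogonTimestamp is replicated but only refreshed when the stored value
        # is more than 14 days old (default msDS-LogonTimeSyncInterval), so it can
        # lag real activity by up to two weeks; keep inactive_days well above that.
        if last_logon is None or (as_of - last_logon).days > inactive_days:
            idle = "never logged on" if last_logon is None else f"idle {(as_of - last_logon).days} days"
            prefix = "PRIVILEGED " if privileged else ""
            findings.append(Finding(sam, f"{prefix}account {idle} but still enabled"))
    return findings


def load_export(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def sample_export(as_of: datetime) -> str:
    """Constructed CSV in the assumed column layout (not real FDIC data)."""
    def ft(days_ago: int) -> int:
        return datetime_to_filetime(as_of - timedelta(days=days_ago))
    rows = [
        ("asmith",     "True",  ft(30),  ft(2),   ""),                # healthy
        ("jdoe",       "True",  ft(400), ft(5),   ""),                # stale password
        ("svc_backup", "True",  ft(500), ft(200), "Domain Admins"),   # privileged and idle
        ("rbrown",     "True",  ft(10),  ft(120), ""),                # idle, still enabled
        ("tleft",      "False", ft(900), ft(600), "Administrators"),  # disabled: skipped
        ("newhire",    "True",  0,       0,       ""),                # never set, never logged on
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["SamAccountName", "Enabled", "pwdLastSet", "lastLogonTimestamp", "MemberOf"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    for f in audit(load_export(sample_export(AS_OF)), AS_OF):
        print(f"{f.account:12} {f.issue}")
```

Running it against a real export is a one-line change (read the file instead of calling sample_export); the value of doing it on a schedule rather than once is the point Naveen Sunkavalley makes below, since every joiner and leaver reintroduces the same drift.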

Following the audit findings, the FDIC OIG made 15 recommendations to the agency for improving security controls, such as providing password training and removing unnecessary privileges. This calls into question what training there has been up until now on password and credential controls, and on other widespread cybersecurity issues such as phishing.

Details of these cybersecurity concerns come as the financial regulator makes headlines over the SVB failure, and follow another report published earlier this year, also by the OIG, which found that the FDIC is not doing enough to monitor cyber risks within the institutions it regulates.

Oh boy.

I have three comments on this rather shambolic audit. The first is from Naveen Sunkavalley, Chief Architect at Horizon3.ai:

   “The issues highlighted in the audit – password re-use, excessive account privileges, and the failure to deactivate stale accounts – are very serious and commonly exploited by threat actors. These issues make it easier for an attacker to compromise an account and then use that single account to take over many other accounts and elevate privileges, ultimately leading to full compromise of AD and all AD-managed assets.

   “The FDIC is not alone though. We see the same problems in many of the organizations we work with. And the problems can easily recur after being fixed once, as users join or leave an organization, or users change passwords. We recommend regular security assessments of Active Directory environments to identify issues and address them as soon as possible.”

Baber Amin, COO at Veridium had this to say:

This report highlights two fundamental problems.

  1. Reliance on knowledge based credentials and trusting that humans will not follow the path of least resistance. Training is important, but we now have the means to eliminate passwords for the most part. The report continues to focus on password quality rather than asking for removal of passwords. Strong passwords that are not shared or reused actually do not need to rotate or update often. There is ample evidence on this.
    • Multi factor authentication should also play a larger role than how it is treated in the report. This is the first line of defense.

Action:  Don’t put a training band aid, eliminate the problem, eliminate passwords.

  2. Orphan accounts and access, and overarching entitlements
    • I put these under the access umbrella. Organizations need to embrace the concept of least privileged access and grant only the minimal amount of access necessary for the minimal amount of time. We have multiple entitlement management products and services that can root out orphan accounts, access sprawl, and even unused or orphan access grants. These tools need to be used on a regular basis.

Action: Limit access grants, use privileged access management tools to monitor privileged activity, use smart entitlements to limit overarching access, use smart monitoring to identify probes, and anomalies.

Morten Gammelgaard, EMEA, co-founder of BullWall had this to say:

   “The fact that privileged users were found to be reusing passwords and sharing them across accounts, as well as failing to change passwords for extended periods, indicates a lack of awareness about the importance of good password hygiene practices.

   “Moreover, the incorrect account configurations, and the discovery that user accounts were not removed after prolonged inactivity, reveals a lack of oversight in managing user accounts. These are common weaknesses that leave agencies vulnerable to cyber attacks, particularly ransomware attacks, which have only increased year over year.

   “For all their potential resources, government agencies clearly need to prioritize cybersecurity best practices and implement robust security controls. This includes providing password training to users, regularly reviewing user accounts and privileges, and removing unnecessary elevated domain privileges.”

It’s bad enough that smaller businesses suffer from these sorts of issues. But for the FDIC to have these sorts of issues is insane. Hopefully this is the wake up call that they need to move them into a much better place. And everybody else should read this report and ensure that they don’t have any of these issues as well.