ASUS Finally Seems To Have A Firmware For The ZenWiFi XT8 That Works

Posted in Commentary with tags on February 20, 2023 by itnerd

Over the last few months, I’ve been telling people to either avoid, or at least be cautious about, firmware updates for the ASUS ZenWiFi XT8. In the latter case, I said this:

ASUS really needs to get a firmware release out that stabilizes things for the vast majority of their users. And unfortunately, this specific firmware doesn’t seem to be it. Based on what I am reading in the Reddit threads that I linked to above, some people are getting fed up with being treated as “beta testers”. That in the long term will affect the probability that these users will buy another ASUS product in a negative way. Thus ASUS would be well advised to get on getting a firmware out that is stable for all.

Well, we might, key word MIGHT, have that firmware. Last week ASUS rolled out version 3.0.0.4.388.22525 of their firmware, and from all reports it has been stable for most, specifically in the connection between the nodes, which has been a source of grief for many. I’ve been testing it for the last few days and have found zero issues with it myself. But I should note that I also found zero issues with the last firmware that ASUS put out before Christmas, while many others had issues. What gives me hope that this one is stable is that, looking at places like SNB Forums, the majority of users seem to be having a good experience with it.

My firmware upgrade process for ASUS routers is as follows: 

  • Log into the router using a computer and a web browser
  • Backup the configuration using these instructions
  • Update the firmware.
  • After updating I do a factory reset of the router using these instructions
  • Using a computer and a web browser, connect to the router and, using the advanced options in the setup wizard, restore the configuration backup that I saved in the second step.

I do this because I have found that simply upgrading to the latest ASUS firmware in place can create problems. The whole process takes 30 to 40 minutes, but doing it this way has resulted in zero issues for me. One extra check worth making if you download the firmware file manually rather than letting the router fetch it: compare the file’s SHA-256 hash against the one ASUS publishes next to the download before you upload it, so you know the image is intact and is the one ASUS actually shipped.

I would be very interested to hear the experience of other XT8 owners with this firmware. Is it better? Is it worse? Please leave a comment and share your thoughts.

Here’s How To Keep Your Twitter Account Secure Without Paying Elon Musk $8 A Month

Posted in Commentary with tags on February 20, 2023 by itnerd

In a pretty naked attempt to generate revenue, Twitter announced that if you want to use two factor authentication or 2FA via text message, you’re going to have to hand over $8 a month to Elon Musk. To be frank, Elon forcing users to pay to secure their Twitter account is shameful, and is one more reason for you to dump Twitter. But if you must be on Twitter, here’s how you can secure your account without giving Elon any of your money. Specifically, you should use an authentication app or security key. Here’s a quick explainer as to what they are:

  • A security key is a small, portable device that you plug into your computer (or tap against your phone) to authenticate to an online account. It answers a cryptographic challenge that is tied to the site’s real domain, which is why a phishing page on a lookalike domain can’t use it. A hardware fob that displays seemingly random numbers that change every 30 seconds is a different thing: it is a physical version of the authenticator app below.
  • An authentication app generates the same kind of seemingly random, time-based codes from a secret that the site shares with the app when you set it up (usually by scanning a QR code), but instead of a separate physical device, the app runs on your phone.

I would recommend the latter as there are many apps out there that do this sort of thing such as Microsoft Authenticator, Duo Mobile, or Google Authenticator. They’re free in the App Store of your choosing. From there you can use one of these resources below to set up 2FA:

  • Duo has instructions on how to set up 2FA with its app here.
  • Cloud Insights has a really good how to guide on setting up 2FA with Microsoft Authenticator here.
  • Beebom has a really good how to guide on setting up 2FA with Google Authenticator here.
  • Twitter itself has general instructions here to set up 2FA on Twitter.

One bonus of not using text message based 2FA is that text message 2FA is vulnerable to SIM swap attacks, where an attacker talks your carrier into moving your phone number onto a SIM card they control and then receives your login codes instead of you. In general it is a good idea to move away from text message based 2FA for all your online accounts. Which makes me wonder why Elon wants to charge for something that is generally agreed to be less secure than the other 2FA methods. I guess it’s his desperation to make money that is at work here, as like other moves that he’s made with Twitter, he clearly hasn’t thought this through. And it makes me wonder if he’ll find a way to do the same thing with the other methods of 2FA once enough people point out to him that this won’t make him any money. But until that happens, I’d suggest changing your method of 2FA to something more secure and free while you can.
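To show what an authenticator app is actually doing when it shows you those six digits, here is an added example, my own illustration rather than code from Twitter or from any of the apps listed above, of the scheme they implement: RFC 6238 TOTP built on RFC 4226 HOTP. The issuer and account names are made up, and the example secret is the base32 form of the RFC test key so the values can be checked against the vectors published in the RFCs. Note that nothing in it involves a phone number.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Constructed example secret: base32 of the RFC 4226/6238 test key "12345678901234567890".
# A real enrollment would use new_secret() and hand it to the app via the setup QR code.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret(nbytes: int = 20) -> str:
    """Fresh 160-bit shared secret, base32-encoded the way authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """The otpauth:// URI that the setup QR code encodes (issuer/account are example values)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def _decode_secret(secret_b32: str) -> bytes:
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))  # re-add the padding apps usually strip


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since the Unix epoch.
    Both sides only need the shared secret and a clock; no SMS, no phone number."""
    return hotp(_decode_secret(secret_b32), at_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side to tolerate
    clock drift, and compares in constant time so timing cannot reveal how many digits matched."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    for drift in range(-window, window + 1):
        t = at_time + drift * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t, step, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(EXAMPLE_SECRET_B32, now)
    print("current code:", code, "valid:", verify_totp(EXAMPLE_SECRET_B32, code, now))
    print(provisioning_uri("Twitter", "alice@example.com", EXAMPLE_SECRET_B32))
```

Two things worth noticing. First, a SIM swap buys the attacker nothing here: the code is derived from the secret stored on the phone and the current time, so there is no message for a hijacked number to receive. Second, a TOTP code can still be phished if a fake login page relays it to the real site within the 30-second window, which is the gap a security key closes; an authenticator app is the big step up from SMS, a security key is the step after that.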

Meta Decides To Copy Twitter And Offer Their Own Subscription Based Verification System…. And Unlike Elon Musk They Actually Thought This Through

Posted in Commentary with tags on February 19, 2023 by itnerd

I am not sure what they’re smoking at Meta. Perhaps it’s the weed that Twitter is now peddling. But they’ve decided to offer their own subscription based verification system. The announcement was made by Mark Zuckerberg himself on Facebook. Here are the details:

  • This is coming to Instagram and Facebook
  • Australia and New Zealand will get this first
  • You verify your account with a government ID
  • You get a blue badge
  • You get extra impersonation protection against accounts claiming to be you
  • You get direct access to customer support.
  • Meta Verified starts at $11.99 / month on web or $14.99 / month on iOS

All of this sounds so much more thought out versus the half baked verification system that Twitter came up with. Though they must have missed the part that Twitter has had almost zero traction with Twitter Blue. Thus I question how much success Meta will have with this. As always, Meta is free to prove me wrong on that front. And seeing as they’re still a public company, we’ll find out in the next few quarters how well this scheme does or doesn’t work.

Twitter Yet Again Takes A Dirt Nap… But That’s Not The Worst Thing That’s Happened On Twitter In The Last Day

Posted in Commentary with tags on February 18, 2023 by itnerd

Outages at Twitter are clearly becoming more and more frequent. Besides this outage and this one during the Super Bowl as well as this one last week, we have another one today as documented by Down Detector:

This highlights the fact that Twitter is extremely unstable and Elon Musk is unwilling, or more likely unable, to rectify the situation. Thus you should fully expect these sorts of outages to become the norm. And Elon’s life to become more difficult.

Having said that, this was not the worst thing to happen to Twitter users in the last 24 hours. This was:

Twitter Blue subscribers will be the platform’s only users able to use text messages as a two-factor authentication method, Twitter announced Friday

The change will take place on March 20. Twitter users will have two other ways to authenticate their Twitter log-ins at no cost: an authentication mobile app and a security key. 

Two factor authentication, or 2FA, requires users to type in their password and then enter a code or security key to access their accounts. It is one of the primary methods for users to keep their Twitter account secure. 

“While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors,” the company said in a blog post Friday. “So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”

To be frank, that’s likely BS. What is more likely to be true is that Elon is trying to find new ways to force people to sign up to Twitter Blue, seeing as next to nobody has subscribed. Making a security feature something that you have to pay for is incredibly cynical. But it shows how desperate Elon is for cash.

By the way, there’s also this:

Twitter said non-subscribers will have 30 days to disable the text method and enroll in another way to sign in using 2FA. Disabling text message 2FA won’t automatically disassociate the user’s phone number from their account, Twitter said.

To borrow an Among Us phrase, that sounds a bit “sus”. Twitter got into serious trouble prior to Elon taking over for using phone numbers collected for 2FA for purposes other than 2FA. If Elon is even considering going down that road again, I am 99% sure that it will end badly for him. But I guess we’ll see what he’s up to. And whether the blowback from this will force him into yet another u-turn.

GoDaddy Gets Pwned…. Again…. And This Time It’s Really Bad

Posted in Commentary with tags , on February 18, 2023 by itnerd

GoDaddy is saying that it suffered a data breach in which unknown attackers stole source code and installed malware on its servers. GoDaddy discovered the breach in early December of 2022 after customers reported that their websites were being intermittently redirected to other domains, but apparently the attackers had access to the network for multiple years. Which of course is bad. Very bad.

What’s worse is that by my count, this is the third time that GoDaddy has been pwned. The first was in 2020, the next one was a year later, and now this one. If I were a GoDaddy customer, I’d be very concerned.

Brad Hong, Customer Success Lead at Horizon3ai had this to say:

   “Beyond all the buzzwords in the breach notification, at the core, the attackers didn’t “hack” their way into GoDaddy, but rather used known compromised credentials to log in and leave vectors for reentry.

   “Supply chain management has gotten immensely more complex as any company providing any service to any internet user, especially with the increasing use of infrastructures-as-a-service, is now a part of this often omitted evaluation. This includes web hosts like GoDaddy and WordPress and picking vendors based on their security efforts, usually out of expertise for the layman.

   “This supposed multi-year advanced persistent threat actor group remained undetected for so long following remediation and mitigation measures from GoDaddy’s numerous past data breach incidents. Was it that this APT Group was that skilled or that GoDaddy’s security is that bad?

    “The call for Federal-level legislation comes from a place of frustration from the consumer-level as virtually no persons are now untouched by data breaches and the pressure continues to build in an already whistling kettle of company apologies.

   “Companies collect, digest, and even sell our data as data custodians, right up until they lose it and with little incentive or punishment for improvement, or lack thereof, consumers are going to continue to see more incidents like this and the impact will only get worse.

   “As standard, GoDaddy pushed the onus for action right back to its consumers, advising them to audit their own websites and trust GoDaddy’s security team after trust was broken, all while offering them free “Website Security Deluxe and Express Malware Removal” services instead of fortifying their own kingdom time and time again. Maybe they should’ve used it themselves?

   “Every organization takes on the responsibility of serving as a protector of data when a person does business with them and as such should continuously be validating their security controls and tools through testing, from every perspective and blast radius, and ensure blue teams are not at max capacity just playing whack-a-mole but making valiant strides to future-proof the security stack.”

I think the message here is clear. If you’re a GoDaddy customer, I would strongly consider hosting with another provider. Clearly GoDaddy has security issues that they can’t fix, and they’re leaving it to their customers to keep themselves safe. Which is a #fail all day and every day.
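Whichever host you end up on, the audit GoDaddy is telling its customers to do can at least be partly automated. Here is an added example, my own code and not anything GoDaddy or Horizon3 published, that checks the symptom customers reported: it fetches a site repeatedly without following redirects, so the first hop the server sends is visible, and flags any HTTP redirect that leaves the domains you control. Because the redirects were intermittent, a single fetch proves nothing, which is why it works on a list of samples. The site name, allowed hosts and the five sample responses are constructed for illustration.

```python
import http.client
from typing import List, Optional, Set, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def redirect_target_host(base_url: str, status: int, location: Optional[str]) -> Optional[str]:
    """Host a browser would be sent to by this response, or None if it is not an HTTP redirect.
    Relative Location headers are resolved against the page that was requested."""
    if status not in REDIRECT_STATUSES or not location:
        return None
    return urlsplit(urljoin(base_url, location)).hostname


def is_expected_host(host: str, allowed_hosts: Set[str]) -> bool:
    """True if host is one of the allowed domains or a subdomain of one (not a lookalike suffix)."""
    h = host.lower().rstrip(".")
    return any(h == a or h.endswith("." + a) for a in allowed_hosts)


def audit_samples(base_url: str, samples: List[Tuple[int, Optional[str]]],
                  allowed_hosts: Set[str]) -> List[Tuple[int, int, str]]:
    """samples: (status, Location) pairs from repeated fetches of base_url.
    Returns (sample index, status, target host) for every redirect off the allowed domains."""
    suspicious = []
    for i, (status, location) in enumerate(samples):
        host = redirect_target_host(base_url, status, location)
        if host is not None and not is_expected_host(host, allowed_hosts):
            suspicious.append((i, status, host))
    return suspicious


def fetch_once(url: str, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """One GET with redirects NOT followed, so the first hop the server sends is what we record."""
    p = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=timeout)
    path = p.path or "/"
    if p.query:
        path += "?" + p.query
    conn.request("GET", path, headers={"User-Agent": "redirect-audit/1.0"})
    resp = conn.getresponse()
    status, location = resp.status, resp.getheader("Location")
    resp.read()
    conn.close()
    return status, location


# Constructed responses standing in for five fetches of the same page spread over a few hours;
# sample 3 is the kind of off-domain hop that would indicate tampering on the host.
EXAMPLE_BASE = "https://example-shop.com/"
EXAMPLE_ALLOWED = {"example-shop.com"}
EXAMPLE_SAMPLES = [
    (200, None),
    (301, "https://www.example-shop.com/"),
    (302, "/account/login"),
    (302, "http://cheap-meds.example.net/offer?src=gd"),
    (200, None),
]

if __name__ == "__main__":
    import sys
    import time
    if len(sys.argv) > 2:  # usage: audit.py https://your-site.example/ your-site.example [more hosts]
        url, allowed = sys.argv[1], set(sys.argv[2:])
        samples = []
        for _ in range(5):
            samples.append(fetch_once(url))
            time.sleep(2)
    else:
        url, allowed, samples = EXAMPLE_BASE, EXAMPLE_ALLOWED, EXAMPLE_SAMPLES
    for i, status, host in audit_samples(url, samples, allowed):
        print(f"sample {i}: HTTP {status} redirects off-domain to {host}")
```

Run it from several networks and at several times of day, since malware on a shared host can key redirects off the visitor’s user agent, referrer or geography. It only sees HTTP-level redirects; a hop done with a meta refresh tag or injected JavaScript needs the response body compared against a known-good copy of the page, which is the other half of the audit.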

Supply Chain Attack Costs $250 Million

Posted in Commentary with tags on February 17, 2023 by itnerd

Applied Materials is saying that a breach at one of its suppliers will cost it $250 million in sales in the second quarter:

In the second quarter of fiscal 2023, Applied expects net sales to be approximately $6.40 billion, plus or minus $400 million, which includes ongoing supply chain challenges and a negative estimated impact of $250 million dollars related to a cybersecurity event recently announced by one of our suppliers. Non-GAAP adjusted diluted EPS is expected to be in the range of $1.66 to $2.02.

A clue was dropped in the earnings call:

“Very recently, one of our major suppliers encountered a disruption that will impact our second-quarter shipments,”

Though not named in the announcement, the supplier is believed to be MKS Instruments of Andover, MA. MKS Instruments was hit by a cyber-attack on February 3rd. The attack caused the company to shut down operations at certain facilities while it assesses the damage. The company’s website was still down as of Thursday afternoon. The company has had to reschedule its fourth quarter earnings call and said the ransomware event had a material impact on its “ability to process orders, ship products and provide service to customers” in its vacuum and photonics divisions.

Here’s the connection between the two. In addition to Applied Materials, MKS supplies the world’s largest chip manufacturers, including Samsung Electronics and Taiwan Semiconductor Manufacturing Co., the two largest chip makers in the world. Intel and ASML Holding NV are also customers. Meaning that this is very, very bad for a whole lot of people.

Ted Miracco, CEO, Approov:

   “The semiconductor supply chain remains one of the most complicated and most critical supply chains that underpin the entire global economy. As we witnessed last year, interruptions in the semiconductor market can have long term consequences that impact everything from automobiles to the price of food. 

   “With the ongoing “Chip War” between the US and China, we should expect more disruptions like this in the future, and quarterly earnings should be the least of our concerns. These attacks on the semiconductor supply chain deserve a lot more attention than the latest balloon incidents.”


Monti Knode, Director of Customer Success, Horizon3.ai:   

   “It’s interesting that MKS called out “had a material impact”, almost like they had to announce and clarify that a cyberspace attack could and did have a tangible outcome. We’re seeing this realization more in both public and private industry, especially in our Department of Defense which viewed as cross-domain operations; Russia has been doing this for years, and now the world is seeing it live in Ukraine and even here in the US (ref https://www.mirror.co.uk/news/us-news/breaking-russian-hackers-target-hospitals-29053567).

   “The days of presuming this to be an IT or cybersecurity problem are long gone.”

This is a clear example of what a supply chain attack can do to you if you and your partners aren’t careful. Thus you and those you work with have to make sure you’re on the same page from a cybersecurity standpoint. Otherwise, this is the sort of thing that can happen to you.

In An Attempt To Bolster Ad Revenues, Elon Musk Allows Weed Ads Onto Twitter

Posted in Commentary with tags on February 17, 2023 by itnerd

The desperation is strong with Elon Musk.

I say that because Twitter, who really needs money from advertisers is now allowing cannabis ads onto the platform:

The company previously only allowed ads for hemp-derived CBD (Cannabidiol) topical products, while rival platforms Facebook, Instagram, and TikTok hold fast to a “no cannabis advertising policy” since marijuana is illegal at the federal level.

A nationwide push toward allowing the sale of recreational cannabis has been ongoing. As of January 2023, 31 states and the District of Columbia have decriminalized low-level marijuana possession offenses, and recreational weed is legal in 21 states, D.C., and Guam.

“As the cannabis industry has expanded, so too has the conversation on Twitter,” the company says. “In certain US states we have taken measures to relax our Cannabis Ads policy to create more opportunities for responsible cannabis marketing—the largest step forward by any social media platform.”

Moving forward, Twitter will allow advertisers to promote brand preference and informational cannabis-related content for CBD, THC (Tetrahydrocannabinol), and cannabis-related products and services. Some restrictions do apply: Advertisers must be licensed and pre-authorized, and may only target customers over the age of 21 in certain jurisdictions.

I guess when about half your advertisers have stopped advertising on your platform, you’ll take money from any source that will give it to you. Now to be clear, I am not saying that cannabis is bad or anything like that. What I am saying is that if every other social media platform doesn’t allow this product to be advertised, there must be a logical reason behind that. And Elon is so desperate for cash that he’s clearly ignoring whatever logical reason might exist for restricting cannabis advertising on Twitter. Thus, besides Elon’s Tweets flooding your Twitter feed, I fully expect weed ads to flood it as well.

Groovy.

Belgium Introduces National Legal Vulnerability Disclosure Framework & Policies

Posted in Commentary with tags , on February 17, 2023 by itnerd

The Centre for Cyber Security Belgium has just enacted nation-wide vulnerability disclosure policies and a reporting framework, including several obligations for security researchers such as:

a) You must limit yourself strictly to the facts necessary to report a vulnerability – you must not act beyond what is necessary and proportionate to verify the existence of a vulnerability

b) You must act without fraudulent intent or design to harm

c) As soon as possible after the discovery of the potential vulnerability, you must inform the organization responsible for the system, process or control of the vulnerability

You can read the announcement here, and the policy here.

Chloe Messdaghi, Managing Director at Impactive Partners had this comment:

   “Belgium is offering a good example of where every country needs to be with their vulnerability disclosure policies. Unfortunately, the US is still piecing together our VDP legal framework, although in 2022, the DOJ revised its policies under the Computer Fraud and Abuse Act (CFAA) to help protect “good-faith” security research from being prosecuted, and the US Army actively encourages researchers to participate in its VDP.

   “With cyber threats growing exponentially over the last several years, it’s past time to actually require that certain types and sizes of organizations across the US – and especially including all Federal agencies and NGOs – have robust protective, active vulnerability disclosure policies.  VDPs have been viewed by security-aware organizations as must-have for many years. The thing to remember is that EVERYONE in both the public and private sector is now a target, and virtually everyone has exploitable, exposed assets they need to find and fix before a threat actor finds them – this is why we need VDPs. 

   “Remember back in 2021 when the UN disclosed a data breach exposing over 100K UNEP records? We applauded Sakura Samurai’s team – what they did was worthy of it! This was successful because the UN’s vulnerability disclosure policy was transparent – that’s why they decided to look for the vulnerabilities. There was a sense of trust that they would be recognized, not persecuted. This was a great example of how vulnerability disclosure policies work, and underscored the value of working closely with independent researchers, i.e., hackers.”

Christopher Vaughan, VP, Technical Account Management at Tanium follows up with this comment:  

“This is a welcomed development and having such laws in place will make Belgium a more secure country as a whole.  Further, it will help position Belgium as a go-to destination for security research with a corresponding benefit of cultivating a greater number of homegrown talent.   

“We can also expect to see some ambiguity around what’s considered legal and not.  There isn’t a huge sample size of where policies such as this have been enacted on a national level, so it will be interesting to see a program of this scale in action.”

I really like the fact that Belgium is doing this and I hope that other countries will do something similar as actions like this will make us all safer.

Targus Releases New Global Study To Find Out How People can Empower Their Lives Inside And Outside Of Work

Posted in Commentary with tags on February 16, 2023 by itnerd

Targus has released the results of its annual 2023 Global Workplace Study, which examines the key factors, tools, and trends that are important for improving employee wellbeing, engagement, and productivity.  

According to the survey among 1,000 senior business decision makers and 6,000 workers across North America and Europe, the top three wellbeing priorities are: flexible working (47 percent), rewards and recognition (43 percent), and cost of living support (40 percent). In fact, 88 percent of business decision makers globally agree that flexible working positively impacts their staff retention and recruitment, an 11-point increase from 2021.  

Here are some of the study’s key findings:

  • Flexible and hybrid working remains the norm, with 58 percent of respondents in the U.S. stating that they do not work from an office full time and 51 percent stating that they only work in an office between two and four days per week.
  • Having the right tools to work from anywhere is extremely important. Specifically, 80 percent of U.S. workers and 82 percent globally believe their job satisfaction and productivity would be negatively impacted without the right tech accessories to do their work. However, many businesses supporting flexible working conditions do not supply their employees with the tech accessories they need to work well remotely, such as a keyboard, mouse, headphones, additional monitor(s), and hub. An annual budget to purchase accessories ranked in the top five ways to enhance wellbeing at work.
  • Businesses and consumers increasingly prioritize sustainability, with more than 53 percent of global respondents stating that sustainable attributes influence their purchasing considerations for tech accessories. In the U.S. alone, 62 percent of people say they are happy to pay more for sustainable products that last longer, and 72 percent say they buy fewer fast fashion products and invest in long-lasting products.

Read the complete 2023 Global Workplace Study for more valuable insights on the state of the workplace.

Emsisoft Says Hackers Are Spoofing Its Certificates

Posted in Commentary with tags on February 16, 2023 by itnerd

Hackers are using fake code-signing certificates impersonating cybersecurity firm Emsisoft to target customers using its security products, hoping to bypass their defenses:

We recently observed an incident in which a fake code-signing certificate supposedly belonging to Emsisoft was used in an attempt to obfuscate a targeted attack against one of our customers. The organization in question used our products and the attacker’s aim was to get that organization to allow an application the threat actor installed and intended to use by making its detection appear to be a false-positive.

The attack failed – our product detected and blocked it – but we are issuing this alert so that both our customers and users of other companies’ products are aware of the tactics that were used in this case. 

Kevin Bocek, VP Ecosystem and Community at Venafi had this to say:

“Spoofing has been an issue for companies for a long time, but more commonly associated with website spoofing linked to phishing – so it’s interesting that the same ‘change one letter’ approach is being applied to code signing machine identities. The fact that we’re seeing threat actors impersonating companies with fake code-signing certificates is a sign of the times, as we are increasingly seeing threat actors targeting machine identities, due to the level of trust they have within the network. Threat actors understand that being granted trusted access to a company’s system via fake machine identities is akin to being ushered through the digital front door. In this instance the spoofed identity was detected and flagged, but it could easily have been overlooked.

“The continued adoption of cloud native technologies is creating huge levels of complexity around machine identity management, it’s harder than ever for teams to make decisions on what can and can’t be trusted to run – especially given the speed of development environments. With the number of machine identities across an organization growing exponentially, organizations need a control plane to automate the management of machine identities. This provides teams with the observability, consistency and reliability needed to effectively manage their machine identities and spot any bad actors from trying to spoof their way in.”

This is yet another thing to keep an eye out for, as the attack surface that threat actors use is clearly evolving. The practical takeaway is that a “signed” status on a binary only tells you that somebody signed it. What you need to know before you whitelist it or dismiss an alert as a false positive is whether the signing certificate chains to a CA you trust and was issued to the publisher you expect, not merely to a name that looks like them.
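To make that concrete, here is an added example of the decision logic, my own illustration rather than anything from Emsisoft or Venafi, for a publisher allowlist that pins trusted signers to specific certificate thumbprints and treats an exact or near match of a trusted name on an unpinned certificate as a spoof attempt, which covers the “change one letter” trick Bocek describes as well as a copied name on a self-issued certificate. The thumbprint is constructed (a hash of a placeholder string, not Emsisoft’s real certificate) and the confusables table is a small sample, not the full Unicode list.

```python
import hashlib
import unicodedata
from typing import Dict, Optional, Set, Tuple

# Allowlist keyed by the exact publisher name on the signing certificate, pinned to the SHA-256
# thumbprints of the certificates that publisher actually signs with. The thumbprint below is
# CONSTRUCTED for this example; pin real ones taken from binaries you obtained from the vendor.
PINNED_EXAMPLE_THUMBPRINT = hashlib.sha256(b"placeholder DER bytes for the example").hexdigest()
TRUSTED_SIGNERS: Dict[str, Set[str]] = {
    "Emsisoft Ltd": {PINNED_EXAMPLE_THUMBPRINT},
}

# Characters routinely swapped into lookalike names: digits for letters, and Cyrillic letters
# that render identically to Latin ones (a small sample of the Unicode confusables list).
CONFUSABLES = {
    "0": "o", "1": "l", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0442": "t",
}


def normalize_name(name: str) -> str:
    """Fold case, Unicode compatibility forms and known confusables so lookalikes collide."""
    folded = unicodedata.normalize("NFKC", name).casefold().strip()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches the one-character edits used in spoofed names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_signer(subject_cn: str, thumbprint_sha256: str,
                  max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Decide what to make of a signed binary's publisher. Returns one of:
      ("trusted", name)        exact trusted name AND a pinned thumbprint
      ("spoof_suspect", name)  name is, or closely resembles, a trusted publisher but the
                               certificate is not one we pinned: treat as hostile, never as a
                               false positive to be waved through
      ("unknown", None)        some other publisher; apply your normal policy
    """
    tp = thumbprint_sha256.lower()
    for trusted, pins in TRUSTED_SIGNERS.items():
        if subject_cn == trusted and tp in pins:
            return "trusted", trusted
    norm = normalize_name(subject_cn)
    for trusted in TRUSTED_SIGNERS:
        if edit_distance(norm, normalize_name(trusted)) <= max_distance:
            return "spoof_suspect", trusted
    return "unknown", None


if __name__ == "__main__":
    for cn, tp in [("Emsisoft Ltd", PINNED_EXAMPLE_THUMBPRINT),
                   ("Emsisoft Ltd", "00" * 32),
                   ("Emsis0ft Ltd", "00" * 32),
                   ("Emsis\u043eft Ltd", "00" * 32),
                   ("Contoso Software", "00" * 32)]:
        print(repr(cn), "->", assess_signer(cn, tp))
```

The order of the checks is the point: the name alone never grants trust, only the pinned thumbprint does, and a correct-looking name without it is the strongest signal that something is being impersonated. On Windows the signer and thumbprint of a file can be read with PowerShell’s Get-AuthenticodeSignature; note that it reports a SHA-1 thumbprint by default, so the allowlist must use whichever hash you actually pin. Pins also need rotating when the vendor renews its certificate, which is a maintenance cost but a far smaller one than trusting a name.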