Okta Pwned…. Source Code Stolen

Posted in Commentary with tags on December 22, 2022 by itnerd

Bleeping Computer is reporting that threat actors have managed to hack into Okta’s private GitHub repositories and swipe source code:

BleepingComputer has obtained a ‘confidential’ security incident notification that Okta has been emailing to its ‘security contacts’ as of a few hours ago. We have confirmed that multiple sources, including IT admins, have been receiving this email notification.

Earlier this month, GitHub alerted Okta of suspicious access to Okta’s code repositories, states the notification.

“Upon investigation, we have concluded that such access was used to copy Okta code repositories,” writes David Bradbury, the company’s Chief Security Officer (CSO) in the email.

Despite stealing Okta’s source code, attackers did not gain unauthorized access to the Okta service or customer data, says the company. Okta’s “HIPAA, FedRAMP or DoD customers” remain unaffected as the company “does not rely on the confidentiality of its source code as a means to secure its services.” As such, no customer action is needed.

At the time of writing our report, the incident appears to be relevant to Okta Workforce Identity Cloud (WIC) code repositories, but not Auth0 Customer Identity Cloud product, given the email wording.

Well, given that Okta provides authentication services and Identity and Access Management services to major companies around the world, this isn’t good. Neither is the fact that this isn’t the first time that Okta has been pwned. Craig Burland, CISO of Inversion6 had this to say:

This continues an awful year for Okta in terms of cybersecurity, adding to high-profile issues in March and September.  While these events appear to be disconnected, it seems possible that the breaches could be part of a larger event, foreshadowing a significant supply chain attack for organizations reliant upon Okta for identity and access services.

As an Okta customer, I would be worried about three things: 1) Is there a fundamental problem with how Okta is managing their environments?  2) Has the Okta platform been somehow compromised that would threaten my operation?  3) What, if anything, can I do quickly to minimize or mitigate the risk to my organization?

How Okta responds to this event and reassures its customers will set the tone for 2023 and may be telling about Okta’s future as the premier provider in this space.

At this point, seeing as Okta can’t secure itself, you have to wonder if they can secure their customers. Because I am questioning that at this very moment.

Leave a comment »

Guest Post: Cybersquatting cases reach record highs in 2022

Posted in Commentary with tags on December 22, 2022 by itnerd

Domain names help us navigate the vastness of the world wide web and find the information and services we are looking for. However, malicious actors abuse the importance of domain names by registering ones that are identical or similar to existing trademarks, company names, or personal names, hoping to profit from the confusion. It is called cybersquatting.

According to the data presented by the Atlas VPN team based on the information provided by the World Intellectual Property Organization (WIPO), cybersquatting cases reached record highs in 2022.

In total, 5,616 cybersquatting disputes were filed to the WIPO this year — nearly a 10% rise from 2021.

If we look at the historic numbers of cybersquatting complaints, they have been steadily growing over the past six years. Compared to 2000, cybersquatting disputes have risen by a whopping 202%. 

In total, 61,284 cybersquatting complaints have been filed to WIPO from 2000 till now.

After registering the look-alike domain names, cybersquatters may attempt to sell them to the trademarks they are copying or use similarities in domain names to attract traffic to their own website. Among the latter are those that use domains to lure victims into phishing attacks.

To read the full article, head over to: https://atlasvpn.com/blog/cybersquatting-cases-reach-record-highs-in-2022

Leave a comment »

ASUS Slips Out A New Firmware For The ZenWiFi XT8 Four Days Before Christmas….. That’s Odd

Posted in Commentary with tags on December 21, 2022 by itnerd

I got pinged by a reader while I was dealing with a client this morning. I couldn’t look into it then, but when I got home I did. When I logged into my ZenWifi XT8 mesh WiFi system I say that an update was available. I clicked on it and saw this:

I also checked the ASUS website and didn’t see anything on this firmware. That was odd because ASUS usually updates the website with new firmware releases pretty quickly. Unless this slipped out by accident which I have seen a couple of times. In that case, ASUS usually releases a newer firmware to replace it. The other theory that I have is that ASUS felt that they had to roll out this firmware four days before Christmas because this firmware fix couldn’t wait until after the holidays. I point that out because companies don’t typically roll out stuff like this a week or two before Christmas due to not having staff on hand to answer phone calls or fix something if it goes off the rails. Making this an unusual release.

Since I have told you not to upgrade in the past due to serious issues with their firmware, as well as telling you when it was safe to upgrade, I decided to install it and report back to you my early impressions. And I also will follow up with you in a week’s time with longer term impressions. My upgrade process for ASUS routers is as follows:

  • Log into the router using a computer and a web browser
  • Backup the configuration using these instructions
  • Update the firmware.
  • After updating I do a factory reset of the router using these instructions
  • Using a computer and a web browser, connect to the router and using the advanced options in the setup wizard, upload the backup of the configuration that I saved in the first step.

I do this because I have found that simply upgrading to the latest ASUS firmware can create problems. For example, one firmware upgrade broke HomeKit for almost a day until I figured out that doing factory reset it followed by setting it up from scratch was the fastest and best way to resolve the issue. Since then, this has been my upgrade process and it has never failed me.

After walking through those steps I was back online and I started doing some testing. Right away I noticed that TimeMachine backups were way faster from all the Macs in the home. I also noted that when I had to do a VPN connection to fix something for a client, that was way faster as well. The reason why I put the words “way faster” in bold is because it was truly much faster than what I had been used to. I tried to run Speed Tests from my iPhone 14 Pro and didn’t find a difference in terms of WiFi speed. So my best guess is that besides what little is in the release notes, ASUS must have done something to make device to router connections faster. Other than that, I have noted no stability issues like I have seen previously. Nor have I noted any other improvements.

I’ll be running this for about a week and I will report back as it takes about that long before any serious issues become apparent. Also, if release notes do appear, I’ll be sure to link them here.

UPDATE 12/22/2022: ASUS just posted release notes for this firmware update on their website. It has more details than the screenshot above:

So these release notes explained why I am seeing the better VPN performance. But it doesn’t explain the improved WiFi performance that I am seeing. In terms of my observations, it’s the same as what I reported above. It seem stable and reliable thus far.

UPDATE #2: I have an update on this firmware here.

1 Comment »

The Guardian Newspaper Appears To Have Been Pwned By Ransomware

Posted in Commentary with tags on December 21, 2022 by itnerd

This must be a weird experience. The Guardian which is one of the U.K.’s biggest newspapers is reporting that they have been likely pwned by ransomware:

The Guardian has been hit by a serious IT incident, which is believed to be a ransomware attack.

The incident began late on Tuesday night and has affected parts of the company’s technology infrastructure, with staff told to work from home.

There has also been some disruption to behind-the-scenes services.

Online publishing is largely unaffected, with stories continuing to be written and published to the Guardian website and app.

The company said it was confident it could still produce Thursday’s print newspaper.

At least they are reporting about their own issues and not hiding anything from what I can tell. That’s better than most companies who don’t come anywhere near that level of transparency.

Dr. Darren Williams, CEO and Founder of BlackFog had this commentary:

     “As we head into the holiday season and people start to take well-deserved time off, an increase in cyberattacks is unfortunately expected. Cybercriminals certainly don’t take a break over the holiday season, as is evident by today’s news about the Guardian. While there are many unknowns about the suspected ransomware attack on the Guardian, we can be confident that data exfiltration was the motive for the attackers. While we are glad to hear the publishers will continue to operate and publish the paper in the run up to the holidays, it’s the aftermath of the cyberattack that is cause for concern. With virtually all new attacks focusing on data exfiltration to extract valuable data for extortion, the damage is often unknown for quite some time. We may be well into the New Year before we know the extent of the fallout.”

It will be interesting to see if that transparency continues and The Guardian tells the world how it was hit and how extensive the pwnage was. Stay tuned to this space.

Leave a comment »

Review: RollingSquare InCharge XL

Posted in Products with tags on December 21, 2022 by itnerd

Fun fact: Before the world started ending, I carried around a small arsenal of cables whenever I travelled or went to see clients. Besides an HDMI cable and a Ethernet cable, I had these in my tech travel bag.

From left to right I have:

  • A USB-A to MicroUSB cable
  • A USB-A to MiniUSB cable
  • A Nomad USB-A to USB-C/MicroUSB/Lightning cable
  • A Native Union USB-A to Lightning cable
  • An Anker USB-C to Lightning cable

On top of that, I also had a USB-C to USB-A adapter, and USB-A to USB-A flexible extension. My rationale for carrying all this stuff was that I never knew when I would need to use a specific cable. Thus I wanted to be ready for any eventuality. Which is to be frank overthinking what I need to carry. Now that travel is opening up again, I am rethinking this and I am moving towards having fewer cables in my tech travel bag. And the best way to do that is to go with this:

What you see here is what comes in the box of the RollingSquare InCharge XL. Staring at the top you get a carrying case, then from the left you get an extra Lightning and MicroUSB connector, the middle has a desk organizer to keep the cable handy on your desk. And finally you get the cable itself which has the following ends on it:

  • Computer end: USB-A and USB-C
  • Device end: USB-C, Lightning, MicroUSB

Here’s what that looks like:

For the record, the Lightning end also doubles as a MicroUSB connector. There’s also a cap to cover up the ends of the cable.

It comes in 1 foot, 6.5 foot and ten foot lengths. Plus there’s a choice of colours. I went with black in my case. It is not only rated for 100W charging which is good for a notebook, but it will do 18W fast charging for those of you on team iPhone. The ends snap together with magnets like this for easy storage:

If all this sounds familiar, it should. This is basically the big brother to the InCharge X that I reviewed a few months ago. Right down to the aramid fibre woven cable that is used. Testing it over the last few days brought me to the conclusion that it will perform no differently than the InCharge X. And my only concern is if it will be prone to scratches like the InCharge X is as it looks to be using the same paint as the InCharge X which isn’t that durable. I guess time will tell on that front. Having said that, one thing that I like with the InCharge XL is the fact that cap is attached to the cable. Which means your odds of losing it are pretty much zero. RollingSquare should consider bringing that feature to the InCharge X.

I got two of them in the 6.5 foot length so that I can make sure that I needed two cables for two different use cases, I have them on hand. All the cables that I had in the picture are now in my cable drawer. That should make life easier when I travel or go to see clients. Prices for the InCharge XL are as follows:

  • 1 foot: $29 USD
  • 6.5 foot: $35 USD
  • ten foot: $39 USD

If you’re always in need of different types of USB cables, the InCharge XL is a great way to cut down on the number of cables that you need to carry, but still have the cables that you need on hand. I’d check them out if you fit that use case.

Leave a comment »

Review: RollingSquare InCharge Mini

Posted in Products with tags on December 21, 2022 by itnerd

In the interest of providing a last minute stocking stuffer suggestion, I have one in the form of the RollingSquare InCharge Mini. It gives you a charging cable on your keychain. Now some of you who read this blog are going to say, didn’t you review another RollingSquare product that does the same thing? The answer is yes. That would be The InCharge X. But there are two different use cases for them. In the case of the InCharge X, that gives you any cable type that you need on your keychain. As in:

  • From the computer’s end: USB-A and USB-C
  • From the device’s end: USB-C, Lightning, MicroUSB

But the InCharge Mini gives you a single cable to stick on your keychain. Your choices are:

  • USB-A to USB-C
  • USB-C to USB-C
  • USB-A to Ligthning
  • USB-C to Lightning

So if you have a device, say an iPhone, and you never plan on using any other device, this is perfect for you as an emergency cable to charge it or connect it to a computer. Let’s have a look at what comes with the package:

Besides a keyring, you get the InCharge Mini. In my case, it’s USB-A to USB-C. It snaps together using a magnet so that it doesn’t fall off your keychain. And the cable is woven which will make it durable. The Lightning variants are MFi certified as well as they are good for data and power. In short, this is a great “just in case” cable that you can have on you at all times. One plus is that this appears to be anodized. Which implies that it will survive better in your pocket and not get scratched up like the InCharge X did when I tested that.

At $19 USD, it is a great stocking stuffer. Thus if you know what device someone has, you might want to pick one up as it is great for emergency use or for travel.

1 Comment »

Elon Musk Could Be In BIG Trouble As The FTC Shows Up On His Doorstep… And That May Not Be The End Of His Troubles…

Posted in Commentary with tags on December 21, 2022 by itnerd

I’ve been saying for a while that it’s only a matter of time until Elon has some government or government agency on his doorstep with the intent on making his life miserable in terms of the stupid stuff that he’s done with Twitter. I always assumed that it would be the European Union as they tend to be first to act on stuff like this. But it looks like the Federal Trade Commission, who has had issues with Twitter before, have beat them to the punch:

The US Federal Trade Commission is deepening an investigation it opened this fall into Twitter Inc.’s privacy and data security practices in the wake of the company’s takeover by billionaire Elon Musk, according to people familiar with the matter.

FTC lawyers questioned two former senior executives in the past month about whether Twitter has been able to comply with the agency’s 2011 consent order since Musk took over, said three people familiar with the matter, who asked not to be named discussing a confidential investigation. Musk’s Oct. 27 acquisition led to an exodus of many of the social media company’s legal, privacy and compliance executives, prompting the wider investigation.

The FTC had already opened a new inquiry into Twitter after the company’s former chief cybersecurity officer, Peiter Zatko, filed a whistle-blower complaint, said the people. Zatko testified before Congress in September, alleging the platform was a “ticking bomb of security vulnerabilities.”

And:

FTC lawyers have interrogated two former top Twitter executives in the past month – Damien Kieran, the former chief privacy officer, and Lea Kissner, the most senior cybersecurity officer, the people said. Kieran and Kissner both quit Twitter Nov. 10, alongside the head of compliance. 

The probe marks at least the third time the FTC has scrutinized the social media platform over its privacy and data security practices. The review could lead to millions of dollars in fines and a new FTC order imposing obligations on Musk himself that would apply across his companies and remain in effect even if he steps down as chief executive officer or leaves Twitter.

“Why has Bloomberg News been asleep at the switch regarding government censorship of social media?” Musk said in response to an email seeking comment about the FTC investigation.

An FTC spokesman declined to comment. The agency said in a November statement that it’s tracking recent developments at Twitter with “deep concern.”

“No CEO or company is above the law, and companies must follow our consent decrees,” FTC spokesman Douglas Farrar said at the time. “Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”

Honestly, the FTC are the last people you want to get the attention of. Because they are the type of agency that won’t stop until they get you for something. Thus Elon is better of shutting up rather than running his mouth. Though he’s not capable of shutting up so this will end badly for him. Very badly for this reason:

Twitter paid a $150 million fine in May for violating its 2011 consent decree by misusing phone numbers that users uploaded for security purposes to instead target them with advertising. That settlement extended the FTC’s oversight of Twitter through at least 2042.

If the FTC finds something this time around, that fine of $150 million could be significantly higher. And Elon will have to pay. Plus it will likely encourage other governments and government agencies to come after him. Thus deepening his issues.

No wonder he’s looking for a CEO to replace him:

The billionaire posted an informal poll Sunday asking Twitter users if he should step down as head of the company, and a majority of the 17 million respondents voted for Musk to leave his post. He said Sunday he would abide by the results of the poll.

Twitter polls are straw polls, which means they are not comparable to professional public opinion research. Malicious bots or inauthentic accounts may also be able to register a response to a Twitter poll.

Sources told Faber that Musk’s search for a new CEO has been ongoing and began before the Twitter poll was made.

Much as I figured, he was plotting to get out of dodge long before that poll of his surfaced. Which he lost. Illustrating why he simply cannot be taken at his word. The fact is he knows that he’s about to have the boom lowered on him and he wants someone else to take the hit. Plus he also wants a puppet CEO that he can control from behind the curtain so that that CEO takes the brunt of the public anger for Elon’s decision making. Of course that may become irrelevant if the FTC decides to smack Elon silly because of his poor decision making.

Though based on this, he may be looking to stay on as CEO of Twitter:

So let’s think about this. A poll that he created on his own platform is rigged against him by bots that he said he was going to get rid of? That’s beyond laughable at this point. Or put another way, his credibility is shot. Which is likely why he’s now claiming to be resigning as CEO of Twitter when he finds a replacement. I’m not holding my breath on that front.

But his troubles don’t end with his lack of credibility. Tesla’s stock is in free fall as you know. But a reader pointed out what happened to the stock yesterday:

An 8% drop in a day isn’t trivial. It’s horrific if you’re a Tesla investor. If you look over the entire year, this is what you see:

This stock is bleeding uncontrollably like a gunshot victim. Which makes you wonder at what point does the Tesla board of directors or shareholders, or both decide to punt Elon from the CEO’s position at Tesla? I mean the stock is down over 65% versus the start of the year in an age where even a small decline in the value of a stock or the profitability of a company can cost a CEO their job. This sort of performance from Tesla’s stock should have cost Elon the CEO spot a long time ago. Considering that politicians like Elizabeth Warren are poking around Tesla and how the board of directors do their jobs, it is possible that Elon may be in deep trouble on this front as well.

It sucks to be Elon. Not that I feel sorry for him or anything.

Leave a comment »

Elon Musk Now Says He Will Resign From Twitter…. This Still Seems A Bit “Sus” To Me

Posted in Commentary with tags on December 20, 2022 by itnerd

One hour ago, Elon Musk posted this on his Twitter account:

Let’s unpack this. First of all, he has to find someone “foolish enough to take the job”. While I am free to be surprised, I don’t know anyone who would be foolish enough to take that job. After all, Elon doesn’t mention anything about divesting himself in terms of his ownership of Twitter. Which means anyone who is foolish enough to take this job would just be Elon’s puppet. So don’t hold your breath in terms of a candidate stepping forward anytime soon. It also means that without a timetable of any sort, he’ll be CEO for weeks, months, or years.

Second, he’s still going to have control of the software and servers team. Seeing as Twitter is a platform that runs on software and servers that you connect to via a client, that means that Elon still has control over Twitter. He just won’t be the CEO which gives him plausible deniability for anything that happens to be bad at Twitter.

The fact is that this is meaningless and you should not be fooled. Elon is clearly trying to engineer a situation where he looks like he’s abiding by the results of this poll that he put on Sunday. But at the same time still have control over Twitter. It’s just smoke and mirrors. And I would like to think that we’re all wise to Elon’s games by now.

Nice try Elon.

1 Comment »

Elon Musk Says That Twitter Policy Polls Will Be Limited To Twitter Blue Subscribers…. Which Likely Means He’s Not Going Anywhere

Posted in Commentary with tags on December 20, 2022 by itnerd

I’m shocked by this. I am really shocked.

Well, actually I am not. I fully expected that Elon Musk who said he would abide by his poll that he’d exit the company if it went against him, which it did, would find a way to weasel his way out of doing so. And here’s why I think that this is the case:

He also made this comment about the poll being rigged by bots… Which for the record Elon pledged to eliminate:

And then there’s this:

This sounds like a threat to me. Like he might burn Twitter to the ground or something.

All of this doesn’t sound like someone who is done with Twitter yet. Though the pressure is mounting for him to go. He’s free to prove me wrong by heading to the exit. But I don’t think that’s going to happen.

Leave a comment »

Guest Post: Actual internet speed can be up to 3 times slower than advertised

Posted in Commentary with tags on December 20, 2022 by itnerd

Internet service providers (ISPs) often advertise internet speeds that are significantly higher than the actual speeds experienced by consumers.

According to the Atlas VPN team’s analyzed data, internet speed can be up to 3 times slower than advertised. As the numbers suggest, the faster internet packages are usually far from real speeds, while the slower internet plans are more true to what is advertised.

Internet packages up to 125 Mbps deliver the speeds ISPs advertise. Some people could reach even higher speeds than advertised in the plan.

The further we go, the actual speed goes further from what is advertised in the deal. The advertised 400 Mbps packages have a median tested speed of 256 Mbps.

The most significant difference is in premium plans that offer 940 Mpbs and up. The median tested speed of the advertised 1200 Mbps deal is only 360 Mpbs. That is a 70% contrast between what is offered by the ISPs and what internet users actually get.

Cybersecurity writer at Atlas VPN Vilius Kardelis shares his thoughts on the difference between advertised and actual internet speeds:

“There are many factors that can contribute to slower internet speeds than what is advertised by ISPs. While it can be frustrating, it is important to understand that there are limitations to internet technology and that speeds can vary depending on a variety of reasons.”

Why is that?

One of the main reasons for slower internet speeds is network congestion. When a large number of people are using the internet simultaneously, it can cause the network to become overloaded and lead to slower speeds.

Another reason is that internet speeds can be slowed down by hardware limitations on a user’s device. Furthermore, many ISPs have “fair usage policies” that limit the amount of bandwidth a user can consume at any given time.

To read the full article, head over to: https://atlasvpn.com/blog/actual-internet-speed-can-be-up-to-3-times-slower-than-advertised

Leave a comment »

« Older Entries
Newer Entries »