Sustainable Tech Gift Ideas For The Conscious Consumer From HP

Posted in Commentary with tags on October 28, 2022 by itnerd

Every year consumers are becoming more mindful of a gift’s journey they give to their loved ones, such as where the gifts are made, who they’re made by and what impact they have on the environment. This year, Canadians can take it one step further by purchasing gifts that are built with sustainability in mind and give back to the planet, too.

Listed below are a few gift ideas from HP for everyone on your list:

HP ENVY Inspire: For the family who is always on the go

Whether it’s printing a holiday recipe or making a festive craft, this versatile printer is designed for every kind of family fun. The HP ENVY Inspire delivers one-of-a-kind printing capabilities with custom two-sided printing and never lets you run out of ink with HP Instant Ink. This smart ink subscription automatically detects when your printer is running low and orders ink cartridges right to your door. The cartridges are smart for the planet too, as they require less packaging and fewer shipments – reducing energy usage by 69% and water usage by 70%.

Starting at $209.99

HP Laser Jet Pro: For the loved one with an entrepreneurial mind

Designed for small business owners, the HP LaserJet Pro Series printers have business-ready features that create a hassle-free printing experience and allow the entrepreneur in your life to focus on the things that matter most to their business. Combined with HP+, this secure and smart printing system is built with sustainability in mind, as for every page printed HP protects or restore forests through their Forest First initiative for the life of the printer.

Starting at $579.99

HP ENVY x360For the student in need of a laptop upgrade 

The HP ENVY x360 is a portable 2-in-1 laptop with a flexible 360 design, so the student in your life can level up both their work and creativity no matter where they are. As part of the world’s most sustainable PC portfolio, this ENERGY STAR certified laptop is also made with sustainable materials like ocean-bound plastics and recycled aluminum.

Starting at $1399.99

OMEN Gaming Laptop: For the gamer who is looking for a dynamic gaming experience 

HP’s OMEN Gaming Laptops are the perfect gift for the gamer who works hard and plays harder on your holiday list. This high-performance laptop brings a dynamic experience to gaming and is designed with ocean-bound plastics as well as recycled plastic and aluminum.

Starting at $1999.99

Leave a comment »

Elon Musk Gets Called Out By The EU Commissioner On Twitter…. This Might Be Fun To Watch

Posted in Commentary with tags on October 28, 2022 by itnerd

Elon Musk hasn’t owned Twitter for 24 hours yet and already he’s getting called out by people because of his takeover of the social media platform. A reader pointed me towards this interesting Tweet from European Commissioner Thierry Breton with a response from Musk:

One thing to point out is that earlier this year, Breton had reminded Musk that his free-speech focus on Twitter would be limited by the EU’s own content-moderation laws. Something that I suspect didn’t go over well with Musk. Breton then traveled to Texas in May where the two said there was “no disagreement” over their approach to content. Here’s proof of what came out of that meeting:

But here’s the headwind that Musk is facing. The EU’s Digital Services Act gives the EU the power enforce rules governing how tech companies moderate content and to decide when they must take down illegal content. If Twitter under Musk’s control doesn’t comply, Twitter will face fines of as much as 6% of annual sales and could even be banned. Which would be expensive for Musk as the EU is a huge market that Musk cannot simply decide to ignore. And the EU decided to remind Musk of this, via a Tweet:

Thus I suspect this might be the start of a fight between Musk and the EU once Musk starts to push his free speech at all costs agenda. And if he gets into a fight with the EU, he’ll lose. Just ask Google and Microsoft who fought the EU and lost.

This might be fun to watch.

Leave a comment »

Guest Post: Analysis of malware exploiting Android accessibility services

Posted in Commentary with tags on October 28, 2022 by itnerd

On Android and iOS, accessibility features are available to help people use their smartphones: audio comments, subtitles, custom display… Some mobile applications designed with an inclusive approach are compatible with accessibility services.

To enable these services in an application, it requires the accessibility permission. But this permission gives applications full access to the user’s device. Today, more and more cybercriminals are leveraging it to take control of smartphones and tablets. When this happens, users find themselves in a bind, unable to uninstall the app or even reset their device.

Recently, the Pradeo Security solution neutralized an application using Android accessibility services for malicious purposes on a protected device. The identified malware was installed through a phishing link. It pretends to be a QR code scanning application but actually exploits the accessibility permission to perform fraudulent banking transactions.

The risks of mobile accessibility services

An application can use the android.permission.BIND_ACCESSIBILITY_SERVICE permission in order to benefit from advanced features facilitating accessibility to users with disabilities. With this permission, an application can control the whole screen (clicks, moves…) as well as the keyboard, read what is displayed and close or open applications.

These features are sensitive because they enable the control of almost all layers of a device. When a malicious application is granted the accessibility permission, it can send all the information displayed on the screen and typed on the keyboard to a remote server, prevent its own removal or a system reset, and even launch itself automatically when the device is rebooted. Unfortunately, the distribution channels used by hackers such as unofficial application stores and messaging services (SMS) do not provide any protection against this threat.

Case study: QR-Code Scanner

Name of the analyzed app: QR-Code Scanner

Package name: com.square.boss

OS: Android

The “QR-Code Scanner” application appears as a QR code scanning application. Its icon and name are not suspicious. However, when launched, no QR code scanning functionality is offered.

Immediately, the application sends a notification that urges to grant the accessibility option, which is necessary for the execution of its attack. As long as the user does not allow it, it continuously sends the same permission request.

Once authorized, the malware can silently approve its own permission requests in place of the user. Thus, it grants itself all the permissions that will allow it to carry out its attack.

In this case, our analysis of the malware suggests that the goal of the hacker behind the application is to commit fraud, by collecting data that the user types or displays on his screen (login, password, credit card numbers …) and intercepting the temporary authentication code sent.

First, the QR-Code Scanner application accesses the list of applications installed on the victim’s device to gauge interest. When banking or e-commerce applications are used, there is a greater chance that banking data is manipulated by the user. When it happens, the hacker collects them.

To enter the victim’s account or make a payment with his credit card, the hacker intercepts the one-time password contained in an SMS or a notification. Hence, he bypasses all security measures that authenticate payments and connections using a code. Only verification protocols that use biometric data are safe at this point.

Finally, the application uses the victim’s phone to spread to other devices. To do this, it sends an SMS containing a phishing link to the entire contact list. This way, the message comes from a known number and has a better chance of convincing the recipients to install the malware.

Throughout the attack, the malware exploits accessibility services to:

  • Spy on users activity
  • Grant and prevent the rejection of the permissions it needs
  • Prevent removal of the application, either from the homepage or from the settings
  • Prevent factory reset, even from a third-party device
  • Prevent sleep or shutdown of its process
  • Launch at startup

The permissions used by the malware are the following:

android.permission.QUERY_ALL_PACKAGES

android.permission.QUICKBOOT_POWERON

android.permission.RECEIVE_LAUNCH_BROADCASTS

android.permission.GET_TASKS

android.permission.SYSTEM_ALERT_WINDOW

android.permission.RECEIVE_SMS

android.permission.READ_SMS

android.permission.WRITE_SMS

android.permission.SEND_SMS

android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

android.intent.action.BOOT_COMPLETED

com.htc.intent.action.QUICKBOOT_POWERON

android.intent.action.QUICKBOOT_POWERON

android.permission.RECEIVE_BOOT_COMPLETED

android.permission.QUICKBOOT_POWERON

Protective measures

Despite the undeniable need for accessibility services, the advanced rights they offer on the system mean that they must be used (on the developer side) and authorized (on the user side) with due consideration.

Today, only a few tools and remediation actions are effective to neutralize the analyzed malware:

  • Blocking the application before launching it with Pradeo Security
  • Forcing the uninstallation of the application with Pradeo Security for Samsung
  • Uninstalling via a device management solution (UEM, MDM)
  • Uninstalling via ADB command

Leave a comment »

Breaking: Musk Appears To Have Taken Over Twitter….. Many Top Execs Gone

Posted in Commentary with tags , on October 27, 2022 by itnerd

It appears to be official. Elon Musk appears to have taken over Twitter. And the bloodshed has begun:

Twitter CEO Parag Agrawal and chief financial officer Ned Segal have left the company’s San Francisco headquarters and will not be returning.

Musk had until Friday to complete his $44 billion acquisition of Twitter or face a court battle with the company.

Well, that didn’t take long. Expect more changes from Musk to come. Not all of them good. And expect unhappy users to flee the platform.

1 Comment »

Cybersixgill Finds Compromised Sports Streaming Credentials On the Underground

Posted in Commentary with tags on October 27, 2022 by itnerd

Cybersixgill has found that hackers are selling compromised sports streaming passwords on the underground. Specifically, over the past 2 years, Cybersixgill has found 31,324 posts sharing or selling streaming accounts on underground forums, markets, and messaging platforms and 17,978 posts in access markets that included credentials for a streaming service of pro sports leagues such as the NBA, NFL, MBL, and NHL.

Knowing that games have been increasingly broadcasted on cable television and subscription-only networks that cost hundreds of dollars, hackers are broadening their scope of techniques to harvest credentials. 

You can find out more about this here.

Leave a comment »

New CISA Cybersecurity Performance Goals For critical Infrastructure Announced By DHS

Posted in Commentary with tags , on October 27, 2022 by itnerd

This morning, the Department of Homeland Security released the new Cross-Sector Cybersecurity Performance Goals (CPGs) to provide baseline cybersecurity goals that are consistent across all critical infrastructure sectors. The CPGs identify and prioritize the most important cybersecurity practices for critical infrastructure operators and provide an approachable common set of IT and OT cybersecurity protections to improve cybersecurity across our nation’s critical infrastructure. 

The security directives were developed by CISA, in coordination with NIST, following the mandates set out in the Biden administration’s July 2021 national security memorandum to improve cybersecurity for critical infrastructure control systems.

Robert M. Lee, CEO and Co-Founder of Dragos had this commentary on these security directives:

“CISA has shown their commitment to working alongside the industrial cybersecurity community with the release of the common baseline Cross-Sector Cybersecurity Performance Goals (CPGs). CISA took extensive input and feedback from industry stakeholders and this updated guidance reflects that they were listening closely, providing actionable but not overly prescriptive guidance – exactly the type of support the community has been requesting. It allows asset owners and operators to work towards shared goals while giving them the flexibility and expertise to implement them in ways best suited to their organizations and risks. Most of the CPGs map closely to the critical controls needed for strong OT cybersecurity—namely, having an incident response plan, a defensible architecture, visibility and monitoring, secure remote access, and key vulnerability management. This guidance can help lift industrial cybersecurity standards across the board to better protect our nation’s critical infrastructure. CISA’s continued focus on OT cybersecurity as foundational to national security, and distinct from IT cybersecurity, is an important contribution to the community’s advancement.”

This is the sort of thing that will help to make us all safer and I hope that this is adopted widely so that things like ransomware and other sorts of attacks become less prevalent.

UPDATE: I have a second comment from Yotam Perkal, director of vulnerability research for software security firm, Rezilion:

General impression from the document:

I think the direction CISA chose to take with the CPG is very good. I hope that having the document written in an approachable language, easy to digest, and focused on the fundamentals, will help with adoption. The main underbelly in terms of cybersecurity risk are not the mature, modern enterprises with huge security budgets and an abundance of security controls. Rather, it is the long tail of organizations, without mature cyber programs or procedures in place. For these organizations, a resource such as the NIST Cybersecurity Framework might be overwhelming. If these organizations adopt and implement the bare-minimum recommendations in the GPG, it could go a long way in terms of improving the overall security posture across the US. I also like the fact that CISA is promoting discussion around the guidelines and soliciting for feedback using the discussion page on GitHub

Specifically regarding the Vulnerability Management section:

I think the recommendations are valid and are reasonably straightforward to implement. That said, in order to implement some of them (such as “mitigating known vulnerabilities” and “no exploitable services on the internet”) there is a preliminary stage that isn’t mentioned in the guidelines which is having visibility into your organization’s exploitable attack surface. Assuming that the long tail of less mature organizations have that visibility is a stretch.We have seen evidence to that when we did our Vintage Vulnerabilities research which found over 4.5 million internet-facing devices that are vulnerable to vulnerabilities discovered between 2010 to 2020 that are known to be actively exploited in-the-wild (on the CISA known exploited vulnerabilities catalog). Specifically in the critical infrastructure domain, Security professionals have to be also aware of the capabilities and limitations of their vulnerability scanning tools. As we have shown in our latest research both open-source and commercial scanners and SCA tools are prone to a significant amount of false-positive and false-negative results. For example, when scanning OT assets, a vulnerability scanner without the ability to identify vulnerable components within compiled code will have significant blindspots when it comes to the known vulnerabilities it will be able to identify.

UPDATE #2: Tyler Reguly, senior manager, security R&D at HelpSystems, says:

“The most important take away there is that these goals were selected to address risks to the nation as well as individual entities. This is a big shift from other well-known baseline documents, such as the CIS Benchmarks or the NIST Security Guidance. At the same time, this is not a complete guide, it is a starting point to ensure organizations are all starting on the same footing.”

Leave a comment »

New Research Finds 73% of Organizations will Increase AppSec investment in 2023 as Log4j Anniversary and Recession Looms

Posted in Commentary with tags on October 27, 2022 by itnerd

Invicti has released the firm’s latest research report, which found:

  • 73% of organizations anticipate that they’ll increase their AppSec investments in 2023.
  • 97% of DevSecOps teams say they ignore a real vulnerability at least once a month because they assume it is a false positive.
  • Developers are pushing code with known vulnerabilities due to pressure to deliver.

With the upcoming Log4j anniversary in early December, the 2 year anniversary of the SolarWinds attack and a recession pressuring security budgets, Frank has found that application security is a top priority for CISOs as nation-states, like China, scan for vulnerabilities as a prime attack vector.

You can read that research report here.

Leave a comment »

Michigan Medicine Discloses Email Account Breach

Posted in Commentary with tags on October 27, 2022 by itnerd

Michigan Medicine has notified patients of an employee email account breach which exposed health information of about 33,850 patients. 

From August 15th through August 23rd, a cyber attacker targeted Michigan Medicine employees with an email phishing scam, luring employees to a webpage designed to get them to enter their Michigan Medicine login ingo. Four employees entered their info and then inappropriately accepted MFA prompts, allowed the attacker to access their email accounts.

Ooops.

John Stevenson, Director of Product at Cyren had this to say:

     “The fact that four separate employees followed the phishing link and accepted multi-factor authentication prompts shows how sophisticated these attacks can be. It is as a stark reminder that phishing continues to plague the healthcare industry. Of the 684 breaches of healthcare data reported to the US Government, 41% of them resulted from email incidents. The majority of those email incidents (74%) were from phishing vs. malware or accidental disclosure.

Many companies might blame the user in situations such as this for not heeding the lessons of the corporate Security Awareness Training (SAT) program. However, the reality is that SAT must be augmented with the right inbox security. What is needed is additional assistance for the user such as Scan and Report buttons within the Outlook inbox that empower the user to put the lessons learned from SAT into practice then and there, taking a proactive approach to email security.”

This illustrates the fact that people are the weakest point in cybersecurity. And organizations need to focus on making that a non factor to stop incidents like this from happening.

Leave a comment »

Koodo Introduces New Customizable Pick Your Perk Plans

Posted in Commentary with tags on October 27, 2022 by itnerd

Today, Koodo launched its Pick Your Perk plans, a new line-up of customizable rate plans that lets customers personalize their plan with a free feature of their choosing. Pick Your Perk plans start at $45 per month, and enable customers to choose one free perk – with different rate plans offering different perk options to select from.

There are five perks for customers to choose from, including Premium Voicemail, Unlimited International SMS, Rollover Data, Speed Boost, and Unlimited Long Distance Pack. Whether customers choose Rollover Data to roll-over unused data into the next month, or an Unlimited Long Distance Pack to stay connected to loved ones overseas with unlimited talk time to the US, China, Hong Kong, India, Mexico, Bangladesh, and the UK — there’s a perk for everyone.

At Koodo, it’s all about choice. These new rate plans are just another way Koodo helps customers create a plan that’s just right for them.

To learn more about the new Pick Your Perks plans, visit koodomobile.com

Leave a comment »

New Cybersecurity VC Firm Research: Q3 Reveals Decline in Cyber Valuations as Recession Takes Hold

Posted in Commentary with tags on October 27, 2022 by itnerd

DataTribe, a cybersecurity seed investor, has released the firm’s Q3 2022 Insights Report highlighting how cybersecurity investing is trending this quarter compared to last year and the previous quarters.

According to the report, Q3 marked a continued decline in valuations across nearly all stages. The current economic headwinds are pressuring private capital markets like public markets. The exception is Seed investment activity in cybersecurity, which increased 37.5% from 24 to 33 deals YoY. 

You can read the full report here.

Leave a comment »

« Older Entries
Newer Entries »