
Is EU competition working? One company shows a 250 percent increase. Hashtag Trending for Friday April 12, 2024

US Internet providers must now display clear pricing and product information. HP Ink controversy continues to stain the company’s reputation with consumers. Is the EU’s competition legislation working? Early numbers seem to show it might be. And there’s a 10 million dollar bet that Elon Musk is wrong about AI.

All this and more on the “all bets are off” edition of Hashtag Trending. I’m your host, Jim Love. Let’s get into it.

New regulations from the Federal Communications Commission took effect yesterday, mandating that all broadband internet service providers clearly display labels detailing the prices, speeds, data caps and other key information about their service plans.

The rules are aimed at helping consumers make more informed choices by requiring ISPs to disclose this data in a simple, standardized format akin to nutrition labels on food products.

In addition to fees charged, the labels must also now list any monthly data caps or overage fees, upfront costs like equipment rental fees, a provider’s customer service contact information, and any other plan limitations like throttling policies.

Despite this progress, consumer advocacy group Next Century Cities continues to push for even more information, saying that these broadband “nutrition labels” often overstate the real-world speeds customers can expect or obscure caps and fees.

Speaking to the FCC last month, one group urged that in addition to maximum speeds, the labels should show the average speeds users actually experience, as estimates of “typical” speeds are frequently overly optimistic.

While the labels are comprehensive, some experts warn the amount of required disclosure could overburden smaller ISPs with limited resources compared to industry giants. For now, only providers with more than 100,000 subscribers must comply; smaller providers have been given an additional year.


The FCC is still gathering feedback on whether to mandate the display of promotional pricing periods and expiration dates, as well as taxes and fees beyond the base rate.

Next Century Cities is further advocating for a streamlined complaint process to report issues like digital discrimination in broadband deployment to the commission.

With the labeling rules now in place, the hope is that customers will be better equipped to comparison shop for broadband and avoid being misled about the true costs and capabilities of different internet packages.

Sources include: Ars Technica, Engadget, and Broadband Breakfast

Of all the emails I get about stories, the HP printer issue is near the top of the list. People write me with their frustrations. And it turns out they take these to the courts as well.

Printer owners are pushing back against HP Inc. in an ongoing class action lawsuit over firmware updates that allegedly disabled their devices from using third-party ink cartridges.

In a filing this week in an Illinois court, the plaintiffs accused HP of using software changes to monopolize the replacement ink market and “take advantage of customers’ sunk costs” in HP printers.

The consumers claim that despite never agreeing to only use HP-branded ink, recent firmware updates prevented their printers from accepting more affordable third-party cartridges.

They allege HP violated several anti-competitive statutes through this “tying scheme” accomplished via unauthorized software changes solely aimed at blocking rival ink suppliers.

The plaintiffs are seeking damages covering the cost of now-useless non-HP cartridges, as well as an injunction forcing HP to undo the firmware lockout.

For its part, HP insists it went to “great lengths” to inform buyers that its printers are designed to exclusively use HP cartridges containing security chips.

The company says the updates represent legitimate “dynamic security” measures to combat counterfeit ink, and that it does not conceal or block remanufactured cartridges reusing official HP chips.

HP also argues the plaintiffs cannot claim overcharge damages from the manufacturer under federal antitrust laws when they purchased through intermediaries.

As printer makers increasingly push subscription models, the controversy highlights long-standing tensions over the high costs of proprietary ink replacements versus third-party alternatives.

The bitter legal battle seems primed to further antagonize HP’s customer base over what critics condemn as anti-competitive practices designed to sustain lucrative ink sales.

Sources include: The Register

We’ve done a number of stories on legislation and regulation from the EU aimed at increasing customer choice and promoting real competition. Is it working? In one case it seems to have had an impact.

It turns out that some alternative web browsers are reporting an uplift in user interest and downloads in the European Union following the recent enforcement of a new digital regulation called the Digital Markets Act or DMA.

The landmark rules, which took effect last month, require dominant tech gatekeepers like Apple and Google to present mobile users with choice screens displaying alternative browsers and other core apps.

The goal is to shake up competition against pre-installed defaults and make users more aware of their options beyond Safari on iOS or Chrome on Android.

While it’s still very early days, several smaller browser makers have already shared positive metrics pointing to increased attention from EU users.

Norway’s Opera says new user growth was up 63% from February to late March, while fellow Norwegian browser Vivaldi reports a 36.7% jump in EU downloads, rising to nearly 70% in the eight countries where it appears on Apple’s choice screen.

The privacy-focused Brave browser also cited a doubling of daily iOS installs in the EU compared to pre-choice screen levels.

And little-known Cyprus-based rival Aloha claimed to have seen 250% growth in new users as it jumped from the 4th to 2nd biggest EU market.

However, not all alternative browsers are seeing clear gains yet. Veteran players like Mozilla’s Firefox, DuckDuckGo and Ecosia say it’s too early to accurately assess the DMA’s impact because choice screen rollouts are still ongoing. Some observers claim these browsers are purposely holding back from reporting success because they want to keep the pressure on to make the choice screens clearer and easier to adopt.

For example, there are complaints that Apple’s iOS implementation in particular has significant design flaws that hamper users’ ability to make a meaningful choice about switching browsers.

The European Commission has open investigations into suspected cases of improper compliance by the tech giants, including Apple’s choice screen methodology.

With continued pressure from the largest alternative browsers, and given the EU’s track record, the Commission is likely to keep monitoring closely to ensure dominant gatekeepers are genuinely opening their platforms to greater competition and consumer choice, as intended.

Sources include: TechCrunch

Some tech industry CEOs are putting their money where their skepticism is when it comes to Elon Musk’s ambitious predictions about artificial intelligence surpassing human intelligence in the next few years.

During a recent interview, the billionaire claimed AI will likely exceed the cognitive capabilities of any single human by the end of 2024, with AI as a whole outstripping the combined intelligence of all humans within just five years.

But those bold forecasts are being met with raised eyebrows and big bets from some AI experts who view Musk’s timeline as wildly unrealistic.

Gary Marcus, CEO of machine learning startup Geometric Intelligence, publicly offered up $1 million to anyone, including Musk, who can prove him wrong.

That prompted Damion Hankejh, CEO of ingk.com, to raise the stakes even further, saying he’d cover a $10 million wager against Musk’s AI predictions coming true.

Marcus said Musk has not responded to the million-dollar challenges yet, but added the Tesla CEO has previously ignored Marcus’ smaller $100,000 bet that artificial general intelligence was not actually imminent, as Musk claimed.

For Marcus, the bets are about more than just money. He wants to spark a public discussion with Musk about what artificial intelligence can realistically achieve in the near-term versus the almost utopian promises that have become common from tech leaders.

Marcus argues many in the industry have a track record of making scientifically implausible claims and missing self-imposed deadlines, pointing to the ongoing challenges with self-driving cars as one example.

While large language models have made rapid advances, Marcus contends the notion they could exceed human-level general intelligence within just a couple of years is fanciful, estimating that milestone may still be decades away.

As CEOs literally gamble over contrasting AI outlooks, the high-stakes bets underscore an intensifying debate over whether too much hype is obscuring the real state and timeline of artificial intelligence development.

I don’t know. Just this once and only once. I’m putting my money on Elon being right.

As always, love to hear what you might think.

And that’s our show for today…

Thanks to those who’ve written in with comments, including the person who wrote me about their trials and tribulations with HP printers and ink purchases.

Keep it coming. And don’t forget, you can find us on YouTube now. If you check us out there, please give us a like or even a subscribe as we try to build an audience there as well.

I’m your host Jim Love, have a Fantastic Friday.


The post Is EU competition working? One company shows a 250 percent increase. Hashtag Trending for Friday April 12, 2024 first appeared on IT World Canada.

Cyber Security Today, April 8, 2024 – Crooks are hijacking Facebook pages to spread phoney AI applications

Crooks are hijacking Facebook pages to spread phoney AI applications.

Welcome to Cyber Security Today. It’s Monday, April 8th, 2024. I’m Howard Solomon with a roundup of the latest cybersecurity news.



Cybercrooks are taking over poorly-protected Facebook profiles to spread links to fake artificial intelligence applications. That’s according to researchers at Bitdefender. They say the hijacked Facebook pages are designed to trick victims into downloading what they think are official desktop versions of AI software including ChatGPT, Midjourney, Sora AI, DALL-E, Evoto and others. What the downloaded apps really do is steal information from victims’ computers, including usernames, passwords, credit card numbers and crypto wallet information. One Facebook page impersonating Midjourney had 1.2 million followers until it was shut down last month. Two lessons from this: People need to protect their social media pages with strong passwords and multifactor authentication to ensure they aren’t taken over and abused by crooks. Also, organizations need to remind all employees that they are forbidden to download applications from unapproved places like social media sites onto any computer that’s allowed to connect to the company network.

Cisco Systems has tweaked the update it released last month to close a vulnerability in its IOS software for Catalyst 6000 series switches. The vulnerability is rated High.

Cisco also says there’s a vulnerability in the web-based management interface of six models of its RV series of Small Business Routers. Cisco says the hole could allow the devices to be compromised. Network administrators should disable remote management on two of the models. For the four other models certain ports should also be blocked. Note that software updates won’t be released to fix the vulnerability. Four of the routers are end-of-life and shouldn’t be on a network at all.

Threat actors have found a new way to compromise Adobe Magento e-commerce servers. Researchers at Sansec say that once an attacker gets into the server, it installs code that adds a backdoor which is re-injected after a manual fix or setup. It takes advantage of a vulnerability discovered in February. The goal is to insert a fake Stripe payment skimmer to steal credit and debit card information. Magento administrators should search for hidden backdoors and make sure their systems have the latest patches or are running the latest versions.

An American firm that provides economic experts to law firms doing litigation has increased the number of people it’s notifying about a data breach. In a filing with the Maine attorney general’s office, Greylock McKinnon Associates now says it’s notifying over 341,000 people that their data was stolen last year. Its original estimate of victims was about 5,400 people. The information, including Social Security numbers, came from the U.S. Justice Department as part of a civil lawsuit. It was stolen in a cyber attack discovered last May.

Pacific Guardian Life Insurance is notifying just over 167,000 Americans of a data breach. In a notice to the Maine attorney general’s office it says the cause was phishing, but gives no other details of the incident. The theft was discovered last September. Among the data stolen were names and credit or debit card numbers and associated passwords or PINs.

A Pennsylvania IT school is notifying almost 31,000 people of a data breach. The York County School of Technology says the data was stolen in a cyber attack just over 12 months ago. Data stolen included names as well as Social Security, drivers’ licence and State ID numbers.

A threat actor has launched a phishing campaign to steal information from the American energy sector. According to researchers at Cofense, the scheme involves targeted emails allegedly from the Federal Bureau of Transportation, sent to people claiming their vehicle had been in an accident or was seen leaving an accident. It alleges they are at risk of being fined. The subject line of the message may include the word ‘Urgent.’ The possibility of a fine, of course, would attract the attention of the reader, who would out of an abundance of caution want to open the attached document — which links to malware. This is a variation of similar scams that have been going on for years and prey on people’s fear of being hurt if they don’t open a document. As always, you’ve got to examine who any message with an attachment comes from, and look for signs of a scam like incorrect grammar. The fact is government agencies don’t send email messages like this. For one thing, how would they know your email address?

Finally, as I told listeners last week, Ivanti has promised to overhaul its product security management practices after the disclosure of more vulnerabilities in its Connect Secure and Policy Secure gateways. John Pescatore of the SANS Institute, which offers cybersecurity training courses, has a suggestion: Any company that makes a security-related product should have to show to the public measurable progress in its security culture, such as third party testing of all products. The penalty: No security product company would be allowed to use the terms AI or machine learning in their marketing and advertising unless they go at least 12 months without a vulnerability that has a CVSS score above 7.

Links to details about news mentioned in this podcast episode are in the text version at ITWorldCanada.com.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, April 8, 2024 – Crooks are hijacking Facebook pages to spread phoney AI applications first appeared on IT World Canada.

Cyber Security Today, Week in Review for week ending Friday, April 5, 2024

Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday April 5th, 2024. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.



In a few minutes Terry Cutler, head of Cyology Labs will be here to discuss some of the headlines from the past seven days.

They include a highly critical report on Microsoft from the U.S. Cyber Safety Review Board, a case study of a ransomware attack and the narrow escape the Linux community faced after a researcher discovered a plot to infect a critical open-source library.

Also in the news this week, five Canadian hospitals with a common IT provider who were hit by a ransomware attack last October revealed how many people were victims: Over 320,000. They will be getting notices next week.

City of Hope, a cancer treatment and research institution with facilities in California, Arizona, Illinois and Florida, notified over 827,000 people that data it holds on them was stolen. The incident was discovered in October. Data copied included names, contact information, dates of birth, Social Security numbers, drivers’ licence numbers, medical records and financial details.

American mortgage lender On Q Financial, which has branches across the country, notified over 211,000 people of a data theft. A hacker was able to exploit a vulnerability in the company’s use of ConnectWise’s ScreenConnect remote access software. Word of the vulnerability spread in February. However, On Q says its system was exploited almost 12 months ago, long before warnings were issued. Data stolen includes names and Social Security numbers.

A threat actor calling itself IntelBroker claims to have stolen classified files from a U.S. government contractor belonging to the Five Eyes intelligence co-operative. That group includes the U.S., Canada, the U.K., Australia and New Zealand. The Bleeping Computer news site says the U.S. State Department is investigating.

A threat actor that researchers at Trend Micro call Earth Freybug has created a new piece of malware to hide its activity. The researchers have given it the name Unapimon. It uses defensive evasion techniques like hijacking dynamic link libraries and unhooking APIs so Windows can’t see the other nasty things the threat actor is doing on a compromised system.

Progress Software released patches for its Flowmon network monitoring platform to patch a critical vulnerability. An unauthenticated remote attacker could use the hole to access Flowmon’s web interface.

Finally, Google released patches for 28 Android vulnerabilities in its April security fixes. It also warned that two of them may be under limited, targeted exploitation. As usual, the patches get installed automatically in Pixel smartphones. Distribution to phones from other manufacturers depends on the company and your wireless carrier.

(The following edited transcript is the first part of the discussion. To hear the full conversation play the podcast)

Howard: The Cyber Safety Review Board released its report into last year’s compromise of Microsoft Exchange Online email accounts — including those of senior American officials. The threat actor was a China-based group that researchers call Storm-0558. The review board is an arm of the U.S. Cybersecurity and Infrastructure Security Agency, but that didn’t stop it from taking Microsoft to the woodshed. The hack “was preventable and should never have occurred,” the report says. It calls Microsoft’s security culture “inadequate and requires an overhaul.” And it complained Microsoft hasn’t been up front with the public that it still doesn’t know how or when the hacking group obtained a signing key that allowed this attack to happen. Terry, this report really whacks Microsoft.

Terry Cutler: I love that comment, “Taking them out to the woodshed.” It [the report] actually answers questions for us, because we’re always wondering why whenever we do Office 365 penetration tests there’s so much red. It’s as if Microsoft turns off security by default and you have to re-enable everything. Whenever we do penetration tests we always come across user accounts that don’t have multifactor authentication turned on, password policy is not set, is it vulnerable to email spoofing, is it capable of receiving malicious attachments in their emails, or are there vulnerable plugins? We find all these things wrong in the system which should have been on and secured by default.

Howard: This report doesn’t just focus on Microsoft. It includes security recommendations for all cloud application providers. We’ll get to that shortly. But first here’s the background of this incident: In May and June of last year the threat actor called by researchers Storm-0558 compromised the Exchange Online mailboxes of 22 organizations and 500 people around the world. These included the email accounts of U.S. Commerce Secretary Gina Raimondo, the U.S. Ambassador to China, a member of U.S. Congress and the email accounts of several members of Britain’s National Cyber Security Center. The attacker had access to some of these cloud-based mailboxes for at least six weeks. It downloaded approximately 60,000 emails from the U.S. State Department alone.

How did this happen? The attacker had somehow got hold of a digital signing key that Microsoft had created in 2016 and used it to create valid authentication tokens. For those who don’t know, signing keys are used for secure authentication. Combined with another flaw in Microsoft’s authentication system the attacker had access to almost any exchange online account in the world.

Problem number 1, the stolen Microsoft Services Account key should have been able to only sign tokens for the consumer version and not the enterprise version of Outlook Web Access. The second problem was the key was issued in 2016 and was supposed to be retired in 2021, so it shouldn’t have been able to sign new tokens at all. To this day no one knows how this gang got that key. Terry, what did you think when you read this narrative?

Terry: It obviously highlights the fundamental issue in the lifecycle management for cryptography keys and the fact that this key, which was only supposed to be used for the consumer version [of Outlook Online], was able to work on the enterprise level. That’s a big problem. The incident also shines a light on a bigger problem around cloud security and the trust we have with them [cloud application providers]. People are always saying, ‘We’re going to move our system to the cloud,’ which is just somebody else’s hard drives. Now you’re outsourcing that cybersecurity burden to somebody else. This report shines a light on other cloud providers to reassess their cybersecurity practices. Are they practicing great identity and access management? Are they protecting their cryptographic keys and other sensitive assets?

It also highlights the fact that Microsoft needs to be more transparent [with customers about cyber incidents]. At one point there was a delay in Microsoft not knowing how the attackers got in. That caused a delay in disclosing [this attack] to the customers. So you need to work on prompt and transparent communication going forward.

Howard: The reason why the stolen digital key worked on enterprises as well as the consumer version of Outlook Web Access was an unknown vulnerability in the token validation system. The report says that responding to customer requests Microsoft had created a common endpoint service that listed active signing keys for both the consumer and the enterprise identity systems. But Microsoft didn’t adequately update its software development kits to differentiate between consumer and enterprise signing keys. The report says this was an unknown flaw. Does that let Microsoft off the hook?

Terry: Absolutely not. It might explain how the breach occurred but also highlights significant gaps in Microsoft security practices, particularly in the area of testing, validation and oversight for the changes in critical systems. In cyber security the goal is [to follow] the principle of least privilege. These are fundamental principles. So by creating a system where the key intended for consumers could also be used in enterprise settings misses something. The oversight was not updating their SDKs.

Howard: Microsoft suspects that this attack succeeded because the gang compromised the login account of an employee who worked for a company that Microsoft bought in 2020. The gang’s access continued after the acquisition. The report says the fact that Microsoft didn’t detect this shows a weakness in its merger and acquisitions cyber security assessment practice — that is, when you’re buying a company you have to thoroughly go through it and make sure that its systems not only are cyber safe but that its employees haven’t been compromised, so when you bring them into your company you’re not exposed. This thing is a lesson for all companies.

Terry: We see this quite often. We experienced this around 2021 when one of our clients was acquiring another company. As soon as they connected the [new company’s] network there were tons of flags going off, endpoint detection with malware … So you need to really make sure that the environment is clean before you bring them [new employees in an acquisition] into your network. You want to do pre-acquisition due diligence. Make sure their cyber security assessments align with your best practices. Make sure the environment is clean from malware, any beacons and things like that. Do a penetration test on them. Plug up the network sensors to see if there are any beacons going out, if there’s any large amounts of data leaving the network. Do you have a proper incident response plan built around the new company as part of your existing plan …

Howard: Among the recommendations the review board makes is that Microsoft should consider lowering its priority on adding new cloud product features until substantial security improvements across the company have been made. That a good idea?

Terry: …The goal now is to build trust … You would think Microsoft would have all the security in place, but because they can’t secure it properly that could be an escape for other cloud vendors to say, ‘If Microsoft can’t do it we can’t do it either…’

Howard: The review board also made a number of recommendations that any cloud application provider should follow. Among them: Cloud service providers should have modern controls around a rigorous threat model, automated digital key rotation should be a rule, adoption of a minimum standard for default audit logging to help detection, they should follow digital identity standards and they should be more transparent around incidents and notifying victims. The review board also recommends the U.S. should create a process to do special reviews of authorized government cloud providers following high impact situations. Are these recommendations tough enough?

Terry: It’s definitely a great step in the right direction. I think the problem we’re going to see is do we have enough knowledgeable [cybersecurity] staff to help implement all these solutions that we want? Is it going to be affordable? Because you know if it’s extremely expensive that cost has to be sent back to the customers. What we’re seeing now is that a lot of customers don’t want to spend all the time, money and resources to deal with cybersecurity. So they’re going to outsource this piece — but the cloud providers better have a good solution in place that can really detect threats.

Howard: Before this episode was recorded I asked for comment from the Cloud Security Alliance, which is an industry group that includes Microsoft, which recommends best security practices to cloud providers. Kurt Seifried, the group’s chief innovation officer, said that there’s no excuse for Microsoft to have used servers without hardware security modules to protect this particular signing key. It uses hardware security modules to protect other keys, he noted. He also added that last November Microsoft announced that under its Secure Future Initiative it’s moving management of identity signing keys to an integrated Azure infrastructure that has hardware security modules.

I also asked Microsoft for comment on the review board report. A spokesperson said “Recent events have demonstrated a need to adopt a new culture of engineering security in our own networks. While no organization is immune to cyberattack from well-resourced adversaries, Microsoft has mobilized its engineering teams to identify and mitigate legacy infrastructure, improve processes and enforce security benchmarks. Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber armies of our adversaries.” Microsoft will also review the final report for additional recommendations.

I think this is a report that everyone who works in IT or is studying for a career in IT should read.
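The two failures described in the discussion above (a consumer signing key accepted by the enterprise side, and a key still honoured years after its retirement date) come down to checks a token validator never made. The following is an added example, not part of the transcript, the review board's report, or Microsoft's code: a toy HMAC-signed token, a "common endpoint" keyring listing both systems' keys, and two validators side by side. The key identifiers, secrets, audiences and the 2016/2021 dates are constructed for the demo.

```python
"""Toy token validator for the two checks discussed above: a signing key
listed in a shared key endpoint must validate only tokens for the identity
system it was issued for, and a key past its retirement date must validate
nothing. Example code added here; the HMAC token format, key ids, secrets
and dates are constructed for the demo and are not Microsoft's."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone


def utc_ts(year, month, day):
    """UTC midnight as epoch seconds (helper for the constructed dates)."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


@dataclass(frozen=True)
class SigningKey:
    kid: str
    secret: bytes
    audience: str      # identity system the key was issued for
    valid_from: int    # epoch seconds
    retire_at: int     # epoch seconds; must not sign or verify after this


# Constructed "common endpoint" keyring listing both systems' keys, mirroring
# the shared key list the report describes. The dates echo the 2016 issue and
# 2021 retirement mentioned in the discussion; the secrets are demo values.
KEYRING = {
    "consumer-2016": SigningKey("consumer-2016", b"demo-consumer-secret",
                                "consumer", utc_ts(2016, 1, 1), utc_ts(2021, 1, 1)),
    "enterprise-2023": SigningKey("enterprise-2023", b"demo-enterprise-secret",
                                  "enterprise", utc_ts(2023, 1, 1), utc_ts(2025, 1, 1)),
}


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(key: SigningKey, claims: dict) -> str:
    """header.payload.signature, HMAC-SHA256 over the first two parts."""
    header = b64u(json.dumps({"alg": "HS256", "kid": key.kid}).encode())
    payload = b64u(json.dumps(claims).encode())
    mac = hmac.new(key.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64u(mac)}"


def lookup_and_verify(token: str, keyring):
    """Resolve kid against the keyring and check the signature only."""
    header, payload, sig = token.split(".")
    hdr, claims = json.loads(unb64u(header)), json.loads(unb64u(payload))
    key = keyring.get(hdr.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64u(sig)):
        raise ValueError("bad signature")
    return key, claims


def validate_naive(token: str, keyring=KEYRING) -> dict:
    """The flawed pattern: any key on the shared list verifies any token."""
    _, claims = lookup_and_verify(token, keyring)
    return claims


def validate_hardened(token: str, expected_audience: str, now: int, keyring=KEYRING) -> dict:
    """Signature plus key lifecycle and key/token audience checks."""
    key, claims = lookup_and_verify(token, keyring)
    if not key.valid_from <= now < key.retire_at:
        raise ValueError(f"key {key.kid} is outside its validity window")
    if key.audience != expected_audience:
        raise ValueError(f"key {key.kid} is a {key.audience} key, not {expected_audience}")
    if claims.get("aud") != expected_audience:
        raise ValueError("token audience does not match this service")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def demo():
    """A retired consumer key presented to an enterprise service: the naive
    validator accepts the token, the hardened one rejects it."""
    now = utc_ts(2023, 6, 1)
    retired_key = KEYRING["consumer-2016"]
    token = sign_token(retired_key, {"sub": "demo-user", "aud": "enterprise", "exp": now + 3600})
    naive_result = validate_naive(token)
    try:
        validate_hardened(token, "enterprise", now)
        hardened_result = "accepted"
    except ValueError as err:
        hardened_result = str(err)
    return naive_result, hardened_result


if __name__ == "__main__":
    print(demo())
```

The order of checks in `validate_hardened` matters less than the fact that each one is tied to metadata carried by the key itself rather than by the token: a key list that is shared across identity systems is only safe if every consumer of that list enforces the audience and retirement fields it publishes.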

The post Cyber Security Today, Week in Review for week ending Friday, April 5, 2024 first appeared on IT World Canada.

CyberTowns Initiative Aims to Spotlight Canada’s Top Locations for Cybersecurity Careers

A new program called CyberTowns is setting out to identify the best communities across Canada to start and grow a career in the cybersecurity and IT fields. Launched by the Canadian Cybersecurity Network and IT World Canada, the initiative will evaluate cities on factors like job opportunities, affordability, population growth, taxes, crime rates, weather, health amenities, community support, and internet access.

The goal is to highlight the unique advantages different municipalities offer in attracting and retaining cyber and IT talent. With cybersecurity skills in high demand, CyberTowns aims to showcase the locales positioned to thrive in this increasingly crucial industry.

“Cybersecurity professionals are a precious commodity in today’s digital economy,” said Francois Guay, founder of the CyberTowns program. “This initiative will recognize the cities cultivating environments where cyber careers can truly flourish.”

The six-month evaluation process involves surveying cybersecurity and IT professionals across Canada, as well as an analysis of key statistical data. Only communities with a population over 100,000 will be considered for the rankings.

An independent review committee will assess the findings before the results are published in a comprehensive report detailing each location’s advantages, challenges, and efforts to drive cybersecurity growth. Provincial and federal policies impacting the cyber workforce will also be examined.

The culmination will be an awards ceremony at the Canadian Identity Summit in Ottawa on April 30-May 1, 2024, where Canada’s top “CyberTowns” fostering cyber talent will be celebrated.

Partnership opportunities are available for sponsors looking to support this initiative highlighting the nation’s cybersecurity hubs. Interested organizations can visit the CyberTowns website for more details on how to get involved.

As cyberthreats continue to escalate, nurturing skilled cyber professionals has become an economic and security imperative for communities across Canada. The CyberTowns program promises to shine a light on the cities rising to meet that challenge.

The post CyberTowns Initiative Aims to Spotlight Canada’s Top Locations for Cybersecurity Careers first appeared on IT World Canada.

Cyber Security Today, April 5, 2024 – New ransomware gang claims 11 victims, Ivanti promises to overhaul product security, and more

A new ransomware gang claims 11 victims, Ivanti promises to overhaul product security, and more.

Welcome to Cyber Security Today. It’s Friday, April 5th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.


A new ransomware group emerged last month. Dubbed RedCryptoApp, researchers at Netenrich say the gang has published data allegedly stolen from 11 organizations. That includes five in the U.S., and one each in Canada, Denmark, Spain, Italy, India and Singapore. Victim firms are in the software, manufacturing, IT, education, construction and hospitality sectors. The gang has likely been in business since December.

After the discovery of several product vulnerabilities in the last three months, Ivanti is promising a new era of security. CEO Jeff Abbot said Thursday that the company is looking critically at every phase of its development processes to ensure the highest level of protection for customers. The promise includes a revamp of core product engineering and the use of secure-by-design methodology. This comes after four new holes in Ivanti Connect Secure and Policy Secure Gateways were disclosed. Patches are available now. In January Ivanti revealed two vulnerabilities in Connect Secure and Policy Secure, followed three weeks later by the disclosure that two more holes had been found. A fifth was disclosed in February. A suspected Chinese threat group is believed to be among those exploiting the vulnerabilities. Among the victims: The U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The current value to cybersecurity pros of the Common Vulnerabilities and Exposures (CVE) List and the National Vulnerability Database is being questioned. That’s partly because the U.S. National Institute of Standards and Technology, which maintains the national database and uses the CVE list, has a backlog of vulnerabilities to process. NIST hopes a consortium of industry, governments and others will help. But SecurityWeek columnist Kevin Townsend also says the CVE database, which is overseen by the not-for-profit MITRE organization, has its own problems. A hundred thousand vulnerabilities have no CVE number. And not all of those that do are real vulnerabilities. There’s also a problem with rating the criticality of vulnerabilities, which impairs the ability of IT administrators to decide which bugs need to be patched first. IT pros need to pay attention to this issue and offer solutions.

IT administrators are being warned to check with their server providers for security updates to close vulnerabilities in their implementation of HTTP/2. A number of applications are vulnerable to a denial of service attack, including Red Hat and SUSE Linux, the Apache HTTP Server Project including Apache Tomcat and Traffic Server, the Go programming language, AMPHP (a library for PHP-based projects) and some products from Arista Networks. Discovered by researcher Bartek Nowotarski, the flaw’s root cause is incorrect handling of headers and multiple Continuation frames, which ultimately leads to denial of service. If no fix is available, admins may have to disable HTTP/2 on servers.

Finally, Sophos released its latest Active Adversary report on cybersecurity attacks its staff investigated. For the fourth year in a row the most common way threat actors got into Windows systems was by taking advantage of security holes in a remote desktop server. In 90 per cent of attacks Sophos investigated last year, abuse of RDP was in some way involved. In one case, an organization was compromised four times within six months through a customer’s exposed RDP ports. How are attackers abusing RDP? The most common way in the 150 cases investigated last year was through compromised credentials. In 43 per cent of cases the organizations did not have multifactor authentication to protect logins. Is your IT department securing remote access?

Later today the Week in Review podcast will be available. Guest commentator Terry Cutler of Cyology Labs and I will discuss recent news including a report highly critical of Microsoft’s security by the U.S. Cyber Safety Review Board, a case study of a ransomware attack and a plot to infect a critical Linux library.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, April 5, 2024 – New ransomware gang claims 11 victims, Ivanti promises to overhaul product security, and more first appeared on IT World Canada.

Cyber Security Today, April 3, 2024 – New Linux vulnerability is found, and a must-read ransomware case study

A new Linux vulnerability is found and a must-read ransomware case study.

Welcome to Cyber Security Today. It’s Wednesday, April 3rd, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.



Following on the shattering discovery of a backdoor hidden in an open-source Linux compression utility comes news of a new Linux vulnerability. It’s in the util-linux package, and it’s been around since 2013. Briefly, the vulnerability allows a user’s password to be leaked. So far, says the researcher who discovered the hole, Ubuntu 22.04 is affected. Linux administrators should check with their distribution creators to see if their servers are affected.

An organization dedicated to cybersecurity has admitted a misconfigured server led to a data breach. The Open Worldwide Application Security Project, more commonly known as OWASP, says the misconfiguration was in an old Wiki web server. What was copied was a decade-old list of resumes of members who joined between 2006 and 2014. They gave their resume as part of their membership application, which included names, email addresses, physical addresses and phone numbers. OWASP no longer collects resumes when members join. The incident was discovered in late February.

You may not have realized, but Google has been collecting browsing activity when you switch into Incognito Mode. Now, to settle a class action lawsuit, it’s going to delete that data. The suit alleged browsing data was collected without the knowledge of users. According to Time, Google says it never associated this data with users who are in Incognito Mode. News that there would be a settlement was announced in December. The details were only released on Monday.

The Rhysida ransomware gang has taken credit for an attack on MarineMax, an American boat retailer with branches in 13 U.S. states. According to Security Week, the gang is auctioning allegedly stolen data.

A small Michigan school board temporarily closed its doors Monday after being hit by a cyber incident. Traverse City Area Public Schools said it disconnected access to the IT network and began a comprehensive investigation.

Finally, the authors behind the DFIR Report have produced a detailed case study of a ransomware attack in 2023 against an unnamed company that should be read. Briefly, it started with an employee clicking on an infected attachment that was hosted on a Microsoft OneNote server. Threat actors are using malicious OneNote attachments to get around email security gateways that would see OneNote as a legitimate source of messages. In this case the malicious document led to the download of a Windows dynamic link library, or DLL, to maintain persistence. Interestingly, after that not much happened for 33 days. Then malware was launched, and the AnyDesk remote access software was installed so the attacker could browse through the network. Unfortunately for the victim organization, the employee who inadvertently started the thing was a member of the domain administrators group, which helped the attacker gain access privileges. From there … well, I’ll give away the ending: The attacker exfiltrated data, and only encrypted two of the organization’s servers: The file server and the backup server. There’s a lot more in the story. This article should be read by anyone in IT, or studying for a career in IT, on how a cyber attack is carried out. There’s a link to it — as well as to other stories mentioned in today’s episode — in the text version of this podcast at ITWorldCanada.com.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, April 3, 2024 – New Linux vulnerability is found, and a must-read ransomware case study first appeared on IT World Canada.

Cyber Security Today, April 1, 2024 – An alert about a critical Linux vulnerability, a warning about password-spray attacks on Cisco VPNs, and more

An alert about a critical Linux vulnerability, a warning about password-spray attacks on Cisco VPNs, and more.

Welcome to Cyber Security Today. It’s Monday, April 1st, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.



Linux administrators and developers must take fast action after the discovery of a backdoor that can compromise some Linux distributions. It’s in a malicious version of the XZ Utils compression utility. For certain this library is in some versions of Red Hat Fedora, Debian Unstable and possibly other Linux distributions. Developers, users and admins should make sure they are using a version of XZ Utils before version 5.6.0. Red Hat says the use of Fedora Rawhide and Fedora Linux 40 should stop immediately unless it uses an older version of the compression utility. Red Hat Enterprise Linux is affected. Developers and users should consult with distributors of other versions of Linux for guidance. This vulnerability is rated critical. Under the right circumstances a threat actor could exploit the vulnerability to gain remote access to a Linux system.

The U.S. Cybersecurity and Infrastructure Security Agency urges developers and users who have affected systems to move to a safe version of the operating system, then hunt for any malicious activity. Any positive findings should be reported to CISA.

Threat actors are using password-spraying tactics to infiltrate Cisco Systems’ Secure Firewall. The warning comes from Cisco, which notes that password-spraying is also being used to attack VPN concentrators used by large enterprises. One tip-off your organization has been hit: Users can’t log into the VPN. Another is a log that shows huge numbers of rejected authentication attempts. Cisco urges network admins to make sure their Secure Firewall software is running the latest version. Admins should also use certificates for authentication to Cisco Secure Firewall rather than passwords. More broadly, security admins should ensure their gateway devices are properly configured.
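The log-based tip-off above (huge numbers of rejected authentication attempts) can be turned into a detection rule. The following is an added example, not Cisco’s own tooling: it parses a constructed VPN authentication log format (not Cisco’s real syslog layout), separates a spray (one source, many accounts, few attempts each) from plain brute force (one source, one account, many attempts), and flags any sprayed source that later logged in successfully.

```python
import re
from collections import defaultdict

# Constructed log format for this example; it is not Cisco's real syslog layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source trying many accounts once each (a spray) that
# eventually succeeds, one source hammering a single account, and a normal typo.
SAMPLE_LOG = (
    [f"2024-03-28T09:00:0{i}Z src=203.0.113.5 user=u0{i} result=FAIL" for i in range(1, 9)]
    + ["2024-03-28T09:00:09Z src=203.0.113.5 user=u03 result=OK"]
    + [f"2024-03-28T09:01:0{i}Z src=198.51.100.7 user=bob result=FAIL" for i in range(6)]
    + ["2024-03-28T09:02:00Z src=192.0.2.10 user=alice result=FAIL",
       "2024-03-28T09:02:05Z src=192.0.2.10 user=alice result=OK",
       "this line is malformed and is skipped"]
)


def parse_line(line):
    """Return (ts, src, user, ok) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["src"], m["user"], m["result"] == "OK"


def summarize_sources(lines):
    """Per source IP: failed attempts per user, plus users that later logged in OK."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failure count
    successes = defaultdict(set)                    # src -> users that succeeded after failing
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, src, user, ok = parsed
        if ok:
            # Only a success that follows earlier failures from the same source is interesting.
            if src in fails and user in fails[src]:
                successes[src].add(user)
        else:
            fails[src][user] += 1
    return fails, successes


def classify_source(per_user, min_users=5, max_per_user=3):
    """'spray': many accounts, few tries each. 'brute-force': few accounts, many tries."""
    if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
        return "spray"
    if len(per_user) < min_users and sum(per_user.values()) >= 5:
        return "brute-force"
    return None


def detect(lines, min_users=5, max_per_user=3):
    """Return findings, sprays first, each with the accounts that then succeeded."""
    fails, successes = summarize_sources(lines)
    findings = []
    for src, per_user in fails.items():
        kind = classify_source(per_user, min_users, max_per_user)
        if kind is None:
            continue
        findings.append({
            "src": src,
            "kind": kind,
            "users": len(per_user),
            "failures": sum(per_user.values()),
            "followed_by_success": sorted(successes.get(src, ())),
        })
    return sorted(findings, key=lambda f: (f["kind"] != "spray", -f["failures"]))


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

A spray finding with a non-empty `followed_by_success` list is the one to act on first: it identifies the account whose password the attacker now holds and which should be reset and protected with MFA.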

JetBrains released a bunch of fixes for the on-prem version of its TeamCity continuous integration server. In total 26 security problems were fixed. By the way, starting with version 2024.03, TeamCity can auto-download lightweight security patches for crucial security issues.

Makers of keycard-controlled door locks used in hotels and offices should pay attention to research released last month. White-hat hackers discovered vulnerabilities in Saflock door locks made by Dormakaba, which open using an RFID wireless technology. Actually, according to an article in Wired, they discovered the holes two years ago at a Black Hat Las Vegas conference. The manufacturer was notified in 2022 and has been working with hotels to fix or replace the vulnerable locks. On releasing their research last month the team estimated only 36 per cent of installed locks around the world have been updated. By the way, part of their research involved getting hold of and reverse engineering the manufacturer’s front desk software. How did they do that? They asked around. Vendors assume no one copies their software, the researchers said. There’s a lesson in that.

AT&T is forcing over 7 million of its current customers to reset their four-digit passcodes. This comes after an investigation into the posting of stolen data two weeks ago on a dark website. The American telecommunications carrier said Saturday that information on just over 73 million customers — 65 million of them former subscribers — is involved in the data posting. It isn’t clear where the data was stolen from. AT&T says the information appears to be from 2019 or earlier. It includes names, email addresses, mailing addresses, phone numbers, Social Security numbers and dates of birth.

The Chattanooga Heart Institute has issued a fourth update on the number of people affected by a data breach just over a year ago. In a filing with Maine’s attorney general’s office it now says data on over 547,000 people was stolen. Initially it said data on over 170,000 people was copied. Data stolen included credit or debit card numbers along with the security codes, passwords or PINs.

Prudential Insurance of America is notifying over 36,000 people that some of the personal data it holds was stolen in early February. Data copied included names, drivers’ licence numbers or identification card numbers.

Security experts urge IT departments to move to cloud application providers where possible for a number of reasons. One is that the provider can apply security updates faster than an on-prem IT team. However, that doesn’t solve all security problems. American university researchers recently discovered a new vulnerability if an organization uses a cloud email filtering service — such as Proofpoint or Barracuda — that scans incoming mail before passing it on to the firm’s cloud email system — for example, Gmail or Exchange Online. If the email system hasn’t been configured to only accept messages from the email filtering provider, then malicious email could get through to employees. A clever threat actor could identify the server used by the company’s email hosting provider and send malicious mail directly to it. In other words, the attacker bypasses the email filtering provider. The researchers believe 80 per cent of email filtering systems can be bypassed. The lesson to IT departments: Make sure your email systems are properly configured.
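A quick way to see whether the misconfiguration described above is being exploited is to compare the connecting client of every accepted inbound message against the filtering provider’s egress addresses. This added example is not the researchers’ tooling: it uses a constructed inbound-SMTP log layout (not that of any real mail platform) and placeholder provider ranges; a real check substitutes the address ranges the provider publishes.

```python
import ipaddress
import re
from collections import Counter

# Placeholder egress ranges for the filtering provider (constructed for this
# example; a real deployment uses the ranges the provider publishes).
FILTER_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "2001:db8:f11::/48")]

# Constructed inbound-SMTP log format; not the layout of any real mail platform.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]*)> status=(?P<status>\w+)$"
)

# Constructed sample: two deliveries via the filter, one rejected direct attempt,
# and two accepted direct deliveries that never passed through the filter.
SAMPLE_LOG = [
    "2024-03-28T10:00:00Z client=198.51.100.20 from=<news@example.net> to=<ann@example.com> status=accepted",
    "2024-03-28T10:00:10Z client=203.0.113.9 from=<ceo@example.com> to=<ann@example.com> status=accepted",
    "2024-03-28T10:00:11Z client=203.0.113.9 from=<ceo@example.com> to=<bob@example.com> status=rejected",
    "2024-03-28T10:00:20Z client=2001:db8:f11::5 from=<hr@example.org> to=<bob@example.com> status=accepted",
    "2024-03-28T10:00:30Z client=203.0.113.44 from=<it@example.com> to=<cat@example.com> status=accepted",
]


def parse_smtp_line(line):
    """Return the log fields as a dict, or None when the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def came_via_filter(ip_str, ranges=FILTER_RANGES):
    """True when the connecting client is inside the filtering provider's ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:          # garbage in the client field never counts as the filter
        return False
    # Membership across address families is simply False, so v4 and v6 can be mixed.
    return any(ip in net for net in ranges)


def find_bypasses(lines, ranges=FILTER_RANGES):
    """Accepted messages whose client was not the filter: they were never scanned."""
    hits = []
    for line in lines:
        rec = parse_smtp_line(line)
        if rec and rec["status"] == "accepted" and not came_via_filter(rec["ip"], ranges):
            hits.append(rec)
    return hits


def bypass_sources(lines, ranges=FILTER_RANGES):
    """Count bypassing deliveries per client IP, most active first."""
    return Counter(r["ip"] for r in find_bypasses(lines, ranges)).most_common()


if __name__ == "__main__":
    for rec in find_bypasses(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['ip']} {rec['sender']} -> {rec['rcpt']} bypassed the filter")
```

Any hit here means the mail system accepted the message from an arbitrary Internet host; the fix is the configuration change the researchers describe, restricting inbound acceptance to the filtering provider’s addresses, with this check re-run afterwards to confirm the list goes to zero.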

Follow Cyber Security Today on all major podcast distributors including Apple and Spotify.

If you want a daily dose of general IT news, we also offer Hashtag Trending every morning. Subscribe wherever you get your podcasts.

The post Cyber Security Today, April 1, 2024 – An alert about a critical Linux vulnerability, a warning about password-spray attacks on Cisco VPNs, and more first appeared on IT World Canada.

The state of AI: Hashtag Trending, the Weekend Edition – Documentary Part 2

The state of AI is the second in this series prepared for the long weekend. In part one, we traced the evolution of Artificial Intelligence. In episode two, we discuss where we are today in the implementation of AI using a model developed by Jackie Fenn, a Gartner analyst who developed the “Hype Curve” – a way of understanding the introduction and maturity of technology developments and trends in a commercial setting.

We try to give some perspective on why there is such enthusiasm for AI, but so little in the way of practical implementations. In doing this we propose some reasons why companies must move forward. We also propose some ideas about how companies can move forward.

The post The state of AI: Hashtag Trending, the Weekend Edition – Documentary Part 2 first appeared on IT World Canada.

Cyber Security Today, Week in Review for the week ending Friday, March 29, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, March 29th, 2024. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.



In a few minutes David Shipley of Beauceron Security will be here to discuss recent news. That includes a U.S. Senator’s call for the healthcare sector to meet minimum cybersecurity standards, whether the Canadian military’s Cyber Force needs more resources, what World Backup Day should mean to IT leaders and Beauceron Security’s new State of Security Awareness report.

But before we get to the discussion a quick look at other news from the past seven days:

You might think that financially motivated hacking gangs, or countries like Russia, North Korea and China are responsible for most of the zero-day vulnerabilities exploited in the wild. Nope. According to the latest numbers compiled by Google, commercial surveillance software companies that make spyware for governments were responsible for at least 58 of the 97 exploited zero-day vulnerabilities discovered last year. China was the biggest source of government-backed exploits with 12. Another trend, which may come as no surprise from my reporting: Attackers are increasingly planting zero-day vulnerabilities in open source components and libraries like GitHub, where it is hoped they can be widely spread in finished applications. Among the report’s recommendations: Software and product vendors should prepare for how they will respond when an in-the-wild zero-day is discovered targeting their applications.

At least 17,000 Microsoft Exchange servers in Germany are vulnerable to attack because they don’t have the latest security patches or are running outdated versions. That’s according to the country’s information security agency. Threat actors are already exploiting some of these servers, the agency adds.

A Chinese-language phishing-as-a-service platform called Darcula has been detailed in a report by researchers at Netcraft. The platform has been used for many high-profile email and text phishing attacks over the past year, including package scams pretending to be from the United States Postal Service. The site sells monthly subscriptions to hundreds of templates for phishing messages, abusing the names of airlines, utilities, financial institutions, government departments and telecom companies.

A number of organizations admitted this week to being hit by ransomware:

The INC ransomware gang threatened to publish data allegedly stolen from two districts in Scotland’s health service.

The Qilin ransomware gang says it hit The Big Issue, a street newspaper distributed in the U.K. The publication’s chief executive told the news site The Record that it is dealing with a cyber incident.

In this country the town of Huntsville, Ont., said the March 10th cyber attack it suffered was ransomware. Some data was “compromised,” the town said. But it couldn’t say at this point whether that included personal information.

In the U.S., the Tarrant County Appraisal District in Texas said it was hit by a ransomware attack on March 21st. The authority appraises property for an area that includes the city of Fort Worth. The Medusa ransomware gang is demanding US$700,000.

Gilmer County in Georgia said it took some IT systems offline in response to a ransomware attack.

The city of St. Cloud, Fla., told a local news service that municipal files were locked by ransomware.

And Harvard Pilgrim Health Care has updated the number of Americans it is notifying about a 2023 ransomware attack. That number is now just over 2.8 million people, an increase of several hundred thousand over the original notification.

(The following is an edited transcript of part of the discussion. To hear the full conversation play the podcast.)

Howard: Your company, Beauceron Security, just released its second annual State of Security Awareness report. One of the biggest weapons that threat actors rely on is tricking employees into doing something that they shouldn’t — Click on an infected attachment, download corrupt software, allow a password to be changed and so on. These all lead to the installation of malware and data theft. So employee cybersecurity awareness is one of the biggest defences an organization can mount. Are there encouraging numbers in this report?

David Shipley: There are very encouraging numbers that look at organizations that have been running [awareness] programs that have become progressively more mature year after year. One of the most hopeful things that I saw over three years of study we’ve done with more than 150,000 people — most of them here in Canada — was double-digit improvements in attestations by employees. They go through a process where they’re surveyed annually about their attitudes and their knowledge levels — which for the record is the only way to get insight into that: You have to ask people these questions. We see major rises in adoption and use of password managers, in avoiding risky behaviours like reusing passwords or storing organizational information in personal clouds. People will change over time, but I can back it up with quantitative data in that we’ve seen year-over-year continuous improvements in almost every single industry that we work in. There’s a few exceptions, but we can see that consistent [awareness] programs that deliver education and simulations show great results. I’m really encouraged. There’s lots in the report that helps people sort of understand what maturing looks like, what going from a compliance-oriented, ‘check the box awareness program’ to one that actually can provably, demonstrably, reduce risk and drive return on investment looks like.

Howard: What about discouraging numbers in the report? I saw, for example, that only 22 per cent of respondents said that they report a phishing email or text the day it is received.

David: Report rates are an underused metric across this industry. The report rate is the number of people who were sent a [phishing] simulation who looked at it, decided something was wrong and took an active action — clicked a button or forwarded it — to say, ‘This looks like a phish.’ It’s a far more reliable and less manipulable metric for [measuring] security program effectiveness than a click rate, which can be subject to chance and all kinds of fun things. Report rates are a metric of resilience and educational efficacy. What’s really cool is the higher you drive that number the more confident you are that people are more likely to catch and stop something than fall victim, and the more likely you are to catch a bunch of stuff that is getting by email filters.

I just ran an internal test for Beauceron and we were able to look at what our email filter provider said they stopped for phishes and then we found out how many phishes got by thanks to reporting. We realized that we had a 20 per cent leakage rate last month for all the phishes that the email filter said it had stopped. But that still left a lot of phishes landing on us. There are things there to pay attention to.

The other thing in the report we’re highlighting is we are seeing a tightening of security budgets as a result of the continued economic waves from the pandemic. One of the areas that get squeezed is security awareness, and it’s such a shortsighted move.

Howard: Metrics are vital for each organization to understand where its employees are weak in awareness and the training they need. How do you gather these metrics and what are the most important metrics to measure employee security awareness?

David: In our industry oftentimes the metrics that are most cited are activity-based or point-in-time click rates, training completion percentage success rates — What was the average score? These are useful, but they are not outcome-based. What’s extremely valuable is a qualitative survey where people tell you how they feel about things and whether they’re getting the knowledge they need. You might think you can’t trust people. Listen, if your organization is so broken that you cannot trust people at all to tell you the truth your biggest problem isn’t cybersecurity. Surveys have to be balanced, but social sciences have proven a lot of different ways that we can gain value and confidence levels from human responses. So we need to do more listening [to staff].

The other thing is we need to start coming up with really good return-on-investment models for security awareness. We’re one of the few companies saying unlimited training does not yield the business benefits that some are advocating. We’ve seen some of our sector say that you should be spending 60 minutes annually and five minutes per month. That works out to be more than two hours of security awareness training per year, and we think that that is really expensive. The incremental benefit of that versus 30 minutes spread throughout the year is pretty damn small. We’re going to work on proving that because the biggest cost of a security awareness program is not licensing a [training] platform. It’s the time you’re taking from employees from their regular jobs that really adds up.

Howard: What’s effective in getting employees to change behaviour so they do things that are more cyber safe?

David: One of the most important things that we’ve learned from the work we’ve done is saying, ‘Thank you.’ Saying, ‘Job well done.’ is the most powerful motivator. The system that we design is built around the concept of a personal cyber risk score. We give people positive incentive points when they do the right thing, and demerit points when they make mistakes. We give them a chance to learn from those mistakes. We’ve seen our [suspicious email] report rates skyrocket — we’ve seen an increase in report rates of 90 per cent in the first 90 days because we changed the phishing simulation game. Right now in most phishing simulation exercises there are only two states: An employee either clicked the [test] phish and they lost the exercise, or they didn’t click on it. But when you have positive recognition when people report the phish, they succeed. Even if they report it after they fall victim to a phish you still give them some kind of a win … Then you can do some cool things like give gift cards tied to random draws for the people that reported all 12 simulations.

Howard: One final thing: Expecting your staff to be perfect 100 per cent of the time isn’t realistic. No matter how much awareness training you do the organization also has to have defence in depth, multifactor authentication to protect logins, robust patch management network segmentation and the list goes on.

David: Absolutely. I will be the first to say to any organization out there, if you think that just buying a security awareness platform solves all of your problems and all of your dreams are going to come true — no. But we [training platforms] are an absolutely important part of driving that.

The other part is it’s not just about telling employees about password strength or what phishing is. It’s about explaining their role in protecting their organization, recognizing them for doing the right thing and giving them new tools to improve their digital literacy — particularly those who are managers. That actually drives the buy-in to achieve defence in depth. So many organizations are missing the opportunity to use their awareness campaign to generate [executive] buy-in to drive their security maturity. You can’t just do that with vendor content. It is not a fire-and-forget approach. But you can do it over time. We’ve worked with lots of organizations who’ve done that. I hope folks who are listening consider downloading the report. There’s lots of great advice in there and it doesn’t matter what platform you’re using. If you take some of these practices that we’re recommending into your program I guarantee 100 per cent it’s going to improve results for you.

The post Cyber Security Today, Week in Review for the week ending Friday, March 29, 2024 first appeared on IT World Canada.

The road to AI: Hashtag Trending, Weekend Edition – March 29, 2024

Welcome to Hashtag Trending, the Weekend Edition. I’m your host, Jim Love. On this long weekend, I thought we’d try something a little different.

I find that when I break my daily routine and get some time away, I can take a moment and reflect – see the bigger picture – and use that perspective to look forward. It’s a chance to think strategically.

So, this weekend, that’s what I want to do with the issue that is dominating technology and business – Artificial Intelligence.

The road to Artificial Intelligence 

https://hashtagtrending.libsyn.com/the-road-to-ai-hashtag-trending-the-weekend-edition-for-march-29-2024

You can use this player or go to anyplace you get your podcasts and look for Hashtag Trending.

The Story

What I’ve produced is more of a documentary than an interview show and I’ve done it in two parts. The first part is a history of AI, taking it from earliest times and up to the launch of ChatGPT. It’s part historical, part philosophical. But I also think it lays a foundation for understanding our pursuit of AI and our fascination with it.

The second part or episode, is more in the current day and down to the practicalities of business and technology.

I’ll look at why what is called generative AI is transformational. Those of you who are fans of the show will know that I’m enthusiastic about technology, and I love it, but I’ve been in this game for 40 years – I try not to be caught up in the hype about any product, service or development.

So I’m not going to predict the future, all I’m going to do is talk about this like a scatter diagram. You put a lot of points on a two by two matrix and sometimes they’re all over the place. Other times, they start to show a pattern, they point in a direction.

Generative AI is like that. It seems like it’s all over the map, but when you connect the dots and draw the line, it leads you to what seems to me to be inevitable – one of the biggest transformations in how we work and how we live in human history.

And not only is the change inevitable, but the pace of that change and the impact of that change, may be greater than we could possibly imagine.

So in our second episode, we’re going to take stock of what has happened in the less than two years since ChatGPT was launched. We’ll take stock of where we are now and we’ll look at what will happen over the coming months with a focus on what that will do, primarily to our businesses.

It will still take time for changes to work their way into our lives, but it will be less than you might think. And change – our ability to adapt – takes time as well.

Again, no hype – just drawing a line to the inevitable.

Here’s our first episode:

The road to Artificial Intelligence

https://traffic.libsyn.com/hashtagtrending/A_history_of_AI_episode_1.mp3

The post The road to AI: Hashtag Trending, Weekend Edition – March 29, 2024 first appeared on IT World Canada.