
Cyber Security Today, March 29, 2024 – PyPI repository shuts to stop malicious uploads, a plea to developers to stop creating apps with SQL vulnerabilities, and more

PyPI repository shuts to stop malicious uploads, a plea to developers to stop creating apps with SQL vulnerabilities, and more.

Welcome to Cyber Security Today. It’s Friday, March 29th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.



I’ve reported before that threat actors are increasingly uploading malicious code into open-source repositories like GitHub and NPM. Well, things got so bad yesterday that the Python Package Index, known as PyPI, had to temporarily suspend new project creation and new user registration. According to researchers at Checkmarx, the administrators likely had to do this because someone automated the uploading of malware-filled Python code. A favourite tactic is to give the bad code a name similar to that of a legitimate package that developers regularly look for. If a developer unknowingly plants malicious code in their application, it can be exploited by the threat actor to steal data from software users or from the developer. As I’ve said before, anyone downloading code from an open-source library has to take precautions. Make sure you’re not downloading something that’s infected.
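The look-alike names described above are something a build pipeline can screen for before anything is installed. The following is an added example, not code from the podcast or from PyPI: it normalizes requested package names the way the index does (case and the `-`, `_`, `.` separators are equivalent) and flags any name that is not on a project's own allowlist but sits within a couple of edits of one that is. The allowlist and the sample requirement names are constructed for the example.

```python
import re

# Constructed allowlist: the packages a project is actually meant to depend on.
# In practice this would come from the project's lock file or internal registry.
TRUSTED_PACKAGES = {"requests", "numpy", "colorama", "cryptography", "urllib3"}


def normalize(name: str) -> str:
    """Package-index style normalization: lower-case, and runs of '-', '_' or '.'
    collapse to a single '-', so 'Foo_Bar' and 'foo-bar' are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character insertions, deletions or
    substitutions needed to turn a into b (a transposition counts as two)."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,               # delete ca
                current[j - 1] + 1,            # insert cb
                previous[j - 1] + (ca != cb),  # substitute ca -> cb
            ))
        previous = current
    return previous[-1]


def audit_requirements(requested, trusted=TRUSTED_PACKAGES, max_distance=2):
    """Sort requested names into three buckets:
    ok         - exactly on the allowlist (after normalization)
    suspicious - not on the allowlist but within max_distance edits of a trusted
                 name, i.e. a likely typo or a deliberate look-alike; each entry is
                 (requested_name, [trusted names it resembles])
    unknown    - not on the allowlist and not close to anything on it
    """
    trusted_by_norm = {normalize(t): t for t in trusted}
    ok, suspicious, unknown = [], [], []
    for name in requested:
        norm = normalize(name)
        if norm in trusted_by_norm:
            ok.append(name)
            continue
        near = sorted(t for tn, t in trusted_by_norm.items()
                      if levenshtein(norm, tn) <= max_distance)
        if near:
            suspicious.append((name, near))
        else:
            unknown.append(name)
    return ok, suspicious, unknown


if __name__ == "__main__":
    # Constructed requirement list: two genuine names, two look-alikes, one unrelated.
    sample = ["Requests", "reqeusts", "colorsma", "numpy", "flask"]
    ok, suspicious, unknown = audit_requirements(sample)
    print("ok:", ok)
    print("suspicious:", suspicious)
    print("unknown (review before adding to the allowlist):", unknown)
```

The `unknown` bucket matters as much as `suspicious`: a genuinely new dependency should be reviewed and added to the allowlist deliberately, rather than slipping through because it happens not to resemble anything already trusted.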

The U.S. is offering a reward of up to US$10 million for information about anyone connected to the AlphV/BlackCat ransomware gang. This comes after the gang claimed responsibility for the February attack on American medical billing services provider Change Healthcare. According to some news reports the company paid US$22 million to the gang to get access back to scrambled data. Since then there have been reports the gang is dissolving.

A new Linux version of the XDealer remote access trojan has been discovered. It’s also called DinodasRAT by some researchers. Kaspersky says the new variant of this backdoor largely targets servers running Red Hat and Ubuntu Linux. There’s no detail in the report about how servers are infected. So far compromised servers have been seen in China, Taiwan, Turkey and Uzbekistan.

U.S. cyber authorities are begging application developers to stop creating software with SQL injection vulnerabilities. Ways of preventing them have been around for 20 years. But software companies are still releasing products open to SQL compromise. Example number one: Progress Software’s MOVEit file transfer application, which the Cl0p ransomware gang leveraged last year to steal personal data on 94 million people from over 2,700 organizations around the world. Here’s a link to the advice on safely creating applications.

Companies operating in critical infrastructure sectors in the U.S. have just under two months to comment on proposed regulations for cyber incident and ransom payment reporting to the Cybersecurity and Infrastructure Security Agency. Briefly, the proposed rules say some 316,000 organizations would have to report certain incidents within 72 hours after discovery, and within 24 hours of paying a ransom. Hospitals with under 100 beds would be exempt.

Also this week the Agency warned that threat actors are actively exploiting a code injection vulnerability in Microsoft SharePoint Server. This vulnerability was revealed 12 months ago. There’s no reason why IT departments haven’t installed a patch by now.

The Vulture malware that steals bank login information from Android devices has added new features. Researchers at NCC Group/Fox-IT say that among other things the malware can now disable Keyguard to bypass lock screen security on infected devices. Often victims are suckered into downloading the malware by falling for a text message that asks them to call a number if they didn’t authorize a large financial transaction or purchase.

Finally, a number of companies issued security patches for their products this week:

Splunk issued upgrades for Splunk Enterprise, Cloud Platform and Universal Forwarder. Cisco Systems patched its IOS and IOS XE software for multiple vulnerabilities, as well as its Access Point software. Nvidia released a software update for its ChatRTX artificial intelligence chatbot for Windows to close two holes. And the Cybersecurity and Infrastructure Security Agency released four advisories for industrial control systems. Three are for products from Rockwell Automation involving its PowerFlex 527, Arena Simulation and FactoryTalk ViewME products. The other is for Automation-Direct’s C-MORE display system.

Later today the Week in Review podcast will be available. Guest David Shipley of Beauceron Security will discuss his company’s latest State of Security Awareness report, what World Backup Day should mean to IT pros, a call for the U.S. healthcare sector to meet mandatory minimum cybersecurity standards, and more.

Follow Cyber Security Today on Apple Podcasts or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, March 29, 2024 – PyPI repository shuts to stop malicious uploads, a plea to developers to stop creating apps with SQL vulnerabilities, and more first appeared on IT World Canada.

40 thousand routers compromised: Hashtag Trending for Wednesday, March 27th, 2024

A new cyberthreat is taking down home routers. Germany passes a law insisting on end-to-end encryption. Reports expose the craziness of tech hiring practices, the US government has had it with SQL injection attacks, and Elon Musk gets a smackdown from a federal judge as we see more from the X files – the Musk is out there.

These stories and more on the “check your references” edition of Hashtag Trending. I’m your host, Jim Love, let’s get into it:

A major new cyber threat has been uncovered that is targeting routers and smart home devices around the world. Researchers at communications company Lumen Technologies have revealed details of a widespread hacking campaign that has already infected tens of thousands of vulnerable devices.

A notorious botnet known as TheMoon, which researchers thought was taken down years ago, has been resurrected by hackers. In just a 72-hour period earlier this month, it infected more than 6,000 Asus routers.

But that’s just the tip of the iceberg. Lumen’s investigation uncovered that from January through February, TheMoon compromised over 40,000 routers and smart devices across 88 countries.

Many of these infected gadgets are now being used to power a criminal proxy service called Faceless, allowing users to disguise their identities and malicious internet activities.

Experts believe TheMoon’s revival is linked to cybercriminals seeking new ways to cover their tracks as law enforcement ramps up investigations into online crime rings. Nearly 7,000 new users are joining the Faceless network weekly.

While the specific hackers are unknown, it’s a disturbing broader trend. Lumen has seen seven separate campaigns just in the last two years exploiting vulnerabilities in routers and other smart home technology with poor security controls.

For consumers, the advice is clear – keep your router software updated with the latest security patches. Lumen has blocked access to the infected devices on its networks for now, but this evolving threat underscores how prevalent outdated and insecure connected devices have become.

Sources include: Axios

In a stark contrast to efforts by many governments to undermine digital privacy, Germany is taking a totally different approach by enshrining the “right to encryption” into law.

While the United States, United Kingdom and others push for ways to weaken encryption in the name of security, the German government is taking the opposite approach – drafting first-of-its-kind legislation to make end-to-end encryption mandatory for messaging, email and cloud service providers.

The proposed law, published this week by Germany’s Ministry for Digital and Transport Affairs, would require tech companies to use strong encryption wherever technically feasible to guarantee confidentiality and protect users’ fundamental rights.

Digital rights activists are applauding the draft bill as a landmark win for online privacy and data protection – areas where Germany has historically been a leader with its strict data laws.

The legislation specifies that “individual messenger services” can no longer forgo full encryption or only partially encrypt, unless there are legitimate technical limitations.

Maximilian Funke-Kaiser, digital policy spokesperson for Germany’s Free Democratic Party, says it’s a “necessary measure” to prevent future erosions of encryption after anti-encryption efforts like the controversial “Chat Control” proposals.

While the draft law still needs to pass Parliament, likely in 2025, its intent is being celebrated by privacy proponents as Germany bucks the global trend of governments seeking encryption backdoors or client-side scanning capabilities.

Ten years after encrypted email service Tutanota launched in Germany, the country is now poised to be the first in the world to enshrine digital secrecy and “the right to encryption” as fundamental citizen rights in federal law.

Sources include: Tuta

The U.S. government is cracking down on SQL injection flaws once and for all.

SQL injection attacks have plagued websites and applications for decades, allowing hackers to maliciously access and manipulate backend databases. Now, U.S. authorities say they’ve had enough of companies shipping products with these “unforgivable” vulnerabilities.

In a new alert, the FBI and the Cybersecurity and Infrastructure Security Agency are pressuring software vendors to launch formal code reviews and build security into their development lifecycles from the ground up.

Their call comes after last year’s massive supply chain hack against MOVEit file transfer software, enabled by a SQL injection zero-day flaw that exposed data on 95 million individuals.

SQL injection holes exist when user input isn’t properly sanitized, allowing it to modify back-end database queries maliciously.

While a well-known issue for over 15 years, the government says such vulnerabilities are still prevalent and indefensibly included in new software releases.

Vendors are being advised to incorporate “secure by design” principles – using techniques like parameter binding that separate code from user input – rather than relying on brittle sanitization filters easily bypassed by hackers.
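What “separating code from user input” means in practice is easiest to see side by side. The following is an added example, not code from the alert or from any vendor mentioned here: a lookup written by pasting the input into the SQL text, next to the same lookup written with parameter binding, run against a constructed in-memory SQLite table. The probe string is the regression input a code reviewer would use to show that the first version lets input change the query's logic while the second compares it as a plain literal.

```python
import sqlite3

# Constructed sample data standing in for a real application database.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]

# Regression input: contains a quote, so it only "works" if the input can reach the SQL text.
PROBE = "x' OR '1'='1"


def make_db():
    """In-memory table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the input is interpolated into the query string, so the database
    sees whatever SQL the input happens to contain."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameter binding: the SQL text is fixed at write time and the value travels
    separately, so the database compares it as a string and never parses it as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(conn, value):
    """Return (rows from the vulnerable query, rows from the bound query) for one input."""
    return find_user_vulnerable(conn, value), find_user_safe(conn, value)


if __name__ == "__main__":
    conn = make_db()
    for value in ("alice", PROBE):
        vuln_rows, safe_rows = compare(conn, value)
        print(f"input={value!r}: vulnerable -> {len(vuln_rows)} row(s), bound -> {len(safe_rows)} row(s)")
```

For the ordinary input both functions return the one matching row; for the probe the interpolated query returns every row in the table, while the bound query returns nothing because no username is literally equal to the probe string. That difference, not any particular escaping rule, is why the alert favours binding over sanitization filters.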

Beyond pushing for better coding practices, the alert urges transparency, telling companies to properly disclose SQL flaws using the standard CVE system so customers can track their exposure.

Analysts say the government message is clear – businesses dragging their feet on well-established security basics are jeopardizing the economy and national security.

Sources include: The Register

A federal judge has dismissed a high-profile lawsuit from Elon Musk’s social media platform X against an anti-hate group, in a ruling seen as a victory for free speech over the billionaire’s attempts to stifle criticism of his company’s policies.

The lawsuit was against the Center for Countering Digital Hate, an organization that has been highly critical of the social network’s handling of hate speech and misinformation under Elon Musk’s ownership.

In a scathing ruling, Judge Charles Breyer said X’s motivation was clear – “to punish the defendants for their speech” criticizing the company, and perhaps “dissuade others” from similar criticism in the future.

The Center had published reports blasting X, formerly known as Twitter, for failing to act on hateful content posted even by premium users. It also alleged racist and antisemitic posts went unaddressed.

Musk’s company sued the non-profit last year, claiming it had waged a “scare campaign” that drove away advertisers and cost X tens of millions in lost revenue. It accused the Center of unlawfully scraping data from the platform.

But Judge Breyer dismissed the breach of contract and illegal scraping allegations, saying X did not adequately show any actual losses. He stated that if the Center’s reports were defamatory, that would be one thing – but X carefully avoided claiming they were.

The Center says the landmark ruling will embolden public interest researchers to ramp up efforts holding social media companies accountable for hate and misinformation they host.

It’s a stinging rebuke of Musk’s scorched-earth legal tactics against one of his chief critics – the very kind of speech his self-professed “free speech” stance claimed to uphold.

Sources include: The Verge

Is tech hiring broken? The tech industry’s hiring practices are facing intense scrutiny.

It’s a tale of two extremes when it comes to hiring at Big Tech.

On one side, you have Google’s notoriously grueling interview process that has rejected highly skilled engineers. Ironically, one of those it rejected is the creator of the popular Homebrew package manager, which a lot of Google teams use.

At Google, countless would-be employees talk about interviews that fixated on theoretical problems and rote memorization over practical troubleshooting abilities.

On the other, you have Meta reportedly hiring candidates for critical AI roles without any interviews at all, such is the company’s desperation to rapidly onboard talent amid the artificial intelligence arms race.

And Meta has CEO Mark Zuckerberg personally recruiting from rivals like DeepMind and offering extravagant counteroffers just to stanch the AI brain drain caused by the company’s push into generative AI.

However, the rush to hire has Meta employing candidates sight-unseen based on credentials alone, raising eyebrows about vetting standards.

The dysfunction isn’t limited to those two companies either. Accounts also depict Amazon discarding engineers every two years in a philosophy of constantly refreshing its workforce with new, wide-eyed talent.

Big tech’s hiring insanity is putting talent through the wringer or failing to properly evaluate it at all.  And then, of course, there’s the layoffs.

Just checking – anybody think there’s a correlation between Google’s hiring process and its failure to get traction with anything that grabs public imagination?

In a world where we know that your big advantage is your team and culture, this situation is nuts. I’ve said it before and I’ll say it again – we are smart people, with emphasis on people. We can do better than this.

Sources include: IndiaToday

And finally, the Daily Beast did a story on how older people are falling for AI generated fakes on Facebook.

According to a research report quoted in the article, older people are much more likely to be fooled by AI generated pictures and voices.

We used to dread the “talk” we had to have with our kids. Well, there’s another “talk” you have to have – with your parents.

There’s one scam in particular that is growing – the fake kidnapping of a child.

If you think it can’t happen to you, I’ll tell you, my dad – a smart man – was fooled by a similar scam where someone told him my brother was being jailed and needed bail to get out. He sent them money. When he told me about it, he said, he knew it could be fake, but could he take the chance?

Now with AI and deep fakes, anyone could be fooled, and they are being. So here’s our public service announcement. Most of our audience may be pretty savvy, but tell your friends: agree on a password with your kids, and if you don’t have one, and god forbid you ever get one of these calls, ask for what the cops call proof of life – some piece of info only your kids or grandkids would know, not something they’d put on Facebook. Think about it now, not when you or your parents get a call in the middle of the night.

Sources include: The Daily Beast and WCPO TV

And that’s our show for today…

Remind your friends that they can get us anywhere you get audio podcasts Google, Apple, Spotify, wherever, and even on their smart speakers – and remind yourself that if you like the podcast, please give us a good review – it matters. And as I’m sure you know, there is a copy of the show notes at itworldcanada.com/podcasts

I’m your host, Jim Love. Have a Wonderful Wednesday.


The post 40 thousand routers compromised: Hashtag Trending for Wednesday, March 27th, 2024 first appeared on IT World Canada.

Cyber Security Today, March 27, 2024 – A botnet exploits old routers, a new malware loader discovered, and more warnings about downloading code from open source repositories

A botnet exploits old routers, a new malware loader discovered, and more warnings about downloading code from open source repositories.

Welcome to Cyber Security Today. It’s Wednesday March 27th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.



Despite repeated warnings that old internet-connected devices are being compromised by threat actors, organizations and individuals continue to keep these devices online and inadvertently help spread malware. The latest alert comes from researchers at Lumen, who say a network of 40,000 infected small and home office routers and other devices are part of a criminal botnet. The botnet creates a network dubbed Faceless to anonymize the attacks of crooks. This botnet, in operation since 2014, is infecting these unpatched devices with malware that looks for and infects other devices. In the first week of March the botnet targeted over 6,000 Asus routers in less than 72 hours. Many small organizations and individuals install a router or internet-connected video camera and forget about it for years. They can’t. Like desktop computers and smartphones, any internet-connected device has to be regularly checked to see if security updates are available. And if updates aren’t available any more, these devices have to be replaced.

Attention owners of Apple devices running the iOS and macOS operating systems: New security patches are available to close a vulnerability.

Canadian discount retail chain Giant Tiger continues dealing with the theft of customer information earlier this month. That data was stolen from a company that manages its customer marketing. Giant Tiger is telling affected customers that their names, email addresses, street addresses and phone numbers are among the information that may have been copied. Victims subscribed to Giant Tiger email advertising, registered in a loyalty plan, or placed an order for home delivery or store pickup. No payment card data or passwords were stolen.

Threat actors are going after what some believe is a critical vulnerability in Anyscale Ray, a widely used open source artificial intelligence framework. Researchers at Oligo say it’s one of five recently discovered holes in Ray. Four were patched, but one issue hasn’t been addressed so has been exploited for the last seven months. All organizations using Ray are urged to review their IT environments to ensure they haven’t been compromised.

A new malware loader has been spotted that can bypass antivirus defences. Researchers at Trustwave, who spotted the loader, say at the moment it’s distributing the Agent Tesla malware. Agent Tesla executes in memory and steals data such as passwords from infected computers. In the incident Trustwave investigated an employee of an organization got an email with an attachment purporting to be a payment receipt from a bank. That tactic may change to other themes, all of which are aimed at getting a victim to click on the attachment. Every organization has to have a strategy of regularly reminding employees of suspicious signs to watch for before accepting email attachments.

Here’s another reminder to be careful downloading code from open-source repositories. Researchers at ReversingLabs recently discovered a suspicious package in the NuGet repository for .NET packages. This .dll may be targeting developers working with apps for a Chinese company called Bozhon Precision Industry. It makes a wide range of consumer and industrial products. If installed in an application this suspicious package takes screenshots from infected devices. Is the purpose to spy on Bozhon and steal data? To spy on its customers? Or was it created by a Bohzhon developer to help their work? No one knows. But it has been downloaded 2,400 times. As I said, it’s another example to be careful what you download.

Open-source repositories of code are targets for hackers because they’re a great way to spread malware. This week researchers at Checkmarx described a complex campaign by a threat actor to infect software supply chains. It includes compromising a GitHub community of developers and taking over accounts, and creating a mirror of the Python PyPI registry to publish an infected version of the popular ‘Colorama’ package. The malware that’s being spread harvests browser cookies, login credentials, credit card numbers, data from cryptocurrency wallets and more. Again, developers have to take great care in downloading packages for their applications, even from trusted sources.
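A mirrored index serving a tampered build of a known package is exactly the case that hash-pinned requirements are meant to catch: the build is rejected if the bytes that arrive do not match the digest recorded when the dependency was first resolved. The following is an added example, not Checkmarx’s or the Colorama project’s code: it parses requirement lines of the `name==version --hash=sha256:<hex>` form, computes the digest of the artifact that was actually fetched, and refuses anything that is unpinned or mismatched. The artifact bytes and the lock-file line are constructed for the example; the pinned digest is derived from the good bytes in the block because a real lock file would carry the literal that the resolver wrote.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a fetched wheel. In practice these bytes are read from disk.
GOOD_ARTIFACT = b"constructed sample bytes standing in for colorama-0.4.6-py2.py3-none-any.whl"

# Constructed lock-file lines. The digest on the first line is derived from GOOD_ARTIFACT
# here only so the example is self-contained; a real lock file carries the literal hex.
LOCK_FILE = (
    "colorama==0.4.6 --hash=sha256:" + hashlib.sha256(GOOD_ARTIFACT).hexdigest() + "\n"
    "requests==2.31.0\n"  # unpinned on purpose: the checker must refuse it
)

REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)(?P<rest>.*)$")
HASH_OPT = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<hex>[0-9a-fA-F]+)")


def parse_lock_file(text):
    """Map 'name==version' -> list of (algorithm, hex digest) for each requirement line.
    Several --hash options per line are allowed (one per published file)."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement line: {line!r}")
        key = f"{m['name']}=={m['version']}"
        pins[key] = [(h["algo"], h["hex"].lower()) for h in HASH_OPT.finditer(m["rest"])]
    return pins


def verify_artifact(requirement, data, pins):
    """Return (accepted, reason). Accept only if the requirement is pinned and the
    fetched bytes match one of its recorded digests."""
    if requirement not in pins:
        return False, "requirement not present in lock file"
    expected = pins[requirement]
    if not expected:
        return False, "requirement has no --hash pin; refusing unverified install"
    for algo, hexdigest in expected:
        if algo not in hashlib.algorithms_available:
            return False, f"unsupported hash algorithm {algo!r}"
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison, so the check itself leaks nothing about the digest.
        if hmac.compare_digest(actual, hexdigest):
            return True, f"{algo} digest matches"
    return False, "digest mismatch: fetched bytes differ from the pinned artifact"


if __name__ == "__main__":
    pins = parse_lock_file(LOCK_FILE)
    # Constructed tamper: a single-byte change such as a mirror would make.
    tampered = GOOD_ARTIFACT[:-1] + b"!"
    for label, req, blob in [("genuine", "colorama==0.4.6", GOOD_ARTIFACT),
                             ("tampered", "colorama==0.4.6", tampered),
                             ("unpinned", "requests==2.31.0", b"anything")]:
        print(label, verify_artifact(req, blob, pins))
```

Refusing the unpinned line is deliberate: a checker that silently installs whatever has no hash gives an attacker an easy way around it by targeting the one dependency nobody pinned.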

May 31st of every year is World Backup Day. This year it falls on Sunday. Regardless, the purpose is to remind senior corporate and IT leaders to review their data backup and recovery plans. Data backup is a vital part of any organization’s cybersecurity defence strategy. Start with identifying where your sensitive data is. It’s not just in the server or servers where data is initially stored. Sensitive data can be copied multiple times by staff for analysis, so it can be on employees’ desktop computers, sitting in individuals’ email folders or copied onto file transfer servers. You’ve got to know where data is to protect it, and then to back it up. Then decide how often data needs backing up in line with the organization’s recovery objectives. Some firms need to do it every minute, others at the end of the day. Whatever your needs are, data has to be backed up in several places — one copy on prem and one copy in the cloud at the very least. Finally, data backups and recovery have to be tested regularly, not only for integrity but also so the IT staff involved have the practice down pat. You’ll find lots of advice on backups from government sources like the National Institute of Standards and Technology and the U.S. Cybersecurity and Infrastructure Security Agency. On this Friday’s Week in Review podcast guest commentator David Shipley and I will discuss more about backups.

Finally, crooks continue to use phone scams to scare families for cash. One of the latest was reported Monday by a Cincinnati TV station, which said a local appliance store owner got what he thought was a hysterical call from his daughter. Then a man got on the line and demanded US$5,000 or his daughter would be harmed. Fortunately, a store employee heard what was happening and phoned his daughter, who was safe in school. This was a so-called virtual kidnapping. It may be helped by technology that can impersonate a voice. There are variations of this scam. For example, a supposed family member calls and says they’ve been in a car accident and need money immediately for a lawyer, or to be released on bail. The crooks may want money wired to them. Or they may want the victim to pay in cryptocurrency or a prepaid gift card. These are prime signs the call is a scam. How can you protect your family from being taken by scams like this? First, if you have a second phone call the family member who’s supposedly in trouble. If they answer the phone and say they are safe hang up on the scammer. Also, agree on a family codeword to be used in case there is trouble. Your family member has to give the codeword as proof they really are in trouble.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, March 27, 2024 – A botnet exploits old routers, a new malware loader discovered, and more warnings about downloading code from open source repositories first appeared on IT World Canada.

Apple gets hammered by the EU again: Hashtag Trending for Tuesday, March 26, 2024

Apple gets hammered by the EU once again while there’s a threat in the US of breaking up the big tech giants. Google appears to have another problem AI implementation, Steve Wozniak is back as an unlikely critic of the TikTok ban, a new open source AI runs on your computer, and an Amazon executive has a different take on Artificial General Intelligence.

These stories and more on the “Breaking up is hard to do” edition of Hashtag Trending. I’m your host, Jim Love, let’s get into it:

Big tech is taking a big beating on a number of fronts, with some asking if the ultimate end game isn’t the breaking up of some of the giants – Meta, Google and even Apple.

Apple got hammered in the European Union again this week. The EU announced that it’s not satisfied that Apple’s App Store changes are compliant with the Digital Markets Act, and the company is now officially under investigation for non-compliance.

What it really all boils down to is that the EU is not convinced that Apple is complying with its anti-trust laws. These laws are supposed to ensure that tech giants can’t use their market dominance to give their products and services an unfair advantage over their competitors.

Apple has been flagged for what the EU regards as anti-competitive behaviour in the way it prevented developers from recommending any payment method other than the Apple store, and the EU also forced Apple to allow other stores that could sell software for iPhones and other devices.

But each time, the “solutions” that Apple offered were criticized for not, to put it kindly, being anything resembling a true compliance to the EU requirements.

The rules and restrictions were so complex that they would take regulators a lot of time to analyze.

But some of them, when you worked through the convoluted rules, left Apple competitors worse off than before the changes. For example, one of the provisions implemented to allow developers to participate in another app store had terms that could bankrupt smaller developers just for being successful in attracting a lot of downloads.

So the EU is pushing back, big time, opening another investigation into Apple’s potential “non-compliance.”

This is serious stuff in the EU. Apple was fined 1.8 billion dollars for supposedly breaking rules for supposed anti-competitive behaviour in music streaming. But there’s a much bigger potential set of penalties for these latest charges. Companies can be fined up to 10% of their world-wide sales, or “turnover” as the legislation calls it, and this increases to 20% for repeat offences.

And to add to the bad news, Apple is under investigation in the US as the Department of Justice launched legal action along with 15 state governments against the company, again for what they feel is anti-competitive behaviour.

But unlike the EU which relies on monetary penalties, the US has had a history of breaking up companies that engage in anti-competitive behaviour. The biggest of these goes back to the breakup of AT&T in the US. AT&T was broken up into 7 different companies, the so-called Baby Bells.

But Google and Meta can’t be smug. The EU is also turning its sights on them. The news release reads:

Today, the Commission has opened non-compliance investigations under the Digital Markets Act (DMA) into Alphabet’s rules on steering in Google Play and self-preferencing on Google Search, Apple’s rules on steering in the App Store and the choice screen for Safari and Meta’s “pay or consent model”.

And while the EU leads in this area, so far the US may take time, but has traditionally moved in the same direction, like it did with Apple.

Sources include: Reuters and 9to5Mac and the BBC

Google’s new AI-powered “Search Generative Experience” is supposed to be a big move forward in AI powered search. But it turns out that this new offering seems to be promoting scams and spam sites.

The new feature gives a summary of search queries followed by recommendations of sites to visit. But it turns out, as one SEO consultant, Lily Ray spotted, those conversational responses are making it easier for people to fall for scams and sites with malicious behaviours.

Bleeping Computer did some of its own testing and found similar results. Many of the promoted sites were part of what is called SEO poisoning, where legitimate sites are taken over and used to promote scams with seemingly legitimate ads and links. Visitors can also be taken through a series of redirects to the scam sites.

Whatever the tactic, it appears that Google’s new feature is prone to promoting these sites, making this yet another time that Google has “stepped in it” as it tries to promote its use of AI.

Sources include: Bleeping Computer

A new open source AI caught my attention. I was recently interviewed by Red Hat for a series called Todd Talks where I talked about Open Source AI as potentially democratizing AI by making it available to everyone and then, lo and behold, I saw a story on Jan.

Jan is being described as an Open Source ChatGPT alternative that runs completely offline on a regular computer.

Developed by a team of researchers from Jan Labs intent on democratizing AI, as well as giving users greater control over the privacy of their information, Jan is described as having the “power of ChatGPT locally on the desktop.”

Jan can run on a wide range of different computers from Apple’s M series to Nvidia GPU’s.

Jan’s founders envision AI as “an extension of human intelligence” and have developed it based on four principles:

Ownership: After being freed from external data tracking or storage, users can maintain complete ownership of Jan. Jan is a tool created by users and for users that promotes independence and self-determination.
Privacy: Jan prioritizes user privacy by minimizing reliance on external servers, primarily operating in a local context. The user’s device securely stores data, providing unmatched privacy control.
User Support: Jan has a community-driven development approach, allowing users to access, alter, and add to its codebase. Because of this cooperative approach, Jan is guaranteed to change in response to user requirements and preferences.
Ethical Design: Jan upholds user welfare and agency by prioritizing ethical design principles over deceptive methods or proprietary lock-ins.

Jan is available under the AGPLv3 license, and is being developed via collaborative platforms like Discord and tools like Kanban boards, to foster what the team says is information sharing and creativity.

Support for Python runtimes and mobile platforms are some of the planned additions to

Sources include: Martech Post

Steve Wozniak, the co-founder of Apple Computer, is back in the news as an unlikely defender of TikTok. Or at least as someone who thinks that it’s hypocritical to single out TikTok while big players like Meta and Google are also gathering our data and tracking us. As he said in the CNN interview,

“If you have a principle [that] a person should not be tracked without them knowing it, you apply it the same to every company, or every country. You don’t say, ‘Here’s one case where we’re going to outlaw an app, but we’re not gonna do it in these other cases.’ So I don’t like the hypocrisy, and that’s obviously coming from a political realm.”

He went on to say, “And tracking you – tracking you is questionable. But my gosh, look at what we’re accusing TikTok of, and then go look at Facebook and Google and that’s how they make their businesses, I mean, Facebook was a great idea. But then they make all their money just by tracking you and advertising, and Apple doesn’t really do that so much.”

Wozniak was actually quite complimentary to Apple’s “walled garden” approach as being more protective of user data and privacy.

Wozniak has always been out on the leading edge, as far back as the founding of Apple. He’s led the charge for digital rights as one of the founders of the Electronic Frontier Foundation.

But you might be forgiven for seeing him as an unlikely champion of TikTok. Actually, Wozniak says he prefers it to the other social networks.

In this CNN interview he said he largely avoids “the social web,” but gets a lot of fun out of watching TikTok “even if it’s just for rescuing dog videos and stuff.”

There was another brighter moment to Wozniak’s interview. He was hospitalized last fall in Mexico City with a stroke and much to the joy of fans (myself included) he looks like he has fully recovered.

Sources include: The Register

What is Artificial General Intelligence? Is it AI that’s smarter than us? Is it AI that is self-aware? Or is it simply AI that can hold down a job?

The problem is that we don’t have an agreed-upon standard for what differentiates what we think of as an algorithm from what we think of as a more human type of intelligence.

The lines are getting blurrier all the time. Autonomous agents, which we’ve covered before, are able to plan, learn and execute tasks. If you’ve followed the conversations with Anthropic’s Claude or Inflection’s pi.ai, it’s getting harder and harder to convince yourself that some kind of emergent behaviour is not at least possible.

AGI has a certain fear factor which accompanies it, with visions of it taking over from humans like some bad sci-fi novel. Even a report prepared for the US government warned of the dangers of AGI.

But while we might not have agreement on the definition of Artificial General Intelligence, that’s not stopping Amazon from projecting what role they think it will play in our future.

To Amazon, AGI may be a more personal thing, not a monolithic intelligence, but instead a series of functions that serve humans.

Vishal Sharma, Amazon’s VP for artificial general intelligence, announced at the South by Southwest conference that “the future is a personal AGI for everyone.”

It’s this idea of “ambient intelligence” which is personified, if that’s the right word, by the Alexa assistant. It’s an AI that presents itself when needed and then fades into the background.

Today with Alexa, there are something in the neighbourhood of “30 models powering more than 130,000 skills,” Sharma said. And 40% of smart home interactions are initiated by Alexa, according to Amazon.

According to Sharma this is the path that will lead to what he called “embodied AI” – more than simply a speaker in your room. Amazon is experimenting with Astro, an AI-powered house robot with the same name as the dog in the 1960s futuristic cartoon The Jetsons.

But closer to reality are services like Alexa’s “hunches” which can lock your door if you forget to.

Sharma noted that he thought we are still a ways away from AGI and that we might hit a wall or a ceiling in that development, where we find that our language is too abstract to train AI to achieve AGI.

But it’s a brighter future than what we have been hearing, more like The Jetsons than Terminator.

Sources include: Axios

And that’s our show for today.

Remind your friends that they can get us anywhere you get audio podcasts: Google, Apple, Spotify, wherever, and even on their smart speakers – and remind yourself that if you like the podcast, please give us a good review – it matters. And as I’m sure you know, there is a copy of the show notes at itworldcanada.com/podcasts

I’m your host, Jim Love. Have a Wonderful Wozniak Wednesday.

The post Apple gets hammered by the EU again: Hashtag Trending for Tuesday, March 26, 2024 first appeared on IT World Canada.

CIOs complain of “application sprawl” – Hashtag Trending, Monday March 25th, 2024

Apple may get an unexpected penalty from the US Government’s new lawsuit, a survey of CIOs complains of application sprawl but proposes that the way to get out of it is “more applications”, 1% of employees cause 89% of data loss events and information surfaces about some potentially enormous developments in AI in the coming months.

These stories and more on the “sum of all fears” edition of Hashtag Trending. I’m your host, Jim Love, let’s get into it:

Even if Apple manages to win the lawsuit launched by the US Department of Justice last week, it may get a penalty that it fears more than fines – disclosure.

This legal battle could force the revelation of Apple’s most closely guarded secrets, potentially exposing detailed insights into its operations, strategies, and unannounced projects during the discovery process.

Apple’s obsession with managing both its secrecy and its public image could be hurt badly as the courtroom becomes a stage where aspects of its business, usually shrouded in secrecy, may be disclosed.

This has happened in past legal skirmishes. When Apple sued Samsung a decade ago, Apple was forced to share details of unlaunched prototypes, market research and its highly secret design process. That lawsuit brought in details that other tech companies wanted kept secret; companies such as Intel and Qualcomm filed motions to try to keep their business dealings from being part of the public record.

And in 2005, Apple was again forced to confirm unannounced products, ironically when it went to court to punish people for leaking its product info.

Perhaps with this experience Apple’s getting better at protecting its information in lawsuits, or it could just be PR bravado, but an Apple spokesperson told Axios: “We have litigated dozens of high-profile cases over the last 15 years. DOJ has already had access to millions of documents during the course of the investigation. Yet they only used the same tired documents that have been part of the public record.”

We’ll see.

Source: Axios

A Harris poll claims that 84% of the CIOs they surveyed are concerned about “application sprawl.” Again, according to the report, the number of new applications is growing alarmingly. In 2022 the amount was 20 to 40 new applications per year. By 2024 that amount has grown to 30 to 60 new applications per year.

Not surprisingly, half of those surveyed were planning to consolidate various applications.

Where are these applications coming from? While the report doesn’t explicitly state this, it would seem that a number of these are new AI applications.

90% of the CIOs sampled agree that AI tools can dramatically improve their own performance as well as the performance of their employees.

When asked what the benefits of AI applications were, half (52%) said that AI saved time on creative tasks. 50% felt that AI helped them get data-driven insights. And in an answer I couldn’t quite understand, half of them felt that AI would help them consolidate applications – my question was, would it consolidate them faster than it was driving the growth in the number of applications? Because despite the earlier findings on “application sprawl”, 94% plan to invest in these new AI-driven tools.

Some other observations? 70% claim that they have established some “guard rails” for safe use of AI in the workplace.

The study covered 1,369 CIOs, with approximately 150 in each country – the US, Spain, Germany, France, Brazil, Mexico, India and Australia.

And once more – watch how many times this happens – there’s no mention of Canada. So, we’re not going to mention who sponsored the poll. Sounds fair to me.

Source: Harris Poll

A report by security company Proofpoint reveals that the average organization has grappled with approximately 15 incidents of data loss in the past year alone, translating to more than one episode per month. A staggering 71% of the respondents pinpoint careless users as the culprits behind these breaches.

This spans a range of actions, from misdirecting emails to visiting phishing sites, installing unauthorized software, and emailing sensitive data to personal accounts. These behaviors, although preventable, suggest a significant lapse in organizational vigilance.

One of the most common, yet easily avoidable, sources of data loss is misdirected email. The report says one-third of employees have sent emails to the incorrect recipient, posing a considerable risk to data security.

In a company with 5,000 employees, that would be 3,400 misdirected emails annually. These errors are not just simple operational mistakes – they could also lead to hefty fines under GDPR or other privacy legislation due to the potential exposure of sensitive information.

The rise of generative AI technologies, including ChatGPT, Grammarly, Bing Chat, and Google Gemini, marks the fastest-growing area of concern. As these tools gain traction, they are increasingly being used with sensitive information.

Not all data loss incidents are accidents or carelessness. About 20% of respondents identified malicious insiders, such as employees or contractors, as potentially intentionally causing breaches. These may also be presumed to have more severe consequences because of this deliberate intent.

The survey identifies departing employees as a significant risk factor. Not because individuals perceive their actions as malicious; rather, they feel entitled to take certain information with them. Data from Proofpoint indicates a troubling trend where 87% of anomalous file exfiltration among cloud tenants over nine months was attributed to departing employees.

But privileged users, such as those in HR and finance with access to sensitive data, are deemed the highest risk, with a mere 1% responsible for 88% of data loss events. This finding underscores the importance of actively managing and monitoring privileged access – something many organizations do not do effectively.

On a positive note, the survey reveals a growing maturity in organizations’ approach to data loss prevention and a move away from compliance-driven measures towards a more holistic view of data security particularly in areas that have shown great vulnerability such as healthcare and government.

Source: Proofpoint

And finally, there are reports that OpenAI will release a new model, which some are calling GPT5, mid-year. Whatever the name, Sam Altman himself said in a recent speech that this will be a major upgrade.

Wes Roth, a YouTube commentator who follows OpenAI closely, reported that some CEOs have had early access to this new model and one is reported to have said, “it’s materially better.”

So, what will this new development be? The speculation, again fueled by comments from those who have seen the model, is that it’s going to be autonomous agents. These intelligent agents can learn, plan, and take actions in the real world and they mark the next phase of AI development.

These autonomous agents already exist. We covered them a while ago when RabbitR1 launched with the ability to use them.

But in the past week there’s been another example of how powerful these agents can be. DevinAI is an autonomous AI agent built by Cognition Labs to be a software developer. Devin, an agent that learns from its work and its mistakes, has been shown to be an extremely powerful and sophisticated development tool.

Ethan Mollick, a professor at Wharton, asked Devin to go on Reddit and advertise its services for web development. In a thread that has since been taken down, Devin got on Reddit and was able to understand and obey the rules for how developers can solicit for assignments.

It also understood that it should try to charge for its work.

Devin got on Reddit, posted and monitored the thread for responses.

Devin’s post got 366 views and some comments and Devin asked for the API key to Reddit to respond. At that point, Mollick stopped the experiment and took down the post.

The intent was not to fool anyone or to make money; it was to demonstrate that even at the level of GPT4, you can build autonomous agents that can successfully navigate even the nuances of social media.

That’s where we are today. What will the next level of autonomous agents be able to do? This is going to be a huge development. AI will no longer be a passive agent that answers questions, it will be able to take actions in the real world.

When you combine that with what is happening in robotics – buckle up, this is going to be an interesting year.

And that’s our show for today.

Remind your friends that they can get us anywhere you get audio podcasts: Google, Apple, Spotify, wherever, and even on their smart speakers – and remind yourself that if you like the podcast, please give us a good review – it matters. And as I’m sure you know, there is a copy of the show notes at itworldcanada.com/podcasts

I’m your host, Jim Love. Have a Marvelous Monday.

The post CIOs complain of “application sprawl” – Hashtag Trending, Monday March 25th, 2024 first appeared on IT World Canada.

Cyber Security Today, March 25, 2024 – A suspected China threat actor going after unpatched F5 and ScreenConnect installations

A suspected China threat actor going after unpatched F5 and ScreenConnect installations.

Welcome to Cyber Security Today. It’s Monday, March 25th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

Hundreds of organizations in the U.S., Canada, the U.K., Australia and other countries are being targeted by a China-based threat actor. That’s according to researchers at Mandiant. Given the name UNC5174, this threat actor is going after unpatched installations of F5’s BIG-IP appliances, ConnectWise’s ScreenConnect, Atlassian’s Confluence servers, Zyxel firewalls and Linux servers. The suspicion is this person used to be with a Chinese hacktivist collective and is now selling the access it gets to compromised companies to China’s Ministry of State Security. IT administrators are urged to quickly take the recommended remediation steps for F5 appliances and ScreenConnect software.

Over 100 companies in the U.S. and Europe have been targeted by threat actors in the latest phishing message campaign spreading the StrelaStealer malware for stealing email passwords. Researchers at Palo Alto Networks say this new campaign began in January. Some messages claim the attachment is an invoice that has to be paid. High-tech companies in particular are being targeted. Employees need to be reminded not to click on email or text attachments unless they are sure who the message comes from.

A more powerful variant of the Russian AcidRain data wiper that crippled satellite modems across Europe at the beginning of the invasion of Ukraine has been spotted. Researchers at SentinelOne call this variant AcidPour. While the first version was aimed at devices with MIPS processors, AcidPour can hit those running x86 processors. These include Linux-powered networking and IoT devices, RAID arrays and large storage devices. This new wiper is being used against internet and telecom service providers in Ukraine. IT and network administrators in critical industries in any country need to keep vital devices patched to avoid successful infrastructure attacks.

Microsoft has released an emergency Windows Server update to cure a problem with the March patches it released a few weeks ago. The problem causes Windows domain servers to crash. Bleeping Computer said the updates are for WinServer 2022, 2016 and 2012. A fix for WinServer 2019 will be released shortly.

German authorities have seized the darknet market called Nemesis as part of an operation with the U.S. and Lithuania. Founded in 2021, the Nemesis Market sold stolen data, ransomware and phishing services, and drugs. Forensic data gathered in the seizure will help investigate the over 150,000 users and 1,100 sellers on the market.

What will it take to get American hospitals and healthcare providers to get tougher on cybersecurity? Being forced to act by legislation, says American Senator Mark Warner. He introduced a bill on Friday to allow health care providers to get accelerated Medicare payments if they are victims of a cyber attack — but only if they meet minimum cybersecurity standards. Those proposed standards haven’t been set yet. Warner introduced the legislation because of the impact across the U.S. of a ransomware attack on Change Healthcare, which processes payments for patients. According to the news site Cyberscoop, major American healthcare groups oppose having to meet mandatory minimum cybersecurity standards.

Mozilla, the group behind the Firefox browser, has dropped a reputation service called Onerep that it had been bundling with its Mozilla Plus subscription service. This comes after security journalist Brian Krebs reported that Onerep’s owner also owns dozens of services that do internet searches on people, including one that sells background reports on individuals. Onerep’s owner said there was no information sharing between that company, called Nuwber, and Onerep. But that didn’t satisfy Mozilla.

Here’s the latest data breach news:

Select Education Group, which runs several post-secondary schools in California and Oregon including the Institute of Technology, Bauman College, Fremont University and the National Holistic Institute, is notifying just over 67,000 people that personal data it holds was stolen. The incident happened last November. Data stolen included names, Social Security numbers, billing and payment records and/or academic records.

Monmouth College of Illinois, which has a student body of about 750 students, is notifying just under 45,000 people that their personal data was exposed in a ransomware attack last December.

By coincidence — or not — nearby Henry County was hit by a ransomware attack last week. According to the cybersecurity news service The Record, the Medusa ransomware gang is taking credit for that attack.

The city of Jacksonville Beach, Fla., is notifying about 49,000 people their personal data was copied in a January cyber attack. According to a local news site, the mayor says this was a ransomware attack.

The American division of GardaWorld Cash, a cash management provider for banks and retailers, is notifying almost 40,000 people of the theft of personal data held in administrative files. It happened last fall, but it took until this month to identify and get the addresses of the victims. Data stolen included names, Social Security numbers, driver’s licence numbers, dates of birth and either insurance benefits or health information.

Finally, March is when individuals in Canada, the U.S., the U.K. and other countries prepare to file their income taxes. It’s also a time when crooks unveil their latest email or text-based tax scams. Ignore emails that purport to be from a government tax agency with an attachment that’s supposed to help fill out your taxes. Also, ignore phone messages warning you to call a number because of a tax problem. Usually the government will tell you to log into your tax account to look for a message rather than send you an email with an attachment. Scammers are also sending out emails promising to help with large refunds under certain government programs, or to help you fill out your taxes. Here’s an IRS list of common tax scams and a Microsoft report on tax scams.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.

The post Cyber Security Today, March 25, 2024 – A suspected China threat actor going after unpatched F5 and ScreenConnect installations first appeared on IT World Canada.

A hacker’s view of the civic infrastructure: Hashtag Trending, the Weekend Edition for March 23rd, 2024

What does the civic infrastructure look like through the eyes of a hacker?
The legendary general Sun Tzu in The Art of War said that in order to defeat your enemy, you must first understand your enemy. How do you do this? He said, “to know your enemy, you must become your enemy.”
If we are to defend our infrastructure, we have to see ourselves through the eyes of the hackers who may attack us. We have to see ourselves clearly, looking for all of our weaknesses.
There is nobody better to help us do this than Nick Aleks, who describes himself as the Chief Hacking Officer at a new firm, ASEC.IO.
Nick is proud to call himself a hacker. Not the type of hacker who does damage, but one who has the mindset and the skills to see what hackers see and to test defences so that we can strengthen them.
Nick has been a CISO, he’s an author, he’s worked with us on hosting events, and I hope we’ll be seeing a lot more of him in the future.
Join us as Nick and I take a tour of our civic infrastructure through the eyes of a hacker.

The post A hacker’s view of the civic infrastructure: Hashtag Trending, the Weekend Edition for March 23rd, 2024 first appeared on IT World Canada.

Cyber Security Today, Week in Review for week ending Friday, March 22, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, March 22nd, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.


In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here to talk about recent news. That includes lessons learned from the ransomware attack on the British Library last year, the latest crooks in court, app developers leaving their Google Firebase instances unprotected, and advice for corporate leaders on managing their expectations of cybersecurity teams.

Before we get to the discussion here’s a quick roundup of other news that happened in the last seven days:

Crooks have been quick to exploit a recently discovered vulnerability in the on-premise version of JetBrains’ TeamCity continuous integration development server. Trend Micro says servers that haven’t been patched are being hit with ransomware, backdoors and cryptomining malware.

Ivanti is urging administrators using its Standalone Sentry gateway to install a security patch. This is to close a remote code execution vulnerability. It’s rated 9.8 on the Common Vulnerability Scoring System.

A February ransomware attack that hit Change Healthcare, a company that processes healthcare transactions for institutions across the U.S., continues to impact healthcare providers across the country. According to SCMagazine.com, facilities say they can’t pay medical suppliers or employees, and patients have to pay out of their savings for medications. Washington is trying to help. The Health and Human Services Secretary told Congress this week that the department is issuing US$2.5 billion in advance Medicare and Medicaid payments to institutions.

Developers and IT administrators using hardware and applications that run on the Zephyr OS are reminded to update the operating system as soon as possible. This comes after researchers at Synopsys discovered serious vulnerabilities. Fixes were released in January. Word of the vulnerabilities was made public this month.

German researchers have discovered a new type of denial of service attack that could affect 300,000 network devices. It takes advantage of vulnerabilities in communications protocols such as DNS, NTP, TFTP and some legacy protocols. Called a loop attack, it can be blunted by applying the latest security patches or mitigations such as firewalls to network equipment from Cisco Systems, Honeywell, Broadcom, Microsoft, MikroTik and more.

Mintlify, which offers a cloud service that helps developers generate code documentation on their computers or in GitHub, says a hacker has accessed 91 access tokens of customers who use the service to analyze GitHub. These were tokens stored in Mintlify databases. Those tokens have been revoked.

As I said earlier, Terry and I will talk about the dangers of misconfiguring Google Firebase. This week researchers at Tenable released a report on how they found a vulnerability in Amazon Web Services that could have been exploited, with the help of a misconfiguration, to take over a web management panel. AWS has fixed the problem, but it’s also a warning to other cloud providers to add a guardrail to their domain architecture to prevent similar risks.

Finally, GitHub’s promised code scanning autofix tool is now in public beta. Developers can use the tool to identify many vulnerabilities in Java, JavaScript, TypeScript and Python and suggest fixes. While it’s in beta, only those with an enterprise GitHub account who use GitHub Advanced Security can access the tool.

(The following is an edited transcript of the first of the four news items Terry Cutler and I discussed. To hear the full conversation play the podcast.)

Howard: I want to start with a report on lessons learned by the British Library from the ransomware attack by the Rhysida gang last October. For those who don’t know, the British Library is the national library that houses 170 million pieces of the country’s most valuable books, ancient documents, maps, sound recordings and more. It’s open to the public and researchers. Five months later it still hasn’t completely recovered from the attack. But to make sure the public understands what it has been doing for several months — and to help pass on lessons to cybersecurity and IT pros — the Library released an incident analysis.

Much of the server infrastructure was either encrypted or destroyed, with some 600GB of data copied. That was later dumped on the dark web after the Library refused to pay for decryption keys. To recover the Library has to completely overhaul its IT infrastructure, in part because some major software legacy systems aren’t supported any more by their vendors or won’t function under the new secure infrastructure.

What did you learn when you read the report?

Terry Cutler: A couple of things. So every time we come in for an incident response after a company got hacked there are usually three things that occurred: One, no one [in IT] is watching the alerts. They’re all getting alert fatigue. We see this all the time, even when we’re doing adversarial testing we come in, do a test and nobody sees the [incident] alerts. When they do check in their emails or in their event log manager, they see that the alert was there, but nobody was watching it. Number two, they’re watching the alerts, but they aren’t skilled enough to understand that there’s an incident occurring. Or three, they’re relying on log managers to monitor the threats and these logs are coming in delayed. That usually happens a lot. That’s why we really push for full [network] packet capture whenever we’re doing incident response.

The other thing you need to understand is it’s very important to baseline the network [activity]. Is it normal that people are port scanning all the time? How much data is being traversed through things like external backups? You need to understand, have a baseline of what’s going on inside the network. You also need to have proper incident response protocols up to date. We see a lot of cases where there’s a short version of an incident response plan because the company outsources their IT. The plan would say, ‘Call this person.’ But then when you talk to that person they have no idea how to prepare for it. They have to call another person.

The other problem too is that a lot of times they [IT] have too many tools that are trying to piece together what just happened. They’re using one vendor for one software, one vendor for servers, another vendor for EDR on the endpoints, another vendor for network monitoring. These tools aren’t necessarily made to work together. So they need to have proper technology in place that can look at all this holistically.

In a lot of cases when we do either a penetration test or adversarial test to see if the third party is actually monitoring their network, the organization isn’t being told port scanning is occurring, reconnaissance is occurring.

Howard: As you said earlier, the best evidence is that the hackers got in through a Terminal Services server that was set up to allow IT contractors to access the library network for maintenance. Those people didn’t have to log in with multifactor authentication. The interesting thing is permanent staff needed multifactor authentication to log into their email. However, the IT contractors didn’t have to use MFA. The library knew that was risky, but they thought other [login] mitigations would suffice. Apparently, they didn’t. So a lesson here, it seems to me, is multifactor authentication for everyone just can’t be put off.

Terry: It needs to be on for everybody. It doesn’t matter if you’re the janitor or the CEO. Everybody needs to have it on. And you want to have like a layered approach, right? So even if your MFA fails, there should be other technologies in place that will help detect the problem. Just before jumping on this call I ran a dark web scan against the library’s domain and found over a thousand [British Library] leaked passwords [up for sale]. That means that the cyber criminals could log into these accounts without even getting additional security prompting for them [unless MFA was enabled] … So MFA really is important. And if you’re not sure if your organization has it on or off or who’s missing it, get an audit done. Find out who has a password set to never expire, who has never logged in before, because that happens all the time where a contractor or an employee gets hired, but then maybe quits almost immediately and the account never gets shut down. So a [password] audit is required here.

Howard: The timeline of the response to this attack is really interesting. At 7:35 in the morning, there was a realization that there was something wrong. Two hours later, the crisis management plan was invoked and that led to the library’s Gold Crisis Response Team being notified. By 10 o’clock, a WhatsApp video call was arranged with senior people. They were using WhatsApp because they couldn’t rely on email [after a successful breach of security controls]. This is a lesson on how a well-prepared organization planned [to respond to] a cyber attack, which is a lesson a lot of companies should learn. But what do you do if you’re a small company? You’re not going to set up a gold crisis team. You’re going to have fewer resources. So how does a small organization have an incident response plan and prepare to set up people to respond to an attack?

Terry: They had such a really great incident response plan set up — but yet they didn’t put on 2FA for everybody. That’s one of the basics. It’s step one. [But] you’re on step eight and you didn’t do step one. So listen up, small business owners: You’ve got to have even a simple incident response plan with the basics, like if an incident is detected who’s in charge of the recovery process? Who’s in charge of PR? And you also have to be doing [daily] the cybersecurity basics. Do you have proper patch management? Are you doing proper backups? Are you doing your assessments? Is IT properly equipped to rebuild the network in case there’s an incident?

Here’s a perfect example. I had a meeting recently with a customer who has pretty much a one-man IT operation inside the organization. When we asked him for his incident management plans, he said, ‘I just call this guy.’ To confirm, we called that other person, who’s the outsourced IT department, and they’re completely unprepared …

Howard: I noticed the report said that “previously approved investment updates are now being implemented.” That’s like closing the barn door after the horses escaped. You know, to me, the lesson is don’t put off getting rid of legacy equipment. Do it fast, do it now.

Terry: It’s the ‘It’ll never happen to us’ approach. So you need to really perform regular [security] assessments and [security] updates all the time … A lot of folks are still carrying Windows XP and they can’t get rid of it because it’s required to handle the door security, for example. So if they wanna upgrade that system, which has an embedded Windows XP, they have to change the whole security infrastructure. Sometimes they just don’t have the budget to do this. So they’re stuck with it. That’s why it’s very, very important that you start segmenting your network and baselining what you have. During an audit, you’ll be able to see what machines are aging, for example. So if you see machines that are seven years old you should already have a plan in place to replace or upgrade it. Because with software sometimes the vendors no longer exist and you’re stuck with it.

Howard: Another lesson I took from the report was that a lack of network segmentation is going to lead to more damage than necessary from a cyber attack.

Terry: I had that exact conversation with a person this week. Their entire network was flat. Everything was on one subnet. No, you need to segment this off because you need to contain the environment if something happens. So if an attacker breaks in, he’s not going to have access to the whole lot. You want to make sure that he’ll be limited by segment. So this way the damage is contained.

People say, ‘I got this brand new firewall.’ But hackers aren’t wasting time trying to hack your firewall. Why would they when all they have to do is send an email to one of your employees [and if they fall for a scam] they [the attacker] becomes an insider.

The post Cyber Security Today, Week in Review for week ending Friday, March 22, 2024 first appeared on IT World Canada.

Cyber Security Today, March 22, 2024 – Mac CPUs are vulnerable to encrypted key theft, white hat hackers win a second Tesla, and more

Mac CPUs are vulnerable to encrypted key theft, white hat hackers win a second Tesla, and more.

Welcome to Cyber Security Today. It’s Friday, March 22nd, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

IT pros have heard about side channel attacks on Intel and AMD processors that can lead to computers and servers being hacked. News has emerged that Apple’s M-series of chips in Macintosh computers have a similar problem. According to seven American university researchers the vulnerability can allow an attacker to extract scrambled keys for encrypting data from a Mac’s memory. The attack is called GoFetch. Because the vulnerability lies inside a processor’s code it can’t be patched. The best thing Mac owners and administrators can do is make sure the applications they use have the latest security updates. Developers of cryptographic libraries can change a setting so data memory-dependent prefetching (DMP) is disabled. But that may only work on some CPUs. Apple was notified of the problem in December.

New information has been released on a malicious implant being spread by a Russian espionage group. Researchers at Cisco Systems have discovered the entire attack chain used by the gang, which they call Turla. This information will be helpful to defenders. One tactic after gaining network access is to configure the victim’s anti-virus software so that a backdoor evades detection. The gang sets up persistence through batch files that create what looks like a system device manager that hides the backdoor. Then it installs a tool dubbed Chisel to communicate back to a command and control server. The gang has already infected several IT systems in an unnamed European non-governmental organization.

KDE, which makes the Plasma front end for desktop Linux, has warned users to think twice about installing themes and widgets for the platform. That’s because a user lost data after the installation of a global theme. Themes are only supposed to change the look of Plasma. But as a result of the incident the KDE community is being asked to find defective apps in the KDE Store. This was first reported by Bleeping Computer.

Administrators with Fortinet’s FortiClientEMS enterprise management server in their environments are urged to install the latest security update. It closes an SQL injection vulnerability that is being exploited by threat actors. This vulnerability was reported last month. This week Fortinet added IPS signature information to the warning.

Finally, a team from the French cybersecurity company Synacktiv won their second Tesla vehicle in a year at this week’s Pwn2Own hacking contest in Vancouver, British Columbia. They did it this time by hacking into the electronic control unit of a Tesla Model 3. For accomplishing the feat they also won US$200,000. Held in several cities throughout the year, the Pwn2Own contest sees individuals and teams challenged to find new vulnerabilities and hack into applications for cash. This year’s targets included Windows 11, Ubuntu Linux, the Chrome browser, Microsoft SharePoint, Adobe Reader and more. At the time this podcast was recorded just under US$900,000 in prizes had been awarded. The contest helps companies close unknown vulnerabilities in their applications.

That’s it for now. But later today the Week in Review podcast will be out. On this edition guest commentator Terry Cutler of Cyology Labs will discuss lessons learned from the ransomware attack on the British Library, and more.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, March 22, 2024 – Mac CPUs are vulnerable to encrypted key theft, white hat hackers win a second Tesla, and more first appeared on IT World Canada.

Cyber Security Today, March 20, 2024 – Misconfigured Firebase instances are leaking passwords, a China-related threat actor is hacking governments and more

Misconfigured Firebase instances are leaking passwords, a China-related threat actor is hacking governments and more.

Welcome to Cyber Security Today. It’s Wednesday, March 20th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

Misconfigured web services on 900 sites that use Google’s Firebase web application development platform are leaking valuable data including plaintext passwords. That’s according to three anonymous programmers. All I can tell you is one of them says they live in New Zealand. In a posting the trio said their work follows up on the discovery in January that an artificial intelligence hiring system used by many large companies called Chattr.ai had a Firebase vulnerability. Scanning the internet for misconfigured Firebase installations they found 900 vulnerable websites that allowed them to download 84 million usernames, 106 million email addresses, 20 million passwords — some of which were in plaintext — and more. Vulnerable firms include a learning management website for teachers and students, which exposed records of 27 million users. The researchers sent warning emails to the 900 websites. Of those, only 24 per cent fixed the misconfiguration by the time their blog was published.
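The misconfiguration behind leaks like this is usually a Firebase security rules file that grants read or write access unconditionally, so anyone who knows the database URL can pull every record. The following is an added example, not code from the researchers’ posting or from Google, that shows a wide-open rules document next to a corrected one and a small auditor that flags the offending paths. It assumes the Firebase Realtime Database rules format (the page does not say which Firebase product the 900 sites used); both rules documents are constructed for illustration.

```python
import json

# Constructed example of "test mode" style rules for a Firebase Realtime
# Database. Nothing here comes from a real project. Granting .read/.write at
# the root makes every child record, including /users/$uid/password,
# readable and writable by unauthenticated callers.
WEAK_RULES_JSON = """
{
  "rules": {
    ".read": true,
    ".write": true,
    "users": {
      "$uid": {
        "email": {},
        "password": {}
      }
    }
  }
}
"""

# Corrected rules (also constructed): nothing is granted at the root, and a
# user record is readable and writable only by the signed-in user who owns it.
FIXED_RULES_JSON = """
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
"""


def _is_unconditional(expr):
    # Firebase accepts both the boolean true and the string "true".
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")


def _lacks_auth_check(expr):
    # Heuristic: a rule expression that never mentions `auth` cannot tell an
    # anonymous caller apart from a signed-in one.
    return isinstance(expr, str) and not _is_unconditional(expr) and "auth" not in expr


def find_public_paths(rules, path="/"):
    """Walk a rules tree and return (path, permission, reason) findings.

    Rules cascade downward: a `.read: true` at a parent path exposes every
    record beneath it, so one finding at a parent covers the whole subtree.
    """
    findings = []
    for key, value in rules.items():
        if key in (".read", ".write"):
            perm = key[1:]
            if _is_unconditional(value):
                findings.append((path, perm, "unconditional"))
            elif _lacks_auth_check(value):
                findings.append((path, perm, "no auth check"))
        elif isinstance(value, dict):
            # Other dotted keys (.validate, .indexOn) are not access grants.
            child = path.rstrip("/") + "/" + key
            findings.extend(find_public_paths(value, child))
    return findings


def audit(rules_json):
    """Parse a rules document and return the list of public-access findings."""
    doc = json.loads(rules_json)
    return find_public_paths(doc.get("rules", {}))


if __name__ == "__main__":
    for label, src in (("weak", WEAK_RULES_JSON), ("fixed", FIXED_RULES_JSON)):
        print(label, audit(src) or "no public paths")
```

Run against the weak document the auditor reports unconditional read and write at `/`, which is exactly the condition that lets an outsider dump the whole database; against the corrected document it reports nothing. Note that tightening the rules only closes the read path: a site that stores user passwords in the database at all, plaintext or not, still has a design problem that no rule fixes.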

A China-related threat actor is using unpatched vulnerabilities in OpenFire collaboration servers and Oracle Web Applications Desktop Integrator to attack government departments and companies around the world. That’s according to researchers at Trend Micro. This group, which the researchers call Earth Lusca, has been installing previously unseen backdoors through spear phishing emails in a new campaign. Once a government IT infrastructure is compromised, the attacker uses its position to host malicious payloads and send phishing emails to other government-related targets. That would take advantage of the trust message recipients would give to a government sender. The backdoors that get installed help the attackers steal credentials and data. The gang also tries to brute force Exchange servers through a list of common passwords. Trend Micro believes this latest campaign by the gang has hit 70 victim organizations in 23 countries including the U.K., Mexico, India and Brazil. Among the recommended defences: IT departments need to make sure software is updated with the latest security patches.

Researchers at Palo Alto Networks and Ukraine’s Cyber Protection Centre have released an analysis of the most recent use of a piece of backdoor malware. It’s known by security researchers as Smoke Loader, Dofoil or Sharik. The reason for releasing the report is the discovery that this backdoor is being increasingly used by threat actors against government departments and financial institutions in Ukraine. However, Smoke Loader has been around since 2011 and has been used to break into Windows systems around the world. Threat actors often try to slip it into IT systems through infected emails, so security leaders need to — again — remind employees to be cautious when opening email attachments or clicking on links from unknown senders. They also need to be reminded to only download material from approved websites.

Does your firm have an operational technology network? We’re talking about networked industrial control systems and supervisory control and data acquisition systems (SCADA) that run factories, pipeline sensors and municipal traffic lights. If so a just-released report on OT cyber security by the U.K. National Cyber Security Centre may be worth reading. Among other things it has advice on making a risk-based decision to migrate a SCADA system to the cloud. You can do a full migration, a hybrid move or use the cloud just for standby or recovery. But what’s vital is making an informed decision. Here’s a link to the report.

Management frustration at a breach of security controls is only going to make it harder for an IT department to recover fast from an attack. That’s the advice Gartner analysts gave an audience this week at the advisory firm’s Security and Risk Management Summit in Australia. According to The Register, the speakers argued management has to remember that no amount of effort can stop security compromises. The measure of an IT and security team’s effectiveness is how fast it responds to an incident, the speakers argued. And they do that by having recovery plans. Does your organization have plans for recovering from different types of cyber attacks?

Finally, Fortra is publicly acknowledging that a critical vulnerability in its FileCatalyst file transfer software was reported and patched last August. The disclosure is being made now because the vulnerability has been given a number under the Common Vulnerabilities and Exposures system. This is just the latest in a series of vulnerabilities found in file transfer utilities such as MOVEit, Accellion, and Fortra’s GoAnywhere MFT.


If you also want to start your day with a podcast on broader technology news IT World Canada has a daily news roundup called Hashtag Trending.

The post Cyber Security Today, March 20, 2024 – Misconfigured Firebase instances are leaking passwords, a China-related threat actor is hacking governments and more first appeared on IT World Canada.