US government faces criticism over Microsoft security failures: Hashtag Trending, Tuesday April 16, 2024

Solar power is the largest source of new US electricity generation for the sixth month in a row, Microsoft is hiking prices on Dynamics 365 business apps by up to 16.7%, VMware’s Desktop Virtualization products rebranded as “Omnissa”, Tesla is laying off over 10% of global workforce amid delivery slump and the U.S. government gets some scathing criticism over Microsoft’s cybersecurity failures

All this and more on the “price might not be right” edition of Hashtag Trending. I’m your host, Jim Love. Let’s get into it.

New data shows solar power is rapidly expanding its share of electricity generation capacity across the United States.

According to the latest figures from the Federal Energy Regulatory Commission or FERC, solar was the number one source of new utility-scale electrical generating capacity in the U.S. for the sixth straight month in February.

Solar accounted for over 83% of the new capacity added that month, with 29 new solar units totaling over 1,000 megawatts coming online. Wind took second place, making up 16% of the new additions.

For the first two months of 2024, solar represented almost 80% of all new generating capacity installed, with wind at over 20%. Natural gas lagged far behind at just 1%.

The new solar projects have increased solar’s share of total installed U.S. utility-scale generating capacity to 8.2% – surpassing hydropower for the first time and moving into fourth place behind natural gas, coal and wind.

Ken Bossong, Executive Director of the SUN DAY Campaign, says solar is clearly on a major growth trajectory that is exceeding official forecasts.

“Without question, solar is on a roll as it surpasses FERC’s expectations and leads all other energy sources in providing new generating capacity.”

According to FERC projections, if just their “high probability” projects proceed as planned, utility-scale solar capacity could triple by 2027 and surpass both coal and wind to become the second largest source after natural gas.

When factoring in distributed solar like rooftop installations, total solar capacity may reach close to 20% within three years.

Renewables as a whole, including wind, solar, hydropower, biomass and geothermal, could see their combined share rise from the current 29% to over 35% – rapidly closing in on natural gas.

Canada’s solar industry has also seen growth, although perhaps not at these levels; for 2021, the latest year for which we could find numbers, solar power increased by 13.6%.

If there are any experts out there on how Canada is really comparing, we’d love to hear from you.

Sources include: Renewables Now

A major cybersecurity incident was narrowly avoided at LastPass, one of the world’s leading password management companies.

LastPass revealed this week that threat actors recently targeted one of its employees in a sophisticated voice phishing or “vishing” attack using deepfake audio technology to impersonate the company’s CEO.

The employee received a series of calls, texts and at least one voicemail featuring an AI-generated audio replica of the CEO’s voice attempting to initiate an urgent request. However, the attack failed because the employee recognized hallmarks of a social engineering scam, such as the unusual communication channel of WhatsApp, and reported it.

Mike Kosak, a LastPass intelligence analyst, said quote: “Due to the employee’s suspicion…our employee rightly ignored the messages and reported the incident so we could mitigate the threat.”

While deepfake audio is still an emerging threat, experts warn these types of AI-enabled impersonation attacks are on the rise. A recent global study found 25% of people have encountered an AI voice scam or know someone who has.

The U.S. government issued alerts last week warning healthcare organizations about cybercriminals using deepfake voice cloning to target IT help desks. The FBI and Europol have also cautioned that deepfakes may become a common tool for fraud, evidence tampering and other cybercrimes.

LastPass says it shared details of this incident to raise awareness, as the attacker likely used publicly available videos of their CEO to train the deepfake model. The company was previously targeted in data breaches last year.

Security experts advise organizations to have robust verification protocols, require supervisor approval for sensitive requests, and provide training to help staff detect deepfake social engineering attempts.

Sources include: Bleeping Computer

VMware’s suite of end-user computing products for desktop and application virtualization is getting a new brand identity – “Omnissa” – following their recent $4 billion sale to private equity firm KKR.

The products, which allow delivery of remote desktop experiences to PCs, tablets and mobile devices, were divested by VMware’s new owner Broadcom, which deemed them non-essential after acquiring the virtualization giant.

Signs point to KKR pushing ahead with rebranding the former VMware offerings as “Omnissa”, with official documentation and online resources for users already referencing the new name.

The rebrand comes as the remaining VMware product lines brace for a major system migration initiated by Broadcom that will temporarily pause support, training and purchasing services over the first weekend of May.

According to VMware, numerous customer-facing tools and portals will go offline starting April 30th as the company transitions from SAP to Broadcom’s Oracle software environment – a migration window extending until May 5th.

The tight turnaround for the backend system overhaul coincides with Broadcom’s fiscal quarter close, putting added pressure on teams to complete the complex data migration without disrupting any sales or revenue activities.

It also represents one of the first major tests for Broadcom in delivering on its promised support model bundling VMware’s virtualization products with services.

Any missteps during the transition could prompt backlash from VMware customers already facing rising costs under Broadcom’s revised contractual terms.

As Omnissa emerges as KKR’s newly-acquired brand for end-user computing, the fate of its former VMware siblings rests on Broadcom’s ability to execute a challenging system integration without sacrificing the seamless support experience it’s pledged for its VMware portfolio.

Sources include: The Register

In a major round of job cuts, Tesla is reducing its global workforce by more than 10% according to an internal memo from CEO Elon Musk.

The electric carmaker, which employs over 140,000 people worldwide, is eliminating thousands of roles just weeks after disappointing delivery numbers raised concerns about slowing demand.

In the memo, Musk wrote the painful but necessary move will allow Tesla to become “lean” and hungry again for its next growth cycle.

It comes after Tesla’s first quarter deliveries fell 20% from the prior quarter and over 8% year-over-year – the company’s first annual sales decline since 2020.

Tesla blamed the slump on production challenges with its updated Model 3, as well as supply chain disruptions from the conflict in the Red Sea region and an arson attack at its Berlin factory.

The staff reductions follow months of rumors about impending layoffs, with reports Tesla had instructed managers to identify the most critical roles and delayed some employee performance reviews earlier this year.

It’s not the first time Musk has dramatically cut headcount at Tesla to reduce costs during leaner periods. The company conducted multiple previous rounds of layoffs, including cutting staff working on its self-driving software last year.

The latest cuts also mirror Musk’s move to slash around half of Twitter’s workforce after acquiring the social media platform in 2022.

As Tesla faces intensifying competition and tries to ramp up production of new models like the Cybertruck, and that Cybertruck has had some very bad early reviews, the company is turning to headcount reductions despite Musk previously warning 2024 could see a sales slowdown.

With concerns mounting over cooling demand for its electric vehicles, investors will be watching closely whether the staff purge helps reset Tesla’s cost base ahead of its next targeted wave of growth.

Sources include: Business Insider


Microsoft has announced significant price increases coming this fall for its Dynamics 365 suite of cloud-based business applications.

In an update last week, the tech giant said it will raise prices across its Dynamics product line by between 9.26% and 16.67%, representing the first hike in five years.

The highest increase of nearly 17% will apply to the Finance, Supply Chain Management, and Commerce editions of Dynamics 365.

Other products like Sales, Customer Service, Field Service and core operations licenses face bumps of around 10% when the new pricing takes effect October 1st.

Microsoft’s corporate vice president Bryan Goode justified the increases by citing ongoing upgrades like AI-powered customer insights, data analytics capabilities and process automation added to Dynamics annually.

However, the software maker did not explain the varying degrees of price inflation across its different Dynamics product SKUs.

For U.S. government customers, the price hikes will be staggered over two phases in compliance with regulations, with a 10% jump first in October followed by another increase in 2025.

The increases follow similar moves by rival Salesforce last year and come as Microsoft prepares a new wave of AI-driven feature updates across Dynamics 365 powered by technologies like its Copilot assistant.

While inflation has been a factor over the past five years, the extent of these latest price increases from Microsoft may prompt some reassessment from Dynamics customers on the overall value proposition, especially for products facing the highest percentage bumps.

Sources include: The Register

Here’s another Microsoft story where I want to walk lightly, because it’s easy to bash on large companies, but it is a story that raises some critical questions.

A recent article in Wired reports that security experts and critics are accusing the U.S. government of giving Microsoft a free pass, despite the tech giant’s long track record of major cybersecurity lapses that have exposed sensitive government systems to hacking threats.

The story quotes a new report from the federal Cyber Safety Review Board that slams Microsoft’s “inadequate security culture” after a 2022 incident allowed Chinese state hackers to breach the company’s systems and access government email communications.

It’s just the latest in a string of high-profile breaches impacting Microsoft customers over several years, including Russian hackers stealing source code and corporate secrets earlier this year.

Though heavily critical of Microsoft, the report is unlikely to spur any meaningful accountability from the U.S. government, which relies overwhelmingly on Microsoft products to power its operations.

Microsoft has become effectively “untouchable” according to experts, due to the government’s deep dependence on its software, its critical role supporting federal cybersecurity efforts, and its sophisticated strategy of positioning itself as a defender of digital safety.

This has allowed Microsoft to sidestep any consequences even as lawmakers fume over its security failures and practices like charging extra for basic threat monitoring that experts say should be included.

Administration officials have refused to criticize Microsoft openly, with some experts accusing the government of lacking the leverage to compel real changes at a company that represents a potential single point of failure for essential services.

Others argue the White House’s own national cybersecurity strategy calls for shifting more security burden to major tech firms like Microsoft that have the resources to invest heavily in defensive measures.

But so far, the U.S. government has demonstrated an inability or unwillingness to stand up to one of the world’s largest tech companies and enforce accountability, despite the risks Microsoft’s vulnerabilities pose to America’s digital infrastructure.

So, here’s my question.  We did a story on “cloud lock-in” recently where the UK government was concerned that without a meaningful alternative, even a government was effectively “locked in.”  With Microsoft’s dominance in so many areas from productivity suites to cloud and now security and even AI, how is the “competitive market” – or how is anybody – supposed to keep it in check?

Sources include: Wired

And that’s our show for today.  Love to hear your opinions as always. You can reach me at therealjimlove@gmail.com or our new editorial address – editorial@technewsday.ca

Our show notes are now also posted at TechNewsDay.ca or .com take your pick – along with other stories. Check it out.

I’m your host Jim Love, have a Terrific Tuesday.


The post US government faces criticism over Microsoft security failures: Hashtag Trending, Tuesday April 16, 2024 first appeared on IT World Canada.


Cyber Security Today, April 15, 2024 – Act fast to a plug hole in Palo Alto Networks firewall, Canadian comedy festival loses over $800K in email scam, and more

Act fast to a plug hole in Palo Alto Networks firewall, Canadian comedy festival loses over $800K in email scam, and more.

Welcome to Cyber Security Today. It’s Monday, April 15th, 2024. I’m cybersecurity reporter Howard Solomon.



A critical vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS operating system has been exploited at several organizations at least as far back as March 26th. That’s the finding by researchers at Volexity, who discovered the hole. In some cases a threat actor has used the vulnerability to deploy a custom backdoor written in the Python language, then stolen credentials and other files. Palo Alto Networks was expected to have delivered a patch yesterday. Volexity says the skill and speed used in the attacks suggest a highly capable threat actor with a clear playbook of what to access. Network administrators using GlobalProtect firewalls should either install the patch or apply the recommended mitigations. The vulnerability has a CVSS score of 10.

UPDATE: This issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available this week.
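As an added example (not Palo Alto Networks’ tooling or anything from the show), here is a small Python check that parses PAN-OS version strings, including the -hN hotfix suffix, and compares each device against the fixed release quoted in the update for its own maintenance branch. The device inventory is constructed, and branches the update does not name are reported as unknown rather than guessed.

```python
"""Compare PAN-OS versions against the fixed hotfix releases quoted in the update.

Added example, not from Palo Alto Networks or the podcast. FIXED_RELEASES holds
the three versions named in the update; SAMPLE_INVENTORY is a constructed sample.
"""
import re
from typing import Dict, NamedTuple, Tuple

# Fixed releases quoted in the update, one per maintenance branch.
FIXED_RELEASES = ("10.2.9-h1", "11.0.4-h1", "11.1.2-h3")

# Constructed sample inventory: device name -> reported PAN-OS version.
SAMPLE_INVENTORY = {
    "fw-edge-1": "10.2.9-h1",
    "fw-edge-2": "10.2.8",
    "fw-dc-1": "11.1.2-h3",
    "fw-lab": "10.1.11",
}

# major.minor.maint with an optional -hN hotfix suffix (PAN-OS is not semver).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the string carries no -hN suffix

    @property
    def branch(self) -> Tuple[int, int]:
        """The maintenance branch (major, minor) this release belongs to."""
        return (self.major, self.minor)


def parse_version(text: str) -> PanOsVersion:
    """Parse strings such as '11.0.4-h1' or '10.2.9'; raise ValueError on junk."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version_text: str, fixed=FIXED_RELEASES) -> str:
    """Return 'fixed', 'unpatched' or 'unknown' for one device's version.

    A device is only compared with the fixed release on its own major.minor
    branch: a higher maintenance number on a different branch says nothing
    about whether that branch has received the fix. Tuple ordering makes
    10.2.9-h1 sort after 10.2.9 and 10.2.10 sort after both.
    """
    version = parse_version(version_text)
    thresholds = [parse_version(f) for f in fixed]
    same_branch = [t for t in thresholds if t.branch == version.branch]
    if not same_branch:
        return "unknown"  # branch not named in the update; check the vendor advisory
    return "fixed" if version >= min(same_branch) else "unpatched"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map every device in the inventory to its assessment."""
    return {name: assess(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:10s} {SAMPLE_INVENTORY[name]:12s} {status}")
```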

The organization that produces Montreal’s Just For Laughs comedy shows was stung last year for just over $813,000 after falling for a business email compromise scam. The Quebec news service La Presse discovered court documents showing the financial controller fell for emails pretending to be from a company shareholder instructing a switch of the bank account where management payments should go. The scammer was convincing because they created an email account on a domain with an extra ‘s’ at the end, close enough to the spelling of the real domain to pass at a glance. Unfortunately there are no protections in the global domain registration system to stop domains from being created with names almost identical to those of real companies. It’s imperative that finance department employees confirm, through an independent channel, any change in payment procedures requested by email, voicemail or video call. Staff shouldn’t use the email address or phone numbers contained in the message requesting the change to get that confirmation.
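Added example, not from La Presse or the show: a Python check for the extra-letter lookalike trick described above, which flags any sender domain within one edit of a domain the finance team trusts. The trusted domains and From: headers are constructed placeholders, not the real parties’ addresses.

```python
"""Flag sender domains that sit one edit away from a domain finance trusts.

Added example, not the newsroom's or the victim's code. TRUSTED_DOMAINS and
SAMPLE_FROM_HEADERS are constructed placeholders.
"""
from email.utils import parseaddr
from typing import Iterable, List, Tuple

# Constructed allow-list: domains payment instructions are expected to come from.
TRUSTED_DOMAINS = {"example-holdings.com", "example-bank.com"}

# Constructed sample From: headers; the second one carries the extra 's'.
SAMPLE_FROM_HEADERS = [
    "Shareholder <shareholder@example-holdings.com>",
    "Shareholder <shareholder@example-holdingss.com>",
    "Vendor <billing@unrelated-vendor.net>",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain from a From: header, or '' if none."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS,
                    max_distance: int = 1) -> str:
    """Return 'trusted', 'lookalike' or 'external' for one From: header.

    'lookalike' means the domain is not on the allow-list but is within
    max_distance edits of one that is, which catches an added or dropped
    letter such as the extra 's' in the comedy festival case.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    if domain in trusted:
        return "trusted"
    if any(edit_distance(domain, good) <= max_distance for good in trusted):
        return "lookalike"
    return "external"


def flag_for_review(headers: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (header, verdict) for every sender that is not plainly trusted."""
    flagged = []
    for header in headers:
        verdict = classify_sender(header)
        if verdict != "trusted":
            flagged.append((header, verdict))
    return flagged


if __name__ == "__main__":
    for header, verdict in flag_for_review(SAMPLE_FROM_HEADERS):
        print(f"{verdict:9s} {header}")
```

A payment-change request from a sender flagged as a lookalike is exactly the case that needs the out-of-band confirmation the story calls for.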

A former senior IT security employee has been sentenced to three years in prison by an American judge for hacking into smart contracts of cryptocurrency exchanges two years ago. The man stole over US$12 million in digital coin. Shakeeb Ahmed received the sentence Friday after pleading guilty to computer fraud. According to the news site HackingButLegal, Ahmed worked for Amazon.

A threat actor has posted data stolen from a partner of Canadian retailer Giant Tiger. The BleepingComputer news service said the database was posted on a hacker forum with information allegedly on 2.8 million customers. It’s available to any hacker forum member for the price of eight credits. Members get credits for doing something as simple as commenting on a post or contributing a new post.

Are you worried about the recently discovered compromise of the maintainer of a critical Linux package? That’s the scheme where a threat actor took three years to gain the confidence of those helping to oversee the package before switching it for a malicious version. Well, the U.S. Cybersecurity and Infrastructure Security Agency issued a reminder that it has been working on improving open-source security for a while. It backs the Secure by Design initiative with steps for developers on building safe applications using open-source components.

The city of Toronto has budgeted $1 million to cover the costs of last October’s ransomware attack on the Toronto Public Library system. Reporter John Lorinc says the number includes almost $770,000 for cybersecurity experts and related IT system remediation and restoration costs. It also includes $160,000 in legal costs and $74,000 for credit monitoring services for employees who had their data stolen. All of the library system’s 500 computers had to be wiped and rebuilt. Meanwhile the city also has to deal with a January ransomware attack on the Toronto Zoo. In that attack data of current and former employees was stolen.

Speaking of ransomware, one of the ways of crushing ransomware gangs is to take the money out of their attacks. The problem is forbidding — or even begging — unprepared organizations not to pay a ransom isn’t working. So last week the Ransomware Task Force, a group of public and private sector experts, released a plan to reduce the need to ban ransomware payments. It will take several years, the Task Force admits. But only after all the steps in its plan have been met should governments think about prohibiting ransomware payments. Briefly, the plan says ‘Don’t institute a payment ban until organizations have cybersecurity maturity.’ Here are some of the recommended steps:

–Develop a ransomware framework to provide a national standard for ransomware preparation. The framework would be adapted for organizations of different sizes, maturity and risk profiles;

–provide financial incentives for organizations to comply with the framework;

–mandate limited baseline security measures for critical infrastructure providers including utilities, banks and hospitals;

–form an international law enforcement partnership to target ransomware gangs;

–require cryptocurrency exchanges and over-the-counter trading desks to comply with existing financial transaction tracking controls;

–create a ransomware response fund to help victim organizations recover from attacks;

–work with cyber insurers;

–and end the tax deductibility of ransomware payments.

The Task Force believes things like this could take two years to implement. Only then should governments think about banning ransomware payments.

Meanwhile, nothing stops your organization from toughening its cybersecurity defences.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, April 15, 2024 – Act fast to a plug hole in Palo Alto Networks firewall, Canadian comedy festival loses over $800K in email scam, and more first appeared on IT World Canada.

Google users say two-factor authentication didn’t protect them. Hashtag Trending for Monday, April 15th

Early Saturday morning listeners may have missed my weekend interview segment with Senator Colin Deacon. If you did, it was totally my fault. A typo in my posting instructions meant we didn’t get it online until late Saturday morning. But if you didn’t get a chance to listen, it’s still there, and it’s really worthwhile.

Google Enhances Browser Security with AI and announces a New Paid ‘Premium’ Version, Google users report account lock outs that beat their two-factor authentication. Google Blocks California News Access Amid Fight Over a Journalism Payment Bill and Gen Z Ditching Google for TikTok and YouTube Searches

All this and more on the “too much Google” edition of Hashtag Trending. I’m your host, Jim Love. Let’s get into it.

Before we start, I have to say, I didn’t set out to write an all Google edition, maybe it’s because of Google’s major event last week, but when I evaluated the tech stories over the weekend, these hit the top of the pile.

Google is rolling out major new security enhancements for its hugely popular Chrome web browser used by billions worldwide.

At its Cloud Next conference last week, the tech giant revealed it has developed custom artificial intelligence language models specifically trained to detect and block spam, phishing and other malicious content targeting Gmail users.

Deployed late last year, Google says these AI defenses are already yielding big results – catching 20% more spam in Gmail, reviewing 1,000% more reported spam each day, and responding 90% faster to new phishing threats in Google Drive.

The company says the AI models are uniquely adept at identifying semantically similar malicious content at a massive scale across over 3 billion Google Workspace users.

While highly effective so far, Google admits it is “very focused” on innovating further to tackle the remaining 0.1% of spam and malware that slips through its advanced filters.

In a separate move, Google is introducing a new premium version of its Chrome web browser specifically geared towards enterprise users.

Called Chrome Enterprise Premium, the paid tier adds enhanced data loss prevention controls as well as deep malware scanning missing from the existing free Chrome browser.

While the core free version will continue receiving general malware and anti-phishing protections, the premium edition aims to provide businesses with an extra level of security and administrative features.

This new AI-powered data protection will cost $10 per user per month on top of existing Workspace subscriptions.

The launch comes as Google also explores giving all Chrome users more control over limiting website permissions like access to keyboard, mouse and other device inputs.

Sources include: Android Police and Forbes

The need was never greater – another story in Forbes this week reported that a number of users said their two-factor authentication had been bypassed, giving attackers access to their Google accounts.

How do they do this? Apparently they don’t hack the two-factor authentication process itself, but they employ something called “session cookie hijacking.”

The technique typically starts with a phishing email delivering malware designed to capture the authentication cookies that allow users to seamlessly resume active sessions on sites like Gmail.

If attackers manage to steal these session cookies after a user has logged in, they can then replay the cookies to impersonate the legitimate user – tricking the service into letting them bypass any further 2FA prompts.

As far as Google’s systems are concerned, the attacker has already successfully authenticated using the hijacked cookie data.

Once they gain access to the account, the hackers can lock the real owner out of the account.

These attacks are reported to start with phishing lures, most notably crypto get rich schemes. But the attacks can also potentially leverage vulnerabilities that expose session cookies or allow session hijacking on unpatched systems.

Security experts warn session hijacking remains a critical risk capable of undermining popular multi-factor authentication protections relied on by billions.

Remedies include more widespread use of hardware 2FA security keys, as well as shorter lifespans for session cookies to reduce hijacking windows.

Major providers are also working on other mitigations, but users remain advised to stay vigilant against phishing and keep software patched to prevent falling victim to these attacks subverting account two factor authentication.
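The two remedies named above, shorter session lifetimes and stronger binding of the session to the client that earned it, can be illustrated server-side. The Python below is an added example written for this page; it is not Google’s implementation and the lifetimes, the client-context string and the sample timestamps are constructed assumptions. It keeps a session table, expires sessions on both an absolute lifetime and an idle timeout, and stores a hash of the client context at issue time so a cookie replayed from a different context is refused and the session revoked.

```python
"""Server-side session checks that shrink the window for cookie replay.

Added example (not Google's code and not from the article).  Lifetimes and
the client-context fields are constructed assumptions for illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass

ABSOLUTE_LIFETIME = 8 * 3600   # assumption: force re-authentication every 8 h
IDLE_TIMEOUT = 15 * 60         # assumption: 15 min without activity ends the session


def context_fingerprint(user_agent: str, ip_prefix: str) -> str:
    """Hash of coarse client context; only the hash is stored server-side."""
    return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str   # context hash captured when password + 2FA succeeded
    issued_at: float
    last_seen: float


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def issue(self, user: str, fingerprint: str, now: float) -> str:
        """Create a session once the user has passed password and 2FA."""
        cookie = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._sessions[cookie] = Session(user, fingerprint, now, now)
        return cookie

    def validate(self, cookie: str, fingerprint: str, now: float) -> tuple[bool, str]:
        """Return (accepted, reason).  Any rejection revokes the session."""
        s = self._sessions.get(cookie)
        if s is None:
            return False, "unknown cookie"
        if now - s.issued_at > ABSOLUTE_LIFETIME:
            self.revoke(cookie)
            return False, "absolute lifetime exceeded"
        if now - s.last_seen > IDLE_TIMEOUT:
            self.revoke(cookie)
            return False, "idle timeout"
        if fingerprint != s.fingerprint:
            # Presented from a different client context: treat as a replayed
            # cookie, end the session and require a fresh login with 2FA.
            self.revoke(cookie)
            return False, "client context mismatch"
        s.last_seen = now
        return True, "ok"

    def revoke(self, cookie: str) -> None:
        self._sessions.pop(cookie, None)


if __name__ == "__main__":
    store = SessionStore()
    fp = context_fingerprint("Mozilla/5.0", "203.0.113.0/24")
    cookie = store.issue("alice", fp, now=1000.0)
    print(store.validate(cookie, fp, now=1100.0))
    stolen_use = context_fingerprint("curl/8.0", "198.51.100.0/24")
    print(store.validate(cookie, stolen_use, now=1200.0))
```

Context binding is deliberately coarse: a mobile user moving between networks will trip an IP check, so real deployments bind to something more stable, or to a device-held key, and the rejection path must send the user back through full authentication rather than silently failing. Shorter lifetimes do not stop malware that reads the cookie, they only bound how long the stolen copy works, which is why hardware security keys and device-bound credentials are the stronger fix.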

Sources include: Forbes

And can you stand one more Google story?

In a battle that will seem eerily familiar to our Canadian listeners, Google is now wrangling with California lawmakers. Google has started restricting access to news articles from the state for some users in a hardball tactic against a proposed law that would force tech companies to pay publishers for content.

The move comes as the California Journalism Preservation Act, which cleared the state assembly last year, is being revived. The bill would require digital giants like Google and Meta to compensate news outlets when their articles and links get displayed on the tech platforms.

In a blog post, Google executive Jafar Zaidi said the legislation represented an “unworkable” tax on linking to news sources that has already prompted “significant changes” to services it can offer Californians.

Zaidi wrote that the company has temporarily blocked news from appearing in search results for an unspecified “small percentage” of California users in anticipation of the bill potentially passing.

Google claims the proposal is the “wrong approach” to bolstering the struggling U.S. news industry, which has suffered waves of layoffs and newspaper closures amid skyrocketing digital ad revenues for big tech.

Bill supporters argue it would provide a crucial lifeline to California’s publishers, with over 100 outlets shuttering in the state over the past decade as advertising income plummeted.

The legislation aims to direct a slice of the billions in digital ad revenues captured by technology giants like Google and Meta toward compensating journalists and publishers for reusing their content.

With over 70% of digital ad dollars now going to just those two companies, advocates say they have a responsibility to support the news industry they have disrupted and profited from.

Critics, however, argue such link taxes represent an unworkable model that undermines principles of the open internet.

The aggressive move by Google mirrors past tactics deployed when facing similar pay-for-journalism rules in Canada and Australia. After initial threats to block news, the company ultimately struck deals with publishers.

As California’s bill regains momentum, the fight over compensating news outlets appears headed towards an increasingly acrimonious showdown between lawmakers and the tech giants dominating digital advertising markets.

And although Google ultimately reached a deal of sorts with Canada, Meta continues to block Canadian news stories on its platform. This story may continue for some time to come.

Sources include: Axios

It turns out that while Google was top of the news last week, the giant may want to watch where its search engine dominance is going. There is no doubt that Chrome is the dominant browser by a country kilometre – okay, a country mile still sounds better.

But it has some threats to its dominance. We did some stories last week to show that when given a real choice, people in Europe were opting for other browsers.

And although Google is trying experiments in the UK to add AI to its search, the early reviews on that are not spectacular with reports that junk content is more likely to hit the top of search.

For others, using AI search like Perplexity.ai is proving to be far more reliable and informative than Google. But now, a generational divide is evolving.

For Gen Z (it turns out even Canadians call them Gen Z), Google is no longer the default starting point when searching for information online. Instead, many young people are turning to social media platforms like TikTok and YouTube as their go-to search engines.

New data from youth research firm YPulse reveals a stark generational divide emerging. While 58% of millennials aged 25 to 39 still begin their internet queries on Google, that falls to just 46% among those aged 18 to 24.

For Gen Z, 21% are initiating searches directly on TikTok, with another 5% heading straight to YouTube – a clear break from the Google-centric behavior of older demographics.

The shift highlights how social media has evolved from just connecting with friends into a vast “information superhighway” for the first truly digital native generation.

Gen Z users cite a preference for the more relatable, authentic results surfaced through human-curated videos and posts compared to Google’s algorithms heavily featuring sponsored content.

There’s also an innate comfort and affinity with social platforms fostered by younger users having no memory of Google’s earlier era of search dominance.

The trend represents a growing headache for Google and its parent Alphabet, which derives the bulk of its nearly $2 trillion valuation from digital advertising tied to search traffic.

In response, Google has rolled out new features aimed at Gen Z, including AI tools to generate more personalized search feeds and better highlight social media conversations.

However, many remain dissatisfied with the quality of Google results plagued by excessive ads and search engine optimization tactics.

As Gen Z increasingly eschews traditional search engines, established tech giants will be forced to adapt to changing behaviors ushering in a generational shift in how information is discovered and consumed online.

Picture this – sometime in the future, somebody born in 1990 will be my age, they’ll mention some 90’s rock group, get a blank stare and say “TikTok” it.

Hey, there’s no longer a Kleenex tissue. There could be a world where search is not Google.

And that’s our show for today…

And tomorrow, I promise, unless the sky falls in with a monumental story, we’ll be Google free.

I’m your host Jim Love, have a Marvelous Monday.

The post Google users say two-factor authentication didn’t protect them. Hashtag Trending for Monday, April 15th first appeared on IT World Canada.

Senator Colin Deacon and our digital future: HashTag Trending, the Weekend Edition, April 13, 2024

Welcome to Hashtag Trending The Weekend Edition. I’m your host, Jim Love. I can understand that many of you might get frustrated about politics. What we see for the most part is a lot of BS.

Ask a politician a simple question. You get a lot of non answers, talking points, ways their political opponents have it wrong. Yep. That’s true. Even in Canadian politics. So what can we do? We can get involved and try to change the process. I’ve certainly done that. I worked for every political party at one point. I’ve worked for the NDP, Neil Young, not the musician, unfortunately. He was a great guy though.

And Bob Rae. I’ve worked to support the Liberals under Stéphane Dion, one of the most incredible people I’ve ever met. I’ve been a riding president for a Progressive Conservative riding, which led me to have the honour to meet Joe Clark and to understand the authentic person he is. I know what you’re thinking.

What’s wrong with this guy? Can’t he take a side? And the clear answer is no, I, I can’t take sides. There’s only one side and that’s what’s best for Canadians. I’ve never been a believer in party labels. I wanted to work with authentic people who wanted to make Canada a better nation and make a better future for our children.

And the need was never greater. Canada is in crisis. Our productivity numbers are plummeting. Regardless of what you get fed from government sources, we are not a leader in AI, or in digital governance, or anything else digital for that matter. But equally, the stuff that the opposition parties are feeding you?

It’s nonsense as well. The reality is, if you strip away the party lines, if you talk to the smartest people in Ottawa, you’d know the truth. We are in crisis. Our future standard of living is in real jeopardy, and yet, we are an incredibly resilient people. We have so much going for us in multiculturalism, in diversity, in intelligence, and in many other areas that if we could just get it together, we could fulfill that quote of Wilfrid Laurier.

The 21st century belongs to Canada. So what do we do? Fortunately, we have a structure in our government where parties don’t really have to matter. It’s called the Senate. For my American listeners, you have a Senate as well. It’s called the same thing as ours, a body of sober second thought. The difference in Canada is our senators are actually sober.

I say that in jest, but in our Senate,

and I’m not taking political sides, but credit where credit is due, our Prime Minister Justin Trudeau said he would no longer make political appointments to the Canadian Senate. He would appoint knowledgeable people and challenge them to challenge the government’s thinking. In other words, he would make the Senate truly a body of sober second thought.

A place where nonpartisan citizens could join with only the best interest of the country at heart. A place where people who weren’t politicians could offer their experience and their expertise to the government of our nation. And there’s nobody that you will meet that embodies this more than my guest, Colin Deacon.

Senator Deacon is a serial entrepreneur and someone who knows technology and knows how to build businesses that export to the world in a digital economy. And we are lucky to have him both in the Senate and for this interview. I met Senator Deacon at the Digital Governance Council, another group of nonpartisan business and government leaders who also have only one objective: to help Canada become a leader in the digital economy. I was totally impressed by him and I asked if he’d sit for an interview with us. I hope you’ll be as inspired by it as I was. My guest today is Senator Colin Deacon.

There is a link mentioned in this article to the Digital Governance Council. Check it out.

Our sponsor for this week is Performance Advantage

You can find the full transcript on YouTube.

The post Senator Colin Deacon and our digital future: HashTag Trending, the Weekend Edition, April 13, 2024 first appeared on IT World Canada.

Cyber Security Today, Week in Review for week ending Friday, April 12, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, April 12th, 2024. I’m Howard Solomon.



In a few minutes David Shipley, head of Beauceron Security, will be here to discuss recent news. We’ll talk about more hot water for Microsoft, a second look at the scare facing the Linux community, an alert to the healthcare sector on IT help desk scams and a warning to LG smart TV owners.

Before we get to the discussion, here are other highlights from this week:

LastPass released a report describing a deepfake audio call to an employee impersonating its CEO.

Classes at New Mexico Highlands University remain cancelled because of a ransomware attack that started April 3rd. Classes will resume this coming Monday, April 15th. Despite the loss of over a week of classes the university term won’t be extended. Graduation ceremonies will continue as scheduled.

On Tuesday the social media site that used to be Twitter began automatically modifying links in tweets that mention “twitter[.]com” to read “x[.]com.” It was another step in the re-branding of the service now called X. But the link modification strategy backfired. According to security reporter Brian Krebs, at least 60 new domains were quickly registered with names that end in “twitter[.]com.” The goal for some of these new domains was to scam internet users. So someone was smart enough — or devious enough — to create “fedetwitter[.]com”, which became “fedex.com” in tweets. Most of the new domains were registered by people who realized this mess was possible and wanted to prevent the domains from being created by scammers. But as a result of the mess X stopped truncating any domain ending in “twitter[.]com.”
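The Krebs story above is at bottom a string-handling bug: rewriting every occurrence of “twitter.com” in a link also rewrites hostnames that merely end in those characters. The Python below is an added example written for this page, not X’s code; it puts the naive substring rewrite beside a version that parses the URL and rewrites only the exact hostname (or a real subdomain of it). The sample URLs are constructed; “fedetwitter.com” is the example given in the story.

```python
"""Why rewriting 'twitter.com' to 'x.com' by substring is dangerous.

Added example, not X's implementation.  Sample URLs are constructed.
"""
from urllib.parse import urlsplit, urlunsplit

OLD_HOST = "twitter.com"
NEW_HOST = "x.com"


def naive_rewrite(url: str) -> str:
    """Plain string replace over the whole URL.

    Matches inside longer hostnames too, so 'fedetwitter.com' is displayed
    as 'fedex.com' while the link still points at the lookalike domain.
    """
    return url.replace(OLD_HOST, NEW_HOST)


def safe_rewrite(url: str) -> str:
    """Rewrite only when the hostname is exactly OLD_HOST or a subdomain of it.

    Any other host, including one that happens to end in the string
    'twitter.com', is returned unchanged.  Userinfo (user:pass@) is dropped
    on purpose; a display rewrite has no business carrying credentials.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == OLD_HOST:
        new_host = NEW_HOST
    elif host.endswith("." + OLD_HOST):
        new_host = host[: -len(OLD_HOST)] + NEW_HOST   # keep the subdomain label
    else:
        return url
    netloc = new_host + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for u in ("https://twitter.com/krebsonsecurity",
              "https://mobile.twitter.com/home",
              "https://fedetwitter.com/login"):
        print(f"{u:40} naive={naive_rewrite(u):35} safe={safe_rewrite(u)}")
```

The general lesson for anyone who rewrites or “beautifies” links in user content is that the displayed text must be derived from the parsed hostname, never from a substring match, and that the visible text and the actual destination must always agree.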

AT&T is notifying over 51 million customers that personal information being peddled on the internet came from the company. It had said in March that information on 73 million customers was involved. The difference, AT&T told Bleeping Computer, is that some people had multiple accounts.

The U.S. National Security Agency released an information sheet to help organizations implement a zero trust data protection strategy. I’m not going to repeat all of the recommendations, but it does remind IT leaders that a zero trust strategy is “centred on protecting an organization’s data through constant verification.” An essential element of this is effective cataloging, labeling and encrypting of data to limit data breaches. There’s a link to the document in the text version of this podcast at TechNewsday.com.

The U.S. Cybersecurity and Infrastructure Security Agency’s malware analysis service is now open to any IT department and security researcher who wants to submit suspect code. Until now the Malware Next-Gen portal was available only to governments and the U.S. military. You do have to register to use it.

Finally, Fortinet released security updates for multiple products including its FortiOS operating system, and the FortiProxy and FortiClient Linux applications. The vulnerability in FortiClient Linux is rated as critical and needs to be patched fast.

(The following is an edited transcript of the first of four discussion topics. To get the rest of the talk play the podcast)

Howard: Last week, as you may recall, the Cyber Safety Review Board released a report highly critical of Microsoft into the ability of a threat actor to forge a counterfeit authorization token that was used to compromise Microsoft Exchange Online email accounts. This week Microsoft was in the spotlight again. A cybersecurity company in Turkey called SOCRadar discovered Microsoft employees had left an Azure storage server open to the internet that had Microsoft code, passwords and other sensitive material. It isn’t known how long the cloud server was unprotected or if anyone other than the researchers discovered it. David, there are a couple of things here: Both of these incidents involve cloud services — the forged tokens let the attacker get into Exchange Online. The open server was hosted on Microsoft’s Azure platform. What do these incidents say about cloud security in general and Microsoft security in particular?

David Shipley: Number one, cloud security is hard, even if you’re the person that makes and sells the cloud environment. That should be something we all take a moment [to think], ‘Even the people that can struggle with it.’ That’s just the reality of the situation. It is big, it is complex, and it’s also the nature of the threat environment and the ability to just find every single little flaw. Cyber is almost like a mouse infestation in your house: You just can’t figure out all the different ways these things can get in and just ruin your day.

I hope it’s part of the beginning of the end of the narrative that ‘Just because it’s in the cloud it’s safer than on-prem.’

I think for Microsoft, let’s be clear — it’s easy to beat up on Microsoft. They’re the big kid in town. They’ve got the largest, most ubiquitous footprint. They’ve got the biggest target on their back. But it’s been very clear that with the great tremendous growth and success of Azure and cloud and Microsoft 365 has come with it a security liability, a cost that’s clearly starting to catch up. This is almost like a law of physics of modern day digital business: For every great business opportunity there seems to be increasingly an equal and opposite security and cost and liability side that is a tricky thing to balance. It’s a bad year for Microsoft. The hits just keep on coming, more that’s going to come out of some of these reviews, so they’re probably not going to get out of this year without a few more punches.

Howard: I’ll get deeper into Microsoft in a minute but first I want to note that the Cyber Safety Review Board Report had very pointed things to say about security to all cloud providers as well as those using cloud-based services.

David: This is not a unique problem for Microsoft. AWS has its share of problems, Google has its share of problems. We’re talking about massive, complex systems and levels of power and connectivity. We don’t really even have a track record to fully understand. It’s never been more important to fully and absolutely understand the shared responsibility model [for buyers and producers of cloud services] and to understand what your risk appetite is if you’re surrendering control over certain aspects of the threat pyramid to a cloud provider. Are you comfortable with that? Do you have the assurances from that cloud provider and the strategy of resilience if that cloud provider lets itself and you down?

Howard: On last week’s show Terry Cutler and I discussed the Cyber Safety Review Board report into the Microsoft forged token attack. As a reminder, the emails of about 500 people around the world — including the U.S. Commerce Secretary, the U.S. Ambassador to China and other important people — were compromised. The attacker downloaded about 60,000 emails over six weeks from the U.S. State Department alone. The Review Board had blunt criticism of Microsoft: It said the hack was preventable and should never have occurred. It calls Microsoft’s security culture inadequate and requires an overhaul. And it complained that Microsoft hasn’t been upfront with the public in that it still doesn’t know how or when the hacking group obtained the signing key that allowed this attack to happen. Was the board too gentle?

David: I don’t think it was too gentle. This is probably among the most severe call-outs I have ever seen from a group of a failure. But it’s not about blame. What I really love about the Cyber Safety Review Board model is it’s based off the aviation industry, which makes sure that we share transparently the key lessons learned from every air disaster. This was a cyber disaster, and we’re now picking up the pieces and telling the tale. What I thought was pretty harsh about the report was saying [to Microsoft], ‘Stop focusing on developing new features and your revenue funnel and your sales targets right now and clean your house up.’ For Microsoft this is probably one of the last off-ramps they’re going to get before they land themselves in some pretty serious heat that potentially could end up in antitrust territory around the conflict between their core businesses: Azure, Microsoft 365, the [Windows] operating system and their security business. Because there may come a time when large cloud providers like Microsoft need to be regulated because they have quasi-monopolistic levels of power. So they probably should face more additional scrutiny. Whether they should be charging additional dollars for security products to fix what may in turn be fundamental flaws that should never have happened in their products in the first place, I’m going to leave that to smarter people than me. But I think if [Microsoft] listen, if they act, if it’s not just a PR response to this, if they do what they did 22 years ago with Trustworthy Computing … and redo and re-plan and reinvest, they can come out of this. If they ignore this it will be at their peril.

Howard: What struck you as the worst of Microsoft’s failures in that incident?

David: The hardest part is it’s always the [failure to follow the] basics that get everybody … It’s a learning opportunity for all of us to say, ‘All of this [cybersecurity] is really, really hard and that we sometimes need to slow down how fast we’re running.’ We are running at breakneck speed to roll out new products, services, hit revenue margins. These are the pressures of running a business in a capitalist economy. But if we ignore these basics they always come back to bite us.

Howard: The incident where somebody left a server open without protection, that happens to many organizations: Someone creates and stores data in the cloud and they forget — or ignore — corporate rules on properly securing it. How do we stop that?

David: You don’t. That’s humans and technology. You try and create better processes, better procedures, better monitoring, better education for the people responsible for creating these things. But there is no technological silver bullet that can prevent a series of really dumb things happening because each of those dumb things on their own is likely very innocuous — and probably a very necessary part of the [business] process is to build systems and infrastructure. It’s just that sometimes we don’t even understand the full consequences of what we start and what it eventually becomes … The amount of hidden servers and data and other things that just get lost [in an IT environment] is stunning … Cloud asset and monitoring and permissions and tracking and all of this stuff isn’t sexy. It’s the basics. It’s paying attention to the details. The fact that we don’t have a cyber code for companies with a set of basic standards and proof of due diligence leads to this continuous cycle.

The post Cyber Security Today, Week in Review for week ending Friday, April 12, 2024 first appeared on IT World Canada.

Cyber Security Today, April 12, 2024 – A warning to Sisense customers, a new tactic for spreading the Raspberry Robin worm, and more

A warning to Sisense customers, a new tactic for spreading the Raspberry Robin worm, and more.

Welcome to Cyber Security Today. It’s Friday April 12th, 2024. I’m Howard Solomon.



Organizations that use products from business analytics provider Sisense [SI-SENSE] are being told to reset user login credentials and digital keys. The warning comes from the U.S. Cybersecurity and Infrastructure Security Agency after the discovery by independent researchers of a compromise at Sisense. IT leaders are also urged to report suspicious access to their Sisense platform to the CISA. Sean Deuby, principal technologist at Semperis, said the fact that the CISA had to issue a warning is ominous because Sisense has a number of large customers. Among them are Verizon and Philips Healthcare.

Crooks have found a new way to spread the Raspberry Robin worm for Windows systems. According to threat researchers at HP, the malware is now being delivered through Windows Script Files (.wsf). The scripts use a range of techniques to evade detection. Until now Raspberry Robin was usually spread through removable media like USB drives, or through RAR and 7-zip files hosted on Discord. The malware acts as an initial foothold into systems, allowing the download of other nasty attack tools. It isn’t clear how crooks are spreading the bad .wsf files. Probably it’s through phishing messages. Regardless, IT administrators should watch for unusual or unexpected .wsf files.

Threat actors are manipulating GitHub’s search function to distribute malware. That’s according to researchers at Checkmarx. Here’s the scam: Attackers create repositories with popular names and topics on GitHub. These hold malicious code in Visual Studio project files. Using tactics like automated updates and fake stars, they boost search rankings to attract unwitting victims to download the infected files. I regularly warn developers to be cautious when downloading files from public repositories. This is another example of why. Be suspicious of repositories with high commit frequencies in recently created accounts.

The cyber attack that hit Japanese optics manufacturer Hoya Corp. last week was ransomware. That’s according to several news media. The French website LeMagIT quotes Jbpress saying the Hunters International gang is responsible, and is demanding US$10 million after stealing 2TB of data.

The most common tactic threat actors use is a malicious script to automate action. That’s according to researchers at D3 Security. They recently mapped incident data to the Mitre Att&ck framework and found just over 50 per cent of attacks used a command and scripting interpreter to execute malicious payloads on victims’ systems. The second most common tactic was email phishing for initial access. That was used in just over 15 per cent of attacks. One lesson: watch for unusual and unexpected scripts on your network.

Finally, it can be hard for outsiders to measure the maturity of a country’s cybersecurity status. But consider these numbers from a survey by Cradlepoint of over 500 technology decision-makers at Canadian organizations: Only 45 per cent of respondents said their organization was using or familiar with multifactor authentication. Other endpoint or network security solutions with less than 50 per cent usage or knowledge include Secure Access Service Edge (also called SASE), web browser isolation, mobile device management, zero trust network access and edge security.

That’s it for now. But later today the Week in Review podcast will be out. Guest commentator David Shipley and I will discuss another cybersecurity issue at Microsoft, how IT help desks should be prepared for scammers, and more.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, April 12, 2024 – A warning to Sisense customers, a new tactic for spreading the Raspberry Robin worm, and more first appeared on IT World Canada.

Is EU competition working? One company shows a 250 percent increase. Hashtag Trending for Friday April 12, 2024

US Internet providers must now display clear pricing and product information. HP Ink controversy continues to stain the company’s reputation with consumers. Is the EU’s competition legislation working? Early numbers seem to show it might be. And there’s a 10 million dollar bet that Elon Musk is wrong about AI.

All this and more on the “all bets are off” edition of Hashtag Trending. I’m your host, Jim Love. Let’s get into it.

New regulations from the Federal Communications Commission have taken effect yesterday, mandating that all broadband internet service providers clearly display labels detailing the prices, speeds, data caps and other key information about their service plans.

The rules are aimed at helping consumers make more informed choices by requiring ISPs to disclose this data in a simple, standardized format akin to nutrition labels on food products.

In addition to fees charged, the labels must also now list any monthly data caps or overage fees, upfront costs like equipment rental fees, a provider’s customer service contact information, and any other plan limitations like throttling policies.

Despite this progress, consumer advocacy group Next Century Cities continued to push for even more information, saying that these broadband “nutrition labels” often overstate the real-world speeds customers can expect or obscure caps and fees.

Speaking to the FCC last month, one group urged that in addition to maximum speeds, the labels should show the average speeds users actually experience, as estimates of “typical” speeds are frequently overly optimistic.

While the requirements are comprehensive, some experts warn the volume of required disclosures could overburden smaller ISPs with limited resources compared to industry giants. For now, only providers with more than 100,000 subscribers must comply; smaller providers have been given an additional year.

The FCC is still gathering feedback on whether to mandate the display of promotional pricing periods and expiration dates, as well as taxes and fees beyond the base rate.

Next Century Cities is further advocating for a streamlined complaint process to report issues like digital discrimination in broadband deployment to the commission.

With the labeling rules now in place, the hope is that customers will be better equipped to comparison shop for broadband and avoid being misled about the true costs and capabilities of different internet packages.

Sources include: Ars Technica, Engadget, and Broadband Breakfast

Of all of the emails I get about stories, the HP printer issue is near the top of the list. People write me with their frustrations. And it turns out, they take these to the courts as well.

Printer owners are pushing back against HP Inc. in an ongoing class action lawsuit over firmware updates that allegedly disabled their devices from using third-party ink cartridges.

In a filing this week in an Illinois court, the plaintiffs accused HP of using software changes to monopolize the replacement ink market and “take advantage of customers’ sunk costs” in HP printers.

The consumers claim that despite never agreeing to only use HP-branded ink, recent firmware updates prevented their printers from accepting more affordable third-party cartridges.

They allege HP violated several anti-competitive statutes through this “tying scheme” accomplished via unauthorized software changes solely aimed at blocking rival ink suppliers.

The plaintiffs are seeking damages covering the cost of now-useless non-HP cartridges, as well as an injunction forcing HP to undo the firmware lockout.

For its part, HP insists it went to “great lengths” to inform buyers that its printers are designed to exclusively use HP cartridges containing security chips.

The company says the updates represent legitimate “dynamic security” measures to combat counterfeit ink, and that it does not conceal or block remanufactured cartridges reusing official HP chips.

HP also argues the plaintiffs cannot claim overcharge damages from the manufacturer under federal antitrust laws when they purchased through intermediaries.

As printer makers increasingly push subscription models, the controversy highlights long-standing tensions over the high costs of proprietary ink replacements versus third-party alternatives.

The bitter legal battle seems primed to further antagonize HP’s customer base over what critics condemn as anti-competitive practices designed to sustain lucrative ink sales.

Sources include: The Register

We’ve done a number of stories on legislation and regulation from the EU that is aimed at increasing customer choice and promoting real competition. Is it working? In one case it seems to have had an impact.

It turns out that some alternative web browsers are reporting an uplift in user interest and downloads in the European Union following the recent enforcement of a new digital regulation called the Digital Markets Act or DMA.

The landmark rules, which took effect last month, require dominant tech gatekeepers like Apple and Google to present mobile users with choice screens displaying alternative browsers and other core apps.

The goal is to shake up competition against pre-installed defaults and make users more aware of their options beyond Safari on iOS or Chrome on Android.

While it’s still very early days, several smaller browser makers have already shared positive metrics pointing to increased attention from EU users.

Norway’s Opera says new user growth was up 63% from February to late March, while fellow Norwegian browser Vivaldi reports a 36.7% jump in EU downloads, rising to nearly 70% in the eight countries where it appears on Apple’s choice screen.

The privacy-focused Brave browser also cited a doubling of daily iOS installs in the EU compared to pre-choice screen levels.

And little-known Cyprus-based rival Aloha claimed to have seen 250% growth in new users as it jumped from the 4th to 2nd biggest EU market.

However, not all alternative browsers are seeing clear gains yet. Veteran players like Mozilla’s Firefox, DuckDuckGo and Ecosia say it’s too early to accurately assess the DMA’s impact, as choice screen rollouts are still ongoing. Some observers suggest these browsers are purposely holding back from reporting success because they want to keep the pressure on to make the choice screens clearer and easier to adopt.

For example, there are complaints that Apple’s iOS implementation in particular has significant design flaws hampering users’ ability to make meaningful choices about switching browsers.

The European Commission has open investigations into suspected cases of improper compliance by the tech giants, including Apple’s choice screen methodology.

With this continued pressure from the largest alternative browsers, and given the EU’s track record, it is likely the Commission will be monitoring closely to ensure dominant gatekeepers are genuinely opening their platforms to greater competition and consumer choice as intended.

Sources include: TechCrunch

Some tech industry CEOs are putting their money where their skepticism is when it comes to Elon Musk’s ambitious predictions about artificial intelligence surpassing human intelligence in the next few years.

During a recent interview, the billionaire claimed AI will likely exceed the cognitive capabilities of any single human by the end of 2024, with AI as a whole outstripping the combined intelligence of all humans within just five years.

But those bold forecasts are being met with raised eyebrows and big bets from some AI experts who view Musk’s timeline as wildly unrealistic.

Gary Marcus, CEO of machine learning startup Geometric Intelligence, publicly offered up $1 million to anyone, including Musk, who can prove him wrong.

That prompted Damion Hankejh, CEO of ingk.com, to raise the stakes even further, saying he’d cover a $10 million wager against Musk’s AI predictions coming true.

Marcus said Musk has not responded to the million-dollar challenges yet, but added the Tesla CEO has previously ignored Marcus’ smaller $100,000 bet that artificial general intelligence was not actually imminent, as Musk claimed.

For Marcus, the bets are about more than just money. He wants to spark a public discussion with Musk about what artificial intelligence can realistically achieve in the near-term versus the almost utopian promises that have become common from tech leaders.

Marcus argues many in the industry have a track record of making scientifically implausible claims and missing self-imposed deadlines, pointing to the ongoing challenges with self-driving cars as one example.

While large language models have made rapid advances, Marcus contends the notion they could exceed human-level general intelligence within just a couple of years is fanciful, estimating that milestone may still be decades away.

As CEOs literally gamble over contrasting AI outlooks, the high-stakes bets underscore an intensifying debate over whether too much hype is obscuring the real state and timeline of artificial intelligence development.

I don’t know. Just this once and only once. I’m putting my money on Elon being right.

As always, love to hear what you might think.

And that’s our show for today…

Thanks to those who’ve written in with comments, including the person who wrote me about their trials and tribulations with HP printers and ink purchases.

Keep it coming. And don’t forget, you can find us on YouTube now. If you check us out there, please give us a like or even a subscribe as we try to build an audience there as well.

I’m your host Jim Love, have a Fantastic Friday.

The post Is EU competition working? One company shows a 250 percent increase. Hashtag Trending for Friday April 12, 2024 first appeared on IT World Canada.

Cyber Security Today, April 8, 2024 – Crooks are hijacking Facebook pages to spread phoney AI applications

Crooks are hijacking Facebook pages to spread phoney AI applications.

Welcome to Cyber Security Today. It’s Monday, April 8th, 2024. I’m Howard Solomon with a roundup of the latest cybersecurity news.

Cybercrooks are taking over poorly-protected Facebook profiles to spread links to fake artificial intelligence applications. That’s according to researchers at Bitdefender. They say the hijacked Facebook pages are designed to trick victims into downloading what they think are official desktop versions of AI software including ChatGPT, Midjourney, Sora AI, DALL-E, Evoto and others. What the downloaded apps really do is steal information from victims’ computers, including usernames, passwords, credit card numbers and crypto wallet information. One Facebook page impersonating Midjourney had 1.2 million followers until it was shut down last month. Two lessons from this: People need to protect their social media pages with strong passwords and multifactor authentication to ensure they aren’t taken over and abused by crooks. Also, organizations need to remind all employees they are forbidden to download applications from unapproved places like social media sites to any computer they have that’s allowed to connect to the company network.

Cisco Systems has tweaked the update it released last month to close a vulnerability in its IOS software for Catalyst 6000 series switches. The vulnerability is rated High.

Cisco also says there’s a vulnerability in the web-based management interface of six models of its RV series of Small Business Routers. Cisco says the hole could allow the devices to be compromised. Network administrators should disable remote management on two of the models. For the four other models certain ports should also be blocked. Note that software updates won’t be released to fix the vulnerability. Four of the routers are end-of-life and shouldn’t be on a network at all.

Threat actors have found a new way to compromise Adobe Magento e-commerce servers. Researchers at Sansec say that once an attacker gets into the server, they install code that adds a backdoor, and that backdoor is re-injected even after a manual fix or a fresh setup. It takes advantage of a vulnerability discovered in February. The goal is to insert a fake Stripe payment skimmer to steal credit and debit card information. Magento administrators should search for hidden backdoors and make sure their systems have the latest patches or are running the latest versions.

An American firm that provides economic experts to law firms doing litigation has increased the number of people it’s notifying about a data breach. In a filing with the Maine attorney general’s office, Greylock McKinnon Associates now says it’s notifying over 341,000 people their data was stolen last year. Its original estimate of victims was about 5,400 people. The information, including Social Security numbers, came from the U.S. Justice Department as part of a civil lawsuit. It was stolen in a cyber attack discovered last May.

Pacific Guardian Life Insurance is notifying just over 167,000 Americans of a data breach. In a notice to the Maine attorney general’s office it says the cause was phishing, but gives no other details of the incident. The theft was discovered last September. Among the data stolen were names and credit or debit card numbers and associated passwords or PIN numbers.

A Pennsylvania IT school is notifying almost 31,000 people of a data breach. The York County School of Technology says the data was stolen in a cyber attack just over 12 months ago. Data stolen included names as well as Social Security, drivers’ licence and State ID numbers.

A threat actor has launched a phishing campaign to steal information from the American energy sector. According to researchers at Cofense, the scheme involves targeted emails allegedly from the Federal Bureau of Transportation, sent to people claiming their vehicle had been in an accident or had been seen leaving an accident. It alleges they are at risk of being fined. The subject line of the message may include the word ‘Urgent.’ The possibility of a fine, of course, would attract the attention of the reader, who out of an abundance of caution would want to open the attached document — which links to malware. This is a variation of similar scams that have been going on for years and prey on people’s fear of being hurt if they don’t open a document. As always, you’ve got to examine who any message with an attachment comes from, and look for signs of a scam like incorrect grammar. The fact is government agencies don’t send email messages like this. For one thing, how do they know your email address?

Finally, as I told listeners last week, Ivanti has promised to overhaul its product security management practices after the disclosure of more vulnerabilities in its Connect Secure and Policy Secure gateways. John Pescatore of the SANS Institute, which offers cybersecurity training courses, has a suggestion: Any company that makes a security-related product should have to show to the public measurable progress in its security culture, such as third party testing of all products. The penalty: No security product company would be allowed to use the terms AI or machine learning in their marketing and advertising unless they go at least 12 months without a vulnerability that has a CVSS score above 7.

Links to details about news mentioned in this podcast episode are in the text version at ITWorldCanada.com.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, April 8, 2024 – Crooks are hijacking Facebook pages to spread phoney AI applications first appeared on IT World Canada.

Cyber Security Today, Week in Review for week ending Friday, April 5, 2024

Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday April 5th, 2024. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

In a few minutes Terry Cutler, head of Cyology Labs will be here to discuss some of the headlines from the past seven days.

They include a highly critical report on Microsoft from the U.S. Cyber Safety Review Board, a case study of a ransomware attack and the narrow escape the Linux community faced after a researcher discovered a plot to infect a critical open-source library.

Also in the news this week, five Canadian hospitals with a common IT provider that were hit by a ransomware attack last October revealed how many people were victims: Over 320,000. They will be getting notices next week.

City of Hope, a cancer treatment and research institution with facilities in California, Arizona, Illinois and Florida, notified over 827,000 people that data it holds on them was stolen. The incident was discovered in October. Data copied included names, contact information, dates of birth, Social Security numbers, drivers’ licence numbers, medical records and financial details.

American mortgage lender On Q Financial, which has branches across the country, notified over 211,000 people of a data theft. A hacker was able to exploit a vulnerability in the company’s use of ConnectWise’s ScreenConnect remote access software. Word of the vulnerability spread in February. However, On Q says its system was exploited almost 12 months ago, long before warnings were issued. Data stolen includes names and Social Security numbers.

A threat actor calling itself IntelBroker claims to have stolen classified files from a U.S. government contractor belonging to the Five Eyes intelligence co-operative. That group includes the U.S., Canada, the U.K., Australia and New Zealand. The Bleeping Computer news site says the U.S. State Department is investigating.

A threat actor that researchers at Trend Micro call Earth Freybug has created a new piece of malware to hide its activity. The researchers have given it the name Unapimon. It uses defensive evasion techniques like hijacking dynamic link libraries and unhooking APIs so Windows can’t see the other nasty things the threat actor is doing on a compromised system.

Progress Software released patches for its Flowmon network monitoring platform to fix a critical vulnerability. An unauthenticated remote attacker could use the hole to access Flowmon’s web interface.

Finally, Google released patches for 28 Android vulnerabilities in its April security fixes. It also warned that two of them may be under limited, targeted exploitation. As usual, the patches get installed automatically in Pixel smartphones. Distribution to phones from other manufacturers depends on the company and your wireless carrier.

(The following edited transcript is the first part of the discussion. To hear the full conversation play the podcast)

Howard: The Cyber Safety Review Board released its report into last year’s compromise of Microsoft Exchange Online email accounts — including those of senior American officials. The threat actor was a China-based group that researchers call Storm-0558. The review board is an arm of the U.S. Cybersecurity and Infrastructure Security Agency, but that didn’t stop it from taking Microsoft to the woodshed. The hack “was preventable and should never have occurred,” the report says. It calls Microsoft’s security culture “inadequate and requires an overhaul.” And it complained Microsoft hasn’t been up front with the public that it still doesn’t know how or when the hacking group obtained a signing key that allowed this attack to happen. Terry, this report really whacks Microsoft.

Terry Cutler: I love that comment, “Taking them out to the woodshed.” It [the report] actually answers questions for us, because we’re always wondering why whenever we do Office 365 penetration tests there’s so much red. It’s as if Microsoft turns off security by default and you have to re-enable everything. Whenever we do penetration tests we always come across user accounts that don’t have multifactor authentication turned on, password policy is not set, is it vulnerable to email spoofing, is it capable of receiving malicious attachments in their emails, or are there vulnerable plugins? We find all these things wrong in the system which should have been on and secured by default.

Howard: This report doesn’t just focus on Microsoft. It includes security recommendations for all cloud application providers. We’ll get to that shortly. But first here’s the background of this incident: In May and June of last year the threat actor called by researchers Storm-0558 compromised the Exchange Online mailboxes of 22 organizations and 500 people around the world. These included the email accounts of U.S. Commerce Secretary Gina Raimondo, the U.S. Ambassador to China, a member of U.S. Congress and the email accounts of several members of Britain’s National Cyber Security Centre. The attacker had access to some of these cloud-based mailboxes for at least six weeks. It downloaded approximately 60,000 emails from the U.S. State Department alone.

How did this happen? The attacker had somehow got hold of a digital signing key that Microsoft had created in 2016 and used it to create valid authentication tokens. For those who don’t know, signing keys are used for secure authentication. Combined with another flaw in Microsoft’s authentication system, the attacker had access to almost any Exchange Online account in the world.

Problem number 1, the stolen Microsoft Services Account key should have been able to only sign tokens for the consumer version and not the enterprise version of Outlook Web Access. The second problem was the key was issued in 2016 and was supposed to be retired in 2021 so shouldn’t have been able to sign new tokens at all. To this day no one knows how this gang got that key. Terry what did you think when you read this narrative?

Terry: It obviously highlights the fundamental issue in the lifecycle management for cryptography keys and the fact that this key, which was only supposed to be used for the consumer version [of Outlook Online], was able to work on the enterprise level. That’s a big problem. The incident also shines a light on a bigger problem around cloud security and the trust we have with them [cloud application providers]. People are always saying, ‘We’re going to move our system to the cloud,’ which is just somebody else’s hard drives. Now you’re outsourcing that cybersecurity burden to somebody else. This report shines a light on other cloud providers to reassess their cybersecurity practices. Are they practicing great identity and access management? Are they protecting their cryptographic keys and other sensitive assets?

It also highlights the fact that Microsoft needs to be more transparent [with customers about cyber incidents]. At one point there was a delay in Microsoft not knowing how the attackers got in. That caused a delay in disclosing [this attack] to the customers. So you need to work on prompt and transparent communication going forward.

Howard: The reason why the stolen digital key worked on enterprises as well as the consumer version of Outlook Web Access was an unknown vulnerability in the token validation system. The report says that responding to customer requests Microsoft had created a common endpoint service that listed active signing keys for both the consumer and the enterprise identity systems. But Microsoft didn’t adequately update its software development kits to differentiate between consumer and enterprise signing keys. The report says this was an unknown flaw. Does that let Microsoft off the hook?

Terry: Absolutely not. It might explain how the breach occurred but also highlights significant gaps in Microsoft security practices, particularly in the area of testing, validation and oversight for the changes in critical systems. In cyber security the goal is [to follow] the principle of least privilege. These are fundamental principles. So by creating a system where the key intended for consumers could also be used in enterprise settings misses something. The oversight was not updating their SDKs.

Howard: Microsoft suspects that this attack succeeded because the gang compromised the login account of an employee who worked for a company that Microsoft bought in 2020. The gang’s access continued after the acquisition. The report says the fact that Microsoft didn’t detect this shows a weakness in its merger and acquisitions cyber security assessment practice — that is, when you’re buying a company you have to thoroughly go through it and make sure that its systems not only are cyber safe but that its employees haven’t been compromised, so when you bring them into your company you’re not exposed. This thing is a lesson for all companies.

Terry: We see this quite often. We experienced this around 2021 when one of our clients was acquiring another company. As soon as they connected the [new company’s] network there were tons of flags going off, endpoint detection with malware … So you need to really make sure that the environment is clean before you bring them [new employees in an acquisition] into your network. You want to do pre-acquisition due diligence. Make sure their cyber security assessments align with your best practices. Make sure the environment is clean from malware, any beacons and things like that. Do a penetration test on them. Plug up the network sensors to see if there are any beacons going out, if there’s any large amounts of data leaving the network. Do you have a proper incident response plan built around the new company as part of your existing plan …

Howard: Among the recommendations the review board makes is that Microsoft should consider lowering its priority on adding new cloud product features until substantial security improvements across the company have been made. Is that a good idea?

Terry: …The goal now is to build trust … You would think Microsoft would have all the security in place, but because they can’t secure it properly that could be an escape for other cloud vendors to say, ‘If Microsoft can’t do it we can’t do it either…’

Howard: The review board also made a number of recommendations that any cloud application provider should follow. Among them: Cloud service providers should have modern controls around a rigorous threat model, automated digital key rotation should be a rule, adoption of a minimum standard for default audit logging to help detection, they should follow digital identity standards and they should be more transparent around incidents and notifying victims. The review board also recommends the U.S. should create a process to do special reviews of authorized government cloud providers following high impact situations. Are these recommendations tough enough?

Terry: It’s definitely a great step in the right direction. I think the problem we’re going to see is do we have enough knowledgeable [cybersecurity] staff to help implement all these solutions that we want? Is it going to be affordable? Because you know if it’s extremely expensive that cost has to be sent back to the customers. What we’re seeing now is that a lot of customers don’t want to spend all the time, money and resources to deal with cybersecurity. So they’re going to outsource this piece — but the cloud providers better have a good solution in place that can really detect threats.

Howard: Before this episode was recorded I asked for comment from the Cloud Security Alliance, which is an industry group that includes Microsoft, which recommends best security practices to cloud providers. Kurt Seifried, the group’s chief innovation officer, said that there’s no excuse for Microsoft to have used servers without hardware security modules to protect this particular signing key. It uses hardware security modules to protect other keys, he noted. He also added that last November Microsoft announced that under its Secure Future Initiative it’s moving management of identity signing keys to an integrated Azure infrastructure that has hardware security modules.

I also asked Microsoft for comment on the review board report. A spokesperson said “Recent events have demonstrated a need to adopt a new culture of engineering security in our own networks. While no organization is immune to cyberattacks from well-resourced adversaries, Microsoft has mobilized its engineering teams to identify and mitigate legacy infrastructure, improve processes and enforce security benchmarks. Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber armies of our adversaries.” Microsoft will also review the final report for additional recommendations.

I think this is a report that everyone who works in IT or is studying for a career in IT should read.
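The token-validation gap discussed in the interview above (a single endpoint listing both consumer and enterprise signing keys, an SDK that did not distinguish between them, and a key still honoured years past its retirement date) can be shown with a small validator. This is an added illustrative example, not code from the page, from Microsoft, or from the review board; the key metadata fields, the HMAC-based signing that stands in for the real asymmetric signatures, and the token layout are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key list: one "common endpoint" that publishes both the
# consumer and the enterprise signing keys, each with the identity system
# it was issued for and the date it was supposed to be retired.
KEYS = {
    "consumer-2016": {
        "secret": b"constructed-consumer-secret",
        "scope": "consumer",
        "not_after": datetime(2021, 1, 1, tzinfo=timezone.utc),
    },
    "enterprise-2023": {
        "secret": b"constructed-enterprise-secret",
        "scope": "enterprise",
        "not_after": datetime(2026, 1, 1, tzinfo=timezone.utc),
    },
}


def sign_token(kid: str, claims: dict) -> str:
    """Mint a header.claims.signature token with KEYS[kid] (test helper)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(KEYS[kid]["secret"], signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def _parse(token: str):
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64(header_b64))
    claims = json.loads(_unb64(body_b64))
    return header, claims, f"{header_b64}.{body_b64}".encode(), _unb64(sig_b64)


def _signature_ok(key: dict, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(key["secret"], signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_naive(token: str, now: datetime) -> tuple:
    """The weak pattern: any key on the combined list is trusted for any
    token, and the key's own retirement date is never consulted."""
    header, claims, signing_input, sig = _parse(token)
    key = KEYS.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return False, "bad signature"
    if datetime.fromtimestamp(claims["exp"], timezone.utc) < now:
        return False, "token expired"
    return True, "accepted"


def validate_hardened(token: str, now: datetime) -> tuple:
    """Scope-aware validation: the key must belong to the identity system the
    token claims to come from, and a retired key signs nothing."""
    header, claims, signing_input, sig = _parse(token)
    key = KEYS.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return False, "bad signature"
    if key["scope"] != claims.get("iss"):
        return False, f"key scope {key['scope']} cannot sign {claims.get('iss')} tokens"
    if now >= key["not_after"]:
        return False, "signing key retired"
    if datetime.fromtimestamp(claims["exp"], timezone.utc) < now:
        return False, "token expired"
    return True, "accepted"


def demo() -> dict:
    """Run both validators over a mis-scoped token and a legitimate one."""
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)
    exp = int(datetime(2023, 6, 2, tzinfo=timezone.utc).timestamp())
    claims = {"iss": "enterprise", "sub": "user@example.test", "exp": exp}
    # Enterprise token signed with the long-retired consumer key.
    mis_scoped = sign_token("consumer-2016", claims)
    legit = sign_token("enterprise-2023", claims)
    return {
        "mis_scoped_naive": validate_naive(mis_scoped, now),
        "mis_scoped_hardened": validate_hardened(mis_scoped, now),
        "legit_naive": validate_naive(legit, now),
        "legit_hardened": validate_hardened(legit, now),
    }
```

The naive validator accepts the mis-scoped token because the signature checks out against a key it trusts; the hardened one rejects it on scope before even reaching the retirement check, which would have caught it too.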

The post Cyber Security Today, Week in Review for week ending Friday, April 5, 2024 first appeared on IT World Canada.