
Cyber Security Today, Week in Review for week ending Friday, April 26, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday April 26, 2024. From Toronto, I’m Howard Solomon.



In a few minutes David Shipley, head of Beauceron Security, will be here to discuss some of the biggest news of the past week. They include the latest developments in the ransomware attack on Change Healthcare, a vulnerability found in an abandoned open source project, the next step in Canadian cybersecurity legislation for overseeing critical infrastructure and the passing in the U.S. of a law demanding China’s TikTok become Americanized.

But before we get to the discussion here’s a review of other headlines from the past seven days:

The Top 10 countries hosting the greatest cybercriminal threats are led by the usual suspects: Russia, Ukraine and China. That’s according to university researchers. Other nations, in descending order, are the U.S., Nigeria, Romania, North Korea, the United Kingdom, Brazil and India. The countries in the Cybercrime Index were ranked on the professionalism and technical skill of resident threat actors. Russia was easily ahead of number two Ukraine by more than 20 points.

A threat actor has been interfering with the software update mechanism of the eScan antivirus product. According to researchers at Avast, the goal is to install backdoors and coinminers on corporate IT networks by substituting a malicious update for a real one. Based in India, eScan is also sold in the U.S., Latin America, Germany and Malaysia. The vulnerability was supposed to have been fixed last July. Avast says it is still seeing new infections, perhaps because some eScan software on corporate computers hasn’t been updated properly.

Among the continuing problems suffered by the city of Leicester, England from a ransomware attack seven weeks ago is the inability to turn off some city street lights. A local news site reports the problem is a side effect of having to shut down municipal IT systems. The attackers stole and published city data.

Some brands of booze in Sweden may be hard to get hold of this weekend because of a ransomware attack on a liquor distributor, the company has warned.

Pressure from police to block end-to-end encryption on common apps continues. Last week European police chiefs issued a statement urging governments and industry to stop allowing end-to-end encryption of apps and social media platforms. They say end-to-end encryption prevents law enforcement from obtaining evidence for criminal charges. Others say end-to-end encryption protects privacy.

A veterinary clinic in Marysville, Kansas is notifying almost 26,000 customers their data was stolen when the company’s online payments page was compromised. Credit card data was among the information copied earlier this year.

The public school board of Buffalo, New York is notifying just over 19,000 people some of their personal information was seen by a hacker. The incident took place in February when two email accounts were accessed. Names, contact information and Social Security numbers could have been seen.

And the Catholic Diocese of Cleveland is notifying almost 10,000 people that personal data was copied when a hacker compromised an employee’s email account early this year or late last year. Information included names and Social Security numbers. You may recall last Friday I reported that the Catholic Diocese of Phoenix was notifying people of a data breach.

(The following is an edited transcript of the first of four topics in the discussion. For the full discussion play the podcast)

Howard: Joining me now from Fredericton, New Brunswick is David Shipley, CEO of Beauceron Security.

Let’s start with the latest from the February ransomware attack on Change Healthcare, a technology and payments provider to hospitals and clinics across the United States. On Monday parent company UnitedHealth Group acknowledged that data stolen “could cover a substantial proportion of people in America.” That’s short for “this was a huge data breach.” Data stolen included protected health information or personally identifiable information, but not doctors’ charts or full medical histories. In addition, UnitedHealth told TechCrunch that a ransom was paid to the hackers “to do all it could to protect patient data from disclosure.” This lines up with claims by an affiliate of the BlackCat/AlphV ransomware gang that Change Healthcare paid US$22 million to the gang — but the gang leaders took all of the money and didn’t pay the affiliate their cut. Meanwhile, a second ransomware gang, RansomHub, is posting data it says is from Change Healthcare. It isn’t clear if that was part of the original data theft or a new hack.

David Shipley: Keep in mind that the previous high water mark for a substantial proportion of the population was the Anthem Blue Cross breach in 2015 in which 80 million people’s records were stolen and resulted in a $117 million class action settlement in which Anthem did not admit any wrongdoing. The attack was allegedly tied to nation-state level espionage and was quite sophisticated. But it was the pre-ransomware cowboy era, not the one that we’re in now. So my thoughts are, this one is going to be massive.

Howard: What did you think about the UnitedHealth announcement and this whole ransomware attack — in particular where the AlphV/BlackCat gang seems to have taken all the money and then announced they were disbanding?

David: It’s not the first time bad actors have taken the money and run exit scams. I think what we’ve just discovered is number 1, when you cripple the healthcare system to the level that they just did, when you mess with the pharmacy for the U.S. military, you start thinking, ‘Maybe it’s time to get out of Dodge.’ Yes, they are probably getting a whole lot of heat. So it made sense. Essentially these are little cockroaches, though. They just scurry, they hide and then they reform and they come back again as a rebranded group. But there’s still the awfulness.

What I’m dying to know is did UnitedHealth get the [data] unlock keys, because if they [AlphV/BlackCat] stiffed the affiliate and they ran with the money did they at least throw them [United Health] a bone so they can lock their data? Or did they just completely run? Even though healthcare data is the one area where I’ve given a hall pass on [allowing] paying ransoms, I kind of hope they didn’t give them the key because this might finally be the nail in the coffin of people thinking, ‘Paying the ransom is the sanest option for our business.’

Howard: I want to go back to the huge numbers [of potential victims]. This is 2024. Maybe organizations can’t stop every cyber intrusion but shouldn’t IT leaders know enough that systems have to be segmented so that no more than a small chunk of data can be stolen?

David: I don’t necessarily disagree. But I think what you’re saying presumes that people can accurately simulate or test chains of consequences in the digital environment. That each on their own is not catastrophic. But when combined in very unique ways, boom! What do I mean by that? Let’s just take a story: A server that was in the testing environment that never got switched off on its own, probably not that big of a deal [if it’s compromised]. Take that server and now it’s actually in production, problematic if it’s not getting patched, if it’s being over-provisioned with way too much access. See Microsoft’s recent pain. Think if people knew things like that, where big glaring red alerts are, would they do something about it? They absolutely would act on it. I am completely convinced that we cannot accurately deal with this [cybersecurity] because of cyber chaos theory … We presume with great arrogance that we have control over increasingly complex opaque systems or systems-in-systems and that we can somehow get a handle on all the possible permutations and combinations that can lead to cyber attacks. See Microsoft’s two very painful breaches this year [as evidence] that even the biggest of us can’t do it.

Howard: Also on Monday the Wall Street Journal said that whoever broke into Change Healthcare used a stolen username and password. That’s still a highly usable weapon [for threat actors].

David: Usernames and passwords have been in play in computing for 50-plus years. Mark my words they will be around for at least another 50 years. Change is hard in technology. Change is even harder in humans. We are not even through the beginning of the end chapter when it comes to passwords. This is why people, process and culture are the root of cyber events, not just technology.

Howard: Next Tuesday, UnitedHealth CEO Andrew Witty is scheduled to testify before a committee of the U.S. House of Representatives. They won’t be in a good mood.

David: Grab your popcorn. But also in a certain sense UnitedHealth is paying the price that all of us have incurred by not demanding better when it comes to cyber hygiene for critical infrastructure, by demanding increasingly digital systems and never anticipating the negative consequences that come from the use of technologies. As a species we have a damn near fatal blind spot when it comes to the risk side of technology. We are so overly hyper-focused on all the benefits all the rewards, all the gains, or all the coolness, of something bright and shiny that we never stop to think, ‘Just because we can do something doesn’t mean we should do something.’

Howard: And this attack has been hugely expensive for the company. Last week UnitedHealth estimated that costs so far for remediating this mess are US$872 million. On top of that, it’s provided billions of dollars in advance funding and no-interest loans to healthcare institutions, their customers, that were caught short when Change Healthcare systems had to be temporarily closed …

David: Maybe the best thing that comes from that is that people will invest [in cybersecurity] because you know that $800 million remediation cost? We have a term for that: We call it ‘technical debt’ …

Howard: What if they had spent, say, $10 million [more] on increased cyber security [before the attack]?

David: The lack of independent, academic peer-reviewed studies into root cause analysis [of incidents], like a CSRB [Cybersecurity Safety Review Board] report could point at that. That is the most important thing we’re missing. In this industry we love to haul around and scare the pants off people. “Six billion dollars is going to be lost to cybercrime!” But we don’t tell them how easy it could have been to avoid, or the massive amount of ROI [return on investment] that just comes from doing it [cybersecurity] proactively.

The post Cyber Security Today, Week in Review for week ending Friday, April 26, 2024 first appeared on IT World Canada.

Cyber Security Today, April 26, 2024 – Patch warnings for Cisco ASA gateways and a WordPress plugin

Patch warnings for Cisco ASA gateways and a WordPress plugin.

Welcome to Cyber Security Today. It’s Friday, April 26th, 2024. I’m Howard Solomon.




Network administrators with Cisco Systems’ ASA security appliance on their networks are urged to install the latest security patches. This comes after the discovery of two zero-day vulnerabilities that are being exploited. Cisco says the attacker is likely a government-backed threat actor. Although compromised devices were first seen in January, attack activity may have started as early as last November. Cisco can’t say right now how devices were compromised. This attack deposits a backdoor on ASA gateway devices, which combine firewall, antivirus, intrusion prevention and virtual private network capabilities. Cisco also says network telemetry and information from intelligence partners indicate the actor is interested in — and potentially attacking — Microsoft Exchange servers and network devices from other vendors.

A threat actor is hiding behind the cache of a content delivery network to deliver information-stealing malware to organizations around the world. That’s according to researchers at Cisco’s Talos threat intelligence service. Firms hit so far are in the U.S., the U.K., Germany, Norway, Poland, Japan and elsewhere. The researchers suspect the threat actor is a Vietnam-based group they call CoralRaider. It’s suspected employees are tricked by phishing emails into downloading and opening a malicious ZIP file that triggers infection. Inside the ZIP file is a shortcut file that starts a PowerShell command. It eventually downloads malware for vacuuming up credentials, cookies, credit card numbers and anything else it can find.

Last September researchers at Sekoia took over a command and control server distributing the worm version of the PlugX backdoor. The goal of the takeover was to sinkhole the distribution botnet — in other words, automated requests for the malware would disappear as if into a sinkhole. However, Sekoia said this week there are still tens of thousands of internet-connected devices trying to connect to the server every day. In other words, this worm can’t be completely stopped because it’s still replicating itself. Because Sekoia controls the distribution server it thinks it could issue a command to infected computers to delete PlugX, but there are legal implications. Deleting it from infected flash drives that spread it may be harder, especially if they aren’t plugged into a computer. Because infected USB keys and storage devices are still used to spread many types of malware Sekoia urges IT administrators to prevent any file from executing from a removable device, or set Windows to deny removable devices from being used by any employee.

Threat actors are actively exploiting unpatched installations of WordPress that use a vulnerable version of the WP Automatic plug-in. That’s according to researchers at WPScan. This plug-in allows the automated posting of content to any website. The hole in the plugin — a SQL injection flaw — was revealed weeks ago and a patch is available. Slow patchers are paying the price by seeing their WordPress accounts taken over.

Despite efforts of educators and job recruiters to boost the participation of women in cybersecurity, the number of women working in the sector hasn’t budged much. That’s one of the findings of a close look at data collected in the annual global cybersecurity workforce study by the ISC2. The full report was released in February, but the analysis of the survey responses of women was released this week. The number of women in the industry is estimated to be between 20 and 25 per cent. But there’s a higher representation among workers under the age of 44. On average, respondents said 23 per cent of their security teams are made up of women. However, 11 per cent of all survey participants said there were no women on their security teams. Twenty-one per cent of men surveyed couldn’t estimate how many women were on their security teams. By comparison 13 per cent of the women respondents said they couldn’t guess how many teammates were women. The salary gap between men and women still exists. On average it’s about $5,400. The report says there are several ways employers can help increase women’s participation in cybersecurity, including setting hiring, recruitment and advancement metrics in the organization, and making pay equity a priority.

That’s it for now. But later today the Week in Review podcast will be out. Guest commentator David Shipley of Beauceron Security will discuss the future of TikTok, the latest in the Change Healthcare ransomware attack, the latest progress in Canada’s proposed cybersecurity law regulating some critical infrastructure sectors and more.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.


Cyber Security Today, April 24, 2024 – Good news/bad news in Mandiant report, UnitedHealth admits paying a ransomware gang, and more

Good news/bad news in Mandiant report, UnitedHealth admits paying a ransomware gang, and more.

Welcome to Cyber Security Today. It’s Wednesday April 24th, 2024. I’m Howard Solomon.





Security teams may be getting better at finding hackers lurking in their IT systems. That’s according to Mandiant’s latest annual M-Trends report. The mean time an attacker spent on Mandiant customers’ networks before being detected dropped last year to 10 days. That’s compared to 16 days before being detected in 2022. However, the report suggests ransomware played a key role in the drop because it tends to be detected more quickly than other malware. Having a hacker in your system for 10 days, though, isn’t a lot to cheer about. Here’s something else to think about: Last year 54 per cent of those surveyed who were hacked said they first learned of the compromise from an external source, like a law enforcement agency, customer or a security researcher, and not their own staff. That’s an improvement from 2022. But that number jumped to 70 per cent who learned from an outside source they’d been compromised in cases of ransomware. That’s because most organizations only learn they were penetrated from the ransom note left by the attacker.

The parent company of American healthcare payment processor Change Healthcare has acknowledged it paid a ransomware gang that hit the company in February. UnitedHealth told the TechCrunch news service that a ransom was paid to protect patient data from disclosure. The company wouldn’t confirm reports that $22 million was paid to the AlphV/BlackCat gang. The gang reportedly took all the money and didn’t pay the affiliate that stole data. That data is up for sale by a gang called RansomHub. How much data was stolen? UnitedHealth didn’t say, but does admit it “could cover a substantial proportion of people in America.”

Application developers must make sure their software doesn’t include code from abandoned open-source projects. The warning comes from researchers at Legit Security, who recently discovered a dependency confusion vulnerability in the Apache Cordova App Harness project. That project is no longer supported, but last month was still available in some open-source code repositories. Briefly, if an application included this code it could have been swapped for a malicious version with the same name that had been planted in an open-source repository. Apache has been notified and taken action. But the incident is a warning to developers to audit their codebase and replace archived or unmaintained third-party code.

The U.S. is offering a reward of up to US$10 million for the location of four Iranians who allegedly hacked American government departments, defence contractors and two New York based companies. An indictment naming the four was released Tuesday. The attacks allegedly took place between 2016 and 2021. In one case the group compromised more than 200,000 employee records of an organization.

Separately, the U.S. is imposing visa restrictions on 13 people involved with or family members of developers or sellers of commercial spyware. This is part of a promised crack-down on the misuse of commercial spyware announced in February.

Microsoft has published new research about the tool used by a Russian gang that has been exploiting a vulnerability in the Windows Print Spooler service. The threat actor is called Forest Blizzard, Strontium and APT28 by some researchers. The tool used to exploit the vulnerability is called GooseEgg. Security teams may find the background report helpful in defending their environments. This hole was discovered and patched in 2022, but the gang may have been using it since 2019.

University of Calgary computer science professor Ken Barker has been named scientific director of Canada’s National Cybersecurity Consortium. He has held the position in an interim role for the past 12 months. The coalition works with the public and private sectors to encourage cybersecurity education and innovation in higher education and businesses. The consortium is currently funding 20 research projects ranging from finding ways to better protect critical infrastructure to supporting a master’s degree in cybersecurity management.

Finally, a week from today will be World Password Day. So start thinking about whether your passwords are safe. Make sure your passwords — or better, passphrases — are at least 14 characters long and include a number, a capital letter and a symbol. Use a password manager to keep track of them. That way you aren’t tempted to create a simple password that can be guessed. And IT managers should set up multifactor authentication for employees to guard against a hacker guessing or cracking passwords. Think about this: it will take 22 hours in a brute-force attack to crack an eight-character password made up of only lower-case letters. That’s according to a new calculation by Hive Systems. Twenty-two hours might deter a threat actor who wants fast results. It might not. However, the analysis assumes an organization stores the password using the latest protection algorithms. If not, a brute-force attack will crack any password faster. A 14-character password with a mix of upper and lower case letters, a number and a symbol would take 805 billion years to crack in a brute-force attack. Even if it was made up of only lower-case letters, it would take 766 years to crack. Passwords should never be common words like ‘elephant’ or ‘Susan’ — or ‘Susan123’ — but a phrase with two or more words that can’t be guessed. And never use the same password on different sites. This advice, of course, applies to home computers as well.
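The two factors behind the figures above are the size of the search space (alphabet size raised to the password length) and how fast an attacker can test guesses, which depends almost entirely on the hashing algorithm the organization stored the password with. The following script is an added example, not part of the original post or of Hive Systems’ calculation: it sizes the keyspace for a password, estimates exhaustive-search time under two assumed guess rates (the rates and the character-class sizes are assumptions, chosen only to show the scaling), and applies the 14-character, number, capital and symbol policy the post recommends, using a small constructed list standing in for a real common-password list.

```python
import string

# Assumed character-class sizes for the keyspace calculation (not figures from the post).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32

# Constructed denylist standing in for a real common-password list.
COMMON_WORDS = {"elephant", "susan", "susan123", "password", "welcome1"}

# Assumed guesses-per-second for one attacker setup. A fast unsalted hash and a slow,
# salted, iterated hash differ by orders of magnitude, which is the post's caveat
# about "the latest protection algorithms".
ASSUMED_GUESS_RATES = {"fast unsalted hash": 1e11, "slow adaptive hash": 1e5}


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive search must consider."""
    return alphabet_size ** length


def alphabet_size_for(password: str) -> int:
    """Sum the sizes of the character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(c in string.punctuation for c in password):
        size += SYMBOLS
    return size


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def human_duration(seconds: float) -> str:
    for unit, size in (("years", 31557600), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def crack_time_report(password: str) -> dict:
    """Exhaustive-search time for this password's length and classes under each assumed rate."""
    alphabet = alphabet_size_for(password)
    return {
        label: human_duration(seconds_to_exhaust(len(password), alphabet, rate))
        for label, rate in ASSUMED_GUESS_RATES.items()
    }


def meets_policy(password: str) -> bool:
    """The post's advice: 14+ characters, a number, a capital letter, a symbol, no common word.

    The common-word check also strips digits and symbols so that 'Susan123' is caught
    by the entry 'susan'.
    """
    if len(password) < 14:
        return False
    stem = "".join(c for c in password if c.isalpha()).lower()
    if password.lower() in COMMON_WORDS or stem in COMMON_WORDS:
        return False
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return has_upper and has_digit and has_symbol


if __name__ == "__main__":
    for candidate in ("elephant", "Susan123", "Correct-Horse7Battery"):
        print(candidate, "policy ok" if meets_policy(candidate) else "rejected", crack_time_report(candidate))
```

The point the report makes visible is that length multiplies the keyspace geometrically (six extra lower-case characters multiply it by 26^6) while the choice of hashing algorithm shifts the time estimate by a constant factor of a million or more, so a defender controls both levers: the policy on the user side and the storage algorithm on the server side.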



Cyber Security Today, April 22, 2024 – Vulnerability in CrushFTP file transfer software, security updates for Cisco’s controller management application, and more

Vulnerability found in CrushFTP file transfer software, security updates for Cisco’s controller management application, and more.

Welcome to Cyber Security Today. It’s Monday April 22nd, 2024. I’m Howard Solomon.



A warning is going out about a vulnerability in another file transfer platform. The hole is in CrushFTP servers, which run on Windows, Linux, Unix and Macs. Versions below 11.1 are open to compromise. The exceptions are servers that have a DMZ in front of their main CrushFTP servers.

Cisco Systems has released security updates to close vulnerabilities in its Integrated Management Controller, a web interface used in a number of products. A remote hacker could exploit one of these vulnerabilities to take control of a system. Products affected include 5000 series Enterprise Network Compute Systems, UCS-C, E and S series servers, and Catalyst 8300 series edge servers.

LastPass, which makes a password manager used by companies and individuals, says a phishing campaign to trick users into giving up their passwords has begun a new phase. People get a phone call claiming their LastPass account has been compromised and are asked to press 2 to block the attack. Then the victim gets a second phone call from a person pretending to be a LastPass employee, who sends them an email with a supposed link to reset their account. The link, though, goes to a fake LastPass web page where the victims’ passwords are copied so the crook can enter their LastPass account and change the access password. From there the crook can do nasty things like access bank accounts. No one will call you claiming to be from LastPass support. Or Microsoft. Or your bank. Or the government.

A new variant of the Redline information stealer has been spotted. Researchers at McAfee don’t say how it’s being distributed. But it seems to be aimed at gamers because the malware tries to install an application called Cheat Lab. But network defenders should note two things: The malware appears to be hosted on Microsoft’s official GitHub repository. As researcher Ax Sharma notes in a tweet, that takes advantage of a GitHub flaw. Defenders should also note the malware includes a Lua just-in-time compiler to help evade detection.

Administrators who use Ivanti’s Avalanche mobile device management software should consider the application, as well as the laptops, smartphones and other devices it manages, to be compromised. That’s the advice from commentators at the SANS Institute. It follows the release by Ivanti of security updates to patch more than 17 vulnerabilities.

Separately, last week the MITRE Corp., which creates cybersecurity frameworks, admitted a threat actor used two zero-day vulnerabilities in its Ivanti Connect Secure gateway earlier this month to get past defences. Using session hijacking, the attacker was able to get past multifactor authentication. Then they dug deep into MITRE’s VMware infrastructure using a compromised admin account to steal credentials.

The latest list of American organizations notifying customers or employees of data breaches includes

–The Township of Montclair, New Jersey is notifying almost 18,000 people that some of their information was stolen in a data breach last May. Among the information copied were names, driver’s licence numbers and non-driver ID card numbers;

–Kisco Senior Living, a chain of seniors’ residences in 12 states, is notifying over 26,000 people of a data breach that happened last June. Data copied included names and Social Security numbers;

–Green Diamond Resource Company, which logs forests in five states, is notifying almost 28,000 people about a data breach last June. Data copied includes names, Social Security numbers, financial account information, full-access credentials, and driver’s license numbers or state identification numbers.

Finally, cyber defenders may be interested in a background report released last week by several law enforcement agencies on the Akira ransomware gang. It includes a list of the gang’s tactics and indicators of compromise.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon


Cyber Security Today, Week in Review for week ending Friday April 19, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, April 19th, 2024. I’m Howard Solomon.



In a few minutes Jen Ellis, a member of the Ransomware Task Force, will be here to talk about the group’s recent report on what governments need to do before banning ransom payments. But first a look at some of the headlines from the past seven days:

Sophisticated cyber attacks aren’t new. But old-fashioned brute force credential attacks are still being used by threat actors. Researchers at Cisco Systems’ Talos threat intelligence service say brute force attacks have increased since March. The targets are wide and include virtual private network services, web application authentication interfaces and SSH services. IT leaders should make sure this type of attack is made difficult by having all employees use multifactor authentication and other defensive tactics to block brute-force logins.
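Brute-force login attempts are among the easiest attacks to see in authentication logs once you count failures per source over a short window. The script below is an added example, not code from the original post or from Talos: it parses sshd-style "Failed password" lines, keeps a sliding window of failures per source address, and raises an alert when the count crosses a threshold, also reporting how many distinct usernames were tried (a signal that separates guessing one account from spraying many). The log lines, the threshold and the window length are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd auth-log lines (addresses are documentation ranges).
SAMPLE_LOG = """\
Apr 19 03:12:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 19 03:12:04 bastion sshd[2213]: Failed password for root from 203.0.113.5 port 51240 ssh2
Apr 19 03:12:09 bastion sshd[2215]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
Apr 19 03:12:15 bastion sshd[2217]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Apr 19 03:12:20 bastion sshd[2219]: Failed password for root from 203.0.113.5 port 51255 ssh2
Apr 19 03:12:27 bastion sshd[2221]: Failed password for invalid user ubuntu from 203.0.113.5 port 51260 ssh2
Apr 19 03:15:40 bastion sshd[2230]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Apr 19 03:15:58 bastion sshd[2232]: Accepted publickey for alice from 198.51.100.7 port 40023 ssh2
"""

# Syslog timestamp, then the sshd failure message. "invalid user" is optional because
# sshd omits it when the account exists.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines, year=2024):
    """Yield (timestamp, username, source_ip) for each failed-password line.

    Syslog timestamps carry no year, so one is supplied (assumed here).
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        yield ts, m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert on any source with >= threshold failures inside a sliding window.

    Returns {ip: {"failures", "distinct_users", "first", "last"}} for sources that
    crossed the threshold; the record reflects the window at the last failure.
    """
    events = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        events[ip].append((ts, user))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        window = deque()
        for ts, user in evs:
            window.append((ts, user))
            # Drop failures older than the window relative to the newest one.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                alerts[ip] = {
                    "failures": len(window),
                    "distinct_users": len({u for _, u in window}),
                    "first": window[0][0].isoformat(),
                    "last": ts.isoformat(),
                }
    return alerts


def run_sample():
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, info in run_sample().items():
        print(f"ALERT {ip}: {info['failures']} failures, {info['distinct_users']} usernames, "
              f"{info['first']} .. {info['last']}")
```

A single mistyped password from 198.51.100.7 stays below the threshold and produces nothing, while 203.0.113.5 is flagged with six failures across five usernames in under thirty seconds. In production the same logic feeds a block or rate-limit action, and the distinct-user count is worth keeping as its own field because a spray across many accounts often stays below a per-account lockout threshold.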

Russia’s Sandworm cyber group has been upgraded to an advanced persistent threat actor by researchers at Mandiant. An arm of the Russian military, Sandworm is linked to the NotPetya data wiper that was aimed at Ukraine but escaped around the world, as well as cyber attacks in 2015 and 2016 on Ukraine’s energy grid. But Mandiant also warns this group has tools for collecting intelligence, spreading disinformation and sabotaging IT networks in any country to support Russia’s political aims.

Separately, Microsoft warned in a report that Russia has increased its anti-Ukraine disinformation messages to Americans online in the run-up to this year’s U.S. elections. This includes video commentary spread by websites that are covertly managed by Russia. The report also says China is in the game, using artificial intelligence applications to create videos and manipulated images.

At the same time the U.S. Director of National Intelligence issued an eight-page report on the latest tactics by Russia, China and Iran to undermine confidence in the upcoming U.S. elections through fake online personas on social media.

Organizations using SAP’s business applications continue to be targeted by threat actors. That’s according to researchers at Onapsis and Flashpoint. No doubt it’s because some of the biggest companies in the world use SAP software. How valuable is it to an attacker? The prices hackers are paying to buy a remote exploit for SAP applications increased 400 per cent in the past four years. What’s of concern is that many victims have SAP installations without the latest patches. IT staff in charge of patch management have been warned.

UnitedHealth, the American parent company of Change Healthcare, said in a regulatory filing that the first quarter cost of handling February’s ransomware attack came to US$872 million. The news service The Register notes that’s on top of perhaps as much as US$6 billion in advance funding and interest-free loans UnitedHealth had to give many care providers using its services.

An arm of the United Nations has admitted being hit recently by ransomware. The UN Development Programme told the cybersecurity news service The Record that data on current and past employees was stolen from a server. The 8Base ransomware gang has taken credit for the attack. The same gang is taking credit for a ransomware attack on the Atlantic States Marine Fisheries Commission.

A cyber attack on New York state has disrupted work printing legislation and the upcoming budget.

A Michigan health care provider is notifying over 184,000 people their data was stolen last December. Cherry Street Services, which provides primary, dental, vision and other services, says data stolen included names, dates of birth, Social Security numbers, diagnosis and treatment information, health insurance information and more.

And the Roman Catholic Diocese of Phoenix, Arizona is notifying over 23,000 people, including those in the diocese’s employee benefits plan, that their data was stolen. In the incident discovered in January, people’s names, addresses, dates of birth and Social Security numbers were copied.

(This transcript is an edited version of the conversation. To hear the full discussion play the podcast)

Howard: Joining me now from Cambridge, England to talk about fighting ransomware is Jen Ellis, a co-chair of the Ransomware Task Force and host of the Distilling Cyber Policy podcast.

I’ve asked you to be on the show because last week the Task Force, which is an international group of experts, issued its third report since 2021. A Roadmap to the Potential Prohibition of Ransomware Payments, outlines a roughly two-year plan for what ought to be done if governments want to institute a ban on ransomware payments. We’ll talk about that report in a minute. First tell us about yourself.

Jen Ellis: As you can probably tell [from my accent] I’m British, but I started doing policy engagement when I lived in the U.S., which I did for many years. I worked very, very closely with security researchers for a long time and started to understand that the legal environment in the U.S. was chilling research and hurting both the security industry, but also much more importantly, society as a whole by holding back security information from society. So I started to get involved in policy. It expanded really quickly from there into looking at all sorts of different areas around policy connected to cybersecurity, and also looking at how we could bridge the gap between the policy community and the technical community so that as the policy community is looking at policy around technical topics, we’re plugging in people who are actually working on the front lines who have the real technical knowledge and they understand what’s coming.

I think that bridge is super important. So fast forward to 2020, when we started looking at this ransomware issue in the RTF [Ransomware Task Force] and pulled that together. These days I work with non-profits and with governments to, one, bridge that gap and to help sort of assist with developing policy positions around cyber.

Howard: It seems that because the number of reported successful ransomware attacks continues to increase that little progress is being made. The Task Force’s recent report says “the majority of organizations globally are still under-prepared to defend against or recover from a ransomware attack.” Why?

Jen: I wish there was a really simple answer. If I wanted to be flippant, the simple answer is life: because there are so many layers of complexity around competing demands on resources, on time and on attention, and a lack of true understanding about what’s going on, there’s an inability for organizations to respond appropriately.

There’s so much noise out there, and so little of it helps organizations really understand what to do. Incentives work in the wrong direction, in many cases — for example, the incentives around companies that make technology to constantly be building really quickly and moving on to the next thing. It’s not taking your time doing it right, making sure you’ve tested for everything, going back and acknowledging vulnerabilities in your technology. All of the incentives work in the wrong direction for security to work. And so we have an ecosystem where the vast majority of companies can’t afford, haven’t invested, don’t have the capacity to have good preparedness or resilience. We have opportunities for attackers abounding, both in terms of opportunities in the technology itself — vulnerabilities — or just the fact that it’s really easy for them to manipulate human behaviour. So there’s a lot of different factors at play.

That means it [cybersecurity] is really hard, which is why when the [first] report came out it had 48 recommendations. We would have loved to come up with one, if we could have all agreed that this one thing would do it.

But the problem is, as we always say in security, there are no silver bullets. What we were looking at are incremental things you can do, and if you do them all together will hopefully create an impact. And while there has been progress on a number of those things, often it isn’t just about pulling the lever. It’s about maintaining focus and maintaining investment and commitment over time, which actually often is much harder than taking that first step. So we haven’t had long enough yet to see this stuff come to fruition.

I don’t know what the percentage is in the U.S., but in the U.K. our economy is 98 per cent small to medium businesses. Most of them are well below the cybersecurity poverty line. They have not invested to the degree that they need to. Meanwhile, the attackers are making big money. They’re able to invest every day if they want to. So those are some of the challenges at play.

Howard: If you’re an IT leader in a company, or in a county or municipality, are there three or five things that you really should do that will make a real impact?

Jen: There are plenty of documents out there that will provide guidance. The RTF created one in partnership with CIS [the Center for Internet Security] aimed specifically at small to medium businesses called the Blueprint for Ransomware Defence which tries to make it more bite-sized for small to medium businesses.

I’m going to tell you five things. When we rattle them off as a list of five things it sounds really straightforward. But the reality is each one of them is a really time-consuming major thing. And it’s not like one and done. You don’t do it and then you’re done. It’s an ongoing commitment, so it’s not like you get up and say, “On Monday I’m going to institute patching, and on Tuesday I’m going to institute identity and access management, and on Wednesday I’m going to make sure that I’ve got offline backups, and I’m going to check that they’ve not been poisoned in some way.” It’s more like, “My major goal for this year is going to be to get a proper, functioning vulnerability management program off its feet. That’s going to be a big investment of time and effort and understanding and configuration and buy-in across my organization and talking to the IT team.”

So it is really important to understand when we go through what the things are [to be done] that they’re not simple easy lifts. But I’ll give you three:

— patching. You need to have a vulnerability management program. If you’re listening to this and you’re wondering about how to get started, a really good resource for you is CISA’s Known Exploited Vulnerabilities Catalogue, which specifically highlights the vulnerabilities that they know are being exploited in the wild;

— an identity and access management program. You want to make sure that people [employees] only have the ability to access things that they need to access. The program also has to have a secondary factor of [login] authentication, so that if somebody gets tricked into giving away credentials, it’s not easy for the attackers to use those credentials;

— resilience. Having backups of all of the stuff that you care about the most, not just your data but your systems as well. Your backups have to be offline so they’re not easy to access [by a hacker]. You also need to check backed-up data regularly to make sure that there’s no sign of any dodgy behaviour …

Howard: What are the biggest roadblocks you hear from business and IT leaders about not being able to implement Task Force recommendations for fighting ransomware in their firms?

Jen: You could put it very simply and say it’s about capacity or capability. What that boils down to is a lack of understanding or a lack of resources. Either the organization doesn’t really understand the threat, doesn’t really understand its relevance to that organization, or it is unable to invest. Sometimes you have organizations where both are true, or one affects the other …

You [as management] can’t do everything you want to do, and you have a responsibility to your employees, your customers and your investors to not do everything that you want to do. So they have to make difficult decisions. They have to decide how to prioritize. And because they don’t understand the threats, they may choose other, more urgent, pressing priorities in other areas, they make choices away from spending on cybersecurity …

Howard: Why are some organizations still paying ransoms?

Jen: Because it’s so hard. Say you’re the CEO of a regional, smallish manufacturing company and you’re a third-generation owner, right? The company’s been in your family for three generations, and you have dedicated your entire life to this business. You employ a bunch of people in your region. You don’t have a lot of money to invest in cybersecurity. It’s probably not something you really think about a huge amount, and you’re super reliant on five major customers that you’ve got contracts with to create whatever widget for them. You get hit by a ransomware attack and it takes your business offline, and all of a sudden your business grinds to a halt. Your customers have deadlines and those deadlines can’t be shifted just because you can’t provide that service. So all of a sudden, the situation [attack] is existential for your business. If you cannot provide the service, you’re going to lose those contracts. Customers are going to go elsewhere. Your reputation is shot, you might get sued by them … People who are in a situation like that say, “How do I make this problem go away as quickly, as painlessly as possible?”

… Nobody says, “What I really want to do with my hard-earned money is give it to a criminal in a foreign state who doesn’t care about anything to do with me, and takes pictures of himself riding around in his Lamborghini …” They’re doing it out of desperation.

Howard: What are the pros and cons of a ransomware payment ban?

Jen: The first theory is ransomware is a crime that exists in the interests of making money for criminals. If you take away the money, then you take away the impetus for doing it and it goes away. Number two is because giving money to these criminals is disgusting, unethical. And a lot of these organized criminal gangs are involved in other types of organized crime. Nobody wants to think that they’re funding the drug trade or the weapons trade or human trafficking.

The third reason that policymakers want a ban is because they have tried to push the needle on building [business] preparedness but it’s not going quickly … so they think, “We’ve tried the carrot and the carrot hasn’t got anywhere. Maybe now we try the stick in the form of saying to people, ‘You will not be able to pay a ransom.’” Therefore you [governments] have to get ahead of this. You have to have preparedness [for a payment ban] because there is no parachute …

I don’t think gangs will suddenly turn away from illegal activity. I think it’s far likelier that before they do that they will test the mettle of organizations. If I was a ransomware attacker what I would do is shift to focusing specifically on critical infrastructure and small businesses because I know that they’re the least likely to withstand my demands for ransom … So I think there has to be a plan for how to help them get themselves ready for a ban.

Howard: Which do you think of the recommendations [for preparing businesses for a payments ban] are the easiest and which are the hardest to implement?

Jen: The ones that are somewhat easier are the stuff that government does itself. For example, collaborate with other governments … The government can institute sanctions. They can clarify [incident] reporting [to regulators]. You can have law enforcement work with law enforcement around the world. The takedown of the LockBit gang was a collaboration of law enforcement around the world. What’s much, much, much harder is stuff that is outside of the government’s direct operational field. Things like reaching into millions of small to medium businesses and driving them to take action is really hard, because you don’t want to make it a regulatory thing.

… The other thing that’s really hard is that cyber criminal gangs have for a long time thrived in what we call safe havens or harbour nations — countries that protect them.

Howard: Among the recommendations is to create a ransomware response fund to help victims organizations recover. Another is to end the tax deductibility of ransomware payments. Doesn’t it seem a little bit nuts to you that you can give money to criminals and then you can take that as a tax writeoff?

Jen: I can’t think of another space where that would be the same thing, right? Like when I do my tax return, I’m like, “Here’s all the money I gave to charity this year.” And, “Here’s all the money that I gave to criminals this year. I would like a [tax] benefit for both, please.” That seems kind of crazy to me … If you had to pay tax on it [ransomware payment] maybe that money could be used to help with the fund [for victims].

Howard: Finally, I’m an IT or security leader. I don’t have enough money or people to fight cyberattacks, including ransomware. How do I persuade my boss to give me more?

Jen: There is a saying that we use in security, which is, never let a crisis go to waste.

You can do a lot by scouring the headlines and highlighting relevant [cybersecurity] stories [for management]. There has to be a little bit of education. But also, if you seem disconnected from the realities of the business, your business leaders will never take you seriously. So if you want to tell them all the things going on in security and you completely ignore the fact that the business is also worried about the economy or facilities or investors, employee well-being, changing laws then you’re going to have a conversation that is so far removed from what they actually focus on and think about that they’re not going to take you seriously. Education is a two-way street. You have to educate yourself on what the business cares about, get to know the business leaders in the organization and talk to people who are leaders of sub-areas in the business …

Maybe you could take lower-down department heads for lunch and learn what it is they focus on and what their priorities are. Then you’ll get a view of how the business goes together and what the competing priorities are. That gives you a much better position to have that conversation with your leadership, because you understand a lot more about what they’re weighing. This is also an opportunity to help them understand why you care about what you do and why they should care about it …

One of the things that can be helpful is to find stories [in the media or from cybersecurity research] about people. It helps to make it real to your leaders to say, “This is what a cyber crime gang looks like. Here’s this guy and he has been doing this for this long. These are the things that he’s accused of. Here he is driving around in his Lamborghini.”
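Ellis points listeners at CISA’s Known Exploited Vulnerabilities (KEV) catalogue as the place to start a vulnerability management program. The script below is an added example, not part of the interview or of the Task Force’s material, showing how a small IT team can turn that advice into a prioritised patch list: it indexes a KEV-format feed and matches it against scanner findings per asset, ranking overdue entries and ransomware-linked entries first. The feed excerpt and the asset inventory are constructed fixtures, and the CVE IDs in them are placeholders, not real catalogue entries; the field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) follow the published KEV JSON schema.

```python
"""Prioritise scanner CVE findings against a CISA KEV-format feed.

Added example. The feed excerpt and inventory below are constructed
fixtures with placeholder CVE IDs, not real KEV entries.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the real feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs are placeholders, not real vulnerabilities.
KEV_FEED_JSON = json.dumps({
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-2024-90001", "vendorProject": "ExampleVPN",
         "product": "Gateway", "dateAdded": "2024-04-01",
         "dueDate": "2024-04-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-90002", "vendorProject": "ExampleCMS",
         "product": "Server", "dateAdded": "2024-04-10",
         "dueDate": "2024-05-01", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: asset -> CVE IDs found on it.
# Only two of these appear in the feed above; the rest are noise to filter.
INVENTORY = {
    "vpn-gw-01": ["CVE-2024-90001", "CVE-2024-90003"],
    "web-cms-02": ["CVE-2024-90002"],
    "fileserver-03": ["CVE-2024-90004"],
}


def load_kev(feed_json):
    """Index a KEV-format feed by cveID for O(1) lookups."""
    data = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def prioritise(inventory, kev, today):
    """Return KEV hits across the inventory, most urgent first.

    Sort order: past the CISA due date, then ransomware-linked, then by due date.
    Findings not in the catalogue are dropped; they are still real, just not
    the first thing to fix.
    """
    hits = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "asset": asset,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due,
                "overdue": due < today,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["due"]))
    return hits


def report(today_iso):
    """Convenience wrapper over the constructed fixtures for a given date."""
    return prioritise(INVENTORY, load_kev(KEV_FEED_JSON), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for h in report("2024-04-26"):
        status = "OVERDUE" if h["overdue"] else "due " + h["due"].isoformat()
        tag = "  ransomware-linked" if h["ransomware"] else ""
        print(f'{h["asset"]:14} {h["cve"]}  {h["product"]:20} {status}{tag}')
```

In practice the feed is fetched from CISA’s published URL on a schedule and the inventory comes from whatever scanner or asset database the team already has; the matching logic does not change. Matching on CVE ID alone is deliberately conservative: the KEV catalogue lists only vulnerabilities observed being exploited, so a hit is a “fix now” signal regardless of the CVSS score the scanner attached.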

The post Cyber Security Today, Week in Review for week ending Friday April 19, 2024 first appeared on IT World Canada.

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more.

Welcome to Cyber Security Today. It’s Friday, April 19th, 2024. I’m Howard Solomon.
The European police co-operative Europol says one of the largest phishing-as-a-service platforms has been severely disrupted. This week law enforcement agencies from 19 countries, including the U.K., the United States and Canada, shut the IT infrastructure of LabHost. They also arrested 37 suspects. For a monthly subscription the site sold access to phishing kits, infrastructure for hosting phony web pages and more. An estimated 10,000 crooks around the world used its services. Singapore-based cybersecurity firm Group-IB says there was a Canadian angle to LabHost. The service was actively promoted in a Canadian channel on the Telegram messaging service by three users. One of those users owns the service LabHost Refunds, which only operates in Canada. This user also sold profiles of Canadians for creating credit cards or opening bank accounts. Europol said four of the 37 people arrested were in the U.K. and allegedly ran the site, including the alleged original developer.

A virus has been sitting undetected since 2015 on some Windows systems in Ukraine, say researchers at Cisco Systems. As part of regular threat hunting in open-source repositories for infected documents, Cisco found over 100 infected documents with potentially confidential information about government and police activities in Ukraine. The documents could only be spread by being shared through removable media like USB memory sticks. It isn’t known who created the virus.

So you’ve got cyber insurance. But do you have enough? Maybe not, says CYE, a company that measures cyber risk of organizations. Looking at a dataset of 101 data breaches, CYE says 80 per cent of those with insurance didn’t have sufficient coverage to pay for their full data breach costs. On average three-quarters of insurable costs weren’t covered.

Finally, a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international. That’s according to researchers at Kaspersky. It says organizations in the U.S., Canada, Japan, the Netherlands, Luxembourg and South Korea have submitted examples of the malware to a virus scanning service, suggesting IT people in those countries have come across it. Kaspersky calls this campaign DuneQuixote. The goal is to install a memory-only backdoor using either a regular dropper or tampered installer files for a legitimate tool called Total Commander. What’s unique is the use of snippets from Spanish poems in the code to help evade detection by anti-malware tools.

That’s it for now. But later today the Week in Review podcast will be available. My guest will be Jen Ellis, a member of the Ransomware Task Force, who will talk about its recent report on steps governments should take before passing laws forbidding organizations from paying ransoms.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more first appeared on IT World Canada.

Meta’s new release sparks debate about open versus closed source AI: Hashtag Trending for Friday, April 19, 2024

Just how real is quantum computing? We have an amazing guest on our Weekend Edition who will talk about how she is helping people prepare for IT careers using quantum computing.

Meta’s new AI release sparks a debate about open versus closed source AI, major legislation expanding US government surveillance capabilities goes largely unnoticed, big questions about how accurate these AI launch videos are, and before you book that next business trip, a former Boeing manager says he won’t fly on some Boeing planes.

All this and more on the “flying under the radar” edition of Hashtag Trending. I’m your host, Jim Love. Let’s get into it.

Meta has released a compact version of its latest open-source AI model called Llama 3, as well as an updated version of its AI assistant that can now answer questions using real-time web information.

These launches have reignited the debate around the future control and accessibility of powerful AI systems.

The company says the new Meta AI assistant, available across its apps like WhatsApp and Instagram as well as a website, is the “most intelligent” free AI aid of its kind. It includes new capabilities like generating custom images and animated GIFs based on text prompts.

But in a separate but related interview, Meta’s chief AI scientist Yann LeCun argued for these types of AI platforms and models to remain open-source and decentralized – warning of the dangers of having a small number of companies control everyone’s “digital diet.”

LeCun said “Eventually all our interactions with the digital world will be mediated by AI assistants…this means they will constitute a shared infrastructure like the internet. We cannot have a small number of AI assistants controlling what everybody sees – this will be extremely dangerous for diversity of thought, for democracy, for just about everything.”

LeCun advocated for a future with many different open AI models that can be customized for various cultures, languages and use cases – preventing what he called monopolistic “echo chambers” over AI-powered knowledge.

The push reflects a philosophical divide in the AI industry, with some firms like OpenAI keeping their models closed and proprietary, while others position themselves as open-source champions.

Meta’s stated goals include not just making its model open, but making its latest model more multilingual over time. LeCun also argued the importance of diverse AI assistants emerging to reflect society’s diversity.

As these systems become conduits for how people interact with digital information and services, the debate around centralized control versus democratized access of this transformational technology will certainly intensify.

Sources include: Axios and Analytics India

For anyone following U.S. political news, you may have missed this story in light of the trials, impeachment inquiries and the crisis over Ukraine funding, but there is a major debate, and the U.S. Senate is set to vote on Thursday on renewing and potentially expanding controversial government surveillance powers.

Privacy advocates are sounding alarms over proposed changes that could compel a vast range of companies and individuals to hand over electronic communications to intelligence agencies.

At issue is the reauthorization of Section 702 of the Foreign Intelligence Surveillance Act, or FISA. This provision currently allows U.S. spy agencies to conduct warrantless surveillance of communications involving foreigners outside America who may pose national security threats.

FISA has long been criticized for also sweeping up data on American citizens, which intelligence agencies can then search domestically without a warrant – a practice that civil liberties groups consider unconstitutional.

Last week, the House passed a bill reauthorizing Section 702 for 8 more years. But it contained an amendment drastically broadening who could be legally defined as an “electronic communications service provider” – a classification that can compel companies to share private user data.

Oregon Senator Ron Wyden warned this could conscript millions into becoming “agents for Big Brother” – from office cleaners to any business with computer servers or wifi routers on their premises.

Wyden noted “The legislation gives the government unchecked authority to order millions of Americans to spy on behalf of the government…anyone with access to a server, wire, cable box, router, phone or computer.”

Privacy advocates like the American Civil Liberties Union and tech industry groups are urging the Senate to reject this provision, citing risks to digital privacy and US competitiveness if user data is exposed by government demands.

The White House and others maintain that in a world full of terrorist threats and instability that FISA provides tools necessary to intercept threats and protect American citizens.

As the Senate deliberates the renewal, it will need to weigh enhanced national security powers against public unease over eroding civil liberties protections in the digital age.

Given the other hub-bub and the speed at which this is moving, it’s unlikely that anyone will get a chance to hear a clear and reasoned debate of these exceptionally important issues.

Sources include: The Register

And for those whose job or even personal lives take them onto airplanes for travel, we’ve covered apps that tell you which type of plane you might be on.

For those who think that’s just alarmist, you might want to check out another U.S. Senate subcommittee where a former Boeing manager, Ed Pierson, has repeatedly talked about safety issues on the Boeing 737 Max jet, like the one involved in the recent Alaska Airlines incident where a door plug blew off in midair. He said that, once, when he realized he had been booked on a 737 Max, he got off before the plane could take off.

When the 737 Max 9 lost its door plug in midair, leaving a gaping hole in the plane, the National Transportation Safety Board found that bolts designed to secure it were missing. The same report said that the door plug had been removed in a Boeing factory to fix some broken rivets, but Boeing told the board that it didn’t have documentation for this work.

Pierson testified that a whistle-blower at Boeing gave him documents that indicate a “criminal cover-up” related to the door incident. Boeing has reportedly claimed that there are no documents of work done on the door plug that came off the 737 Max jet.

Pierson said on Wednesday: “Records do in fact exist. I know this because I personally passed them to the FBI.”

Pierson was a senior manager at Boeing’s 737 factory and retired in 2018 before the first Boeing 737 Max 8 crash.

Pierson said, “I’m not gonna sugarcoat this, this is a criminal conspiracy.”

The FBI is looking into whether criminal charges should be brought in this case and passengers from the Alaska Airlines flight were reportedly sent letters from the FBI saying they might be victims of a crime.

For anyone who has ever sat beside an exit door, it adds a totally different meaning to that speech the flight crew makes when they ask if you are “prepared to act in the event of an emergency.”

Sources include: Business Insider

Major tech companies like Amazon are facing scrutiny over claims that some of their highly touted artificial intelligence systems are actually relying heavily on offshored human labor. Critics argue this amounts to traditional outsourcing being repackaged under the banner of AI. Meanwhile, the companies deny the allegations, saying their AI capabilities are indeed automated and that human reviewers play only a limited role.

Controversy erupted recently when reports emerged that Amazon’s “Just Walk Out” cashier-less checkout system utilizes human workers in India reviewing surveillance footage to verify purchases. This raised accusations that the tech giant had overstated the AI automation behind this system that was marketed as allowing customers to simply grab items and leave the store.

In a recent article, author Janet Vertesi argues that much of what is being branded as AI is really just old-fashioned labor outsourcing in a new guise.

Vertesi said, “AI is just today’s buzzword for outsourcing, and it comes with the same problems that have plagued outsourced companies for decades…behind the curtain is the familiar phenomenon of outsourcing – expensive skilled labor traded for cheap, unskilled labor abroad.”

However, Amazon has forcefully pushed back on this perception. The company’s VP overseeing Just Walk Out, Jon Jenkins, told Axios in a recent interview that human reviewers in India only analyze a “small percentage” of cases after the fact to improve the AI’s accuracy – not watch live shoppers.

Jenkins said, “This notion that there are human reviewers watching live shoppers – that is completely not true…way less than 1,000 people help make sure automatically generated receipts are accurate.”

Jenkins argues Just Walk Out utilizes advanced sensors, cameras and AI to enable the grab-and-go experience, while admitting there’s still work to do in scaling the technology efficiently across more locations.

The debate speaks to the broader challenge of separating AI hype from reality. A number of AI products, not just Amazon’s, have, let’s say, “enhanced the performance of their systems” by editing the video. Google got caught editing one of its AI launches to enhance the apparent performance. Yesterday, we covered scathing reviews of Humane’s AI pendant, where the actual performance of the device was nothing like what the video demo showed – and this infuriated reviewers. When you start digging, there are many examples to be found.

But the Amazon case also raised concerns around tech firms cutting costs by outsourcing labor overseas under the veneer of automation.

As AI enables even more sophisticated simulations, look for this problem to intensify. In answer to what Groucho Marx said, “are you going to believe me or your lying eyes?” Maybe there is another saying, “there ought to be a law…”

Sources include: Techpolicy.press and Axios

And that’s our show for today…

Hashtag trending goes to air five days a week with a weekend interview show. And we are also on YouTube.

Find us at our new home at technewsday.ca or .com – you pick. And you can reach me with comments, suggestions or even criticism at therealjimlove@gmail.com or at editorial@technewsday.ca

I’m your host Jim Love, have a Fabulous Friday.
The post Meta’s new release sparks debate about open versus closed source AI: Hashtag Trending for Friday, April 19, 2024 first appeared on IT World Canada.

More Windows PCs previously blocked are now able to upgrade to Windows 11. Apple has fallen to number two in terms of iPhone market share. Salesforce makes news with a possible acquisition of Informatica. And a new AI wearable device gets savage reviews.

All this and more on the “winners and losers” edition of Hashtag Trending. I’m your host, Jim Love. Let’s get into it.

Some Windows users who were previously blocked from upgrading to Windows 11 may finally be able to make the switch. Microsoft has lifted a compatibility hold that prevented certain PCs with 11th generation Intel processors from installing the latest version of its operating system.

The hold was put in place over two years ago due to an issue with Intel’s Smart Sound Technology drivers causing problems when running Windows 11 on those chips. But now, with updated drivers from Intel to resolve the bug, Microsoft says affected systems should be offered the option to upgrade in the next 48 hours.

However, this doesn’t represent a change to the strict minimum hardware requirements for Windows 11 that have left many older but still capable PCs unable to officially update. The move from Microsoft comes as it is beginning to phase out support for Windows 10, with commercial customers soon having to pay increasing fees for security patches after the October 2025 end-of-support date.

For users with computers stuck on the previous operating system version, upgrading hardware may be the only path to Windows 11, unless Microsoft expands the update eligibility in the future. But for that subset affected by this specific driver issue, the path to Microsoft’s latest OS is now clear after over two years of waiting.

Sources include: Windows Central

Apple is facing more troubling signs for its iPhone business. Global shipments of the company’s flagship smartphone dropped nearly 10% in the first quarter of 2024 compared to a year ago. It has once again lost the number one position to rival Samsung, but this time it has a tougher struggle to regain leadership in terms of sales.

Market intelligence firm IDC reports that in Q1 global iPhone shipments fell to just over 50 million units. Apple’s share of the worldwide smartphone market also slipped from 20.7% down to 17.3%.

The declines come despite an overall recovery in the broader smartphone market. It represents an ongoing challenge for Apple in the face of rising competition from Chinese manufacturers like Xiaomi and Transsion. Xiaomi’s shipments surged nearly 34% in the quarter, while Transsion’s jumped 85%.

We often forget that China was and still remains a major market for iPhones, and with greater competition and tension with the U.S. at an all-time high, Apple continues struggling in the critical Chinese market. iPhone revenues are expected to drop again in the current quarter as Beijing workers are increasingly pressured to avoid foreign-branded phones.

The iPhone maker is also contending with a series of other issues – from declining iPad and wearables sales to high-profile antitrust battles with regulators in the U.S. and Europe over its tight control of the App Store ecosystem.

Apple’s stock is down more than 8% so far in 2024 as investors grow concerned about the tech giant’s near-term outlook and challenges from rivals abroad.

Some potential relief could come later this year if Apple impresses with its expected unveiling of new AI capabilities at its developer conference in June. But for now, the latest shipment numbers underscore the mounting pressures facing Apple and the all-important iPhone business.

Sources include: Yahoo Finance

A potential major acquisition could change the landscape with regard to company data and artificial intelligence. Salesforce, the cloud computing giant known for its customer relationship management software, is reportedly in advanced talks to buy data integration firm Informatica for $11 billion.

If completed, the Informatica acquisition would be the latest in a string of major purchases by Salesforce aimed at expanding beyond its core CRM business into a comprehensive data management and AI platform.

Founded in 1993, Informatica specializes in integrating data across different sources like databases, applications and social media. Its software enables companies to combine this disparate information while ensuring accuracy and quality.

Salesforce has already rolled out its new generative AI product called Einstein Copilot to automate tasks using conversational prompts. But analysts say adding Informatica’s data integration capabilities could significantly elevate Salesforce’s AI innovations by improving the quality of data being fed into its models.

The acquisition would complement Salesforce’s previous billion-dollar deals for companies like Tableau for data visualization, MuleSoft for application integration, and most recently its purchase of Slack.

Tying it all together, Salesforce aims to create an end-to-end “data journey” platform that collects information, cleans and transforms it, then allows businesses to analyze it through products like Tableau while leveraging generative AI like Einstein.

In an AI-driven future, ensuring high quality and properly integrated data will be crucial to developing accurate predictive models and natural language processing tools. If the Informatica deal goes through, it could give Salesforce a powerful advantage over rivals like Oracle and SAP in the enterprise AI market.

Sources include: Analytics India

And there’s proof that just because it’s AI enabled, not every product is going to work.

A much-hyped new artificial intelligence wearable device from a startup founded by former Apple executives has been absolutely and even brutally panned by tech reviewers.

The AI Pin, a smart brooch that can answer questions, take photos and send messages through voice commands, is being criticized as an outright flop that fails to deliver on its promised reimagining of how we interact with technology.

The $700 device made by the company Humane has been scorched by prominent reviewers like Marques Brownlee, who said in a 25-minute video critique that the AI Pin is “bad at almost everything it does, basically all the time” – describing it as the worst product he’s ever reviewed.

Issues cited include poor battery life requiring constant recharges, visible heat buildup while wearing it, and a hand projection display that’s difficult to see, especially in bright light. While meant to operate independently of a smartphone, reviewers found the AI Pin lacking basic functions and integration.

Writing for The Verge, David Pierce bluntly stated “the one and only thing I can truly rely on the AI Pin to do is tell me the time.”

The startup raised nearly $250 million to develop the gadget, which was aimed at pioneering new AI-driven hardware experiences beyond the smartphone. But based on the scathing initial reviews, it appears to have missed the mark.

Humane’s founders have acknowledged the software needs significant updates, vowing not to be deterred by the negative coverage as they continue refining the AI Pin throughout the summer.

This should be a warning for every AI product developer out there. You can’t have automatic success just by saying you have AI in your product. People are looking for solutions to real problems and expecting a phenomenal user experience. Without that, there could be a backlash.

But even if this one device fails, the idea of a wearable device won’t go away. Another AI firm called Limitless just announced a new wearable device at the amazing price of 99 dollars. We’ll cover that device and its different approach in the next few days.

And that’s our show for today…

Hashtag trending goes to air five days a week with a weekend interview show. And we are also on YouTube.

Find us at our new home at technewsday.ca or .com – you pick. And you can reach me with comments, suggestions or even criticism at therealjimlove@gmail.com or at editorial@technewsday.ca

I’m your host Jim Love, have a Thrilling Thursday.

The post first appeared on IT World Canada.

Cyber Security Today, April 17, 2024 – More suspicious attempts to take over open source projects, a data theft at a Cisco Duo partner, and more

More suspicious attempts to take over open source projects, a data theft at a Cisco Duo partner, and more.

Welcome to Cyber Security Today. It’s Wednesday, April 17, 2024. I’m Howard Solomon.

The recent takeover of an encryption utility used by Linux may not be an isolated incident. The OpenJS Foundation, home to open JavaScript projects, says it recently detected an attempt by a threat actor or actors to get themselves designated as a new maintainer of a project, supposedly to correct vulnerabilities. After that, OpenJS recognized two other JavaScript projects not hosted by the Foundation had similar takeover attempts. This follows the discovery by a Microsoft developer earlier this month of a three-year effort by a threat actor to persuade the maintainers of the XZ Utils compression tool to hand over control of that project. In that case some Linux distributors actually included a malicious version of that utility, containing a backdoor uploaded by the new overseer, in development versions of Linux. If a threat actor takes over a JavaScript project they, too, could use their access to upload malicious code that would end up in hundreds or thousands of IT systems. The OpenJS and Open Source Security Foundations are warning project maintainers to be wary of email requests from unknown members of the open source community to be elevated to maintainer status.

Another major company has been stung by a data breach at a partner. This time it’s Cisco Systems. According to Bleeping Computer, organizations using the Cisco Duo multifactor authentication platform for accessing corporate IT systems are being notified of an April 1st incident. A hacker compromised the system of a telecom provider that Cisco uses to send MFA codes to individuals by SMS text or voice over IP calls. Cisco didn’t name the provider. Nor is it saying how many individuals were affected. How was the telecom provider hacked? An employee fell for a phishing email, allowing the attacker to get their login credentials. The attacker then downloaded message logs. The logs don’t have personal information. But they include phone numbers of those who use Duo, including company employees. A hacker could use those numbers to call employees and trick them into giving out sensitive things like passwords.

Delinea has released security updates for its platform as well as for on-premise and cloud versions of its Secret Server access management suite. The updates plug a critical vulnerability in the SOAP messaging API that could allow an attacker to bypass access authentication to IT networks. This comes after a researcher published a report last week on discovering the flaw. He publicly released his findings because he’d been trying unsuccessfully since February to get Delinea’s attention. It wasn’t until last Friday the company acknowledged the finding. In a statement Delinea said patches for older versions of Secret Server are coming.

IT administrators whose firms use the open-source PuTTY utility for file transfer, or who use applications with the PuTTY client such as FileZilla, WinSCP and TortoiseGit, are urged to update the applications immediately. This comes after the discovery of a critical vulnerability that could allow a threat actor to recover a private key and then forge digital signatures, allowing access to any server the key is used for. Administrators should revoke their existing keys and generate new keys to replace them.

Omni Hotels, with properties in the U.S., Canada and Mexico, says “limited information” of a subset of customers was involved in last month’s cyber attack. The data doesn’t involve personal payment details, financial information or Social Security numbers. But, the company says, it may include names, email and mailing addresses. According to Security Week, the Daixin Team ransomware gang has claimed responsibility.

Three Canadian school boards have signed up for Fortinet’s Security Awareness Curriculum. The free, bilingual program has modules for K-12 students covering how to be safe online and how to protect privacy. The three boards are in Ontario.

Threat actors use multiple tricks to get login credentials to private Zoom video conferencing sessions of organizations. A report this week from Abnormal Security notes six tactics. These include creating fake login pages that look like the official Zoom website and then spreading links to them in phishing emails; tricking employees into downloading malware that steals Zoom credentials; and just plain credential stuffing with passwords bought on the dark web. The report could be used by IT departments in security training.

Automated bad bots are increasingly taking up internet traffic. That’s according to a new report from Imperva. Automated traffic is costing organizations billions of dollars through attacks on websites, APIs and applications. Bots do everything from web scraping and account takeovers to spreading spam and launching denial of service attacks. The report says IT leaders can blunt this threat by fortifying website defences, strengthening employee and customer login processes, securing exposed APIs and mobile applications, and watching for suspicious traffic.

Finally, a North Korean spying group is ramping up its activity. That’s according to researchers at Proofpoint. They issued a report this week on a group security experts call by a number of names including TA427, Emerald Sleet, APT43, Thallium or Kimsuky (pronounced KIM-SUCK-IE). Usually the group targets experts on American and South Korean foreign policy by impersonating a member of a think tank, a reporter or an academic. Targets are sent emails with the hope of starting an online conversation. One tactic: taking advantage of an organization’s lax email protection, particularly failing to enforce the strict use of the DMARC protocol. That lets this group impersonate legitimate senders’ email addresses.
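The DMARC point above is worth making concrete for defenders: a domain can publish a DMARC record and still be spoofable if the policy is `p=none`, is only applied to a percentage of mail, or leaves subdomains unprotected. The following Python is an added example, not code from the Proofpoint report or the podcast. It assumes the `_dmarc.<domain>` TXT record has already been fetched from DNS; the four records below are constructed samples, and the tag names (`p`, `sp`, `pct`, `rua`) are the standard DMARC tags.

```python
"""Assess whether a DMARC record actually enforces anything (added example).

Assumption: the DNS TXT record at _dmarc.<domain> has already been looked up
and is passed in as a string. SAMPLE_RECORDS below are constructed, not real.
"""

# Constructed sample records illustrating common configurations.
SAMPLE_RECORDS = {
    "lax.example": "v=DMARC1; p=none; rua=mailto:dmarc@lax.example",
    "partial.example": "v=DMARC1; p=reject; pct=20; sp=none",
    "strict.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strict.example",
    "missing.example": "",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy plus findings on why spoofing may still succeed."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"enforced": False, "policy": None,
                "findings": ["no valid DMARC record: receivers apply no policy at all"]}

    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()        # sp defaults to p
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100   # malformed pct treated as default

    findings = []
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never quarantined or rejected")
    elif sub_policy == "none":
        findings.append("sp=none: subdomains of the organization can still be spoofed")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not collected, so abuse goes unseen")

    # "Enforced" here means failing mail for the organizational domain is
    # quarantined or rejected for 100% of messages.
    enforced = policy in ("quarantine", "reject") and pct == 100
    return {"enforced": enforced, "policy": policy, "findings": findings}


def assess_all(records: dict) -> dict:
    """Assess every domain in a mapping of domain -> DMARC record."""
    return {domain: assess_dmarc(record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, result in assess_all(SAMPLE_RECORDS).items():
        status = "ENFORCED" if result["enforced"] else "NOT ENFORCED"
        print(f"{domain}: {status} (p={result['policy']})")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run against your own domains by replacing the sample records with the output of a TXT lookup on `_dmarc.<domain>`. Only `strict.example` comes back as enforced with no findings; the others show the gaps an impersonator would benefit from.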

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, April 17, 2024 – More suspicious attempts to take over open source projects, a data theft at a Cisco Duo partner, and more first appeared on IT World Canada.

Broadcom backs down on VMWare pricing: Hashtag Trending for Wednesday, April 17, 2024

YouTube clamps down on third party apps that block ads. Experts predict a new cyber-war between Iran and Israel. Elon Musk backs down on his fight with the Brazilian government and Broadcom makes concessions in the face of customer outrage and European regulatory scrutiny of its new VMWare pricing.

All this and more on the “who blinks first” edition of Hashtag Trending. I’m your host, Jim Love. Let’s get into it.

YouTube is escalating its battle against ad-blocking software and extensions. The video streaming giant has announced it will now crack down on third-party apps that allow users to skip ads on YouTube videos.

If you watch YouTube videos through a third-party app specifically designed to block advertisements, you may start encountering some issues. In an update this week, YouTube says users accessing its content through these ad-blocking apps could face video buffering problems or even an error message preventing them from watching at all.

It’s an expansion of YouTube’s existing efforts to discourage viewers from using ad blockers when watching videos on the platform. Last year, YouTube started displaying error messages and disabling videos for users with ad-blocking browser extensions enabled.

The company argues that third-party apps stripping out ads prevents creators from being compensated for the content they produce. In a statement, YouTube says it only allows apps that follow its API terms of service, which require showing advertisements.

While the ad-blocking app AdGuard says it is not affected by this latest policy change since it doesn’t use YouTube’s API, many other apps that scrape ad-free YouTube videos could face blockages.

Of course, YouTube still offers its premium ad-free subscription as an alternative for viewers who want to skip commercials. But this crackdown likely won’t be welcomed by those who prefer watching YouTube through adblocking software and mobile apps.

As more entertainment shifts to streaming platforms, the tension between companies seeking ad revenue and users trying to avoid advertisements seems destined to escalate further.

Sources include: The Verge

There’s been a reversal from Elon Musk’s social media company X, formerly known as Twitter, over its stance on complying with court orders in Brazil regarding content moderation. After initially vowing to challenge rulings by Brazil’s Supreme Court, lawyers for the platform have now told the court it will follow all its decisions.

A legal battle has been brewing between Elon Musk’s X company and Brazil’s top court over the removal of certain accounts accused of spreading misinformation and hate speech. Last week, Musk said he would challenge an order from Supreme Court Justice Alexandre de Moraes demanding X block some accounts in the country.

But in a letter to Moraes seen by Reuters, lawyers for X have now reversed course, stating the platform will comply with every ruling issued by the Supreme Court or Brazil’s top electoral authority.

This marks a shift from X’s Brazilian subsidiary, which had previously claimed it could not control whether the U.S. parent company followed the Brazilian court’s orders.

The Supreme Court justice has been leading investigations into alleged coup attempts and digital militias accused of spreading disinformation, particularly during the presidency of Jair Bolsonaro.

Musk, who has branded himself a free speech absolutist, had called Moraes’ orders unconstitutional and demanded he resign – prompting the justice to open an inquiry into Musk for potential obstruction.

The reversal by X’s lawyers likely aims to defuse tensions with Brazilian authorities. However, the U.S. House Judiciary Committee has now subpoenaed X for information about the Brazilian court’s content moderation orders.

As social media’s role in democracies remains hotly contested, US social media giants are finding that they are not immune to government regulation in other countries.

Sources include: Reuters

A former security executive at the ride-sharing company Uber is taking on a new role advising other corporate leaders on how to properly handle cyber-attacks and data breaches. Joe Sullivan was convicted last year for his actions in covering up a 2016 data breach at Uber and obstructing a federal investigation into it.

A federal judge sentenced him to three years probation and community service. His case is believed to be the first time a U.S. security executive faced criminal charges related to mishandling a data breach.

Sullivan is now working with a cybersecurity firm to help prevent other executives from making the same mistakes he did.

Since then, Sullivan has been reflecting on his experiences and sharing advice with other security leaders on how to properly respond when cyberattacks happen. He’s now joining the cybersecurity firm BreachRx as a senior advisor. The company provides a platform to automate and document a company’s response in the crucial first hours after a breach is detected.

Sullivan says security executives are facing growing legal risks as regulators crack down on poor cybersecurity practices and demand more accountability from companies hit by data breaches. But he argues chief security officers are often underfunded and understaffed, making it difficult to properly secure their networks. Sullivan hopes his case will prompt companies to finally invest more in cybersecurity – though he’s concerned some recent regulatory actions may be prompting an overcorrection, with security chiefs now afraid to take responsibility during incidents.

And with that hanging over them, is it any wonder companies struggle to find senior security talent?

Sources include: Axios

Tensions are high between Iran and Israel following a missile attack over the weekend. As both sides weigh their next moves, cybersecurity experts are warning a cyberbattle could be looming as part of the conflict.

Israel and Iran have a long history of cyberwarfare, launching destructive computer viruses and hacking attacks against each other over the years. But this weekend’s missile strike from Iranian territory into Israel marks an unprecedented escalation in the overt hostilities between the two nations.

And as both sides now contemplate retaliation, cybersecurity analysts say we should brace for a potential onslaught of high-stakes cyberattacks.

Andrew Borene, a cyber analyst with the security firm Flashpoint says that “The overt hostility and the overt physical aspects of the state-on-state confrontation moved things into a different sphere.”

He says cyberattacks could allow Iran and Israel to strike back at each other without risking mass casualties from further missile launches.

Both countries have highly sophisticated cyber capabilities. Iran has used data-wiping malware against other nations. A decade ago, the U.S. and Israel jointly deployed the Stuxnet computer virus to disrupt Iran’s nuclear program.

The cyberwarfare has already begun spilling over from the latest missile exchange. Hacking groups linked to Iran, Russia and others have recently taken down Israeli emergency services apps and news websites as part of the ongoing conflict with Palestinian militants in Gaza.

Cyber warfare is increasingly used by nation states. Since Stuxnet there have been many examples of state-sponsored attacks. Recently, after France committed greater support to Ukraine, it was hit by a massive cyber-attack. And now, we risk an all-out cyber war between Iran and Israel.

The problem is that these attacks often spill over to become a much wider threat. The malware that is created escapes into the wild and provides new tools for the armies of hackers who threaten our corporate and civic infrastructure.

While officials claim to have so far seen no major cyberattacks stemming from the weekend’s missile strike, analysts expect that could change quickly as Israel weighs its response and both sides enter uncharted territory in their bitter, long-running dispute.

Sources include: Axios

There’s been a potential reprieve for some VMware customers unhappy with the new licensing policies put in place by the company’s new owner, semiconductor giant Broadcom. The move comes as regulatory scrutiny of the changes intensifies in Europe.

When Broadcom acquired VMware last year in a massive $61 billion deal, it announced plans to shift VMware’s product licensing to a subscription model and bundle the virtualization software into a new enterprise IT platform.

The changes drew an angry backlash from many VMware customers accustomed to perpetual licensing and concerned about higher long-term costs. A number of them demanded Broadcom preserve perpetual licensing options.

Now, Broadcom’s CEO Hock Tan says the company is offering some concessions in response to that customer feedback. In a blog post, Tan announced that Broadcom will provide free security patching for some supported versions of VMware’s products, even for customers persisting with older perpetual licenses rather than new subscriptions.

Tan also acknowledged Broadcom has granted renewal extensions to many VMware customers to give them more time to adapt to the new model.

The moves come as European antitrust regulators have started questioning Broadcom over its licensing changes following complaints from some tech associations. Analysts believe it could also be an effort by Broadcom to stem a potential mass customer exodus from VMware’s products.

The research firm Gartner recently predicted that VMware’s market share in hyperconverged infrastructure – which combines storage, computing and networking – is poised to plummet from 70% currently down to just 40% by 2029 as customers look to revirtualize and switch vendors.

As the tech world’s latest mega-merger continues shaking out, this could mark the first significant compromise by Broadcom in its controversial effort to overhaul the VMware business.

Sources include: The Register

And that’s our show for today. Love to hear your opinions as always. You can reach me at therealjimlove@gmail.com or our new editorial address – editorial@technewsday.ca

Our show notes are now also posted at TechNewsDay.ca or .com take your pick – along with other stories. Check it out.

I’m your host Jim Love, have a Wonderful Wednesday.

The post Broadcom backs down on VMWare pricing: Hashtag Trending for Wednesday, April 17, 2024 first appeared on IT World Canada.