Church Wearable Device Very Holey

The Vatican recently launched a holey wearable app onto the Internet of Things (IoT). The Church’s wearable IoT device, Click To Pray eRosary, is a bracelet of rosary beads along with a smart cross. The device is part of the Vatican’s mission to pray for peace. But the app is bedeviled by what sources call a “significant cybersecurity flaw.”

The $110 device syncs with Click to Pray, the official prayer app of the Pope’s Worldwide Prayer Network. It tracks the user’s progress as they work through different sets of themed prayers. Oh, it also tracks your steps, too, for those who want to exercise both body and soul.

The Verge reports that the gadget was designed by GadgeTek, a division of Acer, and pairs with an iOS or Android app you can download. The device can be bought through Amazon Italy, among other outlets; the specs include:

  • Six-axis inertial sensing
  • Bluetooth 5.0
  • IP67 water and dust resistance
  • Wireless charging
  • a 15mAh lithium-ion battery
  • 10 black agate beads and 11 hematite beads

The “smart cross” stores all technical data. The app, however, appears to handle all of the actual user interaction; the “smart cross” does not appear to interact directly with the user. Engadget claims that the device also tracks health-related information. It’s basically an adapted fitness tracker, and it still doubles as one. The Vatican News explained the Church’s move to the IoT like this:

The Click To Pray eRosary is an interactive, smart and app-driven wearable device that serves as a tool for learning how to pray the rosary for peace in the world. It can be worn as a bracelet and is activated by making the sign of the cross. It is synchronized with a free app of the same name, which allows access to an audio guide, exclusive images and personalized content…

Its target audience is:

the peripheral frontiers of the digital world where the young people dwell (rb- Maybe something got lost in translation)

The Catholic Church proved it is merely mortal when it comes to the Internet of Things. Like most things IoT, it was released with security holes. Sophos’s Naked Security blog explains that Fidus Information Security discovered a flaw in the prayer app’s authentication mechanism. The pious can safely log in via Google and Facebook, but in good Catholic tradition, any alternative causes issues.

The flaw arises when a user resets their account PIN using the Click to Pray app. The app makes an API call to the server, which then sends the PIN to the user’s email. The server also returns the PIN in its response to the API request, meaning that someone calling the API directly could get the user’s PIN without having access to their email. In other words, the secret that was supposed to prove control of the mailbox was handed straight back to whoever asked for it.

The researchers say they used this method to log in easily and obtain phone numbers, height, weight, gender, and birth dates. CNet says the Android version of the app also asks for access to location data and permission to make calls.

Also, there was no limit to the number of login attempts, which is a dream for any hacker who wants to make automated, or brute force, attempts to break in.
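To make both weaknesses concrete, here is an added example (not the Click to Pray code, and not from Fidus or any of the sources quoted) of a PIN-reset endpoint that echoes the PIN in its API response next to a hardened one, plus a login check with the account lockout the app lacked. The account store, function names, 4-digit PIN format, 5-attempt limit and 15-minute lockout are all assumptions for illustration; the sample account is constructed.

```python
"""Added example: an eRosary-style PIN reset that leaks the PIN in the API
response, a hardened reset, and a login with the lockout the app lacked.
The account store, function names, 4-digit PIN, attempt limit and lockout
period are assumptions for illustration, not the Click to Pray API."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_ATTEMPTS = 5                 # assumed policy: lock after 5 bad PINs
LOCKOUT_SECONDS = 15 * 60        # assumed lockout window
PIN_TTL_SECONDS = 10 * 60        # assumed lifetime of a reset PIN


@dataclass
class Account:
    email: str
    pin: Optional[str] = None
    pin_expires: float = 0.0
    failures: int = 0
    locked_until: float = 0.0


# Constructed account store and a stand-in for the mail server.
ACCOUNTS: Dict[str, Account] = {"user@example.com": Account("user@example.com")}
OUTBOX: List[Tuple[str, str]] = []


def send_email(to: str, body: str) -> None:
    OUTBOX.append((to, body))


def new_pin() -> str:
    return f"{secrets.randbelow(10_000):04d}"


def reset_pin_vulnerable(email: str, now: float) -> dict:
    """The reported flaw: the PIN goes to the mailbox AND back to the caller,
    so anyone who can call the API with a victim's address gets a valid PIN."""
    acct = ACCOUNTS[email]
    acct.pin, acct.pin_expires = new_pin(), now + PIN_TTL_SECONDS
    send_email(email, f"Your PIN is {acct.pin}")
    return {"status": "ok", "pin": acct.pin}   # <-- the leak


def reset_pin_hardened(email: str, now: float) -> dict:
    """Same flow, but the response carries no secret, and unknown addresses
    get the same answer so the endpoint does not enumerate accounts."""
    acct = ACCOUNTS.get(email)
    if acct is not None:
        acct.pin, acct.pin_expires = new_pin(), now + PIN_TTL_SECONDS
        acct.failures, acct.locked_until = 0, 0.0
        send_email(email, f"Your PIN is {acct.pin}")
    return {"status": "ok"}


def login_no_limit(email: str, pin: str, now: float) -> str:
    """Login as reported: no attempt limit, so a 4-digit PIN falls to at most
    10,000 automated guesses."""
    acct = ACCOUNTS.get(email)
    return "ok" if acct and acct.pin is not None and acct.pin == pin else "denied"


def login(email: str, pin: str, now: float) -> str:
    """Hardened login: PIN expiry, constant-time compare, one-time use, and
    lockout after MAX_ATTEMPTS failures."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct.pin is None:
        return "denied"
    if now < acct.locked_until:
        return "locked"
    if now > acct.pin_expires:
        return "expired"
    if hmac.compare_digest(acct.pin.encode(), pin.encode()):
        acct.failures, acct.pin = 0, None      # PIN is single-use
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_ATTEMPTS:
        acct.failures, acct.locked_until = 0, now + LOCKOUT_SECONDS
        return "locked"
    return "denied"


def brute_force(login_fn: Callable[[str, str, float], str], email: str,
                now: float) -> Optional[str]:
    """Try every 4-digit PIN in order; stop at success or at lockout."""
    for guess in range(10_000):
        pin = f"{guess:04d}"
        result = login_fn(email, pin, now)
        if result == "ok":
            return pin
        if result == "locked":
            return None
    return None


if __name__ == "__main__":
    NOW = 1_000.0
    print("vulnerable reset response:", reset_pin_vulnerable("user@example.com", NOW))
    print("hardened reset response:  ", reset_pin_hardened("user@example.com", NOW))
    ACCOUNTS["user@example.com"].pin = "9999"   # fix the PIN so the demo is deterministic
    print("brute force, no limit:", brute_force(login_no_limit, "user@example.com", NOW))
    print("brute force, lockout: ", brute_force(login, "user@example.com", NOW))
```

The two changes that matter are small: the reset response must never contain the secret it just mailed out, and the login path needs expiry, single use and a lockout, because a 4-digit PIN with no attempt limit is at most 10,000 requests away from a takeover. Returning the same response for unknown addresses is a side benefit that stops the endpoint doubling as an account-enumeration oracle.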

Security researcher Elliot Alderson not only found the eRosary vulnerability, he also reported it to the Vatican first. And of course, the Vatican responded via Twitter with appreciation. The Vatican’s representative, a self-described “Digital Jesuit in Rome,” Father Robert Ballecer, understood the significance of having a security researcher attempting to contact the Vatican.

The church’s developers reportedly patched the eRosary within 24 hours.

rb-

The quick response by the Vatican is more than we can say for most organizations. So when it comes to the security of the Vatican’s new wearable device, it’s a good thing the Digital Jesuit is on the team.

They moved pretty fast for an organization that took 350 years to forgive Galileo.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

VC Buys Sophos – Start of Bubble?

Cyber-security firm Sophos has been acquired by private equity firm Thoma Bravo for $3.9 billion. The firms disclosed the deal on Oct 14, 2019. Sophos Group (SOPH.L) was founded in 1985 and is a FTSE 250 company. The cybersecurity firm is based in Abingdon near Oxford and employs 3,400 people. Sophos has 400,000 clients around the world, including Pixar, Ford, Under Armour, Northrop Grumman, and Toshiba.

The Sophos board accepted the deal and will unanimously recommend the offer from Thoma Bravo. The deal is subject to shareholder approval. Some speculate that the timing of the deal is to take advantage of the pound’s weakness around Brexit.

The deal continues Thoma Bravo’s buying spree gathering technology companies that offer cybersecurity and business management tools. Thoma Bravo also has ownership stakes in cyber-security firms Barracuda Networks, Imperva, McAfee, and Veracode, in remote monitoring and management (RMM) firms ConnectWise, Continuum, and SolarWinds, and in SIEM vendor LogRhythm, among others. It is the first acquisition outside the U.S. for the Chicago-based buyout firm.

The Sophos acquisition is one of many transactions affecting the endpoint security market, which is consolidating. Rik Turner, principal analyst at Ovum, told Dark Reading, “There are probably too many vendors coming at this market in different ways, so a degree of simplification is in order.”

Among the notable endpoint deals thus far are VMware‘s acquisition of Carbon Black, BlackBerry‘s purchase of Cylance, and HP’s acquisition of Bromium.

So the question is: is the cybersecurity space in a bubble? Have valuations and VC investments grown too rich? TechCrunch recently wrote that security may be in a bubble, but it is not about to burst. Here are the arguments they laid out.

TechCrunch explains the bubble part of the equation is building:

The landscape of cybersecurity solutions and services is strikingly saturated. Still, this busy frontier continues to attract founders and investors alike, with 300+ new startups launching every year and VCs investing in cybersecurity at a record high of $5.3 billion in 2018. Further, many cybersecurity startups are able to raise large rounds of funding, with exceedingly high valuations, despite having little market traction.

However, the demand side of the equation is also growing and shifting according to TechCrunch:

The global cybersecurity market is booming: Cybersecurity-related spending is on track to surpass $133 billion in 2022, and the market has grown more than 30x in 13 years. Moreover, security is often integrated into new business initiatives and used as a competitive advantage.

rb-

I wonder what the looming Trump trade-war-induced recession will do to the cyber-security bubble. We know that consolidation means job losses, and recessions mean more jobs are lost. To quote the great American philosopher Yogi Berra, it’s déjà vu all over again for those of us who lived through Webvan and the dot-bomb era.

Related articles
  • What Happens To Enterprises If the Cybersecurity Bubble Pops? (ITSP Magazine)

 


How Secure are Your Printers?

Printers are under the security microscope again. Printers are IoT devices that sit on the network and rarely, if ever, get updated. I have covered some of the problems that printers cause a number of times on the Bach Seat. And now more vulnerabilities have been identified by UK-based security consultancy NCC Group in six popular enterprise printers.

Vulnerabilities in printers

The research team was made up of Daniel Romero, managing security consultant and research lead, and Mario Rivas, security consultant at NCC Group. They identified several classes of vulnerabilities in printers, including:

  • Denial of service attacks that could crash printers;
  • The ability to add back-doors into printers to maintain attacker persistence on a network;
  • The ability to spy on every print job sent to vulnerable printers; and
  • The ability to forward print jobs to an external internet-based attacker.

Matt Lewis, research director at NCC Group, told ComputerWeekly,

Because printers have been around for decades, they’re not typically regarded as enterprise IoT [internet of things devices], yet they are embedded devices that connect to sensitive corporate networks and therefore demonstrate the potential risks and security vulnerability posed by enterprise IoT.

Who to blame

There is plenty of blame to share for most of these latest vulnerabilities. Mr. Lewis says the manufacturers are causing these problems by neglecting to build security into their products.

Building security into the development life-cycle would mitigate most, if not all, of these vulnerabilities, and so it’s therefore important that manufacturers continue to invest in and improve cybersecurity, including secure development training and carrying out thorough security assessments of all devices.

End-users have to take some of the blame as well, according to NCC Group:

Corporate IT teams can also make small changes to safeguard their organization from IoT-related vulnerabilities, such as changing default settings, developing and enforcing secure printer configuration guides, and regularly updating firmware.

Impacted printer models

The printers tested by the researchers were from HP, Ricoh, Xerox, Brother, Lexmark, and Kyocera.

NCC Group found vulnerabilities in HP (HPQ) printers. The Color LaserJet Pro MFP M281fdw printers have buffer overflows, cross-site scripting (XSS) vulnerabilities, and a bypass of cross-site request forgery (CSRF) countermeasures.

HP has posted firmware updates to address potential vulnerabilities to some of its Color LaserJet series. “HP encourages customers to keep their systems updated to protect against vulnerabilities,” the company said in a statement.

The vulnerabilities NCC Group found in Lexmark CX310DN printers include a denial of service vulnerability, information disclosure vulnerabilities, lack of cross-site request forgery countermeasures, and lack of account lockout.

The NCC Group found Vulnerabilities in Kyocera (KYO) Ecosys M5526cdw printers. The security holes include buffer overflows, broken access controls, cross-site scripting vulnerabilities, and lack of cross-site request forgery countermeasures.

NCC Group identified stack buffer overflows, heap overflows and information disclosure vulnerabilities in Brother (6448) HL-L8360CDW printers.

The vulnerabilities reported in Ricoh (RICOY) SP C250DN printers include buffer overflows, lack of account lockout, information disclosure vulnerabilities, denial of service vulnerabilities, lack of cross-site request forgery countermeasures, and hard-coded credentials.

NCC Group claims the Xerox (XRX) Phaser 3320 printer vulnerabilities include buffer overflows, cross-site scripting vulnerabilities, lack of cross-site request forgery countermeasures, and lack of account lockout.

All of the vulnerabilities discovered during this research have either been patched or are in the process of being patched by the relevant manufacturers. NCC Group recommends that system administrators update any affected printers to the latest firmware available, and monitor for any further updates.
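Patching is the fix, but the research also describes behaviour a network team can watch for while it waits on firmware: print jobs being forwarded to an Internet host, printers reachable from the Internet, and interactive sessions that may be a planted backdoor. As an added example (not NCC Group’s tooling and not from any vendor named above), here is a small flow-log check for exactly those three patterns. The printer inventory, the CSV flow format and the five sample records are constructed, and the RFC 1918 ranges stand in for the internal address space:

```python
"""Added example: audit flow records for the printer risks NCC Group
describes. The printer inventory, flow format and sample records are
constructed for illustration; adapt the sets to your own network."""
import csv
import io
import ipaddress
from typing import List, Optional, Tuple

PRINTERS = {"10.20.30.5", "10.20.30.6"}          # assumed printer inventory
PRINT_PORTS = {9100, 631, 515}                    # raw / IPP / LPD
MGMT_PORTS = {22, 23}                             # SSH / telnet
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: ts,src,dst,dport (one TCP flow per line).
# Lines 3, 4 and 5 are the ones the checks below should catch.
SAMPLE_FLOWS = """ts,src,dst,dport
2019-10-10T09:00:01,10.20.30.77,10.20.30.5,9100
2019-10-10T09:00:02,10.20.30.5,10.20.30.1,53
2019-10-10T09:00:03,10.20.30.5,203.0.113.7,443
2019-10-10T09:00:04,198.51.100.20,10.20.30.6,9100
2019-10-10T09:00:05,10.20.30.77,10.20.30.6,23
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(src: str, dst: str, dport: int, printers=PRINTERS) -> Optional[str]:
    """Return a reason string if the flow deserves a look, else None."""
    if src in printers and not is_internal(dst):
        # Printers receive jobs; they have no business calling out to the Internet.
        return "printer initiated connection to Internet host (possible print-job forwarding or beacon)"
    if dst in printers and not is_internal(src):
        return "Internet host reached printer (service exposed at the perimeter)"
    if dst in printers and dport in MGMT_PORTS:
        return "interactive management session to printer (verify against change records)"
    return None


def audit_flows(text: str, printers=PRINTERS) -> List[Tuple[str, str, str, int, str]]:
    """Parse CSV flow records and return (ts, src, dst, dport, reason) for each hit."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        dport = int(row["dport"])
        reason = classify(row["src"], row["dst"], dport, printers)
        if reason:
            alerts.append((row["ts"], row["src"], row["dst"], dport, reason))
    return alerts


if __name__ == "__main__":
    for ts, src, dst, dport, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{ts} {src} -> {dst}:{dport}  {reason}")
```

In practice the input would be NetFlow or firewall logs rather than a hand-written CSV, and a vendor’s firmware-update hosts would go on an allow-list for the first rule. The underlying policy is the point: a printer should only accept jobs from inside, should almost never initiate anything outbound, and should not be getting telnet or SSH sessions that nobody can account for.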


Quantum Supremacy

There are reports that Google (GOOG) has demonstrated quantum supremacy. In quantum computing, quantum supremacy means that a quantum computer is able to perform a calculation that is practically impossible for a classical computer. Before we fear and weep for the western dream, ScienceAlert explains that we can’t be sure of the claim.

Shortly after the research article was uploaded to a NASA site, it was withdrawn for unknown reasons. The news was originally broken by the paywalled Financial Times, which reported both seeing the paper and that it was subsequently taken down. Now only copies of the original paper are available online. Further, Google has not officially explained to anybody what’s going on, sparking no end of speculation online about what has or hasn’t happened.

Assuming the briefly released paper is real, why is this important? Wired explains that the Google researchers used a quantum processor called Sycamore, with 54 qubits. It tackled a random circuit sampling problem: drawing samples from the output of a randomly chosen quantum circuit and checking that the samples follow the distribution the circuit predicts. ScienceAlert says the experimental quantum processor took about 200 seconds to solve a particular computational problem.

As part of the experiment, they set a version of the same challenge to some powerful Google server clusters, as well as to the current world’s fastest supercomputer, the IBM-built Summit supercomputer at Oak Ridge National Lab. The state-of-the-art supercomputer would require approximately 10,000 years to perform the same task.

According to copies (PDF) of the vanished report,

This dramatic speedup relative to all known classical algorithms provides an experimental realization of quantum supremacy on a computational task and heralds the advent of a much-anticipated computing paradigm

In the Wired article, John Preskill, the Caltech professor who coined the term “quantum supremacy,” calls the breakthrough, if accurate, a “truly impressive achievement in experimental physics.” But he and other experts, and even Google’s own paper, caution that the result doesn’t mean quantum computers are ready for practical work. Professor Preskill explains, “The problem their machine solves with astounding speed has been very carefully chosen just for the purpose of demonstrating the quantum computer’s superiority.”

Professor Preskill told Wired it’s unclear how long it will take quantum computers to become commercially useful; breaking encryption, a theorized use for the technology, remains a distant hope. “That’s still many years out,” says Jonathan Dowling, a professor at Louisiana State University.

Will Oliver, a quantum specialist at MIT, told Technology Review, the computing milestone is similar to the first flight of the Wright brothers at Kitty Hawk in aviation. He said it would give added impetus to research in the field, which should help quantum machines achieve their promise more quickly.


New Scientist says there are plenty of hurdles left to overcome before quantum computing hits the big time. The author cites a number of steps:

For a start, the processors need to be more powerful. Google’s Sycamore quantum computer consisted of only 54 qubits. For quantum computers to really come into their own, they will probably need thousands. Scaling up the number of qubits won’t be easy: qubits must be isolated from vibrations, as they can be easily disturbed.

Next quantum computers need error-correcting codes. Classical computers have mechanisms to make sure that when little mistakes happen they are automatically rectified.

The same will be needed for quantum computers, especially considering the delicate nature of qubits. The challenge now is to build a quantum computer that has quantum supremacy, as well as error-correcting codes.

The final, biggest step is to actually do something useful. Google’s quantum computer tackled a task specifically tailored  to prove quantum supremacy, not do anything useful.

New Scientist called the achievement impressive but noted there is no practical use for it yet. Ciarán Gilligan-Lee at University College London said, “We shouldn’t get too carried away with this … but there’s still a long way to go.”

rb-

This bench-marking task is a proof of concept. SkyNet is not coming –  yet.

Combining quantum with machine learning and AI may be a different story. But for a year or so we are probably safe. Unless of course, some TLA that is already using quantum computing made the paper disappear.


Data Privacy End Run

In an attempt to end-run stricter data privacy regulation, the Business Roundtable, an association of CEOs of America’s largest companies, sent an open letter to the U.S. House and Senate urging the politicians to pass a comprehensive national data privacy law. According to CircleID, the heart of the letter is the creation of federal privacy laws that the companies argue should replace various state-level laws that have already been passed.

The CEOs want one law that governs all user privacy and data protection across the U.S., which would simplify their lives. From the letter:

Now is the time for Congress to act and ensure that consumers are not faced with confusion about their rights and protections based on a patchwork of inconsistent state laws.

Among the items hidden deep in the CEOs’ “consumer privacy framework” are some onerous provisions:

  • Private individuals should not be allowed to sue companies if those companies violate the data privacy law itself;
  • Potential pay-for-privacy schemes; and
  • Overriding existing state data privacy protections already signed into law.

The Data Privacy Blog points out that in 2019, a number of states passed new and expanded data breach notification laws, including:

  • California.
  • Illinois,
  • Maine,
  • Maryland,
  • Massachusetts,
  • New Jersey,
  • New York,
  • Oregon,
  • Texas, and
  • Washington.

Also, since July 1, 2019, Delaware, New Hampshire, and Connecticut have enacted laws imposing new cybersecurity requirements on insurance companies.

ZDNet points out that many privacy advocates (and even some tech CEOs) believe the CEOs aren’t really looking after users’ interests, but their own. There’s a belief that companies are trying to aggregate any privacy lawmaking in Congress, where lobby groups can water down any meaningful user protections that may impact bottom lines. Open Secrets reports that the Business Roundtable has spent over $6.6M lobbying in D.C. so far in 2019. As followers of the Bach Seat know, money talks and citizens walk in D.C.

Among the CEOs who were involved in the end run were:

The Data Privacy Blog points out the coincidence that the CEOs’ framework comes just months before the California Consumer Privacy Act is set to go into effect in 2020.

Followers of the Bach Seat know many companies make money by selling customers’ personal or device-usage data. Privacy policies with too many teeth could prevent companies from selling your data to pay the CEOs’ average salary of $17.2M. The LA Times reports that compensation for American chief executives increased by 940% from 1978 to 2018, while pay for the average worker rose only 12% over the same 40-year period.

rb-

Seems to me that the goal of this proposal by the leading CEOs is not to protect our privacy. Their goal is to centralize the rule-making in the D.C. swamp and throw money at the politicians to do the Business Roundtable’s bidding. Then the CEOs will be able to maintain the status quo and normalize the existing digital surveillance system that serves them well.

The CEOs’ sudden interest in data privacy has more to do with the growing wave of real reform at the state level and the calculation that Trump will be booted from office and a less business-friendly POTUS will take his place in 2020, and little to do with citizens’ privacy.

The digital rights organization Electronic Frontier Foundation supports a private right of action for any national consumer privacy law, as such a right would further enable members of the public to fight back against companies that violate the law.

The EFF wrote the best way to protect ordinary people’s privacy is action.

It is not enough for government to pass laws that protect consumers from corporations … to ensure companies do not ignore them … empower ordinary consumers to bring their own lawsuits against the companies that violate their privacy rights.

Signatures from Facebook CEO Mark Zuckerberg and Apple CEO Tim Cook were notably absent from the list although both have, in the past, supported a comprehensive federal privacy law.
