Welcome to 2023’s first weekly telecom roundup!

Business

New year, more Rogers and Shaw merger developments. The latest stems from the Competition Tribunal’s decision to reject the Competition Bureau’s arguments to block the merger. Now headed to the Court of Appeal, the merger can’t close until the court makes a decision.

That likely won’t be too far from now, as the court set a January 24th hearing date. Rogers and Shaw have set January 31st as their deadline to close the deal, which they may be forced to extend.

More in acquisitions, Telus International (TI) has completed its takeover of WillowTree, a U.S.-based digital product production company. WillowTree will serve TI’s 600 clients, including its telecom company Telus Corporation. WillowTree will help “Telus’ digital transformation ambitions,” Jeffrey Puritt, TI’s president and CEO, told MobileSyrup.

Bell and Snap have partnered to give Toronto Raptors fans a special AR experience. Those attending Welcome Toronto games at Scotiabank Arena will be able to access a Raptors AR Lens, letting them shoot hoops like the pros.

Deals

Koodo is texting subscribers with a $3/25GB extra data offer.  Other offers include $1/5GB or $2/10GB. More details are available here.

Best Buy is offering the Google Pixel 6 Pro for $8/month if you sign up with certain carriers. Plus, those activating with Koodo could score $500 in Best Buy gift cards. Learn more here.

Can companies integrate social purpose and action with their corporate strategy?

Companies are struggling to find strategies that allow them to not only compete economically, but also to engage and motivate employees. Some are trying to bring employees back to the office and finding real resistance to returning to the long commutes of most urban centres. While the recent tech layoffs may have mitigated some of the “great resignation” the reality is that it’s still difficult to find good tech talent. And even if the “great resignation” is not a factor, the idea of “quiet quitting” is still a real threat to employee engagement and productivity. In addition to good wages and a lifestyle, employees, at least the top employees may also be looking for more – a sense of purpose in their work.

Can companies respond with strategies that will address these issues and give them a competitive advantage? In an increasingly cynical world, can they demonstrate a sense of purpose and engagement?

This week I interviewed LSP Chadreshekar, the Canadian country manager for Zoho, a privately owned, international technology giant. I wanted to talk about the company’s focus on building a presences in smaller, often overlooked cities and towns, something it calls “transnational localism.”

Zoho, an international and private company focuses on bringing jobs to “overlooked communities” that need employment and that they appear to have built this into their corporate fabric, I was intrigued.

Zoho’s strategy runs counter to that of many technology companies who have more often gravitated towards larger municipalities, locating where it is perceived that there is a pool of talent. In some cases, companies may even look for incentives to locate their head offices in a particular location.

Zoho chose to open its Canadian headquarters in Cornwall, Ontario. Cornwall is not an obvious choice. It’s far from the the Waterloo-Toronto corridor where the majority of tech companies in Ontario are located. In fact, it’s on the opposite side of the province and more than 400 kilometres from Toronto. It’s closer to Montreal, but still a 140 kilometres drive. It has a population of approximately 48 thousand.

Yet the city was a strategic choice. Moreover, it’s not the first time that Zoho has chosen to be a presence in a smaller town or city. There are other examples in the US and around the world. According to Chadreshekar, this idea of boosting a smaller city is a core strategy that they refer to in that term “transnational localism.”

Our conversation started with exploring Zoho’s strategy, but evolved into a wider discussion of corporate social good, culture in the corporate setting and a lot more. I hope you’ll enjoy it.

The post Can companies integrate social purpose and corporate strategy? An interview with Zoho’s LSP Chadreshekar on Hashtag Trending Weekend Edition first appeared on IT World Canada.

Over the past couple of weeks, we’ve written about the top games of 2022, both from Canadian teams and developers worldwide, as well as Canadian games to look forward to in 2023.

Now, though, we want to hear what you think. With the start of the new year comes the promise of all kinds of new games. 2023, in particular, is poised to be the year this current-gen of consoles really comes alive. Between the likes of the PS5-only Final Fantasy XVI (June) and Marvel’s Spider-Man 2 (fall) or Bethesda Xbox Series X/S titles Starfield and Redfall (first half of 2023), it should finally feel as though the industry is moving past the nearly 10-year-old PS4 and Xbox One.

In a similar vein, Nintendo is finally set to release The Legend of Zelda: Tears of the Kingdom in May, a sequel to the beloved Breath of the Wild that the Switch actually launched with way back in March 2017. Other big games include February’s Hogwarts Legacy, March’s Resident Evil 4 remake, May’s Suicide Squad: Kill the Justice League and Diablo IV, and June’s Street Fighter VI. The PlayStation VR2 is also launching next month.

That’s to say nothing of smaller indie titles, including the likes of the long-awaited Hollow Knight: Silksong (TBA 2023), Jet Set Radio-esque Bomb Rush Cyberpunk (summer), South-Asia-meets-Scott-Pilgrim Thirsty Suitors (TBA 2023) and Quebec City-based Sabotage’s Chrono Trigger-inspired Sea of Stars (first half of 2023).

Personally, the first two games I mentioned are my most anticipated. Two of my favourite things, period, are Final Fantasy and Spider-Man, and getting big new PS5 titles from both franchises in the same year is beyond exciting. As a big JRPG fan, Sea of Stars is likewise hitting all of the right notes so far. March’s Star Wars Jedi: Survivor, meanwhile, looks like an excellent sequel to 2019’s Jedi: Fallen Order. Replaced, a 2.5D cyberpunk action game, also seems rad.

Of course, more games will be revealed throughout 2023, especially at both E3 and Summer Game Fest in June. For now, though, what are you most excited to play this year? Let us know in the comments.

Image credit: Square Enix

Yesterday at CES 2023 in Las Vegas, Lenovo unveiled its latest lineup of devices and other offerings it said are designed to provide both consumers and business users with a more “personalized” technology experience through new form factors and new uses of artificial intelligence (AI).

The portfolio, the company said, also demonstrates its commitment to environmental, social and corporate governance (ESG) in line with its vision of achieving net-zero by 2050, aligned to Science Based Target initiatives. It added that it “continues to focus on supporting a circular economy by increasing the use of recycled materials in its products and packaging, and collaborating with industry partners to help increase energy efficiency of its devices.”

A sample of the myriad of launches that exceed the 50-mark included the following:

A new model in the ThinkBook Plus series that the company says reimagines its strong heritage of the twistable form factor, with a dual rotating display that features an OLED panel on one side and a colourful e-Ink screen on the other.
Refreshes of its Yoga 9i (14-inch) and Yoga Slim 7i Carbon (13-inch) laptops, both featuring up to 13th Gen Intel Core processors.
Refresh of the Yoga 6 (13-inch) with the latest AMD Ryzen 7000 series processors and enhanced battery to handle longer remote work sessions.
The Lenovo ThinkPhone by Motorola, which the company says allows business end users to have seamless device integration between their phone and a ThinkPad.
A new technology known as Project Chronos, with a formal name forthcoming, that captures a user’s movement and “enables them to interact with and perform activities in 3D virtual worlds without glasses or wearables.”
The Lenovo Tab Extreme tablet, which features a dual-hinge keyboard design and protective storage compartment.
The Thinkbook 16p Gen 4 laptop, which the company said is “powered by high performance components.” The device features a Lenovo Magic Bay modular accessory bay on the top of the display, allowing expansion with accessories including Lenovo Magic Bay 4K Webcam, Magic Bay LTE or Magic Bay Light.

Further details on these and other products are available via the following link. Canadian pricing and availability had not been revealed at press time, but will be released at a later date.

The post CES 2023: Lenovo bulks up its product portfolio substantially, launches 50+ devices, services first appeared on IT World Canada.

CES is an opportunity for successful but lesser known companies, be they large or small, to make a name for themselves, and one organization that has done just that is Valeo Group.

The French-based organization, which was launched in 1923 in a workshop in Saint-Ouen-sur-Seine, a northern suburb of Paris, has proven at the show that it is far more than just a market leader in sensors for advanced driving assistance systems (ADAS) and related detection algorithms.

Even though the global automotive supplier operates in 33 countries and has partnering agreements with automakers worldwide, it is clear that its interests go far beyond its core competencies.

An example of that occurred at last year’s edition of the conference, when the company announced that had been named a CES 2022 Innovation Awards Honoree for its UV Air Purifier, an air sterilization system for bus and coach cabins.

“Upon activation, the system eliminates, in a single airflow cycle, more than 95 per cent of viruses, including Covid-19, as well as any bacteria or mold present in the air circulating in the cabin,” the company stated at the time. “The Valeo-designed modules are effective throughout the vehicle’s journey with passengers onboard.

“The Valeo UV Air Purifier is designed to be compatible with buses and coaches of all types and sizes, air conditioned or not. They can be fitted to new vehicles as well as those already on the road. To date, more than 2,000 buses are already equipped worldwide with our technology.”

This year has been no different, with the company being awarded four such awards by organizers – all in vehicle tech and advanced mobility – that included an autonomous parking system for repetitive parking maneuvers. The company also demonstrated Pantomime, an offering that uses an algorithm to understand the movements of vulnerable road users such as cyclists.

There has also been an expansion into other sectors, including:

Credit: Valeo

Valeo Cyclee, an EAB (Electric Assisted Bike) system composed of a 48V motor with an integrated gearbox to offer the best assistance to a cyclist. This system is suitable for all applications: Mountain, Urban and Cargo bikes. As in a car with an automatic gearbox, the cyclist is “free to choose between an automatic mode or a manual mode for shifting. The system is accompanied by a whole connected environment: thanks to sensors, the system predicts the environment and cyclist behavior and gives the optimum shifting to provide the perfect power.”

An agreement with ZutaCore to research and bring to market a new method for cooling data centres. The aim is to increase their performance and reduce their environmental impact.
“Data centres use increasingly powerful microprocessors that require more efficient thermal systems for cooling,” a release stated. “The solution being studied by the two partners, on display at Valeo’s stand, could consume up to five times less energy than air cooling solutions and unlock five times more computing power for a given volume.”

Last, but not least, Valeo is also premiering Smart Pole at CES, a concept it said is made possible by French technology. “Developed with partners Equans, GHM, Eclatec and Lacroix City, Smart Pole makes mobility safer for all users of the city of tomorrow: pedestrians, droids, autonomous shuttles, micro-mobility operators, etc.,” the company said.

Credit: Valeo

“Thanks to its detection sensors, Smart Pole observes the environment in real time and is able to signal whether a pedestrian can safely cross or not. This innovation can bring new services to cities and communities, such as recording the number of cars passing by in order to provide real-time road traffic information, controlling traffic lights to ease traffic flow (green wave), and facilitating parking space management.”

The post From smart poles to EABs: Valeo Group making some noise at CES first appeared on IT World Canada.

It looks like Apple’s AR/VR (augmented reality/virtual reality) headset has hit another bump in its development.

According to often reliable Apple analyst Ming-Chi Kuo, the rumoured mixed reality headset is now expected to release this coming fall. Kuo says that problems with software development tools and issues related to drop tests have pushed the headset out of its initial spring/summer WWDC release window.

Kuo goes on to say that the rumoured January media event for the VR/AR headset also likely won’t happen.

(1/3)
Apple's AR/MR headset development is behind schedule due to issues with mechanical component drop testing and the availability of software development tools, meaning that mass shipment of this device may postpone from the original 2Q23 to the end of 2Q23 or 3Q23. https://t.co/YitWBWxbRI

— 郭明錤 (Ming-Chi Kuo) (@mingchikuo) January 6, 2023

Earlier this week, The Information revealed an extensive report about Apple’s AR/VR headset, detailing its Digital Crown-like controls and the fact that it no longer features interchangeable headphones as initial rumours indicated.

Other rumoured features include a 120-degree field-of-view, dual 4K OLED displays, a 5nm CPU/GPU, and a dedicated image signal processor. The headset is rumoured to cost in the range of $3,000 USD (roughly $3,736 CAD) mixed reality headset.

Source: @mingchikuo Via: 9to5Mac

Google is envisioning an Apple AirPods-like future where transitioning between audio devices becomes seamless, and Android 13 may be the answer. Announced at CES 2023, Android 13 will notify users when a new audio device is nearby and ask if they want to swap over without interruption.

The feature works off the back of Google’s previously released cross-device software development kit (SDK). The software incorporates Wi-Fi, Bluetooth, and ultra-wideband technology. It can detect which audio devices are in close proximity to the user and suggest them based on availability.

Theoretically, a user could be walking through their home and playing music on their Pixel device. Once close enough to the Bluetooth speaker in their kitchen, for instance, the user will receive a notification and can seamlessly swap to the other device. Additionally, this feature can identify which device a user may want to use based on activity. That same transition could happen from speaker to phone if the user is answering a call and doesn’t want background disruptions.

Google is currently working with both Spotify and YouTube Music to integrate the notification feature. Google’s SDK also incorporates Fast Pair, Nearby Share and Chromecast, streamlining the use of multiple devices.

In addition, Google is working with Spotify to bring its Spotify Connect support to Android 13’s media switcher. Ideally, Google wants to give more users the ability to quickly select which Bluetooth or Chromecast built-in devices they can play their content on. As of now, this feature is available with YouTube and YouTube Music.

How Google describes its transitional audio experience is largely similar to Apple’s automatic switching feature for AirPods. Across AirPods, Powerbeats, Powerbeats Pro, and Beats Solo Pro, users can swap between listening devices like an iPhone, laptop, etc.

As of the time of writing, Google has not outlined a timeframe for when either feature will be available. However, the company claims they expect the features to release “this year.”

You can find all of our coverage from CES 2023 here.

Source: Google

Troubles in the US tech sector continue, as e-commerce giant Amazon announced Wednesday night that “a little more than 18,000” jobs will be cut.

The company had announced plans to cut some 10,000 jobs last November, but chief executive officer (CEO) Andy Jassy said the estimated number of layoffs has been revised upwards.

The CEO decided to break the news quickly after it was leaked by an employee. He specified that the employees affected “or their representatives, where necessary, in Europe” will be notified by the company on Jan. 18.

Without specifying the geographical distribution of the layoffs, he said that “the review of the annual planning has been more difficult this year given the economic uncertainty and the fact that we have hired heavily in recent years.”

He added, “Amazon has weathered uncertain and difficult economic times in the past, and we will continue to do so. These changes will help us pursue our long-term opportunities with a stronger cost structure. Businesses that last for a long time go through different phases. They’re not in massive staff expansion mode every year.”

Amazon, which is due to announce its annual results on Feb. 1, forecasted growth well below its expectations last November, with operating income for the fourth quarter predicted to be US$0-$4 billion, compared to US$3.5 billion the previous year.

Amazon isn’t the only company having to shrink its workforce. US-based Salesforce also announced on Wednesday its plan to cut just under 8,000 jobs, a reduction of around 10 per cent in its workforce.

It’s the same situation at Meta, the parent company of Facebook, which announced last November that it had to cut 11,000 jobs, about 13 per cent of its workforce.

Snapchat, meanwhile, laid off about 20 per cent of its staff last August – more than 1,200 employees – and Twitter, under the leadership of Elon Musk, recently fired half of its 7,500 employees.

The post Amazon to cut 18,000 jobs first appeared on IT World Canada.

Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, January 6th, 2023. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.

In a few minutes David Shipley of Beauceron Security will join me to discuss recent news. But first here are some of the headlines from the past seven days:

The LockBit ransomware gang apologized for hitting Toronto’s Hospital for Sick Children. It blames an affiliate for ignoring the criminal gang’s rules against encrypting the data of hospitals. Is this apology just a PR stunt? That’s one question I’ll put to David.

We’ll also discuss the rise of the ChatGPT tool. According to one news report Microsoft and OpenAI want to integrate this chatbot into the Bing search engine to fight Google’s lead in online search. David and I will discuss how threat actors also might use this tool.

And we’ll look at the increasing trend of threat actors stealing digital tokens to get around multifactor authentication. The latest victim is the Slack instant messaging platform, which at the end of December admitted a hacker was downloaded company code from GitHub after getting hold of digital tokens of employees.

In other news, Twitter account information on 200 million users is now available for free on a hacker forum. The data was offered for sale on the dark web for US$200,000 in December.

Developers using the open-source PyTorch machine learning framework were warned they may have downloaded a compromised version of the package from the PyPI repository over the holidays. PyTorch says someone was able to add a package with a spoofed name to the nightly package it puts on PyPI. It’s just the latest example of an open-source repository being abused by threat actors.

Application developers using the CircleCI continuous integration platform were also warned to change passwords, API keys, and digital certificates stored in the system after the discovery of an unspecified security incident.

Zoho is urging IT administrators to install a security fix for ManageEngine Password Manager Pro. This is to fix a high-severity SQL injection vulnerability.

And security researchers found vulnerabilities in the remote access capabilities of vehicles from 16 car manufacturers. Not only could some vehicles be started remotely, personal information of car owners could be stolen.

(The following transcript has been edited for clarity)

Howard: We’ll start with the ransomware attack on Toronto’s Hospital for Sick Children. Known as SickKids for short, the attack started last month and the LockBit gang took credit. And then on New Year’s Eve it issued a sudden apology. An affiliate of the gang was responsible for violating a rule against hitting hospitals. The gang said it “formally” apologizes, and the partner who did this is no longer affiliated with them. Not only that, the head of LockBit sent the hospital a decryptor to help it unscramble and recover files. Oh, my gosh David. A crook with ethics!

David Shipley: More like a crook with self-preservation instincts. There’s two scenarios: First is what we’ll call the Australian scenario. Was this the kind of attack like the Medibank attack that would cause such outrage that the government would wake up and actually get its act together, form a joint police and military response and really ruin their [the attacker’s] day? And ruin the Canadian ransomware market? If so this [apology] is just business preservation. Luckily for them, Canadian politicians apparently don’t care about SickKids because haven’t heard any denunciations from any cabinet-level ministers or the PMO about this. It was a non-concern. What may have been a secondary concern [for LockBit] is this is one of those things where critical infrastructure was attacked. They’re a gang based in Russia, we’re currently at pretty high tensions now, maybe this [attack on SickKids] may upset some of the Russian government folks who don’t necessarily want to see NATO trip Article 5 [a provision where an attack on one NATO member is seen as an attack on all]. Either way I highly doubt this is altruism. These cats have hit hospitals before and and not necessarily given them the [decryption] keys. So I think this is self-preservation and and self-interest.

Howard: They very generously sent a decrypter to the hospital. A question: Should any IT department trust a decrypter sent by a crook?

David: Do you really want to trust these cats? I have the privilege of knowing really really smart folks like Brett Callow at Emsisoft [who is based in British Columbia]. They have to spend a lot of time having to build or rebuild the tools to decrypt ransomware because while the criminals are great at ruining your day they’re not so great at actually decrypting it. Even when the Irish healthcare system got their decryption tool [from the attackers] it didn’t work. It was slower than all get out. So it’s a damned if you do damned if you don’t scenario. I think it [using a gang-supplied decrypto] depends on whether there are any reasonable alternatives. If there are I would avoid it. Hopefully your backups are intact. Hopefully the data is still fresh enough that it has value. But I think you are playing a dangerous game [to use a gang-supplied decryptor]. At the twilight of the ransomware market — and we’re not there yet — when this thing finally totally starts to go completely south desperation set in these decryptors will cause additional havoc as well. That’s when you know that they’re ready to burn the [ransomware] business model and are going to evolve to something else.

Howard: Ransonware gangs, and perhaps other threat actors, have self-imposed rules which can probably change as quickly as the direction of the wind. Here’s a translated list of what LockBit says its groups are forbidden to do: Encrypting the data of critical infrastructure, especially hospitals and energy companies. But it’s okay to hack into their into these companies and steal their data for ransom or resale. I hope you get the distinction there. You can hack in, you can steal their data, you can ransom their data. You can’t encrypt their data. If gang members or affiliates are in any doubt about what’s a critical infrastructure organization they can ask the LockBit help desk. Yes, That’s right, this ransomware-as-a-service gang, like a number of criminal operations, has a help desk.

David: What also amuses me is unlike our current federal approach to securing critical infrastructure and legislation they [LockBit] recognize that hospitals are critical infrastructure. [Editor: This is a reference to proposed Canadian federal legislation overseeing critical infrastructure. Initially, it will apply to four sectors: Banking, interprovincial pipelines, telecommunications and transportation. The federal government recognizes healthcare as part of the country’s critical infrastructure in planning with provinces and industry. However, hospitals are legally a provincial responsibility.]

You’d think a pandemic would have taught us that lesson but LockBit apparently recognizes hospitals as critical infrastructure but our new federal legislation doesn’t. Which is kind of super-funny. I do think the LockBit distinction is about not crippling the hospital — ‘We don’t want to get pinned with actually killing somebody because that might actually spin up law enforcement and military response and or set off a whole series of geopolitical events. But no one’s going to go to war over leaked medical files. Even if it might ruin someone’s life.’ I remind listeners about that Medibank hack in Australia. The first set of files they leaked were about people who’d had abortions. So these groups and their scruples are questionable at best. They don’t care what havoc they cause to individuals. They care about what blowback they could get [from the public and law enforcement]. The fact that they have a help desk goes back to the ransomware- as-a-service business model working so well and generating such money.

Howard: Here’s another example of their LockBit self-imposed rules. The gang can very carefully and selectively attack pharmaceutical companies, dental clinics and plastic surgeries. Why is it a selective rule? Don’t ask. They can attack private for-profit schools but not public school boards.

Interestingly, news emerged this week of an apparent ransomware attack on a Northern Ontario Catholic school board. The gang stole data of employees. The school board now reports the gang says it has deleted that data. Whether it’s deleted it because the gang were paid by the school board or whether the ransomware gang said, ‘Oh we really didn’t need to hit a public school board,’ we don’t know yet.

David: Not all ransomware gangs subscribe to LockBit’s ‘Robin Hood’ philosophy. Some gangs don’t care. The number of school districts in the United States that have been taken down is staggering. And the number of Canadian school districts that have gone down the last 12 months is starting to add up. This is getting bad, particularly for the primary and secondary education systems. It’s not so much the sensitivity of the data on students. But it’s the theft of employee files. That gets really dangerous and damaging. And let’s be honest: teachers have had a rough couple of years here. This is not helping us retain and keep the best teaching talent. As far as dental clinics and pharmaceutical companies, I find that there’s a fascinating distinction [made by LockBit] between these things. ‘You’re not going have a heart attack [in a dental office],’ but you might not be able to get a root canal when you really need one. They apparently don’t consider that a healthcare emergency.

Howard: LockBit makes it worthwhile for crooks to join their affiliates’ team. According to a U.S. government presentation that I was able to see online, LockBit affiliates set the ransoms demanded of the victims. And they get to keep 80 per cent of payments.

David: We’ve seen that with other gangs, and that includes NetWalker and others. You’ve got to think about how much money they must be making where they’re willing to give that much margin up to their affiliate. That speaks to the rumor that LockBit has made at least $100 million in revenue [since it began]. So if they [the leaders] get 20 per cent of the total take that’s pretty staggering. The only rule of Russian-based gangs that I trust is they don’t hack inside Russia or countries in the Russian sphere of Influence. They know that if they break that rule their legs are getting broken.

Howard: Before I leave ransomware I want to mention that this week the Guardian newspaper in the United Kingdom, which was hit last month by ransomware, told staff that they cannot return to the office until at least January 23rd because they’re continuing to restore and cleanse their IT systems. Staff has to continue working from home.

David: It’s interesting how the pandemic has made us more resilient. There would have been a time where not being able to go to the office would have meant the paper couldn’t be put out.

… I also wonder how much the collapse of cryptocurrency has unretired some [ransomware] gangs and made some individuals have to work again. The other thing that makes me very concerned is the affiliate model. When you’ve got tens of thousands of employees being laid off in the biggest tech companies on the planet there are chances that someone’s feeling pretty raw about that who would know enough about their fomer organization to cause a lot of pain [by becoming a cyber gang’s affiliate]. We might be heading for a year where an organization gets hit badly because they’re tightening their belt for the recession and someone hits back.

Howard: According to a news report the ALPHV/BlackCat ransomware gang recently found a new way to squeeze victim firms. Rather than offer stolen data on its private site for crooks after hitting a financial firm this gang created a publicly available leak site that mimics that company’s website with the stolen data. It’s a public warning: ‘We want everybody in the public to know that your company allowed a data breach.

David: This is an interesting escalation, and it’s not without risk back to the gang. Creating a public website’s going to require registering a domain. They’re going to have to figure out a way to try and cover their tracks. That’s much more difficult than posting something on the dark web, so they clearly think escalating to this level makes sense. It might have been Brett [Callow] or [cybersecurity author] Alan Liskla who said this may be a site BlackCat created so when they reach out to that financial services firm’s customers they point them at the site. The customers can see just how bad it is and that just puts extra pressure on the firm to pay — although at that point it may not be about the firm paying but about pointing to other people who have yet to make the decision to pay and saying, ‘Look what we just did to these guys. You want to be next?’ They must be feeling awful confident they’re not going to get nicked by police when creating public websites.

Howard: One lesson for all IT departments that I saw from one U.S. government advisory is all cyber gangs hunt for and then exploit unpatched IT systems. These are seen as easy if not preferred targets.

David: One hundred per cent. And let me put this warning call out there: If you are still running your own Exchange environment, or if you are buying a hosted Exchange environment, make 2023 the year you get to Office 365 because the tens of thousands of organizations that have been hit by numerous Exchange vulnerabilities just continue to happen — but aren’t happening in the Microsoft 365 environment. It’s a no-brainer. The value prop versus risk equation of hosting Exchange is one of those easy wins. Get out of that business. It no longer makes any sense.

Howard: Item two: Access control. At the end of the year the Slack instant messaging platform admitted that a hacker was able to get hold of digital tokens used by employees for logging into GitHub. GitHub is where developers work on slack application code. The hacker was able to download some of that code none of it had customer data. This is a new trend: Stealing digital tokens. Slack came out with its statement fast — three or four days after the attack.

David: Their incident response on this is fantastic. Their transparency is great. What’s going to be really key now is how this incident get weaponized by attackers as they continue to target. Slack. So what we saw with the LastPass breach just before Christmas was that a previous breach used details that only insiders would know to further their attacks. It resulted in a more catastrophic breach. So just because they didn’t get customer information [from Slack] doesn’t mean that the information they took can’t be highly useful for continuing their campaign. It’s clear Slack is in somebody’s sights. How they handle the next few attacks is really going to make all the difference.

Howard: As I said this deals with the theft of digital tokens which are the snippets of code that are tucked into browsers that IT systems use for identity and access control. If hackers can get a hold of them they can be used for bypassing multifactor authentication. In fact in November Microsoft warned that it’s seeing an increase in token theft. One way that a hacker can steal a token is through a man-in-the-middle attack, which is intercepting the multifactor authentication token that’s used by an employee when he logs in. Then the hacker replays the token for their own access.

David: Microsoft has a really great article about token theft. If I can phish you and get your username and password, I’m off to the races if you don’t have multifactor authentication. If I can fish you and deliver malware to your machine and now I can be the attacker in the middle and capture the browser session cookies and then replay them, I’m laughing. One of the challenges that Microsoft highlights in their analysis that I really liked is in this rush to remote work with so many bring-your-own-device policies and so many devices that aren’t under corporate control the devices may not have the security controls, antivirus software updates etc that could actually prevent malware from getting root and causing problems. Second is there may not be the telemetry heading back into IT security to say, ‘We’ve got a problem with this device.’ So you’re missing that particular insight. The other part about the Microsoft side of things in terms of the advice is The use of physical tokens like Yubikeys etc where you can’t replay those credentials because they’re tested every time you’re authenticated. The challenge is those hard keys are useful for high-risk roles like IT admins and others. But for regular roles there’s a balance between usability and security, because if the user loses their Yubikey good luck getting them productive again for a couple of days.

Howard: The other way tokens are stolen is by stealing browser cookies. These cookies keep you signed in continuously to a website. Like a man-in-the-middle attack, a cookie theft usually starts with an email or a text phishing attack. If the victim falls for this trick malware gets installed that tries to steal the cookies from the victim’s browser. Um. The difference is in a cookie attack the Hacker doesn’t need the victim’s credentials.

David: I would say email phishing is surging again in activity. And credentials continue to be a pretty big target. The other part that that we may be missing in terms of malware delivery is just before the end of the year we also saw a warning from the FBI about the use of malicious Google ads and other things that impersonate popular websites. When you landed at these sites you could end up getting malware served to you or the ad network serving malware. So while phishing is the easiest way to target a specific individual as part of a more sophisticated attack, generic malware looking to scrape credentials for reuse and access is also surging. This gets back to making sure devices are locked down.

Howard: Our final topic is going to be ChatGPT. It’s the hot technology these days. But a few researchers say it also may be a valuable tool for threat actors. First of all, what is it?

David: ChatGPT is the latest evolution of machine learning models which have been both instructed by human beings as well as having self-taught algorithms that go out and read the Internet and then give relatively coherent responses to questions … It is a fascinating example of the extent that language models have evolved. One of the things that gets really interesting, given we were just talking about phishing, is we used to teach people that phishing emails are poorly written, that they’ll have spelling or grammatical mistakes, that they’ll lack context. Well, all the cool kids around the world who aren’t necessarily English speakers now have ChatGPT or something close to it. Some researchers have actually been able to get ChatGPT to write some pretty damn good phishing emails. And they can use some of the social engeinnering techniques that we talk about here to make a phish really compelling.

Howard: I interviewed a security researcher this week at a company called Cyberint who made the point that this chatbot could help threat actors reverse engineer anti-malware and security software, as well as just simply be used to find bugs in the code that hackers are writing.

David: I think we’re going to see this. We’ve we’ve seen criminals use other tools to understand how to protect themselves. One ransomware gang actually set up a front company to buy cybersecurity antivirus engines to test their software against before putting it on the market. Criminals are not stupid. They’re actually quite bright. It’s that they’re lazy. They don’t want to work hard for their money and they want to steal yours so they’re going to use every new technology they can get their hands on. That just makes life harder for everybody. And because ChatGPT can do code, which is another form of language, it’s going to cause headaches. It’s going to be interesting to see if it’s used to race to find zero-day bugs. I think we’re in for a bad year in 2023. ChatGPT is a harbinger of what’s coming next. It’s the moment AI starts to balance out. We’ve heard how AI has been helping defenders. Well, everything in crime is gonna have AI, too.

The post Cyber Security Today, Week in Review for Friday, January 6, 2023 first appeared on IT World Canada.

The design of the first Canadian-made EV, ‘Project Arrow,’ debuted at CES 2023. Designed by Ottawa university students, the conceptual vehicle features Canadian-sourced components and technology.

Project Arrow was first announced by Automotive Parts Manufacturers’ Association (APMA) during CES 2020. The APMA then worked with Carleton University students, who won a Canada-wide competition that year. Together, Project Arrow’s design and specs were put together. Three years later, those efforts are being realized at CES 2023.

“Today at CES, we reveal Project Arrow to the world, with 25 new technologies,” says Flavio Volpe, president of the APMA, at the event. “The Prime Minister dared us to imagine Canada’s net zero mobility future and the Premier of Ontario challenged us to build it.”

The conceptual vehicle at CES, held in Las Vegas, is a working prototype of what Canada hopes can one day be a reality for the roads. This is the first leg on a long development path that’ll aim to see Project Arrow reach mass production. Reports estimate that the final vehicle will cost roughly $60,000. Project Arrow is also expected to have a production rate of 50,000 models per year. However, it doesn’t appear mass production will start until the 2025 model year.

The EV is built using components from over 50 Canadian companies. It’s said that the project is “the biggest industrial collaboration project in Canadian automotive history,” according to the company. Project Arrow’s partners include Leddartech, which is based in Quebec. Additionally, companies specializing in LiDAR technology are also throwing in their expertise.

Funding for Project Arrow stems from several Canadian government bodies with a sum of over $8 million. The Government of Canada alone has invested $3.9 million with the Federal Economic Development Agency for Southern Ontario investing $5 million. This funding contributed to securing the support of 80 jobs and 40 suppliers.

You can find all of our coverage from CES 2023 here.

Image credit: APMA

Via: PCMag