Whether you’re a skid, hockey player, or Amish, the hicks are back with Letterkenny season 11 coming to Crave on Christmas Day.

In Canada, the only way to watch Letterkenny is through to Bell’s streaming service, Crave.

A Crave subscription starts at $9.99/month for a Mobile plan, which includes access to HBO content like The Matrix Resurrections. A $19.99/month Crave Total subscription is required to stream this content on Crave’s supported devices, like Android, iOS, Apple TV, PlayStation, etc.

The show stars Jared Keeso, Nathan Dales, Michelle Mylett, K. Trevor Wilson, Dylan Playfair, Andrew Herr, Tyler Johnston and more.

While this is the first time we’ve gotten a new Letterkenny season this year, earlier in 2022, spin-off series Shoresy and a Letterkenny International Women’s Day special streamed on Crave.

Best Buy Canada’s Boxing Day Sale is here! Save big on tech and treat yourself to something great with discounts over 50 percent on several product categories, including wearables, peripherals, storage and more.

The sale starts today, December 24th, at 6pm ET, and ends on December 31st. Check out some of the deals from the sale below:

Fitbit Versa 4 + Premium Smartwatch with Heart Rate Monitor – Waterfall Blue: $199.99 (save $100)

Logitech G29 Driving Force Racing Wheel for PlayStation/PC – Dark: $299.99 (save $93)

Samsung Galaxy Watch 4 40mm Smartwatch with Heart Rate Monitor – Pink Gold: $199.99 (save $80)

Breville Barista Express Espresso Machine (BES870XL) – Stainless Steel: $749.99 (save $50)

WD Easystore 18TB USB 3.0 Desktop External Hard Drive (WDBAMA0180HBK-NESE) – Black: $359.99 (save $170)

Schwinn IC4 Spin Bike – Includes 1-Year JRNY Subscription: $959.99 (save $440)

Segway Ninebot G30P MAX Adult Electric Scooter (350W Motor/ 65km Range / 30km/h Top Speed) – Dark Grey: $999.99 (save $200)

Logitech M720 Triathlon Wireless Optical Mouse – Black: $39.99 (save $30)

SteelSeries Apex Pro TKL Backlit Mechanical OmniPoint Gaming Keyboard – English: $169.99 (save $70)

Corsair K65 Mini Backlit 60% Mechanical Cherry MX Red RGB Gaming Keyboard – English: $69.99 (save $80)

Corsair K55 RGB PRO Optical Keyboard & Harpoon RGB Pro Gaming Mouse Combo – English: $59.99 (save $50)

Blue Microphones Yeti USB Microphone – Blackout Edition: $109.99 (save $19.99)

Logitech C920S Pro 1080p 30fps HD Webcam: $69.99 (save $10)

Fitbit Inspire 2 Fitness Tracker with 24/7 Heart Rate – Black: $79.99 (save $20)

Samsung Galaxy Watch 4 40mm Smartwatch with Heart Rate Monitor – Black: $199.99 (save $80)

Fitbit Sense 2 Smartwatch with Heart Rate Monitor – Shadow Grey: $259.99 (save $140)

Seagate One Touch 2TB USB 3.0 Portable External Hard Drive (STKB2000404) – Grey: $69.99 (save $20)

Check out the full Best Buy Boxing Day sale here. You can find all of the top Boxing Week deals at Canadian retailers here.

Image credit: Best Buy

Marques Brownlee (MKBHD) has done another blind camera test, pitting sixteen smartphones against each other and having participants on the internet vote for their favourite pictures taken from these devices.

The phones include plenty of handsets that don’t release in Canada, along with devices that do, like the iPhone 14 Pro, OnePlus 10 Pro, Pixel 6a, Pixel 7 Pro, iPhone SE, and the S22 Ultra.

However, the Huawei Mate 50 Pro, Moto Edge 30 Ultra, Nothing Phone (1), Oppo Find X5 Pro, Realme 10 Pro+, Asus ROG Phone 6, Sony Xperia 1 IV, Xiaomi 12s Ultra, Asus Zenfone 9 and the Vivo X80 Pro+ on the list are not available in Canada, which is worth keeping in mind.

This year the MKBHD used an ELO rating system similar to what you find in competitive games to break down devices into ‘Best Overall,’ ‘Best HDR,’ and ‘Best Portrait.’

The Pixel 6a won the contest, with the Pixel 7 Pro in second place and the Zenfone 9 in third for best overall photos. The S22 Ultra was fifth on the list, and the iPhone 14 Pro landed in seventh.

It’s worth noting that the Pixel 5a won the blind camera contest last year, so that’s two years in a row for Google’s Pixel a series handsets.

Source: MKBHD

Best Buy Canada has leaked some of its upcoming Boxing Day sales that go live on Saturday, December 24th at 3pm PT/6pm ET, with promotions on Dyson, HP, Samsung, Acer and other brands included.

Check out some of the deals below:

Samsung 65-inch 4K UHD HDR LED Tizen Smart TV (UN65TU690TFXZC) — 2022: $649.99 (save $100)

HP Gaming PC – Mica Silver (Intel Core i5-12400F/512GB SSD/16GB RAM/RTX 3060/Windows 11): $1,199.99 (save $500)

Acer 23.8-inch FHD 75Hz 1ms GTG VA LED Monitor (KA242Y ABI) : $119.99 (save $30)

Lenovo IdeaPad 3i 15.6-inch Touchscreen Laptop – Grey (Intel Core i3-1115G4/256GB SSD/8GB RAM/Windows 11 S): $449.99 (save $200)

Dyson Airwrap Multi-Styler Complete Curling Iron: $699.99 (save $50)

Logitech G29 Driving Force Racing Wheel for PlayStation/PC — Dark: $299.99 (save $93)

WD Easystore 18TB USB 3.0 Desktop External Hard Drive (WDBAMA0180HBK-NESE): $359.99 (save $170)

Mario Party Superstars (Switch): $54.99 (save $25)

Nautilus T618 Folding Treadmill: $998.99 (save $1,001)

Acer Aspire 3 15.6-inch Laptop – Silver (AMD Athlon-3050U/512GB SSD/8GB RAM/Windows 11): $369.99 (save $130)

Dyson V15 Detect Complete+ Cordless Stick Vacuum: $949.99 (save $200)

It’s worth noting that the sale pricing isn’t live yet. You can find the discounted deals online on Saturday, December 24th at 3pm PT/6pm ET.

Check out all of Best Buy’s Boxing Week deals here.

Nintendo has more games on sale in time for the holidays.

Switch titles like Just Dance 2023 Edition, Mario + Rabbids Sparks Of Hope, and NEO: The World Ends with You are available on the list. It’s worth noting that the sale on the games ends on different dates.

Below are all of the deals:

Just Dance 2023 Edition: now $39.99, was $79.99 (until January 3rd)
Mario + Rabbids Sparks of Hope: now $59.99, was $79.99 (until January 3rd)
NEO: The World Ends with You: now $39.99, was $79.99 (until January 29th)
Monster Hunter Stories 2: Wings of Ruin: now $26.99, was $79.99 (until January 4th)
Pac-Man 99 Deluxe Pack: now $19.99, was $39.99 (until January 1st)
Astronomical Club for Queers: now $2.68, was $13.44
Floppy Knights: now $21.27, was $26.59 (until January 1st)
Oddworld: Soulstorm: now $47.99, was $59.99
It Takes Two: now $41.24, was $54.99
Signalis: now $24.99, was $26.99

Image credit: Nintendo

Source: Nintendo

Welcome to Cyber Security Today. This is the Week in Review edition for Friday, December 23rd, 2022. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.

 

In a few minutes Terry Cutler of Cyology Labs will be here to talk about some of what happened in the past seven days. First, a recap of the headlines:

The U.S. Justice Department seized 48 internet domains of crooks offering DDoS-for-hire services. Terry and I will talk about that. We’ll also look at the Samba project, which issued four patches to plug vulnerabilities, and at how trying to save money is getting government departments in Ukraine hacked, a group is attacking Russia

Canadian supermarket chain Empire Co. said may have to take a charge of $25 million to its finances for costs not covered by cyber insurance after the cyber attack it suffered last month.

Personal information of customers who dined in restaurants that use the SevenRooms customer management platform is being offered for sale on the internet. SevenRooms told the Bleeping Computer news site that a file transfer interface of a third-party vendor was hacked, allowing a crook to steal information such as customers’ names, email addresses and phone numbers.

The Agenda ransomware strain now has a version written in the Rust language. Researchers at Trend Micro say the version doesn’t yet have the same features as the original written in Golang. Hackers are increasingly using Rust because it is more difficult for IT defenders to analyze and isn’t easily detected by antivirus engines.

Last month I reported that the sports betting site called DraftKings had suffered a cyber attack. Last week the company told the Maine attorney general’s office how big it was: Personal information of just under 68,000 players was copied. According to letters sent to victims, attackers may have accessed their username or email address plus their password to access their DraftKings account. In some cases funds were stolen. The money lost has been restored.

Cisco Systems issued a security advisory for a critical vulnerability in its IOS and IOS XE software that was patched in 2017. The advisory is essentially a reminder to Cisco administrators to install the update if they haven’t done so already.

And FoxIt issued security updates for version 12.1 of its PDF Reader and Editor.

(The following transcript has been edited for clarity. To hear the full conversation play the podcast)

Howard: Joining us now from Montreal is Terry Cutler. Let’s start with Samba. The Samba project issued four patches to plug vulnerabilities. First, what is Samba?

Terry: In a nutshell Samba is the standard interoperability suite that allows integration of both Linux and Windows. This will allow IT administrators to link Linux and Unix servers and desktops into Active Directory. This way administrators can manage setup and configuration from one place. A lot of large companies deploy Linux because it obviously takes less resources, and it’s more stable than Windows, in my opinion. The challenge is finding Linux experts to manage these things. One of the reasons why some get installed is so it could be centrally managed.

Howard: How serious are the four vulnerabilities that the Samba project identified?

Terry: By default Samba will accept connections from any host, which means that if you run an insecure version of Samba on a host that’s directly connected to the internet you’re especially going to be vulnerable. But here’s where it gets worse: If the Samba server is misconfigured and allows unauthenticated users to connect to it then an authenticated attacker could leverage a cryptographic flaw … This will allow the security feature to be bypassed in Windows Active Directory. Now attackers can leverage a Linux box to gain access to a Windows environment.

Howard: Do IT departments that generally run Samba well-configured?

Terry: In my opinion it’s not always safely configured. A lot of times we’ll find configurations that are set for anyone, so it’s like a general public folder where anyone could upload malicious content to that folder, and then somebody will open it. We’ve seen it in a case where it was vulnerable and it could be exploited.

Howard: Do these new patches that were just announced need to be installed fast?

Terry: Here’s the challenge: Microsoft released some patches in November as part of their patch Tuesday to stop an attacker from gaining access from that Samba exploit. So now administrators have to get this patch out as quickly as possible. But there are already log4j vulnerabilities still lingering. There’s obviously problems with patch management solutions. They’re not getting their stuff done in time. Companies don’t have proper asset management, they don’t have proper vulnerability management. And most Linux servers are critical hosts, which means you can’t just simply patch or reboot them. You have to go through a change management process which could take weeks — and then you have the issue of a shortage of Linux experts. I think what we’re going to start seeing in the future is supply chain attacks where you it’s going to like a cross exploit. We’ve got to learn to start doing more with less, so we need more automation.

Howard: Item number two: The U.S. Justice Department seized 48 internet domains that were offering distributed denial of service for hire services. That’s good news to end the year on. Charges were also laid against six American residents. Denial-of-service services are often marketed as so-called legitimate sites that security researchers can use to stress websites and so they’re called stressor services. Or on the dark web they’re called booster sites. Why are DDoS sites of such concern to it t organizations?

Terry: Maybe we can back up a little second here and explain the difference between a DoS attack and a DDoS attack. Imagine you’re browsing a shopping site and you don’t like what they sell. Or you’re a competitor. If they get attacked by one computer sending tons of packets to it, that’s a denial of service attack. Usually most environments are equipped to handle that. A distributed denial of service attack happens when computers of unsuspecting consumers or legitimate websites are infected with malicious code to create a bot. A bot master allows the attacker to launch thousands of computers against that shopping site and overwhelms it. The booster or stressor service offers convenient ways for malicious hackers to conduct DDoS attacks and obscure attribution.

Howard: And the thing is these services are cheap: If you were a crook all you had to do was pay $20, $ 50, $75 and you automatically had an entire configured DDoS attack system ready for you. All you had to do was type in the URL of your target and hit enter.

Usually IT and security teams are worried about data theft. At first blush a DDoS attack is harassment. But it can be more than that.

Terry: Yes. I’ve only dealt with two cases in the last five years. In one a company was selling guitars and I guess a competitor didn’t like them and started attacking them. We found out that they didn’t have proper DDoS protection in place, and they had to buy that. Another one was for political reasons. The attacker didn’t believe in what a not-for-profit was doing, and shot down its site for days. DDoS could also be used for misdirection: While they’re attacking your site they could be launching an attack on another area of your network.

Howard: Are organizations doing enough to fend off DDoS attacks?

Terry: I don’t believe so. They’re not going to think they’re a target until it’s too late and under attack. There’s a chance that you can call up your ISP and have them change your IP address, which will bring you back up. The good news is that DDoD attacks don’t last forever, but it will take a couple of days [to get you back], and if you’re a high transactional site you could be losing thousands and millions of dollars in the meantime.

Howard: News item three: Cyberwar. Last week David Shipley and I talked about cyber war. This week is your turn. A couple of things are going on: Mandiant found Ukrainian government departments were being infected with trojanized versions of Windows 10 installer files. These are called ISO files. Victims are downloading these corrupted versions of Windows from torrent sites, not from Microsoft. With the war on I suspect that IT people in Ukraine must have thought they struck gold by finding a free version of Windows.

Terry: This is crazy, but I had the same experience doing an incident response for another company last year. An insurance company [employee] thought they were going to save money and download an antivirus solution off torrent instead of paying $69. The antivirus was backdoored. It was installed in all his computers and infected his Outlook. Then it started sending out infected zip files to everyone on his contact list. It was sendng emails saying, ‘Here’s your latest quote, here’s the password to unlock the file.’ Because the zip file was encrypted the antivirus solution won’t scan it. Once a victim opens the zip file and executes what’s in it they become infected. The insurance company started getting lawsuits from clients who became infected. Why would you waste time downloading these operating systems and things from torrents?

Howard: IT people at the very least should know you don’t download from torrent sites. These are highly risky places. And if I read the Mandiant report right the organizations that were victimized by this malicious Windows had already been hit by wiperware. So perhaps they were desperate for what they thought was a new and free copy of Windows.

Terry: I’ve seen this before, especially with junior IT folks. They think they’re doing a company a favor by saving money on the license by downloading this backdoor version of an operating system. The problem is a lot of companies don’t have proper network monitoring in place to know that there’s been communication established to a hacker network so they don’t see these things happening.

Howard: The thought that this is an espionage tactic by a Russian group that first hit the Ukrainian government departments earlier in the year with data-wiping malware. Then they let free versions of Windows 10 just sit there waiting for victims to download.

Terry: Imagine if it was actually a spy working for these companies that explicitly swapped out a real version of the Windows ISO file and copied that version in. I had to deal with a situation like that in 2015 at an energy company. There was actually a spy that was hired from China, but we couldn’t prove who it was so at the time. We had to create a special HTML and copy it into a sensitive folder and waited for somebody to open it. And when they did it revealed some information about the operating system on their computer. We could then triangulate where this machine was.

Howard: The other related news was a report by CheckPoint Software that an unattributed cyber espionage group has recently been targeting Russia and its ally in Belarus after years of hitting other countries. This group, which was given the nickname Cloud Atlas, is also going after organizations in the Russian-annexed Crimea Peninsula and in the Donetsk region. Typically the gang’s weapon is a compromised Microsoft Office document. So this is new angle of the cyber war — a group going after Russia. What do you think is going on here?

Terry: Obviously the Cloud Atlas group typically uses phishing emails with malicious attachments to gain initial access to the victim’s computer. What’s interesting is that these documents are carefully crafted to mimic government statements or media articles or business proposals. But here’s the kicker the file might not be flagged as malicious by antivirus solutions because the document itself only contains a link to a template. So when the file comes through the antivirus can say there are no problems here. But the moment someone opens up the attachment the template will be pulled down and execute the malicious code. If you have things like EDR (endpoint detection and response) you’re going to see Word trying to open up a command prompt and starting to do lateral movement. That’s why EDR is so important.

Howard: What struck me was here’s a group a threat group — there’s no attribution to who this group might be — that has been going on for a couple of years and it seems to have switched targets from other countries to now going after Russia and its allies. The conspiracy genes inside me are saying if I’m a western government I might slip a few thousand dollars to a criminal threat group and say, ‘Instead of attacking us. Why didn’t you attack Russia?’

Terry: We are starting to see some of these things. There are reports of ransomware gangs turning on each other.

Howard: The last thing today I want to talk about is the year end. We’re going to hear more from you next Wednesday about the Year in Review. Are there lessons that you’ve learned in the past 12 months from data breach investigations that you’ve participated in?

Terry: We actually surpassed over a hundred audits this year. We’re seeing a common theme: A very large increase in phishing attacks because most companies don’t have the proper technology in place to stop them There’s not enough awareness training to stop this. We’re seeing a lot of people using the same password everywhere online. So when data breaches occur passwords are leaking on the dark web. We’re seeing a lot of unpatched systems. We’re seeing a lot of folks who think antivirus is all they need when in fact, they need endpoint detection and response technology. Or they don’t have network monitoring, especially in the cloud. No log management, and not enough staff with expertise. And the big one I see is they have a lot of tools in place but they have to piecemeal an incident back together again.

If I can provide any advice it’s that you have to understand times have changed. Gone are the days of ‘I have a firewall and an antivirus and I’m safe.’ Those are traditional cybersecurity technologies that can be easily bypassed now … Try to find some tools that can give you a holistic view of what’s going on in your network. Replace your AV with EDR right now … We’re also seeing a lot of turnovers because IT guys are leaving their current employers for the highest bidder. Lastly, I would say invest in good anti-spam systems.

The post Cyber Security Today, Week in Review for Friday, December 23, 2022 first appeared on IT World Canada.

Samsung is bringing a new collection of Pokémon accessories to North America, including the hotly anticipated Poké Ball Galaxy Buds case.

There’s also Galaxy Watch strap and a Galaxy Z Flip 4 case alongside the Poké Ball case. The Galaxy Buds case is the most intriguing, and it should be noted that it’s a case for your existing Galaxy Buds charging case, so makes the wireless earbuds less pocket friendly.

To remedy this, a pretty cool matte black lanyard comes with the enclosure. There are still cutouts for the charging port, so once you slot them into the Poké Ball, you’ll never really need to take them out. The case only fits newer Galaxy Buds, including the Galaxy Buds Live, Buds 2 and Buds 2 Pro.

I’ll note that the inside of the Poké Ball matches the black Galaxy Buds Pro, so other brightly coloured earbuds might look a little strange when open. The case is set to go on sale in the U.S. on December 26th for $39.99 USD (roughly $54.35 CAD). MobileSyrup has reached out to Samsung for more specific Canadian pricing and release info.

The watch strap works with Galaxy Watch 4 and Galaxy Watch 5 in both sizes, according to The Verge. It also retails for $39.99 USD (roughly $54.35 CAD).

The Z Flip 4 case is the same as the existing Galaxy Z Flip cases with the ring attachment. This costs $49.99 USD (roughly $67.94 CAD). However, Samsung usually sells these cases for $60 in Canada.

Image credit: Samsung

Via: The Verge

The fallout from the 2018 Cambridge Analytica scandal continues to follow Facebook and its parent, Meta Platforms.

Reuters reports that  Meta has agreed to pay US$725 million to resolve a U.S. class-action lawsuit accusing Facebook of allowing third parties, including British political consulting firm Cambridge Analytica, to access the personal information of as many as 87 million users in several countries, including Canada and the U.S, to target political ads in the 2016 Brexit referendum and that year’s U.S. federal election.

Meta did not admit wrongdoing as part of the settlement, Reuters said, which is subject to the approval of a federal judge in San Francisco.

If approved, the settlement will resolve claims by Facebook users that the company violated various federal and state laws by letting app developers and business partners harvest their personal data without their consent on a widespread basis.

Reuters says the users’ lawyers alleged that Facebook misled them into thinking they could keep control over personal data, when in fact it let thousands of preferred outsiders gain access.

Facebook argued its users have no legitimate privacy interest in information they shared with friends on social media, says the news agency. But U.S. District Judge Vince Chhabria called that view “so wrong”, and in 2019 largely allowed the case to move forward.

By contrast, an attempt by Canadian Facebook users to launch a class action lawsuit against Facebook was sunk by an Ontario judge earlier this year.

In 2019, Facebook agreed to pay US$5 billion to resolve a Federal Trade Commission probe into its privacy practices, and US$100 million to settle U.S. Securities and Exchange Commission claims that it misled investors about the misuse of users’ data.

In Canada, the federal privacy commissioner has taken Facebook to court after the social media company refused to acknowledge it had violated the Personal Information Protection and Electronic Documents Act (PIPEDA) in the gathering of information from an estimated 622,000 Canadians.

The data came from an app, offered to Facebook users by the University of Cambridge researcher Aleksandr Kogan, which purported to be a personality quiz called This Is Your Digital Life for academic research. Unknown to participants, the data was shared with SCL Elections and its subsidiary, Cambridge Analytica. Lists of individuals, based on modeling by SCL and Kogan, were then provided to British Columbia-based AggregateIQ for the placement of targeted political ads on Facebook.

Participants in the quiz didn’t realize that allowing their personal profiles to be accessed allowed the profiles of their followers to be accessed as well. So, for example, while only 53 people in Australia installed the This is Your Digital Life app, according to court documents it was able to harvest the data of about 311,127 people.

In February, Facebook lost a major battle with the Australian privacy regulator relating to Cambridge Analytica, after a court dismissed the social media giant’s claim that it neither conducts business nor collects personal information in the country. The decision allowed the privacy commissioner to continue a lawsuit against Facebook.

The post Meta to pay US$725 to U.S. Facebook users over Cambridge Analytica scandal first appeared on IT World Canada.

Boxing Week is here and the offers have arrived! To help beat the post-Christmas blues, The Mobile Shop™ is running epic Boxing Week offers right into the new year on the latest phones, plans, and mobile tech accessories. From now until January 3, you can earn up to 300,000 PC Optimum™ points on select phones and plans – that’s an extra $300 in PC Optimum™ points that you can use towards your next grocery bill.

Whether you are looking to upgrade your phone, or even switch plans, The Mobile Shop™ is here to help. They’ve got a huge selection of zero-dollar down devices available across all the nation’s leading providers like Bell, Rogers, Fido, and Telus. 

HOT Boxing Week Offers: 

iPhone 14 (128GB and 256GB) – starting at $0 on a 2-year term with select carriers
iPhone 12 (64GB) – starting at $0 on a 2-year term with select carriers
Samsung Galaxy S22 (128GB and 256GB) – starting at $0 on a 2-year term with select carriers
Samsung Galaxy S21 FE (128GB) – starting at $0 on a 2-year term with select carriers
Samsung Galaxy A53 (128GB) – starting at $0 on a 2-year term with select carriers: 
Google Pixel 7 (128GB) – starting at $0 on a 2-year term with select carriers

As your one-stop shop for phones and plans this Boxing Week, be sure to head to one of the 200 The Mobile Shop™ locations across Canada before January 3 to take advantage of the exciting offers! 

Check out more details on the Boxing Day deals here, find the closest store to you and follow The Mobile Shop™ on Instagram and Facebook for more information.

Image credit: The Mobile Shop

The story is sponsored by The Mobile Shop.

MobileSyrup publishes sponsored posts. These partnerships do not influence our editorial content.

Bell is sending out a special Boxing Week offer to some former customers offering a $30/mo discount on its ‘Unlimited Essential’ plan, making it $55/mo for 20GB of data.

Moreover, the email notes the offer can be extended to up to two family members, meaning you get sign three people up total with 20GB of shareable data each. The plan includes:

20GB of shareable 5G data with speeds up to 250Mbps
Unlimited data at throttled speeds of up to 512Kbps beyond the 20GB cap
Unlimited Canada-wide calling, texting, picture, and video messaging

Overall, it’s not a bad deal if you can get it. Former Bell customers should keep an eye out for an email like this from Bell. For what it’s worth though, I’m sticking with my Black Friday $45/50GB offer since it’s cheaper and I get more data per month (the only thing I really lose out on is 5G but, having had Bell 5G before, it’s a blessing not to have it).

For all of the carrier Boxing Day/Week deals in Canada, follow this link.