Computer Safety & News

While the USA DoD websites were already well defended a major contest/bounty program was made public called “Hack U.S.” found 349 vulnerabilities that could be better improved & awarded a total of $110,000

Department of Defense Forks Over $110K to Hackers Who Discovered 349 Bugs | PCMag

The US Department of Defense (DoD) has paid out $110,000 in bounties and bonuses to ethical hackers who discovered 349 “actionable” vulnerabilities on its networks.  As The Record reports, the vulnerabilities were discovered at a week-long “Hack U.S.” event held in July through a partnership with Hackerone. It tasked so-called white hat (ethical) hackers with finding “High” and “Critical” severity vulnerabilities on any publicly accessible information systems, including web property or data owned, operated, or controlled by the DoD.

In total, 349 actionable vulnerabilities were discovered, leading to the DoD paying out $75,000 in bounties. A further $35,000 was paid out in bonuses and awards.  Melissa Vice, the Vulnerability Disclosure Program director, said in a statement, “in just seven days, Hack U.S. ethical hackers submitted 648 reports, including numerous which would be considered critical had they not been identified and remediated during this bug bounty challenge … This bounty challenge shows the extra value we can earn by leveraging their subject matter expertise in an incentivized manner.”

Details & even challenges are still emerging for the $10,000 college student loan forgiveness program & many SCAMs are actively circulating.  The FTC warns to work only with the official application process & avoid locking into other 3rd party resources until more facts emerge.

Got student loans? Spot scams related to the Sweet lawsuit | Consumer Advice (ftc.gov)

Some of the names on the list of schools included in the Sweet settlement may look familiar — and they should. The FTC has also sued the University of Phoenix, DeVry, and the operators of American InterContinental University and Colorado Technical University for their allegedly deceptive practices. Students who took out loans to attend those schools got more than $300 million in payments and debt cancellation through these FTC actions. If you got a check from one of these settlements: You’re still eligible to get your federal loans forgiven through the borrower defense program, so file your application.   The details are still coming together, but here’s what to know right now:

• If your borrower defense application was pending as of June 22, 2022, there’s nothing else you need to do. Students who attended certain schools will have their loans discharged, along with other benefits. Otherwise, decisions will be made on a rolling basis depending on when you submitted your application. Check ED’s website for more details.
• If you haven’t applied for borrower defense (but think you should) – do it now. There are benefits to getting your borrower defense application in before the final approval of the settlement (which hasn’t been announced yet — but should  be soon). Check out what types of claims may qualify for borrower defense.

When researching products & services online, it is important to use multiple evaluations & esp. reviews from trustworthy sites.  Fake reviews can be submitted, regardless of whether a product is “good” or “bad” & extra time evaluating with due-diligence can be valuable

Should we trust online reviews? | Consumer Advice (ftc.gov)

When’s the last time you checked out online reviews to decide whether to buy something? Or where to buy it? Many of us use reviews to see the honest opinions of other buyers — but how do we know the reviews really are honest? Or from real buyers? Read on for ideas about handling fake reviews.  Companies rely on reviews to stand out from the pack. But some companies write or use fake reviews — about both how great their thing is, and how terrible their competitor is.   So can’t somebody do something? The short answer is: Yup. The websites and platforms where those reviews appear are well aware of the problem. Some of them do more than others to filter out the suspicious reviews, as well as finding, labeling, suspending, or delisting the companies or people who acquire those reviews.   Clearly, the problem isn’t solved, and some websites and platforms need to do a much better job.

USA Today’s technology site shares an overview of new features release found in the Fall 2022 release v22H2.

Microsoft Windows 11 update: What you need to know about the changes (usatoday.com)

To help commemorate the operating system’s first anniversary in early October, Microsoft has just rolled out its first major update to Windows 11.  Dubbed the Windows 11 2022 Update (and referred to as version 22H2 on your PC), the free download has started rolling out to users in more than 190 countries, says Microsoft. It comes with several new features and improvements offered to those on laptops, desktops and tablets.  Is it worth the upgrade? Absolutely.

1. Live captions accessibility (to better help visually/hearing impaired)
2. New Windows 11 has voice updates
3. New Windows 11 has enhancements to video chatting
4. Windows 11 productivity tools – new do not disturb mode
5. New security enhancements
6. redesigned taskbar experience
7. New ways to snap open apps and other windows to see more on your screen
8. Five new touch gestures

The latest beta version of Azure Virtual Desktop features a new SSO capability for organizations to pilot test (but not use in production extensively yet)

Azure Virtual Desktop Gets Tagging and Single Sign-On Previews — Redmondmag.com

The SSO preview for the Azure Virtual Desktop service offers the following options, per the announcement:

• Enable a single sign-on experience to Azure AD-joined and Hybrid Azure AD-joined session hosts when using the Windows and the web clients
• Use passwordless authentication to sign in to the host using Azure AD
• Use passwordless authentication inside the session when using the Windows client
• Use third-party Identity Providers (IdP) that integrate with Azure AD to sign in to the host

Organizations can use the SSO preview, which “is not recommended for production workloads,” with Windows 11 or Windows 10 single or multisession clients or with Windows Server 2022. The SSO preview requires first installing “the September Cumulative Update Preview,” the announcement indicated.  Enablement of the SSO preview is said to be “easy,” per this Azure Academy video demo.

The forthcoming new INTEL Raptor Lake Core i9 is rated as one of the most powerful CPUs for the highest end computing needs.

Intel Core i9-13900KS runs circles around Ryzen 9 7950X in CPU-Z benchmark – NotebookCheck.net News

Intel’s upcoming Core i9-13900KS processor scored 928 and 18,453 in CPU-Z’s single and multi-core tests, respectively, effectively making it the fastest consumer desktop CPU on the market. Intel claims that it can boost to 6.0 GHz out of the box without overclocking.  Intel demoed a lot of interesting tech at its Innovation event yesterday; the main highlights being the new Raptor Lake desktop processors, Arc A770 graphics card and a rollable display. It also teased the launch of several other Raptor Lake processors, including the Core i9-13900KS, which will be launched in limited quantities later next year. As its name suggests, it is an improved version of the already impressive Core i9-13900K and can reportedly boost its P-cores to 6.0 GHz out of the box. Benchmarks of the processors have already arrived on Bilibili (via HXL).

The iPhone 14 model is a little larger than iPhone 13, but is more expensive when looking base model comparisons.  Version 14 does offer a little better battery life, slightly improved camera & the new satellite/crash SOS capability.  

iPhone 14 vs. iPhone 13: What’s the difference? | CNN Underscored

The arrival of the new iPhone 14 lineup doesn’t mean that the iPhone 13 is gone. As Apple has done with previous iPhone releases, the company kept some of the year-old iPhone models in its lineup as a more affordable option.  This year, Apple kept the $699 iPhone 13 and $599 iPhone 13 Mini, giving iPhone users the option of purchasing either of those or picking up the new $799 iPhone 14 or $899 iPhone 14 Plus.

Apple replaced the smallest iPhone with the iPhone 14 Plus. The 6.7-inch display dwarfs the 5.4-inch iPhone 13 Mini and gives iPhone owners the option to go big without the requirement of paying a premium for the iPhone 14 Pro Max, which is the same size as the iPhone 14 Plus.

iPhone 14 v. 13 Display = 6.1-inch or 6.7-inch … 5.4-inch or 6.1-inch
iPhone 14 v. 13 Processor = A15 Bionic for BOTH
iPhone 14 v. 13 Storage = 128GB/256GB/512GB for BOTH
iPhone 14 v. 13 Battery = 20 hours video playback … 19 hours video playback
iPhone 14 v. 13 Rear cameras = Main/Ultrawide=12MP for BOTH
iPhone 14 v. 13 Front camera = 12-megapixel TrueDepth camera for BOTH
iPhone 14 v. 13 Connectivity = 5G, Wi-Fi 6 for BOTH
iPhone 14 v. 13 Bluetooth version = 5.3 … 5.0
iPhone14 Safety features = Emergency SOS via satellite, Crash Detection
iPhone13 Safety features = Emergency SOS
iPhone14 Colors = Blue, Purple, Midnight, Starlight, Product Red
iPhone14 Colors = Pink, Blue, Midnight, Starlight, Green and Product Red
iPhone 14 v. 13 Starting prices = From $799 … From $599

Usually fixed image files (e.g., JPG or PNG file extensions) are usually safe, but can be manipulated by malware based decrypts that build the final image presented to the user.  Image based malware is not new, and while they do not circulate abundantly in the wild — this is unexpected attack vector to trick users into clicking a malformed PNG

PNG Analysis – SANS Internet Storm Center

Security Primer – IcedID (cisecurity.org)

According to MalwareBazaar’s info for these files, they were PNG files with an encrypted IcedID payload. So I set out to write a small script that would help me detect PNG files carrying an IcedID payload. Decrypting this payload is not difficult, thus I wrote a small script for my translate.py tool. It has 2 functions: Check and Decrypt. I use Check to validate that the PNG I’m analyzing, is an IcedID payload

IcedID, also known as BokBot, is a modular banking trojan that targets user financial information and is capable of acting as a dropper for other malware. It uses a man-in-the-browser attack to steal financial information, including login credentials for online banking sessions. Once it successfully completes its initial attack, it uses the stolen information to take over banking accounts and automate fraudulent transactions. IcedID is primarily dropped as a secondary payload from other malware, most notably Emotet, in addition to its own malspam campaigns. IcedID uses multiple injection methods to evade antivirus and other malware detection methods, such as injecting itself into operating system (OS) memory and regular processes. The malware authors are known to update IcedID to increase persistence and evade new detection efforts.

Gradually companies can more to the IE 11 mode in the EDGE browser.  The IE11 mode uses a full IE11 API for full compatibility & presents output within the EDGE browser for legacy applications using ActiveX or other IE11  techniques.

Microsoft Suggests Ending IE 11 Before It Gets Disabled — Redmondmag.com

Organizations waiting for Microsoft to “permanently disable” the Internet Explorer 11 browser should just end it beforehand, if possible.  The IE 11 browser can be removed by using a Group Policy option called “Disable Internet Explorer 11 as a standalone browser.” This option was described in a Microsoft document dated Aug. 31, 2022, which was cited in this Wednesday Microsoft announcement on the topic.

Microsoft has already dropped product support for IE 11 in certain Windows versions that follow the semiannual channel update model. IE 11 is unsupported as of June 15, 2022 for Windows 10 semiannual channel releases, for instance. Microsoft plans to permanently disable IE 11 for those Windows 10 users via its Windows Update service, but it’ll happen in a phased-approach manner, varying in its timing across organizations.

IT departments typically plan for upcoming year early in 4th quarter & early trends share some growth for 2023 to compensate for rising costs & inflation.   Staffing may hold or even decline in 2023 to help compensate for rising costs.

IT Budgets Expected To Increase Next Year, but IT Hiring May Decline — Redmondmag.com

The 2023 State of IT – Spiceworks Ziff Davis (swzd.com)

About half (51 percent) of IT departments are planning to increase their IT budgets in 2023, compared with a prior-year’s sampling, despite concerns about a general economic recession, per a newly published annual report.  The “2023 State of the IT Report,” announced on Tuesday by Spiceworks Ziff Davis, contains insights about IT spending and technology plans. It typically contrasted enterprise spending with small business spending plans. The report is based on a survey of “968 IT buyers from organizations across North America and Europe” that was conducted in June of 2022 by the group’s Aberdeen Strategy & Research division.  While the 2023 IT budgetary increase plans may seem positive in terms of IT prospects, the report’s authors noted that inflation is already a factor in such spending estimates. They noted that “40% of budget increases in 2023 will be influenced by inflation, compared to 22% in 2022.”