Category Archives: Top Story

cPanel admins urged to close 2FA vulnerability

Administrators who use cPanel applications for automating server management and for helping customers manage their sites are being urged to update to the latest versions and close a two-factor authentication vulnerability.

The updates affect WHM (Web Host Manager), which lets web hosting firms create accounts for customers, and cPanel, which lets them create and manage websites, domains and email networks. cPanel & WHM is a suite of tools built for Linux OSs. cPanel says over 70 million domains have been launched on servers using the two applications.

“The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes,” the company said. “This allowed an attacker to bypass the two-factor authentication check using brute force techniques. Failed validation of the two-factor authentication code is now treated as equivalent to a failure of the account’s primary password validation and rate limited by cPHulk.”

cPHulk is a brute-force protection service. The updates also fix a cross-site vulnerability and URL parameter injection vulnerabilities in multiple cPanel interfaces.
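The fix quoted above, sketched as an added example (not cPanel's or cPHulk's code): a failed second-factor check is recorded in the same failure limiter as a failed password, so repeated code submissions hit the same cap. The account store, thresholds and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed threshold for this sketch
WINDOW_SECONDS = 300   # assumed sliding window
DEMO_PASSWORD = "correct horse battery staple"   # constructed sample credential


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def pw_hash(password, salt):
    # Iteration count kept low so the demo runs quickly; not a production setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed sample account store.
ACCOUNTS = {
    "alice": {
        "salt": b"demo-salt",
        "pw": pw_hash(DEMO_PASSWORD, b"demo-salt"),
        "secret": b"constructed-demo-secret",
    }
}


class FailureLimiter:
    """Sliding-window failure counter shared by every authentication factor."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures, self.window = max_failures, window
        self._failures = defaultdict(deque)

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def locked(self, key, now):
        return len(self._recent(key, now)) >= self.max_failures

    def record_failure(self, key, now):
        self._recent(key, now).append(now)

    def reset(self, key):
        self._failures.pop(key, None)


def login(limiter, user, password, code, now, count_2fa_failures=True):
    """Return 'ok', 'bad_password', 'bad_code' or 'locked'.

    count_2fa_failures=False models the behaviour before the fix, where a wrong
    code was rejected but never counted.
    """
    if limiter.locked(user, now):   # keyed by account only, to keep the sketch short
        return "locked"
    acct = ACCOUNTS.get(user)
    if acct is None or not hmac.compare_digest(pw_hash(password, acct["salt"]), acct["pw"]):
        limiter.record_failure(user, now)
        return "bad_password"
    expected = totp(acct["secret"], now)
    if not hmac.compare_digest(code.encode(), expected.encode()):
        if count_2fa_failures:
            limiter.record_failure(user, now)
        return "bad_code"
    # Clear the counter only after BOTH factors pass; clearing it on a correct
    # password alone would wipe the record of failed codes on every retry.
    limiter.reset(user)
    return "ok"


def evaluated_wrong_codes(count_2fa_failures, tries=20, now=1_600_000_000.0):
    """Send `tries` wrong codes with the right password; count how many were checked."""
    limiter = FailureLimiter()
    real = totp(ACCOUNTS["alice"]["secret"], now)
    wrong = str((int(real) + 1) % 10 ** 6).zfill(6)   # guaranteed not the valid code
    results = [login(limiter, "alice", DEMO_PASSWORD, wrong, now, count_2fa_failures)
               for _ in range(tries)]
    return results.count("bad_code")


if __name__ == "__main__":
    print("codes checked, failures not counted:", evaluated_wrong_codes(False))
    print("codes checked, failures counted:    ", evaluated_wrong_codes(True))
```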

The company credits Texas-based security vendor Digital Defense with discovering the 2FA vulnerability. In a statement, the vendor said internal testing showed an attack can be accomplished in minutes.

The Hacker News noted that Zoom had to close a similar vulnerability in its numeric passcode.

The post cPanel admins urged to close 2FA vulnerability first appeared on IT World Canada.

New study reveals digital strategy helped companies perform well during pandemic, but only 12% actually have one running

There is a saying that if you fail to plan, you plan to fail. A study by IDC Canada in partnership with SAP Canada conducted during the pandemic discovered that when it comes to performance, nothing could be truer: Companies without a digital strategy are being left behind.

The fifth SAP-IDC Intelligent Enterprise Study reveals that today 95 per cent of Canadian organizations now have or are developing a digital strategy, up from 85 per cent in 2019. But for many, its execution is in its early stages. Only 12 per cent say the strategy is fully integrated into the core business, the same proportion of respondents as in 2019.

Source: IDC/SAP survey – Intelligent Enterprise: Building an Agile and Resilient Business

When it refers to a digital strategy, the study defines it as “a strategy that enables organizations to transform data into action across all lines of business — driving process automation and innovation, unlocking new areas of growth, and delivering exceptional experiences.” And its execution can be a tall order, especially during a pandemic.

“At the beginning of COVID, we saw a lot of change,” said Sam Masri, chief operating officer at SAP Canada. “Many projects and digital transformation mandates were put on pause for some time, especially around the March/April timeframe. And I think largely it was because of the uncertainty that the pandemic has brought.

“What we witnessed after that is very similar to what the survey indicated, which was very interesting. Around 64 per cent of Canadian enterprises are either keeping or increasing their level of investments in digital. I did not expect to see that.”

To evaluate where businesses are in their journey, IDC developed the Intelligent Enterprise (IE) Overall Progress Scale, which categorized enterprises across four stages based on their strategic focus, technology readiness, and organizational readiness. IE “Observers” and IE “Participants” were on one side of what it calls the Digital Divide, and IE Challengers and IE Leaders on the other.

While the percentage of IE “Leaders” has grown from 12 per cent in 2019 to 17 per cent in 2020, so has the number of Observers (from 11 to 14 per cent). Among Observers and Participants, 80 per cent or more are either building their digital strategies or have just begun to execute. Among Challengers, that number tops out at 46 per cent, with Leaders at 18 per cent. Conversely, 82 per cent of Leaders and 55 per cent of Challengers either have the strategy starting to show significant results, or it is fully integrated into the core business, compared to 3 per cent of Observers and 20 per cent of Participants.

The report noted that digital strategy maturity varies by industry, with sectors such as telecom/media, oil & gas, and manufacturing indicating a higher percentage of organizations adopting a digital strategy that is fully integrated to the core business. A combination of globalization, competitive dynamics, and changing customer expectations have driven these sectors to adopt digital more quickly. But COVID-19 gave every industry a nudge. Masri described how two Canadian banks found benefits from digital transformation.

The National Bank, he said, had just installed an advanced procurement and expense management system when the pandemic struck. Thanks to it, it was able to accelerate automation and cross lines of business with processes. The Bank of Montreal’s example was more in the people realm. Its system for understanding customers served it well.

“When COVID hit, as you can imagine, it has never been more important to understand how your employees and how your customers feel, to get that feedback from them on what their new requirements are, whether it’s an employee or a customer,” he said. “But if you’re an employee, also, what’s your engagement level, morale, mental health, etc. And in the case of BMO, because they had invested early on, it was immediately possible for them to exponentially grow their understanding of their customer needs and challenges at once, to the point that their net promoter score increased significantly during COVID.”

Tony Olvet, group vice-president, research for IDC Canada, added that although every organization is at a different stage of digital maturity, he believes that digital transformations have accelerated since the beginning of the pandemic.

“The speed of transformation was really dependent on organizational leadership and the degree to which change was needed to survive (or thrive) due to the impacts of COVID-19 and the volatility of the economy,” he noted. “In this year’s study, we asked: What are the three most important skills that the digital strategy sponsor needs in order to achieve success? The top response was really interesting. It has to do with having the ability to link the use of new technologies to business outcomes. It reminds me that sometimes connecting the dots between cool new technology and what this actually produces for the organization is really important, and perhaps not always the first instinct of tech-savvy business people. The second, third and fourth most important attributes had to do with communication, driving cultural change, and listening to feedback. So while digital transformation is often a topic focused only on technology, the reality is the people side of the strategy is a vital ingredient to success.”

This was reflected in the survey results, where nearly half of Leaders were willing to adjust their workforce to support digital initiatives. Only 7 per cent of Observers voiced that sentiment. Interestingly, 76 per cent of Leaders planned to retrain existing staff, while only 42 per cent of Observers would do so. Since they are retraining so many, Leaders hired a few new internal staff but mainly filled the gaps with contractors or outsourcing. Observers tended to hire more new staff.

Another big difference between Leaders and the rest was the existence of a change management strategy. Overall, 41 per cent of respondents said they either did not have a change management strategy or were developing one, and 16 per cent said their change management was integrated into their digital strategy. Among Leaders, 47 per cent said they have change management integrated into their digital strategy.

“It should be 100 per cent,” Masri said. “But if you look at the gap, or the difference between the digital leaders and average, being 47 per cent versus 16 per cent, that gives you a really good indication on why the leaders are leaders.”

He also cited executive leadership’s role – the CEO and the board – in driving digital strategy. “I don’t mean for them to be executive sponsors in a ceremonial way,” he explained. “But to be genuinely enthusiastic and aware of what digital can do for their business. And we are seeing that when those CEOs and boards are behind the change, and they’re driving the cultural change that comes with it, this transformation is much more likely to be successful, and their results, therefore, are significant.

“Digital is not something that you can or should fight,” he continued. “Instead, it’s something that you should use to fight the pandemic. And we realize that those who have invested early in digital before COVID or during COVID are the ones who were able to fight the pandemic better, minimize the impact of the pandemic on their business, and in many cases, even grow their businesses further.”

 


Methodology:

The study was completed in June 2020 among 371 organization strategy decision-makers or influencers with $50 million+ in revenue and a minimum of 100 employees (Canada = 266, France = 53, Australia = 52). The study objective was to examine the progress of digital strategy, explore pathways to the intelligent enterprise, and examine the role of experience management in Canadian enterprises.


Scaling up in rural Canada: BC tech firm’s success a blueprint for growth outside of big tech’s shadow

One of North America’s largest Salesforce consulting and app development firms is betting big on rural Canada, a move its chief executive officer thinks other small enterprises should mimic to help Canada accelerate its overdue transition to a knowledge economy.

Nelson, B.C. native Greg Malpass founded Traction on Demand (ToD) in 2007, and since hiring his first employee in 2010, ToD has ballooned to a headcount of nearly 1,000. Along the way, Malpass managed to open a branch office in his hometown, saving the financially-struggling local Royal Canadian Legion branch in the process by purchasing the building. ToD and the Legion are sharing the space. As Nelson’s ToD team gradually grew, recruiters began favouring a strong enthusiasm and willingness to learn just as much as a technical background.

“We searched for people that had some sort of technology background, maybe working remotely and yearning for a bit of an office experience. But on the other side, we just said we’ll go find smart people that haven’t had an opportunity to work in technology yet and train them,” Malpass explained in an interview.

ToD discovered local forestry, construction, and mining industries were brimming with multi-talented individuals who quickly picked up the skills needed to develop, analyze, and market the firm’s solutions. The Salesforce platform is immense and used by many kinds of customers. ToD helps enhance the platform experience by packaging its software into SaaS applications, making them accessible at a standard price for a broader audience.

Salesforce Q2 2021 earnings still paint a picture of an immovable object in the customer relationship management space. Subscription and support revenues for the quarter were US$4.84 billion, an increase of 29 per cent year-over-year. In Canada, every business regardless of the sector is investing in new software services to become more intelligent, oftentimes attainable only through a giant software vendor.

For some businesses, these investments were uncharted territory and sudden pivots from the local data centres and internally developed tools that dominated IT administrators’ attention. With remote work as the new normal for businesses globally, IT teams have been given a seat at the decision-making table, says Andrew Caprara, president of managed services provider Softchoice. “They have the ears of the executive team like never before,” he said during a recent virtual roundtable event hosted by Cisco.


ToD has been riding the software wave for years and is fast approaching some important milestones.

“We’ve moved into a new chapter of growth. In the next 18 months, we plan to bring 800+ new hires into the fold. We’ve already had 41 new starts in the last few weeks, and another 20 starting in the next two weeks. We are also actively exploring new locations,” Malpass told us in a follow-up email recently.

According to the municipality’s director of economic development and tourism, Gary Schatz, Princeton, B.C. was one of those locations.

“There would be phenomenal interest locally,” Schatz told IT World Canada, referring to the prospect of a ToD branch opening up in Princeton. But before it can take serious steps towards partnering with ToD, Princeton has a serious housing crisis to address first, Schatz explained.

Malpass is aware of this problem too, and it’s certainly not isolated to Princeton. It’s one of the factors the firm and its employees – most of whom are based in Canada – have been taking into consideration while scoping out possible future satellite offices. The plan is to build offices closer to where people live and consolidate existing office infrastructure where possible. Malpass has noticed more of the team moving out of the city, especially over the past eight months.

The majority of Nelson’s talent comes from what he calls “talent conversion,” essentially the organic growth of the team thanks to the talent well from industries and educational institutions nearby. But scaling up organically instead of selling out is not something many organizations in Canada are in a position to do, he says.

Getting the same incentives as Amazon and Microsoft

Canada hasn’t been able to produce a unicorn company (businesses with a valuation that’s $1 billion or greater) since the messaging company Kik – which recently got slapped with a $5 million penalty from the United States’ Securities Exchange Commission – earned its horn in 2015. Also, Canada ranks 22nd in the Bloomberg 2020 innovation index. Not exactly top tier.

“To scale a business, you need access to stable growing customers, strong investment in creating talent, and ensuring new arrivals to our nation are set up to pursue valuable work,” Malpass wrote in an email, adding an emphasis on STEM education is a plus. “It also helps to have an economic system that allows for maximum retention capital for reinvestment into growth, appropriate incentives for investors and policy and programs that invest in innovation with similar constructs to that of venture markets.”

A recent report from KPMG and B.C. Tech suggests B.C.’s technology sector continues to contribute more to the provincial economy than traditional sectors, such as forestry and oil and gas, but it’s still dominated by small firms and has “significant room to grow when compared to US jurisdictions.” While the province’s tech ecosystem continues to thrive overall, its third consecutive B grade stems from a scale-up gap. “Because BC tech companies have long tended to stay small or sell too early, they haven’t grown into the large companies that anchor a tech ecosystem.”

Tech CEOs have become increasingly frustrated about the scale-up gap. Malpass was recently one of 133 tech CEOs who signed an open letter to Justin Trudeau, demanding the federal government implement new ideas and ecosystems that help Canadian scaleups become global powerhouses and commercialize home-grown IP.

The federal government recently signalled its intention to tax big tech during its throne speech, a promise critics have scoffed at since the last time it was made in 2019, New Democrat MP Charlie Angus told Yahoo! Finance.

“The digital giants have not been paying anywhere close to a reasonable rate of tax in Canada, and that’s a problem. We’re seeing the Liberals now acknowledge that, but they’ve acknowledged that many times and have done nothing on it. I think they’re deeply in awe of the power of Silicon Valley to the detriment of Canada,” he told the publication, adding tax policies would be used to reinvest in local companies.

“Beyond specific policies though, you also need CEOs, founders and leaders to believe in the stability and longevity of these programs, so they will take the ultimate risk to scale-up vs sell-out,” Malpass wrote. “We are asking our government to believe the same. We want their procurement policies to reinforce this and ensure long-standing programs remain in place. We want them to reinvest in success as opposed to focusing on those who ‘need’ it. We want them to provide Canadian-controlled organizations with the same incentives they offer Amazon, Microsoft, etc.”

Big tech incentives come in various shapes and sizes. In December 2018, Ontario’s auditor Bonnie Lysyk issued a report saying Sidewalk Labs — owned, along with Google, by Alphabet Inc. — had a leg up on other firms competing on a request for proposals (RFP) to be Waterfront Toronto’s innovation and funding partner and help build the city’s first 12-acre “smart neighbourhood” in Toronto’s Quayside region. Sidewalk Labs received more information from Waterfront Toronto prior to the RFP than other parties that would be responding to the RFP, indicated the report. Shortly after, Ann Cavoukian, executive director of the Global Privacy and Security by Design Centre, resigned from her position as a privacy advisor for Sidewalk Labs after the project did not guarantee anonymity with a provision to let people remove their identity from a publicly viewable database called the Civic Data Trust.

Sidewalk Labs has since pulled the plug on the project, leaving the land open for business, although there is no current timeline in place for when a new request for proposals will be tendered for Quayside, according to The Star.

Emil Sylvester Ramos, co-founder of Iris R&D Group, an AI-camera tech firm from Ontario, has had some recent success with public sector RFPs. The firm teamed up with Orangeville earlier this year to detect potholes in the road and alert officials to clusters of people with smart cameras. It has a similar working relationship with The City of Guelph. However, companies like theirs can still get caught in the same vicious cycle of getting “swallowed” by big tech somewhere in the growth process, Ramos revealed.

“Canadian IPs get developed by SMEs here and are funded by the federal or provincial government. Then after that whole R&D phase, you have Google coming in and buying the Canadian IP,” he explained.

Canada’s efforts to inject some life into Canada’s knowledge economy, such as Ottawa’s Innovation Superclusters Initiative, have been steps in the right direction, but that’s just it – they’re only steps, says Benjamin Bergen, executive director for the Council of Canadian Innovators.

“When you actually want to build an ecosystem that ultimately commercializes IP and data, you need to have the proper policy frameworks in place. We’ve poured money into the superclusters, but yet we don’t have the proper apparatus or tools to actually really reap the benefits of the IP and the data that’s being generated,” Bergen said. “I think that Canada has fantastic innovators, and I think the challenge that we face is a public policy framework that doesn’t have government and industry working together to create an ecosystem where these companies can be successful. If we look at countries like Israel, Sweden, South Korea, Germany or the U.S., you have a government working with industry on a whole host of public policy issues that allow the intangible economy to succeed. In some countries, you have IT collectives and data policies that support data domestic innovators.

“And we just haven’t seen that in Canada, not just from this government, but obviously the previous government as well. And the thing is that it’s now really catching up with us, and it’s only going to be exacerbated by the COVID-19 crisis.”

A recently released survey from Microsoft Canada appears to back up Bergen’s claims. Nearly half (46 per cent) of business leaders are not confident that their company will be able to adapt to whatever the upcoming year might hold. Only half (51 per cent) are confident their business could survive the second wave or spike in coronavirus infections, and only four in ten (38 per cent) business decision-makers have changed their employee training or are specifically training their staff in the new tools and platforms their organization is now using.

“When I looked at the results, as a Canadian, I was pleased and then in a way concerned at the same time,” Microsoft Canada president Kevin Peesker indicated in an interview, pointing to the lack of action around employee training.

“There is an immediate need to cultivate a skilled talent pipeline to drive innovation in Canada and fuel economic recovery. Whether it’s students preparing for the future, those in the workforce keeping pace with the latest skills to drive innovation or those seeking new skills so they can pursue meaningful employment opportunities, we must ensure Canadians have access to the training they need to succeed in the digital economy.”

This summer, Microsoft announced a new global skills initiative aimed at bringing more digital skills to 25 million people worldwide by the end of this year. This was followed by an announcement in September whereby 12 post-secondary institutions joined Microsoft Canada for the “Canada Skills Program,” enabling more than 4,500 students in diploma, degree and continuing education programs to graduate with in-demand data analytics, AI and cloud certifications in the first phase of the program.

While Peesker didn’t comment directly on the open letter or Canada’s scale-up challenges, he did say companies making investments in platform services, such as the ones available through Azure, and moving beyond basic workload migration to the cloud are cracking the code to growth.

“The most foundational impact is the move around platform services,” he said. “When we talk about this compression of two years worth of digital transformation in two months, it’s been because of that understanding of the business and getting to the core of data and getting it to work for you.”

Thanks to its mastery of the Salesforce platform, ToD has also launched four freestanding and independent software companies. Malpass says stepping out of big tech’s shadow isn’t easy. On top of smart partnerships and investments in software, the key ingredient to solving Canada’s scaleup problem may not require a dominating presence in the middle of a big city anymore. Talk to local municipalities and business owners, Malpass urges others. Nelson recently opened the Nelson Innovation Centre, a hub for entrepreneurs and technology enthusiasts to collaborate. Nelson Innovation Centre manager Karen Kornelsen said the centre will be a place for tech and tech-enabled entrepreneurs and businesses to connect with one another and get the support they need through programming and referral services to “take their businesses to a new level,” according to reporting by The Nelson Daily.

“What I’ve found in all the small towns that we’ve spoken to is there’s usually a few anchor businesses and people – Rotary clubs, for example – who are a little bit more engaged in the science and technology associations,” he said. “And in many cases, they have a strong desire to drive local employment.”


AI is more than our digital security guard, says Vatican Library CIO – it’s helping preserve our reputation

The Vatican Apostolic Library’s digital security guard is doing more than shielding hundreds of historical texts from cyber threats, according to the library’s chief information officer – it’s guarding the library’s reputation.

Founded in 1451 by Nicholas V, the Vatican Apostolic Library is home to some of the oldest and most important collections of historical texts in the world, including the oldest surviving copy of The Bible. The library started the digitization process in 2012, and it has currently digitized around 20,000 of the 80,000 manuscripts – starting with the most unique, most famous and fragile pieces. 

“Digitizing for preservation requires digital preservation; we have to protect our online collection from cyberattacks so that our readers can trust the records are accurate, unaltered history and so that they can rely on their constant availability,” Manlio Miceli, chief information officer for the Vatican Library, told the publication in an email. “What is clear from the current threat landscape is that you cannot throw people at this problem – you need to augment human beings with technology that understands the shades of grey within very complex systems and fights back at machine-speed. AI is a term that is surrounded by a lot of hype today, which can be unhelpful. We have an extremely small security team managing two very large data centres – for us, AI is delivering value in the real world. You could think of it like this: our colleague is an AI that never sleeps, doesn’t take breaks and can spot and investigate more threats than any human team could.”


The Vatican library has partnered with AI cybersecurity firm Darktrace to prevent further attempts to steal and manipulate its digital collection. The growing threat of ransomware is one of the library’s biggest fears.

Powered by an algorithm that evolves thanks to a solid understanding of the ‘normal’ activity within the Vatican Library’s digital systems, Darktrace’s cyber AI detects significant changes that may suggest an emerging cyber threat. The digital archives face roughly 100 threats a month, according to David Masson, director of enterprise security for Darktrace, in an interview with IT World Canada.

“What we do is learn the pattern-of-life of everything inside the Vatican library’s networks or digital infrastructure. If we know what this pattern-of-life is, we can easily see any changes that take place in it at any time, and this allows us to see attacks in very early stages, which means we can stop them before they cause any damage,” Masson said.

A successful attack on the library could see the collection stolen, manipulated or deleted altogether. While physical damage is often clear and immediate, an attack of this kind wouldn’t have the same physical visibility. This has the potential to cause enduring and potentially irreparable harm not only to the archive but to the world’s historical memory. In the era of fake news, these collections play an important role in the fight against misinformation. Defending them against these kinds of “trust attacks” is critical, explains Miceli. 


The software makes decisions in seconds about what is strange but benign and strange but threatening – and not only does it detect the threat, but it writes up its own human-readable report on security events for Miceli and the rest of his team, as well as his bosses. Miceli says the AI does this “nine times faster than a human analyst ever could.”


IBM urges infosec pros to patch DB2 for Windows, Cisco urges patches for Webex Meetings

IBM is warning infosec pros of a hijacking vulnerability in its DB2 database on Windows.

In a security bulletin issued Thursday, the company said the issue could allow a locally authenticated attacker to execute arbitrary code on the system. The cause is a DLL search order hijacking vulnerability in the Microsoft Windows client.

“By placing a specially crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system,” the bulletin says.

IBM says the issue carries a Common Vulnerability Scoring System (CVSS) Base score of 7.8.

All fix pack levels of IBM DB2 including V9.7 (which reached end of life in September 2017), V10.1, V10.5, V11.1, and V11.5 editions on Windows are affected.

Customers running any vulnerable fixpack level of an affected version can download a special build containing the interim fix for this issue from IBM Fix Central. These special builds are available based on the most recent fixpack level for each impacted release. There are no workarounds or mitigations.

Meanwhile, Cisco has issued patches for its Webex Meetings server and client application to close vulnerabilities that allowed a hacker to listen in to meetings without being detected. A so-called ‘ghost’ attendee could have picked up valuable corporate intelligence.

The vulnerabilities, discovered by IBM researchers, allow a person to have full access to audio, video, chat and screen-sharing without being seen on the participant list. In fact, they could stay in a Webex meeting and listen in even after being expelled from a session by maintaining the audio connection.

These vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants, IBM explained. Usually, a client system and a server conduct a handshake process by exchanging ‘join’ messages with information about the attendees, client application, meeting ID, meeting room details and more.

A malicious actor can become a ghost by manipulating these messages during the handshake process between the Webex client application and the Webex server back-end to join or stay in a meeting without being seen by others.

 
