JumpCloud Community

We had a bit of a hiccup today where I got kicked out of crowdcast and when I went to get back in, it sent us straight to LIVE instead of pre-show greenroom. So we went with it! Instead of deleting that and reuploading the edited show, I'm leaving it. Sometimes, you just gotta roll with technical challenges. 🙈

Community Update

• Roto31 made some updates to their self-service app for JC endpoints on github. Make sure you check that out.
• Juergen just helped murtaza solve a problem around binding systems with users in Linux cloud VM.
• Hopefully you’ve already worked on patching those Mac vulnerabilities, but if you haven’t we posted a guide to that early in the week.
• Chris has another question for MSPs about pricing services.

Meetup Update

• Chicago meetup on Wednesday 8.31 at the 1871. We have more details on our Chicago meetup page. But expect food, drink, and hanging out with colleagues for a bit. Please join us!
• We’re also launching a new group in Singapore! Now I realize our friends there probably don’t watch this live but if they catch it on a replay, or if you have friends there, send them a link. For the kickoff, a few of our execs will already be in the area and will be attending. So if you’d like to meet our CEO, Chief Strategy Officer, and SVP of Engineering, AND you’re over there, well, here’s your chance! That one’s happening on Sept 8.

Product Release

• JumpCloud Reports API Endpoints Live: see Derek’s post on the community about how you can now access Reports via api.
• New password complexity component - new dialog shows and validates all password complexity requirements as you type (when setting up a user password). This is coming out on a rolling basis and should be out to everyone by early Sept.
• Two new Linux SSH Hardening Policies - we added 2 more policies for a total of six policies to secure Linux endpoints: SSH Server Security Enforcement & SSH Root Access. For more info, go here.

MFA (Eric, Dave, Todd)

A lot of our admins who listen every week are mostly up to date and already know that answer. But how do they justify it and overcome objections from leadership? What are the biggest advantages to MFA that they should share? There were a lot of great questions around MFA, what's coming, what to do when users have unstable internet, onboarding, zero touch for windows, and more. Watch the replay to get the full scoop.

IT News

All of these are brief snippets. Click the headlines to go read the full articles on the original sites.

• Two Critical Vulnerabilities Patched by Apple (IT guru)
  Everyone’s busy pushing patches to Macs since last Weds. (You are, aren't you? AREN'T YOU?)
  On Wednesday, Apple released security updates for iOS, iPadOS and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise devices.
  The issues were:
  CVE-2022-32893 – An out-of-bounds issue in WebKit which potentially lead to the execution of arbitrary code by processing a specially crafted web content
  CVE-2022-32894 – An out-of-bounds issue in the operating system’s Kernel that could be abused by a malicious application to execute arbitrary code with the highest privileges
  
  
• Google Fined A[US]$60million in Penalties For Misleading Users on Location Data (IT guru)
  Alphabet Inc’s Google Unit was ordered by Australia’s Federal Court to pay A$60million in penalties for misleading users on collection of their personal location data, according to Australia’s competition watchdog.
  
  The court found that Google misled some customers about their personal location data that was being collected through their Android mobile devices between January 2017 and December 2018.
  
  
• Apple Business Essentials now supports non-App Store installs on Macs (computer world)
  If you blinked you might have missed it, but Apple recently introduced support for packages to its Apple Business Essentials solution for small business IT management.
  
  The introduction of Packages support makes it possible for IT admins to schedule installation of applications held outside of the App Store onto work-related Macs. (It's not supported on iPhones or iPads, which don’t yet support such distribution.)
  
  
• LastPass Security Incident (hackernews)
  Thursday, from the LastPass blog:
  We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.
  
  In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.
  [to read more, click over to their full blog post]
  
  
• Ring patched an Android bug that could have exposed video footage (ars technica)
  Amazon quietly but quickly patched a vulnerability in its Ring app that could have exposed users' camera recordings and other data, according to security firm Checkmarx.
  
  Checkmarx researchers write in a blog post that Ring's Android app, downloaded more than 10 million times, made an activity available to all other applications on Android devices. Ring's com.ring.nh.deeplink.DeepLinkActivity would execute any web content given to it, so long as the address included the text /better-neighborhoods/.
  
  
• Phishers who hit Twilio and Cloudflare stole 10k credentials from 136 others (ars technica)
  A report security firm Group-IB published on Thursday said an investigation it performed on behalf of a customer revealed a much larger campaign. Dubbed "0ktapus," it has used the same techniques over the past six months to target 130 organizations and successfully phish 9,931 credentials. The threat actor behind the attacks amassed no fewer than 169 unique Internet domains to snare its targets. The sites, which included keywords such as "SSO," "VPN," "MFA," and "HELP" in their domain names, were all created using the same previously unknown phishing kit.
  
  
• “Invisible finger” demo hacks touchscreen (IT brew)
  Be careful putting your phone facedown on a table—at least around the labs at the University of Florida.
  
  A UF research team, along with colleagues at the University of New Hampshire, has developed an “invisible finger” that makes screen-clicks through a table. The touchscreen hack, presented at Black Hat 2022 this month, showed how an attacker with an antenna can generate touch events on a phone and potentially sign-in, send messages, or install malicious code.