Why Juul and Republican Lawmakers Want To Raise the Minimum Vaping Age To 21

Senate Majority Leader Mitch McConnell announced a new bill today that would block all tobacco and vape purchases for Americans under 21 years old, citing widespread public health risks. Surprisingly, vaping companies don't appear to be too concerned, as Juul's CEO Kevin Burns issued this statement supporting the measure: "JUUL Labs is committed to eliminating combustible cigarettes, the number one cause of preventable death in the world and to accomplish that goal, we must restrict youth usage of vapor products. Tobacco 21 laws fight one of the largest contributors to this problem -- sharing by legal-age peers -- and they have been shown to dramatically reduce youth usage rates." The Verge says it all has to do with Big Vape's image: Over the past year, Juul has come under the FDA's fire for its massive popularity among young people. So supporting a higher minimum age could help its image and take some of the regulatory pressure off. From an industry perspective, the move is fairly low risk since the product is already embedded in the population, and people under age 21 may already be addicted, says Kathleen Hoke, a law professor at the University of Maryland. "We can change this age to 21 but we're going to have to work extraordinarily hard at the state and local level to actually get cigarettes or vape products or chew out of the hands of the 18 to 20 year olds," she says. [T]he bill's success will depend on how it's crafted. Rob Crane, professor of family medicine at The Ohio State University and president of the Preventing Tobacco Addiction Foundation, is skeptical that it will really hold tobacco retailers responsible for selling to people who are underage. From the more than 450 cities and counties that have passed Tobacco 21 laws, "what we have found that does work is when you make local health departments under civil law do the enforcement," he says. "For a rogue retailer that keeps on selling, there's a risk of license suspension." 
But if the law winds up penalizing convenience store clerks who sell vapes and tobacco products to kids, the retailer who's profiting gets off scot-free, he says. In the end, Crane is skeptical of the motivations behind the bill, no matter what form it takes. "This is all a PR move to keep Juul out of the hot seat from the FDA."

Read more of this story at Slashdot.

ExaGrid and Zerto launch an integrated solution for real-time backup and recovery

ExaGrid, a leading provider of intelligent hyperconverged storage for backup, announced the availability of an integrated disaster recovery, long-term retention backup storage, and data backup solution with Zerto, an industry leader for IT resilience. It is key to a complete business continuity and disaster recovery (BC/DR) plan that data is protected and recoverable during a disaster from very granular restore points, as well as providing long-term retention compliance for the growing number of data protection … More

The post ExaGrid and Zerto launch an integrated solution for real-time backup and recovery appeared first on Help Net Security.

Serve’s fingerprint recognition technology integration increases order fulfillment security

Serve announced the integration of its unique fingerprint recognition technology with its award-winning blockchain-based Serve platform. Bringing forth a new paradigm in securing deliveries in sectors such as pharmaceuticals and other sensitive consumer goods where chain of custody and proof of delivery are paramount, this seemingly ubiquitous technology offers users an extra layer of security throughout the order fulfillment process without sacrificing efficiency. “Being involved in the logistics space for over 20 years, the current … More

The post Serve’s fingerprint recognition technology integration increases order fulfillment security appeared first on Help Net Security.

The Source Code For All Infocom Text Adventure Classics Has Been Released

You can now download the source code of every Infocom text adventure game, thanks to archivist Jason Scott who uploaded the code to GitHub. "There are numerous repositories under the name historicalsource, each for a different game," reports Ars Technica. "Titles include, but are not limited to, The Hitchhiker's Guide to the Galaxy, Planetfall, Shogun, and several Zork games -- plus some more unusual inclusions like an incomplete version of Hitchhiker's sequel The Restaurant at the End of the Universe, Infocom samplers, and an unreleased adaptation of James Cameron's The Abyss." From the report: The code was uploaded by Jason Scott, an archivist who is the proprietor of textfiles.com. His website describes itself as "a glimpse into the history of writers and artists bound by the 128 characters that the American Standard Code for Information Interchange (ASCII) allowed them" -- in particular those of the 1980s. He announced the GitHub uploads on Twitter earlier this week. The games were written in the LISP-esque "Zork Implementation Language," or ZIL, which you could be forgiven for not being intimately familiar with already. Fortunately, Scott also tweeted a link to a helpful manual for the language on archive.org. Gamasutra, which first reported the news, notes that Activision still owns the rights to Infocom games and could request a takedown if it wanted.



SoftwareONE acquires SAMSentry advancing its software lifecycle management portfolio

SoftwareONE, a global leading Platform, Solutions and Services company, announced that it has recently acquired SAMSentry, a software governance technology. The technology will be incorporated into SoftwareONE’s managed services portfolio, to work in conjunction with industry-leading Software Asset Management (SAM) technologies such as Flexera, Snow and ServiceNow, to drive additional value across the software estate and existing technology investments while visualizing findings and tracking on-going improvements. SAMSentry utilizes insights derived from machine learning across millions … More

The post SoftwareONE acquires SAMSentry advancing its software lifecycle management portfolio appeared first on Help Net Security.

First Japan-Built Airliner In 50 Years Takes On Boeing and Airbus

An anonymous reader quotes a report from Bloomberg: More cities in Asia and Europe are seeking to link up with each other and the global air travel network. The Mitsubishi Regional Jet, the first airliner built in Japan since the 1960s, began certification flights last month in Moses Lake, Washington, to satisfy that demand. Mitsubishi Heavy Industries Ltd.'s new airliner is testing the skies just as rivals are moving to sell off their manufacturing operations for jets with up to 160 seats. Boeing is set to buy 80 percent of the Embraer SA's commercial operations in a joint venture, while Bombardier last year sold control of its C Series airliner project to Airbus SE and is exploring "strategic options" for its regional-jet operations. At stake, particularly in the market for jets with fewer seats, is $135 billion in sales in the two decades through 2037, according to industry group Japan Aircraft Development Corp. With few seats and smaller fuselages, regional jets are a different class of aircraft from larger narrow-body planes such as Boeing's 737 or Airbus's A320. The MRJ has a range of about 2,000 miles, while a smaller variant can haul up to 76 people for about the same distance. A longtime supplier of aircraft components to Boeing, Mitsubishi Heavy is developing the MRJ to emerge from its customer's shadow. After spending at least $2 billion over more than a decade, the manufacturer is looking to get its jet certified and start deliveries to launch partner ANA Holdings. Mitsubishi expects to have the plane ready for customers next year, a timetable that will test the company, said Mitsubishi Aircraft President Hisakazu Mizutani.



EfiGuard – Disable PatchGuard And DSE At Boot Time

EfiGuard is a portable x64 UEFI bootkit that patches the Windows boot manager, boot loader and kernel at boot time in order to disable PatchGuard and Driver Signature Enforcement (DSE).

Features
  • Currently supports all EFI-compatible versions of Windows x64 ever released, from Vista SP1 to Server 2019.
  • Easy to use: can be booted from a USB stick via a loader application that automatically finds and boots Windows. The driver can also be loaded and configured manually using either the UEFI shell or the loader.
  • Makes extensive use of the Zydis disassembler library for fast runtime instruction decoding to support more robust analysis than what is possible with signature matching, which often requires changes with new OS updates.
  • Works passively: the driver does not load or start the Windows boot manager. Instead it acts on a load of bootmgfw.efi by the firmware boot manager via the boot selection menu or an EFI application such as the loader. If a non-Windows OS is booted, the driver will automatically unload itself.
  • Supports four-stage patching for when bootmgfw.efi starts bootmgr.efi rather than winload.efi. This is the case when a WIM file is loaded to boot WinPE, Windows Setup or Windows Recovery mode.
  • Graceful recovery: in case of patch failure, the driver will display error information and prompt to continue booting or to reboot by pressing ESC. This is true even up to the final kernel patch stage, because the last patch stage happens before ExitBootServices is called. Many UEFI Windows bootkits hook OslArchTransferToKernel which, while easy to find by pattern matching, is a function that executes in protected mode after ExitBootServices. This means no boot services are available to tell the user that something went wrong. 
  [Screenshot: Simulated patch failure with error information]
  • Debuggable: can output messages to a kernel debugger and to the screen (albeit buffered) during the kernel patching stage, and to a serial port or unbuffered to the screen during the boot manager and boot loader patching stages. If the driver is compiled with PDB debug information, it is possible to load the debug symbols at any point after HAL initialization by specifying the virtual DXE driver base and debugging it as you would a regular NT driver.
  • DSE bypasses: available as either a straightforward UPGDSED-style DSE disable at boot time or as a hook on the SetVariable() EFI runtime service. The latter serves as an arbitrary kernel mode read/write backdoor that can be called from Windows using NtSetSystemEnvironmentValueEx and allows setting g_CiEnabled/g_CiOptions to the desired value. A small DSEFix-style application named EfiDSEFix.exe is provided that can be used to do this. It is also possible to leave DSE enabled and to disable only PatchGuard. The loader will use the SetVariable hook method by default, due to the fact that some anti-cheat and anti-virus programs do not understand the difference between cheats or malware and self-signed drivers in general and target the UPGDSED fix.
  • Supports on-disk modified kernels and boot loaders by patching ImgpValidateImageHash at every stage as well as ImgpFilterValidationFailure, which may silently rat out some classes of violations to a TPM or the SI log file.
  • Allows Secure Boot to work with Windows 7 (not a joke!). Windows 7 itself is oblivious to Secure Boot as it does not support it, or (officially) even booting without CSM. This is useful for people who want to use Windows 7 on a locked down device that requires WHQL Secure Boot. Wiki entry on how to get this to work here
  [Screenshot: WinObjEx64 on Windows 7 with Secure Boot enabled]

Issues and limitations
  • EfiGuard can not disable Hypervisor-enforced Code Integrity (HVCI or HyperGuard) due to HVCI running at a greater privilege level. EfiGuard can coexist with HVCI and even successfully disables PatchGuard in the normal kernel, but this is not useful in practice because HVCI will catch what PatchGuard did previously. Both types of DSE bypass are rendered useless by HVCI: the boot time patch has no effect because the kernel defers to the secure kernel for integrity checks, and the SetVariable hook will cause a SECURE_KERNEL_ERROR bugcheck if it is used to write to g_CiOptions.
  • Checked kernels are not supported due to the differences in PatchGuard and DSE initialization code caused by disabled optimizations and added asserts, as well as additional changes to PatchGuard in checked kernels. This should not be an issue as checked kernels are not generally useful without a kernel debugger attached, which disables PatchGuard.
  • The loader application is currently not directly bootable on some PCs (e.g. Dell XPS). In this case the UEFI shell can be used as a fallback (see below).

How to use
There are two ways to use EfiGuard: booting the loader (easiest), or using the UEFI shell to load the driver.

Booting the loader
  1. Download or compile EfiGuard, go to EFI/Boot and rename one of Loader.efi or Loader.config.efi to bootx64.efi. The two are identical, except Loader.efi boots without user interaction whereas Loader.config.efi will prompt you to configure the DSE patch method used by the driver (if you want to change this).
  2. Place the files on a boot drive such as a USB stick (for physical machines) or an ISO/virtual disk (for VMs). The paths should be /EFI/Boot/{bootx64|EfiGuardDxe}.efi. It is recommended to use FAT32 formatted USB sticks.
  3. Boot the machine from the new drive instead of booting Windows. Most firmwares provide a boot menu to do this (accessible via F10/F11/F12). If not, you will need to configure the BIOS to boot from the new drive.
  4. If you are using the default loader, Windows should now boot, and you should see EfiGuard messages during boot. If you are using the configurable loader, answer the configuration prompts and Windows will boot.
  5. If you booted with the SetVariable hook (the default), run EfiDSEFix.exe -d from a command prompt after boot to disable DSE. Run EfiDSEFix.exe to see the full list of options.

Using the UEFI shell to load the driver
  1. Follow the steps 1 and 2 as above, but do not rename the loader to bootx64.efi. Instead, either use the BIOS-provided shell (if you have one), or download the EDK2 UEFI Shell and rename it to bootx64.efi.
  2. Boot the machine to the UEFI shell.
  3. cd to /EFI/Boot on the correct filesystem and run load EfiGuardDxe.efi to load the driver.
  4. (Optional) Run either Loader.efi or Loader.config.efi from the same directory to boot Windows. You can also continue working in the shell, or exit to go back to the BIOS/boot menu and boot from there.
  5. After boot, apply the DSE fix as above if applicable.

Compilation

Compiling EfiGuardDxe and the loader
EfiGuard requires EDK2 to build. If you don't have EDK2 installed, follow the steps in Getting Started with EDK2 first as the EDK2 build system is fairly complex to set up. This section assumes you have a workspace directory that your WORKSPACE environment variable points to, with a copy of EDK2 checked out in workspace/edk2. Supported compilers are MSVC, Clang, GCC and ICL.
  1. Clone the EfiGuard repository into workspace/edk2/EfiGuardPkg.
  2. Open a prompt or shell that sets up the environment variables for EDK2.
  3. Run build -a X64 -t VS2017 -p EfiGuardPkg/EfiGuardPkg.dsc -b RELEASE, substituting your toolchain for VS2017.
This will produce EfiGuardDxe.efi and Loader.efi in workspace/Build/EfiGuard/RELEASE_VS2017/X64. To build the interactively configurable loader, append -D CONFIGURE_DRIVER=1 to the build command.

Compiling EfiDSEFix
EfiDSEFix requires Visual Studio to build.
  1. Open EfiGuard.sln and build the solution.
The output binary EfiDSEFix.exe will be in Application/EfiDSEFix/bin.
The Visual Studio solution also includes projects for EfiGuardDxe.efi and Loader.efi which can be used with VisualUefi, but these projects are not built by default as they will not link without additional code, and the build output will be inferior (bigger) than what EDK2 produces. Loader.efi will not link at all due to VisualUefi missing UefiBootManagerLib. These project files are thus meant as a development aid only and the EFI files should still be compiled with EDK2. To set up VisualUefi for this purpose, clone the repository into workspace/VisualUefi and open EfiGuard.sln.

Architecture
[Diagram: EfiGuard boot flow overview]

While EfiGuard is a UEFI bootkit, it did not start out as one. EfiGuard was originally an on-disk patcher running on NT (similar to UPGDSED), intended to test the viability of a disassembler-based approach, as opposed to using PDB symbols and version-specific signatures. PatchNtoskrnl.c still looks very much like this original design. Only after this approach proved successful, with no modifications to code needed in over a year of Windows updates, did UEFI come into the picture as a way to further improve capabilities and ease of use.
Some of the benefits provided by a bootkit approach include:
  • No on-disk modifications to kernels or bootloaders needed.
  • No need to modify the boot configuration store using bcdedit.
  • No need to patch ImgpValidateImageHash (although this is still optionally done).
  • Ironically, the use of a bootkit allows enabling Secure Boot, provided you own the Platform Key and are able to add your personal certificate to the db store.
The initial incarnation of EfiGuard as a bootkit was an attempt to get dude719's UEFI-Bootkit to work with recent versions of Windows 10, because it had become dated and no longer works on the latest versions (like UPGDSED, often caused by version-sensitive pattern scans). While I did eventually get this to work, I was unsatisfied with the result mostly due to the choice of hooking OslArchTransferToKernel, which as noted above executes in protected mode and after ExitBootServices has been called. Apart from this, I was not satisfied with only being able to patch some versions of Windows 10; I wanted the bootkit to work on every EFI-compatible version of Windows x64 released to date. Because of this, I rewrote the bootkit from scratch with the following aims:
  • To provide patch information at every stage of boot including the kernel patch itself.
  • To increase the number of supported EFI-compatible Windows versions to "all" (at the time of writing).
  • To enable lazy instantiation of the bootkit and optionally a kernel backdoor, achieved by EFI System Table hooks.
A big picture overview of the final EfiGuard boot flow is shown in the diagram above. For the individual component-specific hooks and patches, see EfiGuardDxe/PatchXxx.c in the source files. For driver initialization/unloading and the EFI Boot and Runtime Services hooks, see EfiGuardDxe.c.

Credits


Netflix Will Invest Up To $100 Million In a NYC Production Hub

Netflix is establishing an NYC production hub that will include six sound stages in Brooklyn and an expanded office in Manhattan's Flatiron District. "It should create 'hundreds of jobs' (including 127 executive, marketing and production development roles) over the next five years, and should foster up to $100 million in investments, according to Governor Cuomo," reports Engadget. From the report: The sound stages will also have the capacity for "thousands" of jobs, Cuomo said, although that's likely to vary widely based on what's in production at any given time. Not surprisingly, there are financial incentives attached to the move. The state is offering up to $4 million in tax credits over 10 years, although those are contingent on Netflix's ability to both create the 127 promised office jobs and keep the 32 existing positions.


How to Thwart an Attacker’s Attempt to Compromise Credentials and Move Around a Network

In the past year, we have seen numerous publicly traded corporations (Marriott and T-Mobile), airlines (Cathay Pacific and Delta), and tech companies (Facebook and Google+) all breached because of some type of insider threat or compromised credentials. So, it’s no surprise that insider threats and preventing credential compromise are growing concerns for organizations.

The post How to Thwart an Attacker’s Attempt to Compromise Credentials and Move Around a Network appeared first on Security Boulevard.

Ask Slashdot: What’s a Good Chair For a Software Developer?

AmiMoJo writes: It's time to buy a new chair so I'm turning to Slashdot for recommendations. The Herman Miller Aeron seems to be the go-to, much like the Model M for keyboards, but I've heard that there are some other good options on the market. I need something that is comfortable and durable -- too many chairs get squeaky and loose because I can't sit still and keep shifting my weight around. Many are difficult to maintain as well, e.g. the screws attaching the back are often under plastic attached with very stiff clips so you can't easily give them a quick tighten. What does Slashdot recommend for my posterior? It's been more than a decade since readers sought recommendations for a quality chair for desktop coding, or back-friendly chairs. In fact, it's been almost two decades since a user inquired about the perfect computer chair. Hopefully office chairs have improved in quality/design since then...


CVE-2019-11324

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
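The practical follow-up to this advisory is twofold: confirm whether the installed urllib3 predates the 1.24.2 fix, and make sure any client that supplies its own CA set really trusts only that set rather than the OS store on top of it. The script below is an added example written for this page, not code from the urllib3 project or the advisory. It uses only the Python standard library: the version gate treats a pre-release of 1.24.2 (for example "1.24.2rc1") as still affected, and the context helper builds a client SSLContext that starts empty, so the audit function can show that no OS roots were pulled in. The function names (`urllib3_is_affected`, `private_ca_context`, `trust_store_summary`) and the sample version strings are assumptions of this example.

```python
import re
import ssl

# From the advisory: urllib3 releases before 1.24.2 are affected.
FIXED_VERSION = (1, 24, 2)


def parse_version(version):
    """Split a version string into (numeric_tuple, has_prerelease_suffix).

    '1.24.2'    -> ((1, 24, 2), False)
    '1.25'      -> ((1, 25, 0), False)
    '1.24.2rc1' -> ((1, 24, 2), True)   # suffix means "before the real 1.24.2"
    """
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if m is None:
        raise ValueError("unrecognised version string: %r" % version)
    numeric = tuple(int(g) if g is not None else 0 for g in m.groups())
    suffix = version.strip()[m.end():]
    has_prerelease = bool(re.match(r"^\.?(a|b|rc|dev)", suffix))
    return numeric, has_prerelease


def urllib3_is_affected(version):
    """True when this urllib3 version predates the CVE-2019-11324 fix."""
    numeric, prerelease = parse_version(version)
    if numeric < FIXED_VERSION:
        return True
    # A pre-release of the fixed version was cut before the fix shipped.
    return numeric == FIXED_VERSION and prerelease


def private_ca_context(cafile=None, cadata=None):
    """Client context that trusts ONLY the CA material passed in.

    ssl.SSLContext(PROTOCOL_TLS_CLIENT) enables CERT_REQUIRED and hostname
    checking but, unlike ssl.create_default_context(), never calls
    load_default_certs(), so the OS store is not silently added. Handing a
    context built this way to urllib3 as ssl_context is the shape the
    advisory is about: the caller's CA set must stay the only one in play.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile is not None or cadata is not None:
        ctx.load_verify_locations(cafile=cafile, cadata=cadata)
    return ctx


def leaky_context(cafile=None, cadata=None):
    """Reproduces the symptom described in the advisory, for comparison only:
    the caller's CAs plus the whole OS store end up trusted together."""
    ctx = private_ca_context(cafile=cafile, cadata=cadata)
    ctx.load_default_certs()
    return ctx


def trust_store_summary(ctx):
    """Audit view of a context: how many CA certs it trusts and whether
    verification is actually enforced. Use it to confirm a private-CA
    context has not picked up OS roots (ca_count should equal the number
    of CAs you loaded, which for an empty private context is 0)."""
    stats = ctx.cert_store_stats()
    return {
        "ca_count": stats["x509_ca"],
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
    }


if __name__ == "__main__":
    # Constructed sample versions, not output from any real installation.
    for v in ("1.24.1", "1.24.2rc1", "1.24.2", "1.25"):
        print(v, "affected" if urllib3_is_affected(v) else "fixed")
    print("private:", trust_store_summary(private_ca_context()))
    print("leaky:  ", trust_store_summary(leaky_context()))
```

On a machine with a populated OS trust store the "leaky" summary reports a non-zero ca_count even though no CA was passed in, which is exactly the condition a verification failure should have caught; the "private" context stays at the count you loaded. In a real client, pass the private context to urllib3 as ssl_context and keep urllib3 at 1.24.2 or later.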

Packet Storm: Atlassian Confluence Widget Connector Macro Velocity Template Injection

Widget Connector Macro is part of Atlassian Confluence Server and Data Center that allows embedding online videos, slideshows, photostreams and more directly into a page. A _template parameter can be used to inject remote Java code into a Velocity template and gain code execution. Authentication is not required to exploit this vulnerability. By default, the Java payload will be used because it is cross-platform, but you can also specify which native payload you want (Linux or Windows). Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.


Packet Storm: Ubuntu Security Notice USN-3950-1

Ubuntu Security Notice 3950-1 - It was discovered that ZNC incorrectly handled certain invalid encodings. An authenticated remote user could use this issue to cause ZNC to crash, resulting in a denial of service, or possibly execute arbitrary code.


Packet Storm: ManageEngine Applications Manager 14 SQL Injection / Remote Code Execution

This Metasploit module exploits SQL injection and command injection vulnerabilities in ManageEngine AM 14 and prior versions. An unauthenticated user can gain "system" authority on the server due to the SQL injection vulnerability. The exploit allows writing an arbitrary file to the system using PostgreSQL functionality. The module overwrites with the payload a file with the extension ".vbs" that ManageEngine, which runs with "system" authority, uses for monitoring. In addition, it dumps the users and passwords from the database. After the malicious ".vbs" file is written, the shell session may take a moment to arrive.


Facebook Imports Info Without User Consent | Avast

Before 2016, one of Facebook’s regular protocols was an option for users to verify their accounts using email passwords. Users were informed if they chose this option, all of their email contacts would be uploaded as well, which would let the users see which of their friends were already on Facebook. (The info was also used by Facebook to better target ads.) Even though Facebook claimed the email passwords were never stored, the practice of asking users to enter such sensitive info and pulling all their contact info did not sit well with many cybersecurity experts, and in May 2016 the company changed that feature.

The post Facebook Imports Info Without User Consent | Avast appeared first on Security Boulevard.


Proposed Washington Privacy Act Dead or in Mortal Danger

The much-discussed Washington Privacy Act, Senate Bill 5376 (“SB 5376”), appears to have died after failing to receive a House vote by an April 17, 2019 deadline for action on non-budget policy bills. Though the bill could be revived before the regular session ends on April 28, 2019, Washington lawmakers expressed doubt.

SB 5376 was the subject of attention in part because legislators sought the input of technology companies, among other organizations, while drafting the bill. Two days ago, on April 16, 2019, six advocacy organizations—including the American Civil Liberties Union of Washington and the Electronic Frontier Foundation—released a joint statement opposing the Governor’s office/Senate draft of the bill.

Robert Mueller Did Not Merely Reject the Trump/Russia Conspiracy Theories. He Obliterated Them.

The two-pronged conspiracy theory that has dominated U.S. political discourse for almost three years – that (1) Trump, his family and his campaign conspired or coordinated with Russia to interfere in the 2016 election, and (2) Trump is beholden to Russian President Vladimir Putin — was not merely rejected today by the final report of Special Counsel Robert Mueller. It was obliterated: in an undeniable and definitive manner.

The key fact is this: Mueller – contrary to weeks of false media claims – did not merely issue a narrow, cramped, legalistic finding that there was insufficient evidence to indict Trump associates for conspiring with Russia and then proving their guilt beyond a reasonable doubt. That would have been devastating enough to those who spent the last two years or more misleading people to believe that conspiracy convictions of Trump’s closest aides and family members were inevitable. But his mandate was much broader than that: to state what did or did not happen.

That’s precisely what he did: Mueller, in addition to concluding that evidence was insufficient to charge any American with crimes relating to Russian election interference, also stated emphatically in numerous instances that there was no evidence – not merely that there was insufficient evidence to obtain a criminal conviction – that key prongs of this three-year-old conspiracy theory actually happened. As Mueller himself put it: “in some instances, the report points out the absence of evidence or conflicts in the evidence about a particular fact or event.”

With regard to Facebook ads and Twitter posts from the Russia-based Internet Research Agency, for example, Mueller could not have been more blunt: “The investigation did not identify evidence that any U.S. persons knowingly or intentionally coordinated with the IRA’s interference operation” (emphasis added). Note that this exoneration includes not only Trump campaign officials but all Americans:

To get a further sense for how definitive the Report’s rejection is of the key elements of the alleged conspiracy theory, consider Mueller’s discussion of efforts by George Papadopoulos, Joseph Mifsud and “two Russian nationals” whereby they tried “to arrange a meeting between the Campaign and Russian officials” to talk about how the two sides could work together to disseminate information about Hillary Clinton. As Mueller puts it: “No meeting took place.”

Several of the media’s most breathless and hyped “bombshells” were dismissed completely by Mueller. Regarding various Trump officials’ 2016 meetings with Russian Ambassador Sergey Kislyak, Mueller said they were “brief, public and nonsubstantive.” Concerning the much-hyped change to the GOP platform regarding Ukraine, Mueller wrote that the “evidence does not establish that one campaign official’s efforts to dilute a portion of the Republican platform was undertaken at the behest of candidate Trump or Russia,” and further noted that such a change was consistent with Trump’s publicly stated foreign policy view (one shared by Obama) to avoid provoking gratuitous conflict with the Kremlin over arming Ukrainians. Mueller also characterized a widely hyped “meeting” between then-Senator Jeff Sessions and Kislyak as one that did not “include any more than a passing mention of the presidential campaign.”

Regarding one of the most-cited pieces of evidence by Trump/Russia conspiracists – that Russia tried once Trump was nominated to shape his foreign policy posture toward Russia – Mueller concluded that there is simply no evidence to support it:

In other crucial areas, Mueller did not go so far as to say that his investigation “did not identify evidence” but nonetheless concluded that his 22-month investigation “did not establish” that the key claims of the conspiracy theory were true. Regarding alleged involvement by Trump officials or family members in the Russian hacks, for instance, Mueller explained: “the investigation did not establish that members of the Trump campaign conspired or coordinated with the Russian government in its election interference activities.”

As for the overarching maximalist conspiracy – that Trump and/or members of his family and campaign were controlled by or working for the Russian government – Mueller concluded that this belief simply lacked the evidence necessary to prosecute anyone for it:

And Mueller’s examination of all the so-called “links” between Trump campaign officials and Russia that the U.S. media has spent almost three years depicting as “bombshell” evidence of criminality met the same fate: the evidence could not, and did not, establish that any such links constituted “coordination” or “conspiracy” between Trump and Russia:

Perhaps most amazingly, even low-level, ancillary, hangers-on to the Trump campaign that even many Russiagate skeptics thought might end up being charged as Russian agents were not.

All the way back in March, 2017, in reporting that even anti-Trump intelligence officials were warning Democrats that there was no solid evidence of a Trump/Russia conspiracy, I predicted that the appointment of a Special Counsel (which I vehemently favored) would likely end up finding evidence of financial impropriety by Paul Manafort unrelated to the 2016 election, as well as a possible indictment of someone like Carter Page for acting in concert with the Russian government:

But so vacant is the Mueller investigation when it comes to supporting any of the prevailing conspiracy theories that it did not find even a single American whom it could indict or charge with illegally working for Russia, secretly acting as a Russian agent, or conspiring with the Russians over the election – not even Carter Page. That means that even long-time Russiagate skeptics such as myself over-estimated the level of criminality and conspiracy evidence that Robert Mueller would find:

In sum, Democrats and their supporters had the exact prosecutor they all agreed was the embodiment of competence and integrity in Robert Mueller. He assembled a team of prosecutors and investigators that countless media accounts heralded as the most aggressive and adept in the nation. They had subpoena power, the vast surveillance apparatus of the U.S. government at their disposal, a demonstrated willingness to imprison anyone who lied to them, and unlimited time and resources to dig up everything they could.

The result of all of that was that not a single American – whether with the Trump campaign or otherwise – was charged or indicted on the core question of whether there was any conspiracy or coordination with Russia over the election. No Americans were charged or even accused of being controlled by or working at the behest of the Russian government. None of the key White House aides at the center of the controversy who testified for hours and hours – including Donald Trump, Jr. or Jared Kushner – were charged with any crimes of any kind, not even perjury, obstruction of justice or lying to Congress.

These facts are fatal to the conspiracy theorists who have drowned U.S. discourse for almost three years with a dangerous and distracting fixation on a fictitious espionage thriller involving unhinged claims of sexual and financial blackmail, nefarious infiltration of the U.S. Government by familiar foreign villains, and election cheating that empowered an illegitimate President. They got the exact prosecutor and investigation that they wanted, yet he could not establish that any of this happened and, in many cases, established that it did not.

The anti-climactic ending of the Mueller investigation is particularly stunning given how broad Mueller’s investigative scope ended up being, extending far beyond the 2016 election into years’ worth of Trump’s alleged financial dealings with Russia (and, obviously, Manafort’s with Ukraine and Russia). There can simply be no credible claim that Mueller was, in any meaningful way, impeded by scope, resources or topic limitation from finding anything for which he searched.

Despite efforts today by long-time conspiracy theorists to drastically move goalposts so as to claim vindication, the historical record could not be clearer that Mueller’s central mandate was to determine whether crimes were committed by Trump officials in connection with alleged Russian interference in the election. The first paragraph of the New York Times article from May, 2017, announcing Mueller’s appointment, leaves no doubt about that:

The Justice Department appointed Robert S. Mueller III, a former F.B.I. director, as special counsel on Wednesday to oversee the investigation into ties between President Trump’s campaign and Russian officials, dramatically raising the legal and political stakes in an affair that has threatened to engulf Mr. Trump’s four-month-old presidency.

As recently as one month ago, former CIA Director and current NBC News analyst John Brennan was confidently predicting that Mueller could not possibly close his investigation without first indicting a slew of Americans for criminally conspiring with Russia over the election, and specifically predicted that Trump’s family members would be included among those so charged:

Obviously, none of that happened. Nor were any of the original accusations that launched this three-year-long mania — from an accusatory August, 2016 online commercial from the Clinton campaign — corroborated by the Mueller Report:

Indeed, so many of the most touted media “bombshells” claiming to establish Trump/Russia crimes have been proven false by this report. Despite an extensive discussion of Paul Manafort’s activities, nothing in the Report even hints, let alone states, that he ever visited Julian Assange in the Ecuadorian Embassy, let alone visited him three times, including during the 2016 election. How the Guardian could justify still not retracting that false story is mystifying.

Faring even worse is the Buzzfeed bombshell from January claiming that “President Donald Trump directed his longtime attorney Michael Cohen to lie to Congress about negotiations to build a Trump Tower in Moscow” and that “Cohen also told the special counsel that after the election, the president personally instructed him to lie — by claiming that negotiations ended months earlier than they actually did — in order to obscure Trump’s involvement.” Mueller himself responded to the story by insisting it was false, and his Report directly contradicts it, as it makes clear that Cohen told Mueller the exact opposite:

Equally debunked is CNN’s major blockbuster by Jim Sciutto, Carl Bernstein, and Marshall Cohen from last July that “Michael Cohen, President Donald Trump’s former personal attorney, claims that then-candidate Trump knew in advance about the June 2016 meeting in Trump Tower.” The Mueller Report says the exact opposite: that Cohen had no knowledge of Trump’s advance knowledge.

And the less said about the Steele Dossier, pee-pee tapes, secret meetings in Prague, and indescribably unhinged claims like this one, the better:

But beyond the gutting of these core conspiracy claims is that Mueller’s investigation probed areas far beyond the initial scope of Trump/Russia election-conspiring, and came up empty. Among other things, Mueller specifically examined Trump’s financial dealings with Russia to determine whether that constituted incriminating evidence of corrupt links:

Because Trump’s status as a public figure at the time was attributable in large part to his prior business and entertainment dealings, this Office investigated whether a business contact with Russia-linked individuals and entities during the campaign period—the Trump Tower Moscow project, see Volume I, Section IV.A.1, infra—led to or involved coordination.

Indeed, Mueller’s examination of Trump’s financial dealings with Russia long pre-dates the start of the Trump campaign, going back several years before the election:

Mueller additionally made clear that he received authorization to investigate numerous Americans for ties to Russia despite their not being formally associated with the Trump campaign, including Michael Cohen and Roger Stone. And regarding Cohen, Mueller specifically was authorized to investigate any attempts by Cohen to “receive funds from Russia-backed entities.” None of this deep diving into other individuals or years of alleged financial dealings with Russia resulted in any finding that Trump or any of his associates were controlled by, or corruptly involved with, the Russian government.

Then there is the issue of Manafort’s relationship with the Ukrainians, and specifically his providing of polling data to Konstantin Kilimnik, an episode which Trump/Putin conspiracist Marcy Wheeler, along with many others, particularly hyped over and over. To begin with, Mueller said his office “did not identify evidence of a connection” between that act and “Russian interference in the election,” nor did he “establish that Manafort otherwise coordinated with the Russian government on its election-interference efforts”:

The New York Times originally reported, but then retracted, that Manafort provided that polling data with the intent that it go to “Oleg V. Deripaska, a Russian oligarch close to the Kremlin.” In reality, Manafort thought it would be provided to Ukrainians with whom he had substantial business dealings, part of a long line of acts Manafort took to exploit his connection with the Trump campaign to solve his financial woes. Wheeler insisted that “the NYT had it correct the first time” and, in making their retraction, “they got — badly — played.” The Mueller Report showed that, yet again, conspiracists like Wheeler were misleading and deceiving people while using the tone of authority and expertise:

Also endlessly hyped by Wheeler and other conspiracists were the post-election contacts between Trump and Russia: as though it’s unusual that a major power would seek to build new, constructive relationships with a newly elected administration. Indeed, Wheeler went so far as to cite these post-election contacts to turn her own source into the FBI on the ground that it constituted smoking gun evidence, an act for which she was praised by the Washington Post (nothing Wheeler claimed about the evidence “related to the Mueller investigation” that she claimed to possess appears to be in the Mueller Report). Here again, the Mueller Report could not substantiate any of these claims:

The centerpiece of the Trump/Russia conspiracy – the Trump Tower meeting – was such a dud that Jared Kushner, halfway through the meeting, texted Manafort to declare the meeting “a waste of time,” and then instructed his assistant to call him so that he could concoct a reason to leave. Not only could Mueller not find any criminality in this meeting relating to election conspiring, but he could not even use election law to claim it was an illegal gift of something of value from a foreigner, because, among other things, the information offered was of so little value that it could not even pass the $2,000 threshold required to charge someone for a misdemeanor, let alone the $25,000 required to make it a felony.

Neither the Trump Tower meeting itself nor its participants – for so long held up as proof of the Trump/Russia conspiracy – could serve as the basis for any finding of criminality. Indeed, the key Trumpworld participants who testified about what happened at that meeting and its aftermath (Trump Jr. and Kushner) were not even accused by Mueller of lying about any of it.

None of this is to say that the Mueller Report exonerates Trump of wrongdoing. Mueller makes clear, for instance, that the Trump campaign not only knew that Russia was interested in helping it win the election but was happy to have that help. There’s clearly nothing criminal about that. One can debate whether it’s unethical for a presidential campaign to have dirt about its opponent released by a foreign government, though anyone who wants to argue that has to reconcile that with the fact that the DNC had a contractor working with the Ukrainian government to help Hillary Clinton win by feeding them dirt on Trump and Manafort, as well as a paid operative named Christopher Steele (remember him?) working with Russian officials to get dirt on Trump.

As is true of all investigations, Mueller’s team could not access all relevant information. Some was rendered inaccessible through encryption. Other information was deleted, perhaps with corrupt motives. And some witnesses lied or otherwise tried to obstruct the investigation. As a result, it’s of course possible that incriminating evidence existed that Mueller – armed with subpoena power, unlimited resources, 22 months of investigative work, and a huge team of top-flight prosecutors, FBI agents, intelligence analysts and forensic accountants – did not find.

But anything is possible. It’s inherently possible that anyone is guilty of any crime but that the evidence just cannot be found to prove it. One cannot prove a negative. But the only way to rationally assess what happened is by looking at the evidence that is available, and that’s what Mueller did. And there’s simply no persuasive way – after heralding Mueller and his team as the top-notch investigators that they are and building up expectations about what this would produce – for any honest person to deny that the end of the Mueller investigation was a huge failure from the perspective of those who pushed these conspiracies.

Mueller certainly provides substantial evidence that Russians attempted to meddle in various ways in the U.S. election, including by hacking the DNC and Podesta and through Facebook posts and tweets. There is, however, no real evidence that Putin himself ordered this, as was claimed since mid-2016. But that Russia had done such things has been unsurprising from the start, given how common it is for the U.S. and Russia to meddle in everyone’s affairs, including one another’s, but the scope and size of it continues to be minute in the context of overall election spending:

To reach larger U.S. audiences, the IRA purchased advertisements from Facebook that promoted the IRA groups on the newsfeeds of U.S. audience members. According to Facebook, the IRA purchased over 3,500 advertisements, and the expenditures totaled approximately $100,000.

The section of Mueller’s report on whether Trump criminally attempted to obstruct the investigation is full of evidence and episodes that show Trump being dishonest, misleading, and willing to invoke potentially corrupt tactics to put an end to it. But ultimately, the most extreme of those tactics were not invoked (at times because Trump’s aides refused), and the actions in which Trump engaged were simply not enough for Mueller to conclude that he was guilty of criminal obstruction.

As Mueller himself concluded, a reasonable debate can be conducted on whether Trump tried to obstruct his investigation with corrupt intent. But even on the question of obstruction, the central point looms large over all of it: there was no underlying crime established for Trump to cover up.

All criminal investigations require a determination of a person’s intent, what they are thinking and what their goal is. When the question is whether a President sought to kill an Executive Branch investigation – as Trump clearly wanted to do here – the determinative issue is whether he did so because he genuinely believed the investigation to be an unfair persecution and scam, or whether he did it to corruptly conceal evidence of criminality.

That Mueller could not and did not establish any underlying crimes strongly suggests that Trump acted with the former rather than the latter motive, making it virtually impossible to find that he criminally obstructed the investigation.

The nature of our political discourse is that nobody ever needs to admit error because it is easy to confine oneself to strictly partisan precincts where people are far more interested in hearing what advances their agenda or affirms their beliefs than they are in hearing the truth. For that reason, I doubt that anyone who spent the last three years pushing utterly concocted conspiracy theories will own up to it, let alone confront any accountability or consequences for it.

But certain facts will never go away no matter how much denial they embrace. The sweeping Mueller investigation ended with zero indictments of zero Americans for conspiring with Russia over the 2016 election. Both Donald Trump, Jr. and Jared Kushner – the key participants in the Trump Tower meeting – testified for hours and hours yet were never charged for perjury, lying or obstruction, even though Mueller proved how easily he would indict anyone who lied as part of the investigation. And this massive investigation simply did not establish any of the conspiracy theories that huge parts of the Democratic Party, the intelligence community and the U.S. media spent years encouraging the public to believe.

Those responsible for this can refuse to acknowledge wrongdoing. They can even claim vindication if they want and will likely be cheered for doing so.

But the contempt in which the media and political class is held by so much of the U.S. population – undoubtedly a leading factor that led to Trump’s election in the first place – will only continue to grow as a result, and deservedly so. People know they were scammed, that their politics was drowned for years by a hoax. And none of that will go away no matter how insulated media and political elites in Washington, northern Virginia, Brooklyn, and large West Coast cities keep themselves, and thus hear only in-group affirmation while blocking out all of that well-earned scorn.

The post Robert Mueller Did Not Merely Reject the Trump/Russia Conspiracy Theories. He Obliterated Them. appeared first on The Intercept.

Intune® vs Jamf®

With more Mac® systems making their way into organizations, IT organizations and MSPs are looking for how they can best manage not only their Macs, but their Windows® and Linux® systems. The result is that IT admins are pitting Intune® vs Jamf® in their evaluation. But, for managing systems and their users, are Intune and […]

The post Intune® vs Jamf® appeared first on JumpCloud.

The post Intune® vs Jamf® appeared first on Security Boulevard.

eGobbler Malvertising Campaign Using A Chrome iOS Bug

An eGobbler malvertising campaign leveraging a Chrome vulnerability that is targeting iOS users has been discovered by security researchers at Confiant. 

Mike Bittner, Digital Security and Operations Manager at The Media Trust:  

“While some researchers have found this malvertising campaign affecting only users of Chrome for iOS, we have seen it affect Safari users as well. This is significant because most iPhone users browse using Safari. The fraudulent reward pop-ups masquerading as ads from highly recognized retailers are taking advantage of JavaScript functions that are normally used to serve ads, exhibiting their familiarity with the digital ad supply chain’s advantageous reach. These malicious actors are becoming more complex in their malware authoring techniques. Today’s malware is increasingly polymorphic, sneaking past blockers through a combination of obfuscation, code switching, and malicious domain changes. AfterShock-3PC is a good example of this polymorphic malware, and if anything shows why blockers alone are not a security solution, but a band-aid.”

The ISBuzz Post: This Post eGobbler Malvertising Campaign Using A Chrome iOS Bug appeared first on Information Security Buzz.

Ajit Pai Proposes Blocking China-Owned Telecom From US Phone Market

An anonymous reader quotes a report from Ars Technica: FCC Chairman Ajit Pai has proposed denying China Mobile USA's application to offer telecom services in the U.S., saying the Chinese government-owned company poses a security risk. The FCC is scheduled to vote on an order to deny the application at its open meeting on May 9, and Pai yesterday announced his opposition to China Mobile entering the U.S. market. "After reviewing the evidence in this proceeding, including the input provided by other federal agencies, it is clear that China Mobile's application to provide telecommunications services in our country raises substantial and serious national security and law enforcement risks," Pai said. "Therefore, I do not believe that approving it would be in the public interest. I hope that my colleagues will join me in voting to reject China Mobile's application." China Mobile filed its application in 2011, and has repeatedly complained about the government's lengthy review process. According to Pai's announcement, China Mobile's application sought authority "to provide international facilities-based and resale telecommunications services between the U.S. and foreign destinations." In simpler terms, the company was seeking "a license to connect calls between the United States and other nations" and "was not seeking to provide domestic cell service and compete in the country with businesses like AT&T and Verizon," The New York Times wrote yesterday. An FCC official told reporters that such calls "could be intercepted for surveillance and make the domestic network vulnerable to hacking and other risks," the Times wrote.

Read more of this story at Slashdot.

Analyzing OilRig’s malware that uses DNS Tunneling

Iran-linked APT group OilRig is heavily leveraging DNS tunneling for its cyber espionage campaigns, Palo Alto Networks reveals.

Security researchers at Palo Alto Networks reported that the Iran-linked APT group OilRig relies heavily on DNS tunneling for its cyber espionage campaigns.

OilRig is an Iran-linked APT group that has been active since at least 2014. It has mainly targeted organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

Much of the malware used by the group in its attacks over the years uses DNS tunneling to protect communications with the command and control (C&C) infrastructure.

Experts pointed out that DNS tunneling clearly represents one of the preferred communication methods of the group.

OilRig’s usage of DNS tunneling was first documented in 2016; the Trojans in its arsenal that use it include Helminth, ISMAgent, QUADAGENT, BONDUPDATER, and ALMACommunicator.


The analysis of the tunneling protocols used by OilRig shows:

  • All subdomains contain a randomly generated value to avoid the DNS query resulting in a cached response
  • Most rely on an initial handshake to obtain a unique system identifier
  • Most rely on hardcoded IP addresses within the DNS answers to start and stop data transfer
  • Data upload includes a sequence number that allows the C2 to reconstruct the uploaded data in the correct order
  • Depending on the tool, A, AAAA, and TXT query types have been used by OilRig for tunneling
  • All of the DNS tunneling protocols will generate a significant number of DNS queries

“Regardless of the tool, all of the DNS tunneling protocols use DNS queries to resolve specially crafted subdomains to transmit data to the C2 and the answers to these queries to receive data from the C2,” reads the analysis published by Palo Alto Networks. “Therefore, the protocols must abide by the DNS protocol, so the specially crafted subdomains must have labels (portions of the subdomain separated by periods) that start and end with a letter or digit, contain letters, digits and hyphens, and be less than 63 characters in length. Also, the entire domain queried, which includes the C2 domain and the specially crafted subdomain, cannot exceed 253 characters.”

All the tools leverage DNS queries to resolve specially crafted subdomains and send data to the command and control servers, but each uses the protocol differently: they differ in the structure of the subdomains queried, in the data received by the Trojans, and in the subdomains used to transmit data.
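Added example (not Palo Alto Networks’ code and not the OilRig tooling): a defender-side heuristic that enforces the DNS naming limits quoted above and scores a resolver log for the protocol traits listed (a large number of queries, a fresh random subdomain per query, long high-entropy labels, and a skew towards AAAA/TXT records). The log line format, the domains c2-example.test and corp-example.test, and the sample records are constructed for the demonstration.

```python
"""Detection heuristics for the DNS-tunnelling traits described above.

Added example; this is not Palo Alto Networks' code and not the OilRig tools.
The log line format and the domains c2-example.test / corp-example.test are
constructed for the demonstration.
"""
import hashlib
import math
import re
from collections import Counter, defaultdict

# A DNS label: 1-63 chars of letters, digits and hyphens; first and last alphanumeric.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Constructed resolver log format: "<timestamp> client=<ip> query=<name> type=<qtype>"
LOG_RE = re.compile(r"^\S+ client=(?P<client>\S+) query=(?P<qname>\S+) type=(?P<qtype>\S+)$")


def is_valid_dns_name(name: str) -> bool:
    """The limits any tunnelling protocol must respect: every label 1-63 chars,
    letters/digits/hyphens starting and ending with a letter or digit, and the
    whole name at most 253 characters."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def shannon_entropy(text: str) -> float:
    """Bits per character; hex-encoded data approaches 4, hostnames stay low."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def registered_domain(qname: str, depth: int = 2) -> str:
    """Crude registrable-domain cut (last two labels); enough for the demo."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])


def parse_log(lines):
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("client"), m.group("qname").lower(), m.group("qtype")


def detect_tunnelling(lines, min_queries=20, unique_ratio=0.9, entropy_bits=3.0):
    """Per registered domain, flag the traits listed above: many queries, almost
    every subdomain unique (random cache-busting value), long high-entropy
    subdomains carrying encoded data, and a skew towards AAAA/TXT types.
    Returns {domain: [reason, ...]}; an empty list means nothing stood out."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "types": Counter(), "ent": 0.0, "len": 0})
    for _client, qname, qtype in parse_log(lines):
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        s = stats[dom]
        s["n"] += 1
        s["subs"].add(sub)
        s["types"][qtype] += 1
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["len"] += len(sub)
    findings = {}
    for dom, s in stats.items():
        n, reasons = s["n"], []
        ratio, avg_ent, avg_len = len(s["subs"]) / n, s["ent"] / n, s["len"] / n
        if n >= min_queries and ratio >= unique_ratio:
            reasons.append(f"{n} queries with {ratio:.0%} unique subdomains (cache-busting)")
        if avg_ent >= entropy_bits and avg_len >= 20:
            reasons.append(f"high-entropy subdomains (avg {avg_ent:.2f} bits/char, len {avg_len:.0f})")
        skewed = [t for t in ("AAAA", "TXT") if s["types"][t] / n > 0.5]
        if skewed:
            reasons.append(f"queries dominated by {'/'.join(skewed)} records")
        findings[dom] = reasons
    return findings


def constructed_sample_log():
    """Constructed sample: ordinary lookups plus 30 lookups shaped like the
    traits above (random value + sequence number in one label, an encoded data
    chunk in a second label, a fresh subdomain per query, AAAA type).
    Not real OilRig traffic."""
    lines = []
    for i in range(12):
        host = ("www", "mail", "cdn")[i % 3]
        lines.append(f"2019-04-18T10:00:{i:02d}Z client=10.0.0.5 query={host}.corp-example.test type=A")
    data = b"constructed placeholder payload, one piece per query " * 12
    for seq in range(30):
        nonce = hashlib.sha256(f"nonce-{seq}".encode()).hexdigest()[:8]  # stand-in for the random value
        # stand-in for an encrypted/encoded 20-byte chunk: 40 hex chars, high entropy
        chunk = hashlib.sha256(data[seq * 20 : (seq + 1) * 20]).hexdigest()[:40]
        lines.append(f"2019-04-18T10:01:{seq:02d}Z client=10.0.0.7 query={nonce}{seq:04x}.{chunk}.c2-example.test type=AAAA")
    return lines


if __name__ == "__main__":
    for dom, reasons in detect_tunnelling(constructed_sample_log()).items():
        print(dom, "->", reasons or "no tunnelling traits")
```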

Experts observed multiple variants of the Helminth backdoor over the years, all using DNS A records, but the threat actors changed the generated subdomains to avoid detection.

“There are several variants of Helminth, as the OilRig actors actively developed this Trojan during the course of their attack campaigns. The Helminth Trojan came in two forms, a portable executable version and a PowerShell version, both of which received updates to their DNS tunneling protocol over time.” continues the analysis. “The DNS tunneling protocols used in each variant operated the same way, but the developer would make changes to the generated subdomains to make them look visually different to evade detection.”

OilRig also used ISMAgent in many campaigns; the malware uses the DnsQuery_A API function to issue DNS AAAA requests to resolve custom subdomains. Before transmitting data, the Trojan issues a beacon to inform the server that it is ready.

OilRig also leveraged two variants of ALMA Communicator in its attacks, each using a different domain structure. The two variants sent different information to the server and formatted the data within the DNS tunneling protocol in different ways.

Palo Alto researchers also documented different variants of both the BONDUPDATER tool and the QUADAGENT Trojan; the latter uses AAAA queries to transmit and receive data via DNS tunneling.

“This threat group saw the benefits of using DNS tunneling, as DNS is almost universally allowed through security devices,” Palo Alto Networks concludes. “One major drawback of using DNS tunneling is the high volume of DNS queries issued to transmit data back and forth between the tool and the C&C server, which may stand out to those monitoring DNS activity on their networks.”

Pierluigi Paganini

(SecurityAffairs – hacking, OilRig)

The post Analyzing OilRig’s malware that uses DNS Tunneling appeared first on Security Affairs.

Dear Democrats: Mueller Just Handed You a Road Map for Impeachment. Follow It.

The White House on April 17, 2019 in Washington, D.C.

Photo: Drew Angerer/Getty Images

Dear House Democrats,

You told us to be patient. You told us to be cautious. You told us to wait for Robert Mueller.

Well, the time for waiting is over. And the moment for impeachment hearings has arrived.

Forget the mendacious Attorney General William Barr, and his repeated — and repeatedly dishonest — attempts to summarize and spin the special counsel’s report prior to publication.

You now have access to the report itself, and even the “lightly redacted” 448 pages provide you with a clear and detailed road map for impeaching Donald Trump, in line with Article II, Section 4 of the U.S. Constitution: “The President, Vice President and all civil officers of the United States, shall be removed from office on impeachment for, and conviction of, treason, bribery, or other high crimes and misdemeanors.”

Listen to special counsel Robert Mueller. “With respect to whether the President can be found to have obstructed justice by exercising his powers under Article II of the Constitution, we concluded that Congress has authority to prohibit a President’s corrupt use of his authority in order to protect the integrity of the administration of justice,” he writes, adding: “The conclusion that Congress may apply the obstruction laws to the President’s corrupt exercise of the powers of office accords with our constitutional system of checks and balances and the principle that no person is above the law.”

Got that? The special counsel — who listed 10 instances of potential obstruction of justice in his report and refused to “exonerate” the president — placed the decision firmly in your court. This is the impeachment referral you claimed you were waiting for.

Trump, in Mueller’s view, may not have committed an “underlying crime” in relation to Russian interference in the 2016 presidential election — but this is frankly irrelevant to the case for impeachment. Listen to one of the 13 managers sent from your august body to prosecute the case against President Bill Clinton in the Senate in 1999. “You don’t even have to be convicted of a crime to lose your job [as president] in this constitutional republic if this body determines your conduct as a public official is clearly out of bounds in your role,” said then Republican representative — and now senator — Lindsey Graham. The process of impeachment, he argued, “is about restoring honor and integrity to the office.”

This is your duty — your obligation! You must restore some sense of honor and integrity to the office of the presidency.

Listen to your Republican and Democratic predecessors, who served on the House Judiciary Committee in July 1974 and published three articles of impeachment against President Richard Nixon. The first article focused on obstruction of justice and cited the president’s “false or misleading public statements for the purpose of deceiving the people of the United States.” It also cited Nixon’s efforts “to cause prospective defendants, and individuals duly tried and convicted, to expect favored treatment and consideration in return for their silence or false testimony, or rewarding individuals for their silence or false testimony.”

I defy any of you to read the special counsel’s report and conclude that this president did not lie, lie, and lie again. He lied about Russian interference in the 2016 election; he lied about his campaign’s contacts with Russians; he lied about the covering up of his campaign’s contacts with Russians. Take the infamous Trump Tower meeting in June 2016. The president personally dictated a statement on behalf of his son, Donald Trump Jr., which claimed that the latter and a Russian lawyer had met in Trump Tower to “primarily” discuss “a program about the adoption of Russian children.” Here is what Mueller says, however, about the purpose of that meeting: “The Campaign anticipated receiving information from Russia that could assist candidate Trump’s electoral prospects, but the Russian lawyer’s presentation did not provide such information.”

I also defy any of you to read the special counsel’s report and conclude that this president did not try and offer “favored treatment” and “rewards” to witnesses and defendants in the Russia investigation, à la Nixon. (Sample quote from Mueller: “Many of the President’s acts directed at witnesses, including discouragement of cooperation with the government and suggestions of possible future pardons, occurred in public view … And no principle of law excludes public acts from the scope of obstruction statutes.”)

Listen to former Rep. Elizabeth Holtzman, who served on the House Judiciary Committee in 1974 and is author of the recent book, “The Case for Impeaching Trump.” “In light of the Nixon precedent,” she told me over the phone on Thursday, evidence from the Mueller report “strengthens the claim that Trump committed impeachable offenses.” The parallels between Trump and Nixon, Holtzman said, “are much stronger than they were before.”

Look, I get it. You’re afraid. You’re afraid of the backlash from your Republican counterparts. You’re afraid of losing in the Senate, where — right now — you lack a majority to convict Trump. You’re afraid that impeachment hearings will distract from your party’s 2020 presidential campaign.

But your job, first and foremost, is to preserve democracy and protect the rule of law. That’s the job assigned to you by the Constitution and also what’s expected of you by the American people. You cannot walk away from it.

Your leader in the House, Speaker Nancy Pelosi, said last month — prior to the publication of the Mueller report — that she believes impeaching Trump is “just not worth it.” Sorry, what? If a president who has repeatedly and brazenly misled the American people; welcomed the interference of a foreign government in the U.S. election process while also trying to benefit from it; obstructed justice on multiple occasions in order to try and cover it all up; and also — lest we forget! — praised neo-Nazis as “very fine people,” is not “worth” impeaching, then … which president is? When will it ever be “worth” it?

And what, then, is the point of Article II, Section 4 of the Constitution? If you’re not willing to remove this president from office, in the wake of this damning report, you might as well remove the impeachment clause from the Constitution. If not Trump, who?

According to the special counsel’s report, Trump’s response to Mueller’s appointment in May 2017 was to exclaim, “Oh my God. This is terrible. This is the end of my Presidency. I’m fucked.”

Well, House Democrats, the truth is that he isn’t “fucked” until you do your job.

Sincerely,

Mehdi Hasan

The post Dear Democrats: Mueller Just Handed You a Road Map for Impeachment. Follow It. appeared first on The Intercept.

California Attorney General Must Investigate Improper Database Searches on Community Observers at Controversial Police Event

This is a guest post by Tracy Rosenberg, executive director of Media Alliance. It was originally published on the Media Alliance website

For the last two years (2017 and 2018) of the Urban Shield weapons expo and SWAT drill in Alameda County, I was a community observer. I went as a citizen to see how my tax dollars were being spent, and as an activist/journalist so I could describe the event to others and to the media. What I didn’t know is that in exchange the Alameda County Sheriff would access my driving record, parking tickets and legal history through CLETS, the California Law Enforcement Telecommunications System.

Urban Shield, as a Homeland Security-funded regional training exercise for SWAT, Fire and Emergency Services, was not open to the public, although some volunteers were solicited to role-play victims and perpetrators in the counterterrorism scenarios. So the great battle that sprung up around the event starting in 2013, with protests in Oakland dislodging the weapons expo from the Downtown Marriott, reporters getting thrown out of the event, civil disobedience outside the gates, and finally bloodied heads at a Berkeley City Council meeting debating the city’s possible withdrawal from the event, was largely waged by people who had never seen the event, but knew that militaristic training of local law enforcement wasn’t helping the growing problems with excessive use of force and the deaths of unarmed people.

When Alameda County finally got serious about debating whether the Urban Shield exercise should continue, a county task force was set up, and that task force set about gathering data, including organizing delegations of outside observers. I was a member of both of those delegations, a large one in 2017 and a smaller one in 2018. As a community observer, I was asked to register and fill out a form to produce a little badge on a rope with my name. The form included in small letters, a disclaimer that a background check would be performed.

I am a privacy advocate, so a) I noticed and b) I felt uncomfortable. In practical terms, during both of my observation periods, I was surrounded by battalions of armed officers at all times, rarely less than 2 feet from me at any given moment. During my guided tour of the SWAT practices, I was escorted by armed sheriff personnel and driven about in a sheriff SUV, much as the KGB-guided tours of the Kremlin during the days of the Soviet Union were described to me as a child. While neither I, nor my fellow observers who included attorneys, medical doctors, and religious leaders, were criminals, the slightest untoward action would have resulted in being immediately blown to smithereens.

In a memo to CLETS subscribing entities sent in April 2018, the California Department of Justice reminded law enforcement agencies that CLETS was not to be used to query individuals in the media and that the Automated Criminal History System (ACHS) was not to be used for licensing, employment, or certification purposes.

On April 12, Media Alliance and the Electronic Frontier Foundation filed a request for investigation into possible misuse of the CLETS database and a request that the agency cease all similar background checks on journalists and advocates engaged in oversight roles.

Read the letter from EFF and Media Alliance to the California Department of Justice. 

In our inquiry, we added: “Community trust in law enforcement relies on transparency and respect for the watchdog roles of civil society and the news media. Accessing the sensitive data of these observers via CLETS discourages members of the community from participating in oversight activities.”

CVE-2019-3718

Dell SupportAssist Client versions prior to 3.2.0.90 contain an improper origin validation vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability to attempt CSRF attacks on users of the impacted systems.
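The entry above names the bug class ("improper origin validation" enabling CSRF) but says nothing about how SupportAssist validates origins, so the following is a generic added example, not Dell's code and not a description of the product. It contrasts the shape such a finding usually takes (a substring or prefix match on the Origin header) with a strict check: exact scheme://host[:port] comparison against an allowlist, rejection of missing, "null" or non-https origins, and a Host-header check so a request reaching a loopback-bound service through a rebound DNS name is also refused. The allowlisted origin and loopback hosts are hypothetical values chosen for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this illustration (hypothetical values): the exact
# origins a locally listening helper service should accept requests from.
ALLOWED_ORIGINS = {"https://support.example.com"}
# Host header values the service expects when it is bound to loopback.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def origin_is_trusted_weak(headers):
    """The shape of an 'improper origin validation' bug: a substring match.
    'https://example.com.attacker.net' and 'https://notexample.com' both pass."""
    origin = headers.get("Origin", "")
    return "example.com" in origin


def origin_is_trusted(headers):
    """Strict check: Origin must be present and equal, after normalisation, to an
    allowlisted scheme://host[:port]; Host must name the loopback binding so a
    DNS-rebinding request via attacker-controlled-name:port is also refused."""
    origin = headers.get("Origin")
    if origin is None:
        return False  # no Origin header at all: deny
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc:
        return False  # 'null', relative junk, or plain http are all rejected
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False  # a serialized origin has no path, query or fragment
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalized not in ALLOWED_ORIGINS:
        return False
    host = headers.get("Host", "")
    # Strip a port, keeping bracketed IPv6 literals intact.
    host_no_port = host if host.endswith("]") else host.rsplit(":", 1)[0]
    return host_no_port.lower() in LOOPBACK_HOSTS


if __name__ == "__main__":
    hostile = {"Origin": "https://example.com.attacker.net", "Host": "127.0.0.1:8080"}
    print("weak check accepts hostile origin:", origin_is_trusted_weak(hostile))
    print("strict check accepts hostile origin:", origin_is_trusted(hostile))
```

Browsers always send Origin on cross-site POST and on fetch/XHR requests, so "no Origin" should be treated as deny for state-changing endpoints; a CSRF token or a custom-header requirement is the usual second layer, since the Origin header alone does not help against a same-origin XSS.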

CVE-2019-3719

Dell SupportAssist Client versions prior to 3.2.0.90 contain a remote code execution vulnerability. An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables.

CVE-2019-10893

CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version) and 0.9.8.753 (Pro) is vulnerable to Stored/Persistent XSS for Admin Email fields on the "CWP Settings > "Edit Settings" screen. By changing the email ID to any XSS Payload and clicking on Save Changes, the XSS Payload will execute.

IoT Zero-Days – Is Belkin WeMo Smart Plug the Next Malware Target?

Effective malware is typically developed with intention, targeting specific victims using either known or unknown vulnerabilities to achieve its primary functions. In this blog, we will explore a vulnerability submitted by McAfee Advanced Threat Research (ATR) and investigate a piece of malware that recently incorporated similar vulnerabilities. The takeaway from this blog is the increasing movement towards IoT-specific malware and the likelihood of this unique vulnerability being incorporated into future malware.

We are rapidly approaching the one-year mark for the date McAfee ATR disclosed to Belkin (a consumer electronics company) a critical, remote code execution vulnerability in the Belkin WeMo Insight smart plug.  The date was May 21st, 2018, and the disclosure included extensive details on the vulnerability (a buffer overflow), proof-of-concept, exploit code and even a video demo showing the impact, dropping into a root shell opened on the target device. We further blogged about how this device, once compromised, can be used to pivot to other devices inside the network, including smart TVs, surveillance cameras, and even fully patched non-IoT devices such as PCs. Initially, the vendor assured us they had a patch ready to go and would be rolling it out prior to our planned public disclosure. In January of 2019, Belkin patched a vulnerability in the Mr. Coffee Coffee Maker w/ WeMo, which McAfee ATR reported to Belkin on November 16th, 2018, and released publicly at Mobile World Congress in late February. We commend Belkin for an effective patch within the disclosure window, though we were somewhat surprised that this was the prioritized patch given the Mr. Coffee product with WeMo no longer appears to be produced or sold.

The Insight smart plug firmware update never materialized and, after attempts to try to communicate further, three months later, in accordance with our vulnerability disclosure policy, McAfee ATR disclosed the issue publicly on August 21st. Our hope is that vulnerability disclosures will encourage vendors to patch vulnerabilities, educate the security community on a vulnerable product to drive development of defenses and, ultimately, encourage developers to recognize the impact that insecure code development can have.

Fast forward nearly a year and, to the best of our knowledge this vulnerability, classified as CVE-2018-6692, is still a zero-day vulnerability.  As of April 10th, 2019, we have heard of plans for a patch towards the end of the month and are standing by to confirm. We intentionally did not release exploit code to the public, as we believe it tips the balance in favor of cyber criminals, but exploitation of this vulnerability, while challenging in some regards, is certainly straightforward for a determined attacker.

IoT-Specific Malware

Let’s focus now on why this vulnerability is enticing for malicious actors.  Recently, Trend Micro released a blog observing occasional in-the-wild detections for a malware known as Bashlite. This specific malware was recently updated to include IoT devices in its arsenal, specifically using a Metasploit module for a known vulnerability in the WeMo UPnP protocol. The vulnerability appears to be tied to a 2015 bug which was patched by Belkin and was used to fingerprint and exploit WeMo devices using the “SetSmartDevInfo” action and corresponding “SmartDevURL” argument.

We can say for certain that this Metasploit module is not targeting the same vulnerability submitted by McAfee ATR, which resides in the <EnergyPerUnitCostVersion> XML field, within the libUPnPHndlr.so library.

Analysis of Bashlite and IOT Device Targets

After briefly analyzing a few samples of the malware (file hashes from the aforementioned blog), the malware appears to check for default credentials and known vulnerabilities in multiple IoT devices. For example, I came across a tweet after finding a reference to the password “oelinux123” in the binary.

This IoT device is an Alcatel Mobile Wifi, which has a number of known/default passwords. Notice the top username/password combination of “root:oelinux123.” When we analyze the actual malware, we can observe the steps used to enumerate and scan for vulnerable devices.

Here is a reference from the popular binary disassembly tool IDA Pro showing the password “OELINUX123” used to access a mobile WiFi device.

The next image is a large “jump table” used to scan through and identify a range of devices or targets using known passwords or vulnerabilities.

Next is some output from the “Echobot” scanner employed by the malware used to report possible vulnerabilities in target devices from the above jump table.

The final screenshot shows a list of some of the hardcoded credentials used by the malware.

The “huigu309” password appears to be associated with Zhone and Alcatel Lucent routers. Both routers have had several known vulnerabilities, backdoors and hardcoded passwords built into the firmware.

There is no need to continue the analysis further as the point of this is not to analyze the Bashlite malware in depth, but I did think it was worth expanding on some of the capabilities briefly, to show this malware is programmed to target multiple IoT devices.
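The credential-spraying behaviour described above is easy to spot on the defender's side if authentication events are logged with the attempted username and password, as honeypots and many telnet/SSH front-ends do. The following is an added example, not McAfee's code and not taken from the Bashlite sample: it parses a constructed log format (the field layout is hypothetical), matches attempts against the default credentials the analysis names (root:oelinux123 in either case, and huigu309; pairing huigu309 with the user root is an assumption), and flags a source that walks through several distinct defaults or succeeds with one.

```python
import re
from collections import defaultdict

# Known IoT default credentials. root:oelinux123 and the huigu309 password are
# the ones named in the analysis above; pairing huigu309 with 'root' is an
# assumption, and a real list would be far longer.
IOT_DEFAULT_CREDS = {
    ("root", "oelinux123"),
    ("root", "huigu309"),
}

# Constructed log format (hypothetical honeypot/telnet-auth export), one event per line.
AUTH_LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+service=(?P<service>\S+)\s+"
    r"user=(?P<user>\S*)\s+pass=(?P<password>\S*)\s+result=(?P<result>\S+)"
)

# Constructed sample lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
2019-04-18T02:11:09Z src=203.0.113.7 dst=192.0.2.5 service=telnet user=root pass=oelinux123 result=fail
2019-04-18T02:11:10Z src=203.0.113.7 dst=192.0.2.6 service=telnet user=root pass=OELINUX123 result=fail
2019-04-18T02:11:12Z src=203.0.113.7 dst=192.0.2.7 service=telnet user=root pass=huigu309 result=success
2019-04-18T02:12:40Z src=198.51.100.9 dst=192.0.2.5 service=ssh user=alice pass=correct-horse result=fail
2019-04-18T02:13:01Z src=198.51.100.9 dst=192.0.2.5 service=ssh user=alice pass=battery-staple result=success
this line is not an auth event and is skipped
"""


def scan_auth_log(lines):
    """Group authentication events by source and record which known default
    credentials each source tried, and whether a default ever succeeded."""
    per_src = defaultdict(
        lambda: {"attempts": 0, "defaults_tried": set(), "default_success": False}
    )
    for line in lines:
        m = AUTH_LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        stats = per_src[ev["src"]]
        stats["attempts"] += 1
        # The sample used both 'oelinux123' and 'OELINUX123'; compare case-folded.
        cred = (ev["user"], ev["password"].lower())
        if cred in IOT_DEFAULT_CREDS:
            stats["defaults_tried"].add(cred)
            if ev["result"] == "success":
                stats["default_success"] = True
    return dict(per_src)


def flag_scanners(per_src, min_distinct_defaults=2):
    """A source that cycles through several distinct default credentials is a
    bot working a list, not a user mistyping; a successful default is flagged
    on its own because it means a device has just been taken over."""
    return sorted(
        src for src, s in per_src.items()
        if len(s["defaults_tried"]) >= min_distinct_defaults or s["default_success"]
    )


if __name__ == "__main__":
    stats = scan_auth_log(SAMPLE_LOG.splitlines())
    for src in flag_scanners(stats):
        print(src, stats[src])
```

The successful root:huigu309 login from 203.0.113.7 is the line that matters operationally: the destination host should be treated as compromised, not merely "probed".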

Now to the point! The simple fact that generic WeMo Metasploit modules were added to this malware indicates that Belkin WeMo is an interesting enough target that an unpatched vulnerability would be compelling to add to the malware’s capabilities. Hence, we believe it is possible, perhaps even likely, that malware authors already have or are currently working on incorporating the unpatched WeMo Insight vulnerability into IoT malware. We will be closely following threats related to this zero-day and will update or add to this blog if malware embedding this vulnerability surfaces. If the vendor does produce an effective patch, it will be a step in the right direction to reduce the overall threat and the likelihood of the vulnerability being weaponized in malware.

How to Protect Your Devices

As this vulnerability requires network access to the device to exploit, we highly recommend that users of IoT devices such as the WeMo Insight use a strong Wi-Fi passphrase and further isolate IoT devices from critical devices using VLANs or network segmentation, so that a compromised plug cannot reach laptops, phones or NAS boxes on the same network. McAfee Secure Home Platform users can enable whitelisting or blacklisting features for protection from malicious botnets attempting to exploit this vulnerability.

Call to Action for Vendors, Consumers and Enterprise

It should be plain to see there is some low-hanging fruit in the industry of securing IoT devices. While some of the obvious simple issues such as hardcoded credentials are inexcusable, we understand that true software vulnerabilities cannot always be avoided. However, we issue a call to action for IoT vendors: these issues must be fixed, and quickly too. Threat actors are constantly tracking flaws which they can weaponize, and we see a prime example of this in the Bashlite malware, updated for IoT devices including Belkin WeMo. By listening to consumers’ requests for security, partnering closely with researchers to identify flaws, and having a fast and flexible response model, vendors have a unique opportunity to close the holes in the products the world is increasingly relying on. Consumers can take away the importance of basic security hygiene: applying security updates when available, using strong, unique passwords for home networks and devices, and isolating critical devices or networks from IoT. Enterprise readers should be aware that just because a device is typically a consumer IoT product does not mean corporate assets cannot be compromised through it. Once a home network has been infiltrated, all devices on that same network should be considered at risk, including corporate laptops. This is a common method for cyber criminals to cross the boundary between home and enterprise.

The post IoT Zero-Days – Is Belkin WeMo Smart Plug the Next Malware Target? appeared first on McAfee Blogs.

MoviePass Has Lost Over 90% of Its Subscribers in Less Than a Year, Leaked Documents Reveal

MoviePass users apparently hit the exits en masse after it scaled back the number of movies users could see each month. From a report: The flailing cinema-subscription provider has seen its subscriber rolls plunge from a peak of more than 3 million to just 225,000 in under a year, according to a new report. The numbers were reported by Business Insider, which cited "internal data" it had obtained. Asked for comment, a MoviePass spokeswoman declined to confirm the subscriber figure. In June 2018, MoviePass claimed it had signed up more than 3 million subscribers for its $9.95 monthly plan, which let customers see one movie every single day. But that proved unsustainable, and MoviePass was forced to change that to a three-movies-per-month plan. In August 2018, MoviePass began to convert subscribers on annual subscription plans to the three-movies-per-month subscription plan, by giving annual subscribers the option to either cancel or refund their annual subscription or continue on the new three-movies-per-month subscription plan.

Read more of this story at Slashdot.


Dow’s Push to Record High Continues as Retail Sales Offset Recession Fears

The Dow and broader U.S. stock market rallied on Tuesday after stronger than expected retail sales data alleviated concerns about a slowing economy. Meanwhile, cryptocurrencies clawed back […]

The post Dow’s Push to Record High Continues as Retail Sales Offset Recession Fears appeared first on Hacked: Hacking Finance.

Capsule8 Supports Google Cloud Security Command Center with Security Partner Integration

BROOKLYN, N.Y., April 18, 2019 (GLOBE NEWSWIRE) — Capsule8 today announced it is included as a Security Partner Integration within the newly launched Google Cloud Security Command Center (Cloud SCC), a security and data risk platform to help security teams prevent, detect, and respond to threats from a single pane of glass. Capsule8 provides Cloud SCC users run-time..

The post Capsule8 Supports Google Cloud Security Command Center with Security Partner Integration appeared first on Security Boulevard.

The Dirty Truth About Green Batteries

If we're going to avoid the worst consequences of climate change, we'll need an energy revolution. But there's a big problem. Making that future a reality will, among other things, require a lot of batteries: batteries to charge our electric cars; batteries to store solar power collected while the sun's up and wind power harnessed when it's gusty out. And as a new report by researchers at the University of Technology Sydney warns, that's likely to drive demand for the metals used to build green batteries -- as well as wind turbines and solar panels -- through the roof. From a report: In other words the clean tech boom is, at least in the short term, likely to fuel a mining boom. And that won't come without cost. "We already know about the environmental, social, and human rights impacts extraction is posing to front line communities right now," Payal Sampat, mining program director at Earthworks, which commissioned the new report, told Earther. "It's kind of unimaginable to think about... how it would be considered sustainable to scale up those impacts that many fold and still be reaping benefits." Much like our smartphones and computers, the high-tech energy infrastructure of tomorrow requires a host of metals and minerals from across the periodic table and the planet. The lithium-ion batteries used in EVs and energy storage require not just lithium, but often cobalt, manganese, and nickel. Electric vehicle motors rely on rare earths, as do the permanent magnet-based generators inside some wind turbines. Solar panels gobble up a significant share of the world's supply of tellurium and gallium, along with a sizable fraction of mined silver and indium. Most renewable technologies demand heaps of copper and aluminum.

Read more of this story at Slashdot.


Update: Facebook passwords for hundreds of millions of users were exposed to Facebook employees

Facebook confirmed Thursday that hundreds of millions of user passwords were being stored in a “readable format” within its servers, accessible to internal Facebook employees -- including millions more Instagram users than previously thought. Affected users will be notified, Facebook said, so they can change those passwords.

Interestingly, Facebook downplayed and confirmed the problem in the same post, filed in late March, after security journalist Brian Krebs published his own report. Facebook’s Pedro Canahuati, vice president of engineering for security and privacy, initially referred to “some” user passwords that were accessible to Facebook employees. A paragraph later, he revealed that “hundreds of millions of Facebook Lite users, millions of Facebook users, and tens of thousands of Instagram users” would be notified.


CVE-2018-20200

CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application.

Better protection against Man in the Middle phishing attacks

We’re constantly working to improve our phishing protections to keep your information secure. Last year, we announced that we would require JavaScript to be enabled in your browser when you sign in so that we can run a risk assessment whenever credentials are entered on a sign-in page and block the sign-in if we suspect an attack. This is yet another layer of protection on top of existing safeguards like Safe Browsing warnings, Gmail spam filters, and account sign-in challenges.

However, one form of phishing, known as “man in the middle” (MITM), is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework - CEF) or another automation platform is being used for authentication. MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in. Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June. This is similar to the restriction on webview sign-ins announced in April 2016.

What developers need to know

The solution for developers currently using CEF for authentication is the same: browser-based OAuth authentication. Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices. If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today.
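The recommended replacement for an embedded sign-in form is the authorization-code flow run in the system browser with a loopback redirect, which for a native app means PKCE (RFC 7636) rather than an embedded client secret. The block below is an added example, not Google's sample code: it generates the verifier/challenge pair, builds the authorization URL, validates the redirect the app's loopback listener receives (state check, error handling) and assembles the token-request body. The endpoint constants are Google's documented OAuth 2.0 endpoints as I know them; confirm them against current documentation. The client ID, port and scopes are placeholders, and the HTTP listener and token POST are left to the app's HTTP library.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Google's documented OAuth 2.0 endpoints at the time of writing; verify against
# the current developer documentation before relying on them.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair():
    # 32 random bytes -> 43 unreserved characters, inside RFC 7636's 43..128 range.
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_auth_url(client_id, redirect_uri, scope, state, challenge,
                   auth_endpoint=GOOGLE_AUTH_ENDPOINT):
    """URL the app opens in the *system* browser, where the user sees the real
    address bar. redirect_uri is a loopback address the app is listening on."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Validate the redirect the loopback listener receives and extract the code."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request_params(code, client_id, redirect_uri, verifier):
    """Body for the POST to GOOGLE_TOKEN_ENDPOINT. The verifier proves that the
    same app that started the flow is redeeming the code, without a secret."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    redirect = "http://127.0.0.1:8123/callback"  # hypothetical port chosen by the app
    print(build_auth_url("CLIENT_ID.apps.googleusercontent.com", redirect,
                         "openid email", state, challenge))
```

The state value is what ties the callback to the flow the app started; a mismatch must abort, never "retry". The verifier is kept in memory only and discarded after the token exchange.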

Condres OS Conjures Up Pleasing Arch Linux Transition

Condres OS, a distro much like the defunct Apricity OS, could be a speedier replacement for Linux OSes that have turned slow to no-go in recent new releases. Condres OS is an Arch-based distro that offers many pleasing usability traits similar to three popular Debian-based distros: Linux Mint; Peppermint; and Zorin, which bundles ICE and Wine accouterments. Condres OS, as is typical of Arch distributions, comes with a rolling release upgrade model. It is very easy to install and use. Something else that impresses me with Condres OS is its software balance.

IBM Halting Sales of Watson AI Tool For Drug Discovery Amid Sluggish Growth

Citing lackluster financial performance, IBM is halting development and sales of a product that uses its Watson AI software to help pharmaceutical companies discover new drugs, news outlet Stat reported on Thursday, citing a person familiar with the company's internal decision-making. From the report: The decision to shut down sales of Watson for Drug Discovery marks the highest-profile retreat in the company's effort to apply artificial intelligence to various areas of health care. Last year, the company scaled back on the hospital side of its business, and it's struggled to develop a reliable tool to assist doctors in treating cancer patients. In a statement, an IBM spokesperson said, "We are focusing our resources within Watson Health to double down on the adjacent field of clinical development where we see an even greater market need for our data and AI capabilities." Further reading: IBM Pitched Its Watson Supercomputer as a Revolution in Cancer Care. It's Nowhere Close (September 2017); IBM Watson Reportedly Recommended Cancer Treatments That Were 'Unsafe and Incorrect' (July 2018).

Read more of this story at Slashdot.

Response Comment: Google Hit By Global Login Outage

Google experienced a global outage last night, preventing users from logging in to the company’s many applications, including Gmail and Google Docs and any site that allows access via a Google account.  

Expert Comments: 

Tim Dunton, MD at Nimbus Hosting:

“In an age where Google’s core services and platforms, such as Gmail and Google Drive, are used so heavily for the transfer of essential information in business – it is simply not acceptable that a faulty IT infrastructure can render the service completely useless for its millions of users. 

Google’s statement that they will conduct an ‘internal investigation of the issue’ is certainly the correct step towards preventing any future issues which could cause even more downtime for consumers. But, moving forward, it’s essential that all social media, messaging and software providers recognise the importance of a safe, cybersecure platform as an essential component of the services that we use on such a regular basis.” 


The post Response Comment: Google Hit By Global Login Outage appeared first on Information Security Buzz.

Next generation antivirus: the future of malware protection or marketing hype?

A lot of antivirus companies are marketing their products as “nextgen”, but have you ever stopped to wonder what this term actually means? Learn more about the differences between traditional and nextgen antivirus in our latest blog post.

The post Next generation antivirus: the future of malware protection or marketing hype? appeared first on Emsisoft | Security Blog.

The post Next generation antivirus: the future of malware protection or marketing hype? appeared first on Security Boulevard.

CVE-2018-17287

In Kofax Front Office Server Administration Console 4.1.1.11.0.5212, some fields, such as passwords, are obfuscated in the front-end, but the cleartext value can be exfiltrated by using the back-end "download" feature, as demonstrated by an mfp.password downloadsettingvalue operation.

CVE-2018-17288

Kofax Front Office Server version 4.1.1.11.0.5212 (both Thin Client and Administration Console) suffers from multiple authenticated stored XSS vulnerabilities via the (1) "Filename" field in /Kofax/KFS/ThinClient/document/upload/ - (Thin Client) or (2) "DeviceName" field in /Kofax/KFS/Admin/DeviceService/device/ - (Administration Console).

CVE-2018-17289

An XML external entity (XXE) vulnerability in Kofax Front Office Server Administration Console version 4.1.1.11.0.5212 allows remote authenticated users to read arbitrary files via crafted XML inside an imported package configuration (.ZIP file) within the Kofax/KFS/Admin/PackageService/package/upload file parameter.
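The entry above describes the classic XXE shape: XML inside an uploaded package (.ZIP) is parsed with external entities enabled, so a crafted entity pulls a local file into the document. The block below is an added example, not Kofax's code: it builds an in-memory package (a constructed fixture), and the importer refuses any config.xml that carries a DOCTYPE or ENTITY declaration before handing it to the parser. Configuration files never need a DTD, so rejecting one outright removes the attack surface regardless of which parser library sits underneath, and a size limit on the entry stops a decompression-bomb variant. The entry name and element names are assumptions for the illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

MAX_CONFIG_BYTES = 1_000_000  # refuse oversized entries before inflating them

# Constructed package contents. The entity declaration is the classic XXE probe:
# a parser that resolves it reads /etc/passwd into the <name> element.
MALICIOUS_CONFIG = b"""<?xml version="1.0"?>
<!DOCTYPE config [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<config><name>&xxe;</name></config>"""

BENIGN_CONFIG = b"""<?xml version="1.0"?>
<config><name>scanner-01</name></config>"""


def build_package(config_bytes: bytes) -> bytes:
    """Assemble an in-memory .zip with a single config.xml entry (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("config.xml", config_bytes)
    return buf.getvalue()


def reject_dtd(data: bytes) -> None:
    """Refuse any document carrying a DOCTYPE or ENTITY declaration. Without a
    DTD there is nothing for an external entity reference to resolve, whatever
    the parser does. (A DOCTYPE inside a comment would also be refused; for a
    config import that false positive is acceptable.)"""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD or entity declaration in uploaded XML; rejected")


def parse_package_config(zip_bytes: bytes) -> str:
    """Extract and parse config.xml from an uploaded package, returning <name>."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo("config.xml")
        if info.file_size > MAX_CONFIG_BYTES:
            raise ValueError("config.xml too large")
        data = zf.read("config.xml")
    reject_dtd(data)
    root = ET.fromstring(data)
    return root.findtext("name", default="")


if __name__ == "__main__":
    print(parse_package_config(build_package(BENIGN_CONFIG)))
    try:
        parse_package_config(build_package(MALICIOUS_CONFIG))
    except ValueError as exc:
        print("rejected:", exc)
```

Python's xml.etree does not fetch external entities itself, but the explicit pre-check is what makes the behaviour independent of the parser in use, which matters when the same package is later handed to a Java or C++ component with different defaults.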

CVE-2019-11017

On D-Link DI-524 V2.06RU devices, multiple Stored and Reflected XSS vulnerabilities were found in the Web Configuration: /spap.htm, /smap.htm, and /cgi-bin/smap, as demonstrated by the cgi-bin/smap RC parameter.

CVE-2019-11223

An Unrestricted File Upload Vulnerability in the SupportCandy plugin through 2.0.0 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension.

CVE-2018-16877

A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation.

CVE-2019-3398

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.
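Two of the entries above are the same failure from different angles: the SupportCandy entry (a file with an executable extension is accepted) and the Confluence entry (an attachment name is allowed to steer the write location). The block below is an added example covering both, not code from either project: an attachment name is accepted only as a single path component with an allowlisted extension and no executable suffix anywhere in a double extension, and the final write path is resolved and checked to lie under the attachment directory. The extension lists and the directory are illustrative assumptions.

```python
import os
from pathlib import PurePosixPath

# Extensions a web server or app container might execute; reject these anywhere
# in the name (illustrative list, extend for your stack).
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".phar", ".jsp", ".jspx", ".asp",
                       ".aspx", ".cgi", ".pl", ".py", ".sh", ".exe", ".htaccess"}
# The allowlist is the primary control; the denylist only catches double extensions.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt", ".zip", ".csv"}


def validate_attachment_name(name: str) -> str:
    """Return the name if it is a single safe path component, else raise ValueError."""
    if not name or name != name.strip() or "\x00" in name:
        raise ValueError("empty, padded, or NUL-containing name")
    if "/" in name or "\\" in name:
        raise ValueError("path separators are not allowed in an attachment name")
    if name in (".", "..") or name.startswith("."):
        raise ValueError("dot-names and hidden files are not allowed")
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED_SUFFIXES:
        raise ValueError("extension not in allowlist")
    if any(s in EXECUTABLE_SUFFIXES for s in suffixes):
        raise ValueError("executable extension present (possibly as a double extension)")
    return name


def is_safe_attachment_name(name: str) -> bool:
    try:
        validate_attachment_name(name)
        return True
    except ValueError:
        return False


def safe_attachment_path(base_dir: str, name: str) -> str:
    """Final containment check: the resolved target must stay under base_dir even
    if a symlink or an unexpected name slips past the string checks."""
    validate_attachment_name(name)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("attachment path escapes the attachment directory")
    return target


if __name__ == "__main__":
    for candidate in ["report.pdf", "shell.php.png", "../../etc/passwd", "webshell.php"]:
        print(f"{candidate!r}: {'accepted' if is_safe_attachment_name(candidate) else 'rejected'}")
    print(safe_attachment_path("/srv/attachments", "report.pdf"))  # hypothetical directory
```

The string checks are there to fail fast with a clear reason; the realpath/commonpath containment check is the one that still holds when the name is built from several user-controlled pieces or when the attachment directory contains symlinks. Serving the directory with execution disabled (and from a separate host name) is the backstop for anything that still gets through.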

Facebook Confirms Millions of Instagram Passwords Were Stored in Plain Text

Back in March, Facebook announced that millions of Facebook passwords were stored on its servers in plain text with no encryption. At the time, Facebook also said that "tens of thousands" of Instagram passwords were also stored in the same unencrypted format, but as it turns out, the actual number was much, much higher.

In an update to its original blog post, Facebook now says that millions of Instagram passwords were stored on its servers in a readable format.

Update on April 18, 2019 at 7AM PT: Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.

These unencrypted, plain text passwords were accessible to thousands of Facebook employees, and while Facebook says that there's no "evidence to date" that anyone within Facebook abused or improperly accessed the passwords, it's highly concerning.

Instagram usernames, unlike Facebook usernames, can be highly appealing to thieves. Short names can sell for quite a lot of money, which makes Instagram passwords rather valuable.

Facebook was not forthcoming about the discovery of additional impacted Instagram accounts, burying it in a month-old blog post and, as Recode points out, releasing the update just before the Mueller report came out and media sites were distracted.

Facebook will be notifying Instagram users whose passwords were improperly stored, and Instagram users who are concerned about their accounts should change their passwords and make sure two-factor authentication is enabled.

Facebook's latest security leak comes just a day after news spread that Facebook harvested the email contacts of 1.5 million Facebook users without their consent and used the data to build a web of social connections.

Earlier this week, a scathing report also outlined how Facebook leveraged user data to punish its rivals and reward companies who paid heavily into Facebook advertising and shared data of their own.


This article, "Facebook Confirms Millions of Instagram Passwords Were Stored in Plain Text" first appeared on MacRumors.com

Facebook Quietly Updates Last Month’s Security Disclosure To Add That ‘Millions’ of Instagram Users Are Also Impacted

Last month, Facebook disclosed that hundreds of millions of users on its platform had their account passwords stored in plain text -- in some cases going back to 2012 -- and searchable by thousands of Facebook employees. Today, the company quietly updated that blog post to reveal that Instagram users are also impacted. It said, in the update: Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.

Read more of this story at Slashdot.