Read more of this story at Slashdot.
Microsoft has released a security update to address a vulnerability in the Yammer desktop application. A remote attacker could exploit this vulnerability to take control of an affected system.
NCCIC encourages users and administrators to review the Microsoft Security Advisory and apply the necessary update.
A vulnerability in libssh could allow an unauthenticated, remote attacker to bypass authentication on a targeted system.
The vulnerability is due to improper authentication operations by the server-side state machine of the affected software. An attacker could exploit this vulnerability by presenting an SSH2_MSG_USERAUTH_SUCCESS message to a targeted system. A successful exploit could allow the attacker to bypass authentication and gain unauthorized access to a targeted system.
This advisory will be updated as additional information becomes available.
This advisory is available at the following link:
Security Impact Rating: Critical
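As an added illustration of the state-machine defect the advisory describes (a constructed Python model written for this page, not libssh's code; the message numbers are the standard SSH userauth values, while the class, state and function names are assumptions): the flawed dispatch that sets the authenticated flag from a server-only message, beside a hardened version that checks message direction and session state.

```python
# Toy model of a server-side SSH userauth state machine (constructed example,
# not libssh code). Message numbers follow the SSH2 userauth numbering; the
# state and class names are assumptions made for this illustration.
import hmac
from enum import Enum, auto
from typing import Optional

SSH2_MSG_USERAUTH_REQUEST = 50   # client -> server
SSH2_MSG_USERAUTH_FAILURE = 51   # server -> client
SSH2_MSG_USERAUTH_SUCCESS = 52   # server -> client


class AuthState(Enum):
    NONE = auto()
    AUTHENTICATING = auto()
    AUTHENTICATED = auto()


class ProtocolError(Exception):
    """Raised when a peer sends a message it is not entitled to send here."""


class FlawedServer:
    """Dispatches on message type alone. Because the USERAUTH_SUCCESS handler
    sets the authenticated flag, a client that sends that server-only message
    is treated as authenticated without ever presenting a credential."""

    def __init__(self, password: bytes) -> None:
        self._password = password
        self.state = AuthState.NONE

    def handle(self, msg_type: int, payload: bytes = b"") -> Optional[int]:
        if msg_type == SSH2_MSG_USERAUTH_REQUEST:
            if hmac.compare_digest(payload, self._password):
                self.state = AuthState.AUTHENTICATED
                return SSH2_MSG_USERAUTH_SUCCESS
            self.state = AuthState.AUTHENTICATING
            return SSH2_MSG_USERAUTH_FAILURE
        if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
            # The defect: the "auth succeeded" handler runs for whichever peer
            # sent the message, so the direction of the message is never checked.
            self.state = AuthState.AUTHENTICATED
            return None
        return None

    def is_authenticated(self) -> bool:
        return self.state is AuthState.AUTHENTICATED


class HardenedServer:
    """Two checks the flawed version lacks: only message types a client may send
    are dispatched at all, and the authenticated flag is set in exactly one
    place, after a credential has been verified."""

    CLIENT_TO_SERVER = frozenset({SSH2_MSG_USERAUTH_REQUEST})

    def __init__(self, password: bytes) -> None:
        self._password = password
        self.state = AuthState.NONE

    def handle(self, msg_type: int, payload: bytes = b"") -> int:
        if msg_type not in self.CLIENT_TO_SERVER:
            # A server-only message arriving from the client is a protocol
            # violation; a real server would disconnect and log the event.
            raise ProtocolError(f"unexpected client message type {msg_type}")
        if self.state is AuthState.AUTHENTICATED:
            raise ProtocolError("userauth request after authentication")
        if hmac.compare_digest(payload, self._password):
            self.state = AuthState.AUTHENTICATED
            return SSH2_MSG_USERAUTH_SUCCESS
        self.state = AuthState.AUTHENTICATING
        return SSH2_MSG_USERAUTH_FAILURE

    def is_authenticated(self) -> bool:
        return self.state is AuthState.AUTHENTICATED


def accepts_unsolicited_success(server) -> bool:
    """Deliver a server-only SUCCESS message with no credential and report
    whether the session ended up authenticated. Returns False when the server
    rejects the message outright with ProtocolError."""
    try:
        server.handle(SSH2_MSG_USERAUTH_SUCCESS)
    except ProtocolError:
        return False
    return server.is_authenticated()


if __name__ == "__main__":
    secret = b"constructed-secret"
    print("flawed server authenticated:", accepts_unsolicited_success(FlawedServer(secret)))
    print("hardened server authenticated:", accepts_unsolicited_success(HardenedServer(secret)))
```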
High-value servers targeted by cyber-weapons dumped online by Shadow Brokers
Miscreants are using a trio of NSA hacking tools, leaked last year by the Shadow Brokers, to infect and spy on computer systems used in aerospace, nuclear energy, and other industries.…
U.S. stocks traded mixed on Friday, as only one of three major bourses managed to bounce back from the heavy losses incurred in the previous session. Cryptocurrencies showed signs of wobbling early on before a modest recovery kept the market near break-even.
Stocks Lose Steam
The large-cap S&P 500 Index held higher up until the final […]
Dan Coats, the US director of national intelligence, said there's "no evidence" that Chinese spies tampered with servers bought by up to 30 companies, including the likes of Apple and a telecom provider, as Bloomberg reported earlier this month. However, he told Cyberscoop that "we're not taking anything for granted. We haven't seen anything, but we're always watching."
Via: The Verge
A month ago we heard of an attack on the EOSBet gambling app. That time, the hackers exploited a vulnerability
Security researchers observed a new attack group known as Gallmaker using living-off-the-land (LotL) tactics in an extensive espionage campaign.
According to Symantec, the attackers targeted several embassies of an Eastern European country, defense targets in the Middle East, and other government and military targets. The threat group — which has been in operation since at least December 2017 — did not use malware as part of its most recent activity. Instead, it employed LotL tactics and publicly available hacking tools.
In the campaigns discovered by Symantec, Gallmaker sent out spear phishing emails with malicious attachments. These documents abused the Microsoft Office Dynamic Data Exchange (DDE) protocol to compromise recipients’ machines. The attackers then leveraged that access to spy on their victims by remotely executing commands in memory, including the use of WindowsRoamingToolsTask to schedule PowerShell scripts and a “reverse_tcp” reverse shell payload from Metasploit.
A Surge in Living-off-the-Land Tactics
Gallmaker isn’t the only group that has used LotL tactics in recent months. In fact, Symantec researchers witnessed a surge in these techniques dating back to at least July 2017.
At the time, they identified four main categories of LotL attacks, including the abuse of dual-use tools such as PsExec and the emergence of memory-only threats that may achieve fileless persistence. Symantec also noted that those behind the June 2017 Petya outbreak had lived off the land as a means to infect organizations around the world.
How to Defend Against Gallmaker Attacks
Security professionals can protect their organizations against Gallmaker’s campaigns by establishing a consistent software patching program that prioritizes vulnerabilities based on their assessed risk. Security teams should also adhere to the principle of layered security and implement next-generation endpoint protection tools to defend against fileless malware.
The post New Gallmaker Attack Group Using Living-off-the-Land Tactics in Espionage Campaign appeared first on Security Intelligence.
GandCrab ransomware has evolved again, and the newest version features a partnership with NTCrypt to facilitate code obfuscation and frustrate security researchers.
As noted by McAfee, GandCrab’s authors deployed version 5 of the ransomware on Sept. 27. Since first appearing in January 2018, the code’s authors have released regular updates that both improved functionality and introduced new bugs.
As the McAfee report put it, the ransomware authors “are undoubtedly confident and have strong marketing skills, but flawless programming is not one of their strengths.” Still, public endorsement of FalloutEK and a new partnership with NTCrypt suggest that GandCrab is looking to claw its way into as many devices as possible with this new iteration.
What Does GandCrab’s Development Mean for Malware Security?
The makers of GandCrab aren’t afraid of notoriety; each new release comes with flashy announcements and promises of new partnerships. As a result, a members-only club of affiliates has developed around GandCrab, with more waiting in the wings to distribute the ransomware. GandCrab’s popularity has also led to partnerships with other criminal groups, which has helped the malware evolve from a simple infection vector to a more sophisticated ransomware-as-a-service.
Particularly concerning is GandCrab’s ability to attract other criminal groups. Its partnership with NTCrypt was established by way of competition: The crypter received $500 from the developers and free advertising in all of GandCrab’s advertisements. Beyond the obfuscation offered by NTCrypt services, this recruiting method provides a way for malware developers to avoid low-quality partners while diversifying their supply chain.
The ransomware uses multiple attack vectors to infect devices, encrypt files and demand cryptocurrency, including remote desktop connections, phishing emails, legitimate programs with hidden Trojans, exploit kits, PowerShell scripts and botnets such as Phorpiex.
How to Avoid the Pinch of GandCrab’s Code Obfuscation
Although the GandCrab developers are working hard to deliver regular updates, their lack of coding sophistication also introduces bugs that limit functionality or cause outright failure. For example, a compiling flaw in version 5 relies on a dynamic-link library (DLL) not available in Windows Vista or XP, meaning the malware will only work on machines running Windows 7 or later. The authors also claimed that their code doesn’t rely on existing CVEs, but this is inaccurate — GandCrab uses both CVE-2018-8440 and CVE-2018-8120.
Despite its flaws, however, GandCrab remains a potent attack vector. To counter this type of malware security threat, security experts recommend establishing a security baseline, incorporating security best practices into all endpoint builds and ensuring a consistent “golden image” that adheres to your security policy. Security teams should also create and maintain a live inventory of all devices to help pinpoint malware infections, and develop “an aggressive and current patch management policy” to help mitigate the impact of existing vulnerabilities.
The post GandCrab Partners With NTCrypt for Code Obfuscation appeared first on Security Intelligence.
Kaspersky Lab security researchers have analyzed another exploit tool that was supposedly stolen from the National Security Agency-linked Equation Group.
This week, the libssh project announced a serious bug in versions of their library released in the last few years.
ZDNet: Apple to US users: Here’s how you can now see what personal data we hold on you – “Apple’s privacy tools now go beyond Europe, so more now get to download the personal data it has collected… The move brings the four countries in line with Europe, where Apple began offering a simpler way to download a copy of user data in May, just before the EU’s strict GDPR privacy legislation came into effect.”
Security Boulevard: Inside Safari Extensions | Malware’s Golden Key to User Data – “A 2-part series looking at the technology behind macOS browser extensions and how malicious add-ons can steal passwords, banking details and other sensitive user data”
And some Google/Android issues:
- John E. Dunn for Sophos: Is Google’s Android app unbundling good for security? – “…Google’s licensing compelled device makers to install apps such as Search and Chrome if they wanted to install … the Play Store. In July 2018, the European Commission (EC) concluded this was a ploy to give Google Search a monopoly on Android, fined the company €4.34 billion ($5.1 billion) on anti-trust grounds.”
- The Register: Decoding the Google Titan, Titan, and Titan M – that last one is the Pixel 3’s security chip – “Chocolate Factory opens lid, just a little, on secure boot and crypto phone coprocessor”
Earlier this month, Bloomberg reported that San Jose-based server company Super Micro installed surveillance micro-chips in the Chinese data center hardware of up to 30 companies, including Amazon and Apple. These chips were supposedly used to steal intellectual property. However, all companies that were named in the initial report have denied Bloomberg's claims. Now, Apple CEO Tim Cook is calling on the well-reputed publication to retract its story altogether, according to BuzzFeed.
Source: BuzzFeed News
Thousands of projects are possibly impacted by a jQuery File Upload plugin vulnerability that has been actively exploited in the wild, a security researcher has discovered.
In early October, Bloomberg published a bombshell article uncovering an extraordinary hardware hacking effort by state-sponsored Chinese agents. “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies” details successful efforts by the People’s Liberation Army (PLA) to implant tiny chips into the motherboards of servers made by Super Micro, to compromise those systems and give them access. It’s an extensive piece of reporting, too complex to fully summarize here. To really understand all the details, you should read the original article.
As a website owner, you may have experienced your website being down for any number of reasons: errors in code, server-related difficulties, or even being under attack from bad actors.
I once shared my own experience of a hacked website in a webinar. Whether you have one site or hundreds, when restoring your online presence it is imperative to have a process in place.
If Your Website Gets Hacked, What is Your Plan?
[Cross-posted from the Android Developers Blog]
In Android Pie, we introduced Android Protected Confirmation, the first major mobile OS API that leverages a hardware protected user interface (Trusted UI) to perform critical transactions completely outside the main mobile operating system. This Trusted UI protects the choices you make from fraudulent apps or a compromised operating system. When an app invokes Protected Confirmation, control is passed to the Trusted UI, where transaction data is displayed and user confirmation of that data's correctness is obtained.
Protected Confirmation also adds additional security relative to other forms of secondary authentication, such as a One Time Password or Transaction Authentication Number. These mechanisms can be frustrating for mobile users and also fail to protect against a compromised device that can corrupt transaction data or intercept one-time confirmation text messages.
Once the user approves a transaction, Protected Confirmation digitally signs the confirmation message. Because the signing key never leaves the Trusted UI's hardware sandbox, neither app malware nor a compromised operating system can fool the user into authorizing anything. Protected Confirmation signing keys are created using Android's standard AndroidKeyStore API. Before it can start using Android Protected Confirmation for end-to-end secure transactions, the app must enroll the public KeyStore key and its Keystore Attestation certificate with the remote relying party. The attestation certificate certifies that the key can only be used to sign Protected Confirmations.
There are many possible use cases for Android Protected Confirmation. At Google I/O 2018, the What's new in Android security session showcased partners planning to leverage Android Protected Confirmation in a variety of ways, including Royal Bank of Canada person to person money transfers; Duo Security, Nok Nok Labs, and ProxToMe for user authentication; and Insulet Corporation and Bigfoot Biomedical, for medical device control.
Insulet, a global leading manufacturer of tubeless patch insulin pumps, has demonstrated how it can modify its FDA-cleared Omnipod DASH™ Insulin Management System in a test environment to leverage Protected Confirmation to confirm the amount of insulin to be injected. This technology holds the promise of improved quality of life and reduced cost by enabling a person with diabetes to leverage their convenient, familiar, and secure smartphone for control rather than having to rely on a secondary, obtrusive, and expensive remote control device. (Note: The Omnipod DASH™ System is not cleared for use with the Pixel 3 mobile device or Protected Confirmation.)
To integrate Protected Confirmation into your app, check out the Android Protected Confirmation training article. Android Protected Confirmation is an optional feature in Android Pie. Because it has low-level hardware dependencies, Protected Confirmation may not be supported by all devices running Android Pie. Google Pixel 3 and 3XL devices are the first to support Protected Confirmation, and we are working closely with other manufacturers to adopt this market-leading security innovation on more devices.
Ep. #39 show notes: Recorded Oct. 5, 2018 - We start out with a quick chat to get to know this week’s special guests from the Talos Outreach team: Paul Rascagneres, Vanja Svajcer and Warren Mercer. We discuss everyone’s work that was presented at Virus Bulletin, as well as Paul and Warren being nominated for the Péter Szőr Award. We also cover a lot of vulnerability discovery work that we recently released around various PDF software.
The topics
01:25 - Roundtable - Intros with our special guests Warren Mercer, Vanja Svajcer and Paul Rascagneres.
07:01 - Virus Bulletin and Korea in the Crosshairs nominated for Péter Szőr Award
22:42 - Other Talos talks and internet-of-things nonsense
28:39 - PDF vulnerabilities and how vulnerabilities can come in batches
35:23 - Closing thoughts and parting shots
The links
Péter Szőr Award: https://www.virusbulletin.com/conference/peter-szor-award/
Talos PDF vulnerability posts: https://blog.talosintelligence.com/search?q=pdf&by-date=true
Featuring: Nigel Houghton (@EnglishLFC). Special guests: Warren Mercer (@SecurityBeard), Paul Rascagneres (@R00tBSD), and Vanja Svajcer (@VanjaSvajcer). Hosted by Mitch Neff (@MitchNeff).
Privacy in the Age of the Algorithm
Welcome to the brave new world of GDPR, which came into effect on May 25, 2018. For weeks now, in-boxes have been brimming with notices from companies that, like a spurned lover, beg people: “please come back! We miss you!” News reporting of the great “privacy watershed moment” even varied in perspective from country to country.
Media outlets in the UK largely decried the “spamming by companies to get people to accept new terms and conditions”, whereas in France, companies were portrayed as simply sending e-mails noting that privacy policies had been updated, with attendant links to “learn more about it”. Meanwhile, tech giants like Facebook and Google faced immediate legal filings — essentially shots across their bows — over perceptions of “forced consent”.
Is it any wonder companies are still confused and thereby confusing their customers?
As GDPR goes into effect, the first phase of the Internet – the Wild West days – comes to an end, and it is the perfect backdrop for discussing the power of disruption, with ALL of its positive and negative consequences.
At the root of all this, of course, is the even braver new world of the future of our privacy – in Europe, China, America and everywhere else the new machines of the digital age reign. There is no question that the age of algorithms, automation and AI has resulted in great leaps forward for humanity in terms of personal recommendations, customised experiences and lightning-fast convenience.
All at the cost of sharing our personal information.
Today’s digital age is the proverbial double-edged sword, and our privacy is increasingly the hilt of that blade. With every click and like and swipe we make online, our interests, preferences and intent are revealed and captured. The ubiquity of location-based sensors, facial recognition and social and mobile computing has made consumers the subject of vast and lucrative analysis by companies every day. As The Police sang in the ‘80s, “every move you make” in the online world is visible not only to those we trust but also to those we do not even know exist.
The Restoration of the Sovereignty of Data Privacy
Revelations like Cambridge Analytica’s exploits – carried out without the affected users’ direct consent – have brought this under a white-hot heat lamp of scrutiny. Questions continue to be asked in Brussels, the House of Commons, and on Capitol Hill. After 25 years of regulatory-light experimentation with the “information superhighway,” policy makers the world over are beginning to lay down serious “rules of the road” pertaining to data privacy, largely spurred by what the EU has put in place over the past few years as a policy pacesetter, culminating with GDPR.
If data is the new oil, every new massive breach or shocking revelation is a gusher that needs to be contained. And like the Deepwater Horizon and Exxon Valdez did for the oil industry, regulation for the technology industry looms large. Regulating for privacy is a subplot to the great story of our time that is AI, but it runs the risk of side-tracking the excitement of possibilities in the digital age.
When it comes to bolstering privacy and trust in the Age of the Algorithm, here is how we begin the restoration. The following is a strategic list for all companies of six critical actions – three things to start doing, and three things to stop doing – to help data privacy flourish in the digital age.
- START innovating new roles like the chief trust officer at the executive level. Trust is an amorphous concept for which every employee of an organisation has implicit – but not explicit – responsibility. This must change. “Trust” is now a competitive factor for every business. A chief trust officer (reporting directly to the CEO and a peer to the CFO and general counsel) should work closely with data protection officers (now mandated by GDPR) to oversee privacy and customer advocacy, thus ensuring digital innovations thrive. They’ll certify that monetisation of data conforms to ethical guidelines and key performance indicators.
- START promoting public policy that rewards good privacy ethics. The closer you are to the debate – even if it means squirming through testimony in Brussels, Bern, Berlin or Westminster – the more influence you can have on the future.
- START ensuring privacy protection initiatives for metadata. Submitted customer data (e.g., comments, pictures, etc.) – and the ability to edit or delete it – is one thing. But it’s customers’ metadata (or “contextual data” in the PII parlance of GDPR) that’s the bigger deal. We’re already seeing moves from players like Facebook to establish a “clear history” feature – somewhat like an angioplasty for customers’ digital footprints.
- STOP taking things like ethics for granted. While “move quickly and break things” sounded great a few years ago, the tide has undeniably turned. The days of the “data debutantes” are over, since the consequence of betting the brand on questionable use of data is the disappearance of customers. As the backlash grows, there’s a very real possibility that new jobs of the future like personal data brokers will emerge to help customers manage the monetisation of their own data.
- STOP thinking of GDPR as the enemy. The absence of trust is antitrust, and your mindset needs to embrace one simple fact: love it or hate it, GDPR regulation is your new best friend. Legislative sea changes of this type could be the raw fuel that impels business success in the future.
- STOP over-reacting. Course corrections and pivots on the road to the future of privacy will be natural. That does not mean innovation is over, but let ethics (and the law) help your organisation walk the line between leading edge and bleeding edge. Capitulating to fear, and shutting down digital innovation is the worst thing any organisation can do.
While the fundamentals of these questions have always been with us, the future now rests on how we treat and manage data. The long view of the future of privacy is that corporate leaders, companies and countries that do this successfully – through ethics, responsible practices and, yes, healthy regulation like GDPR – will participate in a new golden age of digital practice.
Every single day, families suffering from police violence find themselves in the fog of unspeakable setbacks. Some have lost their fathers or sons, their mothers or daughters, their brothers or sisters, their neighbors or friends. I am sometimes enlisted to help them. Before I was a journalist, I was a pastor, and it was often my job to guide families through grief and loss. But it’s a unique crisis to have the life of your loved one taken by the state. Who do you call? 911? Who leads the investigation? Who brings you justice? The answers for these families are altogether different than in other murder cases.
When I got the call that Chinedu Okobi had been killed by police from the San Mateo County Sheriff’s Office in the San Francisco Bay Area, it was different. This was my Morehouse brother. You’d almost have to have lived at 830 Westview Drive, on that red clay hill in Georgia called Morehouse College, to truly understand how that bond is formed. We are close. We have each other’s back. Comparing Morehouse to a regular Greek fraternity is not good enough. It’s a brotherhood in the truest sense: It’s a family.
I was Chinedu’s student government president. He and I lived in the same dorm. He was close friends with many of my close friends. His sister Ebele, a revered executive at Facebook, is close with many of my closest friends at the company.
When I got a call from her this past Saturday to discuss Chinedu Okobi’s death, I had to fight hard to hold back tears. I was surprised at my own fragile state. My dear brother, Jason, just passed away a few weeks ago. While his death had absolutely nothing to do with police violence, for the first time I understood the unique pain of losing a brother who was supposed to have his whole life ahead of him.
Chinedu Okobi should be alive right now. At the very most, he should be in a hospital receiving mental health treatment. By now, he likely would’ve been released back to the care of his family. Local police have not responded to my repeated requests for more information about Chinedu’s death, but this much we know: While he was technically unarmed, meaning that he had no gun or knife or illegal weapon on his body, he was armed in a very American way. He was a big Black man, a dark-skinned Nigerian who was 6 feet, 3 inches tall and weighed 330 pounds. In the eyes of American police, that might as well be armed. This nation has long since weaponized blackness.
This country has also weaponized mental illness. Chinedu lived with mental illness. He received treatment, took medications, and worked hard to balance his life the best he could. I never knew it. What I do know is that in this country, when someone is having a mental health crisis, police are called — which is like bringing in a bulldozer to fix a leaky faucet. It’s a stupid system.
Chinedu needed to go to the hospital. He needed medical treatment. Instead, he was surrounded by officers who appear to have repeatedly used a Taser on him until he died. Let me phrase that another way: Chinedu was still shot, but by guns that electrocute people to death instead of tearing apart their flesh and organs with bullets. In the name of being safer than guns, hundreds of thousands of police officers have now been armed with Tasers, but they aren’t safe — not at all.
Chinedu’s black life didn’t matter. Those cops would not have treated their own family that way. If Chinedu was their son or father or brother, those men would’ve found another way to deal with his crisis.
Since 2000, American police have killed at least 1,000 people with Tasers. They are horrible. The primary company that makes them, Taser, has changed its name to Axon — just like Corrections Corporation of America, the notorious private prison company, changed its name to CoreCivic. It’s an attempt to escape their baggage, but it’s the same old shit.
And Axon has gotten a complete pass for what the company makes. The company deflects from the fact that they make machines that send uncontrollable electricity into people’s bodies. The problem, of course, is that the human body simply was not built to take these surges of electricity. Axon advertises these weapons as “less lethal,” but the comparison to guns and other weapons would be cold comfort for the more than 1,000 people who have died from the electric shocks.
Worse yet, the “less lethal” moniker has meant that many cities and states don’t have robust regulations for how law enforcement is supposed to use these weapons. So the mythical “less lethal” marketing is working — for the company, not for victims of the weapons.
That such dangerous shocks would be administered to people with mental illnesses is especially upsetting. Every single day in this country, hundreds of thousands of nurses treat adults and children who are living with mental illness. Those patients are regularly in crisis, and nurses consistently face them down without ever having to electrocute them into submission. If five police officers were unable to do the same thing with Chinedu without killing him, the problem is not Chinedu — it’s the police officers. It’s the consistent impatience with black people in distress that is shown by law enforcement.
The United States, particularly the United States government, seems to have long ago given up on completely reimagining how to solve its most complex problems. This much, though, should be obvious: Electrocuting people into submission is a horrible idea, no matter how supposedly “less lethal” the weapon is.
Basic Attention Token (BAT) has been quietly recording day on day growth for the last four days as anticipation builds regarding a Coinbase listing. The value of BAT has increased by 42% in that time, as public opinion leans toward the theory that BAT’s ERC-20 foundation makes it a prime candidate to be the next […]
The post Basic Attention Token (BAT) Quietly Racks Up 42% Gains on Coinbase Anticipation appeared first on Hacked: Hacking Finance.
Cisco employees spend a week going green
If you see me speaking about cloud it’s pretty much guaranteed I’ll eventually say:
Cloud security starts with architecture and ends with automation.
I’m nothing if not repetitive. This isn’t just a quip, it’s based on working heavily in cloud for nearly a decade with organizations of all size. The one consistency I see over and over is that once organizations hit a certain scale they start automating their operations. And every year that line is earlier and earlier in their cloud journey.
I know it because first I lived it, then I watched every single organization I worked with, talked with, or generally glanced at, go down the same path.
- Rich
The Trump administration is considering whether to grant a South Carolina request that would effectively allow faith-based foster care agencies in the state the ability to deny Jewish parents from fostering children in its network. The argument, from the state and from the agency, is that the federal Religious Freedom Restoration Act should not force a Protestant group to work with Jewish people if it violates a tenet of their faith.
The case being made by South Carolina is an extension of the debate around RFRA, which is more commonly associated with discrimination against LGBTQ people, but by no means applies exclusively to that group.
If granted, the exemption would allow Miracle Hill Ministries, a Protestant social service agency working in the state’s northwest region, to continue receiving federal dollars while “recruiting Christian foster families,” which it has been doing since 1988, according to its website. That discrimination would apply not just to Jewish parents, but also to parents who are Muslim, Catholic, Unitarian, atheist, agnostic or of some other non-Protestant Christian denomination.
Miracle Hill covers Greenville, Pickens and Spartanburg counties, and its foster care services have become increasingly in demand as an opioid epidemic has torn through a generation of young parents. The fight over its policy has been written about in the local press and was first covered nationally by The Nation.
The request has been made to the Department of Health and Human Services. The agency has been quietly taken over by hardline evangelical activists, a perk for their unwavering support of Trump’s presidential bid and his administration.
Miracle Hill has told the local press that while they themselves will not place children with families who don’t meet their standards, they refer them to agencies that will. But as the provider with the region’s highest quality of service, making referrals means sending people to deal directly with the state Department of Social Services, or to agencies in other parts of the state that are several hours away by car.
Beth Lesser is a Jewish parent who was turned away by Miracle Hill. “Understand, in the upstate of South Carolina, if you want to be a foster parent or a mentor, there’s DSS, which is the government. And there’s Miracle Hill. There really isn’t anybody else,” Lesser told The Intercept.
When she still lived in Greenville, Lesser participated in a three-day training co-hosted by Miracle Hill and Fostering Great Ideas, another regional child welfare agency. On the third day, two officials running the training, David White of Fostering Great Ideas, as well as a Miracle Hill representative, told the group that non-Protestants wouldn’t be able to mentor with Miracle Hill, let alone foster a child.
“I’ve never felt that sort of discrimination before,” she said. “Once they get [the children] in one of their group homes, they don’t let non-Christian Protestants mentor them, foster them, or anything.” Lesser couldn’t recall the name of the Miracle Hill representative, but White confirmed the exchange to The Intercept, saying that they were explaining Miracle Hill’s policy, and that his agency, FGI, does not itself discriminate. Miracle Hill did not respond to a request for comment.
Originally from New Jersey, she and her husband lived in Florida before moving to South Carolina for 18 years. They’ve fostered and mentored other children through various agencies, and have since returned to Florida.
“What Miracle Hill does, is they scoop up these kids from foster care, and they have these group homes. And then once they get the kids in there, their whole objective is to indoctrinate them into their brand of Christianity,” Lesser said.
Lesser said that while she and her husband were licensed foster parents while they lived in South Carolina, they “hardly got any calls” to foster children.
“I think that if Trump knew about this in detail, he wouldn’t be for it,” Lesser said. “Because he’s not a religious nut.” She’s a proud supporter of the president — and, she offered, she wanted Supreme Court Justice Brett Kavanaugh to be confirmed.
For the state’s DSS, the practice of discriminating against Jewish families was too much. As early as January 2018, DSS sent a letter raising concerns that the agency was violating federal and state nondiscrimination laws, as well as DSS policy, by requiring applicants to meet strict religious standards — namely, being a practicing Protestant and not being in a same-sex relationship. The letter was obtained through a Freedom of Information Act request by the American Civil Liberties Union, which provided it to The Intercept.
“In telephone conversations with the Department, Miracle Hill has given the Department reason to believe Miracle Hill intends to refuse to provide its services as a licensed Child Placing Agency to families who are not specifically Christians from a Protestant denomination,” the letter reads, offering Miracle Hill 30 days to resolve the issue and 30 more days to implement a new approach.
But Miracle Hill, which is closely allied with the top GOP leadership of the state, had a different response: It went to lawmakers and the governor, who changed state law to shield Miracle Hill from DSS. The state officials in turn pleaded Miracle Hill’s case to the Trump administration.
Miracle Hill is one of 11 Christian-affiliated foster care agencies serving over 4,000 children in foster care and group homes in South Carolina, a state that, like many others, has historically had a shortage of foster homes.
It is the only one of those Christian agencies, according to DSS, with religious qualifications for parents.
David White is the founder and CEO of Fostering Great Ideas, a nonprofit working to improve the child welfare system, though it does not itself foster children. FGI works closely with Miracle Hill in South Carolina and is expanding to Denver, but does not share its recruitment policy. He argued that families rejected by Miracle Hill do have other places to go. There are 11 foster care providers in Greenville, according to FGI data pulled from DSS. Seven of those provide therapeutic as opposed to regular care for children.
A number of agencies do allow gay couples or Catholic families to foster, White said. “There is the ability to have an intelligent conversation, versus a ‘we’re right, you’re wrong’ — ’cause it is subtle. It’s very difficult. And I know the CEO of Miracle Hill. I know him well. And he is not a bigot. And that’s what makes this a human story.”
The organization’s last provisional state license expired July 25, and DSS won’t issue a permanent one until Miracle Hill proves it’s not discriminating — or DSS gets a federal order to make an exception.
Such an order is already drafted. It’s awaiting final signature on the desk of Secretary Alex Azar at the Department of Health and Human Services. If granted, Miracle Hill will be allowed to keep turning away qualified families seeking to adopt kids on the basis of their religious views.
The ACLU is litigating a similar case in Philadelphia against Catholic Social Services. Bethany Christian Services, another Philadelphia agency originally involved in the complaint, has since stated it will comply with federal law and accept same-sex couples. Philadelphia’s DHS has since resumed doing business with the agency. CSS is now suing DHS.
“There are many, many faith-based agencies doing work in the child welfare field,” Leslie Cooper, deputy director for the ACLU LGBT & HIV Project told The Intercept. “And doing really important work. And regardless of their religious belief, the vast majority comply with professional child welfare standards … which include: you accept all qualified families; you don’t discriminate based on characteristics unrelated to ability to care for a child.”
The few agencies unwilling to do that, Cooper said, are “seeking to maintain state contracts for many millions of dollars to provide this government service to wards of the state — the service being, find families for these children who desperately need them. But ‘Oh, we’re gonna throw away the ones that don’t meet our religious test.’ Even though they may be fantastic parents and may be the only family for a particular child, that that child is waiting for. So it’s pretty outrageous, in my view, that the states are actually passing laws to authorize this.”
Those states include Alabama, Michigan, Texas, South Carolina, Oklahoma, North Dakota, South Dakota, and Mississippi.
Even in Miracle Hill’s online application for interested foster parents, it’s clear the agency intends for children to be raised in a Christian home.
In addition to basic information, the application asks for “denominational affiliation,” a pastor’s name, phone number, and “a brief, personal testimony of your faith/salvation,” and that of a spouse, if applicable. If you and your partner are the same sex, Miracle Hill will not allow you to adopt children in their network, according to lawyers, foster parents and employees at agencies who have worked closely with Miracle Hill.
Lesser said DSS eventually asked her to foster a child with another agency in the state, but she was never asked to foster with Miracle Hill. But she said working directly with DSS — as opposed to through a service provider like Miracle Hill — is often overly burdensome, bureaucratic and ultimately ineffective. Advocates agree. So does another Jewish foster mother, Lydia Currie, who tried, unsuccessfully, to work with Miracle Hill.
That’s in part because Miracle Hill really does good work. And DSS in South Carolina, unlike in many other states, handles not only child welfare but disaster response and emergency management. They’re currently orchestrating the state’s response to Hurricane Michael.
“Your worker at Miracle Hill picks up the phone,” Currie told The Intercept. “Which workers at DSS do not do.”
A Jewish foster mother who lived in Greenville until moving to Philadelphia this year, Currie adopted twice through DSS, in 2012 and again in 2018.
“DSS is chronically understaffed, chronically underfunded, chronically over-caseloaded. And that’s why they dump so much on Miracle Hill,” Currie said.
“The standard of service offered by DSS workers is significantly inferior to what’s offered at Miracle Hill. The support for foster families is significantly inferior,” Currie said. “It is a tremendous barrier to access for people who aren’t highly educated and highly motivated.”
She dealt extensively with Miracle Hill during her time in South Carolina, both as a prospective parent and as a guardian ad litem. She and her husband have three biological children. After deciding to grow their family, they adopted two children, in 2012 and in 2018, who spent extended periods of time in Christian orphanages.
“Miracle Hill offers continuity of services,” she continued. “It creates a burden upon non-narrowly defined Protestant Christians that does not exist for families who pass their religious test for the use of public funds.”
“It was a doctrinal test, they made it very clear,” she said, recalling the first time she saw the agency’s foster parent application. “In other situations I’ve had, Christian agencies have been happy to work with Jewish families, when it’s a matter of at-risk children. Particularly if they take public funding,” she said.
“The foster adoption world is full of Christian organizations that work with any fit and willing foster parents. So Miracle Hill is very much an outlier on that in an intensely creepy way.”
Miracle Hill’s practices discriminate against Christians too — just not those who are Protestant, she said. “I also know a Catholic family that was excluded from fostering with Miracle Hill,” Currie said. “And they’re mad too.” Lesser said that she had also learned of a Catholic family turned away.
That caveat is a particular point of turmoil for Miracle Hill’s president and CEO, Reid Lehman, according to FGI’s White. “I believe that Reid has definitively, definitely wrestled with this. I know he has. And he would like to have that ability to have that conversation with you, I would imagine.” Lehman did not respond to requests for comment by the time of publication.
On top of that, Currie said, the agency “practices coercive Protestant Christianity.”
“Many, many children who have absolutely no religious affiliation, or have a religious affiliation other than Christianity, are placed by the Department of Social Services with Miracle Hill,” Currie said. That means, Currie said, “effectively mandatory Sunday school, mandatory after school Bible study. Mandatory prayer. Including teenagers, including children for whom this is terrifyingly inappropriate.”
“Church and state are so co-mingled,” Currie went on, “that I don’t think it would survive a constitutional test. No one’s interested in giving it one. It needs one actually. And Miracle Hill might be a good test case.”
The Protestant agency may well see its request granted.
The Trump administration has made clear that religious freedom, at least for those of the Christian faith, is a priority. And following Governor Henry McMaster’s March executive order supporting Miracle Hill, South Carolina added a clause, tucked into a 2018-2019 budget proviso bill that passed the General Assembly on June 28, that would keep DSS from discriminating or taking “any adverse action against a faith-based child placing agency” on the basis that the agency is declining services that conflict with its faith.
McMaster personally awarded Miracle Hill’s president and CEO Reid Lehman the state’s highest civilian honor this summer. Senator Lindsey Graham’s office in June also made appeals to HHS to speed up the process.
Lehman reached McMaster’s office after initial appeals to South Carolina State Rep. Garry R. Smith, with whom he was in contact regarding the state’s budget proviso that weakened DSS’s power to scrutinize his agency. Lehman asked Smith to press McMaster, suggesting “a call [to HHS] from the Governor’s office” reminding them “that the federal response is needed to put this to bed.”
Neither Lehman nor Miracle Hill’s spokesperson responded to multiple calls, emails and voicemails from The Intercept.
The president in January established a new HHS division within the Office for Civil Rights (OCR) dedicated to “restore federal enforcement of our nation’s laws that protect the fundamental and unalienable rights of conscience and religious freedom.”
HHS officials at a Heritage Foundation event in May “directly solicited faith-based providers to request a RFRA exemption if they feel that they are experiencing a ‘burden’ to their religious expression from federal nondiscrimination laws,” as described in an October 3 letter from Sen. Ron Wyden to Azar opposing the contested waiver.
HHS has acknowledged receipt of the letter, but has not responded, a Wyden aide told The Intercept.
Where the waiver stands now is unclear. ACF told The Intercept that HHS does not comment on pending policy decisions. The question may come down to whose faith matters. “The whole faith-based initiative under [former President George W.] Bush has all kinds of language in there about when you’re providing federally funded social services, that you can’t discriminate against people based on faith,” the ACLU’s Cooper said, “And these are federally funded social services.”
The post South Carolina Is Lobbying to Allow Discrimination Against Jewish Parents appeared first on The Intercept.
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, Trend Micro introduced Apex One, the evolution of its endpoint security solution for enterprise. Also, learn about the new weakness in Java Usage Tracker and the conditions that enabled the exploit.
Apex One combines a breadth of threat detection & response capability with investigative features, in a single agent.
Trend Micro found a design weakness in Java Usage Tracker that can enable attackers to create arbitrary files, inject attacker-specified parameters, and elevate local privileges.
Trend Micro announced its Apex One endpoint security offering, which integrates malware prevention technology with endpoint detection and response (EDR) capabilities.
With medical device cyberattacks on the rise, the Food and Drug Administration is turning to ethical hackers to help regulators and manufacturers root out vulnerabilities.
Whether or not the UK leaves the EU with a Brexit deal, the impact upon cybersecurity and the skills shortage is likely to be considerable and immediate.
New research reveals a worldwide cybersecurity skills gap of 2.9 million, with the Asia-Pacific region experiencing the highest shortage at 2.14 million.
Facebook believes that the hackers who gained access to the private information of 30 million users were spammers looking to make money through deceptive advertising.
Do you think many organizations will discontinue tackling endpoint threats with two separate tools? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Apex One™ Release and Java Usage Tracker Flaws appeared first on .
A Connecticut city has paid $2,000 to restore access to its computer system after a ransomware attack.
West Haven officials said Thursday they paid the money to anonymous attackers through the digital currency bitcoin to unlock 23 servers and restore access to city data.
The Drupal development team has patched several vulnerabilities in version 7 and 8 of the popular CMS, including RCE flaws.
The development team of the Drupal content management system addressed several vulnerabilities in version 7 and 8, including some flaws that could be exploited for remote code execution.
The Drupal team fixed a critical vulnerability in the Contextual Links module, which fails to properly validate requested contextual links. The flaw could be exploited for remote code execution by an attacker holding an account with the “access contextual links” permission.
“The Contextual Links module doesn’t sufficiently validate the requested contextual links.” reads the security advisory.
“This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access contextual links”.”
Another critical vulnerability fixed by the development team is an injection issue in the DefaultMailSystem::mail() function. The root cause is that some variables were not sanitized before being used as shell arguments when sending email.
“When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.” continues the advisory.
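The following is an added illustration of the bug class the advisory describes; it is not Drupal’s code or its patch. PHP’s mail() appends its fifth argument to the sendmail command line after running it through escapeshellcmd(), which escapes shell metacharacters but not spaces, so a Return-Path containing whitespace becomes extra sendmail options. The example shows the unchecked concatenation, a validate-then-escape replacement, and a rough model of how the resulting line is split into arguments. The attacker value, the sendmail options it smuggles in (-O and -X, as honoured by classic sendmail) and the file paths are constructed for the demonstration.

```php
<?php
// Added illustration, not Drupal's code: how an unchecked Return-Path reaches
// sendmail's command line through the fifth argument of PHP's mail(), and one
// validate-then-escape approach. Addresses and paths below are made up.

declare(strict_types=1);

/**
 * Vulnerable pattern: the Return-Path header value is concatenated straight
 * onto "-f". mail() passes this string through escapeshellcmd(), which escapes
 * metacharacters such as ; | and backticks but leaves spaces alone, so a value
 * containing whitespace turns into additional sendmail options.
 */
function build_sendmail_params_vulnerable(string $returnPath): string
{
    return '-f' . $returnPath;
}

/**
 * Hardened pattern: accept only a bare addr-spec, reject everything else, and
 * single-quote the result so it can never be split into further arguments.
 */
function build_sendmail_params_safe(string $returnPath): string
{
    // Return-Path headers are usually written as <addr>; strip the brackets.
    $addr = trim($returnPath, " \t<>");

    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("Return-Path is not a valid address: $returnPath");
    }
    // Defence in depth: an address we are willing to hand to a shell never
    // needs whitespace, quotes or other shell-significant bytes.
    if (preg_match('/[\s\'"`$\\\\;&|<>]/', $addr) === 1) {
        throw new InvalidArgumentException("Return-Path contains forbidden characters: $returnPath");
    }
    return '-f' . escapeshellarg($addr);
}

/**
 * Rough model of what the MTA sees: PHP builds
 * "/usr/sbin/sendmail -t -i <params>" and popen()s it, so the shell splits the
 * line on unquoted whitespace. A plain whitespace split is enough to show the
 * effect; the quoted form produced by escapeshellarg() contains no whitespace
 * and therefore stays one argument.
 */
function sendmail_argv(string $params): array
{
    $cmd = '/usr/sbin/sendmail -t -i ' . escapeshellcmd($params);
    return preg_split('/\s+/', trim($cmd));
}

// Constructed attacker-controlled value (assumed input, not from the advisory).
// With a sendmail-compatible MTA that honours -O and -X, the extra options
// redirect the queue directory and write a trace log, which includes the
// attacker-supplied message body, to a path under the web root.
$payload = 'attacker@example.com -OQueueDirectory=/tmp -X/var/www/html/shell.php';

// The injected options show up as separate argv entries after "-fattacker@example.com".
print_r(sendmail_argv(build_sendmail_params_vulnerable($payload)));

// The hardened builder refuses the same value outright.
try {
    build_sendmail_params_safe($payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A legitimate bracketed Return-Path is normalised and quoted.
echo build_sendmail_params_safe('<bounces@example.com>'), PHP_EOL;
```

The point of the two-step check is that escapeshellarg() alone is a blunt instrument: it stops argument splitting, but it is easier to reason about a value that has already been reduced to a single validated addr-spec, and the reject-on-failure behaviour makes abuse attempts visible in application logs rather than silently producing a mangled sendmail invocation.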
The remaining vulnerabilities addressed in the CMS have been assigned a “moderately critical” rating; they include a couple of open redirect bugs and an access bypass issue related to content moderation.
The vulnerabilities have been addressed with the release of Drupal 7.60, 8.6.2 and 8.5.8.
The Drupal team urges users to install the security updates as soon as possible: there is a concrete risk that threat actors will start exploiting these flaws in mass hacking campaigns. Sites that cannot upgrade immediately should at least review which roles hold the “access contextual links” permission, since the advisory names that permission as the precondition for the contextual links flaw.
The post Drupal dev team fixed Remote Code Execution flaws in the popular CMS appeared first on Security Affairs.
Half a century ago, the Standing Rock Dakota scholar Vine Deloria Jr. wrote, “Whites claiming Indian blood tend to reinforce mythical beliefs about Indians.” Throughout her career, Sen. Elizabeth Warren, D-Mass., has used that mythical belief — what Deloria mocked as the “Indian-grandmother complex” — to stake a claim to Native American identity, like how her European settler ancestors staked a claim to land once called Indian Territory, or what is currently Oklahoma. For Warren, her claims are like a moving target. At one time, it was “Cherokee.” Now it’s just generic “Native American ancestry.”
President Donald Trump, being a bigot, has consistently taunted Warren — frequently referring to her as “Pocahontas” — about her claims with a million-dollar wager: Take a DNA test to prove she’s “an Indian.” It was an obvious ploy, and Warren took the bait.
Yet her reaction hurt more than she might realize. Reducing Native American identity to “race,” whether through biology or the law, is harmful to Native sovereignty and nationhood, despite Warren’s professed good intentions. Warren didn’t walk into Trump’s trap with her eyes closed. What she didn’t see, however, was how low Trump had set the bar when he said “jump” and she tripped on it, landing face first — on stolen Native land.
Like many Native people, I am jealous of Warren and white people like her. Native plebeians, such as myself, a poor Indian kid born on the wrong side of the tracks in Podunk, South Dakota, lack her pedigree and life story. She might as well have rare Romanov ancestry, a secret but ill-fated royal bloodline, when compared to my proletarian biography.
It was Warren’s self-identified Republican family members — the white guys drinking beer telling family stories in a living room — that bolstered her Native credentials in a recent video defending her “Native American ancestry.” I wish I had such relatives to do the same for me, but, if my relatives were captured drinking like that on camera, they might spend a night in the slammer or get labeled as “drunk Indians.”
There is an irony here. The white guys drinking beer have become the arbiters of Native identity, while those who have survived genocide and the theft of an entire continent have become mere background noise to the spectacle of powerful elites duking it out for control over land that is not rightfully theirs. Such is the history of the United States.
The worst irony, though, is Warren’s appropriation of Native identity while simultaneously fetishizing and instrumentalizing it. To Warren, Native people are little more than a currency, a million-dollar ticket to the White House, a one-up to Trump. That’s how this game has been played so far: Trump asked her to prove that she’s “an Indian” (not that she has “ancestry”) with a DNA test, something that is, by all accounts, impossible. Indianness isn’t defined by DNA. It’s a legal, social, cultural, and historical construct, where Indigenous nations self-define the parameters of belonging. Put simply, it’s not about who you claim, it’s about who claims you. In response to Warren, the Cherokee Nation issued a statement saying that “using a DNA test to lay claim to any connection to the Cherokee Nation or any tribal nation, even vaguely, is inappropriate and wrong.”
Falsely claiming Native American identity is a white American tradition, with a deeply racist past. Forrest Carter, also known as Asa Earl Carter — a Ku Klux Klan leader and the former speechwriter for George Wallace (he co-wrote Wallace’s famous 1963 line, “Segregation now, segregation tomorrow, segregation forever”) — reinvented himself later in life as a “Cherokee” writer of the famous children’s book “The Education of Little Tree.” Famous white Southern Americans like Miley Cyrus, Johnny Cash, and Bill Clinton have also all falsely claimed “Cherokee heritage.”
I’ll admit, I’m not a geneticist. (And I’d refer anyone interested in the political and social aspects of “Native American DNA” to read Kim Tallbear’s excellent book on the subject.) I am, however, a historian and I can tell you that proving “Native American ancestry” by using Native body parts has a long, racist history. Genes are part of the human body, and to use genes to measure a degree or percentage of race to make a scientific claim is called race science, which discredits the legitimate science of DNA testing.
A century ago, Native people were considered a disappearing people. Anthropologists and others flooded Indian reservations intent on preserving the last vestiges of a dying race. With them, they brought calipers to measure Native skulls from the graves they robbed. Sometimes they used captured Indigenous children in boarding schools and prisoners of war for racial experiments, displaying their live specimens at traveling zoological exhibits. The goal was to prove a racial and civilizational superiority by showing just how far white Europeans had evolved from primitive conditions.
Such a people were also seen as too incompetent to manage their own lands and raise their own children. Their land and children were taken from them for their own good. The children were placed into the special care of white families and the land into the hands of white farmers (like Warren’s settler ancestors). Those who could not be killed or assimilated were placed under the supervision of the Department of Interior, which manages wildlife and public lands, where it was hoped that they would just disappear.
In other words, Native people, living or dead, were relegated to a tragic past with no place in the future of a white settler nation. Their identities and lands were simply absorbed and made into sports mascots and names for states and military equipment. Countless Native people were lost to this system, torn from their families and their Indigenous nations. Indigenous nations are still searching to reclaim their lost relatives — but Warren is not one of those people.
While Warren and white people like her are rushing to get DNA tests that prove “Native American ancestry,” there is less enthusiasm among white people about proving “African ancestry.” That’s the unspoken racist undertone of this whole debate, especially since many Black Americans have actual connections to Indigenous nations of this hemisphere. The “one-drop rule” of African ancestry, a racial calculus created to increase the size of slaveowners’ property through biological reproduction, was designed to make one Black and nothing more — not Indigenous and especially not white. (Even the descendants of Cherokee slaves were disallowed tribal citizenship until recently.)
These racial logics simply don’t grant Black and Native people the same visibility or authority over their own identities the same way they do to a powerful white woman who takes a DNA test. That’s called white supremacy.
Warren’s claims and Trump’s attacks have never been about upholding Native sovereignty. It’s pure opportunism. While Trump applauded the Cherokee Nation’s dismissal of Warren’s claims, his self-proclaimed policy of “American carnage” has opened billions of acres for offshore drilling — threatening circumpolar Indigenous nations as ice sheets melt and global temperatures rise — and has opened millions of acres of the Bears Ears National Monument, a once-protected Indigenous sacred site in the Southwest, for coal and uranium mining.
And North Dakota recently passed legislation disenfranchising thousands of Native American voters in the state, in places like Standing Rock that desperately fought the Dakota Access pipeline. Today, Standing Rock and the entire Sioux Nation in the Northern Plains are planning to halt the trespass of the Keystone XL pipeline through our treaty territory, a pipeline that imperils our water, our sovereignty, and therefore our lives.
There are plenty of other examples. Some are even race-based, along the lines of the pseudoscience through which Warren tried to hitch her wagon to Native Americans. A federal court recently ruled that the Indian Child Welfare Act, a four-decade-old law created to keep Native families intact, is “race-based” legislation and therefore “unconstitutional.” Created to protect children who are members of Native nations or whose biological parents are members of Native nations, the law, in fact, was designed to prevent the disintegration of Native nations: the widespread practice of taking Native children and adopting them out to white families or placing them into state foster care systems.
While Indigenous nations face existential threats — from losing their children, land, and water — Warren’s conflation of her “Native American ancestry” with Native American identity only continues a history of theft. The purposeful distortion and misunderstanding of Native sovereignty and identity, whether by Trump or Warren, is a longstanding tradition of American imperialism that has facilitated the taking of resources, whether they’re Native lands or Native bodies. And we still want our stolen relatives and stolen land back, regardless of the settler infighting currently taking place.
Warren has taken some concrete steps in an effort to help Native Americans, but her recent entry into the waters of Native identity stands to outweigh any efforts she has made for Natives. I’m not holding my breath for her to do the right thing — such as making a formal apology. Like Vine Deloria, the Standing Rock Dakota writer whose people are currently under threat, I don’t resent white people like Warren. I just hope she can accept herself and just leave us alone.
While Warren has become the punchline of a lot of jokes in Indian Country — “I’m Cherokee on my white side,” and so on — boiling Native American identity and race down to biology, and, more specifically, genomics, is racist. It needs to stop.
The post Native American Sovereignty Is Under Attack. Here’s How Elizabeth Warren’s DNA Test Hurt Our Struggle. appeared first on The Intercept.
When it comes to volatility, stocks and cryptocurrencies diverged wildly this week. On the equities front, major selloffs in China and Wall Street were followed by equally large single-day rallies, as investors bought on the dip. For cryptocurrencies, the picture was largely unchanged for most of the week, as bitcoin and the broader market hovered […]
The internet has transformed every aspect of human life. We now rely on the internet for entertainment, gathering knowledge, communication, and endless other activities. In fact, with the help of the internet, we can browse some of the largest online stores and shops from the comfort of our homes.
Well, if you are a person who purchases everything from groceries to vehicles online, then the question “which is the best online shopping app?” might have struck your mind. So here are the ten best online shopping apps that will impress you.
1. Amazon
Amazon is possibly the most popular online shopping application, with separate websites for around fifteen countries. Apart from e-commerce, Amazon also has its own music, movie, and TV show streaming services.
Amazon’s popularity and its extensive selection of more than 562 million products led us to place Amazon first on this list of online shopping apps. Detailed reviews and ratings on Amazon can help you make purchase decisions, and Amazon has a strong reputation for the quality and reliability of its products.
2. Flipkart
The next, equally popular app for online shopping on the list is Flipkart. This Indian e-commerce website has a huge collection of products. Flipkart also boasts popular book and eyewear subsidiaries.
Searching and exploring tools on this online shopping application make finding the right product reasonably simple. Flipkart also hosts many monthly and yearly sales that offer massive discounts on selected products. In addition to that, many smartphones and popular products are exclusively launched on Flipkart.
3. Paytm Mall
Paytm is one of the most popular e-wallet services in India, and it also has a full-fledged online shopping application, Paytm Mall. This is one of the best apps for online shopping; it has gained immense popularity and grown exponentially in recent years thanks to massive cashback offers across a wide variety of products.
The Paytm wallet also makes paying for orders relatively straightforward and secure. While ordering, keep an eye out for coupon codes for discounts and cashback offers. Similar to other shopping apps, Paytm Mall has millions of products in its catalog.
4. Snapdeal
The next popular online shopping application on the list is Snapdeal. Though Snapdeal isn’t as popular as Amazon and Flipkart, it still has a massive selection of more than 65 million products. Snapdeal offers some of the best deals during festive seasons. Apart from heavy discounts, there are many products that are exclusively available on Snapdeal.
Secure payments, an extensive collection of products, and reliable delivery speeds helped Snapdeal to be added to the best online shopping apps list.
5. Tata CLiQ
Tata CLiQ is the best online shopping application for purchasing products from the various Tata subsidiaries, such as Croma, Voltas, Tanishq, Fastrack, Westside, and many more. This e-commerce website also offers impressive discounts and cashback offers. The overall UI of this shopping app makes searching and exploring content a breeze.
The product listing on Tata CLiQ is very well sorted and focused on consumer electronics and the consumer segment. Lastly, the Now Trending section shows the best deals, with massive discounts, that are selling like hot cakes.
6. Myntra
The next best app for online shopping on the list is Myntra. Myntra was India’s first fashion-focused online shopping app. You can find all sorts of clothing and fashion accessories on Myntra. In addition to that, Myntra also has a decent collection of clothing from popular international brands.
Monthly sales on Myntra offer impressive discounts across a wide selection of products. Similar to many other online shopping apps, Myntra also has clear return policies. Myntra has grown exponentially in the past few years, and user reviews helped this app earn a place on this list of the best online shopping apps.
7. Jabong
Jabong is another fashion-oriented online shopping application that directly competes with Myntra. This popular online shopping application boasts more than 1,200 brands and over 30,000 products to pick from. Similar to Myntra, Jabong has also tied up with many national as well as international brands.
Jabong also suggests personalized content based on users’ activities and interests. You can expect massive discounts during festive sales, and Jabong’s delivery speeds are also reliable.
8. OLX
OLX helps users buy and sell used or new products. You can find impressive deals on OLX, with products ranging from a smartphone to an SUV. OLX also provides a well-developed messaging feature for communicating with potential buyers. Furthermore, OLX displays content based on your location.
This is one of the best online shopping apps both for selling and purchasing stuff. If you have an unused product at home, selling it might help you earn some extra cash, and a person in need will be helped at the same time.
9. 2GUD
2GUD is a relatively new e-commerce service that is owned and operated by Flipkart. This online shopping application is dedicated to selling refurbished smartphones and consumer electronics. You can find refurbished devices available in various quality grades.
So if you want a secondary smartphone or just want to use a premium smartphone at not so premium price point, then 2GUD will definitely impress you.
10. Google App
The Google search app is possibly the best pre-installed online shopping app. Whenever you search for a product on Google, you are presented with a number of different stores. Moreover, Google makes it relatively simple to compare the pricing of that product across different online shopping apps.
Once you compare the pricing, you can easily choose the best shopping apps and directly purchase your product from that particular online shopping application. In addition to that, Google also suggests you several products while browsing the internet based on your online activity.
So these were some of the best online shopping applications that will help you purchase all sorts of products online. We do suggest comparing prices on different websites and using promo codes to get additional discounts and cashback offers.
Do share any other impressive e-commerce application that you use in the comments section below.
Hello Friend!! Today we are going to demonstrate URL and DNS brute-force attacks for discovering directories and files under a web URL, and subdomains via DNS, using the Gobuster tool.
Table of Content
- Introduction & Installation
- Using Wordlist for Directory Brute-Force
- Obtaining Full Path for a directory or file
- Hide Status Code
- Verbose Mode
- Identify Content Length
- Disable Banner
- User-Agent Mode
- Obtain Result with Specify Status Code
- Appending Forward slash
- Saving Output Result inside Text File
- Enumerating Directory with Specific Extension List
- Follow Redirect
- HTTP Authorization (-U username, -P password)
- DNS Mode
- Set Threads Number
- Obtain Subdomain IPs
- Force Processing Brute Force
- Hide Process of Extracting
- Extracting CNAME Records
Introduction & Installation
Gobuster is a tool for brute-forcing URIs (directories and files) on web sites and subdomains in DNS. It is available from the apt repository, so it can be installed with the following command.
apt-get install gobuster
Once it is installed you can run gobuster -h to list all available options; the main ones are summarised below.
- -fw – force processing of a domain with wildcard results.
- -np – hide the progress output.
- -m <mode> – which mode to use, either dir or dns (default: dir).
- -q – disables banner/underline output.
- -t <threads> – number of threads to run (default: 10).
- -u <url/domain> – full URL (including scheme), or base domain name.
- -v – verbose output (show all results).
- -w <wordlist> – path to the wordlist used for brute forcing (use - for stdin).
Dir mode Parameters
- -a <user agent string> – specify a user agent string to send in the request header.
- -c <http cookies> – use this to specify any cookies that you might need (simulating auth).
- -e – specify extended mode that renders the full URL.
- -f – append / for directory brute forces.
- -k – Skip verification of SSL certificates.
- -l – show the length of the response.
- -n – “no status” mode, disables the output of the result’s status code.
- -o <file> – specify a file name to write the output to.
- -p <proxy url> – specify a proxy to use for all requests (scheme must match the URL scheme).
- -r – follow redirects.
- -s <status codes> – comma-separated set of the list of status codes to be deemed a “positive” (default: 200,204,301,302,307).
- -x <extensions> – list of extensions to check for, if any.
- -P <password> – HTTP Authorization password (Basic Auth only, prompted if missing).
- -U <username> – HTTP Authorization username (Basic Auth only).
- -to <timeout> – HTTP timeout. Examples: 10s, 100ms, 1m (default: 10s).
DNS mode Parameters
- -cn – show CNAME records (cannot be used with ‘-i’ option).
- -i – show all IP addresses for the result.
Using Wordlist for Directory Brute-Force
Use the -w option to supply a wordlist, for example common.txt or medium.txt, for a brute-force attack that discovers web directories and files under the target URL.
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt
The above command tries every entry in common.txt against the target and reports the files and directories that exist.
Obtaining Full Path for a directory or file
The -e option gives a more useful result, as it prints the complete URL of every file or directory it finds.
gobuster -e -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt
You can compare the following output with the previous result.
Hide Status Code
The -n option (“no status” mode) prints the results without their HTTP status codes.
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -n
The above command lists the discovered files and directories without displaying their status codes.
Verbose Mode
The -v option enables verbose output, which reports every request made rather than only the positive hits.
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -v
As you can observe from the following output, this time the result also includes status 404 entries for missing directories or files.
Identify Content Length
The -l option adds the content length to each result, which shows the size of the response. Content-Length is an HTTP header giving the exact byte length of the response body for the extracted file or directory; it is a quick way to tell apart pages that return the same status code, for example a real page versus a generic error page served with 200.
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -l
Disable Banner
Gobuster always prints a banner summarising the options in use when it starts a brute-force attack. The -q option disables the banner so that only the results are shown.
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -q
From the image below, you can see the difference between the previous output and the current result.
User-Agent Mode
The -a option sets the User-Agent string sent in the request header while enumerating directories and files under the target URL, which is useful when the target treats requests differently depending on the User-Agent.
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -a Mozilla/5.0
Obtain Result with Specify Status Code
The -s option restricts the output to specific status codes, such as 302, 200, 403 or 404, so that only the pages which returned those codes are reported (the default set is 200,204,301,302,307).
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -s 302
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -s 200
From the image below, you can see the output of the above commands.
HTTP Timeout
The -to option sets the timeout for each HTTP request; the default is 10 seconds.
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -to 10s
Appending Forward slash
The -f option appends a forward slash to every word while brute-forcing the target URL, which matters for servers that only answer a directory request when the path ends in /.
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -f
Saving Output Result inside Text File
The -o option saves the results to a file, which is useful for later reference.
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -o result.txt
We can check the contents of result.txt with the cat command.
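Below is an added example, not from the original article or from the Gobuster project, that shows how a tester would drive the options covered so far from a script: build the dir-mode command line and post-process a saved result file into CSV, keeping only the status codes of interest. It assumes result lines in the form gobuster prints, "/path (Status: 200) [Size: 1234]"; the target URL, wordlist and file name are the article's, and the result lines in demo() are constructed sample data.

```sh
#!/bin/sh
# Added example, not part of the original article or of gobuster itself.
# Assumption: result lines look like gobuster's dir-mode output, e.g.
#   /admin (Status: 301)
#   /login.php (Status: 200) [Size: 1337]
# The URL, wordlist and file name used in demo() are the article's; the
# result lines in demo() are constructed sample data.

# Print the gobuster dir-mode command for a target.
# Arguments: url wordlist outfile [extensions]
gobuster_dir_cmd() {
  cmd="gobuster -m dir -u $1 -w $2 -l -e -q -o $3"
  if [ -n "$4" ]; then
    cmd="$cmd -x $4"
  fi
  printf '%s\n' "$cmd"
}

# Convert one result line into "status,size,path".
# size is empty when the scan ran without -l; non-result lines print nothing.
parse_gobuster_line() {
  printf '%s\n' "$1" | awk '
    match($0, /\(Status: [0-9][0-9][0-9]\)/) {
      status = substr($0, RSTART + 9, 3)
      size = ""
      if (match($0, /\[Size: [0-9]+\]/))
        size = substr($0, RSTART + 7, RLENGTH - 8)
      print status "," size "," $1
    }'
}

# Read a saved result file and keep only the given status codes.
# Arguments: file comma-separated-codes (e.g. result.txt 200,403)
filter_results() {
  keep=",$2,"
  while IFS= read -r line; do
    rec=$(parse_gobuster_line "$line")
    [ -z "$rec" ] && continue
    code=${rec%%,*}
    case "$keep" in
      *",$code,"*) printf '%s\n' "$rec" ;;
    esac
  done < "$1"
}

# Constructed walkthrough: print the command, write sample results to a
# temporary file, then keep only the 200 and 403 hits.
demo() {
  gobuster_dir_cmd http://192.168.1.108/dvwa /usr/share/wordlists/dirb/common.txt result.txt php,txt
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
Gobuster v2.0.1
/admin (Status: 301)
/login.php (Status: 200) [Size: 1337]
/secret (Status: 403) [Size: 278]
/index.php (Status: 200) [Size: 5012]
EOF
  filter_results "$tmp" 200,403
  rm -f "$tmp"
}
```

Running demo prints the command line followed by the three records with status 200 or 403; the 301 for /admin is dropped, which is the same effect as the -s option but applied after the fact, so one scan can be sliced several ways without hitting the target again.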
Enumerating Directory with Specific Extension List
There are many situations where we need to find files with a particular extension on the target server, and for that we use the -x parameter. It takes a comma-separated list of extensions and appends each one to every word in the wordlist, so the given extension files are searched for on the target server.
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -x .php
Follow Redirect
The -r option makes gobuster follow HTTP redirects, so the status code reported for a directory or file is that of the final response instead of the 3xx redirect.
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -q
gobuster -u http://192.168.1.108/dvwa -r -w /usr/share/wordlists/dirb/common.txt -q
You can compare the output of the default scan with the output when redirects are followed.
HTTP Authorization (-U username, -P password)
HTTP authentication mechanisms are all based on the 401 status code and the WWW-Authenticate response header. The most widely used mechanism is Basic, in which the client sends the user name and password as base64-encoded text; this is encoding, not encryption, so the credentials are readable by anyone who can see the request.
So, in order to enumerate content that sits behind this kind of authentication, we pass known credentials to Gobuster with the command below (this does not bypass the authentication; it authenticates with the test:test account):
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -U test -P test
As a result it shows status code 200 for the paths that the test:test credentials are authorised to access on the target URL.
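As an added example, not from the original article or from Gobuster, the script below shows exactly what -U and -P put on the wire and why the text above calls Basic auth unencrypted: the header is just base64 of user:password, which anyone observing the request can decode. It also parses the 401 challenge a server sends, which is the exchange -U/-P answer. The credentials are the article's test:test; SAMPLE_401 is a constructed server response.

```sh
#!/bin/sh
# Added example, not part of the original article or of gobuster itself.
# Shows what -U/-P make gobuster send and why Basic auth is only encoded,
# not encrypted. Credentials are the article's test:test; SAMPLE_401 is a
# constructed server response.

# Header value gobuster sends for -U "$1" -P "$2"
basic_auth_header() {
  creds=$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')
  printf 'Authorization: Basic %s\n' "$creds"
}

# Recover user:password from a captured Authorization header (e.g. a proxy
# log). Anyone who sees the request can do this, which is why Basic auth
# must only be used over TLS.
decode_basic_auth() {
  printf '%s' "$1" | sed 's/^Authorization: Basic //' | base64 -d
}

# Given a raw HTTP response, print the realm if the server demands Basic
# auth (exit status 1 otherwise). This is the 401/WWW-Authenticate exchange
# that -U/-P answer; without valid credentials gobuster cannot get past it.
basic_challenge_realm() {
  printf '%s\n' "$1" | awk '
    toupper($1) == "WWW-AUTHENTICATE:" && toupper($2) == "BASIC" {
      if (match($0, /realm="[^"]*"/))
        print substr($0, RSTART + 7, RLENGTH - 8)
      else
        print "-"
      found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Constructed sample of a challenge from a protected directory
SAMPLE_401='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="DVWA"
Content-Length: 0'
```

basic_auth_header test test prints "Authorization: Basic dGVzdDp0ZXN0", and feeding that line to decode_basic_auth returns test:test again; basic_challenge_realm "$SAMPLE_401" prints DVWA, the realm the credentials are being tried against.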
DNS Mode
The -m dns option enables DNS mode, which brute-forces subdomain names of a public domain instead of paths on a web server; each wordlist entry is prepended to the domain and the resulting name is resolved.
gobuster -m dns -u google.com -w /usr/share/wordlists/dirb/common.txt
You can observe the output in the result below.
Set Threads Number
The -t option sets the number of concurrent threads used while brute-forcing subdomain names or directories; raising it speeds up the scan at the cost of more load and noise on the target.
gobuster -m dns -u google.com -t 100 -w /usr/share/wordlists/dirb/common.txt
Obtain Subdomain IPs
The -i option shows the IP addresses that each discovered subdomain resolves to.
gobuster -m dns -u google.com -t 100 -w /usr/share/wordlists/dirb/common.txt -i
From the result below, you can see the IPv4 or IPv6 addresses for each extracted subdomain.
Force Processing Brute Force
By default gobuster stops when it detects wildcard DNS, i.e. when a random, non-existent name under the domain still resolves, because in that situation every word in the list would appear to be a valid subdomain. The -fw option forces processing to continue despite the wildcard; the results then need to be filtered afterwards, since wildcard hits will be mixed in with genuine subdomains.
gobuster -m dns -u google.com -t 100 -w /usr/share/wordlists/dirb/common.txt -fw
Hide Process of Extracting
The -np option hides the progress output while the subdomain brute-force attack runs.
gobuster -m dns -u google.com -t 100 -w /usr/share/wordlists/dirb/common.txt -fw -np
Extracting CNAME Records
The -cn option shows the CNAME record of each extracted subdomain (it cannot be combined with -i).
gobuster -m dns -u google.com -t 100 -w /usr/share/wordlists/dirb/common.txt -cn
You can observe the output of the above command in the result below.
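As an added example, not from the original article or from Gobuster, the script below does the clean-up that the -fw section leaves to the reader: when a domain has wildcard DNS and -fw makes gobuster keep going, every result whose addresses match the wildcard answer is noise. The script resolves nothing itself; it assumes the wildcard answer was obtained beforehand by resolving a random label (for instance dig +short "$(random_label).example.com") and that the gobuster output follows the dns-mode -i format "Found: name [ip1, ip2]". The domain and addresses are constructed sample data.

```sh
#!/bin/sh
# Added example, not part of the original article or of gobuster itself.
# Separates real subdomains from wildcard hits in gobuster dns-mode output
# by comparing each result's IPs with the IPs a random, surely nonexistent
# label resolves to. Assumption: input lines follow gobuster's "-i" output,
# "Found: name [ip1, ip2]". The domain and addresses below are constructed.

# Random label that should not exist; resolving it reveals the wildcard answer.
random_label() {
  od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# Normalise an IP list such as "1.2.3.4, 5.6.7.8" into a sorted key so that
# answer order does not matter when comparing.
ip_key() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | sed '/^$/d' | sort | tr '\n' ' '
}

# Read gobuster -i output on stdin and print only names whose IPs differ
# from the wildcard answer given as argument 1 (e.g. the output of
#   dig +short "$(random_label).example.com"   -- not run here).
filter_wildcard_hits() {
  wild=$(ip_key "$1")
  while IFS= read -r line; do
    case "$line" in
      "Found: "*) ;;
      *) continue ;;
    esac
    name=${line#Found: }; name=${name%% *}
    ips=${line#*\[}; ips=${ips%\]}
    [ "$(ip_key "$ips")" = "$wild" ] || printf '%s\n' "$name"
  done
}

# Constructed sample: the wildcard answer is 203.0.113.10, so admin and test
# are noise; only mail and dev point somewhere of their own.
SAMPLE_DNS_OUTPUT='Found: admin.example.com [203.0.113.10]
Found: mail.example.com [203.0.113.25]
Found: test.example.com [203.0.113.10]
Found: dev.example.com [203.0.113.40, 203.0.113.41]'

demo() {
  printf '%s\n' "$SAMPLE_DNS_OUTPUT" | filter_wildcard_hits "203.0.113.10"
}
```

demo prints mail.example.com and dev.example.com only. In practice a wildcard may rotate between several addresses or differ for IPv6, so resolve a few random labels and merge their answers before using them as the filter key.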
Author: Shubham Pandey is a Technical writer, Researcher and Penetration tester contact here
In response to last night’s news Popular Lawfare Blog Hit by DDoS Attack — Here’s What We Know, a Corero Network Security expert offers perspective. Lawfareblog.com is focused on national security issues, is published by the Lawfare Institute in cooperation with the Brookings Institution, and attracts approximately half a million unique readers each month.
Sean Newman, Director Product Management at Corero Network Security:
“Recent attacks on the Lawfare blog hark back to the ‘good-old days’ of DDoS, where perpetrators were typically just aiming to bring a site down to make the point that they do not agree with the views of the authors. Now, this is just one of many motives for DDoS attacks, many of which have the objective to make money for the cyber criminals, such as with ransom DDoS. What’s interesting here is whether news or blog sites are more tolerant to downtime than many other businesses are these days, with the statement that they use DDoS protection, but they’re still down. Presumably they were waiting for that protection to be manually enabled somewhere in the cloud.
It may well be acceptable for the owners of the Lawfare blog, or other similar sites, to use DDoS protection which has to be engaged after the fact, and results in an extended period of downtime. However, if most or all of your business revenue is generated online, every minute you’re down will usually hit the bottom line directly, which certainly won’t be tolerated by company owners or shareholders. And, neither should it be, as the latest DDoS protection solutions can operate in real-time, automatically blocking DDoS attacks before they have a chance to make any impact, and keeping vital services and applications online, without skipping a beat.”
Zcash jumped over 17% between 12 and 18 October before running into sellers, as the foundation prepares to launch the Sapling protocol upgrade, which aims to improve efficiency for shielded transactions. Over that six-day period the price moved quickly from a low of $108 to above $126. Since, the price […]
The post Zcash Price Analysis: What is Behind the Recent Surge in Price? appeared first on Hacked: Hacking Finance.
News is breaking that a leading retailer has seen a website glitch put the privacy of customers’ personal data at risk. This time, Card Factory, a popular UK-based greeting card business, has been storing customers’ data in an insecure way, letting the public access their photos with a basic URL trick, specifically through an ‘insecure direct object reference.’ Bryan Becker, Application Security Researcher, WhiteHat Security, commented on the incident.
Bryan Becker, Application Security Researcher at WhiteHat Security:
“The Card Factory security incident is an important reminder that our personal information is constantly at risk. Unfortunately, Card Factory’s response to the personal data breach shows they are out of touch with the realities of modern software security and failed to follow Secure Coding Principles. The first steps any company should take to start a security program (in any order) are to: a) Set up some sort of auditing, testing, or scanning, b) Implement a responsible disclosure program: an email linked on their website (firstname.lastname@example.org) accompanied with a description of the policy. To go further, companies can include a PGP key so researchers can encrypt sensitive data they may have found when reporting.
In Card Factory’s case, they allegedly had no means for responsible disclosure, had no testing and threatened the researcher who provided them with free consulting. The question must be raised: Did Card Factory notify all their customers that their private photos were leaked?
To quote their response: “…the Internet is not a secure medium and we cannot guarantee the security of any data you disclose online. You accept the inherent security risks of providing information and dealing online over the Internet and will not hold us responsible for any breach of security unless this is due to our negligence or wilful (sic) default.” Responsible companies are actively making the internet a more secure place, day by day, and responsible security researchers are actively helping progress that goal. Companies that blame others for their security failings, and actively repress when their users’ data has been breached will not survive long in today’s more vigilant, increasingly regulated landscape.”
The ISBuzz Post: This Post UK-based Card Factory Website Glitch Exposes Personal Data appeared first on Information Security Buzz.
Friday Market Snapshot
Asset           Current Value   Daily Change
S&P 500         2,797           0.81
DAX 30          11,568          -0.18%
WTI Crude Oil   69.61           1.35%
GOLD            1,230           0.16%
Bitcoin         6,379           -0.24%
EUR/USD         1.1480          0.24%
Risk assets are having an active and already very busy day after yesterday’s tumultuous session, as volatility continues to be high, especially in equities. All […]
The post Pre-Market Analysis And Chartbook: Risk Assets Higher Thanks to Chinese Bounce appeared first on Hacked: Hacking Finance.
The state of workplace mobility
The continued white-hot proliferation of personal devices has led to businesses adopting cultures where employees can contribute remotely, using whatever device is accessible. For many, this has led to Bring Your Own Device (BYOD) initiatives, where businesses formally embrace the use of personal devices and enable remote access to corporate data and applications. For others, a specific line of business drives the increased usage of personal devices, such as a sales team becoming increasingly mobile or a customer-facing team leveraging tablets to execute transactions.
According to IDC’s Worldwide Semiannual Mobility Spending Guide, worldwide spending on mobility solutions is forecast to reach $1.72 trillion in 2021. IDC also found that two of the industries leading this surge – professional services and manufacturing – are largely driven by a “highly mobile, on-the-go workforce.”
While workplace mobility strategies are both gaining traction and clear drivers for productivity, pursuing them means that you’re introducing numerous entry points into your network environment, inherently increasing your attack surface. This article will shed some light on the importance of mobile security and detail how you can enable effective personal device usage with software that hardens your environment from threats.
The shortcomings of existing approaches to mobile security
Even as BYOD and workplace mobility strategies have gained traction, many businesses have neglected to complement these strategies with an effective security implementation. There are a few reasons for this.
First, workplace mobility strategies are relatively new and emerging, which commonly leads to a misunderstanding how to properly secure them. This problem is exacerbated by a confusing marketplace where many security vendors offer solutions they claim to be a “silver bullet” for whatever threats may arise. In reality, a single solution rarely provides complete protection, leaving businesses vulnerable as a result.
Another reason some struggle with mobile security is that budgets force businesses to prioritize their security measures. In these situations, many opt for other, more traditional security measures that fail to secure the network from the end-user device. These organizations must understand there are countless ways for cybercriminals to access corporate data, and they will move to the point of least resistance – even if you spend heavily on firewalls, they will seek out weaker areas to attack. Part of mitigating threats means you need to understand your weaknesses and act to fortify them. According to Dimensional Research’s The Growing Threat of Mobile Device Security Breaches, 20% of companies’ mobile devices have been breached.
This last point particularly applies to businesses that are understaffed or lack security expertise: your mobile security posture is only as strong as the personnel deploying the solutions and managing the environment. According to ESG’s 2018 annual global survey on the state of IT, 51% of respondents believe their organization has a problematic shortage of cybersecurity skills – a number that has grown each year since 2014. Some of the larger security problems that organizations run into stem from a failure to configure the solutions correctly. Further, if your team is not familiar with managing the solution or you lack the manpower to monitor the environment 24/7, you limit your ability to assess threats and make intelligent decisions to mitigate them.
Keys to a successful mobile security approach
While it is important to understand how bad actors operate and the inadequacy of some current approaches, you shouldn’t be intimidated into avoiding workplace mobility altogether. In an increasingly mobile world, BYOD strategies can massively boost end-user productivity. A proper workplace mobility implementation with the right protection is in the best interests of your workforce.
Below are some keys to a successful mobile security implementation:
Key 1: Take a holistic security approach
The core value of any mobile security approach is preventing malicious hackers from accessing sensitive information. In this context, you must remember that personal devices serve as the point of access to your corporate resources, but should other weaknesses exist, they too can be exploited. When implementing mobile security, you must take a holistic approach that accounts for how the solution works with your existing security implementations to protect your environment from top to bottom: from the devices, through the operating system and software stack, to the public or private cloud. By doing so, you will be better equipped to eliminate any gaps in your security posture and ensure consistent protection.
Tip: Many businesses have implemented solutions from numerous vendors over time across their environment (i.e., a firewall from one vendor, intrusion detection and prevention systems from another vendor, anti-malware from a third, and so on). It is common for these solutions to not work well with one another. Additionally, some teams are not well-versed with operating each of the solutions. This, in turn, can limit visibility and the ability to monitor ongoing threats in your environment. Security vendors are beginning to respond by delivering holistic security platforms. Leveraging a more complete, integrated set of solutions like this can help simplify security management and enable greater control over your environment.
Key 2: Deliver a good user experience
Your end users want to access corporate applications and data in the most user-friendly way possible. At the same time, you have numerous security needs that may limit their experience: making sure only approved devices can gain access to the network; controlling what aspects of your network the device is connected to; verifying who is behind the device, etc. However, if you deliver a poor user experience, you may risk end-users working around your solutions or resisting the technology to a point that it is abandoned by the company altogether. With this in mind, it is in your best interest to find the right balance of stringent security measures and user-friendliness. This can be realized through a wide range of solutions (depending on your organizational needs), including single sign-on identity management tools or desktop and application streaming services that take into account securing sensitive data and ensuring end-user performance.
Tip: It is common for a company’s network team to be in charge of workplace mobility initiatives, while the security team manages its protection. In many cases, these groups aren’t in sync with one another and don’t collaborate to the extent they should. This can result in either limited remote performance or poor security. To ensure both stakeholders fulfill their needs, you should bridge any silos that separate these groups and ensure they have the means to collaborate throughout the project.
Key 3: Leverage an expert
If your team is understaffed or lacks security expertise, you should consider leveraging a security service provider. Service providers can help you navigate the marketplace to find a solution that fits your needs. Once you have chosen a solution, it is easier and more reliable to utilize this provider for implementation and/or managed services (depending on your personnel strengths), rather than increasing staff size or providing ongoing training.
Tip: Mobile security is not one-size-fits-all. Your business has unique needs that are driving the adoption of workplace mobility. When evaluating consultants, find a partner that will work with you to understand these needs and help you select a solution that complements your business, your existing security approaches, and your personnel strengths.
The ISBuzz Post: This Post How to Boost Remote Productivity While Remaining Secure appeared first on Information Security Buzz.
Apple has revamped its privacy page and for the first time is allowing users in the United States the opportunity to download and review all of their data collected by the company. The option has been available to European users since May as part of the European Union's General Data Protection Regulation (GDPR). Personally identifiable information such as Apple account info, iTunes and App Store purchases and usage, contacts, calendars, mail, and even photos and documents stored in iCloud can be downloaded. But since Apple prides itself on limiting the amount of user data it stores - and encrypting many items so they can't be accessed by the company - don't expect to see a complete history of everything you've done with your device. Other aspects of the site's update include options for deactivating or deleting your account and correcting data the company is holding. The site also includes a detailed explanation of the company's data-retention policies and a library of transaction reports that outline government and law enforcement requests for data.
GitHub remains unaffected by a security issue affecting thousands of servers: an authentication bypass bug that exists in libssh versions 0.6 and higher when used in server mode. The vulnerability has been patched, but a researcher warned that he uncovered over 3,300 servers vulnerable to this bug.
An iOS hacker named Rodriguez has found a bug that can give an attacker unauthorized access to photos on an iPhone, AppleInsider reported. The bug, which is unpatched and affects the VoiceOver feature, has been detailed in a YouTube video. Rodriguez said that by using VoiceOver and the Siri assistant, an attacker can access photos and send them to another user.
LAquis SCADA, an industrial automation software, is vulnerable to several bugs, including a stack-based overflow and path traversal. According to an advisory, users should update to Version 22.214.171.12414.
Cisco released multiple advisories to address vulnerabilities in its product suites. Seven of the 15 advisories deal with issues that are rated as "high," including a privilege escalation bug in Cisco's Wireless LAN Controller Software GUI.
Google has released Chrome 70, which contains fixes for 23 security issues. Among these fixed issues are a sandbox escape in AppCache and a remote code execution bug in V8. Further information can be found in Google's advisory.
The Trend Micro security team found a design flaw/weakness in Java Usage Tracker that can enable hackers to create arbitrary files, inject attacker-specified parameters, and elevate local privileges. In turn, these can be chained and used to escalate privileges in order to access resources in affected systems that are normally protected or restricted to other applications or users. Oracle patched this bug as part of its October Security Bulletin.
Third-party vendor 0patch has gone ahead and issued a micropatch for a critical JET Database Engine vulnerability that Microsoft incompletely patched in its October batch of fixes. The bug was shared in September after Microsoft did not provide a patch for it within the expected 120 day period. 0patch, a project that offers small fixes for vulnerabilities, issued a micropatch for the JET bug. Microsoft then released an official patch on October 9 as part of its monthly security update, but it was discovered to not be a complete fix. 0patch's Mitja Kolsek said in a post, "Namely, in an ironical twist of fate Microsoft's October update actually re-opened the CVE-2018-8423 vulnerability for 0patch users who were previously protected by our micropatch. This new micropatch, which has already been distributed to all online users by now, resumes their protection."
An advisory posted by the Multi-State Information Sharing and Analysis Center identifies multiple vulnerabilities in PHP, the most severe of which could allow an attacker to execute arbitrary code. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition. It is recommended that users upgrade to the latest version of PHP.
Omron's CX-Supervisor has several vulnerabilities, which have been detailed in an ICS-CERT advisory. Version 3.4.2 of CX-Supervisor has been released to mitigate these issues.
Over 300 vulnerabilities have been remedied by Oracle in October's Critical Patch Update. The 301 fixes span Oracle's Database Server, Java SE, and other product families. This is the last of the large quarterly patch batches expected for 2018.
Multiple exploitable operating system command injection vulnerabilities exist in the Linksys E Series line of routers. An attacker could exploit these bugs by sending an authenticated HTTP request to the network configuration and then gain the ability to arbitrarily execute code on the machine. Cisco's Talos researchers discovered these bugs and reported them to Linksys. The vulnerabilities have since been patched.
While analyzing client-side security for dating apps, the research team at vpnMentor found multiple issues affecting Tinder. Further investigation led the researchers to determine that it wasn't just Tinder that was plagued by these issues, but other apps as well, which led them to identify the source of the vulnerabilities: Branch.io, an attribution platform used by many companies. Shopify, Yelp, Western Union, and Imgur are all affected, and vpnMentor believes 685 million users of these sites could be at risk. A DOM-based XSS (cross-site scripting) vulnerability was to blame and has since been patched.
Tumblr has disclosed details regarding a bug that could have been exploited to grab user information. Email addresses, passwords, user location, and other information may have been exposed by this vulnerability. The bug was detected by a researcher participating in Tumblr's bug bounty program.
Two vulnerabilities in NUUO's NVRmini2 and NVRsolo could allow an attacker to achieve remote code execution and user account modification. These devices are network video recorders. An ICS-CERT advisory states that NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.9.1. A second advisory discusses several vulnerabilities in NUUO CMS, a central software management platform. Multiple versions are affected and users should update to firmware v3.3.
Researcher Blazej Adamczyk has disclosed several vulnerabilities in D-Link routers after notifying the vendor in May and receiving no reply regarding updates or patches. The vulnerabilities are serious on their own, but if chained together, an attacker could gain complete control over the device.
Two vulnerabilities, an out-of-bounds write and a stack-based overflow, have been detected in Delta Electronics' Industrial Automation TPEditor. Delta Electronics recommends affected users update to the latest version of Delta Industrial Automation TPEditor, Version 1.91, according to an advisory posted by the ICS-CERT.
Check Point Software's researchers detected a near-400% increase in crypto mining malware attacks against iPhones in the last two weeks of September - a period when attacks against users of the Safari browser also rose significantly. These attacks used the Coinhive mining malware. Check Point's latest Global Threat Index revealed that Coinhive, Dorkbot, Cryptoloot, Andromeda, and Jsecoin were the top five most wanted types of malware during the month of September.
Central Asian diplomatic organizations have been the target for a cyber espionage campaign that is using a Trojan called "Octopus," which has been disguised as a version of a popular and legitimate online messenger. Once installed, Octopus provided attackers with remote access to victims' computers. Using Kaspersky Lab algorithms that recognize similarities in software code, researchers discovered that Octopus could have links to DustSquad - a Russian-speaking cyber-espionage actor previously detected in former USSR countries in Central Asia and Afghanistan since 2014.
The researchers at ESET have disclosed information about an entity called "GreyEnergy" and its attacks on energy companies and other high-value targets in Ukraine and Poland for several years. While ESET was assessing BlackEnergy, the threat group that caused outages in Ukraine in 2015, it came upon GreyEnergy, which has similar interests but has operated under the radar and has not been as destructive. GreyEnergy uses cyber espionage and reconnaissance tactics which could be gathering information for future attacks. GreyEnergy's malware framework bears many similarities to BlackEnergy and has connections to the Telebots threat group, an entity that was involved in the NotPetya ransomware attacks in 2017. ESET has been evaluating the connections between BlackEnergy, GreyEnergy, and Telebots and posted several blog posts about its findings.
Travel records for Department of Defense (DOD) employees were breached, resulting in the theft of personal data and payment card information, the Associated Press (AP) reported. An anonymous US official said that 30,000 employees may have been affected. According to a statement, a Pentagon cyber team notified leaders of the incident on October 4. Lieutenant Colonel Joseph Buccino, a Pentagon spokesman, said, "It's important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population" of DOD personnel. The affected vendor has not been identified and further details, including the dates of the breach, have not been made public.
The Department of Health and Human Services (HHS) Office for Civil Rights has announced that health insurer Anthem will pay $16 million USD in penalties to settle potential privacy violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyber attacks led to the largest US health data breach in history and exposed the electronic protected health information of almost 79 million people. Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation's largest health benefits companies. In its investigation, HHS said that Anthem had not implemented the proper controls to keep hackers out.
Anomali Labs researchers, in close partnership with Intel 471, a cybercrime intelligence provider, have uncovered a widespread unauthorized information disclosure of US voter registration databases. While the data is typically available to the public for legitimate uses, it has been learned that a large quantity of voter databases are up for sale on the dark web underground. The disclosure affects 19 states and is estimated to contain 35 million records. The databases include valuable personally identifiable information and voting history.
Facebook has backtracked on earlier statements, saying that the large-scale breach it disclosed in September affected far fewer people than originally thought. The breach was the result of attackers exploiting a bug in Facebook's code that was present between July 2017 and September 2018 and was used to launch a cyber assault. "We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen," Guy Rosen, Facebook's VP of product management, said in a statement.
McAfee released a report announcing the discovery of a new cyber espionage campaign targeting South Korea, the United States, and Canada. The new campaign uses a data reconnaissance implant last used in 2010 by the hacker group APT1, or Comment Crew, a Chinese military-affiliated group accused of launching cyber attacks on more than 141 US companies from 2006 to 2010. The actors of this new campaign have not been identified, but since they reused code from implants by Comment Crew, which conducted offensive cyber operations against the US dubbed Operation Seasalt, the new campaign has been named "Operation Oceansalt" due to its similarity to Seasalt. McAfee found that Oceansalt was launched in five attack waves adapted to its targets.
Following Hurricane Florence, ONWASA, a critical water utility in North Carolina, has been targeted by cybercriminals in a sophisticated ransomware attack that has left the utility with limited computer capabilities. Although customer information and the water supply were unaffected, many ONWASA databases must be rebuilt from scratch as a result of the attack. The Emotet banking Trojan was blamed for repeated attacks beginning on October 4. Emotet then launched the Ryuk ransomware on October 13, and while ONWASA's IT staff worked to contain it, the malware encrypted the utility's databases and files. Federal authorities are investigating, according to a statement from ONWASA.
Facebook issued an update to the report of the vulnerability it uncovered regarding its "View As" function. This flaw - which allowed one to steal access tokens to take over accounts - existed between July 2017 and September 2018 and is believed to have affected as many as 30 million accounts. Facebook noted that it has deactivated the feature and is cooperating with the FBI in "actively" investigating what parties may be behind the attack.
A 21-year-old Kentucky man will spend 30 months in prison for conspiracy to unlawfully access computers in furtherance of a criminal act, conspiracy to commit money laundering, and the illegal removal of property to prevent its lawful seizure, the Justice Department (DOJ) has announced. Colton Grubbs previously admitted to designing, marketing, and selling the LuminosityLink remote access Trojan and keylogger. In his plea agreement, Grubbs admitted to selling this software for $39.99 USD apiece to more than 6,000 customers.
A China-linked cyber espionage group known as Tick was observed using the Datper malware in a recent campaign, Cisco Talos security researchers reveal.
Financial institutions, fintech firms and industry groups launched the Financial Data Exchange (FDX), a non-profit organization to unify the financial sector around the secure exchange of financial data. FDX will address common challenges around the way the industry shares consumer account information to enhance security, innovation and consumer controls. FDX is a subsidiary of the Financial Services Information Sharing and Analysis Center (FS-ISAC). As digitization has impacted every industry, consumers expect protection of their personal …
The post Financial industry unites to enhance data security, innovation and consumer control appeared first on Help Net Security.
TeleSign enhanced coverage of mobile identity services in China, Brazil, and other emerging markets. International businesses can now leverage TeleSign’s solutions to onboard new customers, prevent account takeover and registration fraud, and optimize the user experience in new markets. With some of the highest consumer spending and online engagement in the world, countries like China and Brazil represent growth opportunity for digital businesses. China currently has more than 1.5 billion mobile subscribers and its consumers …
A vibrant, connected community of ethical hackers has an important role to play in the increasingly complex fight against cyber-crime, explains Brigitte d’Heygère, Vice President Security & Consulting Services at Gemalto
Buried treasure is not just the stuff of fiction and legend. For at least some of our ancestors, it was quite simply the most effective means of protecting prized possessions from unwanted attention. And whilst the methods of defense have inevitably evolved over time, the basic game of cat and mouse between legitimate owners and those who seek to steal from them has never gone away. Of course, in an era of digitalisation, the treasure being fought over is often no longer physical. Harvesting personal data, attacking critical national infrastructures and disrupting online services are just some of the aspirations of today’s cyber-criminals. In common parlance, these 21st century bandits are often lumped together under a single, catch-all label – hackers. Equally, there is a widespread assumption that our security will be ensured simply by the application of ever-more sophisticated technologies. However, in reality, this only tells half the story. Keeping digital resources safe from cyber-attacks ultimately means harnessing the ingenuity and expertise of a diverse global family of IT and digital security specialists. What’s more, at the heart of this community is an often-overlooked citizen army – made up of hackers with a very different ethical agenda to those who usually hit the headlines.
A shifting security landscape
Whilst the science of cryptography has a history stretching back almost as far as mathematics itself, prior to the advent of the internet, it was generally the preserve of select sections of society, such as governments and the military. But with digitalisation came a paradigm shift. In a permanently connected world, the security perimeter has become highly scalable and volatile, the attack surface exponentially bigger. Instead of simply protecting a physical memory unit or processor, for example, complex networks of computers and servers, as well as the constant flow of information between them, need to be defended.
Machine learning and Big Data are changing the rules, again
What’s more, the world continues to spin faster. The digital footprints that individuals and organisations leave in cyberspace are getting deeper. Furthermore, the advent of machine learning has now made it easier for malevolent forces to compromise and reap this Big Data. But, at the same time, machine learning also represents a potentially powerful defense tool. In particular, its ability to predict situations and scenarios based on accumulated evidence can play a key role in detecting vulnerabilities and pre-empting attacks. A new front in the cyber-security arms race has opened.
Next on the horizon – quantum computing
As if the implications of machine learning and Big Data were not enough to contend with, yet another technology revolution is on the horizon. It comes in the form of quantum computing, which is set to redefine the limits of data processing power. In doing so, it will undermine the fundamentals on which many of our currently ‘unbreakable’ cryptographic codes are built. For the security industry, that obviously means another profound challenge: the creation of new, quantum-resistant cryptographic algorithms.
Harnessing the hackers
Given these rapidly shifting sands, the security sector has no choice but to evolve fast. And one of the most significant ways that this is being achieved is through closer collaboration with, and between, the good guys: the ethical hackers.
In terms of harnessing this key resource, we have already seen a major change in the landscape. Not so long ago, security experts were almost invariably drawn from the world of academic research. Consequently, cryptographic skills were concentrated in the hands of a relatively small circle of people, and typically paid for by governments. However, the ubiquity and accessibility of powerful IT systems has swiftly democratised the art of hacking. Subsequently, an extended community has developed, embracing both the public and private sectors, employed professionals, freelancers and talented amateurs. Moreover, whilst media attention, and consequently public fears, have tended to focus on the malevolent hackers, the energy, dynamism and co-operative approach of this ethical movement deserves to be recognised fully – and utilised as effectively as possible.
Cybersecurity Act will set new standards
There is growing recognition that, to stay one step ahead of the criminals, this exchange of ideas needs to be as comprehensive as possible. Within digital security companies, talented and dedicated digital security experts already represent a vital force. They invest their energy for good, continually and rigorously testing systems and products to identify and address any potential weak spots. By actively encouraging collaboration with the wider ethical hacking family, we are now forging an even stronger alliance between all those people who share not just the right skills, but the right principles too. Looking ahead, changes in the regulatory framework are only likely to make this approach even more worthwhile. In Europe, the forthcoming Cybersecurity Act will introduce a single means of security certification for ICT products, with levels ranging from ‘basic’ to ‘high’. Authorised hacking of products to test for any vulnerabilities will clearly be an important part of the process.
Listening, learning, sharing
To this end, the work of the ethical hacking community is being channeled not just through informal interaction, but also through major organised events and conferences. Better known examples of these include Black Hat, “Nuit du Hack”, CHES Conference, DEF CON, AppSec and Pwn2Own. Notably, many play host to hack contests (aka bug bounties), which challenge participants to find vulnerabilities in a system, and a means of exploiting it, and then reward the team that is first to do so.
Time to bury the stereotypes
Stereotypes are invariably difficult to dispel. But, in the case of the hacker, we should at least try to change the perception that the term applies exclusively to malevolent loners, organised criminals and the murky world of state-sponsored cyber warfare. Today, a very different type of hacker is also hard at work, helping to protect us from the manifold threats that inhabit the dark corners of cyberspace. Moreover, as the systems that must be secured become more complex, so do the skills needed to defend them. Helping to build a truly diverse ethical hacking community and fostering dialogue with the principled experts working inside the digital security industry should therefore be an imperative for all interested parties.
To this end, reclaiming the term hacker from the bad guys, and giving this vital and dynamic community due credit, are more than symbolic gestures. Beneath them lies an understanding that, in an ever more digitalised world, greater safety and security remain rooted in the most positive elements of the human character.
Bitcoin’s price declined on Friday, as tepid trade volumes kept the bulls in check following a stalled recovery attempt earlier in the week. On the news front, President Trump’s massive import duties on Chinese goods are beginning to take their toll on Bitmain, the nation’s largest mining hardware manufacturer. BTC/USD Update After holding above $6,500 […]
The post Bitcoin Price Resumes Slide as Volumes Dip, China Tariffs Weigh on Bitmain appeared first on Hacked: Hacking Finance.
Cryptojackers and eavesdroppers are continuing to exploit a one-time zero-day flaw in unpatched MikroTik routers, despite a patch that's been available for six months as well as the actions of a vigilante "gray hat" hacker who's forcibly "fixed" 100,000 vulnerable routers.