Tesla Quietly Drops ‘Full Self-Driving’ Option As It Adds $45,000 Model 3

An anonymous reader quotes a report from Ars Technica: Elon Musk took to Twitter on Thursday evening to inform his followers of a new addition to the Model 3 lineup. This is not the long-awaited $35,000 version, however; the mid-range Model 3 starts at $45,000. Musk also revealed that the Model 3 ordering process has been simplified and now has fewer options. One that's missing -- from all new Tesla orders, not just the Model 3 -- is the controversial "full self-driving" option. The reason? It was "causing too much confusion," Musk tweeted. The mid-range Model 3s will be rear-wheel drive only, prompting some to wonder if the company was using software to limit battery capacity on existing RWD inventory in order to get it out of the door. But Tesla says it's able to build these slightly cheaper cars by using the same battery pack as the more expensive, longer-range cars but with fewer cells inside (so no future software upgrades can increase their range at a later date). While Tesla is promoting the car as costing as little as $30,700 by factoring in "gas savings" and all federal and local tax incentives, it did also announce last week that any new Tesla delivered after October 15th might not ship before the beginning of next year. As Ars Technica notes, "Any new Tesla delivered after January 1st 2019 (but before July 1st 2019) is only eligible for a $3,750 IRS credit."

Read more of this story at Slashdot.

Microsoft Releases Security Update for Yammer

Original release date: October 19, 2018

Microsoft has released a security update to address a vulnerability in the Yammer desktop application. A remote attacker could exploit this vulnerability to take control of an affected system.

NCCIC encourages users and administrators to review the Microsoft Security Advisory and apply the necessary update.



libssh Authentication Bypass Vulnerability Affecting Cisco Products: October 2018

A vulnerability in libssh could allow an unauthenticated, remote attacker to bypass authentication on a targeted system.

The vulnerability is due to improper authentication operations by the server-side state machine of the affected software. An attacker could exploit this vulnerability by presenting an SSH2_MSG_USERAUTH_SUCCESS message to a targeted system. A successful exploit could allow the attacker to bypass authentication and gain unauthorized access to a targeted system.

This advisory will be updated as additional information becomes available.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181019-libssh


Security Impact Rating: Critical
CVE: CVE-2018-10933

3D Printers Have ‘Fingerprints’, a Discovery That Could Help Trace 3D-Printed Guns: Study

Like fingerprints, no 3D printer is exactly the same. That's the takeaway from a new University at Buffalo-led study that describes what's believed to be the first accurate method for tracing a 3D-printed object to the machine it came from. From the study: The advancement, which the research team calls "PrinTracker," could ultimately help law enforcement and intelligence agencies track the origin of 3D-printed guns, counterfeit products and other goods. "3D printing has many wonderful uses, but it's also a counterfeiter's dream. Even more concerning, it has the potential to make firearms more readily available to people who are not allowed to possess them," says the study's lead author Wenyao Xu, PhD, associate professor of computer science and engineering in UB's School of Engineering and Applied Sciences. [...] To understand the method, it's helpful to know how 3D printers work. Like a common inkjet printer, 3D printers move back-and-forth while "printing" an object. Instead of ink, a nozzle discharges a filament, such as plastic, in layers until a three-dimensional object forms. Each layer of a 3D-printed object contains tiny wrinkles -- usually measured in submillimeters -- called in-fill patterns. These patterns are supposed to be uniform. However, the printer's model type, filament, nozzle size and other factors cause slight imperfections in the patterns. The result is an object that does not match its design plan.

Read more of this story at Slashdot.

Market Update: U.S. Stocks Settle Mixed in Choppy Trade; Cryptocurrencies Endure Modest Pullback

U.S. stocks traded mixed on Friday, as only one of three major bourses managed to bounce back from the heavy losses incurred in the previous session. Cryptocurrencies showed signs of wobbling early on before a modest recovery kept the market near break-even. Stocks Lose Steam The large-cap S&P 500 Index held higher up until the final […]

The post Market Update: U.S. Stocks Settle Mixed in Choppy Trade; Cryptocurrencies Endure Modest Pullback appeared first on Hacked: Hacking Finance.

Buggy Software in Popular Connected Storage Drives Can Let Hackers Read Private Data

Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user's private and sensitive data. From a report: The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested -- NetGear Stora, Seagate Home and Medion LifeCloud -- can allow an attacker to remotely read, change and delete data without requiring a password. Yibelo, who shared the research with TechCrunch this week and posted the findings Friday, said that many other devices may be at risk. The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies -- including PHP -- to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as "root" -- the built-in user account with the highest level of access -- making the data on the device vulnerable to prying eyes or destruction.

Read more of this story at Slashdot.

DataBreachToday.com RSS Syndication: Vendor Risk Management: Conquering the Challenges

Organizations must carefully monitor that their business associates are adequately addressing data security to help guard against breaches, says Mark Eggleston, CISO at Health Partners Plans, who will speak on vendor risk management at ISMG's Healthcare Security Summit, to be held Nov. 13-14 in New York.

US intelligence chief says “no evidence” of Chinese spy chips

Dan Coats, the US director of national intelligence, said there's "no evidence" that Chinese spies tampered with servers bought by up to 30 companies, including the likes of Apple and a telecom provider, as Bloomberg reported earlier this month. However, he told Cyberscoop that "we're not taking anything for granted. We haven't seen anything, but we're always watching."

Via: The Verge

Source: Cyberscoop

EOSBet Got Hacked Again; Lost 65000 EOS To Hackers

A month ago we heard of an attack on the EOSBet gambling app. That time, the hackers exploited a vulnerability

EOSBet Got Hacked Again; Lost 65000 EOS To Hackers on Latest Hacking News.

Symantec Norton Security Premium

With Symantec Norton Security Premium, you can protect up to 10 Windows, macOS, Android, or iOS devices. This security suite is a feature-packed winner with top-notch antivirus, comprehensive backup, cross-platform parental control, and more.

New Gallmaker Attack Group Using Living-off-the-Land Tactics in Espionage Campaign

Security researchers observed a new attack group known as Gallmaker using living-off-the-land (LotL) tactics in an extensive espionage campaign.

According to Symantec, the attackers targeted several embassies of an Eastern European country, defense targets in the Middle East, and other government and military targets. The threat group — which has been in operation since at least December 2017 — did not use malware as part of its most recent activity. Instead, it employed LotL tactics and publicly available hacking tools.

In the campaigns discovered by Symantec, Gallmaker sent out spear phishing emails with malicious attachments. These documents abused the Microsoft Office Dynamic Data Exchange (DDE) protocol to compromise recipients’ machines. The attackers then leveraged that access to spy on their victims by remotely executing commands in memory, including the use of WindowsRoamingToolsTask to schedule PowerShell scripts and a “reverse_tcp” reverse shell payload from Metasploit.

A Surge in Living-off-the-Land Tactics

Gallmaker isn’t the only group that has used LotL tactics in recent months. In fact, Symantec researchers witnessed a surge in these techniques dating back to at least July 2017.

At the time, they identified four main categories of LotL attacks, including the abuse of dual-use tools such as PsExec and the emergence of memory-only threats that may achieve fileless persistence. Symantec also noted that those behind the June 2017 Petya outbreak had lived off the land as a means to infect organizations around the world.

How to Defend Against Gallmaker Attacks

Security professionals can protect their organizations against Gallmaker’s campaigns by establishing a consistent software patching program that prioritizes vulnerabilities based on their assessed risk. Security teams should also adhere to the principle of layered security and implement next-generation endpoint protection tools to defend against fileless malware.

Sources: Symantec, Symantec(1)

The post New Gallmaker Attack Group Using Living-off-the-Land Tactics in Espionage Campaign appeared first on Security Intelligence.

DHS Seized Aftermarket Apple Laptop Batteries From Independent Repair Expert

Louis Rossmann says US Customs and Border Protection seized $1,000 worth of laptop batteries, claiming they were counterfeit. From a report: Earlier this year, Louis Rossmann, the highest-profile iPhone and Mac repair professional in the United States, told Motherboard that determining "the difference between counterfeiting and refurbishing is going to be the next big battle" between the independent repair profession and Apple. At the time, his friend and fellow independent repair pro, Jessa Jones, had just had a shipment of iPhone screens seized by Customs and Border Protection. Rossmann was right: His repair parts were also just seized by the US government. Last month, US Customs and Border Protection (CBP) seized a package containing 20 Apple laptop batteries en route to Rossmann's store in New York City. The laptop batteries were en route from China to Rossmann Repair Group -- a NYC-based repair store that specializes in Apple products. "Apple and customs seized batteries to a computer that, at [the Apple Store], they no longer service because they claim it's vintage," Rossmann, the owner and operator of Rossmann Repair Group, said in a YouTube video. "They will not allow me to replace batteries, because when I import batteries that are original they'll tell me they're counterfeit and have them stolen from me by [CBP]." CBP seized the batteries on September 6, then notified Rossmann via a letter dated October 5. Rossmann produced the letter in its entirety in his video.

Read more of this story at Slashdot.

GandCrab Partners With NTCrypt for Code Obfuscation

GandCrab ransomware has evolved again, and the newest version features a partnership with NTCrypt to facilitate code obfuscation and frustrate security researchers.

As noted by McAfee, GandCrab’s authors deployed version 5 of the ransomware on Sept. 27. Since first appearing in January 2018, the code’s authors have released regular updates that both improved functionality and introduced new bugs.

As the McAfee report put it, the ransomware authors “are undoubtedly confident and have strong marketing skills, but flawless programming is not one of their strengths.” Still, public endorsement of FalloutEK and a new partnership with NTCrypt suggest that GandCrab is looking to claw its way into as many devices as possible with this new iteration.

What Does GandCrab’s Development Mean for Malware Security?

The makers of GandCrab aren’t afraid of notoriety; each new release comes with flashy announcements and promises of new partnerships. As a result, a members-only club of affiliates has developed around GandCrab, with more waiting in the wings to distribute the ransomware. GandCrab’s popularity has also led to partnerships with other criminal groups, which has helped the malware evolve from a simple infection vector to a more sophisticated ransomware-as-a-service.

Particularly concerning is GandCrab’s ability to attract other criminal groups. Its partnership with NTCrypt was established by way of a competition: the crypter received $500 from the developers and free advertising in all of GandCrab’s advertisements. Beyond the obfuscation offered by NTCrypt’s services, this recruiting method gives the malware developers a way to screen out low-quality partners while diversifying their supply chain.

The ransomware uses multiple attack vectors to infect devices, encrypt files and demand cryptocurrency, including remote desktop connections, phishing emails, legitimate programs with hidden Trojans, exploit kits, PowerShell scripts and botnets such as Phorpiex.

How to Avoid the Pinch of GandCrab’s Code Obfuscation

Although the GandCrab developers are working hard to deliver regular updates, their lack of coding sophistication also introduces bugs that limit functionality or cause outright failure. For example, a compilation flaw in version 5 makes it depend on a dynamic-link library (DLL) that is not available in Windows Vista or XP, meaning the malware will only work on machines running Windows 7 or later. The authors also claimed that their code doesn’t rely on existing CVEs, but this is inaccurate — GandCrab uses both CVE-2018-8440 and CVE-2018-8120.

Despite its flaws, however, GandCrab remains a potent attack vector. To counter this type of malware security threat, security experts recommend establishing a security baseline, incorporating security best practices into all endpoint builds and ensuring a consistent “golden image” that adheres to your security policy. Security teams should also create and maintain a live inventory of all devices to help pinpoint malware infections, and develop “an aggressive and current patch management policy” to help mitigate the impact of existing vulnerabilities.

Source: McAfee

The post GandCrab Partners With NTCrypt for Code Obfuscation appeared first on Security Intelligence.

Justice Department Charges Russian Woman With Interference in Midterm Elections

The Justice Department on Friday charged a Russian woman for her role in a conspiracy to interfere with the 2018 U.S. election, marking the first criminal case prosecutors have brought against a foreign national for interfering in the upcoming midterms. From a report: Elena Khusyaynova, 44, was charged with conspiracy to defraud the United States. Prosecutors said she managed the finances of "Project Lakhta," a foreign influence operation they said was designed "to sow discord in the U.S. political system" by pushing arguments and misinformation online about a whole host of divisive political issues, including immigration, the Confederate flag, gun control, and the NFL national anthem protests. The charges against Khusyaynova came just as the Office of the Director of National Intelligence warned that it was concerned about "ongoing campaigns" by Russia, China and Iran to interfere with the upcoming midterm elections and even the 2020 race -- an ominous warning that comes just weeks before voters head to the polls.

Read more of this story at Slashdot.

Mac Virus: Apple and personal data, plus Android issues

ZDNet: Apple to US users: Here’s how you can now see what personal data we hold on you – “Apple’s privacy tools now go beyond Europe, so more now get to download the personal data it has collected… [T]he move brings the four countries in line with Europe, where Apple began offering a simpler way to download a copy of user data in May, just before the EU’s strict GDPR privacy legislation came into effect.”

Less positively:

Security Boulevard: Inside Safari Extensions | Malware’s Golden Key to User Data – “A 2-part series looking at the technology behind macOS browser extensions and how malicious add-ons can steal passwords, banking details and other sensitive user data”

And some Google/Android issues:

  • John E. Dunn for Sophos: Is Google’s Android app unbundling good for security? – “…Google’s licensing compelled device makers to install apps such as Search and Chrome if they wanted to install … the Play Store. In July 2018, the European Commission (EC) concluded this was a ploy to give Google Search a monopoly on Android, fined the company €4.34 billion ($5.1 billion) on anti-trust grounds.”
  • The Register: Decoding the Google Titan, Titan, and Titan M – that last one is the Pixel 3’s security chip – “Chocolate Factory opens lid, just a little, on secure boot and crypto phone coprocessor”

David Harley

Apple CEO calls on ‘Bloomberg’ to retract China surveillance report

Earlier this month, Bloomberg reported that San Jose-based server company Super Micro installed surveillance micro-chips in the Chinese data center hardware of up to 30 companies, including Amazon and Apple. These chips were supposedly used to steal intellectual property. However, all companies that were named in the initial report have denied Bloomberg's claims. Now, Apple CEO Tim Cook is calling on the well-reputed publication to retract its story altogether, according to BuzzFeed.

Source: BuzzFeed News

Click Farms Are Gaming Apple’s Top Podcasts List

A new report sheds some light on the issue of paid click farms gaming Apple's long-running list of Top Podcasts. From a report: Earlier this month, Apple's long-running list of Top Podcasts began to exhibit some unusual issues -- no-name podcasts vaulting over popular, well-established ones -- but the company appeared to quickly fix its chart. Unfortunately, the problems have popped up again, and an analysis from podcast industry tracker Chartable suggests that paid click farms are now gaming the list, which it calls "the closest thing to the Billboard Top 100 in the podcast world." In theory, Apple's podcast popularity rankings might not matter -- podcasts are free, and Apple is only one source of such rankings. But after introducing its Podcast Directory in 2005, Apple became the world's largest aggregator of such programming, and its rankings serve two purposes: showing listeners what's hot, and helping advertisers determine which shows to support, thereby keeping their creators afloat. The core problem is that Apple's Top Podcasts chart appears to use a poor and easily manipulated ranking metric. Chartable believes that it's based entirely upon a podcast's total number of new subscribers over the past week, with weights assigned to movement in the past one to three days.

Read more of this story at Slashdot.

Apple strongly denies Bloomberg’s Chinese hacking report, calls for retraction

In early October, Bloomberg published a bombshell article uncovering an extraordinary hardware hacking effort by state-sponsored Chinese agents. “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies” details successful efforts by the People’s Liberation Army (PLA) to implant tiny chips into the motherboards of servers made by Super Micro, to compromise those systems and give them access. It’s an extensive piece of reporting, too complex to fully summarize here. To really understand all the details, you should read the original article.

Creating a Response Plan You Can Trust

As a website owner, you may have experienced your website being down for any number of reasons: errors in code, server-related difficulties, or even an attack by bad actors.

I once shared my own experience of a hacked website in a webinar. Whether you have one site or hundreds, when restoring your online presence it is imperative to have a process in place.

If Your Website Gets Hacked, What is Your Plan?

Continue reading Creating a Response Plan You Can Trust at Sucuri Blog.

CVE-2018-18520

An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.

CVE-2018-18521

Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.

In an Unprecedented Move, Apple CEO Tim Cook Calls For Bloomberg To Retract Its Chinese Spy Chip Story

John Paczkowski and Joseph Bernstein, reporting for BuzzFeed News: Apple CEO Tim Cook, in an interview with BuzzFeed News, went on the record for the first time to deny allegations that the company was the victim of a hardware-based attack carried out by the Chinese government. And, in an unprecedented move for the company, he called for a retraction of the story that made this claim. Earlier this month Bloomberg Businessweek published an investigation alleging Chinese spies had compromised some 30 US companies by implanting malicious chips into Silicon Valley-bound servers during their manufacture in China. The chips, Bloomberg reported, allowed the attackers to create "a stealth doorway" into any network running on a server in which they were embedded. Apple was alleged to be among the companies attacked, and a focal point of the story. [...] "We turned the company upside down," Cook said. "Email searches, datacenter records, financial records, shipment records. We really forensically whipped through the company to dig very deep and each time we came back to the same conclusion: This did not happen. There's no truth to this."

Read more of this story at Slashdot.

Android Protected Confirmation: Taking transaction security to the next level



[Cross-posted from the Android Developers Blog]

In Android Pie, we introduced Android Protected Confirmation, the first major mobile OS API that leverages a hardware protected user interface (Trusted UI) to perform critical transactions completely outside the main mobile operating system. This Trusted UI protects the choices you make from fraudulent apps or a compromised operating system. When an app invokes Protected Confirmation, control is passed to the Trusted UI, where transaction data is displayed and user confirmation of that data's correctness is obtained.
Once confirmed, your intention is cryptographically authenticated and unforgeable when conveyed to the relying party, for example, your bank. Protected Confirmation increases the bank's confidence that it acts on your behalf, providing a higher level of protection for the transaction.
Protected Confirmation also adds additional security relative to other forms of secondary authentication, such as a One Time Password or Transaction Authentication Number. These mechanisms can be frustrating for mobile users and also fail to protect against a compromised device that can corrupt transaction data or intercept one-time confirmation text messages.
Once the user approves a transaction, Protected Confirmation digitally signs the confirmation message. Because the signing key never leaves the Trusted UI's hardware sandbox, neither app malware nor a compromised operating system can fool the user into authorizing anything. Protected Confirmation signing keys are created using Android's standard AndroidKeyStore API. Before it can start using Android Protected Confirmation for end-to-end secure transactions, the app must enroll the public KeyStore key and its Keystore Attestation certificate with the remote relying party. The attestation certificate certifies that the key can only be used to sign Protected Confirmations.
There are many possible use cases for Android Protected Confirmation. At Google I/O 2018, the What's new in Android security session showcased partners planning to leverage Android Protected Confirmation in a variety of ways, including Royal Bank of Canada person to person money transfers; Duo Security, Nok Nok Labs, and ProxToMe for user authentication; and Insulet Corporation and Bigfoot Biomedical, for medical device control.
Insulet, a global leading manufacturer of tubeless patch insulin pumps, has demonstrated how they can modify their FDA cleared Omnipod DASH™ Insulin management system in a test environment to leverage Protected Confirmation to confirm the amount of insulin to be injected. This technology holds the promise for improved quality of life and reduced cost by enabling a person with diabetes to leverage their convenient, familiar, and secure smartphone for control rather than having to rely on a secondary, obtrusive, and expensive remote control device. (Note: The Omnipod DASH™ System is not cleared for use with Pixel 3 mobile device or Protected Confirmation).

This work is fulfilling an important need in the industry. Since smartphones do not fit the mold of an FDA approved medical device, we've been working with FDA as part of DTMoSt, an industry-wide consortium, to define a standard for phones to safely control medical devices, such as insulin pumps. A technology like Protected Confirmation plays an important role in gaining higher assurance of user intent and medical safety.
To integrate Protected Confirmation into your app, check out the Android Protected Confirmation training article. Android Protected Confirmation is an optional feature in Android Pie. Because it has low-level hardware dependencies, Protected Confirmation may not be supported by all devices running Android Pie. Google Pixel 3 and 3XL devices are the first to support Protected Confirmation, and we are working closely with other manufacturers to adopt this market-leading security innovation on more devices.
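The two steps the post describes, enrolling a confirmation-only Keystore key and then signing exactly the bytes the user confirmed in Trusted UI, as an added Java example that is not Google's code or the training article's; the key alias, the `RelyingParty` interface and the server-supplied challenge are assumed, and the relying party is expected to verify the attestation chain and the nonce it placed in the extra data.

```java
import android.content.Context;
import android.security.ConfirmationAlreadyPresentingException;
import android.security.ConfirmationCallback;
import android.security.ConfirmationNotAvailableException;
import android.security.ConfirmationPrompt;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.concurrent.Executor;

/** Added example: the app side of an Android Protected Confirmation transaction. */
public final class ProtectedConfirmationExample {
    private static final String KEY_ALIAS = "payment_confirmation_key"; // assumed alias
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";

    /** Assumed transport to the bank/relying party; the real one is app-specific. */
    public interface RelyingParty {
        void submit(byte[] dataThatWasConfirmed, byte[] signature);
        void fail(Throwable cause);
    }

    /**
     * Step 1 (enrolment, done once): create a Keystore key that can only sign data the
     * user confirmed in Trusted UI. The returned chain starts with the attestation
     * certificate; the relying party checks it (and the challenge inside it) before
     * trusting any signature from this key.
     */
    public static Certificate[] createConfirmationKey(byte[] serverChallenge) throws Exception {
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setAttestationChallenge(serverChallenge)   // binds attestation to a server nonce
                .setUserConfirmationRequired(true)          // Keystore refuses unconfirmed signing
                .build();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, ANDROID_KEYSTORE);
        kpg.initialize(spec);
        kpg.generateKeyPair();

        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        return ks.getCertificateChain(KEY_ALIAS);
    }

    /**
     * Step 2 (per transaction): hand control to Trusted UI, then sign the exact byte
     * string the user saw and approved. extraData should carry a server nonce plus the
     * transaction fields so the relying party can check freshness and content itself.
     */
    public static void confirmAndSign(Context ctx, Executor executor, String promptText,
                                      byte[] extraData, RelyingParty rp)
            throws ConfirmationAlreadyPresentingException, ConfirmationNotAvailableException {
        if (!ConfirmationPrompt.isSupported(ctx)) {
            // Optional feature: not every Android Pie device has the hardware support.
            throw new ConfirmationNotAvailableException();
        }
        ConfirmationPrompt prompt = new ConfirmationPrompt.Builder(ctx)
                .setPromptText(promptText)
                .setExtraData(extraData)
                .build();

        prompt.presentPrompt(executor, new ConfirmationCallback() {
            @Override
            public void onConfirmed(byte[] dataThatWasConfirmed) {
                try {
                    KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
                    ks.load(null);
                    PrivateKey key = (PrivateKey) ks.getKey(KEY_ALIAS, null);
                    Signature sig = Signature.getInstance("SHA256withECDSA");
                    sig.initSign(key);
                    sig.update(dataThatWasConfirmed); // sign only what Trusted UI displayed
                    rp.submit(dataThatWasConfirmed, sig.sign());
                } catch (Exception e) {
                    rp.fail(e);
                }
            }

            @Override
            public void onDismissed() { rp.fail(new IllegalStateException("user dismissed prompt")); }

            @Override
            public void onCanceled() { rp.fail(new IllegalStateException("prompt cancelled by app")); }

            @Override
            public void onError(Throwable t) { rp.fail(t); }
        });
    }
}
```

The relying party must verify the signature over `dataThatWasConfirmed` with the enrolled public key and parse that blob itself rather than trusting any separate copy of the transaction fields sent by the app.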

WikiLeaks Founder Julian Assange Sues Ecuador For ‘Violating His Rights’

Julian Assange is suing Ecuador's government for violating his "fundamental rights and freedoms," despite the fact he is still being sheltered in the country's UK embassy. From a report: It comes after Ecuador cut off communications for Mr Assange, who has been living inside the country's London embassy for more than six years. Baltasar Garzon, a lawyer for WikiLeaks, has arrived in Ecuador to launch the case, which is expected to be heard next week in a domestic court. WikiLeaks claims Mr Assange's access to the outside world has been "summarily cut off" and says Ecuador has threatened to remove the protection he has had since being given political asylum. The site said Ecuador's government has refused to allow a visit by Human Rights Watch general counsel Dinah PoKempner and prevented several meetings with Mr Assange's lawyers. A statement said: "Ecuador's measures against Julian Assange have been widely condemned by the human rights community."

Read more of this story at Slashdot.

Beers with Talos EP 39: VB 2018 Rundown and Prevalent Problems with PDF



Beers with Talos (BWT) Podcast Ep. #39 is now available. Download this episode and subscribe to Beers with Talos:

Ep. #39 show notes: 

Recorded Oct. 5, 2018 - We start out with a quick chat to get to know this week’s special guests from the Talos Outreach team: Paul Rascagneres, Vanja Svajcer and Warren Mercer. We discuss everyone’s work that was presented at Virus Bulletin, as well as Paul and Warren being nominated for the Péter Szőr Award. We also cover a lot of vulnerability discovery work that we recently released around various PDF software.

The timeline:

The topics

01:25 - Roundtable - Intros with our special guests Warren Mercer, Vanja Svajcer and Paul Rascagneres.
07:01 - Virus Bulletin and Korea in the Crosshairs nominated for Péter Szőr Award
22:42 - Other Talos talks and internet-of-things nonsense
28:39 - PDF vulnerabilities and how vulnerabilities can come in batches
35:23 - Closing thoughts and parting shots

The links

Péter Szőr Award: https://www.virusbulletin.com/conference/peter-szor-award/
Talos PDF vulnerability posts: https://blog.talosintelligence.com/search?q=pdf&by-date=true

==========

Featuring: Nigel Houghton (@EnglishLFC). Special guests: Warren Mercer (@SecurityBeard), Paul Rascagneres (@R00tBSD), and Vanja Svajcer (@VanjaSvajcer). Hosted by Mitch Neff (@MitchNeff).

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

Every Move You Make

Privacy in the Age of the Algorithm
Welcome to the brave new world of GDPR, which came into effect on May 25, 2018. For weeks now, in-boxes have been brimming with notices from companies that, like a spurned lover, beg of people “please come back! We miss you!” News reporting of the great “privacy watershed moment” even varied its perspective based on country.

Media outlets in the UK largely decried the “spamming by companies to get people to accept new terms and conditions”, whereas in France, companies were portrayed as simply sending e-mails noting that privacy policies had been updated, with attendant links to “learn more about it”. Meanwhile, tech giants like Facebook and Google faced immediate legal filings — essentially shots across their bows — over perceptions of “forced consent”.

Is it any wonder companies are still confused and thereby confusing their customers?

As GDPR goes into effect, the first phase of the Internet – the Wild West days – comes to an end, and it is the perfect backdrop to discuss the power of disruption, with ALL of its positive and negative consequences.

At the root of all this, of course, is the even braver new world of the future of our privacy – in Europe, China, America, and everywhere else the new machines of the digital age reign. There is no question that the age of algorithms, automation and AI has resulted in great leaps forward for humanity in terms of personal recommendations, customised experiences and lightning-fast convenience.

All at the cost of sharing our personal information.

Today’s digital age is the proverbial double-edged sword, and our privacy is increasingly the hilt of that blade. With every click and like and swipe we make online, our interests, preferences and intent are revealed and contained. The ubiquity of location-based sensors, facial recognition and social and mobile computing have made consumers subject to vast and lucrative analysis for companies every day. As The Police sang in the ‘80s, “every move you make” in the online world is visible to not only those we trust but also those we do not know even exist.

The Restoration of the Sovereignty of Data Privacy

Revelations like Cambridge Analytica’s exploits – carried out without these users’ direct consent – have brought this under a white-hot heat lamp of scrutiny. Questions continue to be asked in Brussels, the House of Commons, and on Capitol Hill. After 25 years of regulatory-light experimentation with the “information superhighway,” policy makers the world over are beginning to lay down serious “rules of the road” pertaining to data privacy, largely spurred by what the EU has put in place over the past few years as a policy pacesetter, culminating with GDPR.

If data is the new oil, every new massive breach or shocking revelation is a gusher that needs to be contained. And like the Deepwater Horizon and Exxon Valdez disasters did for the oil industry, regulation for the technology industry looms large. Regulating for privacy is a subplot to the great story of our time that is AI, but it runs the risk of side-tracking the excitement of possibilities in the digital age.

When it comes to bolstering privacy and trust in the Age of the Algorithm, here is how we begin the restoration. The following is a strategic list for all companies of six critical actions – three things to start doing, and three things to stop doing – to help data privacy flourish in the digital age.

Start:

  1. START innovating new roles like the chief trust officer at the executive level. Trust is an amorphous concept for which every employee of an organisation has implicit – but not explicit – responsibility. This must change. “Trust” is now a competitive factor for every business. A chief trust officer (reporting directly to the CEO and a peer to the CFO and general counsel) should work closely with data protection officers (now mandated by GDPR) to oversee privacy and customer advocacy, thus ensuring digital innovations thrive. They’ll certify that monetisation of data conforms to ethical guidelines and key performance indicators.
  2. START promoting public policy that rewards good privacy ethics. The closer you are to the debate – even if it means squirming through testimony in Brussels, Bern, Berlin or Westminster – the more influence you can have on the future.
  3. START ensuring privacy protection initiatives cover metadata. Submitted customer data (e.g., comments, pictures, etc.) – and the ability to edit or delete it – is one thing. But it’s customers’ metadata – which GDPR still treats as personal data whenever it can be tied to an identifiable person – that’s the bigger deal. We’re already seeing moves from players like Facebook to establish a “clear history” feature – somewhat like an angioplasty for customers’ digital footprints.

Stop:

  1. STOP taking things like ethics for granted. While “move quickly and break things” sounded great a few years ago, the tide has undeniably turned. The days of the “data debutantes” are over, since the consequence of betting the brand on questionable use of data is the disappearance of customers. As the backlash grows, there’s a very real possibility that new jobs of the future, like personal data brokers, will emerge to help customers manage the monetisation of their own data.
  2. STOP thinking of GDPR as the enemy. The absence of trust is antitrust, and your mindset needs to embrace one simple fact: love it or hate it, GDPR is your new best friend. Legislative sea changes of this type could be the raw fuel that impels business success in the future.
  3. STOP over-reacting. Course corrections and pivots on the road to the future of privacy will be natural. That does not mean innovation is over, but let ethics (and the law) help your organisation walk the line between leading edge and bleeding edge. Capitulating to fear and shutting down digital innovation is the worst thing any organisation can do.

While the fundamentals of these questions have always been with us, the future now rests on how we treat and manage data. The long view of the future of privacy is that corporate leaders, companies and countries that do this successfully – through ethics, responsible practices and, yes, healthy regulation like GDPR – will participate in a new golden age of digital practice.

Robert Brown, AVP at Cognizant’s Center for the Future of Work

The ISBuzz Post: This Post Every Move You Make appeared first on Information Security Buzz.

Historical OSINT – iPowerWeb Hacked Hundreds of Web Sites Affected

In 2008 it became evident that a widespread malware-embedding attack had successfully affected hundreds of iPowerWeb customers, potentially exposing hundreds of legitimate Web sites to a multitude of malicious software courtesy of HostFresh, a hosting provider well known for its ties to the Russian Business Network. In this post we'll profile the campaign and provide actionable intelligence on the

Quantum Computers Will Break the Encryption that Protects the Internet

An anonymous reader shares a report: Factorising numbers into their constituent primes may sound esoteric, but the one-way nature of the problem -- and of some other, closely related mathematical tasks -- is the foundation on which much modern encryption rests. Such encryption has plenty of uses. It defends state secrets, and the corporate sort. It protects financial flows and medical records. And it makes the $2trn e-commerce industry possible. Nobody, however, is certain that the foundation of all this is sound. Though mathematicians have found no quick way to solve the prime-factors problem, neither have they proved that there isn't one. In theory, any of the world's millions of professional or amateur mathematicians could have a stroke of inspiration tomorrow and publish a formula that unravels internet cryptography -- and most internet commerce with it. In fact, something like this has already happened. In 1994 Peter Shor, a mathematician then working at Bell Laboratories, in America, came up with a quick and efficient way to find a number's prime factors. The only catch was that for large numbers his method -- dubbed Shor's algorithm -- needs a quantum computer to work. Quantum computers rely on the famous weirdness of quantum mechanics to perform certain sorts of calculation far faster than any conceivable classical machine. Their fundamental unit is the "qubit", a quantum analogue of the ones and zeros that classical machines manipulate. By exploiting the quantum-mechanical phenomena of superposition and entanglement, quantum computers can perform some forms of mathematics -- though only some -- far faster than any conceivable classical machine, no matter how beefy.
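To make the dependence concrete, here is an added Python example (not part of the Slashdot summary or the report it quotes) showing why an efficient factoring method is the same thing as breaking RSA. The public key is (n, e); anyone holding it can encrypt, but recovering the two primes p and q from n immediately gives the private exponent d. The primes below are toy-sized, so plain trial division factors n in a fraction of a second; real keys use moduli of 2048 bits or more, for which no known classical method finishes, which is exactly the gap Shor's algorithm closes on a quantum computer. The `factor` parameter of `recover_private_exponent` stands in for whatever factoring oracle an attacker has, classical or quantum.

```python
import math


def generate_keypair(p, q, e=65537):
    """Textbook RSA key generation from two primes (no padding; toy sizes).
    Returns the public key (n, e) and the private exponent d."""
    n = p * q
    phi = (p - 1) * (q - 1)                 # Euler's totient of n
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                     # modular inverse (Python 3.8+)
    return (n, e), d


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def decrypt(n, d, c):
    return pow(c, d, n)


def trial_division_factor(n):
    """Classical factoring by trial division: O(sqrt(n)) work, fine for a
    40-bit toy modulus and hopeless for a 2048-bit one."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("n has no non-trivial factor")


def recover_private_exponent(pub, factor=trial_division_factor):
    """Given only the public key and a factoring oracle, rebuild d.
    Swap in a quantum factoring routine here and nothing else changes."""
    n, e = pub
    p, q = factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def demo():
    """Encrypt with the public key, then decrypt using a d recovered purely
    from factoring n. Primes are constructed toy values (both prime)."""
    pub, d = generate_keypair(1000003, 1000033)
    m = 123456789                           # plaintext must be < n
    c = encrypt(pub, m)
    d_recovered = recover_private_exponent(pub)
    return d == d_recovered and decrypt(pub[0], d_recovered, c) == m


if __name__ == "__main__":
    print("factoring n recovers the private key:", demo())
```

The point of the `factor` callback is that every other step (computing phi and inverting e) is trivial once p and q are known; the entire security margin of RSA sits in that one call.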

Read more of this story at Slashdot.

My Morehouse Brother Chinedu Okobi Died After Being Electrocuted by Police. Tasers Are Not “Less Lethal” Weapons.


Chinedu Okobi with his daughter, Christina, on April 16, 2010.

Photo: Courtesy of Ebele Okobi

Every single day, families suffering from police violence find themselves in the fog of unspeakable setbacks. Some have lost their fathers or sons, their mothers or daughters, their brothers or sisters, their neighbors or friends. I am sometimes enlisted to help them. Before I was a journalist, I was a pastor, and it was often my job to guide families through grief and loss. But it’s a unique crisis to have the life of your loved one taken by the state. Who do you call? 911? Who leads the investigation? Who brings you justice? The answers for these families are altogether different than in other murder cases.

When I got the call that Chinedu Okobi had been killed by police from the San Mateo County Sheriff’s Office in the San Francisco Bay Area, it was different. This was my Morehouse brother. You’d almost have to have lived at 830 Westview Drive, on that red clay hill in Georgia called Morehouse College, to truly understand how that bond is formed. We are close. We have each other’s back. Comparing Morehouse to a regular Greek fraternity is not good enough. It’s a brotherhood in the truest sense: It’s a family.

I was Chinedu’s student government president. He and I lived in the same dorm. He was close friends with many of my close friends. His sister Ebele, a revered executive at Facebook, is close with many of my closest friends at the company.

When I got a call from her this past Saturday to discuss Chinedu Okobi’s death, I had to fight hard to hold back tears. I was surprised at my own fragile state. My dear brother, Jason, just passed away a few weeks ago. While his death had absolutely nothing to do with police violence, for the first time I understood the unique pain of losing a brother who was supposed to have his whole life ahead of him.

Chinedu Okobi should be alive right now. At the very most, he should be in a hospital receiving mental health treatment. By now, he likely would’ve been released back to the care of his family. Local police have not responded to my repeated requests for more information about Chinedu’s death, but this much we know: While he was technically unarmed, meaning that he had no gun or knife or illegal weapon on his body, he was armed in a very American way. He was a big Black man, a dark-skinned Nigerian who was 6 feet, 3 inches tall and weighed 330 pounds. In the eyes of American police, that might as well be armed. This nation has long since weaponized blackness.


Chinedu, center, at his college graduation with his family at Morehouse College in Atlanta.

Photo: Courtesy of Ebele Okobi

This country has also weaponized mental illness. Chinedu lived with mental illness. He received treatment, took medications, and worked hard to balance his life the best he could. I never knew it. What I do know is that in this country, when someone is having a mental health crisis, police are called — which is like bringing in a bulldozer to fix a leaky faucet. It’s a stupid system.

Chinedu needed to go to the hospital. He needed medical treatment. Instead, he was surrounded by officers who appear to have repeatedly used a Taser on him until he died. Let me phrase that another way: Chinedu was still shot, but by guns that electrocute people to death instead of tearing apart their flesh and organs with bullets. In the name of being safer than guns, hundreds of thousands of police officers have now been armed with Tasers, but they aren’t safe — not at all.

Chinedu’s black life didn’t matter. Those cops would not have treated their own family that way. If Chinedu was their son or father or brother, those men would’ve found another way to deal with his crisis.

Since 2000, American police have killed at least 1,000 people with Tasers. They are horrible. The primary company that makes them, Taser, has changed its name to Axon — just like Corrections Corporation of America, the notorious private prison company, changed its name to CoreCivic. It’s an attempt to escape their baggage, but it’s the same old shit.

And Axon has gotten a complete pass for what the company makes. The company deflects from the fact that they make machines that send uncontrollable electricity into people’s bodies. The problem, of course, is that the human body simply was not built to take these surges of electricity. Axon advertises these weapons as “less lethal,” but the comparison to guns and other weapons would be cold comfort for the more than 1,000 people who have died from the electric shocks.

Worse yet, the “less lethal” moniker has meant that many cities and states don’t have robust regulations for how law enforcement is supposed to use these weapons. So the mythical “less lethal” marketing is working — for the company, not for victims of the weapons.


Chinedu with his sister Ekene.

Photo: Courtesy of Ebele Okobi

That such dangerous shocks would be administered to people with mental illnesses is especially upsetting. Every single day in this country, hundreds of thousands of nurses treat adults and children who are living with mental illness. Those patients are regularly in crisis, and nurses consistently face them down without ever having to electrocute them into submission. If five police officers were unable to do the same thing with Chinedu without killing him, the problem is not Chinedu — it’s the police officers. It’s the consistent impatience with black people in distress that is shown by law enforcement.

The United States, particularly the United States government, seems to have long ago given up on completely reimagining how to solve its most complex problems. This much, though, should be obvious: Electrocuting people into submission is a horrible idea, no matter how supposedly “less lethal” the weapon is.

The post My Morehouse Brother Chinedu Okobi Died After Being Electrocuted by Police. Tasers Are Not “Less Lethal” Weapons. appeared first on The Intercept.

Basic Attention Token (BAT) Quietly Racks Up 42% Gains on Coinbase Anticipation

Basic Attention Token (BAT) has been quietly recording day on day growth for the last four days as anticipation builds regarding a Coinbase listing. The value of BAT has increased by 42% in that time, as public opinion leans toward the theory that BAT’s ERC-20 foundation makes it a prime candidate to be the next […]

The post Basic Attention Token (BAT) Quietly Racks Up 42% Gains on Coinbase Anticipation appeared first on Hacked: Hacking Finance.

Disrupt:Ops: Why Everyone Automates in Cloud

If you see me speaking about cloud it’s pretty much guaranteed I’ll eventually say:

Cloud security starts with architecture and ends with automation.

I’m nothing if not repetitive. This isn’t just a quip; it’s based on working heavily in cloud for nearly a decade with organizations of all sizes. The one consistency I see over and over is that once organizations hit a certain scale they start automating their operations. And every year that point comes earlier in their cloud journey.

I know it because first I lived it, then I watched every single organization I worked with, talked with, or generally glanced at, go down the same path.

- Rich

South Carolina Is Lobbying to Allow Discrimination Against Jewish Parents

The Trump administration is considering whether to grant a South Carolina request that would effectively allow faith-based foster care agencies in the state to bar Jewish parents from fostering children in their networks. The argument, from the state and from the agency, is that the federal Religious Freedom Restoration Act should not force a Protestant group to work with Jewish people if doing so violates a tenet of its faith.

The case being made by South Carolina is an extension of the debate around RFRA, which is more commonly associated with discrimination against LGBTQ people, but by no means applies exclusively to that group.

If granted, the exemption would allow Miracle Hill Ministries, a Protestant social service agency working in the state’s northwest region, to continue receiving federal dollars while “recruiting Christian foster families,” which it has been doing since 1988, according to its website. That discrimination would apply not just to Jewish parents, but also to parents who are Muslim, Catholic, Unitarian, atheist, agnostic or members of some other non-Protestant denomination.

Miracle Hill covers Greenville, Pickens and Spartanburg counties, and its foster care services have become increasingly in demand as an opioid epidemic has torn through a generation of young parents. The fight over its policy has been written about in the local press and was first covered nationally by The Nation.

The request has been made to the Department of Health and Human Services. The agency has been quietly taken over by hardline evangelical activists, a perk for their unwavering support of Trump’s presidential bid and his administration.

Miracle Hill has told the local press that while they themselves will not place children with families who don’t meet their standards, they refer them to agencies that will. But as the provider with the region’s highest quality of service, making referrals means sending people to deal directly with the state Department of Social Services, or to agencies in other parts of the state that are several hours away by car.

Beth Lesser is a Jewish parent who was turned away by Miracle Hill. “Understand, in the upstate of South Carolina, if you want to be a foster parent or a mentor, there’s DSS, which is the government. And there’s Miracle Hill. There really isn’t anybody else,” Lesser told The Intercept.

When she still lived in Greenville, Lesser participated in a three-day training co-hosted by Miracle Hill and Fostering Great Ideas, another regional child welfare agency. On the third day, two officials running the training, David White of Fostering Great Ideas, as well as a Miracle Hill representative, told the group that non-Protestants wouldn’t be able to mentor with Miracle Hill, let alone foster a child.

“I’ve never felt that sort of discrimination before,” she said. “Once they get [the children] in one of their group homes, they don’t let non-Christian Protestants mentor them, foster them, or anything.” Lesser couldn’t recall the name of the Miracle Hill representative, but White confirmed the exchange to The Intercept, saying that they were explaining Miracle Hill’s policy, and that his agency, FGI, does not itself discriminate. Miracle Hill did not respond to a request for comment.

Originally from New Jersey, she and her husband lived in Florida before moving to South Carolina for 18 years. They’ve fostered and mentored other children through various agencies, and have since returned to Florida.

“What Miracle Hill does, is they scoop up these kids from foster care, and they have these group homes. And then once they get the kids in there, their whole objective is to indoctrinate them into their brand of Christianity,” Lesser said.

Lesser said that while she and her husband were licensed foster parents while they lived in South Carolina, they “hardly got any calls” to foster children.

“I think that if Trump knew about this in detail, he wouldn’t be for it,” Lesser said. “Because he’s not a religious nut.” She’s a proud supporter of the president — and, she offered, she wanted Supreme Court Justice Brett Kavanaugh to be confirmed.

For the state’s DSS, the practice of discriminating against Jewish families was too much. As early as January 2018, DSS sent a letter raising concerns that the agency was violating federal and state nondiscrimination laws, as well as DSS policy, by requiring applicants to meet strict religious standards — namely, being a practicing Protestant and not being in a same-sex relationship. The letter was obtained through a Freedom of Information Act request by the American Civil Liberties Union, which provided it to The Intercept.

“In telephone conversations with the Department, Miracle Hill has given the Department reason to believe Miracle Hill intends to refuse to provide its services as a licensed Child Placing Agency to families who are not specifically Christians from a Protestant denomination,” the letter reads, offering Miracle Hill 30 days to resolve the issue and 30 more days to implement a new approach.

But Miracle Hill, which is closely allied with the top GOP leadership of the state, had a different response: It went to lawmakers and the governor, who changed state law to shield Miracle Hill from DSS. The state officials in turn pleaded Miracle Hill’s case to the Trump administration.

Miracle Hill is one of 11 Christian-affiliated foster care agencies serving over 4,000 children in foster care and group homes in South Carolina, a state that, like many others, has historically had a shortage of foster homes.

It is the only one of those Christian agencies, according to DSS, with religious qualifications for parents.

David White is the founder and CEO of Fostering Great Ideas, a nonprofit working to improve the child welfare system, though it does not itself foster children. FGI works closely with Miracle Hill in South Carolina and is expanding to Denver, but does not share its recruitment policy. He argued that families rejected by Miracle Hill do have other places to go. There are 11 foster care providers in Greenville, according to FGI data pulled from DSS. Seven of those provide therapeutic as opposed to regular care for children.

A number of agencies do allow gay couples or Catholic families to foster, White said. “There is the ability to have an intelligent conversation, versus a ‘we’re right, you’re wrong’ — ’cause it is subtle. It’s very difficult. And I know the CEO of Miracle Hill. I know him well. And he is not a bigot. And that’s what makes this a human story.”

The organization’s last provisional state license expired July 25, and DSS won’t issue a permanent one until Miracle Hill proves it’s not discriminating — or DSS gets a federal order to make an exception.

Such an order is already drafted. It’s awaiting final signature on the desk of Secretary Alex Azar at the Department of Health and Human Services. If granted, Miracle Hill will be allowed to continue turning away qualified families seeking to foster or adopt children on the basis of their religious views.

The ACLU is litigating a similar case in Philadelphia against Catholic Social Services. Bethany Christian Services, another Philadelphia agency originally involved in the complaint, has since stated it will comply with federal law and accept same-sex couples. Philadelphia’s DHS has since resumed doing business with the agency. CSS is now suing DHS.

“There are many, many faith-based agencies doing work in the child welfare field,” Leslie Cooper, deputy director for the ACLU LGBT & HIV Project told The Intercept. “And doing really important work. And regardless of their religious belief, the vast majority comply with professional child welfare standards  … which include: you accept all qualified families; you don’t discriminate based on characteristics unrelated to ability to care for a child.”

The few agencies unwilling to do that, Cooper said, are “seeking to maintain state contracts for many millions of dollars to provide this government service to wards of the state — the service being, find families for these children who desperately need them. But ‘Oh, we’re gonna throw away the ones that don’t meet our religious test.’ Even though they may be fantastic parents and may be the only family for a particular child, that that child is waiting for. So it’s pretty outrageous, in my view, that the states are actually passing laws to authorize this.”

Those states include Alabama, Michigan, Texas, South Carolina, Oklahoma, North Dakota, South Dakota, and Mississippi.

Even in Miracle Hill’s online application for interested foster parents, it’s clear the agency intends for children to be raised in a Christian home.

In addition to basic information, the application asks for “denominational affiliation,” a pastor’s name, phone number, and “a brief, personal testimony of your faith/salvation,” and that of a spouse, if applicable. If you and your partner are the same sex, Miracle Hill will not allow you to adopt children in their network, according to lawyers, foster parents and employees at agencies who have worked closely with Miracle Hill.


A screenshot of a portion of Miracle Hill’s foster care inquiry form on their website.

Screenshot: The Intercept

Lesser said DSS eventually asked her to foster a child with another agency in the state, but she was never asked to foster with Miracle Hill. But she said working directly with DSS — as opposed to through a service provider like Miracle Hill — is often overly burdensome, bureaucratic and ultimately ineffective. Advocates agree. So does another Jewish foster mother, Lydia Currie, who tried, unsuccessfully, to work with Miracle Hill.

That’s in part because Miracle Hill really does good work. And DSS in South Carolina, unlike in many other states, handles not only child welfare but disaster response and emergency management. They’re currently orchestrating the state’s response to Hurricane Michael.

“Your worker at Miracle Hill picks up the phone,” Currie told The Intercept. “Which workers at DSS do not do.”

A Jewish foster mother who lived in Greenville until moving to Philadelphia this year, Currie adopted twice through DSS, in 2012 and again in 2018.

“DSS is chronically understaffed, chronically underfunded, chronically over-caseloaded. And that’s why they dump so much on Miracle Hill,” Currie said.

“The standard of service offered by DSS workers is significantly inferior to what’s offered at Miracle Hill. The support for foster families is significantly inferior,” Currie said. “It is a tremendous barrier to access for people who aren’t highly educated and highly motivated.”

She dealt extensively with Miracle Hill during her time in South Carolina, both as a prospective parent and as a guardian ad litem. She and her husband have three biological children. After deciding to grow their family, they adopted two children, in 2012 and in 2018, who spent extended periods of time in Christian orphanages.

“Miracle Hill offers continuity of services,” she continued. “It creates a burden upon non-narrowly defined Protestant Christians that does not exist for families who pass their religious test for the use of public funds.”

“It was a doctrinal test, they made it very clear,” she said, recalling the first time she saw the agency’s foster parent application. “In other situations I’ve had, Christian agencies have been happy to work with Jewish families, when it’s a matter of at-risk children. Particularly if they take public funding,” she said.

“The foster adoption world is full of Christian organizations that work with any fit and willing foster parents. So Miracle Hill is very much an outlier on that in an intensely creepy way.”

Miracle Hill’s practices discriminate against Christians too — just not those who are Protestant, she said. “I also know a Catholic family that was excluded from fostering with Miracle Hill,” Currie said. “And they’re mad too.” Lesser said that she had also learned of a Catholic family turned away.

That caveat is a particular point of turmoil for Miracle Hill’s president and CEO, Reid Lehman, according to FGI’s White. “I believe that Reid has definitively, definitely wrestled with this. I know he has. And he would like to have that ability to have that conversation with you, I would imagine.” Lehman did not respond to requests for comment by the time of publication.

On top of that, Currie said, the agency “practices coercive Protestant Christianity.”

“Many, many children who have absolutely no religious affiliation, or have a religious affiliation other than Christianity, are placed by the Department of Social Services with Miracle Hill,” Currie said. That means, Currie said, “effectively mandatory Sunday school, mandatory after school Bible study. Mandatory prayer. Including teenagers, including children for whom this is terrifyingly inappropriate.”

“Church and state are so co-mingled,” Currie went on, “that I don’t think it would survive a constitutional test. No one’s interested in giving it one. It needs one actually. And Miracle Hill might be a good test case.”


Then-Republican presidential candidate Donald Trump speaks with South Carolina Lt. Gov. Henry Dargan McMaster, left, during a press conference in Hanahan, S.C., on Feb. 15, 2016.

Photo: Jim Watson/AFP/Getty Images

The Protestant agency may well see its request granted.

The Trump administration has made clear that religious freedom, at least for those of the Christian faith, is a priority. And following Gov. Henry McMaster’s March executive order supporting Miracle Hill, South Carolina added a clause, tucked into a 2018-2019 budget proviso bill that passed the General Assembly on June 28, that keeps DSS from discriminating or taking “any adverse action against a faith-based child placing agency” on the basis that the agency declines to provide services that conflict with its faith.

McMaster personally awarded Miracle Hill’s president and CEO, Reid Lehman, the state’s highest civilian honor this summer. Sen. Lindsey Graham’s office in June also appealed to HHS to speed up the process.

Lehman reached McMaster’s office after initial appeals to South Carolina State Rep. Garry R. Smith, with whom he was in contact regarding the state’s budget proviso that weakened DSS’s power to scrutinize his agency. Lehman asked Smith to press McMaster, suggesting “a call [to HHS] from the Governor’s office” reminding them “that the federal response is needed to put this to bed.”

Neither Lehman nor Miracle Hill’s spokesperson responded to multiple calls, emails and voicemails from The Intercept.

The president in January established a new HHS division within the Office for Civil Rights (OCR) with a mandate to “restore federal enforcement of our nation’s laws that protect the fundamental and unalienable rights of conscience and religious freedom.”

HHS officials at a Heritage Foundation event in May “directly solicited faith-based providers to request a RFRA exemption if they feel that they are experiencing a ‘burden’ to their religious expression from federal nondiscrimination laws,” as described in an October 3 letter from Sen. Ron Wyden to Azar opposing the contested waiver.

HHS has acknowledged receipt of the letter but has not responded, a Wyden aide told The Intercept.

HHS officials have spoken out about a department culture that favors Christianity over other faiths, a phenomenon The Intercept’s Rachel Cohen reported on last year.

Where the waiver stands now is unclear. HHS’s Administration for Children and Families (ACF) told The Intercept that the department does not comment on pending policy decisions. The question may come down to whose faith matters. “The whole faith-based initiative under [former President George W.] Bush has all kinds of language in there about when you’re providing federally funded social services, that you can’t discriminate against people based on faith,” the ACLU’s Cooper said. “And these are federally funded social services.”

Top photo: The Miracle Hill Industries office in Greenville, S.C., in December 2016.

The post South Carolina Is Lobbying to Allow Discrimination Against Jewish Parents appeared first on The Intercept.

This Week in Security News: Apex One™ Release and Java Usage Tracker Flaws

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, Apex One™ enters as the evolution of Trend Micro’s endpoint security solution for enterprise. Also, learn about Java Usage Tracker’s new weakness and the conditions that enabled the exploit.

Read on:

Trend Micro Redefines Endpoint Security with Apex One™

Apex One™ combines broad threat detection and response capability with investigative features in a single agent.

CVE-2018-3211: Java Usage Tracker Local Elevation of Privilege on Windows

Trend Micro found a design flaw in the Java Usage Tracker that can let an attacker create arbitrary files, inject attacker-specified parameters and elevate local privileges on Windows.

Trend Micro Converges EDR, Endpoint Security Protection in Apex One

Trend Micro announced its Apex One endpoint security offering, which integrates malware prevention technology with endpoint detection and response (EDR) capabilities.

The FDA is Embracing Ethical Hackers in its Push to Secure Medical Devices

With medical device cyberattacks on the rise, the Food and Drug Administration is turning to ethical hackers to help regulators and manufacturers root out vulnerabilities.

Post-Brexit Britain Could Be A Cybersecurity Nightmare With Or Without A Deal

Whether or not the UK leaves the EU with a Brexit deal, the impact upon cybersecurity and the skills shortage is likely to be considerable and immediate.

Cybersecurity Faces a Worldwide Shortage of Almost 3 Million Staff

New research reveals a worldwide cybersecurity skills gap of 2.9 million, with the Asia-Pacific region experiencing the highest shortage at 2.14 million.      

Facebook Finds Hack Was Done by Spammers, Not Foreign State

Facebook believes that the hackers who gained access to the private information of 30 million users were spammers looking to make money through deceptive advertising.

Do you think many organizations will discontinue tackling endpoint threats with two separate tools? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Apex One™ Release and Java Usage Tracker Flaws appeared first on the Trend Micro blog.

Drupal dev team fixed Remote Code Execution flaws in the popular CMS

The Drupal development team has patched several vulnerabilities in version 7 and 8 of the popular CMS, including RCE flaws.

The development team of the Drupal content management system addressed several vulnerabilities in version 7 and 8, including some flaws that could be exploited for remote code execution.

The Drupal team fixed a critical vulnerability in the Contextual Links module, which fails to properly validate requested contextual links. An attacker whose account has the “access contextual links” permission could exploit the flaw to achieve remote code execution.

“The Contextual Links module doesn’t sufficiently validate the requested contextual links.” reads the security advisory.
“This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access contextual links”.”

Another critical vulnerability fixed by the development team is an injection issue in the DefaultMailSystem::mail() function. The root cause is that some variables were not sanitized for use as shell arguments when sending email, so attacker-controlled input could reach the command line of the mail transport.

“When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.” continues the advisory.
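To make concrete what “sanitizing for shell arguments” means, here is an added illustration in Python. It is not Drupal’s PHP code and not the actual patch; the sendmail path, the use of the -f envelope-sender flag and the hypothetical `--injected-option` token are assumptions for the demo. It places a helper that splices an untrusted sender address into a shell command string beside two hardened versions: one that quotes the value, and one that avoids the shell entirely.

```python
"""Shell-argument injection in a mail sender: vulnerable vs. hardened (added illustration)."""
import re
import shlex
import subprocess

SENDMAIL = "/usr/sbin/sendmail"  # assumed path; used here only to build command lines


def vulnerable_command(sender):
    """Builds one shell string; the untrusted sender is spliced in unquoted (the bug class)."""
    return f"{SENDMAIL} -t -i -f {sender}"


def hardened_command(sender):
    """Quotes the untrusted value so /bin/sh sees it as exactly one argument."""
    return f"{SENDMAIL} -t -i -f {shlex.quote(sender)}"


def hardened_argv(sender):
    """Best option: no shell at all; hand an argv list straight to the process."""
    return [SENDMAIL, "-t", "-i", "-f", sender]


def shell_argv(command):
    """Tokenize a command string the way a POSIX shell would (no execution)."""
    return shlex.split(command)


def is_safe_sender(sender):
    """Allow-list validation: a plain address cannot carry whitespace or shell metacharacters."""
    return re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", sender) is not None


def send(sender, message, runner=subprocess.run):
    """Validate, then invoke the transport without a shell; `runner` is injectable for tests."""
    if not is_safe_sender(sender):
        raise ValueError(f"refusing unsafe sender address: {sender!r}")
    return runner(hardened_argv(sender), input=message.encode(), check=True)


if __name__ == "__main__":
    evil = "user@example.com --injected-option"   # constructed input; one value, two tokens
    print(shell_argv(vulnerable_command(evil)))   # the option becomes a separate argument
    print(shell_argv(hardened_command(evil)))     # the whole value stays one argument
```

Only the first version lets a crafted address grow the argument vector; quoting fixes the string form, but dropping the shell altogether is the change a reviewer should ask for.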

The remaining vulnerabilities addressed in the CMS have been rated “moderately critical”; they include a couple of open redirect bugs and an access bypass issue related to content moderation.

The vulnerabilities have been addressed with the release of Drupal 7.60, 8.6.2 and 8.5.8.

The Drupal team urges users to install the security updates as soon as possible; there is a concrete risk that threat actors in the wild will start exploiting these flaws in mass hacking campaigns.

Pierluigi Paganini

(Security Affairs – Drupal, hacking)

The post Drupal dev team fixed Remote Code Execution flaws in the popular CMS appeared first on Security Affairs.

Native American Sovereignty Is Under Attack. Here’s How Elizabeth Warren’s DNA Test Hurt Our Struggle.

BOSTON, MA - OCTOBER 16: U.S. Senator Elizabeth Warren speaks to the Boston Globe's editorial board at the newspaper's office in Boston on Oct. 16, 2018. (Photo by Suzanne Kreiter/The Boston Globe via Getty Images)

Sen. Elizabeth Warren speaks to the Boston Globe’s editorial board at the newspaper’s office in Boston, Mass., on Oct. 16, 2018.

Photo: Suzanne Kreiter/The Boston Globe via Getty Images


Half a century ago, the Standing Rock Dakota scholar Vine Deloria Jr. wrote, “Whites claiming Indian blood tend to reinforce mythical beliefs about Indians.” Throughout her career, Sen. Elizabeth Warren, D-Mass., has used that mythical belief — what Deloria mocked as the “Indian-grandmother complex” — to stake a claim to Native American identity, like how her European settler ancestors staked a claim to land once called Indian Territory, or what is currently Oklahoma. For Warren, her claims are like a moving target. At one time, it was “Cherokee.” Now it’s just generic “Native American ancestry.”

President Donald Trump, being a bigot, has consistently taunted Warren — frequently referring to her as “Pocahontas” — about her claims with a million-dollar wager: Take a DNA test to prove she’s “an Indian.” It was an obvious ploy, and Warren took the bait.

Yet her reaction hurt more than she might realize. Reducing Native American identity to “race,” whether through biology or the law, is harmful to Native sovereignty and nationhood, despite Warren’s professed good intentions. Warren, however, didn’t walk into Trump’s trap with her eyes closed. What she didn’t see, however, was how low Trump had set the bar when he said “jump” and she tripped on it, landing face first — on stolen Native land.

Like many Native people, I am jealous of Warren and white people like her. Native plebeians, such as myself, a poor Indian kid born on the wrong side of the tracks in Podunk, South Dakota, lack her pedigree and life story. She might as well have rare Romanov ancestry, a secret but ill-fated royal bloodline, when compared to my proletarian biography.

It was Warren’s self-identified Republican family members — the white guys drinking beer telling family stories in a living room — that bolstered her Native credentials in a recent video defending her “Native American ancestry.” I wish I had such relatives to do the same for me, but, if my relatives were captured drinking like that on camera, they might spend a night in the slammer or get labeled as “drunk Indians.”

There is an irony here. The white guys drinking beer have become the arbiters of Native identity, while those who have survived genocide and the theft of an entire continent have become mere background noise to the spectacle of powerful elites duking it out for control over land that is not rightfully theirs. Such is the history of the United States.

The worst irony, though, is Warren’s appropriation of Native identity while simultaneously fetishizing and instrumentalizing it. To Warren, Native people are little more than a currency, a million-dollar ticket to the White House, a one-up to Trump. That’s how this game has been played so far: Trump asked her to prove that she’s “an Indian” (not that she has “ancestry”) with a DNA test, something that is, by all accounts, impossible. Indianness isn’t defined by DNA. It’s a legal, social, cultural, and historical construct, where Indigenous nations self-define the parameters of belonging. Put simply, it’s not about who you claim, it’s about who claims you. In response to Warren, the Cherokee Nation issued a statement saying that “using a DNA test to lay claim to any connection to the Cherokee Nation or any tribal nation, even vaguely, is inappropriate and wrong.”

Falsely claiming Native American identity is a white American tradition, with a deeply racist past.

Falsely claiming Native American identity is a white American tradition, with a deeply racist past. Forrest Carter, also known as Asa Earl Carter — a Ku Klux Klan leader and the former speechwriter for George Wallace (he co-wrote Wallace’s famous 1963 line, “Segregation now, segregation tomorrow, segregation forever”) — reinvented himself later in life as a “Cherokee” writer of the famous children’s book “The Education of Little Tree.” Famous white Southern Americans like Miley Cyrus, Johnny Cash, and Bill Clinton have also all falsely claimed “Cherokee heritage.”

I’ll admit, I’m not a geneticist. (And I’d refer anyone interested in the political and social aspects of “Native American DNA” to read Kim Tallbear’s excellent book on the subject.) I am, however, a historian and I can tell you that proving “Native American ancestry” by using Native body parts has a long, racist history. Genes are part of the human body, and to use genes to measure a degree or percentage of race to make a scientific claim is called race science, which discredits the legitimate science of DNA testing.

A century ago, Native people were considered a disappearing people. Anthropologists and others flooded Indian reservations intent on preserving the last vestiges of a dying race. With them, they brought calipers to measure Native skulls from the graves they robbed. Sometimes they used captured Indigenous children in boarding schools and prisoners of war for racial experiments, displaying their live specimens at traveling zoological exhibits. The goal was to prove a racial and civilizational superiority by showing just how far white Europeans had evolved from primitive conditions.

Such a people were also seen as too incompetent to manage their own lands and raise their own children. Their land and children were taken from them for their own good. The children were placed into the special care of white families and the land into the hands of white farmers (like Warren’s settler ancestors). Those who could not be killed or assimilated were placed under the supervision of the Department of Interior, which manages wildlife and public lands, where it was hoped that they would just disappear.

In other words, Native people, living or dead, were relegated to a tragic past with no place in the future of a white settler nation. Their identities and lands were simply absorbed and made into sports mascots and names for states and military equipment. Countless Native people were lost to this system, torn from their families and their Indigenous nations. Indigenous nations are still searching to reclaim their lost relatives — but Warren is not one of those people.

While Warren and white people like her are rushing to get DNA tests that prove “Native American ancestry,” there is less enthusiasm among white people about proving “African ancestry.” That’s the unspoken racist undertone of this whole debate, especially since many Black Americans have actual connections to Indigenous nations of this hemisphere. The “one-drop rule” of African ancestry, a racial calculus created to increase the size of slaveowners’ property through biological reproduction, was designed to make one Black and nothing more — not Indigenous and especially not white. (Even the descendants of Cherokee slaves were disallowed tribal citizenship until recently.)

These racial logics simply don’t grant Black and Native people the same visibility or authority over their own identities the same way they do to a powerful white woman who takes a DNA test. That’s called white supremacy.

Warren’s claims and Trump’s attacks have never been about upholding Native sovereignty. It’s pure opportunism. While Trump applauded the Cherokee Nation’s dismissal of Warren’s claims, his self-proclaimed policy of “American carnage” has opened billions of acres for offshore drilling — threatening circumpolar Indigenous nations as ice sheets melt and global temperatures rise — and has opened millions of acres of the Bears Ears National Monument, a once-protected Indigenous sacred site in the Southwest, for coal and uranium mining.

And North Dakota recently passed legislation disenfranchising thousands of Native American voters in the state, in places like Standing Rock that desperately fought the Dakota Access pipeline. Today, Standing Rock and the entire Sioux Nation in the Northern Plains are planning to halt the trespass of the Keystone XL pipeline through our treaty territory, a pipeline that imperils our water, our sovereignty, and therefore our lives.

While Indigenous nations face existential threats, Warren’s conflation of her “Native American ancestry” with Native American identity only continues a history of theft.

There are plenty of other examples. Some are even race-based, along the lines of the pseudoscience through which Warren tried to hitch her wagon to Native Americans. A federal court recently ruled that the Indian Child Welfare Act, a four decade-old law created to keep Native families intact, is “race-based” legislation and therefore “unconstitutional.” Created to protect children who are members of Native nations or whose biological parents are members of Native nations, the law, in fact, was designed to prevent the disintegration of Native nations: the widespread practice of taking Native children and adopting them out to white families or placing them into state foster care systems.

While Indigenous nations face existential threats — from losing their children, land, and water — Warren’s conflation of her “Native American ancestry” with Native American identity only continues a history of theft. The purposeful distortion and misunderstanding of Native sovereignty and identity, whether by Trump or Warren, is a longstanding tradition of American imperialism that has facilitated the taking of resources, whether they’re Native lands or Native bodies. And we still want our stolen relatives and stolen land back, regardless of the settler infighting currently taking place.

Warren has taken some concrete steps in an effort to help Native Americans, but her recent entry into the waters of Native identity stands to outweigh any efforts she has made for Natives. I’m not holding my breath for her to do the right thing — such as making a formal apology. Like Vine Deloria, the Standing Rock Dakota writer whose people are currently under threat, I don’t resent white people like Warren. I just hope she can accept herself and just leave us alone.

While Warren has become the punchline of a lot of jokes in Indian Country — “I’m Cherokee on my white side,” and so on — boiling Native American identity and race down to biology, and, more specifically, genomics, is racist. It needs to stop.

The post Native American Sovereignty Is Under Attack. Here’s How Elizabeth Warren’s DNA Test Hurt Our Struggle. appeared first on The Intercept.

Week in Review: The Two Tales of Volatility

When it comes to volatility, stocks and cryptocurrencies diverged wildly this week. On the equities front, major selloffs in China and Wall Street were followed by equally large single-day rallies, as investors bought on the dip. For cryptocurrencies, the picture was largely unchanged for most of the week, as bitcoin and the broader market hovered […]

The post Week in Review: The Two Tales of Volatility appeared first on Hacked: Hacking Finance.

Should We Break Up the Tech Giants? Not if You Ask the Economists Who Take Money From Them

This week's FTC hearings on the growing power of companies like Amazon, Facebook, and Google only included economists who have taken money, directly and indirectly, from giant corporations that have a stake in the debate. From a report: Amid growing concern over the power of such behemoths as Amazon, Google, Facebook, and other tech giants, in recent months there's been a bipartisan push for better enforcement of antitrust rules -- with even President Trump saying in August that their size and influence could constitute a "very antitrust situation." The Federal Trade Commission (FTC) has launched its most wide-ranging study of corporate concentration in America in more than 20 years with a series of hearings being held around the country. Chairman Joseph Simons, a practical enforcement-minded leader, launched the hearings by expressing concern over the growing problem of monopoly, which is now found in nearly every sector of the economy. "I approach all of these issues with a very open mind," said Simons, "very much willing to be influenced by what I see and hear." But there's a problem. The FTC organized these hearings so that Simons and the public would be hearing from many economists who have taken money, directly or indirectly, from giant corporations. For example, on Monday, the FTC convened a panel titled "The Current Economic Understanding of Multi-Sided Platforms" to look specifically at the most dynamic and dangerous set of concentrated economic actors, the big tech platforms. Every single one of the economists who testified had financial ties to giant corporations. One example is David Evans, the chairman of the Global Economics Group. Evans scoffed at the danger of platform monopolies. He indicated that the question of "whether Facebook and Google and Amazon are monopolies, it's all interesting, it's great to read in the New York Times," but it's "not all that relevant" to the practice of antitrust. 
His firm has taken money directly from Microsoft, Visa, the large investment bank SIFMA, and the Chinese tech giant Tencent. Another example is Howard Shelanski, a partner at Davis Polk. Shelanski is more enforcement-minded, but he expressed caution, testifying that we don't know enough for antitrust enforcers to understand whether powerful technology companies hold unassailable market positions. Shelanski pointed to his own children, saying that they've stopped using Facebook because it's uncool. As it turns out, his law firm's clients include Facebook, as well as Comcast, and Chinese search giant Baidu.

Read more of this story at Slashdot.

10 Best Online Shopping Apps For Android

The Internet has transformed every aspect of human life. We now rely on the internet for entertainment, gathering knowledge, communication and endless other activities. In fact, with the help of the internet, we can browse some of the largest online stores and shops from the comfort of our homes.

Well, if you are a person who purchases everything from groceries to vehicles online, then the question “which is the best online shopping app?” might have crossed your mind. So here are the ten best online shopping apps that will impress you.

1. Amazon

Amazon is possibly the most popular online shopping application that boasts separate websites for around fifteen countries. Apart from e-commerce services Amazon also has its dedicated music, movies, and TV shows streaming services.

Amazon’s popularity and an extensive selection of more than 562 million products forced us to place Amazon in the first position of this online shopping apps list. Detailed reviews and ratings on Amazon may help you to make purchase decisions. You can blindly trust Amazon for the quality and reliability of products.

DOWNLOAD Amazon

2. Flipkart

The next, equally popular app for online shopping on the list is Flipkart. This Indian e-commerce website has a huge collection of products. Flipkart also boasts popular books and eyewear subsidiaries.

Searching and exploring tools on this online shopping application make finding the right product reasonably simple. Flipkart also hosts many monthly and yearly sales that offer massive discounts on selected products. In addition to that, many smartphones and popular products are exclusively launched on Flipkart.

DOWNLOAD Flipkart

3. Paytm Mall

Paytm is one of the most popular e-wallet services in India that also has a full-fledged online shopping application Paytm Mall. This is one of the best app for online shopping that has gained immense popularity and exponential growth in recent years due to the massive cashback offers across a wide variety of products.

Paytm wallet also makes the process of paying for orders relatively straightforward and secure. While ordering, keep an eye on coupon codes for discounts and cashback offers. Similar to other shopping apps Paytm Mall also has millions of products in its catalog.

DOWNLOAD Paytm Mall

4. Snapdeal

The next popular online shopping application on the list is Snapdeal. Though Snapdeal isn’t as popular as Amazon and Flipkart, it still has a massive selection of more than 65 million products. Snapdeal offers some of the best deals during festive seasons. Apart from heavy discounts, there are many products that are exclusively available on Snapdeal.

Secure payments, an extensive collection of products, and reliable delivery speeds earned Snapdeal a place on the best online shopping apps list.

DOWNLOAD Snapdeal

5. Tata CLiQ

Tata CLiQ is the best online shopping application for purchasing products available in different Tata subsidiaries like Croma, Voltas, Tanishq, Fastrack, Westside, and many more. This e-commerce website also offers impressive discounts and cashback offers. The overall UI of this shopping app makes searching and exploring content a breeze.

The product listing on Tata CLiQ is very well sorted and focused on consumer electronics and consumer segment. Lastly, the Now Trending section shows the best deals with massive discounts that are selling like hot cakes.

DOWNLOAD Tata CLiQ

6. Myntra

The next best app for online shopping on the list is Myntra. Myntra was India’s first fashion-based online shopping app. You can find all sorts of clothing and fashion accessories on Myntra. In addition to that, Myntra also has a decent collection of clothing from popular international brands.

Monthly sales on Myntra offer impressive discounts over a wide selection of products. Similar to many other online shopping apps Myntra also has clear return policies. Myntra has grown exponentially in the past few years, and users reviews helped this app to be a part of this best online shopping apps list.

DOWNLOAD Myntra

7. Jabong

Jabong is another fashion online shopping application that directly competes with Myntra. This popular online shopping application boasts more than 1200 brands and over 30,000+ products to pick from. Similar to Myntra, Jabong has also tied up with many national as well as international brands.

Jabong also suggests personalized content based on users activities and interests. You can expect massive discounts during festive sales and Jabong’s delivery speeds are also reliable.

DOWNLOAD Jabong

8. OLX

OLX helps users to buy and sell used or new products. You can find impressive deals on OLX with products ranging from a smartphone to an SUV car. OLX also provides a well developed messaging feature for communicating with potential buyers. Furthermore, OLX displays content based on your location.

This is one of the best online shopping apps both for selling and purchasing stuff. If you have any unused product in your home selling it might help you earn some extra cash and the person in need will be helped at the same time.

DOWNLOAD OLX

9. 2GUD

2GUD is a relatively new e-commerce service that is owned and operated by Flipkart. This online shopping application is dedicated to selling refurbished smartphones and consumer electronics products. You can find refurbished content available in various quality ratings.

So if you want a secondary smartphone or just want to use a premium smartphone at not so premium price point, then 2GUD will definitely impress you.

VISIT 2GUD

10. Google App

The Google search app is possibly the best pre-installed online shopping app. Whenever you search for a product on Google, you are presented with a number of different stores. Moreover, Google makes it relatively simple to compare the pricing of that product across different online shopping apps.

Once you compare the pricing, you can easily choose the best shopping apps and directly purchase your product from that particular online shopping application. In addition to that, Google also suggests you several products while browsing the internet based on your online activity.

DOWNLOAD Google App

CONCLUSION

So these were some of the best online shopping applications that will help you purchase all sorts of products online. We do suggest comparing prices on different websites and using promo codes to get additional discounts and cashback offers.

Do share any other impressive e-commerce application that you use in the comments section below.

The post 10 Best Online Shopping Apps For Android appeared first on TechWorm.

Comprehensive Guide to Gobuster Tool

Hello friends!! Today we are going to demonstrate URL and DNS brute-force attacks: extracting directories and files from a target URL, and subdomains from DNS, using the Gobuster tool.

Table of Content

  • Introduction & Installation
  • Using Wordlist for Directory Brute-Force
  • Obtaining Full Path for a directory or file
  • Hide Status Code
  • Verbose Mode
  • Identify Content Length
  • Disable Banner
  • User-Agent Mode
  • Obtain Result with Specify Status Code
  • Timeout
  • Appending Forward slash
  • Saving Output Result inside Text File
  • Enumerating Directory with Specific Extension List
  • Follow Redirect
  • HTTP Authorization (-U username -P password)
  • DNS Mode
  • Set Threads Number
  • Obtain Subdomain IPs
  • Force Processing Brute Force
  • Hide Process of Extracting
  • Extracting CNAME Records

Introduction & Installation

Gobuster is a tool used to brute-force URIs (directories and files) on web sites and DNS subdomains. Gobuster is available from the apt repository, so run the following command to install it.

apt-get install gobuster

Once it is installed, you can view all available options with the following command.

gobuster -h

Common Parameters

  • -fw – force processing of a domain with wildcard results.
  • -np – hide the progress output.
  • -m <mode> – which mode to use, either dir or dns (default: dir).
  • -q – disables banner/underline output.
  • -t <threads> – number of threads to run (default: 10).
  • -u <url/domain> – full URL (including scheme), or base domain name.
  • -v – verbose output (show all results).
  • -w <wordlist> – path to the wordlist used for brute forcing (use – for stdin).

Dir mode Parameter

  • -a <user agent string> – specify a user agent string to send in the request header.
  • -c <http cookies> – use this to specify any cookies that you might need (simulating auth).
  • -e – specify extended mode that renders the full URL.
  • -f – append / for directory brute forces.
  • -k – Skip verification of SSL certificates.
  • -l – show the length of the response.
  • -n – “no status” mode, disables the output of the result’s status code.
  • -o <file> – specify a file name to write the output to.
  • -p <proxy url> – specify a proxy to use for all requests (scheme must match the URL scheme).
  • -r – follow redirects.
  • -s <status codes> – comma-separated set of the list of status codes to be deemed a “positive” (default: 200,204,301,302,307).
  • -x <extensions> – list of extensions to check for, if any.
  • -P <password> – HTTP Authorization password (Basic Auth only, prompted if missing).
  • -U <username> – HTTP Authorization username (Basic Auth only).
  • -to <timeout> – HTTP timeout. Examples: 10s, 100ms, 1m (default: 10s).

DNS mode Parameters

  • -cn – show CNAME records (cannot be used with ‘-i’ option).
  • -i – show all IP addresses for the result.

Using Wordlist for Directory Brute-Force

You can use the -w option to supply a wordlist, for example common.txt or medium.txt, to brute-force the web directories and files under the target URL.

gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt

The above command will list every file and directory it finds using the common.txt wordlist.

Obtaining Full Path for a directory or file

Using the -e option gives more useful output, as it prints the complete URL of every file or directory found.

gobuster -e -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt

You can compare the following output with the previous result.

Hide Status Code

Using the -n option (“no status” mode) prints the results without their status codes.

gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -n

The above command will list every file and directory it finds without displaying their status codes.


Verbose Mode

Using the -v option enables verbose output: every attempted file or directory is printed, not just the hits.

gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -v

As you can observe from the output, this time it also lists results with status 404 for missing directories or files.

Identify Content Length

Using the -l option shows the size of each response. The Content-Length header gives the exact byte length of the HTTP body for each file or directory found, which is handy for spotting identical placeholder pages among the hits.

gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -l

Disable Banner

Gobuster always prints a banner summarising the options in use when it starts a brute-force run. The -q option suppresses the banner and the underline so that only results are printed.

gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -q

In the image below, you can see the difference between the previous output and the current one.

User-Agent Mode

Using the -a option sets the User-Agent string sent in the request header while extracting directories and files from the target URL; this is useful when a server or WAF filters the default user agent.

gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -a Mozilla/5.0 -fw

Obtain Result with Specify Status Code

Using the -s option restricts the output to specific status codes, such as 302, 200, 403 or 404, so that only pages returning those statuses are reported.

gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -s 302
gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -s 200

The image below shows the output obtained for the above commands.

Timeout

Using the -to option sets the timeout for each HTTP request; the default is 10 seconds.

gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -to 10s

Appending Forward slash

Using the -f option appends a forward slash to each word while brute-forcing the target URL, which helps identify directories that only answer when requested with a trailing slash.

gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -f


Saving Output Result inside Text File

Using the -o option writes the results to a text file, which is useful for later reference.

gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -o result.txt

We can verify the contents of result.txt with the cat command.

cat result.txt


Enumerating Directory with Specific Extension List

There are many situations where we need to find files with a specific extension on the target server, and for that we can use the -x parameter. It accepts a list of extensions, and each word from the wordlist is then also checked with those extensions appended.

gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -x .php


Follow Redirect

Using the -r option makes Gobuster follow redirects, so the status code reported for a redirecting directory or file is that of the final destination rather than the 3xx response.

gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -q
gobuster -u http://192.168.1.108/dvwa -r -w /usr/share/wordlists/dirb/common.txt -q

You can compare the output of the default scan with the output obtained when following redirects.

HTTP Authorization (-U username -P password)

HTTP authentication mechanisms are based on the 401 status code and the WWW-Authenticate response header. The most widely used mechanism is Basic, in which the client sends the username and password as base64-encoded text; base64 is an encoding, not encryption, so the credentials travel in the clear unless TLS is used.

So, to brute-force directories that sit behind Basic authentication, we supply known credentials to Gobuster with the command below (this does not bypass the authentication; it authenticates each request):

gobuster -u http://192.168.1.108/dvwa -w /usr/share/wordlists/dirb/common.txt -U test -P test

As a result, status code 200 is shown, because test:test is a valid credential pair for the target URL.
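To show what the dir-mode options above actually do on the wire, here is an added example in Python; it is not Gobuster’s own code. It re-implements the core of dir mode: expanding a wordlist with extensions (-x) and a trailing slash (-f), requesting each candidate without following redirects, reporting the status code and Content-Length (-l), filtering on a positive status set (-s), and refusing to run against a wildcard target unless forced (-fw). The local target it spins up, its routes, and the five-word stand-in wordlist are constructed for the demo.

```python
"""Minimal gobuster-style directory brute-forcer (added illustration, not gobuster's own code)."""
import http.client
import random
import string
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

DEFAULT_POSITIVE = {200, 204, 301, 302, 307}  # gobuster's default -s set


def probe(url, user_agent="Mozilla/5.0", timeout=10.0, extra_headers=None):
    """GET one URL without following redirects (gobuster's default); return (status, body length)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    headers = {"User-Agent": user_agent, **(extra_headers or {})}   # -a, or -c / Basic auth
    try:
        conn.request("GET", parts.path or "/", headers=headers)
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def candidates(words, extensions=(), add_slash=False):
    """Expand a wordlist the way -x (extensions) and -f (trailing slash) do; skip blanks/comments."""
    for raw in words:
        word = raw.strip()
        if not word or word.startswith("#"):
            continue
        yield (word + "/") if add_slash else word
        for ext in extensions:
            yield word + ext


def is_wildcard(base_url, probe_fn=probe, positive=DEFAULT_POSITIVE):
    """True when a random, certainly non-existent path still yields a 'positive' status."""
    junk = "".join(random.choices(string.ascii_lowercase, k=16))
    status, _ = probe_fn(f"{base_url}/{junk}")
    return status in positive


def brute_force(base_url, words, extensions=(), add_slash=False,
                positive=DEFAULT_POSITIVE, force_wildcard=False, probe_fn=probe):
    """Return {path: (status, length)} for every candidate whose status is in `positive`.
    Like gobuster, refuse to run against a wildcard target unless forced (-fw)."""
    base_url = base_url.rstrip("/")
    if not force_wildcard and is_wildcard(base_url, probe_fn, positive):
        raise RuntimeError("wildcard response: every path looks valid; use force_wildcard=True")
    found = {}
    for path in candidates(words, extensions, add_slash):
        status, length = probe_fn(f"{base_url}/{path}")
        if status in positive:
            found[path] = (status, length)
    return found


def start_fake_server(routes):
    """Constructed local target: routes maps path -> status ('*' is a catch-all); otherwise 404."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status = routes.get(self.path, routes.get("*", 404))
            body = f"{status} for {self.path}\n".encode()
            self.send_response(status)
            if status in (301, 302, 307):
                self.send_header("Location", self.path + "/")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    srv, base = start_fake_server({"/dvwa/login.php": 200, "/dvwa/config": 301, "/dvwa/admin": 403})
    words = ["admin", "config", "index", "login", "phpinfo"]  # stand-in for common.txt
    for path, (status, length) in brute_force(f"{base}/dvwa", words, extensions=(".php",)).items():
        print(f"/dvwa/{path} (Status: {status}) [Size: {length}]")
    srv.shutdown()
```

Note that a 403 on /dvwa/admin is dropped by the default positive set, exactly as with Gobuster; pass `positive={403}` (the equivalent of `-s 403`) to surface forbidden-but-present directories, which are often the interesting ones.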

DNS Mode

Using the -m dns option enables DNS mode, which brute-forces subdomains of the given domain; it needs a domain that actually resolves, typically a public one.

gobuster -m dns -u google.com -w /usr/share/wordlists/dirb/common.txt

You can observe the output in the result below.

Set Threads Number

Using the -t option sets the number of concurrent threads used while brute-forcing subdomain names or directories.

gobuster -m dns -u google.com -t 100 -w /usr/share/wordlists/dirb/common.txt

Obtain Subdomain IPs

Using the -i option shows the IP addresses resolved for each subdomain found.

gobuster -m dns -u google.com -t 100 -w /usr/share/wordlists/dirb/common.txt -i

In the result below you can see the IPv4 or IPv6 address of each extracted subdomain.

Force Processing Brute Force

Gobuster stops extracting subdomain names if it detects wildcard DNS, where even a non-existent subdomain resolves; use the -fw option to enable force processing and continue the brute force even when a wildcard domain is found.

gobuster -m dns -u google.com -t 100 -w /usr/share/wordlists/dirb/common.txt -fw
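The wildcard check that the -fw discussion refers to is easy to misread, so here is an added example of the logic (not Gobuster's own code): resolve a few random labels that cannot exist under the zone; if they all answer with the same addresses, the zone has a wildcard record and every wordlist entry would otherwise look like a hit. The filtering of hits that only return the wildcard address is my own refinement, not documented Gobuster behaviour. The resolver is injected so the example runs offline against a constructed zone (example.test); `system_resolve` is the real-resolver variant for checking your own zone.

```python
"""Added example (not part of the Gobuster guide): detecting wildcard DNS the
way a subdomain brute-forcer must, and handling it when told to continue.
Zone data below is constructed; example.test does not exist.
"""
import secrets
import socket


def system_resolve(name):
    """Real resolver: the set of IPv4/IPv6 addresses for name, or an empty set
    when it does not exist (NXDOMAIN)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def detect_wildcard(domain, resolve, probes=3):
    """Resolve a few random, certainly non-existent labels under domain.
    Return the address set they all share (the wildcard answer), or an empty
    set if at least one of them fails to resolve (no wildcard record)."""
    answers = []
    for _ in range(probes):
        label = secrets.token_hex(8)          # 16 random hex chars
        answers.append(resolve("%s.%s" % (label, domain)))
    if not all(answers):
        return set()
    return set.intersection(*answers)


def enumerate_subdomains(domain, words, resolve, force_wildcard=False):
    """Resolve word.domain for every word in the list.
    Without force_wildcard, stop as soon as a wildcard is detected (so the
    results are not polluted). With it, keep going but drop names whose only
    addresses are the wildcard answer, since those are not real hosts."""
    wildcard = detect_wildcard(domain, resolve)
    if wildcard and not force_wildcard:
        raise RuntimeError("wildcard DNS detected for %s: %s"
                           % (domain, sorted(wildcard)))
    found = {}
    for word in words:
        name = "%s.%s" % (word, domain)
        addrs = resolve(name)
        if not addrs:
            continue
        if wildcard and addrs <= wildcard:
            continue                          # catch-all answer only
        found[name] = addrs
    return found


# Constructed zone: two real records, and a wildcard (*.example.test)
# that answers 203.0.113.9 for anything else.
FAKE_ZONE = {
    "www.example.test": {"198.51.100.10"},
    "mail.example.test": {"198.51.100.20", "203.0.113.9"},
}


def fake_resolve(name):
    """Offline stand-in for system_resolve using FAKE_ZONE."""
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    if name.endswith(".example.test"):
        return {"203.0.113.9"}
    return set()


if __name__ == "__main__":
    print(detect_wildcard("example.test", fake_resolve))   # {'203.0.113.9'}
    print(enumerate_subdomains("example.test", ["www", "mail", "ftp"],
                               fake_resolve, force_wildcard=True))
```

Note that mail.example.test survives the filter because it returns an address beyond the wildcard one, while ftp.example.test is dropped. For an operator, the same `detect_wildcard` call is a quick way to confirm whether a zone you administer really has a catch-all record.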

Hide Process of Extracting

Using the -np option hides the progress display while brute-forcing subdomain names.

gobuster -m dns -u google.com -t 100 -w /usr/share/wordlists/dirb/common.txt -fw -np

Extracting CNAME Records

Using the -cn option enables the CNAME parameter, which shows the CNAME records of the extracted subdomains.

gobuster -m dns -u google.com -t 100 -w /usr/share/wordlists/dirb/common.txt -cn

The output of the above command is shown in the result below.
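The directory, extension and redirect scans earlier in this guide leave a distinctive trail in the web server's access log. The following is an added example, not part of the Gobuster guide, of what that trail looks like and how to flag it: a burst of requests from one client in which most responses are 401/403/404. The log lines are constructed Apache combined-format entries, and the window and thresholds are assumptions to tune per site.

```python
"""Added example (not part of the Gobuster guide): spotting directory
brute-forcing in an Apache combined access log. Sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: two ordinary visitors and one client walking a wordlist.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Oct/2018:10:00:01 +0000] "GET /dvwa/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [19/Oct/2018:10:00:03 +0000] "GET /dvwa/login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Oct/2018:10:00:20 +0000] "GET /favicon.ico HTTP/1.1" 404 300 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Oct/2018:10:00:22 +0000] "GET /dvwa/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Oct/2018:10:00:05 +0000] "GET /dvwa/admin.php HTTP/1.1" 404 300 "-" "gobuster/2.0"
198.51.100.7 - - [19/Oct/2018:10:00:05 +0000] "GET /dvwa/backup.php HTTP/1.1" 404 300 "-" "gobuster/2.0"
198.51.100.7 - - [19/Oct/2018:10:00:05 +0000] "GET /dvwa/config.php HTTP/1.1" 404 300 "-" "gobuster/2.0"
198.51.100.7 - - [19/Oct/2018:10:00:06 +0000] "GET /dvwa/test.php HTTP/1.1" 404 300 "-" "gobuster/2.0"
198.51.100.7 - - [19/Oct/2018:10:00:06 +0000] "GET /dvwa/upload.php HTTP/1.1" 404 300 "-" "gobuster/2.0"
198.51.100.7 - - [19/Oct/2018:10:00:06 +0000] "GET /dvwa/cgi-bin HTTP/1.1" 404 300 "-" "gobuster/2.0"
198.51.100.7 - - [19/Oct/2018:10:00:07 +0000] "GET /dvwa/images HTTP/1.1" 301 0 "-" "gobuster/2.0"
198.51.100.7 - - [19/Oct/2018:10:00:07 +0000] "GET /dvwa/login.php HTTP/1.1" 200 1500 "-" "gobuster/2.0"
"""

MISS_STATUSES = {401, 403, 404}


def parse_log(text):
    """Turn combined-format lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
            "ua": m["ua"],
        })
    return events


def detect_bruteforce(events, window=timedelta(seconds=60),
                      min_requests=6, min_miss_ratio=0.7):
    """Per client IP, slide a time window over its requests and report the
    largest window in which at least min_requests were made and at least
    min_miss_ratio of them were 401/403/404. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            if len(chunk) < min_requests:
                continue
            misses = sum(1 for e in chunk if e["status"] in MISS_STATUSES)
            if misses / len(chunk) < min_miss_ratio:
                continue
            if best is None or len(chunk) > best["requests"]:
                best = {"ip": ip, "requests": len(chunk), "misses": misses,
                        "distinct_paths": len({e["path"] for e in chunk}),
                        "user_agents": sorted({e["ua"] for e in chunk}),
                        "first": chunk[0]["ts"], "last": chunk[-1]["ts"]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

The miss ratio, not the user agent, is what carries the signal: the agent string is trivially changed, whereas a wordlist walk cannot avoid producing mostly misses. The 301 and 200 lines in the sample are the kind of results a scan with -r and -x would report as hits.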

Author: Shubham Pandey is a Technical writer, Researcher and Penetration tester contact here

The post Comprehensive Guide to Gobuster Tool appeared first on Hacking Articles.

DDoS Attack On Nat’l Security Issues Blog Lawfare

In response to last night’s news Popular Lawfare Blog Hit by DDoS Attack — Here’s What We Know, a Corero Network Security expert offers perspective. Lawfareblog.com is focused on national security issues, is published by the Lawfare Institute in cooperation with the Brookings Institution, and attracts approximately half a million unique readers each month.

Sean Newman, Director Product Management at Corero Network Security:

“Recent attacks on the Lawfare blog hark back to the ‘good-old days’ of DDoS, where perpetrators were typically just aiming to bring a site down to make the point that they do not agree with the views of the authors.  Now, this is just one of many motives for DDoS attacks, many of which have the objective to make money for the cyber criminals, such as with ransom DDoS.  What’s interesting here is whether news or blog sites are more tolerant to downtime than many other businesses are these days, with the statement that they use DDoS protection, but they’re still down.   Presumably they were waiting for that protection to be manually enabled somewhere in the cloud.

It may well be acceptable for the owners of the Lawfare blog, or other similar sites, to use DDoS protection which has to be engaged after the fact, and results in an extended period of downtime.  However, if most or all of your business revenue is generated online, every minute you’re down will usually hit the bottom line directly, which certainly won’t be tolerated by company owners or shareholders.  And, neither should it be, as the latest DDoS protection solutions can operate in real-time, automatically blocking DDoS attacks before they have a chance to make any impact, and keeping vital services and applications online, without skipping a beat.”

The ISBuzz Post: This Post DDoS Attack On Nat’l Security Issues Blog Lawfare appeared first on Information Security Buzz.

Zcash Price Analysis: What is Behind the Recent Surge in Price?

Zcash had jumped over 17% over the period of 12-18th October, before running into sellers. The foundation set to launch the Sapling protocol upgrade. To improve efficiency for shielded transactions. Zcash over a 6-day period from 12-18th October gained a whopping 17%. Moving quickly from as low as $108, to then be above $126. Since, the price […]

The post Zcash Price Analysis: What is Behind the Recent Surge in Price? appeared first on Hacked: Hacking Finance.

UK-based Card Factory Website Glitch Exposes Personal Data

News is breaking that a leading retailer has seen a website glitch put the privacy of customers’ personal data at risk. This time, Card Factory, a popular UK-based greeting card business, has been storing customers’ data in an insecure way, letting the public access their photos with a basic URL trick, specifically through an ‘insecure direct object reference.’ Bryan Becker, Application Security Researcher, WhiteHat Security, commented on the incident.

Bryan Becker, Application Security Researcher at WhiteHat Security:

“The Card Factory security incident is an important reminder that our personal information is constantly at risk. Unfortunately, Card Factory’s response to the personal data breach shows they are out of touch with the realities of modern software security and failed to follow Secure Coding Principles. The first steps any company should take to start a security program (in any order) are to: a) Set up some sort of auditing, testing, or scanning, b) Implement a responsible disclosure program: an email linked on their website (e.g. security@example.com) accompanied with a description of the policy. To go further, companies can include a PGP key so researchers can encrypt sensitive data they may have found when reporting.

In Card Factory’s case, they allegedly had no means for responsible disclosure, had no testing and threatened the researcher who provided them with free consulting. The question must be raised: Did Card Factory notify all their customers that their private photos were leaked?

To quote their response: “…the Internet is not a secure medium and we cannot guarantee the security of any data you disclose online. You accept the inherent security risks of providing information and dealing online over the Internet and will not hold us responsible for any breach of security unless this is due to our negligence or wilful (sic) default.” Responsible companies are actively making the internet a more secure place, day by day, and responsible security researchers are actively helping progress that goal. Companies that blame others for their security failings, and actively repress when their users’ data has been breached will not survive long in today’s more vigilant, increasingly regulated landscape.”

The ISBuzz Post: This Post UK-based Card Factory Website Glitch Exposes Personal Data appeared first on Information Security Buzz.

Pre-Market Analysis And Chartbook: Risk Assets Higher Thanks to Chinese Bounce

Friday Market Snapshot

Asset          Current Value   Daily Change
S&P 500        2,797           0.81
DAX 30         11,568          -0.18%
WTI Crude Oil  69.61           1.35%
GOLD           1,230           0.16%
Bitcoin        6,379           -0.24%
EUR/USD        1.1480          0.24%

Risk assets are having an active and already very busy day after yesterday’s tumultuous session, as volatility continues to be high, especially in equities. All […]

The post Pre-Market Analysis And Chartbook: Risk Assets Higher Thanks to Chinese Bounce appeared first on Hacked: Hacking Finance.

Google App Suite Costs as Much as $40 Per Phone Under New EU Android Deal

Android manufacturers will have to pay Google a surprisingly high cost in Europe in order to include Google's Play Store and other mobile apps on their devices, according to documents obtained by The Verge. From the report: A confidential fee schedule shows costs as high as $40 per device to install the "Google Mobile Services" suite of apps, which includes the Google Play Store. The new fees vary depending on country and device type, and it would apply to devices activated on or after February 1st, 2019. But phone manufacturers may not actually have to shoulder that cost: Google is also offering separate agreements to cover some or all of the licensing costs for companies that choose to install Chrome and Google search on their devices as well, according to a person familiar with the terms. Google declined to comment.

Read more of this story at Slashdot.

How to Boost Remote Productivity While Remaining Secure

The state of workplace mobility

The continued white-hot proliferation of personal devices has led to businesses adopting cultures where employees can contribute remotely, using whatever device is accessible. For many, this has led to Bring Your Own Device (BYOD) initiatives, where businesses formally embrace the use of personal devices and enable remote access to corporate data and applications. For others, a specific line of business drives the increased usage of personal devices, such as a sales team becoming increasingly mobile or a customer-facing team leveraging tablets to execute transactions.

According to IDC’s Worldwide Semiannual Mobility Spending Guide, worldwide spending on mobility solutions is forecast to reach $1.72 trillion in 2021. IDC also found that two of the industries leading this surge – professional services and manufacturing – are largely driven by a “highly mobile, on-the-go workforce.”

While workplace mobility strategies are both gaining traction and clear drivers for productivity, pursuing them means that you’re introducing numerous entry points into your network environment, inherently increasing your attack surface. This article will shed some light on the importance of mobile security and detail how you can enable effective personal device usage with software that hardens your environment from threats.

The shortcomings of existing approaches to mobile security

Even as BYOD and workplace mobility strategies have gained traction, many businesses have neglected to complement these strategies with an effective security implementation. There are a few reasons for this.

First, workplace mobility strategies are relatively new and still emerging, which commonly leads to a misunderstanding of how to properly secure them. This problem is exacerbated by a confusing marketplace in which many security vendors offer solutions they claim to be a “silver bullet” for whatever threats may arise. In reality, a single solution rarely provides complete protection, leaving businesses vulnerable as a result.

Another reason some struggle with mobile security is that budgets force businesses to prioritize their security measures. In these situations, many opt for other, more traditional security measures that fail to secure the network from the end-user device. These organizations must understand there are countless ways for cybercriminals to access corporate data, and they will move to the point of least resistance – even if you spend heavily on firewalls, they will seek out weaker areas to attack. Part of mitigating threats means you need to understand your weaknesses and act to fortify them. According to Dimensional Research’s The Growing Threat of Mobile Device Security Breaches, 20% of companies’ mobile devices have been breached.

This last point particularly applies to businesses that are understaffed or lack security expertise: your mobile security posture is only as strong as the personnel deploying the solutions and managing the environment. According to ESG’s 2018 annual global survey on the state of IT, 51% of respondents believe their organization has a problematic shortage of cybersecurity skills – a number that has grown each year since 2014. Some of the larger security problems that organizations run into stem from a failure to configure the solutions correctly. Further, if your team is not familiar with managing the solution or you lack the manpower to monitor the environment 24/7, you limit your ability to assess threats and make intelligent decisions to mitigate them.

Keys to a successful mobile security approach

While it is important to understand how bad actors operate and the inadequacy of some current approaches, you shouldn’t be intimidated into avoiding workplace mobility altogether. In an increasingly mobile world, BYOD strategies can massively boost end-user productivity. A proper workplace mobility implementation with the right protection is in the best interests of your workforce.

Below are some keys to a successful mobile security implementation:

Key 1: Take a holistic security approach

The core value of any mobile security approach is preventing malicious hackers from accessing sensitive information. In this context, you must remember that personal devices serve as the point of access to your corporate resources, but should other weaknesses exist, they too can be exploited. When implementing mobile security, you must take a holistic approach that accounts for how the solution works with your existing security implementations to protect your environment from top to bottom: from the devices, through the operating system and software stack, to the public or private cloud. By doing so, you will be better equipped to eliminate any gaps in your security posture and ensure consistent protection.

Tip: Many businesses have implemented solutions from numerous vendors over time across their environment (i.e., a firewall from one vendor, intrusion detection and prevention systems from another vendor, anti-malware from a third, and so on). It is common for these solutions to not work well with one another. Additionally, some teams are not well-versed with operating each of the solutions. This, in turn, can limit visibility and the ability to monitor ongoing threats in your environment. Security vendors are beginning to respond by delivering holistic security platforms. Leveraging a more complete, integrated set of solutions like this can help simplify security management and enable greater control over your environment.

Key 2: Deliver a good user experience

Your end users want to access corporate applications and data in the most user-friendly way possible. At the same time, you have numerous security needs that may limit their experience: making sure only approved devices can gain access to the network; controlling what aspects of your network the device is connected to; verifying who is behind the device, etc. However, if you deliver a poor user experience, you may risk end-users working around your solutions or resisting the technology to a point that it is abandoned by the company altogether. With this in mind, it is in your best interest to find the right balance of stringent security measures and user-friendliness. This can be realized through a wide range of solutions (depending on your organizational needs), including single sign-on identity management tools or desktop and application streaming services that take into account securing sensitive data and ensuring end-user performance.

Tip: It is common for a company’s network team to be in charge of workplace mobility initiatives, while the security team manages its protection. In many cases, these groups aren’t in sync with one another and don’t collaborate to the extent they should. This can result in either limited remote performance or poor security. To ensure both stakeholders fulfill their needs, you should bridge any silos that separate these groups and ensure they have the means to collaborate throughout the project.

Key 3: Leverage an expert

If your team is understaffed or lacks security expertise, you should consider leveraging a security service provider. Service providers can help you navigate the marketplace to find a solution that fits your needs. Once you have chosen a solution, it is easier and more reliable to utilize this provider for implementation and/or managed services (depending on your personnel strengths), rather than increasing staff size or providing ongoing training.

Tip: Mobile security is not one-size-fits-all. Your business has unique needs that are driving the adoption of workplace mobility. When evaluating consultants, find a partner that will work with you to understand these needs and help you select a solution that complements your business, your existing security approaches, and your personnel strengths.

The ISBuzz Post: This Post How to Boost Remote Productivity While Remaining Secure appeared first on Information Security Buzz.

Critical Flaw Found in Streaming Library Used by VLC and Other Media Players

Security researchers have discovered a serious code execution vulnerability in the LIVE555 Streaming Media library—which is being used by popular media players including VLC and MPlayer, along with a number of embedded devices capable of streaming media. LIVE555 streaming media, developed and maintained by Live Networks, is a set of C++ libraries companies and application developers use to

Security Flaws & Fixes – W/E – 101918

Apple Provides Tool Allowing Users to Access Personal Data (10/17/2018)
Apple has revamped its privacy page and for the first time is allowing users in the United States the opportunity to download and review all of their data collected by the company. The option has been available to European users since May as part of the European Union's General Data Protection Regulation (GDPR). Personally identifiable information such as Apple account info, iTunes and App Store purchases and usage, contacts, calendars, mail, and even photos and documents stored in iCloud can be downloaded. But since Apple prides itself on limiting the amount of user data it stores - and encrypting many items so they can't be accessed by the company - don't expect to see a complete history of everything you've done with your device. Other aspects of the site's update include options for deactivating or deleting your account and correcting data the company is holding. The site also includes a detailed explanation of the company's data-retention policies and a library of transaction reports that outline government and law enforcement requests for data.

Authentication Bypass Bug in libssh Targets Servers, But Not GitHub's (10/18/2018)
GitHub remains unaffected by a security issue affecting thousands of servers. However, the authentication bypass bug exists in libssh versions 0.6 and higher when used in server mode. The vulnerability has been patched. A researcher warned that he uncovered over 3,300 servers vulnerable to this bug.

Bug in iOS VoiceOver Exploitable to Look Through Photos (10/17/2018)
iOS hacker Rodriguez has found a bug that can give an attacker unauthorized access to photos on an iPhone, AppleInsider reported. The bug, which is unpatched and affects the VoiceOver feature, has been detailed in a YouTube video. Rodriguez said that by using VoiceOver and the Siri assistant, an attacker can access photos and send them to another user.

Bugs Identified in LAquis SCADA Industrial Software (10/17/2018)
LAquis SCADA, an industrial automation software, is vulnerable to several bugs, including a stack-based overflow and path traversal. According to an advisory, users should update to Version 4.1.0.4114.

Cisco Advises on Vulnerabilities Across Product Lines (10/17/2018)
Cisco released multiple advisories to address vulnerabilities in its product suites. Seven of the 15 advisories deal with issues that are rated as "high," including a privilege escalation bug in Cisco's Wireless LAN Controller Software GUI.

Google's Chrome 70 Is Now Available (10/17/2018)
Google has released Chrome 70, which contains fixes for 23 security issues. Among these fixed issues are a sandbox escape in AppCache and a remote code execution bug in V8. Further information can be found in Google's advisory.

Local Privilege Escalation Bug Patched in Java Usage Tracker (10/18/2018)
The Trend Micro security team found a design flaw/weakness in Java Usage Tracker that can enable hackers to create arbitrary files, inject attacker-specified parameters, and elevate local privileges. In turn, these can be chained and used to escalate privileges in order to access resources in affected systems that are normally protected or restricted to other applications or users. Oracle patched this bug as part of its October Security Bulletin.

Microsoft's Patch for JET Database Is Incomplete (10/17/2018)
Third-party vendor 0patch has gone ahead and issued a micropatch for a critical JET Database Engine vulnerability that Microsoft incompletely patched in its October batch of fixes. The bug was shared in September after Microsoft did not provide a patch for it within the expected 120 day period. 0patch, a project that offers small fixes for vulnerabilities, issued a micropatch for the JET bug. Microsoft then released an official patch on October 9 as part of its monthly security update, but it was discovered to not be a complete fix. 0patch's Mitja Kolsek said in a post, "Namely, in an ironical twist of fate Microsoft's October update actually re-opened the CVE-2018-8423 vulnerability for 0patch users who were previously protected by our micropatch. This new micropatch, which has already been distributed to all online users by now, resumes their protection."

Multiple Vulnerabilities Found in PHP, Update Recommended (10/15/2018)
An advisory posted by the Multi-State Information Sharing and Analysis Center identifies multiple vulnerabilities in PHP, the most severe of which could allow an attacker to execute arbitrary code. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition. It is recommended that users upgrade to the latest version of PHP.

Omron Update Fixes Bugs in CX-Supervisor (10/17/2018)
Omron's CX-Supervisor has several vulnerabilities, which have been detailed in an ICS-CERT advisory. Version 3.4.2 of CX-Supervisor has been released to mitigate these issues.

Oracle Plugs 310 Holes with October's Security Patch Bulletin (10/17/2018)
Over 300 vulnerabilities have been remedied by Oracle in October's Critical Patch Update. The 301 fixes cover Oracle's Database Server, Java SE, and other product families. This is the final massive batch of vulnerability patches expected for 2018.

Researchers Point Out Flaws in Linksys Routers (10/17/2018)
Multiple exploitable operating system command injection vulnerabilities exist in the Linksys E Series line of routers. An attacker could exploit these bugs by sending an authenticated HTTP request to the network configuration and then gain the ability to arbitrarily execute code on the machine. Cisco's Talos researchers discovered these bugs and reported them to Linksys. The vulnerabilities have since been patched.

Security Bug on Third-Party Site Affects Tinder, Shopify, and Yelp (10/15/2018)
While analyzing client-side security for dating apps, the research team at vpnMentor found multiple issues affecting Tinder. Further investigation led the researchers to determine that it wasn't just Tinder that was plagued by these issues, but other apps as well, which led them to identify the source of the vulnerabilities: Branch.io, an attribution platform used by many companies. Shopify, Yelp, Western Union, and Imgur are all affected, and vpnMentor believes 685 million users of these sites could be at risk. A DOM-based XSS (cross-site scripting) vulnerability was to blame and has since been patched.

Tumblr Closes Hole that Exposed User Information (10/18/2018)
Tumblr has disclosed details regarding a bug that could have been exploited to grab user information. Email addresses, passwords, user location, and other information may have been exposed by this vulnerability. The bug was detected by a researcher participating in Tumblr's bug bounty program.

Two ICS-CERT Advisories Detail Bugs in NUUO Products (10/15/2018)
Two vulnerabilities in NUUO's NVRmini2 and NVRsolo could allow an attacker to achieve remote code execution and user account modification. These devices are network video recorders. An ICS-CERT advisory states that NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.9.1. A second advisory discusses several vulnerabilities in NUUO CMS, a central software management platform. Multiple versions are affected and users should update to firmware v3.3.

Unpatched Bugs Leave D-Link Routers Susceptible to Attacks (10/17/2018)
Researcher Blazej Adamczyk has disclosed several vulnerabilities in D-Link routers after notifying the vendor in May and receiving no reply regarding updates or patches. The vulnerabilities are serious on their own, but if chained together, an attacker could gain complete control over the device.

Update Remedies Security Issues in Delta Industrial Automation's TPEditor (10/15/2018)
Two vulnerabilities, an out-of-bounds write and a stack-based overflow, have been detected in Delta Electronics' Industrial Automation TPEditor. Delta Electronics recommends affected users update to the latest version of Delta Industrial Automation TPEditor, Version 1.91, according to an advisory posted by the ICS-CERT.

VMware Patches Bugs in ESXi, Workstation, and Fusion (10/17/2018)
ESXi, Workstation, and Fusion updates from VMware address an out-of-bounds read vulnerability. This issue could cause a guest to execute code on the host. Further information has been made available in a vendor-issued advisory.

Malware Watch – W/E – 101918

Crypto Mining Attacks Soared Significantly in Late September (10/15/2018)
Check Point Software's researchers detected a near-400% increase in crypto mining malware attacks against iPhones in the last two weeks of September - a period when attacks against users of the Safari browser also rose significantly. These attacks used the Coinhive mining malware. Check Point's latest Global Threat Index revealed that Coinhive, Dorkbot, Cryptoloot, Andromeda, and Jsecoin were the top five most wanted types of malware during the month of September.

Octopus Trojan Masquerading as Messenger App to Spy on Central Asian Entities (10/15/2018)
Central Asian diplomatic organizations have been the target for a cyber espionage campaign that is using a Trojan called "Octopus," which has been disguised as a version of a popular and legitimate online messenger. Once installed, Octopus provided attackers with remote access to victims' computers. Using Kaspersky Lab algorithms that recognize similarities in software code, researchers discovered that Octopus could have links to DustSquad - a Russian-speaking cyber-espionage actor previously detected in former USSR countries in Central Asia and Afghanistan since 2014.

Researchers Evaluate Dangerous GreyEnergy Cyber Espionage Group (10/17/2018)
The researchers at ESET have disclosed information about an entity called "GreyEnergy" and its attacks on energy companies and other high-value targets in Ukraine and Poland for several years. While ESET was assessing BlackEnergy, the threat group that caused outages in Ukraine in 2015, it came upon GreyEnergy, which has similar interests but has operated under the radar and has not been as destructive. GreyEnergy uses cyber espionage and reconnaissance tactics which could be gathering information for future attacks. GreyEnergy's malware framework bears many similarities to BlackEnergy and has connections to the Telebots threat group, an entity that was involved in the NotPetya ransomware attacks in 2017. ESET has been evaluating the connections between BlackEnergy, GreyEnergy, and Telebots and posted several blog posts about its findings.

Data Breaches – W/E – 101918

About 30,000 Defense Department Employees Had Travel Data Breach (10/15/2018)
Travel records for Department of Defense (DOD) employees were breached, resulting in the theft of personal data and payment card information, the Associated Press (AP) reported. An anonymous US official said that 30,000 employees may have been affected. In a statement, a Pentagon cyber team notified leaders of the incident on October 4. Lieutenant Colonel Joseph Buccino, a Pentagon spokesman, said, "It's important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population" of DOD personnel. The affected vendor has not been identified and further details, including the dates of the breach, have not been made public.

Anthem to Pay $16 Million for Breach that Violated HIPAA Laws (10/17/2018)
The Department of Health and Human Services (HHS) Office for Civil Rights has announced that health insurer Anthem will pay $16 million USD in penalties to settle potential privacy violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyber attacks led to the largest US health data breach in history and exposed the electronic protected health information of almost 79 million people. Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation's largest health benefits companies. In its investigation, HHS said that Anthem had not implemented the proper controls to circumvent hackers.

Cyber Thieves Selling 35 Million Voter Records in Dark Underground (10/17/2018)
Anomali Labs researchers, in close partnership with Intel 471, a cybercrime intelligence provider, have uncovered a widespread unauthorized disclosure of US voter registration databases. While the data is typically available to the public for legitimate uses, it has been learned that a large quantity of voter databases are up for sale on the dark underground. The disclosure affects 19 states and is estimated to contain 35 million records. The databases include valuable personally identifiable information and voting history.

Facebook: Breach Impacted 30 Million, Not 50 Million (10/15/2018)
Facebook has backtracked on earlier statements, saying that the large-scale breach it disclosed in September affected far fewer people than originally thought. The breach was the result of attackers exploiting a bug in Facebook's code that existed between July 2017 and September 2018 and using it to launch a cyber assault. "We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen," Guy Rosen, Facebook's VP of product management, said in a statement.

CyberCrime – W/E – 10/19/18

"Operation Oceansalt" Cyber Spy Campaign Uses Source Code from Chinese Hackers (10/18/2018)
McAfee released a report announcing the discovery of a new cyber espionage campaign targeting South Korea, the United States, and Canada. The new campaign uses a data reconnaissance implant last used in 2010 by the hacker group APT1, or Comment Crew, a Chinese military-affiliated group accused of launching cyber attacks on more than 141 US companies from 2006 to 2010. The actors of this new campaign have not been identified, but since they reused code from implants by Comment Crew, which conducted offensive cyber operations against the US dubbed Operation Seasalt, the new campaign has been named "Operation Oceansalt" due to its similarity to Seasalt. McAfee found that Oceansalt was launched in five attack waves adapted to its targets.

Crippling Ransomware Attack on NC Utility Caused by Emotet Trojan (10/17/2018)
Following Hurricane Florence, ONWASA, a critical water utility in North Carolina, has been targeted by cybercriminals in a sophisticated ransomware attack that has left the utility with limited computer capabilities. Although customer information and the water supply were unaffected, many ONWASA databases must be rebuilt from scratch as a result of the attack. The Emotet banking Trojan was blamed for repeated attacks beginning on October 4. Emotet then launched the Ryuk ransomware on October 13, and while ONWASA's IT staff worked to contain it, the virus encrypted the utility's databases and files. Federal authorities are investigating, according to a statement from ONWASA.

Facebook Issues Update on "View As" Vulnerability and Attack (10/15/2018)
Facebook issued an update to the report of the vulnerability it uncovered regarding its "View As" function. This flaw - which allowed one to steal access tokens to take over accounts - existed between July 2017 and September 2018 and is believed to have affected as many as 30 million accounts. Facebook noted that it has deactivated the feature and is cooperating with the FBI in "actively" investigating what parties may be behind the attack.

LuminosityLink RAT Creator Receives Prison Term (10/17/2018)
A 21-year-old Kentucky man will spend 30 months in prison for conspiracy to unlawfully access computers in furtherance of a criminal act, conspiracy to commit money laundering, and the illegal removal of property to prevent its lawful seizure, the Justice Department (DOJ) has announced. Colton Grubbs previously admitted to designing, marketing, and selling the LuminosityLink remote access Trojan and keylogger. In his plea agreement, Grubbs admitted to selling this software for $39.99 USD apiece to more than 6,000 customers.

Financial industry unites to enhance data security, innovation and consumer control

Financial institutions, fintech firms and industry groups launched the Financial Data Exchange (FDX), a non-profit organization to unify the financial sector around the secure exchange of financial data. FDX will address common challenges around the way the industry shares consumer account information to enhance security, innovation and consumer controls. FDX is a subsidiary of the Financial Services Information Sharing and Analysis Center (FS-ISAC). As digitization has impacted every industry, consumers expect protection of their personal … More

The post Financial industry unites to enhance data security, innovation and consumer control appeared first on Help Net Security.

TeleSign to deliver identity verification and fraud prevention with enhanced Mobile Identity Solutions

TeleSign enhanced coverage of mobile identity services in China, Brazil, and other emerging markets. International businesses can now leverage TeleSign’s solutions to onboard new customers, prevent account takeover and registration fraud, and optimize the user experience in new markets. With some of the highest consumer spending and online engagement in the world, countries like China and Brazil represent growth opportunity for digital businesses. China currently has more than 1.5 billion mobile subscribers and its consumers … More

The post TeleSign to deliver identity verification and fraud prevention with enhanced Mobile Identity Solutions appeared first on Help Net Security.

In Praise Of The Hackers

A vibrant, connected community of ethical hackers has an important role to play in the increasingly complex fight against cyber-crime, explains Brigitte d’Heygère, Vice President Security & Consulting Services at Gemalto.

Buried treasure is not just the stuff of fiction and legend. For at least some of our ancestors, it was quite simply the most effective means of protecting prized possessions from unwanted attention. And whilst the methods of defense have inevitably evolved over time, the basic game of cat and mouse between legitimate owners and those who seek to steal from them has never gone away. Of course, in an era of digitalisation, the treasure being fought over is often no longer physical. Harvesting personal data, attacking critical national infrastructures and disrupting online services are just some of the aspirations of today’s cyber-criminals. In common parlance, these 21st century bandits are often lumped together under a single, catch-all label – hackers. Equally, there is a widespread assumption that our security will be ensured simply by the application of ever-more sophisticated technologies. However, in reality, this only tells half the story. Keeping digital resources safe from cyber-attacks ultimately means harnessing the ingenuity and expertise of a diverse global family of IT and digital security specialists. What’s more, at the heart of this community is an often-overlooked citizen army – made up of hackers with a very different ethical agenda to those who usually hit the headlines.

A shifting security landscape

Whilst the science of cryptography has a history stretching back almost as far as mathematics itself, prior to the advent of the internet it was generally the preserve of select sections of society, such as governments and the military. But with digitalisation came a paradigm shift. In a permanently connected world, the security perimeter has become highly scalable and volatile, and the attack surface exponentially bigger. Instead of simply protecting a physical memory unit or processor, for example, complex networks of computers and servers, as well as the constant flow of information between them, need to be defended.

Machine learning and Big Data are changing the rules, again

What’s more, the world continues to spin faster. The digital footprints that individuals and organisations leave in cyberspace are getting deeper. Furthermore, the advent of machine learning has now made it easier for malevolent forces to compromise and reap this Big Data. But, at the same time, machine learning also represents a potentially powerful defense tool. In particular, its ability to predict situations and scenarios based on accumulated evidence can play a key role in detecting vulnerabilities and pre-empting attacks. A new front in the cyber-security arms race has opened.

Next on the horizon – quantum computing

As if the implications of machine learning and Big Data were not enough to contend with, yet another technology revolution is on the horizon. It comes in the form of quantum computing, which is set to redefine the limits of data processing power. In doing so, it will undermine the fundamentals on which many of our currently ‘unbreakable’ cryptographic codes are built. For the security industry, that obviously means another profound challenge: the creation of new, quantum-resistant cryptographic algorithms.

Harnessing the hackers

Given these rapidly shifting sands, the security sector has no choice but to evolve fast. And one of the most significant ways that this is being achieved is through closer collaboration with, and between, the good guys: the ethical hackers.

In terms of harnessing this key resource, we have already seen a major change in the landscape. Not so long ago, security experts were almost invariably drawn from the world of academic research. Consequently, cryptographic skills were concentrated in the hands of a relatively small circle of people, and typically paid for by governments. However, the ubiquity and accessibility of powerful IT systems has swiftly democratised the art of hacking. Subsequently, an extended community has developed, embracing both the public and private sectors, employed professionals, freelancers and talented amateurs. Moreover, whilst media attention, and consequently public fears, have tended to focus on the malevolent hackers, the energy, dynamism and co-operative approach of this ethical movement deserves to be recognised fully – and utilised as effectively as possible.

Cybersecurity Act will set new standards

There is growing recognition that, to stay one step ahead of the criminals, this exchange of ideas needs to be as comprehensive as possible. Within digital security companies, talented and dedicated digital security experts already represent a vital force. They invest their energy for good, continually and rigorously testing systems and products to identify and address any potential weak spots. By actively encouraging collaboration with the wider ethical hacking family, we are now forging an even stronger alliance between all those people who share not just the right skills, but the right principles too. Looking ahead, changes in the regulatory framework are only likely to make this approach even more worthwhile. In Europe, the forthcoming Cybersecurity Act will introduce a single means of security certification for ICT products, with levels ranging from ‘basic’ to ‘high’. Authorised hacking of products to test for any vulnerabilities will clearly be an important part of the process.

Listening, learning, sharing

To this end, the work of the ethical hacking community is being channelled not just through informal interaction, but also through major organised events and conferences. Better-known examples include Black Hat, “Nuit du Hack”, the CHES Conference, DEF CON, AppSec and Pwn2Own. Notably, many play host to hacking contests (aka bug bounties), which challenge participants to find vulnerabilities in a system, and a means of exploiting them, and then reward the team that is first to do so.

Time to bury the stereotypes

Stereotypes are invariably difficult to dispel. But, in the case of the hacker, we should at least try to change the perception that the term applies exclusively to malevolent loners, organised criminals and the murky world of state-sponsored cyber warfare. Today, a very different type of hacker is also hard at work, helping to protect us from the manifold threats that inhabit the dark corners of cyberspace. Moreover, as the systems that must be secured become more complex, so do the skills needed to defend them. Helping to build a truly diverse ethical hacking community and fostering dialogue with the principled experts working inside the digital security industry should therefore be an imperative for all interested parties.

To this end, reclaiming the term hacker from the bad guys, and giving this vital and dynamic community due credit, are more than symbolic gestures. Beneath them lies an understanding that, in an ever more digitalised world, greater safety and security remain rooted in the most positive elements of the human character.

Brigitte d’Heygère
Brigitte d’Heygère, Vice President Security & Consulting Services at Gemalto


The post In Praise Of The Hackers appeared first on Information Security Buzz.

Bitcoin Price Resumes Slide as Volumes Dip, China Tariffs Weigh on Bitmain

Bitcoin’s price declined on Friday, as tepid trade volumes kept the bulls in check following a stalled recovery attempt earlier in the week. On the news front, President Trump’s massive import duties on Chinese goods are beginning to take their toll on Bitmain, the nation’s largest mining hardware manufacturer.

BTC/USD Update

After holding above $6,500 […]

The post Bitcoin Price Resumes Slide as Volumes Dip, China Tariffs Weigh on Bitmain appeared first on Hacked: Hacking Finance.

CVE-2018-15316

In F5 BIG-IP APM 13.0.0-13.1.1.1, APM Client 7.1.5-7.1.6, and/or Edge Client 7101-7160, the BIG-IP APM Edge Client component loads the policy library with user permissions and bypasses the endpoint checks.

CVE-2018-4013

An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library version 0.92. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability.

CVE-2018-15312

On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an authenticated user to execute JavaScript for the currently logged-in user.

Cryptojackers Keep Hacking Unpatched MikroTik Routers

Vigilante Hacker Is Killing Unpatched Routers' Remote Administration Ability
Cryptojackers and eavesdroppers are continuing to exploit a one-time zero-day flaw in unpatched MikroTik routers, despite a patch that's been available for six months as well as the actions of a vigilante "gray hat" hacker who's forcibly "fixed" 100,000 vulnerable routers.