Cyber security aggregate rss news

Cyber security aggregator - feeds history

Cyble Sensors Uncove ...

Firewall Daily

Cyble's Vulnerability Intelligence Unit has shared a report detailing recent cyberattacks on the Spring Java framework and on hundreds of thousands of Internet of Things (IoT) devices. The report sheds light on over 30 active attack campaigns targeting well-known vulnerabilities. Among these, a focus has emerged on CVE-2024-38816, a critical vulnerability affecting the Spring Java framework. The report also highlights that more than 400,000 attacks exploit a vulnerability linked to IoT devices.

Cyble Vulnerability Intelligence Unit Highlights Key Flaws in Multiple Systems

CVE-2024-38816: Exploitation of the Spring Java Framework

CVE-2024-38816 is a severe path traversal vulnerability in the widely used Spring Java framework, currently under assessment by the National Vulnerability Database (NVD). It allows attackers to craft malicious HTTP requests that can reach sensitive files on the system where the Spring application is running. Specifically, applications that use RouterFunctions to serve static resources while configured with a FileSystemResource location are at risk.

Importantly, certain defenses can block these malicious requests. If the Spring Security HTTP Firewall is enabled, or if the application is hosted on platforms like Tomcat or Jetty, these attacks can be effectively mitigated.

CVE-2020-11899: Treck TCP/IP Stack Vulnerability

The vulnerability intelligence report also identifies CVE-2020-11899, a medium-severity out-of-bounds read vulnerability in the Treck TCP/IP stack that affects versions prior to 6.0.1.66. This vulnerability is part of the "Ripple20" series, which poses serious risks including data theft and unauthorized device control. Cyble's sensors detected 411,000 attacks exploiting this vulnerability between October 9 and 15, 2024, aimed at gaining administrative privileges.

Attacks against additional "Ripple20" vulnerabilities, such as CVE-2020-11900, were also noted, emphasizing the need for organizations operating IoT environments to assess their exposure and implement the necessary mitigations.

Ongoing Threats to Systems

Beyond vulnerabilities in the Java framework and IoT devices, Cyble's vulnerability intelligence report reveals that threats to Linux systems persist, with cybercriminals using advanced methods to deploy malware through package managers. Active threats, including CoinMiner, Mirai, and IRCBot, remain prevalent. Additionally, previously identified vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401), and AVTECH IP cameras (CVE-2024-7029) continue to attract the attention of threat actors, highlighting the urgent need for vigilant cybersecurity measures.

In a noteworthy development, the report recorded a sharp increase in phishing attempts, identifying 478 new phishing email addresses this week, an all-time high. The report details various scam campaigns, including fake refund claims and lottery scams, which illustrate the diverse tactics cybercriminals use to exploit unsuspecting individuals.

The report also outlines several brute-force attacks detected across various global locations. The most targeted ports are 22, 3389, and 445, with notable activity originating from Vietnam and the United States. Security analysts are urged to strengthen defenses by blocking suspicious IP addresses and securing the targeted ports.

Recommendations for Mitigation

To mitigate such threats, organizations should adopt several proactive security measures, including blocking malicious URLs and email addresses associated with recent scams, promptly patching open vulnerabilities while routinely monitoring internal network alerts, and consistently checking for suspicious ASNs and IPs in order to block known brute-force sources.

Additionally, it is essential to change default usernames and passwords to prevent brute-force attempts and to enforce regular password updates, alongside employing complex passwords for servers and sensitive applications.

By implementing these recommendations, businesses can enhance their defenses against the active threats identified in Cyble's vulnerability intelligence report, particularly those targeting the Spring Java framework and IoT devices.
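The report's brute-force recommendation (watch ports 22, 3389 and 445, then block the sources) is simple enough to script. The following is an added example, not code from Cyble or the report: it counts connection attempts per source IP and port over firewall-style log lines, flags any source that reaches an assumed threshold on one of the watched ports, and produces a block list. The log format, the threshold of five attempts and the log lines themselves (RFC 5737 test addresses) are all constructed for the example.

```python
"""Added example: flag brute-force sources on ports 22, 3389 and 445.

The log format and every log line below are constructed for illustration;
the threshold is an assumption, not a value from the report.
"""
import re
from collections import Counter

WATCHED_PORTS = {22, 3389, 445}   # most-targeted ports named in the report
THRESHOLD = 5                     # assumed: attempts per (source, port) that count as brute force
TRUSTED_SOURCES = {"198.51.100.250"}  # assumed: internal scanners that must never be blocked

# Constructed firewall-style log lines (not real traffic).
SAMPLE_LOG = """\
2024-10-14T02:11:05Z DENY src=203.0.113.7 dst=198.51.100.5 dport=3389
2024-10-14T02:11:06Z DENY src=203.0.113.7 dst=198.51.100.5 dport=3389
2024-10-14T02:11:07Z DENY src=203.0.113.7 dst=198.51.100.5 dport=3389
2024-10-14T02:11:08Z DENY src=203.0.113.7 dst=198.51.100.5 dport=3389
2024-10-14T02:11:09Z DENY src=203.0.113.7 dst=198.51.100.5 dport=3389
2024-10-14T02:11:10Z DENY src=203.0.113.7 dst=198.51.100.5 dport=3389
2024-10-14T02:12:00Z DENY src=203.0.113.9 dst=198.51.100.5 dport=445
2024-10-14T02:12:01Z DENY src=203.0.113.9 dst=198.51.100.5 dport=445
2024-10-14T02:12:02Z DENY src=203.0.113.9 dst=198.51.100.5 dport=445
2024-10-14T02:12:03Z DENY src=203.0.113.9 dst=198.51.100.5 dport=445
2024-10-14T02:12:04Z DENY src=203.0.113.9 dst=198.51.100.5 dport=445
2024-10-14T02:13:00Z DENY src=192.0.2.44 dst=198.51.100.5 dport=22
2024-10-14T02:13:30Z DENY src=192.0.2.44 dst=198.51.100.5 dport=22
2024-10-14T02:14:00Z ALLOW src=203.0.113.7 dst=198.51.100.8 dport=80
2024-10-14T02:14:01Z ALLOW src=203.0.113.7 dst=198.51.100.8 dport=80
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?dport=(?P<dport>\d+)")


def parse_events(log_text):
    """Yield (source_ip, destination_port) for every line that parses."""
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            yield match.group("src"), int(match.group("dport"))


def count_attempts(log_text):
    """Count attempts per (source, port), keeping only the watched ports."""
    return Counter(
        (src, port) for src, port in parse_events(log_text) if port in WATCHED_PORTS
    )


def brute_force_sources(log_text, threshold=THRESHOLD):
    """Return [(source, port, count)] for sources at or above the threshold,
    most active first; trusted sources are never reported."""
    hits = [
        (src, port, count)
        for (src, port), count in count_attempts(log_text).items()
        if count >= threshold and src not in TRUSTED_SOURCES
    ]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


def block_list(log_text, threshold=THRESHOLD):
    """Deduplicated, sorted source IPs to hand to the firewall deny list."""
    return sorted({src for src, _port, _count in brute_force_sources(log_text, threshold)})


if __name__ == "__main__":
    for src, port, count in brute_force_sources(SAMPLE_LOG):
        print(f"{src} -> port {port}: {count} attempts")
    print("block:", block_list(SAMPLE_LOG))
```

The port-80 lines from the same source are deliberately ignored: the point is to key on the ports the report names, so a noisy web client is not mistaken for an SSH or RDP brute-forcer. A real deployment would window the counts by time and feed the block list to the firewall API rather than print it.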

Rogue RDP Files Used ...

Cyber News

Hackers are trying to gain remote access to Ukrainian government and military systems by leveraging Remote Desktop Protocol (RDP) configuration files disguised as popular network and security services. Ukrainian cyber defenders say their investigation revealed meticulous planning that began in August and is aimed at a wider geography.

A new wave of malicious phishing emails targeted at key sectors in Ukraine has been observed by the Computer Emergency Response Team of Ukraine (CERT-UA). Hackers are attempting to exploit the Remote Desktop Protocol (RDP) to gain unauthorized access. This campaign taps into the popularity of Amazon and Microsoft services, luring targets with promises of integration and the adoption of "Zero Trust Architecture" (ZTA). Attached to these phishing emails are RDP configuration files, and if opened, they allow attackers to connect to a remote server controlled by cybercriminals.

Attack Mechanism: Exploiting RDP Vulnerabilities

RDP is widely used for remote access in enterprise environments. However, in this attack, the ".rdp" files act as the entry point for the threat actors. Once the victim opens the file, it initiates an outbound connection to the attacker's server.

"Taking into account the parameters of the RDP file, during such an RDP connection, the remote server was not only granted access to disks, network resources, printers, COM ports, audio devices, the clipboard and other resources on the local computer, but also allowed unauthorized running of third-party programs/scripts on the victim's computer," CERT-UA said.

[Image: Attack chain of the latest campaign (Source: CERT-UA)]

This type of exploitation is possible on a machine that has improperly configured RDP settings. CERT-UA has noted that the attackers in this case are taking advantage of these misconfigurations to infiltrate networks, gain access to sensitive resources, and launch deeper attacks.

Also Read: Ukrainian Government Agencies Hit by Stealthy MeshAgent Malware Campaign

Global Implications

Though initially reported in Ukraine, CERT-UA has cautioned that this campaign's infrastructure shows signs of a wider geographical footprint. The malicious activity dates back to August 2024, with domain names and IP addresses associated with these attacks pointing to preparations spanning multiple regions. With attackers leveraging common themes like cloud services and zero-trust architecture, organizations worldwide could be at risk.

Strengthening Defenses Against Rogue RDP Files

Reducing the attack surface requires a multi-layered approach, particularly for organizations that rely on RDP for remote access. CERT-UA has issued several critical recommendations to help mitigate the risk of such attacks:

Block RDP Files: Organizations should configure their mail gateways to block ".rdp" files, preventing users from accidentally launching these malicious configurations.

Restrict RDP Access: Firewalls should be adjusted to restrict RDP connections (specifically those initiated by mstsc.exe) to trusted internal resources, preventing unauthorized connections to external servers.

Set Group Policies: Administrators should use group policies to disable resource redirection during RDP sessions, which attackers often exploit to access drives, printers, and other connected peripherals.

Also Read: VectorStealer, Unlocking Doors to RDP Hijacking

Additionally, CERT-UA advises security teams to scrutinize network logs for any suspicious connections on port 3389 (the default port for RDP traffic). Any unusual outbound connections should be flagged and investigated as potential indicators of compromise.

The activity has been assigned the identifier UAC-0215, suggesting it is part of a known campaign or actor group. Although the specific motivations behind these attacks are still unclear, the target selection (government agencies, industrial sectors, and military formations) implies a high degree of coordination, likely pointing to a nation-state or advanced persistent threat (APT) actor.

Below is a list of some Indicators of Compromise (IoCs) published by CERT-UA.

File hashes (MD5, SHA256, file name):

a5de73d69c1a7fbae2e71b98d48fe9b5 34c88cd591f73bc47a1a0fe2a4f594f628be98ad2366eeb4e467595115d8505a Zero Trust Architecture Configuration.rdp
8bcb741a204c25232a11a7084aa2221f 071276e907f185d9e341d549b198e60741e2c7f8d64dd2ca2c5d88d50b2c6ffc ZTS Device Compatibility Test.rdp
86f58115c891ce91b7364e5ff0314b31 6e6680786fa5b023cf301b6bc5faaa89c86dc34b696f4b078cf22b1b353d5d3c Device Configuration Verification.rdp
80b3cad4f70b6ea8924aa13d2730328b 31f2cc1157248aec5135147073e49406d057bebf78b3361dd7cbb6e37708fbcc Zero Trust Architecture Configuration.rdp
c0da30b71d58e071fc5863381444d9f0 88fd6a36e8a61597dd71755b985e5fcd0b8308b69fc0f4b0fc7960fb80018622 Device Security Requirements Check.rdp
1595266bb78dc1e3d67f929154824c74 b8327671ebc20db6f09efc4f19bd8c39d9e28c9a37bdd15b2fd62ade208d2e8a Device Security Requirements Check.rdp
222c83d156a41735c38cc552a7084a86 a5bbb109faefcecba695a84a737f5e47fa418cea39d654bb512a6f4a0b148758 Device Configuration Verification.rdp
fa9af43e9bbb55b7512b369084d91f4d 5534cc837ba4fa3726322883449b3e97ca3e0d28c0ccf468b868397fdfa44e0b Zero Trust Architecture Configuration.rdp
281a28800a4ba744bfde7b4aff46f24e b9ab481e7a9a92cfa2d53de8e7a3c75287cff6a3374f4202ec16ea9e03d80a0b Zero Trust Security Environment Compliance Check.rdp
d37cd2c462af0e0643076b20c5ff561e 18a078a976734c9ec562f5dfa3f5904ef5d37000fb8c1f5bd0dc2dee47203bf9 Device Configuration Verification.rdp
e465a4191a93195094a803e5d4703a90 bb4d5a3f7a40c895882b73e1aca8c71ea40cef6c4f6732bec36e6342f6e2487a AWS IAM Quick Start.rdp
3f753810430b26b94a172fbf816e7d76 ef4bd88ec5e8b401594b22632fd05e401658cf78de681f81409eadf93f412ebd Device Configuration Verification.rdp
434ffae8cfc3caa370be2e69ffaa95d1 1cfe29f214d1177b66aec2b0d039fec47dd94c751fa95d34bc5da3bbab02213a Zero Trust Security Environment Compliance Check.rdp
c287c05d91a19796b2649ebebd27394b 3a2496db64507311f5fbd3aba0228b653f673fc2152a267a1386cbab33798db5 ZTS Device Compatibility Test.rdp
aabbfd1acd3f3a2212e348f2d6f169fc 984082823dc1f122a1bb505700c25b27332f54942496814dfd0c68de0eba59dc AWS IAM Configuration.rdp
b0a0ad4093e781a278541e4b01daa7a8 383e63f40aecdd508e1790a8b7535e41b06b3f6984bb417218ca96e554b1164b Zero Trust Security Environment Compliance Check.rdp
a18a1cad9df5b409963601c8e30669e4 296d446cb2ad93255c45a2d4b674bbacb6d1581a94cf6bb5e54df5a742502680 Device Security Requirements Check.rdp
cbbc4903da831b6f1dc39d0c8d3fc413 129ba064dfd9981575c00419ee9df1c7711679abc974fa4086076ebc3dc964f5 ZTS Device Compatibility Test.rdp
bd711dc427e17cc724f288cc5c3b0842 f2acb92d0793d066e9414bc9e0369bd3ffa047b40720fe3bd3f2c0875d17a1cb AWS IAM Quick Start.rdp
b38e7e8bba44bc5619b2689024ad9fca f357d26265a59e9c356be5a8ddb8d6533d1de222aae969c2ad4dc9c40863bfe8 AWS IAM Compliance Check.rdp
40f957b756096fa6b80f95334ba92034 280fbf353fdffefc5a0af40c706377142fff718c7b87bc8b0daab10849f388d0 AWS IAM Configuration.rdp
db326d934e386059cc56c4e61695128e 8b45f5a173e8e18b0d5c544f9221d7a1759847c28e62a25210ad8265f07e96d5 Zero Trust Security Environment Compliance Check.rdp
f58cf55b944f5942f1d120d95140b800 ba4d58f2c5903776fe47c92a0ec3297cc7b9c8fa16b3bf5f40b46242e7092b46 Zero Trust Security Environment Compliance Check.rdp

Source IPs:

37.153.155[.]143 (Email)
45.42.142[.]49 (Email)
45.42.142[.]89 (Email)
199.204.86[.]87 (Email)
181.215.148[.]194 (Email)
104.247.120[.]157 (Email)
204.111.198[.]27 (Email)
136.0.0[.]11 (Email)
38.180.110[.]238
179.43.148[.]82
45.11.230[.]105
45.141.58[.]60
95.217.113[.]133
185.187.155[.]74
141.195.117[.]125
185.76.79[.]178
2.58.201[.]112
89.46.234[.]115
84.32.188[.]193
38.180.146[.]210
84.32.188[.]197
45.80.193[.]9
45.67.85[.]40
45.134.111[.]123
84.32.188[.]153
62.72.7[.]213
93.188.163[.]16
23.160.56[.]122
95.156.207[.]121
84.32.188[.]148
166.0.187[.]233
185.216.72[.]196
38.180.146[.]230
84.32.188[.]200
45.11.231[.]8
162.252.175[.]233
13.49.21[.]253
179.43.163[.]18
46.19.141[.]186
193.29.59[.]9
135.181.130[.]232
45.134.110[.]83
185.187.155[.]73
23.160.56[.]100
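CERT-UA's description of the attachment (a connection file that redirects disks, printers, COM ports, audio and clipboard to the remote host) maps directly onto standard settings in the .rdp file format, so a gateway or analyst can triage such a file before anyone double-clicks it. The following is an added example, not CERT-UA's code: it parses the usual "name:type:value" lines, flags the resource-redirection and RemoteApp settings, and compares the target address against a handful of the source IPs listed above. The two .rdp files are constructed; the sample keeps its address defanged (with "[.]") and the checker normalizes both sides, whereas a real file would carry the plain address.

```python
"""Added example: triage an .rdp attachment for resource redirection and IoC hits.

The sample files are constructed. The IoC subset is taken from the CERT-UA
indicators quoted above (defanged). Setting names are the standard .rdp
keys written by mstsc.exe.
"""

# Subset of the source IPs published by CERT-UA (defanged as on the page).
CERTUA_IOC_IPS = {
    "38.180.110[.]238", "179.43.148[.]82", "45.11.230[.]105",
    "84.32.188[.]193", "38.180.146[.]210",
}


def refang(value: str) -> str:
    """Turn a defanged address like 1.2.3[.]4 into 1.2.3.4 for comparison."""
    return value.replace("[.]", ".")


IOC_SET = {refang(ip) for ip in CERTUA_IOC_IPS}

# Standard .rdp settings that hand local resources to the remote host.
# Each entry: (setting name, predicate on the raw value, explanation).
REDIRECTION_CHECKS = [
    ("drivestoredirect", lambda v: v.strip() != "", "local drives redirected to the remote host ('*' = all drives)"),
    ("redirectclipboard", lambda v: v == "1", "clipboard shared with the remote host"),
    ("redirectprinters", lambda v: v == "1", "printers redirected"),
    ("redirectcomports", lambda v: v == "1", "COM ports redirected"),
    ("redirectsmartcards", lambda v: v == "1", "smart cards redirected"),
    ("audiocapturemode", lambda v: v == "1", "microphone (audio capture) redirected"),
    ("devicestoredirect", lambda v: v.strip() != "", "plug-and-play devices redirected"),
    ("remoteapplicationmode", lambda v: v == "1", "RemoteApp mode: the file names a program to run at connection time"),
]


def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines; the value part may itself contain ':'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.count(":") < 2:
            continue  # blank or malformed line
        name, _typ, value = line.split(":", 2)
        settings[name.strip().lower()] = value.strip()
    return settings


def host_of(full_address: str) -> str:
    """'host:port' -> host, refanged. (Bare IPv6 literals are not handled here.)"""
    return refang(full_address.rsplit(":", 1)[0])


def assess_rdp(text: str, ioc_ips=IOC_SET) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    settings = parse_rdp(text)
    findings = []
    target = host_of(settings.get("full address", ""))
    if target in ioc_ips:
        findings.append(f"full address {target} matches a published IoC")
    for name, is_risky, explanation in REDIRECTION_CHECKS:
        value = settings.get(name)
        if value is not None and is_risky(value):
            findings.append(f"{name}={value}: {explanation}")
    return findings


def verdict(findings) -> str:
    """Gateway decision: any finding is enough to hold the attachment."""
    return "block" if findings else "allow"


# Constructed sample resembling the campaign's lures (address kept defanged).
MALICIOUS_SAMPLE = """\
screen mode id:i:2
full address:s:38.180.146[.]210:3389
username:s:
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
audiocapturemode:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||ZeroTrustCheck
"""

# Constructed benign sample: internal jump host, no redirection.
BENIGN_SAMPLE = """\
screen mode id:i:2
full address:s:rdp-jump.corp.example:3389
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        found = assess_rdp(sample)
        print(f"{label}: {verdict(found)}")
        for f in found:
            print("  -", f)
```

The redirection checks correspond to what CERT-UA's group-policy recommendation disables on the client side; running the same checks on the file itself lets a mail gateway explain why an attachment was held rather than silently dropping every .rdp file. The IoC match is a bonus signal only: a file that redirects all drives to an unknown external host is worth holding whether or not its address is on a published list.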

Russia Came Close to ...

Cyber News

A "who's who" of U.S. critical infrastructure entities came close to getting breached by Russian state threat actors in the days before the February 2022 invasion of Ukraine, a top CISA threat hunting official told MITRE ATT&CKcon attendees in McLean, Virginia today.

CISA Threat Branch Chief Mark Singer relayed some of the details surrounding a late 2021-early 2022 breach of a managed service provider (MSP) "who provided some pretty critical services to critical infrastructure entities inside the United States." It was one of three incident response engagements that CISA was involved in during the months leading up to the Russian invasion of Ukraine, Singer said, but it was the only one he detailed in the talk.

CISA's engagement in the MSP case appears to have begun in January 2022, a month before the Russian invasion, and several months after Russian threat actors had apparently first breached the MSP's network in August 2021. CISA investigators realized "pretty early on in the engagement there was a pretty severe compromise," Singer said.

"It was getting more and more concerning as time goes on that the actors that we were addressing, that we were focused on, in that engagement had reached a portion of the service provider network where they were in a position to collect, tamper with, alter communications for the customer set," Singer said. "The reason this was alarming to us was that customer set of that service provider was like a who's who of critical infrastructure entities in the United States."

The threat actors "had reached a place where the communications that they could spoof, alter, tamper, replay was all of the ICS data, Modbus protocol going to the actual operational technology of these companies," he said.

Russia Was Possibly Within Days of Breaching U.S. Critical Infrastructure

An "aggressive containment response" successfully evicted the threat actors from the network, but as CISA responders didn't know how much access they had gained, they took the unusual step of talking with all of the MSP's customers. CISA also stayed on the network for four months to make sure everything was okay, another unusual step for the top U.S. cybersecurity agency.

A couple of months later, when Russia had pivoted its cyber focus exclusively back to Ukraine, CISA forensic investigators were going through logs from the incident and realized that the threat actors had tried to use two compromised credentials to regain access to the MSP network up until two days before the February 2022 invasion.

"It's a little bit unknowable exactly what they could have done," Singer said. "I have my theories. But given the capabilities of that actor, given the reporting and the sort of risks that we were already concerned about, I'm really glad that they weren't able to re-access that environment.

"It does make me a little bit queasy to this day that we made it by a week and we didn't know it at the time. So quite an extraordinarily close call."

Singer praised CERT-UA, Ukraine's national Computer Emergency Response Team, for its help during the incident and since. CERT-UA "was doing and continues to do an amazing job with their work," he said.

Also read: MITRE ATT&CK Coverage by Security Tools Is Inconsistent, Incomplete: Researchers

China Threat Grows as FSB-Linked Groups Remain a Threat

Singer also warned about the threat posed by the People's Republic of China (PRC), which he suggested is potentially greater than that of Russia, with groups like Volt Typhoon burrowing into U.S. critical infrastructure in case of a major conflict with the U.S.

"The types of incidents that we've responded to, the types of intrusions that we're seeing, this is getting more and more concerning as time goes on," he said, calling the threat "a bigger risk" than Russia posed in the leadup to the Ukraine war. China also has "said publicly that they want to have the capability to invade Taiwan by 2027," Singer said, increasing the chances of a major conflict.

[Image: China cyber threat (Mark Singer, CISA)]

When asked by an audience member which threat groups are among the biggest concerns, he noted that Russian FSB-linked threat groups remain "very very active" and have "the ability to do the most damage." He recommended that attendees follow CERT-UA in translation to stay up on Russian threats.

He also said that ATT&CK "adds a lot of value as a common language" between government and organizational security officials. Singer also called for a greater measure of humility among cybersecurity pros, noting the importance of "being able to ask questions of each other and really support learning."

High-Risk ICS Vulner ...

Cyber News

The Cybersecurity and Infrastructure Security Agency (CISA), on October 22, 2024, issued a new advisory targeting Industrial Control Systems (ICS). One of the most significant vulnerabilities highlighted in the advisory involves the product suites from ICONICS and Mitsubishi Electric. These advisories are designed to inform ICS users and administrators of security vulnerabilities, exploits, and emerging threats that may affect their critical infrastructure.

Executive Summary of the ICS Advisory

The vulnerability in question is tracked as CVE-2024-7587 with a CVSS v3.1 base score of 7.8, reflecting its high severity. With a low attack complexity, this vulnerability presents a serious concern for users of ICONICS Suite, including products like GENESIS64, Hyper Historian, AnalytiX, and MobileHMI (version 10.97.3 and earlier), as well as Mitsubishi Electric's MC Works64 across all versions. If successfully exploited, this vulnerability could lead to data breaches, unauthorized data tampering, and in the worst-case scenario, denial-of-service (DoS) conditions.

Understanding the ICONICS and Mitsubishi Electric Vulnerability

At the core of the issue are incorrect default permissions (CWE-276), which allow unauthorized users to gain access to critical data. This could result in the disclosure of confidential information, manipulation of sensitive data, or potential denial-of-service events due to misconfigured access permissions. While this vulnerability is not exploitable remotely, meaning it requires local access to the system, the impact is considerable, especially given that both ICONICS and Mitsubishi Electric products are widely deployed across industries worldwide, particularly within the critical manufacturing sector.

Affected Products

The advisory lists specific products impacted by this vulnerability:

ICONICS Suite, which includes the products GENESIS64, Hyper Historian, AnalytiX, and MobileHMI, version 10.97.3 and earlier.

Mitsubishi Electric MC Works64, which is affected across all versions.

Risk Evaluation

The vulnerability presents a moderate to high risk due to the potential for critical consequences. While the vulnerability is not exploitable remotely and does require local access, the incorrect default permissions open the door to data tampering, information disclosure, and service interruptions. Given the growing reliance on ICS across industries, such vulnerabilities can pose serious challenges to operational continuity and data integrity.

Technical Breakdown

The issue stems from default permissions being improperly assigned. Specifically, unauthorized users could potentially gain excessive access to directories that store critical data. This poses a threat not just to individual systems but also to interconnected ICS environments, where even localized breaches can ripple across entire infrastructures.

The assigned CVSS vector string for this vulnerability is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This breakdown reflects the fact that the attack requires local access (AV:L) and has a low complexity (AC:L), with the potential to significantly compromise the system's confidentiality, integrity, and availability (C:H/I:H/A:H).

Mitigations

To address this vulnerability, ICONICS and Mitsubishi Electric recommend several mitigation strategies for their users. For ICONICS products, the following steps are critical:

Use Version 10.97.3 CFR1 or Later: For new systems, upgrade to this version or later, which is not vulnerable to the issue.

For Existing Systems: If using version 10.97.3 or earlier, avoid installing the included GenBroker32. Instead, download and install the latest version of GenBroker32 from ICONICS.

Verify and Correct Folder Permissions: Administrators should review the permissions for the C:\ProgramData\ICONICS folder. If the folder grants access to the "Everyone" group, remove this permission by following the step-by-step process outlined in the advisory.

For Mitsubishi Electric MC Works64, the same principles of permissions review and security patching apply. Administrators are encouraged to:

Regularly apply security patches as they become available.

Continuously monitor access permissions and ensure that overly broad permissions (like "Everyone" access) are removed.

Proactive Defense Recommendations from CISA

CISA offers a wealth of resources to help ICS users defend against vulnerabilities like CVE-2024-7587. It is critical for organizations to take a proactive approach to cybersecurity, incorporating defense-in-depth strategies that include:

Conducting a risk assessment and proper impact analysis before deploying mitigation strategies.

Regularly reviewing and implementing best practices for ICS cybersecurity, such as those outlined in CISA's Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies document.

Monitoring the ICS webpage at CISA for the latest security advisories, guidance, and technical resources.

Importance of Reporting and Vigilance

While no public exploitation of this vulnerability has been reported to CISA so far, the agency urges organizations to remain vigilant. Should any malicious activity be suspected, organizations are advised to follow their established incident response procedures and report findings to CISA for correlation and tracking. Early detection and quick action can significantly reduce the potential impact of vulnerabilities within critical infrastructure systems.

By following the steps outlined in this advisory, users can reduce the risk of exploitation and ensure the resilience of their ICS infrastructure against potential threats.

MITRE ATT&CK Coverag ...

Cyber News

Cybersecurity tools are inconsistent and incomplete in their coverage of the MITRE ATT&CK framework, according to research presented at the fifth MITRE ATT&CKcon conference in McLean, Virginia today.

The MITRE ATT&CK framework identifies tactics and techniques that indicate a cyberattack is in progress, and is often used by security vendors, analysts and researchers as a framework for detecting and investigating incidents. "ATT&CK" stands for "Adversarial Tactics, Techniques, & Common Knowledge."

The researchers, led by Apurva Virkud, a PhD student in computer science at the University of Illinois Urbana-Champaign, who presented the research, looked at endpoint security and security information and event management (SIEM) tools in conducting the research, which dates from 2022-2023.

What they found was that the tools examined (Carbon Black, Splunk, Elastic and the Sigma open source tool) had at least one detection technique for about half of the ATT&CK framework, and lower-risk detections could further dilute that value, Virkud said.

Virkud noted that MITRE doesn't position ATT&CK as a marketing tool, even though vendors often tout their ATT&CK coverage. She said ATT&CK coverage is "too high level of a metric to really be meaningful."

MITRE ATT&CK Coverage: Same Threats, Different Techniques

Virkud and colleagues found that the products were consistent in which techniques are covered (slide below).

[Image: Security tools' MITRE ATT&CK technique coverage (Apurva Virkud)]

"Even when products are trying to detect the same threat, they're not using the same attack techniques to describe it," Virkud said. Those variations may be reasonable, she said, because an ATT&CK technique can cover multiple behaviors.

The researchers also looked at 53 techniques that weren't implemented in any of the tools, and found the top three reasons for not implementing a technique were:

Ineffective detection method: MITRE itself notes that some behaviors are difficult to detect.

Targets non-host infrastructure: Internet scanning is beyond the scope of these tools.

Client-specific: Detection requires specific knowledge of a customer environment.

"Many of these techniques are difficult if not impossible to implement," Virkud said (slides below).

Inconsistent ATT&CK Application

Virkud compared rules from Elastic and Splunk for named pipe impersonation and malicious DNS activity (slides below) and noted that "security analysts may attribute the same system log activity to completely different motivations depending on which tool they are using."

[Image: MITRE ATT&CK inconsistency case studies]

Perhaps most surprisingly, Virkud and colleagues found that products disagree on the appropriate ATT&CK technique about half the time. As Virkud's abstract noted, "even when attempting to detect the same malicious entity, products completely disagree about the appropriate ATT&CK technique annotations 51% of the time, while fully agreeing just 2.7% of the time. Put another way, 'covering' one technique may not even suggest protection from the same threat across different products. These findings underscore the dangers of coverage-based ATT&CK assessments."

The researchers recommended ongoing guidance, evaluations and education from MITRE, and caution and nuance among vendors and practitioners:

Cybersecurity Meets ...

Cyber Essentials

At the University of Central Florida (UCF), students have discovered a fun yet formidable way to sharpen their cybersecurity skills: a competition called Horse Plinko. While the name may sound like a joke (a nod to a meme of a horse falling through a plinko board), the experience it provides is anything but trivial. Created by Hack@UCF and the UCF Collegiate Cybersecurity Competition Team (C3), Horse Plinko allows students to simulate defending a company from a real-time cyberattack.

What is the Horse Plinko Cyber Competition?

Earlier this month, the second Horse Plinko Cyber Competition attracted more than 160 participants, making it one of the university's most highly anticipated cybersecurity events. For many students, the contest is their first exposure to hands-on cyber defense, a chance to practice what textbooks can't fully teach: how to react under the pressure of a live cyberattack.

Harrison Keating, the competition's director and a cybersecurity master's student at UCF, explains the real-world application of Horse Plinko. "We simulate a business network for teams to defend, and we pit them against live attackers attempting, and often succeeding, to hack into their network," he says. "That's an experience many of them won't get again until they're out working in the field."

Motive Behind the Horse Plinko Cyber Competition

Participants in the competition, affectionately dubbed "plinkterns," take on the role of cybersecurity interns working for the fictional International Horse Plinko League. Their mission? To protect the company's critical services from a barrage of cyberattacks over six hours. Teams must quickly identify threats, strengthen defenses, and keep the company running. It's a race against time and the attackers, with plenty of high-stakes moments along the way.

Yet, despite the tension that comes with defending a company's digital infrastructure, Horse Plinko's organizers have worked hard to ensure the event remains approachable, especially for beginners. The quirky name, light-hearted atmosphere, and running jokes throughout the competition help ease the nerves of first-time competitors. Keating, who is also the captain of UCF's Collegiate Cybersecurity Competition team, emphasizes that this blend of serious work and fun is intentional.

"We have a LinkedIn profile and website for the fictional company, there are recurring characters that appear during the competition, and we throw in a lot of humor," he says. "It's important to keep things light to make it more approachable for new students."

But make no mistake: beneath the laughs, Horse Plinko is a serious learning experience. Cybersecurity is a highly collaborative field, and the competition is structured to reflect that. Keating highlights that it's not just technical skills that are honed during the event. "Cybersecurity is all about teamwork and communication," he says. "Horse Plinko gives students a chance to practice working together in high-pressure situations, and they learn a lot from each other."

First-time competitor Muhammad Ali, a freshman majoring in computer science, found the event particularly eye-opening. Ali had always been more interested in "red team" activities (offensive cybersecurity or ethical hacking) and wasn't sure if he was cut out for defending a network. But Horse Plinko changed his perspective. "It's a different story when you're tasked with defending against a whole squad of live red team hackers trying to take your services down," Ali says. "It's a lot of fun, and it really pushed me."

Winners

For Ali, the competition not only offered him a challenging experience but also helped him overcome feelings of self-doubt. Despite his obvious interest in cybersecurity (he recalls hacking into his dad's computer at the age of nine), he has struggled with imposter syndrome. "I feel like I'm not good enough for cybersecurity sometimes," Ali admits. "But Horse Plinko, and UCF in general, have given me a lot of self-confidence."

His team placed second in the competition, and he's now preparing for two more cyber competitions out of state. He's also planning to return to Horse Plinko next year, this time as an attacker on the red team. "I never thought I'd enjoy it this much," Ali says. "I'm 100% doing this again. If you're new to cybersecurity, Horse Plinko is the best place to get first-hand experience."

Horse Plinko's accessibility is a big part of its success. Unlike many cyber competitions that require a high level of expertise, Horse Plinko is designed for students of all skill levels. Organizers have intentionally built the competition to be inclusive, giving anyone with an interest in cyber defense the chance to participate. "Our club has over 350 members, but only eight get to compete in the National College Cyber Defense Competition," Keating explains. "Our goal with Horse Plinko is to give as many students as possible the chance to experience what it's like to defend a network from a live attack."

Horse Plinko's continued growth is made possible by the support of the UCF C3 team and Hack@UCF, with previous competitors often returning to help run future events. This sense of community and shared learning is one of the competition's most valuable aspects, according to Keating. "It's not just about the technical side of things. It's about building a network of peers and mentors who can help each other along the way."

As the competition continues to grow, Horse Plinko is proving to be more than just a fun event. It's an innovative training ground for the next generation of cyber professionals, one where students can laugh, learn, and prepare for the high-stakes challenges they'll face in their future careers.

image for Multiple High-Severi ...

 Firewall Daily

Bitdefender has recently alerted users to critical vulnerabilities within Bitdefender Total Security and SafePay, necessitating immediate action to protect against online threats. These Bitdefender vulnerabilities are classified as high-severity risks.

Utilizing the Common Vulnerability Scoring System (CVSS), these Bitdefender vulnerabilities have been categorized based on their severity, ranging from Critical (9.0-10) to Low (0.0-3.9). The advisory identifies six high-severity vulnerabilities, each linked to a unique CVE ID: CVE-2023-6055, CVE-2023-6056, CVE-2023-6057, CVE-2023-6058, CVE-2023-49567, and CVE-2023-49570. Patches for these vulnerabilities are available through automatic updates.

Major Bitdefender Vulnerabilities

The first Bitdefender vulnerability, CVE-2023-6055, relates to improper certificate validation within Bitdefender Total Security and has a CVSS score of 8.6. This flaw allows attackers to conduct Man-in-the-Middle (MITM) attacks by exploiting the software’s failure to validate HTTPS website certificates properly. An automatic update to version 27.0.25.115 is recommended to mitigate this risk.

Another significant Bitdefender vulnerability, CVE-2023-6056, scored 8.6, arises from the software’s undue trust in self-signed certificates, particularly those using the RIPEMD-160 hashing algorithm. This flaw can enable attackers to establish SSL connections to arbitrary sites, necessitating the installation of the latest update to counter this threat.

The third vulnerability, CVE-2023-6057, is found within the HTTPS scanning functionality of Bitdefender Total Security. Like the previous vulnerabilities, it carries a severity score of 8.6, stemming from inadequate checking of the certificate chain for DSA-signed certificates, potentially allowing for MITM attacks. Users should apply the automatic update to version 27.0.25.115 to address this issue.

Additionally, CVE-2023-6058 impacts Bitdefender SafePay, where the vulnerability also has a high severity score of 8.6. This issue occurs when SafePay blocks a connection due to an untrusted server certificate but allows users to add exceptions, which can later be exploited. Users are advised to install the automatic update to secure their transactions.

CVE-2023-49567 is another critical vulnerability with a CVSS score of 8.6, caused by the software trusting certificates signed using the collision-prone MD5 and SHA1 hash functions. This flaw can enable the creation of counterfeit certificates, making it crucial for users to update to the latest version.

Similarly, CVE-2023-49570 poses a risk by allowing Bitdefender to trust certificates from unauthorized entities, which can lead to potential MITM attacks. To protect against this vulnerability, users should ensure they install the automatic update.

Mitigation and Workarounds

To mitigate the risks associated with the Bitdefender vulnerabilities, users and organizations must prioritize timely software updates and establish a structured patch management approach. Implementing effective network segmentation, maintaining a tested incident response plan, and utilizing comprehensive monitoring solutions will enhance security.

Additionally, organizations should proactively manage End-of-Life products to minimize risks. Ultimately, staying informed and promptly addressing these Bitdefender vulnerabilities is essential for maintaining a strong cybersecurity posture and protecting digital assets from online threats.
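Several of the flaws above come down to which signature algorithms a TLS-intercepting product is willing to accept. As an added example (this is not Bitdefender's code, and it does not replace full chain validation), the following Python reads the two signature-algorithm identifiers out of a DER-encoded X.509 certificate, confirms they agree as RFC 5280 requires, and refuses any certificate signed with MD5, SHA-1 or RIPEMD-160. The minimal DER reader, the OID table and the certificate skeleton used as sample input are all constructed for this example; the skeleton carries only the leading tbsCertificate fields the check reads and is not a real certificate.

```python
"""Fail closed on X.509 certificates whose signature uses a weak digest.

Added example with a constructed DER reader and certificate skeleton.
Run alongside (not instead of) full chain validation.
"""

# Standard signature-algorithm OIDs -> (key algorithm, digest)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("rsa", "md5"),
    "1.2.840.113549.1.1.5": ("rsa", "sha1"),
    "1.2.840.113549.1.1.11": ("rsa", "sha256"),
    "1.3.36.3.3.1.2": ("rsa", "ripemd160"),
    "1.2.840.10040.4.3": ("dsa", "sha1"),
    "2.16.840.1.101.3.4.3.2": ("dsa", "sha256"),
    "1.2.840.10045.4.3.2": ("ecdsa", "sha256"),
}
WEAK_DIGESTS = {"md5", "sha1", "ripemd160"}  # collision-prone: never accept for signatures


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value bytes, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = length of length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OID content bytes to dotted form, e.g. '1.2.840.113549.1.1.11'."""
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # clear high bit terminates a base-128 arc
            arcs.append(value)
            value = 0
    first = arcs[0]                         # first two arcs are packed as 40*a + b
    return ".".join(str(a) for a in [first // 40, first % 40] + arcs[1:])


def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, tbs, pos = read_tlv(cert, 0)         # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)   # signatureAlgorithm
    tag, _, pos = read_tlv(tbs, 0)          # [0] version is optional in tbsCertificate
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)      # skip serialNumber
    _, inner_alg, _ = read_tlv(tbs, pos)    # tbsCertificate.signature
    _, inner_oid, _ = read_tlv(inner_alg, 0)
    _, outer_oid, _ = read_tlv(outer_alg, 0)
    return decode_oid(inner_oid), decode_oid(outer_oid)


def check_signature_policy(cert_der):
    """Return (accepted, reason); unknown or weak algorithms are rejected."""
    inner, outer = signature_algorithms(cert_der)
    if inner != outer:                      # RFC 5280 4.1.2.3: both fields must match
        return False, f"signature algorithm mismatch: tbs={inner} outer={outer}"
    if outer not in SIGNATURE_OIDS:
        return False, f"unknown signature algorithm {outer}"
    key_alg, digest = SIGNATURE_OIDS[outer]
    if digest in WEAK_DIGESTS:
        return False, f"weak digest {digest} in {key_alg} signature"
    return True, f"{key_alg}-{digest}"


# ---- constructed sample input (not a real certificate) --------------------

def der_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk, v = [v & 0x7F], v >> 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_cert(tbs_sig_oid, outer_sig_oid):
    """Certificate skeleton: version, serial, signature, empty issuer, dummy signature."""
    def alg_id(oid):
        return der_tlv(0x30, der_tlv(0x06, encode_oid(oid)) + der_tlv(0x05, b""))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg_id(tbs_sig_oid) + der_tlv(0x30, b""))
    return der_tlv(0x30, tbs + alg_id(outer_sig_oid) + der_tlv(0x03, b"\x00" + bytes(8)))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5", "1.3.36.3.3.1.2"):
        print(oid, check_signature_policy(build_sample_cert(oid, oid)))
```

The mismatch check matters as much as the digest check: a product that reads only the outer AlgorithmIdentifier can be steered into treating a certificate as signed with one algorithm while verifying it under another.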

image for Mail-in Ballots at R ...

 Cyber Essentials

The Cybersecurity and Infrastructure Security Agency (CISA) and the United States Postal Inspection Service (USPIS) have launched a joint Election Mail Security Public Service Announcement (PSA) and training video. This new initiative is intended to safeguard the integrity of the 2024 U.S. general election and the well-being of election officials. The CISA PSA focuses on addressing the potential hazards associated with handling election mail, a critical component of U.S. election infrastructure.

As the nation gears up for another U.S. general election season, the collaboration highlights the federal government’s continued commitment to ensuring that election officials, as well as the mail-in voting process, remain secure and protected from both cyber and physical threats.

CISA and USPIS Join Forces for Election Security

In recent years, elections have faced increased scrutiny and threats, not only from cyberattacks but also from physical dangers like mail tampering and toxic substances potentially delivered through the postal system. Recognizing these evolving risks, CISA, which leads federal efforts to secure election infrastructure, has partnered with USPIS to fortify the safety of election-related mail. USPIS, known for its role in protecting the integrity of the U.S. mail system, plays a pivotal role in securing the delivery of election mail and ensuring election officials are shielded from harmful substances.

The PSA underlines the joint efforts between local, state, and federal officials to protect the election process. It reinforces how both CISA and USPIS are working together to ensure election mail is not only secure from tampering but also free from any hazardous materials that could pose a threat to the safety of those handling it.

“CISA, alongside our federal partners like the US Postal Inspection Service, are committed to helping those on the frontline of our democratic process have the tools and resources necessary to accomplish their incredible mission while staying safe from the range of hazards they may face,” said CISA Director Jen Easterly. "Together, we can protect America’s election infrastructure against new and evolving threats, and that is our continued goal for Protect 2024 here at CISA."

Chief Postal Inspector Gary Barksdale echoed this sentiment, highlighting the collaborative effort between the two agencies. “We have a shared commitment, with our close partner CISA, to ensure the safety of election workers and the security of election mail, in part through the education and empowerment of voters and election officials,” Barksdale said. “Today’s releases are another way we are delivering on that commitment.”

Safety Measures for Election Mail

The PSA and training video provide detailed guidance to election officials on how to safely handle mail that may present toxic hazards. This includes instructions on identifying suspicious mail, handling it appropriately, and mitigating any potential risks. In addition, election officials are urged to maintain close collaboration with local postal workers to ensure that election mail is processed and delivered in a timely and secure manner.

This initiative comes as part of CISA’s broader Protect 2024 campaign, which aims to arm election officials with the tools and resources they need to defend against a variety of threats to election infrastructure. This includes everything from cyber intrusions and disinformation campaigns to physical threats such as suspicious packages.

What Americans Can Do to Help

While federal agencies are working diligently to secure the U.S. general election 2024 process, the PSA also emphasizes the crucial role that individual voters play in safeguarding election mail. In the PSA, voters are encouraged to take the following steps to ensure the safe and secure handling of their election mail:

Pick Up Mail Promptly: Voters should collect election mail from their mailboxes as soon as it is delivered. Leaving mail unattended for extended periods can increase the risk of it being tampered with or lost.

Don’t Let Mail Sit Unattended: Whether outgoing or incoming, election mail should not be left unattended. Voters should avoid letting their ballots sit in a mailbox for too long, reducing the opportunity for someone to interfere with it.

Use Secure Postal Options: When sending out election mail, voters are encouraged to take it directly to their local post office or hand it to a postal employee. This ensures that ballots are securely in the postal system from the very beginning.

Track Your Ballot: Many states offer online tracking tools that allow voters to monitor the status of their ballots. Voters who are concerned about the status of their mail-in ballot should check with their local election office before reaching out to USPS. These tracking systems add an additional layer of transparency to the voting process, giving voters peace of mind that their ballots have been safely delivered and counted.

Protecting the Election Process Together

The combined efforts of CISA and USPIS, alongside local and state election officials, are part of a broader strategy to ensure that the 2024 elections are secure, safe, and trustworthy. With the rise of cyber and physical threats to the election process, this partnership represents a critical layer of defense. By providing election officials with the resources to handle potentially dangerous mail and encouraging voters to take simple yet effective measures to protect their ballots, the two agencies are helping to reinforce the integrity of the electoral process.

In a democracy, the ability to vote securely and without fear is paramount. The steps outlined in the PSA and the newly released training video are designed to maintain public confidence in the election process and ensure that all votes are counted, free from interference or harm. As the 2024 elections approach, voters, election officials, and federal agencies are working hand-in-hand to protect one of the country’s most sacred democratic institutions.

By taking proactive measures, both large and small, Americans can contribute to the safe and secure delivery of election mail and help uphold the integrity of the election process. With CISA and USPIS at the forefront, the nation’s election infrastructure is better equipped to face the challenges of a rapidly evolving threat landscape, ensuring that every vote counts in a safe and secure environment.

image for ID card selfie: pros ...

 Privacy

Please upload a selfie with your ID to verify your identity — such requests are becoming increasingly common for various online services. Banks, car rental services, even potential employers or landlords may ask for such photos. Whether you should share your confidential data in this way or not is a personal decision. We’ve laid out all the pros and cons, and prepared tips on how to protect yourself if you do need to take such a selfie.

Should you take a selfie with your documents?

Without an ID selfie, you may not be able to install certain banking apps, register for services like car sharing, or quickly apply for a loan. The choice here is very straightforward. Want to use these services? Take a photo. Worried about the security of your data? Don’t take a photo. But then, for example, you won’t be able to make a bank transfer, rent a car quickly, or solve your financial issues with an instant loan. The stakes are obvious: either you gain access to these services, or you prioritize your own safety.

A common argument from those who choose to take ID selfies is that their data has already been leaked multiple times, so they’re not afraid of potential security risks. Well, if you’re dishing out the ID card selfies left and right, using the same password like 12345 across all accounts for years, it’s likely that your data has already been compromised. To know for certain whether your data has been leaked or not, use our protection, and in the Data Leak Checker section, provide all the email addresses that you (or your loved ones) may have used to register for online services. Users of Kaspersky Premium can also check their phone numbers in the Identity Theft Check section. Then, our app will automatically search for data leaks in the background, notify you if any are found, and advise what needs to be done in each case.

What could go wrong?

Unfortunately, with rare exceptions, we can almost never know how companies actually store and process our data. Normally, all that users get to hear about their personal data is that its security is taken very seriously and therefore it’s stored very carefully. You’ll agree that this kind of messaging doesn’t inspire much confidence — especially when it’s not backed up by anything except a privacy policy page on the website.

Often, services store your data for too long. For example, one popular European car-sharing company stores user data for as long as 10 years. In that time, you might change residence several times, quit driving, or simply forget about the car-sharing service — but your personal information will still be stored on the company’s servers. And since, according to the agreement, the company can transfer client data to third parties, then theoretically your ID-card selfie could end up in someone else’s hands without your knowledge. And this is not an example of a bad company, but a harsh reality: almost all organizations that request IDs during registration process your data under similar conditions. And that’s just the official side — we haven’t mentioned leaks.

Data transmission will be carried out according to the European security regulations, but this is not guaranteed

Data leaks from car-sharing companies are a classic issue: such companies have been subject to hacker attacks since their inception. Sometimes these leaks lead to absurd situations. In Russia, criminals registered fake accounts in car-sharing services using stolen passport photos, then booked expensive cars, violated traffic laws, and caused accidents. Where did they get the data? From leaks of customer data from other car-sharing companies!

And we shouldn’t forget the more obvious threat — unexpected loans. Of course, large banks are unlikely to issue a loan based solely on an ID selfie, but less accountable organizations that hand out microloans to practically anyone — sure thing. And if you suddenly find a dozen such loans in your name, it’s bad news. Not to mention the fact that another unreliable company now has your ID selfie.

These ID card selfies are a universal tool in the hands of criminals. In addition to the above scenarios, fraudsters can open a shell company in your name or register a SIM card using your identity to break the law in various ways. And the more services support remote online registration — the greater the risks of taking selfies with ID cards. Criminals have long been selling sets of photos and videos of people holding white sheets of paper the size of standard documents on underground websites to forge photos and bypass standard KYC (Know Your Customer) procedures. And if they get hold of a real selfie with a passport — it’s a goldmine.

How to reduce the risks

Unfortunately, despite the significant risks, sometimes we may still have to take these photos. So the best we can do is approach the process with maximum care. How to protect yourself?

Study the company’s privacy policy. Before sending your document selfies, find out everything you can about the company. Check where and by whom your data will be processed, how long it will be stored, and whether the company can pass customer information to law enforcement, third parties, or even to other countries.

Investigate the company’s history of data leaks. Find out if there have been any customer data leaks. If there have, did they occur more than once? What kind of information was leaked? How did the company respond to the breach? You can find this out using search queries like "Company_Name data leaks" or "Company_Name data breaches".

Add watermarks to your selfie. If you decide it’s worth the risk, add watermarks to the selfie with the name of the service you’re sending it to. This can be done easily on your smartphone using the built-in photo editor to overlay semi-transparent text, or by using free apps – there are plenty of them in any app store. This way, even if the photo leaks, it will be much harder for criminals to use it to register with another service.

Send the photo through the official app or website of the service. Do not use messengers or email to send document selfies.

Delete the selfie immediately after sending if your device lacks reliable protection. Don’t forget to remove the selfie from your messages (if possible) and from the Recently Deleted folder on your smartphone or the recycle bin on your computer.

Regularly check your credit history. Check with your bank to find out how to be notified promptly of changes to your credit history.

Use maximum protection for all your devices alerting you to identity theft and data leaks.

Use Kaspersky Password Manager Identity Protection Wallet to store and share sensitive documents and photos encrypted across all your devices.

Compare the value of the service being provided against the value of your ID card selfie. And absolutely never give out your personal data for monetary rewards.

image for The Global Surveilla ...

 A Little Sunshine

Not long ago, the ability to digitally track someone’s daily movements just by knowing their home address, employer, or place of worship was considered a dangerous power that should remain only within the purview of nation states. But a new lawsuit in a likely constitutional battle over a New Jersey privacy law   show more ...

shows that anyone can now access this capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites. Image: Shutterstock, Arthimides. Delaware-based Atlas Data Privacy Corp. helps its users remove their personal information from the clutches of consumer data brokers, and from people-search services online. Backed by millions of dollars in litigation financing, Atlas so far this year has sued 151 consumer data brokers on behalf of a class that includes more than 20,000 New Jersey law enforcement officers who are signed up for Atlas services. Atlas alleges all of these data brokers have ignored repeated warnings that they are violating Daniel’s Law, a New Jersey statute allowing law enforcement, government personnel, judges and their families to have their information completely removed from commercial data brokers. Daniel’s Law was passed in 2020 after the death of 20-year-old Daniel Anderl, who was killed in a violent attack targeting a federal judge — his mother. Last week, Atlas invoked Daniel’s Law in a lawsuit (PDF) against Babel Street, a little-known technology company incorporated in Reston, Va. Babel Street’s core product allows customers to draw a digital polygon around nearly any location on a map of the world, and view a slightly dated (by a few days) time-lapse history of the mobile devices seen coming in and out of the specified area. Babel Street’s LocateX platform also allows customers to track individual mobile users by their Mobile Advertising ID or MAID, a unique, alphanumeric identifier built into all Google Android and Apple mobile devices. Babel Street can offer this tracking capability by consuming location data and other identifying information that is collected by many websites and broadcast to dozens and sometimes hundreds of ad networks that may wish to bid on showing their ad to a particular user. 
This image, taken from a video recording Atlas made of its private investigator using Babel Street to show all of the unique mobile IDs seen over time at a mosque in Dearborn, Michigan. Each red dot represents one mobile device. In an interview, Atlas said a private investigator they hired was offered a free trial of Babel Street, which the investigator was able to use to determine the home address and daily movements of mobile devices belonging to multiple New Jersey police officers whose families have already faced significant harassment and death threats. Atlas said the investigator encountered Babel Street while testing hundreds of data broker tools and services to see if personal information on its users was being sold. They soon discovered Babel Street also bundles people-search services with its platform, to make it easier for customers to zero in on a specific device. The investigator contacted Babel Street about possibly buying home addresses in certain areas of New Jersey. After listening to a sales pitch for Babel Street and expressing interest, the investigator was told Babel Street only offers their service to the government or to “contractors of the government.” “The investigator (truthfully) mentioned that he was contemplating some government contract work in the future and was told by the Babel Street salesperson that ‘that’s good enough’ and that ‘they don’t actually check,’” Atlas shared in an email with reporters. KrebsOnSecurity was one of five media outlets invited to review screen recordings that Atlas made while its investigator used a two-week trial version of Babel Street’s LocateX service. References and links to reporting by other publications, including 404 Media, Haaretz, NOTUS, and The New York Times, will appear throughout this story. 
Collectively, these stories expose how the broad availability of mobile advertising data has created a market in which virtually anyone can build a sophisticated spying apparatus capable of tracking the daily movements of hundreds of millions of people globally. The findings outlined in Atlas’s lawsuit against Babel Street also illustrate how mobile location data is set to massively complicate several hot-button issues, from the tracking of suspected illegal immigrants or women seeking abortions, to harassing public servants who are already in the crosshairs over baseless conspiracy theories and increasingly hostile political rhetoric against government employees. WARRANTLESS SURVEILLANCE Atlas says the Babel Street trial period allowed its investigator to find information about visitors to high-risk targets such as mosques, synagogues, courtrooms and abortion clinics. In one video, an Atlas investigator showed how they isolated mobile devices seen in a New Jersey courtroom parking lot that was reserved for jurors, and then tracked one likely juror’s phone to their home address over several days. While the Atlas investigator had access to its trial account at Babel Street, they were able to successfully track devices belonging to several plaintiffs named or referenced in the lawsuit. They did so by drawing a digital polygon around the home address or workplace of each person in Babel Street’s platform, which focused exclusively on the devices that passed through those addresses each day. Each red dot in this Babel Street map represents a unique mobile device that has been seen since April 2022 at a Jewish synagogue in Los Angeles, Calif. Image: Atlas Data Privacy Corp. One unique feature of Babel Street is the ability to toggle a “night” mode, which makes it relatively easy to determine within a few meters where a target typically lays their head each night (because their phone is usually not far away). 
Atlas plaintiffs Scott and Justyna Maloney are both veteran officers with the Rahway, NJ police department who live together with their two young children. In April 2023, Scott and Justyna became the target of intense harassment and death threats after Officer Justyna responded to a routine call about a man filming people outside of the Motor Vehicle Commission in Rahway. The man filming the Motor Vehicle Commission that day is a social media personality who often solicits police contact and then records himself arguing about constitutional rights with the responding officers. Officer Justyna’s interaction with the man was entirely peaceful, and the episode appeared to end without incident. But after a selectively edited video of that encounter went viral, their home address and unpublished phone numbers were posted online. When their tormentors figured out that Scott was also a cop (a sergeant), the couple began receiving dozens of threatening text messages, including specific death threats. According to the Atlas lawsuit, one of the messages to Mr. Maloney demanded money, and warned that his family would “pay in blood” if he didn’t comply. Sgt. Maloney said he then received a video in which a masked individual pointed a rifle at the camera and told him that his family was “going to get [their] heads cut off.” Maloney said a few weeks later, one of their neighbors saw two suspicious individuals in ski masks parked one block away from the home and alerted police. Atlas’s complaint says video surveillance from neighboring homes shows the masked individuals circling the Maloney’s home. The responding officers arrested two men, who were armed, for unlawful possession of a firearm. According to Google Maps, Babel Street shares a corporate address with Google and the consumer credit reporting bureau TransUnion. Atlas said their investigator was not able to conclusively find Scott Maloney’s iPhone in the Babel Street platform, but they did find Justyna’s. 
Babel Street had nearly 100,000 hits for her phone over several months, allowing Atlas to piece together an intimate picture of Justyna’s daily movements and meetings with others. An Atlas investigator visited the Maloneys and inspected Justyna’s iPhone, and determined the only app that used her device’s location data was from the department store Macy’s. In a written response to questions, Macy’s said its app includes an opt-in feature for geo-location, “which allows customers to receive an enhanced shopping experience based on their location.” “We do not store any customer location information,” Macy’s wrote. “We share geo-location data with a limited number of partners who help us deliver this enhanced app experience. Furthermore, we have no connection with Babel Street” [link added for context]. Justyna’s experience highlights a stark reality about the broad availability of mobile location data: Even if the person you’re looking for isn’t directly identifiable in platforms like Babel Street, it is likely that at least some of that person’s family members are. In other words, it’s often trivial to infer the location of one device by successfully locating another. The terms of service for Babel Street’s Locate X service state that the product “may not be used as the basis for any legal process in any country, including as the basis for a warrant, subpoena, or any other legal or administrative action.” But Scott Maloney said he’s convinced by their experience that not even law enforcement agencies should have access to this capability without a warrant. “As a law enforcement officer, in order for me to track someone I need a judge to sign a warrant – and that’s for a criminal investigation after we’ve developed probable cause,” Mr. Maloney said in an interview. “Data brokers tracking me and my family just to sell that information for profit, without our consent, and even after we’ve explicitly asked them not to is deeply disturbing.” Mr. 
Maloney’s law enforcement colleagues in other states may see things differently. In August, The Texas Observer reported that state police plan to spend more than $5 million on a contract for a controversial surveillance tool called Tangles from the tech firm PenLink. Tangles is an AI-based web platform that scrapes information from the open, deep and dark web, and it has a premier feature called WebLoc that can be used to geofence mobile devices. The Associated Press reported last month that law enforcement agencies from suburban Southern California to rural North Carolina have been using an obscure cell phone tracking tool called Fog Reveal — at times without warrants — that gives them the ability to follow people’s movements going back many months. It remains unclear precisely how Babel Street is obtaining the abundance of mobile location data made available to users of its platform. The company did not respond to multiple requests for comment. But according to a document (PDF) obtained under a Freedom of Information Act request with the Department of Homeland Security’s Science and Technology directorate, Babel Street re-hosts data from the commercial phone tracking firm Venntel. On Monday, the Substack newsletter All-Source Intelligence unearthed documents indicating that the U.S. Federal Trade Commission has opened an inquiry into Venntel and its parent company Gravy Analytics. “Venntel has also been a data partner of the police surveillance contractor Fog Data Science, whose product has been described as ‘mass surveillance on a budget,'” All-Source’s Jack Poulson wrote. 
“Venntel was also reported to have been a primary data source of the controversial ‘Locate X’ phone tracking product of the American data fusion company Babel Street.” MAID IN HELL The Mobile Advertising ID or MAID — the unique alphanumeric identifier assigned to each mobile device — was originally envisioned as a way to distinguish individual mobile customers without relying on personally identifiable information such as phone numbers or email addresses. However, there is now a robust industry of marketing and advertising companies that specialize in assembling enormous lists of MAIDs that are “enriched” with historical and personal information about the individual behind each MAID. One of many vendors that “enrich” MAID data with other identifying information, including name, address, email address and phone number. Atlas said its investigator wanted to know whether they could find enriched MAID records on their New Jersey law enforcement customers, and soon found plenty of ad data brokers willing to sell it. Some vendors offered only a handful of data fields, such as first and last name, MAID and email address. Other brokers sold far more detailed histories along with their MAID, including each subject’s social media profiles, precise GPS coordinates, and even likely consumer category. How are advertisers and data brokers gaining access to so much information? Some sources of MAID data can be apps on your phone such as AccuWeather, GasBuddy, Grindr, and MyFitnessPal that collect your MAID and location and sell that to brokers. A user’s MAID profile and location data also is commonly shared as a consequence of simply using a smartphone to visit a web page that features ads. In the few milliseconds before those ads load, the website will send a “bid request” to various ad exchanges, where advertisers can bid on the chance to place their ad in front of users who match the consumer profiles they’re seeking. 
A great deal of data can be included in a bid request, including the user’s precise location (the current open standard for bid requests is detailed here). The trouble is that virtually anyone can access the “bidstream” data flowing through these so-called “realtime bidding” networks, because the information is simultaneously broadcast in the clear to hundreds of entities around the world. The result is that there are a number of marketing companies that now enrich and broker access to this mobile location information. Earlier this year, the German news outlet netzpolitik.org purchased a bidstream data set containing more than 3.6 billion data points, and shared the information with the German daily BR24. They concluded that the data they obtained (through a free trial, no less) made it possible to establish movement profiles — some of them quite precise — of several million people across Germany. A screenshot from the BR24/Netzpolitik story about their ability to track millions of Germans, including many employees of the German Federal Police and Interior Ministry. Politico recently covered startling research from universities in New Hampshire, Kentucky and St. Louis that showed how the mobile advertising data they acquired allowed them to link visits from investigators with the U.S. Securities and Exchange Commission (SEC) to insiders selling stock before the investigations became public knowledge. The researchers in that study said they didn’t attempt to use the same methods to track regulators from other agencies, but that virtually anyone could do it. 
Justin Sherman, a distinguished fellow at Georgetown Law’s Center for Privacy and Technology, called the research a “shocking demonstration of what happens when companies can freely harvest Americans’ geolocation data and sell it for their chosen price.”

“Politicians should understand how they, their staff, and public servants are threatened by the sale of personal data—and constituent groups should realize that talk of data broker ‘controls’ or ‘best practices’ is designed by companies to distract from the underlying problems and the comprehensive privacy and security solutions,” Sherman wrote for Lawfare this week.

A BIDSTREAM DRAGNET?

The Orwellian nature of modern mobile advertising networks may soon have far-reaching implications for women’s reproductive rights, as more states move to outlaw abortion within their borders. The 2022 Dobbs decision by the U.S. Supreme Court discarded the federal right to abortion, and 14 states have since enacted strict abortion bans.

Anti-abortion groups are already using mobile advertising data to advance their cause. In May 2023, The Wall Street Journal reported that an anti-abortion group in Wisconsin used precise geolocation data to direct ads to women it suspected of seeking abortions.

As it stands, there is little to stop anti-abortion groups from purchasing bidstream data (or renting access to a platform like Babel Street) and using it to geofence abortion clinics, potentially revealing all mobile devices transiting through those locations. Atlas said its investigator geofenced an abortion clinic and was able to identify a likely employee of that clinic by following their daily route between the clinic and their home address.

Image: A still shot from a video Atlas shared of its use of Babel Street to identify and track an employee traveling each day between their home and the clinic.
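The bid request described above (a bundle of identifiers and location broadcast to every bidder) and the clinic geofence Atlas describes are two halves of the same problem, so the following is one added example that covers both. It is written for this page and is not code from the article, from Atlas, from Babel Street or from any broker's tooling. It audits a handful of OpenRTB-style bid requests for what each one exposes, then geofences a hypothetical location and links every MAID seen inside the fence to that device's most frequent other location. The field names (device.ifa, device.lmt, device.geo.lat, device.geo.lon, device.geo.type) are assumed from the OpenRTB 2.x spec as recalled, not taken from the page; the sample requests, coordinates, identifiers and the ext.ts timestamp are all constructed.

```python
import math
from collections import Counter

# Field names (device.ifa = MAID, device.lmt = limit-ad-tracking flag,
# device.geo.{lat,lon,type} with type 1 = GPS) follow the OpenRTB 2.x spec as
# recalled by the example's author: an assumption, not taken from the article.
# ext.ts is a placeholder timestamp, not a standard field. All data is invented.
FENCE_CENTER = (40.7000, -74.0000)   # hypothetical sensitive location
FENCE_RADIUS_M = 150.0

def _req(rid, ifa, lat, lon, geo_type, ts, lmt=0):
    """Build one OpenRTB-2.x-shaped bid request (constructed sample data)."""
    dev = {"ip": "203.0.113.10", "lmt": lmt,
           "geo": {"lat": lat, "lon": lon, "type": geo_type}}
    if ifa:
        dev["ifa"] = ifa
    return {"id": rid, "device": dev, "app": {"bundle": "com.example.weather"},
            "ext": {"ts": ts}}

# Constructed bidstream: four devices over roughly one day.
SAMPLE_BIDSTREAM = [
    # device A transits the fence morning and evening and sleeps ~2 km away
    _req("r1", "AAAA-1111", 40.7001, -74.0002, 1, 1729670400),
    _req("r2", "AAAA-1111", 40.7203, -73.9804, 1, 1729645200),
    _req("r3", "AAAA-1111", 40.7002, -74.0001, 1, 1729702800),
    _req("r4", "AAAA-1111", 40.7204, -73.9803, 1, 1729731600),
    _req("r5", "AAAA-1111", 40.7203, -73.9802, 1, 1729735200),
    # device B passes through the fence once, otherwise stays uptown
    _req("r6", "BBBB-2222", 40.7003, -73.9999, 1, 1729674000),
    _req("r7", "BBBB-2222", 40.7500, -73.9900, 1, 1729688400),
    _req("r8", "BBBB-2222", 40.7501, -73.9901, 1, 1729692000),
    # device C: user set limit-ad-tracking, yet the MAID is still in the request
    _req("r9", "CCCC-3333", 40.7000, -74.0000, 2, 1729677600, lmt=1),
    # device D: no MAID at all (tracking denied), so it cannot be linked over time
    _req("r10", None, 40.7001, -74.0001, 1, 1729681200),
]

def extract_exposure(req):
    """Pull the fields a bidstream recipient can use to identify and locate a device."""
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    return {"ifa": dev.get("ifa"), "ip": dev.get("ip"), "lmt": dev.get("lmt", 0),
            "lat": geo.get("lat"), "lon": geo.get("lon"), "geo_type": geo.get("type")}

def audit_request(req):
    """Return plain-language findings about what one bid request leaks."""
    e = extract_exposure(req)
    findings = []
    if e["ifa"]:
        findings.append("MAID present: device linkable across apps and over time")
    if e["lat"] is not None and e["lon"] is not None:
        findings.append("precise GPS coordinates (geo.type=1)" if e["geo_type"] == 1
                        else "coarse location (derived from IP or user input)")
    if e["lmt"] == 1 and e["ifa"]:
        findings.append("limit-ad-tracking set but MAID still sent (policy violation)")
    if e["ip"]:
        findings.append("client IP present (coarse location and ISP)")
    return findings

def lmt_violations(bidstream):
    """IDs of requests that carry a MAID despite the limit-ad-tracking flag."""
    return [r["id"] for r in bidstream
            if any(f.startswith("limit-ad-tracking") for f in audit_request(r))]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def _gps_pings(bidstream):
    """Yield (ifa, lat, lon) for every request carrying both a MAID and a GPS fix."""
    for r in bidstream:
        e = extract_exposure(r)
        if e["ifa"] and e["geo_type"] == 1 and e["lat"] is not None:
            yield e["ifa"], e["lat"], e["lon"]

def devices_in_fence(bidstream, center=FENCE_CENTER, radius_m=FENCE_RADIUS_M):
    """MAIDs seen at least once inside the geofence."""
    return {ifa for ifa, lat, lon in _gps_pings(bidstream)
            if haversine_m(lat, lon, center[0], center[1]) <= radius_m}

def likely_home(bidstream, ifa, center=FENCE_CENTER, radius_m=FENCE_RADIUS_M):
    """Most frequent ~100 m cell (3-decimal rounding) for `ifa` outside the fence."""
    cells = Counter((round(lat, 3), round(lon, 3)) for i, lat, lon in _gps_pings(bidstream)
                    if i == ifa and haversine_m(lat, lon, center[0], center[1]) > radius_m)
    return cells.most_common(1)[0][0] if cells else None

def fence_to_home(bidstream, center=FENCE_CENTER, radius_m=FENCE_RADIUS_M):
    """Map every MAID that entered the fence to its most frequent other location."""
    return {ifa: likely_home(bidstream, ifa, center, radius_m)
            for ifa in sorted(devices_in_fence(bidstream, center, radius_m))}

if __name__ == "__main__":
    for r in SAMPLE_BIDSTREAM:
        print(r["id"], audit_request(r))
    print("lmt violations:", lmt_violations(SAMPLE_BIDSTREAM))
    print("fence -> home:", fence_to_home(SAMPLE_BIDSTREAM))
```

Two things worth noticing in the output: device D, which carries no MAID, still leaks a precise GPS fix in each request but cannot be joined to anything else, which is why the article's advice to delete or withhold the ad ID matters even though location is still sent; and device C shows the check a broker's policy would have to enforce (limit-ad-tracking set, MAID absent), which nothing in the bidstream itself enforces. Real data sets have far noisier fixes than this sample, so in practice a home inference uses time-of-day filtering on top of the simple frequency count shown here.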
Last year, Idaho became the first state to outlaw “abortion trafficking,” which the Idaho Capital Sun reports is defined as “recruiting, harboring or transporting a pregnant minor to get an abortion or abortion medication without parental permission.” Tennessee now has a similar law, and GOP lawmakers in five other states introduced abortion trafficking bills that failed to advance this year, the Sun reports.

Atlas said its investigator used Babel Street to identify and track a person traveling from their home in Alabama — where abortion is now illegal — to an abortion clinic just over the border in Tallahassee, Fla., and back home again within a few hours. Abortion rights advocates and providers are currently suing Alabama Attorney General Steve Marshall, seeking to block him from prosecuting people who help patients travel out of state to end pregnancies.

Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), a non-profit digital rights group, said she is extremely concerned about dragnet surveillance of people crossing state lines in order to get abortions.

“Specifically, Republican officials from states that have outlawed abortion have made it clear that they are interested in targeting people who have gone to neighboring states in order to get abortions, and to make it more difficult for people who are seeking abortions to go to neighboring states,” Galperin said. “It’s not a great leap to imagine that states will do this.”

APPLES AND GOOGLES

Atlas found that for the right price (typically $10,000 to $50,000 a year), brokers can provide access to tens of billions of data points covering large swaths of the U.S. population and the rest of the world. Based on the data sets Atlas acquired — many of which included older MAID records — it estimates it could locate roughly 80 percent of Android-based devices, but only about 25 percent of Apple phones.
Google refers to its MAID as the “Android Advertising ID” (AAID), while Apple calls it the “Identifier for Advertisers” (IDFA). What accounts for the disparity between the number of Android and Apple devices that can be found in mobile advertising data?

In April 2021, Apple shipped version 14.5 of its iOS operating system, which introduced a technology called App Tracking Transparency (ATT) that requires apps to get affirmative consent before they can track users by their IDFA or any other identifier. Apple’s introduction of ATT had a swift and profound impact on the advertising market: less than a year later, Facebook disclosed that the iPhone privacy feature would decrease the company’s 2022 revenues by about $10 billion.

Image source: cnbc.com.

Google runs by far the world’s largest ad exchange, known as AdX. The U.S. Department of Justice, which has accused Google of building a monopoly over the technology that places ads on websites, estimates that Google’s ad exchange controls 47 percent of the U.S. market and 56 percent globally. Google’s Android is also the dominant mobile operating system worldwide, with more than 72 percent of the market. In the U.S., however, iPhone users account for approximately 55 percent of the market, according to TechRepublic.

In response to requests for comment, Google said it does not send real-time bidding requests to Babel Street, nor does it share precise location data in bid requests. The company added that its policies explicitly prohibit the sale of data from real-time bidding, or its use for any purpose other than advertising. Google said its MAIDs are randomly generated and do not contain IP addresses, GPS coordinates, or any other location data, and that its ad systems do not share anyone’s precise location data.

“Android has clear controls for users to manage app access to device location, and reset or delete their advertising ID,” Google’s written statement reads.
“If we learn that someone, whether an app developer, ad tech company or anyone else, is violating our policies, we take appropriate action. Beyond that, we support legislation and industry collaboration to address these types of data practices that negatively affect the entire mobile ecosystem, including all operating systems.”

In a written statement shared with reporters, Apple said Location Services is not on by default in its devices. Rather, users must enable Location Services and must give permission to each app or website to use location data. Users can turn Location Services off at any time, and can change whether apps have access to location at any time. The user’s choices include precise vs. approximate location, as well as a one-time grant of location access to an app.

“We believe that privacy is a fundamental human right, and build privacy protections into each of our products and services to put the user in control of their data,” an Apple spokesperson said. “We minimize personal data collection, and where possible, process data only on users’ devices.”

Zach Edwards is a senior threat analyst at the cybersecurity firm SilentPush who has studied the location data industry closely. Edwards said Google and Apple can’t keep pretending that the MAIDs being broadcast into the bidstream from hundreds of millions of American devices aren’t making most people trivially trackable.

“The privacy risks here will remain until Apple and Google permanently turn off their mobile advertising ID schemes and admit to the American public that this is the technology that has been supporting the global data broker ecosystem,” he said.

STATES ACT, WHILE CONGRESS DITHERS

According to Bloomberg Law, threats against federal judges more than doubled between 2019 and 2023. Amid increasingly hostile political rhetoric and conspiracy theories directed at government officials, a growing number of states are seeking to pass their own versions of Daniel’s Law.
Last month, a retired West Virginia police officer filed a class action lawsuit against the people-search service Whitepages for listing their personal information in violation of a statute the state passed in 2021 that largely mirrors Daniel’s Law.

In May 2024, Maryland passed the Judge Andrew F. Wilkinson Judicial Security Act, named after a county circuit court judge who was murdered by an individual involved in a divorce proceeding over which he was presiding. The law allows current and former members of the Maryland judiciary to request that their personal information not be made available to the public. Under the Maryland law, personal information can include a home address; telephone number; email address; Social Security number or federal tax ID number; bank account or payment card number; license plate or other unique vehicle identifier; birth or marital record; a child’s name, school or daycare; place of worship; and place of employment of a spouse, child or dependent.

The law firm Troutman Pepper writes that “so far in 2024, 37 states have begun considering or have adopted similar privacy-based legislation designed to protect members of the judiciary and, in some states, other government officials involved in law enforcement.”

Atlas alleges that in response to requests to have data on its New Jersey law enforcement clients scrubbed from consumer records sold by LexisNexis, the data broker retaliated by freezing the credit of approximately 18,500 people and falsely reporting them as identity theft victims. In addition, Atlas said LexisNexis started returning failure codes indicating it had no record of these individuals, resulting in denials when officers attempted to refinance loans or open new bank accounts.

The data broker industry has responded by having at least 70 of the Atlas lawsuits moved to federal court, and by challenging the constitutionality of the New Jersey statute as overly broad and a violation of the First Amendment.
Attorneys for the data broker industry argued in their motion to dismiss that there is “no First Amendment doctrine that exempts a content-based restriction from strict scrutiny just because it has some nexus with a privacy interest.”

Atlas’s lawyers responded that the data covered under Daniel’s Law — personal information of New Jersey law enforcement officers — is not free speech. Atlas notes that while defending against comparable lawsuits, the data broker industry has argued that home address and phone number data are not “communications.”

“Data brokers should not be allowed to argue that information like addresses are not ‘communications’ in one context, only to turn around and claim that addresses are protectable communications,” Atlas argued in its filing. “Nor can their change of course alter the reality that the data at issue is not speech.”

The judge overseeing the challenge is expected to rule on the motion to dismiss within the next few weeks. Regardless of the outcome, the decision is likely to be appealed all the way to the U.S. Supreme Court.

Meanwhile, media law experts say they are concerned that enacting Daniel’s Law in other states could limit the ability of journalists to hold public officials accountable, and allow authorities to pursue criminal charges against media outlets that publish the same type of public and government records that fuel the people-search industry.

Sen. Ron Wyden (D-Ore.) said Congress’ failure to regulate data brokers, and the administration’s continued opposition to bipartisan legislation that would limit data sales to law enforcement, have created the current privacy crisis.
“Whether location data is being used to identify and expose closeted gay Americans, or to track people as they cross state lines to seek reproductive health care, data brokers are selling Americans’ deepest secrets and exposing them to serious harm, all for a few bucks,” Wyden said in a statement shared with KrebsOnSecurity, 404 Media, Haaretz, NOTUS, and The New York Times.

Sen. Wyden said Google also deserves blame for refusing to follow Apple’s lead by removing companies’ ability to track phones.

“Google’s insistence on uniquely tracking Android users – and allowing ad companies to do so as well – has created the technical foundations for the surveillance economy and the abuses stemming from it,” Wyden said.

Georgetown Law’s Justin Sherman said the data broker and mobile ad industries claim there are protections in place to anonymize mobile location data and restrict access to it, and that there are limits to the kinds of invasive inferences one can make from location data. The data broker industry also likes to tout the usefulness of mobile location data in fighting retail fraud, he said.

“All kinds of things can be inferred from this data, including people being targeted by abusers, or people with a particular health condition or religious belief,” Sherman said. “You can track jurors, law enforcement officers visiting the homes of suspects, or military intelligence people meeting with their contacts. The notion that the sale of all this data is preventing harm and fraud is hilarious in light of all the harm it causes enabling people to better target their cyber operations, or learning about people’s extramarital affairs and extorting public officials.”

WHAT CAN YOU DO?

Privacy experts say disabling or deleting your device’s MAID will have no effect on how your phone operates, except that you may begin to see far less targeted ads on that device.
Any Android apps with permission to use your location should appear when you navigate to the Settings app, then Location, then App Permissions. “Allowed all the time” is the most permissive setting, followed by “Allowed only while in use,” “Ask every time,” and “Not allowed.”

Android users can delete their ad ID permanently by opening the Settings app and navigating to Privacy > Ads. Tap “Delete advertising ID,” then tap it again on the next page to confirm. According to the EFF, this will prevent any app on your phone from accessing the ad ID in the future; Google’s own documentation describes the same control.

Image: eff.org

By default, Apple’s iOS requires apps to ask permission before they can access your device’s IDFA. When you install a new app, it may ask for permission to track you. When prompted to do so by an app, select the “Ask App Not to Track” option. Apple users can also set the “Allow Apps to Request to Track” switch (under Settings > Privacy & Security > Tracking) to the “off” position, which blocks apps from asking to track you at all.

Image: Apple’s Privacy and Ad Tracking Settings.

Apple also has its own targeted advertising system, which is separate from the third-party tracking enabled by the IDFA. To disable it, go to Settings > Privacy & Security > Apple Advertising, and make sure the “Personalized Ads” setting is off.

Finally, if you are the type of reader who is the default IT support person for a small group of family or friends (bless your heart), it would be a good idea to set their devices not to track them, and to disable location sharing for any apps that have it turned on 24/7. This altruism is clearly in the device owner’s interest, but it benefits you as well: even if your own device is not directly trackable via advertising data, making sure the people around you are opted out also reduces the likelihood that you can be tracked simply by being physically close to them.


Ubuntu Security Notice 7082-1 - Gerrard Tai discovered that libheif did not properly validate certain images, leading to out-of-bounds read and write vulnerabilities. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or to obtain sensitive information.


Ubuntu Security Notice 7081-1 - It was discovered that the Go net/http module did not properly handle responses to requests with an "Expect: 100-continue" header under certain circumstances. An attacker could possibly use this issue to cause a denial of service. It was discovered that the Go parser module did not properly handle deeply nested literal values. An attacker could possibly use this issue to cause a panic resulting in a denial of service.


Ubuntu Security Notice 7079-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.


Red Hat Security Advisory 2024-8358-03 - An update for NetworkManager-libreswan is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a privilege escalation vulnerability.


Red Hat Security Advisory 2024-8357-03 - An update for NetworkManager-libreswan is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Issues addressed include a privilege escalation vulnerability.


Red Hat Security Advisory 2024-8356-03 - An update for NetworkManager-libreswan is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a privilege escalation vulnerability.


Red Hat Security Advisory 2024-8355-03 - An update for NetworkManager-libreswan is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include a privilege escalation vulnerability.


Red Hat Security Advisory 2024-8354-03 - An update for NetworkManager-libreswan is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a privilege escalation vulnerability.


Red Hat Security Advisory 2024-8352-03 - An update for the NetworkManager-libreswan:1.2.14 module is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a privilege escalation vulnerability.


Red Hat Security Advisory 2024-8351-03 - An update for the grafana:7.3.6 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.


Red Hat Security Advisory 2024-8339-03 - Red Hat Integration Camel K 1.10.8 release and security update is now available. Issues addressed include code execution, deserialization, and server-side request forgery vulnerabilities.


Red Hat Security Advisory 2024-8338-03 - An update for NetworkManager-libreswan is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support. Issues addressed include a privilege escalation vulnerability.


Red Hat Security Advisory 2024-8312-03 - An update for NetworkManager-libreswan is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a privilege escalation vulnerability.


Red Hat Security Advisory 2024-8232-03 - Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.


New variants of a banking malware called Grandoreiro have been found to adopt new tactics in an effort to bypass anti-fraud measures, indicating that the malicious software is continuing to be actively developed despite law enforcement efforts to crack down on the operation. "Only part of this gang was arrested: the remaining operators behind Grandoreiro continue attacking users all over the


Identity security is front, and center given all the recent breaches that include Microsoft, Okta, Cloudflare and Snowflake to name a few. Organizations are starting to realize that a shake-up is needed in terms of the way we approach identity security both from a strategic but also a technology vantage point.  Identity security is more than just provisioning access  The conventional view


A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-38094 (CVSS score: 7.2), has been described as a deserialization vulnerability impacting SharePoint that could result


Cybersecurity researchers have shed light on a new adversarial technique that could be used to jailbreak large language models (LLMs) during the course of an interactive conversation by sneaking in an undesirable instruction between benign ones. The approach has been codenamed Deceptive Delight by Palo Alto Networks Unit 42, which described it as both simple and effective, achieving an average


It may come as a surprise to learn that 34% of security practitioners are in the dark about how many SaaS applications are deployed in their organizations. And it’s no wonder—the recent AppOmni 2024 State of SaaS Security Report reveals that only 15% of organizations centralize SaaS security within their cybersecurity teams. These statistics not only highlight a critical security blind spot,


Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets under their control. "Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said. "However, such is

Aggregator history: 2024-10, Wednesday, October 23