Plus: Sony confirms a breach of its networks, US federal agents get caught illegally using phone location data, and more.

Does the public have a right to see gruesome photos of animal test subjects taken by a public university?

That question underpins an ongoing court battle between UC Davis and the Physicians Committee for Responsible Medicine, an animal welfare group, which is fighting for the release of photos of dead monkeys used in tests of Elon Musk–owned Neuralink’s brain-chip implants. A WIRED investigation this week revealed the extent to which Neuralink and UC Davis have gone to keep images of the tests secret.

Also this week, an investigation by the Markup, copublished with WIRED, analyzed crime predictions by Geolitica (formerly PredPol) in Plainfield, New Jersey, and found that they accurately predicted crime less than 1 percent of the time. As WIRED previously reported, Geolitica is shutting down at the end of this year and being sold for parts to SoundThinking, maker of the gunshot-detection system ShotSpotter.

Earlier this year, the data-extortion gang Clop exploited a vulnerability in the widely used file-transfer service MOVEit, racking up victims around the globe including major corporations and US government agencies. The full number of victim organizations continues to climb into the thousands, with more than 3.4 million people’s data potentially stolen, making it the biggest hack of 2023.

If you own an inexpensive Android TV streaming box, you may want to toss it into the sea—or recycle it responsibly. New research found that at least eight cheap streaming boxes contained a backdoor that connects the devices with servers in China and is used to commit fraud and other cybercrime. Researchers also found dozens of Android, iOS, and TV box apps that were used for fraudulent behavior. While at least some of the apps have been removed from the app stores, more than 120,000 Android devices and 150,000 iOS devices were impacted.

Speaking of phone security, we detailed how to know when your device will stop getting security updates and how to keep Google from using your data in its generative AI tool, Bard. Finally, we profiled the team at a UK-based nonprofit that’s helping women fight back against digital domestic violence.

That’s not all. Each week we round up the security and privacy news that we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

When WIRED first reported that Apple had sent a letter responding to demands from an anti-child-exploitation group called Heat Initiative, we had one big question: What the hell is Heat Initiative? An investigation by the Intercept now provides some clues.

According to the Intercept, the group is funded by “dark-money donors” linked to billionaire Democrats. Sarah Gardner, who leads the group, refused to comment on Heat Initiative’s funding and said she disagrees with Apple’s “privacy-absolutist” approach. The group, which had virtually no online presence when Apple sent that letter, is now waging a high-profile campaign to force the company to do more to scan for child sexual abuse material (CSAM) on users’ devices and iCloud storage, which would likely mean weakening encryption.

After Apple scrapped plans to scan images on users’ devices for CSAM amid widespread backlash, the company focused instead on tools known as Community Safety features for reporting CSAM. It also rolled out encrypted iCloud options. The company says it cannot meet Heat Initiative demands without compromising user privacy and security.

Sony Interactive Entertainment confirmed this week that it is the latest victim of the aforementioned MOVEit breach. The company says it has informed some 6,800 people, including past and current employees, about the breach, which may have exposed Social Security numbers and personal information. Data-extortion gang Clop has claimed responsibility for the breach, which Sony says it detected on June 2. Sony says it is working with cybersecurity experts and law enforcement as part of its investigation into the intrusion.

Agents working for the US Customs and Border Protection, Immigration and Customs Enforcement, and the US Secret Service broke the law by purchasing commercially available phone location data, according to a new report from the US Department of Homeland Security’s inspector general. Privacy and civil liberty advocates have long argued that the purchase of such data, known in the US government as commercial telemetry data (CTD), circumvents Fourth Amendment protections against unreasonable searches and seizures because agents don’t need to obtain a warrant to buy the information. But the inspector general report says the data was illegally accessed because agents failed to conduct a mandated privacy impact assessment before buying CTD.

The US Department of Justice this week unsealed indictments against eight Chinese firms and 12 of their employees, accusing them of producing and distributing chemicals needed for the production of fentanyl, a deadly opioid, in the United States. The employees and companies were also sanctioned by the US Treasury Department, cutting them off from US financial institutions. According to the DOJ, the companies “tend to use cryptocurrency transactions to conceal their identities and the location and movement of their funds.”

“We have identified and blocked over a dozen virtual currency wallets associated with these actors,” Treasury deputy secretary Wally Adeyemo said during a press conference on October 3. “The blocked wallets, which received millions of USD funds over hundreds of deposits, illustrate the scope and scale of the operation targeted today.”

Apple's Encryption Is Under Attack by a Mysterious Group

By Owais Sultan
SEO vs. PPC – Understanding the Difference and Choosing the Right Strategy for Your Business – Let’s delve…
This is a post from HackRead.com Read the original post: SEO vs. PPC: Choosing the Right Strategy for Your Business

SEO vs. PPC – Understanding the Difference and Choosing the Right Strategy for Your Business – Let’s delve into it.

Visibility is everything for online businesses nowadays – if you want visitors on your website, you’ll need some sort of exposure that will redirect users to your URL. The two most popular methods of this is through Search Engine Optimization, also known as SEO, or Pay-Per-Click (PPC) advertising. Both have their advantages, but which one is right for your business?

****What is SEO?****

Search Engine Optimization, or SEO, is a collection of techniques – some might even call it art – related to improving the visibility of your website in organic (i.e., non-paid) search engine results. This can be achieved by optimizing various website areas, primarily including its content, structure, and backlinks.

A website that is well-optimized will be able to attract a steady stream of traffic over time much easier. Since SEO relies purely on organic search results, users often trust these results more than paid ads, potentially increasing conversion rates and improving brand image when compared to other methods of online advertising.

SEO costs are usually lower than those of PPC campaigns, but it requires a holistic approach to be effective, typically restructuring entire websites and dramatically changing content, which might take some time to fully deploy.

****What is PPC?****

PPC is short for Pay-Per-Click advertising and involves placing ads on platforms like Google Ads or Meta Ads, where businesses can pay for their ad to be displayed and pay a set fee each time it is clicked. This method offers brands immediate visibility and can drive traffic to specific landing pages easily. Most platforms also offer handy tools for precise targeting of your ads, based on keywords, demographics, location, audience interests, and more. 

Looking for professional PPC services in London? Don’t leave your online visibility to amateurs – go with an experienced digital agency like Nautilus Marketing, which provides measurable performance indicators to track the effectiveness of PPC campaigns and implements optimal changes when necessary.

****PPC vs. SEO Strategies****

SEO can be more cost-effective in the long run, building trust and credibility in addition to just traffic. The results it provides are long-lasting and can significantly influence brand visibility. These results, however, are not immediate – SEO requires patience, and changes might take time to show up in measurable indicators. What’s more, search engine algorithms are constantly evolving, which can affect ranking and needs constant attention and monitoring.

PPC campaigns, on the other hand, give immediate results and traffic that is easily trackable. The specific ads can be easily targeted to your desired audience, and the budget can be adjusted dynamically according to your needs.

However, PPC campaigns can be expensive, especially in competitive niches, and the costs may increase based on targeting settings. It requires a constant budget that must be maintained, or the ads will immediately disappear, cutting visibility. Users might also be wary of paid advertisements, discouraging conversions.

In the end, which strategy is better depends on your specific needs, niche, and business model. SEO and PPC have their place in a comprehensive digital marketing strategy – a blend of both might often be the most effective approach.

****_RELATED ARTICLES_****

1.  How SASE Supports Digital Transformation
2.  The Most In-Demand Freelance Skills for 2023
3.  Understanding the E-Commerce Marketplaces in Europe
4.  cheqd’s Recent Rollout Focuses on Monetizing Digital Identity
5.  Key Considerations When Transferring Your Digital Workspace

SEO vs. PPC: Choosing the Right Strategy for Your Business

Directory Traversal vulnerability in Hex-Dragon Plain Craft Launcher 2 version Alpha 1.3.9, allows local attackers to execute arbitrary code and gain sensitive information.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-36123: GitHub - 9Bakabaka/CVE-2023-36123: The PoC of CVE-2023-36123

File Upload vulnerability in Simple and Nice Shopping Cart Script v.1.0 allows a remote attacker to execute arbitrary code via the upload function in the edit profile component.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-44061: CVE-2023-44061/poc.md at main · soundarkutty/CVE-2023-44061

An issue in NETIS SYSTEMS N3Mv2 v.1.0.1.865 allows a remote attacker to cause a denial of service via the authorization component in the HTTP request.

CVE-2023-44860: CVE/netis_N3/Improper Authentication Mechanism Leading to Denial-of-Service (DoS).md at main · adhikara13/CVE

** DISPUTED ** libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."

Skip to content

GitLab 

**Memory error: heap-use-after-free in xmllint (xmlUnlinkNode)**

I am using the current commit 778cca38.

There is a heap-use-after-free error when I run xmllint on some input file and on some program options. I attach the xml input file here input.xml

To reproduce the error, run:

./libxml2/xmllint --copy --html --maxmem 315229 input.xml

The ASAN output is the following:

    ==12246==ERROR: AddressSanitizer: heap-use-after-free on address 0xffffa3052580 at pc 0xaaaacd087148 bp 0xffffc11cad10 sp 0xffffc11cad20
    WRITE of size 8 at 0xffffa3052580 thread T0
        #0 0xaaaacd087144 in xmlUnlinkNode (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc07144)
        #1 0xaaaacd06ceac in xmlFreeDoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xbeceac)
        #2 0xaaaaccee01d8 in parseAndPrintFile (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa601d8)
        #3 0xaaaacceeed08 in main (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa6ed08)
        #4 0xffffa82a73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #5 0xffffa82a74c8 in __libc_start_main_impl ../csu/libc-start.c:392
        #6 0xaaaaccecf7ec in _start (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa4f7ec)
    
    0xffffa3052580 is located 96 bytes inside of 160-byte region [0xffffa3052520,0xffffa30525c0)
    freed by thread T0 here:
        #0 0xffffa8c79fe8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
        #1 0xaaaacd141a3c in xmlMemFree (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xcc1a3c)
        #2 0xaaaacced0d04 in myFreeFunc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa50d04)
        #3 0xaaaacd0842e4 in xmlFreeNodeList (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc042e4)
        #4 0xaaaacd08db9c in xmlStaticCopyNodeList (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc0db9c)
        #5 0xaaaacd090238 in xmlCopyDoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc10238)
        #6 0xaaaaccedd330 in parseAndPrintFile (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa5d330)
        #7 0xaaaacceeed08 in main (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa6ed08)
        #8 0xffffa82a73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #9 0xffffa82a74c8 in __libc_start_main_impl ../csu/libc-start.c:392
        #10 0xaaaaccecf7ec in _start (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa4f7ec)
    
    previously allocated by thread T0 here:
        #0 0xffffa8c7a2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0xaaaacd13fd0c in xmlMallocLoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xcbfd0c)
        #2 0xaaaacd140b58 in xmlMemMalloc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xcc0b58)
        #3 0xaaaacced0d24 in myMallocFunc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa50d24)
        #4 0xaaaacd08abf8 in xmlStaticCopyNode (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc0abf8)
        #5 0xaaaacd08d930 in xmlStaticCopyNodeList (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc0d930)
        #6 0xaaaacd090238 in xmlCopyDoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc10238)
        #7 0xaaaaccedd330 in parseAndPrintFile (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa5d330)
        #8 0xaaaacceeed08 in main (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa6ed08)
        #9 0xffffa82a73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #10 0xffffa82a74c8 in __libc_start_main_impl ../csu/libc-start.c:392
        #11 0xaaaaccecf7ec in _start (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa4f7ec)
    
    SUMMARY: AddressSanitizer: heap-use-after-free (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc07144) in xmlUnlinkNode
    Shadow bytes around the buggy address:
      0x200ff460a460: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
      0x200ff460a470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x200ff460a480: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x200ff460a490: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
      0x200ff460a4a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x200ff460a4b0:[fd]fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
      0x200ff460a4c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x200ff460a4d0: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
      0x200ff460a4e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x200ff460a4f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x200ff460a500: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==12246==ABORTING

If any program option is removed, the issue does not trigger.

CVE-2023-45322: Memory error: heap-use-after-free in xmllint (xmlUnlinkNode) (#583) · Issues · GNOME / libxml2 · GitLab

At least a million data points from 23andMe accounts appear to have been exposed on BreachForums. While the scale of the campaign is unknown, 23andMe says it's working to verify the data.

The genetic testing company 23andMe confirmed on Friday that data from a subset of its users has been compromised. The company said its systems were not breached and that attackers gathered the data by guessing the login credentials of a group of users and then scraping more people’s information from a feature known as DNA Relatives. Users opt into sharing their information through DNA Relatives for others to see. 

Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained 1 million data points exclusively about Ashkenazi Jews. There also seem to be hundreds of thousands of users of Chinese descent impacted by the leak. On Wednesday, the actor began selling what it claims are 23andMe profiles for between $1 and $10 per account, depending on the scale of the purchase. The data includes things like a display name, sex, birth year, and some details about genetic ancestry results, like that someone is, say, of “broadly European” or “broadly Arabian” descent. It may also include some more specific geographic ancestry information. The information does not appear to include actual, raw genetic data.

The company emphasized in a statement that it does not see evidence that its systems have been breached. It also encouraged users to use strong, unique passwords and enable two-factor authentication to keep attackers from compromising their individual accounts using login credentials exposed in other data breaches.

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” the company said in a statement. “We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.” 

The company has not been clear on whether it has validated the data the threat actor leaked, noting that its investigation is ongoing and that it currently has “preliminary results.” A spokesperson for the company told WIRED that the leaked information is consistent with a situation in which some user accounts were exposed and then leveraged to scrape data visible in DNA Relatives. But when pressed on the details of whether the data has been validated, the spokesperson said that verifying the data is pending and that the company cannot currently confirm whether the leaked information is real.

This point is significant both for everyone whose information may have been compromised and because the data posted by the actor claims to include “celebrities.” Entries for technologists Mark Zuckerberg, Elon Musk, and Sergey Brin are all visible in the sample data, including “Profile ID,” “Account ID,” name, sex, birth year, current location, and fields known as “ydna” and “ndna.” It is unclear if the data for these entries is legitimate or was inserted. For example, Musk and Brin appear to have the same profile and account IDs in the leak.

The technique of using credentials exposed in other data breaches to infiltrate accounts where those logins have been reused is known as “credential stuffing” and is a widely used account compromise technique.

“Credential stuffing never really went away and a lot of it just comes down to the fact that humans reuse their passwords—that's what makes it possible,” says Ronnie Tokazowski, a longtime digital scams researcher. “And the fact that it's claiming to target a Jewish population or celebrities—it’s not shocking. It reflects the underbelly of the internet.”

The full picture of why the data was stolen, how much more the attackers have, and whether it is actually focused entirely on Ashkenazim is still unclear.

“When data is shared relating to ethic, national, political or other groups, sometimes it's because those groups have been specifically targeted, but sometimes it's because the person sharing the data thinks it'll make reputation-boosting headlines,” says Brett Callow, a threat analyst at security firm Emsisoft. 

Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping.

“This incident really highlights the risks associated with DNA databases,” Callow says. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”

_Update 7:00 pm ET, October 6 to note that data from hundreds of thousands of 23andMe users of Chinese descent seems to have also been exposed in the incident._

23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.2.2.

**Cross-site Scripting in snipe/snipe-it**

Moderate severity GitHub Reviewed Published Oct 6, 2023 to the GitHub Advisory Database • Updated Oct 9, 2023

GHSA-rr5c-69c9-gj9f: Cross-site Scripting in snipe/snipe-it

In NASA Open MCT (aka openmct) before commit 545a177 is subject to a prototype pollution which can occur via an import action.

**Prototype Pollution in NASA Open MCT**

Moderate severity GitHub Reviewed Published Oct 6, 2023 to the GitHub Advisory Database • Updated Oct 9, 2023

GHSA-4xcx-cwrq-w792: Prototype Pollution in NASA Open MCT

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary.

**Code injection in fsevents**

Moderate severity GitHub Reviewed Published Oct 6, 2023 to the GitHub Advisory Database • Updated Oct 9, 2023

Tag

#git