A vulnerability, was found in legacy Axis devices such as P3225 and M3005. This affects an unknown part of the component CGI Script. The manipulation leads to improper privilege management. It is possible to initiate the attack remotely.

%PDF-1.7 %���� 1 0 obj <> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/Annots\[ 34 0 R 48 0 R 49 0 R 54 0 R 55 0 R\] /MediaBox\[ 0 0 595.32 841.92\] /Contents 6 0 R/Group<>/Tabs/S>> endobj 4 0 obj <> stream ����JFIF����C    $.' ",#(7),01444'9=82<.342��C  2!!22222222222222222222222222222222222222222222222222����"�� ���}!1AQa"q2���#B��R��$3br� %&'()\*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������� ���w!1AQaq"2�B���� #3R�br� $4�%�&'()\*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������?��(�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� )��Ā����S�&��QE0 (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (����݋Kb��xQ�VY�)bpɮ\[P�7w%��^W��c~�GO��ta��I�&�|��D�Ĥ��ϯ�t����G��b�����W����7������PӞ&�Q\_Ny�EPEPEPEPEPEPEP\\��:�4�nn�k���� �0V\`>�g��WO}{o��O{w\*�o$�� ��|e���x��W����~��#�,���<��h��ᥬ��\[������������5�?L\_�^\\�n$7���s�{��5�����9�aKo��� x����t-b�K����\\��cu7#���z��5�� ��(�\[a����(��\_��}����ᥬ��\[������֟��h-+Y׬��&\[�\\G���2�=21�8�|�J "�>�����ߎ?�.����T���|��q����������MF��o��mk��s������������|��&�>>���GS\_ �K�\[6�x�xy{/���j�\*�#�Z������ �Mz'��I��>�P\]"\[X���� �|q�q��ɞ��犼Eg�د�n��5�&>�f����k?h��M�{-�����'ܞh�|U�����'��\_C�v��!�g �zc���� -e�B�����+���%S���?��.�>��s�"�Q�-�%�،\`�>�۽�5�W�������O�������Z�Kq<�8bB�;tU$�Y����y(�nwv�Q�My������4� ����q���f�b�3^#�3�u���9-�� '���������h�9�ih�~��NW?�v�Z��\]��X���W��@�� .��,���+�<9��o�oN���'��7��v܌�=��Z�\_����o�ׄ\_� I�x�=\*I#�#o%�'�ge�6o��\*�3�A�$dR�)�S�8dH��XC4��~�r���i9���K%��:���Rk^�2��

CVE-2017-20049

A vulnerability has been found in AXIS P1204, P3225, P3367, M3045, M3005 and M3007 and classified as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation leads to improper access controls. The attack can be initiated remotely. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: David Wearing <wearing () google com>  
_Date_: Thu, 16 Mar 2017 16:47:27 +1100  

Introduction

============

Vulnerabilities were identified in the camera software by Axis.  These were
discovered during a black box assessment and therefore the vulnerability
list should not be considered exhaustive; observations suggest that it is
likely that further vulnerabilities exist.

Affected Software And Versions

==============================


Model P1204, software versions <= 5.50.4

Model P3225, software versions <= 6.30.1

Model P3367, software versions <= 6.10.1.2

Model M3045, software versions <= 6.15.4.1

Model M3005, software versions <= 5.50.5.7

Model M3007, software versions <= 6.30.1.1

CVE

===

No CVEs have been assigned to these vulnerabilities.


Vulnerability Overview

======================

1. Axis01: No cross-site request forgery protections

2. Axis02: Bypass manual checks for XSS

3. Axis03: Web services run as root

4. Axis04: Script editor function allows for arbitrary write as root on
successful CSRF attack

5. Axis05: root setuid .CGI scripts and binaries present

6. Axis06: Inability to disable the http interface

Vulnerability Details

=====================

---------------------------------------------

1. Axis01: No cross-site request forgery protections

---------------------------------------------

Axis software does not have any cross-site request forgery protection
within the management interface. Axis provide guidance on risk mitigation
for CSRF only.

https://www.axis.com/files/faq/Advisory\_Cross-Site\_Request\_Forgery.pdf

--------------------------------------------------

2. Axis02: Bypass manual checks for XSS

--------------------------------------------------

Axis software on the camera has client-side JavaScript to try and remove
XSS payloads. No server-side security checks are present. Viewers or lower
privileged users of cameras exposed to the internet or corporate networks
may be able to store persistent XSS payloads.

Example of code in language\_incl.js used to detect and remove malicious
javaScript shown below:

if( data.toLowerCase().indexOf(\\"<script\\") != -1 ||
data.toLowerCase().indexOf(\\"</script\\") != -1 )


-----------------------------------------------

3. Axis03: Web service runs as root

-----------------------------------------------

The versions of Axis software tested have a BOA server (boa) running as
root. BOA is an ancient web server and no longer maintained since approx.
2005. Fuzzing of the process using off-the-shelf fuzzers result in crashes
that have not yet been investigated further.

Axis software versions >5.70 have replaced BOA with Apache.


-----------------------------------------------

4. Axis04: Script editor function allows for arbitrary write as root on
successful CSRF attack

-----------------------------------------------

A script editor function “/admin-bin/editcgi.cgi” can be used to write as
root to the device, due to Axis01 lack of CSRF protection, this can be
exploited to write over /etc/shadow and obtain root access to the device,
as well as backdoor the device.

Proof of concept to overwrite /etc/shadow file:

<body>
<form action="https://<ip-of-axis-camera|hostname>/admin-bin/editcgi.cgi?file=/etc/shadow"
method="POST" >
<input type="hidden" name="save&#95;file" value="&#47;etc&#47;shadow" />
<input type="hidden" name="mode" value="0100600" />
<input type="hidden" name="convert&#95;crlf&#95;to&#95;lf" value="on" />
<input type="hidden" name="content" value="#####INPUT HTML ENCODED SHADOW
HERE##### " />
<input type="submit" value="Submit request" />
</form>
</body>

-----------------------------------------------

5. Axis05: root setuid .CGI scripts and binaries present

-----------------------------------------------

Multiple root setuid .CGI scripts and binaries are present. The CGI scripts
manage web session temp files,group memberships and functionality of the
camera. Exploitable vulnerabilities in any will provide root access to the
camera.

E.g /axis-cgi/admin/param.cgi & /axis-cgi/admin/pwdgrp.cgi which allows for
changing user and group passwords.

-----------------------------------------------

6. Axis06: Inability to disable the HTTP interface

-----------------------------------------------

No option existed in Axis software to disable the HTTP interface. The web
server will always listen on all network interfaces of the camera, which
makes these cameras trivial to find on the internet e.g. using Shodan.

E.g port 80 is listening and /httpDisabled.shtml is always accessible.

Axis advise to move the web server listening port to another port.

Mitigation

==========

Axis released zero advisories related to the issues reported here.

Axis recommends following their hardening guide available on:
https://www.axis.com/mu/en/support/product-security

For the vulnerabilities related to Axis02, Axis03 and Axis06 Axis has
recommended to upgrade Axis software to versions >5.70 or use the new Axis
platform with >7.10 versions. Versions other than those listed here have
not been tested to confirm these vulnerabilities have been fixed.

Author

======

The vulnerabilities were discovered by David Wearing from Google Security
Team.

Timeline

========

2016/11/24 - Security report sent to Axis with 90 day disclosure deadline
(2017/02/24).

2016/12/02 - Axis acknowledges report and starts working on the issues.

2016/12/06 - Pinged for patch ETA.

2016/12/09 - Pinged for patch ETA.

2017/01/11 - Pinged for patch ETA.

2017/01/12 - Response from Axis Security listing multiple issues as having
been fixed in the new firmware versions. Redesign of CGI scripts to be
interfaces confirmed.

2017/01/25 - Send query regarding the lack of CSRF protections and if
changes to handling of XSS was to occur.

2017/02/28 - Request to Axis on any advice or mitigations they want to
include in the post.

2017/03/02 - Pinged Axis.

2017/03/02 - Response from Axis including advice on mitigation of CSRF.

2017/03/05 - Review of mitigations provided to Axis

2017/03/10 - Discussions with Axis on post.

2017/03/15 - Public disclosure.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Axis Camera Multiple Vulnerabilities** _David Wearing (Mar 16)_

CVE-2017-20050: Full Disclosure: Axis Camera Multiple Vulnerabilities

Many consumers still relying on easy-to-crack passwords, warns Digital Shadows

John Leyden 15 June 2022 at 14:26 UTC

Many consumers still relying on easy-to-crack passwords, warns Digital Shadows

An eye-watering 24 billion usernames and passwords available on the dark web – an increase of 65% in just two years, according to a new study from Digital Shadows.

Some combinations are advertised more than once on forums, but even after removing duplicates, Digital Shadows still found that 6.7 billion unique credentials exist – an increase of approximately 1.7 billion or 34% in two years.

A study (PDF) from the threat intel firm, published on Wednesday (June 15), found that despite this, consumers continue to use easy to guess passwords.

For example, around 0.46% of all passwords – nearly one in every 200 – is ‘123456’. Keyboard combinations such as ‘qwerty’ or '1q2w3e’ are also all too commonplace.

In response to questions from The Daily Swig, Digital Shadows said most of the credentials collected and analyzed in its report come from organizations whose databases have been breached before password hashes are cracked and passwords leaked on cybercriminal forums. Login credential initially stolen through phishing attacks, and often using specialist phishing kits with another significant vector of credential pwnage.

Catch up on the latest password-related security news

Easy-to-use tools commonly available through criminal marketplaces at minimal cost or for free make it straightforward for even unskilled script kiddies to crack weak passwords.

Simply adding a ‘special character’ (such as @ # or \_) to a basic 10-character password makes it far harder to crack passwords and therefore makes it much less likely that a person will fall victim to an attack, with criminals instead attacking accounts that are easier to breach.

Digital Shadows reports that the sale of stolen and cracked credentials remains a mainstay of sales through cybercrime forums and marketplaces.

"Stolen credentials are one of the most crucial access tokens for a variety of cybercriminals and state-sponsored groups’ operations," Digital Shadows told The Daily Swig. "As such, the market for them is constantly florid and threat groups scramble to put their hands on these valuable assets."

**Progressively worse**

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, said that despite industry attempts to move beyond passwords as an authentication mechanism, the issue of breached credentials remains pressing – and is becoming progressively worse over time.

“Criminals have an endless list of breached credentials they can try but adding to this problem is weak passwords which means many accounts can be guessed using automated tools in just seconds,” Morgan said.

Morgan added: “In just the last 18 months, we at Digital Shadows have alerted our clients to 6.7 million exposed credentials. This includes the username and passwords of their staff, customers, servers, and IoT devices.

YOU MAY ALSO LIKE Cybercriminals use reverse tunneling and URL shorteners to launch ‘virtually undetectable’ phishing campaigns

“Many of these instances could have been mitigated through using stronger passwords and not sharing credentials across different accounts,” they concluded.

In a blog post, Digital Shadows summarizes the findings from its research as well as offering advice on password security best practices.

Its top tips include advising users to switch to using a password manager and adding multi-factor authentication to their online accounts so that a password alone (even if compromised) is not enough to gain access.

READ MORE Volatile market for stolen credit card data shaken up by sanctions against Russia

Dark web awash with breached credentials, study finds

Vendor addresses threat to integrity and availability of physical access systems

Vendor addresses threat to integrity and availability of physical access systems

Attackers could remotely unlock doors in critical infrastructure facilities by exploiting recently patched vulnerabilities in LenelS2 access control panels, security researchers have revealed.

Sam Quinn and Steve Povolny from Trellix Threat Labs uncovered eight security flaws in the industrial control system (ICS) access control technology that “allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms, and undermine logging and notification systems”, they said in a technical write-up.

In a security advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) said that successful exploitation could allow “monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition”.

**Chain reaction**

The findings emerged from a penetration test in which Quinn and Povolny combined known and novel hardware hacking techniques to manipulate on-board components and achieve root access to the device’s Linux operating system.

Then the duo conducted reverse engineering and live debugging to discover the remotely exploitable flaws, two of which they chained to exploit the access control board and remotely gain root-level privileges. This enabled them to create a program that could run alongside the legitimate firmware and unlock any door and subvert system monitoring.

The researchers captured the exploit in the video below:

The vulnerable panels, which are manufactured by HID Global, are used in government, healthcare, transportation, and education settings, among other sectors, and can be integrated with complex building automation deployments.

**Bug breakdown**

The flaws include a critical unauthenticated buffer overflow leading to remote code execution (RCE) that earned a maximum severity score of CVSS 10.0 (CVE-2022-31481).

The second most severe issue, a critical command injection bug notching a CVSS of 9.6 (CVE-2022-31479), could see an unauthenticated attacker “update the hostname with a specially crafted name, allowing shell command execution during the core collection process”, explained CISA.

Catch up on the latest hardware security news

Scoring CVSS 9.1, another critical, arbitrary file write issue (CVE-2022-31483) meant “an authenticated attacker can manipulate a filename to achieve the ability to upload the desired file anywhere on the filesystem”.

And a high severity authenticated command injection with a CVSS rating of 8.8 (CVE-2022-31486) due to improper neutralization of special elements was the only issue yet to be patched, according to Trellix.

Other flaws include three high severity (all CVSS 7.5) issues comprising a pair of denial-of-service (DoS) bugs (CVE-2022-31480 and CVE-2022-31482) and unauthenticated user modification issue (CVE-2022-31484), and an unauthenticated information spoofing bug scoring CVSS 5.3 (CVE-2022-31485).

**Mitigations**

The vulnerable models include LNL-X2210, LNL-X2220, LNL-X3300, LNL-X4420, LNL-4420, S2-LP-1501, S2-LP-4502, S2-LP-2500, and S2-LP-1502.

“HID Global has confirmed that all OEM partners using Mercury boards are vulnerable to the issues on specific hardware controller platforms,” warned the researchers.

“This research is actionable for vendors and third parties that collaborate with companies like Carrier to install physical access systems. Customers using HID Global Mercury boards should contact their Mercury OEM partner for access to security patches prior to weaponization by malicious threat actors.”

A security advisory (PDF) published on June 2 by Carrier, which owns LenelS2, provides advice on updating firmware and, in the meantime, mitigating the risk by disabling web access.

The researchers said they “did not expect to find common, legacy software vulnerabilities in a relatively recent technology”, especially one approved for US federal government use. “It is crucial to independently evaluate the certifications of any product prior to adding it into an IT or OT environment,” they advised.

YOU MIGHT ALSO LIKE Separate Fujitsu cloud storage vulnerabilities could enable attackers to destroy virtual backups

LenelS2 access control vulnerabilities leave door open to lock manipulation

Manufacturer addresses threat to integrity and availability of physical access systems sold by LenelS2

Manufacturer addresses threat to integrity and availability of physical access systems sold by LenelS2

UPDATED Attackers could remotely unlock doors in critical infrastructure facilities by exploiting recently patched vulnerabilities in LenelS2 access control panels, security researchers have claimed.

Sam Quinn and Steve Povolny from Trellix Threat Labs uncovered eight security flaws in the industrial control system (ICS) technology, which is manufactured by HID Mercury and resold under LenelS2 branding, that “allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms, and undermine logging and notification systems”, they said in a technical write-up.

In a security advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) said that successful exploitation could allow “monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition”.

However, Carrier told The Daily Swig that Trellix’s “method of scoring (CVSS) is subjective and does not capture or reflect actual operational risk based on the manufacturer’s recommended installation requirements.”

**Chain reaction**

The findings emerged from a penetration test in which Quinn and Povolny combined known and novel hardware hacking techniques to manipulate on-board components and achieve root access to the device’s Linux operating system.

Then the duo conducted reverse engineering and live debugging to discover the remotely exploitable flaws, two of which they chained to exploit the access control board and remotely gain root-level privileges. This enabled them to create a program that could run alongside the legitimate firmware and unlock any door and subvert system monitoring.

The researchers captured the exploit in the video below:

The vulnerable panels are used in government, healthcare, transportation, and education settings, among other sectors, and can be integrated with complex building automation deployments.

**Bug breakdown**

The flaws include a critical unauthenticated buffer overflow leading to remote code execution (RCE) that earned a maximum severity score of CVSS 10.0 (CVE-2022-31481).

The second most severe issue, a critical command injection bug notching a CVSS of 9.6 (CVE-2022-31479), could see an unauthenticated attacker “update the hostname with a specially crafted name, allowing shell command execution during the core collection process”, explained CISA.

Catch up on the latest hardware security news

Scoring CVSS 9.1, another critical, arbitrary file write issue (CVE-2022-31483) meant “an authenticated attacker can manipulate a filename to achieve the ability to upload the desired file anywhere on the filesystem”.

And a high severity authenticated command injection with a CVSS rating of 8.8 (CVE-2022-31486) due to improper neutralization of special elements was the only issue yet to be patched, according to Trellix.

Other flaws include three high severity (all CVSS 7.5) issues comprising a pair of denial-of-service (DoS) bugs (CVE-2022-31480 and CVE-2022-31482) and unauthenticated user modification issue (CVE-2022-31484), and an unauthenticated information spoofing bug scoring CVSS 5.3 (CVE-2022-31485).

Carrier said it “disputes Trellix scoring of these vulnerabilities”, adding: “In keeping with our commitment to the cybersecurity of all products we sell regardless of manufacturer, we proactively filed all eight CVEs as a CVE numbering authority within the CVE program.”

**Mitigations**

The vulnerable models include LNL-X2210, LNL-X2220, LNL-X3300, LNL-X4420, LNL-4420, S2-LP-1501, S2-LP-4502, S2-LP-2500, and S2-LP-1502.

“HID Global \[HID Mercury’s parent company\] has confirmed that all OEM partners using Mercury boards are vulnerable to the issues on specific hardware controller platforms,” warned the researchers.

“This research is actionable for vendors and third parties that collaborate with companies like Carrier to install physical access systems. Customers using HID Global Mercury boards should contact their Mercury OEM partner for access to security patches prior to weaponization by malicious threat actors.”

A security advisory (PDF) published on June 2 by Carrier, which owns LenelS2, provides advice on updating firmware and, in the meantime, mitigating the risk by disabling web access.

**‘Corrective actions’**

The researchers said they “did not expect to find common, legacy software vulnerabilities in a relatively recent technology”, especially one approved for US federal government use. “It is crucial to independently evaluate the certifications of any product prior to adding it into an IT or OT environment,” they advised.

Carrier also told The Daily Swig: “The HID Mercury access control panel is designed and manufactured by third-party supplier HID Mercury and resold by a great number of other companies, including LenelS2, under their own and HID Mercury brand names. Therefore, the vulnerability is with HID Mercury, not with Carrier’s LenelS2.

“There were four zero-day vulnerabilities identified by Trellix. Earlier this year, these were proactively communicated to LenelS2 sales channels along with a temporary mitigation and plan for permanent fix. The other four vulnerabilities were patched and corrected before the Trellix assessment and are therefore not zero-day vulnerabilities.

“At this time LenelS2 is not aware of any exploitations of these identified vulnerabilities and has not been informed of any by HID Mercury. LenelS2 has taken precautions and corrective actions to inform and address with customers and partners to mitigate these vulnerabilities. LenelS2 has also reached out to Trellix who will be updating their materials with some clarifying points.”

This article was updated on June 14 with comments from Carrier. The Daily Swig also invited HID Global to comment but we have yet to hear back.  

YOU MIGHT ALSO LIKE Separate Fujitsu cloud storage vulnerabilities could enable attackers to destroy virtual backups

HID Mercury access control vulnerabilities leave door open to lock manipulation

In 2017, The Australian Cyber Security Center (ACSC) published a set of mitigation strategies that were designed to help organizations to protect themselves against cyber security incidents. These strategies, which became known as the Essential Eight, are designed specifically for use on Windows networks, although variations of these strategies are commonly applied to other platforms.
What is

In 2017, The Australian Cyber Security Center (ACSC) published a set of mitigation strategies that were designed to help organizations to protect themselves against cyber security incidents. These strategies, which became known as the Essential Eight, are designed specifically for use on Windows networks, although variations of these strategies are commonly applied to other platforms.

**What is the Essential Eight?**

The Essential Eight is essentially a cyber security framework that is made up of objectives and controls (with each objective including multiple controls). Initially, the Australian government only mandated that companies adhere to four of the security controls that were included in the first objective. Starting in June of 2022 however, all 98 non-corporate Commonwealth entities (NCCEs) are going to be required to comply with the entire framework.

**Non-Australians take note**

Although the Essential Eight is specific to Australia, organizations outside of Australia should take notice. After all, the Essential Eight is "based on the ACSC's experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organizations to implement the Essential Eight" (source). In other words, the Essential Eight could be thought of as a set of best practices that are based on the ACSC's own experience.

Another reason for those outside of Australia to pay attention to the Essential Eight is because most developed nations have cyber security regulations that closely mimic the Essential Eight. While there are inevitably going to be differences in regulations, most sets of cyber security regulations seem to agree on the basic mechanisms that need to be put into place in order to remain secure. Examining Australia's Essential Eight can help organizations abroad to better understand what it takes to keep their systems secure.

The Essential Eight are divided into four maturity levels, with Maturity Level 0 indicating that the organization is not at all secure. Maturity Level 1 provides a very basic level of protection, while Maturity Level 3 has requirements that are far more stringent. Organizations are encouraged to assess their overall risks and IT resources when choosing a target maturity level.

**Objective 1: Application Control**

The Application Control objective is designed to prevent unauthorized code from running on systems. Maturity Level 1 is primarily intended to prevent users from running unauthorized executables, scripts, tools, and other components on their workstations, while Maturity Level 2 adds protections for Internet facing servers. Maturity Level 3 adds additional controls, such as driver restrictions and adherence to Microsoft's block lists.

**Objective 2: Patch Applications**

The second objective is focused on applying patches to applications. Software vendors routinely deliver security patches as vulnerabilities are discovered. The Patch Applications objective states (for all maturity levels) that patches for vulnerabilities in Internet facing services should be patched within two weeks, unless an exploit exists, in which case patches should be applied within 48 hours of becoming available. This objective also prescribes guidance for other types of applications and for the use of vulnerability scanners.

**Objective 3: Configure Microsoft Office Macro Settings**

The third objective is to disable macro use in Microsoft Office for users who do not have a legitimate business need for macro use. Organizations must also ensure that macros are blocked for any Office file originating from the Internet and that the settings cannot be modified by end users. Organizations must also use antivirus software to scan for macros. Higher maturity levels add additional requirements such as running macros in sandboxed locations.

**Objective 4: Use Application Hardening**

The fourth objective is called Application Hardening, but at a maturity level of 1, this objective mostly relates to locking down the Web browser on user's PCs. More specifically, the browsers must be configured so that they do not process Java, nor can they process Web advertisements. Additionally, Internet Explorer 11 cannot be used to process Internet content (higher maturity levels call for removing or disabling Internet Explorer). Browser settings must be configured so that they cannot be changed by users.

Higher maturity levels focus on hardening other applications beyond just the browser. For instance, Microsoft Office and PDF readers must be prevented from creating child processes.

**Objective 5: Restrict Administrative Privileges**

Objective 5 is all about keeping privileged accounts save. This objective sets up rules such as privileged accounts not being allowed to access the Internet, email, or Web services. Likewise, unprivileged accounts must be prohibited from logging in to privileged environments.

When an attacker seeks to compromise a network, one of the first things that they will do is to try to gain privileged access. As such, it is extraordinarily important to guard privileged accounts against compromise. One of the best third-party tools for doing so is Specops Secure Service Desk which prevents unauthorized password resets for both privileged and unprivileged accounts. That way, an attacker will be unable to gain access to a privileged account simply by requesting a password reset.

**Objective 6: Patch Operating Systems**

Just as application vendors periodically release patches to address known vulnerabilities, Microsoft releases Windows patches on a regular basis. These patches normally arrive on "Patch Tuesday", but out of band patches are sometimes deployed when serious vulnerabilities are being patched.

The Patch Operating System objective sets up the basic requirements for keeping Windows patched. In addition, this objective requires organizations to regularly scan for missing patches.

**Objective 7: Multifactor Authentication**

The seventh objective defines when multifactor authentication must be used. Maturity Level 1 is relatively lenient, requiring multifactor authentication primarily when users access Internet facing, or Web based applications (among other things). Higher maturity levels require multifactor authentication to be used in an ever-increasing number of situations.

Requiring multifactor authentication is one of the most effective things that an organization can do to keep user accounts secure. Specops uReset enables multifactor authentication for password reset requests, helping to keep user accounts secure.

**Objective 8: Regular Backups**

The eighth's objective is to create regular backups. Besides creating backups, organizations are required to perform test restorations and to prevent unprivileged accounts from deleting or modifying backups, or from accessing any backups that are not their own. Higher maturity levels set additional access restrictions on unprivileged accounts and on privileged accounts (aside from backup admins and break glass accounts).

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

What is the Essential Eight (And Why Non-Aussies Should Care)

ODoH is said to enhance user privacy without compromising performance

John Leyden 14 June 2022 at 14:46 UTC

ODoH is said to enhance user privacy without compromising performance

Security engineers are proposing an experimental protocol that promises greater privacy in how DNS, the internet’s equivalent of a telephone directory, operates.

Oblivious DNS-over-HTTPS (ODoH) describes a protocol that allows clients to hide their IP addresses from DNS resolvers through proxies relaying encrypted DNS-over-HTTPS (DoH) messages.

The approach creates a setup that means no one server is aware of both a client’s IP address and the content of DNS queries and answers – a significant privacy benefit.

RELATED A guide to DNS-over-HTTPS – how a new web protocol aims to protect your privacy online

The experimental protocol has been developed outside the Internet Engineering Task Force (IETF) but with the involvement of engineers at Apple, Cloudflare, and Fastly.

A detailed technical outline of the experimental protocol, which its developers hope will attract wide-scale experimentation and interoperability, was published last week.

In response to a question from The Daily Swig on use cases for the technology, one of the authors of ODoH technical paper highlighted current deployments with Apple’s iCloud Private Relay (PDF) and Cloudflare.

According to Cloudflare, the ODoH protocol enhances privacy for users while aiming to “improve the overall adoption of encrypted DNS protocols” but without compromising performance and user experience on the internet.

**How does Oblivious DNS-over-HTTPS work?**

Oblivious DNS-over-HTTPS works by adding a layer of public key encryption, as well as a network proxy between clients and DNS-over-HTTPS servers.

The Oblivious HTTP Application Intermediation (OHAI) IETF working group, where the technology is being developed as a standard, offers an overview of how engineers would like to further develop and refine Oblivious DNS-over-HTTPS.

Catch up with the latest DNS security news

Cricket Liu, chief DNS architect at Infoblox, recognized the privacy benefit ODoH offers to consumers while cautioning that the technology could frustrate the operation of security controls found in many enterprise environments.

Liu told The Daily Swig: “I think the basic idea behind Oblivious DNS makes sense from a consumer privacy standpoint: You launder the query and the source IP address through a series of proxies, the first of which sees the querier’s IP address and the second of which sees the query itself.

“From the perspective of an enterprise, however, it poses the same challenges that DoH does and possibly more, since the use of an external Oblivious DNS proxy would leave IT organizations blind to what employees are doing.”

The protocol’s source code is publicly available, so anyone can try out ODoH or run their own ODoH service.

YOU MAY ALSO LIKE GhostTouch: Hackers can reach your phone’s touchscreen without even touching it

Oblivious DNS-over-HTTPS offers privacy enhancements to secure lookup protocol

New research shows how electromagnetic interference can be used to trigger arbitrary behavior on mobile touchscreens, although caveats apply

New research shows how electromagnetic interference can be used to trigger arbitrary behavior on mobile touchscreens, although caveats apply

Some attacks on smartphones require physical access to the device and interactions with the touchscreen. So your phone is more or less safe as long as no one touches it, right? Wrong, according to a new research paper by security researchers at Zhejiang University, China, and the Technical University of Darmstadt, Germany.

To be presented at the Usenix Security Symposium in July, the paper (PDF) introduces GhostTouch, a type of attack that can execute taps and swipes on the phone’s screen from a distance of up to 40 millimeters.

According to the researchers’ findings, an attacker can use GhostTouch to carry out several types of malicious actions, including initiating calls and downloading malware.

**Electromagnetic interference**

Today’s smartphones and tablets use capacitive touchscreens that provide multi-touch capabilities and can measure small electric fields. However, capacitive touchscreens are sensitive to the environmental impact of electromagnetic interference (EMI) and charger noise.

Read more of the latest hacking news from around the world

Previous studies show that EMI can disrupt the user experience of touchscreens and possibly cause random and harmful behavior. In one case, a phone that was placed on a charger booked a very expensive hotel room because of EMI signals.

In creating GhostTouch, the researchers wanted to see if they could use EMI to create controllable touch events and trigger arbitrary behavior on capacitive touchscreens.

The GhostTouch attack in action

**Manipulating the touchscreen**

The core idea behind GhostTouch is to interfere with the capacitance measurement of touchscreens using electromagnetic signals injected into the receiving electrodes integrated into the touchscreen.

The researchers created a technology stack composed of a waveform generator that creates the EMI signal and an antenna that transmits it to the phone’s touchscreen. A phone locator module determines the exact location of the phone’s screen and calibrates the signals to specific locations.

GhostTouch is a targeted attack. The adversary must know the model and make of the victim’s phone in order to tune the equipment. The attacker might also need extra information about the phone, such as the passcode, which they must acquire through social engineering or ‘shoulder surfing’.

**DON’T MISS** Dozens of high-traffic websites vulnerable to ‘account pre-hijacking’, study finds

The main scenario for the attack is public places like cafes, libraries, or conference lobbies, where people might place their smartphones face-down on a table. The attacker will have embedded the attack equipment under the table to launch attacks remotely.

The researchers tested several actions with GhostTouch, including answering the phone, pressing a button, swiping up to unlock, and entering a password. For example, if the victim’s phone is on silent mode, an attacker may call the victim and use GhostTouch to answer the call without alarming the victim, and then eavesdrop on a private conversation.

In another scenario, the attacker may send a malicious link to the victim’s phone and use GhostTouch to tap on it and download it.

**Testing GhostTouch**

The researchers tested GhostTouch on 11 widely used phone models. They were able to use the attack with varying degrees of success on nine models. For example, they were able to establish a malicious Bluetooth connection on an iPhone SE.

The researchers conclude that although the capacitive touchscreens of smartphones go through thorough electromagnetic compatibility tests and include anti-interference design elements, they are still susceptible to EMI attacks such as GhostTouch.

Several countermeasures were proposed, including reinforcing the touchscreen to protect it against targeted EMI attacks and using an algorithms to detect abnormal touch points.

**RECOMMENDED** Cybercriminals use reverse tunneling to launch ‘virtually undetectable’ phishing campaigns

GhostTouch: Hackers can reach your phone’s touchscreen without even touching it

A vulnerability has been identified in EN100 Ethernet module DNP3 IP variant (All versions), EN100 Ethernet module IEC 104 variant (All versions), EN100 Ethernet module IEC 61850 variant (All versions < V4.37), EN100 Ethernet module Modbus TCP variant (All versions), EN100 Ethernet module PROFINET IO variant (All versions). Affected applications contains a memory corruption vulnerability while parsing specially crafted HTTP packets to /txtrace endpoint. This could allow an attacker to crash the affected application leading to a denial of service condition.

%PDF-1.5 %���� 1 0 obj << /D \[2 0 R /XYZ 70.866 771.024 null\] >> endobj 3 0 obj << /D \[2 0 R /XYZ 70.866 630.026 null\] >> endobj 4 0 obj << /D \[2 0 R /XYZ 70.866 569.947 null\] >> endobj 5 0 obj << /D \[2 0 R /XYZ 70.866 253.003 null\] >> endobj 6 0 obj << /D \[2 0 R /XYZ 70.866 98.278 null\] >> endobj 7 0 obj << /D \[8 0 R /XYZ 85.039 235.088 null\] >> endobj 9 0 obj << /D \[10 0 R /XYZ 70.866 576.314 null\] >> endobj 11 0 obj << /S /GoTo /D \[2 0 R /Fit\] >> endobj 2 0 obj << /Contents 12 0 R /Type /Page /Resources 13 0 R /Parent 14 0 R /Annots \[15 0 R 16 0 R 17 0 R 18 0 R 19 0 R 20 0 R 21 0 R 22 0 R 23 0 R 24 0 R 25 0 R 26 0 R 27 0 R 28 0 R\] /MediaBox \[0 0 595.276 841.89\] >> endobj 15 0 obj << /A << /S /GoTo /D (section\*.3) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[458.38 472.367 518.276 481.891\] >> endobj 17 0 obj << /A << /S /GoTo /D (section\*.3) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[458.38 430.327 518.276 439.851\] >> endobj 19 0 obj << /A << /S /URI /Type /Action /URI (https://support.industry.siemens.com/cs/us/en/view/109745821/) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[303.117 386.394 518.276 397.811\] >> endobj 21 0 obj << /A << /S /GoTo /D (section\*.3) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[302.649 349.039 433.497 361.716\] >> endobj 22 0 obj << /A << /S /GoTo /D (section\*.3) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[458.38 322.336 518.276 331.86\] >> endobj 24 0 obj << /A << /S /GoTo /D (section\*.3) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[458.38 280.296 518.276 289.82\] >> endobj 26 0 obj << /A << /S /URI /Type /Action /URI (https://www.siemens.com/gridsecurity) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[358.077 144.983 522.822 156.52\] >> endobj 27 0 obj << /A << /S /GoTo /D (section\*.2) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[386.143 115.095 524.579 126.632\] >> endobj 28 0 obj << /A << /S /GoTo /D (section\*.4) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[147.498 97.282 309.548 108.699\] >> endobj 13 0 obj << /ProcSet \[/PDF /Text\] /Font << /F50 29 0 R /F47 30 0 R >> >> endobj 12 0 obj << /Filter /FlateDecode /Length 2522 >> stream x��Z\[S�J~�W�Q�Zs����Iq�@X0Im%�A��bl�%���=7#�±W>��0kz�{��˴p���������;����2�' #-e��A��d4I>��E������\*�����r0$"-�~�d�(�0�p���z�X~��OV����fo��~;:���C8!/�I�OG����~�-���<�7�.��x�������M+�aM�����$�~�\`�p�� ���nO��0!ěM����\]6'1f֛�HH l�\]h���\*� Qb�\\�O��=� (�H��� i�;$�T#��N$(�m����4%8�/��EU�g�0���+��NǨbBn�S�6�8�8\]Mg�2�ZL-�6�0�ӽ�0�5�;��Vf�@�����#�E�9QH����3D��Ƹ%��E�?�"w�.�wӋu@�0;�P\`�d+�@L;��^=��Y^u�S���q�MkQ�vq}�"�hp�Χ�۷�\[�'C\*g�/�^�1-ƙ��gY���8�9M)�t��pK�.'!��߳��k��J(B~��t�\\泰��@�4\_��;��D��#A�s���\[��;ؖ���<��|iPR��WA2�$8�m�/!���C���6�C�� ������f p��y�� ��n�og50�57��Ӎ����{��q�O6����/�������ڜc@|���M��~<�Sc�03�#ע�I�����=5�M��,��4�����l�������Ʋl@~�b�-���Z-0�8?�I�K���,�E٬��O"S��0; LV�-!vc��k���+����~r�I��7d'�eM7�scwXZ.�q�c:���� 8&�Zf�j���A\[�k>yt�AM��j�j%r�9��̲e��ټ��9�~�~X������b�y��@��U� @��r+�42��2�4"�y䜼{w~::?�H�A��v���ʮ\\!;1/ R\]!�yK�f �o��>�ݝ�n;$0���~" ޝ�B�r�@�V��T�uWg��)��8�̱���(p�|�������F�:lxfA4�x��1F6��H��!��͓��F^���Xs��I�O%ˇ�5sӨ��@\*U���Sj$ /��V�E�JT�8�d0 �Q�����ޝ� �d6�q\_ظo��u�e�MA^+!����A  �}�@��Fn L��� \`� ����0;no �c�}i��r���DN\\(���y�� �kپ����5�����9�8������#G2�CM3�<�Nk}�/9w��B'ѶJ i��G�1����ff�@��\*��'t�դ��K�zK?y��?�Q (�V��Y5��U�gx���b����-!ř4ӓ5O%a!?�>Ⲩ�����z�(�\_ϛ��"hO��aQD�+��"�¹�E>����C�H�C�t�6��R�"fO�R����B��z�D�����BQO�"& �2�\]�\])�3a�8��7�b���G#7�ϐaq��ϑu=� ����X9/ռ�S��5�rC��aͣe�Lg+���jQ�9>.W������ɪ��& \[�ST�Ҝ�@����<�g�-\\1(@a������i�� 6 �%� %w�(!n��oPZ�����q���lx�M���x�:ے8Y�K۟�K݉4S���f�r��\]�~��/ �(�E�8D�eP�r�����Oܥ�\*������u��5�9X�e\`��\_u(Zh�'���M �֘� ��4LT�����{�C�S�b{wqu> q��ߣ<�n��5�s04Q ���R4Q ��B��z�@�%��셦~4�5:e����܆��;\\�S۬ ��O#7�:�\`��:뺎�A%���FK�Q����6Z�k Ր��2�h�0�m}�Z%�P��ޮ}K �:ח���'�S{}��-"��¡�l�m7%B� ���k\*��W:U0����tnS��b��\](x~������%�E�>ՠ��\*?C�=\]�Ϯ\],�o���jOQ�� ��e>Y�c���k��޴�m���bF��T4��<�gE�n^9�N���(s�@�^�͟�걘����K�����a���/���>���.x�b\[������l�o���\[����,�u��}li�5>�ƋV��9{�����"y|;�R�Y���M\_B���C�@�q?�jA�~k�XB�F$Ơ�\`9��0�r�K;^}-��kx�C��?��/O�r�7���b6<�7�/��\]����/�R���y I�f�f|��R���y�C�ۑ��GQ�t�P9Qc=�TYl�DD��u綪��x�M,��|�ZG�d�\`�<���}\_��K��wQ�7<���TD�L��~»��gM�E\*�H�3��'�OT��D�%��6H��;ZER��}��UT�������-����G�W?Ƽi�L\]�u'1�7Du�χ��~E�m�k�I��Q���t|!j��Q�P�^��dAg��ypo�-����� endstream endobj 31 0 obj << /D \[2 0 R /XYZ 69.866 808.885 null\] >> endobj 30 0 obj << /Subtype /Type1 /FirstChar 2 /Type /Font /BaseFont /UKLFEB+NimbusSanL-Regu /FontDescriptor 32 0 R /Encoding 33 0 R /LastChar 169 /Widths 34 0 R >> endobj 29 0 obj << /Subtype /Type1 /FirstChar 45 /Type /Font /BaseFont /IPYDJP+NimbusSanL-Bold /FontDescriptor 35 0 R /Encoding 33 0 R /LastChar 121 /Widths 36 0 R >> endobj 37 0 obj << /D \[2 0 R /XYZ 70.866 519.299 null\] >> endobj 16 0 obj << /A << /S /GoTo /D (section\*.3) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[303.117 457.03 372.108 469.707\] >> endobj 18 0 obj << /A << /S /GoTo /D (section\*.3) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[303.117 414.989 372.108 427.667\] >> endobj 20 0 obj << /A << /S /URI /Type /Action /URI (https://support.industry.siemens.com/cs/us/en/view/109745821/) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[303.117 376.331 379.978 385.856\] >> endobj 23 0 obj << /A << /S /GoTo /D (section\*.3) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[303.117 306.998 372.108 319.676\] >> endobj 25 0 obj << /A << /S /GoTo /D (section\*.3) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[303.117 264.958 372.108 277.636\] >> endobj 14 0 obj << /Kids \[2 0 R 8 0 R 10 0 R\] /Type /Pages /Count 3 >> endobj 38 0 obj << /A << /S /URI /Type /Action /URI (https://www.siemens.com/gridsecurity) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[69.87 543.452 237.948 554.989\] >> endobj 39 0 obj << /A << /S /URI /Type /Action /URI (https://www.first.org/cvss/) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[131.954 397.405 248.203 408.942\] >> endobj 40 0 obj << /A << /S /URI /Type /Action /URI (https://cwe.mitre.org/) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[69.87 307.741 163.926 319.278\] >> endobj 41 0 obj << /A << /S /URI /Type /Action /URI (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[224.029 210.182 508.922 224.129\] >> endobj 42 0 obj << /ProcSet \[/PDF /Text\] /Font << /F50 29 0 R /F47 30 0 R >> >> endobj 8 0 obj << /Contents 43 0 R /Type /Page /Resources 42 0 R /Parent 14 0 R /Annots \[38 0 R 39 0 R 40 0 R 41 0 R\] /MediaBox \[0 0 595.276 841.89\] >> endobj 43 0 obj << /Filter /FlateDecode /Length 2992 >> stream xڝYKs�H��W�6TUL���|��(JFS����Lm�́&i��Ԉ�=�\_�@M���x�"��@h<>��d3�&��ޯ�fU8��8����~zn�0�\]-��:��ᬊ|�W���#g���~z.�S��4t�=M ��sx�n��σ�7�:��v���������og����g�&���vC)&��쏿�Is�M

CVE-2022-30937

A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions < V2.6.6), SICAM GridEdge Essential Intel (All versions < V2.6.6), SICAM GridEdge Essential with GDS ARM (All versions < V2.6.6), SICAM GridEdge Essential with GDS Intel (All versions < V2.6.6). The affected software discloses password hashes of other users upon request. This could allow an authenticated user to retrieve another users password hash.

%PDF-1.5 %���� 1 0 obj << /D \[2 0 R /XYZ 70.866 771.024 null\] >> endobj 3 0 obj << /D \[2 0 R /XYZ 70.866 630.026 null\] >> endobj 4 0 obj << /D \[2 0 R /XYZ 70.866 569.947 null\] >> endobj 5 0 obj << /D \[2 0 R /XYZ 70.866 223.312 null\] >> endobj 6 0 obj << /D \[2 0 R /XYZ 70.866 116.408 null\] >> endobj 7 0 obj << /D \[8 0 R /XYZ 85.039 481.353 null\] >> endobj 9 0 obj << /D \[8 0 R /XYZ 70.866 208.938 null\] >> endobj 10 0 obj << /S /GoTo /D \[2 0 R /Fit\] >> endobj 2 0 obj << /Contents 11 0 R /Type /Page /Resources 12 0 R /Parent 13 0 R /Annots \[14 0 R 15 0 R 16 0 R 17 0 R 18 0 R 19 0 R 20 0 R 21 0 R 22 0 R 23 0 R 24 0 R 25 0 R 26 0 R 27 0 R\] /MediaBox \[0 0 595.276 841.89\] >> endobj 14 0 obj << /A << /S /URI /Type /Action /URI (https://support.industry.siemens.com/cs/ww/en/view/109780559/) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[303.117 470.474 518.276 481.891\] >> endobj 16 0 obj << /A << /S /GoTo /D (section\*.3) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[302.649 433.119 433.497 445.797\] >> endobj 17 0 obj << /A << /S /URI /Type /Action /URI (https://support.industry.siemens.com/cs/ww/en/view/109780559/) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[303.117 404.524 518.276 415.941\] >> endobj 19 0 obj << /A << /S /GoTo /D (section\*.3) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[302.649 367.169 433.497 379.846\] >> endobj 20 0 obj << /A << /S /URI /Type /Action /URI (https://support.industry.siemens.com/cs/ww/en/view/109780559/) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[303.117 338.573 518.276 349.99\] >> endobj 22 0 obj << /A << /S /GoTo /D (section\*.3) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[302.649 301.218 433.497 313.895\] >> endobj 23 0 obj << /A << /S /URI /Type /Action /URI (https://support.industry.siemens.com/cs/ww/en/view/109780559/) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[303.117 272.622 518.276 284.039\] >> endobj 25 0 obj << /A << /S /GoTo /D (section\*.3) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[302.649 235.267 433.497 247.945\] >> endobj 26 0 obj << /A << /S /GoTo /D (section\*.2) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[386.143 133.225 524.579 144.762\] >> endobj 27 0 obj << /A << /S /GoTo /D (section\*.4) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[147.498 115.412 309.548 126.829\] >> endobj 12 0 obj << /ProcSet \[/PDF /Text\] /Font << /F49 28 0 R /F46 29 0 R >> >> endobj 11 0 obj << /Filter /FlateDecode /Length 2404 >> stream x��ZKs�8��W�HU� �A�����g��kə�J�P������ʿ�ƃ IѴ��\]sHL�@������8�ppq���d���@#-���@aI(�� \*�΃o�$MV�:���I����0-~����!�7��p�~���6�:��wqqz~3�������OΧ'�=!��/R����۟8�û�����G�sp���������'�U���4�)!�h�̈#��^��C�+Uu�Ј��;h2JF� "B B��\\ ��~��Qǉ\`гS#�\[}\*\\�E�\]&��SB������x���H�c$P�8\]�S�!u��0&?Zt�E���\\��%�#̢N�FX5"'1����{��f�EQ/���~G���Џ� a�5B��@�p�\\'��G�L�4�-a� �IK���&d�i�uK����G�a�GqH6��! 5;7�׍ �<\_��.��W�pIG���XժSw�u#|.�t~>��I��V��L���B>��ӯnN� v��,��Y�&n֏Fe�����0�^�l�\[��H7kW��fE��\`�iH1�C,���f8�$� �4�7�v;w��"�Q��,K�~��A>�r�Fs��+A�u���� z��~��/��&3 ()B����e��Н� !>\[ �2����dPq�0n���7����ɛ�\`�� �AM����kH% , �~�}�hڒ�wK����;�4�����\[�'�?��1���2��w�E���A�xa \]�逄&�mζ�J���i|\_N/ws�,!mX�a)�YkWi��kH@�p����\\-�ŀ�а1�!.�tY����K�n�\[�fX>��062�Y��ˎ���p�%ܥ^~��\]'�S~?��N�}᛼x��z�̫�A�K:�fq��(�7��T�����>��(;9������>0Pl�@��\]�Φ��0�|?���p���I\\�����z��$ۜ%�f3ν8��~׹l�K\_�����V^�z2��²3#�);"��-2����O��g-h$�3\[,�!G)5B ҥ��DC���\_�nO��,��g0��1"(G@S;MaR��|n�=����Q�Rf�9&p�\[cޥ������˧����-1k���D(�{9�em/Gi���d�j��\]"�s2d��Ã�?dwA�妶��V�ƴSj���%���W-}\\ـ+���A�� 2����F�x�\`�YV L�3(��e\[ah|������ɾ� ���������( JP��xvܜ�W��}e@���i�� ��䭲�\*�p1�#�����rʷg/���<�\]v=�7W��;X^��("�zy�S@R�\\�x�0 �#���Fү�F����:�/���V�m���~ �H��|k쿆C��ܻѨx\[�� ��J�gK2௩�ف1^q��q�}0Ψ��~V�lTY���6�0�����@�z��T��ρ�B�{^�����|��8J֣��z��~ ���&qGka!����V�FRx�>I�+'@;A%� �\\˞>�<\_T��f�^�I\\t������g u��aN=��k�mv��U� ���ɸ)!��qs��Rz�Ha�Y�׆X�hR\`SЄ�T!z\\��d��<\*6�B�Q��\]P�5|�O�ғ�\*X��z;T1�xR��UX���U�2�7B����"0 '��J\_U0��eTa0�� T��U�� �xL�{���l�wi��1�q�\`c\_O�C��f�� �ݧP��w�ƁOH���B5R������}���}lyq����&=�cKO�-�MCT�6���K��(��c�i�\`�����5�b�iA�8P�vt�ty ߖI��転U��ۡ��Q��PA ��;�eE�m���asԜK�~��O�;X��.L:?8�Ə8X��\\���s2}�;���|�vB-1��1J

Tag

#pdf