A vulnerability was found in iPXE. It has been declared as problematic. This vulnerability affects the function tls_new_ciphertext of the file src/net/tls.c of the component TLS. The manipulation of the argument pad_len leads to information exposure through discrepancy. The name of the patch is 186306d6199096b7a7c4b4574d4be8cdb8426729. It is recommended to apply a patch to fix this issue. VDB-214054 is the identifier assigned to this vulnerability.

CVE-2022-4087

By Deeba Ahmed
According to researchers, this scam is highly sophisticated and large-scale, targeting brands like McDonald’s, Unilever, Emirates, Knorr, Coca-Cola, etc.
This is a post from HackRead.com Read the original post: 42,000 phishing domains discovered masquerading as popular brands

Security researchers at Cyjax have uncovered a highly sophisticated and large scale phishing campaign in which the threat actors used as many as 42,000 phishing domains to distribute malware and gain ad revenue.

**Campaign Details**

Cyjax researchers noted that the threat actors have links to China and have been active since 2017. So far, the attackers, identified as the Fangxiao group, have spoofed over 400 brands from the banking, retail, travel, transport, pharmaceutical, energy, and finance sectors.

The group operates an extensive network comprising 42,000 domains used for impersonating famous brands. Their latest campaign aims to generate revenue from users who pay for traffic. At least 24,000 survey/landing domains have been used by the attackers to promote this scam since March 2022.

**How does the Attack Works?**

Fangxiao lures unsuspecting users to the malicious domains through WhatsApp messaging, informing them that they have won a prize. The users are redirected to fake dating sites, Amazon via affiliate links, adware, and giveaway sites. These sites appear convincing enough to the user. This brand impersonation campaign spoofs well-reputed names like McDonald’s, Unilever, Emirates, Knorr, and Coca-Cola.

Once visitors access the spoofed version of authentic brand sites, they are redirected to ad sites created by Fangxiao to generate money through fake surveys, promising the victim to win a prize upon completing it. Sometimes, the attacker may force Triada malware to be downloaded on the device when the victim clicks the Complete Registration button.

1.  Brand Protection is Essential for Cybersecurity
2.  Microsoft, PayPal & Facebook most targeted brands in phishing scams
3.  240 top Microsoft Azure-hosted subdomains hacked to spread malware
4.  Hundreds of counterfeit branded shoe stores hacked with web skimmer

“As victims are invested in the scam, keen to get their ‘reward,’ and the site tells them to download the app, this has likely resulted in a significant number of infections,” Cyjax’s report (PDF) read.

**Domain Analysis**

The group uses 42,000 domains registered in 2019 through GoDaddy, Namecheap, and Wix. Their infrastructure is protected with Cloudflare, and domain names keep changing regularly.

Reportedly, the group used 300 new brand domains in one day in October. Therefore, it seems like a continually evolving money-making scam. Researchers could identify the threat actor behind this scam campaign after domain de-anonymizing, bypassing Cloudflare security, and discovering the IP address.

They learned that the IP address was hosting a Fangxiao site operating since 2020, and the pages were written in Mandarin. They found Fangxiao TLs certificates and identified that the attackers were utilizing WhatsApp to claim victims. This means they are targeting people outside of China.

**More Phishing News**

1.  Crooks Using FB Messenger Chatbots to Steal Login Data
2.  Zoom Phishing Scam Steals Microsoft Exchange Credentials
3.  Scammers Leveraging Microsoft Team GIFs in Phishing Attacks
4.  ‘Important Notification’ Phishing Scam Hits American Express Users
5.  Research sector targeted in new phishing attack using Google Drive

42,000 phishing domains discovered masquerading as popular brands

By Waqas
The attack, according to authorities, was launched on the Federal Civilian Executive Branch (FCEB).
This is a post from HackRead.com Read the original post: Log4Shell – Iranian Hackers Accessed Domain Controller of US Federal Network

In December last year, it was reported that Iranian and Chinese hackers were exploiting the Log4Shell vulnerability in the wild. Now, according to the US CISA (Cyber security infrastructure and security Agency), an advanced persistent threat (APT) group sponsored by the Iranian government compromised the network of a U.S. federal agency.

The attack, according to authorities, was launched on the Federal Civilian Executive Branch (FCEB).

**Cyberattack Details**

CISA revealed that the hackers used the Log4Shell vulnerability, tracked as CVE-2021-44228, in the unpatched VMware Horizon server to compromise the network and gain control of the organization’s domain controller (DC). Once they successfully invaded the system, the hackers deployed XMRig crypto mining software to steal credentials and mine for crypto.

For your information, Log4Shell is a zero-day vulnerability in a Java logging framework called Log4j that causes arbitrary code execution and impacts VMware Horizon and an extensive array of products.

**CISA’s Analysis**

As per CISA, their researchers conducted a routine investigation in April 2022 and identified suspicious APT activities on the FCEB network using the EINSTEIN intrusion detection system used by the agency.

They discovered bi-directional traffic passing through the network and an already found malicious I.P. address linked with Log4Shell vulnerability exploitation in VMware Horizon servers.

CISA further noted that an HTTPS activity was launched from I.P. address 51.89.18164 to VMware’s server. Further probe revealed that the I.P. address was associated with Lightweight Directory Access Protocol (LDAP) server operated by attackers to deploy Log4Shell.

**Who are the Attackers?**

In a joint advisory from CISA, the Department of Homeland Security, and the FBI, it was revealed that the attack was launched in February 2022. The attackers moved laterally to DC, stole credentials, and implanted Ngrok reverse proxies on multiple hosts to retain persistence. U.S. security officials responded in June to clean the network.

Reportedly, the hackers were identified as Nemesis Kitten, and they launched the attack with backing from the Iranian government. Nemesis Kitten is an extension of the Phosphorus Iranian malware group, and they regularly utilize well-known, highly exploitable vulnerabilities to facilitate ransomware attacks against organizations.

CISA warned that organizations still using the unpatched server versions should be concerned as they would eventually be compromised.

1.  Dirty Pipe Linux Vulnerability Overwrites Data
2.  Watch Out: Microsoft Office 0-Day Vulnerability Follina
3.  OpenSSL Released Patch for High-Severity Vulnerability
4.  Flaw in GPS Tracker Lets Hackers Remotely Control Vehicles
5.  Critical Amazon Ring Flaw Could Expose Camera Recordings

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Log4Shell – Iranian Hackers Accessed Domain Controller of US Federal Network

Block BYPASS vulnerability in iQ Block Country plugin <= 1.2.18 on WordPress.

CVE-2022-41155: iQ Block Country

Auth. (subscriber+) Insecure Direct Object References (IDOR) vulnerability in Comments – wpDiscuz plugin 7.4.2 on WordPress.

CVE-2022-43492: Comments – wpDiscuz

Auth. (admin+) Arbitrary File Read vulnerability in S2W – Import Shopify to WooCommerce plugin <= 1.1.12 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

S2W – Import Shopify to WooCommerce helps you migrate data from Shopify to WooCommerce easily. With only 2 steps your Shopify products(including images) and categories will be migrated. The plugin uses Shopify API key to transfer data from Shopify to WooCommerce store directly, your data is kept private. With the premium version, you can also migrate store settings, shipping zones, taxes, pages, blogs, coupons, customers and orders.

Documents| Premium version | Facebook group

Learn how to get shopify API key and password to use with S2W – Import Shopify to WooCommerce  

Preview S2W – Import Shopify to WooCommerce  

**IMPORTANT NOTICE:**

*   The plugin works based on WooCommerce plugin.
    
*   It is released on WordPress.org and you can use the plugin as free to build themes for sale.
    

**FEATURES:**

*   **Products per ajax request**: Change this option to avoid bad request error, default is 5
    
*   **Import Products sequence**: Change the order to import products by Title, Created date or Updated date
    
*   **Import products**: Import unlimited products from your Shopify store to WooCommerce
    
*   **Product variations**: All product variations will be imported with your current stock, price… in your Shopify store
    
*   **Status of products**: Can set status of imported products to publish, pending or draft
    
*   **Product categories**: Product categories will be remained, can choose to add all products to specific categories
    
*   **Migrate images**: Product images, gallery and variations images will be queued to import to avoid overload of your server
    
*   **Logs**: You can review the migration process in log files
    

**PRO VERSION:**

► **All features from free version.**

► **WEBHOOKS**: You can use webhooks to automatically import/update new data for Products/Orders/Customers.

► **IMPORT PRODUCTS from CSV**: In case you don’t use API, this is what you need to migrate your products

► **IMPORT PRODUCT BY ID**: You can choose specific products to import by entering product ids

► **IMPORT PRODUCT OPTIONS**: Besides some options like the free version, you can do more with the pro version:

*   **Metafields**: You can import metafields of products such as SEO title, SEO description…
    
*   **Migrate description images**: Images in the product description can be easily migrated to the WordPress site and images sources(URLs) will be replaced correctly after that
    
*   **Products filters**: If you don’t want to import all products, there are some filters available such as product type, collection ID, published before date, published after date. And you can also select the sequence products are imported
    

► **CRON UPDATE PRODUCT**: Schedule to update product price or quantity automatically

► **UPDATE PRODUCT OPTIONS**: Able to update product images, title, inventory, description, price, SKU, attributes, slug after products are imported to WooCommerce store

► **ORDERS**: Payment method, shipping method, first name, last name, company, country, address, zip, city, province, phone, total, subtotal, tax, discount, shipping cost, currency, date create, browser IP, customer user agent, line items, discount code, order number, order fulfillment.

► **IMPORT ORDER OPTIONS**: Orders per ajax request, Import orders created/imported at or before/after date, Import Orders sequence

► **UPDATE ORDER OPTIONS**: Able to update order status, order date, order fulfillments

► **CRON UPDATE ORDER**: Schedule to update orders automatically

► **STORE SETTINGS**: Site title, admin email, store address, city, country, state, postcode, timezone, weight unit, currency code, currency format.

► **SHIPPING ZONES**: shipping zones and shipping methods.

► **TAXES**: Tax name, tax rate, country, province, zip, shipping.

► **PAGES**: Title, content.

► **BLOGS**: Blog title, blog content, categories, tags, featured image.

► **COUPONS**: Coupon types that WooCommerce support, coupon amount, usage limit, expiry date, minimum amount.

► **CUSTOMERS**: Import customers per ajax request, first name, last name, phone, company, address, city, province, zip, country.

► **PREMIUM SUPPORT**

Go Pro

**Plugin Links**

*   Project Page
*   Documentation
*   Report Bugs/Issues

**MAY BE YOU NEED**

FEWC – WooCommerce Extra Checkout Fields: Manage checkout fields using WordPress Customizer

EPOW – Custom Product Options for WooCommerce: Add extra options for products using frontend form builder

ChinaDS – Taobao Dropshipping for WooCommerce: Another Taobao dropshipping solution for WooCommerce stores

9MAIL – WordPress Email Templates Designer: Replace plaintext WordPress emails with more beautiful and professional templates

EPOI – WP Points and Rewards: Points and Rewards system for a WordPress website

WebPOS – Point of Sale for WooCommerce: Point of Sale solution for WooCommerce stores

Jagif – WooCommerce Free Gift: Giving gifts to your customers can never be more easier

COREEM – Coupon Reminder for WooCommerce: Send emails to customers to remind them of their coupons, especially ones which are about to expire

COMPE – WooCommerce Compare Products: Help your customers compare two or more products to find out the right one they need

W2S – Migrate WooCommerce to Shopify: Migrate WooCommerce products to Shopify easily via the official Shopify REST Admin API

REDIS – WooCommerce Dynamic Pricing and Discounts: Create flexible pricing rules for products

EXMAGE – WordPress Image Links: Save storage by using external image URLs

Pofily – WooCommerce Product Filters: Advanced filters for WooCommerce

Bopo – Woo Product Bundle Builder: Let the plugin provide your customers with a very flexible and convenient way to purchase bundles

WPBulky – WordPress Bulk Edit Post Types: Save time editing posts/pages/attachment… and other custom post types except for ones created by WooCommerce(product, shop\_order and shop\_coupon)

Bulky – Bulk Edit Products for WooCommerce: Quickly and easily edit your products in bulk. This plugin will save you tons of time editing products.

Product Size Chart For WooCommerce: A simple but flexible solution to create size chart for your products

Checkout Upsell Funnel for WooCommerce: Offer product suggestions and smart order bumps on checkout page

Cart All In One For WooCommerce: All cart features you need in one simple plugin

Email Template Customizer for WooCommerce: Customize WooCommerce emails to make them more beautiful and professional after only several mouse clicks

Product Variations Swatches for WooCommerce: Professional and beautiful colors, buttons, images, variation images and radio variations swatches

Dropshipping and Fulfillment for AliExpress and WooCommerce: Free dropshipping solution – Transfer data from AliExpress products to WooCommerce effortlessly and fulfill AliExpress orders automatically

Abandoned Cart Recovery For WooCommerce: Capture abandoned carts & send reminder emails to customers.

Orders Tracking for WooCommerce: Import orders tracking number and send tracking info to customers

Customer Coupons for WooCommerce: Display coupons on your website

Virtual Reviews for WooCommerce: Virtual Reviews for WooCommerce helps generate virtual reviews, display canned reviews for newly created store

Thank You Page Customizer for WooCommerce: Customize your “Thank You” page and give coupons to customers after a successful order

Sales Countdown Timer: Create a sense of urgency with a countdown to the beginning or end of sales, store launch or other events

EU Cookies Bar: A very simple plugin which helps your website comply with Cookie Law

Lucky Wheel for WooCommerce: Offer customers to spin for coupons by entering their emails.

WordPress Lucky Wheel: WordPress Lucky Wheel gives you the best solution to get emails address from visitors of your WordPress website

Advanced Product Information for WooCommerce: Display more intuitive information of products such as sale countdown, sale badges, who recently bought products, rank of products in their categories, available payment methods…

LookBook for WooCommerce: Create beautiful Lookbooks, Shoppable with Product Tags

Photo Reviews for WooCommerce: Allow posting reviews include product pictures, review reminder, review for coupons.

Product Builder for WooCommerce: Allows your customers to build a full product set from small parts step by step. The plugin works base on WooCommerce with many useful features like compatible, email completed product, attributes filters.

Boost Sales for WooCommerce: Increase profit on every single order with Up-selling and Cross-selling

Free Shipping Bar for WooCommerce: Use free shipping as a marketing tool, encourage customers to pay more for free shipping.

Notification for WooCommerce: Social Proof Marketing plugin. Live recent order on the front-end of your site.

Multi Currency for WooCommerce: Switches to different currencies easily and accepts payment with only one currency or all currencies.

Coupon Box for WooCommerce: Subscribe emails for discount coupons

**Plugin Links**

*   Report Bugs/Issues

1.  Unzip the download package
2.  Upload s2w-import-shopify-to-woo to the /wp-content/plugins/ directory
3.  Activate the plugin through the ‘Plugins’ menu in WordPress

Unable to sync product images!

I was skeptical at first about this plugin, as with any "migrate your store" plugin. However, all I did was put in the Shopify API information and the plugin crunched the numbers and pulled everything over. These are some complex products as well, with several images, many attributes, and variation types, and it handled them all with minimal errors. The only thing is that images are a little slow to move over, and every once in a while I have to go back and click "Download All" again. But, other than that small issue, this plugin is perfect!

Thank you your app helps lot

This plugin does exactly what I was looking for

Hello, I would like to ask, the product was successfully imported from shopify, but why the downloading of pictures is very slow?

Read all 28 reviews

“S2W – Import Shopify to WooCommerce” is open source software. The following people have contributed to this plugin.

Contributors

/**1.1.13 – 2022.11.05**/  
– Fixed: Security dispatch

/**1.1.12 – 2022.11.02**/  
– Updated: Compatibility check with WP 6.1 and WC 7

/**1.1.11 – 2022.08.04**/  
– Updated: Support importing HEIC image type

/**1.1.10 – 2022.07.22**/  
– Updated: VillaTheme\_Support  
– Updated: Data sanitization/escaping check  
– Updated: Shopify API version 2022-04  
– Updated: Support importing WEBP image type

/**1.1.9 – 2022.05.30**/  
– Updated: VillaTheme\_Support  
– Updated: Compatible with WP6.0

/**1.1.8 – 2022.04.20**/  
– Updated: VillaTheme\_Support

/**1.1.7 – 2022.03.29**/  
– Updated: VillaTheme\_Support

/**1.1.6 – 2022.03.21**/  
– Updated: VillaTheme\_Support

/**1.1.5 – 2022.02.12**/  
– Updated: Support Shopify custom apps as Private apps are deprecated and can’t be created as of January 2022

/**1.1.4 – 2022.01.11**/  
– Updated: VillaTheme\_Support  
– Updated: Support latest Shopify API version 2022-01  
– Added: Option to disable background processing

/**1.1.3.7 – 2021.07.31**/  
– Updated: Compatible with WP5.8 and WC5.5  
– Updated: Class support

/**1.1.3.6 – 2021.06.16**/  
– Fixed: Variation attributes are not set correctly if attributes name and terms contain non-latin characters

/**1.1.3.5 – 2021.05.04**/  
– Fixed: Can not set product type as variable in some cases

/**1.1.3.4 – 2021.03.06**/  
– Updated: Support latest Shopify API version 2021-01  
– Updated: Compatible with WP5.7 and WC5.0

/**1.1.3.3 – 2020.10.31**/  
– Fixed: Out-of-stock product affects product page query

/**1.1.3.2 – 2020.08.14**/  
– Updated: Compatible with WP5.5 and WC4.3

/**1.1.3.1 – 2020.04.23**/  
– Fixed: Conflict with other plugins using jquery accordion  
– Updated: Class support

/**1.1.3 – 2020.04.06**/  
– Updated: Support latest Shopify API version 2020-04  
– Optimized: Download images in the background

/**1.1.2 – 2020.03.24**/  
– Fixed: Download duplicated images  
– Fixed: Conflict usage of accordion  
– Updated: Compatible with WP5.4 and WC4.0  
– Updated: Class support  
– Updated: Support latest Shopify API version 2020-01  
– Improved: Import speed

/**1.1.1 – 2019.11.17**/  
– Removed: App data  
– Changed: Banner and logo

/**1.1.0 – 2019.11.13**/  
– Added: Shortcut to import products options  
– Added: Support WooCommerce 3.8

/**1.0.9.2 – 2019.10.24**/  
– Added: Function to download error images

/**1.0.9.1 – 2019.10.07**/  
– Updated: Premium URL

/**1.0.9 – 2019.09.27**/  
– Fixed: Reduce bad request rate  
– Fixed: Reduce error images rate  
– Updated: Able to view error images list  
– Optimized: Import speed

/**1.0.8 – 2019.08.07**/  
– Fixed: Conflict usage of accordion with other plugins or theme  
– Fixed: Error matching variation attributes when attribute name is not in English alphabet

/**1.0.7 – 2019.06.14**/  
– Added: Set request timeout  
– Added: Able to change the number of products per ajax request  
– Added: Import Products sequence

/**1.0.6 – 2019.05.15**/  
– Fixed: Some sites can not send API correctly

/**1.0.5 – 2019.05.08**/  
– Optimized: UX, UI  
– Optimized: Download product images

/**1.0.4 – 2019.04.18**/  
– Fixed: Problem downloading product images in the background

/**1.0.3 – 2019.04.10**/  
– Fixed: Error activating plugin

/**1.0.2 – 2019.04.05**/  
– Updated: Add usage guide video

/**1.0.1 – 2019.04.04**/  
– Updated: Make admin notices dismissible  
– Updated: Optimize UX

CVE-2022-44634: S2W – Import Shopify to WooCommerce

Unauth. Arbitrary File Download vulnerability in WatchTowerHQ plugin <= 3.6.15 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

WatchTowerHQ Website Monitoring: Done Right  
Fed up with using tools that get sold to GoDaddy, lose their founding team, and slowly die?  
Tired of half-assed customer service that takes 72-144 hours to get a response?  
Looking for one solution to cut the costs of many tools?  
Our founding team is intact and not only focused on a world-class customer service experience, we’re focused on making WatchTowerHQ the best tool agencies and companies turn to when managing multiple websites.

**Automated Updates**

Set it and forget it by scheduling WordPress theme and plugin updates in advance. Every Tuesday at 7am? Not a problem with WatchTowerHQ

**Performance Insights**

Wondering why no one stays on your website? It’s probably because it’s slow…like Ford Fiesta slow. Figure out what you need to do to transform it into the Porsche it deserves to be.

**Daily Backups**

Take them daily, store them for a year. Don’t be at the mercy of the intern who accidentally deleted all of your blog posts from the last 6 years. Restore them quickly from one of your backups. Automate these as you would like, or take them manually.

**Historical Data Tracking**

A snapshot in time is great for some. You’re not some. Most are like you, they want to see how data looks over time. Screen shots from last May? Easy peasy. Site speed today relative to 2 months ago? One click.

**Notifications?**

We’ve got you covered. You control who gets alerts, which alerts they get, and when. All for you to control within your account.

**Domain and SSL Registration Monitoring**

The dreaded call from a client at 12:47am when they realize their domain has expired and a 12 year old North Korean is holding it hostage for 72 BTC. Don’t let that happen to you or your clients. Always know when your domain or SSL certificate are about to expire so you can proactively renew.

**Real-time Uptime Monitoring**

Kiss false positives good-bye. Set your limits, get updated when they’re triggered.

**One-Click Access**

Access your WordPress site or staging environment with one click right from the website dashboard.  
WatchTowerHQ is the most robust website monitoring and management tool. Increase operational efficiency by eliminating wasted time, improving your security, and taking preventive action.

**Custom User Roles**

Select from one of WatchTowerHQ’s user roles with granular permissions selection or create custom roles to fit your organizational needs.

Please note that WatchTowerHQ tracks information about your site including:  
\* Domain information (Registrar, DNS, SSL, Blacklist Status, Site & Proxy IP addresses)  
\* WordPress plugins, themes, and core  
\* Google Lighthouse & Google Analytics data  
\* Screen captures  
\* CSS & JavaScript code

After installing the WatchTowerHQ plugin you will need to do a few things to start monitoring your site.  
1\. Activate the WatchTowerHQ plugin.  
2\. Copy the access token found in the WatchTowerHQ Settings (you will need this in a future step).  
3\. Go to WatchTowerHQ to sign up for an account.  
4\. Fill in information about your websites – including the access token that you’d copied earlier.  
5\. Save the website’s information once complete. Happy monitoring!

If you’ve already signed up on WatchTowerHQ, you can also follow the alternative installation:  
1\. Download the WatchTowerHQ client from the Settings dropdown menu  
2\. Go to the Plugins tab in WordPress and select “Add New Plugin”.  
3\. Click the “Upload Plugin” button and upload the zip file you downloaded from WatchTowerHQ.  
4\. Click to activate the client and copy the access token from the WatchTowerHQ settings.  
5\. Go to the “Add new website” form found on the Websites page of your WatchTowerHQ dashboard.  
6\. Select WordPress as your CMS and paste the access token in the space.

**Can I have multiple environments on WatchTowerHQ?**

Yes, you can include your development and other environments to your WatchTowerHQ account for convenient one-click access.

**What does WatchTowerHQ do with my site’s information?**

The information tracked by WatchTowerHQ is used to provide real-time analytics and alerts on your site’s status including vulnerabilities, site downtime, and performance. As well as to notify you about WordPress-specific issues such as abandoned plugins.

**How much is WatchTowerHQ?**

To view our plans and get started with WatchTowerHQ check out our website.

**Can I limit access to other users?**

We have a number of standard roles, that many users requested, along with that we’ve created custom user roles. With custom user roles the options are endless to the access that you can give any one user. Custom User roles are included in all plans at no additional cost.

It's packed with features. One of the best tools available to manage my websites.

Read all 1 review

“WatchTowerHQ” is open source software. The following people have contributed to this plugin.

Contributors

*    watchtowerhq

**3.6.20**

*   remove unused code

**3.6.19**

*   db backup fix

**3.6.18**

*   WordPress 6.1.x compatibility declaration update

**3.6.17**

*   Fix security issue

**3.6.16**

*   Fix security issue

**3.6.15**

*   Fix theme updates info

**3.6.13**

*   Fix plugin updates info

**3.6.12**

*   Fix plugin slug

**3.6.11**

*   Fix plugin slug

**3.6.10**

*   WP 6.x compatibility declaration

**3.6.7**

*   WP 5.9.x compatibility declaration

**3.6.6**

*   fix open basedir warnings

**3.6.1**

*   Add endpoint for removing database backup file

**3.6.0**

*   updated action scheduler

**3.5.69**

*   WP Engine – exception

**3.5.67**

*   code improvements

**3.5.65**

*   code improvements
*   fetch info about debug log

**3.5.1**

*   update action scheduler

**3.5.0**

*   new backup system

**3.4.16**

*   WordPress 5.8 compatibility

**3.4.15**

*   fix UI issue

**3.4.13**

*   better settings UI

**3.4.12**

*   allow resume downloading backup
*   include backup integrity checksum to confirm error free transfer

**3.4.10**

*   code refactoring

**3.4.9**

*   update composer properties

**3.4.8**

*   WordPress 5.7 compatibility

**3.4.4**

*   new backup queue file limits

**3.4.2**

*   increase timeout

**3.4.0**

*   added ZipArchive fallback

**3.3.10**

*   fix curl timeout

**3.3.7**

*   minimum PHP version: 7.1

**3.3.6**

*   readme improvements

**3.3.0**

*   WordPress.org first release.
*   removed custom updates library

CVE-2022-44583: WatchTowerHQ

Cross-Site Request Forgery (CSRF) vulnerability in Media Library Folders plugin <= 7.1.1 on WordPress.

CVE-2022-41634: Media Library Folders

Debian Linux Security Advisory 5285-1 - Multiple security vulnerabilities have been found in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for information disclosure or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5285-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
November 17, 2022                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : asterisk  
CVE ID         : CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301  
                 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845  
                 CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608  
                 CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792  
                 CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651  
Debian Bug     : 1014998 1018073 1014976

Multiple security vulnerabilities have been found in Asterisk, an Open Source  
Private Branch Exchange. Buffer overflows and other programming errors could be  
exploited for information disclosure or the execution of arbitrary code.

Special care should be taken when upgrading to this new upstream release.  
Some configuration files and options have changed in order to remedy  
certain security vulnerabilities. Most notably the pjsip TLS listener only  
accepts TLSv1.3 connections in the default configuration now. This can be  
reverted by adding method=tlsv1_2 to the transport in pjsip.conf. See also  
https://issues.asterisk.org/jira/browse/ASTERISK-29017.

For the stable distribution (bullseye), these problems have been fixed in  
version 1:16.28.0~dfsg-0+deb11u1.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmN2qoFfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeR0pQ/+Kr+FWFeFyrkFTyVv5BGBJug+EvZzzC2JZoI/TNsiAWQi/BZTQJ0pmdZr  
EHokqN7Z35EqZW6sj5aypdK7bOv4N+uv6P59xROk1KjEEG6XttGJ2BUvffWYWEXo  
k6+ou/yfAxU72Ufd1eOcMtjyGeN0CljmemIJ5Cywpnaw8YArP+VzRK2NEth0gCmJ  
TAfSvIPFaS7jB6fEg8KESOpmvtlqEJUh5sjP2t+OOEc3AoNBBuj4ZC44SQ1nif6k  
jEbmLFnJYQF8dP+IasZ3SY80N+BeuGiylZQ6w1ZvuYuUAK3jhHQ3CJvTQ4sEqNQV  
Zva6t0kHOEKVxKg412oEpQ0ihR+EBF/lnECu7iR2HTKk8xteNwio5qeeW/joTAJx  
OTYlHTtERTZIiaHdmV3nmGYgrTLeDHClilCnJrQuyXF+LVHjxBWDh7WS83zSrdIH  
gNP0eZ5UEjrpomf1yKqHVUsji63eSWACdFVXJLACMwpuevq8qgV6zASD+VuUd36r  
foEOKVj+FIHehWSef9pP48Na8bOn0EDVqtZEPOjE6o8Y8PjgSf7BSNogppZncldw  
VREox9NsxGM9hSVh3lVBWL8lT76HQVzXjfXXXoIEFDiGokNRV/dNTuhhb/mh0zxr  
VTKBboC6ijQVCdVQ7UdGFnoVXOWW2gy8sdam40ELBUCGDD5XI7Aêjm  
-----END PGP SIGNATURE-----

Debian Security Advisory 5285-1

By Waqas
ExpressVPN’s study on the most common passwords around the world showed that 42% of people use their first name in their passwords, while 43% of them use their birth date.
This is a post from HackRead.com Read the original post: Study shows that 42% of people use their names in passwords

Password theft can make life significantly more difficult. Aside from benign major hassle, compromised passwords can easily lead to identity theft and cause serious legal issues. Therefore, it is worth paying attention to the strength of your passwords and changing them regularly or, at the latest, when you suspect your accounts have been compromised.

ExpressVPN’s study on the most common passwords around the world showed that 42% of people use their first name in their passwords, while 43% of them use their birth date. Since this information is easily traceable on social media, your accounts can be more prone to hacking attacks.

**How can someone find out my password?**

A compromised password allows unauthorized people to log into your accounts. Password compromise is usually not your fault; your data is not directly compromised on a specific computer. There’s no reason to automatically assume that an attacker has accessed or hacked your computer and is still watching it (these thoughts are only appropriate if you find that multiple passwords have been compromised in a relatively short period of time).

The most common reason is the theft of user’s personal data from various services. It is also conceivable that attackers could hack and obtain a database of users of a certain service (a so-called “Breach”) and then publish it. The password is then sold on the black market and can in fact be read by anyone. 

**How to protect yourself****Checking for fraudulent use**

You can easily check your password online. Take a look at the publicly available tools that can do this. Most of them work automatically and can send an alert when you enter your email address if they detect a leak or incident (containing your email address or password) as mentioned above.

The best-known monitoring tool is ”have I been pwned”. Here, after entering your email address, you can see which services or providers have been hacked and which user accounts have been compromised. If your account is listed, consider your password hacked and change it urgently. It is clear which one it is by looking at your password, even if it is not naturally displayed.

You can type the password directly into the Pwned Passwords tool (instead of looking for the associated email). The result is a notification of whether the password was part of a data breach and how many times it happened. The database contains over 613 million compromised passwords that have previously been proven to have been stolen.

Other password compromise checking services:

*   F-Secure
*   Firefox Monitor
*   Chrome browser
*   Avast Hack Check
*   Mirkat for Lenovo

**Discover weak and duplicated passwords at the administrator or keychain**

Password compromise detection or password weakness alerts should be available in any decent password manager. We’ve already covered them in our magazine, and you can find the best-known ones in a dedicated password managers section.

On some systems, passwords are stored in keychains that support the features mentioned above; for example, on iOS (iPhone) and macOS, the keychain warns if a password is weak or repeated across multiple services. Since iOS 14 and macOS Big Sur, the keychain can also keep track of compromised passwords. If your saved password has an exclamation mark icon next to it, you should change it right away.

1.  List of 2020’s most used passwords is here and it’s appalling
2.  Revealed: The 200 Most used and Worst Passwords of 2021
3.  Chrome on Android will alert, fix your compromised password
4.  Psst! tool by 1Password lets users share passwords using a link
5.  Nissan source code leaked, it used “admin” as username, password

**Use a password manager**

The average internet user uses so many services and apps that if they had to use unique passwords for each one, they would not be able to remember them. So, if you don’t want to give up security completely and use a single password, we recommend using a password manager.

Password managers may even suggest strong passwords, which is something to consider. Password suggestions are also built into some browsers or password manager plug-ins allow this feature. Artificial intelligence can judge better than the user what is a suitable and strong password.

The default setting for cloud-based password managers is to log in with 2FA. If you use a password manager on your phone, it usually has biometrics – fingerprint or facial recognition. This adds another layer of security to password access.

**Ustwo-factor authentication**

We regularly cover two-factor authentication (2FA) in our magazine, so the term is certainly not new to you. Simply put, 2FA adds an extra layer of protection to your login, so a simple password is no longer enough. To log in, you will still need to enter a one-time password (OTP), which is generated separately on the device you have. This is usually an app on your smartphone that shows you an OTP password for each “paired” service, which is valid for a very short period.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Tag

#ssl