app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.

CVE-2022-31263: Release v3.5.0 · mastodon/mastodon

NIST may be on the brink of revealing which post-quantum computing encryption algorithms it is endorsing, solidifying commercial developments like QuProtect.

Cybersecurity experts are awaiting the imminent announcement from the National Institute for Standards (NIST) of its recommended post-quantum computing (PQC) encryption algorithms, an important milestone in a years-long process that started back in 2016 with 82 candidates. NIST has signaled it will reveal its decision imminently — possibly just before or during the RSA Conference in San Francisco in two weeks, amid a swirl of new activity in the field of quantum computing.

The PQC algorithms would join RSA and elliptic curve cryptography (ECC) as a new generation of NIST-recommended encryption standards. The PQC algorithms promise to enable encryption that is exponentially more powerful than current standards, which will become essential when quantum computers are available for commercial use.

Once NIST reveals which four algorithms it is endorsing, the next phase of drafting standards will begin. That process is expected to take roughly a year. But the pending decision will establish which algorithms to focus on. While the NIST selection will allow stakeholders to apply them to their offerings, many providers say that is just one part of the solution. Several startups focused on addressing PQC are now coming out of stealth. The latest came last Thursday, when QuSecure, a San Mateo, Calif.-based company formed three years ago, officially launched both itself and its first PQC product, called QuProtect. QuSecure describes QuProtect as an orchestration platform that can protect data in transit and at rest encrypted with the new PQC algorithms.

**A 'Perfect Storm' for Quantum Computing**

NIST's selection, until recently considered at least a year away, would come amid a perfect storm unfolding this month in quantum computing, all signaling that CISOs should accelerate their PQC strategies. Recent disclosures portend that quantum computing could become commercially available sooner than once thought likely. Notably, IBM two weeks ago revealed that it will release a 433-qubit processor called IBM Osprey by the end of this year, more than a threefold increase from IBM Eagle, a 127-qubit processor introduced in November 2021. IBM's updated roadmap calls for the introduction of a 1,000-qubit processor next year called IBM Candor. In three years, IBM plans to deliver a multi-cluster offering capable of exceeding 4,000 qubits.

"By 2025, we will have effectively removed the main boundaries in the way of scaling quantum processors up with modular quantum hardware and the accompanying control electronics and cryogenic infrastructure," Jay Gambetta, VP of quantum computing and an IBM Fellow, explained in a May 10 blog post. During that same week, D-Wave Systems announced the availability of its Advantage quantum computer via the Leap quantum cloud service, a part of the University of Southern California-Lockheed Martin Quantum Computing Center hosted at USC's Information Sciences Institute (ISI).

After the creation of Shor's algorithm in 1994, researchers realized that once quantum computers arrive with an abundant level of scale and precision, they will be able to break current forms of encryption. Besides RSA and ECC, quantum computers are expected to break the long-trusted Diffie-Hellman key exchange algorithm used for modern cryptographic communications including SSL, TLS, PKI, and IPsec.

Meanwhile, efforts to provide protections from quantum computing is accelerating. The recent White House directives emphasized that the government and industry should move forward with NIST's standards as well as calling for swift passage of the Bipartisan Innovation Act, legislation reintroduced last year as the Endless Frontier Act by US Senate Majority Leader Chuck Schumer, Senator Todd Young (R-IN), Representative Ro Khanna (D-CA), and Representative Mike Gallagher (R-WI). The bill seeks to boost funding in research and the advance of technology deemed critical to US national security, which includes artificial intelligence, PQC, and semiconductors.

Following the White House directive, the US House of Representatives Oversight and Government Reform Committee on May 11 unanimously passed the Quantum Computing Cybersecurity Preparedness Act, a bill proposed by US Representative Nancy Mace (R-SC) seeking to advance the migration of federal government IT systems with PQC capabilities. The legislation now sits before the House for consideration.

**Building QuProtect**

QuSecure was founded by chairman and COO Skip Sanzeri, CEO Dave Krauthamer, and chief product officer Rebecca Krauthamer, who is also a member of the World Economic Forum's Global Future Council on Quantum Computing.

Sanzeri tells Dark Reading that roughly 15 customers are now piloting QuProtect, including several branches of the US Department of Defense and large enterprise businesses. The only commercial customer QuSecure has permission to reference is Franklin Templeton, the New York-based diversified investment firm with roughly $1.5 trillion in assets under management as of April 30, which is best known for its large mutual funds. QuSecure is incubated within Franklin Templeton, which is also an investor in the company.

While Franklin Templeton declined to comment on its QuProtect pilot, Sanzeri says it is currently in beta there. "We are moving to the next step to a broader rollout," Sanzeri says. While Sanzeri said he was restricted in the amount of detail he could offer, it has established the quantum communications link between its servers and select institutional customers. The technology doesn't require the customers to add anything on their end, he says.

The QuProtect communications channels can run on servers on premises and in the cloud, Sanzeri adds. Eventually, it will run on network switches as well, according to Sanzeri, who says QuSecure has been in talks with players including Cisco, Fortinet, Juniper Networks, and Palo Alto Networks. "The switch providers are very standards based," Sanzeri says. "And one of the reasons why they haven't necessarily adopted this yet, across the board is because NIST hasn't finalized their standards. But once they do, then I think the switch providers will all come along nicely."

QuProtect provides a secure communications channel designed to protect any node on a network and is designed to use any of the NIST-approved PQC algorithms. Sanzeri claims QuSecure is the first company that is offering a complete PQC platform. "There are some point solutions out there that might be focusing on, say, quantum random number generation, or possibly just on cryptography," Sanzeri says. "And we think that is fine. However, it's not enough. If you're going to protect the enterprise, you need to be able to protect holistically."

Vincent Berk, chief strategy officer of QuantumXchange, which provides software that uses PQC keys shared on two specific endpoints, disputes QuSecure's claim of being the only company developing a complete offering. "To claim you're the first one that brings post quantum cryptographic solutions to the entire world, I can make that exact same claim for QuantumXchange, and we can start bickering over what we consider post quantum hard," Berk says.

Nevertheless, Berk, who joined QuantumXchange earlier this year after serving as CTO and chief security architect at Riverbed Technology, believes the QuSecure has a viable offering. "What I think they're doing a great job of is they're trying to make it as easy as possible to get you to know that you can trust your new cryptographic algorithms are working for you," Berk adds.

QuSecure Carves Out Space in Quantum Cryptography With Its Vision of a Post-RSA World

Windows OS can be configured to overlay a “language bar” on top of any application. When this OS functionality is enabled, the OS language bar UI will be viewable in the browser alongside the AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere applications. It is possible to manipulate the Windows OS language bar to launch an OS command prompt, resulting in a context-escape from application into OS.

CVE-2022-1467: Support | Cyber Security Updates

Mohit Tiwari, CEO of Symmetry Systems, explores Zero Trust, data objects and the NIST framework for cloud and on-prem environments.

Mohit Tiwari, CEO of Symmetry Systems, explores Zero Trust, data objects and the NIST framework for cloud and on-prem environments.

AUTHOR: Mohit Tiwari, CEO and Co-Founder, Symmetry Systems

Compromised credentials and identities, third-party breaches, API attacks, and application exploits are all foundational entry points for today’s hackers.

Recent months have brought many high-profile breaches from Samsung and Nvidia to Okta and the continued aftermath of Log4j. Still, ultimately, these attacks are all symptoms of the same problem: organizations do not have visibility into how their data objects are protected and used.

Until security teams can answer in real-time what data they have, who has access to it, and how it is being used, organizations will continue to fail in rapidly communicating the extent of breaches within the cloud.

When Samsung confirmed the Lapsus$ hacking group had obtained and leaked almost 200 gigabytes of confidential data, the first question for customers was whether or not their customers’ data was a part of that statistic or if Samsung had safeguards in place to protect them.

Fortunately, Samsung said that no customers’ personal information was compromised. However, when Okta was breached by the same hacking group just a few weeks later, their security team had difficulty communicating the blast radius because they could not seamlessly pinpoint the location and privileges of all the data within their ecosystem. This kind of delay can lead to growing distrust within the broader enterprise community as security teams scramble to identify the full scope of the breach.

With so much at stake, an increasing number of organizations are choosing the Zero Trust Security model, which assumes that untrusted users exist on both sides of an organization’s computing perimeter.

Zero Trust principles – whether applied to identities, network, or data objects – help organizations systematically improve security risks throughout each of visibility, detection, response, and protection. However, in the modern enterprise, implementing Zero Trust for data without breaking business logic is a new direction that requires a careful shift from Posture Management to Detection-Response to Protection to avoid creating business risk or outage.

As the concept of Zero Trust continues to evolve, there are a few practical ways that organizations can begin eliminating risk once they have improved visibility and found a solution that works within their cloud or on-prem environment. The United States’ National Institute of Regulations and Technology (NIST), which has released a number of cloud security standards that take into account overlapping federal regulations, including HIPAA and the Federal Information Security Management Act (FISMA), is also a great reference point. It provides supplemental materials and details that update organizations about how the controls coincide and collaborate with other widely accepted standards and frameworks. The NIST model incorporates the following framework:

****Visibility into Security Posture:** **

When companies have visibility into their data security posture, they are able to determine and set policies for enhanced data protection across cloud-based organizations to help them better determine how data objects should be treated. Data Security Posture Management (DSPM) tools are a good starting point for your Zero Trust journey.

****Detection-Response:****

Many critical identities and service roles necessarily need permissions to large swaths of data to do their job – privileged identities, applications that are fronts for databases or data lakes, and even CI/CD etc. supply chain software are all examples of these. Placing detection and response seat-belts around crown jewel data objects protects them from such identities being mis-used through phishing or app-sec faults.

****Protection:****

Organizations should create permissions and entitlements, issue cleanup campaigns, and set up governance models to be set up to proactively prepare to respond to detected cybersecurity incidents. These are longer term campaigns with major strategic value and hence are informed by the fine-grained visibility into how data objects are used across different business functions.

Simply put, data is valuable and an organization’s most persistent asset. It is critical for organizations to completely understand where their secrets (IP) lie across their entire cloud and on-prem environment. Where is your data? Who has access to it, and is this access monitored? Does your organization maintain authority over this data so excessive or dormant privileges can be revoked when necessary?

Answering these questions is foundational to a modern cloud data security strategy, especially when faced with the challenge of operationalizing access control or data security without breaking business logic. If left unanswered, organizations will continue to invest time and resources in tangential protections around networks and applications that leave significant gaps for data to be exploited or taken for ransom.

**Infosec Insiders columnist Mohit Tiwari is the CEO and Co-Founder of Symmetry Systems.** 

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

Zero Trust for Data Helps Enterprises Detect, Respond and Recover from Breaches

By Owais Sultan
Online gaming has always been the buddy of leisure time because they allow us to bring some enjoyment…
This is a post from HackRead.com Read the original post: 5 Casual Games You Can Play on Your Mobile Browser Now

Online gaming has always been the buddy of leisure time because they allow us to bring some enjoyment to our lives after spending some hectic time. That’s why online games are the love of everyone irrespective of age and gender. However, the landscape of the online gaming world has changed with the advancement in technology.

The games first moved from our backyards to PCs and now they are enclosed in our cell phones through apps and online versions. So, now you don’t have to go anywhere to play games with your friends. Comfortably sit (or lay down!) on your couch, open your mobile browser, and get ready to take a dip in the gaming world. It’s that easy!

But with so many gaming options, it is hard to find the best games in one go. Don’t worry, we have made the list of the best casual games for you that can keep you hooked for hours.

Here is the list of fun games you can play on your mobile browser:

*   **Solitaire**

Microsoft introduced Solitaire with Microsoft Windows in 1990 and since then this card game has become popular among kids and adults alike. Back in time, people used to stick to their PC, playing Solitaire games for hours, and the urge to play more kept them sitting for hours. This was the level of the craze of Solitaire! And this mania is still alive!

Despite the introduction of many online games, the love of people for Solitaire has not ended yet. They still love to play it on their laptops, on online sites like Solitaire Bliss, and on in-app versions.

So, if you haven’t tried this amazing game yet, it is time you pick up your mobile and become a part of the huge Solitaire games community. You will surely not regret it!

*   **Sudoku**

Sudoku is one of the oldest and most popular puzzle games that is fun and an excellent way to sharpen up your mind. The goal is to complete the 9×9 grid in a way that each column, row, and 3×3 section contains all numbers from 1 to 9. This game has different difficulty levels from easy, medium, and hard to expert.

You can download the app or play it on the mobile browser and switch between different levels and check how good you are at solving puzzles.

Sudoku is an amazing brain game and besides keeping you busy and your fun part alive, it can also help improve your concentration and focus. Once you start playing this game, in no time it will become one of your favorite games. So, what are you waiting for? Let’s begin!

*   **Spider Solitaire**

The good news for card game lovers is that there are various variations of Solitaire if you get bored with the traditional Solitaire, but still want to stick to a card game. One of the Solitaire variations is Spider Solitaire.

Spider Solitaire is loved by many card game maniacs for all the right reasons. It also came with Windows in 1990, but it is a bit hard to master. Moving a few cards here and there thoughtlessly won’t help you out. You need full concentration and a strategy to win this game. The goal is to remove all cards by building piles of cards irrespective of suit.

This might seem to be something that anyone can do, but remember that in reality, it can tease your brain. So, with this game opened in your mobile browser, you will be on the edge of your seat while playing this game.

*   **Minesweeper**

Minesweeper is another Windows 7 game that is now available online and in in-app forms as well. You can open it on your mobile browser and start playing it right away. But the question is: why should someone download it? Simply because it is a fun game that can help you check your guesswork skills and luck in one go.

The goal is to empty the whole gray board by clicking different boxes on the board. But the tricky part is to save yourself from the mines hidden in the board. If you mistakenly click on the mine, the game is over.

Therefore, it is easy to play, but hard to win (tidbits: I have never won a minesweeper game ever in my life!). But if you are confident enough about your guesswork skills and luck, this game is the right pick for you. Wish you the best of luck – hope I also get to win it one day.

*   **Mahjong**

Mahjong is a traditional Chinese game with an enriched history dating back to 3000 years. It was once considered a game for Asians, but now the popularity of this game has broken the boundaries and become popular the world over. Thanks to the online and app version of this game.

Mahjong is not an easy nut to crack. This game involves 4 players and 136 tiles made of bamboo or plastic. The goal is to make 1 pair of identical tiles and four sets of tiles with three identical tiles. You might not understand it initially, but the practice can make you perfect. It becomes easier to learn it if you know Chinese because the tiles have different Chinese symbols carved.

Therefore, you can play the game in a better way if you can read those symbols. Once you get on the road to understanding this game, you will also become part of those millions of people who like to play this game like a religion.

**Conclusion**

Passing leisure time doesn’t always mean sleeping or lying lazily on your bed. It also means doing things you love to do – just like playing games. Open your mobile browser, find the games mentioned above and your leisure hour will turn into a fun time with a rollercoaster of emotions. These games also give the option to invite your friends to take the fun part to the next level. So, whatever you do, these games will not disappoint you!

**More Gaming Topics**

1.  5 Best Android Emulators for PC
2.  Influence of technology on the gaming industry
3.  12 Classic Games You Can Play on Your Smartphone
4.  How data collected in gaming can be used to breach user privacy
5.  Sony is bringing PlayStation games to your Android and iOS devices

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

5 Casual Games You Can Play on Your Mobile Browser Now

Pion DTLS is a Go implementation of Datagram Transport Layer Security. Prior to version 2.1.4, a buffer that was used for inbound network traffic had no upper limit. Pion DTLS would buffer all network traffic from the remote user until the handshake completes or timed out. An attacker could exploit this to cause excessive memory usage. Version 2.1.4 contains a patch for this issue. There are currently no known workarounds available.

@@ -1,6 +1,7 @@ package dtls  
import ( "errors" "reflect" "testing" ) @@ -57,7 +58,7 @@ func TestFragmentBuffer(t \*testing.T) { Epoch: 0, }, { Name: "Multiple Handshakes in Signle Fragment", Name: "Multiple Handshakes in Single Fragment", In: \[\]\[\]byte{ { 0x16, 0xfe, 0xfd, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x30, /\* record header \*/ @@ -113,3 +114,18 @@ func TestFragmentBuffer(t \*testing.T) { } } }  
func TestFragmentBuffer\_Overflow(t \*testing.T) { fragmentBuffer := newFragmentBuffer()  
// Push a buffer that doesn't exceed size limits if \_, err := fragmentBuffer.push(\[\]byte{0x16, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x03, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0xfe, 0xff, 0x00}); err != nil { t.Fatal(err) }  
// Allocate a buffer that exceeds cache size largeBuffer := make(\[\]byte, fragmentBufferMaxSize) if \_, err := fragmentBuffer.push(largeBuffer); !errors.Is(err, errFragmentBufferOverflow) { t.Fatalf("Pushing a large buffer returned (%s) expected(%s)", err, errFragmentBufferOverflow) } }

CVE-2022-29189: Add limit to fragmentBuffer · pion/dtls@a6397ff

Pion DTLS is a Go implementation of Datagram Transport Layer Security. Prior to version 2.1.4, an attacker can send packets that sends Pion DTLS into an infinite loop when processing. Version 2.1.4 contains a patch for this issue. There are currently no known workarounds available.

@@ -73,6 +73,20 @@ func TestFragmentBuffer(t \*testing.T) {

},

Epoch: 0,

},

// Assert that a zero length fragment doesn't cause the fragmentBuffer to enter an infinite loop

{

Name: "Zero Length Fragment",

In: \[\]\[\]byte{

{

0x16, 0xfe, 0xfd, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00,

0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

},

},

Expected: \[\]\[\]byte{

{0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00},

},

Epoch: 0,

},

} {

fragmentBuffer := newFragmentBuffer()

for \_, frag := range test.In {

CVE-2022-29190: Don't attempt to append zero length fragments · pion/dtls@e0b2ce3

Pion DTLS is a Go implementation of Datagram Transport Layer Security. Prior to version 2.1.5, a DTLS Client could provide a Certificate that it doesn't posses the private key for and Pion DTLS wouldn't reject it. This issue affects users that are using Client certificates only. The connection itself is still secure. The Certificate provided by clients can't be trusted when using a Pion DTLS server prior to version 2.1.5. Users should upgrade to version 2.1.5 to receive a patch. There are currently no known workarounds.

This release includes fixes for a security issue reported by the Mattermost security team. We'd like to thank them for the responsible disclosure and urge any consumers of the DTLS package to update.

*   GHSA-w45j-f832-hxvh

CVE-2022-29222: Release v2.1.5 · pion/dtls

Cross-Site Request Forgery (CSRF) vulnerability in KubiQ CPT base plugin <= 5.8 at WordPress allows an attacker to delete the CPT base.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Remove custom post type base slug from url

*   possibility to select specific custom post type(s)
*   auto redirect old slugs to no-base slugs

1.  Upload remove-cpt-base directory to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress

I easily removed the services slug from the link

Very simple plugin, but works perfectly! 🎉

A simple but efficient plugin that works like charm... 🙂

couldnt get the slug remove done with custom code on one particular site for whatever reason ... but this little thing works flawlessly! thanks - please keep it up!! 🙂

Read all 18 reviews

“Remove CPT base” is open source software. The following people have contributed to this plugin.

Contributors

*    kubiq

**5.9**

*   added nonce and security checks

**5.8**

*   tested on WP 5.9

**5.7**

*   tested on WP 5.5
*   minor fix

**5.6**

*   tested again with WPML, Polylang and Custom Post Type Permalinks and fixed

**5.5**

*   tested on WP 5.5
*   another fix for Custom Post Type Permalinks plugin

**5.4**

*   enable previews for CPTs without base

**5.3**

*   make it works with WPML
*   make it works with Polylang
*   make it works with Custom Post Type Permalinks plugin

**5.2**

*   tested on WP 5.4

**5.1**

*   removed auto-prevent slug duplicates
*   removed debug mode
*   removed remove\_cpt\_base\_skip filter
*   use default WP function instead of custom
*   make it works for custom rewrite slugs
*   prioritize page and post like WP does

**5.0**

*   YOU HAVE TO SAVE YOUR SETTINGS AGAIN, because:
*   added alternation option for each post type separately
*   added debug mode

**4.8**

*   fix alternative CPT children solving for nested children

**4.7**

*   alternative CPT children solving

**4.6**

*   fix server port redirect

**4.5**

*   make it works for WP installations in directory

**4.4**

*   minor changes

**4.3**

*   fix for some endpoints and make sure post is not interpreted as attachment

**4.2**

*   fix for hierarchical CPTs on some servers

**4.1**

*   make it works for posts interpreted like category by WP

**4.0**

*   tested on WP 5.2
*   make it works for hierarchical post types and different permalink structures
*   going back to ‘pre\_get\_posts’
*   optimize generating slug for duplicate names

**3.3**

*   change HTTP code from 404 to 200

**3.2**

*   fix for query strings

**3.1**

*   add custom endpoint rewrites support

**3.0**

*   stop using complicated ‘pre\_get\_posts’ and handle 404 instead

**2.3**

*   tested on WP 5.0

**2.2**

*   fix 404

**2.1**

*   fix redirect loop in WPML and WooCommerce

**2.0**

*   stop using .htaccess rules

**1.2**

*   auto init after permalinks updated

**1.1**

*   add uninstall hook
*   add duplicate slug check
*   minor updates

**1.0**

*   First version

CVE-2022-29431: Remove CPT base

Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ibericode's MC4WP plugin <= 4.8.6 at WordPress.

Tag

#ssl