Live2D Cubism suffers from a heap corruption vulnerability.

    Live2D Cubism is the dominant "vtuber" software suite for 2D avatars for use in livestreaming and integrating them in other software.They publish various SDKs and a frameworks for integrating their libraries with your own program. You're supposed to use those to deserialize and render/animate the models created with their main software - often untrusted files from random people on the internet.While their main java-based programs and their web toolkit seem to have at least minimal sanity checks for input, the same is not true for their "native" (C/C++) framework.This is trivially, unintentionally and repeatedly triggered by people just testing it with janky rips available broadly on the internet, such as this model of a Discord moderator: https://github.com/Eikanya/Live2d-model/tree/master/%E4%B8%BA%E7%BE%8E%E5%A5%BD%E7%9A%84%E4%B8%96%E7%95%8C%E7%8C%AE%E4%B8%8A%E7%A5%9D%E7%A6%8F%EF%BC%81Fantastic%20Days/1399100Those models have nonsense numbers of total segments and points for the animation curves because the Unity live2d asset ripper which was used to generate them calculates the totals wrong. The framework happily trusts the totals and lets you squirt as many bytes (or, more accurately, floating point numbers) as there is contiguous memory allocated. If you hit the upper bound you will segfault, otherwise your allocator will probably panic only on the next free() or allocation.e.g. https://github.com/MizunagiKB/gd_cubism/issues/52TLDR: They don't validate that the total numbers of points and segments in animations actually match the total numbers in the corresponding arrays in serialized models. I sent them a patch to recalculate those numbers and ignore the totals, as it's really annoying to have to validate every model manually with an external python script, but they refuse to apply it because the data wasn't generated by their official program and they think this is a customer support issue ?This leaves gaping wide open a heap corruption issue that I don't have the skill or time to actually exploit in any interesting way, but I'm just going to leave this here because fuck those guys. They also like to send their deranged fanboys after anyone reporting on their incompetence and negligence, because if you're not willing to spend thankless weeks/months trying to get RCE then your bug isn't really el8 enough: https://github.com/UlyssesWu/D2Evil/issues/6#issuecomment-1685596304PT

Live2D Cubism Heap Corruption

Gentoo Linux Security Advisory 202405-4 - Multiple vulnerabilities have been discovered in systemd, the worst of which can lead to a denial of service. Versions greater than or equal to 252.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: systemd: Multiple Vulnerabilities  
     Date: May 04, 2024  
     Bugs: #882769, #887581  
       ID: 202405-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in systemd, the worst of  
which can lead to a denial of service.

Background  
==========

A system and service manager.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
sys-apps/systemd  < 252.4       >= 252.4

Description  
===========

Multiple vulnerabilities have been discovered in systemd. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All systemd users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/systemd-252.4"

References  
==========

[ 1 ] CVE-2022-4415  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4415  
[ 2 ] CVE-2022-45873  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45873

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-04

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-04

Gentoo Linux Security Advisory 202405-3 - A vulnerability has been discovered in Dalli, which can lead to code injection. Versions greater than or equal to 3.2.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Dalli: Code Injection  
     Date: May 04, 2024  
     Bugs: #882077  
       ID: 202405-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Dalli, which can lead to code  
injection.

Background  
==========

Dalli is a high performance pure Ruby client for accessing memcached  
servers.

Affected packages  
=================

Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
dev-ruby/dalli  < 3.2.3       >= 3.2.3

Description  
===========

A vulnerability was found in Dalli. Affected is the function  
self.meta_set of the file lib/dalli/protocol/meta/request_formatter.rb  
of the component Meta Protocol Handler. The manipulation leads to  
injection.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Dalli users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-ruby/dalli-3.2.3"

References  
==========

[ 1 ] CVE-2022-4064  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4064

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-03

Red Hat Security Advisory 2024-2700-03 - An update for varnish is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2700.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: varnish security updateAdvisory ID:        RHSA-2024:2700-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2700Issue date:         2024-05-06Revision:           03CVE Names:          CVE-2024-30156====================================================================Summary: An update for varnish is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.Security Fix(es):* varnish: HTTP/2 Broken Window Attack may result in denial of service (CVE-2024-30156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-30156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2271486

Red Hat Security Advisory 2024-2700-03

Gentoo Linux Security Advisory 202405-2 - Multiple vulnerabilities have been discovered in ImageMagick, the worst of which can lead to remote code execution. Versions greater than or equal to 6.9.13.0 are affected.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Gentoo Linux Security Advisory                           GLSA 202405-02- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -                                           https://security.gentoo.org/- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High    Title: ImageMagick: Multiple Vulnerabilities     Date: May 04, 2024     Bugs: #835931, #843833, #852947, #871954, #893526, #904357, #908082, #917594       ID: 202405-02- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Synopsis========Multiple vulnerabilities have been discovered in ImageMagick, the worstof which can lead to remote code execution.Background==========ImageMagick is a software suite to create, edit, and compose bitmapimages, that can also read, write, and convert images in many otherformats.Affected packages=================Package                Vulnerable    Unaffected---------------------  ------------  ------------media-gfx/imagemagick  < 6.9.12.88   >= 6.9.13.0Description===========Multiple vulnerabilities have been discovered in ImageMagick. Pleasereview the CVE identifiers referenced below for details.Impact======Please review the referenced CVE identifiers for details.Workaround==========There is no known workaround at this time.Resolution==========All ImageMagick 6.x users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.9.13.0" =media-gfx/imagemagick-6*"All ImageMagick 7.x users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-7.1.1.22"References==========[ 1 ] CVE-2021-4219      https://nvd.nist.gov/vuln/detail/CVE-2021-4219[ 2 ] CVE-2021-20224      https://nvd.nist.gov/vuln/detail/CVE-2021-20224[ 3 ] CVE-2022-0284      https://nvd.nist.gov/vuln/detail/CVE-2022-0284[ 4 ] CVE-2022-1115      https://nvd.nist.gov/vuln/detail/CVE-2022-1115[ 5 ] CVE-2022-2719      https://nvd.nist.gov/vuln/detail/CVE-2022-2719[ 6 ] CVE-2022-3213      https://nvd.nist.gov/vuln/detail/CVE-2022-3213[ 7 ] CVE-2022-28463      https://nvd.nist.gov/vuln/detail/CVE-2022-28463[ 8 ] CVE-2022-32545      https://nvd.nist.gov/vuln/detail/CVE-2022-32545[ 9 ] CVE-2022-32546      https://nvd.nist.gov/vuln/detail/CVE-2022-32546[ 10 ] CVE-2022-32547      https://nvd.nist.gov/vuln/detail/CVE-2022-32547[ 11 ] CVE-2022-44267      https://nvd.nist.gov/vuln/detail/CVE-2022-44267[ 12 ] CVE-2022-44268      https://nvd.nist.gov/vuln/detail/CVE-2022-44268[ 13 ] CVE-2023-1906      https://nvd.nist.gov/vuln/detail/CVE-2023-1906[ 14 ] CVE-2023-2157      https://nvd.nist.gov/vuln/detail/CVE-2023-2157[ 15 ] CVE-2023-5341      https://nvd.nist.gov/vuln/detail/CVE-2023-5341[ 16 ] CVE-2023-34151      https://nvd.nist.gov/vuln/detail/CVE-2023-34151[ 17 ] CVE-2023-34153      https://nvd.nist.gov/vuln/detail/CVE-2023-34153Availability============This GLSA and any updates to it are available for viewing atthe Gentoo Security Website: https://security.gentoo.org/glsa/202405-02Concerns?=========Security is a primary focus of Gentoo Linux and ensuring theconfidentiality and security of our users' machines is of utmostimportance to us. Any security concerns should be addressed tosecurity@gentoo.org or alternatively, you may file a bug athttps://bugs.gentoo.org.License=======Copyright 2024 Gentoo Foundation, Inc; referenced textbelongs to its owner(s).The contents of this document are licensed under theCreative Commons - Attribution / Share Alike license.https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-02

By Deeba Ahmed
Paris 2024 Olympics face cybersecurity threats. Outpost24 analysis reveals open ports, SSL misconfigurations, and more. Can the organizers secure the Games in time? Read for critical insights and potential consequences.
This is a post from HackRead.com Read the original post: Critical Cybersecurity Loopholes Found in Paris 2024 Olympics Infrastructure

With the 2024 Olympic Games in Paris fast approaching (Fri, 26 Jul 2024 – Sun, 11 Aug 2024), a recent cybersecurity assessment by cyber threat exposure management solutions provider, Outpost24, has raised concerns about the game’s online infrastructure. 

While the overall security posture is deemed “mostly secure,” Outpost24, using its External Attack Surface Management (EASM) solution, Sweepatic, has identified critical vulnerabilities that could be exploited by malicious actors. Here’s a breakdown of the concerning findings:

****Open Ports:** **

Unsecured open ports act as gateways for hackers, allowing unauthorized access to sensitive data and internal systems.

****SSL Misconfigurations:** **

The report reveals that 31 domains have invalid SSL certificates, while 86 domains lack them entirely. These issues create vulnerabilities in the network, allowing attackers to intercept communications and steal information. The report highlights the need for improved SSL certificate configurations to protect against such attacks.

****Cookie Consent Violations:** **

Websites associated with the Paris 2024 Olympics may be failing to comply with data privacy regulations regarding user consent for cookie usage.

****Domain Squatting:** **

The presence of lookalike domains with malicious intent can potentially lure users into phishing scams or malware attacks.

****Potential Dangers****

The Paris 2024 Olympics face significant threats from cyberattacks utilizing these vulnerabilities, including data breaches, operational disruptions, and reputational damage. These vulnerabilities could compromise athlete information, ticketing details, and financial data, posing privacy and security risks. Critical systems like scorekeeping, broadcasting, and access control could be targeted, leading to chaos and disruption during the Games.

The report also highlights the positive aspects of the Paris 2024 cybersecurity citing that organizers have implemented strong security measures, and their overall approach deserves recognition but careful monitoring of loopholes too.

“Even though we’d consider the Paris 2024 games as a ‘good’ example of how to manage an attack surface, it isn’t perfect (as perfection rarely exists with cybersecurity),” stated Outpost24’s EASM CSO, Stijn Vande Casteele.

The Paris 2024 Olympics, expected to attract over 1 billion viewers, are a prime target for cyber criminality due to rising online traffic. Cybercriminals would want to exploit weaknesses and steal sensitive information for financial gain, akin to the 450 million cyberattacks in 2020 Tokyo. 

Therefore, addressing identified vulnerabilities and loopholes, patching open ports, rectifying SSL configurations, ensuring cookie consent compliance, and monitoring suspicious domain activity are crucial due to potential cyberattack consequences.

1.  New Malware Campaign Launched to Disrupt Winter Olympics
2.  Anonymous DDoS Brazilian Govt Websites Because Rio Olympics
3.  Russia hacked Winter Olympics, framed N.Korea in false-flag attack
4.  Olympics whistleblower Yuliya Stepanova hacked after Wada Breach
5.  World Anti-Doping Agency Site Hacked; Thousands of Accounts Leaked

Critical Cybersecurity Loopholes Found in Paris 2024 Olympics Infrastructure

By Daily Contributors
Is truly offline offline electronic Cash possible? Unlike Bitcoin, experts dig deeper into the technical hurdles of creating software-based cash that works without the internet. Discover why achieving this might be a tougher nut to crack than expected.
This is a post from HackRead.com Read the original post: Fully Offline Electronic Cash: Is It an Intractable Problem?

About a week ago I sat down with Michal Bajor, a senior security engineer at Resonance Security, to discuss things we both consider interesting topics within computing and security.

One problem we discussed was the idea of an ideal offline electronic cash from a purely technical perspective. We chose to ignore all the economic and political issues surrounding replacements Central Banks proposed for physical cash.

This article summarizes some of the things we considered. Unfortunately, I can’t remember exactly who said what, so let’s just attribute everything to both of us.

****Background****

One of the claims made by the European Central Bank about the digital euro, which is meant to be an electronic replacement (sorry, analog) for cash, is that “… it would be available both online and offline.”

This is not a trivial requirement. I don’t think it can be achieved.

Cash, like all physical objects, is strictly bound by the laws of physics. Objects cannot be spontaneously created out of thin air, and _they can only exist in one place at a time_. This much is obvious even to children, but it is a surprisingly useful feature of the real world. If have a five euro note and I give it to a shopkeeper, I no longer own it — it is in the till rather than my wallet.

Making identical copies of physical objects is hard, especially if people have spent centuries adding features to those objects to prevent casual duplication.

Another useful feature of cash is that once it has been issued and distributed, it is decentralized. If I have a five euro note in my wallet, short of a police raid, a mugging, or carelessness on my part, I get to decide when and where I transact with it. That transaction can take place anywhere — in a shop, on my driveway, or even halfway up Mount Everest.

In the digital world, on the other hand, duplication is easy. Despite numerous attempts by the music, film, and software industries using digital rights management and software keys, digital products such as mp3s, video files, and executable binaries continue to be illegally copied and shared.

This ease of copying things results in the “double spend” problem for digital money. How does one make a digital construct behave like a physical object so that only one person can own it at a time?

That is the core problem when designing and implementing offline digital cash.

****Framing the problem****

Before you can meaningfully discuss a problem, you need to be sure that both of you are considering the same issue under the same restrictions, and that means starting with some definitions to ensure that the digital solution has all the important features of paper notes and metal coins, while remaining digital.

****It must be software-based only****

The first is that the electronic cash we are considering should be electronic, not physical. That means it must be implemented in software only, so the code to hold and transact with the electronic cash can be run on standard smartphones and laptops.

This is a significant restriction, but a necessary one. If you start talking about the equivalent of scratch cards with bar codes, RFID cards with balances stored in a secure memory sector, or some kind of esoteric banknote with an embedded chip, then you are no longer talking about the kind of electronic cash Michal and I were considering.

Instead, you’re either just talking about a more complicated kind of physical cash, or you are going to require everyone to trade in their phones for new tamper-proof payment devices that will eventually be hacked.

****It must work when both parties are offline****

The first thing to note is that the payer does not care if the payment goes through or not. If they are buying a coffee, for example, as long as the system is accurate, the payer either ends up with a paid-for coffee, or a free coffee. The payee, on the other hand, is the party most concerned with the payment system working.

If both parties who are transacting are online, then the solution for electronic cash is technically trivial — the payer can submit their payment to the network, and the payee can then check on the network that the payment has been made. We already have such payment systems, both centralized ones (for example, payment processors like PayPal, credit card companies, or banks with their debit cards), and decentralized ones(for example, blockchain systems such as Bitcoin).

If the receiving party is online, then the solution is, similarly, relatively technically trivial. The payer can authorize the transaction offline, and the payee can present the transaction to the system on behalf of the payer, wait for it to be validated and accepted, and then verify that the payment has indeed gone through.

Again, this works in centralized systems, for example, using chip-and-pin and a point-of-sale terminal (provided the terminal is trusted), and in decentralized systems like Bitcoin where a valid digital signature on a transaction acts like a signed cheque.

If the transmitting party is online, then there are also possible solutions. Here’s a simplified explanation of one: if an offline receiver has a list of known validator public keys for a blockchain, then the online payer can submit a payment transaction, and wait until the transaction is signed by one of the validators. The payer can then present the signed transaction to the receiver, which can verify that the transaction signature is valid and made by a known validator, hence proving that the payment is valid.

Just to make it clear: we are looking for a solution that matches the diagram below, in which both the payer and the payee know that the transaction has taken place without a payment network being involved at the point of the transaction.

Note that it is perfectly fine if setting up the offline digital payment involves some online activity before and/or after the transaction takes place. The acid test is whether the two parties can walk out into the forest with no network coverage, transact, and then return to civilization safe in the knowledge that a fair value transfer happened.

****Incomplete solutions********Bitcoin****

Satoshi Nakamoto solved the problem of decentralized cash when connected to a computer network, namely through Bitcoin. In Bitcoin, asymmetric key cryptography is used to provide authentication for transferring digital assets from one person to another, and there is a ledger residing on a multitude of computers communicating with each other through a peer-to-peer network, with the ledger keeping track of exactly who owns what at what time.

With a market capitalization of $1.25 trillion and over a hundred million users, Bitcoin is not a failure. The problem is that Bitcoin doesn’t satisfy the offline requirement. You can present a signed transaction to the payee, but the payee needs to check the Bitcoin ledger to be sure that the payer’s Bitcoin address has enough of a balance to cover the payment.

And so although Bitcoin provides a fully software-based solution, it can only handle “payer is offline” cases at best.

****Ripple’s XPOP****

Ripple has presented another partial solution to offline payments, namely one where the payer is online, and the payee is not, through XPOP. There is a fair amount of misinformation online, claiming that XPOP allows Ripple to conduct fully offline transactions — it doesn’t. Instead, a more complicated version of the “payee is offline” case examined above is used.

Again, we have a fully software-based solution, but it can only handle “payee is offline” or “payer is offline” cases, but not both at the same time.

****Chaumian eCash****

The cryptographer David Chaum has been working on the problem of digital cash for four decades now. Although his eCash 2.0 does work offline, it manages this through the use of scratch cards with erasable bar codes on them. Thus Chaumian eCash 2.0 can manage the fully offline case but fails to meet the requirement of being software-based only.

One of the problems I immediately see with erasable bar-codes is that surveillance cameras are so good these days that a simple spycam videoing the bar code from afar before it is erased would allow a malicious third party to redeem the barcode before the merchant gets home and can do so.

That is without even considering how awkward transactions are, involving:

*   connecting two phones,
*   scratching off a foil covering with a coin (will people even be carrying those), and then
*   licking a Q-tip you happen to have in your pocket and using it to erase the bar code.

****Other partial or failed solutions****

When I posted a video about offline digital cash on LinkedIn and YouTube stating the problem, I received four direct messages within a day, proposing solutions. All of them relied on:

1.  enhancements to physical cash (creating a digital twin in the virtual space and linking them through a bar code or something similar), or
2.  specific locked-down hardware, such as a trusted execution environment

The first solution seems pointless to me, as we can already use the serial numbers on banknotes to track them in databases if we want to, making the proposed improvements no more than part of the effort to reduce counterfeiting.

The second solution comes with a hefty price tag to produce and distribute new hardware to everyone. Perhaps that could be overcome by only issuing devices to people in remote areas with no mobile phone coverage, such as some of the rural counties in the UK, or the Sahara desert.

****Conclusion****

So, I hear you ask, what is the solution? The sad thing is, Michal and I don’t have one. And after thinking about it for a long time, I am left with the sense that truly offline digital cash could be such an intractable problem that proving it is simply not possible may be easier than trying to invent it.

This article was authored and contributed by Keir Finlow-Bates, a passionate blockchain enthusiast and technologist.  

*   What the Bitcoin ETF Approval Mean for the Crypto Market
*   Analyzing Bitcoin Price Trends and Crypto Scalping Methods
*   Exploring the Phenomenal Rise of Ethereum as a Digital Asset
*   Owning Versus Renting – The Circumstances of Web3 Domains

Fully Offline Electronic Cash: Is It an Intractable Problem?

By Uzair Amir
Is your coding class engaging and effective? Learn what makes the best online coding classes for kids fun, effective, and future-proof!
This is a post from HackRead.com Read the original post: A Checklist for What Every Online Coding Class for Kids Needs

Parents everywhere are eager to sign up their kids for online coding classes to ensure they’re ready for life and the workforce of the future. Nobody can say with 100% accuracy what the future will hold, but surely, in our digital society, it will be high-tech!

How can parents know which online coding classes are better than others? Here’s a checklist that outlines what the best coding classes offer.

****1\. Fun and Video Games Above All****

Parents want their kids to learn to code online, but having fun after school is even more important. The best coding programs embed games into their classes by teaching kids how to design and program their own video games, ones they can play afterwards with friends and family.

Parents and teachers won’t have to push kids very hard to learn when the goal is something they’re so hungry to achieve. Gamification dynamics make learning as addictive and engaging as playing video games.

****2\. Small Classes****

Some coding programs claim to teach STEM skills and everything kids will need to know in the future, but they’re overly packed with students, making for a distractive environment where learning is difficult. Students shouldn’t have to deal with busy teachers who are more concerned with classroom management than teaching.

The best coding courses limit sessions to four students per class, so every child gets their teacher’s full attention.

****3\. Leading Coding Languages****

Avoid the coding classes that rely too heavily on programs like Scratch, which is more of a drag-and-drop program designed to give kids a sense of what coding is like rather than a proper coding language employers look for in prospective employees. Nobody uses Scratch in the field to make video games, apps, or websites.

Instead, look for a program that teaches kids the popular, in-demand coding languages, such as:

*   C#
*   C++
*   Java
*   Python
*   JavaScript

The classes should be engaging for young students who are brand new to coding but never overwhelming. As students develop and hone their skills within each language, they progress to the next until they develop confidence and expertise in that language, too.

****4\. Expert Teachers****

Finally, the leading coding courses hire computer science and computer engineering students who also grew up playing video games to pass on their knowledge to the next generation. Such an approach has multiple benefits.

Kids should learn how to code games from teachers who also played computer games growing up and have the expertise and domain knowledge. Practically speaking, high school students have the perfect resources to speak to about the coding jobs available and where else programming can take them after school when their teachers are also navigating the same situation.

Every computer-related program for kids promises to give a strong foundation in STEM skills, but they’re not all the same in quality. Before signing up your child for an after-school coding course, you should know how to recognize a red flag or the signs of a great coding program when you see them.

1.  1 in 5 Youth Engage in Cybercrime, NCA Finds
2.  Kids breach and bypass Linux Mint screensaver lock
3.  9 risky apps you must monitor on your kids’ smartphone

A Checklist for What Every Online Coding Class for Kids Needs

Plus: An assassination plot, an AI security bill, a Project Nimbus revelation, and more of the week’s top security news.

This week, WIRED reported that a group of prolific scammers known as the Yahoo Boys are openly operating on major platforms like Facebook, WhatsApp, TikTok, and Telegram. Evading content moderation systems, the group organizes and engages in criminal activities that range from scams to sextortion schemes.

On Wednesday, researchers published a paper detailing a new AI-based methodology to detect the “shape” of suspected money laundering activity on a blockchain. The researchers—composed of scientists from the cryptocurrency tracing firm Elliptic, MIT, and IBM—collected patterns of bitcoin transactions from known scammers to an exchange where dirty crypto could get turned into cash. They used this data to train an AI model to detect similar patterns.

Governments and industry experts are sounding the alarm about the potential for major airline disasters due to increasing attacks against GPS systems in the Baltic region since the start of the war in Ukraine. The attacks can jam or spoof GPS signals, and can result in serious navigation issues. Officials in Estonia, Latvia, and Lithuania blame Russia for the GPS issues in the Baltics. Meanwhile, WIRED went inside Ukraine’s scrappy and burgeoning drone industry, where about 200 companies are racing to build deadlier and more efficient autonomous weapons.

An Australian firm that provided facial recognition kiosks for bars and clubs appears to have exposed the data of more than 1 million records of patrons. The episode highlights the dangers of giving companies your biometric data. In the United States, the Biden administration is asking tech companies to sign a voluntary pledge to make “good-faith” efforts to implement critical cybersecurity improvements. This week we also reported that the administration is updating its plan for protecting the country’s critical infrastructure from hackers, terrorists, and natural disasters.

And there’s more. Each week, we highlight the news we didn’t cover in depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

**How Israeli Weapons Firms Use Amazon and Google**

A government procurement document unearthed by The Intercept reveals that two major Israeli weapons manufacturers are required to use Google and Amazon if they need any cloud-based services. The reporting calls into question repeated claims from Google that the technology it sells to Israel is not used for military purposes—including the ongoing bombardment of Gaza that has killed more than 34,000 Palestinians. The document contains a list of Israeli companies and government offices “required to purchase” any cloud services from Amazon and Google. The list includes Israel Aerospace Industries and Rafael Advanced Defense Systems, the latter being the manufacturer of the infamous “Spike” missile, reportedly used in the April drone strike that killed seven World Central Kitchen aid workers.

In 2021, Amazon and Google entered into a contract with the Israeli government in a joint venture known as Project Nimbus. Under the arrangement, the tech giants provide the Israeli government, including its Israel Defense Forces, with cloud services. In April, Google employees protested Project Nimbus by staging sit-ins at offices in Silicon Valley, New York City, and Seattle. The company fired nearly 30 employees in response.

A mass surveillance tool that eavesdrops on wireless signals emitted from smartwatches, earbuds, and cars is currently being deployed at the border to track people’s location in real time, a report from Notus revealed on Monday. According to its manufacturer, the tool, TraffiCatch, associates wireless signals broadcast by commonly used devices with vehicles identified by license plate readers in the area. A captain from the sheriff’s office in Webb County, Texas—whose jurisdiction includes the border city of Laredo—told the publication that the agency uses TraffiCatch to detect devices in areas where they shouldn’t be, for instance, to find trespassers.

Several states require law enforcement agencies to obtain warrants before deploying devices that mimic cell towers to obtain data from the devices tricked into connecting to it. But in the case of TraffiCatch, a technology that passively siphons ambient wireless signals out of the air, the courts haven’t yet weighed in. The report highlights how signals intelligence technology, once exclusive to the military, is now available for purchase by both local governments and the general public.

**An Indian Assassination Plot in America**

_The Washington Post_ reports that an officer in India's intelligence service, the Research and Analysis Wing, was allegedly involved in a botched plan to assassinate one of Indian prime minister Narendra Modi's top critics in the United States. The White House said Monday that it was taking the matter "very, very seriously," while India's foreign ministry blasted the _Post_ report as "unwarranted" and "not helpful." The alleged plot to murder the Sikh separatist, Gurpatwant Singh Pannun, a dual citizen of the United States and Canada, was first disclosed by US authorities in November.

Canadian authorities previously announced having obtained "credible" intel allegedly linking the Indian government to the death of another separatist leader, Hardeep Singh Nijjar, who was shot to death outside a Sikh temple in a Vancouver suburb last summer.

**An AI Security Bill Emerges**

US lawmakers have introduced a bill aimed at establishing a new wing of the National Security Agency dedicated to investigating threats aimed at AI systems—or "counter-AI." The bipartisan bill, introduced by Mark Warner and Thom Tillis, a Senate Democrat and Republican, respectively, would further require agencies including the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) to track breaches of AI systems, whether successful or not. (The NIST currently maintains the National Vulnerability Database, a repository for vulnerability data, while the CISA oversees the Common Vulnerabilities and Exposures Program, which similarly identifies and catalogues publicly disclosed malware and other threats.)

The Senate bill, known as the Secure Artificial Intelligence Act, aims to expand the government's threat monitoring to include "adversarial machine learning"—a term that is essentially synonymous with "counter-AI"—which serves to subvert AI systems and “poison” their data using techniques vastly dissimilar to traditional modes of cyberwarfare.

A New Surveillance Tool Invades Border Towns

By Waqas
A new botnet called Goldoon targets D-Link routers and NAS devices putting them at risk of DDoS attacks and more. Learn how weak credentials leave you vulnerable and how to secure your network. pen_spark
This is a post from HackRead.com Read the original post: New Goldoon Botnet Targeting D-Link Devices by Exploiting 9-Year-Old Flaw

Cybersecurity researchers at Fortinet’s FortiGuard Labs have uncovered a new botnet threat dubbed “Goldoon” specifically targeting D-Link routers and network-attached storage (NAS) devices. This malware infects devices by exploiting the CVE-2015-2051 (CVSS score: 10.0) vulnerability, potentially putting user data and network security at risk.

It’s noteworthy to mention that CVE-2015-2051, a security vulnerability identified in February 2015, is nearly a decade old. This vulnerability primarily affects end-of-life devices.

In September 2022, Palo Alto Networks’ Unit 42 discovered that the same vulnerability was being exploited by the infamous Mirai botnet’s variant, known as MooBot, targeting D-Link devices. D-Link addressed the issue in 2015, and further details regarding their response can be found here.

According to the Fortinet report, Goldoon leverages brute-force attacks to gain access to D-Link devices. Brute-force attacks involve systematically trying different username and password combinations until gaining unauthorized access. The report suggests these attacks exploit weak default credentials or outdated firmware on targeted devices.

Once established, Goldoon transforms the infected device into a bot, adding it to a network of compromised machines under the control of the botnet operator. This network of bots can then be used for various malicious activities, including:

*   **Launching Distributed Denial-of-Service (DDoS) attacks:** Bombarding websites or online services with overwhelming traffic, causing them to crash or become unavailable to legitimate users.
*   **Data theft:** Stealing sensitive information like login credentials, financial details, or personal data stored on the infected device.
*   **Spreading malware:** Using the compromised device to propagate malware across a network further, potentially infecting other devices.

The report highlights the critical role of patching and updating firmware on D-Link devices. Outdated firmware often contains vulnerabilities that attackers can exploit. Fortinet recommends D-Link users to:

*   **Enable automatic firmware updates:** Most devices can download and install security updates automatically.
*   **Change default credentials:** Replace the factory-set username and password with a strong, unique combination.
*   **Implement strong network security practices:** Enable firewalls, use complex passwords, and be cautious when clicking on links or opening attachments from unknown senders.

> _“While CVE-2015-2051 is not a new vulnerability and presents a low attack complexity, it has a critical security impact that can lead to remote code execution. Once attackers successfully exploit this vulnerability, they can incorporate compromised devices into their botnet to launch further attacks We strongly recommend applying patches and updates whenever possible because of the ongoing development and introduction of new botnets.”_
> 
> FortiGuard Labs

Fortinet’s discovery of Goldoon serves as a reminder of the evolving cyber threat landscape. By prioritizing proper device security measures, D-Link users can minimize the risk of falling victim to this or similar botnet attacks.

1.  Androxgh0st Malware Hacks Servers for Botnet Attack
2.  Russian Hackers Target Ubiquiti Routers for Botnet Creation
3.  Qakbot Botnet Disrupted, Infected 700,000 Computers Globally
4.  Ddostf Botnet Resurfaces in DDoS Attacks Against Docker Hosts
5.  Mirai’s NoaBot Botnet Targeting Linux Systems with Cryptominer

Tag

#web