News & Updates

This week, on Thursday, the WordPress development team released version 5.0.1 of the popular CMS, which addresses several security flaws.

Researcher Tim Coen discovered several cross-site scripting (XSS) vulnerabilities in the CMS. One of the flaws stems from contributors being able to edit new comments written by users with higher privileges.
Coen also found that specially crafted URL input could trigger XSS flaws in some plugins.

Coen, together with researcher Slavco Mihajloski, discovered an XSS vulnerability that allows authors on Apache-hosted websites to upload specially crafted files that bypass MIME type verification.

“Prior to 5.0.1, WordPress did not require uploaded files to pass MIME type verification, so files could be uploaded even if the contents didn’t match the file extension. For example, a binary file could be uploaded with a .jpg extension,” wrote WordPress developer Ian Dunn. “This is no longer the case, and the content of uploaded files must now match their extension. Most valid files should be unaffected, but there may be cases when a file needs to be renamed to its correct extension (e.g., an OpenOffice doc going from .pptx to .ppxs).”

Another flaw, discovered by experts at Yoast, affects some uncommon configurations and causes the user activation screen to be indexed by search engines. This could lead to the exposure of email addresses and, in "some rare cases," default passwords.

Karim El Ouerghemmi discovered a security issue that allows authors to alter metadata and delete files they would not normally be authorized to delete.

Security expert Sam Thomas discovered that contributors could use specially crafted metadata to achieve PHP object injection.

The last flaw was discovered by Simon Scannell of RIPS Technologies; it could be exploited by authors using specially crafted input to create posts of unauthorized types.

Security updates addressing the same flaws have also been backported to WordPress 4.9 and older release branches; on the 5.0 branch the fixes ship in 5.0.1.


Pierluigi Paganini

(Security Affairs – WordPress, security)

The post WordPress version 5.0.1 addressed several vulnerabilities appeared first on Security Affairs.

Source: Security affairs

5G is here, but that doesn't mean you have to buy into it.

2019 is going to be the year of 5G—at least, that’s what the cellular industry keeps saying. We’re going to see the launch of several 5G smartphones from OEMs like Samsung, Motorola, and OnePlus, and carriers will be tripping over themselves to tell you how awesome their new 5G networks are despite coming with a slew of asterisks. I would like to make something up about how ridiculous the 5G hype has gotten, but it’s hard to top actual quotes from industry executives, like Verizon’s claim that 5G will “dramatically improve our global society.” Faster mobile Internet is coming, but should you care about it yet?

Qualcomm recently had its big 2019 chip announcement, and as the world’s biggest provider of smartphone chips, that gives us a good idea of what the upcoming 5G hardware will look like. The industry is doing its best to hype 5G up as The Next Big Thing™, but 5G hardware in 2019 is going to be a decidedly first-generation affair. Early adopters for 5G will have to accept all manner of tradeoffs. And when there might not even be 5G reception in your area, it might be better to just wait the whole thing out for a year or two.

A 5G mmWave primer: Making use of the spectrum that nobody wanted

“5G” is a shorthand reference to the next generation of cellular network technology that is launching in 2019. The whole “G” naming scheme started in the 1990s with the launch of GSM, which was called the “second generation”—aka “2G”—of mobile networking technology. GSM upgraded early networks from analog to digital, and those old analog networks were retroactively given the name “1G.” Since then, we’ve gotten new “G” numbers with major coordinated network upgrades about every 10 years. These iterations brought important features like SMS and MMS messages, IP-based networking and mobile Internet, and, of course, more speed.



“Pay $20,000 worth of bitcoin, or a bomb will detonate in your building”

A massive number of businesses, schools, government offices and individuals across the US, New Zealand and Canada on Thursday received bomb threats via emails that caused nationwide chaos, forcing widespread evacuations and police response.

The bomb threat emails were apparently sent by spammers, threatening people that


Spider... sweatpants? That's just one of the many weird things you'll find in the hilarious, entertaining Into the Spider-Verse. (credit: Sony Pictures Animation)

I’ll keep this glowing review short for two reasons: because I’m on vacation, and because there’s not much I need to say to make my point.

Spider-Man: Into the Spider-Verse is right up there with Black Panther and Deadpool 2 as one of the best comic book adaptations in theaters this year. What’s more, it’s easily the best comic-nerd film in years to warmly embrace the kinds of viewers who know their comics canon front and back, all without intimidating the inevitable kid and newbie viewers attracted to this incredibly family-friendly adventure.

Miles and Peter and Gwen and…



A Falcon 9 rocket launches from Vandenberg Air Force Base. (credit: Aurich Lawson/SpaceX)

Welcome to Edition 1.29 of the Rocket Report! This week, we send our hearty congratulations to Virgin Galactic, which reached an important milestone Thursday with its first flight above 80km. We also have some good news on the commercial crew front, with multiple flights looking promising for 2019.

As always, we welcome reader submissions, and if you don’t want to miss an issue, please subscribe using the box below (the form will not appear on AMP-enabled versions of the site). Each report will include information on small-, medium-, and heavy-lift rockets as well as a quick look ahead at the next three launches on the calendar.

Virgin flies into space (probably). With Mark "Forger" Stucky and C.J. Sturckow piloting the vehicle, the VSS Unity was dropped from its White Knight Two carrier aircraft on Thursday before burning its rocket motor. During that 60-second burn, it reached a velocity of Mach 2.9 and soared to an altitude of 82.68km. These were records for the company, which may begin flying space tourists in 2019.



Image of an electric aircraft with many small motors. (credit: NASA)

Currently, the world is struggling to keep its carbon emissions from rising. But to reach the longer-term goals we have for stabilizing the climate, we’re going to have to do far more than roll out some renewable energy. Keeping the earth from warming by 2°C above preindustrial temperatures means a deep decarbonization of our energy use. Which means that we not only have to go fully carbon neutral in generating electricity, but we have to start using those emissions-free electrons to handle our heating and transportation needs.

For things like cars and buses, that process has already started. But there’s one weight-sensitive mode of transportation where batteries may not be able to bail us out: air travel. The relatively low energy density of batteries means that you need a lot of them—plus the weight and space they take up—to power an aircraft. For this reason, many people have decided that we’ll need biofuels to power air travel. Yet there are companies that are planning to develop electric passenger aircraft.

So who’s being realistic? To find out, an international team has done an evaluation of whether battery-powered electric aircraft can become viable and when it’s possible they’ll reach the market.



Security experts at Palo Alto Networks uncovered a new espionage campaign carried out by the Russia-linked APT group Sofacy.

The Russian cyber espionage group Sofacy (aka APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) carried out a new campaign aimed at government agencies on four continents in an attempt to infect them with malware.

As in past attacks, the campaign has focused on Ukraine and NATO members.

Earlier, the group used Brexit-themed bait documents on the same day UK Prime Minister Theresa May announced the initial Brexit draft agreement with the European Union (EU). In November, experts at Palo Alto Networks documented a new malware, dubbed Cannon, used in attacks on government entities worldwide.

The latest campaign documented by Palo Alto Networks ran from mid-October through mid-November; the attackers used both the Zebrocy backdoor and the Cannon Trojan.

Researchers noticed that across all the attacks the threat actors used decoy documents bearing the same author name, "Joohn".

“The delivery documents used in the October and November waves shared a large number of similarities, which allowed us to cluster the activity together. Most notably, the author name Joohn was used repeatedly in each delivery document.” reads the analysis published by Palo Alto Networks.

“There was a slight deviation in the November grouping, where the three samples we collected still used the Joohn author name for the last modified field but reverted to a default USER/user author name for the creator field.”

Palo Alto Networks identified a total of nine documents, along with their associated payloads and targets.

Once a document is opened, it leverages Microsoft Word's ability to retrieve a remote template, which then loads a malicious macro document.

“If the C2 server is active at the time the document is opened, it will successfully retrieve the malicious macro and load it in the same Microsoft Word session.” continues the report.

"The victim will then see a prompt to Enable Content as with any malicious macro document. If the C2 server is not active at this time, the download will fail and the victim will not receive a prompt to Enable Content as no macro is downloaded."
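Both traits described above, the "Joohn" author metadata and the remote template fetched through Word's attachedTemplate relationship, live in plain XML inside the .docx package, so a triage script can surface them without opening the document in Word. The following scanner is an added example written for this page, not Palo Alto Networks' tooling; the `build_sample_docx` helper constructs a minimal test package in memory, and the template URL, host name and author values it uses are made up:

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML namespaces and the relationship type behind <w:attachedTemplate>.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def scan_docx(data: bytes) -> dict:
    """Report external attachedTemplate targets and the author fields of a .docx."""
    findings = {"remote_templates": [], "creator": None, "last_modified_by": None}
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        names = set(package.namelist())
        # Word resolves <w:attachedTemplate r:id=...> via settings.xml.rels; an External
        # target with an http(s) URL is fetched from that server when the file opens.
        if "word/_rels/settings.xml.rels" in names:
            rels = ET.fromstring(package.read("word/_rels/settings.xml.rels"))
            for rel in rels.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and urlparse(target).scheme in ("http", "https"):
                    findings["remote_templates"].append(target)
        # Creator and last-modified-by are the two fields the report clusters on.
        if "docProps/core.xml" in names:
            core = ET.fromstring(package.read("docProps/core.xml"))
            creator = core.find(f"{{{DC_NS}}}creator")
            modified_by = core.find(f"{{{CP_NS}}}lastModifiedBy")
            findings["creator"] = creator.text if creator is not None else None
            findings["last_modified_by"] = modified_by.text if modified_by is not None else None
    return findings


def is_suspicious(findings: dict, watched_authors=("Joohn",)) -> bool:
    """Remote template plus a watched name in either author field matches the cluster."""
    authors = {findings["creator"], findings["last_modified_by"]}
    return bool(findings["remote_templates"]) and bool(authors & set(watched_authors))


def build_sample_docx(template_url, creator, last_modified_by) -> bytes:
    """Construct a minimal .docx package in memory (constructed test data, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("word/document.xml", f"<w:document xmlns:w='{W_NS}'/>")
        package.writestr(
            "docProps/core.xml",
            f"<cp:coreProperties xmlns:cp='{CP_NS}' xmlns:dc='{DC_NS}'>"
            f"<dc:creator>{creator}</dc:creator>"
            f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
            "</cp:coreProperties>",
        )
        if template_url:
            package.writestr(
                "word/settings.xml",
                f"<w:settings xmlns:w='{W_NS}' xmlns:r='{R_NS}'>"
                "<w:attachedTemplate r:id='rId1'/></w:settings>",
            )
            package.writestr(
                "word/_rels/settings.xml.rels",
                f"<Relationships xmlns='{REL_NS}'>"
                f"<Relationship Id='rId1' Type='{ATTACHED_TEMPLATE}' "
                f"Target='{template_url}' TargetMode='External'/></Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical lure: template host and author values are made up for the example.
    lure = build_sample_docx("http://template-host.invalid/remote.dotm", "Joohn", "Joohn")
    print(scan_docx(lure), is_suspicious(scan_docx(lure)))
```

The third sample in the usage below mirrors the November deviation quoted from the report, where the creator field was a default "USER" but the last-modified field still read "Joohn"; checking both fields keeps that variant in the cluster. The remote template URL is also the first-stage infrastructure to block or hunt for, since the report notes the same servers hosted the C2 for the first-stage payloads.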

Sofacy bait

The latest Sofacy campaign hit targets around the world, including a foreign affairs organization in North America, foreign affairs organizations in Europe, and government entities in former USSR states. Experts also found evidence of possible targeting of local law enforcement agencies in North America, Australia, and Europe.

Palo Alto Networks reveals that the remote templates, not only the delivery documents themselves, shared the common author name. The researchers also noticed that the servers hosting the remote templates hosted the C&C for the first-stage payloads as well.

The Sofacy attackers used different variants of the Zebrocy malware and the Cannon backdoor. Palo Alto Networks identified a Cannon variant written in Delphi and Zebrocy variants written in C# and VB.NET.

“The Sofacy group continues their attacks on organizations across the globe using similar tactics and techniques.” concludes the analysis.

"The group clearly shows a preference for using a simple downloader like Zebrocy as first-stage payloads in these attacks. The group continues to develop new variations of Zebrocy by adding a VB.NET and C# version, and it appears that they also have used different variants of the Cannon tool in past attack campaigns."


Pierluigi Paganini

(Security Affairs – Sofacy, cyber espionage)

The post New Sofacy campaign aims at Government agencies across the world appeared first on Security Affairs.

Source: Security affairs

Tape reading (credit: Tony Webster / Flickr)

A tsunami of emailed bomb threats is prompting closures at hospitals, schools, public transit agencies, and businesses across the US and Canada.

Word of the emails surfaced Thursday morning in tweets from affected organizations and recipients.



Iranian phishers bypass 2FA protections offered by Yahoo Mail and Gmail


A recent phishing campaign targeting US government officials, activists, and journalists is notable for using a technique that allowed the attackers to bypass the two-factor authentication protections offered by services such as Gmail and Yahoo Mail, researchers said Thursday. The event underscores the risks of 2FA that relies on one-tap logins or one-time passwords, particularly when the latter are delivered by SMS.

Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails tailored to each target's level of operational security, researchers with security firm Certfa Lab said in a blog post. The emails contained a hidden image that alerted the attackers in real time when targets viewed the messages. When targets entered passwords into a fake Gmail or Yahoo security page, the attackers would almost simultaneously enter the credentials into the real login page. If a target's account was protected by 2FA, the attackers redirected the target to a new page that requested the one-time password, and relayed that too.

“In other words, they check victims’ usernames and passwords in realtime on their own servers, and even if 2 factor authentication such as text message, authenticator app or one-tap login are enabled they can trick targets and steal that information too,” Certfa Lab researchers wrote.
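What makes the relay work is that a password and a one-time code are bearer values: whoever holds them for the next few seconds can present them anywhere, so forwarding them from the phishing page to the real login page succeeds even though the code is single-use. An authenticator that signs the site's challenge together with the origin the browser is actually on does not have that property. The simulation below is an added example written for this page, not Certfa Lab's material or any real service's code; the account, secrets and origins are constructed, and the "authenticator" is a deliberately simplified stand-in for WebAuthn (an HMAC over challenge and origin, where real WebAuthn signs over a client-data hash that includes the origin):

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP code; stands in for the SMS/app codes the campaign relayed."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % (10 ** digits):0{digits}d}"


def authenticator_sign(auth_key: bytes, challenge: bytes, origin: str):
    """Toy WebAuthn assertion: the BROWSER supplies `origin` (the page cannot choose it)
    and the signature covers challenge and origin together."""
    sig = hmac.new(auth_key, challenge + origin.encode(), hashlib.sha256).digest()
    return challenge, origin, sig


class RelyingParty:
    """The real service (Gmail/Yahoo in the story), offering both login methods."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users, self.pending, self.sessions = {}, set(), set()

    def register(self, name, password, otp_secret, auth_key):
        self.users[name] = {"password": password, "otp_secret": otp_secret,
                            "counter": 0, "auth_key": auth_key}

    def _issue_session(self):
        token = secrets.token_hex(8)
        self.sessions.add(token)
        return token

    def login_with_otp(self, name, password, code):
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        if not hmac.compare_digest(hotp(user["otp_secret"], user["counter"]), code):
            return None
        user["counter"] += 1  # single-use, but that does not stop a real-time relay
        return self._issue_session()

    def challenge(self) -> bytes:
        value = secrets.token_bytes(16)
        self.pending.add(value)
        return value

    def login_with_authenticator(self, name, assertion):
        user = self.users.get(name)
        challenge, origin, sig = assertion
        if user is None or challenge not in self.pending:
            return None
        self.pending.discard(challenge)
        if origin != self.origin:  # origin binding: the check a relay cannot satisfy
            return None
        expected = hmac.new(user["auth_key"], challenge + origin.encode(), hashlib.sha256).digest()
        return self._issue_session() if hmac.compare_digest(expected, sig) else None


# Constructed account, secrets and origins for the simulation (not real credentials).
REAL_ORIGIN = "https://mail.example"
PHISH_ORIGIN = "https://mail-security-check.invalid"
PASSWORD = "correct horse"
OTP_SECRET = b"12345678901234567890"
AUTH_KEY = secrets.token_bytes(32)


def fresh_service() -> RelyingParty:
    rp = RelyingParty(REAL_ORIGIN)
    rp.register("victim", PASSWORD, OTP_SECRET, AUTH_KEY)
    return rp


def relay_attack_otp(rp: RelyingParty):
    """Victim types password and current code into the phishing page; the attacker
    submits both to the real site within seconds. Returns the attacker's session."""
    code_read_from_phone = hotp(OTP_SECRET, rp.users["victim"]["counter"])
    return rp.login_with_otp("victim", PASSWORD, code_read_from_phone)


def relay_attack_webauthn(rp: RelyingParty):
    """Attacker fetches a real challenge and relays it, but the victim's browser binds
    the phishing origin into the assertion, so the real site rejects it."""
    relayed_challenge = rp.challenge()
    assertion = authenticator_sign(AUTH_KEY, relayed_challenge, PHISH_ORIGIN)
    return rp.login_with_authenticator("victim", assertion)


def honest_webauthn_login(rp: RelyingParty):
    assertion = authenticator_sign(AUTH_KEY, rp.challenge(), REAL_ORIGIN)
    return rp.login_with_authenticator("victim", assertion)


if __name__ == "__main__":
    rp = fresh_service()
    print("OTP relay gives attacker a session:", relay_attack_otp(rp) is not None)
    print("WebAuthn-style relay gives attacker a session:", relay_attack_webauthn(rp) is not None)
    print("Honest origin-bound login works:", honest_webauthn_login(rp) is not None)
```

The relay against the OTP login succeeds even with a correct, single-use code because nothing in the code ties it to where the victim typed it; the same relay against the origin-bound login fails on the `origin != self.origin` check before the signature is even examined. That is the practical reading of Certfa's warning: SMS, authenticator-app and one-tap approvals are all relayable, and a phishing-resistant second factor is one that binds the origin.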



A Verizon logo on a red background. (credit: Getty Images | Spencer Platt)

Verizon is parting ways with 10,400 employees in “a voluntary separation program,” despite the Trump administration providing a tax cut and various deregulatory changes that were supposed to increase investment in jobs and broadband networks. The cuts represent nearly seven percent of Verizon’s workforce and were announced along with a $4.6 billion charge related to struggles in Verizon’s Yahoo/AOL business division.

Verizon described the voluntary buyouts as well as ongoing Yahoo/AOL failures in a Securities and Exchange Commission filing on Tuesday. The buyouts affect “US-based management employees” in multiple business segments, not just Yahoo and AOL.

Here’s what Verizon says about its Yahoo/AOL problem:
