Podcasts about Apache Struts

  • 40 podcasts
  • 70 episodes
  • 30m average duration
  • 1 new episode per month
  • Jan 22, 2025 latest

Popularity (chart, 2017 to 2024)

Latest podcast episodes about Apache Struts

Risky Business
Risky Business #776 -- Trump will flex American cyber muscles

Jan 22, 2025 | 63:53


Risky Business returns for its 19th year! Patrick Gray and Adam Boileau discuss the week's cybersecurity news and there is a whole bunch of it. They discuss: The incoming Trump administration guts the CSRB Biden's last cyber Executive Order has sensible things in it China's breach of the US Treasury gets our reluctant admiration Ross Ulbricht - the Dread Pirate Roberts of Silk Road fame - gets his Trump pardon New year, same shameful comedy Forti- and Ivanti- bugs US soldier behind the Snowflake hacks faces charges after a solid Krebs-ing And much, much (much! after a month off) more. This week's episode is sponsored by Sandfly Security, who make a Linux EDR solution. Founder Craig Rowland joins to talk about how the Linux ecosystem struggles with its lack of standardised approaches to detection and response. If you've got a telco full of unix, and people are asking how much Salt Typhoon you've got in there… Sandfly's tools are probably what you're looking for. If you like your Business like us… - Risky - then we're hiring! We're looking for someone to help with audio and video production for our work, manage our socials, and if you're also into the Cybers… even better. Position is remote, with a preference for timezones amenable to Australia/NZ. Drop us a line: editorial at risky.biz. This episode is also available on Youtube. 
Show notes POLITICO Pro | Article | Acting DHS chief ousts CSRB experts, other department advisers Treasury's sanctions office hacked by Chinese government, officials say Strengthening America's Resilience Against the PRC Cyber Threats | CISA AT&T, Verizon say they evicted Salt Typhoon from their networks Risky Bulletin: Looking at Biden's last cyber executive order - Risky Business Internet-connected devices can now have a label that rates their security | Reuters US sanctions prominent Chinese cyber company for role in Flax Typhoon attacks FCC ‘rip and replace' provision for Chinese tech tops cyber provisions in defense bill CIA nominee tells Senate he, too, wants to go on cyber offense | CyberScoop Trump tells Justice Department not to enforce TikTok ban for 75 days Judge rules NSO Group is liable for spyware hacks targeting 1,400 WhatsApp user devices | The Record from Recorded Future News Unpacking WhatsApp's Legal Triumph Over NSO Group | Lawfare Time to check if you ran any of these 33 malicious Chrome extensions Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls - Arctic Wolf Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware Researchers warn of active exploitation of critical Apache Struts 2 flaw DOJ deletes China-linked PlugX malware off more than 4,200 US computers Russian internet provider confirms its network was ‘destroyed' following attack claimed by Ukrainian hackers | The Record from Recorded Future News Ukraine restores state registers after suspected Russian cyberattack | The Record from Recorded Future News Hackers claim to breach Russian state agency managing property, land records | The Record from Recorded Future News U.S. Army Soldier Arrested in AT&T, Verizon Extortions – Krebs on Security

Talion Threat Set Radio
Threat Bulletin #295

Dec 20, 2024 | 4:40


New wave of file transfer platform attacks perpetrated by Clop. Apache Struts exploited in the wild using publicly available PoC code.

The CyberWire
Hacking allegations and antitrust heat.

Dec 18, 2024 | 31:30


The U.S. considers a ban on Chinese made routers. More than 200 Cleo managed file-transfer servers remain vulnerable. The Androxgh0st botnet expands. Schneider Electric reports a critical vulnerability in some PLCs. A critical Apache Struts 2 vulnerability is being actively exploited. Malicious campaigns are targeting Chinese-branded IoT devices. A Nebraska-based healthcare insurer discloses a data breach affecting over 225,000 individuals. IntelBroker leaks 2.9GB of data from Cisco's DevHub environment. CISA issues a Binding Operational Directive requiring federal agencies to enhance cloud security. On today's CERTByte segment, Chris Hare and Dan Neville unpack a question targeting the Network+ certification. INTERPOL says, “Enough with the pig butchering.“ Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CertByte Segment This week, Chris is joined by Dan Neville to break down a question targeting the Network+ certification (N10-008 expires on 12/20/24 and the N10-009 update launched on June 20th of this year). Today's question comes from N2K's CompTIA® Network+ Practice Test, both exam versions of which are offered on our site. Have a question that you'd like to see covered? Email us at certbyte@n2k.com. If you're studying for a certification exam, check out N2K's full exam prep library of certification practice tests, practice labs, and training courses by visiting our website at n2k.com/certify. To get the full news to knowledge experience, learn more about our N2K Pro subscription at https://thecyberwire.com/pro. Please note: The questions and answers provided here and on our site are not actual current or prior questions and answers from these certification publishers or providers.
Selected Reading U.S. Weighs Ban on Chinese-Made Router in Millions of American Homes (Wall Street Journal) Attack Exposure: Unpatched Cleo Managed File-Transfer Software (BankInfo Security) Androxgh0st Botnet Targets IoT Devices, Exploiting 27 Vulnerabilities (Hackread) Schneider Electric reports critical flaw in Modicon Programmable Logic Controllers (Beyond Machines) RATs can sniff out your Chinese-made web cameras: here's how to defend yourself (Cybernews) Regional Care Data Breach Impacts 225,000 People (SecurityWeek) Hacker IntelBroker Leaked 2.9GB of Data Stolen From Cisco DevHub Instance (Cyber Security News) New critical Apache Struts flaw exploited to find vulnerable servers (Bleeping Computer) CISA Issues Binding Operational Directive for Improved Cloud Security (SecurityWeek) Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure (CISA) INTERPOL urges end to 'Pig Butchering' term, cites harm to online victims (INTERPOL)  Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Cyber Morning Call
689 - RCE flaw in Apache Struts 2 is being exploited

Dec 18, 2024 | 6:47


[Episode References] S2-067 - CVE-2024-53677 - https://cwiki.apache.org/confluence/display/WW/S2-067  New critical Apache Struts flaw exploited to find vulnerable servers - https://www.bleepingcomputer.com/news/security/new-critical-apache-struts-flaw-exploited-to-find-vulnerable-servers/  2024-12 Reference Advisory: Session Smart Router: Mirai malware found on systems when the default password remains unchanged - https://supportportal.juniper.net/s/article/2024-12-Reference-Advisory-Session-Smart-Router-Mirai-malware-found-on-systems-when-the-default-password-remains-unchanged?language=en_US  Hidden in Plain Sight: TA397's New Attack Chain Delivers Espionage RATs - https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats  Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks - https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html  TAG Bulletin: Q4 2024 - https://blog.google/threat-analysis-group/tag-bulletin-q4-2024/  Effective Phishing Campaign Targeting European Companies and Institutions - https://unit42.paloaltonetworks.com/european-phishing-campaign/  BADBOX Botnet Is Back - https://www.bitsight.com/blog/badbox-botnet-back  Script and presentation: Carlos Cabral and Bianca Oliveira Audio editing: Paulo Arruzzo Closing narration: Bianca Garcia

The CyberWire
When AI goes offline.

Dec 12, 2024 | 33:10


ChatGPT and Meta face widespread outages. Trump advisors explore splitting NSA and CyberCom leadership roles. A critical vulnerability in Apache Struts 2 has been disclosed. “AuthQuake” allowed attackers to bypass Microsoft MFA protections. Researchers identify Nova, a sophisticated variant of the Snake Keylogger malware. Adobe addresses critical vulnerabilities across their product line. Chinese law enforcement has been using spyware to collect data from Android devices since 2017. A new report highlights the gaps in hardware and firmware security management. A Krispy Kreme cyberattack creates a sticky situation. N2K's Executive Editor Brandon Karpf speaks with guest Mike Silverman, Chief Strategy and Innovation Officer at the FS-ISAC discussing cryptographic agility. Do Not Track bids a fond farewell.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today, N2K's Executive Editor Brandon Karpf speaks with guest Mike Silverman, Chief Strategy and Innovation Officer at the FS-ISAC discussing cryptographic agility. You can learn more in their new white paper "Building Cryptographic Agility in the Financial Sector." We will share the extended version of this conversation over our winter break. Stay tuned.  
Selected Reading ChatGPT Down Globally, Services Restored After Hours Of Outage (Cyber Security News) Facebook, Instagram and other Meta apps go down due to 'technical issue' (CNBC) Unfinished business for Trump: Ending the Cyber Command and NSA 'dual hat' (The Record) Apache issues patches for critical Struts 2 RCE bug (The Register) Microsoft MFA Bypassed via AuthQuake Attack (SecurityWeek) Nova Keylogger – A Snake Malware Steal Credentials and Capture Screenshorts From Windows (Cyber Security News) Adobe releases December 2024 patches for flaws in multiple products, including critical (Beyond Machines) Mobile Surveillance Tool EagleMsgSpy Used by Chinese Law Enforcement (SecurityWeek) Three-Quarters of Security Leaders Admit Gaps in Hardware Knowledge (Infosecurity Magazine) Krispy Kreme cyberattack impacts online orders and operations (Bleeping Computer) Firefox, one of the first “Do Not Track” supporters, no longer offers it (Ars Technica)  Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

It's 5:05! Daily cybersecurity and open source briefing
Episode #302: Edwin Kwan: Developers Ignore Critical Flaw in Apache Struts 2 Framework; Hillary Coover: The Quantum Computing Revolution and Global Security; Olimpiu Pop: 2023 in Review: AI Legislation; Marcel Brown: This Day in Tech History

Dec 27, 2023 | 9:52


Free, ungated access to all 300+ episodes of “It's 5:05!” on your favorite podcast platforms: https://bit.ly/505-updates. You're welcome to

The 443 - Security Simplified
Hacking the Crypto Supply Chain

Dec 19, 2023 | 38:38


https://youtu.be/YZLayuDJyyk This week on the podcast, we cover a supply chain attack against one of the largest hardware cryptocurrency wallet manufacturers. After that, we discuss the latest Apache Struts vulnerability under active exploit by threat actors. We end the episode with our thoughts on a research blog post about a set of threat actors using an old school attack against modern targets.

The CyberWire
Taking down the storm.

Dec 14, 2023 | 30:59


Microsoft takes down the Storm-1152 cybercrime operation. “GambleForce” is a newly discovered threat actor.  The SVR exploits a JetBrains TeamCity vulnerability. US Postal Service impersonation. Malicious ads associated with Zoom. An update on the cyberattack against Kyivstar. Apache issues a Struts 2 security advisory. The FCC adopts new data breach rules.  In our latest Threat Vector segment, David Mouton and Palo Alto Networks' Madeline Sedgwick discuss the skills and methods necessary for understanding threat actor intent and behaviors. And the State Department's Global Engagement Center is under fire. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On the Threat Vector segment with Palo Alto Networks Unit 42's David Moulton, hear about decoding cyber adversaries. David discusses unveiling intent and behavior in the world of threat hunting with Madeline Sedgwick. Selected Reading Microsoft disrupts cybercrime operation selling fraudulent accounts to notorious hacking gang (TechCrunch+) New hacker group GambleForce targets government and gambling sites in Asia Pacific using SQL injections (Group-IB) Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally (Joint Advisory) Malvertisers zoom in on cryptocurrencies and initial access (MalwareBytes) Russian hacker group claims responsibility for Kyivstar cyberattack (The Kyiv Independent)  New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now (The Hacker News) FCC Adopts Updates to Data Breach Rules, Sets Up Privacy Battle (Bloomberg Law) State Dept.'s Fight Against Disinformation Comes Under Attack (The New York Times) Threat Vector.
In this Threat Vector segment, David Mouton and Palo Alto Networks' Madeline Sedgwick discuss the skills and methods necessary for understanding threat actor intent and behaviors. Madeline, a Senior Cyber Research Engineer and Threat Analyst for the Cortex Xpanse team at Palo Alto Networks, shares insights into how analyzing adversary behavior helps in anticipating threats and avoiding guesswork. They discuss the value of understanding both system dynamics and human behavior in cybersecurity, emphasizing that cyber adversaries are limited by the same laws of internet physics. Please share your thoughts with us for future Threat Vector segments by taking our brief survey. To learn what is top of mind each month from the experts at Unit 42 sign up for their Threat Intel Bulletin.  Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Cyber Morning Call
Cyber Morning Call - #449 - 14/12/2023

Dec 14, 2023 | 3:32


[Episode References] Malvertisers zoom in on cryptocurrencies and initial access - https://www.malwarebytes.com/blog/threat-intelligence/2023/12/malvertisers-zoom-in-on-cryptocurrencies-and-initial-access  BazarCall Attack Leverages Google Forms to Increase Perceived Credibility - https://abnormalsecurity.com/blog/bazarcall-attack-leverages-google-forms Hackers are exploiting critical Apache Struts flaw using public PoC - https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-critical-apache-struts-flaw-using-public-poc/ New Underground Market Comes Online Just inTime for the Holidays - https://www.zerofox.com/blog/new-underground-market-comes-online-just-intime-for-the-holidays/ Script and presentation: Bianca Oliveira Audio editing: Paulo Arruzzo Closing narration: Bianca Garcia

ScanNetSecurity 最新セキュリティ情報
Vulnerability in Apache Struts 2 allows arbitrary code execution

Dec 12, 2023 | 0:11


IPA and JPCERT/CC announced on JVN that a vulnerability involving externally accessible files exists in Apache Struts 2.

Paul's Security Weekly
Supply Chain Security with Containers and CI/CD Systems - Kirsten Newcomer - #ASW 256

Sep 26, 2023 | 87:11


Supply chain has been a hot topic for a few years now, but so many things we need to do for a secure supply chain aren't new at all. We'll cover SBOMs, vuln management, and putting together a secure pipeline. Segment resources: https://www.solarwinds.com/assets/solarwinds/swresources/whitepaper/2111swiwhitepaper_nextgenbuild.pdf https://next.redhat.com/project/tekton-chains/ https://tekton.dev/ In the news, a stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security), and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-256

Paul's Security Weekly TV
Equifax's Breach, CISA's 1,000 Vulns, Rust's TLS Library, Complexity vs. Design - ASW #256

Sep 26, 2023 | 40:23


A stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security). Show Notes: https://securityweekly.com/asw-256

Application Security Weekly (Audio)
Supply Chain Security with Containers and CI/CD Systems - Kirsten Newcomer - #ASW 256

Sep 26, 2023 | 87:11


Supply chain has been a hot topic for a few years now, but so many things we need to do for a secure supply chain aren't new at all. We'll cover SBOMs, vuln management, and putting together a secure pipeline. Segment resources: https://www.solarwinds.com/assets/solarwinds/swresources/whitepaper/2111swiwhitepaper_nextgenbuild.pdf https://next.redhat.com/project/tekton-chains/ https://tekton.dev/ In the news, a stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security), and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-256

Application Security Weekly (Video)
Equifax's Breach, CISA's 1,000 Vulns, Rust's TLS Library, Complexity vs. Design - ASW #256

Sep 26, 2023 | 40:23


A stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security). Show Notes: https://securityweekly.com/asw-256

airhacks.fm podcast with adam bien
From Amiga, Java ME, JavaFX, over Clouds to Decentralized Package Network

Jan 29, 2023 | 83:05


An airhacks.fm conversation with Karol Harezlak (@karolh2000) about: C 64 with Datasette, enjoy gaming, The Last Ninja, the demo scene, adding demo to the game, the dark horse federation, Amiga 500, Amiga AMOS, stealing assets from games, learning assembler with 10 years, AMOS and STOS, building lottery simulation, Borland JBuilder and Delphi, working for JDeveloper, starting with internet in 1992, building a game chat, starting with Snowboarding and Skateboarding, using Apache Struts and JSPs, joining the NetBeans team at Sun Microsystems, working on Java ME, the episode with John Ceccarelli:"#216 Low Code, No Code, WYSIWYG …and some CRaC", LAN parties in a cottage, JavaOne 2010, JDD conference in Krakow, Silesia Java User Group in Katowice, JUG Tricity, Microservices and The History Repeats, replacing JDeveloper engine with NetBeans, SQL Developer is based on NetBeans, working on windows manager for JDeveloper, implementing Oracle Developer Cloud, working on Pyrsia for JFrog, a distributed binary system, the hard System.out.println with Rust, Rust: one line of code can generate 50 warnings Karol Harezlak on github: @karolh2000

We Hack Purple Podcast
We Hack Purple Streams! Securing Open Source Dependencies Its Not Just Your Code That You Need to Secure With Rana Khalil

Dec 23, 2022 | 53:53


The importance of open source security management made headlines in 2017 when the Equifax breach resulted in the compromise of the personal information of millions of users. The breach was attributed to the use of a known vulnerable version of the Apache Struts open source framework. Since then, we've seen a rise in the disclosure (and exploitation) of vulnerabilities in open source software, such as the famous Log4Shell vulnerability that was dubbed the “worst security flaw of the decade”. This resulted in studies being conducted and determining that open-source components make up more than half of an application codebase. The security implications of such a ratio can be significant. While organizations spend considerable time and effort ensuring that the custom code developed by them is secure, usually little to no consideration is put into evaluating the security of the used open-source components. This presentation will introduce Software Composition Analysis (SCA) - the process of identifying vulnerabilities in open-source dependencies. We'll discuss the criteria you should consider when selecting an SCA solution and the importance of integrating such tools in your DevOps pipelines. Rana is an application security engineer consultant currently working at C3SA. She has a diverse professional background with experience in software development, quality assurance and pentesting. She holds Bachelor's and Master's degrees in Mathematics and Computer Science from the University of Ottawa. She has spoken about her research and work at several local and international conferences. In her non-existent free time, you can find her posting educational videos and holding workshops through her Academy and YouTube channel. She has received several awards and honorable mentions for her research and contributions to the cybersecurity community.
Speaker Links: Youtube Channel: https://www.youtube.com/c/RanaKhalil101 Academy: https://ranakhalil.com/ Twitter: https://twitter.com/rana__khalil LinkedIn: https://www.linkedin.com/in/ranakhalil1/ Medium Blog: https://ranakhalil101.medium.com/

Cyber Morning Call
Cyber Morning Call - #57 - 14/04/2022

Apr 14, 2022 | 6:19


[Episode References] - Zloader takedown - https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/ - CVE-2021-31805 in Apache Struts - https://www.cisa.gov/uscert/ncas/current-activity/2022/04/12/apache-releases-security-advisory-struts-2 - Exploit for VMware - https://www.bleepingcomputer.com/news/security/hackers-exploiting-vmware-servers-with-public-rce-exploit/ - Document from the NSA, FBI, CISA and the US Department of Energy on PLCs - https://media.defense.gov/2022/Apr/13/2002976115/-1/-1/0/JOINT_CSA_APT_CYBER_TOOLS_TARGETING_ICS_SCADA_20220413.PDF - Incontroller - https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool?utm_source=pocket_mylist [Credits] Script and presentation: Carlos Cabral Audio editing: Paulo Arruzzo Closing narration: Bianca Garcia Graphic design: Julian Prieto

airhacks.fm podcast with adam bien
Java, Java EE, Jakarta EE, MicroProfile, Clouds and Duke Adventures in Guatemala

Feb 20, 2022 | 79:19


An airhacks.fm conversation with Victor Orozco (@tuxtor) about: Cyrix 486 computer, disassembling Prehistorik 2 game, enjoying Dangerous Dave, starting programming in FoxPro, joining programming bootcamps, learning Visual Basic 6, starting to study Computer Science with the age of 16, studying in Guatemala City, starting to learn Java in 2005, from .net to Java, Sun Certified Programmer certification, human rights application with Apache Struts on Sun Java Application Server, getting the NetBeans DVD from Sun Microsystems, starting with NetBeans RCP, gentoo linux was the future, Central America has only three Java Champions, two Java Champions from Guatemala and they joined the bootcamp, writing code for Blackberry in Java and J2ME, enjoying Glassfish and Java EE 6 for backend development, going to Brazil and switching to ML, Scala and Spark, betting on Java EE, Jakarta EE, MicroProfile, JUG in Guatemala is the oldest in the country, winning the Duke Choice Award for Duke Adventures, meeting Bruno Souza, checkout episode "#170 Java, OpenSource and the Brazilian Christmas" with Bruno Souza, "knowledge and clouds" - is nabenik in Mayan - victor's company, Java EE, Jakarta EE, MicroProfile are great platforms for building products and consulting, working on-premise openshift, AWS and Azure, working with Payara Micro, Quarkus on OpenShift, packaging old Java EE codes as AWS Lambda, Victor Orozco on twitter: @tuxtor, Victor's company: nabenik

Linux Action News
Linux Action News 219

Dec 13, 2021 | 17:01


The Log4Shell vulnerability is making waves this week; we'll explain why and break down how it works. Plus, some good news for the Desktop and systemd-homed gets one step closer.

ProactiveIT Cyber Security Daily
Episode 262 - It’s the December Patch Tuesday Episode

Dec 9, 2020 | 22:17


Good Morning and Welcome to the ProactiveIT Cyber Security Daily number 262.  It is Wednesday December 9th 2020.  I am your host Scott Gombar and It’s the December Patch Tuesday Episode. This podcast is brought to you by Nwaj Tech, a Client Focused and Security Minded IT Consultant based in Central Connecticut.  You can visit us at nwajtech.com  Patches/Updates Available from SAP, OpenSSL, Adobe, Apache Struts, D-Link Routers and Microsoft FireEye Cyberattack Compromises Red-Team Security Tools Spearphishing Attack Spoofs Microsoft.com to Target 200M Office 365 Users ‘Amnesia:33’ TCP/IP Flaws Affect Millions of IoT Devices Ransomware forces hosting provider Netgain to take down data centers Scammers spoof Target's gift card balance checking page All Kubernetes versions affected by unpatched MiTM vulnerability Insider Data Breaches Reported by Montefiore Medical Center and Mercy Health

Linux Headlines
2020-03-18

Mar 18, 2020 | 3:00


GitHub goes mobile with new apps for Android and iOS, Vulkan has new ray tracing extensions, RiskSense reports on the most vulnerable web and application frameworks, System76 enters the keyboard market, and Google starts rolling out new labels for Chromebook-compatible accessories.

Root Cause
Don't Let Your Dependencies Go Bad + More

Nov 18, 2019 | 23:00


In this episode we talk about the identity theft that happened to Equifax. Equifax is one of the three largest consumer credit reporting agencies, managing 800 million customers and 88 million businesses. In the breach, details of about 150 million residents were stolen, a theft that VentureBeat described as one of the largest data breaches in history, with damage estimated at hundreds of millions of dollars. The incident was caused by a known vulnerability (CVE) in an open-source library for developing web management interfaces, Apache Struts; the vulnerability allowed malicious code to be run remotely, and with its help data was exfiltrated for 76 days from a wide range of databases. In addition, a network behavior detection and analysis product that was supposed to detect the data theft failed to do so because its SSL certificate had expired. We talk about the importance of tracking CVE fixes for libraries and components, and also about SSL certificates.

Paul's Security Weekly
HNN #230 - August 20, 2019

Aug 20, 2019 | 25:57


This week, 61 impacted versions of Apache Struts let off security advisories, a hacker publicly releases Jailbreak for iOS version 12.4, Chrome users ignoring warnings to change breached passwords, an unpatchable security flaw found in popular SoC boards, and a reward up to $30,000 for finding vulns in Microsoft Edge dev and beta channels! In the expert commentary, we welcome Jason Wood, to discuss Ransomware and City Governments!   Full Show Notes: https://wiki.securityweekly.com/HNNEpisode230 Roman Sannikov, Recorded Future - https://www.youtube.com/watch?v=0kCZIX6a-6o   Visit https://www.securityweekly.com/hnn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Hack Naked News (Audio)
HNN #230 - August 20, 2019

Aug 20, 2019 | 25:57


This week, 61 impacted versions of Apache Struts let off security advisories, a hacker publicly releases Jailbreak for iOS version 12.4, Chrome users ignoring warnings to change breached passwords, an unpatchable security flaw found in popular SoC boards, and a reward up to $30,000 for finding vulns in Microsoft Edge dev and beta channels! In the expert commentary, we welcome Jason Wood, to discuss Ransomware and City Governments!   Full Show Notes: https://wiki.securityweekly.com/HNNEpisode230 Roman Sannikov, Recorded Future - https://www.youtube.com/watch?v=0kCZIX6a-6o   Visit https://www.securityweekly.com/hnn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Hack Naked News (Video)
August 20, 2019 - HNN #230

Hack Naked News (Video)

Play Episode Listen Later Aug 20, 2019 26:14


This week, 61 impacted versions of Apache Struts were left off security advisories, a hacker publicly releases a jailbreak for iOS version 12.4, Chrome users are ignoring warnings to change breached passwords, an unpatchable security flaw is found in popular SoC boards, and a reward of up to $30,000 for finding vulns in Microsoft Edge dev and beta channels! In the expert commentary, we welcome Jason Wood to discuss Ransomware and City Governments! Full Show Notes: https://wiki.securityweekly.com/HNNEpisode230 Roman Sannikov, Recorded Future - https://www.youtube.com/watch?v=0kCZIX6a-6o Visit http://hacknaked.tv to get all the latest episodes!

airhacks.fm podcast with adam bien
The Jakarta EE / MicroProfile and WebStandards Startup

airhacks.fm podcast with adam bien

Play Episode Listen Later Aug 17, 2019 78:44


An airhacks.fm conversation with Matthias Reining (@MatthiasReining) about: Power Basic is not QBasic and was comparable with Turbo Pascal, game high score manipulation as programming motivation, the C64 was the first computer encounter, writing a "Jump and Run" game in Power Basic, the Power Basic IDE as a Christmas present, the menu bar fascination, using GW-Basic at high school, call by value vs. call by reference in Power Basic and Turbo Pascal, the Comal programming language, learning C, the University of Wuerzburg, learning Visual C++ and object-oriented programming at university, C over C++, learning Java during an internship at Nobiscum, writing a Java frontend with AWT for CVS as proof of concept, renaming com.sun.swing to javax.swing, switching to Lotus Notes as a consultant, improving the Lotus Notes user interface with Java, accessing Lotus Notes with JDBC, CouchDB the Lotus Notes "successor" created by Damien Katz - a former Lotus Notes developer, Lotus Notes the NoSQL database before the popularity of NoSQL, Transact-SQL, PL/SQL and back to Java, JSPs, Servlets, Tomcat and Apache Struts, from Java back to Perl, the strategy of spending as much time as possible in a single project, writing frontend code with "this and that" or ES5 - the ancient JavaScript, the Java EE 5 fascination, xdoclet code generation for early EJB versions was slow, annotation-based programming with Java EE 5 improved the productivity, building a freelancer portal with Java EE 5 as proof of concept, a Java EE workshop in 2011, learning politics in Java insurance projects with "C-structs" as design pattern, enjoying PowerPoint time, founding a startup with Java EE 8 / Jakarta EE 8 and MicroProfile as technology choice, WildFly and Keycloak are the perfect technologies for a startup, focus on the business and not the technology, considering OpenLiberty and Quarkus as migration target caused by slow support of MicroProfile APIs by WildFly, saving memory with Quarkus, making WARs thinner by moving to MicroProfile JWT from proprietary Keycloak libraries, building the heart of an insurance company - an insurance platform, cloud-ready and private clouds are a common deployment model, migration from COBOL systems to the tech11 insurance platform, a team of 8 people is incredibly productive, it is hard to find good developers in Germany, hiring pragmatic developers from Africa with the "ThinWAR" mindset, the "airhacks stack", polyglot programming is chaos, using Java EE 8 as the baseline, all other dependencies require permission, an average tech11 ThinWAR is a few hundred kB, code snippets from 2005 gave Java EE a bad name, implement whatever you can today and care about potential problems tomorrow, the time to first commit has to be as low as possible, projects and products require different approaches, the "getting things done" developer, long-term maintenance is key to product success, every company has the right technology at a certain time, Java EE is not the only "right" technology, projects are also barely dependent on Java EE, tech11 does not sell technology, tech11 sells solutions, using plain WebStandards with WebComponents, ES6 in the frontend, Custom Elements look like ReactJS, lit-html is one of the few dependencies in the frontend, tech11 started with hyperHTML, then migrated to lit-html, open-wc comes with lots of examples with LitElement which is not necessary, using Parcel for packaging without any transpiling, rollup.js is great for packaging, Jenkins transpiles for older browsers, on developer machines not even npm is necessary, airhacks.io workshop about WebComponents: webcomponents.training, tech11 uses a BPM engine to manage processes, tariffs, claims, policies are the names of microservices (ThinWARs), the episode #36 with Markus Kett mentions the JCon keynote, Matthias Reining on twitter: @MatthiasReining and his startup: https://tech11.com

しがないラジオ
sp.57a [Guest: jakelizzI] An engineer who bought "Dokushū C" (Teach Yourself C) in fourth grade talks about happily battling a homegrown framework on JDK 1.3

しがないラジオ

Play Episode Listen Later Mar 31, 2019 94:43


With jakelizzi as our guest, we talked about games, working as a cram-school tutor, job hunting, SIers, homegrown frameworks, and more. [Show Notes] Final Fantasy XIII - Wikipedia; "Yūbe wa Otanoshimi Deshita ne" | MBS; Pokémon (game) - Wikipedia; Dokushū C, New Edition (Teach Yourself C) | Amazon; Hot Soup Processor - Wikipedia; RPG Maker - Wikipedia; Curie temperature - Wikipedia; J2SE 1.3 - Wikipedia; Apache Struts - Wikipedia; Apache Subversion - Wikipedia; Aqua Blend Server. Broadcast information is posted on the Twitter account @shiganaiRadio. Please tweet your feedback with #しがないラジオ! Impressions, topics you'd like us to cover, things to improve: any feedback helps us make the podcast better, so we look forward to lots of it. [Hosts] gami @jumpei_ikegami, zuckey @zuckey_17 [Guest] jakelizzi @jakelizzI [Equipment] Blue Microphones Yeti USB 2.0 microphone

Craig Peterson's Tech Talk
SecurityThing - Why Business Feels Vulnerable To Security Attacks

Craig Peterson's Tech Talk

Play Episode Listen Later Feb 28, 2019 9:27


It's another It's a Security Thing Thursday. Craig talked about why businesses feel vulnerable to security attacks and what they can do about it. For these and more tech tips, news, and updates visit CraigPeterson.com --- Below is a rush transcript of this segment; it might contain errors. Airing date: 02/28/2019 Why Business Feels Vulnerable To Security Attacks Craig Peterson 0:00 Hey everybody. Craig Peterson here. This is a little bit of a Security Thing today and it's all about two thirds of businesses. What are they thinking? You know, I've got a new section on my website at http://CraigPeterson.com that is all about security breaches and why they occurred. And I think it's really important for people to understand what's really happening out there. So that's why we're doing it. My wife and I have been putting a lot of work into that. But one of the articles that we have up there right now is from Infosecurity Magazine, and it's talking about how two in three, that's two thirds of organizations, say that they are not convinced that they can avoid a breach. Now to me, that's a very big deal. I just don't get it. This was a Parliament Institute survey that was done of 600 cybersecurity leaders and professionals in these organizations. Now these people were people who are responsible for evaluating, selecting or implementing security solutions. And those are the only people who were supposed to take part in the survey. So it should be a pretty legitimate survey when it comes to understanding: are these companies really positive about the outlook or negative about the outlook? Now I can tell you that the software we use for our bigger clients is designed to be 100% safe, and it's better than 99.9% safe statistically after billions of attempts to hack it. Quite literally billions. It has never been broken through. So I know personally that there are ways to make sure that you aren't broken into.
But here we go with these numbers. This is a quote right from the article: "Vulnerability management, particularly those vulnerabilities in unseen or unpatched systems, is an issue for many organizations, with 69% of respondents identifying delayed patching as an issue, 63% admitting they are not able to respond to alerts." Now I have seen both of these as real big problems, and they may be problems for you too, because delayed patching is a problem in some areas of the business more than it is in other areas of the business. So for instance, if you have a really good next-generation firewall like what, again, I keep coming back to what we're using, right, but there's Cisco, their Firepower firewall family ties in with their switches, ties in with the software on your computers to help make it so that if something does happen, it recognizes it almost instantly. So what they're talking about, really, here are zero-day attacks. In other words, attacks that have never been seen before, all the way through attacks that maybe have been out there for six months, like Equifax, and they got hacked because they didn't patch, and that's a real problem. It's a real problem, and patching, organizations don't do it because it can mess things up. So let's say that you're a small organization. And if you're a small organization, you are probably running a website, but you're probably not doing it yourself. You probably didn't write the software for your website from scratch. Most likely you're using WordPress, or maybe Drupal, which has turned out to be quite the security nightmare. But let's say you're using WordPress. How much patching do you need to do? Nowadays WordPress will patch itself, and there are plugins you can put into WordPress that will not only make sure the core WordPress is up to date, but all of your modules, all of the things that you've installed in WordPress, all these plugins, it'll make sure they're all up to date as well. And it does it all automatically.
So rule one, make sure those are in place. And just this week, it was Monday night, I guess. I don't know, it was over the weekend. That's what it was. We started getting alarms from our Firepower systems telling us that we were under attack, and they were trying to use some vulnerabilities in some of the common software that's used on the web. And it was the software that's typically used by bigger companies. It was some middleware attacks that were underway, and it recognized them, it stopped them. In fact this week, no, I think, but it's been a bad week for attacks. We stopped one at one of our customers. It's a fairly small company, that is a very small company. But we have this technology in place for them because they are concerned about breaches. And for some reason, over the weekend, when people are usually not there, because part of what we do is monitor when they're working, what are they doing when they're working? And what's abnormal? Well, we saw some abnormal stuff happening. And it was very abnormal stuff, because they were sending files to a public file sharing service over on Google. And so again, automated systems took over and it was stopped almost instantly, which is again a very big deal, a very good deal, a very positive thing. So we're meeting with them today to talk about what happened, the incident and how it was responded to and who was trying to breach what, you know, how did this happen? How could this happen? And it kind of smells like it was probably an insider who was just doing something that, you know, hopefully not malicious, because many times your insiders will try and steal customer lists or plans or diagrams and other things and share them with someone else. And as part of that sharing, of course, they get a little remuneration, right? They get a few bucks sent their way, so that might have been what happened. And the reason we didn't meet with them right away is, one, the CEO was very busy this week and, two, we stopped it.
So what's with these two thirds of companies that think they can't stop it? Well, they probably have an antivirus mentality, because antivirus does not work anymore. You need a much more integrated, much larger response mechanism in place, and it needs to be completely automated in order to really stop the bad guys nowadays. But secondly, I have to feel for them, because you have an additional problem. And that is if you wrote the software for your business. In other words, a company like Equifax has a huge department with programmers and analysts and stuff. So they write their software, they have to maintain it. So let's say they're using Apache Struts. And there is an Apache Struts attack, which is what actually happened to us this weekend. Now, in our case, it was stopped. But in many cases, it just won't be stopped. And it can't be stopped because they don't have the right stuff in place. So there's a Struts 2 attack because they haven't patched. Well, why didn't they patch? Because they have to test their whole system. An integrated test, right? And that integrated test has to look at every component, try it all, test it all, so it might take six months to do a patch, because you can't just throw it in place. So an organization like that, where you are writing your own software, I would highly advise you have one of these fully integrated systems like what we have in place for many of our clients now. So that's what I wanted to point out. Two thirds of businesses think that they just can't avoid a breach. In fact, you can avoid a breach; it doesn't matter the size of the organization. And if your people are telling you you can't avoid a breach, they are wrong. Okay, they either don't know what they're talking about, or they're being way, way, way, way too honest. Because there's always a chance that there is a breach or potential breach. But based on the responses from these guys, where they're saying that the obstacles are really the mitigation and patching, mitigation...
You can take care of patching, you can kind of take care of, but you can mitigate all of these risks by using the right kinds of systems. So anyways, that's a little bit of a security thing for today. I'm a little disappointed to see this come out. I'm glad Kacy Zurkus wrote this article; you'll find her on Twitter as well as LinkedIn, and the article's up on my website at http://CraigPeterson.com. You'll also find it over at Infosecurity Magazine. Take care. We'll talk to you a little bit later. --- More stories and tech updates at: www.craigpeterson.com Don't miss an episode from Craig. Subscribe and give us a rating: www.craigpeterson.com/itunes Message Input: Message #techtalk Follow me on Twitter for the latest in tech at: www.twitter.com/craigpeterson For questions, call or text: 855-385-5553

WIRED Security: News, Advice, and More
Russian Hackers Go From Foothold to Full-On Breach in 19 Minutes

WIRED Security: News, Advice, and More

Play Episode Listen Later Feb 19, 2019 4:51


In the hand-wringing post-mortem after a hacker breach, the first point of intrusion usually takes the focus: the phishing email that Clinton campaign manager John Podesta's aide accidentally flagged as legit, or the Apache Struts vulnerability that let hackers get access to an Equifax server.

Craig Peterson's Tech Talk
Apple Holding Facebook Accountable For Privacy - Cybersecurity Tips For SMB - FBPurity Plugin For Facebook Today on TTWCP Radio Show

Craig Peterson's Tech Talk

Play Episode Listen Later Feb 2, 2019 27:51


Facebook and Apple are feuding in a big way. It looks like Apple is taking this into their own hands, which is just fantastic. Today we are going to talk more about that. There is a new plug-in that can help you clean up your Facebook feed. Listen in and you can learn more about that. Hidden cameras again at Airbnbs. This thing is scary as heck. We will talk about the good and proper uses and when their use crosses the line. We've got a cybersecurity worker shortage; is all that a surprise? 3 million people is where that's at right now. So we'll talk a little bit about that. Did you know many of the Fortune 500 companies you deal with have vulnerabilities that can compromise your personal information? Today, I will talk about their use of vulnerable server software. Yes, it is the same software that allowed hackers to steal personal data from Equifax. I will talk about the three cybersecurity must-haves for small businesses, leading up to the free training I am offering next week. Do you use a Mac? I will go over some basic must-haves for small business Mac users. Remember, you are not invulnerable, and there is a targeted piece of malware being used against you. Listen in to learn more. For these and more tech tips, news, and updates visit CraigPeterson.com --- Transcript: Below is a rush transcript of this segment; it might contain errors. Airing date: 02/02/2019 Apple Holding Facebook Accountable For Privacy - Cybersecurity Tips For SMB - FBPurity Plugin For Facebook Craig Peterson: 0:00 Hey, good morning, everybody. Craig Peterson here. And of course, we are going to talk about tech, some of the latest things, some latest articles, some of the nastiest things that are happening out there. I don't know if you've seen about this feud. But our friends at Facebook and Apple are feuding in a big way.
You know, if you listen to this radio show and if you listen to me appearing as a featured guest on some of these other shows, you know I'm asked all the time about security and what we're going to do about our friends at Facebook. It looks like Apple's taking this into their own hands, which is just fantastic. So we'll talk about that, and that's all due to an article that came out that really kind of nailed them. I've got a really cool little tool; in fact, I learned it from a couple of friends of mine up in Maine who host a radio show that I'm on every week. Matt and Ken do this; it was actually Matt's idea, but it's a plugin you are going to love, and this is going to clean up your Facebook feed. Hidden cameras again, Airbnb. This thing is scary as heck. The Fortune 100, you know about Equifax, you know about the breach. Well, this is not very fun. We've got a cybersecurity worker shortage; is all that a surprise? 3 million people is where that's at right now. So we'll talk a little bit about that. Three cybersecurity must-haves for small businesses. That kind of ties into what I'm doing here next week. I've got just a ton of training for small businesses. Make sure you visit my website, http://CraigPeterson.com. This stuff is all free. I'm giving away my best stuff, absolute best stuff, for free this week. So make sure you sign up. http://CraigPeterson.com. But here's some basic must-haves for small business Mac users. You are not invulnerable, you're being targeted by a piece of malware. So we've got a lot going on today. And that's what we're going to be talking about right here. Of course, this is Craig Peterson. And this is Tech Talk. There's another guy, I just don't get it, but a little confusion. He calls himself Craig Peterson. I've been doing this for, what, 25 years now. And then he said, Craig Peterson Tech Talk. What? That's me. That's not you. Anyways, here we go. Unknown 2:41 Facebook had this controversial program.
And this is really what's gotten this little bit of a war started. And the war is between Apple and Facebook. Now we all know that Facebook, their founder, thought that we were idiots for giving him our information. And that has now been documented in a court case over in Europe; he thinks we are idiots. In fact, he used a swear word, an expletive, in there describing what kind of idiots he thought we were. Well, Apple is now ratcheting up its tug of war over privacy this week; you might have seen a little bit about it. But now we're going to explain what it's really about, what's really going on. But there was a report that talked about Facebook collecting data on users. In fact, they were paying users for this data. Remember, I mentioned that Facebook has a free VPN and that you should never use it. Because typically, when you're thinking about a VPN, you're thinking about privacy, right? You're thinking about security, hey, people aren't going to be able to track me. Have you ever used a VPN before? If you're a business person, you probably should. But you need to understand more about them. Well, Facebook had this whole VPN setup that was tracking where you were going, what you were doing, what you were saying; it was really just a piece of nasty spyware, just crazy what they were doing. Well, they offered $20 a month, I think it was, kind of a bounty for anybody that would use their VPN. And they made it very obvious that what they were doing is tracking you; they're trying to track people age 13 to 35, as much as $20 a month to install this Facebook Research app. Now, that's what it's called, the Facebook Research app, and it's designed to track phone and web usage habits. And this was reported by TechCrunch. This became a bit of a big deal when they started looking into it a little bit further, because it turned out the TechCrunch report said that Google's running a data collector that's also similar to Facebook's app on Apple's system.
So you've got Google doing something that's collecting all this data, and you've got Facebook doing something. Well, apparently, Google pulled the plug on their little project; Apple did not pull the, excuse me, Facebook did not pull the plug on their little project. And so, Facebook. So Facebook did not get nailed, and Google did get nailed. So this app is discontinued on Apple iOS; however it can continue to run on Android devices. Doesn't that figure, right? Android? Yeah, yeah, again, spying on you. Man, Facebook's finally going to suffer some consequences for their actions. This is kind of interesting when you think about it. Because what's happened is, Apple completely pulled the plug on Facebook's development. Now, if you don't know much about the Apple ecosystem, let me explain a couple of things. Even if you're an Apple user, you might not be aware of this. If you are developing, you're trying to develop apps for iOS, you apply, you pay money, and you get from Apple a special key you can use to sign your applications. And then that key is used by Apple to verify, yes indeed, this is a signed application by developer X. And therefore it will run, it'll be accepted on iOS. And Apple has some similar things in place for macOS; that's part of the reason macOS is so much safer than Windows. Well, one of the things you have to do if you write software is test it. And a lot of people do a lot of testing. And so with that developer license, you can now make your app available to people who kind of sign into your developer account, right? They don't have to have your credentials or anything, but they associate with your account, and they can now use your software. So now it's kind of in alpha and beta stages before it gets its final release. So if you don't have one of these keys, if you cannot sign the software, you can't distribute it at all, basically. So you are kind of out of business. And that's what Apple did. Apple pulled Facebook's developer key.
And one more big problem. You might not be aware of this; you know, there's millions of apps in the app stores now. It's just incredible how many. I think it's over a million just in the Apple store itself. And I'm sure someone's about to text me with how many. 855-385-5553, 855-385-5553. Let me know how many there are. But there's at least a million apps in the App Store. But did you know that there are more apps that are not in the App Store than are in the App Store? Now, you've got to ask yourself, why would that be? Well, you know, I think Craig must be talking about development, right? Developer apps, not real apps that people are using every day. Well, obviously, there's a lot of developer apps that never ever hit the App Store. But there are more internally used business apps out there than there are apps that are for sale in the App Store. So companies like Facebook, for instance, will develop apps to be used internally by their staff to do different things. Now, in Facebook's case, it includes things like send a bus my way, a bus to work, or maybe it's pick up my clothes from the triangle, or whatever it might be. All of the internal apps Facebook was using on iOS got shot in the head; they are all down. So now there's these people who work for Facebook who are used to somebody in their little bus. And that bus is not showing up anymore. There's somebody in the bus and the app doesn't work. And they're trying to get into an office by using an app. And that's not working. So this is very, very big. And Apple did this to basically punish Facebook for doing things that violated Apple's privacy. Apple has a whole thing they have to sign. I'm an Apple developer for iOS as well as for Mac. And when you get your developer's license, you then have to accept their terms. You have to accept their contract, a very big deal. And their contract says that you will keep our users' data safe, and they did not do it. So Facebook, shut it all down.
And we'll see where this ends up going. I'm sure they'll reach some sort of terms. I also wonder now if Facebook's going to switch from using iOS as its primary development target and maybe switch to Android, which I think would be a mistake. But this is from Apple. They said the permission was intended solely for internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. So, you know, Tim Cook hadn't been involved in this decision. Mark Zuckerberg was criticized over his handling of Cambridge Analytica, over his handling of the whole Obama campaign, where they gave Obama access to everything, which makes Cambridge Analytica look like just ridiculous bikers. They just don't know what they're doing. Right now, news to ask me, oh, wait a minute, you're Republican, I'm not going to give it to you. So it goes on and on. Extremely glib is how this was described here, and Zuckerberg. So we'll see what happens. Hey, I mentioned apps and Apple. So we're going to talk now about something: if you have an Apple Mac, there is some new malware out there you need to be aware of. Hey, as I was just mentioning, we're talking about security. Apple has a lot of things in place to help secure our devices, and Mojave on the desktop added a bunch of stuff; it's just phenomenal what Apple's doing. And they're doing it, I think, basically the right way. And it is going to provide security that we just can't get on any other platform. So good for them. But there is a new sneaky piece of malware out there that's going after Mac users. And this one is image-based. Now we've seen image-based attacks before. But in this case, it's a little bit different. It seems like a key piece of data that's used to launch the attack has been hidden in this harmless-looking white triangle.
There's a little image. Now we saw something like this late last year, when researchers discovered criminal hackers were controlling malware using Twitter memes. Now how's that for an interesting way to do it? So what happens is malware got on your computer. And then it monitored a Twitter feed, and then looked at the memes that were placed in the Twitter feed. And hidden inside those memes were the control codes for the malware. Yes, they are getting very tricky. So this new piece of malware is called VeryMal. And the image it's been linked to is using some parameters that get added to a URL in order to try and control malware. And you've seen this, I'm sure, if you're an Apple user, where you go to a website, and what comes up? It comes up and says, hey, you've got to update your Flash, right? It's a fake Adobe Flash update. And of course, Adobe Flash, I highly recommend to not use it, never use it, don't use it, for the last at least five to 10 years, really, don't use it. And we had our friend Steve Jobs back in the day who was saying we will never support Adobe Flash. And he had a lot of good reasons for it, not the least of which was he didn't like Adobe and what they were doing. But this is a fake Flash update; it's being pushed by this VeryMal campaign. And here's the bottom line, Mac users: you don't want this app. You don't want to update your Flash via a little pop-up that comes when you visit a website. Legit Flash updates for Chrome come straight from Google; they get pushed automatically with other browser updates, right? So ignore anything that says you have to upgrade and update Flash, because you don't want to even have it on your machine. And if you're using Chrome, it's going to get updated automatically. Now, if you ignore that, by the way, you might be in trouble. Because just in two days in January this year, there were more than 190,000 impressions of this image.
So that's a lot of people that might have been hit by this. Researchers are estimating as many as 5 million users per day have been exposed to the malware; fewer than a third of the anti-malware engines on the VirusTotal scanning service detect VeryMal's payload as of this morning. And these attacks, of course, can be expensive. And we're going to be talking about that this week as well. But bottom line, a single round of attacks in January probably cost about $1.2 million to businesses. And that's on a per-business basis. Now, if you're a small business, it's going to cost you less, but on average, right now it's about $120,000 per attack. So I want to make sure that you're aware of this. I've been sending out emails this week. If you didn't see them and you didn't see my invite in this morning's email, make sure you sign up. Next week I'm going to be holding, I'm going to have four different classes. I'm going to be holding a live online class. We're going to be going through kind of the DIY: what do you need to do to protect your business online, what should you be watching for, what kind of software can you install for free, some of the stuff that you should be using that's paid. That's all this week; we're going to give you some of my best stuff and I'm not going to charge you a dime. I'll probably have an offer for you, for people who really want to go to the next level, but this is absolutely mandatory, must attend. Go to CraigPeterson.com; it's right there on my homepage. So we're going to get right now into three cybersecurity must-haves. Here are some things you've got to do if you are a small business, and kind of a little bit of a flash ahead to what we'll be talking a lot more about this coming week on my con shares page and in the live webinars as well. Alright, we've got cybersecurity must-haves for small businesses. Pop quiz: what percentage of small businesses in the United States, what percentage of small businesses in the US, suffered a cyber attack in 2017?
This is from an article from Security Today. And I've seen these stats before. So I know they're pretty much right. What would you estimate? 10% of small businesses had a cyber attack? 25%? Maybe higher? The answer is 47% of small businesses had their networks breached at least once by cyber criminals in 2017. In other words, half of all small businesses had their networks breached in 2017. Now, almost half of those businesses that were breached once were breached twice or more. Now, that's according to a survey that was reported in a 2018 USA Today story. So when you look at all of the data from this, you can only really draw one conclusion. And the researchers' team concluded that only about three in ten small businesses would be able to even handle a cyber attack if they were hit with one today. So 3 in 10 could handle it, they'd be able to survive, and half of the small businesses were hit. So those numbers are pretty scary, frankly. And I want to ask you a couple of questions here. Why are you not prepared for a cyber attack? If you're a small business person, whether you own the business or you work in the small or medium business, you know, maybe a $10 million a year business, still considered to be a small business. But why? Well, there's a lot of reasons. Of course, small companies have limited budgets; you don't have the IT resources, you can't afford the professionals. I've got another article here from Fox Business that is saying that data breaches, of course, are a big problem, but they're going to get even bigger in 2019, and there is a shortage of cybersecurity professionals that's growing globally. And right now it's at about 3 million people. That's a pretty big shortage. And then we've got all the infrastructure, all the software; we've got it all, and it's been very confusing, right? You probably spend some time on YouTube trying to figure it out, some time on Google searching around, again, trying to figure it out.
And it's just hard to tell what to do. And of course, that's why next week, in fact, this whole year, I'm dedicating to trying to help you out. But this next week is the week I have a bunch of training, a bunch of video training and stuff you can watch, all for free. I'm giving my best stuff away. So I'm trying to take away the excuses, because you've got to pull up your socks. You know, as I said in my email this week, a lot of small-medium businesses think that their businesses are so small, so insignificant compared to these giant multi-billion dollar companies and banks and agencies, these big names that we all know: "I'm not Equifax, I'm not any of these, I'm not going to get hit." But in fact, you are. You are the real target, because of what I just said: you have a limited budget, you lack the IT resources, you can't find the staff that know cyber security well enough. Sure, you can talk to people who know more than you do. But do they really know enough to be able to protect you? Even these outsourced IT firms. I'm just shocked every time I see them, when I talk to them, about how little they actually know and how little they can do. There just is not a whole lot of competence out there. So anyhow. Bad news: hackers know that small-medium businesses don't prioritize cyber security, and that's precisely why they're targeting them. If you're a burglar, it makes sense, right? Go to the house with the weakest lock, or no lock, or the windows open. And unfortunately, that's what your business looks like to them. So keep an eye on your email. If you haven't signed up, make sure you do right now. Go to http://CraigPeterson.com. It's right there on the homepage today, because we start on Monday. You can sign up, you can get a free ticket to this whole event. Absolutely free. I want to mention this study a little bit more. It's a study by (ISC)², the world's largest nonprofit association of certified global cyber security pros.
And they're saying that we're really close to 3 million people short in the cyber security biz. And a lot of people, a lot of organizations, are at risk. And of course, that's part of what I'm doing here on the radio and on the podcasts, and with these courses that we're teaching: bringing you up to date on cybersecurity. This one is shocking, out of TechCrunch. It's been almost two years since Equifax had their massive breach. And we know that it exposed the personal data of almost every American and a lot of Europeans and Canadians, etc. It was a terrible breach. We also know that it was caused because they were using vulnerable software that was not up to date. Now, if they had upgraded it (it's called Apache Struts), if they had patched it, if they had been paying attention. There was a patch released six months prior to that. Six months they had to fix it, and they didn't fix it. Well, another little study came out of a company called Sonatype, and they monitor open source software, which Apache Struts is a piece of open source software. And they're saying that in the last six months of 2018, two thirds of the Fortune 100 companies downloaded a vulnerable version of Apache Struts. That's the same vulnerable server software used by hackers to steal the personal data of close to 150 million customers. Isn't that bad? All in all, by the way, more than 18,000 businesses downloaded vulnerable versions of Struts. So if you have a website, and you have a slightly larger one, if you are using Java, take a look, no matter what it is. I found three WordPress sites, just simple WordPress, right? Who cares about WordPress? Just this last week, three WordPress sites I found, and I helped their owners fix them. They'd all been hacked and they were all being used for malicious purposes. They still worked as websites for the owners, but they were hacked. So keep your software up to date, especially software that is facing the public Internet.
Panasonic released a new home security camera earlier this month. And it looks like a floor lamp. It's one of those floor lamps that shoots right up at the roof, you know, and you get the reflective light, which is really kind of nice. The long thin one; I've had those for ages. In fact, those are some of the first lamps I forgot. It's called HomeHawk Floor. And it's designed to be discreet. The whole idea is you can monitor the inside of your house. There's no obvious cameras. This thing even has batteries and has local storage. They started an Indiegogo campaign, and the lamp you could buy on Indiegogo for 485 bucks. Panasonic just suddenly had the time. Well, we already have reports of Airbnb owners hiding cameras in the homes, capturing the activities of the renter. So it's not exactly a new concern. But keep an eye out, because this is going to be a hard one to spot. Two more quick things here. We talked about the tug of war over privacy with Facebook that Apple is involved in, and this all started with a TechCrunch article. But I wanted to mention too that, you know, Facebook's been under fire for months. Facebook settled; they came to an arrangement with the federal government about privacy. It's been about a decade since that happened. And now the US Federal Trade Commission is likely to impose a record fine against Facebook for failing to protect users' personal information. The District of Columbia also sued Facebook, and this FTC fine is going to come because of the settlement that apparently they have not been honoring. Now, another Facebook tip I learned this week: a plugin for Chrome called FBPurity. Look it up online. I have it on my website, http://CraigPeterson.com. But FBPurity has been around since 2009. It's one of the top 150 highest rated Firefox extensions, and I like the Firefox browser, by the way. Half a million happy users. Check it out. It will let you block all of the crap that comes up in your Facebook feed.
You are going to love it. FB Purity, online: http://CraigPeterson.com. Make sure you sign up for my training this week. Okay, there's going to be three training videos I'm releasing, and there's going to be a live webinar. We are going to be discussing small business security, do it yourself. This is all about teaching you exactly what you need to do, how you need to do it, and backing you up slowly so you can get your small/medium business secure. I've helped everybody from a little mom-and-pop SOHO all the way to Fortune 100 companies with security. I'm going to help you as well. http://CraigPeterson.com. Have a great week and we will chat next week. Bye bye.
---
Related articles:
Most Of The Fortune 100 Still Use The Same Flawed Software That Led To The Equifax Breach
This Lamp With A Hidden Camera Could Be In Your Next Airbnb Nightmare
Facebook Shuts Controversial Program To Pay Apple Users For Data
Mac Users Being Targeted By A Sneaky Image-Based Malware Attack
Three Cybersecurity Must-Haves For Small Businesses
Cybersecurity Worker Shortage Hits 3 Million
F.B. Purity Hides Annoying Facebook Applications And News Feed Updates
---
More stories and tech updates at: www.craigpeterson.com
Don't miss an episode from Craig. Subscribe and give us a rating: www.craigpeterson.com/itunes
Follow me on Twitter for the latest in tech at: www.twitter.com/craigpeterson
For questions, call or text: 855-385-5553

InfoSec Weekly Podcast
9 November Weekly podcast: HSBC, Evernote and Apache Struts

Nov 8, 2018, 5:22


This week, we discuss a data breach affecting HSBC's US customers, an XSS vulnerability in Evernote and a critical RCE vulnerability in Apache Struts.

The CyberWire
A quick look back at the US midterms, and the cyber Pearl Harbor that wasn’t. Update Apache Struts. Smishing with the Play Store. Another advance fee scam.

Nov 7, 2018, 20:01


In today's podcast we take a quick look back at the US midterm elections, and at what did and didn't happen. Is Iran looking at waging cyber-enabled economic warfare? If you use Apache Struts, update now to avoid remote code execution. A spyware-delivering app is used to smish Spanish-speaking users of the Play Store. And, once again, people really seem to think that Elon Musk will return them their Bitcoin donations tenfold. (Enough people to make crime pay, anyway.) Justin Harvey from Accenture on notification laws and incident response. Guest is Christian Lees from InfoArmor with thoughts on what they're seeing trafficked on the dark web. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_07.html Support our show

MorphusCast
Important vulnerabilities in Apache Struts, Bluetooth LE and Intel CPUs

Nov 5, 2018, 12:06


Renato Marinho highlights the week's main threats, with emphasis on a remote code execution vulnerability in Apache Struts disclosed only a few hours ago. As always, we recommend that you check your environment for affected versions and apply the appropriate patches. Reference cited: http://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E

SailPoint's Mistaken Identity Podcast
29 | Mistaken Identity | It’s a Matter of Trust: BeyondCorp and Representation with Wendy Nather

Sep 20, 2018, 48:22


Wendy Nather (twitter: @wendynather) joins David Lee and Mike Kiser as they explore the interplay of trust and security. We examine the implications of what John Kindervag termed the "zero-trust model" and the subsequent security architectures it has spawned: Google's BeyondTrust and Duo Beyond, for example. A lively discussion of the current state of representation (a reflection of trust) within the security industry follows. Headlines range from a new Apache Struts vulnerability, AT&T being sued for $200 million for a cryptocurrency theft, and privacy regulation that is coming to you in five years (or fifty, depending on who you ask).

Paul's Security Weekly TV
Supermicro, Apache Struts, & HTTPS - Paul's Security Weekly #574

Sep 11, 2018, 44:07


In the security news, Spanish driver tests positive for every drug test, vulnerabilities found in the remote management interface of Supermicro servers, Apache Struts 2 flaw in the wild, HTTPS crypto-shame, and how to manipulate Apple's podcast charts! Full Show Notes: https://wiki.securityweekly.com/Episode574 Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly

Paul's Security Weekly (Video-Only)
Supermicro, Apache Struts, & HTTPS - Paul's Security Weekly #574

Sep 10, 2018, 44:07


In the security news, Spanish driver tests positive for every drug test, vulnerabilities found in the remote management interface of Supermicro servers, Apache Struts 2 flaw in the wild, HTTPS crypto-shame, and how to manipulate Apple's podcast charts! Full Show Notes: https://wiki.securityweekly.com/Episode574 Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly

AT&T ThreatTraq
9/6/18 Apache Struts; Bitfi Hacked; Smart Bulbs; Internet Weather | AT&T ThreatTraq

Sep 6, 2018, 23:32



Craig Peterson's Tech Talk
The Next Equifax hack is on the horizon. Net Neutrality Repeal Benefits. Business Email Compromises, and Fit Feels Good's Oonagh Duncan on TTWCP Radio Show- 2018-09-01

Sep 1, 2018, 26:51


How is a world class trainer using tech and social media to help people achieve their goals? Listen in as I talk with Oonagh Duncan about her business Fit Feels Good. Congrats to Ajit Pai and President Trump! I explain why repealing Net Neutrality has helped the industry and everyone else! What is the biggest danger to SMBs? Do you know? Listen in and I will tell you what every business needs to be aware of. Craig is putting up a new membership site (yes, it is free, but you have to sign up). On it he will have all his special reports that he puts out, and you will be the first to get them. For these and more tech tips, news, and updates visit CraigPeterson.com
---
Transcript: Below is a rush transcript of this segment; it might contain errors.
Airing date: 09/01/2018
Fit Feels Good's Oonagh Duncan, Net Neutrality Repeal Benefits, and Business Email Compromises
Craig Peterson: [00:00:00] Hey, everybody, welcome. Of course, Tech Talk with Craig Peterson. Same time every week, and online as well: CraigPeterson.com. Today we've got a couple of different things going on. One, I've got a friend of mine I've known for a couple of years who has been using the online world in order to help build a business and help people. You know I'm an entrepreneur, right, and so is she. I think you're going to find this interesting. And if you know anyone who is a woman in their 40s who might have a couple of problems with losing that baby weight that was put on, well, she can probably help them out too. But it's interesting, because she's using the modern technology, including some of the stuff that we're constantly complaining about when it comes to social media. So that'll be fun. So she's up next. We're also going to be talking about a couple of security things this week. Half of small businesses believe they're not cybercrime targets. We'll explain why that's a really bad idea. We've got some more information on the DNC, and another hack that appears to be underway.
The whole 'Struts' bug. Hey, if you work with a bigger company, get this fixed. Now, this is critical, absolutely critical. This is how Equifax got hacked, the same subsystem, called Apache Struts 2. So check that out, if you're a bigger business. We've got an Ohio man sentenced to 15 months for a BEC scam. We've got new stuff with scanners at airports. AT&T, oh, I've got to talk about this. So we'll get to that and a whole lot more. But first, we are going off to Oonagh. Here we go. [00:01:47] We're joined right now by a young lady. No, I say young, but she's working with women in their 40s. Her name is Oonagh Duncan, and Oonagh has been all over the place: associate fitness editor for a magazine; she's been a regular before on all kinds of podcasts and on the air, as well as CBC up in the Great White North. And we're going to talk with Oonagh in a little bit about technology. Now you know tech, and you know tech has been influencing us. We've talked about some of the problems social media has caused with all kinds of negative things, and we think about it in kind of a negative stereotype, as well, so many times. The reason we're having Oonagh on is that she has been very busy in helping to build a community of these young women in their 40s who want to get back in shape, maybe lose some weight, maybe get that cardiovascular system going. And she's doing it using technology. So I've known her for a while, and I asked her to come on; she was gracious enough to do so. So, hi. [00:02:51] Oonagh: Hi, Craig, how has it been going? It's going really well now. [00:02:55] The first time I met you in person, I suspected that you were probably about 30 years old. You've got more than a decade on that; you've taken good care of yourself. What brought you to the point where you thought you might be able to help other people? And looking online, Google, for instance, has about a thousand people who have rated you 5 stars, so you're obviously good at it too.
[00:03:22] Thank you. Yeah. Oh my gosh, it's been an unbelievable ride. I was originally an actor and playwright and then, in order to, you know, you would be shocked, playwriting is not very lucrative. So I began to teach fitness classes at 6:00 in the morning and 6 at night, so I had my whole day to work on my playwriting. And so I did that for a few years and then I found that, you know, I was just kind of getting sick of auditioning all the time, and trying to reach my place. So it's like, no, actually, this is kind of fun. Well, see if I can make a go of it, and it just really took off from there. And then I noticed that a lot of my clients, even though they were exercising a lot, weren't really seeing the results on their body that they wanted to, because, a lot of people don't know this, exercise is not that efficient for fat loss. It's really efficient to keep off the weight once you've lost it. If you want to lose fat, it's going to be almost all about nutrition. So I am putting the nutrition component in my program, and I put it all online. So, the only clients that had moved away, that was sort of my initial impulse, but then it just started being like all the strangers coming in too. Now I have people in, like, Mexico, and Germany, and you know, Latvia, and it's unbelievable. It's so fun, because you know I get to log in in the morning and see how everyone in the UK is doing, and then before I go to bed I see everyone on the West Coast and what they have for dinner. So it's really, really cool, the global aspect of it. [00:04:49] It is a different world, isn't it? You can get an expert to help you from almost anywhere, and that's what you're doing. Tell me about the success here. [00:04:58] Two thousand people all over the world with a 100 percent 5-star review. You're having a real shock then. How are you achieving this? [00:05:08] Oh, my gosh.
Well, you know, it is just, it's really sort of happened organically, of course, and using Facebook to reach people. But honestly, I see so much of it is word of mouth, and it's not because, you know, people are losing weight. My program is called a 28-day transformation challenge. We lose weight in between. But because we sort of have snuck in all these psychological triggers that build how bad people are tending to keep the weight off long term, I think that's like making all their friends go, wait a second, what's going on here? And so the word of mouth has just been spreading like wildfire. I think a lot of that is also about the community, because there are so many, I mean, I don't know if you know that there's so many, you know, click thirty-nine dollars to buy a PDF download, this meal plan and workout program, that is everywhere. It's not everywhere; it is a live community where everyone is starting the program on the same day. We're all doing it together. And you have one-on-one access to a world-renowned trainer and a nutrition coach. And it's sort of like support that we can offer online and know into people's questions. My team, you know, before long they're finished hyping it. So people feel so unsupported, in order. If you were to try and figure that out locally, hey, you know, who knows where you live, if you got access to that level of caliber of trainer, nutrition coach, but you know you have to work schedules and then see the cost could be prohibitive. So really, new technology is making history and more accessible to so many people. [00:06:43] So you mentioned kind of the social support side of this. Are you using Facebook? Or do you have your own membership site? How does that all work? [00:06:52] Yeah, we do have a membership site, but most of the time the membership site we're really just using for, you know, content distribution. Really all the action happens in the Facebook group.
You know, we had considered forums, because now we have so many people that there's had to be some little, you know, breakout groups: there have been new moms, and you know, breakout groups of women going through menopause, and you know, you have a little small but really cool dude factor, and so it might be cool to sort of break that open. Right now we're just in a big jumble in the Facebook group and sort of organizing with hashtags and, you know, community memes and stuff like that, and it seems to be working pretty well. [00:07:30] Now your wife, excuse me, my wife and you haven't had a chance to talk before. And of course she's almost 60 years old now and she has had a hard time over the years in losing weight and things. So she has gone out, and we've done everything, we've done the apps, you name it, we've done it, and she's found apps online. Some free that she downloaded, some she had to pay for, and it was like what you were talking about, that 39 dollar PDF, and she didn't get anywhere. But I think maybe even the key that you have really hit on here is this whole idea of social support. Is that why the apps just typically aren't working for people? [00:08:15] I think, to be honest, Craig, I think part of it is that those are there. You know, you pay 20 bucks and they all kind of look the same. You know, maybe you get a push notification, if you allow them. But it's so easy to ignore. If you are a real person who follows up and says, "Hey, Craig, what's up? Haven't heard from you for a little while. Hey, I know you slept in today and you said you'd really work out after work." [00:08:38] "I'm waiting for your sweaty selfie." You know. [00:08:43] Yeah. And then people are like, oh yeah, I have to do it.
So there's that sense of accountability, not only to your trainer and nutrition coach but to the rest of the community, because you know you log into Facebook and you see all these other people are like, oh my gosh, the soup was fantastic, and the workout was so hard, I can't believe I finished it, or whatever. Then you feel like you're part of something, and you're letting the team down if you don't win. And this is well documented all over the psychology of exercise adherence: if you work out as part of a group, and that's a team sport or even group exercise in the gym, you are a hundred percent more likely to adhere to it, to achieve your goal. [00:09:20] Yeah. Now, part of the problem with the gym, Oonagh, is of course you've got to get babysitters, if you have younger kids, and you have a job, more than likely, right? So we only have a couple of minutes left, but of course Fit Feels Good is your website; we'll give that out again in just a minute. But you have this live community aspect that seems to make all the difference. [00:09:41] That's right. And you know, I'm sure your people are pretty tech savvy, so, you know, a lot of people are like, are you going to go evergreen with this? You know, make it sort of passive income that just keeps coming in. I'm like, well, yeah, I have figured out a way to go evergreen in that we start live, you know, often. But it's still a live start. It still has me physically in the group, welcoming people, commenting on their things. I can't and I won't ever just turn it into a do-it-yourself program, because I know that doesn't work. [00:10:12] Yeah, you've got to have that support. You know, I've seen on your website you've got some other programs coming up. You started with this outdoor kind of a boot camp. You mentioned your 28-day program now. Do you also have something?
I think you're trying to set up to go down to Mexico and really kind of bootstrap people, but fitfeelsgood dot com is your website, and I know your brand is Fit Feels Good, as well. Can they find everything there, or what's the best way to find out more? [00:10:42] Yeah. If you go to fitfeelsgood dot com, you'll see everything there. You'll see a heading called free stuff and you can grab free goodies. And you can find out about my 28-day transformation challenge, and the next one is starting on September 10. There actually are some really wicked bonuses going with that one, including, you know, I've got a celebrity stylist who's going to come in and tell us how to dress for your body shape. I've got a flat belly, strong core program. All of that goes with that. So if anyone is ever interested in taking care of your body, your health, getting lean kind of once and for all, if you're done trying all the 39 dollar apps and you're like, let's get down to business and get this done, then come join me September 10th and I will welcome you with open arms and so much accountability. [00:11:27] All right. Now, I've known you now for a couple of years, I think, give or take. And I've got to say she's the real thing. She lives it, she loves this. I get on calls with her, you know, on Zoom or WebEx or all these types of technology online, and she's doing well; she's on the call, she's on a treadmill talking. I'm going to get on the call, and I know she's doing that right now. All right. [00:11:54] Well, I am actually pacing right now. [00:11:57] There you go. She lives it, she loves it. The people that work with her absolutely love it. Oonagh is not compensating me in any way, for those of you who don't know me, you haven't been listening for the last 20 years. I think she's got some great tech and great heart and is really trying to help out again. She has been an associate editor, fitness editor, in fact, for magazines.
She has been all over the place helping women, and some men, as she said, but kind of specializing in women in their 40s, when it's really tough, when you've got to start taking those pounds off from the kids. Helping them out, doing that live, and having a whole lot of fun while doing it. And again, the website is fitfeelsgood dot com. Anything else Oonagh would like to add? [00:12:43] No, that's fantastic. Thank you so much. OK. That was really lovely. Hey. [00:12:46] You're welcome. Take care. OK. So now we're going to get into the tech side. We've got a lot of stuff to talk about. So here we go. [00:12:59] You know, we had a lot of complaints from people about this whole net neutrality thing, and I think the reason is people just didn't understand it. We had a group, just like we have right now, a group of far leftists, socialists, who want the government to control everything. And if you don't think that's been the case for a while, look at your tax bills; we're over 50 percent now. What do you buy? What do you own that you think is worth 50 percent of your income? Right? Anything? Is your car worth working six months out of the year for? Remember, that means January through June or July. What's worth that? Is government? Are the services government is providing you, are they worth half of your whole income? Well, those same socialists were out there just beating this drum, because in the latter part of the Obama administration the FCC passed this net neutrality rule where they pulled the Internet under direct FCC control, by one simple ruling, right? And the FCC said, well, we don't really have the authority to do this, but they did it anyway, just like President Obama said that we don't have the authority to do this but I did it anyway. They were saying if net neutrality doesn't go through, we are out of luck. [00:14:17] Right. Because they're going to slow down the Internet.
There's going to be advertising everywhere; if it doesn't go through, we need it so that everything on the Internet is treated fairly. So that your soccer team is treated fairly. So that you're not overpaying for Internet access. And you'll remember at the time my argument to that was, hey, wait a minute now. Why should the old grandma, who's sitting there in her home doing nothing except waiting to get an e-mail or some pictures from the grandkids, why should she pay the same amount as some kid sitting in the basement playing full 3D video games and talking to the friends all at the same time and streaming Netflix in the background? Maybe Hulu in the background, right? Why should grandma pay the same as a super high-end user of the Internet? It just doesn't make sense. Well, there's another factor I talked about, which is that you will take the incentive to invest in the Internet away if you have this so-called net neutrality, right? Why would businesses try new things? Why would businesses invest in more bandwidth if they can't charge for it? Why would they invest in more bandwidth if the high-end users can't be charged more? [00:15:39] Right. You remember me talking about that. Well, we now have proof that what I said was absolutely right. Because you know that President Trump's FCC, and of course the head of the FCC, Ajit Pai, just came out and eliminated that so-called net neutrality rule. Of course, the left was out all over the place saying, oh, the world is going to fall apart. Well, guess what: not only did it not fall apart, but the Internet has gotten much, much better because of the net neutrality repeal. So I'm looking at two articles from this week. One is AT&T is investing more now. Iowa, right? Not a big state, kind of flyover country, as the Clintons like to call it, right? It's not East Coast-West Coast, which gets most of the attention. No, it's in the Midwest. Iowa. AT&T is investing nearly 120 million dollars to boost local networks in Iowa.
That's just this week. So they're boosting reliability, coverage, speed, and overall performance for the residents and businesses of Iowa, including rural Iowa. OK. So they've already made 365 network enhancements across Iowa, including new cell sites, network capacity, and network upgrades, since President Trump removed this so-called net neutrality, which was terrible, terrible to have in place. I can't believe they did this. And again, it's the far left that's doing this. Here's another one. Absolute proof as to what's going on. That's just one sample, right, that article this week from MarketWatch, which is an investment website. OK. And that ultimately came from PR Newswire. Our next one: the U.S. Internet speed has gone from 12th place in the world. [00:17:38] So we had the 12th fastest average internet speeds. Now, the U.S., we invented the Internet, literally invented the Internet. And we've fallen to 12th place in the world under President Obama, as far as internet speeds go. Well, here you go, we got rid of net neutrality. We've got companies like AT&T and of course Comcast and, you name it, everybody investing this week as well. T-Mobile came out, wasn't T-Mobile, it was a third-party analysis: T-Mobile right now has the fastest 4G LTE speeds of any company. They are just pounding it. And you know I switched personally from Verizon; I've had Verizon Wireless since the early 90s. So since they first started providing cell service, before it was even called Verizon. So I've been with them a long time, and I switched to T-Mobile. And of course, you have to have a newer phone if you're a Verizon customer moving to T-Mobile, because you need the additional bands. But they've done amazing things again since net neutrality was removed. Well, now we've got this article. We were 12th in the world. And since the repeal of net neutrality took effect on June 11th. Since then, the U.S.
Internet speed has gone from 12th in the world, 12th fastest in the world, and we're now sixth fastest in the world. What does that mean? That means that, as far as the Internet goes, businesses are investing again, because they realize that if they put, like AT&T, 120 million dollars into Iowa, they can get their money back out. [00:19:31] Very good thing. I love the fact that they're doing this. So it makes a huge, huge difference here. You should see some of these tweets too about this article. Wow. So Ajit Pai, he announced late last year he was going to repeal it, and stuff, but it's, oh, it's going on and on and on. Of course, some positive comments and some others. So my internet speeds have improved dramatically. How about yours? OK. So we're going to talk about new facial recognition stuff, and I want to bring up this whole idea businesses have that no one's going to come after me, right? [00:20:16] Now, of course, who robs banks? Thanks, Willie. Text me his last name if you remember: 8 5 5 3 8 5 55 53. He robbed banks because that's where the money is. So where are the bad guys going to try and hack? Well, obviously they're going to go after the money. They try and go after banks, and try and build up the whole idea behind banks. And they've got the money, we're going to have them, but the banks have the money to put into fixing their security. So where else to go if you're the bad guy? [00:20:52] Yes, Sutton, you're right. Hey, thanks for that. [00:20:56] Any other comments, you can always send them there to 8 5 5 3 8 5 fifty-five fifty-three. [00:21:02] But where do they go now? Well, they go after small businesses, because small businesses are not savvy when it comes to security. And I see that every day. You know, I keep mentioning I'm picking up more and more customers, two more this week, where we're doing scans for them, because, you know, in this case one of those cases was the unknown unknowns, right? I don't know what I don't know about my security.
An accountancy, an accounting company. And so we started looking. And of course they do billing for customers and things, and we have a customer right now. Well, actually their insurance company is our customer, because they were an accounting firm, and as an accounting firm they had all of this data. Guess what was stolen? They got hacked, right through their firewall, because most firewalls are pieces of garbage, and they were able to use that and stole 180,000 dollars in cash from the accountancy's customers. So, if you don't think you're exposed, you're wrong. But you wouldn't be out of the ordinary, because right now 76 percent of small businesses say that they have not activated any sort of multifactor authentication. And we've talked about that on the show before. You know I'm using Yubikeys. I've got my clients moving towards those as well. We've got the integrated systems so that if someone comes on board we can give them access to everything from one place, and if they leave we can remove their access to everything from one place. [00:22:42] But 51 percent of small business leaders who were polled are convinced that their companies are not a target for cybercrime. Now, do any of you have a board of directors that needs some information? Let me know. We just this week did an FBI webinar that I ran on this very issue. How do you convince your board of directors that they need to do something, and do something urgently? This is not the same world it was five years ago. So, 51 percent of small business leaders are convinced their companies are not a target for cybercrime. And yet at the same time, they are the ones who are getting breached. I pick up a new client at least every week that has been breached and we've got to go in and clean up the mess.
Or, as I mentioned, our help in the lawsuits that ensue, and get paid by the insurance companies, and that's after the business is going out of business because they lost all of their working capital, their cash is gone. So, here's another example: an Ohio man got sentenced to 15 months for a BEC scam, business email compromise. Olemewa Jumeau, I'm probably mispronouncing that, targeted CEOs, CFOs and other business leaders with fraudulent e-mails. [00:24:06] So, this is from the press release: Chief U.S. District Judge Janet Hall last week sentenced him to 15 months in federal prison for his role in a business email compromise scheme targeting organizations in the United States. You know, I was looking at the stats from our clients from just last week, and it was amazing to me to see, wow, how many attempts there were we stopped for our clients last week. I think it was like four dozen business email scam attacks directly attributed to it. Of course, you know, tens of thousands of spam e-mails. But these were really directed attacks where they're going after a specific business. OK. So after 15 months in federal prison, he is going to have three years of supervised release. Now, it just bugs the heck out of me. Fifteen months. Here's a guy that stole the retirement, the livelihood of these business people, right. We're businesspeople, we're trying to run a business. We're hoping that it will support us in our retirement, because heaven knows Social Security isn't going to cut it. We're hoping that maybe we have something left to pass on to the children, as long as the government doesn't take it from us. So, they've lost it all. They've lost it all. And this guy, it's 15 months. It's absolutely crazy. [00:25:37] So, this guy admitted that he caused losses exceeding 100,000 dollars and was ordered to pay 90,000 in restitution. I don't know what the actual numbers are. That's all he admitted to, but, bad news.
Make sure you tighten up your security. If you want me to talk to your board of directors, I'll be glad to make presentations. I do it all the time for annual meetings and other places. If you have any other questions or comments, reach out. Just pick up your phone, you can text me: 855-385-5553. Keep an eye out in your e-mails, hopefully you're on my e-mail list, because starting this week, every week in September I'm going to be doing a different webinar. We're going to be talking about the big problems out there: ransomware, what to do about it, business email compromise, all of this stuff. So, if you want to be involved in those, let me know as well; they're free to attend. I have solutions that I'm going to offer as well, but the free information is here: 855-385-5553. Have a great week and we'll chat again next week. Bye-bye.
---
Related articles:
The End Of Net Neutrality Has Doubled Our Internet Speed Ranking
With The End Of Net Neutrality AT&T Invests Nearly $120 Million To Boost Local Networks In Iowa
Half Of Small Businesses Believe They're Not Cybercrime Targets
DNC Reports Attempted Cyberattack On Its Voter Database
New Facial Recognition System Catches First Imposter At US Airport
Ohio Man Sentenced To 15 Months For BEC Scam
Another Equifax-Style Hack On The Way? Could Be!
---
More stories and tech updates at: www.craigpeterson.com
Don't miss an episode from Craig. Subscribe and give us a rating: www.craigpeterson.com/itunes
Message Input: Message #techtalk
Follow me on Twitter for the latest in tech at: www.twitter.com/craigpeterson
For questions, call or text: 855-385-5553

Antago - CISO Summit
CISO Summit: Week 35 2018 - #ATtention, exploit for Apache Struts and RCE at packagist.org

Antago - CISO Summit

Play Episode Listen Later Aug 31, 2018 7:43


In calendar week 35 the CISO Summit covers the #ATtention vulnerability, which was found in many Android firmware versions. We also talk about the exploit for Apache Struts and report on a serious vulnerability at packagist.org. #CISOSummit #ATtention #Exploit
Android firmware
————————————————————————
Researchers presenting at the USENIX Security Symposium examined more than 2,000 Android firmware images from 11 manufacturers. On five of 14 devices it was possible by default to execute AT commands over a USB connection. AT commands were developed in the 1980s by Hayes to control the modems of the day. Today manufacturers extend this standard command set with commands of their own, which expose display control and many configuration options. Because the commands run at the firmware level, the operating system, and with it the installed services and apps, sees nothing of the code execution. An attacker with physical access to the Android device could therefore install spyware, for example. Android versions up to 7.1.1 were tested, but this attack vector can presumably be exploited on newer versions as well. No updates are available at present, and it is questionable whether updates can be expected at all. To protect yourself, control physical access to your Android device.
Sources: https://atcommands.org/sec18-tian.pdf
Tags: #ATtention #ATBefehle #Android #AndroidCodeExecution
Exploit for Apache Struts
————————————————————————
Last week we reported on an important patch for Apache Struts. The patch closes a vulnerability (CVE-2018-11776) that allows system commands to be executed. A public exploit for the vulnerability is now available on GitHub.
With the exploit, arbitrary code can be executed on the server with the privileges of the user account running the Struts instance. Since the patch for the supported versions has been available for more than a week, patch urgently if you have not already done so. The fixed versions are 2.3.35 and 2.5.17.
Sources: https://github.com/mazen160/struts-pwn_CVE-2018-11776
Tags: #ApacheStruts #Exploit #RemoteCodeExecution #RCE #CVE201811776
Remote code execution at packagist.org
————————————————————————
Security researcher Max Justicz found an easily exploitable remote code execution on packagist.org. Through an insufficiently validated parameter, code could be executed on the service's web server. It was enough to write the code to be run as a command substitution "$()" into a URL field; the code was then executed. The researcher had previously found similarly critical vulnerabilities in other package managers. Even though package managers make developing software easier, they carry a high risk. To ensure the integrity of the sources you use, verify downloaded packages with a secure hash algorithm. Package managers usually publish a hash of the original package, which you should check.
Sources: https://justi.cz/security/2018/08/28/packagist-org-rce.html
Tags: #packagistOrg #RemoteCodeExecution
This week's CISO Summit was presented by Alexander Dörsam. Visit us at https://antago.info
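Two checks a practitioner would run against the Struts advice in this entry (and against the S2-057 patch item in the week 34 entry that follows), as an added example that is not Antago's or the Apache Struts project's code: the version comparison against the fixed releases 2.3.35 and 2.5.17 named above, and a scan of struts.xml for the configuration the S2-057 advisory ties to CVE-2018-11776, namely struts.mapper.alwaysSelectFullNamespace=true together with packages that have no fixed namespace, or redirectAction/chain results with no explicit namespace parameter. The struts.xml below is constructed for the demonstration; the FIXED_RELEASES table and the finding texts are this example's own.

```python
"""Offline checks for the conditions the S2-057 advisory ties to CVE-2018-11776.

Added example for this listing, not Antago's or the Apache Struts project's code.
It checks (1) whether a reported Struts version is below the fixed releases
2.3.35 / 2.5.17 and (2) whether a struts.xml combines alwaysSelectFullNamespace=true
with packages that have no namespace (or a wildcard one), or declares
redirectAction / chain results without an explicit namespace parameter.
SAMPLE_STRUTS_XML is constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET

# First fixed release per supported branch, as named in the advisory.
FIXED_RELEASES = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

# Result types whose target is resolved through the (attacker-influenced) namespace.
NAMESPACE_SENSITIVE_RESULTS = ("redirectAction", "chain")


def parse_version(version):
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Struts version: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_is_vulnerable(version):
    """True/False for the 2.3 and 2.5 branches; None for branches the advisory does not cover."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def audit_struts_xml(xml_text):
    """Return human-readable findings for the configuration patterns the advisory lists."""
    root = ET.fromstring(xml_text)
    findings = []

    full_namespace = any(
        c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )

    for pkg in root.iter("package"):
        pkg_name = pkg.get("name", "?")
        namespace = pkg.get("namespace")
        loose_namespace = namespace is None or "*" in namespace

        for action in pkg.iter("action"):
            action_name = action.get("name", "?")
            if full_namespace and loose_namespace:
                findings.append(
                    f"package '{pkg_name}', action '{action_name}': no fixed namespace "
                    f"while struts.mapper.alwaysSelectFullNamespace=true"
                )
            for result in action.iter("result"):
                rtype = result.get("type", "dispatcher")
                if rtype not in NAMESPACE_SENSITIVE_RESULTS:
                    continue
                has_namespace = any(p.get("name") == "namespace" for p in result.iter("param"))
                if not has_namespace:
                    findings.append(
                        f"package '{pkg_name}', action '{action_name}': {rtype} result "
                        f"without an explicit namespace param"
                    )
    return findings


# Constructed configuration: one risky package, one that sets its namespaces explicitly.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="help" class="example.HelpAction">
      <result type="redirectAction">index</result>
    </action>
  </package>
  <package name="secure" namespace="/secure" extends="struts-default">
    <action name="index" class="example.IndexAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/secure</param>
      </result>
    </action>
  </package>
</struts>
"""

if __name__ == "__main__":
    for ver in ("2.3.34", "2.5.17"):
        print(ver, "vulnerable" if version_is_vulnerable(ver) else "fixed")
    for finding in audit_struts_xml(SAMPLE_STRUTS_XML):
        print("FINDING:", finding)
```

The configuration scan is a triage aid, not proof of exploitability: a hit means the deployment matches a pattern the advisory describes and should be upgraded first, while a clean scan on an unpatched version still leaves the version finding standing.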
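The packagist.org item above describes two things worth seeing side by side: the shell-injection pattern that lets a "$()" in a URL field run, and the hash check the entry recommends for downloaded packages. Below is an added example, not Max Justicz's, Packagist's or Antago's code. The git ls-remote command is an assumption chosen to illustrate the pattern, not Packagist's actual command, and all inputs are constructed.

```python
"""The shell-injection pattern behind the packagist.org RCE, next to a hardened version,
plus the download-hash check the text recommends.

Added example, not Max Justicz's, Packagist's or Antago's code. The text says a command
substitution "$()" typed into a URL field was executed on the server; the git ls-remote
command below is an assumption chosen to illustrate that pattern, not Packagist's actual
command. Inputs are constructed.
"""
import hashlib
import hmac
import re
import subprocess


def build_vulnerable_command(repo_url):
    # VULNERABLE: the URL is spliced into a string that a shell will parse, so a value
    # such as 'https://example.com/x.git$(id)' has its $(...) expanded by /bin/sh
    # before git ever sees the argument. Returned, not executed, for the demonstration.
    return f"git ls-remote --heads {repo_url}"


def shell_would_expand(command_string):
    # Rough check for the metacharacters that turn data into code under shell=True.
    return any(tok in command_string for tok in ("$(", "`", ";", "|", "&", "\n"))


# Allow-list for the URL shape we are prepared to hand to git (assumption for this example).
_REPO_URL = re.compile(r"^https://[A-Za-z0-9.-]+(?::\d{1,5})?/[A-Za-z0-9._/-]+$")


def validate_repo_url(repo_url):
    # Reject anything outside the allow-list instead of trying to escape it.
    if not _REPO_URL.match(repo_url):
        raise ValueError(f"rejected repository URL: {repo_url!r}")
    return repo_url


def build_safe_command(repo_url):
    # HARDENED: argv list, no shell. The URL is one literal argument; "$(...)" inside it
    # is just text. Execute it with subprocess.run(argv, shell=False, ...).
    return ["git", "ls-remote", "--heads", validate_repo_url(repo_url)]


def run_safe(repo_url, timeout=30):
    # Executes for real (needs git and network); kept apart so the builders stay testable.
    return subprocess.run(build_safe_command(repo_url), shell=False, capture_output=True,
                          text=True, timeout=timeout, check=False)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_download(data, expected_sha256_hex):
    # Integrity check of fetched package bytes against the hash the registry publishes.
    # compare_digest keeps the comparison constant-time.
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.lower())


PAYLOAD_URL = "https://example.com/vendor/package.git$(id)"   # constructed input

if __name__ == "__main__":
    cmd = build_vulnerable_command(PAYLOAD_URL)
    print("vulnerable string:", cmd, "-> shell would expand:", shell_would_expand(cmd))
    try:
        build_safe_command(PAYLOAD_URL)
    except ValueError as err:
        print("hardened path:", err)
    pkg = b"constructed package bytes"
    print("hash ok:", verify_download(pkg, sha256_hex(pkg)))
```

The hardened path does two independent things: the allow-list stops the hostile value early with a clear error, and the argv form means that even a value which slips through the allow-list can never be interpreted by a shell. Drop either one and you are back to trusting the other.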

Antago - CISO Summit
CISO Summit: Week 34 2018 - GhostScript, #USBHarpoon and important patches!

Antago - CISO Summit

Play Episode Listen Later Aug 30, 2018 7:13


In calendar week 34 the CISO Summit covers a new critical problem in Ghostscript, USBHarpoon and important patches. #CisoSummit #Ghostscript #USBHarpoon
GhostScript
————————————————————————
Critical vulnerabilities have been discovered in the Ghostscript interpreter. They are comparatively easy to exploit, and the discoverers supplied proof-of-concept code with their report. According to the discoverers, the vulnerability is already being actively exploited. The flaws allow files to be read and malicious code to be executed. Because the vulnerability lies in the Ghostscript interpreter itself, programs such as ImageMagick, Evince, GIMP and most other PDF/PS tools are affected. The flaw is particularly dangerous on web servers, where an attacker can read information or execute system functions directly. There are no patches yet, but the problem can be mitigated by adjusting ImageMagick's policy.xml: the PS, EPS, PDF and XPS coders should be disabled there with coder policies whose rights are set to none, so that ImageMagick never hands those formats to Ghostscript.
Sources: https://bugs.chromium.org/p/project-zero/issues/detail?id=1640 https://www.kb.cert.org/vuls/id/332928
Tags: #RemoteCodeExecution #ImageMagick #GhostScript
#USBHarpoon
————————————————————————
USBHarpoon is an attack vector based on BadUSB, which was presented in 2014. BadUSB manipulated the firmware of USB devices such as USB sticks, so that the stick could not only store data but also issue commands and thereby execute code on the computer. Because USB charging cables have for some time contained microcontrollers rather than being plain wires, it has now been shown that they suffer from the same problem. The researcher also defeated the protection of so-called USB condoms, which are meant to disable USB data transfer and allow charging only.
Since laptops are now charged over ordinary USB cables too, and smartphones always have been, the attack surface is fairly large. The USB cable does, however, have to be actively plugged in. So take care not to use unknown cables or cables that look untrustworthy; public charging stations, for example, fall into that category.
Sources: https://vincentyiu.co.uk/usbharpoon/ http://mg.lol/blog/badusb-cables/
Tags: #USBHarpoon #BadUSB #CodeExecution
Patches
————————————————————————
Important patches were released this week as well. Apache Struts, Photoshop CC and OpenSSH should be patched. The patch for the Apache Struts web framework fixes a dangerous remote code execution flaw. It only closes the vulnerability and should therefore cause no problems. The Photoshop CC patch likewise closes a critical remote code execution flaw, affecting the Windows and macOS versions. The SSH patch closes a 19-year-old vulnerability in OpenSSH that lets an attacker find out whether a user account exists or not. It is therefore an information leak, which an attacker can follow up by trying to brute-force that user's password.
Sources: https://cwiki.apache.org/confluence/display/WW/S2-057 https://helpx.adobe.com/security/products/photoshop/apsb18-28.html http://seclists.org/oss-sec/2018/q3/124
Tags: #Patchen #ApacheStruts #RemoteCodeExecution #SSH #OpenSSH #PhotoshopCC
This week's CISO Summit was presented by Alexander Dörsam. Visit us at https://antago.info
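For the Ghostscript mitigation in this entry, a practitioner wants to know whether a given ImageMagick policy.xml actually denies the PS, EPS, PDF and XPS coders, and to add the denials if not. The script below is an added example, not ImageMagick's, CERT's or Antago's code; SAMPLE_POLICY is constructed, and the only policy syntax it understands is the coder domain with a plain or brace-grouped pattern.

```python
"""Checks an ImageMagick policy.xml for the Ghostscript-backed coder denials the text
describes (PS, EPS, PDF, XPS), and appends whichever are missing.

Added example, not ImageMagick's, CERT's or Antago's code. SAMPLE_POLICY is constructed;
real policy.xml files live under the ImageMagick config directory and carry a DOCTYPE,
which ElementTree parses without fetching anything.
"""
import xml.etree.ElementTree as ET

GHOSTSCRIPT_CODERS = ("PS", "EPS", "PDF", "XPS")


def _expand_pattern(pattern):
    # policy.xml allows brace groups such as pattern="{PS,EPS,PDF}".
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        return [p.strip().upper() for p in pattern[1:-1].split(",")]
    return [pattern.upper()]


def denied_coders(policy_xml):
    """Set of coder names whose rights are 'none'."""
    denied = set()
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if policy.get("domain") != "coder":
            continue
        if (policy.get("rights") or "").strip().lower() != "none":
            continue
        denied.update(_expand_pattern(policy.get("pattern") or ""))
    return denied


def missing_denials(policy_xml):
    """Ghostscript-backed coders that are still allowed, in the order the text lists them."""
    denied = denied_coders(policy_xml)
    return [c for c in GHOSTSCRIPT_CODERS if c not in denied]


def harden(policy_xml):
    """Return the policy with a rights="none" line appended for every missing coder."""
    if "</policymap>" not in policy_xml:
        raise ValueError("not a policymap document")
    lines = "".join(
        f'  <policy domain="coder" rights="none" pattern="{c}" />\n'
        for c in missing_denials(policy_xml)
    )
    return policy_xml.replace("</policymap>", lines + "</policymap>")


# Constructed policy: PS and EPS already denied, PDF and XPS still allowed.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="{PS,EPS}" />
</policymap>
"""

if __name__ == "__main__":
    print("still allowed:", missing_denials(SAMPLE_POLICY))
    print(harden(SAMPLE_POLICY))
```

A wildcard deny (pattern="*") is not recognised by this checker and would be reported as missing; if your policy uses one, the four explicit lines are harmless duplicates. After editing, confirm with ImageMagick's own view of the policy rather than trusting the file edit alone.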

TechSNAP
Episode 381: Here Comes Cloud DNS

TechSNAP

Play Episode Listen Later Aug 29, 2018 23:53


To make DNS more secure, we must move it to the cloud! At least that’s what Mozilla and Google suggest. We breakdown DNS-over-HTTPS, why it requires a “cloud” component, and the advantages it has over traditional DNS. Plus new active attacks against Apache Struts, and a Windows 10 zero-day exposed on Twitter.
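DNS-over-HTTPS as this episode discusses it is the ordinary DNS wire format carried inside an HTTPS request to a resolver endpoint, which is the "cloud component": the resolver is a web service rather than a UDP listener on the local network. The block below is an added example, not TechSNAP's, Mozilla's or Google's code. It builds the wire-format query, encodes it for the RFC 8484 GET form, and parses a constructed wire-format answer; the resolver URL is an assumption and nothing is sent over the network.

```python
"""DNS-over-HTTPS wire format per RFC 8484: build the DNS query, encode it for the
GET ?dns= parameter, and parse a wire-format answer.

Added example, not TechSNAP's, Mozilla's or Google's code. The resolver URL is an
assumption and nothing is sent; build_sample_response() constructs the answer bytes so
the parser can be exercised offline. RFC 8484 section 4.1.1 shows the same encoded
query for www.example.com that the main block prints.
"""
import base64
import struct

TYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A):
    # ID 0 and RD=1: RFC 8484 suggests a fixed ID so identical queries are cacheable.
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)


def doh_get_url(resolver_url, wire_query):
    # base64url without padding, as the RFC requires for the dns= parameter.
    param = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={param}"


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:            # compression pointer
            pointer = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg):
    """Return (flags, [(name, ttl, ipv4)]) for the A records in a wire-format response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return flags, answers


def build_sample_response(name, ipv4, ttl=300):
    # Constructed response: QR=1, RD=1, RA=1, one question, one A answer whose owner
    # name is a 0xC00C compression pointer back to the question name.
    header = struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, CLASS_IN, ttl, 4)
    rr += bytes(int(octet) for octet in ipv4.split("."))
    return header + question + rr


if __name__ == "__main__":
    query = build_query("www.example.com")
    print(doh_get_url("https://dns.example.net/dns-query", query))   # resolver URL assumed
    print(parse_answers(build_sample_response("www.example.com", "192.0.2.1")))
```

To use this against a real resolver, send the URL with an HTTPS client and the header Accept: application/dns-message, then pass the response body to parse_answers(); the only thing the transport changes is that the query now rides on a TLS connection to whichever operator runs the endpoint, which is exactly the centralisation trade-off the episode discusses.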

The CyberWire
Unpatched Apache Struts installations being exploited in the wild. Windows local privilege escalation flaw. Similarities among spyware. Stalkerware hack. Criminal threats to the grid. Breaches.

The CyberWire

Play Episode Listen Later Aug 29, 2018 20:00


In today's podcast we hear that the Apache Struts vulnerability, patched last week, is being actively exploited by cryptojackers. Microsoft works on a fix for a local privilege escalation flaw in Windows. Trend Micro sees similarities among the Urpage, Confucius, Patchwork, and Bahamut campaigns. Air Canada suffers a breach. Criminal threats to power grids. And searching for search engine optimization in all the wrong places. Jonathan Katz from UMD on flaws in Intel processors' secure enclave. Guest is Fred Kneip from CyberGRX on third-party risk. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_29.html
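The exploitation this episode reports (the S2-057 Struts flaw, CVE-2018-11776) puts an OGNL expression in the request path, which is something a defender can look for in ordinary web access logs after the fact. The block below is an added example, not CyberWire's or Signal Sciences' code: it runs a marker-based check over constructed combined-format log lines. The marker list is a heuristic rather than a signature, and the attack fragment in the sample is cut down to the allowStaticMethodAccess prelude, not a working payload.

```python
"""Spotting OGNL expressions in request paths, the shape of the S2-057 /
CVE-2018-11776 attacks that the text says are being exploited for cryptomining.

Added example, not CyberWire's or Signal Sciences' code. It runs over constructed
Apache/nginx combined-format access log lines; the marker list is a heuristic, not a
signature, and the attack fragment in the sample is truncated to the
allowStaticMethodAccess prelude rather than a working payload.
"""
import re
from urllib.parse import unquote

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Substrings that only turn up when someone is trying to get OGNL evaluated from the URL.
OGNL_MARKERS = ("${", "%{", "#_memberAccess", "#context", "@ognl.", "getRuntime(")


def decode_target(target):
    # Decode up to twice: double-encoding ("%2524%257B") is a common filter bypass.
    previous = target
    for _ in range(2):
        current = unquote(previous)
        if current == previous:
            break
        previous = current
    return previous


def inspect_line(line):
    m = LOG_LINE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "target": decoded,
        "markers": [marker for marker in OGNL_MARKERS if marker in decoded],
    }


def find_suspicious(lines):
    """Parsed records whose decoded request target carries at least one OGNL marker."""
    return [rec for rec in map(inspect_line, lines) if rec and rec["markers"]]


# Constructed log: two benign requests, then a single- and a double-encoded probe.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [29/Aug/2018:10:15:02 +0000] "GET /help.action HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Aug/2018:10:15:03 +0000] "GET /search.action?q=%7Bstruts%7D HTTP/1.1" 200 318 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Aug/2018:10:16:40 +0000] "GET /%24%7B(%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue)%7D/help.action HTTP/1.1" 302 0 "-" "curl/7.61.0"
198.51.100.23 - - [29/Aug/2018:10:16:41 +0000] "GET /%2524%257B(%2523context)%257D/index.action HTTP/1.1" 302 0 "-" "curl/7.61.0"
"""

if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_ACCESS_LOG.splitlines()):
        print(rec["ip"], rec["status"], rec["markers"], rec["target"])
```

A 302 on a path like the two flagged ones is the tell for S2-057 specifically, since the flaw sits in the redirect-to-namespace handling; a 200 or 404 with the same markers still deserves a look because the same probe is reused against other Struts bugs. Bear in mind that access logs show only the URL: Content-Type-header attacks such as the 2017 Equifax flaw need request-header logging or a WAF to see.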

Paul's Security Weekly
A Mixture of Spices - Application Security Weekly #30

Paul's Security Weekly

Play Episode Listen Later Aug 29, 2018 59:22


This week, Keith and Paul discuss The Apache Struts2 RCE Vulnerability! In the news, Using Signal Sciences to defend against Apache Struts, PHP flaw puts WordPress sites at risk, Oracle will charge for Java starting in 2019, how Netflix does Failovers in 7 minutes flat, Burp Suite 2.0 Beta released, even anonymous coders leave fingerprints, and more on this episode of Application Security Weekly!   Full Show Notes: https://wiki.securityweekly.com/ASW_Episode30   Visit https://www.securityweekly.com/asw for all the latest episodes!   Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!   →Visit our website: https://www.securityweekly.com →Follow us on Twitter: https://www.twitter.com/securityweekly →Like us on Facebook: https://www.facebook.com/secweekly

Application Security Weekly (Audio)
A Mixture of Spices - Application Security Weekly #30

Application Security Weekly (Audio)

Play Episode Listen Later Aug 29, 2018 59:22


This week, Keith and Paul discuss The Apache Struts2 RCE Vulnerability! In the news, Using Signal Sciences to defend against Apache Struts, PHP flaw puts WordPress sites at risk, Oracle will charge for Java starting in 2019, how Netflix does Failovers in 7 minutes flat, Burp Suite 2.0 Beta released, even anonymous coders leave fingerprints, and more on this episode of Application Security Weekly!   Full Show Notes: https://wiki.securityweekly.com/ASW_Episode30   Visit https://www.securityweekly.com/asw for all the latest episodes!   Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!   →Visit our website: https://www.securityweekly.com →Follow us on Twitter: https://www.twitter.com/securityweekly →Like us on Facebook: https://www.facebook.com/secweekly

MorphusCast
Apache Struts e OpenSSH vulneráveis

MorphusCast

Play Episode Listen Later Aug 27, 2018 11:04


We talk with Renato Marinho about two newly identified vulnerabilities. One of them involves RCE and is under mass exploitation right now. We recommend updating as soon as possible.

Linux Security Podcast
What the Equifax Hack Tells Us About Cybersecurity Today - Linux Security Podcast Ep. 6

Linux Security Podcast

Play Episode Listen Later May 17, 2018 24:08


Equifax was the victim of one of the highest profile hacks in history. More than 147 million people's financial data was exposed. Surprisingly, the Equifax CEO blamed the entire incident on a single engineer failing to patch a known vulnerability in Apache Struts. Anyone versed in security knows this scapegoating is ridiculous. The Struts vulnerability might have been the point of entry, but the failure was an over-reliance on patching as a security strategy. Atomicorp's Mike Shinn breaks down the Equifax hack, how it happened and what it says about how security cultures based on patching will face similar fates. 

DevSecOps Podcast Series
Steps to Responsible Disclosure with Bas van Schaik,Man Yue Mo and Brian Fox

DevSecOps Podcast Series

Play Episode Listen Later Mar 20, 2018 30:45


On March 1, 2018, the team at Semmle announced a critical vulnerability in the Pivotal Spring framework. The vulnerability was found by security researcher Man Yue Mo at Semmle — the team behind lgtm.com. In this episode of OWASP 24/7, I speak with the research team at Semmle on how they discovered the vulnerability. Also, Brian Fox joins the discussion on the process for responsible disclosure, different ways to approach it and what other companies and projects are doing when a vulnerability is found in their project. About Man Yue Mo — Security Researcher at Semmle for lgtm.com During his PhD in mathematics at Oxford, Mo became interested in scientific algorithm development with a focus on data science and machine learning. At Semmle, Mo developed an interest in Semmle's core technology for writing queries over source code. This QL query technology is freely available on lgtm.com for the open source community to use for analyzing their code. Mo has since used QL to identify numerous security vulnerabilities, including CVE-2017-8046 in Pivotal's Spring Data REST, and the infamous CVE-2017-9805 in Apache Struts. He continues to work closely with the open source community to ensure these vulnerabilities are patched and responsibly disclosed. The blog on https://lgtm.com/blog contains various articles by Mo on how to use QL for security research. About Bas van Schaik — Head of Product at Semmle As the Head of Product at Semmle, Bas is responsible for the entire product portfolio — from the core QL query technology, to lgtm.com where this technology is made freely available to the open source community. Following his PhD in Computer Science at Oxford, Bas joined Semmle to work on machine learning and data science techniques for extracting insights from software engineering data. 
After setting up a strong team of machine learning experts, he now works closely with engineers and leaders to ensure that Semmle's products are effective in all parts of the software development process — to secure and improve code, reduce risk, and deliver actionable insights. He works closely with pioneers in the open source community, as well as with developers and leaders at organizations such as Google, Microsoft, NASA, Credit Suisse, NASDAQ, and Dell. About Brian Fox, CTO, Sonatype Co-founder and CTO, Brian Fox is a member of the Apache Software Foundation and former Chair of the Apache Maven project. As a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin, he has over 20 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other development related conferences.

The CyberWire
Patchable vulnerabilities in Apache Struts and Exim. CombJack malware. DPRK vs. UN Panel of Experts. Cyberwar and legal limits. Espionage Act prosecution. Infowars turn grimly kinetic.

The CyberWire

Play Episode Listen Later Mar 7, 2018 18:07


In today's podcast, we hear that spies like Apache Struts exploits. Server vulnerabilities described. A new cryptojacker steals at least four varieties of cryptocurrency. North Korea may have hacked UN sanctions enforcers. Dutch Intelligence (and Microsoft) warn of cyberwar, but it's not a declared war, which makes response harder. Update to the pack rat defense, with considerations of mens rea. ISIS terror inspiration. And a possible assassination attempt. Chris Poulin from BAH on next generation IoT devices, like security robots. Guest is Sylvain Gil from Exabeam on business by design, and the importance of the design process in security solutions. 

Hack Naked News (Video)
ICANN, Duo Security, iPhone Hacking, and Whole Foods - Hack Naked News #143

Hack Naked News (Video)

Play Episode Listen Later Oct 3, 2017 27:04


The internet isn’t ready for DNS sec, Netgear patches away, Whole Foods is the latest victim of a credit card breach, and more. Ferruh Mavituna and Sven Morgenroth of Netsparker join us to discuss Apache Struts vulnerability and the Equifax breach on this episode of Hack Naked News! Full Show Notes: https://wiki.securityweekly.com/HNNEpisode143 Visit http://hacknaked.tv to get all the latest episodes!

Paul's Security Weekly
Hack Naked News #143 - October 3, 2017

Paul's Security Weekly

Play Episode Listen Later Oct 3, 2017 26:56


The internet isn’t ready for DNS sec, Netgear patches away, Whole Foods is the latest victim of a credit card breach, and more. Ferruh Mavituna and Sven Morgenroth of Netsparker join us to discuss Apache Struts vulns and the Equifax breach on this episode of Hack Naked News!Full Show Notes: https://wiki.securityweekly.com/HNNEpisode143 Visit http://hacknaked.tv for all the latest episodes!

Paul's Security Weekly TV
ICANN, Duo Security, iPhone Hacking, and Whole Foods - Hack Naked News #143

Paul's Security Weekly TV

Play Episode Listen Later Oct 3, 2017 27:04


The internet isn’t ready for DNS sec, Netgear patches away, Whole Foods is the latest victim of a credit card breach, and more. Ferruh Mavituna and Sven Morgenroth of Netsparker join us to discuss Apache Struts vulnerability and the Equifax breach on this episode of Hack Naked News! Full Show Notes: https://wiki.securityweekly.com/HNNEpisode143 Visit http://hacknaked.tv to get all the latest episodes!

Hack Naked News (Audio)
Hack Naked News #143 - October 3, 2017

Hack Naked News (Audio)

Play Episode Listen Later Oct 3, 2017 26:56


The internet isn’t ready for DNS sec, Netgear patches away, Whole Foods is the latest victim of a credit card breach, and more. Ferruh Mavituna and Sven Morgenroth of Netsparker join us to discuss Apache Struts vulns and the Equifax breach on this episode of Hack Naked News!Full Show Notes: https://wiki.securityweekly.com/HNNEpisode143 Visit http://hacknaked.tv for all the latest episodes!

Technado from ITProTV (Audio)
ITProTV Podcast 7: Equifax Breach (Audio)

Technado from ITProTV (Audio)

Play Episode Listen Later Sep 19, 2017 23:38


It's been a busy week in the world of IT, but the most notable story is the massive data breach at Equifax. Early reports are blaming a security hole in Apache Struts, so Don Pezet and Daniel Lowrie help us understand just what that means.

WashingTECH Tech Policy Podcast with Joe Miller
Jessica Lee: The Cyberwarfare Capability of North Korea (Ep.106)

WashingTECH Tech Policy Podcast with Joe Miller

Play Episode Listen Later Sep 19, 2017 23:21


The Cyberwarfare Capability of North Korea For decades, policymakers, journalists and the media have discussed, prevented, and continued to assess North Korea's nuclear capabilities. The United States and the United Nations have repeatedly issued sanctions against the country to prevent it from developing its nuclear arsenal. But what is the cyberwarfare capability of North Korea? The Council of Korean Americans' Jessica Lee sheds light on the cyberwarfare capability of North Korea and the current policy landscape affecting the Korean Peninsula. Bio Jessica Lee is the Director of Policy and Advocacy at the Council of Korean Americans (CKA)(@CouncilKA). Jessica works closely with the Executive Director and CKA members to define CKA's policy agenda and advocacy strategy. Jessica leads research and analysis on leading issues of importance to Korean Americans. Prior to joining CKA, Jessica was a Resident Fellow at the Pacific Forum CSIS in Honolulu, HI. At the Pacific Forum, Jessica published articles on security and economic relations in East Asia. She brings a decade of public and private sector experience in Washington. Previously, Jessica was the director of a nonprofit organization specializing in women's leadership training and development. She was also a senior manager of The Asia Group, LLC, a strategy and capital advisory firm. Jessica previously served as a staff member in the House of Representatives. While she worked on the Hill, Jessica handled the Asia portfolio for the chairman of the House Committee on Foreign Affairs. She was also a senior legislative assistant for a member of Congress on the Ways and Means Committee. Jessica received a B.A. in political science from Wellesley College. She also holds an A.M. in East Asian regional studies from Harvard University. Jessica is a Truman Security Fellow, a David Rockefeller Fellow of the Trilateral Commission, and a Google Next Gen Policy Leader. 
Jessica has advanced proficiency in Korean and lives in northern Virginia with her husband and daughter. Resources Council of Korean Americans Backchannel to Cuba: The Hidden History of Negotiations Between Washington and Havana by William M. LeoGrande News Roundup Equifax Hacked The credit reporting agency Equifax last week reported that its systems had been breached. The breach potentially exposed the data of some 143 million Americans. Equifax CEO and Chairman Richard Smith made the announcement last week. However, the actual breach took place on July 29. Hackers got into Equifax's system by exploiting a flaw in a popular open source platform called Apache Struts. Equifax uses Apache Struts for the online form customers use to dispute errors in their credit reports. Equifax's initial attempt to repair the breach failed. Both the FBI and FTC are now investigating the data breach. Massachusetts Senator Ed Markey also introduced a bill called the "Data Broker Accountability and Transparency Act". MarketWatch reported on Saturday that now-fired Chief Security Officer Susan Mauldin doesn't have any educational background in information security. According to her LinkedIn profile, Mauldin has a bachelor's and Master of Fine Arts in Music Composition from the University of Georgia. Equifax's stock price has fallen by more than 30% since Smith announced the breach. Experts suspect state actors played a role. AnnaMaria Andriotis, Michael Rapaport, and Robert McMillan report for the Wall Street Journal. Kaspersky ousted from federal agencies The Department of Homeland Security issued what's called a Binding Operational Directive that gives federal agencies 90 days to remove Kaspersky Lab technologies from federal networks. Officials suspect the Russia-based company has ties to the Russian state and that it is a front for Russian spies. Agencies have 30 days to identify where they're using Kaspersky, and another 60 days to remove it. 
Jason Miller has the story on Federal News Radio. Alphabet may be considering a $1 billion investment in Lyft Greg Bensinger reports for the Wall Street Journal that Alphabet may be considering making a $1 billion investment in Lyft. This is still at speculation stage. Alphabet and primary Lyft rival Uber have been at odds over the last year or so. Tensions between Uber and Alphabet came to a head earlier this year when Alphabet sued Uber for allegedly stealing trade secrets from Alphabet's self-driving car unit Waymo. Google pay discrimination lawsuit Three women who previously worked at Google are suing the company for pay discrimination. The former employees who worked in both tech and non-tech roles at the tech giant allege the company pays women less than men working in similar roles. The California lawsuit also alleges that Google hires women for roles less likely to lead to promotions. Daniel Weissner reports in Reuters. Congress considers adding driverless trucks to autonomous vehicles legislation Finally, Edward Graham reports in Morning Consult that Senators are considering adding language to its draft autonomous vehicles bill that would include driverless trucks. The House unanimously passed an autonomous vehicles bill on September 6th, which didn't include language on driverless trucks. In the meantime, a new Morning Consult poll shows consumers are still a bit wary of autonomous vehicles. Just 22% of those surveyed said they thought self-driving cars are safer than the average human driver. Thirty-five percent said they think they are less safe.  

Technado from ITProTV
ITProTV Podcast 7: Equifax Breach & Other News

Technado from ITProTV

Play Episode Listen Later Sep 18, 2017 23:39


It's been a busy week in the world of IT, but the most notable story is the massive data breach at Equifax. Early reports are blaming a security hole in Apache Struts, so Don Pezet and Daniel Lowrie help us understand just what that means.

Illegal Argument
153: Strutting Like A Cowboy

Illegal Argument

Play Episode Listen Later Sep 17, 2017 78:32


Severe security vulnerability found in Apache Struts using lgtm.com (CVE-2017-9805)
XML? Be cautious!
The Backdoor Threat
Java News
Moving Java Forward - 6 month release cycle, breaking changes. 3 yearly LTS versions
Java 9 will NOT be an LTS release
Module Hell - java.ee not in base (easy to fix, but ack)
O'Reilly Java 9 Modularity published
Use Stream API simpler (or don't use it at all)
Kevlin Henney JavaZone talk/video: Paradigms Lost, Paradigms Regained: Programming with Objects and Functions and More
Jitwatch Project Home
IntelliJ Plugin
Video demo of Jitwatch/IntelliJ Plugin at the JVM Language Summit
Using GraphQL? Why Facebook Now Owns You
Java EE moves to the Eclipse Foundation

The CyberWire
Binding Operational Directive 17-01 hits Kaspersky. Point-of-sale malware found in some Elasticsearch servers. BlueBorne proves widespread. Equifax breach updates, industry notes, a look at the Billington Summit.

The CyberWire

Play Episode Listen Later Sep 14, 2017 18:09


In today's podcast, we hear that DHS tells the US Executive Branch to stop using Kaspersky security software. Kromtech finds Elasticsearch servers hosting point-of-sale malware. BlueBorne bugs buzz billions of boxes. Equifax says that its breach was accomplished via the Apache Struts flaw patched in April. Industry notes include both venture funding and acquisition news. We take a quick look back at the Billington CyberSecurity Summit. Johannes Ullrich with an update on the Mirai botnet. Renato Marinho, Chief Research Officer at Morphus Labs, on a bad Chrome browser extension that can steal banking credentials. And robo-lawyers come to small claims court. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. We read Recorded Future’s free intel daily, you might find it valuable, too. If you’d like to protect your endpoints against advanced threats, check out Cylance. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event.

Illegal Argument
152: XML Beware

Illegal Argument

Play Episode Listen Later Sep 10, 2017 8:43


A short minisode on Apache Struts, XML deserialisation attacks, and Equifax.
XML? Be cautious!
Severe security vulnerability found in Apache Struts using lgtm.com (CVE-2017-9805)
CVE-2017-9805: Analysis of Apache Struts RCE Vulnerability in REST Plugin
Apache Struts Statement on Equifax Security Breach
Apache Struts Security Bulletins
OWASP Dependency Check
struts-pwn - an exploit tester
Remotely Exploitable Java Zero Day Exploits through Deserialization (2015 alert for Apache Commons Collections 3.x)
A critical Apache Struts security flaw makes it 'easy' to hack Fortune 100 firms
Upgrade your s**t!

The CyberWire
Apache Struts patched. Dragonfly is in the power grid. Ransomware notes. Taringa breached. Cryptocurrencies in China and Russia. Signal stealing that's not SIGINT.

The CyberWire

Play Episode Listen Later Sep 6, 2017 17:33


In today's podcast we hear about a critical vulnerability in Apache Struts. It's been patched—enterprises are advised to apply it as soon as possible. Dragonfly poses a clear and present danger to European and US power grids. Ransomware continues rampant. Latin American social media platform Taringa suffers a breach. Notes from the Intelligence and National Security Summit. Cryptocurrencies in China and Russia. Ben Yelin from UMD CHHS on the resignation of many of President Trump’s cyber security advisors. Guest is Tom Billington promoting the upcoming Billington Cybersecurity event. And say it ain't so, Joe—are the Red Sox stealing signals with an Apple Watch? Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. To learn about combining threat intelligence, analytics, and orchestration, check out ThreatConnect’s webinar. If you’d like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8’s white paper. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event.

Sophos Podcasts
Chet Chat 260 - Mar 17, 2017

Sophos Podcasts

Play Episode Listen Later Mar 17, 2017 19:24


Join Sophos experts Chester Wisniewski and Paul Ducklin for the latest episode of our regular security podcast. The duo turn the latest news into purposeful advice as they discuss swastikas on Twitter, the recent Apache Struts zero-day exploit, the CIA's funkily-named "Fine Dining" project, and why four of Google's biggest competitors have decided to stand up for Mountain View in court.

The CyberWire
Canadian government sites recover from the Apache Struts vulnerability. FireEye's M-Trends report is out, calling out greater sophistication in financial cybercrime. USAF accidentally exposes SF86s. Vault 7 update.

The CyberWire

Play Episode Listen Later Mar 14, 2017 14:25


In today's podcast, we hear about how the Apache Struts bug has bitten in Canada. FireEye sees financial cybercrime approaching state espionage exploits in sophistication. The US Air Force leaves sensitive personal information exposed in a backup database. Investigation into WikiLeaks' Vault 7 continues. Okta files for its IPO. Ben Yelin from the UMD Center for Health and Homeland Security reviews a mobile device privacy bill. Adam Thomas from Deloitte outlines their latest cyber insurance report.  And today is Patch Tuesday.

The CyberWire
WikiLeaks, responsible disclosure, and insider threats. PlayStation credentials rumored to have been compromised. Apache Struts bug being actively exploited. DPRK missile cyber security. A look at West African cybergangs.

The CyberWire

Play Episode Listen Later Mar 10, 2017 19:28


In today's podcast, WikiLeaks offers to enter the responsible disclosure game, but be warned: there are legal problems should you accept classified information. Some AV companies tout their reviews in Vault 7. Speculation about how CIA hacking notes leaked turns to an insider threat. HackRead warns that PlayStation credentials may have been compromised. The Apache Struts vulnerability is being exploited in the wild. Observers cast doubt on reports the US successfully hacked North Korean missile launches. Joe Carrigan from the Johns Hopkins University Information Security Institute weighs in on SHA-1. Comodo's Kenneth Geers shares insights from their 2016 Global Report. Trend Micro and Interpol take a look at the West African cybercrime scene.

The SaaS (Software as a Service) Business Podcast
013: Service More Than Software with Blair Williams

The SaaS (Software as a Service) Business Podcast

Play Episode Listen Later Apr 4, 2016 69:12


Blair Williams is a software engineer and entrepreneur. He is the owner and lead programmer for Caseproof. Caseproof has four products on the market: Pretty Link, MemberPress, Affiliate Royale, and Buy Now for Stripe. Pretty Link is a WordPress plugin to manage link redirection on WordPress websites, MemberPress is a product to manage membership sites, Affiliate Royale is a product to manage your affiliates, and Buy Now for Stripe is a product that allows integration with Stripe to sell products on a website without an SSL certificate. Please see Disclosure* (below) concerning affiliate links on this page.

Key Segments

[0:02:39] After getting a degree in computer science, Blair worked as a programmer, software architect, and CTO at various companies. But while he was working these jobs, he was moonlighting on Caseproof doing freelance web development for clients and then got into WordPress plugins.

[0:03:56] His passion was all about the web. He created Caseproof to both learn about the web and get started helping people build websites. When Blair first started building web apps, he thought he needed to use the most bulletproof technology he could find, something that could scale massively and be solid. He chose Java Struts [see Apache Struts] and Enterprise JavaBeans. It took him about a year to create his first web app, which was basically a file browser. After that experience, he switched to PHP. He wasn't sure how PHP would scale but felt that he would be able to get things done in a reasonable amount of time.

[0:06:16] While working at Franklin Covey, he started working on larger applications that had been written in PHP and were out of control. He heard about Ruby on Rails. Since Rails uses a Model-View-Controller (MVC) as Struts does, he felt it had the strength of Struts while using a beautiful scripting language. He switched to Rails for several years, even using it after he started working with WordPress, and today still uses some Rails apps to facilitate the sale of MemberPress and other plugins.

[0:07:21] He later began to work for a client doing more Search Engine Optimization (SEO) and Internet marketing work and started fiddling around with WordPress to develop microsites. As part of this, he wanted to start tracking links in pay-per-click campaigns independent from Google to have secondary confirmation. That's when he wrote Pretty Link for WordPress. He also wrote Pretty Link in such a way that he could use his own domain name instead of Bitly, or something like it, to shorten links. He put Pretty Link on the WordPress Plugin Directory and found that other people wanted to track their links too.

[0:08:58] After Pretty Link came Affiliate Royale, MemberPress, and Buy Now for Stripe. Pretty Link is a WordPress plugin. MemberPress is also a WordPress plugin but uses a license server on the backend running a Rails-based service. The backend issues and revokes licenses, and facilitates updates. Upgrades and support for a year come with a license.

[0:10:30] “When I first got into this, I thought this was gonna be this primarily programming job. I was gonna just be in my basement coding all the time, and it was all about the software. I was just gonna make the software better, and that is a really important part of the business, but the thing I have found is that it's really not a software business; it's a support business [slightly edited].” MemberPress handles e-commerce, protecting pages, and keeping the life-cycle relationship with the customer intact. People use it to run their businesses. Blair's team takes support seriously, and that costs money.

[0:12:36] “We take it just as seriously as you take your business, and we wanna make sure that you're up and running, that you are able to make money. That's our whole goal: to help you make money.”

[0:12:51] Most of Caseproof's support team are developers. They can go in and fix things for people. Ron had a very positive support experience with the Caseproof team and, knowing how expensive support is, felt a little guilty for the time they spent fixing the problem [relative to the cost of Pretty Link Pro]. Blair's response was: “But that's what they're there for, and we try to fix as many things as we can.”

[0:13:51] Blair attributes part of the strength of MemberPress to WordPress but notes that there are thousands of plugins, themes, and web hosts in the self-hosted WordPress environment. Testing every permutation is impossible. Support in this environment requires masterful troubleshooting skills.

[0:16:04] Pretty Link, the free version, will do basic, server-side redirects (301, 302, and 307), which Blair explains.

[0:19:15] Pretty Link Pro also allows JavaScript redirects, meta refresh redirects using HTML, cloaking, pixel tracking, Tweet automation, social bars, Tweet counters, keyword replacement, alternate base URLs, and geographic redirects. Cloaking is a technique to hide target URLs from the user. Cloaking is legitimately used to retain branding when redirecting but has also been used for questionable reasons to trick people. Pretty Bar Redirect is a form of cloaking that puts a bar at the top of a linked page with brought-to-you-by branding. Pixel tracking, where a one-pixel image is loaded with a page, is also provided to track page views and hits. Tweet automation tweets to connected Twitter accounts when designated pages are initially published. Keyword replacement will replace occurrences of keywords throughout a site with a predefined link (such as an affiliate link). An alternate base URL can be used to provide a short URL for a long URL, such as SaaSBP.com as a substitute for SaaSBusinessPodcast.com. Geographic redirects will redirect based on a user's location.

[0:31:11] With MemberPress, you can control who has access to content by limiting access according to rules established by the admin. Access can be granted or revoked for posts, pages, categories, tags, feeds, communities, digital files, and custom taxonomies. Community access allows integration with BuddyPress or bbPress to limit access based on topics. You can manage subscriptions, manage transactions, and resend welcome emails. MemberPress centralizes the rules for access to all of your content. There are also developer tools to integrate with external systems such as SaaS products. MemberPress can revoke access if payments lapse. Membership levels control price, subscription period, trial period, access to content, and recurring billing. Registration pages can be set up for each level. Customers have account pages to view billing history, edit their information, and can be given the option to cancel subscriptions. The admin can also manage coupons with options to define the frequency of use, expiration, discount levels, applicable products, and trial periods. Members are not restricted to a single subscription level but may have multiple subscriptions defined within the site. MemberPress can calculate proration for membership level upgrades.

[0:43:49] If customers require custom MemberPress development work, Caseproof maintains a list of trusted vendors and can provide referrals. These are vendors who are familiar with MemberPress and maintain a relationship with Caseproof to resolve problems. Caseproof does not receive payment from vendors for referrals made.

[0:44:43] For payments, MemberPress integrates with PayPal for Business and Stripe (and Authorize.net for the developer version). Caseproof is working on integrating with Braintree and, for Australia, eWay. With Stripe and PayPal, the integration is tight, so you can tell if someone has purchased or canceled, and an admin can manage subscriptions from the membership site without needing to log into the gateway. All three services can notify MemberPress of payments made; MemberPress can then issue receipts to the user.

[0:50:17] MemberPress also provides analytics to see how your membership site is doing. It will report by week, month, year, and product, allowing you to see who has been buying what and when. You can measure traffic, money coming in, and lifetime average value of users. The data is live and displayed using Google's Visualization API [see Google Charts].

[0:52:28] Affiliate Royale allows you to manage a complete affiliate program. It will track affiliate commissions, and if you refund a transaction, it will automatically calculate the correction. Currently, it only supports payments to affiliates using PayPal. You can have a tiered commissions structure of up to 100 levels. It generates a dashboard allowing affiliates to see how much they have been paid or are currently owed, to see a leaderboard, to get affiliate links, banners, or other assets you have provided, and to enter an SSN or EIN for tax purposes. In addition to MemberPress, it integrates with Easy Digital Downloads, WooCommerce, Shopify, and other e-commerce platforms. And since Affiliate Royale is a WordPress plugin, all this is managed from your site with the same look and feel as the rest of your site.

[0:56:00] Blair's software products came about organically. He started by searching for a tool, which eventually led to the development of Pretty Link. He tried to find solutions but found none that completely solved his problem.

[0:57:07] “Initially with Pretty Link, I didn't even have any idea that it would make money. I just put it out there on the repository thinking: well, this is what you do. You put software back out there into the community and give back a little bit. And there was kind of a big uptake. I think the first day there were almost 200 people who downloaded it. Just the first day! I was pretty excited about that, and over the next few months, I thought: ‘I wonder if there is a way I could make money at this?' [slightly edited]”

[0:57:43] “WordPress, in general, does not make it easy to monetize plugins.” Anyone who sells premium plugins that can do automatic updates has to reverse engineer WordPress a little bit and create their own server that the plugin can talk to and get updates from. “It's pretty involved.” Initially, they were using FTP to copy files into WordPress, but over the years, they have gotten better at utilizing the plugin management facilities of WordPress.

[0:59:07] Affiliate Royale and MemberPress were also needs that Blair had identified while working with other software or clients in those fields. He found things that were good, but not exactly what he needed, so he decided to build it himself. With the update mechanism from Pretty Link in place, he had an advantage with the other products. For the most part, the products were a “scratch-your-own-itch kind of thing.”

[1:00:54] For resources, Blair recommends the book The Personal MBA, getting a good accountant, and GoDaddy Online Bookkeeping. The Personal MBA is his number one from the many business books he has read. “If anybody has one book to read, they should read The Personal MBA.” GoDaddy Bookkeeping integrates with Stripe and PayPal, allowing them to track numerous small transactions. With Buy Now for Stripe, Caseproof gets a couple of cents per transaction as a fee. They must have software to track thousands of transactions. He has also heard good things about Xero and Less Accounting. FreshBooks is another great resource. Concerning accountants, Blair feels that you can't replace the in-depth professional knowledge of a good accountant.

[1:05:03] Buy Now for Stripe is a plugin that allows users to accept credit card payments from a WordPress website without an SSL certificate. It's the most SaaS-like of their products. The backend is a Ruby-based application. For a credit card payment, it redirects to a secure payment server for the payment and then back to the original site when complete. It is similar to a PayPal flow without a PayPal account. It uses Stripe Connect, so it uses your Stripe account and is connected to the Buy Now for Stripe service. They facilitate the transaction, but the money goes straight into your account minus a small fee. They assess a transaction fee on top of Stripe's fees (for which they have gotten some flak), but if you weigh the transaction fee against the cost of an SSL, it's less expensive in many cases. If you're doing high volume, investigate getting an SSL. Buy Now for Stripe also has some features to facilitate the delivery of products; for example, it will send a receipt to a user with a link to where a product can be downloaded. They have had a lot of requests to integrate with MemberPress to allow transactions from MemberPress without an SSL, so they are looking into that.

Resources Mentioned

Affiliate Royale – a WordPress plugin that allows you to manage a complete affiliate program. See above or listen at [0:52:28].
Apache Struts – an open-source, Model-View-Controller (MVC) framework for creating web applications based on Java. It is extensible using a plugin architecture. It has plugins to support REST, AJAX, and JSON.
Java Struts – see Apache Struts.
Authorize.net – credit card processing.
bbPress – a WordPress plugin to create online forums.
Bitly – a link shortening and tracking service.
Braintree – online payment processing.
BuddyPress – a WordPress plugin to help you build a community website with member profiles, activity streams, user groups, messaging, and more.
Buy Now for Stripe – accept payments on your WordPress site without an SSL certificate.
Caseproof – Blair Williams' company, makers of Pretty Link, MemberPress, Affiliate Royale, and Buy Now for Stripe.
Easy Digital Downloads – e-commerce web app for digital products.
Enterprise JavaBeans – server-side software based on Java to encapsulate business logic.
eWay – online payment processing.
eWay Australia – online payment processing for Australia.
FreshBooks – small business accounting software.
GoDaddy Online Bookkeeping – online bookkeeping.
Google Charts – interactive charts for use in browser and on mobile devices.
Google's Visualization API – API for Google Charts.
Java Struts – see Apache Struts.
Less Accounting – online accounting software.
MemberPress – WordPress plugin to manage membership sites allowing you to accept payments, control access, and sell digital products securely.
PayPal – web app to pay for online transactions.
PayPal for Business – a service to accept online payments using PayPal or credit cards.
PHP – a script-type programming language used by WordPress and widely used on the web embedded in HTML.
Pretty Link – Caseproof's WordPress plugin to manage affiliate links on WordPress sites.
Pretty Link Pro – the paid version of Pretty Link. See above or listen at [0:19:15]. Adds JavaScript redirects, meta refresh redirects using HTML, cloaking, pixel tracking, Tweet automation, social bars, Tweet counters, keyword replacement, alternate base URLs, and geographic redirects.
Ruby – a script-type programming language with an elegant syntax. Its creator, Yukihiro “Matz” Matsumoto, has said that he is “trying to make Ruby natural, not simple.”
Ruby on Rails – an open-source Model-View-Controller (MVC) framework for creating web apps based on the Ruby programming language.
Shopify – e-commerce web app.
Stripe – web app to accept credit card payments.
Stripe Connect – service to enable payments for sellers, vendors, contractors, etc.
The Personal MBA: Master the Art of Business – book by Josh Kaufman covering the essentials of business.
WooCommerce – e-commerce web app.
WordPress – software to create web pages (websites, blogs, and apps).
WordPress Plugin Directory – the official WordPress repository for plugins.
Xero – online accounting software.

*Disclosure: Some of the links on this page may be affiliate links. I may earn a commission if you purchase through these links. These commissions help to cover the cost of producing the podcast. I am affiliated only with companies I know and trust to deliver what you need. In most cases, affiliate links are to products and services I currently use or have used in the past. I would not recommend these resources if I did not sincerely believe that they would help you. I value you as a visitor/customer far more than any small commission I might earn from recommending a product or service. I recommend many more resources with which I am not affiliated than affiliated. In most cases where there is an affiliation, I will note it, but affiliations come and go, and the notes may not keep up.

Unsupported Operation

Unsupported Operation 79

IntelliJ IDEA 12.1.1 available
JavaZ - new functional patterns library for Java - looks interesting, but UGLY
Lambda Ladies - Recently started group to promote functional programming to women in tech
Sonatype’s gateway to Central upgraded to Nexus 2.4 - what version is your nexus?
JMS2, Bean Validation 1.1, JBatch, JSON-P go final
Resteasy 3.0-beta-4 and 2.3.6.Final Released
Redline-RPM - Native Java RPM generation - no need for native rpm-tools install
https://github.com/stephenc/non-maven-jar-maven-plugin
cucumber-testng-factory 1.0.1 released.

Kotlin
funKTionale 0.1.5 is ready

Scala
Atomic Scala print book now available

Clojure
ClojureWerkz Money 1.2.0 - wrapper library for Joda Money
Running and debugging Clojure with IntelliJ IDEA
lein-thriftc - Apache Thrift plugin for Leiningen

Groovy
2.1.3 available

Apache
HttpClient 4.2.4 released
Maven Compiler 3.1 released
Maven Surefire 2.14.1
Maven Shared Utils 0.4
Wink 1.3.0 - Apache Wink is a simple yet solid framework for building RESTful Web services. It is comprised of a Server module and a Client module for developing and consuming RESTful Web services
Apache PDF Box 1.8.1
Apache Wookie 0.14 - Apache Wookie is a Java server application that allows you to upload and deploy widgets for your applications; widgets can not only include all the usual kinds of mini-applications, badges, and gadgets, but also fully-collaborative applications such as chats, quizzes, and games. Wookie is based on the W3C Widgets specification, but widgets can also be included that use extended APIs such as Google Wave Gadgets and OpenSocial
Apache CouchDB 1.3.0
Apache Struts 1 end of life - going to the Attic
Apache cTAKES becomes a top level project: (clinical Text Analysis and Knowledge Extraction System) is an Open Source natural language processing system for information extraction from electronic medical record clinical free-text. Widely used in production by numerous organisations across the healthcare sector, cTAKES was started in 2006 by a team of physicians, computer scientists and software engineers at Mayo Clinic, and was submitted to the Apache Incubator in June 2012
Pig 0.11.1
Apache Bloodhound 0.5.2 is a tool to track progress and defects in software products. Sits on Trac.
The Apache Accumulo 1.4.3 - sorted, distributed key/value store is a robust, scalable, high performance data storage system that features cell-based access control and customizable server-side processing. It is based on Google's BigTable design and is built on top of Apache Hadoop, Zookeeper, and Thrift.
Apache Syncope 1.0.7 is an Open Source system for managing digital identities in enterprise environments, implemented in JEE technology
Apache Commons-FileUpload 1.3 - bug fixes, enhancements, drops pre 1.5 support
Apache Rave 0.20.2 is a new web and social mashup engine. It provides an out-of-the-box, as well as extendible, lightweight Java platform to host, serve and manage OpenSocial, W3C and other web widgets.