Inaccurate information from data brokers can damage careers and reputations. It's time for US privacy laws to change how law enforcement and legal agencies obtain and act on data.

"Predictive policing" sounds like something from the plot of the movie _Minority Report_. However, it's a very real practice that relies heavily on data collected and disseminated by two of the largest data brokers in the United States — RELX and Thomson Reuters.

When we talk about big data, we tend to focus on companies such asAmazon, Equifax, Experian, Google, and Meta (formerly known as Facebook). These are mostly companies that commercialize data for marketing efforts, business decisions, product insights, and financial reasons. RELX and Thomson Reuters operate a little differently. These data giants broker data access, analytics tools, news, and research to libraries, scientists, large corporations, law enforcement, and other government agencies.

They are sometimes referred to as "law enforcement data brokers" due to the breadth of information they make available to legal and law enforcement agencies. Unfortunately, this is also a major point of contention with the public.

**What Do Law Enforcement Data Brokers Do?**

Law enforcement data brokers have used technology to expand the scope of public surveillance far beyond traditional surveillance means. While RELX and Thomson Reuters are secretive about their data-collection resources, there are many obvious information veins, including court records, news collections, research studies, and any information you make public that they feel is valuable.

It's not just the massive amount of data they have on every one of us that's a problem, it's also how they analyze this data to make human risk predictions. The information they combine uses past activities, legal records, personal associations, and even ZIP codes to determine the risk that a person will break the law or conduct illegal activity. It's effectively high-tech profiling, and often perpetuates systemic racism.

These data brokers also provide vast amounts of information to the US Immigration and Customs Enforcement (ICE) Agency, which it then uses to target immigrants. This has led to a collective public outrage that has produced petitions, lawsuits, and increased interest in how law enforcement and the government obtain and use data.

**Law Enforcement Has Found a Workaround to Data Privacy Laws**

Many of us are aware that we, as Americans, have a right to privacy. And there are laws that prohibit law enforcement and government agencies from gathering and using our data under most circumstances. However, these laws say nothing about them buying this data access from third parties.

Since the government isn't collecting and processing this data itself, these agencies can skirt federal privacy laws, operating in a legal gray area.

While we all deserve to live in a safe environment, we also deserve to not have our privacy violated and data used to inform legal opinions about our potential for certain actions.

**The Data They're Using Isn't Always Accurate**

It's unsettling to imagine that information being used to assess the risk you pose isn't necessarily accurate. It's not just related to law enforcement targeting; it's also related to any legal decisions. Custody decisions, civil suit outcomes, insurance decisions, and even hiring decisions can all be influenced by the RELX-owned LexisNexis system, which gathers and aggregates data.

Unfortunately, there's little recourse for someone who was unfairly treated due to a data-based risk assessment because people are rarely privy to the way these decisions are made. So, a corporate HR manager or Family Court judge could be operating off bad or incomplete data when making decisions that could effectively change lives.

RELX and Thomson Reuters have disclaimers freeing them from liability for inaccurate data, which means your information could be mixed in with someone else's, causing serious repercussions in the wrong circumstances.

In 2016, a man named David Alan Smith successfully sued LexisNexis Screening Solutions when the company provided his prospective employer with an inaccurate background check. LexisNexis failed to make sure that Smith's middle name was the same across all the data, resulting in the reporting of a criminal history that was not his. Smith's potential employer withdrew its job offer based on this report, showing just how significantly bad data can impact someone's life.

Fortunately, the courts held LexisNexis accountable for this gross negligence, but this is not always the case.

**How Can We Stop This Misuse of Data?**

Because privacy laws are still young and poorly structured in the US, the best recourse is to be knowledgeable and vocal. There are online petitions and organizations that are working to change how law enforcement and legal agencies obtain and act on data.

Hopefully, with enough public support, we can push legislators to act. Every person has a right to be in control of their own data. Any entity that threatens that right should be held accountable, and protections need to be put in place to prevent it from continuing to happen.

The Threat of Predictive Policing to Data Privacy and Personal Liberty

Courier Deprixa version 2.5 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : COURIER DEPRIXA V2.5 Backdoor Account Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.themeslide.com/courier-deprixa-logistics-worldwide-v2-5/                                               |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin & pass=09731 [+] https://deprixalogistics.online/dashboard/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Courier Deprixa 2.5 Backdoor Account

Consultine Consulting Business and Finance Website CMS version 1.8 has been reported as having a default backdoor account.

    =======================================================================================================================================================================================| # Title     : consultine consulting business and finance website cms v1.8 Backdoor Account Vulnerability                                                                            || # Author    : indoushka                                                                                                                                                             || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                                                                               | | # Vendor    : https://codecanyon.net/item/consultine-consulting-business-and-finance-website-cms/22236735                                                                           |  | # Dork      : About Us  Lorem ipsum dolor sit amet, omnis signiferumque in mei, mei ex enim concludaturque. Senserit salutandi euripidis no per, modus maiestatis scribentur est an.|=======================================================================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin@gmail.com & pass=1234 [+] https://www.seusite.top/jornal/admin/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Consultine Consulting Business And Finance Website CMS 1.8 Backdoor Account

Car Dealer Pro version 2.01 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : Car Dealer Pro v2.01 Backdoor Account Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://codecanyon.net/item/car-dealer-pro/7265588                                                                 |  | # Dork      : "Powered by: Car Dealer Pro"                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin & pass=pass1234 [+] http://car.wenclub.vip/admin/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Car Dealer Pro 2.01 Backdoor Account

Botble version 5.28.3 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : Botble 5.28.3 Backdoor Account Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              | | # Vendor    : hhttps://codecanyon.net/item/botble-cms-php-platform-based-on-laravel-framework/16928182                           |  | # Dork      : "Botble Technologies. All right reserved."                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=botble  & pass=159357 [+] https://cms.botble.com/admin/loginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Botble 5.28.3 Backdoor Account

Active Ecommerce CMS version 6.4.0 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : Active ecommerce cms v6.4.0 Backdoor Account Vulnerability                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(64-bit)                                              | | # Vendor    : https://codecanyon.net/item/active-ecommerce-cms/23471405?s_rank=24                                                |  | # Dork      : "category/beauty-health-hair"                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin@example.com  & pass=123456 [+] https://www.sbeshopping.com/loginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Active Ecommerce CMS 6.4.0 Backdoor Account

A variety of initiatives — such as memory-safe languages and software bills of materials — promise more secure applications, but sustained improvements will require that vendors do much better, researchers agree.

Can we build a defensible Internet? To improve the security of the Internet and the cloud applications it supports in 2023, we need to do better, experts say. Much better.

At the beginning of 2022, companies famously scrambled to hunt down and mitigate a critical vulnerability in a widespread component of many applications: the Log4j library. The following 12 months of Log4Shell woes highlighted that most companies do not know all the software components that make up their Internet-facing applications, do not have processes to regularly check configurations, and fail to find ways to integrate and incentivize security among their developers. 

The result? With the post-pandemic increase in remote work, many companies have lost their ability to lock down applications and remote workers and consumers are more vulnerable to cyberattacks from every corner, says Brian Fox, chief technology officer for Sonatype, a software security firm.

"Perimeter defense and legacy behavior worked when you had physical perimeter security — basically everyone was going into an office — but how do you maintain that when you have a workforce that increasingly works from home or a coffee shop?" he says. "You've stripped away those protections and defenses."

As 2022 nears its close, companies continue to struggle against insecure applications, vulnerable software components, and the large attack surface area posed by cloud services.

**The Software Supply Chain's Gaping Holes Persist

Even though software supply chain attacks grew 633% in 2021, companies still do not have the processes in place to do even simple security checks, such as weeding out known vulnerable dependencies. In March, for example, Sonatype found that 41% of downloaded Log4jcomponents were vulnerable versions.

Meanwhile, companies are increasingly moving infrastructure to the cloud and adopting more Web applications, tripling their use of APIs, with the average company using 15,600 APIs, and traffic to APIs quadrupling in the last year.

This increasingly cloudy infrastructure makes users' human fallibility the natural attack vector into enterprise infrastructure, says Tony Lauro, director of security technology and strategy at Akamai.

"The unfortunate truth is that no matter what is happening in the enterprise and how well you lock it down and secure it, there is opportunity to attack the users," he says. "With ransomware and malware, phishing and scams, even if the back end is secure, they can take advantage of the user."

****Cyberthreats Against Applications Only Loom Larger**

To see an example of how little progress cybersecurity has made in the past three decades, companies do not have to look further than phishing. The social engineering technique has been around for almost as long as email, yet the vast majority of companies (83%) have suffered a successful email-based phishing attack in 2022. Phishing easily leads to credential harvesting and then to compromises of Web applications and cloud infrastructure.

The simple technique can bypass multiple layers of application security and give attackers access to sensitive data, systems, and networks, Daniel Cuthbert, global head of cyber security research at Banco Santander, said at this month's Black Hat Europe security conference.

"You should be able to click on something and not have it push a reverse shell out to somebody else," he lamented. "Is it that hard to ask?"

Attackers are also focusing on targeting applications in ways that get by many of the security controls that are operating at the edge of the network.

At the Black Hat Asia conference in May, researchers outlined ways to sneak attacks past web application firewalls (WAFs) to deliver malicious payloads to otherwise-protected applications and their databases. In December, cybersecurity firm Claroty demonstrated more general attacks using JSON to bypass five major WAFs, including those of Amazon Web Services and Cloudflare. In the same month, a pair of researchers used a vulnerable version of Spring Boot to bypass Akamai's WAF.

Companies have to be more tactical about how they rely on WAFs, says Akamai's Lauro. So-called "virtual patching" — when the WAF is used to block the exploit of vulnerabilities that are not yet, or cannot yet be, patched — is an important capability. Yet, too many companies use WAFs to protect poorly designed applications, he says.

"You need to identify how that vulnerability could be attacked from the Internet, and virtual patches helps there, but once you are inside the network, the first thing I'm going to do as an attacker is look for some of these zero-days and use them to move laterally," he says.

**Future AppSec Requires Innovation**

Efforts to protect the fundamental components of software by securing the software supply chain will be a key source of innovation in the near future. These advances take time to implement and are not silver bullets, but they can result in far more robust software development and end product, experts say.

Providing developers more information about the components they import into their own software through systems like Scorecard, for example, has significant security benefits. Scorecard checks a variety of software project attributes, such as whether there are binary code included in the software, have dangerous development workflows, or has signed releases. Just that information can determine whether a project is vulnerable with 78% accuracy, according to the Open Software Security Foundation (OpenSSF).

Sigstore, which allows each software component to be signed, is another technology that will help developers understand and secure their supply chains, says John Speed Meyers, principal security scientist at Chainguard, a software security firm.

"A key building block for preventing software supply chain compromises is the widespread use of digital signatures," he says. "This helps reduce the chance of software supply chain compromises and reduce the blast radius when they do happen."

**Companies Can Make Cyber-Secure Application Choices**

While those advances in the software development process can result in more secure software, the choice of language can make a significant difference as well. Memory-safe languages can all but eliminate pernicious classes of software flaws, such as buffer overflows and use-after-free vulnerabilities. 

Google, for example, found that the use of memory-safe languages, such as Java and Rust, rather than C and C++ resulted in lowering the number of vulnerabilities from 223 to 85 over three years.

Companies need to give developers more support and leeway in selecting secure tools and frameworks, not just focus on productivity and features, says Sonatype's Fox.

"There is a new reality that companies need to wake up to and deal with, and that is that the developers at the end of the day are the ones that have to make these changes, and the organizations need to recognize their problems and support them," he says. "Developers are finding their own tools, and they know that's a problem, but they are not getting the support from the company, so even in a world where developers want to do the right thing, their companies are holding them back."

At the executive level, companies also need to be using their buying power to focus on holding their vendors accountable for security of their products, Banco Santander's Cuthbert said during his Black Hat Europe keynote.

"When we look at buying product, and we look at buying software, the reality is that we have zero input to make sure that those vendors, those products are secure," he said. "We just don't have that power and we don't have meaningful influence."

Internet AppSec Remains Abysmal & Requires Sustained Action in 2023

The WP Google Review Slider WordPress plugin before 11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2022-4242

The Login for Google Apps WordPress plugin before 3.4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2022-3840

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

)\]}' { "commit": "383b2e75a7a4198c42f8f87833eefb772868a56f", "tree": "44e79b095cf43e1ed915df938a9b9fe3d387f9f4", "parents": \[ "3115f89c4b99a620c7f1a4395a2b4405e95b82b6" \], "author": { "name": "Russ Cox", "email": "rsc@golang.org", "time": "Mon Aug 09 15:09:12 2021 -0400" }, "committer": { "name": "Russ Cox", "email": "rsc@golang.org", "time": "Tue Aug 10 18:28:16 2021 +0000" }, "message": "language: turn parsing panics into ErrSyntax\\n\\nWe keep finding new panics in the language parser.\\nLimit the damage by reporting those inputs as syntax errors.\\n\\nChange-Id: I786fe127c3df7e4c8e042d15095d3acf3c4e4a50\\nReviewed-on: https://go-review.googlesource.com/c/text/+/340830\\nTrust: Russ Cox \\u003crsc@golang.org\\u003e\\nRun-TryBot: Russ Cox \\u003crsc@golang.org\\u003e\\nTryBot-Result: Go Bot \\u003cgobot@golang.org\\u003e\\nReviewed-by: Roland Shoemaker \\u003croland@golang.org\\u003e\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "f41aedcfc8aaf1db50211c0b75bbafa157ce0f23", "old\_mode": 33188, "old\_path": "internal/language/language.go", "new\_id": "6105bc7fadc11148c74d33ed45d978b659dc69ac", "new\_mode": 33188, "new\_path": "internal/language/language.go" }, { "type": "modify", "old\_id": "c696fd0bd867dbbac347721ad862055d8f177718", "old\_mode": 33188, "old\_path": "internal/language/parse.go", "new\_id": "47ee0fed174f22d8e07542716ea146c12d894092", "new\_mode": 33188, "new\_path": "internal/language/parse.go" }, { "type": "modify", "old\_id": "11acfd885627957280da6eb58f986b6542dd9192", "old\_mode": 33188, "old\_path": "language/parse.go", "new\_id": "59b04100806a9186164d246b5f61f1f9d2f3bba7", "new\_mode": 33188, "new\_path": "language/parse.go" } \] }

Tag

#google