An analysis by RSA Conference's security operations center found 20% of data over its network was unencrypted and more than 55,000 passwords were sent in the clear.

Even cybersecurity professionals need to improve their security posture.

That's the lesson from the RSA Conference in February, where the security operations center (SOC) run by Cisco and NetWitness captured 55,525 cleartext passwords from 2,210 unique accounts, the companies stated in a report released last week. In one case investigated by the SOC, a chief information security officer had a misconfigured email client that sent passwords and text in the clear, including sensitive documents such as their payment for a professional certification.

While the number of cleartext passwords is an improvement compared with the 96,361 passwords exposed in 2020 and the more than 100,000 sent in the clear in 2019, there is still room for improvement, says Jessica Bair Oppenheimer, director of technical alliances at Cisco Secure.

"As the RSA Conference is mostly attended by cybersecurity professionals and supporting roles within the security industry, we generally consider the demographic to represent more of a 'best-case' level of security awareness," she says. "Somewhat shockingly, unencrypted email is still being used in 2022."

The annual report presents a view into network usage among a security-focused group of users. Cisco and NetWitness emphasized that the wireless network at the RSA Conference is not configured in the most secure way, but configured to be monitored for educational purposes. For that reason, the network has a flat architecture, allowing any device to contact any other device on the network. Host isolation, which allow devices a route to the internet but not to other devices on the network, would be more secure but less interesting.

**User Credentials at Risk**

At approximately 19,900 attendees, the 2022 RSA Conference only had about half the number of people as the previous conference in 2020, but about the same number of users on the network, the report stated.

The major issue was failure to use encryption for the authentication step when using email and other popular applications. Nearly 20% of all data passed through the network in the clear, the report stated.

"Encrypting traffic does not necessarily make one more secure, but it does stop individuals from giving away their credentials, and organizations from giving away corporate asset information in the clear," the report stated.

Yet the situation isn't as bad as it could be. Because the wireless network includes traffic from the show floor, many of the usernames and passwords are likely from demo systems and environments, the report stated. Moreover, most of the cleartext usernames and passwords — almost 80% — were actually leaked by devices using the older version of the Simple Network Management Protocol (SNMP). Versions 1 and 2 of the protocol are considered insecure, while SNMP v3 adds significant security capabilities.

"This is not necessarily a high-fidelity threat," the report stated. "\[H\]owever, it does leak information about the device as well as the organization it's trying to communicate with."

In addition to the continued use of plaintext usernames and passwords, the SOC found that the number of online applications continues to grow rapidly, suggesting that the attendees are increasingly relying on mobile devices to get work done. The SOC, for example, captured unencrypted video camera traffic connecting to home security systems on port 80 and the unencrypted data used for setting up voice-over-IP calls.

**CISO Mistake**

For the most part, the unencrypted traffic is likely from small-business users, the companies stated in the report. "It is difficult to send email in cleartext these days, and analyzing these incidents found similarities," the report stated. "Most of this traffic was to and from hosted domains. This means email services on domains that are family names or small businesses."

Yet in one case, a chief information security officer had misconfigured their email client and ultimately exposed their email username and password by sending the data in the clear. The SOC discovered the issue when it found a receipt for a CISSP payment sent in the clear from an Android-based email client.

"The discovery sparked an investigation that confirmed dozens of emails from and to the person were downloaded across the open network in the unsecure protocol," the report stated.

Companies should verify that the technologies used by employees have created end-to-end encrypted connections and should apply zero-trust principles to check — at appropriate times — that the encryption is still being applied.

"We've found applications and websites that authenticate encrypted and then pass the data without encryption across the open networks," Cisco Secure's Oppenheimer says. "Alternatively, some will pass unencrypted credentials across open networks and then encrypt the data. Both scenarios are less than ideal."

Virtual private networks are not a panacea but can strengthen the security of unencrypted applications. Finally, organizations should use cybersecurity and awareness training to educate their hybrid workers in how to be secure when working from remote locations.

Unencrypted Traffic Still Undermining Wi-Fi Security

By Habiba Rashid
The apps reported by Malwarebytes contain Android trojan yet the developer is still active on Google Play, continuing their scam.
This is a post from HackRead.com Read the original post: Google Fails To Remove “App Developer” Behind Malware Scam

  
One can never be too sure about an **app’s legitimacy** even if it is found to have approving ratings on the Google Play store. On 1st November 2022, Malwarebytes Labs analyst Nathan Collier reported on a family of malicious apps developed by Mobile apps Group that are currently available on Google’s app store even at the time of writing.

Before proceeding to discuss the details of the malware’s workings, we advise our readers to watch out for the following apps and delete them from their devices immediately:  

*   Bluetooth Auto Connect
*   Bluetooth App Sender
*   Driver: Bluetooth, Wi-Fi, USB
*   Mobile transfer: smart switch

All four apps are infected with the hidden ads trojan and the developer seems to be familiar with common tactics used to **evade detection of malware** because they have created a self-delaying schedule for the displaying of these ads.

If you have any of these apps on your Android device remove them now

The Bluetooth Auto Connect app, for example, takes approximately four days from the time it is installed to display its first ad in Chrome. This is followed by further timed delays which are always succeeded by a sequence of new ads.

The **phishing sites** opened in Chrome vary and range from harmless sites used to produce pay-per-click to more dangerous sites that attempt to trick unwary users by stating that their device has been infected and needs to be updated.

This activity continues in the background even while the mobile device is locked which means that upon unlocking their phones, users will be faced with numerous phishing website tabs in Chrome that they will have to close each time. 

In their must-read **blog post**, the analysts at Malwarebytes have compiled a list that shows the long history of the variants of HiddenAds that have infected this particular app. This behavior, it seems, is also common for the other apps from the Mobile apps Group.

What’s shocking is that previous versions of these apps have been found to contain varying versions of Android/Trojan.HiddenAds, the developer is still active on Google Play, distributing more HiddenAds malware. 

Although it’s unclear why the company’s built-in malware defense program, **Google Play Protect**, is unable to detect these apps, it turns out that this is not the first time such an issue has been brought to light.

A recent **report from Bitdefender,** a cybersecurity company, showed that there were up to 35 malicious apps being listed on Play Store that have over 2 million downloads combined. They also noted that these apps rename themselves and change their app icon after being installed in order to confuse users and remain undetected. 

At times like this where users cannot even rely on the good ratings that an app presumably has to verify its authenticity (three of the malicious apps listed above have favorable ratings themselves), it is difficult to conclude how well one can guard its device against threats such as adware.

Moreover, with this one example of malware that has still not been removed, we can only imagine the other threats that go **undetected on the Google Play Store** and continue to infect the devices of those who install them. 

1.  **Android app with 1b users fails to fix flaws; expose to malware**
2.  **Play Store Apps Caught Spreading Android Malware to Millions**
3.  **BRATA Android malware factory resets phones after stealing funds**
4.  **Google, Microsoft and Oracle generated most vulnerabilities in 2021**
5.  **Scylla Ad Fraud Attack on iOS, Android Users Halted by Apple and Google**

I am a cyber security writer and one of my favourite games is Minecraft. I also really like obscure cat memes and during my free time, if I'm not found hanging around in Discord voice channels with my friends, I'm probably cycling and taking pictures of random cats on the street.

Google Fails To Remove “App Developer” Behind Malware Scam

By Waqas
Z-Library offered pirated e-books for free and proved a suitable alternative to expensive originals.
This is a post from HackRead.com Read the original post: Tor domain remains online after Feds seize Z-Library websites

Z-Library is a famous online e-book repository used by students, bookworms, and academics. The site offered thousands of downloadable, pirated books for free. Reportedly, the internet domains of Z-Library were seized by the US Department of Justice (DoJ) last week.

**Seizure Details**

The US DoJ took down Z-Library in compliance with piracy laws since it was a platform that offered pirated e-books and proved a suitable alternative to expensive originals. The seizure occurred on Friday, after which the site went dark.

It is worth noting that the Z-Library site and its numerous domains and servers, including z-lib.org, b-ok.org, and 3lib.net, were all seized on Friday morning. The website displayed the following notice after it became inaccessible:

One of the Z-Library websites (Image: Hackread.com)

**Tor Domain for Z-Library is Still Accessible**

Although the clearnet domains for Z-Library have been seized and taken offline, it seems that the site is still accessible via the Tor network. As checked by Hackread.com, the .Onion domain (or the “dark web” domain) is still up and running. However, the Tor domain does acknowledge having server issues.

This is good news for users who value their privacy, as they can still access the site without having to worry about their identity being revealed. However, it is worth noting that the content on Z-Library may be of questionable legality, so use it at your own risk.

Z-Library on the dark web (Image: Hackread.com)

**Z-Library – A Brief History**

Z-Library was founded in 2009 as an extension of Libgen. It was a free file-sharing platform showcasing academic textbooks and peer-reviewed journal articles. It is one of the internet’s top 10k most visited websites.

The platform offered more than 11 million books and 84 million articles. All the content was available free of cost. Instructors and students loved this platform, and around one million unique users visited the site every month.

Gradually, the site started charging for book downloads after a user reached a certain number of books. After some time, Z-Library became a separate platform. Z-Library boasted globally dispersed servers that hosted a database of 220TB.

1.  **Giveaway: Download Millions of Free Microsoft E-books**
2.  **Hundreds of Websites and Piracy Apps Seized in US-Brazil**
3.  **Authorities dismantle online piracy hackers network Sparks Group**
4.  **3 arrested, 30,000+ piracy sites shut down in global operation IOSX**
5.  **Flight Sim Lab installed Chrome passwords stealer in piracy check tool**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Tor domain remains online after Feds seize Z-Library websites

HCL Domino is susceptible to an information disclosure vulnerability. In some scenarios, local calls made on the server to search the Domino directory will ignore xACL read restrictions. An authenticated attacker could leverage this vulnerability to access attributes from a user's person record.

 

 Loading...

Skip to page contentSkip to chat

Skip to page contentSkip to chat

CVE-2022-38654: Knowledge Article View HCL - Customer Support

Welcome to this week’s edition of the Threat Source newsletter.
I’m fascinated by how things live and die on the internet. Things that are ubiquitous to our daily lives are simply gone the next. LiveJournal and Myspace we hardly knew you. Elon Musk’s purchase

Thursday, November 3, 2022 16:11

Welcome to this week’s edition of the Threat Source newsletter.

I’m fascinated by how things live and die on the internet. Things that are ubiquitous to our daily lives are simply gone the next. LiveJournal and Myspace we hardly knew you. Elon Musk’s purchase of Twitter and the subsequent exodus led me down the nostalgic path of thinking about how times change and platforms change but things largely remain the same. Until now. We’ve grown as an entire internet community and we remember the pain of moving from app to app and site to site. Many top infosec follows have deactivated their accounts while others are weighing when and if they will leave. Several have moved to decentralized solutions like mastodon.social which saw an uptick of more than 70,000 new users in a single day after the purchase was official. In theory Mastadon can’t be controlled by a single person or entity and to me it feels like this is the next step in our path as an internet community. Will it catch on and be the answer to all of our needs? Doubtful. It is a step in the evolution of the internet and I’m very interested to see what the next adaptation brings.

**The one big thing**

Cisco Talos Incident Response recently released their Quarterly Report highlighting the ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter. This quarter saw ongoing Qakbot, Hive, and Vice Society activity as well as the emergence of Black Basta, which first surfaced in April 2022. Adversaries continue to leverage not only LoLBins but a variety of publicly available tools and scripts hosted on GitHub repositories or free to download from third-party websites to support operations across multiple stages of the attack lifecycle. Defenders continue to struggle with MFA rollouts, as lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services.

**Why do I care?**

Understanding the current tools and trends used by attackers, as well as understanding the vulnerabilities that are targeted are intrinsic to good security posture. Knowing your environment is step one. Understanding that same environment from the view of the attacker is the next step. Per the report “In nearly 15 percent of engagements this quarter, adversaries identified and/or exploited misconfigured public-facing applications by conducting SQL injection attacks against external websites, exploiting Log4Shell in vulnerable versions of VMware Horizon, and targeting misconfigured and/or publicly exposed servers.”

**So now what?**

Ensuring that you know your environment and are covering the base of the security pyramid well is critical. Patch, self-assess, and follow trusted threat intelligence sources. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication and to disable or delete inactive accounts from Active Directory to prevent suspicious activity.

For the OpenSSL vulnerability we strongly recommend users mitigate affected OpenSSL systems as soon as possible by upgrading to version 3.0.7. Talos has released coverage across the device portfolio including Snort Rules: 60790, 300306-300307 to protect against exploitation of CVE-2022-3602 and ClamAV signature, Multios.Exploit.CVE\_2022\_3602-9976476-0, to detect malware artifacts related to this threat.

**Top security headlines of the week**

Security researchers were once again falsely implied by a ransomware gang in an effort to indicate their involvement. This time around Azov implicated BleepingComputer, Hasherazade, MalwareHunterTeam, Michael Gillespie, Lawrence Abrams, and Vitali Kremez, urging infected users to contact them via their accounts on Twitter to recover files.

Dropbox was the target of a recent phishing campaign that led to attackers gaining access to code stored in Github and copying 130 code repositories, including third-party libraries, internal software projects, and a few tools and configuration files maintained by the Dropbox security team. The attackers didn't gain access to any user content, passwords, or payment information. The Dropbox security team released a report detailing how they handled the incident.

**Can't get enough Talos?**

*   https://blog.talosintelligence.com/researcher-spotlight-how-azim-khodjibaev-went-from-hunting-real-world-threats-to-threats-on-the-dark-web/
*   https://blog.talosintelligence.com/quarterly-report-incident-response-trends-in-q3-2022/
*   https://blog.talosintelligence.com/openssl-vulnerability/
*   https://youtu.be/KhG6RUZgMas

**Upcoming events where you can find Talos**

BSides Lisbon (Nov. 10 - 11)  
Cidade Universitária, Lisboa, Portugal

SIS(Security Intelligence Summit), 2022.ON (Nov. 29)  
Josun Palace, Seoul

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

  
SHA256:  
d5dc790f6f220cf7e42c6c1c9f5bc6e4443cb52d07bcdef24a6bf457153c1d86  
MD5: 69fbf6849d935432bac8b04bdb00fd68  
Typical Filename: KMSAuto++.exe  
Detection Name: W32.File.MalParent

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:  
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

SHA 256:  
00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
MD5: d47fa115154927113b05bd3c8a308201  
Typical Filename: outlook.exe  
Claimed Product: MS Outlook  
Detection Name: W32.00AB15B194-95.SBX.TG

Threat Source newsletter (Nov. 3, 2022): Mastadon, evolution, and LiveJournal oh my!

Auth. (subscriber+) Broken Access Control vulnerability in David Cole Simple SEO plugin <= 1.8.12 on WordPress allows attackers to create or delete sitemap.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

*   Nonce Security!
*   Generates META tags automatically.
*   Works out-of-the-box. Just install!
*   You can override any title and set any META description and any META keywords you want!
*   Google Analytic 4!
*   Google Webmaster Tools!
*   Bing verification & Yandex verification!
*   Twitter and Facebook customization!
*   Quickedit SEO titles and descriptions!
*   Import Yoast SEO data!
*   Import Rank Math SEO data!
*   Import All In One SEO data!
*   Supports custom post types!

1.  Upload the plugin files to the /wp-content/plugins/cds-simple-seo directory, or install the plugin through the WordPress plugins screen directly.
2.  Activate the plugin through the ‘Plugins’ screen in WordPress.
3.  Use the Settings -> Simple SEO screen to configure the sitemap, the META info for the homepage, Google webmaster tools, Google analytic, etc.

If upgrading, please back up your database first!

Please email dave@coleds.com with any questions.

Q: How does front page title and description work.

A: The default title and description will be used under settings. If the front page, or blog page are used, then those pages meta information will be used.

Keep it up Mr. Cole. Simplicity in chaos is the correct path.

As feedback, We are not pleased with the way the plugin is set, but also with the support provided to properly configuring it. This made us simply unistalled it. Perhaps you guys may need to include more people to help you with this area, while having videos, screenshots and all the information available to configure the plugin easy and efficiently, but also providing a lean and clean way to unistall it if the case arises. At the end all is about service quality and customer experience.

JUST AWESOME & simple. please add redirect url. complete!

Finally after searching through SEO plugins all day I came across this one. Does exactly what I wanted, nothing superfluous. Excellent!

Great SEO plug-in! Puts the control back to the user without all the smoke and mirrors of Yoast, AIOSEO, et. al. Study your SEO manual, install this WordPress plug-in, and you're set.

Finally, a simple plugin just to add custom keyword and meta description like the old days.

Read all 14 reviews

“Simple SEO” is open source software. The following people have contributed to this plugin.

Contributors

*    David Cole

**1.1.0**

*   Added Google webmaster tools and analytic

**1.2.0**

Release Date: August 11th, 2017

*   Enhancements
    
    *   Added Robot NOINDEX and NOFOLLOW
    *   Added a preview sections for how the meta information should show on a search engine page.
    *   Added pre\_get\_document\_title for compatibility
*   Bugfixes
    
    *   Fixes a typo in the readme.txt :-p

**1.2.1**

Release Date: August 24th, 2017

*   Bugfixes
    *   Google Verification fixed/updated.

**1.2.2**

Release Date: August 30th, 2017

*   Bugfixes
    *   Fixed title, description, etc from showing a empty result () if it’s not specified.
    *   Added some simple code to generate default metadata if none is specified.

**1.2.3**

*   Enhancements
    *   Added settings link to plugin page.
    *   Updated the GA script/code.
    *   Various minor changes for future updates.

**1.3.0**

Release Date: April 17th, 2018

*   Enchancments
    
    *   Complete overhaul of Simple SEO presentation when editing pages, posts, etc.
    *   Lots of code optimization.
*   Random
    
    *   Updated the license to: GPLv3

**1.3.1**

Release Date: May 21st, 2018

*   Bugfixes
    *   Fixed a bug which prevented the keywords and description from showing. Thank you Aletta!

**1.3.2**

Release Date: May 28th, 2018

*   Bugfixes
    *   Fixed a bug which displayed Google Analytic even if a code was not added. Thank you Mahendra!

**1.3.3**

Release Date: June 21th, 2018

*   Enchancments
    *   Added meta title and meta description input fields to quick edit and bulk edit.
    *   Added meta titles and meta description to index; where applicable

**1.3.4**

Release Date: July 5th, 2018

*   Bugfixes
    *   Quick edit fix.

**1.4.0**

Release Date: May 19th, 2019

*   Enchancments
    *   Facebook
    *   Twitter
    *   Bing Verification
    *   Baidu Verification
    *   Yandex Verification

**1.4.1**

Release Date: May 22nd, 2019

*   Bugfix
    *   WooCommerce compadability – Thank you Andrew.

**1.4.2**

Release Date: May 23rd, 2019

*   Bugfix
    *   WooCommerce compadability – Thank you Andrew.

**1.4.3**

Release Date: June 13th, 2019

*   Enchancments
    *   Added quick edit for posts
    *   Added the option to import Yoast SEO data into Simple SEO. This can be found under Settings -> Simple SEO at the bottom of the page.

**1.4.4**

Release Date: June 13th, 2019

*   Enchancments
    *   Added post\_name to the columns options

**1.4.5**

Release Date: June 13th, 2019

*   Enchancments
    *   Added taxonomy support
    *   Including WooCommerce taxonomy support!

**1.4.6**

Release Date: June 13th, 2019

*   Bugfix
    *   Taxonomy fix.

**1.4.8**

Release Date: June 14th, 2019

*   Bugfix
    *   WooCommerce compadability issue for those not running woocommerce. Fixed.

**1.4.9**

Release Date: June 14th, 2019

*   Bugfix
    *   d2.roth posted a bug with contact form 7. Fixed.

**1.5**

Release Date: Feb 27th, 2020

*   Enchancments
    *   Quickedit for custom post types
    *   Column sorting

**1.5.1**

Release Date: June 16th, 2020

*   Bugfix
    *   Fix an issues where the default meta data was not showing on the static post front page.

**1.5.2**

Release Date: October 12th, 2020

*   Bugfix
    *   WooCommerce CSS updates.

**1.5.3**

Release Date: October 14th, 2020

*   Bugfix
    *   WooCommerce updates.

**1.5.6**

Release Date: December 4th, 2020

*   Update
    *   Minor updates to code.

**1.6**

Release Date: December 7th, 2020

*   Update
    *   Added sitemap generation.

**1.6.1**

Release Date: December 7th, 2020

*   Update
    *   added htmlspecialchars() to url for sitemap.

**1.6.2**

Release Date: December 8th, 2020

*   Update
    *   updated the date format in sitemap.

**1.6.4**

Release Date: December 9th, 2020

*   Update
    *   Disabled sitemap generation on admin\_init
    *   Removed noindex, nofollow pages (Simple SEO) from sitemap
    *   Added more translation features/options (more coming soon.)
    *   Added action for transition\_post\_status to update sitemap, if sitemap generation is enabled.

**1.6.5**

Release Date: December 9th, 2020

*   Bugfix
    *   Modified the transition\_post\_status

**1.6.6**

Release Date: Jan 1st, 2021

*   Update
    *   Added some more translation capabiltiies
    *   Added the abilty to import infor from All in One SEO and Rank Math. Enjoy!

**1.6.7**

Release Date: Jan 1st, 2021

*   Update
    *   Corrected some typos.

**1.6.8**

Release Date: March 3rd, 2021

*   Update
    *   Corrected some typos.

**1.6.9**

Release Date: July 19th, 2021

*   Update
    *   WordPress 5.8.
    *   Blog page title shows if using a static page
    *   Some other minor fixes.
    *   Added supportt for Google Analytic 4

**1.7**

Release Date: August 11th, 2021

*   Bugfix
    *   Fixed homepage title bug for static page.
    *   Fixed keywords being erased when using quickedit.

**1.7.1**

Release Date: October 19th, 2021

*   New Feature
    *   Added canonical urls.

**1.7.2**

Release Date: Jan 20th, 2022

*   Bugfix
    *   Taxonomy code updates and meta title fixes provides by Daniel Roth. Thanks Daniel!

**1.7.3**

Release Date: March 6th, 2022

*   Bugfix
    *   Search title update. Thanks Daniel Roth!

**1.7.4**

Release Date: March 6th, 2022

*   Bugfix
    *   og and twitter title update.

**1.7.5**

Release Date: March 14th, 2022

*   Bugfix
    *   Category forwardslash issue fix. Thanks Daniel Roth!

**1.7.7**

Release Date: May 8th, 2022

*   Update for WP 6.0

**1.7.8**

Release Date: June 20th, 2022

*   Archive pages titles, descriptions, og data fixed!
*   Sitemaps fixed; for now it will only show pages and posts. Recommend using WordPress built in Sitemap as this sitemap feature will be removed in the future.

**1.7.9**

Release Date: July 10th, 2022

*   Updated sseoGetTitle() for archive pages.

**1.7.91**

Release Date: July 11th, 2022

*   Updated sseoGetTitle() for WooCommerce shop page.

**1.7.96**

Release Date: July 25th, 2022

*   Updates for WordPress compliance.

**1.7.98**

Release Date: July 26th, 2022

*   Update is\_home\_posts\_page()

**1.7.99**

Release Date: August 18th, 2022

*   Update to FB/OG meta data.

**1.8.0**

Release Date: August 18th, 2022

*   Update to FB/OG meta data.

**1.8.1**

Release Date: Sept 4th, 2022

*   Updated default meta titles, descriptions and keywords.
*   More updates coming for default FB, Twitter, and erasing database information on uninstall.

**1.8.12**

Release Date: Sept 7th, 2022

*   Fixed meta description issue.

**1.8.13**

Release Date: October 14th, 2022

*   Removed Baidu.
*   Removed Sitemaps; WordPress has a built in Sitemap, no need for this functionality.

**1.8.14**

Release Date: October 26th, 2022

*   Preping for WordPress 6.1

**1.8.15**

Release Date: October 26th, 2022

*   Preping for WordPress 6.1
*   Added screenshots
*   Removed obsolete code functions

CVE-2022-36404: Simple SEO

Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Stage Rock Convert plugin <= 2.11.0 on WordPress.

*   Details
*   Reviews
*   Support
*   Development

Publique banners no seu blog de maneira rápida e efetiva, e converta visitantes em subscribers, leads ou clientes sem precisar entender código. Esses calls-to-action (CTAs) serão publicados diretamente do seu painel do WordPress e poderão ser monitorados através do Google Analytics.

**Adicione os banners em massa**

Seus posts estão sendo criados, mas você tem problemas quando o assunto é aumentar o número de conversões? Publique seus banners em todos os seus posts sem mexer diretamente no código.

**Organize de acordo com categorias**

Para facilitar, os banners podem ser organizados para serem apresentados de acordo com a categoria dos posts do seu blog. Assim fica fácil manter o controle sobre o que cada conteúdo irá apresentar.

**Personalize e obtenha melhores resultados**

Posicione o CTA dentro dos posts escolhendo entre o topo e o final do conteúdo, programe a data do lançamento e personalize as tags HTML para obter melhores resultados.

**Analise os resultados**

Insira UTMs (as tags de monitoramento padrão do Google) para monitorar os resultados diretamente no Google Analytics.

**Outras funcionalidades**

*   Compatível com SEO.
*   Compatível com qualquer versão do WordPress, sem a necessidade de customização de estilo (CSS).
*   Compatível com AMP.
*   Responsivo (funciona em qualquer dispositivo).
*   Disponível em inglês (en) e português (pt-br).
*   Clique aqui para ver exemplos online.

Avalie o plugin deixando uma classificação ou sugira novas features no fórum de suporte.

Feito com ❤ pelo time da Rock Content no #SanPedroValley.

Rock Convert will definitely save you some hours of manual work through enabling you to scale banner distribution across your blog and converting users to leads. If you download it, you will not regret!

As estatísticas pararam de funcionar. Testei direto no PHP e direto no texto também, mas não contabiliza mais. Utilizo o plugin há tempos e funcionava. Estou usando a versão 2.9.5.

Instalei pois necessitava de uma caixa de captura para newsletter. A caixa é a com o melhor design e a mais fácil de configurar entre todas as opções que vi (testei várias). Porém a mesma não funciona no site versão AMP. Uso o AMP oficial do Wordpress. Entrei em contato com o suporte e infelizmente também não conseguiram resolver. Sá não tirei ainda do meu site, pois os demais plugins de newsletter não me agradaram.

Gostei mas o plugin não está atualizado, só queria adicionar CTA de baixar o conteúdo em páginas e não artigos. Está causando erro quando atualiza a nova versão do WordPress.

Sou desenvolvedor e sempre instalo nos WP que faço. Com ele de maneira muito fácil você consegue colocar e partes estratégicas do site um action para sua LP e assim aumentar o número de leads

Ainda não experimentei pois o WP só permite instalação de plugins no plano pago(pago eu utilizo o Wix). Ou plano de hospedagem profissional, mas a princípio para uma forma de adSense da RockContent.

Read all 20 reviews

“Rock Convert” is open source software. The following people have contributed to this plugin.

Contributors

*    Rock Content

**3.0.0**

*   Revisão completa do plugin
*   Refatorado o código para melhor desempenho e segurança
*   Todas as variáveis e opções foram escapadas a fim de evitar ataques XSS
*   Refatoração baseada no WordPress Coding Standard

**2.11.0**

Correção:  
\* Corrigidos pontos de vulnerabilidade XSS  
\* Melhoria na semântica dos formulários da área administrativa  
\* Corrigida chamada a API Rest

**2.10.2**

Improvements:  
\* Improvements in the plugin security

**2.10.1**

Correção:  
\* Css which affected the theme fixed

**2.10.0**

Correção:  
\* Fix popup front

**2.9.9**

Correção:  
\* Fix query categories and layout admin

**2.9.8**

Correção:  
\* Correção do formulário de popup

**2.9.7**

Correção:  
\* Melhorias no layout do preview

**2.9.6**

Correção:  
\* Correção de chamada de função javascript  
\* Melhorias no layout do preview

**2.9.5**

Correção:  
\* Correção dos endpoints rest

**2.9.4**

Correção:  
\* Correção de css dos titulos do blog

**2.9.3**

Correção:  
\* Correção de versão do arquivo javascript

**2.9.2**

Correção:  
\* Correção de bug no campo de widget

**2.9.1**

Correção:  
\* Correção de bug no layout do admin

**2.9**

Novidades:  
\* Adição de nova funcionalidade de popup exit

**2.8.1**

Melhorias:  
\* Corrigida chamada rest  
\* Corrigida quebra de layout no painel

**2.8**

Novidades:  
\* Adicionado novos campos para o formulário do widget

**2.7.1**

Novidades:  
\* Adicionado painel para visualização das leads

**2.7.0**

Novidades:  
\* Suporte a tags  
\* Possibilidade de escolher regras de exibição mais refinadas

**2.2.0**

Novidades:  
\* Nova funcionalidade: Barra de anúncios no topo do site  
\* Nova funcionalidade: CTA customizavel na barra lateral

Melhorias:  
\* Altera separador ao exportar para arquivo CSV de ; para ,  
\* Permite alterar a mensagem de sucesso do widget Caixa de captura  
\* Permite alterar o titulo e o texto do botão na caixa de download

**2.1.4**

Melhorias:  
\* Adiciona suporte a event tracking para o Google Analytics  
\* Reduz o tamanho do script necessário para utilizar o Rock Convert

**2.1.3**

Correção:  
\* Previne que aconteça o Fatal Error na função get\_rest\_url

Melhorias:  
\* Previne que as visualizações dos CTAs sejam bloqueadas por plugins de cache

**2.1.2**

Melhorias:  
\* Permite cadastrar parametros customizados no link do CTA  
\* Adiciona suporte ao WordPress 5.0  
\* Adiciona formulário na página de configurações para se inscrever na newsletter do Rock Convert

**2.1**

Novas funcionalidades  
\* Adiciona Widget com caixa de captura de e-mails

**2.0.11**

Correção:  
\* Previne que o erro “Undefined index” aconteça ao mostrar banners na página do post

**2.0.0**

Melhorias:  
\* Visibilidade: Agora é possível escolher páginas onde um banner não deve aparecer;  
\* Shortcode: Todo banner tem um shortcode único que pode ser adicionado em qualquer posição de qualquer conteúdo;

Novas funcionalidades:  
\* Analytics: saiba como seus CTAs estão performando diretamente no painel do wordpress;  
\* Captura de leads: Disponibilize seus posts para download no formato PDF e capture os e-mails;  
\* Faça download dos leads no formato CSV

**1.0.0**

*   Permite criar CTAs
*   Permite selecionar as categorias onde o CTA deve aparecer
*   Permite selecionar a imagem do CTA
*   Permite selecionar onde o CTA deve aparecer (início ou fim do post)
*   Permite cadastrar as UTM Tags para o link

CVE-2022-36428: Rock Convert

By Deeba Ahmed
Elusiv protocol offers privacy with compliance to protect Solana users with accessible and compliant privacy.
This is a post from HackRead.com Read the original post: Privacy Protocol Elusiv Raises $3.5 Million in Seed Funding

A zero-knowledge-oriented compliant privacy protocol, Elusiv, has secured $3.5 million in its seed funding round. LongHash and Staking Facilities Ventures led this round. The company stated in its press release that individual freedom relies on financial privacy, but privacy-maintaining technology requires practical compliance.

> “ZK and new decentralized technologies allow us to overcome the notion that privacy and compliance are exclusive and instead enable us to form a new kind of symbiosis between privacy and compliance.”
> 
> Yannik Schrade – Co-founder Elusiv

**Elusiv** is gearing up to become the “backbone of the blockchain financial ecosystem.” The protocol aims to provide users and merchants with privacy while maintaining safety via low-trade-off compliance solutions. Moreover, Elusiv will make standard transactions private while allowing users to choose the transactions to make public.

For your information, the Elusiv protocol boasts full composability, so it can be directly integrated into protocols and wallets and stay functioning even if just one party is using it to maintain privacy. This is definitely a competitive advantage because the existing solutions demand that both parties use the same service.

The proceeds will be used to create Elusiv’s own development team and manage security audits. Additionally, it will bring its **solution to different blockchains**. Some investors include NGC Ventures, Jump Crypto, Anagram, Big Brain Holdings, Cogitent Ventures, Equilibrium, Token Adventures, Marin Ventures, Monke Ventures, Moonrock Capital, SolanaFM, etc. Also included are several angels e.g., the founders of UXD Protocol, Zeta, Solana, Notify, and Solflare.

The General Partner and Chief Operations Officer at **LongHash Ventures**, Wei Shi Khai stated that the company is excited by the strong position taken by Elusiv to address this space via their user-friendly and scalable integrations without compromising upon the practicality of compliance.

> “Moving forward, we see privacy as a key modular layer in our multi-chain infrastructure thesis, especially as more social and identity use cases mature.”
> 
> Wei Shi Khai – LongHash Ventures

Conversely, Staking Facilities Ventures’ Venture Partner Louis Bauer stated that Elusiv had laid the foundation for sensitive transactions to be carried out on-chain. Ensuring privacy with compliance can widen blockchain’s options.

Some key systems introduced by Elusiv for compliance include Zero-Knowledge proofs and advanced **cryptography**. Elusiv allows users to provide insights into their private assets and transactions to third parties by sharing individual transaction viewing keys or adopting the TTP (trusted third parties) to view every transaction. Users can also prove to third parties that their transactions weren’t sent, such as by a known threat actor, with just a button or click.

The best aspect is that Elusiv’s advanced compliance system utilizes a decentralized network of trusted execution environments so bad actors don’t lose ownership of their funds but cannot gain privacy. The system allows disclosing retroactively made truncations of malicious actors to make Elusiv an unfavorable option for them and provide security to other users.

1.  **The Benefits Of Blockchain In The Travel Industry**
2.  **Ankr Launches Chainscanner Blockchain Explorer Tool**
3.  **Blokhaus Launches New Open-Source NFT Tool Minterpress**
4.  **Yield Monitor Integrates DeFiChain Blockchain Into Its Database**

Privacy Protocol Elusiv Raises $3.5 Million in Seed Funding

**TEL AVIV, LONDON and NEW YORK – November 3, 2022 –** Apiiro, the leader in Cloud-Native Application Security, today announced a significant Series B round of $100M led by General Catalyst with participation by Greylock and Kleiner Perkins. The new funding will be used to accelerate the business and advance the company’s mission to empower developers and application security engineers to proactively fix risks before releasing to the cloud with all the context they need in a single solution.

With more companies shifting to agile development and adopting CI/CD practices to release code to the cloud on a daily basis, there is an exponential increase in the number of changes. This creates a massive market opportunity to help CISOs and CIOs effectively and contextually identify, prioritize and eliminate risks in their code and development environments to prevent application and software supply chain threats using one solution.

“In this economy, it’s important to invest in technology that helps companies drive business growth,” said Quentin Clark, Managing Director at General Catalyst. “Idan, Yonatan and the Apiiro team are giving customers a solution to a whole problem – not just a piece of it. They are going beyond providing tools for developers to address potential security issues in the code base and actually delivering an operational platform that workflows those fixes in context of how a company is configuring and deploying software. This approach has driven phenomenal growth to date, which comes from strong execution with the right team at the right time.”

Apiiro has introduced a completely new approach to application security in the cloud by providing complete visibility into code bases, assessing risks from design to code to cloud and proactively fixing actual risks that attackers can exploit before releasing to the cloud. This enables Fortune 500 companies to reduce operational costs and risks at scale with seamless deployment by connecting to their source control managers via API.

There are several isolated and unrelated findings hiding across code, configurations, open source packages and cloud infrastructure that when pulled together with relevant context, creates a “risk story” that is exploitable by attackers. Apiiro’s Risk Graph technology connects these infinite factors with actionable context to offer a completely new way for developers and security teams to fix risks.

_“_The unrelenting demand for next generation application security solutions has allowed us to deploy our product at-scale with leading Fortune 500 customers,” said Idan Plotnik, co-founder and CEO of Apiiro. “Early innovation enabled us to grow faster and more efficiently than the competition, and we are building the company for hyper growth. The combination of our team, business momentum, and support from top-tier investors positions Apiiro to continue to lead a growing industry.”

**Supporting Resources**

*   Apiiro blog
*   Apiiro on LinkedIn
*   Apiiro on Twitter

**About Apiiro**

Apiiro helps security and development teams proactively fix risks before releasing to the cloud. The company is backed by General Catalyst, Greylock, and Kleiner Perkins. apiiro.com.

Apiiro Raises $100M Series B Funding Round to Solidify Position as the Cloud-Native Application Security Leader

Banco de Crédito Cooperativo (BCC) wins the first hyper-realistic cybersecurity competition for the financial industry.

**RESTON, Va. and BOSTON, Nov. 3, 2022 /PRNewswire/ —** FS-ISAC, the member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system, and Cyberbit, provider of the world's leading cybersecurity skill development and readiness platform, announced today that team "IsNotTheEDR" from Banco de Crédito Cooperativo (BCC) is the winner of the first International Cyber League (ICL) Financial Cup, 2022 – the first hyper-realistic cybersecurity tournament for the financial industry. The first runner-up is team "Suboptimal" from a leading Fortune 500 financial institution, the second runner-up is Team "AskITTeam" from BCC and the third runner up is team "TIAA" from TIAA.

The tournament ran from 6-26 October 2022 and challenged cybersecurity teams from the financial sector to respond to live-fire cyberattack simulations replicating attacks they may encounter in real life. Teams were scored based on typical incident response KPIs including investigation, eradication, and remediation goals, as well as their response times. The BCC team outperformed 55 cyber defense teams from leading financial organizations around the world and scored a perfect 100 in the live-fire challenge. The Cyberbit platform, normally used by enterprises to train and upskill information security teams, as well as for FS-ISAC's monthly cyber range workshops, was repurposed to power the ICL competition. The platform provided a virtual arena that emulated an organizational network and a virtual security operations center (SOC) that simulated the live attacks and automatically scored the teams based on their achievements.

The ICL reinvents cybersecurity competition formats by assessing cyber defense skills in real-world scenarios, allowing teams to predict their performance during an attack. Traditional Capture-the-Flag (CTF) events test offensive skills, but these do not reflect the capabilities that cyber defenders will be required to demonstrate during an attack. The ICL leverages cyber range live-fire scenarios to simulate real threat vectors and malware that assess essential "blue team" skills, including technical skills like malware analysis and SIEM investigation, as well as soft skills like teamwork, critical thinking, and communications.

"We in the financial sector believe that exercising builds muscle memory to ensure smooth and efficient incident response," said **Cameron Dicker, Global Head of Business Resilience at FS-ISAC**. "We run a wide variety of exercises to ensure preparedness throughout all different organizational levels and functions, and we chose this competition format during Cybersecurity Awareness Month to bring a little fun into this critical tool for operational resilience."

"CISA and the NCA aptly named this year's cyber awareness month theme as 'See Yourself in Cyber,' demonstrating that cybersecurity is ultimately, about people," said **Sharon Rosenman, Chief Marketing Officer at Cyberbit**. "The feedback from the ICL teams was overwhelmingly positive and we are proud to collaborate with FS-ISAC in helping the financial industry become better prepared for real-world attacks by assessing and maximizing human performance."

"A Cyber Range is a strategic capability that enables governments and companies to effectively educate and train their professionals, as well as to experiment, test and validate new cybersecurity and cyber defense concepts, technologies, techniques, and tactics. Cyber range competitions such as the ICL Financial Cup help in providing a comparison with the rest of the peers in the sector", said Francisco Navarro García, Chief Information Security Officer, Banco de Crédito Cooperativo (BCC).

Additional teams who reached the top 10 in ICL finals include Loan Depot and Somerset Trust.

"The International Cyber League has been an excellent experience for our teams and a fantastic opportunity for them to test their skills with other elite teams across the financial services sector. We are incredibly proud of their work in keeping our company safe. Their strong performance in this competition is celebrated across Technology and the entire company", said Harold Rivas, Chief Information Officer, Loan Depot.

"Somerset Trust takes the security of our information very seriously, and I have always known that we assembled a good team of security professionals. It's always nice to see a competition like this that hones their skills and proves our dedication to security", said John Ash, Sr. Vice President and Chief Information Officer, Somerset Trust.

**About FS-ISAC**

FS-ISAC is the member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system, protecting the financial institutions and the people they serve. Founded in 1999, the organization's real-time information sharing network amplifies the intelligence, knowledge, and practices of its members for the financial sector's collective security and defenses. Member financial firms represent $100 trillion in assets in 75 countries.

**About Cyberbit**

Cyberbit provides the global leading attack readiness platform for enabling SOC teams to maximize their performance when responding to cyberattacks. The platform empowers security leaders to make the most of their cybersecurity investment by boosting the impact of the human element in their organization. Cyberbit delivers hyper-realistic attack simulations mirroring real-world scenarios. It enables security leaders to dramatically reduce MTTR, dwell time and cybercrime costs, improve hiring and onboarding, and increase employee retention. Customers include Fortune 500 companies, MSSPs, systems integrators, governments, and leading healthcare providers.

Tag

#ios